Community discussions

Search found 42 matches

by libove
Tue Apr 23, 2019 10:14 am
Forum: General
Topic: Port Knocking, avoid scan-caused false positives?
Replies: 17
Views: 912

Re: Port Knocking, avoid scan-caused false positives?

Thanks k6ccc and Jotne, also very good points.
First blocking scans, before even checking for knocks (with maybe a too-talky limit on allowed services) does seem more complete and simpler to implement than my more complex knock idea.
cheers,
Jay
by libove
Mon Apr 22, 2019 11:48 pm
Forum: General
Topic: Port Knocking, avoid scan-caused false positives?
Replies: 17
Views: 912

Re: Port Knocking, avoid scan-caused false positives?

You raise a really good point. It depends on who/ what kind of attacks we're protecting against. My initial request would be for something that would stop a common port scan from detecting that there is e.g. an SSH or HTTPS port open on the MikroTik. And it would indeed do that. It would make the po...
by libove
Mon Apr 22, 2019 2:30 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 207499

formal port knocking

There are several discussions in these and other forums about how to implement port knocking in RouterOS. And, at a basic level, they all can work. In short, they tend to be "detect proto on port, add src to address-list KNOCKPHASE1", "detect proto on port2 when src already on address-list KNOCKPHAS...
by libove
Mon Apr 22, 2019 2:25 pm
Forum: General
Topic: Port Knocking, avoid scan-caused false positives?
Replies: 17
Views: 912

Re: Port Knocking, avoid scan-caused false positives?

Hi joegoldman, Interesting idea! I'm playing devil's advocate and trying to think whether this could have unintended consequences (accidentally block legitimate traffic). Since the only incoming connections should be either VPN or knocked, any legitimate occurrence of all-ports-except-a-very-small-numb...
by libove
Mon Apr 22, 2019 10:50 am
Forum: General
Topic: Port Knocking, avoid scan-caused false positives?
Replies: 17
Views: 912

Re: Port Knocking, avoid scan-caused false positives?

Thanks very much for this Sob, I'm guessing that the third knock port (5000) is added just for purposes of demonstration, not that it's required in order to make the two-step knock order 7000,6000 function; right? I see what you mean about it being a bit ugly, since a rule meant to detect "port this...
by libove
Fri Apr 12, 2019 1:46 pm
Forum: General
Topic: Port Knocking, avoid scan-caused false positives?
Replies: 17
Views: 912

Port Knocking, avoid scan-caused false positives?

Port knocking is well established. There are lots of examples in the forums and Wikis. "IF this, THEN IF ALSO that, THEN ALLOW ...". But. If we want the knocks to be able to be simple (TCP SYN, so it could be triggered by a web browser), then we run a modest risk of a bad guy's high-intensity port s...
by libove
Thu Mar 09, 2017 8:18 am
Forum: General
Topic: MikroTik as RADIUS client to Windows NPS, Framed-Pool not being respected/ where are DHCP responses coming from??
Replies: 1
Views: 3680

Re: MikroTik as RADIUS client to Windows NPS, Framed-Pool not being respected/ where are DHCP responses coming from??

Right, so this is weird. On one Windows 10 VPN client it works. The client gets an IP address from the VPNpool1 statically configured VPN IP address range on the Mikrotik. On another Windows 10 VPN client, it still fails as before. The client is getting that 192.168.255.32 address which mysteriously...
by libove
Thu Mar 09, 2017 8:14 am
Forum: General
Topic: Framed-IP-Pool from Windows NPS, instead of Framed-IP-Address from Windows DHCP?
Replies: 1
Views: 1296

Re: Framed-IP-Pool from Windows NPS, instead of Framed-IP-Address from Windows DHCP?

Following up my own post. I'm working with Microsoft support. They say that 1. Windows Server NPS is supposed to be able to return the Framed-Pool attribute, but 2. They can reproduce this problem and it looks like it's been this way for a long, long time (that in fact the Framed-Pool attribute neve...
by libove
Sat Feb 25, 2017 2:38 pm
Forum: General
Topic: Configure SSL/TLS cipher suites?
Replies: 0
Views: 596

Configure SSL/TLS cipher suites?

I have an SSL installed on my Mikrotik RB750, to provide httpS:// access to webfig, as well as to serve SSTP VPN connections. When I ran a Qualys SSL Labs SSL test against my Mikrotik, it reports that insecure hash algorithms are enabled (RC4). I don't see where to configure which cipher suites (enc...
by libove
Mon Jan 16, 2017 12:43 pm
Forum: General
Topic: MikroTik as RADIUS client to Windows NPS, Framed-Pool not being respected/ where are DHCP responses coming from??
Replies: 1
Views: 3680

MikroTik as RADIUS client to Windows NPS, Framed-Pool not being respected/ where are DHCP responses coming from??

Hi MikroTik community, I've got a RouterBOARD 951Ui 2HnD (RouterOS v6.38) set up as a VPN server (SSTP). Everything works fine when the VPN clients (Windows 10 workstations) use local authentication from the RouterBOARD (that is, they log in using ID+password from /ppp secret). However, I've recently...
by libove
Mon Dec 19, 2016 6:26 pm
Forum: General
Topic: Framed-IP-Pool from Windows NPS, instead of Framed-IP-Address from Windows DHCP?
Replies: 1
Views: 1296

Framed-IP-Pool from Windows NPS, instead of Framed-IP-Address from Windows DHCP?

Hi MikroTik community, I think this is probably more a how-to about Windows Server 2012R2 Network Policy Server configuration than about MikroTik, but I also figure that the community here is likely smarter and better at answering questions like this than the Microsoft support communities are... :-)...
by libove
Sun Apr 17, 2016 11:09 am
Forum: General
Topic: Traffic through VPN doesn't reach Internet through ISP's router
Replies: 7
Views: 1258

Re: Traffic through VPN doesn't reach Internet through ISP's router

Oh, and: RouterOS v6.34.4 (stable) RouterBOARD firmware 3.30 /system license print: software-id: 68EG-0A8X nlevel: 4 features: /system package print Flags: X - disabled # NAME VERSION SCHEDULED 0 routeros-mipsbe 6.34.4 1 system 6.34.4 2 X wireless-cm2 6.34.4 3 X ipv6 6.34.4 4 wireless-fp 6.34.4 5 ho...
by libove
Sun Apr 17, 2016 10:44 am
Forum: General
Topic: Traffic through VPN doesn't reach Internet through ISP's router
Replies: 7
Views: 1258

Re: Traffic through VPN doesn't reach Internet through ISP's router

Hi again Lui, I've re-tested the PINGing, and now it works as expected between the MikroTik (on both its 192.168.255.3 and 192.168.255.125 addresses) and the VG-8050 - I can't begin to explain why it didn't work before. (Internal hosts e.g. the Windows server on 192.168.255.8 could always PING the ...
by libove
Fri Apr 15, 2016 9:11 pm
Forum: General
Topic: Traffic through VPN doesn't reach Internet through ISP's router
Replies: 7
Views: 1258

Re: Traffic through VPN doesn't reach Internet through ISP's router

Thanks again Lui. Yes, I've always been able to connect across the two subnets; effectively, I'd already done the test that you suggest. And, yes, the configuration script that you provided matches the configuration of the two devices, with one minor difference: The MikroTik's IP addressing is attac...
by libove
Fri Apr 15, 2016 6:51 pm
Forum: General
Topic: Traffic through VPN doesn't reach Internet through ISP's router
Replies: 7
Views: 1258

Re: Traffic through VPN doesn't reach Internet through ISP's router

Hi Lui, I apologise, I was sure that I'd mentioned - there already is a static route on the VG-8050 pointing 192.168.255.64/26 -> 192.168.255.3 (the MikroTik). You mention needing a forwarding rule and a masquerade rule. Why would a forwarding (firewall, right?) rule be necessary? The MikroTik is a ...
by libove
Fri Apr 15, 2016 2:28 pm
Forum: General
Topic: Traffic through VPN doesn't reach Internet through ISP's router
Replies: 7
Views: 1258

Traffic through VPN doesn't reach Internet through ISP's router

I'm probably doing something stupid. Or, Movistar has done something stupid (again) with their (weird, custom) router firmware. I'm hoping someone can tell me which, and what :-) I have Movistar (Spain)'s fibre based Internet service "Fusión", with a VG-8050 Internet router. Behind that I have a Mik...
by libove
Tue Jan 15, 2013 4:09 pm
Forum: General
Topic: Sub VLAN interface?
Replies: 13
Views: 3863

Re: Sub VLAN interface?

In my configuration, I have a VLAN set up: /int vlan add vlan-id=254 name=VLAN254 interface=ether8 ... and an IP on the VLAN: /ip addr add address=192.168.16.2/24 interface=VLAN254 ... This one MikroTik itself can ping its own IP address there, but another MikroTik across a trunked connection canno...
by libove
Mon Jan 14, 2013 11:20 pm
Forum: General
Topic: Sub VLAN interface?
Replies: 13
Views: 3863

Re: Sub VLAN interface?

It seems... in my case... the issue is that if I assign an IP address to the Ethernet interface (e.g. eth1) it does not properly propagate out on the PVID of the network. Whereas if I assign the IP to the VLAN ID of the network then it works. In my configuration, I have a VLAN set up: /int vlan ad...
by libove
Mon Jan 14, 2013 11:07 pm
Forum: General
Topic: Sub VLAN interface?
Replies: 13
Views: 3863

Re: Sub VLAN interface?

I've posted more details in a similar thread here: http://forum.mikrotik.com/viewtopic.php ... 14#p351000
.. if anyone wants to look it over...

Thanks,
-Jay
by libove
Mon Jan 14, 2013 9:40 pm
Forum: General
Topic: PING an IP address assigned to a VLAN interface on an RB1200
Replies: 5
Views: 3553

Re: PING an IP address assigned to a VLAN interface on an RB

What does the routing table look like on the RB1200? Have you only tried pinging from the command line? Any difference if you use the tool in Winbox and explicitly state the interface? The network in question here is 192.168.16.0/24, which should be on VLAN254, which is physically connected on ethe...
by libove
Sat Jan 12, 2013 2:02 am
Forum: General
Topic: PING an IP address assigned to a VLAN interface on an RB1200
Replies: 5
Views: 3553

Re: PING an IP address assigned to a VLAN interface on an RB

Hi. I have tested this scenario and it works. PC-------switch (HP)---------Mikrotik (RB435G) PC is connected to a switch through an untagged port. Switch is connected to Mikrotik via a trunk port. Mikrotik is connected to switch through a tagged port. PC is in vlan 2. Switch trunk port is tagged on ...
by libove
Fri Jan 11, 2013 7:45 pm
Forum: General
Topic: PING an IP address assigned to a VLAN interface on an RB1200
Replies: 5
Views: 3553

PING an IP address assigned to a VLAN interface on an RB1200

On an RB1200 (RouterOS 5.21): /int vlan add name=VLAN101 vlan-id=101 arp=enabled disabled=no interface=ether8 use-service-tag=no /ip address add address=192.168.17.1/24 interface=VLAN101 disabled=no There is an Ethernet cable plugged into ether8 which goes to a trunk port on a Dell PowerConnect 2848...
by libove
Fri Jan 11, 2013 5:07 pm
Forum: General
Topic: Sub VLAN interface?
Replies: 13
Views: 3863

Re: Sub VLAN interface?

For example: Following these instructions: add name=VLAN2 vlan-id=2 interface=ether1 disabled=no add address=10.10.10.3/24 interface=VLAN2 The device will pass traffic through the VLAN and to the appropriate ports... however, it will not respond to pings to that IP address from another device on th...
by libove
Sat Jan 05, 2013 7:47 pm
Forum: RouterBOARD hardware
Topic: RB751G-2HnD, Wi-Fi client, or Wi-Fi adapter in USB port?
Replies: 6
Views: 1843

Re: RB751G-2HnD, Wi-Fi client, or Wi-Fi adapter in USB port?

No, USB wireless modules do not work well. Honestly, if you are wanting to do QoS on a 100mb link the 751G is not going to be enough. I would recommend a 1200 or 1100AH. You could also use a RB800 with multiple wireless cards.
Thanks very much. Okay, back to the drawing board a bit...
by libove
Sat Jan 05, 2013 6:51 pm
Forum: RouterBOARD hardware
Topic: RB751G-2HnD, Wi-Fi client, or Wi-Fi adapter in USB port?
Replies: 6
Views: 1843

Re: RB751G-2HnD, Wi-Fi client, or Wi-Fi adapter in USB port?

A wireless interface can only be an AP or client. So you can't have one interface acting as both but if you used a 493G you could put multiple interfaces on the board. You can also setup virtual APs for your different networks without having to attach multiple APs. Hi cbrown, Thanks for the clarifi...
by libove
Sat Jan 05, 2013 6:46 pm
Forum: RouterBOARD hardware
Topic: RB751G-2HnD, Wi-Fi client, or Wi-Fi adapter in USB port?
Replies: 6
Views: 1843

Re: RB751G-2HnD, Wi-Fi client, or Wi-Fi adapter in USB port?

Hello libove,

and this should all be running smooth and liquid with a cool throughput on a device
that is sold as a wireless access point and 100 MBit/s FTTH Internet on top? :shock:
Hi Dobby,
I don't understand. Are you saying that I am expecting too much from the RB751 series?

Thanks,
by libove
Sat Jan 05, 2013 3:07 pm
Forum: RouterBOARD hardware
Topic: RB751G-2HnD, Wi-Fi client, or Wi-Fi adapter in USB port?
Replies: 6
Views: 1843

RB751G-2HnD, Wi-Fi client, or Wi-Fi adapter in USB port?

I am thinking of buying a RB751G-2HnD (or similar) to use for the following: At my home, I have a 100Mb/10Mb fibre Internet connection. It's usually great. And sometimes it sucks (technical failures in the infrastructure outside the house). I have wireless access to a fallback connection (Wi-Fi, not...
by libove
Mon Dec 31, 2012 11:08 am
Forum: General
Topic: VRRP with only virtual IP
Replies: 3
Views: 3533

Re: VRRP with only virtual IP

Bump. Can anyone confirm (now at RouterOS 5.22) that the setup proposed by jvr is "correct"? That is, that not only does it seem to work for jvr, but that it isn't conflicting in some way with the standards and likely to break, either if the "wrong" kind of other network gear is connected on the sam...
by libove
Thu Dec 27, 2012 6:03 pm
Forum: General
Topic: Mikrotik specialized Consultant?
Replies: 1
Views: 500

Mikrotik specialized Consultant?

I am becoming quite disillusioned with MikroTik. I have the same problem which others have posted (and on NONE of which threads I see a real resolution) where VRRP on-master/ on-backup scripts don't work correctly, where preemption-mode=no doesn't work correctly, etc. I need a consultant who special...
by libove
Tue Dec 18, 2012 6:08 pm
Forum: General
Topic: ROS 5.21, DNS false negative?
Replies: 1
Views: 1247

Re: ROS 5.21, DNS false negative?

The same problem has just happened again. Once again, it was solved (temporarily) by flushing the cache. I've now also reduced the cache-max-ttl from the 1w which it had been set at (by default, I guess) to 2d, in hopes that it helps. I'm not confident of that. This really does look like a bug: When...
by libove
Thu Dec 13, 2012 7:48 pm
Forum: General
Topic: ROS 5.21, DNS false negative?
Replies: 1
Views: 1247

ROS 5.21, DNS false negative?

We have a VRRP pair of RouterBOARD 1200, IP addresses 192.168.1.2 and 192.168.1.3, VRRP address 192.168.1.1. Both are running ROS 5.21. These are our gateway devices to the Internet, in a typical "We're an internal LAN, the MikroTiks let us out to the Internet" medium-sized office configuration. Not...
by libove
Thu Dec 06, 2012 7:13 pm
Forum: General
Topic: 1 or 2 VRRP to failover both "inside" & "outside" interfaces
Replies: 1
Views: 1373

Re: 1 or 2 VRRP to failover both "inside" & "outside" interf

I have performed the initial setup here. I chose to go with one VRRP failover (just the internal LAN), with on-master and on-backup scripts. BUT this is clearly insufficient: When a VRRP failover occurs, the MikroTik which knows it has become Master will enable its IP addresses for our Internet link...
by libove
Thu Nov 15, 2012 2:56 pm
Forum: General
Topic: DHCP and VRRP
Replies: 4
Views: 1307

Re: DHCP and VRRP

Thanks very much!
by libove
Tue Nov 13, 2012 3:16 pm
Forum: General
Topic: DHCP and VRRP
Replies: 4
Views: 1307

Re: DHCP and VRRP

Thank you tws101. Some follow-up questions- When a MikroTik DHCP server detects that an IP address is in use, how long will it remember that detection and not try to re-check the IP address? That is, how long will that MikroTik DHCP server keep that address out of possible use? When a DHCP client "A...
by libove
Mon Nov 12, 2012 6:33 pm
Forum: General
Topic: 1 or 2 VRRP to failover both "inside" & "outside" interfaces
Replies: 1
Views: 1373

1 or 2 VRRP to failover both "inside" & "outside" interfaces

I am going to add a second MikroTik RB1200 to my existing RB1200. Call them RB#1 (in production) and RB#2 (soon to be added). My configuration is fairly straightforward - an internal LAN, to which both RB1200s are connected on their respective Ether5 ports - an Internet connection, to which both RB1...
by libove
Mon Nov 12, 2012 5:37 pm
Forum: General
Topic: DHCP and VRRP
Replies: 4
Views: 1307

DHCP and VRRP

This was discussed 8 years ago. Wow :-) http://forum.mikrotik.com/viewtopic.php?f=2&t=394 The content of that older thread I think remains fully valid. My question just goes a little further than the earlier discussion did: If I set up the same DHCP scope on two co-operating RB1200s in a VRRP config...
by libove
Tue Oct 30, 2012 6:59 pm
Forum: General
Topic: Two subnets, one Ethernet interface
Replies: 8
Views: 11738

Re: Two subnets, one Ethernet interface

Thanks everyone. Given the amount of time this was taking, and that we didn't have a strong reason to keep the two separate subnets on the one same physical medium, we solved the issue by dodging it entirely - We changed from 192.168.1.0/24 and 192.168.4.0/24 to 192.168.0.0/21 .... :-/ So I guess th...
by libove
Tue Oct 30, 2012 9:03 am
Forum: General
Topic: Two subnets, one Ethernet interface
Replies: 8
Views: 11738

Re: Two subnets, one Ethernet interface

Hi jandafields, Thanks for testing and updating the thread. Could I ask you to go one step farther and run a packet capture on one of the machines to check whether they are receiving and honouring the ICMP Redirect which the MikroTik router is surely sending (honouring meaning that thereafter they c...
by libove
Tue Oct 30, 2012 12:20 am
Forum: General
Topic: Two subnets, one Ethernet interface
Replies: 8
Views: 11738

Re: Two subnets, one Ethernet interface

Thank you Feklar. I tested with the Windows firewall completely turned off. It makes no difference. I confirm that, as stated before, the MikroTik is the default route. I also confirm that there are no more specific routes pointing a different way. And even if there were, my packet capture (on all i...
by libove
Mon Oct 29, 2012 4:32 pm
Forum: General
Topic: Two subnets, one Ethernet interface
Replies: 8
Views: 11738

Two subnets, one Ethernet interface

This has been discussed before. I've read everything I can find, here in the MikroTik forums and elsewhere on the Internet. I'm still not getting it to work.... RouterBOARD 1200, firmware 2.33, RouterOS 5.5 (yes, I know, it's old; I will update it, but this is in production and I'm quite conservativ...
by libove
Thu Oct 11, 2012 6:37 pm
Forum: General
Topic: Long-closed OpenVPN connections keep holding IP assignments
Replies: 3
Views: 961

Re: Long-closed OpenVPN connections keep holding IP assignme

Please upgrade to the latest version. If pool addresses are still not released, then contact support.
So, you're saying that this is a known issue, which has been fixed (in what specific version update release)?
Thanks,
-Jay
by libove
Tue Oct 09, 2012 6:39 pm
Forum: General
Topic: Long-closed OpenVPN connections keep holding IP assignments
Replies: 3
Views: 961

Long-closed OpenVPN connections keep holding IP assignments

RouterOS 5.5 (yes, I know, it's out of date). I've set up an OpenVPN server: >/ppp profile print detail ... 1 name="OpenVPN profile1 Jaytest" local-address=ovpn_pool_win01 remote-address=ovpn_pool_win01 use-mpls=default use-compression=default use-vj-compression=default use-encryption=required only-...