MikroTik

msatter

the line above are repeated X times. When you dealing with external logs, this is something you like to avoid at all cost like here in my Splunk - Mikrotik project: https://forum.mikrotik.com/viewtopic.php?t=137338 When you read logs external programs its hard to understand what is repeated and get...

msatter

On that being logged many many times the same loglines it would be nice if that could be avoided by buffering the new and same loglines till an other different logline is going to be written to the log. As long as you have connection tracking, and do not use the log on the "established/related" rul...

msatter

On that being logged many many times the same loglines it would be nice if that could be avoided by buffering the new and same loglines till an other different logline is going to be written to the log. The first two and last one/two lines are writen so the time between lines can by seen. First the ...

msatter

debug1: kex: host key algorithm: ssh-rsa

I would only use RSA and not DSA anymore.

msatter

Not very special and cloud you can disable if not used under IP-Cloud.

Why do put your public address and port in the Google search machine by showing that here?
Please make those invisible to the gerneral public.

msatter

The problem is that you did not a TLD to router. If you add ".lan" to the second name then you can it also from other devices.

Whitout a TLD you can only ping it on yhe router self.

msatter

I made a posting yesterday about my LOG being flooded by incoming connections from Google DNS ( 8.8.8.8 ) and thanks to mkx I could stop that by disabling the option Detect Internet under interfaces in the Mikrotik router. https://forum.mikrotik.com/viewtopic.php?f=2&t=141454 It looked like an attac...

msatter

How recent is your RouterOS version?

https://mikrotik.com/download

msatter

turn off internet detection

Darn...I switched that on two days ago to see what that did...I was not wiser and wanted to look at it again coming week. It is now switched off and I will not ever touch it again.

msatter

Thanks mkx. That is now clear to me and the first spoof, triggered the rule that places it on a addreslists to be "dropped" for a long period. I have now changed the RAW for accepting DNS returns so that the next time it would not even reach the spoof check, so it will not be promoted to addresslist...

msatter

A few times now I see the Evil Google DNS trying to connect endless to my DNS port which is blocked to by a RAW rule. In this way I can fill my log files very fast by only that log entry repeating and repeating endlessly. Nov/11/2018 08:29:06 firewall,info Drop RAW - Probe prerouting: in:pppoe-out1 ...

msatter

The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already. https://www.zdnet.com/google-amp/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/ Owners being angry at him should th...

msatter

Do you use a profile on those connection? I the profile you can set hard time limit to end a connection. There is also a option to use 'only one' and then you could use a profile for each three connections.

msatter

I am affraid that this will not even be part of RouterOS 7.

msatter

You are talking about different things.

If you put a dedicated DNS server like dnsmasq/unbound/pihole then you can log requests and even control resolved requests.

I am using Pi-hole for that.

msatter

Through a reseller of IPvanish I get on L2TP/IPsec about 90Mbit/s and OpenVPN on my PC 200Mbit/s.

Saddly OpenVPN is not possible through Mikrotik for this provider and many many others.

I tried NordVPN but they were too slow for me.

msatter

WOW....I am speechless, good that I can still type. :wink: Looks great and blistering fast. For the firstime I could see the Addresslist in Firewall. It timed out but still I could see addresses. Now don't have to start the computer to use Winbox and now I trust myself to do stuff from the tablet. M...

msatter

Proposal: choice, to omit not on backup but on restore . So you will have allways a full backup and can select on restore if certain values should not be restored. Let's imagine the internals of this restoration process. There's a database table with the list of interfaces, their parameters, their ...

msatter

Why can't device-specific stuff like MAC-addresses simply be removed from the backup files? Because it is whole system backup. Proposal: choice, to omit not on backup but on restore . So you will have allways a full backup and can select on restore if certain values should not be restored. Workings ...

msatter

When you have a Voip you can call and the onnection is build up. Now if you are being called the connection has to be active and your Voip server renews the connection each minute. It is not stale it us waiting for a call. Now you set the timeout to 30 secs what means that you are unreachable for al...

msatter

Is that SIP connection on TCP or UDP?

TCP knows 'keep alive'

msatter

Better give the link: https://blog.mikrotik.com/security/

msatter

viewtopic.php?f=3&hilit=vdsl&t=104109&s ... 0bd0767a2b

msatter

I had that with two other domains in the past weeks and will try to make a support file when it happens again.

msatter

I am against giving giving root access. If you want to experiment thrn you have to get a other product.

If you want a more open router then have a look at Turris. I like their approach of a modular router that you can click together with the modules you need.

msatter

Gaining more access on your own device is these days called jailbreak/rooting. To be able to do this you need a opening/vulnerability in your device. A important criteria is the the manufacturer does not sell the device with this option default active. Apple is playing catch up all the time and Goog...

msatter

viewtopic.php?f=3&t=140313

msatter

release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing"; "testing" release channel now can contain "beta" together with "release-candidate" versions; Would it not be a wonderful world if we had a bugfree version but we have to do with a bugfixed...

msatter

I have same problem.
I broght two HEX S devices, one is working withount any problems. On another SFP port is showing "no link".

Did you try also with auto negotiate off and speed set to 1Gb/s?

msatter

I know, I received confirmation but no response from Mikrotik team

Sent your request again with the word "repeat:" as first word the subject.

msatter

I am also not that good in this. If you only use routing then you have route also the returning package.

I use connection marking for this because I am lazy.

msatter

That is not normal you should have receive a confirmation e-mail and after a few days a response from them.

I put a request last Friday and received today my answer. Yours is more complicated because it involves hardware so the have to check that first.

msatter

[sarcasm]Mikrotik patched RouterOS so all is safe now....[/sarcasm] If it is possible to retake compromised routers, then the correct correct RouterOS can be installed and clean out the bad stuff. I a one leaves it's router open to attacks from the outside why not 'attack' it to make it safe again. ...

msatter

The Mikrotik team can be reached at support@mikrotik.com

ps. the auto-negotiation disabled and set link speed 1G setting is commonly used by owners of Mikrotik stuff to get it working.

msatter

And the saga continues and this time by Tenable:

https://github.com/tenable/routeros

These are already patched so check if you are using a safe RouterOS.

msatter

And don't forget the three location where FastPath is defined. I the one in the Bridge was off and my upload dropped from 750Mbit/s to 120Mbit/s and download was not affected by that and stayed at 520Mbit/s all the time. There is one also in IP Setting and don't forget to enable route cache there be...

msatter

More info: https://blog.mikrotik.com/security/winb ... ility.html

msatter

Only one bridge can use hardware acceleration at the same time.

msatter

I run it under the same circumstances and I use also a SFP for the fiber connection to my ISP. I have mounted my RB760iGS (hEX S) and the temperature is in the 40 to 50 degrees. Check if the ventilation openings of the router are not blocked. If you look in my signature you find a link about cooling...

msatter

What happens if you don't put the SPF into the bridge. I never put the upstream/downstream in the master/slave or these days bridge.

If I look at the CPU usage I could reach 2Gbit/s if the CPU is maxed.

msatter

It is still being encrypted as you state and otherwise it would not deserve the first "s" in SSTP.

The difference is that there is no proof that the client is talking to server the client wanted to talk to.

msatter

From the WiKi; Between two Mikrotik routers it is also possible to set up an insecure tunnel by not using certificates at all. In this case data going through SSTP tunnel is using anonymous DH and Man-in-the-Middle attacks are easily accomplished. This scenario is not compatible with Windows clients...

msatter

Maybe better to switch to RSA.

https://wiki.mikrotik.com/wiki/Manual:IP/SSH

msatter

Update on VPNfilter:

https://blog.talosintelligence.com/2018 ... art-3.html

msatter

The spam is pleasantly low and I am not a moderator but had three posts yesterday by a spanking new member posting spam or even worse, infecting links. I put warnings underneath to have not other users clicking the link and. My warnings and the BAD postings are now removed so that is good. I still s...

msatter

I propose to introduce a waiting time to post links of a to be determined period after the first posting. Ignoring subscription date to not have accounts to be created in advance.

msatter

Let us other owners of the hEX S know what Mikrotik state to you so we don't have to write Mikrotik separately on this.

msatter

In the backup the MAC are different then those in the restored to device. It could be so that restore always respect the devices MAC and use them.

msatter

This is mainly used for VPN services and if we want to avoid this we could change to OpenVPN or IKE2 but that are not fully or not supported in RouterOS.

So we have to bear with these warnings for some time longer.

msatter

Remember that in MikroTik RouterOS, backup file is for restoring past configuration on the same device, not a safeguard against a lost or damaged device, for restoring on other devices, you should be using "export" config files. Export config files is death for me. Tried everything what is mentione...

Search found 923 matches