Community discussions

Search found 676 matches

by msatter
Thu Apr 26, 2018 9:07 pm
Forum: Scripting
Topic: Convert Text File to Address List
Replies: 2
Views: 96

Re: Convert Text File to Address List

I made some converters running in Linux which download the lists and convert them to an import RSC file. I use Spamhaus as source. I have now about 50.000 addresses in the list.
by msatter
Thu Apr 26, 2018 3:51 pm
Forum: Scripting
Topic: Fetch - How to access data variable?
Replies: 2
Views: 54

Re: Fetch - How to access data variable?

You can check /System Scripts Environment after a run for the name of the variable, at least if it is a global variable.
by msatter
Thu Apr 26, 2018 2:43 pm
Forum: General
Topic: Was Winbox ever downloadable straight from the router? [SOLVED]
Replies: 1
Views: 98

Was Winbox ever downloadable straight from the router? [SOLVED]

I read in a discussion on another website about the last vulnerability (April 2018) that Winbox was downloadable straight from the router? It should then be inside the firmware or side-loaded into the router.

I have not been an owner of Mikrotik equipment for that long, so my memory is limited in this.
by msatter
Thu Apr 26, 2018 12:08 pm
Forum: General
Topic: [Feature request] Passthrough select box on Jump Action [SOLVED]
Replies: 8
Views: 180

Re: [Feature request] Passthrough select box on Jump Action [SOLVED]

Thanks pe1chl, that was the solution to my problem: an extra RETURN was needed to stop UDP traffic travelling on. The traffic that was the most prominent was port 20561, so when I was using winbox in MAC config. ;-) This still leaves the request for adding the Passthrough checkbox active because it...
by msatter
Thu Apr 26, 2018 10:31 am
Forum: General
Topic: [Feature request] Passthrough select box on Jump Action [SOLVED]
Replies: 8
Views: 180

Re: [Feature request] Passthrough select box on Jump Action [SOLVED]

JumpReturn.jpg
add action=jump chain=prerouting jump-target=UDP-target protocol=udp
add action=return chain=prerouting log-prefix=UDP-target protocol=udp
. .
add action=accept chain=UDP-target comment=WireShark/Winpap disabled=yes dst-address=192.168.88.99 dst-port=37008 protocol=udp
. .
add action...
by msatter
Thu Apr 26, 2018 2:40 am
Forum: General
Topic: [Feature request] Passthrough select box on Jump Action [SOLVED]
Replies: 8
Views: 180

[Feature request] Passthrough select box on Jump Action [SOLVED]

I used Action Jump to a Chain today. I had to put a second Return just beneath the Jump line so that the rest of the lines were not also processed when the custom Chain was filtered. The feature request is, as in Connection Marking and Router Marking, to add a box in Action to stop processing of the rest of th...
by msatter
Thu Apr 26, 2018 12:24 am
Forum: General
Topic: Ping Knock
Replies: 7
Views: 263

Re: Ping Knock

Use a short period of one minute timeout to connect after knocking. Keep the connection by using established.

This way any parallel hackers on the same source IP have less than a minute to do harm.

After you disconnect, established is over and you have to knock again to get in.
by msatter
Wed Apr 25, 2018 8:18 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 123
Views: 8881

Re: v6.42.1 [current]

I checked this on all our routers upgraded to 6.42 or 6.41 ... And in ROS 6.41 and 6.42 Mikrotik Neighbor Discovery protocol outgoing traffic is actually allowed to bypass the firewall altogether and cannot be caught in any chain, not something that any process should be IMHO ... And for me this is act...
by msatter
Wed Apr 25, 2018 6:13 pm
Forum: General
Topic: Windows Port Knock Application
Replies: 13
Views: 2390

Re: Windows Port Knock Application

Thanks for the nice port-knocking program. :-)
by msatter
Wed Apr 25, 2018 12:41 pm
Forum: Beginner Basics
Topic: don't write logs
Replies: 5
Views: 156

Re: don't write logs

You are writing to flash memory (Disk), so keep logging to a minimum and write the lines that are not essential to memory.
by msatter
Wed Apr 25, 2018 12:36 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 54346

Re: Advisory: Vulnerability exploiting the Winbox port

I'm glad to see this got fixed so soon! Many thanks to the team who works on this (and lost a lot of sleep probably)! I reacted earlier to your post to include also the users of Mikrotik devices. I agree that Mikrotik worked fast and were communicative about the vulnerability. The final solution fo...
by msatter
Tue Apr 24, 2018 9:15 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Discovery Protocol only on specified interfaces
Replies: 7
Views: 267

Re: Discovery Protocol only on specified interfaces

It is not without risks; have a look at this posting in a recent thread:

viewtopic.php?f=21&t=133533&start=150#p656857
by msatter
Tue Apr 24, 2018 6:30 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 54346

Re: Advisory: Vulnerability exploiting the Winbox port

I'm glad to see this got fixed so soon! Many thanks to the team who works on this (and lost a lot of sleep probably)! Attacks seem to be rather specific though, haven't seen the mentioned log entries on my Dutch and Czech routers. Do not forget the users that brought this to the attention of Mikrot...
by msatter
Tue Apr 24, 2018 6:23 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 123
Views: 8881

Re: v6.42.1 [current]

Can we move this double reboot discussion to a separate thread plz...
More than we exchanged was the maximum we could put in from our side to Mikrotik. Unless it was mentioned again. Which you did. ;-)
by msatter
Tue Apr 24, 2018 3:07 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 54346

Re: Advisory: Vulnerability exploiting the Winbox port

Just to bust some myths, I re-did the connection to a device that doesn't have any firewall input filter protection for the winbox port, but only the "allowed-address" type filtering in /ip service. Some claim that it is possible to extract information from the device this way. It seems it isn't....
by msatter
Tue Apr 24, 2018 2:55 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 123
Views: 8881

Re: v6.42.1 [current]

Excellent thought, and in the release notes it should also state that the firmware is updated and that an upgrade is recommended. If nothing has changed then always as last line in the release notes: "- no firmware upgrade needed when your current firmware is x.xx.x or higher." Or maybe in the routerboard...
by msatter
Tue Apr 24, 2018 2:06 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 123
Views: 8881

Re: v6.42.1 [current]

Now that the firmware has the same version as RouterOS, and assuming that not every update to RouterOS really includes a changed firmware version, maybe something can be done to change the warning after the firmware update so that it does not require a reboot when nothing other than the version has...
by msatter
Tue Apr 24, 2018 11:37 am
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 123
Views: 8881

Re: v6.42.1 [current]

Warnings are already there. Can you provide screen shot where we can see that the warning is missing? Screen Shot 2018-04-24 at 08.24.59.png This boggles my mind... In Winbox you can see the message the firmware is upgraded but you will have to first open the window Settings to see that. Why not di...
by msatter
Mon Apr 23, 2018 10:15 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 123
Views: 8881

Re: v6.42.1 [current]

The information is in the LOG. The update versions are just cosmetic. You can't tell if anything was changed in the firmware anymore.

I never understood why Mikrotik chose to sync the version of the firmware and RouterOS.
by msatter
Mon Apr 23, 2018 9:52 pm
Forum: Scripting
Topic: ip firewall address list proplem
Replies: 6
Views: 174

Re: ip firewall address list proplem

Yes with this small correction 109.224.(0-255).(0-255) Used notation in RouterOS. 109.224.0.0/16 or 109.224.0.0-109.224.255.255 last question please and I will be very thankful to you: what is the number that, if we put it instead of (16), the number of IP addresses will increase more and more. I mean if we p...
by msatter
Mon Apr 23, 2018 9:22 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 54346

Re: Advisory: Vulnerability exploiting the Winbox port

Is it enough by changing the winbox port and password?
Not if they can just request that new user and password, because the vulnerability is still there. Also limit access as described in the first posting in this thread.
by msatter
Mon Apr 23, 2018 9:18 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 54346

Re: Advisory: Vulnerability exploiting the Winbox port

v6.42.1 and v6.43rc4 have been released! They fix the vulnerability. Bugfix coming soon as well. Hi Normis, is bugfix only 6.40.7 -- we need to use for breach fix? Even with the fix in place you will still have to implement the limiting of access to the router. See the first posting of this thread.
by msatter
Mon Apr 23, 2018 9:15 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 54346

Re: Advisory: Vulnerability exploiting the Winbox port

sorry for my english. Let's say the files save.sh and dnstest hit the router. By changing the password and limiting access from outside through winbox, is there a guarantee that there will be no outgoing connection from my infected router and the new password will not be transferred to the attacker...
by msatter
Mon Apr 23, 2018 9:08 pm
Forum: Scripting
Topic: ip firewall address list proplem
Replies: 6
Views: 174

Re: ip firewall address list proplem

Yes with this small correction 109.224.(0-255).(0-255)

Used notation in RouterOS. 109.224.0.0/16 or 109.224.0.0-109.224.255.255
by msatter
Mon Apr 23, 2018 8:15 pm
Forum: Scripting
Topic: ip firewall address list proplem
Replies: 6
Views: 174

Re: ip firewall address list proplem

.0.0 = /16 which means all addresses between .0.0 and .255.255 are matched
.0 = /24 which means all addresses between .0 and .255 are matched

When you limit it with .206.0/24 you can match between .206.0 and .206.255
by msatter
Mon Apr 23, 2018 7:21 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 54346

Re: Advisory: Vulnerability exploiting the Winbox port

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router; Shifting of the blame onto users... what else are we supposed to use for remote management? Where do you see shifting blame on the users? It is information for users to know that routers are safe against this vulner...
by msatter
Mon Apr 23, 2018 3:56 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 54346

Re: Advisory: Vulnerability exploiting the Winbox port

Here's a simple port-knocking firewall + address list for anyone who wants to implement it in the interim for access to the default winbox port (8291) First add any custom IP address ranges (known safe networks) you need like so: /ip firewall address-list add address=123.123.123.123 list=Winbox_Adm...
by msatter
Mon Apr 23, 2018 1:17 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 54346

Re: Advisory: Vulnerability exploiting the Winbox port

WOW. That is really scary. Maybe having port-knocking needed for connection and then lifetime as long as established. Also implement this in Winbox and the Android APP. Web interface is a no no from external. A unique TCP/UDP port sequence printed on the router label is needed to reach that router f...
by msatter
Mon Apr 23, 2018 1:10 pm
Forum: Announcements
Topic: v6.42 [current]
Replies: 146
Views: 13085

Re: v6.42 [current]

Notice the /delay 20 command before trying to enable the interface.
Should that not be :delay 20;?
by msatter
Mon Apr 23, 2018 10:52 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Req: IKEv2 server and client
Replies: 282
Views: 57886

Re: Feature Req: IKEv2 server and client

Maybe it is the case that you don't have to look under IPv6 for that but under IPv4 in the menu or path. ;-)
by msatter
Sun Apr 22, 2018 10:00 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 54
Views: 6492

Re: v6.43rc [release candidate] is released!

I did not want to post more on this 6.43RC3 thread and put updated information in my previous posting. I have multiple VPN connections active at the same time which are activated on demand and disconnect when not being used. The NAT lines have to be in a specific part of the hairpin and the position of e...
by msatter
Sun Apr 22, 2018 2:17 pm
Forum: Forwarding Protocols
Topic: Automating address list maintenance - MANRS compliance
Replies: 4
Views: 317

Re: Automating address list maintenance - MANRS compliance

Very interesting and also thanks for posting.
by msatter
Sun Apr 22, 2018 1:30 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 54
Views: 6492

Re: v6.43rc [release candidate] is released!

It seems that the "comment" possibility is the BEST thing in RouterOS. Maybe Mikrotik should think of making this way of working official and implement a tag or label available so that comment can just be a comment. Thanks Sindy for making this clear so the next time we don't think, WTF is happening...
by msatter
Sun Apr 22, 2018 12:12 pm
Forum: General
Topic: Is IPv6 port redirection possible?
Replies: 1
Views: 105

Re: Is IPv6 port redirection possible?

Obscuring is not that effective; better to limit access to that address and port by source IP filtering or Port Knocking before granting access. A tip about port knocking that I learned here is to use the established state for keeping the connection instead of a set time in the address list. And no, Mi...
by msatter
Sun Apr 22, 2018 12:00 pm
Forum: General
Topic: winbox vulnerable! Unusual login to routers [SOLVED]
Replies: 44
Views: 5019

Re: winbox vulnerable! Unusual login to routers [SOLVED]

@Strods: Make sure that there is no user called admin on your router configured A lot of us create a new user that replaces the user Admin and then just disable the user Admin and leave it on the box, but deactivated? Is it better to remove user Admin in case that could still be an attack vec...
by msatter
Sun Apr 22, 2018 11:29 am
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 54
Views: 6492

Re: v6.43rc [release candidate] is released!

@msatter, When I want to add a filter line using a script run at an On-UP event then "Place Before" or the whole script is not executed. The filter line is not added in the Nat table in my case. When I enter the line manually in Terminal then the line is added without a hitch. Did this work in the...
by msatter
Sat Apr 21, 2018 11:17 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 54
Views: 6492

Re: v6.43rc [release candidate] is released!

Found another problem with this RC. When I want to add a filter line using a script run at an On-UP event then "Place Before" or the whole script is not executed. The filter line is not added in the Nat table in my case. When I enter the line manually in Terminal then the line is added without a h...
by msatter
Sat Apr 21, 2018 7:33 pm
Forum: General
Topic: Strange traffic coming through the VPN
Replies: 0
Views: 75

Strange traffic coming through the VPN

I had some traffic coming from the VPN service and it appears to be traffic that was destined for the previous users of that VPN service. I use connection marking for the VPN so if a connection is not marked I drop that connection on Chain Input in Filters destined for my local VPN address. Besides...
by msatter
Sat Apr 21, 2018 11:43 am
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 54
Views: 6492

Re: v6.43rc [release candidate] is released!

Another problem with RC3. It is a problem I know from 6.41.2 and I could solve it then by not allowing Neighbour Discovery to inspect the L2TP/IPSEC connections by using !Dynamic. When Neighbour Discovery is doing its inspection it will reset the countdown on the Dial-On-Demand and the conne...
by msatter
Fri Apr 20, 2018 7:23 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 54
Views: 6492

Re: v6.43rc [release candidate] is released!

I use some high ports defined in Mangle and after flashing this RC they were stripped of the 10.000, so port 15000 became 5000.

Update: repeated the update from 6.42 to 6.43RC3 and this time no high ports were changed. But there must still be a Gremlin in RouterOS that causes this sometimes.
by msatter
Fri Apr 20, 2018 1:32 pm
Forum: General
Topic: Fasttrack and route marked packets
Replies: 17
Views: 586

Re: Fasttrack and route marked packets

I am now more adapting rules to how RouterOS/traffic breaths and not that much according to the manual. It is big fun and you can reduce processing time that way. So when a connection is routing marked and passthrough is no it will leave Mangle without passing through all the lines underneath. The n...
by msatter
Thu Apr 19, 2018 10:42 pm
Forum: General
Topic: Fasttrack and route marked packets
Replies: 17
Views: 586

Re: Fasttrack and route marked packets

After connection and routing marking, I look if a connection is still NEW so I can fasttrack it. I think this is because of the no passthrough on marking the routing. I mark fasttrack in Mangle.
by msatter
Thu Apr 19, 2018 10:03 pm
Forum: Beginner Basics
Topic: Address Lists dynamics 00:00:00
Replies: 2
Views: 92

Re: Address Lists dynamics 00:00:00

And you are running version x of RouterOS?
by msatter
Wed Apr 18, 2018 8:42 pm
Forum: Announcements
Topic: v6.42 [current]
Replies: 146
Views: 13085

Re: v6.42 [current]

I am trying 6.42 at the moment with the new bridging setup. Had some problems accessing websites and another setup (NAT) than I used on 6.40.6 did solve that. My L2TP/IPSEC is about 20 to 30 percent slower on 6.42 than on 6.40.6 and I will try 6.42 some more and try to solve the slowness I experience ...
by msatter
Tue Apr 17, 2018 11:42 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 737
Views: 133274

Re: Feature requests

Or you use a local DNS server on a RaspberryPI like DNSmasq, PiHole, etc. and you are able to control it all yourself.
by msatter
Tue Apr 17, 2018 2:02 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: TLS and authentication without username/password in OpenVPN. PLEASEE!!!
Replies: 2
Views: 131

Re: TLS and authentication without username/password in OpenVPN. PLEASEE!!!

The internet has for a while not been free any more. You have to pay with your "life" when you use it.

Here in the West it is not much better, and blocking sites' IP addresses is also done.

L2TP/IPSEC works at the moment and more VPN possibilities in the router are welcome.
by msatter
Fri Apr 13, 2018 7:15 pm
Forum: RouterBOARD hardware
Topic: Mikrotik CAP ac - How to change cases / metal ring
Replies: 2
Views: 203

Re: Mikrotik CAP ac - How to change cases / metal ring

At the left opening in the metal ring you see a plastic tab. You have to apply more force when turning the metal ring to the left. You can also push the plastic tab to the outside.
by msatter
Wed Apr 11, 2018 3:00 pm
Forum: Beginner Basics
Topic: Files
Replies: 1
Views: 92

Re: Files

If I remember it well you can use the flash/skin folder when you are using Dude. I don't know which product you have from Mikrotik, but most of the modern products don't have much Flash any more and RAM is used to save files. On reboot those files are deleted. If you want to save your files then you ...
by msatter
Wed Apr 11, 2018 2:52 pm
Forum: General
Topic: run script after reset not working
Replies: 7
Views: 186

Re: run script after reset not working

Je hebt de.....sorry, in English now: you have missed the startup delay, and when I understand the two postings above you can put as first line in the config.rsc :delay 15s and that would do it. Then my question is why not put this delay as default on export of a config.rsc so that tantrums are spared...