MikroTik

After upgrade of CRS125 it stopped to be visible in a neigherhood and for WinBox.

Tony:

Once more ... please do not start so many threads. Make one and please stick with it.

Isn't it better to make one topic instead of starting several ones?

Have you tried search.php?keywords=system+backup+script ?

After upgrade to 6.44.1 on RB962 GRE+IPSec stopped working when connected to 6.44 on the other side. After downgrade to 6.44 back on-line.

What about logging with WinBox via MACaddress?

Resseting configuration should not be allowed without setting password as integral part of this process.

You are using the wrong symbol to explain to IT people, should use "!=" instead, then they will better understand

For some "<>" should be used

It is always safer to netinstall as it formats device.

*) e-mail - fixed missing "from" address for sent e-mails (introduced in v6.44);

Emils

I'm interested how did it happen? What someone had been messing for with e-mail part of ROS?

"Expected more" means 23+ Gb sustained transmission with 190$ device?

No. It's not old thinking.

My net is my castle. Period.

Xymox,

Be responsible ISP/IT company and inform your customers that someone tries to take over their security.

Inform them about pros and cons and explain why you prefer not to jump into that train.

Easy.

Hmmm.... I watched this video and what comes to my eyes is "security manager will configure customers' micornets to be safe/secure etc...." or sth like that ...
Who the ..... is Alice ... opssss ... security manager?

Keeping up with the Simpsons ... let me decide

Frankly speaking: Bartosz ... "sz" pronounced as "sh" in "wash"

How your PC reaches camera?

WAN -> LAN? Is it OK?
LAN -> LAN? OK or not? Look for Harpin NAT.
LAN -> WAN? OK?

CRS are switches not routers. Thay can do routing but they are not designed for routing/natting/mangling heavy traffic. You should look for CCR devices if you want to mostly route or start with AH1100x4 ones. I have installation with AH1100x4 for 50+ users, VPN+IPSec used to access main office share...

Strange ... IPSec works for me

after upgrade 6.43.12 -> 6.44

IPSeced IPIP and GRE tunnels work smooth after upgrade, self-reconnected without problems. Comments still in place.

viewtopic.php?f=21&t=140165
viewtopic.php?f=21&t=137572

Do you really use these public IPs in your configuration?

Be patient. Most of moderators are volunteers so it takes some time to be moderated.

Suspecting that DHCP server mostly warns

A. when device try to renew address when lease is still valid and full DHCP REQUEST-ACK-CONFIRM process is not done
or
B. ROS sees that device is "vanishing" ... I see it in logs when CAPSMAN moves device from one AP or interface to another.

Does not help ... no change .. still receiving warnings

Most users who start threads "Mikrotik hacked...", "My router is unsecured", "Big hole in security of ..." seems to not check forum for security topics Did you try easiest method to look for security problems: https://forum.mikrotik.com/search.php?keywords=vulnerability https://forum.mikrotik.com/se...

If I recall correctly it means that there is NNNN exactly the same consequent messages in the log.

It is my way of "drop it ASAP" 0. if attacker scans us again (is already on the list) then drop it right now. A. check if unwanted port is checked. B. if yes, add attacker to the ban list C. drop all packets coming from attacker list /ip firewall raw add action=accept chain=prerouting dst-port=porto...

It would be convinient to CAPSAM and DHCP to log to log not only MAC address but also HOSTNAME if it is known.
Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping

Uncheck ...
"Always send replies as broadcasts even if destination IP is known. Will add additional load on L2 network."
DHCP broadcast an offer even if device is just deassigned.

For me the problem is with static addresses and seems to be connected with this option which sends offer even if there is no demand for it. Converting dynamic address to static makes this option somehow "checked" even DHCP server has it "unchecked" so if you forgot to uncheck then static reservation...

Before import rename all interfaces in 1009 to names used in 3011. It will make import much easier.

/ip firewall filter
add action=drop chain=input comment=WAN->DNS dst-port=53 in-interface=YOURWAN protocol=udp

Please edit your post and use English

Anav ... should mrz explain again and again and step by step what to do when you are hacked or could expect that autor is aware of https://blog.mikrotik.com/

What about https://mikrotik.com/products ?

Users of what service?

IMHO it could be problem of STP/RSTP protocol. Switch it off and see what will happen.

I use N++ with it's regular expression search+replace/replace all option.

@anav: Barracuda ESG does good job .. it filters most of spam from China ... most means 99% ... but I was tired skipping whole pages of "dropped/blocked" entries and decided to not allow such e-mails to reach ESG @Xtreamer: Please check attachment. It is part of a bigger set of rules so you must to ...

How did you remove ethernet interface from router? Physically? Then I doubt if you can connect to your router

Do you have more eth interfaces? What router it is? Configuration?

Almost 24 hours later

Edit ... blocked at RAW firewall level

Chiny4.PNG

Hi, I use Barracuda Spam Filter (Barracude ESG) as my spam-firewall for one of my customers. It does good job but one of their e-mail's was used for communication with China based client. Since then we receive hundreds spam e-mails per day only for this used e-mail. We do not receive e-mails to admi...

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

Do you use same "paranoic"

rules for LAN as for WAN side?

@n21roadie ... could you please stop full quoting all posts you are commenting. Use "Post replay" instead of "quoting" post.

Yes.
You don't need

...dst-port=!8291,22 ...

You accept it earlier so packets to 8291 and 22 do not even reach this drop rule.
I suggest to change 8291 port to other port in you configuration for winbox access.

Yes.

If you want to protect your castle then you build THE WALL which stops all at the gate and then allow to go inside only allowed persons/goods/packets. It is far far easier then allow all to enter and spy them for "bad guys".

More details please.

Done ... just warned as previous posts were quite "normal"

General answer is: No.

More details please. Configuration, topology, version upgraded from ... we aren't wizards guessing from tea leaves

Search found 1647 matches