MikroTik

Why do you think that Mikrtik's forum is proper place to ask about problems with Tenda router?

Was it "Upgrading on the edge" by Aerosmith?

Jump from 6.40 directly to 6.45 .... you are brave man. Have you read changelogs in the 6.41?

anav: maybe my toilet paper has just more layers than your? BTW.... If you want to protect computers on one bridge at L3 from another L3 layer then you need to block bridge A pool (name it poolA) from poolB, poolC, poolD ... poolC protect form poolD but not from poolE .... poolF from poolA, poolB bu...

@anav:

Nets at L2 may be separated but routing at L3 works and OP asks how to prevent IP access.

@OP:
what about using filters at bridge level? Antything what is forwarded to other interface than WAN should be dropped.

How you add Port1 to four different bridges?

Do you connect any interfaces to this bridge?

My simple solution: /ip service set winbox port=18291 /interface list add name=WAN_LIST /interface list member add interface=ETH1-WAN list=WAN_LIST /ip firewall raw # # accept packets to nonstandard WinBox port ... could be tailored for access from particular subnets etc. # add action=accept chain=p...

My old 0.02$ to this topic: viewtopic.php?f=1&t=93307&p=490460#p490402

http://bfy.tw/NuAw

viewtopic.php?f=21&t=146087&p=727601#p727601

Directly from power socket if you use 24V PSU?

Thank you for the report.
It is example of situation when one subnet is fully included in another. I do not look for such optimization ... yet

IMHO it is not "a bug" .. output is fully valid however not optimized to "deep roots".

I was thinking how to optimize big IP lists before importing them to Mikrotik. It ended as this program. Feel free to use it. Comments welcome. Written with GNU Linux and gcc. Standard usage ... takes data from stdin and outputs to stdout Program tries to merge consecutive IP addresses or IP ranges....

@tayroborges:

English please !

No device calling itself a router should have this as it's fully patched, default configuration out of the box be this: ...... If you want to make excuses for having crappy default configurations that's fine. Mikrotik is the one that is making the reputation for making devices that are part of botn...

After upgrade of CRS125 it stopped to be visible in a neigherhood and for WinBox.

Tony:

Once more ... please do not start so many threads. Make one and please stick with it.

Isn't it better to make one topic instead of starting several ones?

Have you tried search.php?keywords=system+backup+script ?

After upgrade to 6.44.1 on RB962 GRE+IPSec stopped working when connected to 6.44 on the other side. After downgrade to 6.44 back on-line.

What about logging with WinBox via MACaddress?

Resseting configuration should not be allowed without setting password as integral part of this process.

You are using the wrong symbol to explain to IT people, should use "!=" instead, then they will better understand

For some "<>" should be used

It is always safer to netinstall as it formats device.

*) e-mail - fixed missing "from" address for sent e-mails (introduced in v6.44);

Emils

I'm interested how did it happen? What someone had been messing for with e-mail part of ROS?

"Expected more" means 23+ Gb sustained transmission with 190$ device?

No. It's not old thinking.

My net is my castle. Period.

Xymox,

Be responsible ISP/IT company and inform your customers that someone tries to take over their security.

Inform them about pros and cons and explain why you prefer not to jump into that train.

Easy.

Hmmm.... I watched this video and what comes to my eyes is "security manager will configure customers' micornets to be safe/secure etc...." or sth like that ...
Who the ..... is Alice ... opssss ... security manager?

Keeping up with the Simpsons ... let me decide

Frankly speaking: Bartosz ... "sz" pronounced as "sh" in "wash"

How your PC reaches camera?

WAN -> LAN? Is it OK?
LAN -> LAN? OK or not? Look for Harpin NAT.
LAN -> WAN? OK?

CRS are switches not routers. Thay can do routing but they are not designed for routing/natting/mangling heavy traffic. You should look for CCR devices if you want to mostly route or start with AH1100x4 ones. I have installation with AH1100x4 for 50+ users, VPN+IPSec used to access main office share...

Strange ... IPSec works for me

after upgrade 6.43.12 -> 6.44

IPSeced IPIP and GRE tunnels work smooth after upgrade, self-reconnected without problems. Comments still in place.

viewtopic.php?f=21&t=140165
viewtopic.php?f=21&t=137572

Do you really use these public IPs in your configuration?

Be patient. Most of moderators are volunteers so it takes some time to be moderated.

Suspecting that DHCP server mostly warns

A. when device try to renew address when lease is still valid and full DHCP REQUEST-ACK-CONFIRM process is not done
or
B. ROS sees that device is "vanishing" ... I see it in logs when CAPSMAN moves device from one AP or interface to another.

Does not help ... no change .. still receiving warnings

Most users who start threads "Mikrotik hacked...", "My router is unsecured", "Big hole in security of ..." seems to not check forum for security topics Did you try easiest method to look for security problems: https://forum.mikrotik.com/search.php?keywords=vulnerability https://forum.mikrotik.com/se...

If I recall correctly it means that there is NNNN exactly the same consequent messages in the log.

It is my way of "drop it ASAP" 0. if attacker scans us again (is already on the list) then drop it right now. A. check if unwanted port is checked. B. if yes, add attacker to the ban list C. drop all packets coming from attacker list /ip firewall raw add action=accept chain=prerouting dst-port=porto...

It would be convinient to CAPSAM and DHCP to log to log not only MAC address but also HOSTNAME if it is known.
Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping

Uncheck ...
"Always send replies as broadcasts even if destination IP is known. Will add additional load on L2 network."
DHCP broadcast an offer even if device is just deassigned.

For me the problem is with static addresses and seems to be connected with this option which sends offer even if there is no demand for it. Converting dynamic address to static makes this option somehow "checked" even DHCP server has it "unchecked" so if you forgot to uncheck then static reservation...

Before import rename all interfaces in 1009 to names used in 3011. It will make import much easier.

/ip firewall filter
add action=drop chain=input comment=WAN->DNS dst-port=53 in-interface=YOURWAN protocol=udp

Please edit your post and use English

Anav ... should mrz explain again and again and step by step what to do when you are hacked or could expect that autor is aware of https://blog.mikrotik.com/

Search found 1663 matches