Community discussions

Search found 105 matches

by bigcw
Fri Mar 29, 2019 2:24 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 13899

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

That's what security researchers do. Any internet connected device and protocol is studied for such bugs, and finding and fixing them makes everyone safer. Be happy that he found it before the bad guys did. Imagine someone constantly crashing your network and your firewall can't seem to do anything...
by bigcw
Thu Mar 28, 2019 4:19 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 13899

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Let's hope MikroTik can have a build ready with a fix before the full details of this go public...
That is exactly what we are all hoping for. Unfortunately the silence from Mikrotik does not fill me with confidence that they even understand how bad this problem could turn out.
by bigcw
Thu Mar 28, 2019 3:42 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 13899

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Something similar (if not the same) had been already discussed in this forum.
I believe that thread refers to CVE-2018-19298 which is a similar incident. The later one (CVE-2018-19299) is far more sinister.
by bigcw
Thu Mar 28, 2019 3:37 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 13899

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

This is also a new one for me...will be digging into it
In a nutshell, it's a memory exhaustion issue. You send a v6 packet formed in a certain way (which I assume will be revealed on 9th April) to a Mikrotik router and the kernel leaks a bit of memory. When memory runs out the router crashes, I as...
by bigcw
Thu Mar 28, 2019 2:26 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 222
Views: 35404

Re: UKNOF 43 CVE

…and sadly @mikrotik_com continue to stonewall me saying this remote unauthenticated denial of service is a “bug” not a “security vulnerability” — which is probably why they haven’t prioritised it for the last 50 weeks. https://twitter.com/maznu
My point exactly. Marek was kind enough to show me a ...
by bigcw
Thu Mar 28, 2019 2:07 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 222
Views: 35404

Re: UKNOF 43 CVE

I am not convinced that your statement is acceptable, Normis. This is a serious issue that could destroy many businesses and cost millions. Given the gravity of the situation, I would expect at the very least: 1. Reassurance that you are taking the matter seriously (unlike the past year where it has...
by bigcw
Thu Mar 28, 2019 1:57 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 13899

Running IPv6 on Mikrotik? You're out of business in 12 days time

Yes, really, it's that serious! It seems there is a bug in ROS that allows a remote attacker to crash any Mikrotik device if they can access it via v6. Even with firewalling you are still a sitting duck. Mikrotik have known about this for a year and have done nothing to fix it. This information is ...
by bigcw
Thu Mar 28, 2019 1:43 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 222
Views: 35404

Re: UKNOF 43 CVE

I've been talking to Marek (the presenter) this morning. In a nutshell, if you run v6 on a public-facing interface, you're f***ed come 9th April. Every script kiddie out there can remotely crash your router, and do it over and over again. The only solution is to disable ipv6, not even firewalling wi...
by bigcw
Wed Mar 20, 2019 12:47 am
Forum: General
Topic: Is the bridge admin mac "random"?
Replies: 2
Views: 241

Re: Is the bridge admin mac "random"?

Little bit of proof of concept code. Much simpler than the other methods I have seen in the past!
/int bridge add name=getrandom
local mac [ /interface bridge get getrandom mac-address]
local random ([pick $mac 0 2].[pick $mac 3 5].[pick $mac 6 8].[pick $mac 9 11].[pick $mac 12 14].[pick $mac 15 17]...
by bigcw
Wed Mar 20, 2019 12:06 am
Forum: General
Topic: Is the bridge admin mac "random"?
Replies: 2
Views: 241

Is the bridge admin mac "random"?

Reason for asking: I need to generate a random password. It doesn't have to be particularly secure, just different from most of the others There seems to be a few methods of generating random passwords on here but most are lengthy and complicated bits of code. However it looks to me like if a bridge...
by bigcw
Tue Aug 07, 2018 11:20 am
Forum: General
Topic: "crs317 - improved transmit performance between 10G and 1G ports"
Replies: 3
Views: 588

Re: "crs317 - improved transmit performance between 10G and 1G ports"

Usually where there is a large mismatch in speed, the issue is down to lack of buffers. If you have packets arriving at 10 Gbps and need to send to a port that is only 1 Gbps you need to absorb the burst to stop TCP slowing down.
I'm aware of what the issue (likely) was. My question to Mikrotik was...
by bigcw
Mon Aug 06, 2018 3:33 pm
Forum: General
Topic: More hAP AC^2 woes! :(
Replies: 3
Views: 478

Re: More hAP AC^2 woes! :(

Code:

# Strip the vendor prefix from the reported model string: some units
# report "RouterBOARD <model>" (12-character prefix), others "RB<model>"
# (2-character prefix). Abbreviated commands expanded to their full form.
:local model [/system routerboard get model]
:local board
:if ([:pick $model 0 11] = "RouterBOARD") do={
    :set board [:pick $model 12 [:len $model]]
} else={
    :set board [:pick $model 2 [:len $model]]
}
Little workaround for anyone else having the same problem.
by bigcw
Fri Aug 03, 2018 2:31 pm
Forum: General
Topic: More hAP AC^2 woes! :(
Replies: 3
Views: 478

Re: More hAP AC^2 woes! :(

I see that, yes.

But doing string comparison in 'Mikrotik script' is tough. Is there some other thing I can query to determine whether to drop either 12 or 2 chars?

...and why is stuff like this NOT DOCUMENTED?? I've wasted 2-3 hours this morning chasing this problem.
by bigcw
Fri Aug 03, 2018 2:27 pm
Forum: General
Topic: "crs317 - improved transmit performance between 10G and 1G ports"
Replies: 3
Views: 588

Re: "crs317 - improved transmit performance between 10G and 1G ports"

Nobody answered on here, and Mikrotik support (email) refused to give me any help. So last week I put in a maintenance notice to clients and then on Tuesday night at midnight I drove 100 miles to the data centre, messed around with site security, got to the rack where the CRS317 was. At 2am I update...
by bigcw
Fri Aug 03, 2018 2:18 pm
Forum: General
Topic: More hAP AC^2 woes! :(
Replies: 3
Views: 478

More hAP AC^2 woes! :(

So it appears AC^2's report their model differently depending on.... I have no idea... different manufacturing dates perhaps? 2018-08-03 12.13.29.jpg Screen Shot 2018-08-03 at 12.14.17.png Up to now, my script takes the model, drops the first 12 chars, and reports that to my server (via fetch). It n...
by bigcw
Wed Jul 25, 2018 7:42 pm
Forum: General
Topic: Has anyone tried the UART port inside the hAP AC^2?
Replies: 3
Views: 526

Re: Has anyone tried the UART port inside the hAP AC^2?

So the initial problem I was trying to debug has now been solved. But that doesn't explain this question. Why would Mikrotik go out of their way to disable the serial port on the smaller routers? CCR's have them, so I can only assume it is not a security issue. What's so bad about power users who ar...
by bigcw
Wed Jul 25, 2018 7:39 pm
Forum: General
Topic: Netinstall broken for hAP AC2 and/or 6.42.6
Replies: 1
Views: 746

Re: Netinstall broken for hAP AC2 and/or 6.42.6

So I got a reply from Mikrotik support. Posting the results here for anyone else who has this struggle in the future. It appears that scripts are executed prior to the router finishing booting, probably a race condition I guess. As a result, some of the hardware may not be initialised prior to the s...
by bigcw
Wed Jul 25, 2018 5:09 pm
Forum: General
Topic: "crs317 - improved transmit performance between 10G and 1G ports"
Replies: 3
Views: 588

"crs317 - improved transmit performance between 10G and 1G ports"

Hi Mikrotik support "crs317 - improved transmit performance between 10G and 1G ports" ^^ this is a line from the changelog starting from 6.42rc6 and 6.41.1. Are you prepared to provide any more detail on this issue, please? In other words, what symptoms were there that needed to be fixed? Reason for...
by bigcw
Wed Jul 25, 2018 3:54 pm
Forum: General
Topic: Has anyone tried the UART port inside the hAP AC^2?
Replies: 3
Views: 526

Re: Has anyone tried the UART port inside the hAP AC^2?

Hi https://forum.mikrotik.com/viewtopic.php?f=2&t=137238 ^^ this problem. I have also emailed support about it (ticket ID 2018072522004283, currently unanswered) The problem with debugging any netinstall problems is that, if the script does not run for some reason and therefore there is no IP addres...
by bigcw
Wed Jul 25, 2018 3:46 pm
Forum: General
Topic: Has anyone tried the UART port inside the hAP AC^2?
Replies: 3
Views: 526

Has anyone tried the UART port inside the hAP AC^2?

As subject, I need to debug netinstall, and there is no way to do that without a serial port. Has anyone tried soldering on to the internal UART header in the hAP AC^2? Does it work? I've tried this before, I think on a hAP AC Lite, and the port is disabled somehow which is why I am asking if the sa...
by bigcw
Wed Jul 25, 2018 2:23 am
Forum: General
Topic: Netinstall broken for hAP AC2 and/or 6.42.6
Replies: 1
Views: 746

Netinstall broken for hAP AC2 and/or 6.42.6

Is anyone else having issues with hAP AC2 and Netinstall and/or 6.42.6 and Netinstall? I've got the simplest possible .rsc file for testing with:
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip address add address=10.0.0.1/30 interface=ether2 network=1...
by bigcw
Wed Apr 25, 2018 3:14 pm
Forum: SwOS
Topic: Firmware update 260GS
Replies: 4
Views: 975

Re: Firmware update 260GS

Thanks. Now you say it I think I recall reading about the MAC address thing somewhere.
by bigcw
Tue Apr 24, 2018 12:24 pm
Forum: SwOS
Topic: Firmware update 260GS
Replies: 4
Views: 975

Re: Firmware update 260GS

Thanks, I guessed that may be the case from the 'new' word on the firmware download page. Also seems that both my UK suppliers only list one type of 260GS and 260GSP which is equally confusing. Any idea where I can download 1.17 from? Hoping it supports configuring the switch IP via DHCP, or at the ...
by bigcw
Tue Apr 24, 2018 1:28 am
Forum: SwOS
Topic: Firmware update 260GS
Replies: 4
Views: 975

Firmware update 260GS

Can anyone point me in the right direction to update firmware in an RB260GS. I am on 1.16 at the moment; it seems the latest SwOS is 2.7, but there are only versions for the 'new RB260GS' which I guess mine isn't as, according to the switch, the firmware file is invalid. It is probably only 6 months...
by bigcw
Tue Apr 03, 2018 12:27 pm
Forum: General
Topic: Authentication with parent proxy
Replies: 4
Views: 938

Re: Authentication with parent proxy

Or there has to be a lot of people who want some feature. And even that doesn't always work.
That is definitely the truth!
by bigcw
Mon Apr 02, 2018 11:44 pm
Forum: General
Topic: Authentication with parent proxy
Replies: 4
Views: 938

Re: Authentication with parent proxy

It's a year since the original post. Just wondered if Mikrotik had any intention to add this feature? Seems like a pretty simple thing to do to me....
by bigcw
Wed Mar 21, 2018 1:31 pm
Forum: RouterBOARD hardware
Topic: Can the CRS317 do LAG in hardware yet?
Replies: 3
Views: 524

Re: Can the CRS317 do LAG in hardware yet?

Thanks. I was trying to avoid using an 'rc' version in production. Can you give any clue as to when 6.42 will be released?
by bigcw
Wed Mar 21, 2018 12:33 pm
Forum: RouterBOARD hardware
Topic: Can the CRS317 do LAG in hardware yet?
Replies: 3
Views: 524

Can the CRS317 do LAG in hardware yet?

Mikrotik stated last year that the CRS317 cannot do LAG in hardware when using RouterOS: https://forum.mikrotik.com/viewtopic.php?t=120500#p608992 I don't see any mention of a change in the changelog. Has this problem been resolved yet? If so, is any guidance available for configuring it? Thanks, Ch...
by bigcw
Wed Mar 21, 2018 12:27 pm
Forum: General
Topic: Routerboard firmware WTF?
Replies: 5
Views: 833

Re: Routerboard firmware WTF?

Apart from the one I linked in my original post you mean? The one with the page name 'RouterBOOT Changelog'....?

https://wiki.mikrotik.com/wiki/RouterBOOT_changelog
by bigcw
Tue Mar 20, 2018 1:12 am
Forum: General
Topic: Routerboard firmware WTF?
Replies: 5
Views: 833

Re: Routerboard firmware WTF?

Thanks. However do you not think it would have been logical to note this in the RouterBOOT changelog given that this was the component that had changed?
by bigcw
Mon Mar 19, 2018 7:44 pm
Forum: General
Topic: Routerboard firmware WTF?
Replies: 5
Views: 833

Routerboard firmware WTF?

Hi everyone Really not sure WTF is going on with my Routerboard firmware. In a nutshell, I have two CRS317s in service and a third in the lab. The two in service claim they have v 3.40 running and can upgrade to 3.43. I can't actually do the upgrade at present as I will have to schedule an outage wit...
by bigcw
Wed Dec 20, 2017 9:00 pm
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 17
Views: 1560

Re: CCR1009 maxes out at 2gbps?

Looks good!
Did you also separate the input and output over the 2 different SFP+ or is it still using a VLAN setup?
Yes, we now have WAN and LAN on separate SFP+. Not seeing any improvement so far unfortunately.
by bigcw
Fri Dec 15, 2017 12:26 pm
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 17
Views: 1560

Re: CCR1009 maxes out at 2gbps?

/ip firewall connections print count-only where srcnat=yes
When you omit the "count-only" parameter, you will see all connections in a list.
Thanks for that, Chris
We replaced the 1009 with a 1036 2S+ yesterday afternoon. CPU load already massively reduced (as expected as it has 3x as many cores!)....
by bigcw
Mon Dec 11, 2017 12:32 pm
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 17
Views: 1560

Re: CCR1009 maxes out at 2gbps?

Mikrotik support: is there any way of seeing how many NAT sessions are open?

Chris
by bigcw
Mon Dec 11, 2017 11:41 am
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 17
Views: 1560

Re: CCR1009 maxes out at 2gbps?

Some data collected last night. Note that a tweak in the client access network has allowed us to squeeze a bit more performance out of it (around 2.8gbps max) but there is definitely a 'flat top' to the graph which suggests to me that something is being pushed to its limit somewhere in the network.
by bigcw
Mon Dec 11, 2017 11:24 am
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 17
Views: 1560

Re: CCR1009 maxes out at 2gbps?

So the wan is sfp+ , how many LAN ports are you using for client traffic? If you are using 2 ports=2gbps
Everything is on the SFP+. It is done with two VLANs; clients in one and WAN in the other.
Of course he could get a CCR1036 instead.
Here's the thing: the CPU is nowhere near max'ed out on the 1...
by bigcw
Sat Dec 09, 2017 2:55 pm
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 17
Views: 1560

CCR1009 maxes out at 2gbps?

Using a CCR1009-7G-1C-1S+ in a large NAT scenario. Basically a big version of a home router with around 5,000 subscribers behind it. DHCP, DNS, etc all handled elsewhere, the CCR just does the NAT. It has a /27 of public IPs on it and NAT rules to spread the subscribers between those to avoid runnin...
by bigcw
Sat Dec 02, 2017 3:45 pm
Forum: General
Topic: VLAN IP on CRS317
Replies: 2
Views: 414

Re: VLAN IP on CRS317

Not to worry, I figured it out! :) For anyone reading in the future, you have to add the bridge itself as a tagged interface in the VLAN. eg:
/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfpplus1,sfpplus2,sfpplus16 vlan-ids=24
^^^^^^^ here
Chris
by bigcw
Sat Dec 02, 2017 3:19 pm
Forum: General
Topic: VLAN IP on CRS317
Replies: 2
Views: 414

VLAN IP on CRS317

Hi Can someone check I am not doing something silly, please. I can't get a CRS317 to respond to an IP in a bridged VLAN. Here are the relevant bits of config: As above, it is a CRS317 running RouterOS 'rc' version to enable hardware vlan filtering. I want it to respond on 172.31.9.8 on vlan 24 but d...
by bigcw
Fri Sep 15, 2017 3:38 pm
Forum: General
Topic: Path MTU discovery
Replies: 2
Views: 1489

Re: Path MTU discovery

That's great, but I want to do it on the router itself. Wrote a script...
:local yes
:local no
:local test
#Set upper and lower test limits below
:set yes 1000
:set no 1550
while (($no-$yes) > 1) do={
:set test (($no-$yes)/2 + $yes)
if ([/ping **YOUR TEST IP HERE** do-not-fragment count=1 size=$test...
by bigcw
Fri Sep 15, 2017 2:16 pm
Forum: General
Topic: Path MTU discovery
Replies: 2
Views: 1489

Path MTU discovery

Is there a built in tool to discover the path MTU?

If not, has anyone written a script to do it?

(At present I do it manually by doing /ping <ip> do-not-fragment count=1 size=1500 then decrementing size until I see a ping returned)

Chris
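The search the two posts above describe (manually decrementing the ping size until a reply comes back, and the script that bisects between a size known to pass and one known to fail) written out in Python, as an added example that is not part of the thread. It assumes sizes are total IPv4 packet sizes, which is what RouterOS's `/ping size=` counts (its minimum is 28, the IP plus ICMP headers), and that the system `ping` takes Linux iputils flags; the constructed `simulated_path` stands in for a real path so the search can be exercised offline.

```python
"""Path MTU discovery by bisection over don't-fragment probes.

Added example; not code from the forum thread. The thread's RouterOS script
keeps a size known to pass ($yes = 1000) and one known to fail ($no = 1550)
and probes the midpoint until they are one apart. The same search is written
here with the probe abstracted so it can run against a constructed path
(offline) or against a real host through the local ping binary.

Sizes throughout are total IPv4 packet sizes, which is what RouterOS's
"/ping size=" counts (its minimum is 28, the IP + ICMP headers). Linux
iputils "ping -s" takes the ICMP payload only, so 28 is subtracted there.
"""
import shutil
import subprocess
from typing import Callable, List, Optional

IP_PLUS_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

Probe = Callable[[int], bool]  # probe(total_packet_size) -> True if the echo came back


def find_largest_passing_size(probe: Probe, lo: int = 1000, hi: int = 1550) -> int:
    """Largest packet size in [lo, hi] that passes, found by bisection.

    Only valid if passing is monotonic in size (a packet that fits implies
    every smaller packet fits), which holds for a fixed path MTU.
    """
    if lo >= hi:
        raise ValueError("need lo < hi")
    if not probe(lo):
        raise ValueError(f"size {lo} already fails; lower the lower bound")
    if probe(hi):
        return hi  # whole range fits; the real limit is above hi
    yes, no = lo, hi  # invariant: probe(yes) passed, probe(no) failed
    while no - yes > 1:
        mid = (yes + no) // 2
        if probe(mid):
            yes = mid
        else:
            no = mid
    return yes


def simulated_path(path_mtu: int, calls: Optional[List[int]] = None) -> Probe:
    """Constructed stand-in for a network path: a DF packet passes iff it fits
    the MTU. If `calls` is given, every probed size is appended to it."""
    def probe(size: int) -> bool:
        if calls is not None:
            calls.append(size)
        return size <= path_mtu
    return probe


def ping_path(host: str, timeout_s: int = 1) -> Probe:
    """Probe through the system ping with the DF bit set.

    Assumes Linux iputils flags (-M do, -s payload, -c, -W); other platforms
    differ (macOS uses -D), so adjust before using elsewhere."""
    if shutil.which("ping") is None:
        raise RuntimeError("ping binary not found")

    def probe(size: int) -> bool:
        payload = size - IP_PLUS_ICMP_HEADERS  # ping -s wants ICMP payload bytes
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
               "-s", str(payload), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(find_largest_passing_size(ping_path(sys.argv[1])))
    else:
        probed: List[int] = []
        mtu = find_largest_passing_size(simulated_path(1492, probed))
        print(mtu, "after", len(probed), "probes")
```

Over the 1000..1550 range the bisection needs eleven probes (two to check the bounds, nine to narrow the interval) where decrementing one byte at a time from 1500 could take several hundred; the bound checks also catch the case the script does not, where the path MTU lies outside the chosen limits.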
by bigcw
Mon Sep 04, 2017 1:26 am
Forum: General
Topic: Netinstall broken (start up very slow) after v6.37.3
Replies: 4
Views: 914

Re: Netinstall broken (start up very slow) after v6.37.3

Can you provide your configure script? When do you stop time tracker? Does it happen when router get IP address from server? How fast is device accessible through Layer2 after Netinstall process?
I don't really want to share the configure script in public but quite happy to send to Mikrotik support...
by bigcw
Wed Aug 30, 2017 9:46 pm
Forum: General
Topic: Netinstall broken (start up very slow) after v6.37.3
Replies: 4
Views: 914

Re: Netinstall broken (start up very slow) after v6.37.3

That makes sense. But 4 minutes? That sounds very long even on the 650MHz processor in the hAP Lite.

Also it doesn't happen if you don't use a configure script. Does that somehow bypass the key generation? (surely not)
by bigcw
Tue Aug 29, 2017 1:08 pm
Forum: General
Topic: Netinstall broken (start up very slow) after v6.37.3
Replies: 4
Views: 914

Netinstall broken (start up very slow) after v6.37.3

Hi everyone You may have gathered if you have read any of my previous posts that we deploy a lot of Mikrotik as CPE (hAP Lite and hAP AC Lite mainly). To do this we use netinstall to put a basic config onto the router which connects to our config server and pulls the rest of the data. This is done s...
by bigcw
Fri Aug 25, 2017 2:13 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Hardware suggestion
Replies: 2
Views: 905

Hardware suggestion

Not sure if this is the best area of the forum to suggest a hardware 'feature', but here goes anyway. My company is deploying a FTTP technology at present, ie pure fibre optic cable directly to consumer homes. We searched long and hard for a suitable CPE to use. I really wanted to use a Mikrotik hAP...
by bigcw
Thu Aug 24, 2017 7:34 pm
Forum: General
Topic: Mass netinstall
Replies: 7
Views: 975

Re: Mass netinstall

It may well be that ignoring this recommendation and putting both of them on a live network may break things.
I've always run netinstall on a local network. It doesn't break dhcp in my experience.
by bigcw
Tue Aug 22, 2017 10:45 pm
Forum: General
Topic: Mass netinstall
Replies: 7
Views: 975

Re: Mass netinstall

My guess would be that it doesn't use dhcp as otherwise other hosts on the network would break whilst netinstall was running.

Having said that, perhaps it does use dhcp but only responds to Mikrotik MAC addresses? But even then it would potentially break other routers on the network.
by bigcw
Tue Aug 22, 2017 4:02 pm
Forum: General
Topic: Mass netinstall
Replies: 7
Views: 975

Mass netinstall

Hi all We are deploying around 200-250 routers per week at present with our own config 'netinstalled' on them (so if the customer does a factory reset it does not break the router). Currently we netinstall them one at a time using the Mikrotik supplied software, so each router has to be plugged in, ...
by bigcw
Sat Apr 22, 2017 1:37 pm
Forum: General
Topic: Slow routing table performance - please share your experiences
Replies: 4
Views: 1424

Re: Slow routing table performance - please share your experiences

Nobody else seeing issues with this? Surely I can't be the only one....
by bigcw
Mon Apr 10, 2017 3:17 pm
Forum: General
Topic: Bank Statement import billing
Replies: 6
Views: 623

Re: Bank Statement import billing

Seeing your location in South Africa probably means this isn't relevant to you... but nevertheless... I rolled my own accounts system and we now use it across four companies. It plugs in to everything required to automate the vast majority of my billing, including time-based (eg monthly subscription...