Community discussions

Search found 105 matches

by bigcw
Fri Mar 29, 2019 2:24 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 15488

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

That's what security researchers do. Any internet connected device and protocol is studied for such bugs, and finding and fixing them makes everyone safer. Be happy that he found it before the bad guys did. Imagine someone constantly crashing your network and your firewall can't seem to do anything...
by bigcw
Thu Mar 28, 2019 4:19 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 15488

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Let's hope MikroTik can have a build ready with a fix before the full details of this go public...
That is exactly what we are all hoping for. Unfortunately the silence from Mikrotik does not fill me with confidence that they even understand how bad this problem could turn out.
by bigcw
Thu Mar 28, 2019 3:42 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 15488

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Something similar (if not the same) had been already discussed in this forum.
I believe that thread refers to CVE-2018-19298 which is a similar incident. The later one (CVE-2018-19299) is far more sinister.
by bigcw
Thu Mar 28, 2019 3:37 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 15488

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

This is also a new one for me...will be digging into it
In a nutshell, it's a memory exhaustion issue. You send a v6 packet formed in a certain way (which I assume will be revealed on 9th April) to a Mikrotik router and the kernel leaks a bit of memory. When memory runs out the router crashes, I as...
by bigcw
Thu Mar 28, 2019 2:26 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40230

Re: UKNOF 43 CVE

…and sadly @mikrotik_com continue to stonewall me saying this remote unauthenticated denial of service is a “bug” not a “security vulnerability” — which is probably why they haven’t prioritised it for the last 50 weeks. https://twitter.com/maznu
My point exactly. Marek was kind enough to show me a ...
by bigcw
Thu Mar 28, 2019 2:07 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40230

Re: UKNOF 43 CVE

I am not convinced that your statement is acceptable, Normis. This is a serious issue that could destroy many businesses and cost millions. Given the gravity of the situation, I would expect at the very least:
1. Reassurance that you are taking the matter seriously (unlike the past year where it has...
by bigcw
Thu Mar 28, 2019 1:57 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 15488

Running IPv6 on Mikrotik? You're out of business in 12 days time

Yes, really, it's that serious! It seems there is a bug in ROS that allows a remote attacker to crash any Mikrotik device if they can access it via v6. Even with firewalling you are still a sitting duck. Mikrotik have known about this for a year and have done nothing to fix it. This information is ...
by bigcw
Thu Mar 28, 2019 1:43 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40230

Re: UKNOF 43 CVE

I've been talking to Marek (the presenter) this morning. In a nutshell, if you run v6 on a public-facing interface, you're f***ed come 9th April. Every script kiddie out there can remotely crash your router, and do it over and over again. The only solution is to disable ipv6, not even firewalling wi...
by bigcw
Wed Mar 20, 2019 12:47 am
Forum: General
Topic: Is the bridge admin mac "random"?
Replies: 2
Views: 388

Re: Is the bridge admin mac "random"?

Little bit of proof of concept code. Much simpler than the other methods I have seen in the past!
/interface bridge add name=getrandom
:local mac [/interface bridge get getrandom mac-address]
:local random ([:pick $mac 0 2].[:pick $mac 3 5].[:pick $mac 6 8].[:pick $mac 9 11].[:pick $mac 12 14].[:pick $mac 15 17]...
by bigcw
Wed Mar 20, 2019 12:06 am
Forum: General
Topic: Is the bridge admin mac "random"?
Replies: 2
Views: 388

Is the bridge admin mac "random"?

Reason for asking: I need to generate a random password. It doesn't have to be particularly secure, just different from most of the others There seems to be a few methods of generating random passwords on here but most are lengthy and complicated bits of code. However it looks to me like if a bridge...
by bigcw
Tue Aug 07, 2018 11:20 am
Forum: General
Topic: "crs317 - improved transmit performance between 10G and 1G ports"
Replies: 3
Views: 726

Re: "crs317 - improved transmit performance between 10G and 1G ports"

Usually where there is a large mismatch in speed, the issue is down to lack of buffers. If you have packets arriving at 10 Gbps and need to send to a port that is only 1 Gbps you need to absorb the burst to stop TCP slowing down.
I'm aware of what the issue (likely) was. My question to Mikrotik was...
by bigcw
Mon Aug 06, 2018 3:33 pm
Forum: General
Topic: More hAP AC^2 woes! :(
Replies: 3
Views: 556

Re: More hAP AC^2 woes! :(

Code:

:local model [/system routerboard get model]
:local board
:if ([:pick $model 0 11] = "RouterBOARD") do={
    # model string starts with "RouterBOARD ": drop the 12-character prefix
    :set board [:pick $model 12 [:len $model]]
} else={
    # model string carries a 2-character prefix instead: drop that
    :set board [:pick $model 2 [:len $model]]
}
Little workaround for anyone else having the same problem.
by bigcw
Fri Aug 03, 2018 2:31 pm
Forum: General
Topic: More hAP AC^2 woes! :(
Replies: 3
Views: 556

Re: More hAP AC^2 woes! :(

I see that, yes.

But doing string comparison in 'Mikrotik script' is tough. Is there some other thing I can query to determine whether to drop either 12 or 2 chars?

...and why is stuff like this NOT DOCUMENTED?? I've wasted 2-3 hours this morning chasing this problem.
by bigcw
Fri Aug 03, 2018 2:27 pm
Forum: General
Topic: "crs317 - improved transmit performance between 10G and 1G ports"
Replies: 3
Views: 726

Re: "crs317 - improved transmit performance between 10G and 1G ports"

Nobody answered on here, and Mikrotik support (email) refused to give me any help. So last week I put in a maintenance notice to clients and then on Tuesday night at midnight I drove 100 miles to the data centre, messed around with site security, got to the rack where the CRS317 was. At 2am I update...
by bigcw
Fri Aug 03, 2018 2:18 pm
Forum: General
Topic: More hAP AC^2 woes! :(
Replies: 3
Views: 556

More hAP AC^2 woes! :(

So it appears AC^2's report their model differently depending on.... I have no idea... different manufacturing dates perhaps? (attached screenshots: 2018-08-03 12.13.29.jpg, Screen Shot 2018-08-03 at 12.14.17.png) Up to now, my script takes the model, drops the first 12 chars, and reports that to my server (via fetch). It n...
by bigcw
Wed Jul 25, 2018 7:42 pm
Forum: General
Topic: Has anyone tried the UART port inside the hAP AC^2?
Replies: 3
Views: 760

Re: Has anyone tried the UART port inside the hAP AC^2?

So the initial problem I was trying to debug has now been solved. But that doesn't explain this question. Why would Mikrotik go out of their way to disable the serial port on the smaller routers? CCR's have them, so I can only assume it is not a security issue. What's so bad about power users who ar...
by bigcw
Wed Jul 25, 2018 7:39 pm
Forum: General
Topic: Netinstall broken for hAP AC2 and/or 6.42.6
Replies: 1
Views: 1122

Re: Netinstall broken for hAP AC2 and/or 6.42.6

So I got a reply from Mikrotik support. Posting the results here for anyone else who has this struggle in the future. It appears that scripts are executed prior to the router finishing booting, probably a race condition I guess. As a result, some of the hardware may not be initialised prior to the s...
by bigcw
Wed Jul 25, 2018 5:09 pm
Forum: General
Topic: "crs317 - improved transmit performance between 10G and 1G ports"
Replies: 3
Views: 726

"crs317 - improved transmit performance between 10G and 1G ports"

Hi Mikrotik support
"crs317 - improved transmit performance between 10G and 1G ports"
^^ this is a line from the changelog starting from 6.42rc6 and 6.41.1. Are you prepared to provide any more detail on this issue, please? In other words, what symptoms were there that needed to be fixed? Reason for...
by bigcw
Wed Jul 25, 2018 3:54 pm
Forum: General
Topic: Has anyone tried the UART port inside the hAP AC^2?
Replies: 3
Views: 760

Re: Has anyone tried the UART port inside the hAP AC^2?

Hi
https://forum.mikrotik.com/viewtopic.php?f=2&t=137238
^^ this problem. I have also emailed support about it (ticket ID 2018072522004283, currently unanswered) The problem with debugging any netinstall problems is that, if the script does not run for some reason and therefore there is no IP addres...
by bigcw
Wed Jul 25, 2018 3:46 pm
Forum: General
Topic: Has anyone tried the UART port inside the hAP AC^2?
Replies: 3
Views: 760

Has anyone tried the UART port inside the hAP AC^2?

As subject, I need to debug netinstall, and there is no way to do that without a serial port. Has anyone tried soldering on to the internal UART header in the hAP AC^2? Does it work? I've tried this before, I think on a hAP AC Lite, and the port is disabled somehow which is why I am asking if the sa...
by bigcw
Wed Jul 25, 2018 2:23 am
Forum: General
Topic: Netinstall broken for hAP AC2 and/or 6.42.6
Replies: 1
Views: 1122

Netinstall broken for hAP AC2 and/or 6.42.6

Is anyone else having issues with hAP AC2 and Netinstall and/or 6.42.6 and Netinstall? I've got the simplest possible .rsc file for testing with:
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip address add address=10.0.0.1/30 interface=ether2 network=1...
by bigcw
Wed Apr 25, 2018 3:14 pm
Forum: SwOS
Topic: Firmware update 260GS
Replies: 4
Views: 1204

Re: Firmware update 260GS

Thanks. Now you say it I think I recall reading about the MAC address thing somewhere.
by bigcw
Tue Apr 24, 2018 12:24 pm
Forum: SwOS
Topic: Firmware update 260GS
Replies: 4
Views: 1204

Re: Firmware update 260GS

Thanks, I guessed that may be the case from the 'new' word on the firmware download page. Also seems that both my UK suppliers only list one type of 260GS and 260GSP which is equally confusing. Any idea where I can download 1.17 from? Hoping it supports configuring the switch IP via DHCP, or at the ...
by bigcw
Tue Apr 24, 2018 1:28 am
Forum: SwOS
Topic: Firmware update 260GS
Replies: 4
Views: 1204

Firmware update 260GS

Can anyone point me in the right direction to update firmware in an RB260GS. I am on 1.16 at the moment; it seems the latest SwOS is 2.7, but there are only versions for the 'new RB260GS' which I guess mine isn't as, according to the switch, the firmware file is invalid. It is probably only 6 months...
by bigcw
Tue Apr 03, 2018 12:27 pm
Forum: General
Topic: Authentication with parent proxy
Replies: 4
Views: 1113

Re: Authentication with parent proxy

Or there has to be a lot of people who want some feature. And even that doesn't always work.
That is definitely the truth!
by bigcw
Mon Apr 02, 2018 11:44 pm
Forum: General
Topic: Authentication with parent proxy
Replies: 4
Views: 1113

Re: Authentication with parent proxy

It's a year since the original post. Just wondered if Mikrotik had any intention to add this feature? Seems like a pretty simple thing to do to me....
by bigcw
Wed Mar 21, 2018 1:31 pm
Forum: RouterBOARD hardware
Topic: Can the CRS317 do LAG in hardware yet?
Replies: 3
Views: 660

Re: Can the CRS317 do LAG in hardware yet?

Thanks. I was trying to avoid using an 'rc' version in production. Can you give any clue as to when 6.42 will be released?
by bigcw
Wed Mar 21, 2018 12:33 pm
Forum: RouterBOARD hardware
Topic: Can the CRS317 do LAG in hardware yet?
Replies: 3
Views: 660

Can the CRS317 do LAG in hardware yet?

Mikrotik stated last year that the CRS317 cannot do LAG in hardware when using RouterOS: https://forum.mikrotik.com/viewtopic.php?t=120500#p608992 I don't see any mention of a change in the changelog. Has this problem been resolved yet? If so, is any guidance available for configuring it? Thanks, Ch...
by bigcw
Wed Mar 21, 2018 12:27 pm
Forum: General
Topic: Routerboard firmware WTF?
Replies: 5
Views: 997

Re: Routerboard firmware WTF?

Apart from the one I linked in my original post you mean? The one with the page name 'RouterBOOT Changelog'....?

https://wiki.mikrotik.com/wiki/RouterBOOT_changelog
by bigcw
Tue Mar 20, 2018 1:12 am
Forum: General
Topic: Routerboard firmware WTF?
Replies: 5
Views: 997

Re: Routerboard firmware WTF?

Thanks. However do you not think it would have been logical to note this in the RouterBOOT changelog given that this was the component that had changed?
by bigcw
Mon Mar 19, 2018 7:44 pm
Forum: General
Topic: Routerboard firmware WTF?
Replies: 5
Views: 997

Routerboard firmware WTF?

Hi everyone Really not sure WTF is going on with my Routerboard firmware. In a nutshell, I have two CRS317s in service and a third in the lab. The two in service claim they have v 3.40 running and can upgrade to 3.43. I can't actually do the upgrade at present as I will have to schedule an outage wit...
by bigcw
Wed Dec 20, 2017 9:00 pm
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 26
Views: 2718

Re: CCR1009 maxes out at 2gbps?

Looks good!
Did you also separate the input and output over the 2 different SFP+ or is it still using a VLAN setup?
Yes, we now have WAN and LAN on separate SFP+. Not seeing any improvement so far unfortunately.
by bigcw
Fri Dec 15, 2017 12:26 pm
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 26
Views: 2718

Re: CCR1009 maxes out at 2gbps?

/ip firewall connections print count-only where srcnat=yes
When you omit the "count-only" parameter, you will see all connections in a list.
Thanks for that, Chris. We replaced the 1009 with a 1036 2S+ yesterday afternoon. CPU load already massively reduced (as expected as it has 3x as many cores!)....
by bigcw
Mon Dec 11, 2017 12:32 pm
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 26
Views: 2718

Re: CCR1009 maxes out at 2gbps?

Mikrotik support: is there any way of seeing how many NAT sessions are open?

Chris
by bigcw
Mon Dec 11, 2017 11:41 am
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 26
Views: 2718

Re: CCR1009 maxes out at 2gbps?

Some data collected last night. Note that a tweak in the client access network has allowed us to squeeze a bit more performance out of it (around 2.8gbps max) but there is definitely a 'flat top' to the graph which suggests to me that something is being pushed to its limit somewhere in the network.
by bigcw
Mon Dec 11, 2017 11:24 am
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 26
Views: 2718

Re: CCR1009 maxes out at 2gbps?

So the wan is sfp+ , how many LAN ports are you using for client traffic? If you are using 2 ports=2gbps
Everything is on the SFP+. It is done with two VLANs; clients in one and WAN in the other.
Of course he could get a CCR1036 instead.
Here's the thing: the CPU is nowhere near max'ed out on the 1...
by bigcw
Sat Dec 09, 2017 2:55 pm
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 26
Views: 2718

CCR1009 maxes out at 2gbps?

Using a CCR1009-7G-1C-1S+ in a large NAT scenario. Basically a big version of a home router with around 5,000 subscribers behind it. DHCP, DNS, etc all handled elsewhere, the CCR just does the NAT. It has a /27 of public IPs on it and NAT rules to spread the subscribers between those to avoid runnin...
by bigcw
Sat Dec 02, 2017 3:45 pm
Forum: General
Topic: VLAN IP on CRS317
Replies: 2
Views: 507

Re: VLAN IP on CRS317

Not to worry, I figured it out! :) For anyone reading in the future, you have to add the bridge itself as a tagged interface in the VLAN. eg:
/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfpplus1,sfpplus2,sfpplus16 vlan-ids=24
                                                 ^^^^^^^ here
Chris
by bigcw
Sat Dec 02, 2017 3:19 pm
Forum: General
Topic: VLAN IP on CRS317
Replies: 2
Views: 507

VLAN IP on CRS317

Hi Can someone check I am not doing something silly, please. I can't get a CRS317 to respond to an IP in a bridged VLAN. Here are the relevant bits of config: As above, it is a CRS317 running RouterOS 'rc' version to enable hardware vlan filtering. I want it to respond on 172.31.9.8 on vlan 24 but d...
by bigcw
Fri Sep 15, 2017 3:38 pm
Forum: General
Topic: Path MTU discovery
Replies: 2
Views: 1849

Re: Path MTU discovery

That's great, but I want to do it on the router itself. Wrote a script...
:local yes
:local no
:local test
# Set upper and lower test limits below
:set yes 1000
:set no 1550
:while (($no-$yes) > 1) do={
    :set test (($no-$yes)/2 + $yes)
    :if ([/ping **YOUR TEST IP HERE** do-not-fragment count=1 size=$test...
by bigcw
Fri Sep 15, 2017 2:16 pm
Forum: General
Topic: Path MTU discovery
Replies: 2
Views: 1849

Path MTU discovery

Is there a built in tool to discover the path MTU?

If not, has anyone written a script to do it?

(At present I do it manually by doing /ping <ip> do-not-fragment count=1 size=1500 then decrementing size until I see a ping returned)

Chris
by bigcw
Mon Sep 04, 2017 1:26 am
Forum: General
Topic: Netinstall broken (start up very slow) after v6.37.3
Replies: 4
Views: 1009

Re: Netinstall broken (start up very slow) after v6.37.3

Can you provide your configure script? When do you stop time tracker? Does it happen when router get IP address from server? How fast is device accessible through Layer2 after Netinstall process?
I don't really want to share the configure script in public but quite happy to send to Mikrotik support...
by bigcw
Wed Aug 30, 2017 9:46 pm
Forum: General
Topic: Netinstall broken (start up very slow) after v6.37.3
Replies: 4
Views: 1009

Re: Netinstall broken (start up very slow) after v6.37.3

That makes sense. But 4 minutes? That sounds very long even on the 650MHz processor in the hAP Lite.

Also it doesn't happen if you don't use a configure script. Does that somehow bypass the key generation? (surely not)
by bigcw
Tue Aug 29, 2017 1:08 pm
Forum: General
Topic: Netinstall broken (start up very slow) after v6.37.3
Replies: 4
Views: 1009

Netinstall broken (start up very slow) after v6.37.3

Hi everyone You may have gathered if you have read any of my previous posts that we deploy a lot of Mikrotik as CPE (hAP Lite and hAP AC Lite mainly). To do this we use netinstall to put a basic config onto the router which connects to our config server and pulls the rest of the data. This is done s...
by bigcw
Fri Aug 25, 2017 2:13 pm
Forum: General
Topic: Hardware suggestion
Replies: 2
Views: 1048

Hardware suggestion

Not sure if this is the best area of the forum to suggest a hardware 'feature', but here goes anyway. My company is deploying a FTTP technology at present, ie pure fibre optic cable directly to consumer homes. We searched long and hard for a suitable CPE to use. I really wanted to use a Mikrotik hAP...
by bigcw
Thu Aug 24, 2017 7:34 pm
Forum: General
Topic: Mass netinstall
Replies: 7
Views: 1184

Re: Mass netinstall

It may well be that ignoring this recommendation and putting both of them on a live network may break things.
I've always run netinstall on a local network. It doesn't break dhcp in my experience.
by bigcw
Tue Aug 22, 2017 10:45 pm
Forum: General
Topic: Mass netinstall
Replies: 7
Views: 1184

Re: Mass netinstall

My guess would be that it doesn't use dhcp as otherwise other hosts on the network would break whilst netinstall was running.

Having said that, perhaps it does use dhcp but only responds to Mikrotik MAC addresses? But even then it would potentially break other routers on the network.
by bigcw
Tue Aug 22, 2017 4:02 pm
Forum: General
Topic: Mass netinstall
Replies: 7
Views: 1184

Mass netinstall

Hi all We are deploying around 200-250 routers per week at present with our own config 'netinstalled' on them (so if the customer does a factory reset it does not break the router). Currently we netinstall them one at a time using the Mikrotik supplied software, so each router has to be plugged in, ...
by bigcw
Sat Apr 22, 2017 1:37 pm
Forum: General
Topic: Slow routing table performance - please share your experiences
Replies: 4
Views: 1625

Re: Slow routing table performance - please share your experiences

Nobody else seeing issues with this? Surely I can't be the only one....
by bigcw
Mon Apr 10, 2017 3:17 pm
Forum: General
Topic: Bank Statement import billing
Replies: 6
Views: 752

Re: Bank Statement import billing

Seeing your location in South Africa probably means this isn't relevant to you... but nevertheless... I rolled my own accounts system and we now use it across four companies. It plugs in to everything required to automate the vast majority of my billing, including time-based (eg monthly subscription...
by bigcw
Mon Apr 10, 2017 1:28 pm
Forum: General
Topic: Slow routing table performance - please share your experiences
Replies: 4
Views: 1625

Slow routing table performance - please share your experiences

Hi everyone Hoping that some of you will share your experiences of big routing tables on Mikrotik and the issues that they cause. I am trying to make a decision as to whether to stick with the MT platform (upgrade a bunch of routers) or find something else. So for me the two biggest limitations of t...
by bigcw
Wed Mar 22, 2017 3:39 pm
Forum: Beginner Basics
Topic: amazon fire tv not getting dhcp address after lease expires on mikrotik router
Replies: 39
Views: 8186

Re: amazon fire tv not getting dhcp address after lease expires on mikrotik router

Replying to my own thread... I've bought a Fire TV as I was getting so many customer complaints and wanted to replicate the problem for myself. Yes this does seem to be DHCP related; the problem goes away if you set a static IP. From what I can see, the DHCP lease expires and the Fire TV renews it a...
by bigcw
Wed Mar 22, 2017 1:07 pm
Forum: Beginner Basics
Topic: amazon fire tv not getting dhcp address after lease expires on mikrotik router
Replies: 39
Views: 8186

Re: amazon fire tv not getting dhcp address after lease expires on mikrotik router

This thread has not been updated for some time, does anyone have an update on the situation? I am having customers complain of the same issue.

Chris
by bigcw
Sat Mar 18, 2017 12:13 am
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 45697

Re: Statement on Vault 7 document release

+1 good idea, on the Shell access, and couldn't agree more on the DNS server issue.
As I understand it, if you want a shell on Mikrotik, wait for the code mentioned in vault7 to be released. That seems to do exactly what you want!
by bigcw
Wed Mar 15, 2017 4:07 pm
Forum: Wireless Networking
Topic: Why would a wireless interface be enabled but not running?
Replies: 1
Views: 4663

Why would a wireless interface be enabled but not running?

Bit of a strange one that I am seeing on 952Ui-5ac2nD. We have around 250 in service as CPE and they are randomly doing it. Customers report this as the wifi has stopped working. When I log in to the router's console the wireless interfaces are enabled (ie 'not disabled') but are not running ie no R...
by bigcw
Mon Mar 13, 2017 2:42 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 45697

Re: Statement on Vault 7 document release

That is exactly the confirmation I was looking for. Thanks.

Chris
by bigcw
Mon Mar 13, 2017 2:24 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 45697

Re: Statement on Vault 7 document release

What kind of ACL do you mean? Proper firewall will drop all connections, and will not allow the IP to try to negotiate SSL connections
I am referring to 'address' (called 'available from' in webfig) at /ip service. Can you please state for the record whether routers are vulnerable to attack from an...
by bigcw
Mon Mar 13, 2017 1:55 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 45697

Re: Statement on Vault 7 document release

1. If the firewall prohibits opening the Webfig in the browser from an address, the server is safe
This does not answer the question. Does the ACL prevent access sufficiently to prevent the attack being possible or is it critical that the firewall is used?
[chris@bacon ~]$ curl -vvv https://x.x.x.x...
by bigcw
Mon Mar 13, 2017 1:31 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 45697

Re: Statement on Vault 7 document release

Normis would you kindly comment on the following:

- If the http port is not firewalled but is locked down by access list is the system still vulnerable to attack from an IP other than those on the ACL?

- Is https affected? So far only http has been mentioned.

Thanks, Chris
by bigcw
Fri Feb 03, 2017 5:52 pm
Forum: RouterBOARD hardware
Topic: Ubiquiti UF-SM-10G optic in Mikrotik
Replies: 5
Views: 1562

Re: Ubiquiti UF-SM-10G optic in Mikrotik

Replying to my own thread.... seems the answer is 'yes' they do work, in my scenario at least. I'm going from a CCR1009 to a CRS226. Strange though that the CCR does not show the SFP information (vendor, serial, etc) and does not give options to advertise 10G speed even though it says it is linked a...
by bigcw
Thu Feb 02, 2017 11:02 am
Forum: RouterBOARD hardware
Topic: Ubiquiti UF-SM-10G optic in Mikrotik
Replies: 5
Views: 1562

Re: Ubiquiti UF-SM-10G optic in Mikrotik

I'm well aware that most are made by the same company. I've had good success with both Prolabs and Solid Optics in the past with their 'OEM' optics with manufacturer coding in them. It's just an i2c EEPROM inside with the manufacturer's secret code in it that turns them from one brand to another. Ac...
by bigcw
Wed Feb 01, 2017 11:25 pm
Forum: RouterBOARD hardware
Topic: Ubiquiti UF-SM-10G optic in Mikrotik
Replies: 5
Views: 1562

Ubiquiti UF-SM-10G optic in Mikrotik

Was about to buy a pair of Mikrotik 10G SFP+'s but just spotted my supplier has a twin pack of Ubiquiti UF-SM-10G for less than half the price of a single Mikrotik module. I've never had any problem with Mikrotik gear being fussy about other vendors' optics, but has anyone tried using these modules ...
by bigcw
Mon Jan 23, 2017 12:57 pm
Forum: General
Topic: Authentication with parent proxy
Replies: 4
Views: 1113

Re: Authentication with parent proxy

Any Mikrotik staff able to provide guidance on this, please?
by bigcw
Fri Jan 20, 2017 8:34 pm
Forum: General
Topic: Authentication with parent proxy
Replies: 4
Views: 1113

Authentication with parent proxy

Hi all I have a router set up with a web proxy which forwards to a parent web proxy on the internet. The parent requires a username and password before it will proxy requests but I cannot see anywhere to do this. Can anyone point me in the right direction, please? Note I have tried 'user:pass@ip' as...
by bigcw
Wed Feb 03, 2016 10:43 pm
Forum: General
Topic: WAN IP not being seen by LAN server with port forward
Replies: 2
Views: 380

Re: WAN IP not being seen by LAN server with port forward

Figured this out, but in case anyone in the future needs the solution: If you omit either 'out interface' or 'src address' from your masquerade rule it causes the symptoms I describe. I suspect because the packet matches the masquerade rule both outbound (as expected) but also inbound due to the po...
by bigcw
Wed Feb 03, 2016 3:18 pm
Forum: General
Topic: WAN IP not being seen by LAN server with port forward
Replies: 2
Views: 380

WAN IP not being seen by LAN server with port forward

Hi Everyone Can anyone give some pointers on this, please. Hardware is 1009-8G-1S-1S+ with ROS 6.30.4. It is just doing a simple NAT from a public IP address (/30) on the SFP port to an office of PCs. Standard config with DHCP server, firewall srcnat masquerade rule, etc. They have an FTP server on ...
by bigcw
Tue Nov 17, 2015 2:47 pm
Forum: Wireless Networking
Topic: hAP Lite wireless channels missing?
Replies: 7
Views: 3787

Re: hAP Lite wireless channels missing?

Thank you for the detailed explanation Chechito! The client has come back saying that since the change he is unable to connect to the wireless network. Are there any compatibility issues that surround changing from eC to Ce? My guess is no as it sounds like every access point must switch modes in or...
by bigcw
Fri Nov 13, 2015 9:10 pm
Forum: Wireless Networking
Topic: hAP Lite wireless channels missing?
Replies: 7
Views: 3787

Re: hAP Lite wireless channels missing?

....20/40mhzCe or 20/40mhzeC
Hi

Thanks for this. I changed from Ce to eC and the frequencies appeared. I've no idea what this change does. Is there a plain language explanation of what this setting does anywhere? Nothing I found via Google explained what the difference is.

Chris
by bigcw
Fri Nov 13, 2015 2:15 pm
Forum: Wireless Networking
Topic: hAP Lite wireless channels missing?
Replies: 7
Views: 3787

hAP Lite wireless channels missing?

Hi I have a hAP Lite deployed at a customer site. They have requested I change the wireless channel to 11. No problem I thought, I'll just log in and change it. Tried to set frequency=2472 via ssh but the hAP wasn't having it. Strange. Logged in via web instead and the drop down list of frequencies ...
by bigcw
Wed Jul 15, 2015 8:38 pm
Forum: General
Topic: Traffic flow (aka NetFlow)
Replies: 5
Views: 1041

Re: Traffic flow (aka NetFlow)

Thanks for the explanation. Your apology is accepted. 8)

Chris
by bigcw
Wed Jul 15, 2015 8:36 pm
Forum: Wireless Networking
Topic: Finding which channel has 'auto' selected
Replies: 2
Views: 563

Re: Finding which channel has 'auto' selected

Perfect, thank you! :)

Chris
by bigcw
Wed Jul 15, 2015 4:04 pm
Forum: Wireless Networking
Topic: Finding which channel has 'auto' selected
Replies: 2
Views: 563

Finding which channel has 'auto' selected

When the wireless frequency is set to 'auto', can you query somehow (on the command line) to find which channel the radio has selected to operate on?

Thanks, Chris
by bigcw
Mon Jun 29, 2015 4:40 pm
Forum: General
Topic: Traffic flow (aka NetFlow)
Replies: 5
Views: 1041

Re: Traffic flow (aka NetFlow)

Thanks for taking the time to reply. Too bad a MT employee didn't bother!

Another thing to look forward to in ROS7 then, hopefully along with multi-threaded BGP!

Chris
by bigcw
Wed Jun 24, 2015 7:19 pm
Forum: General
Topic: Traffic flow (aka NetFlow)
Replies: 5
Views: 1041

Re: Traffic flow (aka NetFlow)

Would any Mikrotik employee care to provide some guidance on this subject, please?
by bigcw
Tue Jun 23, 2015 3:16 pm
Forum: General
Topic: Traffic flow (aka NetFlow)
Replies: 5
Views: 1041

Traffic flow (aka NetFlow)

Hi I am looking to write some code to analyse the remote AS's that my traffic flows to/from so I can determine which networks I should request peering with, which exchanges to join, etc. Netflow (or traffic flow as ROS calls it) is the way to do this: http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_...
by bigcw
Tue Jun 23, 2015 3:13 pm
Forum: General
Topic: Loss of link of copper ports on CCR
Replies: 2
Views: 630

Re: Loss of link of copper ports on CCR

Three weeks on and the problem has not reoccurred. Fingers crossed!
by bigcw
Tue Jun 02, 2015 1:28 pm
Forum: General
Topic: Loss of link of copper ports on CCR
Replies: 2
Views: 630

Re: Loss of link of copper ports on CCR

Guess nobody has seen this then? I updated to ROS 6.29.1 and Routerboard 3.22 during a maintenance window last night so fingers crossed this will fix it.

Chris
by bigcw
Mon Jun 01, 2015 5:14 pm
Forum: General
Topic: Loss of link of copper ports on CCR
Replies: 2
Views: 630

Loss of link of copper ports on CCR

Hi everyone I'm having an issue with a CCR1036 where it loses link on all copper ethernet ports after a week or so. SFP ports are unaffected luckily as my uplink is on one of those so I can get in and software reboot the system, but it does cause an outage for the local devices. The symptoms are tha...
by bigcw
Wed Feb 04, 2015 4:46 pm
Forum: General
Topic: CRS212 availability
Replies: 6
Views: 1010

Re: CRS212 availability

Just placed my order. Thanks again Nick!
by bigcw
Wed Feb 04, 2015 4:45 pm
Forum: General
Topic: CRS VLAN CONFIG
Replies: 5
Views: 944

Re: CRS VLAN CONFIG

I don't have a CRS yet, although hopefully my first will arrive tomorrow. However, I'm not sure your question makes sense, or rather, whether this is the correct way to use VLANs. Are ether1-8, which I assume are your clients, tagged (aka trunked) ports? i.e. you have a separate LAN for each server? T...
by bigcw
Tue Feb 03, 2015 6:56 pm
Forum: General
Topic: CRS212 availability
Replies: 6
Views: 1010

Re: CRS212 availability

Thanks Nick.

I've always used MSD in the past but they don't seem to know when they will be getting them. If yours come in tomorrow I'll be ordering one straight away.

Chris
by bigcw
Thu Jan 22, 2015 12:40 pm
Forum: General
Topic: CRS212 availability
Replies: 6
Views: 1010

Re: CRS212 availability

I take it that's a 'no' then?
by bigcw
Wed Jan 21, 2015 6:17 pm
Forum: General
Topic: Custom default config - possible?
Replies: 4
Views: 1203

Re: Custom default config - possible?

Ok, thanks. I'll set up a netinstall rig and try it.
by bigcw
Wed Jan 21, 2015 12:02 pm
Forum: General
Topic: CRS212 availability
Replies: 6
Views: 1010

CRS212 availability

Is there any official word on when the CRS212 will be available? My usual UK suppliers say that they are not able to order them from Mikrotik yet. I really need one to solve an issue where I need a lot of fibre ports so I'm eager to get hold of one. Is there an official release date?
by bigcw
Wed Jan 21, 2015 11:50 am
Forum: General
Topic: Custom default config - possible?
Replies: 4
Views: 1203

Re: Custom default config - possible?

That's interesting. Are you sure that this config then survives factory reset?
by bigcw
Tue Jan 20, 2015 12:57 pm
Forum: General
Topic: Custom default config - possible?
Replies: 4
Views: 1203

Custom default config - possible?

Is it possible to change the default configuration that is loaded during a factory reset using the hardware button? I know that if doing it via software you can specify an .rsc file, I'm talking about if the reset button is held during power up. The scenario here is that we deploy 951-2n's as CPE. W...
by bigcw
Thu Jan 15, 2015 1:23 am
Forum: General
Topic: CRS212 in RM?
Replies: 2
Views: 836

Re: CRS212 in RM?

Any Mikrotik employee care to answer this?
by bigcw
Fri Jan 02, 2015 6:35 pm
Forum: General
Topic: CRS212 in RM?
Replies: 2
Views: 836

CRS212 in RM?

Will there be a version of the CRS212-1G-10S-1S+IN in a rack mount (-RM) form factor?

Thanks, Chris
by bigcw
Fri Jan 02, 2015 6:13 pm
Forum: General
Topic: Support for ACME/Let's Encrypt certificate management [SOLVED]
Replies: 93
Views: 35645

Support for ACME/Let's Encrypt certificate management [SOLVED]

As subject, it would be great if ROS supported the new ACME-protocol for managing browser-trusted certificates from Let's Encrypt. Let's Encrypt: https://letsencrypt.org/ Protocol spec: https://github.com/letsencrypt/acme-spec Presentation at 31c3 on Tuesday: http://youtu.be/OZyXx8Ie4pA <-- start he...
by bigcw
Fri Jan 02, 2015 6:10 pm
Forum: General
Topic: Mass configuration
Replies: 18
Views: 5418

Re: Mass configuration

So did you ever get this working to mass configure all your routers?
No, I never got it working. In the end we SSH'd into every router and ran /import <file>.rsc. This worked, whereas 'run after reboot' didn't. I never found out why it works that way but not the other. We have deployed over 200x 951...
by bigcw
Wed Nov 26, 2014 12:39 am
Forum: General
Topic: Feature request: show static routes quickly
Replies: 0
Views: 575

Feature request: show static routes quickly

In a BGP setup on the public internet the routing table contains ~500k routes at present. In my setup where I have multiple full and partial BGP peers I have 1.6m entries in the routing table. /ip route export ...enables you to see the static routes which have been set up. However it does not give a...
by bigcw
Mon Sep 29, 2014 1:19 pm
Forum: Forwarding Protocols
Topic: Loss of BGP function after 3-4 weeks
Replies: 16
Views: 3123

Re: Loss of BGP function after 3-4 weeks

Ok this just happened again, 21 days from last time. Have sent a supout to Mikrotik for analysis, will report back when they respond to me.

Chris
by bigcw
Mon Sep 29, 2014 1:18 pm
Forum: General
Topic: Mass configuration
Replies: 18
Views: 5418

Re: Mass configuration

My advice is to divide this into two steps:
1. Reset RB configuration (with 'no-defaults=yes')
2. After reboot invoke 'import' command from terminal
This will show you which line of script file contains error(s). Don't forget to reset config before you start import again.
HTH,
This is exactly what ...
by bigcw
Thu Sep 25, 2014 2:17 pm
Forum: General
Topic: Mass configuration
Replies: 18
Views: 5418

Re: Mass configuration

Maybe this article will help you solve problem:
http://wiki.mikrotik.com/wiki/Flashfig

HTH,
I think that is about 3 steps down the line. I need to get a working configuration first!
by bigcw
Wed Sep 24, 2014 7:07 pm
Forum: General
Topic: Mass configuration
Replies: 18
Views: 5418

Re: Mass configuration

Ok, so even this doesn't work...
export verbose file=second.rsc
/system reset-configuration skip-backup=yes no-defaults=yes run-after-reset=second.rsc
Again, no IP addresses after reboot. Only option is to factory reset. If this doesn't work what chance is there that any modified file will. This is ...
by bigcw
Wed Sep 24, 2014 6:58 pm
Forum: Forwarding Protocols
Topic: Loss of BGP function after 3-4 weeks
Replies: 16
Views: 3123

Re: Loss of BGP function after 3-4 weeks

I usually use SSH. It was just easier to get the screenshots from webfig.
by bigcw
Wed Sep 24, 2014 6:56 pm
Forum: General
Topic: Mass configuration
Replies: 18
Views: 5418

Re: Mass configuration

Ok, I'm getting completely fed up with this now. I have 100 of these 951-2n routers sat in a box waiting to go out to clients. Any minute now they're going out of the window instead. Try as I might, I just cannot get this to work. Here's what I'm doing: First, I created a simple script: /ip firewall...
by bigcw
Mon Sep 22, 2014 3:41 pm
Forum: Scripting
Topic: Configure Script
Replies: 12
Views: 7296

Re: Configure Script

I am also interested in whether this problem has been solved. Can anyone offer any experiences?
by bigcw
Mon Sep 22, 2014 1:19 pm
Forum: General
Topic: Mass configuration
Replies: 18
Views: 5418

Re: Mass configuration

Thanks for the tips on this. I'm going to have another try at it today. Will report back with the results!

Chris
by bigcw
Thu Sep 18, 2014 1:12 am
Forum: General
Topic: Mass configuration
Replies: 18
Views: 5418

Re: Mass configuration

I have tried to edit the 'backup' file, but it's mainly binary. The only cleartext bits are my scripts. The issue seems to be that wlan1 doesn't get renamed, so then the bridge port doesn't come up. I had a problem with the script that auto-configures the wireless but I got around that by using [fin...
by bigcw
Wed Sep 17, 2014 11:57 pm
Forum: General
Topic: Mass configuration
Replies: 18
Views: 5418

Mass configuration

Hi everyone, hope I'm not missing something obvious here, but I'm struggling with configuring a whole load of RB951 2HnD's. My plan was that I would configure one router, backup the configuration, and then restore it on a whole load of others. However, it seems like the backup has MAC addresses hard ...
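The Mass configuration thread above ends up at a plain-text .rsc imported over SSH rather than a restored binary .backup, which carries MAC addresses and the same admin credentials into every unit. As an added example (not code from the thread or from MikroTik), this renders one .rsc per CPE from a template that selects interfaces by `default-name` instead of MAC address, gives each unit its own admin password, and builds the scp/ssh command pair to push and `/import` the file. Assumed, and not confirmed by the thread: that the RouterOS ssh service accepts an scp upload and that `/import file-name=` imports it; the inventory is constructed. The reset step stays out of band (the reset button), since the thread shows that a no-defaults reset leaves no address to SSH to.

```python
"""Render per-device RouterOS .rsc files and their deploy commands (added example)."""
import re
import secrets
import shlex
import tempfile
from pathlib import Path

# Interfaces are keyed by default-name, so the same template fits every RB951;
# nothing device-specific such as a MAC address is baked in.
TEMPLATE = """\
/system identity set name={identity}
/interface set [find default-name=wlan1] name=wlan-lan
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=wlan-lan
/ip address add address={lan_ip}/24 interface=bridge-lan
/user set admin password={admin_pw}
/ip service disable telnet,ftp,www,api
"""

# Constructed inventory: (identity, LAN address, address the unit answers on now).
INVENTORY = [
    ("cpe-01", "192.0.2.1", "192.168.88.1"),
    ("cpe-02", "192.0.2.2", "192.168.88.1"),
]

# Values substituted into the template must not smuggle in quotes, spaces or
# separators that RouterOS or the shell would interpret.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]+")


def render_rsc(identity: str, lan_ip: str, admin_pw: str) -> str:
    """Return the .rsc text for one device, refusing unsafe substitution values."""
    for value in (identity, lan_ip, admin_pw):
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"unsafe value for template: {value!r}")
    return TEMPLATE.format(identity=identity, lan_ip=lan_ip, admin_pw=admin_pw)


def deploy_commands(mgmt_host: str, rsc_path) -> list:
    """Commands to upload the file to the router and import it over SSH."""
    name = Path(rsc_path).name
    return [
        f"scp -q {shlex.quote(str(rsc_path))} admin@{mgmt_host}:{name}",
        f"ssh admin@{mgmt_host} {shlex.quote(f'/import file-name={name}')}",
    ]


def stage(outdir, inventory=INVENTORY) -> list:
    """Write one .rsc per device plus a credentials file; return all deploy commands."""
    outdir = Path(outdir)
    commands = []
    with open(outdir / "credentials.csv", "w") as creds:
        for identity, lan_ip, mgmt in inventory:
            admin_pw = secrets.token_urlsafe(16)   # unique per unit, URL-safe chars only
            rsc = outdir / f"{identity}.rsc"
            rsc.write_text(render_rsc(identity, lan_ip, admin_pw))
            creds.write(f"{identity},{admin_pw}\n")
            commands.extend(deploy_commands(mgmt, rsc))
    return commands


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    for cmd in stage(workdir):      # dry run: review, then pipe into sh one device at a time
        print(cmd)
    print("configs and credentials written to", workdir)
```

Run as a dry run first and read the generated commands; the credentials file is the only copy of each unit's admin password, so it belongs in the password store, not in the deployment box's home directory.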
by bigcw
Thu Sep 11, 2014 5:35 pm
Forum: Forwarding Protocols
Topic: Loss of BGP function after 3-4 weeks
Replies: 16
Views: 3123

Re: Loss of BGP function after 3-4 weeks

Can you make a supout.rif while you encounter the BGP problem? It's a long shot, but if you succeed in getting a supout, maybe Mikrotik support can find something out.
Yes, this is what MT support asked me to do too. Next time it happens I will do that. I was really wondering whether anyone else ha...
by bigcw
Tue Sep 09, 2014 12:53 pm
Forum: Forwarding Protocols
Topic: Loss of BGP function after 3-4 weeks
Replies: 16
Views: 3123

Re: Loss of BGP function after 3-4 weeks

you are speaking about crash every 2 weeks but on your picture we can see that session are up for 13 minutes !
Yes, I took the screenshot after I had rebooted the router and the sessions had loaded fully, hence why they have only been up for a few minutes.
by bigcw
Mon Sep 08, 2014 3:13 pm
Forum: Forwarding Protocols
Topic: CCR and Internet BGP - survey of user experiences
Replies: 24
Views: 9562

Re: CCR and Internet BGP - survey of user experiences

My current setup:
3 x CCR1036-12G-4S running v6.18:
- London: 2 x full BGP transit, iBGP to Frankfurt, Madrid and London
- Frankfurt: 1x full BGP transit, iBGP to London
- Madrid: 1x full BGP transit, iBGP to London
1 x 1100AHx2 v5.26 (yes, it's old, but it's stable!):
- Dublin: Approx 20 peering ses...
by bigcw
Mon Sep 08, 2014 3:00 pm
Forum: Forwarding Protocols
Topic: Loss of BGP function after 3-4 weeks
Replies: 16
Views: 3123

Loss of BGP function after 3-4 weeks

Hi everyone, I have a deployment of Routerboard kit around Europe and have a problem with one CCR1036 which seems to lose its BGP service from time to time. The router is in Frankfurt, Germany and has a full-table transit. It also has an iBGP peer with another 1036 in London via a pseudowire service...