Community discussions

Search found 287 matches

by Deantwo
Wed May 22, 2019 4:07 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 67862

Re: Winbox vulnerability: please upgrade

Hello, we have found that our CCR is not accessible, has been compromised, user and passw have changed V 6.38.7 (bugfix) is the version that appears from winbox, we have passed ExploitWinbox and Macserverexploit but it does not work, what else can we do? We do not have backup ..... Thanks! Bugfix v...
by Deantwo
Tue May 21, 2019 10:24 am
Forum: RouterOS v6 RC and v7 BETA
Topic: SSTP Interface Queue Type is invalid after upgrade
Replies: 3
Views: 1288

Re: SSTP Interface Queue Type is invalid after upgrade

Hello Did you get this work on 6.44? default queue type is default-small on 6.44 , i need to put all new dynamic interfaces on startup to ethernet-default or custom pfifo queue type Can you help me? Workaround for now: 1. empty queue tree rule /queue tree add comment=test name=queue3_test priority=...
by Deantwo
Tue May 14, 2019 12:08 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2354

Re: v6.43.15 [long-term] is released!

*) webfig - improved file handling; *) winbox - improved file handling; Which CVE is it this time? :lol: Did it at least require authorised user? I feel a little horrible for thinking the exact same thing when I saw a new long-term release. Is that really where we have gotten with long-term release...
by Deantwo
Fri May 10, 2019 4:51 pm
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 6865

Re: v6.43.14 [long-term] is released!

Hi, we are experiencing the following bug: ...
Be sure to email support@mikrotik.com with the details.
This thread isn't really for bug reports, unless it is specifically related to this update alone.
by Deantwo
Fri Apr 12, 2019 2:38 pm
Forum: Announcements
Topic: Winbox v3.18 released!
Replies: 46
Views: 39450

Re: Winbox v3.18 released!

He should email it to support@hiscompany.com, because it's false positive on company's DPI side, MikroTik cannot do anything with that. Wouldn't that be himself? XD If P2P/File transfer is restricted in the company network, then it might cause problems with a lot of things. None of which would be M...
by Deantwo
Fri Apr 12, 2019 9:30 am
Forum: Announcements
Topic: Winbox v3.18 released!
Replies: 46
Views: 39450

Re: Winbox v3.18 released!

Winbox when downloading descriptors gets stuck. After some troubleshooting, I found that winbox is being blocked by P2P/File transfer restrictions in the company.
You should email that to support@mikrotik.com.
by Deantwo
Thu Apr 04, 2019 12:22 pm
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 6865

Re: v6.43.14 [long-term] is released!

Just gonna leave a link to the MikroTik blog post here, so people can read about what this patch fixes.
Here: https://blog.mikrotik.com/software/cve- ... stion.html
by Deantwo
Thu Apr 04, 2019 11:18 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 10352

Re: v6.44.2 [stable] is released!

Hi Emils, Is this fix related to recent vulnerability issue that were going to go public on 9 April? Nice attempt at being subtle there. Wouldn't it have been better to email something like that to support rather than start a new vulnerability panic? ._. yes, see https://forum.mikrotik.com/viewtopi...
by Deantwo
Wed Apr 03, 2019 10:44 am
Forum: Scripting
Topic: Can't launch script from Netwatch
Replies: 14
Views: 4126

Re: Can't launch script from Netwatch

If you are using RouterOS 6.43.x, then you can simply use dont-require-permissions=yes.
See: viewtopic.php?f=2&t=134538#p720232
by Deantwo
Wed Apr 03, 2019 10:34 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 15820

Re: v6.44.1 [stable] is released! - URGENT

@mativcp: After upgrade to 6.44.1 (Stable) CCR1009-7G-1C-1S+ STOP WORKING ... ill wait answer...Thanks in advance As it says in the opening post, you need to make a supout while the issue is present and send it to MikroTik support along with your report. RouterOS version 6.44.1 has been released in...
by Deantwo
Mon Apr 01, 2019 12:39 pm
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 8340

Re: v6.43.13 [long-term] is released!

I think there is a Bug that wasn't in 6.42.12: Running that command on 6.42.12 works: :log info ([/interface pppoe-client monitor pppoe-WAN as-value]->"status") It's not a bug it's a feature :) Now you need to add "once" after an interface name. This seems like some kind of joke. This change has br...
by Deantwo
Fri Mar 29, 2019 1:16 pm
Forum: General
Topic: Multiple CA Certificates for OpenVPN
Replies: 3
Views: 672

Re: Multiple CA Certificates for OpenVPN

I wanted to ask exactly the same question now, so I'm rather bumping this up - is it possible to have two CAs? For the same reason - to slowly update from old MD5 certs to new ones?
I ended up just setting up a second MikroTik router. Closed the old router down here before new year.
by Deantwo
Tue Mar 26, 2019 4:19 pm
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 8340

Re: v6.43.13 [long-term] is released!

As 6.43 just recently replaced 6.42 long-term. radius - use MS-CHAPv2 for "login" service authentication; Please revert this change, or at least make this configurable. That is true, and yet another thing people upgrading from v6.42.12 to v6.43.13 will be unprepared for. But all is not lost. If you...
by Deantwo
Tue Mar 26, 2019 11:57 am
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 8340

Re: v6.43.13 [long-term] is released!

So are there actually any changes between this long-term version and the v6.43.12 stable version? Really hard to tell from the changes, since as mentioned by others in this thread, there are even changes missing that were made in the v6.43 release thread. PS: Emailed support about adding the missing...
by Deantwo
Tue Mar 19, 2019 4:55 pm
Forum: General
Topic: to many winbox/dude sessions
Replies: 6
Views: 783

Re: to many winbox/dude sessions

/system scheduler { :local uptime [/system resource get uptime] :set uptime [:pick $uptime ([:len $uptime] - 5) [:len $uptime]] :local calculation (([:tonum [:pick $uptime 0 2]] + [:tonum [:pick $uptime 3 5]]) * 40) :set calculation [:totime $calculation] :set calculation (04:00:00 + $calculation) ...
by Deantwo
Tue Mar 19, 2019 11:04 am
Forum: General
Topic: to many winbox/dude sessions
Replies: 6
Views: 783

Re: to many winbox/dude sessions

I don't see any options to set or increase the limit of sessions. I didn't even know there was one. One thing you could do is spread the update checks out over a larger time period so all the requests don't come at the same time. Change your schedulers to have a start-time that depends on the router...
by Deantwo
Mon Mar 18, 2019 1:19 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 67862

Re: Winbox vulnerability: please upgrade

I have explained several times that they should create a separate release channel and configure by default in every shipped router that whenever a release appears on that channel that is newer than the release installed on the router, it would automatically be installed (this channel would be polle...
by Deantwo
Tue Mar 12, 2019 7:09 pm
Forum: General
Topic: Connection tracking issue
Replies: 2
Views: 291

Re: Connection tracking issue

Sounds like the same issue as described in viewtopic.php?f=2&t=127838&p=628464#p628464.
by Deantwo
Tue Mar 12, 2019 5:25 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 67862

Re: Winbox vulnerability: please upgrade

Is enough only by upgrading the OS to safe version or MUST BE do netinstall? As stated multiple times in this thread, and other places on the forum. If you want to be 100% sure that your router is not infested with some Lovecraftian horror, netinstall it. If your router hasn't been attacked, probe...
by Deantwo
Mon Mar 11, 2019 1:52 pm
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 48
Views: 6850

Re: Netwatch deprecated ? [SOLVED]

This issue seems to have been addressed in RouterOS version 6.43, so it is much easier to fix these issues now. https://forum.mikrotik.com/viewtopic.php?f=21&t=138995 What's new in 6.43 (2018-Sep-06 12:44): *) console - added "dont-require-permissions" parameter for scripts; *) console - added error ...
by Deantwo
Mon Mar 11, 2019 10:08 am
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 29194

Re: v6.44 [stable] is released!

Not sure if you read the thread properly, however, we're also both and all of us are at least up to MTCRE. I also cannot share the config of our clients due to a Non-Disclosure agreement. This is companies that's been using these units quite a lot, we talk few thousands of the routers especially th...
by Deantwo
Tue Mar 05, 2019 1:20 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 29194

Re: v6.44 [stable] is released!

Upgrading my RB750 from RouterOS 6.40.8 to 6.44 leaves all IPsec peers with "unknown" profiles. And it looks like any IPsec peer settings were lost since only "default" profile exist. Do I have to jump to another version first and then jump to 6.44? Gonna go test if it also happens if I upgrade to 6....
by Deantwo
Mon Mar 04, 2019 2:24 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 67862

Re: Winbox vulnerability: please upgrade

I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the furt...
by Deantwo
Mon Feb 25, 2019 9:01 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 67
Views: 4387

Re: Security issue when Winbox exposed

Is it only specific to dude agent binary? To remediate is it enough to have dude agent not installed or not enabled? (of course Winbox port is closed to the internet, but I don't want my LANs to be able to use it, dude is installed, but not enabled) The article says it's only agent, but I'd appreci...
by Deantwo
Mon Feb 25, 2019 2:57 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 67
Views: 4387

Re: Security issue when Winbox exposed

Unless I am mistaken, this vulnerability is a lot less dangerous as long as your internal network isn't public knowledge. The attack shown in the article is an example that only works because he knows the LAN IP address of the vulnerable server and the type of server before doing the attack. I am no...
by Deantwo
Fri Feb 22, 2019 10:36 pm
Forum: Beginner Basics
Topic: How to connect from android app Mikrotik to RB2011?
Replies: 6
Views: 377

Re: How to connect from android app Mikrotik to RB2011?

I have a OpenVPN server on my router and the OpenVPN app. So I can connect to my router from the outside and then use the TikApp to control my router securely.
by Deantwo
Fri Feb 22, 2019 3:32 pm
Forum: Scripting
Topic: Global variable dissapears?
Replies: 9
Views: 544

Re: Global variable dissapears?

/system script add dont-require-permissions=no name=script1 policy=\ reboot,read,write,policy,test,password,sniff,sensitive source=\ "/user add name=yy group=full \r\ \n:log info \"user added\"" /tool netwatch add down-script=script1 host=111.111.111.111 .... [admin@BGP_ruby_test] /tool netwatch> /...
by Deantwo
Fri Feb 22, 2019 2:50 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 5550

Re: v6.42.12 [long-term] is released!

MAJOR CHANGES IN v6.42.12: ---------------------- !) winbox - improvements in connection handling to router with open winbox service (CVE-2019-3924); ---------------------- Definitely missing some more details about when and how we are vulnerable to this vulnerability. I would like to know if Wi...
by Deantwo
Fri Feb 22, 2019 2:43 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 67
Views: 4387

Re: Security issue when Winbox exposed

Yes, "service" menu limitation will protect you, the service "winbox" affects winbox/dude/tik-app all at the same time.
That is wonderful news, first good news I hear all day.
Can that please be added to the blog post maybe? I am sure more people will want to know this.
by Deantwo
Fri Feb 22, 2019 2:36 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 67
Views: 4387

Re: Security issue when Winbox exposed

Are there still people dumb enough to expose winbox to anything but an isolated management vlan? Don't do it, the winbox protocol obviously is not designed to be secure. With the WinBox service exploit we were told that an address whitelist on the service was enough to block anything bad. I am HOPI...
by Deantwo
Fri Feb 22, 2019 12:04 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 5550

Re: v6.42.12 [long-term] is released!

MAJOR CHANGES IN v6.42.12: ---------------------- !) winbox - improvements in connection handling to router with open winbox service (CVE-2019-3924); ---------------------- Definitely missing some more details about when and how we are vulnerable to this vulnerability. I would like to know if Wi...
by Deantwo
Thu Feb 21, 2019 12:26 pm
Forum: Scripting
Topic: Global variable dissapears?
Replies: 9
Views: 544

Re: Global variable dissapears?

https://forum.mikrotik.com/viewtopic.php?f=21&t=133272 What's new in 6.42 (2018-Apr-13 11:03): *) netwatch - limit to read, write, test and reboot policies for Netwatch script execution; Accessing global variables annoyingly require "policy" permission, which Netwatch script execution doesn't have a...
by Deantwo
Thu Feb 21, 2019 12:25 pm
Forum: Scripting
Topic: Script via Netwatch Don't Running
Replies: 3
Views: 325

Re: Script via Netwatch Don't Running

viewtopic.php?f=21&t=133272
What's new in 6.42 (2018-Apr-13 11:03):

*) netwatch - limit to read, write, test and reboot policies for Netwatch script execution;
by Deantwo
Tue Feb 05, 2019 11:36 am
Forum: General
Topic: Upgrade to MS-CHAPv2 RADIUS for >6.43
Replies: 3
Views: 516

Re: Upgrade to MS-CHAPv2 RADIUS for >6.43

We got the new RADIUS server to work with MS-CHAPv2 and RouterOS v6.43. I'll bug my server guy to find out what he did on the server to make it work. I have one fun fact with backward compatibility, a router running <6.43 can still use a MS-CHAPv2 RADIUS, but only for WinBox login. Trying to open th...
by Deantwo
Mon Feb 04, 2019 3:51 pm
Forum: General
Topic: Upgrade to MS-CHAPv2 RADIUS for >6.43
Replies: 3
Views: 516

Re: Upgrade to MS-CHAPv2 RADIUS for >6.43

I am told that the guide on the wiki/manual isn't much help anymore.
This: https://wiki.mikrotik.com/wiki/AAA_with ... _Directory

I sent an e-mail to support about getting the guide updated and possibly some help with this.
by Deantwo
Wed Jan 30, 2019 5:13 pm
Forum: General
Topic: Upgrade to MS-CHAPv2 RADIUS for >6.43
Replies: 3
Views: 516

Upgrade to MS-CHAPv2 RADIUS for >6.43

I am attempting to figure out the best way to upgrade from my old RADIUS server to a new MS-CHAPv2 RADIUS server. I would prefer a backward compatible solution, so routers running <6.43 can use the same configuration as >6.43. Googling for the answer seems to most of all just point me to a post I wro...
by Deantwo
Tue Jan 29, 2019 1:16 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 67862

Re: Winbox vulnerability: please upgrade

Darman, how do you think an update will know what socks entries are legitimate and what are not? If CPU is at 100% for the last 5 seconds - remove all IP Socks Access entries xD Better idea: if the router is setup incorrectly/insecurely, brick it. But really, none of that is MikroTik's problem to s...
by Deantwo
Wed Jan 23, 2019 1:35 pm
Forum: Announcements
Topic: SwOS version 2.9 released!
Replies: 51
Views: 12196

Re: SwOS version 2.9 released!

reading that no IGMP (Snooping) Problems are known in the latest 2.9 Firmware release, made me a bit angry... As @becs just said; @RobertF and @abrodkin SwOS has supported IGMP v1,v2,v3 since v2.5, also many issues have been addressed since then and now in v2.9 there is an additional port option to ...
by Deantwo
Sat Jan 05, 2019 5:04 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 67862

Re: Winbox vulnerability: please upgrade

I'm having issues upgrading. It doesn't do it.. check for updates then select download and install.. auto reboots but it stays to the version not new one... I'm using hap ac.... Check the architecture of the router, make sure you are using the correct file. Need more information to be able to help you....
by Deantwo
Fri Dec 28, 2018 12:37 pm
Forum: General
Topic: The "output" chain and VRFs/routing marks
Replies: 4
Views: 1300

Re: The "output" chain and VRFs/routing marks

You are correct in thinking that the "output" chain is after routing decisions are made. But the "output" chain apparently has a "routing adjustment" phase, which I assume is used if the routing mark was changed. See: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6 My current policy routing man...
by Deantwo
Wed Dec 19, 2018 11:06 pm
Forum: SwOS
Topic: CSS326-24G-2S - Where is WATCHDOG IP address to ping!!!???
Replies: 10
Views: 2021

Re: CSS326-24G-2S - Where is WATCHDOG IP address to ping!!!???

Looks like the Watchdog doesn't work in all cases. I have it enabled but the switch hangs for hours rather than rebooting.
Suggest you write to support@mikrotik.com with details so they can make a bug report and get it fixed then.
by Deantwo
Thu Dec 06, 2018 12:59 pm
Forum: Announcements
Topic: URGENT security reminder
Replies: 84
Views: 27355

Re: URGENT security reminder

Noobs will scream when their router randomly restart (because it was just applying updates during their gameplay) Tools -> Traffic Monitor :) "If there's no traffic for the last 5 minutes - it's okay to upgrade" xD = never :D But they will stop complaining about the feature missing! xD How cute. We...
by Deantwo
Tue Nov 20, 2018 12:16 pm
Forum: General
Topic: Radius not work since upgrade to 6.43
Replies: 7
Views: 1387

Re: Radius not work since upgrade to 6.43

I am reading in changelog of last version and I see this line: *) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades); Pretty sure that specific line is not related to radius. Instead see v6.43's !) radius - use MS-CHAPv2 f...
by Deantwo
Fri Nov 16, 2018 7:18 pm
Forum: Beginner Basics
Topic: Routing via IPSec Tunnel
Replies: 4
Views: 375

Re: IPsec Issues

I have an issue with configuring an ipsec tunnel. The issue is the following: the tunnel is established, nat bypass rule is also there but I'm unable to ping both local networks. Please I need help Likely the same issue, and same information needed. What is your setup like? Diagram? What is your configs...
by Deantwo
Fri Nov 16, 2018 5:09 pm
Forum: Scripting
Topic: Script ended
Replies: 1
Views: 408

Re: Script ended

What is the error the script is giving?
by Deantwo
Fri Nov 16, 2018 4:54 pm
Forum: General
Topic: VLAN on a regular switch
Replies: 9
Views: 644

Re: VLAN on a regular switch

If the regular switch doesn't support VLANs, it might be easier to not use VLANs at all.
Or simply get a managed switch that does support VLANs.
by Deantwo
Fri Nov 16, 2018 4:52 pm
Forum: General
Topic: Two VLANS to another place. Voip + Data
Replies: 57
Views: 3322

Re: Two VLANS to another place. Voip + Data

Your VLAN configuration doesn't look totally correct.
Maybe this will help: https://wiki.mikrotik.com/wiki/Manual:L ... idged_VLAN

But if the routers are the only network equipment, then why use VLANs at all? Just make two bridges and route them normally.
by Deantwo
Fri Nov 16, 2018 3:13 pm
Forum: Beginner Basics
Topic: Routing via IPSec Tunnel
Replies: 4
Views: 375

Re: Routing via IPSec Tunnel

A diagram of your setup would make your question easier to understand.
Also your config would help a lot too.

If the subnets are accessible from each end, what is the issue?
by Deantwo
Tue Nov 06, 2018 11:21 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 67862

Re: Winbox vulnerability: please upgrade

Hey caresss As mentioned by vecernik87, MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block it. You need to configure your interface list to prevent access from any untrusted networks. The fact that the attacker is using MAC-Telnet or MAC-WinBox means that ...
by Deantwo
Fri Nov 02, 2018 11:02 am
Forum: Announcements
Topic: Winbox v3.18 released!
Replies: 46
Views: 39450

Re: Winbox v3.18 released!

Can anyone log to an older version of Mikrotik, through WinBox 3.18 ?
I am unable to login to a router running RouterOS v5.26 with WinBox v3.18, I just get an error saying "Error: could not fetch index".
But you didn't really specify how much older.