Community discussions

Search found 114 matches

by tippenring
Tue Aug 14, 2018 1:26 am
Forum: General
Topic: Forced routing with UTM connected both ends to Mikrotik
Replies: 6
Views: 235

Re: Forced routing with UTM connected both ends to Mikrotik

Thanks, the traffic inside the wire that would be connected to the UTM is tagged VLANs and from what I know it doesn't support VLANs (Sophos). And in real config there will be two UTMs daisy chained (client request), and I don't even know what the second one is. So I assume it will not work. Or am ...
by tippenring
Mon Aug 13, 2018 4:52 pm
Forum: Beginner Basics
Topic: google captcha after installing mikrotik
Replies: 4
Views: 200

Re: google captcha after installing mikrotik

Hi all, I just finished installing a rb750GR-3, running a CAPsMAN with 2 AP's. Default firewall rules. I now get a captcha popup whenever I search on google. It reads: Our systems have detected unusual traffic from your computer network. I've attached a screenshot of the popup. Any help would be gre...
by tippenring
Mon Aug 13, 2018 8:14 am
Forum: General
Topic: Forced routing with UTM connected both ends to Mikrotik
Replies: 6
Views: 235

Re: Forced routing with UTM connected both ends to Mikrotik

If the UTM is in bridge mode, why not simply connect it in-line with one of the ethernet ports?
by tippenring
Fri Aug 10, 2018 5:02 pm
Forum: Beginner Basics
Topic: Open Ports
Replies: 7
Views: 268

Re: Open Ports

I used to scan the network from LAN and in results had open just 2 ports (DNS for example and MikroTik Winbox). Now when I scan the network from inside (I'm scanning the WAN interface btw, not LAN) I have tons of open ports.... Don't have Avast installed anywhere tho
Yes, you have Avast installed somewhere. ...
by tippenring
Wed Aug 08, 2018 9:35 pm
Forum: General
Topic: Do not open port tcp/23 to your device from internet you will be hacked
Replies: 6
Views: 386

Re: Do not open port tcp/23 to your device from internet you will be hacked

This isn't really a surprise for most people.
I am not surprised by the number of attacks, but that it's >95% on tcp/23.
I expect the rest of the ports getting pinged are dropped further up in the firewall chain, so not being reported.
by tippenring
Wed Aug 08, 2018 9:28 pm
Forum: General
Topic: Line by line config restore from 6.34 to 6.42 firmware
Replies: 13
Views: 389

Re: Line by line config restore from 6.34 to 6.42 firmware

there are not any MAC Addresses in my export rsc file so not really sure what you're talking about... sorry
If there are no MAC addresses, then restore the whole config to your backup router and test. I personally prefer to either SSH or open a terminal in Winbox and paste a config by hand. That wa...
by tippenring
Wed Aug 08, 2018 9:24 pm
Forum: Beginner Basics
Topic: Please help me get my network in order
Replies: 7
Views: 433

Re: Please help me get my network in order

I can only give you advice on the MikroTik part of your network. What you should do:
Reset the MikroTik devices, with no default configuration
Access the MikroTik using Winbox and MAC address
Create a new bridge, containing all interfaces (ethernet and wireless)
Depending on your need, either confi...
by tippenring
Wed Aug 08, 2018 7:12 pm
Forum: General
Topic: Line by line config restore from 6.34 to 6.42 firmware
Replies: 13
Views: 389

Re: Line by line config restore from 6.34 to 6.42 firmware

I think you're working way too hard at this.
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=4074 loop-protect=o...
by tippenring
Wed Aug 08, 2018 1:19 am
Forum: General
Topic: Backround upload traffic from google ips 172.217.x.x is saturating my upload speed
Replies: 7
Views: 271

Re: Backround upload traffic from google ips 172.217.x.x is saturating my upload speed

Maybe I have read too many "help! my users are actually making traffic! I want to block block block!" topics...
I definitely share your frustration with the "Help! Someone please do all my network engineering for free! URGENT!!!" :-)
by tippenring
Tue Aug 07, 2018 9:10 pm
Forum: General
Topic: Backround upload traffic from google ips 172.217.x.x is saturating my upload speed
Replies: 7
Views: 271

Re: Backround upload traffic from google ips 172.217.x.x is saturating my upload speed

Also consider dropping from the business and finding another way to earn money.
That seems a bit harsh. This could be an opportunity for the OP to learn about traffic management.
by tippenring
Tue Aug 07, 2018 5:04 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 61
Views: 2742

Re: Blacklist Filter (Development Topic)

If anyone wants to help out more, I need more routers to report some stats to the server. This is part of the health monitoring and alerting system. If you paste the code into a terminal window, it will set up the script and start reporting.
Running on my home router. Do you really want it reporting...
by tippenring
Tue Aug 07, 2018 7:12 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 108
Views: 11051

Re: Winbox vulnerability: please upgrade

Tippenring.

I was agreeing with you. The logs were proof that 2 different attackers had the password from before the upgrade
I misunderstood your post. My apologies.
by tippenring
Tue Aug 07, 2018 1:12 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 108
Views: 11051

Re: Winbox vulnerability: please upgrade

When they updated they didn't change the password.
No, the attacker didn't change the password. If he did, that would give away that the router had been compromised. The attacker didn't want you to know he had the admin password for the router. So, you upgraded software, but did not change the pass...
by tippenring
Mon Aug 06, 2018 10:48 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 108
Views: 11051

Re: Winbox vulnerability: please upgrade

Is there any more detailed information than the old blog post? I've seen numerous routers running 6.40.8 bugfix get compromised in the last few days. Winbox was externally accessible. On Friday I updated a couple older routers that had not yet been compromised that weren't on 6.40.8 to 6.40.8, only ...
by tippenring
Thu Aug 02, 2018 6:40 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 108
Views: 11051

Re: Winbox vulnerability: please upgrade

On forum posts if the subject line doesn't interest me, I would never read it. It is like: I do not like this song as I have never listened to it earlier and the title is boring me. :D
lol. Nice try, but the analogy is weak. A song can be in the background and doesn't consume any time. This forum i...
by tippenring
Thu Aug 02, 2018 4:42 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 108
Views: 11051

Re: Winbox vulnerability: please upgrade

@normis, hey can you get this on the blog? I'd like to see any complainers cut off at the pass that this announcement didn't end up in the right spots.
I'm with @Samot. If it's worth a forum post, it's worth posting a similar update to the blog. As soon as the blog was announced I added it to my i...
by tippenring
Wed Aug 01, 2018 7:34 am
Forum: Beginner Basics
Topic: Not able to log in [SOLVED]
Replies: 5
Views: 297

Re: Not able to log in [SOLVED]

RouterBoard OS 6.35.2

I wonder if your device did not maybe get hacked!
Why do you say that...? And how can I check?
A search of this forum before yet another post about how "I've been pwned" would do you wonders.
by tippenring
Mon Jul 30, 2018 6:05 pm
Forum: General
Topic: IPsec setting help pls!!
Replies: 11
Views: 315

Re: IPsec setting help pls!!

Router AB
/ip firewall filter
add chain=forward action=accept place-before=1 src-address=10.1.101.0/24 dst-address=10.1.202.0/24 connection-state=established,related
add chain=forward action=accept place-before=1 src-address=10.1.202.0/24 dst-address=10.1.101.0/24 connection-state=established,relat...
by tippenring
Fri Jul 27, 2018 7:57 pm
Forum: General
Topic: 185.153.198.228 Has been BUSY
Replies: 9
Views: 567

Re: 185.153.198.228 Has been BUSY

Anyone ever write a good tool for 3 failed Winbox login attempts from one address, so we can add them to an address list???
Here's my typical blacklist firewall config. Generally we don't permit any admin connections from the internet other than known management networks. This is used in any case...
by tippenring
Mon Jul 23, 2018 7:24 pm
Forum: General
Topic: IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?
Replies: 3
Views: 348

Re: IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?

Hi all, I have successfully configured routeros to allow VPN clients to connect via IKEv2, backed with radius, and authenticating using EAP-TLS (no passwords). The config is below. What I discovered is that this configuration would only work if I took the private key and certificate of our radius s...
by tippenring
Fri Jul 20, 2018 1:24 am
Forum: General
Topic: .npk files auto deleted
Replies: 14
Views: 678

Re: .npk files auto deleted

Have you tried netinstall? Or is the affected box also too high and/or far to do that?
I understand netinstall doesn't work if the device is >50 ft off the ground. Does anyone have the support ticket # for that issue? :-)
by tippenring
Tue Jul 17, 2018 5:15 pm
Forum: General
Topic: ssl cert error
Replies: 4
Views: 209

Re: ssl cert error

CRL is the cert revocation list. I'm guessing the CRL is perhaps signed by a cert which the router doesn't trust. You may need to import a different cert chain for it.
by tippenring
Wed Jul 11, 2018 4:26 pm
Forum: General
Topic: Connecting multiple networks. [SOLVED]
Replies: 29
Views: 837

Re: Connecting class c networks. [SOLVED]

#1 computer (172.19.2.10) is on ether 2, it can ping to 172.19.2.1 (which is the ether 2 IP address). #2 computer (172.19.3.10) is on ether 3, it can ping to 172.19.3.1 (which is the ether 3 IP address). The two computers can not ping to each other.
Unfortunately there are many unknowns in this cas...
by tippenring
Wed Jul 11, 2018 4:01 pm
Forum: General
Topic: Connecting multiple networks. [SOLVED]
Replies: 29
Views: 837

Re: Connecting class c networks. [SOLVED]

What's next thing to do for routing?
It's a router. It always routes by default.
by tippenring
Wed Jun 27, 2018 4:52 pm
Forum: Beginner Basics
Topic: IPSEC Issues
Replies: 11
Views: 462

Re: IPSEC Issues

/ip firewall nat
add action=accept chain=srcnat protocol=udp src-port=500,4500 place-before=0
add action=masquerade chain=srcnat out-interface=pppoe-out1
It sure looks like you're NATing the traffic that would be destined for the remote network. You need an accept rule to prevent NAT from happening...
by tippenring
Fri Jun 22, 2018 10:53 pm
Forum: General
Topic: Bridge VLAN Filtering
Replies: 8
Views: 639

Re: Bridge VLAN Filtering

Also note that RB3011 is capable of VLAN switching on a hardware level, you can find an example how to set it up here: https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip
Hello Artz. Could you possibly elaborate on the wiki URL you posted?
/interface e...
by tippenring
Wed Jun 20, 2018 5:54 pm
Forum: General
Topic: ipsec tunnel working in 6.37.5, not working in 6.40.8
Replies: 12
Views: 539

Re: ipsec tunnel working in 6.37.5, not working in 6.40.8

Hello, I have RB1200 in a company connecting to another location via ipsec tunnel, working well. After the vpnfilter etc bugs, I decided to upgrade to last bugfix release 6.40.8, and it completely broke the tunnel - although I am pretty sure I saw something like "established" in ipsec - remote peer...
by tippenring
Wed Jun 20, 2018 4:59 pm
Forum: General
Topic: bug persists after updating to 6.42.3
Replies: 14
Views: 3140

Re: bug persists after updating to 6.42.3

By Firewall Filter I did Log for the attacker src address, so when he attacks my host, MikroTik Server logs his Src address and (a) src MAC address. The src MAC address logged in my Server log doesn't belong to me, that's all buddy
MAC addresses work only at the broadcast domain level (layer 2). No...
by tippenring
Wed Jun 20, 2018 4:39 pm
Forum: Announcements
Topic: Winbox v3.15 released!
Replies: 21
Views: 3598

Re: Winbox v3.15 released!

There are 2 annoying bugs since a long time ago: - In some computers, if you try to connect via MAC, it starts to load, then it disconnects, but it connects after you press "Reconnect" button.
In my experience historically, this is caused by what appears to be a frame size limitation. If I connect b...
by tippenring
Wed Jun 20, 2018 4:35 pm
Forum: General
Topic: Ping >1500 timing out
Replies: 7
Views: 357

Re: Ping >1500 timing out

When you have don't fragment set to true, if you aren't getting ICMP fragmentation needed, then you most likely have a layer 2 problem. Layer 2 devices don't respond with ICMP messages. I didn't see what kind of radios you have, but I'm guessing they are bridging. I'm betting the wireless link itsel...
by tippenring
Sun May 20, 2018 5:49 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 4431

Re: I cant quite wrap my head around this one...

If ping delay really bothers you, then you might want to set up a queue (simple queue might do) on your RB to rate limit your VM backups to, say, 80% or 90% of your subscribed UL speed. This way most of time ISP's traffic shaper wouldn't touch your data packets including ICMP echo requests. This wo...
by tippenring
Fri May 18, 2018 11:44 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 4431

Re: I cant quite wrap my head around this one...

Thanks for your reply. Can anyone tell me how I do that? It's odd though - as I mentioned in my first post...this router came from my old house and nothing on the config changed when it was moved to the new house with a new line. I never had this issue before I moved house! I actually have a RB750G I...
by tippenring
Fri May 18, 2018 6:52 pm
Forum: General
Topic: some of ipsec tunels stopped working
Replies: 6
Views: 259

Re: some of ipsec tunels stopped working

I've noticed a recent change around 6.42. Previously, if one side was set to tunnel 10.10.0.0/24, and the other side was set for 10.0.0.0/16, the side with the /16 defined would accept the /24 proposal. Around 6.42, it seems that flexibility disappeared. Now both routers have to have matching subnet...
by tippenring
Wed May 16, 2018 4:23 pm
Forum: Announcements
Topic: Winbox 3.13 released!
Replies: 61
Views: 10819

Re: Winbox 3.13 released!

Still no signature checking or HTTPS... man in the middle can easily compromise administrator's PC.

https://i.imgur.com/TX7G9pq.gifv
Wow. Although relatively low risk, I can't think of a reason for not verifying the cert but laziness. Good thing I don't upgrade from Winbox I guess.
by tippenring
Wed May 16, 2018 4:17 pm
Forum: Announcements
Topic: Winbox 3.13 released!
Replies: 61
Views: 10819

Re: Winbox 3.13 released!

Great work ^^ It would be interesting if some day winbox would allow to save "a default view" with the customized configuration of columns, fields, views, etc ... and each time you enter a new routerOS imports automatically your personal "saved" configuration. You could add export / import between ...
by tippenring
Tue May 15, 2018 5:45 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 4431

Re: I cant quite wrap my head around this one...

High latency on a fiber connection is 150ms not 400ms, that's just way too much and it doesn't happen when downloading/uploading with the original ISP router.
High latency is whatever increased delay happens as you approach 100% of the bandwidth limit. It might be 150ms worth of buffers, or it might be 500ms w...
by tippenring
Tue May 15, 2018 7:31 am
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 4431

Re: I cant quite wrap my head around this one...

I don't see a problem. Uploading at the max bandwidth of 10Mbps will result in high latency. There are ways to adjust for it with custom queuing to reduce the high latency for desired traffic, such as ping for example. It will result in a slight, not very noticeable reduced upload speed for the big ...
by tippenring
Fri May 11, 2018 9:17 pm
Forum: General
Topic: Site to Site IPsec Tunnel
Replies: 28
Views: 919

Re: Site to Site IPsec Tunnel

If you aren't getting phase 2 established, something doesn't match between the two peers. I always have this logging rule on standby to enable whenever I want to see what's going on:
add disabled=yes prefix="IPSEC: " topics=ipsec,!packet
If it helps, here's my starting template when setting up a sit...
by tippenring
Fri May 11, 2018 5:00 pm
Forum: General
Topic: Can route to internet but not between local Subnets
Replies: 10
Views: 309

Re: Can route to internet but not between local Subnets

You cannot route between subnets by default. That's the point of having different subnets, so the hosts can communicate with those on their subnet but not others. Those dynamic routes that are being made are for Internet access so those subnets can route out to the Internet. If you want 10.0.16.0/2...
by tippenring
Fri May 04, 2018 4:21 pm
Forum: General
Topic: Configuring RB2011 as VPN Remote Access Server
Replies: 3
Views: 211

Re: Configuring RB2011 as VPN Remote Access Server

Look into SSTP VPN, works great for me, very secure and uses certificates
I second this recommendation. I have several in production now. It's a very simple VPN to set up compared to IPSec client-type connections.
by tippenring
Thu Apr 26, 2018 11:12 pm
Forum: General
Topic: Solutions for cable 1.2km
Replies: 14
Views: 699

Re: Solutions for cable 1.2km

True fiber is much safer in the case of lightning and other voltage surges, but the originally claimed problem of ground voltage differential due to loading is not a problem for ethernet. It should be able to withstand 1500V RMS or 2250 V DC. (not with the el-cheapo-PoE solution found in older Mikr...
by tippenring
Tue Apr 24, 2018 9:12 pm
Forum: General
Topic: Solutions for cable 1.2km
Replies: 14
Views: 699

Re: Solutions for cable 1.2km

Besides the lightning, I'll add that copper between buildings can fall victim to ground potential differentials where the copper becomes a current-carrying electrical path for unequal ground voltage. That cannot happen with ethernet, it is isolated from the equipment using a transformer. The except...
by tippenring
Tue Apr 24, 2018 9:01 pm
Forum: General
Topic: 6.42 attacked??
Replies: 3
Views: 437

Re: 6.42 attacked??

You might want to follow this thread: viewtopic.php?p=655739#p655739
by tippenring
Wed Apr 18, 2018 9:05 pm
Forum: General
Topic: Fasttrack and route marked packets
Replies: 17
Views: 792

Re: Fasttrack and route marked packets

@Sob and @sindy, with all due respect, I love watching you guys argue / "interfere" ;-) I learn so much from you guys, please continue
Fully agree with what @CZFan said.
by tippenring
Wed Apr 18, 2018 9:00 pm
Forum: General
Topic: Solutions for cable 1.2km
Replies: 14
Views: 699

Re: Solutions for cable 1.2km

Besides the lightning, I'll add that copper between buildings can fall victim to ground potential differentials where the copper becomes a current-carrying electrical path for unequal ground voltage. It's not a good idea without real electrical engineering involved. Fiber is definitely the way to go.
by tippenring
Tue Apr 17, 2018 11:17 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 134741

Re: Block Torrents & p2p Traffic 100% working on all versions

I am not an ISP. I manage a company network with BYOD policy.
Well that totally changes my opinion. :-) I thought you were an ISP.

In that case, you get to do whatever you want with the bandwidth that you provide to your employees.
by tippenring
Tue Apr 17, 2018 11:06 pm
Forum: General
Topic: Need HELP on L2TP/IPSEC on VPN
Replies: 14
Views: 496

Re: Need HELP on L2TP/IPSEC on VPN

According to the log (which for some reason was sorted descending by time), phase 1 has succeeded. That's why I've suggested to remove the lifetime from the ph2 proposal.
I only glanced at the log. I hadn't noticed that. Good catch.
by tippenring
Tue Apr 17, 2018 10:57 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 134741

Re: Block Torrents & p2p Traffic 100% working on all versions

I have 100mbps symmetrical. One or two clients doing BitTorrent with a few files to be shared are enough to eat 50+% of the available bandwidth. This is why I mind about p2p!
I've managed networks for a few small ISPs over the years. I admit I don't know your environment at all, so I'm just making ...
by tippenring
Tue Apr 17, 2018 9:38 pm
Forum: General
Topic: Need HELP on L2TP/IPSEC on VPN
Replies: 14
Views: 496

Re: Need HELP on L2TP/IPSEC on VPN

That's phase 2. What about the phase 1 proposals under IPSec > Peers? They all need to agree.

Also, on the IPSec Peer Advanced tab, set Proposal Check to Obey.

I assume you're testing, but don't leave the obsolete algorithms enabled when you're done. Especially null.