Community discussions

Search found 168 matches

by tippenring
Mon Dec 10, 2018 5:17 pm
Forum: General
Topic: Cannot upgrade v6.42.3 to v6.45.3
Replies: 3
Views: 253

Re: Cannot upgrade v6.42.3 to v6.45.3

There is no version 6.45.3.
by tippenring
Thu Nov 15, 2018 12:53 am
Forum: General
Topic: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]
Replies: 16
Views: 929

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]

I just checked Shodan. Shodan only lists 7 devices on the internet listening on port 64312. 6 of them are Torrent DHT nodes.
by tippenring
Thu Nov 15, 2018 12:43 am
Forum: General
Topic: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]
Replies: 16
Views: 929

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]

If you're correct, this would be new exploit code that I haven't yet seen. It isn't a surprise to me that firmware and RouterOS updates don't remove it. I personally find it a little hard to believe that you have what you think you have because you haven't provided anything concrete except a belief ...
by tippenring
Tue Nov 13, 2018 8:45 pm
Forum: General
Topic: High Traffic
Replies: 4
Views: 231

Re: High Traffic

Netinstall is the only foolproof way to resolve a hacked router. You could go through the configuration and remove what appears suspicious (proxies and such), but it is nearly impossible to say with 100% certainty that the router is no longer compromised. Perhaps there is a hidden script that runs e...
by tippenring
Tue Nov 13, 2018 5:50 pm
Forum: General
Topic: Rogue IPV6 DNS advertisement Problem, FISHY situation !
Replies: 7
Views: 246

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

If you really have the IPv6 package disabled, I'm not sure why the MT is using IPv6 at all. However, it isn't important. The packet you captured is a simple ICMPv6. The fe80 address is a link local address (like 169.254.x.x in IPv4).
by tippenring
Tue Nov 13, 2018 5:15 pm
Forum: General
Topic: Rogue IPV6 DNS advertisement Problem, FISHY situation !
Replies: 7
Views: 246

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

See these pcap screenshots. These are DNS queries sent by a Windows 7 machine. Note that it is asking the DNS server for both the A records and AAAA records for google.com. The DNS server dutifully responds to both requests. IPv4 and IPv6 are communication protocols. DNS is a name resolution protocol. ...
by tippenring
Tue Nov 13, 2018 4:41 pm
Forum: General
Topic: Rogue IPV6 DNS advertisement Problem, FISHY situation !
Replies: 7
Views: 246

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

IPv6 and DNS are generally unrelated. A query for a FQDN will return whatever records are assigned to that FQDN. AAAA records are valid DNS records.
by tippenring
Fri Nov 09, 2018 10:47 pm
Forum: Beginner Basics
Topic: The winbox is hard to use
Replies: 12
Views: 731

Re: The winbox is hard to use

How did you go about setting that up? The basics are here: https://wiki.mikrotik.com/wiki/Manual:Winbox They don't really explain sessions though. Connect to your most convenient router with Winbox. Select the windows you'd like to be open each time you connect to any router. I have the log and fir...
by tippenring
Fri Nov 09, 2018 6:58 pm
Forum: Beginner Basics
Topic: The winbox is hard to use
Replies: 12
Views: 731

Re: The winbox is hard to use

I have my Winbox windows pre-defined in my session preferences, so every new session opens with my preferred windows open in exactly the same place and dimensions each time. If a window ends up behind another, I don't go looking for it in the right-hand pane. I navigate to it through the menu again....
by tippenring
Mon Nov 05, 2018 6:01 pm
Forum: Beginner Basics
Topic: Can't copy big files through VPN
Replies: 3
Views: 278

Re: Can't copy big files through VPN

I'd suggest checking MTU. Try lowering it some on each side. PMTUD should take care of this, but it may either not be enabled, or ICMP packet too big messages may not be able to reach the source host. I'll admit it doesn't seem too likely since you get to 80% and compressed large files still make it...
by tippenring
Mon Nov 05, 2018 5:53 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 151
Views: 10374

Re: Blacklist Filter (Development Topic)

OK, now I'll be clear here ;-) Thanks. Will test how much RAM a RB2011 needed. Only with priority 2 or priority 1 + drop.malicious.rsc I'm using the priority 2 list on an RB2011. Memory is fine. I currently have free 74MB of 128MB with ~30k blacklist entries. The RB2011 is more CPU starved when it'...
by tippenring
Fri Nov 02, 2018 4:23 pm
Forum: Wireless Networking
Topic: Mikrotik wi-fi and Iphone = problem
Replies: 60
Views: 26462

Re: Mikrotik wi-fi and Iphone = problem

We stopped using Mikrotik for client wifi several years ago due to connection instability and weak signals vs other brands. We fought with it for a long time. Apple devices are especially troublesome. We still use Mikrotik routers almost exclusively and Mikrotik radios for point to point wifi links ...
by tippenring
Fri Nov 02, 2018 4:13 pm
Forum: General
Topic: SSTP VPN between two MT routers
Replies: 3
Views: 199

Re: SSTP VPN between two MT routers

It seems to me there are details missing in your explanation. SSTP will transit NAT with no problem. You admit this when you say the PCs can ping Mikrotik 2. Based on the information provided, I think there's something else going on unrelated to a NAT device in the middle. /export hide-sensitive is ...
by tippenring
Mon Oct 29, 2018 10:51 pm
Forum: General
Topic: Mikrotik does not support IPSec, L2TP or OpenVPN connections to any VPN provider
Replies: 9
Views: 916

Re: Mikrotik does not support IPSec, L2TP or OpenVPN connections to any VPN provider

I've had a Torguard tunnel up via L2TP/IPSec for a couple of years. No problems. Torguard has a guide.

It may not be the best, but it serves my purpose.
by tippenring
Tue Oct 23, 2018 9:10 pm
Forum: General
Topic: 31 subnet - Not finding an answer to default gateway.
Replies: 16
Views: 725

Re: 31 subnet - Not finding an answer to default gateway.

I spent a few minutes testing. Unfortunately my tests did not result in connectivity either. First I tried my Windows PC. It didn't like a /31 at all and wouldn't let me use it. Then I used a Cisco router and Mikrotik on the same LAN network. I added 10.99.99.0/31 on the Cisco, and 10.99.99.1/31 on ...
by tippenring
Tue Oct 23, 2018 4:51 pm
Forum: General
Topic: 31 subnet - Not finding an answer to default gateway.
Replies: 16
Views: 725

Re: 31 subnet - Not finding an answer to default gateway.

Is the MAC address for x.x.x.30 in your ARP table?
by tippenring
Tue Oct 23, 2018 4:37 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 406

Re: Advanced IP scanners locks up winbox access?

Strange. I manage quite a few routers and have yet to see this behavior. The only other thing I can think of is Winbox 3.18 was released at least in part to resolve an issue with failed logins. I'm betting you're already on 3.18 though.
by tippenring
Tue Oct 23, 2018 3:59 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 406

Re: Advanced IP scanners locks up winbox access?

Are you using RADIUS perhaps?
by tippenring
Thu Oct 18, 2018 5:41 pm
Forum: General
Topic: Unable to login
Replies: 5
Views: 303

Re: Unable to login

I'd suggest posting your firewall config. If you have some kind of blacklisting set of rules, you could very well be hitting them and blocking your own access after a few packets. That's just a thought off the top of my head.
by tippenring
Thu Oct 18, 2018 5:09 pm
Forum: General
Topic: libssh exploit, is Mikrotik affected?
Replies: 5
Views: 707

Re: libssh exploit, is Mikrotik affected?

Is Mikrotik affected by the libssh bug described here? https://arstechnica.com/information-technology/2018/10/bug-in-libssh-makes-it-amazingly-easy-for-hackers-to-gain-root-access/ I am not sure if libssh is used under the hood, it would be great to know one way or the other. Thanks Thanks for aski...
by tippenring
Wed Oct 17, 2018 5:36 pm
Forum: General
Topic: Unable to login
Replies: 5
Views: 303

Re: Unable to login

Good morning, some devices with the 6.43.2 software do not allow me to login. The credentials are correct, in case of error I receive the error "Authentication failed", instead with the right user/pass the process goes into timeout. The problem occurs both with the Winbox, with the telnet and with ...
by tippenring
Thu Oct 11, 2018 4:39 pm
Forum: General
Topic: Can my ISP access my Mikrotik Router and make changes?
Replies: 7
Views: 420

Re: Can my ISP access my Mikrotik Router and make changes?

So you mean they have some exploit in the device that they could gain access anytime?
Depending on your software version, yes, that is correct. See https://blog.mikrotik.com/security/winb ... ility.html

Also, it's a good idea to monitor https://blog.mikrotik.com/security/
by tippenring
Wed Oct 03, 2018 4:07 pm
Forum: General
Topic: Router won't install update
Replies: 7
Views: 452

Re: Router won't install update

As Nescafe mentioned, the log will *probably* tell you why it didn't upgrade. I suspect that's why he asked what other files are on the file system. If you have other packages of a different version, the upgrade may fail.
by tippenring
Mon Oct 01, 2018 9:00 pm
Forum: General
Topic: Winbox Protocol Dissector
Replies: 2
Views: 267

Re: Winbox Protocol Dissector

I loaded up the dissector and captured a small bit of traffic. My understanding from the Cisco article is that it will only work on unencrypted sessions. I believe all newer versions of Winbox use encryption, and my small capture didn't seem to have any readable data. I spent less than 5 minutes try...
by tippenring
Fri Sep 28, 2018 10:38 pm
Forum: Wireless Networking
Topic: Spambots
Replies: 12
Views: 3627

Re: Spambots

by tippenring
Thu Sep 27, 2018 12:45 am
Forum: Beginner Basics
Topic: Router Sending Spam
Replies: 7
Views: 687

Re: Router Sending Spam

In addition to disabling the proxy and socks services, you need to change all passwords (and ideally usernames) for the router as well. Otherwise the attackers will probably log back in and turn on the socks and proxy services again. add action=add-src-to-address-list address-list="port scanners" \ ...
by tippenring
Tue Sep 25, 2018 5:28 pm
Forum: Beginner Basics
Topic: Site to Site IPSec between two Mikrotik Routers
Replies: 7
Views: 499

Re: Site to Site IPSec between two Mikrotik Routers

Glancing over your screenshots, it looks about right for the IPSec. I'd tell you to make sure you exclude the subnets from masquerade or dst-nat, but you aren't getting that far yet.

Can your routers reach each other at all? It looks like they can't.
by tippenring
Tue Sep 25, 2018 5:01 pm
Forum: Beginner Basics
Topic: How to Monitor specific Ip
Replies: 5
Views: 373

Re: How to Monitor specific Ip

Well if this is a site that contains only one host IP it's easy, but if it is something like facebook, with multiple hosts, just mark the connection and then create a log rule on firewall over this connection mark, like so: /ip firewall mangle add chain=forward action=mark-connection new-connection...
by tippenring
Fri Sep 14, 2018 9:47 pm
Forum: Beginner Basics
Topic: How do I connect to IP 0.0.0.0?
Replies: 13
Views: 3530

Re: How do I connect to IP 0.0.0.0?

There it is again. Mention of IPv6. Often times, when I hear about IPv6, someone is saying something about network problems disappearing. I work for a small company with a network of less than 255 devices. I'm having that 0.0.0.0 problem, myself. Would it be worth it to migrate to IPv6? What are th...
by tippenring
Fri Sep 14, 2018 9:38 pm
Forum: General
Topic: DNS Server TTL problem
Replies: 14
Views: 647

Re: DNS Server TTL problem

@tippenring: I'm not admin of RB trying to outsmart DNS domain admin, @alli is.
Dang it. Sorry about that. I don't know why I didn't notice you were not the OP. I read your reply from the context of the OP. No wonder it didn't make sense to me. :-)
by tippenring
Fri Sep 14, 2018 9:35 pm
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 441

Re: Power outage causes specific sites to be blocked

I don't think that is the issue. But it is a great Idea. Our 2 CCR in the area are not parallel. They are actually 150 miles apart. We have a layer 3 switch on the mountaintop separating them with OSPF. We don't use ICMP redirects at all. It looks like this Frontier fiber-----Blanding CCR ------ Ab...
by tippenring
Fri Sep 14, 2018 8:12 pm
Forum: General
Topic: Can't Log in After Upgrade
Replies: 21
Views: 1363

Re: Can't Log in After Upgrade

I'm not a mikrotik master, but I have enough brains to change my credentials after hacking.
Have you tried Winbox 3.18? There's a potential fix there. I just realized you aren't the OP. The OP tried 3.18, but you haven't said you tried it.
by tippenring
Fri Sep 14, 2018 5:52 pm
Forum: General
Topic: Can't Log in After Upgrade
Replies: 21
Views: 1363

Re: Can't Log in After Upgrade

RB3011 running 6.40.9, 2 days ago received "wrong username or password" in winbox. User is not "admin", password is strong enough. LCD touch was disabled. A crack - I think, then netinstall, 6.43, total reconfig (had no backups)... and today I received the same message "wrong username or password". ...
by tippenring
Fri Sep 14, 2018 5:49 pm
Forum: Beginner Basics
Topic: Can't access webfig on WAN
Replies: 10
Views: 710

Re: Can't access webfig on WAN

When a router is defaulted, it normally has a set default config which includes firewall rules. When you first connect, you have the option to retain the config or start clean. I'd have to think you chose to start clean. If you are running pre-6.40.8 or pre-6.42.1, someone may have already hijacked ...
by tippenring
Fri Sep 14, 2018 5:07 pm
Forum: General
Topic: block multicast traffic
Replies: 2
Views: 565

Re: block multicast traffic

/ip firewall filter
  add action=drop chain=input dst-address-type=multicast
by tippenring
Thu Sep 13, 2018 6:52 pm
Forum: General
Topic: DNS Server TTL problem
Replies: 14
Views: 647

Re: DNS Server TTL problem

It is up to domain administrator to decide how long TTL is the best one for her domain. If she has really good reason for setting short TTL then it's probably counter-productive if caching DNS server administrator (e.g. @alli) tries to out-smart her. Because it's quite probable that caching DNS adm...
by tippenring
Thu Sep 13, 2018 6:27 pm
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 441

Re: Power outage causes specific sites to be blocked

Here's a different possible cause to look at. I believe you've described your network as having two parallel border CCR routers. Is that correct? If so, when the power returns, could one router be the default gateway for your network, but actually be routing the traffic to the other border router (a...
by tippenring
Wed Sep 12, 2018 4:46 am
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 441

Re: Power outage causes specific sites to be blocked

I'll take a look and post them without sensitive configs. Too bad I can't use the Mikrotik auto remove sensitive on saved backups.
You don't necessarily need to post them. Just load the before and after in notepad++ and do a compare.
by tippenring
Wed Sep 12, 2018 4:25 am
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 441

Re: Power outage causes specific sites to be blocked

Right now we are using the CCR that was causing the issue to pass traffic. The only thing that changed to get it to start working was to restore a config file from before the power outage.
What was different between the two configs? That's an easy thing to look at.
by tippenring
Wed Sep 12, 2018 3:57 am
Forum: General
Topic: RouterOS ISP identifier
Replies: 10
Views: 475

Re: RouterOS ISP identifier

I'm pretty rusty on internet records, but I'm thinking what you're looking for might be PTR DNS records, which your ISP has to set up. Either that, or the IP block you have needs updated with your RIR. I believe your upstream should be able to do that also. I'm sure someone will come along shortly t...
by tippenring
Tue Sep 11, 2018 1:12 am
Forum: General
Topic: DMZ like firewalls on Mikrotik [SOLVED]
Replies: 11
Views: 655

Re: DMZ like firewalls on Mikrotik [SOLVED]

Similarly, our standard starting config contains an address list named whitelist.mgmt where we designate any management subnets. The first rule of the firewall permits the management traffic. The second removes all the default firewall rules, then the rest of our standard ruleset is pasted in. /ip f...
by tippenring
Mon Sep 10, 2018 6:36 am
Forum: Beginner Basics
Topic: UDP Broadcast from my Windows Server [SOLVED]
Replies: 6
Views: 386

Re: UDP Broadcast from my Windows Server [SOLVED]

If you use Winbox to connect to the router via MAC address rather than IP, Winbox sends the packets to the IP broadcast address of the subnet on that UDP port.

https://wiki.mikrotik.com/wiki/Manual:I ... _and_ports
by tippenring
Fri Sep 07, 2018 1:14 am
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 306

Re: Windows 2016 DC requesting lots of IPs from DHCP?

If an IP in the DHCP range is in-use but the DHCP server has no lease for it, Mikrotik will mark it as in-use and try the next IP. Microsoft will give out the in-use IP. Example: Client buys a payment terminal, printer or whatever. The vendor plugs it in, the device gets a dynamic IP. Vendor goes a...
by tippenring
Thu Sep 06, 2018 10:12 pm
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 306

Re: Windows 2016 DC requesting lots of IPs from DHCP?

Why wouldn't you let your DCs be the DHCP server rather than the router? You have redundancy with 2 DCs.
by tippenring
Thu Sep 06, 2018 10:11 pm
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 306

Re: Windows 2016 DC requesting lots of IPs from DHCP?

... and for proxy-arps which pass packets from one subnet to another and "eat" DHCP IPs. proxy-arp is my thought as well. Probably at the vmware level. Your Windows server NIC is a virtual NIC. It isn't physically connected to the LAN. However, your physical host is. Its virtual switch is connec...
by tippenring
Thu Sep 06, 2018 4:13 pm
Forum: General
Topic: Mikrotik output traffic to the 25 port
Replies: 6
Views: 249

Re: Mikrotik output traffic to the 25 port

so just disable it and that's all, or smth more needed?) thanks Maybe. If you haven't changed the credentials (all of them) for the router, then an attacker still has your user list. If you disable your firewall rules preventing access from the internet, they'll log in again and set it up again. It...
by tippenring
Thu Aug 30, 2018 4:20 pm
Forum: Beginner Basics
Topic: RB3011UiAS Password was changed?
Replies: 10
Views: 471

Re: RB3011UiAS Password was changed?

Yes :(
No. Or "not necessarily" anyway.
And how do you log in with a lost password??

Sent from Tapatalk
I'll bet he/she was alluding that the OP may have a version susceptible to the credential theft bug, so the OP could simply download their creds from the router in clear text and log in.
by tippenring
Thu Aug 30, 2018 4:11 pm
Forum: Beginner Basics
Topic: RB3011UiAS Password was changed?
Replies: 10
Views: 471

Re: RB3011UiAS Password was changed?

I never understand the big deal of these "lost access" posts. Why not wipe, reinstall, and restore your backup? It takes just a few minutes.
by tippenring
Tue Aug 28, 2018 6:37 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 151
Views: 10374

Re: Blacklist Filter (Development Topic)

Dave, Still very interested in learning how to set up a honeypot to collect addresses. Even if you are not to the point to accept other people's honeypot lists, could you do a brief write up to teach us the best way to set up a honeypot? Thanks! Here are a couple of Honeypot projects from my notes. I...
by tippenring
Tue Aug 28, 2018 6:34 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 151
Views: 10374

Re: Blacklist Filter (Development Topic)

Unfortunately, I don't have IPv6 yet. The system is designed for it, but I have no routers in IPv6 networks that I can test with. My home internet supports it, but it's so unstable, I don't bother with it. Have you seen HE's free IPv6 tunnel https://tunnelbroker.net/? I've had one up for nearly a y...