Community discussions

MikroTik App

Search found 305 matches

  • 1
  • 2
by tippenring
Fri Dec 04, 2020 1:12 am
Forum: General
Topic: Two IPSEC channels problem
Replies: 8
Views: 342

Re: Two IPSEC channels problem

I've been running 7.1beta2 on a 4011 for several months. I don't have any IKEv2 tunnels though. I'll upgrade to 7.1beta3 and configure an IKEv2 tunnel tomorrow and see if I have any problems.
by tippenring
Fri Dec 04, 2020 12:34 am
Forum: General
Topic: Two IPSEC channels problem
Replies: 8
Views: 342

Re: Two IPSEC channels problem

That is strange to me too. Thanks you very much for info! I'll file a ticket with Support, it could be a firmware issue.
A bug in RouterOS is fairly unlikely, but can't be completely ruled out. What version are you running?
by tippenring
Fri Dec 04, 2020 12:04 am
Forum: Beginner Basics
Topic: Firewall Rules Check
Replies: 13
Views: 472

Re: Firewall Rules Check

Your firewall rules are too permissive for my taste, but all that matters is the level of risk the organization is willing to accept. Your rule add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587,465 log=yes log-prefix=Spammers_DropConnectionsInSpammersList_ protocol=tcp sr...
by tippenring
Thu Dec 03, 2020 6:04 pm
Forum: Beginner Basics
Topic: Firewall Rules Check
Replies: 13
Views: 472

Re: Firewall Rules Check

IMHO, the most important thing for OP to be aware of is that he/she has an unidentified, uncontrolled, and likely compromised device connected to his/her network. If it is like most home networks, the device has potential to be an attack vector to compromise many other devices on the same network. R...
by tippenring
Thu Dec 03, 2020 1:00 am
Forum: General
Topic: DDOS ATTACK
Replies: 14
Views: 913

Re: DDOS ATTACK

I'm assuming the DDOS is quite successful since we haven't heard back from the OP. :-)
by tippenring
Sat Nov 21, 2020 1:08 am
Forum: General
Topic: new Winbox Log window truncation of messages (need change)
Replies: 7
Views: 287

Re: new Winbox Log window truncation of messages (need change)

I like how there's something obviously wrong and people still defend it, saying that it's actually ok, and suggesting more or less complicated and not always practical workarounds. ;) Fair enough. I was more or less commenting on my personal use cases and what I would do in the situation, rather th...
by tippenring
Sat Nov 21, 2020 12:16 am
Forum: General
Topic: new Winbox Log window truncation of messages (need change)
Replies: 7
Views: 287

Re: new Winbox Log window truncation of messages (need change)

Word wrap wouldn't be valuable for me either. Besides Znevna's comments, I would suggest that you can double-click on a log event so the full content is displayed in a properties box. You can also fire up a syslog daemon on the PC you're using for admin and send log events there. That gives the adde...
by tippenring
Fri Nov 13, 2020 5:41 pm
Forum: General
Topic: INVALID-ID IKEv1 Cisco ASA
Replies: 14
Views: 459

Re: INVALID-ID IKEv1 Cisco ASA

Phase 1 is failing. You need to focus on your device IDs. On the Cisco ASA, it is as follows: ASA(config)# tunnel-group <peer IP> ipsec-attributes ASA(config-tunnel-ipsec)# isakmp identity ? configure mode commands/options: address Use the IP address of the interface for the identity auto Identity a...
by tippenring
Fri Nov 13, 2020 5:32 pm
Forum: Beginner Basics
Topic: Looking for guides to mikrotik router gui
Replies: 3
Views: 151

Re: Looking for guides to mikrotik router gui

You just got your CCNA. Congrats. I'm guessing you have very little real-word experience. The CCNA is a great course that covers a lot of the basics of networking. While it focuses on building familiarity with Cisco products, the concepts translate to all vendors. If you learned to "think like a pac...
by tippenring
Thu Nov 12, 2020 7:01 pm
Forum: General
Topic: IPSec is working - now how should I have done it?
Replies: 9
Views: 553

Re: IPSec is working - now how should I have done it?

I love GRE for Mikrotik to Mikrotik IPSec tunnels. /interface gre add allow-fast-path=no ipsec-secret=<PSK> local-address=<local DDNS hostname>.sn.mynetname.net *OR* <local public IP> name=<tunnel name> remote-address=<remote DDNS hostname>.sn.mynetname.net *OR* <remote public IP> Then /ip address a...
by tippenring
Thu Nov 12, 2020 6:44 pm
Forum: General
Topic: INVALID-ID IKEv1 Cisco ASA
Replies: 14
Views: 459

Re: INVALID-ID IKEv1 Cisco ASA

Getting IPsec to work between devices of different manufacturers is difficult, getting it to work between different devices under different management is almost impossible. In general, I agree with the sentiment. If I manage both sides, I can usually get an IPSec tunnel functional in about 15 minut...
by tippenring
Thu Nov 12, 2020 12:23 am
Forum: General
Topic: Firmware upgrade need or leave it
Replies: 6
Views: 374

Re: Firmware upgrade need or leave it

[clap] That was an excellent explanation. You may drop the mic now.
by tippenring
Tue Nov 10, 2020 5:35 pm
Forum: General
Topic: Route within the same network [SOLVED]
Replies: 7
Views: 298

Re: Route within the same network [SOLVED]

I think you may be looking for
/interface bridge settings
set use-ip-firewall=yes
That should cause the bridged traffic to be subject to firewall rules.
by tippenring
Mon Nov 09, 2020 10:24 pm
Forum: Beginner Basics
Topic: DNS Cache Setup - Allow-remote-requests
Replies: 5
Views: 224

Re: DNS Cache Setup - Allow-remote-requests

Your rule "add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN" requires your interface list "LAN" to be configured correctly, and the rule must be appropriately positioned in the input chain rule order. If the conditions are correct, it will drop all t...
by tippenring
Mon Nov 09, 2020 6:37 pm
Forum: General
Topic: INVALID-ID IKEv1 Cisco ASA
Replies: 14
Views: 459

Re: INVALID-ID IKEv1 Cisco ASA

I think you have at least 2 different problems. I have configured many Cisco router and ASA to Mikrotik IPSec VPNs. With IPSec, both sides need to agree on the source and destination IP addresses to be encrypted (there are certain exceptions, but they are not predictable so it is easier to ensure bo...
by tippenring
Fri Oct 23, 2020 5:31 pm
Forum: General
Topic: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.
Replies: 18
Views: 1183

Re: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.

Unfortunately that is inconclusive. The CVE says "6.41.3 through 6.46.5, and 7.x through 7.0 Beta5" which would potentially include 6.46.1. Unfortunately I've never seen MT publish their software development hierarchy so I'm not sure. Additionally, they haven't posted any further details at https:/...
by tippenring
Fri Oct 23, 2020 1:23 am
Forum: General
Topic: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.
Replies: 18
Views: 1183

Re: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.

Please confirm 6.46.1 (stable) is unaffected. Unfortunately that is inconclusive. The CVE says "6.41.3 through 6.46.5, and 7.x through 7.0 Beta5" which would potentially include 6.46.1. Unfortunately I've never seen MT publish their software development hierarchy so I'm not sure. Additionally, they...
by tippenring
Thu Oct 22, 2020 11:18 pm
Forum: Beginner Basics
Topic: IPIP Routing
Replies: 7
Views: 276

Re: IPIP Routing

This looks like a school project. Are you trying to cheat on the test? :-) First, based on your diagram and your routes, I don't see an obvious reason why return traffic (from router3 to router1) would not follow the IP tunnel path. It is a bit confusing though, so I could be mistaken. What leads yo...
by tippenring
Thu Oct 22, 2020 9:11 pm
Forum: General
Topic: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.
Replies: 18
Views: 1183

Re: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.

Does absolutely nothing. "No results found" in 0.1ms
That's usually a good thing. It means Shodan didn't find any open ports when it scanned the IP(s) that you searched for.

Shodan doesn't scan all ports, so it isn't foolproof, but it is a great place to start.
by tippenring
Thu Oct 22, 2020 9:08 pm
Forum: General
Topic: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.
Replies: 18
Views: 1183

Re: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.

The obvious one LOL Go check Shodan for your public IP space to see what they've discovered. That isn't at all obvious. I just ran a search with an incognito browser and not logged in to Shodan and didn't have a problem. The point of the post is to raise awareness that the Trickbot ransomware group...
by tippenring
Thu Oct 22, 2020 6:01 pm
Forum: General
Topic: mikrotik after isp router
Replies: 2
Views: 165

Re: mikrotik after isp router

Add a route on the ISP router that sends traffic destined for 172.168.1.0/24 to ether3. You may need to enable proxy-arp on the Mikrotik interface connected to ISP router port 3. You could potentially also add a static route on your PC for 172.168.1.0/24 pointing at the public interface of the Mikro...
by tippenring
Thu Oct 22, 2020 5:38 pm
Forum: General
Topic: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.
Replies: 18
Views: 1183

Re: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.

Okay so WTF do I do at that site.......... it tells me nothing other than to sign up for an account and then what...............
There are 8 links in the post. Which site do you need help with?
by tippenring
Thu Oct 22, 2020 5:33 pm
Forum: General
Topic: Wildcard DNS
Replies: 15
Views: 825

Re: Wildcard DNS

You provided very little information on what you have tried.

Regex can vary substantially between different types (Perl, Posix, etc). Try something like ".*\.example\.com". That works for me.
by tippenring
Thu Oct 22, 2020 5:08 pm
Forum: General
Topic: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.
Replies: 18
Views: 1183

PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.

As many of you are aware, there is an ongoing attempt to take down Trickbot, the ransomware-as-a-service botnet. This effort started with the US National Security Administration and Microsoft . (It appears that NSA and MS were not coordinating their efforts and that NSA started while MS wasn't ready...
by tippenring
Tue Oct 20, 2020 10:59 pm
Forum: General
Topic: IPSec Asymmetric Routing
Replies: 5
Views: 216

Re: IPSec Asymmetric Routing

Do you manage all 4 routers? If so, perhaps you could use GRE+IPSec. You get the IPSec, and you also get interfaces that can be used for routing.
by tippenring
Mon Oct 19, 2020 6:24 pm
Forum: Beginner Basics
Topic: Ilo4 Access over Internet trough Mikrotik Router Firewall
Replies: 5
Views: 400

Re: Ilo4 Access over Internet trough Mikrotik Router Firewall

There are many decisions to make when implementing a VPN solution. Here's some documentation on VPN options and configurations: https://wiki.mikrotik.com/wiki/Category:VPN
by tippenring
Fri Oct 16, 2020 10:24 pm
Forum: Beginner Basics
Topic: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?
Replies: 8
Views: 396

Re: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

No, you don't need 2 physical cables. You can configure 2 VLANs on the same physical port. Of course your switch and gateway router must support VLANs as well in that case. You might be able to put 2 IPs on the same interface and route through the IPSec policies that way as well. I haven't done that...
by tippenring
Thu Oct 15, 2020 5:37 pm
Forum: General
Topic: router SSTP VPN Client connects and pings but does not route to JRC VPN
Replies: 21
Views: 565

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Is there a way to export the config in just plain text? As tdw said: The best way to provide information is to post the output of /export hide-sensitive in a code block (the [] icon in the toolbar when posting in the forum) rather than screen shots which don't give the full picture. Mikrotik router...
by tippenring
Thu Oct 15, 2020 5:24 pm
Forum: Beginner Basics
Topic: Ilo4 Access over Internet trough Mikrotik Router Firewall
Replies: 5
Views: 400

Re: Ilo4 Access over Internet trough Mikrotik Router Firewall

I'd suggest making a VPN connection to the router, then accessing the iLo that way. It will probably be more reliable and secure. If you do not wish to use a VPN and instead prefer to expose the iLo to the internet, please configure appropriate firewall rules to only allow access from trusted source...
by tippenring
Thu Oct 15, 2020 1:28 am
Forum: General
Topic: router SSTP VPN Client connects and pings but does not route to JRC VPN
Replies: 21
Views: 565

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Yes I made the change but no change in the results Can still ping remote lan from TERMINAL but not from router board LAN 192.168.88.0/24 thanks, John I suspect that your ping destination host is receiving your ping request, and is replying. A packet capture on the destination host will confirm that...
by tippenring
Thu Oct 15, 2020 1:25 am
Forum: General
Topic: router SSTP VPN Client connects and pings but does not route to JRC VPN
Replies: 21
Views: 565

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

You probably want the static route to be 192.168.5.0/24 via 192.168.5.10. The JRC vpn interface is dynamic and will disappear when it is down, causing your route to change to a next hop value of unknown, and it will not recover. Setting the next hop to an IP will simply disable the route when the t...
by tippenring
Thu Oct 15, 2020 12:29 am
Forum: General
Topic: Site to site VPN
Replies: 2
Views: 174

Re: Site to site VPN

In addition to the above, I see this frequently when one side has PFS enabled and the other doesn't.
by tippenring
Thu Oct 15, 2020 12:25 am
Forum: General
Topic: router SSTP VPN Client connects and pings but does not route to JRC VPN
Replies: 21
Views: 565

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

You probably want the static route to be 192.168.5.0/24 via 192.168.5.10. The JRC vpn interface is dynamic and will disappear when it is down, causing your route to change to a next hop value of unknown, and it will not recover. Setting the next hop to an IP will simply disable the route when the tu...
by tippenring
Wed Oct 14, 2020 9:54 pm
Forum: General
Topic: Ansible playbook error [SOLVED]
Replies: 4
Views: 456

Re: Ansible playbook error [SOLVED]

<mt398> Failed to connect to the host via ssh:
<mt417> Failed to connect to the host via ssh:
Do you think the error messages are incorrect? If so, why do you think that?
by tippenring
Wed Oct 14, 2020 9:52 pm
Forum: General
Topic: Ansible playbook error [SOLVED]
Replies: 4
Views: 456

Re: Ansible playbook error [SOLVED]

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible.module_utils.connection.ConnectionError: timeout value 10 seconds reached while trying to send command: /system resource print It would appear perhaps that the SSH connection failed. If it conne...
by tippenring
Tue Oct 13, 2020 5:17 pm
Forum: General
Topic: Updating from 6.28
Replies: 4
Views: 233

Re: Updating from 6.28

That's very old, lots of security holes, metinstall is your friend If these devices have the Winbox port exposed to the internet, then I would assume they are compromised. I would make the trip to netinstall them along with evaluating the networks behind them to see if they are compromised as well....
by tippenring
Wed Oct 07, 2020 9:53 pm
Forum: General
Topic: Send all Vlan Traffic back though the Core Router
Replies: 2
Views: 459

Re: Send all Vlan Traffic back though the Core Router

In typical modern network design, your core should be engineered to simply forward packets as quickly as possible. Filtering and traffic manipulation should be kept to a minimum if not completely eliminated. This allows the the best efficiency and scalability of network resources. You might look at ...
by tippenring
Tue Oct 06, 2020 11:16 pm
Forum: General
Topic: Weird traffic
Replies: 6
Views: 359

Re: Weird traffic

You could add a rule such as
add chain=input action=drop dst-address-type=broadcast
. You might experience some other side effects though, so be prepared to correct any unforeseen issues.
by tippenring
Fri Oct 02, 2020 12:12 am
Forum: Beginner Basics
Topic: Inner DNS server doesn't resolve domain names for hotspot users
Replies: 15
Views: 512

Re: Inner DNS server doesn't resolve domain names for hotspot users

I know that captive portals depend on DNS and that could be the reason that all traffic goes through router. It controls that user would be authorized to go to the Internet, it doesn't resolved any domain name unless you're authenticated. If we open our DNS server to hotspot users there won't be an...
by tippenring
Thu Oct 01, 2020 11:13 pm
Forum: Beginner Basics
Topic: Inner DNS server doesn't resolve domain names for hotspot users
Replies: 15
Views: 512

Re: Inner DNS server doesn't resolve domain names for hotspot users

Well there is a question is it predefined by developers (standards?) that hotspot users won't be able to reach a DNS server inside the other subnet or there is a chance to change a DNS server once a user authenticated. The packets definitely go through a router first. If you mean predefined as in h...
by tippenring
Thu Oct 01, 2020 9:31 pm
Forum: Beginner Basics
Topic: Inner DNS server doesn't resolve domain names for hotspot users
Replies: 15
Views: 512

Re: Inner DNS server doesn't resolve domain names for hotspot users

The clients aren't just "taking" the ISP DNS. They are being configured with it one way or another. The two most common methods are static configuration or DHCP. On one of your hotspot clients, try this: "nslookup google.com 192.168.10.252" . That should resolve. If it doesn't, I'd start with analyz...
by tippenring
Thu Oct 01, 2020 8:22 pm
Forum: Beginner Basics
Topic: Inner DNS server doesn't resolve domain names for hotspot users
Replies: 15
Views: 512

Re: Inner DNS server doesn't resolve domain names for hotspot users

To what IP are the hotspot clients sending DNS queries? Where did they learn of the DNS server they are sending queries to? DHCP perhaps?
by tippenring
Wed Sep 23, 2020 11:07 pm
Forum: General
Topic: [FEATURE REQUEST] User Interface Overhaul?
Replies: 10
Views: 681

Re: [FEATURE REQUEST] User Interface Overhaul?

I also agree that the GUI of Winbox is extremely intuitive (also agreeing than bridges, switches, and VLANs are the exception). The structure is very logical, and how they efficiently cram almost all available options into the GUI is pretty impressive overall. I come from 20 years of Cisco, HP, and ...
by tippenring
Fri Sep 11, 2020 2:53 am
Forum: General
Topic: Very annoying VoIP affecting bug in latest 6.47.x Router OS
Replies: 6
Views: 366

Re: Very annoying VoIP affecting bug in latest 6.47.x Router OS

Thanks for the heads up on the issue. I can understand your frustration. However, it seems to me the injury is at least partly self-inflicted. I won't go into change management and lab test procedures. I'll just say that it sounds to me like you pushed out updated software without testing your traff...
by tippenring
Thu Sep 03, 2020 5:55 pm
Forum: General
Topic: Second usable IP in /29 does not work
Replies: 2
Views: 224

Re: Second usable IP in /29 does not work

You are confusing routing with bridging. First, I would highly recommend not putting a server directly on the internet unless you are well aware of the risks. If after assessing the risks you still would like to connect a server directly to the internet, you'll need to set up a bridge interface with...
by tippenring
Sun Aug 30, 2020 4:40 am
Forum: General
Topic: Is there a website where I can put my example configs?
Replies: 3
Views: 281

Re: Is there a website where I can put my example configs?

I would also suggest considering www.github.com.
by tippenring
Wed Aug 26, 2020 6:22 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4922

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

5. Yes. The client has to decide how much they want to invest in their security posture. It is ultimately up to them. My job is to advise them of their options, risks, etc, so they can make informed decisions. I've been involved in the security planning and execution for a number of large companies...
by tippenring
Wed Aug 26, 2020 5:18 pm
Forum: Beginner Basics
Topic: HOW TO ADD GRANDSTREAM IP PHONE TO MIKROTIK ROUTEROS
Replies: 4
Views: 2359

Re: HOW TO ADD GRANDSTREAM IP PHONE TO MIKROTIK ROUTEROS

hi,

any ideas on this thread? I'm currently having the same issue

regards,
You should start a new thread. This one is old and the OP posted no useful information.

Explain in detail what issue you're having, and for the fastest response, post the output of
export hide-sensitive
by tippenring
Wed Aug 26, 2020 4:50 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4922

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

Agreed, and I don't think a router should be expected to incorporate this functionality. I think it ends up asking 1 device to do too much, and complicates administration and management. I perfer standalone devices for packet-inspection functionality where required. I question your arguments :-) 1)...
by tippenring
Wed Aug 26, 2020 4:22 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4922

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

>The organizations that don't do this are the ones that you read about every day where the entire network infrastructure is encrypted for a ransom. Isn't that usually by an exploit in the OS and/or users unwittingly installing the ransomware software? Not a compromised network? Indeed, in current t...
by tippenring
Wed Aug 26, 2020 1:14 am
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4922

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

I would also like to add one reason why MikroTik is rarely seen in enterprises: security audits. You simply can not ship network device with 20 different services, many of which are proprietary, active by default (winbox, ssh, telnet, ftp, www, api, mac telnet/winbox/ping server, etc) and expect it...
by tippenring
Tue Aug 25, 2020 6:22 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4922

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

On the other hand you have sometimes hard limits in functionality. You simply can't control in Mtik, who is allowed to post in F*book and who shall only read. Or at least not out of the box. That continues with many protocols of industrial control systems. Just to give some examples. That applicati...
by tippenring
Tue Aug 25, 2020 5:09 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4922

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

For any government bureaucracy and especially in the IT world the number one concern is Timely SUPPORT ... price ... and ... Timely SUPPORT . From a Features/Capability and SUPPORT Perspective === MikroTik cannot compete in the league of HP ARUBA, Ruckus, FortiNet, PaloAlto, CISCO, JUNIPER or Ubqui...
by tippenring
Thu Aug 20, 2020 6:12 pm
Forum: Beginner Basics
Topic: Remote Management Access using Public IP
Replies: 11
Views: 1248

Re: Remote Management Access using Public IP

While best practice would be to add a second layer of security by implementing a VPN, I tend not to use a VPN out of convenience. I create an address list called "net.mgmt" in which I add my known public IP allocations such as office and colo where I would normally be logging in from. I also add a D...
by tippenring
Mon Aug 17, 2020 4:57 pm
Forum: General
Topic: Per Connection Classiefier (PCC) blocks incomming FaceTime calls
Replies: 34
Views: 2639

Re: Per Connection Classiefier (PCC) blocks incomming FaceTime calls

For a SIP call, there are a few things to be aware of. The initial SIP management stream, usually in the UDP 5060-5062 range, is like a control channel. The peers authenticate and manage signaling over this path. When there is a call, RTP is typically used. The peers negotiate the RTP peer IPs and p...
by tippenring
Tue Aug 11, 2020 8:15 pm
Forum: General
Topic: potential vulnerability: error unknown msg on OVPN server
Replies: 3
Views: 1517

Re: potential vulnerability: error unknown msg on OVPN server

The IP space is allocated to https://censys.io/ censys.io . Censys is a well-known network security organization. They run many scans across the internet like Shodan. Good catch that you're seeing this. My guess is that Censys has found or is aware of a potential vulnerability. If so, they would be ...
by tippenring
Wed Aug 05, 2020 7:06 pm
Forum: General
Topic: MAC telnet from terminal stopped working in new versions
Replies: 11
Views: 3079

Re: MAC telnet from terminal stopped working in new versions

I suspect this issue may be related to the (unannounced as far as I have found) change to the MAC Telnet Server and MAC Winbox Server configuration. The new default configuration at Tools > MAC Server > MAC Telnet Server and Tools > MAC Server > MAC Winbox Server defines interface list "LAN" as the ...
by tippenring
Wed Aug 05, 2020 6:25 pm
Forum: General
Topic: Gre with IPsec - Only One tunnel builds [SOLVED]
Replies: 16
Views: 3371

Re: Gre with IPsec - Only One tunnel builds [SOLVED]

At first, you need to understand that the MikroTik GRE/IPsec tunnel is not going to work with a dynamic address. So when your remote office IP is really dynamic (vs just a static IP that is assigned via DHCP) it is not advisable to use GRE/IPsec. While I don't disagree that a client/server configur...
by tippenring
Sat Aug 01, 2020 1:08 am
Forum: General
Topic: DNS resolution vulnerability -
Replies: 5
Views: 1278

Re: DNS resolution vulnerability -

The drop rules didnt register much activity from the first location scans. They register a dozen packets when scanned from nmap client2 Perhaps your first nmap location isn't sending DNS requests directly to your router as you think. Perhaps they are being captured by a NGFW for inspection, or a ho...
by tippenring
Fri Jul 31, 2020 10:43 pm
Forum: General
Topic: DNS resolution vulnerability -
Replies: 5
Views: 1278

Re: DNS resolution vulnerability -

Is your nmap scan running on a host on the LAN side of the router? While I think your router DNS server shouldn't reply internally because you have allow-remote-request=no, perhaps it is replying anyway.

Do your drop DNS request rules applied to the interface list WAN get any hits?
by tippenring
Thu Jul 30, 2020 12:31 am
Forum: Beginner Basics
Topic: Looking for guides to mikrotik router gui
Replies: 3
Views: 787

Re: Looking for guides to mikrotik router gui

I don't disagree with what nithinkumar2000 said, other than hiring a vendor part is probably the job you were hired to do. You have a CCNA, but you don't state your experience level in network administration, so I'll assume it is very little. Passing the CCNA basically shows that you have a basic un...
by tippenring
Mon Jul 13, 2020 10:49 pm
Forum: Beginner Basics
Topic: winbox / webfig access broken [SOLVED]
Replies: 3
Views: 926

Re: winbox / webfig access broken [SOLVED]

Hi guys , here I have my new RB4011iGS+ box. I configured it remotele over ssh. Problem is accessing to graphic interface , neither winbox nor webfig finishes loading. Webfig is stuked at "loading ...." and winbox in "loading descriptors" message. I already upgraded firmare to 6.45.9 (long-term). A...
by tippenring
Tue Jun 23, 2020 5:29 pm
Forum: General
Topic: Intermittent loss of packets.............argg
Replies: 28
Views: 4847

Re: Intermittent loss of packets.............argg

When you disable the drop rule, pings that exceed the packet rate defined by "limit=" do not match that rule, but are never dropped. The last rule is an inherent permit any, so the packets that don't match the limit rule are still permitted. That is likely why you think disabling the drop rule fixes...
by tippenring
Sat Jun 20, 2020 1:28 am
Forum: General
Topic: Stop making customers lab rats
Replies: 47
Views: 8776

Re: Stop making customers lab rats

Another 5 still pending investigation with lots of packet loss and 3 just quit working out of warranty.
I'm curious, on your routers experiencing packet loss, do you have a firewall rule that drops invalids in the forward chain? If so, I'd be curious to see what happens if you disable that rule.
by tippenring
Sat Jun 20, 2020 1:26 am
Forum: General
Topic: Stop making customers lab rats
Replies: 47
Views: 8776

Re: Stop making customers lab rats

Reality is: Mikrotik should do a better job at quality control. A lot better. I am in far from a big Mikrotik client with around ~ 100 routers and ~200 access points, but still I had to RMA close to 10 routers for various reasons, ranging from DoA to flapping ports and mysterious crashes. Another 5...
by tippenring
Sat Jun 20, 2020 12:56 am
Forum: General
Topic: IPsec (in)security: phase2 pfs-group
Replies: 4
Views: 1059

Re: IPsec (in)security: phase2 pfs-group

In my experience with traditional IPSec site-to-site tunnels, when PFS group doesn't match on both peers, the tunnel can be brought up in only one direction. The reverse direction will always fail. I don't recall which condition was which though. I imagine the side with better PFS would downgrade to...
by tippenring
Sat Jun 20, 2020 12:35 am
Forum: General
Topic: Stop making customers lab rats
Replies: 47
Views: 8776

Re: Stop making customers lab rats

I've given my input, I know my limitations when it comes to using MT (barely good enough to deploy at home), takes others longer to figure it out I guess. By the posts and advice you write I believe your knowledge of MT could be used in some companies :D :-) Yes, I think anav underestimates his ski...
by tippenring
Fri Jun 19, 2020 8:01 pm
Forum: General
Topic: Stop making customers lab rats
Replies: 47
Views: 8776

Re: Stop making customers lab rats

You are absolutely right, that's what I've said in another topic: Mikrotik is NO good for critical environments. For home use, small offices and other, are perfect ! And cheap ! I disagree. Mikrotik is perfectly fine in mission critical environments if the device(s) have the features required for t...
by tippenring
Fri Jun 19, 2020 7:44 pm
Forum: General
Topic: Stop making customers lab rats
Replies: 47
Views: 8776

Re: Stop making customers lab rats

I am not saying that Mikrotik/RouterOS should have ZERO bugs. There is no perfect network equipment (or other type of it&c item). Any vendor releases sometimes update, security patches etc. But flapping ports between Mikrotik switches with Mikrotik cables? What the hell is this ?! I am not talking ...
by tippenring
Fri Jun 19, 2020 7:26 pm
Forum: General
Topic: Stop making customers lab rats
Replies: 47
Views: 8776

Re: Stop making customers lab rats

It doesn't matter because we do not discuss admin abilities. It's about Mikrotik which should do its job right. Please define your standards, because 'doing the job right' is vague and subjective.What does 'doing the job right' mean? Can you provide an example of a company that develops software th...
by tippenring
Fri Jun 19, 2020 6:57 pm
Forum: General
Topic: Stop making customers lab rats
Replies: 47
Views: 8776

Re: Stop making customers lab rats

Network admins don't blindly reboot a switch and upgrade firmware in a mission critical environment.

People with switch credentials that shouldn't have them do that quite often though. Then they don't perform effective troubleshooting, and complain when something doesn't behave as expected.
by tippenring
Fri Jun 19, 2020 5:57 pm
Forum: General
Topic: Network loop?
Replies: 6
Views: 1909

Re: Network loop?

If you don't have any VLANs, then the router is probably not lying to you. You probably have a switch loop somewhere. Your DNS symptom is probably just one of several symptoms you may not have identified yet. The root bridge *probably* doesn't matter in your configuration if you don't have redundant...
by tippenring
Fri Jun 19, 2020 1:51 am
Forum: Beginner Basics
Topic: Hardware advice, small company network
Replies: 4
Views: 939

Re: Hardware advice, small company network

It's not very likely that you have any bad gear. The issues you describe don't exactly match up with bad gear. Even if you do have something bad, if you replace it all and don't understand how it works, you're likely to have just as much trouble with the new equipment. You might have a switch loop i...
by tippenring
Thu Jun 18, 2020 8:12 pm
Forum: General
Topic: Lan security
Replies: 5
Views: 1090

Re: Lan security

There is nothing reliable to authenticate devices other than 802.1x. You can set up MAC filtering, but it is very simple to get around for anyone that wishes to.
by tippenring
Tue Jun 16, 2020 3:25 pm
Forum: General
Topic: [SOLVED] Forwarding traffic to ftp in a tunnel through a specific IP
Replies: 4
Views: 969

Re: Forwarding traffic to ftp in a tunnel through a specific IP

As already stated, it helps to know in detail how FTP works.

That said, why are you using NAT at all for this traffic? It appears that the hosts should be able to communicate without NAT.
by tippenring
Fri Jun 12, 2020 10:42 pm
Forum: General
Topic: IPSec Not connecting between Palo Alto VM300 and RB3011
Replies: 4
Views: 844

Re: IPSec Not connecting between Palo Alto VM300 and RB3011

From that log, b.b.b.b never receives the IKE packet, or b.b.b.b receives the IKE packet and never replies to a.a.a.a. 19:42:57 ipsec ipsec: acquire for policy: c.c.c.c/24 <=> d.d.d.d/16 19:42:57 ipsec ipsec: policy group mismatch, ignoring. If the above 2 lines are related to these 2 peers, it prob...
by tippenring
Fri Jun 12, 2020 5:15 pm
Forum: General
Topic: IPSec Not connecting between Palo Alto VM300 and RB3011
Replies: 4
Views: 844

Re: IPSec Not connecting between Palo Alto VM300 and RB3011

If I'm interpreting the log correctly, it looks like you may have a private IP address (344 bytes from 192.168.40.1[500] to 41.160.185.171[500]) defined as the peer address on that router. 192.168.40.1 should not be trying to connect with 41.160.185.171. 192.168.40.1 should be a public IP.
by tippenring
Thu Jun 04, 2020 7:41 pm
Forum: General
Topic: Why does both L2MTU and MAX-L2MTU exist?
Replies: 11
Views: 2347

Re: Why does both L2MTU and MAX-L2MTU exist?

Your question got me wondering, so I thought I'd go read about it. See https://wiki.mikrotik.com/wiki/Manual:M ... uterBoards.
by tippenring
Mon Jun 01, 2020 10:06 pm
Forum: Beginner Basics
Topic: RTSP "TAB" Settings
Replies: 6
Views: 1317

Re: RTSP "TAB" Settings

Thanks man, yes I can see where a slip of a letter here or there can get one in trouble LOL. Well all I did to be on the safe side is to keep RTSP working on all the trunk ports on the switch itself. I suppose I could remove it from all ports just not sure if its need or not. Now I am thinking abou...
by tippenring
Mon Jun 01, 2020 9:11 pm
Forum: Beginner Basics
Topic: RTSP "TAB" Settings
Replies: 6
Views: 1317

Re: RTSP "TAB" Settings

Hi tippenring, fixed the title for you........ Its all under the RTSP. @CZFAN - are you saying that I should disable RTSP if using vlans? I do not believe there is an option to choose mode and thus what to do?? As far as the other settings they seem automated and not selectable. edge - ports that a...
by tippenring
Mon Jun 01, 2020 5:41 pm
Forum: Beginner Basics
Topic: RTSP "TAB" Settings
Replies: 6
Views: 1317

Re: RTSP Settings

I was totally thrown off by the Real Time Streaming Protocol subject then asking about port states.
by tippenring
Fri May 29, 2020 4:46 pm
Forum: Wireless Networking
Topic: rb4011or rt5300ac
Replies: 14
Views: 2533

Re: rb4011or rt5300ac

I would expect the Asus to have better-performing wireless. I would expect a live action gamer to use a wired connection rather than wireless if millisecond latency and jitter are concerns also.
by tippenring
Thu May 14, 2020 7:37 pm
Forum: General
Topic: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH
Replies: 13
Views: 2682

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Off the top of my head in order of commonality: 1. Exclude VPN traffic from NAT translation. 2. Ensure each VPN peer is the default gateway for its local network. If it isn't, then the default gateway needs a route added that sets the next hop to the remote network as the VPN peer. 3. Ensure each VP...
by tippenring
Tue May 05, 2020 7:31 pm
Forum: General
Topic: A serious issue on RB4011 6.45.8 (WiFi/ DHCP Server)
Replies: 7
Views: 1141

Re: A serious issue on RB4011 6.45.8 (WiFi/ DHCP Server)

In this particular case, your interface bridge-wlan1-home does not have an IP address assigned. Therefore, the DHCP server is unable to be enabled by the system.

I think you want to add:
/ip address
add address=172.16.85.1/24 interface=bridge-wlan1-home
by tippenring
Tue May 05, 2020 6:58 pm
Forum: General
Topic: A serious issue on RB4011 6.45.8 (WiFi/ DHCP Server)
Replies: 7
Views: 1141

Re: A serious issue on RB4011 6.45.8 (WiFi/ DHCP Server)

I don't see where you have assigned any wifi interfaces to bridges, except wlan1. You have DHCP server configurations assigned to the bridges, so I would expect the DHCP server config not to appear red though.
by tippenring
Wed Apr 29, 2020 5:14 pm
Forum: General
Topic: High number of established connections for one address
Replies: 26
Views: 4631

Re: High number of established connections for one address

Hello, i would like to extend this topic further, i have similar situation where lots of connections are established toward my client with 0/0 orig rate and bytes. I see that these connections are established backward only when client established connection to some https server. How i can filter su...
by tippenring
Mon Apr 27, 2020 7:19 pm
Forum: Beginner Basics
Topic: [SOLVED] Whitelist CIDR vs Blacklist
Replies: 2
Views: 1256

Re: [SOLVED] Whitelist CIDR vs Blacklist

One should use caution with blindly trusting a script source. If the source site gets compromised, your router can easily be compromised. A simple example would be if someone compromises the website to return "/system reset-configuration". Anyone that blindly uses "/tool fetch url=http://www.iwik.or...
by tippenring
Sat Apr 25, 2020 12:28 am
Forum: General
Topic: Inter VLAN Firewalling [SOLVED]
Replies: 5
Views: 2034

Re: Inter VLAN Firewalling [SOLVED]

To carry on the idea a bit further, multiple VLANs is about the time I start using jump actions to jump from the forward chain to custom chains such as "vlan 1" and "vlan 2". For example, the address list used in the rule below covers all of my internal production subnets. In this particular case, p...
by tippenring
Thu Apr 23, 2020 7:28 pm
Forum: Wireless Networking
Topic: RB4011iGS+5HacQ2HnD-IN or RB4011iGS+RM with cAP ac
Replies: 4
Views: 1532

Re: RB4011iGS+5HacQ2HnD-IN or RB4011iGS+RM with cAP ac

Thanks for the information. How about the wifi range of 4011? Because it seems powerful with the antennas does the signal drop fast after 1-2 walls? I haven't done any real analysis. I had usable signal on my phone when I was about 100 feet away yesterday. Currently I am about 20 feet (~7 meters) f...
by tippenring
Thu Apr 23, 2020 4:54 pm
Forum: Wireless Networking
Topic: RB4011iGS+5HacQ2HnD-IN or RB4011iGS+RM with cAP ac
Replies: 4
Views: 1532

Re: RB4011iGS+5HacQ2HnD-IN or RB4011iGS+RM with cAP ac

I just upgraded from a 2011 with wifi to a 4011 with wifi last week at home. The 4011 doesn't seem to have the wifi problems that made the 2011 wifi terribly unreliable. So far, I'm quite happy with the 4011. I used a separate AP with the 2011 and disabled the 2011 wifi because it was so unstable. W...
by tippenring
Wed Apr 22, 2020 11:30 pm
Forum: General
Topic: Security: Address(es) of MikroTik update server(s) needed [SOLVED]
Replies: 10
Views: 3215

Re: Security: Address(es) of MikroTik update server(s) needed [SOLVED]

I configure an address-list entry for "download.mikrotik.com". Then I apply that address-list to firewall rules as required.
by tippenring
Wed Apr 15, 2020 4:42 pm
Forum: Beginner Basics
Topic: MikroTik as GlobalProtect VPN Client
Replies: 2
Views: 1436

Re: MikroTik as GlobalProtect VPN Client

An interesting idea. If Global Protect (AFAIK a Palo Alto proprietary VPN service) is as simple as described in the article you link to, you might be able to write a script to pull down the VPN settings via HTTPS, then script the IPSec configuration on the fly. I'm not sure how authentication would ...
by tippenring
Wed Apr 15, 2020 1:04 am
Forum: General
Topic: Security Vulnerabilities
Replies: 13
Views: 2854

Re: Security Vulnerabilities

An authenticated user can crash the console process via a crafted packet.

I'm not seeing a vuln here. I would be much more concerned about an authenticated attacker. An attacker that is authenticated isn't looking to crash the console process.
by tippenring
Tue Apr 07, 2020 6:07 pm
Forum: Beginner Basics
Topic: Mikrotik drops WiFi frequently
Replies: 8
Views: 1947

Re: Mikrotik drops WiFi frequently

The 2011 is well-known to have poor wifi performance. We disabled wifi on all 2011's that we manage around 3 years ago and installed alternate APs. I believe it is due to the wifi chipset myself. Incidentally I had reason to use a 2011 about a week ago for 3-4 days. Even on 6.46, I still had the sam...
by tippenring
Tue Mar 24, 2020 10:52 pm
Forum: General
Topic: How to setup L2TP VPN?
Replies: 20
Views: 3622

Re: How to setup L2TP VPN?

When i disable this rule 12 ;;; defconf: drop all not coming from LAN chain=input action=drop in-interface-list=!LAN Than i can make connection from outside. Tested with mobile and i can Access the router. But i can see on my mobile of i have the same subnet I provided the sample code as a template...
by tippenring
Tue Mar 24, 2020 9:16 pm
Forum: General
Topic: How to setup L2TP VPN?
Replies: 20
Views: 3622

Re: How to setup L2TP VPN?

I posted this in another thread recently. This should be pretty close. It assumes RADIUS, but I'd guess it isn't hard to authenticate against a local database. /ip pool add name=pool.ppp ranges=172.20.0.10-172.20.0.50 /ppp profile add interface-list=ifl.vpn.trusted local-address=172.20.0.1 name=pr.l...
by tippenring
Fri Mar 20, 2020 6:00 pm
Forum: General
Topic: Basic question about L2TP + IPsec VPN
Replies: 13
Views: 3147

Re: Basic question about L2TP + IPsec VPN

I just posted this for Windows in another thread. Here's how to add a VPN tunnel in Windows 10. We push this out via group policy so it is available when users are off the network. Add-VpnConnection -Name "SLHV CNE" -ServerAddress "<URL or IP>" -AllUserConnection:$true -AuthenticationMethod MSChapv2...
by tippenring
Fri Mar 20, 2020 5:50 pm
Forum: Beginner Basics
Topic: L2TP/IPSec and Windows 10 road warriors
Replies: 4
Views: 1741

Re: L2TP/IPSec and Windows 10 road warriors

Here's my template. I think I have everything here, but I might have missed something. /ppp profile add interface-list=ifl.vpn.trusted local-address=172.20.0.1 name=pr.l2tp only-one=yes remote-address=pool.ppp use-encryption=required use-upnp=no /ppp aaa set accounting=no use-radius=yes /radius add ...
by tippenring
Tue Mar 17, 2020 5:05 am
Forum: General
Topic: New WIKI Confluence
Replies: 3
Views: 1525

Re: New WIKI Confluence

The problem with Confluence is it requires editors to be aware of how the hierarchy is structured. People creating documentation don't like to do that, so it will ultimately end up being a single level wiki that is harder to read and find content.
by tippenring
Tue Mar 17, 2020 4:37 am
Forum: General
Topic: Poor Download Speeds CCR1016-12G
Replies: 5
Views: 1890

Re: Poor Download Speeds CCR1016-12G

i don't see any firewall rules in your config. If you have any, try disabling your invalid rule(s). I've been working on a problem where valid traffic fails to match established rules and hits the invalid rule instead.
by tippenring
Fri Mar 13, 2020 5:16 pm
Forum: General
Topic: Looking for POE Access Point Suggestions
Replies: 4
Views: 1524

Re: Looking for POE Access Point Suggestions

By the way: unless You know what You are doing, don't buy an RB2011: they have a very weak CPU. The two ARM ones I posted before will run circles around an RB2011, speed and routing capacity wise. With what You would spend with one RB2011 you could buy 2 ARM ones. That's enough to use one as router...
by tippenring
Fri Mar 13, 2020 5:14 pm
Forum: General
Topic: Packet sniffer : how to stream RTP packets ?
Replies: 5
Views: 1614

Re: Packet sniffer : how to stream RTP packets ?

RTP decode is enabled by default in Wireshark. Are you filtering out the RTP sessions so the RTP packets are not in the capture? RTP ports are negotiated in the SIP session. Sometimes the same ports are negotiated each time, and sometimes the ports are random. It depends upon how the hosts are desig...
by tippenring
Thu Mar 12, 2020 3:27 pm
Forum: Announcements
Topic: Winbox v3.22 released!
Replies: 117
Views: 51873

Re: Winbox v3.22 released!

Dear MT! Would you consider changing the first column in the Log window to the running number? Currently those numbers are from 0 to 999 and when the log is full (all 1000 lines populated) the specific log message will get a new number from the previous log entry with every new entry added. From my...
by tippenring
Wed Mar 11, 2020 10:30 pm
Forum: General
Topic: Coronavirus quarantine impact on network traffic
Replies: 14
Views: 4829

Re: Coronavirus quarantine impact on network traffic

DE-CIX hit a world record yesterday: 9.1 Tbps. The main Swiss ecommerce site has seen display sales double for two days in a row now. More than likely the biggest contributor to the surge in traffic is Call of Duty free battle royal game (Blizzard) and a massive ~80GB update on Rainbow Six Siege (S...
by tippenring
Wed Mar 11, 2020 12:02 am
Forum: General
Topic: Page disappeared in the wiki
Replies: 7
Views: 1867

Re: Page disappeared in the wiki

I noticed another page missing a few days ago. Don't recall which one. I also discovered https://help.mikrotik.com/docs/. The main page states "While the documentation is still being migrated, many additional articles are located in our old documentation portal."
by tippenring
Fri Mar 06, 2020 4:21 pm
Forum: General
Topic: ip-sec between MikroTik and Cisco ASA not passing traffic
Replies: 23
Views: 4457

Re: ip-sec between MikroTik and Cisco ASA not passing traffic

Okay so this is now working. But what is not working is another tunnel (there's 2 configured on our ASA). It seems to be that either one will work, but not together. This seems familiar, but: On the ASA, try a "show crypto ipsec sa peer <peer IP>". Do you have SAs established (it looks like the Mik...
by tippenring
Fri Mar 06, 2020 12:17 am
Forum: General
Topic: ip-sec between MikroTik and Cisco ASA not passing traffic
Replies: 23
Views: 4457

Re: ip-sec between MikroTik and Cisco ASA not passing traffic

Ok. You can probably assume then that your destination on the ASA side is receiving your traffic, but is unable to get return traffic back to you. This may be due to the ASA not being the default gateway for the 10.0.0/24 subnet. It could be that the ASA IPSec peer interface is not the default route...
by tippenring
Fri Mar 06, 2020 12:10 am
Forum: Forwarding Protocols
Topic: WE NEED EIGRP
Replies: 39
Views: 17024

Re: WE NEED EIGRP

I can't imagine devoting the resources to bring up EIGRP. As networks continue to stop being Cisco-exclusive, the demand for EIGRP drops even more. You can run OSPF and EIGRP in parallel if you wish to make a transition to OSPF. I like EIGRP. It is powerful. But to get the best benefits from it, tun...
by tippenring
Thu Mar 05, 2020 11:55 pm
Forum: General
Topic: pppd vulnerable to buffer overflow
Replies: 2
Views: 1923

Re: pppd vulnerable to buffer overflow

In https://www.kb.cert.org/vuls/id/782301/ Mikrotik responded on Feb 14 2020 with "The described issue is with EAP authentication, which RouterOS doesn't support for PPP."
by tippenring
Thu Mar 05, 2020 6:33 pm
Forum: General
Topic: ip-sec between MikroTik and Cisco ASA not passing traffic
Replies: 23
Views: 4457

Re: ip-sec between MikroTik and Cisco ASA not passing traffic

On the ASA, try a "show crypto ipsec sa peer <peer IP>". Do you have SAs established (it looks like the Mikrotik thinks SAs are established from your screenshot)? If so, you should see #pkts encaps and #pkts decaps values > 0. If decaps = 0, then encrypted packets are not being received by the ASA. ...
by tippenring
Thu Feb 27, 2020 6:45 pm
Forum: General
Topic: Packets failing to match established firewall rule [SOLVED]
Replies: 10
Views: 3491

Re: Packets failing to match established firewall rule [SOLVED]

Support replied explaining invalids as follows: The "INVALID" state packets are not only duplicate packets, it means that the packet can't be identified or it does not have determined state in connection tracking (usually - severe out-of-order packets, packets with wrong sequence/ack number, or in c...
by tippenring
Thu Feb 27, 2020 12:01 am
Forum: General
Topic: Packets failing to match established firewall rule [SOLVED]
Replies: 10
Views: 3491

Re: Packets failing to match established firewall rule [SOLVED]

As an update to this thread, the packets in question don't seem to be duplicates. My packet capture consistently shows only one packet, which is being flagged by RouterOS as invalid. This issue came up some time ago with our clients due to poor throughput. At the time it was discovered that packets ...
by tippenring
Tue Feb 25, 2020 12:03 am
Forum: General
Topic: Packets failing to match established firewall rule [SOLVED]
Replies: 10
Views: 3491

Re: Packets failing to match established firewall rule [SOLVED]

Did you try if they match connection-state=invalid? It could be some duplicate packets, but I'm not sure how exactly it works with them. That sir is it. Thanks! The packets are considered invalid for some reason. I don't know why that never occurred to me. Now to run a packet capture to see if I'm ...
by tippenring
Mon Feb 24, 2020 9:27 pm
Forum: General
Topic: Packets failing to match established firewall rule [SOLVED]
Replies: 10
Views: 3491

Re: Packets failing to match established firewall rule [SOLVED]

Theese two log entries have different ports, also connections show different ports. Am I right assuming that each dst/src ip/port combination occurs only once? The 2 log entries showing the ACK packets correspond to the 2 established flows shown on the connections tab above. They are 2 distinct est...
by tippenring
Mon Feb 24, 2020 6:50 pm
Forum: General
Topic: Packets failing to match established firewall rule [SOLVED]
Replies: 10
Views: 3491

Re: Packets failing to match established firewall rule [SOLVED]

Thanks for your comment. I can assure you that these ACKs are packets from established sessions. They are not SYN-ACKs for sessions in the TCP handshake phase, i.e.: in the process of being established. Since the previous screenshot showing established sessions may not have been clear, I just took a...
by tippenring
Mon Feb 24, 2020 4:59 pm
Forum: General
Topic: Packets failing to match established firewall rule [SOLVED]
Replies: 10
Views: 3491

Packets failing to match established firewall rule [SOLVED]

I have a firewall issue that I haven't been able to figure out. I've been going back and forth with support via email on it, but I don't think they are understanding my question. Perhaps the community has some insight. The question is, why are packets failing to match a connection state=established ...
by tippenring
Tue Feb 11, 2020 12:46 am
Forum: Beginner Basics
Topic: DDos Attack (?
Replies: 5
Views: 1698

Re: DDos Attack (?

hello. yes, now it seems that they are port scanning my network's pcs! they have never gone so far.. always with a simple rule of port scanner i stopped the attacks. i comment you that i have a web page in the server, i opened port 443 and 80 for it, but i disabled temporarly and the scan continues...
by tippenring
Mon Feb 10, 2020 10:43 pm
Forum: Beginner Basics
Topic: DDos Attack (?
Replies: 5
Views: 1698

Re: DDos Attack (?

In most cases, you have to go to your upstream provider for assistance with a DDoS-type of attack. Even if you're dropping the packets, they still consume your bandwidth to get to your router, so your circuit is still saturated. You might consider why your network is being attacked. For example, if ...
by tippenring
Sun Feb 09, 2020 6:06 pm
Forum: Forwarding Protocols
Topic: Site to Site VPN: Mikrotik - Cisco
Replies: 7
Views: 14217

Re: Site to Site VPN: Mikrotik - Cisco

As someone else mentioned, debug the IPSEC topic. My default config adds this logging rule. I enable it whenever I want to troubleshoot a tunnel, then disable it when I'm done. /system logging add disabled=yes prefix="IPSEC: " topics=ipsec,!packet Here is a sanitized config I just pulled from a Mikr...
by tippenring
Fri Feb 07, 2020 9:20 pm
Forum: General
Topic: Winbox 3.20 (both 64bit and 32bit) crashing on DNS filter
Replies: 5
Views: 1991

Re: Winbox 3.20 (both 64bit and 32bit) crashing on DNS filter

This is resolved for me in Winbox 3.21 x64 on Win 7.
by tippenring
Thu Feb 06, 2020 12:15 am
Forum: General
Topic: 2 Mikrotik Fails in a week reputation tarnished, major opportunity for MT
Replies: 6
Views: 1255

Re: 2 Mikrotik Fails in a week reputation tarnished, major opportunity for MT

While I also agree with some parts of the original post, I disagree with others. In both scenarios I would have mocked up the entire thing in the lab and tested extensively. There is too much custom and one-off configuration to simply hope it works during deployment. Documentation is quite poor and/...
by tippenring
Mon Feb 03, 2020 7:58 pm
Forum: General
Topic: Winbox 3.20 (both 64bit and 32bit) crashing on DNS filter
Replies: 5
Views: 1991

Re: Winbox 3.20 (both 64bit and 32bit) crashing on DNS filter

I am able to duplicate the issue with Winbox x64.

Edit: I'm using Windows 7.
by tippenring
Wed Jan 29, 2020 6:13 pm
Forum: General
Topic: How is this failover mechanism working??
Replies: 8
Views: 1784

Re: How is this failover mechanism working??

FWIW, this is what I wrote up in my documentation the last time I set redundant providers up a year or two ago. I have a new client where I'm going to go through this again in a couple of days, so if I find any discrepancies, I'll post an update. ----- (Reference: https://wiki.mikrotik.com/wiki/Adva...
by tippenring
Thu Jan 16, 2020 1:03 am
Forum: General
Topic: ipsec tunnel only works when both sides send data [SOLVED]
Replies: 10
Views: 1655

Re: ipsec tunnel only works when both sides send data [SOLVED]

I'd look at keepalive mechanisms. If there is no way for the router to detect a tunnel failure, then it will happily send packets via the tunnel that no longer has a valid security association (SA) until the byte counter or tunnel timer expire. Imagine if router B reboots. It has no knowledge of the...
by tippenring
Mon Dec 23, 2019 8:19 pm
Forum: General
Topic: A lot of TCP Retransmission and TCP Dup ACK
Replies: 4
Views: 2008

Re: A lot of TCP Retransmission and TCP Dup ACK

There isn't quite enough detail to confirm this in your post, but based on the screenshot, my first thought is you are getting duplicate packets 100% of the time. Furthermore, the duplicate packets are arriving extremely quickly, indicating that they aren't really retransmissions. Check to see if yo...
by tippenring
Tue Dec 17, 2019 11:03 pm
Forum: General
Topic: RPKI
Replies: 48
Views: 14049

Re: RPKI

Any idea when ROS 7 will be available for testing? I'm willing to test RPKI for you (IPv6 and IPv4 routes) if you send me the code as soon as it's available ;)
You didn't even try. It took you longer to post this reply than go check. https://www.mikrotik.com/download
by tippenring
Wed Jun 05, 2019 5:29 pm
Forum: General
Topic: Basic traffic prioritization
Replies: 8
Views: 4966

Re: Basic traffic prioritization

I figured I'd post my standard HTB config that I start with. Fasttrack effectively breaks queuing, so I exclude marked packets (this also applies to my mangle rules for IPSec, but that a different example). In this case, I use mangle to mark typical DSCP VOIP traffic, but it can be anything. eth6 is...
by tippenring
Fri Mar 22, 2019 4:15 pm
Forum: Beginner Basics
Topic: Connecting SSTP Client and SSTP Server on MT
Replies: 6
Views: 1106

Re: Connecting SSTP Client and SSTP Server on MT

Your post leaves many unanswered questions, so I'm making a lot of assumptions. I'll start with the basics, and that this is mostly a guess. To summarize: Your SSTP clients in 172.17.0.0/16 connect to MT-CHR (internal IP: 172.17.1.1/16). Then MT-CHR (external SSTP IP: 172.16.16.236) connects as an S...
by tippenring
Wed Mar 06, 2019 6:28 pm
Forum: General
Topic: Port knocking with URL
Replies: 13
Views: 3184

Re: Port knocking alternative

Besides being less practical than nping, I suspected the executable might be malicious. VT Detection ratio: 11 / 70

Check VirusTotal: https://www.virustotal.com/en/file/d81c ... /analysis/
by tippenring
Thu Feb 07, 2019 1:18 am
Forum: Beginner Basics
Topic: New connection added!!solution for load failover [SOLVED]
Replies: 10
Views: 1198

Re: New connection added!!solution for load failover [SOLVED]

I have something very similar to this (https://wiki.mikrotik.com/wiki/Advanced ... _Scripting) working. It seems to work quite well.
by tippenring
Tue Feb 05, 2019 6:43 pm
Forum: General
Topic: MikroTik Bridget network got DDOS
Replies: 4
Views: 870

Re: MikroTik Bridget network got DDOS

I would run at least a RB4011 these days. However, you'll also need to use the raw table to drop as fast as you can. Ultimately, however, you may need upstream (your ISP) support as they will most likely always be able to do it better than your equipment. Agreed. The 2011 is quite old and weak by t...
by tippenring
Tue Feb 05, 2019 6:18 pm
Forum: General
Topic: Windows short name resolution with bridge and firewall [SOLVED]
Replies: 8
Views: 1599

Re: Windows short name resolution with bridge and firewall [SOLVED]

Is there some reason you want to force bridge traffic to be processed by the firewall rules? Based on your description of the network, I doubt you want to do that. I expect you probably just want to apply the firewall rules to traffic that will be crossing trust levels, such as private to public int...
by tippenring
Mon Jan 28, 2019 7:39 pm
Forum: General
Topic: DHCP philosophy - where/what is it best served by?
Replies: 9
Views: 1256

Re: DHCP philosophy - where/what is it best served by?

I manage all aspects of a network. Routers, switches, servers, video, VoIP, and pretty much anything else that gets an IP address. If there is a real server (or servers) on the network, one or more will be handling DNS, DHCP, and pretty much any other client/server type of service. Routers are quite...
by tippenring
Sat Jan 12, 2019 12:36 am
Forum: General
Topic: Filtering Malicious Traffic
Replies: 6
Views: 896

Re: Filtering Malicious Traffic

It really depends on the nature of the malicious traffic that is landing you on blacklists. My guess is it is mail since that's most prevalent. If it is, you could drop all outbound port 25, 465, and 587 from your clients and make them relay mail through your internal mail server. Once you have the ...
by tippenring
Wed Jan 09, 2019 10:29 pm
Forum: Beginner Basics
Topic: gateway confusion
Replies: 2
Views: 574

Re: gateway confusion

Sounds to me like "routers" 2-6 are functioning as bridges rather than routers. They probably have an IP address for management. Are the router IPs all on the same subnet?
by tippenring
Wed Jan 09, 2019 10:14 pm
Forum: General
Topic: Spam filtering - how to improve my antispam system
Replies: 9
Views: 2631

Re: Spam filtering - how to improve my antispam system

Can you please add a post with your blocking rules and ip address list for this solution. Thank you for your time. Here's my process to create a US-based network address list for geofencing. You may wish to name your address list differently of course. 1. Copy the US-based address list here to N++....
by tippenring
Tue Jan 08, 2019 7:57 pm
Forum: Beginner Basics
Topic: Noob firewall question - being brute forced
Replies: 7
Views: 993

Re: Noob firewall question - being brute forced

The above is good advice, but there is something more fundamentally wrong with your situation. That is a lack of information security awareness. It's good that you managed to notice the brute force attempts to your RDP server. The bigger problem is that you, or whoever is responsible for the network...
by tippenring
Mon Dec 10, 2018 5:17 pm
Forum: General
Topic: Cannot upgrade v6.42.3 to v6.45.3
Replies: 3
Views: 715

Re: Cannot upgrade v6.42.3 to v6.45.3

There is no version 6.45.3.
by tippenring
Thu Nov 15, 2018 12:53 am
Forum: General
Topic: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]
Replies: 16
Views: 3336

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]

I just checked Shodan. Shodan only lists 7 devices on the internet listening on port 64312. 6 of them are Torrent DHT nodes.
by tippenring
Thu Nov 15, 2018 12:43 am
Forum: General
Topic: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]
Replies: 16
Views: 3336

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]

If you're correct, this would be new exploit code that I haven't yet seen. It isn't a surprise to me that firmware and RouterOS updates don't remove it. I personally find it a little hard to believe that you have what you think you have because you haven't provided anything concrete except a belief ...
by tippenring
Tue Nov 13, 2018 8:45 pm
Forum: General
Topic: High Traffic
Replies: 4
Views: 947

Re: High Traffic

Netinstall is the only foolproof way to resolve a hacked router. You could go through the configuration and remove what appears suspicious (proxies and such), but it is nearly impossible to say with 100% certainty that the router is no longer compromised. Perhaps there is a hidden script that runs e...
by tippenring
Tue Nov 13, 2018 5:50 pm
Forum: General
Topic: Rogue IPV6 DNS advertisement Problem, FISHY situation !
Replies: 7
Views: 949

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

If you really have the IPv6 package disabled, I'm not sure why the MT is using IPv6 at all. However, it isn't important. The packet you captured is a simple ICMPv6. The fe80 address is a link local address (like 169.254.x.x in IPv4).
by tippenring
Tue Nov 13, 2018 5:15 pm
Forum: General
Topic: Rogue IPV6 DNS advertisement Problem, FISHY situation !
Replies: 7
Views: 949

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

See these pcap screenshots. These are DNS queries sent a Windows 7 machine. Note that it is asking the DNS server for both the A records and AAAA records for google.com. The DNS server dutifully responds to both requests. IPv4 and IPv6 are communication protocols. DNS is a name resolution protocol. ...
by tippenring
Tue Nov 13, 2018 4:41 pm
Forum: General
Topic: Rogue IPV6 DNS advertisement Problem, FISHY situation !
Replies: 7
Views: 949

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

IPv6 and DNS are generally unrelated. A query for a FQDN will return whatever records are assigned to that FQDN. AAAA records are valid DNS records.
by tippenring
Fri Nov 09, 2018 10:47 pm
Forum: Beginner Basics
Topic: The winbox is hard to use
Replies: 12
Views: 2144

Re: The winbox is hard to use

How did you go about setting that up? The basics are here: https://wiki.mikrotik.com/wiki/Manual:Winbox They don't really explain sessions though. Connect to your most convenient router with Winbox. Select the windows you'd like to be open each time you connect to any router. I have the log and fir...
by tippenring
Fri Nov 09, 2018 6:58 pm
Forum: Beginner Basics
Topic: The winbox is hard to use
Replies: 12
Views: 2144

Re: The winbox is hard to use

I have my Winbox windows pre-defined in my session preferences, so every new session opens with my preferred windows open in exactly the same place and dimensions each time. If a window ends up behind another, I don't go looking for it in the right-hand pane. I navigate to it through the menu again....
by tippenring
Mon Nov 05, 2018 6:01 pm
Forum: Beginner Basics
Topic: Can't copy big files through VPN
Replies: 3
Views: 934

Re: Can't copy big files through VPN

I'd suggest checking MTU. Try lowering it some on each side. PMTUD should take care of this, but it may either not be enabled, or ICMP packet too big messages may not be able to reach the source host. I'll admit it doesn't seem too likely since you get to 80% and compressed large files still make it...
by tippenring
Mon Nov 05, 2018 5:53 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 39388

Re: Blacklist Filter (Development Topic)

OK, now I'll be clear here ;-) Thanks. Will test how much RAM a RB2011 needed. Only with priority 2 or priority 1 + drop.malicious.rsc I'm using the priority 2 list on an RB2011. Memory is fine. I currently have free 74MB of 128MB with ~30k blacklist entries. The RB2011 is more CPU starved when it'...
by tippenring
Fri Nov 02, 2018 4:23 pm
Forum: Wireless Networking
Topic: Mikrotik wi-fi and Iphone = problem
Replies: 91
Views: 70862

Re: Mikrotik wi-fi and Iphone = problem

We stopped using Mikrotik for client wifi several years ago due to connection instability and weak signals vs other brands. We fought with it for a long time. Apple devices are especially troublesome. We still use Mikrotik routers almost exclusively and Mikrotik radios for point to point wifi links ...
by tippenring
Fri Nov 02, 2018 4:13 pm
Forum: General
Topic: SSTP VPN between two MT routers
Replies: 3
Views: 890

Re: SSTP VPN between two MT routers

It seems to me there are details missing in your explanation. SSTP will transit NAT with no problem. You admit this when you say the PCs can ping Mikrotik 2. Based on the information provided, I think there's something else going on unrelated to a NAT device in the middle. /export hide-sensitive is ...
by tippenring
Mon Oct 29, 2018 10:51 pm
Forum: General
Topic: Mikrotik does not support IPSec, L2TP or OpenVPN connections to any VPN provider
Replies: 12
Views: 9084

Re: Mikrotik does not support IPSec, L2TP or OpenVPN connections to any VPN provider

I've had a Torguard tunnel up via L2TP/IPSec for a couple of years. No problems. Torguard has a guide.

It may not be the best, but it serves my purpose.
by tippenring
Tue Oct 23, 2018 9:10 pm
Forum: General
Topic: 31 subnet - Not finding an answer to default gateway.
Replies: 17
Views: 4966

Re: 31 subnet - Not finding an answer to default gateway.

I spent a few minutes testing. Unfortunately my tests did not result in connectivity either. First I tried my Windows PC. It didn't like a /31 at all and wouldn't let me use it. Then I used a Cisco router and Mikrotik on the same LAN network. I added 10.99.99.0/31 on the Cisco, and 10.99.99.1/31 on ...
by tippenring
Tue Oct 23, 2018 4:51 pm
Forum: General
Topic: 31 subnet - Not finding an answer to default gateway.
Replies: 17
Views: 4966

Re: 31 subnet - Not finding an answer to default gateway.

Is the MAC address for x.x.x.30 in your ARP table?
by tippenring
Tue Oct 23, 2018 4:37 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 1243

Re: Advanced IP scanners locks up winbox access?

Strange. I manage quite a few routers and have yet to see this behavior. The only other thing I can think of is Winbox 3.18 was released at least in part to resolve an issue with failed logins. I'm betting you're already on 3.18 though.
by tippenring
Tue Oct 23, 2018 3:59 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 1243

Re: Advanced IP scanners locks up winbox access?

Are you using RADIUS perhaps?
by tippenring
Thu Oct 18, 2018 5:41 pm
Forum: General
Topic: Unable to login
Replies: 5
Views: 878

Re: Unable to login

I'd suggest posting your firewall config. If you have some kind of blacklisting set of rules, you could very well be hitting them and blocking your own access after a few packets. That's just a thought off the top of my head.
by tippenring
Thu Oct 18, 2018 5:09 pm
Forum: General
Topic: libssh exploit, is Mikrotik affected?
Replies: 5
Views: 1393

Re: libssh exploit, is Mikrotik affected?

Is Mikrotik affected by the libssh bug described here? https://arstechnica.com/information-technology/2018/10/bug-in-libssh-makes-it-amazingly-easy-for-hackers-to-gain-root-access/ I am not sure if libssh is used under the hood, it would be great to know one way or the other. Thanks Thanks for aski...
by tippenring
Wed Oct 17, 2018 5:36 pm
Forum: General
Topic: Unable to login
Replies: 5
Views: 878

Re: Unable to login

Good morning, some devices with the 6.43.2 software do not allow me to login. The credentials are correct, in case of error I receive the error "Authentication failed", instead with the right user/pass the process goes into timeout. The problem occurs both with the Winbox, with the telnet and with ...
by tippenring
Thu Oct 11, 2018 4:39 pm
Forum: General
Topic: Can my ISP access my Mikrotik Router and make changes?
Replies: 7
Views: 1411

Re: Can my ISP access my Mikrotik Router and make changes?

So you mean they have some exploit in the device that they could gain access anytime?
Depending on your software version, yes, that is correct. See https://blog.mikrotik.com/security/winb ... ility.html

Also, it's a good idea to monitor https://blog.mikrotik.com/security/
by tippenring
Wed Oct 03, 2018 4:07 pm
Forum: General
Topic: Router won't install update
Replies: 7
Views: 3199

Re: Router won't install update

As Nescafe mentioned, the log will *probably* tell you why it didn't upgrade. I suspect that's why he asked what other files are on the file system. If you have other packages of a different version, the upgrade may fail.
by tippenring
Mon Oct 01, 2018 9:00 pm
Forum: General
Topic: Winbox Protocol Dissector
Replies: 2
Views: 775

Re: Winbox Protocol Dissector

I loaded up the dissector and captured a small bit of traffic. My understanding from the Cisco article is that it will only work on unencrypted sessions. I believe all newer versions of Winbox use encryption, and my small capture didn't seem to have any readable data. I spent less than 5 minutes try...
by tippenring
Fri Sep 28, 2018 10:38 pm
Forum: Wireless Networking
Topic: Spambots
Replies: 12
Views: 4910

Re: Spambots

by tippenring
Thu Sep 27, 2018 12:45 am
Forum: Beginner Basics
Topic: Router Sending Spam
Replies: 7
Views: 3156

Re: Router Sending Spam

In addition to disabling the proxy and socks services, you need to change all passwords (and ideally usernames) for the router as well. Otherwise the attackers will probably log back in and turn on the socks and proxy services again. add action=add-src-to-address-list address-list="port scanners" \ ...
by tippenring
Tue Sep 25, 2018 5:28 pm
Forum: Beginner Basics
Topic: Site to Site IPSec between two Mikrotik Routers
Replies: 7
Views: 1156

Re: Site to Site IPSec between two Mikrotik Routers

Glancing over your screenshots, it looks about right for the IPSec. I'd tell you to make sure you exclude the subnets from masquerade or dst-nat, but you aren't getting that far yet.

Can your routers reach each other at all? It looks like they can't.
by tippenring
Tue Sep 25, 2018 5:01 pm
Forum: Beginner Basics
Topic: How to Monitor specific Ip
Replies: 5
Views: 1057

Re: How to Monitor specific Ip

Well if this is a site that contains only one host IP it's easy, but if it is something like facebook, with multiple hosts, just mark the connection and then create a log rule on firewall over this connection mark, like so: /ip firewall mangle add chain=forward action=mark-connection new-connection...
by tippenring
Fri Sep 14, 2018 9:47 pm
Forum: Beginner Basics
Topic: How do I connect to IP 0.0.0.0?
Replies: 13
Views: 8230

Re: How do I connect to IP 0.0.0.0?

There it is again. Mention of IPv6. Often times, when I hear about IPv6, someone is saying something about network problems disappearing. I work for a small company with a network of less then 255 devices. I'm having that 0.0.0.0 problem, myself. Would it be worth it to migrate to IPv6? What are th...
by tippenring
Fri Sep 14, 2018 9:38 pm
Forum: General
Topic: DNS Server TTL problem
Replies: 14
Views: 2188

Re: DNS Server TTL problem

@tippenring: I'm not admin of RB trying to outsmart DNS domain admin, @alli is.
Dang it. Sorry about that. I don't know why I didn't notice you were not the OP. I read your reply from the context of the OP. No wonder it didn't make sense to me. :-)
by tippenring
Fri Sep 14, 2018 9:35 pm
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 1296

Re: Power outage causes specific sites to be blocked

I don't think that is the issue. But it is a great Idea. Our 2 CCR in the area are not parallel. They are actually 150 miles apart. We have a layer 3 switch on the mountaintop separating them with OSPF. We don't use ICMP redirects at all. It looks like this Frontier fiber-----Blanding CCR ------ Ab...
by tippenring
Fri Sep 14, 2018 8:12 pm
Forum: General
Topic: Can't Log in After Upgrade
Replies: 22
Views: 10193

Re: Can't Log in After Upgrade

I'm not a mikrotik master, but i have enough brains to change my credentials after hacking.
Have you tried Winbox 3.18? There's a potential fix there. I just realized you aren't the OP. The OP tried 3.18, but you haven't said you tried it.
by tippenring
Fri Sep 14, 2018 5:52 pm
Forum: General
Topic: Can't Log in After Upgrade
Replies: 22
Views: 10193

Re: Can't Log in After Upgrade

RB3011 running 6.40.9, 2 days ago recieved "wrong username or password" in winbox. User is not "admin", password is strong enough. LCD touch was disabled. A crack - i think, than netinstall, 6.43, total reconfig (had no backups)... and today i recived the same message "wrong username or password". ...
by tippenring
Fri Sep 14, 2018 5:49 pm
Forum: Beginner Basics
Topic: Can't access webfig on WAN
Replies: 10
Views: 3937

Re: Can't access webfig on WAN

When a router is defaulted, it normally has a set default config which includes firewall rules. When you first connect, you have the option to retain the config or start clean. I'd have to think you chose to start clean. If you are running pre-6.40.8 or pre-6.42.1, someone may have already hijacked ...
by tippenring
Fri Sep 14, 2018 5:07 pm
Forum: General
Topic: block multicast traffic
Replies: 2
Views: 5453

Re: block multicast traffic

/ip firewall filter
  add action=drop chain=input dst-address-type=multicast
by tippenring
Thu Sep 13, 2018 6:52 pm
Forum: General
Topic: DNS Server TTL problem
Replies: 14
Views: 2188

Re: DNS Server TTL problem

It is up to domain administrator to decide how long TTL is the best one for her domain. If she has really good reason for setting short TTL then it's probably counter-productive if caching DNS server administrator (e.g. @alli) tries to out-smart her. Because it's quite probable that caching DNS adm...
by tippenring
Thu Sep 13, 2018 6:27 pm
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 1296

Re: Power outage causes specific sites to be blocked

Here's a different possible cause to look at. I believe you've described your network as having two parallel border CCR routers. Is that correct? If so, when the power returns, could one router be the default gateway for your network, but actually be routing the traffic to the other border router (a...
by tippenring
Wed Sep 12, 2018 4:46 am
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 1296

Re: Power outage causes specific sites to be blocked

I'll take a look and post them without sensitive configs. Too bad I can't use the Mikrotik auto remove sensitive on saved backups.
You don't necessarily need to post them. Just load the before and after in notepad++ and do a compare.
by tippenring
Wed Sep 12, 2018 4:25 am
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 1296

Re: Power outage causes specific sites to be blocked

Right now we are using the CCR that was causing the issue to pass traffic. The only thing that changed to get it to start working was to restore a config file from before the power outage.
What was different between the two configs? That's an easy thing to look at.
by tippenring
Wed Sep 12, 2018 3:57 am
Forum: General
Topic: RouterOS ISP identifier
Replies: 10
Views: 1376

Re: RouterOS ISP identifier

I'm pretty rusty on internet records, but I'm thinking what you're looking for might be PTR DNS records, which your ISP has to set up. Either that, or the IP block you have needs updated with your RIR. I believe your upstream should be able to do that also. I'm sure someone will come along shortly t...
by tippenring
Tue Sep 11, 2018 1:12 am
Forum: General
Topic: DMZ like firewalls on Mikrotik [SOLVED]
Replies: 11
Views: 2807

Re: DMZ like firewalls on Mikrotik [SOLVED]

Similarly, our standard starting config contains an address list named whitelist.mgmt where we designate any management subnets. The first rule of the firewall permits the management traffic. The second removes all the default firewall rules, then the rest of our standard ruleset is pasted in. /ip f...
by tippenring
Mon Sep 10, 2018 6:36 am
Forum: Beginner Basics
Topic: UDP Broadcast from my Windows Server [SOLVED]
Replies: 6
Views: 1257

Re: UDP Broadcast from my Windows Server [SOLVED]

If you use Winbox to connect to the router via MAC address rather than IP, Winbox sends the packets to the IP broadcast address of the subnet on that UDP port.

https://wiki.mikrotik.com/wiki/Manual:I ... _and_ports
by tippenring
Fri Sep 07, 2018 1:14 am
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 1102

Re: Windows 2016 DC requesting lots of IPs from DHCP?

If an IP in the DHCP range is in-use but the DHCP server has no lease for it, Mikrotik will mark it as in-use and try the next IP. Microsoft will give out the in-use IP. Example: Client buys a payment terminal, printer or whatever. The vendor plugs it in, the device gets a dynamic IP. Vendor goes a...
by tippenring
Thu Sep 06, 2018 10:12 pm
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 1102

Re: Windows 2016 DC requesting lots of IPs from DHCP?

Why wouldn't you let your DCs be the DHCP server rather than the router? You have redundancy with 2 DCs.
by tippenring
Thu Sep 06, 2018 10:11 pm
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 1102

Re: Windows 2016 DC requesting lots of IPs from DHCP?

... and for proxy-arps which pass packets from one subnet to another and "eat" DHCP IPs. proxy-arp is my thought as well. Probably at the vmware level. You're Windows server NIC is a virtual NIC. It isn't physically connected to the LAN. However, your physical host is. It's virtual switch is connec...
by tippenring
Thu Sep 06, 2018 4:13 pm
Forum: General
Topic: Mikrotik output traffic to the 25 port
Replies: 6
Views: 704

Re: Mikrotik output traffic to the 25 port

so just disable it and that's all, or smth more needed?) thanks Maybe. If you haven't changed the credentials (all of them) for the router, then an attacker still has your user list. If you disable your firewall rules preventing access from the internet, they'll log in again and set it up again. It...
by tippenring
Thu Aug 30, 2018 4:20 pm
Forum: Beginner Basics
Topic: RB3011UiAS Password was changed?
Replies: 10
Views: 1386

Re: RB3011UiAS Password was changed?

Yes :(
No. Or "not necessarily" anyway.
And how do you log in with a lost password??

Sent from Tapatalk
I'll bet he/she was alluding that the OP may have a version susceptible to the credential theft bug, so the OP could simply download their creds from the router in clear text and log in.
by tippenring
Thu Aug 30, 2018 4:11 pm
Forum: Beginner Basics
Topic: RB3011UiAS Password was changed?
Replies: 10
Views: 1386

Re: RB3011UiAS Password was changed?

I never understand the big deal of these "lost access" posts. Why not wipe, reinstall, and restore your backup? It takes just a few minutes.
by tippenring
Tue Aug 28, 2018 6:37 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 39388

Re: Blacklist Filter (Development Topic)

Dave, Still very interested in learning how to setup a honeypot to collect addresses. Even if you are not to the point to accept other people's honeypot lists, could you do a brief write up to teach us the best way to setup a honeypot? Thanks! Here are a couple of Honeypot projects from my notes. I...
by tippenring
Tue Aug 28, 2018 6:34 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 39388

Re: Blacklist Filter (Development Topic)

Unfortunately, I don't have IPv6 yet. The system is designed for it, but I have no routers in IPv6 networks that I can test with. My home internet supports it, but it's so unstable, I don't bother with it. Have you seen HE's free IPv6 tunnel https://tunnelbroker.net/? I've had one up for nearly a y...
by tippenring
Sun Aug 26, 2018 6:13 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 39388

Re: Blacklist Filter (Development Topic)

Please keep up the great work. I've been running the BL on my home router as an experiment for a few weeks now. No trouble so far here. I would be interested in assisting with dev if I can. I'm not sure what I could do to help though. I'm not a good coder (unless my years-ago basic and quickbasic co...
by tippenring
Thu Aug 23, 2018 10:53 pm
Forum: General
Topic: Sofware VLAN/Bridge on RuterOS explained.
Replies: 63
Views: 28527

Re: Sofware VLAN/Bridge on RuterOS explained.

I just want to comment to thank you both. I'm thoroughly enjoying this discussion.

I too have been plagued by the variables of interface, bridge, vlan, and switch configurations when implementing VLANs. This discussion is definitely helping me understand it better.
by tippenring
Thu Aug 23, 2018 5:03 pm
Forum: General
Topic: LHG 60 project in Hawaii
Replies: 99
Views: 26789

Re: LHG 60 project in Hawaii

Waiting for the rain to test the MikroTik LHG 60G over a 1473.16m link... Hurricane LANE will be here in a day or two.
I'll be waiting to see your findings. Be safe!
by tippenring
Thu Aug 23, 2018 4:44 pm
Forum: Beginner Basics
Topic: Error:could not connect to 192.168.15.1
Replies: 4
Views: 14352

Re: Error:could not connect to 192.168.15.1

i noticed that the winbox port has change ...
what can be the reason ?
Presumably you or someone else has control of your router and changed the winbox port. Consider changing the credentials. It wouldn't hurt to netinstall and reconfigure, just in case.
by tippenring
Tue Aug 14, 2018 1:26 am
Forum: General
Topic: Forced routing with UTM connected both ends to Mikrotik
Replies: 7
Views: 1211

Re: Forced routing with UTM connected both ends to Mikrotik

Thanks, the traffic inside the wire that would be connected to the UTM is tagged VLANs and from what I know it doesn't support VLANs (Sophos). And in real config there will be two UTMs daisy chained (client request), and I don't even know what the second one is. So I assume it will not work. Or am ...
by tippenring
Mon Aug 13, 2018 4:52 pm
Forum: Beginner Basics
Topic: google captcha after installing mikrotik
Replies: 4
Views: 1455

Re: google captcha after installing mikrotik

Hi all I just finished installing a rb750GR-3, running a CAPsMAN with 2 AP's. Default firewal rules. I now get a captcha popup when ever I search on google. It reads: Our systems have detected unusual traffic from your computer network. i've attacehd a screenshot of the popup. any help would be gre...
by tippenring
Mon Aug 13, 2018 8:14 am
Forum: General
Topic: Forced routing with UTM connected both ends to Mikrotik
Replies: 7
Views: 1211

Re: Forced routing with UTM connected both ends to Mikrotik

If the UTM is in bridge mode, why not simply connect it in-line with one of the ethernet ports?
by tippenring
Fri Aug 10, 2018 5:02 pm
Forum: Beginner Basics
Topic: Open Ports
Replies: 7
Views: 1582

Re: Open Ports

i used to scan the network from lan and in results had open just 2 ports (dns for example and mikrotik winbox) now when i scan the network from inside (im scaning WAN interface btw not LAN) i have tons of open ports....dont have avast installed anywhere tho Yes, you have Avast installed somewhere. ...
by tippenring
Wed Aug 08, 2018 9:35 pm
Forum: General
Topic: Do not open port tcp/23 to your device from internet you will be hacked
Replies: 6
Views: 1969

Re: Do not open port tcp/23 to your device from internet you will be hacked

This isn't really a surprise for most people.
I am not surprised by the number of the attack, but that its >95% on tcp/23.
I expect the rest of the ports getting pinged are dropped further up in the firewall chain, so not being reported.
by tippenring
Wed Aug 08, 2018 9:28 pm
Forum: General
Topic: Line by line config restore from 6.34 to 6.42 firmware
Replies: 16
Views: 1588

Re: Line by line config restore from 6.34 to 6.42 firmware

there are not any MAC Addresses in my export rsc file so not really sure what you're talking about... sorry If there are no MAC addresses, then restore the whole config to your backup router and test. I personally prefer to either SSH or open a terminal in Winbox and paste a config by hand. That wa...
by tippenring
Wed Aug 08, 2018 9:24 pm
Forum: Beginner Basics
Topic: Please help me get my network in order
Replies: 7
Views: 1295

Re: Please help me get my network in order

I can only give you advice on the MikroTik-part of your network. What you should do: Reset the MikroTik-devices, with no default configuration Access the MikroTik using Winbox and Mac-address Create a new bridge, containing all interfaces (ethernet and wireless) Depending on your need, either confi...
by tippenring
Wed Aug 08, 2018 7:12 pm
Forum: General
Topic: Line by line config restore from 6.34 to 6.42 firmware
Replies: 16
Views: 1588

Re: Line by line config restore from 6.34 to 6.42 firmware

I think you're working way to hard at this. /interface ethernet set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=4074 loop-protect=o...
by tippenring
Wed Aug 08, 2018 1:19 am
Forum: General
Topic: Backround upload traffic from google ips 172.217.x.x is saturating my upload speed
Replies: 7
Views: 996

Re: Backround upload traffic from google ips 172.217.x.x is saturating my upload speed

Maybe I have read too many "help! my users are actually making traffic! I want to block block block!" topics...
I definitely share your frustration with the "Help! Someone please do all my network engineering for free! URGENT!!!" :-)
by tippenring
Tue Aug 07, 2018 9:10 pm
Forum: General
Topic: Backround upload traffic from google ips 172.217.x.x is saturating my upload speed
Replies: 7
Views: 996

Re: Backround upload traffic from google ips 172.217.x.x is saturating my upload speed

Also consider dropping from the business and finding another way to earn money.
That seems a bit harsh. This could be an opportunity for the OP to learn about traffic management.
by tippenring
Tue Aug 07, 2018 5:04 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 39388

Re: Blacklist Filter (Development Topic)

If anyone wants to help out more, I need more routers to report some stats to the server. This is part of the health monitoring and alerting system. If you paste the code into a terminal window, it will setup the script and start reporting. Running on my home router. Do you really want it reporting...
by tippenring
Tue Aug 07, 2018 7:12 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 119035

Re: Winbox vulnerability: please upgrade

Tippenring.

I was agreeing with you. The logs were proof that 2 different attackers had the password from before the upgrade
I misunderstood your post. My apologies.
by tippenring
Tue Aug 07, 2018 1:12 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 119035

Re: Winbox vulnerability: please upgrade

When they updated they didn't change the password. No, the attacker didn't change the password. If he did, that would give away that the router had been compromised. The attacker didn't want you to know he had the admin password for the router. So, you upgraded software, but did not change the pass...
by tippenring
Mon Aug 06, 2018 10:48 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 119035

Re: Winbox vulnerability: please upgrade

Is there anymore detailed information than the old blog post? I've seen numerous routers running 6.40.8 bugfix get compromised in the last few days. Winbox was externally accessible. On Friday I updated a couple older routers that had not yet been compromised that weren't on 6.40.8 to 6.40.8, only ...
by tippenring
Thu Aug 02, 2018 6:40 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 119035

Re: Winbox vulnerability: please upgrade

On forum posts if the subject line doesn't interest me, I would never read it. It is like: I do not like this song as I have never listened to it earlier and the title is boring me. :D lol. Nice try, but the analogy is weak. A song can be in the background and doesn't consume any time. This forum i...
by tippenring
Thu Aug 02, 2018 4:42 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 119035

Re: Winbox vulnerability: please upgrade

@normis, hey can you get this on the blog? I'd like the see any complainers cut off at the pass that this announcement didn't end up in the right spots. I'm with @Samot. If it's worth a forum post, it's worth posting a similar update to the blog. As soon as the blog was announced I added it to my i...
by tippenring
Wed Aug 01, 2018 7:34 am
Forum: Beginner Basics
Topic: Not able to log in [SOLVED]
Replies: 5
Views: 1414

Re: Not able to log in [SOLVED]

RouterBoard OS 6.35.2

I wonder if your device did not maybe get hacked!
why do you say that...? and how can i check?
A search of this forum before yet another post about how "I've been pwned" would do you wonders.
by tippenring
Mon Jul 30, 2018 6:05 pm
Forum: General
Topic: IPsec setting help pls!!
Replies: 10
Views: 1005

Re: IPsec setting help pls!!

Router AB /ip firewall filter add chain=forward action=accept place-before=1 src-address=10.1.101.0/24 dst-address=10.1.202.0/24 connection-state=established,related add chain=forward action=accept place-before=1 src-address=10.1.202.0/24 dst-address=10.1.101.0/24 connection-state=established,relat...
by tippenring
Fri Jul 27, 2018 7:57 pm
Forum: General
Topic: 185.153.198.228 Has been BUSY
Replies: 9
Views: 1642

Re: 185.153.198.228 Has been BUSY

Anyone ever write a good tool for 3 failed winbox log in attempts from one address, and we can add them to an address list??? Here's my typical blacklist firewall config. Generally we don't permit any admin connections from the internet other than known management networks. This is used in any case...
by tippenring
Mon Jul 23, 2018 7:24 pm
Forum: General
Topic: IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?
Replies: 5
Views: 2162

Re: IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?

Hi all, I have successfully configured routeros to allow VPN clients to connect via IKEv2, backed with radius, and authenticating using EAP-TLS (no passwords). The config is below. What I discovered is that this configuration would only work if I took the private key and certificate of our radius s...
by tippenring
Fri Jul 20, 2018 1:24 am
Forum: General
Topic: .npk files auto deleted
Replies: 18
Views: 3221

Re: .npk files auto deleted

Have you tried netinstall? Or is the affected box also too high and/or far to do that?
I understand netinstall doesn't work if the device is >50 ft off the ground. Does anyone have the support ticket # for that issue? :-)
by tippenring
Tue Jul 17, 2018 5:15 pm
Forum: General
Topic: ssl cert error
Replies: 4
Views: 1154

Re: ssl cert error

CRL is the cert revocation list. I'm guessing the CRL is perhaps signed by a cert which the router doesn't trust. You may need to import a different cert chain for it.
by tippenring
Wed Jul 11, 2018 4:26 pm
Forum: General
Topic: Connecting multiple networks. [SOLVED]
Replies: 29
Views: 8512

Re: Connecting class c networks. [SOLVED]

#1 computer (172.19.2.10) is on ether 2, it can ping to 172.19.2.1 (which is the ether 2 IP address). #2 computer (172.19.3.10) is on ether 3, it can ping to 172.19.3.1 (which is the ether 3 IP address). The two computers can not ping to each other. Unfortunately there are many unknowns in this cas...
by tippenring
Wed Jul 11, 2018 4:01 pm
Forum: General
Topic: Connecting multiple networks. [SOLVED]
Replies: 29
Views: 8512

Re: Connecting class c networks. [SOLVED]

What's next thing to do for routing?
It's a router. It always routes by default.
by tippenring
Wed Jun 27, 2018 4:52 pm
Forum: Beginner Basics
Topic: IPSEC Issues
Replies: 11
Views: 1417

Re: IPSEC Issues

/ip firewall nat add action=accept chain=srcnat protocol=udp src-port=500,4500 place-before=0 add action=masquerade chain=srcnat out-interface=pppoe-out1 It sure looks like you're NATing the traffic that would be destined for the remote network. You need an accept rule to prevent NAT from happening...
by tippenring
Fri Jun 22, 2018 10:53 pm
Forum: General
Topic: Bridge VLAN Filtering
Replies: 22
Views: 12322

Re: Bridge VLAN Filtering

Also note that RB3011 is capable of VLAN switching on a hardware level, you can find an example how to set it up here: https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip Hello Artz. Could you possibly elaborate on the wiki URL you posted? /interface e...
by tippenring
Wed Jun 20, 2018 5:54 pm
Forum: General
Topic: ipsec tunnel working in 6.37.5, not working in 6.40.8
Replies: 12
Views: 4086

Re: ipsec tunnel working in 6.37.5, not working in 6.40.8

Hello, I have RB1200 in a company connecting to another location via ipsec tunnel, working well. After the vpnfilter etc bugs, I decided to upgrade to last bugfix release 6.40.8, and it completely broke the tunnel - although I am pretty sure I saw something like "established" in ipsec - remote peer...
by tippenring
Wed Jun 20, 2018 4:59 pm
Forum: General
Topic: bug persists after updating to 6.42.3
Replies: 14
Views: 7639

Re: bug persists after updating to 6.42.3

By Firewall Filter i did Log for the attacker src address , so when he attacks my host , Mikrotik Server logs his Src address and (a) src Mac-Address The src mac address logged in my Server log not belong's to me , That's all buddy MAC addresses work only at the broadcast domain level (layer 2). No...
by tippenring
Wed Jun 20, 2018 4:39 pm
Forum: Announcements
Topic: Winbox v3.15 released!
Replies: 21
Views: 12766

Re: Winbox v3.15 released!

There are 2 anoying bugs since a long time ago: - In some computers, if you try to connect via MAC, it starts to load, then it disconnects, but it connects after you press "Reconnect" button. In my experience historically, this is caused by what appears to be a frame size limitation. If I connect b...
by tippenring
Wed Jun 20, 2018 4:35 pm
Forum: General
Topic: Ping >1500 timing out
Replies: 7
Views: 1380

Re: Ping >1500 timing out

When you have don't fragment set to true, if you aren't getting ICMP fragmentation needed, then you most likely have a layer 2 problem. Layer 2 devices don't respond with ICMP messages. I didn't see what kind of radios you have, but I'm guessing they are bridging. I'm betting the wireless link itsel...
by tippenring
Sun May 20, 2018 5:49 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 7163

Re: I cant quite wrap my head around this one...

If ping delay really bothers you, then you might want to set up a queue (simple queue might do) on your RB to rate limit your VM backups to, say, 80% or 90% of your subscribed UL speed. This way most of time ISP's traffic shaper wouldn't touch your data packets including ICMP echo requests. This wo...
by tippenring
Fri May 18, 2018 11:44 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 7163

Re: I cant quite wrap my head around this one...

Thanks for your reply Can anyone tell me how I do that? Its odd though - as I mentioned in my first post...this router came from my old house and nothing on the config changed when it was moved to the new house with a new line. I never had this issue before I moved house! I actually have a RB750G I...
by tippenring
Fri May 18, 2018 6:52 pm
Forum: General
Topic: some of ipsec tunels stopped working
Replies: 6
Views: 953

Re: some of ipsec tunels stopped working

I've noticed a recent change around 6.42. Previously, if one side was set to tunnel 10.10.0.0/24, and the other side was set for 10.0.0.0/16, the side with the /16 defined would accept the /24 proposal. Around 6.42, it seems that flexibility disappeared. Now both routers have to have matching subnet...
by tippenring
Wed May 16, 2018 4:23 pm
Forum: Announcements
Topic: Winbox 3.13 released!
Replies: 60
Views: 29752

Re: Winbox 3.13 released!

Still no signature checking or HTTPS... man in the middle can easily compromise administrator's PC.

https://i.imgur.com/TX7G9pq.gifv
Wow. Although relatively low risk, I can't think of a reason for not verifying the cert but laziness. Good thing I don't upgrade from Winbox I guess.
by tippenring
Wed May 16, 2018 4:17 pm
Forum: Announcements
Topic: Winbox 3.13 released!
Replies: 60
Views: 29752

Re: Winbox 3.13 released!

Great work ^^ It would be interesting if some day winbox would allow to save "a default view" with the customized configuration of columns, fields, views, etc ... and each time you enter a new routerOS imports automatically your personal "saved" configuration. You could add export / import between ...
by tippenring
Tue May 15, 2018 5:45 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 7163

Re: I cant quite wrap my head around this one...

High latency on a fiber connection is 150ms not 400ms that's just way to much and it doesn't happen when download/upload with original isp router. High latency is whatever increased delay happens as you approach 100% of the bandwidth limit. It might be 150ms worth of buffers, or it might be 500ms w...
by tippenring
Tue May 15, 2018 7:31 am
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 7163

Re: I cant quite wrap my head around this one...

I don't see a problem. Uploading at the max bandwidth of 10Mbps will result in high latency. There are ways to adjust for it with custom queuing to reduce the high latency for desired traffic, such as ping for example. It will result in a slight, not very noticeable reduced upload speed for the big ...
by tippenring
Fri May 11, 2018 9:17 pm
Forum: General
Topic: Site to Site IPsec Tunnel
Replies: 28
Views: 12640

Re: Site to Site IPsec Tunnel

If you aren't getting phase 2 established, something doesn't match between the two peers. I always have this logging rule on standby to enable whenever I want to see what's going on: add disabled=yes prefix="IPSEC: " topics=ipsec,!packet If it helps, here's my starting template when setting up a sit...
by tippenring
Fri May 11, 2018 5:00 pm
Forum: General
Topic: Can route to internet but not between local Subnets
Replies: 10
Views: 1292

Re: Can route to internet but not between local Subnets

You cannot route between subnets by default. That's the point of having different subnets, so the hosts can communicate with those on their subnet but not others. Those dynamic routes that are being made are for Internet access so those subnets can route out to the Internet. If you want 10.0.16.0/2...
by tippenring
Fri May 04, 2018 4:21 pm
Forum: General
Topic: Configuring RB2011 as VPN Remote Access Server
Replies: 3
Views: 1068

Re: Configuring RB2011 as VPN Remote Access Server

Look into SSTP VPN, works great for me, very secure and uses certificates
I second this recommendation. I have several in production now. It's a very simple VPN to set up compared to IPSec client-type connections.
by tippenring
Thu Apr 26, 2018 11:12 pm
Forum: General
Topic: Solutions for cable 1.2km
Replies: 14
Views: 1889

Re: Solutions for cable 1.2km

True fiber is much safer in the case of lightning and other voltage surges, but the originally claimed problem of ground voltage differential due to loading is not a problem for ethernet. It should be able to withstand 1500V RMS or 2250 V DC. (not with the el-cheapo-PoE solution found in older Mikr...
by tippenring
Tue Apr 24, 2018 9:12 pm
Forum: General
Topic: Solutions for cable 1.2km
Replies: 14
Views: 1889

Re: Solutions for cable 1.2km

Besides the lightning, I'll add that copper between buildings can fall victim to ground potential differentials where the copper becomes a current-carrying electrical path for unequal ground voltage. That cannot happen with ethernet, it is isolated from the equipment using a transformer. The except...
by tippenring
Tue Apr 24, 2018 9:01 pm
Forum: General
Topic: 6.42 attacked??
Replies: 3
Views: 1020

Re: 6.42 attacked??

You might want to follow this thread: viewtopic.php?p=655739#p655739
by tippenring
Wed Apr 18, 2018 9:05 pm
Forum: General
Topic: Fasttrack and route marked packets
Replies: 17
Views: 3846

Re: Fasttrack and route marked packets

@Sob and @sindy, with all due respect, I love watching you guys argue / "interfere" ;-) I learn so much from you guys, please continue
Fully agree with what @CZFan said.
by tippenring
Wed Apr 18, 2018 9:00 pm
Forum: General
Topic: Solutions for cable 1.2km
Replies: 14
Views: 1889

Re: Solutions for cable 1.2km

Besides the lightning, I'll add that copper between buildings can fall victim to ground potential differentials where the copper becomes a current-carrying electrical path for unequal ground voltage. It's not a good idea without real electrical engineering involved. Fiber is definitely the way to go.
by tippenring
Tue Apr 17, 2018 11:17 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 59
Views: 165834

Re: Block Torrents & p2p Traffic 100% working on all versions

I am not an ISP. I manage a company network with BYOD policy.
Well that totally changes my opinion. :-) I thought you were an ISP.

In that case, you get to do whatever you want with the bandwidth that you provide to your employees.
by tippenring
Tue Apr 17, 2018 11:06 pm
Forum: General
Topic: Need HELP on L2TP/IPSEC on VPN
Replies: 14
Views: 1991

Re: Need HELP on L2TP/IPSEC on VPN

According to the log (which for some reason was sorted descending by time), phase 1 has succeeded. That's why I've suggested to remove the lifetime from the ph2 proposal.
I only glanced at the log. I hadn't noticed that. Good catch.
by tippenring
Tue Apr 17, 2018 10:57 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 59
Views: 165834

Re: Block Torrents & p2p Traffic 100% working on all versions

I have 100mbps symmetrical. One or two clients doing BitTorrent with a few files to be shared are enough to eat 50+% of the available bandwidth. This is why I mind about p2p! I've managed networks for a few small ISPs over the years. I admit I don't know your environment at all, so I'm just making ...
by tippenring
Tue Apr 17, 2018 9:38 pm
Forum: General
Topic: Need HELP on L2TP/IPSEC on VPN
Replies: 14
Views: 1991

Re: Need HELP on L2TP/IPSEC on VPN

That's phase 2. What about the phase 1 proposals under IPSec > Peers? They all need to agree.

Also, on the IPSec Peer Advanced tab, set Proposal Check to Obey.

I assume you're testing, but don't leave the obsolete algorithms enabled when you're done. Especially null.
by tippenring
Tue Apr 17, 2018 9:26 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 59
Views: 165834

Re: Block Torrents & p2p Traffic 100% working on all versions

Blocking can also be shaping (or queueing in mikrotik lingo). P2P traffic creates sustained loads in both directions and can be overkilling for most WANs. I cannot and don't want to tell legitimate from unlegitimate content access: no sane net admin would. Being able to tell P2P traffic from other ...
by tippenring
Tue Apr 17, 2018 6:45 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 59
Views: 165834

Re: Block Torrents & p2p Traffic 100% working on all versions

Hello from the US. Why would you want to block torrents? It is often legitimate traffic. Perhaps torrents are sometimes used to copy copyrighted content without appropriate license, but that is on the person making the illegal copy. The ISP cannot know if a torrent is legal or illegal without confro...
by tippenring
Tue Apr 17, 2018 6:32 pm
Forum: General
Topic: MikroTik 6.41.4 - FTP daemon Denial of Service PoC
Replies: 25
Views: 2728

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

I wish I had time to write a longer reply, but no one would read it anyway. Just like the world population, there is no black and white when it comes to vuln discovery and reporting. Each of us has our personal opinions on the matter, and they won't agree with others. Industry has generally come up ...
by tippenring
Tue Apr 17, 2018 6:06 pm
Forum: General
Topic: Need HELP on L2TP/IPSEC on VPN
Replies: 14
Views: 1991

Re: Need HELP on L2TP/IPSEC on VPN

If I'm reading your debug correctly, you're offering 3DES and 3DES/SHA1. You should be using the AES family anyway. DES, 3DES, and MD5 are deprecated.
by tippenring
Tue Apr 17, 2018 6:05 pm
Forum: General
Topic: Need HELP on L2TP/IPSEC on VPN
Replies: 14
Views: 1991

Re: Need HELP on L2TP/IPSEC on VPN

Yes. Your router and the far end device have to agree on encryption algorithms. Whatever your router is offering is not being accepted by the peer. Enable more algorithms until a proposal is chosen.
by tippenring
Mon Apr 16, 2018 10:30 pm
Forum: General
Topic: Blocking an IP range from accessing IPsec
Replies: 4
Views: 1758

Re: Blocking an IP range from accessing IPsec

To expand on HzMeister's firewall example, here is part of my standard firewall rules addressing unsolicited incoming traffic. What I like about this set of rules is I can apply it to any protocols and port(s) that I wish. I found the basic example for blacklisting some time ago I believe on the MT ...
by tippenring
Mon Apr 16, 2018 10:13 pm
Forum: General
Topic: IPsec VPN issue Cisco ASA and Mikrotik Router
Replies: 2
Views: 708

Re: IPsec VPN issue Cisco ASA and Mikrotik Router

I have quite a few MT to ASA tunnels in production, including one from my office (CCR1009 on 6.38.3) to an ASA 5515. Once the configs match up, I don't have any stability problems with any tunnels. On the Cisco, your debug commands are "debug crypto ipsec sa" and "debug crypto isa". You also will wa...
by tippenring
Tue Apr 10, 2018 6:02 pm
Forum: General
Topic: IPsec tunnel doesn't reestablish [SOLVED]
Replies: 4
Views: 824

Re: IPsec tunnel doesn't reestablish [SOLVED]

/system logging
add disabled=no prefix="IPSEC: " topics=ipsec,!packet
by tippenring
Mon Apr 09, 2018 6:44 pm
Forum: General
Topic: Sniffer capture split into multiple files
Replies: 8
Views: 1526

Re: Sniffer capture split into multiple files

I think the point the previous posters are trying to make is you can stream it to Wireshark (or tcpdump) and have Wireshark save the files and split the captures for you while it is capturing. That's how I would do it. AFAIK RouterOS does not do what you're wanting.
  • 1
  • 2