Community discussions

Search found 178 matches

by tippenring
Fri Mar 22, 2019 4:15 pm
Forum: Beginner Basics
Topic: Connecting SSTP Client and SSTP Server on MT
Replies: 6
Views: 323

Re: Connecting SSTP Client and SSTP Server on MT

Your post leaves many unanswered questions, so I'm making a lot of assumptions. I'll start with the basics, and that this is mostly a guess. To summarize: Your SSTP clients in 172.17.0.0/16 connect to MT-CHR (internal IP: 172.17.1.1/16). Then MT-CHR (external SSTP IP: 172.16.16.236) connects as an S...
by tippenring
Wed Mar 06, 2019 6:28 pm
Forum: General
Topic: Port knocking alternative
Replies: 4
Views: 437

Re: Port knocking alternative

Besides being less practical than nping, I suspected the executable might be malicious. VT Detection ratio: 11 / 70

Check VirusTotal: https://www.virustotal.com/en/file/d81c ... /analysis/
by tippenring
Thu Feb 07, 2019 1:18 am
Forum: Beginner Basics
Topic: New connection added!!solution for load failover [SOLVED]
Replies: 10
Views: 461

Re: New connection added!!solution for load failover [SOLVED]

I have something very similar to this (https://wiki.mikrotik.com/wiki/Advanced ... _Scripting) working. It seems to work quite well.
by tippenring
Tue Feb 05, 2019 6:43 pm
Forum: General
Topic: MikroTik Bridget network got DDOS
Replies: 4
Views: 406

Re: MikroTik Bridget network got DDOS

I would run at least an RB4011 these days. However, you'll also need to use the raw table to drop as fast as you can. Ultimately, however, you may need upstream (your ISP) support as they will most likely always be able to do it better than your equipment.
Agreed. The 2011 is quite old and weak by t...
by tippenring
Tue Feb 05, 2019 6:18 pm
Forum: General
Topic: Windows short name resolution with bridge and firewall [SOLVED]
Replies: 8
Views: 711

Re: Windows short name resolution with bridge and firewall [SOLVED]

Is there some reason you want to force bridge traffic to be processed by the firewall rules? Based on your description of the network, I doubt you want to do that. I expect you probably just want to apply the firewall rules to traffic that will be crossing trust levels, such as private to public int...
by tippenring
Mon Jan 28, 2019 7:39 pm
Forum: General
Topic: DHCP philosophy - where/what is it best served by?
Replies: 9
Views: 454

Re: DHCP philosophy - where/what is it best served by?

I manage all aspects of a network. Routers, switches, servers, video, VoIP, and pretty much anything else that gets an IP address. If there is a real server (or servers) on the network, one or more will be handling DNS, DHCP, and pretty much any other client/server type of service. Routers are quite...
by tippenring
Sat Jan 12, 2019 12:36 am
Forum: General
Topic: Filtering Malicious Traffic
Replies: 6
Views: 457

Re: Filtering Malicious Traffic

It really depends on the nature of the malicious traffic that is landing you on blacklists. My guess is it is mail since that's most prevalent. If it is, you could drop all outbound port 25, 465, and 587 from your clients and make them relay mail through your internal mail server. Once you have the ...
by tippenring
Wed Jan 09, 2019 10:29 pm
Forum: Beginner Basics
Topic: gateway confusion
Replies: 2
Views: 253

Re: gateway confusion

Sounds to me like "routers" 2-6 are functioning as bridges rather than routers. They probably have an IP address for management. Are the router IPs all on the same subnet?
by tippenring
Wed Jan 09, 2019 10:14 pm
Forum: General
Topic: Spam filtering - how to improve my antispam system
Replies: 9
Views: 783

Re: Spam filtering - how to improve my antispam system

Can you please add a post with your blocking rules and ip address list for this solution. Thank you for your time.
Here's my process to create a US-based network address list for geofencing. You may wish to name your address list differently of course.
1. Copy the US-based address list here to N++....
by tippenring
Tue Jan 08, 2019 7:57 pm
Forum: Beginner Basics
Topic: Noob firewall question - being brute forced
Replies: 7
Views: 391

Re: Noob firewall question - being brute forced

The above is good advice, but there is something more fundamentally wrong with your situation. That is a lack of information security awareness. It's good that you managed to notice the brute force attempts to your RDP server. The bigger problem is that you, or whoever is responsible for the network...
by tippenring
Mon Dec 10, 2018 5:17 pm
Forum: General
Topic: Cannot upgrade v6.42.3 to v6.45.3
Replies: 3
Views: 331

Re: Cannot upgrade v6.42.3 to v6.45.3

There is no version 6.45.3.
by tippenring
Thu Nov 15, 2018 12:53 am
Forum: General
Topic: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]
Replies: 16
Views: 1266

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]

I just checked Shodan. Shodan only lists 7 devices on the internet listening on port 64312. 6 of them are Torrent DHT nodes.
by tippenring
Thu Nov 15, 2018 12:43 am
Forum: General
Topic: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]
Replies: 16
Views: 1266

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]

If you're correct, this would be new exploit code that I haven't yet seen. It isn't a surprise to me that firmware and RouterOS updates don't remove it. I personally find it a little hard to believe that you have what you think you have because you haven't provided anything concrete except a belief ...
by tippenring
Tue Nov 13, 2018 8:45 pm
Forum: General
Topic: High Traffic
Replies: 4
Views: 320

Re: High Traffic

Netinstall is the only foolproof way to resolve a hacked router. You could go through the configuration and remove what appears suspicious (proxies and such), but it is nearly impossible to say with 100% certainty that the router is no longer compromised. Perhaps there is a hidden script that runs e...
by tippenring
Tue Nov 13, 2018 5:50 pm
Forum: General
Topic: Rogue IPV6 DNS advertisement Problem, FISHY situation !
Replies: 7
Views: 341

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

If you really have the IPv6 package disabled, I'm not sure why the MT is using IPv6 at all. However, it isn't important. The packet you captured is a simple ICMPv6. The fe80 address is a link local address (like 169.254.x.x in IPv4).
by tippenring
Tue Nov 13, 2018 5:15 pm
Forum: General
Topic: Rogue IPV6 DNS advertisement Problem, FISHY situation !
Replies: 7
Views: 341

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

See these pcap screenshots. These are DNS queries sent by a Windows 7 machine. Note that it is asking the DNS server for both the A records and AAAA records for google.com. The DNS server dutifully responds to both requests. IPv4 and IPv6 are communication protocols. DNS is a name resolution protocol. ...
by tippenring
Tue Nov 13, 2018 4:41 pm
Forum: General
Topic: Rogue IPV6 DNS advertisement Problem, FISHY situation !
Replies: 7
Views: 341

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

IPv6 and DNS are generally unrelated. A query for a FQDN will return whatever records are assigned to that FQDN. AAAA records are valid DNS records.
by tippenring
Fri Nov 09, 2018 10:47 pm
Forum: Beginner Basics
Topic: The winbox is hard to use
Replies: 12
Views: 945

Re: The winbox is hard to use

How did you go about setting that up? The basics are here: https://wiki.mikrotik.com/wiki/Manual:Winbox They don't really explain sessions though. Connect to your most convenient router with Winbox. Select the windows you'd like to be open each time you connect to any router. I have the log and fir...
by tippenring
Fri Nov 09, 2018 6:58 pm
Forum: Beginner Basics
Topic: The winbox is hard to use
Replies: 12
Views: 945

Re: The winbox is hard to use

I have my Winbox windows pre-defined in my session preferences, so every new session opens with my preferred windows open in exactly the same place and dimensions each time. If a window ends up behind another, I don't go looking for it in the right-hand pane. I navigate to it through the menu again....
by tippenring
Mon Nov 05, 2018 6:01 pm
Forum: Beginner Basics
Topic: Can't copy big files through VPN
Replies: 3
Views: 396

Re: Can't copy big files through VPN

I'd suggest checking MTU. Try lowering it some on each side. PMTUD should take care of this, but it may either not be enabled, or ICMP packet too big messages may not be able to reach the source host. I'll admit it doesn't seem too likely since you get to 80% and compressed large files still make it...
by tippenring
Mon Nov 05, 2018 5:53 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 174
Views: 18284

Re: Blacklist Filter (Development Topic)

OK, now I'll be clear here ;-) Thanks. Will test how much RAM an RB2011 needs. Only with priority 2 or priority 1 + drop.malicious.rsc
I'm using the priority 2 list on an RB2011. Memory is fine. I currently have free 74MB of 128MB with ~30k blacklist entries. The RB2011 is more CPU starved when it'...
by tippenring
Fri Nov 02, 2018 4:23 pm
Forum: Wireless Networking
Topic: Mikrotik wi-fi and Iphone = problem
Replies: 64
Views: 36430

Re: Mikrotik wi-fi and Iphone = problem

We stopped using Mikrotik for client wifi several years ago due to connection instability and weak signals vs other brands. We fought with it for a long time. Apple devices are especially troublesome. We still use Mikrotik routers almost exclusively and Mikrotik radios for point to point wifi links ...
by tippenring
Fri Nov 02, 2018 4:13 pm
Forum: General
Topic: SSTP VPN between two MT routers
Replies: 3
Views: 325

Re: SSTP VPN between two MT routers

It seems to me there are details missing in your explanation. SSTP will transit NAT with no problem. You admit this when you say the PCs can ping Mikrotik 2. Based on the information provided, I think there's something else going on unrelated to a NAT device in the middle. /export hide-sensitive is ...
by tippenring
Mon Oct 29, 2018 10:51 pm
Forum: General
Topic: Mikrotik does not support IPSec, L2TP or OpenVPN connections to any VPN provider
Replies: 9
Views: 2529

Re: Mikrotik does not support IPSec, L2TP or OpenVPN connections to any VPN provider

I've had a Torguard tunnel up via L2TP/IPSec for a couple of years. No problems. Torguard has a guide.

It may not be the best, but it serves my purpose.
by tippenring
Tue Oct 23, 2018 9:10 pm
Forum: General
Topic: 31 subnet - Not finding an answer to default gateway.
Replies: 16
Views: 1346

Re: 31 subnet - Not finding an answer to default gateway.

I spent a few minutes testing. Unfortunately my tests did not result in connectivity either. First I tried my Windows PC. It didn't like a /31 at all and wouldn't let me use it. Then I used a Cisco router and Mikrotik on the same LAN network. I added 10.99.99.0/31 on the Cisco, and 10.99.99.1/31 on ...
by tippenring
Tue Oct 23, 2018 4:51 pm
Forum: General
Topic: 31 subnet - Not finding an answer to default gateway.
Replies: 16
Views: 1346

Re: 31 subnet - Not finding an answer to default gateway.

Is the MAC address for x.x.x.30 in your ARP table?
by tippenring
Tue Oct 23, 2018 4:37 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 529

Re: Advanced IP scanners locks up winbox access?

Strange. I manage quite a few routers and have yet to see this behavior. The only other thing I can think of is Winbox 3.18 was released at least in part to resolve an issue with failed logins. I'm betting you're already on 3.18 though.
by tippenring
Tue Oct 23, 2018 3:59 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 529

Re: Advanced IP scanners locks up winbox access?

Are you using RADIUS perhaps?
by tippenring
Thu Oct 18, 2018 5:41 pm
Forum: General
Topic: Unable to login
Replies: 5
Views: 398

Re: Unable to login

I'd suggest posting your firewall config. If you have some kind of blacklisting set of rules, you could very well be hitting them and blocking your own access after a few packets. That's just a thought off the top of my head.
by tippenring
Thu Oct 18, 2018 5:09 pm
Forum: General
Topic: libssh exploit, is Mikrotik affected?
Replies: 5
Views: 840

Re: libssh exploit, is Mikrotik affected?

Is Mikrotik affected by the libssh bug described here? https://arstechnica.com/information-technology/2018/10/bug-in-libssh-makes-it-amazingly-easy-for-hackers-to-gain-root-access/ I am not sure if libssh is used under the hood; it would be great to know one way or the other. Thanks
Thanks for aski...
by tippenring
Wed Oct 17, 2018 5:36 pm
Forum: General
Topic: Unable to login
Replies: 5
Views: 398

Re: Unable to login

Good morning, some devices with the 6.43.2 software do not allow me to log in. The credentials are correct; with wrong credentials I receive the error "Authentication failed", whereas with the right user/pass the process goes into timeout. The problem occurs both with Winbox, with telnet and with ...
by tippenring
Thu Oct 11, 2018 4:39 pm
Forum: General
Topic: Can my ISP access my Mikrotik Router and make changes?
Replies: 7
Views: 572

Re: Can my ISP access my Mikrotik Router and make changes?

So you mean they have some exploit in the device that they could gain access anytime?
Depending on your software version, yes, that is correct. See https://blog.mikrotik.com/security/winb ... ility.html

Also, it's a good idea to monitor https://blog.mikrotik.com/security/
by tippenring
Wed Oct 03, 2018 4:07 pm
Forum: General
Topic: Router won't install update
Replies: 7
Views: 1070

Re: Router won't install update

As Nescafe mentioned, the log will *probably* tell you why it didn't upgrade. I suspect that's why he asked what other files are on the file system. If you have other packages of a different version, the upgrade may fail.
by tippenring
Mon Oct 01, 2018 9:00 pm
Forum: General
Topic: Winbox Protocol Dissector
Replies: 2
Views: 357

Re: Winbox Protocol Dissector

I loaded up the dissector and captured a small bit of traffic. My understanding from the Cisco article is that it will only work on unencrypted sessions. I believe all newer versions of Winbox use encryption, and my small capture didn't seem to have any readable data. I spent less than 5 minutes try...
by tippenring
Fri Sep 28, 2018 10:38 pm
Forum: Wireless Networking
Topic: Spambots
Replies: 12
Views: 3873

Re: Spambots

by tippenring
Thu Sep 27, 2018 12:45 am
Forum: Beginner Basics
Topic: Router Sending Spam
Replies: 7
Views: 1360

Re: Router Sending Spam

In addition to disabling the proxy and socks services, you need to change all passwords (and ideally usernames) for the router as well. Otherwise the attackers will probably log back in and turn on the socks and proxy services again. add action=add-src-to-address-list address-list="port scanners" \ ...
by tippenring
Tue Sep 25, 2018 5:28 pm
Forum: Beginner Basics
Topic: Site to Site IPSec between two Mikrotik Routers
Replies: 7
Views: 640

Re: Site to Site IPSec between two Mikrotik Routers

Glancing over your screenshots, it looks about right for the IPSec. I'd tell you to make sure you exclude the subnets from masquerade or dst-nat, but you aren't getting that far yet.

Can your routers reach each other at all? It looks like they can't.
by tippenring
Tue Sep 25, 2018 5:01 pm
Forum: Beginner Basics
Topic: How to Monitor specific Ip
Replies: 5
Views: 519

Re: How to Monitor specific Ip

Well if this is a site that contains only one host IP it's easy, but if it is something like facebook, with multiple hosts, just mark the connection and then create a log rule on firewall over this connection mark, like so:
/ip firewall mangle add chain=forward action=mark-connection new-connection...
by tippenring
Fri Sep 14, 2018 9:47 pm
Forum: Beginner Basics
Topic: How do I connect to IP 0.0.0.0?
Replies: 13
Views: 4624

Re: How do I connect to IP 0.0.0.0?

There it is again. Mention of IPv6. Often times, when I hear about IPv6, someone is saying something about network problems disappearing. I work for a small company with a network of less than 255 devices. I'm having that 0.0.0.0 problem, myself. Would it be worth it to migrate to IPv6? What are th...
by tippenring
Fri Sep 14, 2018 9:38 pm
Forum: General
Topic: DNS Server TTL problem
Replies: 14
Views: 990

Re: DNS Server TTL problem

@tippenring: I'm not admin of RB trying to outsmart DNS domain admin, @alli is.
Dang it. Sorry about that. I don't know why I didn't notice you were not the OP. I read your reply from the context of the OP. No wonder it didn't make sense to me. :-)
by tippenring
Fri Sep 14, 2018 9:35 pm
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 576

Re: Power outage causes specific sites to be blocked

I don't think that is the issue. But it is a great idea. Our 2 CCR in the area are not parallel. They are actually 150 miles apart. We have a layer 3 switch on the mountaintop separating them with OSPF. We don't use ICMP redirects at all. It looks like this: Frontier fiber-----Blanding CCR ------ Ab...
by tippenring
Fri Sep 14, 2018 8:12 pm
Forum: General
Topic: Can't Log in After Upgrade
Replies: 21
Views: 2482

Re: Can't Log in After Upgrade

I'm not a mikrotik master, but I have enough brains to change my credentials after hacking.
Have you tried Winbox 3.18? There's a potential fix there. I just realized you aren't the OP. The OP tried 3.18, but you haven't said you tried it.
by tippenring
Fri Sep 14, 2018 5:52 pm
Forum: General
Topic: Can't Log in After Upgrade
Replies: 21
Views: 2482

Re: Can't Log in After Upgrade

RB3011 running 6.40.9, 2 days ago received "wrong username or password" in winbox. User is not "admin", password is strong enough. LCD touch was disabled. A crack, I think, then netinstall, 6.43, total reconfig (had no backups)... and today I received the same message "wrong username or password". ...
by tippenring
Fri Sep 14, 2018 5:49 pm
Forum: Beginner Basics
Topic: Can't access webfig on WAN
Replies: 10
Views: 1665

Re: Can't access webfig on WAN

When a router is defaulted, it normally has a set default config which includes firewall rules. When you first connect, you have the option to retain the config or start clean. I'd have to think you chose to start clean. If you are running pre-6.40.8 or pre-6.42.1, someone may have already hijacked ...
by tippenring
Fri Sep 14, 2018 5:07 pm
Forum: General
Topic: block multicast traffic
Replies: 2
Views: 1555

Re: block multicast traffic

/ip firewall filter
  add action=drop chain=input dst-address-type=multicast
by tippenring
Thu Sep 13, 2018 6:52 pm
Forum: General
Topic: DNS Server TTL problem
Replies: 14
Views: 990

Re: DNS Server TTL problem

It is up to domain administrator to decide how long TTL is the best one for her domain. If she has really good reason for setting short TTL then it's probably counter-productive if caching DNS server administrator (e.g. @alli) tries to out-smart her. Because it's quite probable that caching DNS adm...
by tippenring
Thu Sep 13, 2018 6:27 pm
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 576

Re: Power outage causes specific sites to be blocked

Here's a different possible cause to look at. I believe you've described your network as having two parallel border CCR routers. Is that correct? If so, when the power returns, could one router be the default gateway for your network, but actually be routing the traffic to the other border router (a...
by tippenring
Wed Sep 12, 2018 4:46 am
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 576

Re: Power outage causes specific sites to be blocked

I'll take a look and post them without sensitive configs. Too bad I can't use the Mikrotik auto remove sensitive on saved backups.
You don't necessarily need to post them. Just load the before and after in notepad++ and do a compare.
by tippenring
Wed Sep 12, 2018 4:25 am
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 576

Re: Power outage causes specific sites to be blocked

Right now we are using the CCR that was causing the issue to pass traffic. The only thing that changed to get it to start working was to restore a config file from before the power outage.
What was different between the two configs? That's an easy thing to look at.
by tippenring
Wed Sep 12, 2018 3:57 am
Forum: General
Topic: RouterOS ISP identifier
Replies: 10
Views: 579

Re: RouterOS ISP identifier

I'm pretty rusty on internet records, but I'm thinking what you're looking for might be PTR DNS records, which your ISP has to set up. Either that, or the IP block you have needs to be updated with your RIR. I believe your upstream should be able to do that also. I'm sure someone will come along shortly t...