Community discussions

Search found 242 matches

by JimmyNyholm
Tue Nov 13, 2018 9:38 am
Forum: Announcements
Topic: v6.43.4 [stable] is released!
Replies: 67
Views: 12883

Re: v6.43.4 [stable] is released!

6.43.4 is Stable branch and includes *) bridge - do not learn untagged frames when filtering only tagged packets;
When do we reckon that this patch will be available in the "Long Term" branch?
by JimmyNyholm
Thu Nov 08, 2018 4:17 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 180
Views: 30630

Re: v6.44beta [testing] is released!

All hash options are useless; static passwords are insecure. I use OTP (one-time password) and can't hash anything because there is nothing to hash on. Please reimplement PAP so I may once again be secure.
by JimmyNyholm
Fri Aug 24, 2018 9:12 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 558
Views: 87323

Re: v6.43rc [release candidate] is released!

And what about making the RADIUS login scheme selectable? CHAP for people who use static shit that can be challenged, PAP for us who only use one-time passwords and therefore inherently don't have anything to do a challenge on. (CHAP is unusable in this case.)
by JimmyNyholm
Fri Aug 24, 2018 9:10 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 558
Views: 87323

Re: v6.43rc [release candidate] is released!

And what about making the RADIUS login scheme selectable? CHAP for people who use static shit that can be challenged, PAP for us who only use one-time passwords.
by JimmyNyholm
Fri Aug 24, 2018 9:01 pm
Forum: Announcements
Topic: WPA2 preshared key brute force attack
Replies: 25
Views: 10329

Re: WPA2 preshared key brute force attack

And what about working on WPA3? According to Qualcomm you need new chipsets for WPA3 so it seems that old gear won't be able to support it ... As far as I can tell that is a big spit of "bullspit" ;-) WPA3 can be done in software only if the hardware features in an old chip are too slow. But then again...
by JimmyNyholm
Fri Aug 24, 2018 8:46 pm
Forum: Forwarding Protocols
Topic: IPv6 recursive nexthops via iBGP
Replies: 102
Views: 18630

Re: IPv6 recursive nexthops via iBGP

Passing into late 2018 and still this is a big issue. When, @Mikrotik, WHEN will recursive routing work in RouterOS? Installed V6 routes that have reachable nexthops (recursively, that is) will never be active due to something broken. FIX NOW. IPv4 days are over and we must deploy IPv6.
by JimmyNyholm
Sat Aug 18, 2018 9:54 am
Forum: Announcements
Topic: WPA2 preshared key brute force attack
Replies: 25
Views: 10329

Re: WPA2 preshared key brute force attack

And what about working on WPA3?
by JimmyNyholm
Sat Aug 04, 2018 11:17 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 275
Views: 38450

Re: Winbox vulnerability: please upgrade

I got the same mail two days ago so perhaps they're having problems with the mail systems? ;-)
by JimmyNyholm
Sat Aug 04, 2018 11:07 am
Forum: General
Topic: IPv6 BGP unreachable nexthop through loopback
Replies: 7
Views: 489

Re: IPv6 BGP unreachable nexthop through loopback

Currently recursive routing will not work if gateway is link local address. I'd say recursive routing is totally broken for IPv6 in RosV6 having route coming in from ospfv3 process, ibgp session but MP bgp route can't get active because the gateway is unreachable according to the ipv6 route print wh...
by JimmyNyholm
Sat Aug 04, 2018 9:36 am
Forum: Forwarding Protocols
Topic: set next-hop anyhow?
Replies: 2
Views: 312

Re: set next-hop anyhow?

What I have discovered is: If you override the nexthop in a filter on the incoming, it will not be reflected that way if you do not also have a filter to the respective outgoing. This is unintuitive I'd say, but once you realise this it gets a bit clearer in the RouterOS space. (This is not Currently doa...
by JimmyNyholm
Sat Aug 04, 2018 9:29 am
Forum: Forwarding Protocols
Topic: OSPF splitted broadcast network
Replies: 1
Views: 268

Re: OSPF splitted broadcast network

I'd say you get a classical split-brain scenario where both sides try to converge and find themselves as DRs and, depending on other redistribution, many blackholes in the routing. This is why you run OSPF and perhaps you should have a backup direct link to avoid split-brain. But Who am I that may ...
by JimmyNyholm
Sat Aug 04, 2018 9:21 am
Forum: Forwarding Protocols
Topic: OSPF Router ID
Replies: 6
Views: 1800

Re: OSPF Router ID

The question has been answered but one could put it this way. Say this "number" is just a number. Sure it looks like an IP address. BUT for analogy think of it as a color value. When routers have only few links, this is what I think and call a SIMPLE OSPF network, the reason for this ID is not obvious. Bu...
by JimmyNyholm
Sun Jul 29, 2018 2:42 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: BGP multithreaded
Replies: 8
Views: 1724

Re: BGP multithreaded

Forwarding and routing is good and fast as long as you keep all traffic in fastpath. It is a router not a firewall. True, but it is still good practice to do anti-spoofing filtering on a border router I also feel happier blocking traffic to the control plane with filters on the 'input' chain - you ...
by JimmyNyholm
Tue Jul 24, 2018 4:07 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 558
Views: 87323

Re: v6.43rc [release candidate] is released!

And even worse, the CHAP packet that you send out does not contain any password (you are sending an empty RADIUS request even before asking the user for a password). Clean up your code and enable PAP/CHAP/MSCHAP as an option NOW! I'm trying this RC in a CRS328-4C-20S-4S+RM After downgrading to Current 6.42...
by JimmyNyholm
Tue Jul 24, 2018 3:36 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 558
Views: 87323

Re: v6.43rc [release candidate] is released!

Ok so now I test the RC45 Build. My setup scripts fail can't rename user admin anymore? WHY?
by JimmyNyholm
Tue Jul 24, 2018 11:38 am
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 558
Views: 87323

Re: v6.43rc [release candidate] is released!

NOOOOO!!!! -"radius - use MS-CHAPv2 for "login" service authentication;" I hope there is a setting for this. CHAP, CHAPv2 with or without MS flavour is doing nothing good to the fact that static passwords are weak and should not be used. We use one-time passwords which will not work in replay mode d...
by JimmyNyholm
Sun Jul 08, 2018 11:28 am
Forum: RouterOS v7
Topic: Feature Request /31 Subnet
Replies: 29
Views: 8365

Re: Feature Request /31 Subnet

Actually it won't get ugly if you combine the fine /32 support with the fact that you can have the same IP on many interfaces in RouterOS. Then you can do fully functional OSPF. Assign a /28 for a 16 port router as to say router has the same IP on all its customer facing interfaces then carve /32 to...
by JimmyNyholm
Wed Jun 27, 2018 8:30 am
Forum: Forwarding Protocols
Topic: Can I drop a specific ospf route+gateway combination?
Replies: 1
Views: 240

Re: Can I drop a specific ospf route+gateway combination?

In Router Filter you may check multiple fields in the matcher section. You may then pin this filter matcher to a specified source in conjunction with your other matchers, such as prefix. Only the ospf-in list is checked for the OSPF process if I'm not remembering wrong.
by JimmyNyholm
Sat Jun 23, 2018 2:23 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: CSR3xx, HW-Offloading, Q-in-Q in 6.43
Replies: 10
Views: 1581

Re: CSR3xx, HW-Offloading, Q-in-Q in 6.43

Did a quick look in the current RC with initial qinq support and then what port settings for stack trunk or stack access.
setting vlans marking them as outer q? no.

MT Will this surface later in the development or did you not think this through?
by JimmyNyholm
Sat Jun 23, 2018 2:17 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: ROS 7 Beta
Replies: 41
Views: 7862

Re: ROS 7 Beta

True Isolated VRFs
ip setting RP Filter Strict VRF Aware.
All other Services/Features VRF Aware
New Routing Engine Multicore Support.
v4v6 agnostic full same features over the whole product.
And that's just the top of my head.
by JimmyNyholm
Mon Jun 18, 2018 12:16 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 59890

Re: VPNfilter official statement

Security advisory emails were sent to all users that are in our database.
Where do I register to get these advisories?
by JimmyNyholm
Wed Jun 06, 2018 1:36 pm
Forum: The Dude
Topic: Adding Winbox Tool
Replies: 25
Views: 9511

Re: Adding Winbox Tool

Or better yet: support an external REST API call for getting the current password from another system. Dude is logged in with one type of user that should not be used by personnel from, say, Support or other personnel from, say, NOC.
by JimmyNyholm
Wed Jun 06, 2018 1:02 pm
Forum: Announcements
Topic: v6.42.3 [current]
Replies: 80
Views: 16931

Re: v6.42.3 [current]

6.42.x breaks something quite badly in DHCP server. I have a setup where a CCR1016 serves several VLANs, with a dedicated DHCP server to each VLAN. 6.41.4 works beautifully without any sort of hiccups. 6.42.x sometimes won't bring the DHCP instances up in the first boot. If I reboot the CCR, then ...
by JimmyNyholm
Wed May 30, 2018 1:24 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 77
Views: 15383

Re: Winbox 3.14 released!

What's new in v3.14: *) added support for new style authentication and encryption for connections to RouterOS v6.43; Does this let us get Radius with pap work later on for winbox login (I am using OTP-Tokens there simply is nothing to do chap on so now it's impossible to login to winbox in my more ...
by JimmyNyholm
Wed May 30, 2018 11:56 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 59890

Re: VPNfilter official statement

Thanks for the prompt response Normis. I assume people that were using the quickset dynamic dns vpn and appropriate firewall rules + updated fw would have been invulnerable to these attacks? Any RouterOS version with firewall on the www port from untrusted networks was always safe. The original vun...
by JimmyNyholm
Fri May 11, 2018 9:13 am
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 273
Views: 31315

Re: v6.42.1 [current]

still waiting for the bugfix only update This vulnerability isn't much of a problem. The problem is administrators leaving their firewall services (API, Winbox, SSH, etc.) exposed to untrusted networks. It's better to apply firewall filters to the input chain that will protect against this and othe...
by JimmyNyholm
Thu May 10, 2018 4:42 pm
Forum: Announcements
Topic: Newsletter #82 (May 2018)
Replies: 38
Views: 8248

Re: Newsletter #82 (May 2018)

WOW! Will CRS332-32S+RM have hardware MPLS P switching as well, same as we now have at 317-16S+ ?????
by JimmyNyholm
Fri Apr 06, 2018 6:13 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74998

Re: v6.42rc [release candidate] is released!

Confirmation from MT in mail: RC55 will have a fix for my LACP bonding problem. Have a nice weekend and I hope for the soon release of RC55. One wonders what more magical fixes will be included.
;-)
by JimmyNyholm
Wed Mar 28, 2018 3:11 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74998

Re: v6.42rc [release candidate] is released!

My LACP problem is still Present in this RC ([Ticket#2018031222001218] LACP HW problem reaching bridge)
by JimmyNyholm
Sun Mar 25, 2018 10:39 pm
Forum: Announcements
Topic: v6.41.3 [current]
Replies: 139
Views: 22772

Re: v6.41.3 [current]

Word of !WARNING for anyone who has the CCR1072-1G-8S+. We have two of these units, since the upgrade both have used consistently 10 more watts of power! This has also increased the temperature of the device and fan speed, that can't be a good thing can it? We've contacted Mikrotik and this is thei...
by JimmyNyholm
Fri Mar 23, 2018 9:48 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74998

Re: v6.42rc [release candidate] is released!

[admin@sw-under] > interface bonding print Flags: X - disabled, R - running 0 name="CoreUplink" mtu=1500 mac-address=64:D1:54:EA:BC:83 arp=enabled arp-timeout=auto slaves=sfp-sfpplus1,sfp-sfpplus2 mode=802.3ad primary=none link-monitoring=mii arp-interval=100ms arp-ip-targets="" mii-interval=100ms ...
by JimmyNyholm
Thu Mar 22, 2018 12:24 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: New router OS
Replies: 46
Views: 8725

Re: New router OS

Steve is right. There is barely anything left in v7 that we haven't backported. Isolated VRF's VRF aware Services All of them and Multiple of them (ie allow ssh source this in vrf x and source that in vrf p only listening on ip's local to that respective vrfs) Tunnel Interface: Inner VRF and Outer ...
by JimmyNyholm
Thu Mar 22, 2018 12:07 pm
Forum: Announcements
Topic: Winbox 3.12 released!
Replies: 55
Views: 32245

Re: Winbox 3.12 released!

I reckon you have full feed and a single core problem; every question you make in CLI will take forever. I guess that Winbox can't be faster than CLI can so..... Or am I missing something?
by JimmyNyholm
Sat Mar 10, 2018 7:31 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74998

Re: v6.42rc [release candidate] is released!

# jan/13/1970 03:06:17 by RouterOS 6.42rc39 # software id = JLRA-QA36 # # model = CRS326-24G-2S+ # serial number = 763C06E78477 /interface ethernet set [ find default-name=sfp-sfpplus2 ] mac-address=6C:3B:6B:ED:F9:E6 /interface bridge add admin-mac=6C:3B:6B:ED:F9:E6 auto-mac=no fast-forward=no name...
by JimmyNyholm
Fri Mar 09, 2018 2:20 pm
Forum: RouterBOARD hardware
Topic: CRS328-24P-4S+RM
Replies: 6
Views: 864

CRS328-24P-4S+RM

CRS328-24P-4S+RM Wow.
This is what I was waiting for. Nice one. When will it be available.
by JimmyNyholm
Fri Mar 09, 2018 12:58 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74998

Re: v6.42rc [release candidate] is released!

*) crs3xx - added initial "hw-offload" support for 802.3ad and "balance-xor" bonding; Well done! I can confirm it's working on a CRS326 now. Still open is the issue to change MTU size. [admin@MikroTik] /interface bonding> set bond2 mtu=8148 failure: could not set mtu [admin@MikroTik] /interface bon...
by JimmyNyholm
Thu Mar 08, 2018 4:20 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74998

Re: v6.42rc [release candidate] is released!

*) bridge - added per-port forwarding options for broadcasts, unknown-multicasts and unknown-unicasts; *) bridge - added per-port learning options; *) bridge - added support for static hosts; Thanks. This will make it possible to configure stuff that I was waiting for. Are there any plans for more l...
by JimmyNyholm
Tue Feb 27, 2018 5:46 pm
Forum: Forwarding Protocols
Topic: Point-to-point (/31) addresses
Replies: 62
Views: 34676

Re: Point-to-point (/31) addresses

I would skip using an actual /31, and just use two /32s. Specify the remote address as the "network", and you should be good to go. This mechanism is more flexible than using /31s, as the addresses don't need to be adjacent; and more efficient since you can re-use the same address for multiple link...
by JimmyNyholm
Tue Feb 27, 2018 5:36 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74998

Re: v6.42rc [release candidate] is released!

We are aware of this DHCP client problem, will try to fix in one of the next RC versions.
Thanks mrz....
Are you aware of and have you reproduced the LACP problem as well?
by JimmyNyholm
Mon Feb 26, 2018 11:00 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74998

Re: v6.42rc [release candidate] is released!

Have you set admin-mac on the bridge? I have only created the bridge1 interface. /interface bridge export # mar/12/1970 15:13:17 by RouterOS 6.42rc35 # software id = M8A7-BVIJ # # model = CRS326-24G-2S+ /interface bridge add igmp-snooping=yes name=bridge1 protocol-mode=none pvid=64 vlan-filtering=y...
by JimmyNyholm
Mon Feb 26, 2018 4:31 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74998

Re: v6.42rc [release candidate] is released!

Tested this new RC. My bridge LACP bridge problem still exists. Not reachable through LACP bond if no other local port on bridge is active.

ip dhcp-client connected to bridge1 does eternal searching after reboot; disable and enable fixes the problem.
by JimmyNyholm
Sun Feb 25, 2018 3:25 pm
Forum: Announcements
Topic: v6.40.6 [bugfix] is released!
Replies: 58
Views: 11217

Re: v6.40.6 [bugfix] is released!

Long, long post ... five seconds of scrolling. Was it necessary? No scrolling here. Use a real browser and the post is rendered in a scrolled list inside that post. As for the question, it seems legit to ask to see if one has understood things right. To actually answer the question: Yes that seems to be...
by JimmyNyholm
Sun Feb 25, 2018 12:10 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74998

Re: v6.42rc [release candidate] is released!

Ok So I did see the wiki was updated to state the fact of HW offload on crs3xx series. So I did a new test and: 23 I H ether24 bridge1 yes 64 0x80 10 10 none 24 H Core bridge1 yes 64 0x80 10 10 none [admin@labb-mgmt-1] /interface bridge port> Surely it states that the Bond in my case named Core sho...
by JimmyNyholm
Tue Feb 20, 2018 1:42 pm
Forum: Forwarding Protocols
Topic: eoip sharing subnet
Replies: 6
Views: 586

Re: eoip sharing subnet

The EOIP tunnel is an interface to RouterOS. This is your inside of tunnel and can be part of bridge. the interface that holds the LocalIP that eoip binds to in the encapsulated iptraffic it generates should of course not be part of the same (or any bridge) this creates loops and defeats the purpose...
by JimmyNyholm
Sun Feb 18, 2018 3:21 pm
Forum: Forwarding Protocols
Topic: Choose right VPN tunnel when both peers are dual-homed
Replies: 2
Views: 256

Re: Choose right VPN tunnel when both peers are dual-homed

Hi. If both sides have static IPs this is easy. If you need L3 only then set up meshed GRE tunnels with configured IPsec secret, then the GRE traffic is encrypted and all is well. You may then assign link IPs and loopback and enable OSPF and set the weight. Using careful settings and only routing ...
by JimmyNyholm
Sun Feb 18, 2018 2:58 pm
Forum: Forwarding Protocols
Topic: vrf connected route leaking
Replies: 20
Views: 4623

Re: vrf connected route leaking

Not yet, but v7beta is coming later this year
Are we there yet?
by JimmyNyholm
Sun Feb 18, 2018 12:31 pm
Forum: The User Manager
Topic: API set command
Replies: 1
Views: 386

Re: API set command

The manual is at: https://wiki.mikrotik.com/wiki/Manual:API
C# abstractions are found at nuget and discussed here in the scripting forum, and set command perhaps here: viewtopic.php?f=9&t=130899&p=642998&hil ... 23#p642998
by JimmyNyholm
Sat Feb 17, 2018 2:19 pm
Forum: Forwarding Protocols
Topic: eoip sharing subnet
Replies: 6
Views: 586

Re: eoip sharing subnet

EOIP is an Ethernet-like interface encapsulated over IP packet. Ethernet-like makes it able to be part of a bridge, which you seem to grasp, but then you attach IPs to interfaces instead of the bridge? Please make a drawing on what you are trying to do, then we are much more able to help you. Subject suges...
by JimmyNyholm
Wed Feb 14, 2018 10:25 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74998

Re: v6.42rc [release candidate] is released!

*) radius - increase allowed RADIUS server timeout to 60s; To add an important reason to the too short limit problem of timeout in radius: Successful authentications are answered immediately (in order of milliseconds if possible), but to protect the server from brute-force attacks and DOS-type atta...
by JimmyNyholm
Sat Feb 10, 2018 4:01 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: CVE-2018-5951: MikroTik RouterOS Denial of Service Vulnerability
Replies: 20
Views: 3396

Re: CVE-2018-5951: MikroTik RouterOS Denial of Service Vulnerability

Did you read my post entirely? A simple firewall stops it. Why don't you have it?
Let me think......... FASTPATH!