Community discussions

Search found 819 matches

by R1CH
Sat Mar 23, 2019 8:01 pm
Forum: Wireless Networking
Topic: Multiple SSID’s and DHCP
Replies: 3
Views: 147

Re: Multiple SSID’s and DHCP

Bridge should be fine, just make sure DHCP server is set up to run on the bridge instead of one of the interfaces.
by R1CH
Fri Mar 22, 2019 5:31 pm
Forum: General
Topic: Help to config roming wireless
Replies: 4
Views: 225

Re: Help to config roming wireless

The best thing you can do with Mikrotik is set up all APs with same SSID / authentication, ensure they're all in the same broadcast domain and ensure your DHCP server is very fast at handling requests / renews (e.g. no pinging for 2 seconds before giving a lease). Unfortunately RouterOS lacks support f...
by R1CH
Fri Mar 22, 2019 1:33 pm
Forum: Wireless Networking
Topic: 256QAM and AC provisioning on 2,4GHz
Replies: 2
Views: 171

Re: 256QAM and AC provisioning on 2,4GHz

Sounds like you're asking for 802.11ax...
by R1CH
Fri Mar 22, 2019 12:17 pm
Forum: General
Topic: Question about SSL certificate
Replies: 2
Views: 174

Re: Question about SSL certificate

Yes, the hotspot FQDN must match the certificate. Do note that this only provides security to the hotspot page itself, it will not help in redirecting HTTPS pages to the hotspot.
by R1CH
Thu Mar 21, 2019 6:35 pm
Forum: General
Topic: Feature Request: Separate the firmware(bootloader) and routeros version number
Replies: 8
Views: 302

Re: Feature Request: Separate the firmware(bootloader) and routeros version number

You always need to update RouterBOOT and keep it the same version as RouterOS
The problem is Routerboot often has no changes between RouterOS versions, but we have no way of knowing since the version is incremented regardless. This involves needless reboots and additional wear on the small flash re...
by R1CH
Wed Mar 20, 2019 9:36 pm
Forum: RouterBOARD hardware
Topic: hAP ac and Verizon Gigabit
Replies: 4
Views: 236

Re: hAP ac and Verizon Gigabit

Make sure fasttrack is active, hAP AC is unlikely to be able to do 1gbps otherwise.
by R1CH
Tue Mar 19, 2019 1:26 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 400

Re: HOTSPOT login https error

You don't start, since that is impossible. The security of HTTPS negates attempts to intercept such requests, unless you want to teach your users to blindly ignore serious security errors.
by R1CH
Tue Mar 19, 2019 1:24 pm
Forum: General
Topic: CPU consumption by Horizon?
Replies: 2
Views: 383

Re: CPU consumption by Horizon?

Horizon will disable hardware offload according to wiki.
by R1CH
Mon Mar 18, 2019 4:22 pm
Forum: General
Topic: Putty updated to 0.71
Replies: 12
Views: 500

Re: Putty updated to 0.71

Which is my point. Post it in the phucking putty forum. Do you want me to start effing posting every time there is a windows update, a linux update, a macos update, an avast update, etc etc etc............ I might as well post every time I pop a zit, and pluck a nose hair. ;-) It's been almost two ye...
by R1CH
Mon Mar 18, 2019 1:51 am
Forum: Wireless Networking
Topic: blog.mikrotik.com: 802.11ay?
Replies: 3
Views: 317

Re: blog.mikrotik.com: 802.11ay?

Right after 802.11ax...
by R1CH
Mon Mar 18, 2019 1:49 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 64
Views: 9303

Re: v6.44.1 [stable] is released!

Do you really need all those packages? You are likely out of space since the device only has 16MB flash.
by R1CH
Sun Mar 17, 2019 11:54 pm
Forum: General
Topic: Redirect All SSL Pages to one page
Replies: 4
Views: 193

Re: Redirect All SSL Pages to one page

Don't set up your network in a way that intercepts all HTTPS requests and encourages users to bypass SSL errors. This is teaching users very dangerous practices, when their connection actually does get MITMed by a network attacker or compromised DNS, website, etc, then they will happily ignore the e...
by R1CH
Fri Mar 15, 2019 6:52 pm
Forum: General
Topic: Redirect All SSL Pages to one page
Replies: 4
Views: 193

Re: Redirect All SSL Pages to one page

Not possible, HTTPS is secure so you can't intercept it.
by R1CH
Fri Mar 15, 2019 6:51 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 64
Views: 9303

Re: v6.44.1 [stable] is released!

I didn't see any difference in behavior, it behaves as if it's disabled regardless of the checkbox state.
by R1CH
Fri Mar 15, 2019 3:56 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 64
Views: 9303

Re: v6.44.1 [stable] is released!

This doesn't affect users only during an upgrade, the default RouterOS conntrack timeouts are quite low and especially with the bug with tcp unacked timer, it's easy to get day-to-day TCP connections affected by this.
by R1CH
Fri Mar 15, 2019 3:42 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 64
Views: 9303

Re: v6.44.1 [stable] is released!

I can confirm the "Loose TCP Tracking" is completely broken in this release (and perhaps 6.44, didn't test it extensively). Previously established connections are treated as INVALID regardless of the setting.
by R1CH
Fri Mar 15, 2019 3:27 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 400

Re: HOTSPOT login https error

Just make sure nothing is in the walled garden. As long as the user is using a modern browser or phone, they should get the prompt for the portal.
by R1CH
Thu Mar 14, 2019 9:11 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 400

Re: HOTSPOT login https error

Make sure that you aren't allowing any sites in the hotspot before user auth, if you allow connectivity to Google / Apple / etc, the browser will think it has internet and will not trigger the captive portal. Any modern browser otherwise will notice the connection test is failing and prompt the user...
by R1CH
Tue Mar 12, 2019 7:52 pm
Forum: General
Topic: Connection tracking issue
Replies: 2
Views: 265

Re: Connection tracking issue

If you're seeing untranslated packets make it onto the network then you must have modified the default config, as this is considered "invalid" by netfilter and the defconf rules drop it.
by R1CH
Sun Mar 10, 2019 7:47 pm
Forum: General
Topic: Is there any way to do HTTP and HTTPS traffic shaping based on categories?
Replies: 10
Views: 298

Re: Is there any way to do HTTP and HTTPS traffic shaping based on categories?

You can use the tls host rule which works with SNI.
by R1CH
Sat Mar 09, 2019 2:48 pm
Forum: RouterBOARD hardware
Topic: MUM Europe 2019: new hardware
Replies: 54
Views: 5179

Re: MUM Europe 2019: new hardware

Wish there were some announcements about 802.11ax. I guess until ROS v7 is released the kernel is too old to support such drivers anyway.
by R1CH
Fri Mar 08, 2019 5:14 pm
Forum: General
Topic: hEX S shows activity on disabled SFP port without a link
Replies: 6
Views: 231

Re: hEX S shows activity on disabled SFP port without a link

I enabled the interface and the problem stopped. Very weird behavior. I don't plan on using the SFP port so this doesn't seem to cause any issues.
by R1CH
Thu Mar 07, 2019 7:44 pm
Forum: General
Topic: hEX S shows activity on disabled SFP port without a link
Replies: 6
Views: 231

Re: hEX S shows activity on disabled SFP port without a link

This is occurring with 6.44.
by R1CH
Thu Mar 07, 2019 6:26 pm
Forum: General
Topic: hEX S shows activity on disabled SFP port without a link
Replies: 6
Views: 231

hEX S shows activity on disabled SFP port without a link

How is this even possible?!

ether2-5 and sfp1 are bridged. The traffic levels seem to match around what ether2 is doing.
by R1CH
Tue Mar 05, 2019 6:12 pm
Forum: General
Topic: Cant resolve mynetname.net when DNSSEC validation is enabled
Replies: 2
Views: 171

Re: Cant resolve mynetname.net when DNSSEC validation is enabled

Seems to work OK here behind a DNSSEC-validating PowerDNS recursor.

No TCP support though is a problem that Mikrotik need to fix.
by R1CH
Sat Mar 02, 2019 3:04 am
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 26329

Re: v6.44 [stable] is released!

https-redirect is not working
You can't redirect HTTPS - the security provided by HTTPS means that unless you control the client devices and can install custom root certs, certificate validation will fail and users will see security errors. Mikrotik of all people should know this... what does this ...
by R1CH
Wed Feb 27, 2019 4:22 pm
Forum: General
Topic: RouterOS and 161/udp
Replies: 1
Views: 216

Re: RouterOS and 161/udp

You aren't filtering any other UDP ports, so they are responded to with an ICMP port unreachable, confirming the port is closed. Since UDP is connectionless, unless you speak the protocol there's no way to distinguish between an open port and a filtered port. I recommend you update your firewall to ...
by R1CH
Fri Feb 22, 2019 9:23 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 67
Views: 4069

Re: Security issue when Winbox exposed

Unicode in the updated changelog, which winbox can't handle.

by R1CH
Fri Feb 22, 2019 3:25 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 67
Views: 4069

Re: Security issue when Winbox exposed

I think it's great that Zerodium started a bug bounty program for Mikrotik. It's not like the bad guys don't know, they're just providing incentives for full disclosure. So patch early and patch often my friends!
Unfortunately that isn't how it works. Zerodium will pay for Mikrotik exploits and the...
by R1CH
Fri Feb 22, 2019 1:27 am
Forum: Announcements
Topic: v6.43.12 [stable] is released!
Replies: 49
Views: 9353

Re: v6.43.12 [stable] is released!

My CCR1009-7G-1C-1S+ just watchdog timer rebooted after installing this update a few days ago. In over a year of operation never had that happen.
Feb/21/2019 14:46:44 system,error,critical router was rebooted without proper shutdown by watchdog timer
by R1CH
Fri Feb 22, 2019 1:06 am
Forum: General
Topic: Security issue when Winbox exposed
Replies: 67
Views: 4069

Re: Security issue when Winbox exposed

I see where you are coming from, so I fixed it for ya................. Please try to keep in mind some of us run networks where we can't just take down the router for every RouterOS release. This was clearly not labelled as a security fix, so I personally did not consider it a priority to deploy du...
by R1CH
Thu Feb 21, 2019 6:52 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 67
Views: 4069

Re: Security issue when Winbox exposed

Why is this not mentioned as high severity security bug in changelog? Why no mention on security blog? Come on Mikrotik...
by R1CH
Wed Feb 20, 2019 11:56 pm
Forum: General
Topic: Problem with AP RBWAP2ND-BE
Replies: 2
Views: 178

Re: Problem with AP RBWAP2ND-BE

Try a full config reset with the reset button or just netinstall them. The default config on these devices is infuriating!

https://wiki.mikrotik.com/wiki/Manual:Reset_button
by R1CH
Wed Feb 20, 2019 11:44 pm
Forum: Wireless Networking
Topic: Superchannel on ac radios?
Replies: 4
Views: 347

Re: Superchannel on ac radios?

You need the international version if you want unlocked frequencies.
- RB921UAGS-5SHPacT-NM-US (USA) is factory locked for 5170-5250MHz and 5725-5835MHz frequencies. This lock can not be removed.
- RB921UAGS-5SHPacT-NM (International) supports 5150MHz-5875MHz range (Specific frequency range can be l...
by R1CH
Wed Feb 20, 2019 4:39 pm
Forum: General
Topic: Problem with DHCP Mikrotik RB962UIGS-5HACT2HNT
Replies: 11
Views: 476

Re: Problem with DHCP Mikrotik RB962UIGS-5HACT2HNT

Config? Maybe you're blocking important DHCP packets with the firewall.
by R1CH
Mon Feb 18, 2019 1:00 pm
Forum: General
Topic: WireGuard Released !
Replies: 8
Views: 952

Re: WireGuard Released !

Just because it isn't mainlined doesn't mean it isn't available. I've been using it in production for months via DKMS and I'm very happy with it. There are open source Windows clients available, performance is great and setup is so refreshingly easy compared to something like IPSec. And it's actuall...
by R1CH
Fri Feb 15, 2019 6:16 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 10183

Re: v6.44rc [testing] is released!

You make a good point about reboots creating zombie TCP connections on the nodes, but you are wrong about the DoS mitigation. Setting nf_conntrack_tcp_loose to 0 (not the default) stops false SYN-ACK and ACK packets before they hit the “listen” state lock, thereby allowing conntrack to scale much h...
by R1CH
Fri Feb 15, 2019 5:57 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 10183

Re: v6.44rc [testing] is released!

That setting should have no effect on DoS resistance unless you aren't properly filtering your inbound traffic. It's set to 1 which is the default, for good reason, otherwise any time a router reboots every single active TCP connection would have to time out instead of continuing to work.
by R1CH
Fri Feb 15, 2019 4:21 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 10183

Re: v6.44rc [testing] is released!

Just to clarify,
*) wireless - improved system stability for all ARM devices with wireless;
*) wireless - improved system stability for all MIPSBE devices with 802.11ac wireless;
Does this improve wireless performance or only RouterOS software stability? Also what devices are using AR5212? This is a...
by R1CH
Thu Feb 14, 2019 7:18 pm
Forum: Wireless Networking
Topic: Help Hacker sending deauth packet
Replies: 6
Views: 519

Re: Help Hacker sending deauth packet

These are often accidental, where someone configures an enterprise AP with "rogue AP mitigation" or a similar setting. Check with any businesses nearby or see if a wireless scan picks out any obvious enterprise APs that might be the culprits.
by R1CH
Thu Feb 14, 2019 1:05 pm
Forum: RouterBOARD hardware
Topic: Why people pair UBNT APs with MikroTik routers?
Replies: 55
Views: 24635

Re: Why people pair UBNT APs with MikroTik routers?

Do all people asking for new kernel realize that it would mean dropping support for WHOLE current CCR series since Linux kernel officially dropped support for Tile-Gx CPUs architecture? While I'm not saying Tile-Gx is awesome it'd still mean dropping support for devices that are: 1) still being sol...
by R1CH
Wed Feb 13, 2019 12:58 pm
Forum: Wireless Networking
Topic: cAP ac (Found the bug)
Replies: 1
Views: 310

Re: cAP ac (Found the bug)

Best to create supout and send to support@mikrotik.com.
by R1CH
Wed Feb 13, 2019 12:51 pm
Forum: General
Topic: $100,000 bounty for Mikrotik 0-days
Replies: 1
Views: 489

$100,000 bounty for Mikrotik 0-days

Thought this was interesting... given the number of exploits already found, I have no doubts that this kind of bounty will turn up more that will be sold to governments and criminals and used against Mikrotik networks. Unless there's an unpatched kernel bug, the safest way to protect yourself from u...
by R1CH
Wed Feb 13, 2019 12:41 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature request - DNSCrypt support...
Replies: 138
Views: 34855

Re: Feature request - DNSCrypt support...

Instead of wordless pluses, how about a discussion on TLS vs HTTPS. TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?
Why not both? Although DNS over HTTPS seems to be th...
by R1CH
Tue Feb 12, 2019 1:24 pm
Forum: General
Topic: Config Review - Security Conscience Home User
Replies: 19
Views: 960

Re: Config Review - Security Conscience Home User

I would ditch all the blacklist / port scan detect / etc stuff. This kind of thing just opens you up to a resource exhaustion attack and can even result in blacklisting legitimate traffic if an attacker has IP spoofing capabilities. The CPUs on these devices are not powerful enough to do this kind of s...
by R1CH
Mon Feb 11, 2019 8:21 pm
Forum: Announcements
Topic: v6.43.12 [stable] is released!
Replies: 49
Views: 9353

Re: v6.43.12 [stable] is released!

*) winbox - improvements in connection handling to router with open winbox service;
Yet another security hole, I presume?
How severe is it?
Sounds like you can DoS the service with half-closed connections or something.
by R1CH
Mon Feb 11, 2019 1:05 pm
Forum: General
Topic: ROS v6.43.x Hacked using same old vulnerability
Replies: 2
Views: 615

Re: ROS v6.43.x Hacked using same old vulnerability

Netinstall the latest version with known clean config and change all passwords. Either you didn't change passwords or you didn't netinstall, so attackers were able to get back onto your device.
by R1CH
Sun Feb 10, 2019 5:08 pm
Forum: General
Topic: problem to block Pubg Game
Replies: 6
Views: 654

Re: problem to block Pubg Game

Here are the IP ranges used by PUBG. I would not recommend blocking it.

http://ec2-reachability.amazonaws.com/
by R1CH
Fri Feb 08, 2019 12:41 pm
Forum: General
Topic: Bandwidth Test maximum speed
Replies: 4
Views: 400

Re: Bandwidth Test maximum speed

Test through the routers using iperf3, not on the routers.
by R1CH
Thu Feb 07, 2019 11:32 pm
Forum: RouterBOARD hardware
Topic: New routerboot firmware
Replies: 12
Views: 1038

Re: New routerboot firmware

Note that although the firmware version is in sync with the RouterOS version, there are often no changes between versions. It's only worth upgrading if there's a change you need.