Community discussions

Search found 560 matches

by R1CH
Tue Jul 17, 2018 4:18 pm
Forum: RouterBOARD hardware
Topic: RB850Gx2 vs RB450Gx4
Replies: 49
Views: 3492

Re: RB850Gx2 vs RB450Gx4

Anyone tried getting OpenWRT running on one of these yet? Looks like a great board for non-ROS systems.
by R1CH
Mon Jul 16, 2018 2:26 pm
Forum: General
Topic: Problems with SSL Godaddy Hotspot
Replies: 5
Views: 334

Re: Problems with SSL Godaddy Hotspot

Your screenshot is showing everything working perfectly - the browser has detected the hotspot and all you have to do is click "Connect".
by R1CH
Fri Jul 13, 2018 7:37 pm
Forum: General
Topic: Router wireless speed deteriirated
Replies: 1
Views: 90

Re: Router wireless speed deteriirated

Are you sure your router isn't hacked and all the bandwidth being used by attackers? 6.39 is vulnerable to many exploits, if you have any ports exposed it's likely hacked. You should netinstall to 6.42.6 to remove any malware. If you're sure it isn't compromised, try changing channels on the wifi. M...
by R1CH
Fri Jul 13, 2018 2:38 pm
Forum: RouterBOARD hardware
Topic: CRS317 keeps calling "home" (MikroTik cloud)
Replies: 1
Views: 190

Re: CRS317 keeps calling "home" (MikroTik cloud)

You also need to disable timezone auto detection.
by R1CH
Fri Jul 13, 2018 2:37 pm
Forum: General
Topic: .npk files auto deleted
Replies: 13
Views: 533

Re: .npk files auto deleted

This definitely sounds like malware that is preventing you from patching the router to a secure version. Safest way forward is to format / netinstall.
by R1CH
Mon Jul 09, 2018 7:56 pm
Forum: Announcements
Topic: Winbox v3.16 released!
Replies: 38
Views: 4390

Re: Winbox v3.16 released!

Winbox self-update is still vulnerable to MITM to execute arbitrary code. (ref: ticket 2018052822004611)
by R1CH
Mon Jul 09, 2018 7:34 pm
Forum: RouterBOARD hardware
Topic: CAP ac bad Antenna design?
Replies: 95
Views: 12270

Re: CAP ac bad Antenna design?

There is no Wave2 support in RouterOS. Maybe in RouterOS v7 when the drivers / kernel are updated.
by R1CH
Sun Jul 08, 2018 1:23 am
Forum: Wireless Networking
Topic: Backup 5GHz link for LHG 60
Replies: 1
Views: 182

Backup 5GHz link for LHG 60

Since rain or other obstacles can cause the 60 GHz link to drop completely, I'm investigating whether to run a 5 GHz link also for redundancy. Failure should be ideally detected within a second and traffic transparently routed to the 5 GHz link until the 60 GHz link is back online. Both sides of the...
by R1CH
Sat Jul 07, 2018 2:42 pm
Forum: General
Topic: DNSSEC
Replies: 26
Views: 6384

Re: DNSSEC

Using an external resolver also fixes latency issues caused by high CPU: routed packets through the kernel still proceed, but the user-mode DNS server is starved, leading to slow DNS responses. I also couldn't find a way to do DNS rebinding protection with Mikrotik, which was the main reason I switched away.
by R1CH
Sat Jul 07, 2018 2:40 pm
Forum: General
Topic: hAP ac2 crashes?
Replies: 5
Views: 278

Re: hAP ac2 crashes?

I had a wAP AC behave very similarly during a switch loop which is why I mention this. After fixing the loop all devices except the wAP AC came back without intervention.
by R1CH
Fri Jul 06, 2018 6:19 pm
Forum: Wireless Networking
Topic: Client roaming with different subnets and DHCP
Replies: 0
Views: 94

Client roaming with different subnets and DHCP

I was wondering if anyone has any experience with a single SSID roaming setup but using different subnets behind the AP. For example, two SSIDs that share the same name / key, but one assigns in 192.168.88.0/24 space and the other in 10.10.10.0/24: Would most clients issue a new DHCP request when th...
by R1CH
Fri Jul 06, 2018 6:08 pm
Forum: General
Topic: hAP ac2 crashes?
Replies: 5
Views: 278

Re: hAP ac2 crashes?

I would suspect a faulty switch or a loop / broadcast storm. Try monitoring traffic on one of the devices connected to the switch during an outage.
by R1CH
Fri Jul 06, 2018 6:06 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 180
Views: 46954

Re: VPNfilter official statement

I made a checking tool like that as soon as it was announced, but realized it's probably useless as this ssler module is very likely targeted to high profile victims and won't be enabled on most infections.
by R1CH
Thu Jul 05, 2018 12:17 am
Forum: General
Topic: Web Proxy Hacked
Replies: 8
Views: 490

Re: Web Proxy Hacked

You should format and netinstall after being compromised. Winbox access can supposedly be escalated to shell access, where all kinds of malware could be lurking with no way to detect.
by R1CH
Wed Jul 04, 2018 7:51 pm
Forum: General
Topic: PCI Compliance - CVE-2015-4000
Replies: 5
Views: 235

Re: PCI Compliance - CVE-2015-4000

For command line scanning of DH parameters, give this a try: https://github.com/GDSSecurity/SSH-Weak-DH For those curious, strong-crypto=yes enables 2048 bit DH parameters and disables 3des / md5 from ciphers / HMAC but dsa keys and sha1 remain enabled. /ip ssh set strong-crypto=yes: [+] STRONG. Alg...
by R1CH
Wed Jul 04, 2018 2:56 pm
Forum: General
Topic: Block HTTPS sites
Replies: 11
Views: 465

Re: Block HTTPS sites

Please listen to the people saying this is not possible. If anyone could redirect HTTPS, what's to stop anyone on the internet doing that to google or a banking website? Redirecting HTTPS is only possible if you also own all the client devices and have installed a MITM root certificate into the OS. ...
by R1CH
Wed Jul 04, 2018 2:24 am
Forum: RouterBOARD hardware
Topic: IEEE 802.11ac (wave 2)
Replies: 14
Views: 3466

Re: IEEE 802.11ac (wave 2)

RouterOS v7? Probably. Who knows when though...
by R1CH
Wed Jul 04, 2018 2:22 am
Forum: General
Topic: LAN side bridge forward filtering options?
Replies: 4
Views: 185

Re: LAN side bridge forward filtering options?

LAN to LAN packets won't touch your bridge - they will go directly through the ports the clients are connected to on the VLAN switch. dadaniel has the right idea - you need to configure port isolation on whatever device the clients are physically connecting to.
by R1CH
Wed Jul 04, 2018 12:40 am
Forum: General
Topic: PCI Compliance - CVE-2015-4000
Replies: 5
Views: 235

Re: PCI Compliance - CVE-2015-4000

SSH does not use TLS/SSL, using testssl.sh with it will not work. Try https://tls.imirhil.fr/ssh

Results of RouterOS SSH server don't look very promising, no strong ciphers, HMACs or host keys and plenty of bad ones. https://tls.imirhil.fr/ssh/demo.mt.lv:22
by R1CH
Tue Jul 03, 2018 5:30 pm
Forum: General
Topic: Slow ethernet directly from rb750Gr3 port 2 [SOLVED]
Replies: 9
Views: 278

Re: Slow ethernet directly from rb750Gr3 port 2 [SOLVED]

I would suggest removing those blacklist downloads, they pose a huge security risk. If someone is able to MITM your connection or the web host is compromised, your router is compromised since it's essentially executing arbitrary commands from a remote host (!).
by R1CH
Mon Jul 02, 2018 5:35 pm
Forum: General
Topic: [Feature request] Wireguard
Replies: 6
Views: 775

Re: [Feature request] Wireguard

And please use the reference implementation! I'm getting tired of Mikrotik's re-implementations of software which introduce security bugs and miss important features.
by R1CH
Mon Jul 02, 2018 5:28 pm
Forum: Announcements
Topic: Winbox v3.16 released!
Replies: 38
Views: 4390

Re: Winbox v3.16 released!

Hopefully it uses a whitelist approach and only executes DLLs with known hashes.
by R1CH
Sat Jun 30, 2018 6:18 pm
Forum: General
Topic: Block HTTPS sites
Replies: 11
Views: 465

Re: Block HTTPS sites

Blocking is possible, redirecting is not as it would require breaking HTTPS security. Simply drop outbound TCP/UDP port 443.
by R1CH
Fri Jun 29, 2018 9:21 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 851

Re: Why am I getting this firewall entry???

I think I was a little too quick with my first assessment. After some more thought I believe this is actually closer to your network. Something in the outbound network path is generating the TTL exceeded messages with the wrong interface / IP address and these are injected back into the internet. Yo...
by R1CH
Fri Jun 29, 2018 5:29 pm
Forum: General
Topic: hotspot doesn't open browser popup on captive portal when clients connect
Replies: 4
Views: 279

Re: hotspot doesn't open browser popup on captive portal when clients connect

You shouldn't have any whitelisting. If you allow those domains then the device will fail hotspot detection and never prompt. There's no point trying to trick the phones, you'll end up with annoyed non-users who can't access the internet and annoyed users who can't log in to your portal.
by R1CH
Thu Jun 28, 2018 6:14 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 851

Re: Why am I getting this firewall entry???

That's correct, it's caused by a non-translated packet exiting from a remote NAT and making it across the internet with an invalid source IP. They're quite rare, but if you run a busy enough network / website you'll see quite a lot of them. Some stats from one of my websites which filter these on IN...
by R1CH
Thu Jun 28, 2018 5:17 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 851

Re: Why am I getting this firewall entry???

This is caused by a combination of bad ISPs that don't do BCP38 and bad routers that don't NAT properly. An outbound packet from your network goes across the internet to some host behind a poor quality NAT router. The host PC / network responds with an ICMP error (TTL exceeded, port unreachable or s...
by R1CH
Thu Jun 28, 2018 2:58 pm
Forum: Wireless Networking
Topic: Users Not Being Directed to the Hotspot Login Screen
Replies: 6
Views: 356

Re: Users Not Being Directed to the Hotspot Login Screen

Haven't used hotspot before, but this certainly doesn't look right:

    /ip dhcp-server network
    add address=192.188.254.254/32

    IPv4 Address. . . . . . . . . . . : 192.188.254.251(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255

You probably want a /24 network at least?
by R1CH
Wed Jun 27, 2018 9:34 pm
Forum: General
Topic: fasttrack connection question
Replies: 3
Views: 155

Re: fasttrack connection question

Unfortunately this will not work. Your access control rules need to run before marking the connection for fasttrack; once the connection is fasttracked it will no longer hit the forward rule table.
by R1CH
Wed Jun 27, 2018 7:50 pm
Forum: General
Topic: WPA3 on existing Mikrotik routers/APs [SOLVED]
Replies: 9
Views: 3008

Re: WPA3 on existing Mikrotik routers/APs [SOLVED]

Hmm I just looked it up, 802.11w is actually required for 802.11ac certification, so Mikrotik is technically shipping uncertified implementations :D. Hopefully they don't ignore it for WPA3 too. Regarding my other points - with spectral scan I meant an actual RF scan of the frequency, not a simple p...
by R1CH
Wed Jun 27, 2018 2:46 pm
Forum: General
Topic: WPA3 on existing Mikrotik routers/APs [SOLVED]
Replies: 9
Views: 3008

Re: WPA3 on existing Mikrotik routers/APs [SOLVED]

The SAE handshake doesn't look like a huge innovation, was hoping for something more in line with modern TLS, but I guess that's what happens when you have for-profit industry alliances vs open standards bodies. The big question is how long will it take Mikrotik to implement WPA3? We have no 802.11a...
by R1CH
Wed Jun 27, 2018 2:37 pm
Forum: General
Topic: /ip cloud (ddns + time) = Error: request timed out (90% of time)
Replies: 9
Views: 2653

Re: /ip cloud (ddns + time) = Error: request timed out (90% of time)

There still seems to be a major DNS misconfiguration on the domain used for the IP cloud services. Perhaps fixing this would improve reliability.

https://r-1.ch/r1dns/dnscheck.cgi?domain=mynetname.net
by R1CH
Wed Jun 27, 2018 1:40 am
Forum: General
Topic: S.O.S New vurnelabilty on 6.42.3 ????? [SOLVED]
Replies: 21
Views: 3476

Re: S.O.S New vurnelabilty on 6.42.3 ????? [SOLVED]

Did you do a reinstall after being compromised? Winbox access can be escalated to shell access, where attackers can drop undetectable backdoors and other exploits. Changing passwords might be OK if you're lucky and didn't get hit by a sophisticated exploit, but reinstalling is the only truly safe op...
by R1CH
Mon Jun 25, 2018 8:14 pm
Forum: General
Topic: unknown admin with unknown IP address loges in my mikrotik router via API [SOLVED]
Replies: 6
Views: 412

Re: unknown admin with unknown IP address loges in my mikrotik router via API [SOLVED]

You should also change all passwords after updating, since all user accounts are exposed.
by R1CH
Thu Jun 21, 2018 12:40 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 180
Views: 46954

Re: VPNfilter official statement

toknowall.com is a sinkhole, nothing bad will come from hosts contacting it. Cloudflare IPs rotate often, you are probably blocking hundreds or thousands of legitimate sites with such wide rules.

You should instead redirect toknowall.com locally and monitor / block hosts that way.
by R1CH
Wed Jun 20, 2018 7:28 pm
Forum: General
Topic: Maximum speed on 10 Gb port for mikrotik CCR1036
Replies: 5
Views: 308

Re: Maximum speed on 10 Gb port for mikrotik CCR1036

9.9Gbps maybe you have 1.25Gbps SFP module. Single stream? Wasn't there a limitation, with the way ROS (not) distributed the load of a single stream, among the cores? Was it addressed recently? I think you have the right idea here. If it's a single TCP stream with no firewall rules then ~ 1.2gbps s...
by R1CH
Wed Jun 20, 2018 7:21 pm
Forum: General
Topic: Windows 10 Hotspot Problem (V6.38.1)
Replies: 2
Views: 152

Re: Windows 10 Hotspot Problem (V6.38.1)

You should be more concerned about running such an old version of RouterOS! Your router may already be compromised due to various remote exploits in that version, update it ASAP and check for signs of compromise. As for the hotspot problem, have you tried with different browsers? I would expect the ...
by R1CH
Tue Jun 19, 2018 7:13 pm
Forum: Announcements
Topic: v6.42.4 [current]
Replies: 93
Views: 9047

Re: v6.42.4 [current]

I'm also not a fan of the labeling of firmware by RouterOS version. Previously, after updating RouterOS, I could easily see if firmware was outdated and choose to do a 2nd reboot. Now it always appears outdated, even if there were no changes between versions.
by R1CH
Tue Jun 19, 2018 6:54 pm
Forum: Scripting
Topic: Adding SSL to API
Replies: 2
Views: 170

Re: Adding SSL to API

You should use fsockopen ("tls://$ip"). Be aware that without a valid certificate this will fail.
by R1CH
Tue Jun 19, 2018 6:35 pm
Forum: General
Topic: hotspot doesn't open browser popup on captive portal when clients connect
Replies: 4
Views: 279

Re: hotspot doesn't open browser popup on captive portal when clients connect

Make sure you're redirecting all HTTP requests to your portal, don't allow whitelists for gstatic.com etc. Other than that it's up to the device, you can't really influence it.
by R1CH
Mon Jun 18, 2018 7:54 pm
Forum: General
Topic: bug persists after updating to 6.42.3
Replies: 14
Views: 2644

Re: bug persists after updating to 6.42.3

If you didn't change passwords after upgrading to fix the winbox exploit, this is likely how they are gaining access. Change all passwords, preferably after netinstall to ensure no remaining backdoors.
by R1CH
Mon Jun 18, 2018 7:43 pm
Forum: Wireless Networking
Topic: hacking-router
Replies: 2
Views: 344

Re: hacking-router

Your router is compromised due to the winbox bug, you should format / netinstall and change all passwords. Simply updating is not enough, as you must also change all passwords. Removing the scripts will prevent the problem for now, but who knows what other backdoors are lurking.
by R1CH
Mon Jun 18, 2018 7:08 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 15
Views: 644

Re: cant' activate purchased SSL certificate for hotspot

Any signed cert should be fine, price is not important, even a free one from Let's Encrypt should work. ERR_SSL_VERSION_OR_CIPHER_MISMATCH seems to indicate either the hotspot or your browser isn't using modern protocols / ciphers. I don't know if there are any options in RouterOS, but make sure to ...
by R1CH
Mon Jun 18, 2018 4:57 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 180
Views: 46954

Re: VPNfilter official statement

Telnet is well known to be insecure, SSH is the replacement for it (although why telnet is still provided and enabled by default is another question...). Winbox is a proprietary protocol that claims to be "secure" but is vulnerable to MITM, so the fault lies with it. Hopefully this is a pointless discus...
by R1CH
Fri Jun 15, 2018 6:49 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 180
Views: 46954

Re: VPNfilter official statement

The only email I got was about the old httpd exploit (below). Maybe something went wrong with the sending of the emails? Subject: MikroTik: URGENT security advisory "It has come to our attention that a rogue botnet is currently scanning random public IP addresses to find open Winbox (8291) and WWW (...
by R1CH
Fri Jun 15, 2018 6:37 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 180
Views: 46954

Re: VPNfilter official statement

For vulnerabilities that allow remote code execution or bypassing of authentication, Mikrotik should really be sending out security advisory emails to every registered customer / active forum user. The winbox exploit for example is much worse than the httpd bug, and that was deserving of an email....
by R1CH
Fri Jun 15, 2018 5:22 pm
Forum: General
Topic: Login failure critical notification
Replies: 2
Views: 219

Re: Login failure critical notification

Bandwidth test server is hidden! It isn't listed under services but under tools / btest server. If people are able to try to log into it though, this suggests your firewall configuration is incomplete.
by R1CH
Thu Jun 14, 2018 7:17 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 15
Views: 644

Re: cant' activate purchased SSL certificate for hotspot

There seems to be a missing intermediary cert, I'm not entirely sure how RouterOS handles this but try importing the following instead (I added the intermediate cert to the chain).
by R1CH
Thu Jun 14, 2018 4:46 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 15
Views: 644

Re: cant' activate purchased SSL certificate for hotspot

That message means the .crt you supplied to the hotspot wasn't signed properly. Make sure it's the certificate you got from namecheap and not one generated by RouterOS.

You can also link the .crt file here and I can take a look. Make sure you never post the private key though!