Search found 948 matches

by R1CH
Tue Feb 02, 2021 1:55 am
Forum: General
Topic: NAT Slipstreaming v2.0
Replies: 5
Views: 674

Re: NAT Slipstreaming v2.0

Disabling all service helpers is a good idea, very rarely will they help. Modern SIP phones for example have built-in NAT traversal and FTP commonly uses encryption that makes the helper unable to see the data.
by R1CH
Thu Jan 28, 2021 3:40 am
Forum: General
Topic: NAT Slipstreaming v2.0
Replies: 5
Views: 674

Re: NAT Slipstreaming v2.0

Yes, ALG is enabled for all protocols in default config.
by R1CH
Thu Jan 21, 2021 2:55 pm
Forum: General
Topic: Is RouterOS and (routing in general) still faster on routers than on dedicated computer ? [SOLVED]
Replies: 13
Views: 1163

Re: Is RouterOS and (routing in general) still faster on routers than on dedicated computer ? [SOLVED]

Mikrotik routers are generic CPUs like a PC would be, ASICs you will find in higher end gear like Cisco. A PC router would be faster than most Mikrotik products.

IMO ASIC isn't needed until you get into the 20gb+ line rate.
by R1CH
Fri Jan 08, 2021 8:53 pm
Forum: General
Topic: Howto mark Amazon AWS traffic?
Replies: 4
Views: 435

Re: Howto mark Amazon AWS traffic?

The IP ranges are published at https://ip-ranges.amazonaws.com/ip-ranges.json, just script something to update the address list.
by R1CH
Wed Dec 30, 2020 3:24 pm
Forum: Wireless Networking
Topic: [wifiwave2] for cAP ac, hAP ac2
Replies: 40
Views: 5345

Re: [wifiwave2] for cAP ac, hAP ac2

With OpenWRT on wAP AC (original), I get ~ 350mbps single client TCP throughput at MCS-9, 2x2, 80 MHz, WPA3. Device CPU is very close to 100% though which seems to be the limiting factor. Very happy with stability, every device "just works" and no weird throughput issues like MT wireless h...
by R1CH
Mon Dec 07, 2020 11:51 pm
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 38
Views: 3299

Re: "antenna gain" missing in 6.46.8?

Yes, exactly that. Since it knows the gain of the integrated antenna it uses a hard coded value instead of being set from user input. So if you have any device with integrated antenna, there is no good way to reduce TX power.
by R1CH
Fri Dec 04, 2020 5:22 pm
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 38
Views: 3299

Re: "antenna gain" missing in 6.46.8?

What most people really want is to enter a simple value that lowers the gain proportionally for all modulations by a specified number. If I want 5dBm weaker signal, I just enter "5" and I get 5dBm less signal over all modulations and modes. Regardless of regulation domain settings, MIMO c...
by R1CH
Thu Dec 03, 2020 7:57 pm
Forum: Wireless Networking
Topic: Increase performance of home WiFi
Replies: 18
Views: 1535

Re: Increase performance of home WiFi

2.4 GHz is usually pretty bad except in remote places, way too much interference. You should also enable WMM if you want 802.11n to work.
by R1CH
Thu Dec 03, 2020 3:45 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 42935

Re: v7.1beta3 [development] is released!

Great to finally see some movement on newer wireless drivers, but also disappointing to see that no currently released AP hardware can use them (especially the just-released wAP AC revision). Wave2 has been around for over four years at this point! There should have been plenty of time to evaluate t...
by R1CH
Tue Dec 01, 2020 4:33 pm
Forum: General
Topic: Port scanner filling up connection tracking
Replies: 21
Views: 1195

Re: Port scanner filling up connection tracking

You run BGP and don't understand how stateful / stateless firewalls work? I second the suggestion to get a consultant (though not the one above that is also a useless blacklist). You're clearly in over your head here. Using PSD just opens you to further attack when someone decides to spoof the IP of...
by R1CH
Mon Nov 30, 2020 8:27 pm
Forum: General
Topic: Port scanner filling up connection tracking
Replies: 21
Views: 1195

Re: Port scanner filling up connection tracking

Why do you have connection tracking enabled for those connections to begin with? Sounds like you aren't doing NAT.
by R1CH
Fri Nov 20, 2020 8:59 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 64
Views: 13736

Re: MikroTik newsletter November 2020 (#98)

Correct me if I am wrong, but isn't the new wAP AC now identical to the cAP AC? Except cAP AC has PoE out on the 2nd port and is $20 cheaper. Are we really paying +$20 for a different case?
by R1CH
Tue Nov 17, 2020 2:43 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 64
Views: 13736

Re: MikroTik newsletter November 2020 (#98)

When can we expect to see the new wAP AC at distributors? Thinking of getting one for performance testing. Hopefully they don't co-mingle their stock!
by R1CH
Fri Nov 06, 2020 4:13 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 64
Views: 13736

Re: MikroTik newsletter November 2020 (#98)

I'm still skeptical, the CPU isn't a bottleneck on my current wAP AC (it's just an AP), and my signal strength is also great. Can two chains on a new chipset really outperform three chains on an older one? The Mikrotik wireless driver has traditionally had poor MU-MIMO / Wave2 support as well. I gue...
by R1CH
Fri Nov 06, 2020 3:28 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 64
Views: 13736

Re: MikroTik newsletter November 2020 (#98)

Not really sure I consider the wAP AC an upgrade when it went from 3 chain to 2 chain :(. With more and more devices sharing the same frequency, having good MU-MIMO throughput becomes very important, this seems like a step backwards to me when the competition is selling 4x4 devices. Re-using the nam...
by R1CH
Wed Oct 28, 2020 6:08 pm
Forum: General
Topic: TCP Bottleneck
Replies: 4
Views: 505

Re: TCP Bottleneck

Bandwidth test through the device, not on the device, or you only test how slow the CPU is at generating traffic. Use iperf3 and your own endpoints.
by R1CH
Wed Oct 07, 2020 12:19 pm
Forum: General
Topic: DDoS detection and blocking [SOLVED]
Replies: 8
Views: 706

Re: DDoS detection and blocking [SOLVED]

UDP source addresses are trivially spoofed, using rules like this you turn a volumetric DDoS into a computational DDoS as your connection tables fill up and crash the router. There are no magic rules to fix DDoS. If your bandwidth is lower than the incoming traffic then by the time it hits your rout...
by R1CH
Sun Sep 13, 2020 6:32 pm
Forum: General
Topic: CVE-2020-11881 PATCH [SOLVED]
Replies: 16
Views: 1563

Re: CVE-2020-11881 PATCH [SOLVED]

Very disappointing if this was disclosed to them in April! Luckily SMB is not a feature that should be enabled by most users.
by R1CH
Sun Sep 13, 2020 6:28 pm
Forum: Announcements
Topic: Expected down time for this forum SEPT 11
Replies: 42
Views: 5597

Re: Expected down time for this forum SEPT 11

Also had to do a reset, made much more difficult when you have to reset by email and not username! My password was also long, autogenerated by password manager. Reset accepted the same one without a problem.
by R1CH
Wed Jul 29, 2020 2:29 pm
Forum: General
Topic: Timeout instead of proxy error page when using https
Replies: 6
Views: 1809

Re: Timeout instead of proxy error page when using https

You can't forge the HTTPS certificate of the visited site, so you will never be able to show an error.
by R1CH
Fri Jul 24, 2020 4:11 pm
Forum: General
Topic: Max Throughput of hEX RB750Gr3
Replies: 8
Views: 1610

Re: Max Throughput of hEX RB750Gr3

1gbps should be no problem for this router, I measured about 30% CPU on 1gbps download with fasttrack enabled, though obviously it depends on the complexity of your firewall and other configuration.
by R1CH
Wed Jun 24, 2020 9:57 pm
Forum: RouterBOARD hardware
Topic: RB750Gr3 (hEX) supports 802.3af PoE?
Replies: 7
Views: 1794

Re: RB750Gr3 (hEX) supports 802.3af PoE?

Injectors certainly can't perform any negotiation, they are dumb devices which just put power onto the cable. There is some kind of proprietary negotiation with passive PoE out on Mikrotik switches, but as I don't know what is on the other end of this cable I have to assume it was an injector or 802...
by R1CH
Wed Jun 24, 2020 3:01 am
Forum: RouterBOARD hardware
Topic: RB750Gr3 (hEX) supports 802.3af PoE?
Replies: 7
Views: 1794

Re: RB750Gr3 (hEX) supports 802.3af PoE?

"Real" (802.3af) PoE can be automatic or forced-on, passive PoE as used by Mikrotik supplies the power constantly with no negotiation, so you can fry things that aren't expecting it.
by R1CH
Sat Jun 20, 2020 12:39 am
Forum: General
Topic: Block pornographic pages
Replies: 5
Views: 1532

Re: Block pornographic pages

by R1CH
Mon Jun 15, 2020 7:18 pm
Forum: RouterBOARD hardware
Topic: RB750Gr3 (hEX) supports 802.3af PoE?
Replies: 7
Views: 1794

Re: RB750Gr3 (hEX) supports 802.3af PoE?

I ended up disconnecting the hEX and used a hAP AC2 instead so I unfortunately can't check that. I don't believe the hAP AC2 powered on from the cable but now I am wondering if perhaps I missed it. I can't say for certain that the other end of the link was 802.3af compliant, the previous device whic...
by R1CH
Mon Jun 15, 2020 12:28 am
Forum: RouterBOARD hardware
Topic: RB750Gr3 (hEX) supports 802.3af PoE?
Replies: 7
Views: 1794

RB750Gr3 (hEX) supports 802.3af PoE?

I recently installed a hEX at a client who had 802.3af PoE on their WAN Ethernet link. According to the spec sheet of the RB750Gr3, only passive PoE is supported, so imagine my surprise when I plugged the WAN cable to Ether1 and the hEX powered up... Is this a safe configuration? The supported passi...
by R1CH
Fri May 15, 2020 8:48 pm
Forum: Announcements
Topic: v6.46.6 [stable] is released!
Replies: 68
Views: 35375

Re: v6.46.6 [stable] is released!

Just came to update some routers today and also seeing changelog from 2011, what is going on?!
by R1CH
Fri Apr 24, 2020 4:13 pm
Forum: General
Topic: Poor/ absolutely disappointing cAP ac (model: RBcAPGi-5acD2nD)
Replies: 4
Views: 2186

Re: Poor/ absolutely disappointing cAP ac (model: RBcAPGi-5acD2nD)

You should always set country and installation / distance to indoor to ensure the channel configuration matches what the client device is allowed to use. Out of the box, MT devices need quite a bit of configuring to get to a usable state - disable legacy protocols, enable WMM, etc.
by R1CH
Sun Mar 01, 2020 7:53 pm
Forum: Announcements
Topic: v6.46.4 [stable] is released!
Replies: 107
Views: 52523

Re: v6.46.4 [stable] is released!

*) system - improved system stability when receiving/sending TCP traffic on multicore devices;

Also requesting more info on this, changes to TCP can affect many things, I would like to know exactly what was changed.
by R1CH
Wed Feb 19, 2020 11:35 pm
Forum: General
Topic: Is this a DDOS/Attack?
Replies: 2
Views: 1154

Re: Is this a DDOS/Attack?

That is the point of tarpit, you attract all the traffic to the tarpit so the resources of the attacker are tied up and unable to affect the rest of the network. It seems you probably want a DROP rule instead.
by R1CH
Fri Feb 07, 2020 1:57 pm
Forum: Wireless Networking
Topic: Hotspot Https
Replies: 20
Views: 4172

Re: Hotspot Https

It is up to the CLIENT DEVICE to detect the hotspot and redirect to the login page. Make sure all HTTP and DNS requests are redirecting to your hotspot, and that's all you can do. Absolutely nothing else on your end can influence that.
by R1CH
Thu Feb 06, 2020 4:49 pm
Forum: General
Topic: New RouterOS / Mikrotik user - A few glaring missing features / bugs...
Replies: 5
Views: 1414

Re: New RouterOS / Mikrotik user - A few glaring missing features / bugs...

Unfortunately most of this is true, mostly due to Mikrotik writing their own proprietary implementations of wireless drivers, OpenVPN protocol, etc, so it isn't as simple as just upgrading to the latest public versions. As a power user myself, I still like Mikrotik simply for ease of use and deploym...
by R1CH
Thu Feb 06, 2020 4:44 pm
Forum: Announcements
Topic: Winbox v3.21 released!
Replies: 55
Views: 20598

Re: Winbox v3.21 released!

*) improved MikroTik signature checking on WinBox update;
I can confirm that this now closes the remote code execution bug possible by a MITM. Using winbox auto update should be safe for now :).

Also as a high DPI user, this release looks beautiful...
by R1CH
Fri Jan 31, 2020 8:00 pm
Forum: General
Topic: Reddit packet marking on address list.
Replies: 1
Views: 718

Re: Reddit packet marking on address list.

Your reddit.com address list is probably incorrect.
by R1CH
Fri Jan 31, 2020 1:52 am
Forum: General
Topic: Audiophile Level(Low Noise Floor, Silent) Mikrotik vs Ubiquiti Unifi Network Switch
Replies: 31
Views: 5458

Re: Audiophile Level(Low Noise Floor, Silent) Mikrotik vs Ubiquiti Unifi Network Switch

There's a whole industry based around selling "high end audio" versions of digital equipment for 10-100x normal price. There's no point trying to convince audiophiles that digital signals are not distorted like analogue, they'll always say it "sounds better" because they spent mo...
by R1CH
Wed Jan 22, 2020 7:11 pm
Forum: General
Topic: My public IP is getting raped by port scanners - is that normal?
Replies: 24
Views: 4336

Re: My public IP is getting raped by port scanners - is that normal?

You should DROP all unknown traffic on input chain, and especially not log (easy to exhaust the router with a tiny flood). Your current rules that add to address lists (which you then presumably drop) also open you to attacks by an IP spoofing attacker.
by R1CH
Wed Jan 01, 2020 10:44 pm
Forum: General
Topic: How to redirect all website traffic to one website? [SOLVED]
Replies: 1
Views: 641

Re: How to redirect all website traffic to one website? [SOLVED]

Use hotspot feature. Keep in mind you cannot redirect HTTPS sites (of which the majority of modern sites are).
by R1CH
Wed Dec 25, 2019 1:12 am
Forum: General
Topic: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?
Replies: 9
Views: 2329

Re: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

This doesn't mention a specific exploit, just a port scan. So there is nothing you're really "vulnerable" to, but if your winbox port is reachable by random users you should expect that to change in the future.
by R1CH
Fri Dec 13, 2019 4:37 pm
Forum: General
Topic: DNS Cache
Replies: 21
Views: 4501

Re: DNS Cache

Why do you have allow-remote-requests turned on if you don't want people using it?
by R1CH
Tue Dec 10, 2019 12:45 pm
Forum: General
Topic: mikrotik.com SSL errors
Replies: 1
Views: 782

mikrotik.com SSL errors

Seems like there are problems on domains used by mikrotik.com, I can't load the product pages or any others due to SSL errors on half of the hosts for i.mt.lv.
by R1CH
Mon Dec 09, 2019 1:34 pm
Forum: General
Topic: Devices are not reliably responding to ARP requests / Wifi Power Saving
Replies: 11
Views: 3285

Re: Devices are not reliably responding to ARP requests / Wifi Power Saving

Is WMM enabled? This is a pre-requisite for a lot of power saving features, though Mikrotik's proprietary wireless drivers are missing a lot of functionality in this area.
by R1CH
Fri Dec 06, 2019 7:27 pm
Forum: General
Topic: Fix for CVE-2019-14899?
Replies: 9
Views: 2405

Re: Fix for CVE-2019-14899?

If you have untrusted devices on your layer 2 network then they can easily ARP spoof, DNS spoof, etc and do a full MITM on you much more easily than exploiting this vulnerability.
by R1CH
Fri Dec 06, 2019 6:36 pm
Forum: General
Topic: Fix for CVE-2019-14899?
Replies: 9
Views: 2405

Re: Fix for CVE-2019-14899?

I wouldn't worry about this one. This requires a "network adjacent attacker" (layer 2), so why do you have attackers next to your router? If you're seriously worried about this, turn on strict reverse-path filtering and block private IP ranges from WAN interfaces (which is a good practice ...
by R1CH
Wed Oct 30, 2019 12:13 pm
Forum: General
Topic: Why the official Mikrotik.com site does use the Let's Encrypt?
Replies: 9
Views: 1826

Re: Why the official Mikrotik.com site does use the Let's Encrypt?

With certificate transparency being a requirement these days, any state that MITM's their users with trusted certificates will be very quickly discovered and their certificates revoked.
by R1CH
Tue Oct 29, 2019 9:49 pm
Forum: General
Topic: Why the official Mikrotik.com site does use the Let's Encrypt?
Replies: 9
Views: 1826

Re: Why the official Mikrotik.com site does use the Let's Encrypt?

Let's Encrypt is just as good, if not better than any other commercial CA. The short lifetime (3 months) limits the duration that a compromised certificate is useful. Considering the track record of commercial CA's mis-issuing certificates, I would trust Let's Encrypt far more than Comodo and friend...
by R1CH
Tue Oct 29, 2019 12:26 pm
Forum: Announcements
Topic: v6.45.7 [stable] is released!
Replies: 104
Views: 45444

Re: v6.45.7 [stable] is released!

At a high level, “messages” sent to the Winbox port can be routed to different binaries in RouterOS based on an array-based numbering scheme. Sigh... who designed this braindead protocol that allows UNAUTHENTICATED USERS to invoke whatever binary they want?! Any programmer could see what a terrible...
by R1CH
Mon Oct 28, 2019 8:32 pm
Forum: General
Topic: When to Upgrade RouterBOARD Firmware / Bootloader?
Replies: 10
Views: 3252

Re: When to Upgrade RouterBOARD Firmware / Bootloader?

You have no idea! I really wish Mikrotik would revert to the old versioning for firmware so you can actually tell when there is an update. I recommend pe1chl's advice.
by R1CH
Mon Oct 28, 2019 8:30 pm
Forum: Announcements
Topic: v6.45.7 [stable] is released!
Replies: 104
Views: 45444

Re: v6.45.7 [stable] is released!

!) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979); Could you give some more info about the exploitability of this? Are all situations where RouterOS parses a DNS packet vulnerable? Eg router used in typical setup - DNS server for LAN and sends queries to the inte...
by R1CH
Fri Oct 25, 2019 7:38 pm
Forum: General
Topic: CVE-2019-15055
Replies: 16
Views: 3270

Re: CVE-2019-15055

There is a special .npk package you can install that allows you to SSH into a root shell. You can also mount the filesystem offline or use this CVE to do a similar thing, if you have physical access to the router then nothing is really secure.
by R1CH
Wed Oct 23, 2019 5:56 pm
Forum: General
Topic: DoS Protection [Question]
Replies: 11
Views: 2579

Re: DoS Protection [Question]

The current RouterOS is based on an old kernel and deployed on routers that are fairly CPU limited. IMO it's best to let it pass through packets and the target device can be responsible for its own DoS protection. By trying to do DoS protection in RouterOS, the router itself becomes vulnerable to D...
by R1CH
Wed Oct 23, 2019 12:50 pm
Forum: General
Topic: DoS Protection [Question]
Replies: 11
Views: 2579

Re: DoS Protection [Question]

The current RouterOS is based on an old kernel and deployed on routers that are fairly CPU limited. IMO it's best to let it pass through packets and the target device can be responsible for its own DoS protection. By trying to do DoS protection in RouterOS, the router itself becomes vulnerable to Do...
by R1CH
Fri Oct 18, 2019 2:00 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 57
Views: 16298

Re: Is there an new exploit going around?

To test some of the theories in this thread, I netinstalled 6.45.6 on a spare board, with default config and then exposed SSH to the internet after setting a strong admin password. So far while there are plenty of brute force attempts, there is no sign of an exploit that can bypass authentication. I...
by R1CH
Thu Oct 17, 2019 8:11 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 57
Views: 16298

Re: Is there an new exploit going around?

RouterOS doesn't use web interfaces on top of busybox, it has a custom proprietary protocol. Exploits affecting other devices like the DLINK or Netgear are not going to work on RouterOS.
by R1CH
Thu Oct 17, 2019 6:31 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 57
Views: 16298

Re: Is there an new exploit going around?

@NathanA, was SSH the only exposed service? No winbox or API etc?
by R1CH
Thu Oct 17, 2019 5:18 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 57
Views: 16298

Re: Is there an new exploit going around?

I'm inclined to agree with normis here. The Linux kernel firewall operates before any user service like SSH or Winbox even sees a packet, so it's extremely doubtful that the exploit can bypass a properly configured firewall. Don't forget your customers / clients can also be infected with malware - o...
by R1CH
Thu Oct 17, 2019 4:28 pm
Forum: General
Topic: defend from large icmp requests
Replies: 4
Views: 857

Re: defend from large icmp requests

/ip firewall filter add action=drop chain=input packet-size=200-65535 protocol=icmp
/ip firewall filter add action=drop chain=forward packet-size=200-65535 protocol=icmp
by R1CH
Thu Oct 17, 2019 2:25 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 57
Views: 16298

Re: Is there an new exploit going around?

Seems quite widespread. It intercepts DNS requests and redirects any HTTP requests to https://www.youtube.com/watch?v=MK_VfUErRaY&feature=youtu.be. If you look at the comments you can see lots of affected users wondering what the hell is going on. While this might appear benign, any credentials ...
by R1CH
Wed Oct 16, 2019 12:27 am
Forum: Announcements
Topic: Winbox v3.20 released!
Replies: 42
Views: 29859

Re: Winbox v3.20 released!

*) on update, Winbox will check that code is signed by MikroTik and not somebody else;
Unfortunately this check still seems insecure.
by R1CH
Mon Oct 14, 2019 1:33 pm
Forum: General
Topic: [feature request] Blocking a special kind of DDoS
Replies: 17
Views: 5022

Re: [feature request] Blocking a special kind of DDoS

Is this targeting the router or a service behind the router? If the router, such requests should just be DROP with basic firewall, nothing special needed. If it's a service behind the router, then that service should enable syncookies as syn flood is easily countered these days.
by R1CH
Thu Oct 03, 2019 12:22 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 383
Views: 118114

Re: RB4011

Had an odd issue recently, my 4011 seemed to have a thread stuck at 100% CPU. Had to reboot to get it to go away. Anyone else seen this before?
by R1CH
Thu Sep 26, 2019 11:49 pm
Forum: General
Topic: Laptops are trying to hack my router
Replies: 8
Views: 2045

Re: Laptops are trying to hack my router

Time to format it, clearly infected with malware.
by R1CH
Thu Sep 26, 2019 11:48 pm
Forum: General
Topic: Mikrotik automatically changes password
Replies: 6
Views: 2207

Re: Mikrotik automatically changes password

Someone did, since you left an unsecured router accessible!
by R1CH
Wed Sep 25, 2019 3:39 pm
Forum: General
Topic: Router under Ddos atac on port 53 and 389.
Replies: 8
Views: 2110

Re: Router under Ddos atac on port 53 and 389.

If you're experiencing high CPU load then you should remove unnecessary firewall rules (all those port scan detection rules for example are useless if you just drop by default). If you're experiencing bandwidth exhaustion then the attack can only be filtered by your upstream.
by R1CH
Fri Sep 20, 2019 12:53 pm
Forum: RouterOS v7 BETA
Topic: Torrent client
Replies: 59
Views: 19909

Re: Torrent client

Please put these kinds of features in external packages. Completely unnecessary for the majority of the users and will only end up as a security issue.

Normal people get a NAS or mini-server to run torrents.
100% agreed.
by R1CH
Mon Sep 09, 2019 2:16 pm
Forum: General
Topic: Policy to block website in Mikrotik increase CPU
Replies: 16
Views: 2770

Re: Policy to block website in Mikrotik increase CPU

Redirect DNS to local DNS and then filter at DNS server.

Note that blocking 100% is impossible.
by R1CH
Sat Sep 07, 2019 2:23 pm
Forum: General
Topic: SSH and RDP blacklist CPU usage
Replies: 4
Views: 1123

Re: SSH and RDP blacklist CPU usage

You're doing content matching on every outbound packet - of course it's going to be slow! This is a really badly designed firewall, just by writing "530 Login incorrect" in plain text I can trigger your output match rules. And if I was an actual attacker, this rule is useless since I could...
by R1CH
Thu Sep 05, 2019 12:47 am
Forum: General
Topic: winBox access to a wifiranger
Replies: 3
Views: 1232

Re: winBox access to a wifiranger

Judging by their screenshots they are using custom software, not RouterOS.
by R1CH
Tue Sep 03, 2019 12:42 pm
Forum: Wireless Networking
Topic: Need help with WiFi in Apartments/Flats
Replies: 7
Views: 2164

Re: Need help with WiFi in Apartments/Flats

Set antenna gain to like 16 dB to lower the TX power, if the rooms are so small there's no point blasting the signal all over the complex. On the devices that support 5 GHz, disable 2.4 GHz radio and use 5 GHz only.
by R1CH
Mon Aug 19, 2019 4:19 pm
Forum: General
Topic: When can developers improve ipv6 functionality?
Replies: 16
Views: 2654

Re: When can developers improve ipv6 functionality?

While the forum may be a tiny part of overall customers, it likely represents the most dedicated Mikrotik ones who take the time to find the forum and register etc.
by R1CH
Mon Aug 19, 2019 3:33 pm
Forum: General
Topic: Hotspot and HTTPS? What solutions?
Replies: 58
Views: 12324

Re: Hotspot and HTTPS? What solutions?

No amount of money you spend on certificates will fix this issue. You cannot get a certificate that's valid for the entire internet. Best things to do: Intercept ALL requests to internet (make sure gstatic.com, captive.apple.com, etc are NOT whitelisted as some misguided posts suggest) Make sure int...
by R1CH
Mon Aug 19, 2019 3:29 pm
Forum: General
Topic: When can developers improve ipv6 functionality?
Replies: 16
Views: 2654

Re: When can developers improve ipv6 functionality?

Why are requests from distributors prioritized over end users? Distributor is only useful for purchasing and RMA, I never would think to contact them with RouterOS requests or support.
by R1CH
Fri Aug 16, 2019 5:25 pm
Forum: General
Topic: I'm sure Mikrotik has a legit response to this...
Replies: 14
Views: 3012

Re: I'm sure Mikrotik has a legit response to this...

How many of these vulnerabilities though are still present when a competent person configures the router? If your WAN is entirely firewalled against incoming connections (including VPNs) then your risk is only coming from the LAN side which is generally a lot safer. That shouldn't be a reason not t...
by R1CH
Fri Aug 16, 2019 12:32 am
Forum: General
Topic: I'm sure Mikrotik has a legit response to this...
Replies: 14
Views: 3012

Re: I'm sure Mikrotik has a legit response to this...

This is not discussing a particular vulnerability, but it is examining what defense-in-depth procedures are in use. It seems all vendors are doing a very poor job here, not just Mikrotik. As an example of what this means: without ASLR, a router will load the code at the same location in memory every...
by R1CH
Wed Aug 14, 2019 1:33 pm
Forum: General
Topic: mAP tx-power-mode and reducing tx-power [SOLVED]
Replies: 2
Views: 1118

Re: mAP tx-power-mode and reducing tx-power [SOLVED]

Manually setting TX power has been a mess for a while. The most reliable way I've found is to use the antenna gain setting to make the device think you have a stronger antenna so it reduces TX power proportionally for regulatory domain compliance.
by R1CH
Wed Aug 07, 2019 3:25 pm
Forum: Announcements
Topic: Newsletter #90
Replies: 55
Views: 26215

Re: Newsletter #90

Just received the email version of this newsletter. It seems broken, no links work.
by R1CH
Thu Aug 01, 2019 12:15 pm
Forum: General
Topic: Winbox login: authentication failed, maybe due to bad blocks?
Replies: 5
Views: 1135

Re: Winbox login: authentication failed, maybe due to bad blocks?

6.19 is very old and the device is likely hacked, you should netinstall a secure version.
by R1CH
Tue Jul 30, 2019 1:33 pm
Forum: General
Topic: 30 oct 2019 end of gmail support for email send
Replies: 1
Views: 762

Re: 30 oct 2019 end of gmail support for email send

SMTP-only access is unaffected.
by R1CH
Wed Jul 24, 2019 2:52 pm
Forum: General
Topic: Default Configuration Privacy
Replies: 8
Views: 1413

Re: Default Configuration Privacy

This is basically applying a config as part of the install, so no different than manual configuration. As long as there is a strong admin password then only physical access or an exploit will be able to discover the config.
by R1CH
Fri Jul 19, 2019 3:24 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 55884

Re: v6.45.2 [stable] is released!

Yes, something is not quite right with the SFP+ interface on RB4011, we will look forward to fixing it asap! How did this happen? There is nothing related to SFP in the changelog and this is supposed to be a "stable" release. If there was something, anything changed related to SFP, then i...
by R1CH
Fri Jul 19, 2019 12:34 pm
Forum: General
Topic: Mikortik DHCP Option 43
Replies: 16
Views: 5364

Re: Mikortik DHCP Option 43

Has anyone figured out how to use the undocumented vendor-class-id CLI? It doesn't seem to have anything to match on the class identifier in the request so I have no idea how it's supposed to work.
by R1CH
Fri Jul 12, 2019 2:02 pm
Forum: General
Topic: MikroTik blacklists (IPv4/IPv6)
Replies: 4
Views: 3050

Re: MikroTik blacklists (IPv4/IPv6)

Depends what you want to blacklist. I've found from past experience that many blacklists are outdated and eventually block legitimate traffic, instead focus on securing your environment such that a blacklist of "bad IPs" is not needed.
by R1CH
Fri Jul 12, 2019 2:00 pm
Forum: General
Topic: Routing Question: Not able to get 1 gbps through our gateway with our router inline can without it
Replies: 8
Views: 1919

Re: Routing Question: Not able to get 1 gbps through our gateway with our router inline can without it

What kind of speed test are you doing? A single TCP connection will be limited by the CCR per-core frequency, but multiple connections should max out the link no problem. Test with iperf3 through the router for best results. Check profiler to see where load is.
by R1CH
Tue Jul 09, 2019 1:14 pm
Forum: RouterBOARD hardware
Topic: Bunch of fried hAP ac - trash?
Replies: 4
Views: 1630

Re: Bunch of fried hAP ac - trash?

For your own safety, scrap them... Seconding this. One time I tried to get some non-Routerboard boards working again after a thunderstorm. They seemed to power up but nothing was responsive, after a few minutes testing I smelled a burning smell. The A/C adapter was smoking and the power cable was e...
by R1CH
Fri Jul 05, 2019 6:14 pm
Forum: Wireless Networking
Topic: Wireless clients can't get an IP
Replies: 3
Views: 1809

Re: Wireless clients can't get an IP

Use "WISP AP" and set bridge mode. "Home AP Dual" is intended if you have the device hooked up directly to your WAN.
by R1CH
Fri Jul 05, 2019 6:12 pm
Forum: Wireless Networking
Topic: wAP ac performace problem?
Replies: 1
Views: 880

Re: wAP ac performace problem?

Always bandwidth test THROUGH the router, not ON the router. Run a local iperf server on your network and test to that. The CPU on these devices is not powerful enough to generate much traffic when using the built in bandwidth test tools.
by R1CH
Tue Jun 25, 2019 12:50 pm
Forum: RouterBOARD hardware
Topic: RB4011 Metal temperature is really hot
Replies: 53
Views: 17290

Re: RB4011 Metal temperature is really hot

Yes, Mikrotik devices have a history of running quite hot. So far I've seen no reports of actual problems caused by this, the CPUs are rated for very high temperatures. If your router is actually crashing or exhibiting other strange behavior as a result of the temperature then it's a problem.
by R1CH
Wed Jun 19, 2019 3:55 pm
Forum: Announcements
Topic: MikroTik News June 2019 (Issue #89)
Replies: 38
Views: 18397

Re: MikroTik News June 2019 (Issue #89)

I'm a bit disappointed seeing only 2.4 GHz radios on products sold in 2019. In urban areas 2.4 GHz is unusable. The QCA9531 chipset is over five years old now, there really should not be new products coming to market based on it.
by R1CH
Tue Jun 18, 2019 2:40 pm
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 4817

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Surely it's more cpu efficient to detect and add users to a dynamic address list which you then drop in raw? I can't imagine you'd want to accept traffic from someone trying to kill your systems? Dropping the initial SYN is enough to stop the connection, other packets and fragments will just be ign...
by R1CH
Tue Jun 18, 2019 12:33 am
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 4817

Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

A bunch of MSS related TCP bugs were found in the Linux kernel that can result in remote denial of service. Details: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md#advisory Since RouterOS is based on older Linux kernel, if you have any open TCP ports the...
by R1CH
Tue Jun 11, 2019 4:26 pm
Forum: Wireless Networking
Topic: "wAP ac kit"
Replies: 2
Views: 1170

Re: "wAP ac kit"

I guess this is based on the IPQ401x chipset given the specs. I'd be a bit hesitant to use it for wireless due to all the issues the 4011 platform is seeing.
by R1CH
Fri Jun 07, 2019 5:12 pm
Forum: General
Topic: IP spoofing
Replies: 1
Views: 1400

Re: IP spoofing

The device running in promiscuous mode won't see all the TCP traffic flows, it will only see broadcast packets on a switched network. Only traffic directed to it will be noticed, which is as your experiment describes. You need to either re-architect your network so that all your traffic flows throug...
by R1CH
Wed Jun 05, 2019 3:50 pm
Forum: General
Topic: Basic traffic prioritization
Replies: 8
Views: 6068

Re: Basic traffic prioritization

If your connection speed is truly fluctuating like this, then you need to set the queue limit at just under the slowest speed your connection drops to. Everything will be throttled to this rate all the time, which isn't ideal. This is the only way to make QoS work, as otherwise the queuing happens o...
by R1CH
Wed Jun 05, 2019 1:03 pm
Forum: General
Topic: LiveStreaming Upload Bandwidth choked by HexS
Replies: 2
Views: 733

Re: LiveStreaming Upload Bandwidth choked by HexS

A Hex S can do way more than 30mbps, most likely you configured it incorrectly. Post your config.
by R1CH
Tue Jun 04, 2019 1:25 pm
Forum: General
Topic: Spam problem.
Replies: 2
Views: 892

Re: Spam problem.

Monitor your users to see who is accessing the mail sites listed under "Sender Email".
by R1CH
Mon Jun 03, 2019 6:13 pm
Forum: Wireless Networking
Topic: Wireless Bandwith Test Issue
Replies: 2
Views: 986

Re: Wireless Bandwith Test Issue

Use iperf3 for bandwidth testing through the device, not on the device.
by R1CH
Wed May 29, 2019 1:43 pm
Forum: General
Topic: Default config, ether2-Master what is the master ?
Replies: 1
Views: 701

Re: Default config, ether2-Master what is the master ?

Update RouterOS and do a reset with new default config, the concept of master interface is long gone.
by R1CH
Tue May 28, 2019 12:51 pm
Forum: Wireless Networking
Topic: Hex poe lite rb750upr2 have Wi-Fi? [SOLVED]
Replies: 1
Views: 934

Re: Hex poe lite rb750upr2 have Wi-Fi? [SOLVED]

No. The wireless package is installed only so it can be used as CAPSMAN controller.
by R1CH
Tue May 28, 2019 12:47 pm
Forum: RouterBOARD hardware
Topic: hAP ac hangs with bad client (962UiGS-5HacT2HnT)
Replies: 5
Views: 1517

Re: hAP ac hangs with bad client (962UiGS-5HacT2HnT)

Your symptoms do suggest it could be power related (a flood of packets causing increased radio use and power draw). As most Mikrotik devices accept a wide voltage range you could try with a different power supply from another device, provided it has equal or greater amperage.
by R1CH
Mon May 27, 2019 3:42 pm
Forum: RouterBOARD hardware
Topic: hAP ac hangs with bad client (962UiGS-5HacT2HnT)
Replies: 5
Views: 1517

Re: hAP ac hangs with bad client (962UiGS-5HacT2HnT)

Have you tried a different power supply?
by R1CH
Mon May 27, 2019 2:21 pm
Forum: Wireless Networking
Topic: RB962UiGS-5HacT2HnT low wifi performance
Replies: 6
Views: 1650

Re: RB962UiGS-5HacT2HnT low wifi performance

Can confirm, no matter the product, the performance just isn't up to the competition. I'm pretty sure it's down to the custom wireless drivers Mikrotik insists on using, which are just not up to the level of open source ones. If your device is supported, flashing OpenWRT onto it will get you a moder...
by R1CH
Fri May 17, 2019 1:40 pm
Forum: RouterBOARD hardware
Topic: [idea] cAP ax
Replies: 9
Views: 2864

Re: [idea] cAP ax

There's plenty of chipsets available, the problem is likely software. Since Mikrotik write their own wifi driver, it will take a long time before a stable 802.11ax driver is available. Even the 802.11ac support still isn't up to the competition after all these years. If you need 802.11ax there's oth...
by R1CH
Mon May 13, 2019 2:36 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 106615

Re: v6.45beta [testing] is released!

conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.
by R1CH
Fri May 10, 2019 7:24 pm
Forum: General
Topic: Import and use SSL Certificate
Replies: 5
Views: 2000

Re: Import and use SSL Certificate

The purpose of importing an SSL cert into RouterOS is to secure the hotspot landing page. It won't help you do anything else, if you want to do SSL MITM the root has to be installed on all end user devices regardless of what's on the router.
by R1CH
Fri Apr 26, 2019 3:18 pm
Forum: Wireless Networking
Topic: Wifi AP strength VS Wifi Client strength
Replies: 3
Views: 1036

Re: Wifi AP strength VS Wifi Client strength

APs generally have more power than client devices, so tuning output power to get a balance is important. You're right that a higher gain antenna both improves transmit and receive, but at the cost of radiation pattern. For example a 12dB omni in a house would work great on one floor but go upstairs ...
by R1CH
Sun Apr 21, 2019 11:26 pm
Forum: Wireless Networking
Topic: MikroTik Wireless performance VS Ubiquiti VS Ruckus
Replies: 3
Views: 5794

Re: MikroTik Wireless performance VS Ubiquiti VS Ruckus

For reasons unknown, Mikrotik are very against using open source, and this results in an outdated Linux kernel and custom written drivers and services. This greatly slows development time compared to other manufacturers who use open source on the software side and then focus on building their hardwa...
by R1CH
Thu Apr 18, 2019 1:35 pm
Forum: General
Topic: Problems with BitTorrent
Replies: 8
Views: 1538

Re: Problems with BitTorrent

Mikrotik wifi performance is often worse than competitor devices due to outdated kernel and proprietary drivers. That said it shouldn't drop out completely like this. Is the device possibly overheating? I would suggest trying 20 MHz channel, g/n only, enable WMM and set group key update to 1h (secur...
by R1CH
Thu Apr 18, 2019 1:32 pm
Forum: General
Topic: Reliability of RouterOS updates [SOLVED]
Replies: 2
Views: 1127

Re: Reliability of RouterOS updates [SOLVED]

"Stable" often introduces regressions, rarely has this resulted in total connectivity loss but I generally stick to long-term on remote devices unless there's need for a specific change. Unless it's a security related fix, I would also wait a few days for bugs to be reported by others befo...
by R1CH
Mon Apr 15, 2019 11:37 pm
Forum: General
Topic: Hotspot https redirect feature
Replies: 5
Views: 2488

Re: Hotspot https redirect feature

The redirection will never work due to the security guarantee of HTTPS. Documentation should be like this:

https-redirect=yes
Show a security error if user tries to open HTTPS website.

https-redirect=no
Show a network error if user tries to open HTTPS website.
by R1CH
Mon Apr 15, 2019 11:25 pm
Forum: General
Topic: DHCP "flood" Malformed Packet
Replies: 3
Views: 1675

Re: DHCP "flood" Malformed Packet

Disable detect-internet "feature".
by R1CH
Wed Apr 10, 2019 1:27 pm
Forum: General
Topic: VPN blocked?
Replies: 2
Views: 716

Re: VPN blocked?

You should check firewall rules on 188.252.172.1.
by R1CH
Mon Apr 08, 2019 6:58 pm
Forum: Wireless Networking
Topic: hAP ac wireless problem
Replies: 8
Views: 1816

Re: hAP ac wireless problem

Default settings are probably not good for your environment. Pick correct frequency, channel width, enable WMM, set country, etc.
by R1CH
Sat Apr 06, 2019 3:43 pm
Forum: Wireless Networking
Topic: Mikrotik WLAN & CAPsMAN - Bad download perfomance
Replies: 47
Views: 11135

Re: Mikrotik wireless LAN - WiFi - MIMO not working

The wAP AC CPU is likely maxing out at that bandwidth.
by R1CH
Thu Apr 04, 2019 6:07 pm
Forum: General
Topic: Help: IPv4 NAT - some https websites won't load
Replies: 4
Views: 2175

Re: Help: IPv4 NAT - some https websites won't load

Not being able to load HTTPS sites is usually an MTU issue due to larger packets. Make sure you're clamping TCP MSS if you have a non-standard MTU and aren't blocking ICMP.
by R1CH
Mon Apr 01, 2019 2:33 pm
Forum: General
Topic: ros rb4011 2.4g can't be connected by 4 devices?
Replies: 6
Views: 1103

Re: ros rb4011 2.4g can't be connected by 4 devices?

With 20 virtual APs you are probably destroying the channel with beacons. Make sure to set g/n only or change your data rates.

https://r1ch.net/blog/wifi-beacon-pollution
by R1CH
Sat Mar 30, 2019 3:37 pm
Forum: General
Topic: Block DropBox with firewall
Replies: 2
Views: 1175

Re: Block DropBox with firewall

As it's HTTPS you need to block via DNS or IP range, not recommended. If bandwidth consumption is a concern then use queues or data limits for your users.
by R1CH
Sat Mar 30, 2019 3:28 pm
Forum: General
Topic: how to close all UDP ports on mikrotik?
Replies: 3
Views: 1116

Re: how to close all UDP ports on mikrotik?

Add rule to FORWARD chain, protocol UDP, action DROP. Note that this will break a lot of things that rely on UDP, a better solution is to fix whichever client behind your router is infected and trying to scan the internet.
by R1CH
Fri Mar 29, 2019 2:07 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 21967

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

why r u being so disruptive and trying to break mikrotik?
That's what security researchers do. Any internet connected device and protocol is studied for such bugs, and finding and fixing them makes everyone safer. Be happy that he found it before the bad guys did. Imagine someone constantly crashin...
by R1CH
Thu Mar 28, 2019 2:24 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 21967

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Somehow this is the first I've heard of this and I'm very concerned as I have a modern network that includes IPv6. You're saying Mikrotik have known about this for 50 weeks and it hasn't been fixed?!? What is going on over there?! This is a completely unacceptable response for a security vulnerabili...
by R1CH
Tue Mar 26, 2019 5:32 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 11
Views: 2061

Re: wAP AC reaching out to 159.148.172.226:80 every hour

First thing I checked, definitely disabled.
by R1CH
Tue Mar 26, 2019 2:39 pm
Forum: General
Topic: Question about SSL certificate
Replies: 3
Views: 916

Re: Question about SSL certificate

by R1CH
Tue Mar 26, 2019 2:35 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 11
Views: 2061

Re: wAP AC reaching out to 159.148.172.226:80 every hour

The log screenshot is from my core router, the AP has forwarding disabled since it bridges onto the appropriate VLANs so it can't be coming from a client.
by R1CH
Tue Mar 26, 2019 1:51 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 11
Views: 2061

Re: wAP AC reaching out to 159.148.172.226:80 every hour

Why would it be doing this by itself? I have no auto upgrade configured, no one is logged in and running check-for-updates. None of the other devices with the same config are doing this.
by R1CH
Tue Mar 26, 2019 1:52 am
Forum: General
Topic: lost password after exploit
Replies: 3
Views: 937

Re: lost password after exploit

If it isn't blocked just use the same exploit to gain access. https://github.com/BigNerd95/WinboxExploit
by R1CH
Tue Mar 26, 2019 1:51 am
Forum: General
Topic: Local devices on DHCP are in DNS cache as 0.0.0.0
Replies: 2
Views: 613

Re: Local devices on DHCP are in DNS cache as 0.0.0.0

DHCP does not register DNS. You need to script this if you want it.

https://wiki.mikrotik.com/wiki/Setting_ ... DHCP_lease
by R1CH
Tue Mar 26, 2019 1:50 am
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 11
Views: 2061

Re: wAP AC reaching out to 159.148.172.226:80 every hour

Nope. Very basic config, bridged wlans, some virtual APs, no CAPSMAN. Can't think what else would be causing it.
by R1CH
Mon Mar 25, 2019 6:01 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 11
Views: 2061

wAP AC reaching out to 159.148.172.226:80 every hour

Trying to figure why this is happening as of 6.44, also tried 6.44.1. I upgraded all my wAP AC units (5), however only one of them is displaying this behavior. https://i.imgur.com/pE3W2M2.png DDNS is disabled, Update Time is disabled, TZ auto detect is disabled. No scripts, scheduler, etc. What else...
by R1CH
Mon Mar 25, 2019 4:18 pm
Forum: General
Topic: dns cache problam
Replies: 2
Views: 704

Re: dns cache problam

Those are negative entries, the random names are normal and used by captive portal detection of various OSes. Nothing in that should affect WhatsApp, the problem may be elsewhere.
by R1CH
Sat Mar 23, 2019 8:01 pm
Forum: Wireless Networking
Topic: Multiple SSID’s and DHCP [SOLVED]
Replies: 3
Views: 1096

Re: Multiple SSID’s and DHCP [SOLVED]

Bridge should be fine, just make sure DHCP server is set up to run on the bridge instead of one of the interfaces.
by R1CH
Fri Mar 22, 2019 5:31 pm
Forum: General
Topic: Help to config roming wireless
Replies: 4
Views: 821

Re: Help to config roming wireless

The best thing you can do with Mikrotik is set up all APs with the same SSID / authentication, ensure they're all in the same broadcast domain and ensure your DHCP server is very fast at handling requests / renews (e.g. no pinging for 2 seconds before giving a lease). Unfortunately RouterOS lacks support f...
by R1CH
Fri Mar 22, 2019 1:33 pm
Forum: Wireless Networking
Topic: 256QAM and AC provisioning on 2,4GHz
Replies: 2
Views: 919

Re: 256QAM and AC provisioning on 2,4GHz

Sounds like you're asking for 802.11ax...
by R1CH
Fri Mar 22, 2019 12:17 pm
Forum: General
Topic: Question about SSL certificate
Replies: 3
Views: 916

Re: Question about SSL certificate

Yes, the hotspot FQDN must match the certificate. Do note that this only provides security to the hotspot page itself, it will not help in redirecting HTTPS pages to the hotspot.
by R1CH
Thu Mar 21, 2019 6:35 pm
Forum: General
Topic: Feature Request: Separate the firmware(bootloader) and routeros version number
Replies: 8
Views: 1311

Re: Feature Request: Separate the firmware(bootloader) and routeros version number

You always need to update RouterBOOT and keep it the same version as RouterOS
The problem is Routerboot often has no changes between RouterOS versions, but we have no way of knowing since the version is incremented regardless. This involves needless reboots and additional wear on the small flash re...
by R1CH
Wed Mar 20, 2019 9:36 pm
Forum: RouterBOARD hardware
Topic: hAP ac and Verizon Gigabit
Replies: 4
Views: 1031

Re: hAP ac and Verizon Gigabit

Make sure fasttrack is active, hAP AC is unlikely to be able to do 1gbps otherwise.
by R1CH
Tue Mar 19, 2019 1:26 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 2565

Re: HOTSPOT login https error

You don't start, since that is impossible. The security of HTTPS negates attempts to intercept such requests, unless you want to teach your users to blindly ignore serious security errors.
by R1CH
Tue Mar 19, 2019 1:24 pm
Forum: General
Topic: CPU consumption by Horizon?
Replies: 2
Views: 1062

Re: CPU consumption by Horizon?

Horizon will disable hardware offload according to wiki.
by R1CH
Mon Mar 18, 2019 4:22 pm
Forum: General
Topic: Putty updated to 0.71
Replies: 12
Views: 1511

Re: Putty updated to 0.71

Which is my point. Post it in the phucking putty forum. Do you want me to start effing posting every time there is a windows update, a linux update, a macos update, an avast update, etc etc etc............ I might as well post every time I pop a zit, and pluck a nose hair. ;-)
It's been almost two ye...
by R1CH
Mon Mar 18, 2019 1:51 am
Forum: Wireless Networking
Topic: blog.mikrotik.com: 802.11ay?
Replies: 3
Views: 1218

Re: blog.mikrotik.com: 802.11ay?

Right after 802.11ax...
by R1CH
Mon Mar 18, 2019 1:49 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 29860

Re: v6.44.1 [stable] is released!

Do you really need all those packages? You are likely out of space since the device only has 16MB flash.
by R1CH
Sun Mar 17, 2019 11:54 pm
Forum: General
Topic: Redirect All SSL Pages to one page
Replies: 4
Views: 859

Re: Redirect All SSL Pages to one page

Don't set up your network in a way that intercepts all HTTPS requests and encourages users to bypass SSL errors. This is teaching users very dangerous practices, when their connection actually does get MITMed by a network attacker or compromised DNS, website, etc, then they will happily ignore the e...
by R1CH
Fri Mar 15, 2019 6:52 pm
Forum: General
Topic: Redirect All SSL Pages to one page
Replies: 4
Views: 859

Re: Redirect All SSL Pages to one page

Not possible, HTTPS is secure so you can't intercept it.
by R1CH
Fri Mar 15, 2019 6:51 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 29860

Re: v6.44.1 [stable] is released!

I didn't see any difference in behavior, it behaves as if it's disabled regardless of the checkbox state.
by R1CH
Fri Mar 15, 2019 3:56 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 29860

Re: v6.44.1 [stable] is released!

This doesn't affect users only during an upgrade, the default RouterOS conntrack timeouts are quite low and especially with the bug with tcp unacked timer, it's easy to get day-to-day TCP connections affected by this.
by R1CH
Fri Mar 15, 2019 3:42 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 29860

Re: v6.44.1 [stable] is released!

I can confirm the "Loose TCP Tracking" is completely broken in this release (and perhaps 6.44, didn't test it extensively). Previously established connections are treated as INVALID regardless of the setting.
by R1CH
Fri Mar 15, 2019 3:27 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 2565

Re: HOTSPOT login https error

Just make sure nothing is in the walled garden. As long as the user is using a modern browser or phone, they should get the prompt for the portal.
by R1CH
Thu Mar 14, 2019 9:11 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 2565

Re: HOTSPOT login https error

Make sure that you aren't allowing any sites in the hotspot before user auth, if you allow connectivity to Google / Apple / etc, the browser will think it has internet and will not trigger the captive portal. Any modern browser otherwise will notice the connection test is failing and prompt the user...
by R1CH
Tue Mar 12, 2019 7:52 pm
Forum: General
Topic: Connection tracking issue
Replies: 2
Views: 774

Re: Connection tracking issue

If you're seeing untranslated packets make it onto the network then you must have modified the default config, as this is considered "invalid" by netfilter and the defconf rules drop it.
by R1CH
Sun Mar 10, 2019 7:47 pm
Forum: General
Topic: Is there any way to do HTTP and HTTPS traffic shaping based on categories?
Replies: 10
Views: 1162

Re: Is there any way to do HTTP and HTTPS traffic shaping based on categories?

You can use the tls host rule which works with SNI.
by R1CH
Sat Mar 09, 2019 2:48 pm
Forum: RouterBOARD hardware
Topic: MUM Europe 2019: new hardware
Replies: 66
Views: 21693

Re: MUM Europe 2019: new hardware

Wish there was some announcements about 802.11ax. I guess until ROS v7 is released the kernel is too old to support such drivers anyway.
by R1CH
Fri Mar 08, 2019 5:14 pm
Forum: General
Topic: hEX S shows activity on disabled SFP port without a link
Replies: 6
Views: 1048

Re: hEX S shows activity on disabled SFP port without a link

I enabled the interface and the problem stopped. Very weird behavior. I don't plan on using the SFP port so this doesn't seem to cause any issues.
by R1CH
Thu Mar 07, 2019 7:44 pm
Forum: General
Topic: hEX S shows activity on disabled SFP port without a link
Replies: 6
Views: 1048

Re: hEX S shows activity on disabled SFP port without a link

This is occurring with 6.44.
by R1CH
Thu Mar 07, 2019 6:26 pm
Forum: General
Topic: hEX S shows activity on disabled SFP port without a link
Replies: 6
Views: 1048

hEX S shows activity on disabled SFP port without a link

How is this even possible?!

Image

ether2-5 and sfp1 are bridged. The traffic levels seems to match around what ether2 is doing.
by R1CH
Tue Mar 05, 2019 6:12 pm
Forum: General
Topic: Cant resolve mynetname.net when DNSSEC validation is enabled
Replies: 2
Views: 1026

Re: Cant resolve mynetname.net when DNSSEC validation is enabled

Seems to work OK here behind a DNSSEC-validating PowerDNS recursor.

No TCP support though is a problem that Mikrotik need to fix.
by R1CH
Sat Mar 02, 2019 3:04 am
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 57530

Re: v6.44 [stable] is released!

https-redirect is not working
You can't redirect HTTPS - the security provided by HTTPS means that unless you control the client devices and can install custom root certs, certificate validation will fail and users will see security errors. Mikrotik of all people should know this... what does this ...
by R1CH
Wed Feb 27, 2019 4:22 pm
Forum: General
Topic: RouterOS and 161/udp
Replies: 1
Views: 970

Re: RouterOS and 161/udp

You aren't filtering any other UDP ports, so they are responded to with an ICMP port unreachable, confirming the port is closed. Since UDP is connectionless, unless you speak the protocol there's no way to distinguish between an open port and a filtered port. I recommend you update your firewall to ...
by R1CH
Fri Feb 22, 2019 9:23 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 11863

Re: Security issue when Winbox exposed

Unicode in the updated changelog, which winbox can't handle.

Image
by R1CH
Fri Feb 22, 2019 3:25 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 11863

Re: Security issue when Winbox exposed

I think it's great that Zerodium started a bug bounty program for Mikrotik. It's not like the bad guys don't know, they're just providing incentives for full disclosure. So patch early and patch often my friends!
Unfortunately that isn't how it works. Zerodium will pay for Mikrotik exploits and the...
by R1CH
Fri Feb 22, 2019 1:27 am
Forum: Announcements
Topic: v6.43.12 [stable] is released!
Replies: 49
Views: 21425

Re: v6.43.12 [stable] is released!

My CCR1009-7G-1C-1S+ just watchdog timer rebooted after installing this update a few days ago. In over a year of operation never had that happen.
Feb/21/2019 14:46:44 system,error,critical router was rebooted without proper shutdown by watchdog timer
by R1CH
Fri Feb 22, 2019 1:06 am
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 11863

Re: Security issue when Winbox exposed

I see where you are coming from, so I fixed it for ya.................
Please try to keep in mind some of us run networks where we can't just take down the router for every RouterOS release. This was clearly not labelled as a security fix, so I personally did not consider it a priority to deploy du...
by R1CH
Thu Feb 21, 2019 6:52 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 11863

Re: Security issue when Winbox exposed

Why is this not mentioned as high severity security bug in changelog? Why no mention on security blog? Come on Mikrotik...
by R1CH
Wed Feb 20, 2019 11:56 pm
Forum: General
Topic: Problem with AP RBWAP2ND-BE
Replies: 2
Views: 606

Re: Problem with AP RBWAP2ND-BE

Try a full config reset with the reset button or just netinstall them. The default config on these devices is infuriating!

https://wiki.mikrotik.com/wiki/Manual:Reset_button
by R1CH
Wed Feb 20, 2019 11:44 pm
Forum: Wireless Networking
Topic: Superchannel on ac radios?
Replies: 4
Views: 1525

Re: Superchannel on ac radios?

You need the international version if you want unlocked frequencies.
- RB921UAGS-5SHPacT-NM-US (USA) is factory locked for 5170-5250MHz and 5725-5835MHz frequencies. This lock can not be removed.
- RB921UAGS-5SHPacT-NM (International) supports 5150MHz-5875MHz range (Specific frequency range can be l...
by R1CH
Wed Feb 20, 2019 4:39 pm
Forum: General
Topic: Problem with DHCP Mikrotik RB962UIGS-5HACT2HNT
Replies: 11
Views: 1238

Re: Problem with DHCP Mikrotik RB962UIGS-5HACT2HNT

Config? Maybe you're blocking important DHCP packets with the firewall.
by R1CH
Mon Feb 18, 2019 1:00 pm
Forum: General
Topic: WireGuard Released !
Replies: 41
Views: 28727

Re: WireGuard Released !

Just because it isn't mainlined doesn't mean it isn't available. I've been using it in production for months via DKMS and I'm very happy with it. There are open source Windows clients available, performance is great and setup is so refreshingly easy compared to something like IPSec. And it's actuall...
by R1CH
Fri Feb 15, 2019 6:16 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 22024

Re: v6.44rc [testing] is released!

You make a good point about reboots creating zombie TCP connections on the nodes, but you are wrong about the DoS mitigation. Setting nf_conntrack_tcp_loose to 0 (not the default) stops false SYN-ACK and ACK packets before they hit the “listen” state lock, thereby allowing conntrack to scale much h...
by R1CH
Fri Feb 15, 2019 5:57 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 22024

Re: v6.44rc [testing] is released!

That setting should have no effect on DoS resistance unless you aren't properly filtering your inbound traffic. It's set to 1 which is the default, for good reason, otherwise any time a router reboots every single active TCP connection would have to time out instead of continuing to work.
by R1CH
Fri Feb 15, 2019 4:21 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 22024

Re: v6.44rc [testing] is released!

Just to clarify,
*) wireless - improved system stability for all ARM devices with wireless;
*) wireless - improved system stability for all MIPSBE devices with 802.11ac wireless;
Does this improve wireless performance or only RouterOS software stability? Also what devices are using AR5212? This is a...
by R1CH
Thu Feb 14, 2019 7:18 pm
Forum: Wireless Networking
Topic: Help Hacker sending deauth packet
Replies: 6
Views: 2123

Re: Help Hacker sending deauth packet

These are often accidental, where someone configures an enterprise AP with "rogue AP mitigation" or a similar setting. Check with any businesses nearby or see if a wireless scan picks out any obvious enterprise APs that might be the culprits.
by R1CH
Thu Feb 14, 2019 1:05 pm
Forum: RouterBOARD hardware
Topic: Why people pair UBNT APs with MikroTik routers?
Replies: 56
Views: 41662

Re: Why people pair UBNT APs with MikroTik routers?

Do all people asking for new kernel realize that it would mean dropping support for WHOLE current CCR series since Linux kernel officially dropped support for Tile-Gx CPUs architecture? While I'm not saying Tile-Gx is awesome it'd still mean dropping support for devices that are: 1) still being sol...
by R1CH
Wed Feb 13, 2019 12:58 pm
Forum: Wireless Networking
Topic: cAP ac (Found the bug)
Replies: 1
Views: 813

Re: cAP ac (Found the bug)

Best to create supout and send to support@mikrotik.com.
by R1CH
Wed Feb 13, 2019 12:51 pm
Forum: General
Topic: $100,000 bounty for Mikrotik 0-days
Replies: 1
Views: 1271

$100,000 bounty for Mikrotik 0-days

Thought this was interesting... given the number of exploits already found, I have no doubts that this kind of bounty will turn up more that will be sold to governments and criminals and used against Mikrotik networks. Unless there's an unpatched kernel bug, the safest way to protect yourself from u...
by R1CH
Wed Feb 13, 2019 12:41 pm
Forum: General
Topic: Feature request - DNSCrypt support...
Replies: 171
Views: 64997

Re: Feature request - DNSCrypt support...

Instead of wordless pluses, how about a discussion on TLS vs HTTPS. TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?
Why not both? Although DNS over HTTPS seems to be th...
by R1CH
Tue Feb 12, 2019 1:24 pm
Forum: General
Topic: Config Review - Security Conscience Home User
Replies: 19
Views: 2711

Re: Config Review - Security Conscience Home User

I would ditch all the blacklist / port scan detect / etc stuff. This kind of thing just opens you up to a resource exhaustion attack and can even result in blacklisting legitimate traffic if an attacker has IP spoofing capabilities. The CPUs on these devices are not powerful enough to this kind of s...
by R1CH
Mon Feb 11, 2019 8:21 pm
Forum: Announcements
Topic: v6.43.12 [stable] is released!
Replies: 49
Views: 21425

Re: v6.43.12 [stable] is released!

*) winbox - improvements in connection handling to router with open winbox service;
Yet another security hole, I presume?
How severe is it?
Sounds like you can DoS the service with half-closed connections or something.
by R1CH
Mon Feb 11, 2019 1:05 pm
Forum: General
Topic: ROS v6.43.x Hacked using same old vulnerability
Replies: 2
Views: 1353

Re: ROS v6.43.x Hacked using same old vulnerability

Netinstall the latest version with known clean config and change all passwords. Either you didn't change passwords or you didn't netinstall, so attackers were able to get back onto your device.
by R1CH
Sun Feb 10, 2019 5:08 pm
Forum: General
Topic: problem to block Pubg Game
Replies: 6
Views: 6725

Re: problem to block Pubg Game

Here are the IP ranges used by PUBG. I would not recommend blocking it.

http://ec2-reachability.amazonaws.com/
by R1CH
Fri Feb 08, 2019 12:41 pm
Forum: General
Topic: Bandwidth Test maximum speed
Replies: 4
Views: 1533

Re: Bandwidth Test maximum speed

Test through the routers using iperf3, not on the routers.
by R1CH
Thu Feb 07, 2019 11:32 pm
Forum: RouterBOARD hardware
Topic: New routerboot firmware
Replies: 12
Views: 3986

Re: New routerboot firmware

Note that although the firmware version is in sync with the RouterOS version, there are often no changes between versions. It's only worth upgrading if there's a change you need.
by R1CH
Thu Feb 07, 2019 10:22 pm
Forum: General
Topic: Using RouterOS as a local DNS server?
Replies: 3
Views: 863

Re: Using RouterOS as a local DNS server?

Oh my mistake, I misread this question.
by R1CH
Thu Feb 07, 2019 7:29 pm
Forum: General
Topic: Tunnel which generates least traffic when IDLE
Replies: 13
Views: 2461

Re: Tunnel which generates least traffic when IDLE

Wireguard is absolutely silent when there's no traffic and supports changing of endpoint IPs with no connectivity interruption. If you can go a non-Mikrotik route, I've had great success running Wireguard behind the router on a Linux box.
by R1CH
Thu Feb 07, 2019 6:28 pm
Forum: General
Topic: Using RouterOS as a local DNS server?
Replies: 3
Views: 863

Re: Using RouterOS as a local DNS server?

RouterOS doesn't do DHCP DNS registration. You can use a script to add and remove static entries if you need this.

viewtopic.php?t=119469
by R1CH
Thu Feb 07, 2019 5:37 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM Multi LAN
Replies: 3
Views: 1115

Re: RB4011iGS+RM Multi LAN

Delete the default bridge and each port will act like its own LAN.
by R1CH
Thu Feb 07, 2019 4:55 pm
Forum: RouterBOARD hardware
Topic: Why people pair UBNT APs with MikroTik routers?
Replies: 56
Views: 41662

Re: Why people pair UBNT APs with MikroTik routers?

Where does this stand now in 2019 after an entire 2018?
I feel like there's been no real progress since the original hAP AC release. I'm still using wAP AC units when I need a small cheap AP and don't care about latency, but for any big deployment I'm going with UBNT / Ruckus depending on budget.
by R1CH
Thu Feb 07, 2019 4:20 pm
Forum: General
Topic: SMB issues
Replies: 4
Views: 1280

Re: SMB issues

Wouldn't it make more sense to keep the modern protocol and disable SMB1 and SMB2? SMB1 is completely removed from Windows 10 these days because it's so old and insecure.
by R1CH
Tue Feb 05, 2019 11:32 pm
Forum: General
Topic: Detect-internet causing internal packet loss
Replies: 17
Views: 5950

Re: Packets being dropped from one host only

How is that a thing?!
by R1CH
Mon Feb 04, 2019 7:16 pm
Forum: Wireless Networking
Topic: 802.11ax [SOLVED]
Replies: 141
Views: 54314

Re: 802.11ax [SOLVED]

You can buy 802.11ax routers on the shelf in retail stores already, yet zero communication from Mikrotik about their timeline... this is rather worrying.
by R1CH
Mon Feb 04, 2019 7:05 pm
Forum: Wireless Networking
Topic: High ping to router HAP AC2
Replies: 33
Views: 6097

Re: High ping to router HAP AC2

This isn't too surprising, Mikrotik wifi is generally poor compared to the competition. Join me in waiting for RouterOS v7 when hopefully we aren't running on drivers and kernel from 2012.
by R1CH
Mon Feb 04, 2019 7:01 pm
Forum: Wireless Networking
Topic: wAP AC for medium densidty outdoor Wireless (Hotspot) project
Replies: 7
Views: 1370

Re: wAP AC for medium densidty outdoor Wireless (Hotspot) project

As much as I like Mikrotik, I would avoid their wifi products for this, the features are years behind the competition due to outdated drivers and kernel. Depending on how soon you need to deploy, it might be worth waiting for 802.11ax outdoor products to hit the market. Ruckus might be worth looking...
by R1CH
Fri Feb 01, 2019 4:57 pm
Forum: General
Topic: High number of established connections for one address
Replies: 26
Views: 5503

Re: High number of established connections for one address

TCP session state is based on the endpoints, as long as you pass packets back and forth correctly the session will be fine, there's no state necessary on the router. If you actively break this process by introducing NAT then you should accept that it's your responsibility not to break things for the...
by R1CH
Fri Feb 01, 2019 2:13 pm
Forum: General
Topic: High number of established connections for one address
Replies: 26
Views: 5503

Re: High number of established connections for one address

TCP sessions should be able to last days without a router breaking them. I personally have many active SSH connections that sometimes remain idle for days until a log event is triggered or similar. I would hate to be a user of a network where such connections are broken after just 30 minutes. This o...
by R1CH
Mon Jan 28, 2019 6:27 pm
Forum: Wireless Networking
Topic: Art-Net / UDP port 6454 over WIFI
Replies: 9
Views: 1558

Re: Art-Net / UDP port 6454 over WIFI

For broadcast traffic, look into the multicast buffering / helper and group key update interval. That said, Mikrotik generally has worse WiFi than Ubiquiti due to their outdated kernel / drivers. A modern off-the-shelf router might perform better.
by R1CH
Sun Jan 27, 2019 3:20 pm
Forum: General
Topic: Mikrotek RB750GR3 support DES?
Replies: 2
Views: 838

Re: Mikrotek RB750GR3 support DES?

Why do you want to use obsolete algorithms? Both DES and MD5 are proven insecure, you should not be using them anywhere in your network.
by R1CH
Fri Jan 25, 2019 1:06 am
Forum: General
Topic: 6.43.8 vulnerability or hack?
Replies: 31
Views: 11993

Re: 6.43.8 vulnerability or hack?

If you are talking about malware, then: "Simply upgrading RouterOS software deletes the malware, any other 3rd party files and closes the vulnerability"

With old versions having root exploits then it's entirely possible for the malware to protect itself and persist after an upgrade. Any ...
by R1CH
Fri Jan 25, 2019 12:15 am
Forum: Wireless Networking
Topic: Turn down Tx power
Replies: 20
Views: 5087

Re: Turn down Tx power

1) If the APs are on different channels then they won't be affected by each other, but keep in mind there is always risk of overlap (especially prevalent in 2.4 GHz with only 3 non-overlapping channels).
2) Correct, N also has a 6mbps minimum so it makes no difference.
3) Not possible yet, I posted ...
by R1CH
Thu Jan 24, 2019 11:21 pm
Forum: Wireless Networking
Topic: Turn down Tx power
Replies: 20
Views: 5087

Re: Turn down Tx power

Beacons must be sent at the lowest speed the AP supports, with 802.11b this is 1mbps and a few APs nearby can take up a significant amount of channel bandwidth with just beacons. G/N only mitigates this significantly by mandating 6mbps minimum. I wrote about this in more detail on my blog, https://r...
by R1CH
Thu Jan 24, 2019 7:27 pm
Forum: General
Topic: New connection but not SYN
Replies: 8
Views: 1373

Re: New connection but not SYN

This is normal "background traffic" - a client behind your router closed a connection to a server (FIN / RST) but the packet was lost in transit. The server has no idea the connection is closed, but because your router saw the outgoing FIN / RST, it removed the conntrack entry. So any pack...
by R1CH
Thu Jan 24, 2019 7:00 pm
Forum: General
Topic: 6.43.8 vulnerability or hack?
Replies: 31
Views: 11993

Re: 6.43.8 vulnerability

You should setup VPN instead like PPTP, OVPN. etc. much safer

This is just as unsafe (if not worse) as opening Winbox. PPTP, OpenVPN, IPsec etc are all custom Mikrotik implementations of protocols just like Winbox, except with much more complexity. I have no doubts serious security flaws exist in th...
by R1CH
Thu Jan 24, 2019 6:58 pm
Forum: General
Topic: Mikrotik Syn Cookies failed? [SOLVED]
Replies: 2
Views: 1112

Re: Mikrotik Syn Cookies failed? [SOLVED]

SYN cookies do not do anything to protect against volumetric attacks, they are intended to protect a listening service from spoofed source IPs. Replace your SYN traffic with any other packet flood and you will likely see similar behavior assuming enough bandwidth between attacker and router. You can...
by R1CH
Mon Jan 14, 2019 10:57 pm
Forum: General
Topic: Tower Cabling Choice?
Replies: 4
Views: 912

Re: Tower Cabling Choice?

Shielding / UV resistance is probably more important for outdoor use. Ubiquiti have a product which looks good: https://www.ui.com/accessories/toughcable/
by R1CH
Sat Jan 12, 2019 9:05 pm
Forum: General
Topic: Drop Rules and Packet Count
Replies: 3
Views: 799

Re: Drop Rules and Packet Count

Yes, VLANs are considered their own interfaces and are filtered independently of the interface to which they're connected. You can filter by physical ports using the in / out bridge port options.
by R1CH
Fri Jan 11, 2019 4:18 pm
Forum: General
Topic: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???
Replies: 7
Views: 1776

Re: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

For forward chain it maybe makes a bit of sense to block new connections to these ports, however most of these are no longer active threats and you risk blocking legitimate services (eg cloud services that pick ephemeral ports). The only ones I use on my network are blocking leaky SMB (137-139,445) ...
by R1CH
Thu Jan 10, 2019 8:06 pm
Forum: RouterBOARD hardware
Topic: Higher-end PWR-Line AP
Replies: 1
Views: 834

Re: Higher-end PWR-Line AP

Would be indeed nice, the fact that the current devices only do 2.4 GHz is an immediate non-starter for me.
by R1CH
Wed Jan 09, 2019 2:45 pm
Forum: Announcements
Topic: v6.42.11 [long-term] is released!
Replies: 42
Views: 16841

Re: v6.42.11 [long-term] is released!

Tried to update to 6.42.11 from 6.42.9 on a hEX using "Download and install", then realized I needed to check something so hit Cancel at about 90% downloaded. I then tried "Download and install" later and it says "not enough disk space" and there's no files available t...
by R1CH
Wed Jan 09, 2019 1:40 pm
Forum: Announcements
Topic: v6.42.11 [long-term] is released!
Replies: 42
Views: 16841

Re: v6.42.11 [long-term] is released!

Tried to update to 6.42.11 from 6.42.9 on a hEX using "Download and install", then realized I needed to check something so hit Cancel at about 90% downloaded. I then tried "Download and install" later and it says "not enough disk space" and there's no files available to...
by R1CH
Wed Jan 09, 2019 12:41 pm
Forum: Wireless Networking
Topic: High ping to router HAP AC2
Replies: 33
Views: 6097

Re: High ping to router HAP AC2

Make sure you're configuring / connecting to wlan2 (5 GHz), 2.4 GHz is too noisy for reliable connections.
by R1CH
Tue Jan 08, 2019 5:20 pm
Forum: General
Topic: firewall rules
Replies: 18
Views: 3583

Re: firewall rules

A default drop is generally much better than adding lots of other rules for port scans, address filters, weird TCP flags etc. On embedded devices like routerboards you have limited CPU time, having lots of filter rules running on each packet opens you up to a resource exhaustion DoS.
by R1CH
Mon Jan 07, 2019 3:55 pm
Forum: General
Topic: add it to wishlist - Multicore support for bandwidth test in ROS
Replies: 2
Views: 797

Re: add it to wishlist - Multicore support for bandwidth test in ROS

It's generally better to use iperf instead.
by R1CH
Thu Jan 03, 2019 2:20 pm
Forum: General
Topic: Open Facebook messenger from hotspot after login
Replies: 2
Views: 874

Re: Open Facebook messenger from hotspot after login

The iOS hotspot login page is presented in a modified browser window that for security reasons does not support redirecting to app protocol handlers. Perhaps try directing to a web based version of messenger, since you have no guarantees anyone even has it installed.
by R1CH
Thu Jan 03, 2019 2:07 pm
Forum: General
Topic: VLAN is to complicated
Replies: 21
Views: 3353

Re: VLAN is to complicated

I agree, VLAN support is very messy. It would be nice if when configuring a software VLAN that RouterOS would just enable hardware offloading like it does for a bridge. Having both hardware and software VLAN configurations mixed together gets very confusing.
by R1CH
Thu Jan 03, 2019 1:13 pm
Forum: General
Topic: Should MikroTik make more powerful antennas and wireless protocols in 2019?
Replies: 19
Views: 2887

Re: Should MikroTik make more powerful antennas and wireless protocols in 2019?

You know that we will not see new kernel on current RBs? Update actual RBs or make new ones with new kernel, better hardware and so on, what's the best choice for MK that is selling their products? Come on, it's not so different than smartphones.

I don't see why not, there isn't that much hardware ...
by R1CH
Thu Jan 03, 2019 12:25 am
Forum: General
Topic: Hacked Board
Replies: 15
Views: 3081

Re: Hacked Board

Changing passwords is not enough, you MUST netinstall any compromised device!
by R1CH
Wed Jan 02, 2019 5:53 pm
Forum: General
Topic: Should MikroTik make more powerful antennas and wireless protocols in 2019?
Replies: 19
Views: 2887

Re: Should MikroTik make more powerful antennas and wireless protocols in 2019?

As other posters have said, new antennas and protocols don't mean anything when we're still forced to use a six year old kernel with a hacked-together wifi driver that barely supports any modern features. I want an up to date kernel and non-proprietary wifi drivers far more than I want new antennas ...
by R1CH
Wed Jan 02, 2019 5:49 pm
Forum: General
Topic: Hacked Board
Replies: 15
Views: 3081

Re: Hacked Board

They have enabled packet sniffer to send all passwords, bitcoin private keys, etc to their server.

You should format and netinstall with a known good config, once a board is compromised it cannot be safely restored from winbox / terminal alone since a root exploit could have been used.
by R1CH
Mon Dec 31, 2018 8:34 pm
Forum: General
Topic: under attack in port 32231? - help
Replies: 25
Views: 3362

Re: under attack in port 32231? - help

Imagine an attacker is sending a small flood of 10mbps, they are TCP packets with spoofed IPs, so your address list is filling up at a rate of 10k+ unique addresses per second which increases memory and CPU usage. Without the rule, the packets would be dropped with no additional overhead.
by R1CH
Mon Dec 31, 2018 4:39 pm
Forum: General
Topic: under attack in port 32231? - help
Replies: 25
Views: 3362

Re: under attack in port 32231? - help

Such rules open you up to resource exhaustion DoS and offer very little protection over a default drop. I would not recommend them.
by R1CH
Mon Dec 31, 2018 4:36 pm
Forum: Announcements
Topic: v6.43.8 [stable] is released!
Replies: 169
Views: 51878

Re: v6.43.8 [stable] is released!

!) telnet - do not allow to set "tracefile" parameter;
After some digging, it turns out this is actually to fix an exploit that enables privilege escalation to root or damage to system files. Why is this not labelled as a security fix?

https://cxsecurity.com/issue/WLB-2018120151
by R1CH
Mon Dec 31, 2018 2:20 am
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 7696

Re: Redirect requests from HTTPS

You can indeed TCP proxy a HTTPS connection, eg force google.com to resolve to 1.2.3.4 and then proxy 1.2.3.4:443 -> google.com:443. This does not allow you to redirect or do anything else to it though. If you tried to proxy 1.2.3.4:443 -> myhotspot.com:443, the browser would terminate the connectio...
by R1CH
Mon Dec 31, 2018 1:09 am
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 7696

Re: Redirect requests from HTTPS

I'm not talking about a session takeover. In a corporate environment where you can control every device then yes, you can intercept and redirect HTTPS by installing a MITM root cert. However people running a Mikrotik Hotspot are unlikely to be in such an environment otherwise they would be using EAP / 802...
by R1CH
Sun Dec 30, 2018 11:32 pm
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 7696

Re: Redirect requests from HTTPS

They are all wrong. If it was possible to intercept and redirect HTTPS, then what's to stop anyone intercepting online banking and other secure sites?

The wiki article only gives steps for making your hotspot login page HTTPS compliant. This has nothing to do with intercepting HTTPS requests.
by R1CH
Sun Dec 30, 2018 5:22 pm
Forum: General
Topic: how to drop udp attack without port in mikrotik?
Replies: 3
Views: 969

Re: how to drop udp attack without port in mikrotik?

Those are fragments. It looks like you are being attacked by a reflected DNS DDoS amplification attack, there isn't much you can do about it as by the time you could block it it's already consumed your bandwidth. You should also ensure you have correct firewall rules to make sure you aren't actually...
by R1CH
Sun Dec 30, 2018 5:15 pm
Forum: General
Topic: under attack in port 32231? - help
Replies: 25
Views: 3362

Re: under attack in port 32231? - help

All you need is a rule at the end of the input chain with action=drop, with your allow rules before it. Stop trying to be fancy with specific ports, TCP scanners, address lists, etc. These offer no additional benefit over a simple drop rule and actually increase resource usage and open you up to DoS.
by R1CH
Sun Dec 30, 2018 5:12 pm
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 7696

Re: Redirect requests from HTTPS

This is NOT POSSIBLE, don't waste your time trying.
by R1CH
Mon Dec 17, 2018 12:19 pm
Forum: General
Topic: IP Cloud question
Replies: 26
Views: 3255

Re: IP Cloud question

If you use an old RouterOS version, the service no longer works. Make sure to update your RouterOS, stop the IP cloud service then start it again.

EDIT: Actually it seems like a service outage, ns1.kissthenet.net and ns2.kissthenet.net are both failing.
by R1CH
Fri Dec 14, 2018 2:07 pm
Forum: RouterBOARD hardware
Topic: CCR1009-8G-1S-1S+ Can't get more than 350-450 Mbps single session, can get more with multiple sessions
Replies: 10
Views: 2340

Re: CCR1009-8G-1S-1S+ Can't get more than 350-450 Mbps single session, can get more with multiple sessions

I had a similar issue, disabled queues / enabling fasttrack helped for me though. I think the problem is the RouterOS kernel is too old to support proper balancing of connections across multiple cores, hopefully this is fixed if / when RouterOS v7 comes out. 350 mbps does seem on the low side though...
by R1CH
Wed Dec 12, 2018 7:23 pm
Forum: General
Topic: hAp ac^2: inferior LAN-to-LAN performance when HW offloading is used
Replies: 5
Views: 1097

Re: hAp ac^2: inferior LAN-to-LAN performance when HW offloading is used

I vaguely recall reading something about how mixed speeds cause the switch chip to have to flush buffers before processing a new packet. It's best to put a cheap gigabit switch in front of the device to handle mixed speed devices so only 1gbps devices are connected directly.
by R1CH
Wed Dec 12, 2018 7:20 pm
Forum: General
Topic: Mikrotik Port Scanner -> Filezilla (21) Problem
Replies: 7
Views: 1379

Re: Mikrotik Port Scanner -> Filezilla (21) Problem

FTP opens many connections (1 per file), you should make sure your PSD rules are not running if a connection is allowed. It's also very questionable to do anything with PSD since you have no guarantees the IPs you are adding to your lists aren't spoofed.
by R1CH
Tue Dec 11, 2018 1:18 am
Forum: RouterBOARD hardware
Topic: hardware idea for a multiport switch
Replies: 71
Views: 34213

Re: hardware idea for a multiport switch

I agree with the others. 48 port switches / patch panels already have very thick cable bundles, this would be a nightmare to manage cable-wise.
by R1CH
Mon Dec 10, 2018 7:57 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 383
Views: 118114

Re: RB4011

Really happy with the performance on this device, replaced an aging RB951G that had to use fasttrack and the 4011 handles our 500mbps internet with traffic shaping and IPv6 tunnels with only 25% CPU usage. Only thing I want now is root to install DNSCrypt proxy - anyone found a nice way to root thi...
by R1CH
Fri Dec 07, 2018 11:39 pm
Forum: General
Topic: Supplier requires Iperf Speedtest program
Replies: 8
Views: 1906

Re: Supplier requires Iperf Speedtest program

You should always be doing tests "through" the router, the CPUs on the devices are not optimized for generating traffic. Port forwarding is simple enough, iperf only requires a single port or can reverse-connect to an available server.
by R1CH
Fri Dec 07, 2018 11:37 pm
Forum: General
Topic: DNS Flood
Replies: 8
Views: 2053

Re: DNS Flood

This image was for 1 second, the client generates that amount several times, figuring out further to find out his CPE was "hacked". But I would like to know about this traffic before it gets worse, in this case I redirected the client to a secondary DNS

That's still well within the realm ...
by R1CH
Fri Dec 07, 2018 8:47 pm
Forum: General
Topic: DNS Flood
Replies: 8
Views: 2053

Re: DNS Flood

This looks like normal traffic, DNS resolvers use a new socket for every resolution as an added protection against DNS spoofing. I would not consider 28kbps a "flood".
by R1CH
Wed Dec 05, 2018 5:03 pm
Forum: Wireless Networking
Topic: cap AC Critical Errors???
Replies: 9
Views: 1673

Re: cap AC Critical Errors???

Either they are not receiving enough power or the power is not good quality. If you're sure the power source is good and they are running the latest firmware and RouterOS then the device is probably defective.
by R1CH
Wed Dec 05, 2018 5:01 pm
Forum: Wireless Networking
Topic: hAPac2 wifi issue [SOLVED]
Replies: 6
Views: 2269

Re: hAPac2 wifi issue [SOLVED]

If you're only bothered by the log entry you can turn off the "info" category if you don't want to see this.
by R1CH
Wed Dec 05, 2018 1:53 pm
Forum: Wireless Networking
Topic: hAPac2 wifi issue [SOLVED]
Replies: 6
Views: 2269

Re: hAPac2 wifi issue [SOLVED]

This usually means the client is using the wrong WPA2 key.
by R1CH
Sat Dec 01, 2018 10:28 pm
Forum: General
Topic: speedtets using 1 core [SOLVED]
Replies: 7
Views: 1683

Re: speedtets using 1 core [SOLVED]

This is a known issue with RouterOS v6. Something to do with the kernel / connection tracking most likely.

See also viewtopic.php?t=131503
by R1CH
Fri Nov 30, 2018 12:04 am
Forum: General
Topic: CoDel support?
Replies: 45
Views: 16322

Re: CoDel support?

No new kernel, so no update. Probably need to wait for RouterOS v7 or move to a different platform if you want this.
by R1CH
Fri Nov 30, 2018 12:03 am
Forum: General
Topic: wifi showing OS version to scanner
Replies: 3
Views: 956

Re: wifi showing OS version to scanner

I also want this to be optional. viewtopic.php?f=7&t=133186
by R1CH
Fri Nov 30, 2018 12:01 am
Forum: General
Topic: SSl Certificat For Mikrotik
Replies: 13
Views: 1860

Re: SSl Certificat For Mikrotik

Nothing is being redirected, it's entirely up to the browser or OS. The browser sees a HTTPS loading error, tries to load a HTTP URL and notices if there was a redirect. If so, it assumes there is a portal and offers the sign in option. Since the "HTTPS error" is technically an attack, som...
by R1CH
Thu Nov 29, 2018 11:58 pm
Forum: General
Topic: Improving hotspot/captive portal detection?
Replies: 3
Views: 1288

Re: Improving hotspot/captive portal detection?

Those systems work by seeing a HTTPS error, then trying to access a normal HTTP URL. If the HTTP request is redirected, they assume a portal is in use. As long as you're redirecting everything, you should see the same behavior with the Mikrotik hotspot.
by R1CH
Wed Nov 28, 2018 6:05 pm
Forum: General
Topic: SSl Certificat For Mikrotik
Replies: 13
Views: 1860

Re: SSl Certificat For Mikrotik

If your device / browser won't detect the portal automatically, then yes, you need to open a non-HTTPS site to get the portal redirect. Most modern browsers and devices do this automatically in the background though when you connect to a new network. There is NO WAY to redirect a HTTPS site!
by R1CH
Mon Nov 26, 2018 4:58 pm
Forum: General
Topic: Improving hotspot/captive portal detection?
Replies: 3
Views: 1288

Re: Improving hotspot/captive portal detection?

There is no system that works with HTTPS*. This is by design, if you could intercept a secure page to show your portal, so could anyone else. The only thing you need to do is redirect ALL requests to your hotspot page, even those without a valid hostname (eg http://sdfnsdgnsseg). When a phone / brow...
by R1CH
Fri Nov 23, 2018 8:05 pm
Forum: General
Topic: Mikrotik SSH Vulnerability 6.14+
Replies: 4
Views: 1209

Re: Mikrotik SSH Vulnerability 6.14+

It looks like the researcher has retracted their claim. The only remaining issue is that the sshd supports a "null" cipher, which isn't secure - but you have to explicitly ask for it.

https://twitter.com/hackerfantastic/sta ... 9068090369
by R1CH
Fri Nov 23, 2018 5:54 pm
Forum: General
Topic: Hotspot Landing Page
Replies: 3
Views: 1646

Re: Hotspot Landing Page

This is intentional behavior - you cannot redirect HTTPS sites to your landing page. Properly configured phones, laptops etc will detect the presence of the portal and redirect users automatically. Make sure your regular HTTP requests are redirecting and you should be fine.
by R1CH
Fri Nov 23, 2018 4:13 pm
Forum: General
Topic: Router Blocking Connections
Replies: 2
Views: 1003

Re: Router Blocking Connections

Your blocklist is blocking most of the internet, which is why ping / winbox is not working.
by R1CH
Fri Nov 23, 2018 4:11 pm
Forum: General
Topic: SSl Certificat For Mikrotik
Replies: 13
Views: 1860

Re: SSl Certificat For Mikrotik

For the hotspot login page itself, this is possible. For redirecting clients to the hotspot, this is not possible.
by R1CH
Fri Nov 23, 2018 4:05 pm
Forum: General
Topic: Mikrotik SSH Vulnerability 6.14+
Replies: 4
Views: 1209

Mikrotik SSH Vulnerability 6.14+

https://twitter.com/hackerfantastic/status/1065838886989922305

Once again, Mikrotik's custom implementation (instead of a well-tested open source version) has introduced a security flaw: The take-away from this is that an attacker could perform a MITM attack against *any* Mikrotik router during the ...
by R1CH
Thu Nov 22, 2018 2:18 am
Forum: Wireless Networking
Topic: Open Wireless network No.2
Replies: 2
Views: 776

Re: Open Wireless network No.2

Set a "none" security profile.