Community discussions

Search found 879 matches

by R1CH
Mon Aug 19, 2019 4:19 pm
Forum: General
Topic: When can developers improve ipv6 functionality?
Replies: 15
Views: 575

Re: When can developers improve ipv6 functionality?

While the forum may be a tiny part of overall customers, it likely represents the most dedicated Mikrotik ones who take the time to find the forum and register etc.
by R1CH
Mon Aug 19, 2019 3:33 pm
Forum: General
Topic: Hotspot and HTTPS? What solutions?
Replies: 34
Views: 2896

Re: Hotspot and HTTPS? What solutions?

No amount of money you spend on certificates will fix this issue. You cannot get a certificate that's valid for the entire internet. Best things to do:
  • Intercept ALL requests to internet (make sure gstatic.com, captive.apple.com, etc are NOT whitelisted as some misguided posts suggest)
  • Make sure int...
by R1CH
Mon Aug 19, 2019 3:29 pm
Forum: General
Topic: When can developers improve ipv6 functionality?
Replies: 15
Views: 575

Re: When can developers improve ipv6 functionality?

Why are requests from distributors prioritized over end users? Distributor is only useful for purchasing and RMA, I never would think to contact them with RouterOS requests or support.
by R1CH
Fri Aug 16, 2019 5:25 pm
Forum: General
Topic: I'm sure Mikrotik has a legit response to this...
Replies: 14
Views: 1312

Re: I'm sure Mikrotik has a legit response to this...

How many of these vulnerabilities though are still present when a competent person configures the router? If your WAN is entirely firewalled against incoming connections (including VPNs) then your risk is only coming from the LAN side which is generally a lot safer. That shouldn't be a reason not t...
by R1CH
Fri Aug 16, 2019 12:32 am
Forum: General
Topic: I'm sure Mikrotik has a legit response to this...
Replies: 14
Views: 1312

Re: I'm sure Mikrotik has a legit response to this...

This is not discussing a particular vulnerability, but it is examining what defense-in-depth procedures are in use. It seems all vendors are doing a very poor job here, not just Mikrotik. As an example of what this means: without ASLR, a router will load the code at the same location in memory every...
by R1CH
Wed Aug 14, 2019 1:33 pm
Forum: General
Topic: mAP tx-power-mode and reducing tx-power [SOLVED]
Replies: 2
Views: 308

Re: mAP tx-power-mode and reducing tx-power [SOLVED]

Manually setting TX power has been a mess for a while. The most reliable way I've found is to use the antenna gain setting to make the device think you have a stronger antenna so it reduces TX power proportionally for regulatory domain compliance.
by R1CH
Wed Aug 07, 2019 3:25 pm
Forum: Announcements
Topic: Newsletter #90
Replies: 41
Views: 7817

Re: Newsletter #90

Just received the email version of this newsletter. It seems broken, no links work.

by R1CH
Thu Aug 01, 2019 12:15 pm
Forum: General
Topic: Winbox login: authentication failed, maybe due to bad blocks?
Replies: 5
Views: 299

Re: Winbox login: authentication failed, maybe due to bad blocks?

6.19 is very old and the device is likely hacked, you should netinstall a secure version.
by R1CH
Tue Jul 30, 2019 1:33 pm
Forum: General
Topic: 30 oct 2019 end of gmail support for email send
Replies: 1
Views: 309

Re: 30 oct 2019 end of gmail support for email send

SMTP-only access is unaffected.
by R1CH
Wed Jul 24, 2019 2:52 pm
Forum: General
Topic: Default Configuration Privacy
Replies: 8
Views: 670

Re: Default Configuration Privacy

This is basically applying a config as part of the install, so no different than manual configuration. As long as there is a strong admin password then only physical access or an exploit will be able to discover the config.
by R1CH
Fri Jul 19, 2019 3:24 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 33237

Re: v6.45.2 [stable] is released!

Yes, something is not quite right with the SFP+ interface on RB4011, we will look forward to fixing it asap!
How did this happen? There is nothing related to SFP in the changelog and this is supposed to be a "stable" release. If there was something, anything changed related to SFP, then it needs to...
by R1CH
Fri Jul 19, 2019 12:34 pm
Forum: General
Topic: Mikortik DHCP Option 43
Replies: 10
Views: 793

Re: Mikortik DHCP Option 43

Has anyone figured out how to use the undocumented vendor-class-id CLI? It doesn't seem to have anything to match on the class identifier in the request so I have no idea how it's supposed to work.
by R1CH
Fri Jul 12, 2019 2:02 pm
Forum: General
Topic: MikroTik blacklists (IPv4/IPv6)
Replies: 4
Views: 424

Re: MikroTik blacklists (IPv4/IPv6)

Depends what you want to blacklist. I've found from past experience that many blacklists are outdated and eventually block legitimate traffic. Instead, focus on securing your environment such that a blacklist of "bad IPs" is not needed.
by R1CH
Fri Jul 12, 2019 2:00 pm
Forum: General
Topic: Routing Question: Not able to get 1 gbps through our gateway with our router inline can without it
Replies: 4
Views: 509

Re: Routing Question: Not able to get 1 gbps through our gateway with our router inline can without it

What kind of speed test are you doing? A single TCP connection will be limited by the CCR per-core frequency, but multiple connections should max out the link no problem. Test with iperf3 through the router for best results. Check profiler to see where load is.
by R1CH
Tue Jul 09, 2019 1:14 pm
Forum: RouterBOARD hardware
Topic: Bunch of fried hAP ac - trash?
Replies: 4
Views: 584

Re: Bunch of fried hAP ac - trash?

For your own safety, scrap them...
Seconding this. One time I tried to get some non-Routerboard boards working again after a thunderstorm. They seemed to power up but nothing was responsive, after a few minutes testing I smelled a burning smell. The A/C adapter was smoking and the power cable was e...
by R1CH
Fri Jul 05, 2019 6:14 pm
Forum: Wireless Networking
Topic: Wireless clients can't get an IP
Replies: 3
Views: 396

Re: Wireless clients can't get an IP

Use "WISP AP" and set bridge mode. "Home AP Dual" is intended if you have the device hooked up directly to your WAN.
by R1CH
Fri Jul 05, 2019 6:12 pm
Forum: Wireless Networking
Topic: wAP ac performace problem?
Replies: 1
Views: 334

Re: wAP ac performace problem?

Always bandwidth test THROUGH the router, not ON the router. Run a local iperf server on your network and test to that. The CPU on these devices is not powerful enough to generate much traffic when using the built in bandwidth test tools.
by R1CH
Tue Jun 25, 2019 12:50 pm
Forum: RouterBOARD hardware
Topic: RB4011 Metal temperature is really hot
Replies: 42
Views: 5431

Re: RB4011 Metal temperature is really hot

Yes, Mikrotik devices have a history of running quite hot. So far I've seen no reports of actual problems caused by this, the CPUs are rated for very high temperatures. If your router is actually crashing or exhibiting other strange behavior as a result of the temperature then it's a problem.
by R1CH
Wed Jun 19, 2019 3:55 pm
Forum: Announcements
Topic: MikroTik News June 2019 (Issue #89)
Replies: 38
Views: 9822

Re: MikroTik News June 2019 (Issue #89)

I'm a bit disappointed seeing only 2.4 GHz radios on products sold in 2019. In urban areas 2.4 GHz is unusable. The QCA9531 chipset is over five years old now, there really should not be new products coming to market based on it.
by R1CH
Tue Jun 18, 2019 2:40 pm
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 2710

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Surely it's more cpu efficient to detect and add users to a dynamic address list which you then drop in raw? I can't imagine you'd want to accept traffic from someone trying to kill your systems? Dropping the initial SYN is enough to stop the connection, other packets and fragments will just be ign...
by R1CH
Tue Jun 18, 2019 12:33 am
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 2710

Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

A bunch of MSS related TCP bugs were found in the Linux kernel that can result in remote denial of service. Details: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md#advisory Since RouterOS is based on older Linux kernel, if you have any open TCP ports the...
by R1CH
Tue Jun 11, 2019 4:26 pm
Forum: Wireless Networking
Topic: "wAP ac kit"
Replies: 2
Views: 374

Re: "wAP ac kit"

I guess this is based on the IPQ401x chipset given the specs. I'd be a bit hesitant to use it for wireless due to all the issues the 4011 platform is seeing.
by R1CH
Fri Jun 07, 2019 5:12 pm
Forum: General
Topic: IP spoofing
Replies: 1
Views: 326

Re: IP spoofing

The device running in promiscuous mode won't see all the TCP traffic flows, it will only see broadcast packets on a switched network. Only traffic directed to it will be noticed, which is as your experiment describes. You need to either re-architect your network so that all your traffic flows throug...
by R1CH
Wed Jun 05, 2019 3:50 pm
Forum: General
Topic: Basic traffic prioritization
Replies: 8
Views: 460

Re: Basic traffic prioritization

If your connection speed is truly fluctuating like this, then you need to set the queue limit at just under the slowest speed your connection drops to. Everything will be throttled to this rate all the time, which isn't ideal. This is the only way to make QoS work, as otherwise the queuing happens o...
by R1CH
Wed Jun 05, 2019 1:03 pm
Forum: General
Topic: LiveStreaming Upload Bandwidth choked by HexS
Replies: 2
Views: 164

Re: LiveStreaming Upload Bandwidth choked by HexS

A Hex S can do way more than 30mbps, most likely you configured it incorrectly. Post your config.
by R1CH
Tue Jun 04, 2019 1:25 pm
Forum: General
Topic: Spam problem.
Replies: 1
Views: 177

Re: Spam problem.

Monitor your users to see who is accessing the mail sites listed under "Sender Email".
by R1CH
Mon Jun 03, 2019 6:13 pm
Forum: Wireless Networking
Topic: Wireless Bandwith Test Issue
Replies: 2
Views: 302

Re: Wireless Bandwith Test Issue

Use iperf3 for bandwidth testing through the device, not on the device.
by R1CH
Wed May 29, 2019 1:43 pm
Forum: General
Topic: Default config, ether2-Master what is the master ?
Replies: 1
Views: 145

Re: Default config, ether2-Master what is the master ?

Update RouterOS and do a reset with new default config, the concept of master interface is long gone.
by R1CH
Tue May 28, 2019 12:51 pm
Forum: Wireless Networking
Topic: Hex poe lite rb750upr2 have Wi-Fi? [SOLVED]
Replies: 1
Views: 199

Re: Hex poe lite rb750upr2 have Wi-Fi? [SOLVED]

No. The wireless package is installed only so it can be used as CAPSMAN controller.
by R1CH
Tue May 28, 2019 12:47 pm
Forum: RouterBOARD hardware
Topic: hAP ac hangs with bad client (962UiGS-5HacT2HnT)
Replies: 5
Views: 570

Re: hAP ac hangs with bad client (962UiGS-5HacT2HnT)

Your symptoms do suggest it could be power related (a flood of packets causing increased radio use and power draw). As most Mikrotik devices accept a wide voltage range you could try with a different power supply from another device, provided it has equal or greater amperage.
by R1CH
Mon May 27, 2019 3:42 pm
Forum: RouterBOARD hardware
Topic: hAP ac hangs with bad client (962UiGS-5HacT2HnT)
Replies: 5
Views: 570

Re: hAP ac hangs with bad client (962UiGS-5HacT2HnT)

Have you tried a different power supply?
by R1CH
Mon May 27, 2019 2:21 pm
Forum: Wireless Networking
Topic: RB962UiGS-5HacT2HnT low wifi performance
Replies: 2
Views: 431

Re: RB962UiGS-5HacT2HnT low wifi performance

Can confirm, no matter the product, the performance just isn't up to the competition. I'm pretty sure it's down to the custom wireless drivers Mikrotik insists on using, which are just not up to the level of open source ones. If your device is supported, flashing OpenWRT onto it will get you a moder...
by R1CH
Fri May 17, 2019 1:40 pm
Forum: RouterBOARD hardware
Topic: [idea] cAP ax
Replies: 9
Views: 1065

Re: [idea] cAP ax

There are plenty of chipsets available, the problem is likely software. Since Mikrotik write their own wifi driver, it will take a long time before a stable 802.11ax driver is available. Even the 802.11ac support still isn't up to the competition after all these years. If you need 802.11ax there's oth...
by R1CH
Mon May 13, 2019 2:36 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.
by R1CH
Fri May 10, 2019 7:24 pm
Forum: General
Topic: Import and use SSL Certificate
Replies: 5
Views: 435

Re: Import and use SSL Certificate

The purpose of importing an SSL cert into RouterOS is to secure the hotspot landing page. It won't help you do anything else. If you want to do SSL MITM, the root has to be installed on all end user devices regardless of what's on the router.
by R1CH
Fri Apr 26, 2019 3:18 pm
Forum: Wireless Networking
Topic: Wifi AP strength VS Wifi Client strength
Replies: 3
Views: 387

Re: Wifi AP strength VS Wifi Client strength

APs generally have more power than client devices, so tuning output power to get a balance is important. You're right that a higher gain antenna both improves transmit and receive, but at the cost of radiation pattern. For example a 12dB omni in a house would work great on one floor but go upstairs ...
by R1CH
Sun Apr 21, 2019 11:26 pm
Forum: Wireless Networking
Topic: MikroTik Wireless performance VS Ubiquiti VS Ruckus
Replies: 3
Views: 1004

Re: MikroTik Wireless performance VS Ubiquiti VS Ruckus

For reasons unknown, Mikrotik are very against using open source, and this results in an outdated Linux kernel and custom written drivers and services. This greatly slows development time compared to other manufacturers who use open source on the software side and then focus on building their hardwa...
by R1CH
Thu Apr 18, 2019 1:35 pm
Forum: General
Topic: Problems with BitTorrent
Replies: 8
Views: 451

Re: Problems with BitTorrent

Mikrotik wifi performance is often worse than competitor devices due to outdated kernel and proprietary drivers. That said it shouldn't drop out completely like this. Is the device possibly overheating? I would suggest trying 20 MHz channel, g/n only, enable WMM and set group key update to 1h (secur...
by R1CH
Thu Apr 18, 2019 1:32 pm
Forum: General
Topic: Reliability of RouterOS updates [SOLVED]
Replies: 2
Views: 324

Re: Reliability of RouterOS updates [SOLVED]

"Stable" often introduces regressions, rarely has this resulted in total connectivity loss but I generally stick to long-term on remote devices unless there's need for a specific change. Unless it's a security related fix, I would also wait a few days for bugs to be reported by others before upgradi...
by R1CH
Mon Apr 15, 2019 11:37 pm
Forum: General
Topic: Hotspot https redirect feature
Replies: 4
Views: 487

Re: Hotspot https redirect feature

The redirection will never work due to security guarantee of HTTPS. Documentation should be like this:

https-redirect=yes
Show a security error if user tries to open HTTPS website.

https-redirect=no
Show a network error if user tries to open HTTPS website.
by R1CH
Mon Apr 15, 2019 11:25 pm
Forum: General
Topic: DHCP "flood" Malformed Packet
Replies: 3
Views: 408

Re: DHCP "flood" Malformed Packet

Disable detect-internet "feature".
by R1CH
Wed Apr 10, 2019 1:27 pm
Forum: General
Topic: VPN blocked?
Replies: 2
Views: 238

Re: VPN blocked?

You should check firewall rules on 188.252.172.1.
by R1CH
Mon Apr 08, 2019 6:58 pm
Forum: Wireless Networking
Topic: hAP ac wireless problem
Replies: 8
Views: 705

Re: hAP ac wireless problem

Default settings are probably not good for your environment. Pick correct frequency, channel width, enable WMM, set country, etc.
by R1CH
Sat Apr 06, 2019 3:43 pm
Forum: Wireless Networking
Topic: Mikrotik WLAN & CAPsMAN - Bad download perfomance
Replies: 47
Views: 4718

Re: Mikrotik wireless LAN - WiFi - MIMO not working

The wAP AC CPU is likely maxing out at that bandwidth.
by R1CH
Thu Apr 04, 2019 6:07 pm
Forum: General
Topic: Help: IPv4 NAT - some https websites won't load
Replies: 4
Views: 894

Re: Help: IPv4 NAT - some https websites won't load

Not being able to load HTTPS sites is usually an MTU issue due to larger packets. Make sure you're clamping TCP MSS if you have a non-standard MTU and aren't blocking ICMP.
by R1CH
Mon Apr 01, 2019 2:33 pm
Forum: General
Topic: ros rb4011 2.4g can't be connected by 4 devices?
Replies: 6
Views: 412

Re: ros rb4011 2.4g can't be connected by 4 devices?

With 20 virtual APs you are probably destroying the channel with beacons. Make sure to set g/n only or change your data rates.

https://r1ch.net/blog/wifi-beacon-pollution
by R1CH
Sat Mar 30, 2019 3:37 pm
Forum: General
Topic: Block DropBox with firewall
Replies: 2
Views: 394

Re: Block DropBox with firewall

As it's HTTPS you need to block via DNS or IP range, not recommended. If bandwidth consumption is a concern then use queues or data limits for your users.
by R1CH
Sat Mar 30, 2019 3:28 pm
Forum: General
Topic: how to close all UDP ports on mikrotik?
Replies: 3
Views: 429

Re: how to close all UDP ports on mikrotik?

Add rule to FORWARD chain, protocol UDP, action DROP. Note that this will break a lot of things that rely on UDP, a better solution is to fix whichever client behind your router is infected and trying to scan the internet.
by R1CH
Fri Mar 29, 2019 2:07 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 14927

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

why r u being so disruptive and trying to break mikrotik?
That's what security researchers do. Any internet connected device and protocol is studied for such bugs, and finding and fixing them makes everyone safer. Be happy that he found it before the bad guys did. Imagine someone constantly crashin...