Community discussions

Search found 861 matches

by R1CH
Wed Jun 19, 2019 3:55 pm
Forum: Announcements
Topic: MikroTik News June 2019 (Issue #89)
Replies: 13
Views: 1558

Re: MikroTik News June 2019 (Issue #89)

I'm a bit disappointed seeing only 2.4 GHz radios on products sold in 2019. In urban areas 2.4 GHz is unusable. The QCA9531 chipset is over five years old now, there really should not be new products coming to market based on it.
by R1CH
Tue Jun 18, 2019 2:40 pm
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 8
Views: 767

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Surely it's more CPU efficient to detect and add users to a dynamic address list which you then drop in raw? I can't imagine you'd want to accept traffic from someone trying to kill your systems? Dropping the initial SYN is enough to stop the connection, other packets and fragments will just be ign...
by R1CH
Tue Jun 18, 2019 12:33 am
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 8
Views: 767

Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

A bunch of MSS-related TCP bugs were found in the Linux kernel that can result in remote denial of service. Details: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md#advisory Since RouterOS is based on an older Linux kernel, if you have any open TCP ports the...
by R1CH
Tue Jun 11, 2019 4:26 pm
Forum: Wireless Networking
Topic: "wAP ac kit"
Replies: 2
Views: 266

Re: "wAP ac kit"

I guess this is based on the IPQ401x chipset given the specs. I'd be a bit hesitant to use it for wireless due to all the issues the 4011 platform is seeing.
by R1CH
Fri Jun 07, 2019 5:12 pm
Forum: General
Topic: IP spoofing
Replies: 1
Views: 270

Re: IP spoofing

The device running in promiscuous mode won't see all the TCP traffic flows, it will only see broadcast packets on a switched network. Only traffic directed to it will be noticed, which is as your experiment describes. You need to either re-architect your network so that all your traffic flows throug...
by R1CH
Wed Jun 05, 2019 3:50 pm
Forum: General
Topic: Basic traffic prioritization
Replies: 8
Views: 358

Re: Basic traffic prioritization

If your connection speed is truly fluctuating like this, then you need to set the queue limit at just under the slowest speed your connection drops to. Everything will be throttled to this rate all the time, which isn't ideal. This is the only way to make QoS work, as otherwise the queuing happens o...
by R1CH
Wed Jun 05, 2019 1:03 pm
Forum: General
Topic: LiveStreaming Upload Bandwidth choked by HexS
Replies: 2
Views: 124

Re: LiveStreaming Upload Bandwidth choked by HexS

A Hex S can do way more than 30mbps, most likely you configured it incorrectly. Post your config.
by R1CH
Tue Jun 04, 2019 1:25 pm
Forum: General
Topic: Spam problem.
Replies: 1
Views: 148

Re: Spam problem.

Monitor your users to see who is accessing the mail sites listed under "Sender Email".
by R1CH
Mon Jun 03, 2019 6:13 pm
Forum: Wireless Networking
Topic: Wireless Bandwith Test Issue
Replies: 2
Views: 218

Re: Wireless Bandwith Test Issue

Use iperf3 for bandwidth testing through the device, not on the device.
by R1CH
Wed May 29, 2019 1:43 pm
Forum: General
Topic: Default config, ether2-Master what is the master ?
Replies: 1
Views: 100

Re: Default config, ether2-Master what is the master ?

Update RouterOS and do a reset with new default config, the concept of master interface is long gone.
by R1CH
Tue May 28, 2019 12:51 pm
Forum: Wireless Networking
Topic: Hex poe lite rb750upr2 have Wi-Fi? [SOLVED]
Replies: 1
Views: 137

Re: Hex poe lite rb750upr2 have Wi-Fi? [SOLVED]

No. The wireless package is installed only so it can be used as CAPSMAN controller.
by R1CH
Tue May 28, 2019 12:47 pm
Forum: RouterBOARD hardware
Topic: hAP ac hangs with bad client (962UiGS-5HacT2HnT)
Replies: 5
Views: 417

Re: hAP ac hangs with bad client (962UiGS-5HacT2HnT)

Your symptoms do suggest it could be power related (a flood of packets causing increased radio use and power draw). As most Mikrotik devices accept a wide voltage range you could try with a different power supply from another device, provided it has equal or greater amperage.
by R1CH
Mon May 27, 2019 3:42 pm
Forum: RouterBOARD hardware
Topic: hAP ac hangs with bad client (962UiGS-5HacT2HnT)
Replies: 5
Views: 417

Re: hAP ac hangs with bad client (962UiGS-5HacT2HnT)

Have you tried a different power supply?
by R1CH
Mon May 27, 2019 2:21 pm
Forum: Wireless Networking
Topic: RB962UiGS-5HacT2HnT low wifi performance
Replies: 2
Views: 293

Re: RB962UiGS-5HacT2HnT low wifi performance

Can confirm, no matter the product, the performance just isn't up to the competition. I'm pretty sure it's down to the custom wireless drivers Mikrotik insists on using, which are just not up to the level of open source ones. If your device is supported, flashing OpenWRT onto it will get you a moder...
by R1CH
Fri May 17, 2019 1:40 pm
Forum: RouterBOARD hardware
Topic: [idea] cAP ax
Replies: 9
Views: 864

Re: [idea] cAP ax

There's plenty of chipsets available, the problem is likely software. Since Mikrotik write their own wifi driver, it will take a long time before a stable 802.11ax driver is available. Even the 802.11ac support still isn't up to the competition after all these years. If you need 802.11ax there's oth...
by R1CH
Mon May 13, 2019 2:36 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 287
Views: 57543

Re: v6.45beta [testing] is released!

conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.
by R1CH
Fri May 10, 2019 7:24 pm
Forum: General
Topic: Import and use SSL Certificate
Replies: 5
Views: 296

Re: Import and use SSL Certificate

The purpose of importing an SSL cert into RouterOS is to secure the hotspot landing page. It won't help you do anything else, if you want to do SSL MITM the root has to be installed on all end user devices regardless of what's on the router.
by R1CH
Fri Apr 26, 2019 3:18 pm
Forum: Wireless Networking
Topic: Wifi AP strength VS Wifi Client strength
Replies: 3
Views: 323

Re: Wifi AP strength VS Wifi Client strength

APs generally have more power than client devices, so tuning output power to get a balance is important. You're right that a higher gain antenna both improves transmit and receive, but at the cost of radiation pattern. For example a 12dB omni in a house would work great on one floor but go upstairs ...
by R1CH
Sun Apr 21, 2019 11:26 pm
Forum: Wireless Networking
Topic: MikroTik Wireless performance VS Ubiquiti VS Ruckus
Replies: 3
Views: 712

Re: MikroTik Wireless performance VS Ubiquiti VS Ruckus

For reasons unknown, Mikrotik are very against using open source, and this results in an outdated Linux kernel and custom written drivers and services. This greatly slows development time compared to other manufacturers who use open source on the software side and then focus on building their hardwa...
by R1CH
Thu Apr 18, 2019 1:35 pm
Forum: General
Topic: Problems with BitTorrent
Replies: 8
Views: 392

Re: Problems with BitTorrent

Mikrotik wifi performance is often worse than competitor devices due to an outdated kernel and proprietary drivers. That said it shouldn't drop out completely like this. Is the device possibly overheating? I would suggest trying 20 MHz channel, g/n only, enable WMM and set group key update to 1h (secur...
by R1CH
Thu Apr 18, 2019 1:32 pm
Forum: General
Topic: Reliability of RouterOS updates [SOLVED]
Replies: 2
Views: 264

Re: Reliability of RouterOS updates [SOLVED]

"Stable" often introduces regressions, rarely has this resulted in total connectivity loss but I generally stick to long-term on remote devices unless there's need for a specific change. Unless it's a security related fix, I would also wait a few days for bugs to be reported by others before upgradi...
by R1CH
Mon Apr 15, 2019 11:37 pm
Forum: General
Topic: Hotspot https redirect feature
Replies: 4
Views: 358

Re: Hotspot https redirect feature

The redirection will never work due to the security guarantee of HTTPS. Documentation should be like this:

https-redirect=yes
Show a security error if user tries to open HTTPS website.

https-redirect=no
Show a network error if user tries to open HTTPS website.
by R1CH
Mon Apr 15, 2019 11:25 pm
Forum: General
Topic: DHCP "flood" Malformed Packet
Replies: 3
Views: 296

Re: DHCP "flood" Malformed Packet

Disable detect-internet "feature".
by R1CH
Wed Apr 10, 2019 1:27 pm
Forum: General
Topic: VPN blocked?
Replies: 2
Views: 194

Re: VPN blocked?

You should check firewall rules on 188.252.172.1.
by R1CH
Mon Apr 08, 2019 6:58 pm
Forum: Wireless Networking
Topic: hAP ac wireless problem
Replies: 8
Views: 603

Re: hAP ac wireless problem

Default settings are probably not good for your environment. Pick correct frequency, channel width, enable WMM, set country, etc.
by R1CH
Sat Apr 06, 2019 3:43 pm
Forum: Wireless Networking
Topic: Mikrotik WLAN & CAPsMAN - Bad download perfomance
Replies: 44
Views: 3630

Re: Mikrotik wireless LAN - WiFi - MIMO not working

The wAP AC CPU is likely maxing out at that bandwidth.
by R1CH
Thu Apr 04, 2019 6:07 pm
Forum: General
Topic: Help: IPv4 NAT - some https websites won't load
Replies: 4
Views: 772

Re: Help: IPv4 NAT - some https websites won't load

Not being able to load HTTPS sites is usually an MTU issue due to larger packets. Make sure you're clamping TCP MSS if you have a non-standard MTU and aren't blocking ICMP.
by R1CH
Mon Apr 01, 2019 2:33 pm
Forum: General
Topic: ros rb4011 2.4g can't be connected by 4 devices?
Replies: 6
Views: 348

Re: ros rb4011 2.4g can't be connected by 4 devices?

With 20 virtual APs you are probably destroying the channel with beacons. Make sure to set g/n only or change your data rates.

https://r1ch.net/blog/wifi-beacon-pollution
by R1CH
Sat Mar 30, 2019 3:37 pm
Forum: General
Topic: Block DropBox with firewall
Replies: 2
Views: 309

Re: Block DropBox with firewall

As it's HTTPS you need to block via DNS or IP range, not recommended. If bandwidth consumption is a concern then use queues or data limits for your users.
by R1CH
Sat Mar 30, 2019 3:28 pm
Forum: General
Topic: how to close all UDP ports on mikrotik?
Replies: 3
Views: 347

Re: how to close all UDP ports on mikrotik?

Add rule to FORWARD chain, protocol UDP, action DROP. Note that this will break a lot of things that rely on UDP, a better solution is to fix whichever client behind your router is infected and trying to scan the internet.
by R1CH
Fri Mar 29, 2019 2:07 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 14202

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

why r u being so disruptive and trying to break mikrotik?
That's what security researchers do. Any internet connected device and protocol is studied for such bugs, and finding and fixing them makes everyone safer. Be happy that he found it before the bad guys did. Imagine someone constantly crashin...
by R1CH
Thu Mar 28, 2019 2:24 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 14202

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Somehow this is the first I've heard of this and I'm very concerned as I have a modern network that includes IPv6. You're saying Mikrotik have known about this for 50 weeks and it hasn't been fixed?!? What is going on over there?! This is a completely unacceptable response for a security vulnerabili...
by R1CH
Tue Mar 26, 2019 5:32 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 556

Re: wAP AC reaching out to 159.148.172.226:80 every hour

First thing I checked, definitely disabled.
by R1CH
Tue Mar 26, 2019 2:39 pm
Forum: General
Topic: Question about SSL certificate
Replies: 3
Views: 307

Re: Question about SSL certificate

by R1CH
Tue Mar 26, 2019 2:35 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 556

Re: wAP AC reaching out to 159.148.172.226:80 every hour

The log screenshot is from my core router, the AP has forwarding disabled since it bridges onto the appropriate VLANs so it can't be coming from a client.
by R1CH
Tue Mar 26, 2019 1:51 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 556

Re: wAP AC reaching out to 159.148.172.226:80 every hour

Why would it be doing this by itself? I have no auto upgrade configured, no one is logged in and running check-for-updates. None of the other devices with the same config are doing this.
by R1CH
Tue Mar 26, 2019 1:52 am
Forum: General
Topic: lost password after exploit
Replies: 3
Views: 281

Re: lost password after exploit

If it isn't blocked just use the same exploit to gain access. https://github.com/BigNerd95/WinboxExploit
by R1CH
Tue Mar 26, 2019 1:51 am
Forum: General
Topic: Local devices on DHCP are in DNS cache as 0.0.0.0
Replies: 2
Views: 179

Re: Local devices on DHCP are in DNS cache as 0.0.0.0

DHCP does not register DNS. You need to script this if you want it.

https://wiki.mikrotik.com/wiki/Setting_ ... DHCP_lease
by R1CH
Tue Mar 26, 2019 1:50 am
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 556

Re: wAP AC reaching out to 159.148.172.226:80 every hour

Nope. Very basic config, bridged wlans, some virtual APs, no CAPSMAN. Can't think what else would be causing it.
by R1CH
Mon Mar 25, 2019 6:01 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 556

wAP AC reaching out to 159.148.172.226:80 every hour

Trying to figure why this is happening as of 6.44, also tried 6.44.1. I upgraded all my wAP AC units (5), however only one of them is displaying this behavior. https://i.imgur.com/pE3W2M2.png DDNS is disabled, Update Time is disabled, TZ auto detect is disabled. No scripts, scheduler, etc. What else...
by R1CH
Mon Mar 25, 2019 4:18 pm
Forum: General
Topic: dns cache problam
Replies: 2
Views: 169

Re: dns cache problam

Those are negative entries, the random names are normal and used by captive portal detection of various OSes. Nothing in that should affect WhatsApp, the problem may be elsewhere.
by R1CH
Sat Mar 23, 2019 8:01 pm
Forum: Wireless Networking
Topic: Multiple SSID’s and DHCP [SOLVED]
Replies: 3
Views: 270

Re: Multiple SSID’s and DHCP [SOLVED]

Bridge should be fine, just make sure DHCP server is set up to run on the bridge instead of one of the interfaces.
by R1CH
Fri Mar 22, 2019 5:31 pm
Forum: General
Topic: Help to config roming wireless
Replies: 4
Views: 312

Re: Help to config roming wireless

The best thing you can do with Mikrotik is set up all APs with same SSID / authentication, ensure they're all in the same broadcast domain and ensure your DHCP server is very fast at handling requests / renews (e.g. no pinging for 2 seconds before giving a lease). Unfortunately RouterOS lacks support f...
by R1CH
Fri Mar 22, 2019 1:33 pm
Forum: Wireless Networking
Topic: 256QAM and AC provisioning on 2,4GHz
Replies: 2
Views: 321

Re: 256QAM and AC provisioning on 2,4GHz

Sounds like you're asking for 802.11ax...
by R1CH
Fri Mar 22, 2019 12:17 pm
Forum: General
Topic: Question about SSL certificate
Replies: 3
Views: 307

Re: Question about SSL certificate

Yes, the hotspot FQDN must match the certificate. Do note that this only provides security to the hotspot page itself, it will not help in redirecting HTTPS pages to the hotspot.
by R1CH
Thu Mar 21, 2019 6:35 pm
Forum: General
Topic: Feature Request: Separate the firmware(bootloader) and routeros version number
Replies: 8
Views: 390

Re: Feature Request: Separate the firmware(bootloader) and routeros version number

You always need to update RouterBOOT and keep it the same version as RouterOS
The problem is Routerboot often has no changes between RouterOS versions, but we have no way of knowing since the version is incremented regardless. This involves needless reboots and additional wear on the small flash re...
by R1CH
Wed Mar 20, 2019 9:36 pm
Forum: RouterBOARD hardware
Topic: hAP ac and Verizon Gigabit
Replies: 4
Views: 320

Re: hAP ac and Verizon Gigabit

Make sure fasttrack is active, hAP AC is unlikely to be able to do 1gbps otherwise.
by R1CH
Tue Mar 19, 2019 1:26 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 534

Re: HOTSPOT login https error

You don't start, since that is impossible. The security of HTTPS negates attempts to intercept such requests, unless you want to teach your users to blindly ignore serious security errors.
by R1CH
Tue Mar 19, 2019 1:24 pm
Forum: General
Topic: CPU consumption by Horizon?
Replies: 2
Views: 437

Re: CPU consumption by Horizon?

Horizon will disable hardware offload according to wiki.