Community discussions

Search found 696 matches

by R1CH
Thu Nov 15, 2018 1:34 am
Forum: Wireless Networking
Topic: RB951G-2HnD (6.43) - connect to internet without cables
Replies: 1
Views: 64

Re: RB951G-2HnD (6.43) - connect to internet without cables

See https://wiki.mikrotik.com/wiki/Manual:I ... s#Repeater

I would not recommend doing this without a wired connection during configuration though.
by R1CH
Thu Nov 15, 2018 1:27 am
Forum: General
Topic: [Request] Add "DNS over HTTPS" to RouterOS (Internet security protocols)
Replies: 9
Views: 638

Re: [Request] Add "DNS over HTTPS" to RouterOS (Internet security protocols)

I've been using DNS over HTTPS on a rooted RB951 and it's been flawless. No timeouts, no perceptible latency increase and the additional security it brings is very nice. Hopefully this makes it into RouterOS v7.
by R1CH
Thu Nov 15, 2018 1:25 am
Forum: General
Topic: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range
Replies: 5
Views: 130

Re: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range

For HTTP sure, just DNAT them to your webserver. There is no way to do this for HTTPS though.
by R1CH
Thu Nov 15, 2018 1:23 am
Forum: General
Topic: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)
Replies: 9
Views: 329

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

You should always netinstall after a compromise. Mikrotik have stated that there are ways to get OS root access once you have winbox access, so processes at that point aren't visible to RouterOS - even after upgrading there may be a persistent backdoor. Formatting / netinstall is the only safe way (...
by R1CH
Sun Nov 11, 2018 8:23 pm
Forum: Wireless Networking
Topic: Problem with wAP AC
Replies: 7
Views: 345

Re: Problem with wAP AC

You've got some misconfigured IPs there for your WAN and LAN connections. First, they shouldn't be the same IP or the router won't know which interface to use, and secondly you have a /8 subnet on the WAN, that certainly can't be right. I'm not sure what your intended configuration is supposed to be...
by R1CH
Fri Nov 09, 2018 4:10 pm
Forum: Announcements
Topic: Newsletter 85
Replies: 25
Views: 4221

Re: Newsletter 85

Good luck getting 150mbps from a 2.4 GHz network that's not even inside the building!
by R1CH
Fri Nov 09, 2018 4:06 pm
Forum: General
Topic: Management Network for router access?
Replies: 10
Views: 408

Re: Management Network for router access?

On one of my bigger networks I have a dedicated management VLAN. RouterOS is firewalled on every interface except this VLAN, so it only performs routing. I have a Linux box on the management network running wireguard that allows me to remote in, I trust wireguard far more than any of the RouterOS VP...
by R1CH
Fri Nov 09, 2018 3:15 pm
Forum: Announcements
Topic: Newsletter 85
Replies: 25
Views: 4221

Re: Newsletter 85

The device could also be used in places where the signal is just average, in order to boost a low speed into 100mbps+ throughput. Only having an FE port already kills this use case though. There's really no reason why devices that have 100mbps+ possible on the radio side are still shipping with FE p...
by R1CH
Thu Nov 08, 2018 6:42 pm
Forum: RouterBOARD hardware
Topic: Qualcomm IPQ8074
Replies: 7
Views: 1561

Re: Qualcomm IPQ8074

Another 11ax product just launched now, putting indeed some pressure on having 11ax products to use. Mechanical design is more questionable, but that can easily be changed (and I like the plane/rocket style of the RAX120, it has a big WOW factor). https://www.netgear.com/home/products/networking/wi...
by R1CH
Tue Nov 06, 2018 4:06 pm
Forum: Announcements
Topic: Newsletter 85
Replies: 25
Views: 4221

Re: Newsletter 85

Was hoping for some 802.11ax news... really hope there's something coming soon!
by R1CH
Mon Nov 05, 2018 6:24 pm
Forum: General
Topic: Firmware upgrade?
Replies: 3
Views: 186

Re: Firmware upgrade?

This is an unfortunate side effect of the new firmware version scheme. The firmware version always shows the same as RouterOS version now, even if there have been no changes between the previous firmware version. The only way to know for sure if there's really been an update is to read through chang...
by R1CH
Mon Nov 05, 2018 6:20 pm
Forum: RouterBOARD hardware
Topic: FTTH FIBER 200MB
Replies: 4
Views: 428

Re: FTTH FIBER 200MB

At that speed you should make sure fasttrack is working, I have 500mbps with fasttrack no problems.
by R1CH
Sat Nov 03, 2018 12:51 am
Forum: General
Topic: PB HTTPS (SSL) on Hotspots : Urgent
Replies: 2
Views: 130

Re: PB HTTPS (SSL) on Hotspots : Urgent

Abandon your quest! As long as you aren't whitelisting the connectivity test domains used by modern devices and browsers, they will pop up the captive portal login automatically. Trying to intercept HTTPS requests is impossible, if you could do it then so could anyone on the network (internet), defe...
by R1CH
Wed Oct 31, 2018 6:13 pm
Forum: General
Topic: Strange loop on update from 6.37.3 to 6.43.4
Replies: 5
Views: 307

Re: Strange loop on update from 6.37.3 to 6.43.4

Given the severity of the exploits, it's best to netinstall with a known good config. System level access allows attackers to install malware that isn't visible to RouterOS / winbox.
by R1CH
Wed Oct 31, 2018 1:25 pm
Forum: Wireless Networking
Topic: wpa3
Replies: 3
Views: 385

Re: wpa3

Qualcomm even shared that the WPA3 security features will be incorporated in its chipsets for mobile devices starting with the Snapdragon 845 mobile platform in June 2018. WPA3 will be supported on all Qualcomm Access Point platforms by July 2018. Doesn't seem like this should require hardware supp...
by R1CH
Wed Oct 31, 2018 1:19 pm
Forum: General
Topic: Old kernel. Why?
Replies: 5
Views: 416

Re: Old kernel. Why?

One of the issues is that Mikrotik wrote a lot of their own proprietary kernel modules, they likely aren't compatible with newer kernels. It's a shame as a lot of the included drivers with newer kernels are much higher quality than Mikrotik's implementations (eg the QCA driver supports Wave 2 802.11...
by R1CH
Mon Oct 29, 2018 6:29 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 344

Re: Advanced IP scanners locks up winbox access?

I ended up power cycling which resolved the issue (for now). Very strange, hopefully this doesn't happen to routers I don't have physical access to!
by R1CH
Mon Oct 29, 2018 6:28 pm
Forum: General
Topic: MikroTik and SSL website (Comodo)
Replies: 5
Views: 241

Re: MikroTik and SSL website (Comodo)

Have you set MTU appropriately and enabled PMTU clamping if necessary?
by R1CH
Mon Oct 29, 2018 6:27 pm
Forum: General
Topic: Performance problems with CRS112-8P-4S
Replies: 4
Views: 547

Re: Performance problems with CRS112-8P-4S

The "S" in CRS112-8P-4S stands for SWITCH. Stop trying to use it as a router and you won't have these problems.

the switching power seems to be ok, the connected computers can send and receive with the full bandwidth of 1GBit.
by R1CH
Sun Oct 28, 2018 3:24 pm
Forum: General
Topic: CloudFlare DNS over TLS
Replies: 38
Views: 7311

Re: CloudFlare DNS over TLS

Not sure, supposedly the update process wipes out any non-standard files so I'm not going to update until I have a very good reason to. I imagine Mikrotik will silently patch the jailbreak so I don't know how long this will be possible.
by R1CH
Fri Oct 26, 2018 7:03 pm
Forum: General
Topic: DHCP Rebinding Issue - stuck in rebinding until lease times out
Replies: 2
Views: 198

Re: DHCP Rebinding Issue - stuck in rebinding until lease times out

I've also seen this behavior at times. The Mikrotik DHCP client seems to have no end of little quirks and bugs like this, I wish we could just use udhcp which comes as part of busybox, it's well tested and should handle these kinds of cases much better.
by R1CH
Fri Oct 26, 2018 5:50 pm
Forum: General
Topic: How recovery hacked RB2011 via JTAG ?
Replies: 3
Views: 254

Re: How recovery hacked RB2011 via JTAG ?

Why can you not netinstall?
by R1CH
Fri Oct 26, 2018 5:49 pm
Forum: General
Topic: Firewall rules not working after hacker infection
Replies: 4
Views: 297

Re: Firewall rules not working after hacker infection

You should netinstall with a known good config. Once a router is compromised an attacker can get system level access that you cannot detect or repair from RouterOS UI.
by R1CH
Thu Oct 25, 2018 5:51 pm
Forum: General
Topic: firewall [SOLVED]
Replies: 5
Views: 379

Re: firewall [SOLVED]

Be aware that the default config in the latest "stable" version has no firewall either.

viewtopic.php?f=2&t=140661
by R1CH
Thu Oct 25, 2018 5:50 pm
Forum: General
Topic: Established connection question
Replies: 3
Views: 226

Re: Established connection question

These are connections to a service on your router. If you don't recognize them, your router might be compromised and running backdoor PPTP services, web proxy, SOCKS, etc.
by R1CH
Wed Oct 24, 2018 3:42 pm
Forum: General
Topic: Port Scan Drop ?
Replies: 6
Views: 335

Re: Port Scan Drop ?

Port scan does not use established connections. If you're using a detect-and-block script, then the attacker can then just scan you with fake IP of Google, Facebook, DNS server, etc and suddenly you've blocked important services. Relying on a hidden port for security is not good, best to use a VPN o...
by R1CH
Wed Oct 24, 2018 2:25 pm
Forum: General
Topic: Missing default config after reset
Replies: 3
Views: 194

Re: Missing default config after reset

The default config was broken in the latest releases.

viewtopic.php?f=2&t=140661
by R1CH
Wed Oct 24, 2018 1:43 pm
Forum: General
Topic: Port Scan Drop ?
Replies: 6
Views: 335

Re: Port Scan Drop ?

Best practice says you should drop all unknown input, there's no need to make rules specifically for port scanners.
by R1CH
Wed Oct 24, 2018 12:44 pm
Forum: General
Topic: Default configuration is broken?
Replies: 5
Views: 360

Re: Default configuration is broken?

QA on updates is getting quite poor lately. How does a change like this even happen to a "bugfix only" branch?
by R1CH
Tue Oct 23, 2018 4:21 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 344

Re: Advanced IP scanners locks up winbox access?

No RADIUS / user manager or anything for me, just a simple SOHO setup.
by R1CH
Tue Oct 23, 2018 2:02 pm
Forum: RouterBOARD hardware
Topic: New High End Router Hardware Soon?
Replies: 11
Views: 1102

Re: New High End Router Hardware Soon?

Since TILE is a dead architecture in the Linux kernel there needs to be a high end model that will handle RouterOS v7 (if it ever comes out). I am worried more and more about how old the RouterOS v6 kernel is, many modern chipsets (both CPU and wireless etc) require newer kernels so the available ha...
by R1CH
Tue Oct 23, 2018 1:59 pm
Forum: RouterBOARD hardware
Topic: HAP AC2 Availability in the US
Replies: 11
Views: 1119

Re: HAP AC2 Availability in the US

I notice even EuroDK no longer has hAP AC2 in stock. Is there some kind of problem with the board that halted production?
by R1CH
Tue Oct 23, 2018 1:56 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 344

Re: Advanced IP scanners locks up winbox access?

I wonder if I'm experiencing the same issue. I'm locked out of winbox, webfig, mac-telnet and SSH on one of my routers, if I enter an incorrect username or password I immediately get a negative response, with the correct password the connection hangs for about a minute then says "Incorrect password".
by R1CH
Tue Oct 23, 2018 12:59 pm
Forum: General
Topic: How can I distinguish different certificate in Winbox?
Replies: 1
Views: 83

Re: How can I distinguish different certificate in Winbox?

Modern versions of RouterOS use the SRP protocol to avoid MITM. Prior to this, there was no host verification so MITM was easy.

https://en.wikipedia.org/wiki/Secure_Re ... d_protocol
by R1CH
Mon Oct 22, 2018 1:06 am
Forum: General
Topic: CloudFlare DNS over TLS
Replies: 38
Views: 7311

Re: CloudFlare DNS over TLS

I've got DNS over TLS working on my hEX! If you've rooted your device (don't contact MT for support if you do this!) it's quite straightforward to install. Since cloudflared is written in Go, it's easy to cross-compile and the only thing it needs to operate is a ca-certificates.crt bundle which I co...
by R1CH
Tue Oct 16, 2018 2:22 pm
Forum: RouterBOARD hardware
Topic: Qualcomm IPQ8074
Replies: 7
Views: 1561

Re: Qualcomm IPQ8074

Given how long it took for 802.11ac (which still isn't fully implemented!), I think it will be 2020 or later before Mikrotik come out with 802.11ax products :(.
by R1CH
Tue Oct 16, 2018 1:33 am
Forum: General
Topic: Jailbreak for RouterOS 6.43.2 released [SOLVED]
Replies: 16
Views: 1324

Re: Jailbreak for RouterOS 6.43.2 released [SOLVED]

Finally had some time to play around with this. It works very well and there is almost zero risk of bricking your device. Can't wait to start experimenting with custom software on my router at last!
by R1CH
Fri Oct 12, 2018 5:28 pm
Forum: General
Topic: Jailbreak for RouterOS 6.43.2 released [SOLVED]
Replies: 16
Views: 1324

Re: Jailbreak for RouterOS 6.43.2 released [SOLVED]

I wish there were an official way to do this rather than relying on tools that potentially cause issues or stop working in the future. Installing wireguard for example or proper openvpn with UDP support would be so useful.
by R1CH
Wed Oct 10, 2018 6:19 pm
Forum: General
Topic: Limiting ICMP on input chain
Replies: 3
Views: 673

Re: Limiting ICMP on input chain

Reminder that ICMP source addresses can be spoofed, adding addresses to a blacklist without being able to verify the source address is a bad practice. It's better to just rate limit (which is built into the kernel - check IP / Settings).
by R1CH
Wed Oct 10, 2018 1:15 pm
Forum: General
Topic: Can't Upgrade router mikrotik because hacked
Replies: 4
Views: 848

Re: Can't Upgrade router mikrotik because hacked

The ONLY safe way is to netinstall. The exploit can install files outside of RouterOS, so your router remains compromised even after a config reset. You can still export your config and import it again after sanitizing it.
by R1CH
Tue Oct 09, 2018 12:19 am
Forum: RouterBOARD hardware
Topic: Improove capacitor quality
Replies: 3
Views: 541

Re: Improove capacitor quality

How are we still having failing capacitors in 2018?!
by R1CH
Mon Oct 08, 2018 10:38 pm
Forum: General
Topic: CVE-2018-1156 and Winbox exploit
Replies: 0
Views: 360

CVE-2018-1156 and Winbox exploit

There are quite a few blogs going around today which make it sound like there is some new Mikrotik exploit. It's not a new exploit, but discussions about the combination of the already patched winbox exploit + the already patched CVE-2018-1156 format string exploit. If a router is vulnerable to the w...
by R1CH
Mon Oct 08, 2018 1:04 pm
Forum: General
Topic: Router is infection by virus coinhive
Replies: 4
Views: 2819

Re: Router is infection by virus coinhive

Updating RouterOS won't magically remove bad parts of your configuration, it only prevents future exploits (assuming you changed your passwords). It's up to you to disinfect the router, the recommended way is to netinstall with a known good config, otherwise export the config, reset to default then ...
by R1CH
Sat Oct 06, 2018 5:09 pm
Forum: General
Topic: Unable to get full gigabit speed on RB750Gr3
Replies: 28
Views: 1457

Re: Unable to get full gigabit speed on RB750Gr3

Most likely the device is not powerful enough, check system / resources while testing to check CPU usage.
by R1CH
Fri Oct 05, 2018 2:54 pm
Forum: Wireless Networking
Topic: IPQ4019 chipsets - random capacity loss
Replies: 8
Views: 709

Re: IPQ4019 chipsets - random capacity loss

Many devices from other manufacturers use the IPQ401x chipset without issue. I suspect the problem is more to do with Mikrotik's proprietary driver than the ARM platform itself.
by R1CH
Fri Oct 05, 2018 12:50 pm
Forum: Wireless Networking
Topic: New standard 802.11ax
Replies: 15
Views: 2866

Re: New standard 802.11ax

Any news? ASUS are releasing their RT-AX88U this month which is based on 802.11ax. Would love for Mikrotik to keep up with the home / office wifi space.
by R1CH
Thu Oct 04, 2018 12:19 am
Forum: General
Topic: Route cast to another VLAN
Replies: 3
Views: 178

Re: Route cast to another VLAN

Easiest solution is to put the TV on the guest VLAN, usually such devices are insecure and should be away from your main network anyway. Otherwise you will need to allow routing between the VLANs and forward the multicasts with something like https://github.com/sonicsnes/udp-broadcast-relay-redux
by R1CH
Wed Oct 03, 2018 3:43 pm
Forum: General
Topic: Router compromised even after updating firmware
Replies: 2
Views: 154

Re: Router compromised even after updating firmware

If you backed up from before the compromise, then the backup is safe to use. You can also export the compromised config and manually review it before importing it on a fresh router with changed passwords.
by R1CH
Mon Oct 01, 2018 3:41 pm
Forum: Wireless Networking
Topic: hap ac achievable wifi speed?
Replies: 28
Views: 1123

Re: hap ac achievable wifi speed?

Real world result from a phone in a room across from the hAP AC (wall mounted high up). Almost clear LOS (has to go through a doorway). -57 dBm on the hAP AC, -54 dBm on the phone. Upload limited by ISP.

by R1CH
Mon Oct 01, 2018 3:33 pm
Forum: General
Topic: dns requests to Mikrotik fail if udp on linux
Replies: 5
Views: 220

Re: dns requests to Mikrotik fail if udp on linux

I have an open ticket (#2016082522001037) about bad DNS behavior with the RB850Gx2, apparently with multi core some UDP packets are simply dropped. Perhaps it applies to the RB3011 also. This is a problem since the Linux resolver likes to send two queries at once, one for IPv4 and one for IPv6. Try ...