Community discussions

Search found 471 matches

by R1CH
Fri May 18, 2018 9:46 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 57
Views: 1314

Re: I cant quite wrap my head around this one...

Sounds like the BT router has some AQM built in that you will need to replicate with RouterOS queue rules. Given the age of RouterOS kernel though it won't be able to compete with modern AQM like fq_codel (https://www.bufferbloat.net/projects/codel/wiki/) which is easy to set-and-forget.
by R1CH
Fri May 18, 2018 9:43 pm
Forum: General
Topic: Firewall Logic / Operation
Replies: 2
Views: 129

Re: Firewall Logic / Operation

An established connection should be tracked for 24 hours at minimum, I don't know where you're seeing 60 seconds but that certainly doesn't sound right. You should be seeing SYN, SYN+ACK, ACK as the connection establishment procedure. I'm also not clear what you mean by renegotiating, all connection...
by R1CH
Fri May 18, 2018 6:55 pm
Forum: RouterBOARD hardware
Topic: RB850Gx2 vs RB450Gx4
Replies: 11
Views: 535

Re: RB850Gx2 vs RB450Gx4

No heatsink on the IPQ4019 chip?! Is it really that power efficient?
by R1CH
Sat May 12, 2018 12:05 am
Forum: RouterBOARD hardware
Topic: hAP AC2 Wrong Setup Instructions
Replies: 9
Views: 634

Re: hAP AC2 Wrong Setup Instructions

Both of mine were new, from the only place in NL that had them in stock at the time (Routershop, listed as official reseller on "Buy" page). They were not in CPE mode once I was able to get a connection, something just caused the first time power up to behave very weirdly. Maybe next time I will try...
by R1CH
Thu May 10, 2018 7:22 pm
Forum: RouterBOARD hardware
Topic: What can be improved in hEX (RB750Gr3)?
Replies: 22
Views: 1349

Re: What can be improved in hEX (RB750Gr3)?

A CCR1009 is cheap enough, plus Tile architecture is end of life so I don't see new products based on that. I'd like a new hEX to be based on quad core ARM (same as hAP AC2) and 8 GigE ports, maybe one SFP/SFP+ if we're lucky. Plus a separate POE version able to handle ~ 80W combined output. Nothing...
by R1CH
Thu May 10, 2018 5:56 pm
Forum: RouterBOARD hardware
Topic: 10GBASE-T for Mikrotik
Replies: 13
Views: 918

Re: 10GBASE-T for Mikrotik

Because 99.9% of home users don't need > 1gbps, since their devices won't support it. 8 port 10GB for $150? Who are you kidding! A switch alone would be $500+.

I would appreciate more ports in Mikrotik products though, 4+1 is not enough these days.
by R1CH
Thu May 10, 2018 5:53 pm
Forum: General
Topic: Security advisory emails
Replies: 3
Views: 221

Re: Security advisory emails

I've still yet to receive an email about the winbox zero-day exploit that affected < 6.42.1, I would argue a zero day deserves an email more than an exploit that was patched over a year ago!
by R1CH
Wed May 09, 2018 12:58 am
Forum: General
Topic: 6.42.1, hap ac, time sync not working
Replies: 10
Views: 344

Re: 6.42.1, hap ac, time sync not working

This sounds like it might be a poorly configured upstream ISP that filters NTP packets for "DDoS protection".
by R1CH
Tue May 08, 2018 9:48 pm
Forum: Wireless Networking
Topic: Use AES-CCM only (unicast & group ciphers)
Replies: 4
Views: 179

Re: Use AES-CCM only (unicast & group ciphers)

No one should be considering TKIP in 2018 for either unicast or group ciphers. It's trivially broken and AES has been part of the spec since 2004. Any device not supporting AES today belongs in the trash.
by R1CH
Mon May 07, 2018 2:43 pm
Forum: RouterBOARD hardware
Topic: hAP AC2 Wrong Setup Instructions
Replies: 9
Views: 634

Re: hAP AC2 Wrong Setup Instructions

I only did a quick test of 5 GHz to confirm the unit was working OK, 176.24 mbps to HAP AC at -60dBm. 2.4 GHz isn't too important to me so I didn't test it.
by R1CH
Mon May 07, 2018 1:39 pm
Forum: RouterBOARD hardware
Topic: hAP AC2 Wrong Setup Instructions
Replies: 9
Views: 634

Re: hAP AC2 Wrong Setup Instructions

Yes, can configure over both wired and wireless. Very strange first time startup behavior though.
by R1CH
Mon May 07, 2018 12:50 pm
Forum: RouterBOARD hardware
Topic: hAP AC2 Wrong Setup Instructions
Replies: 9
Views: 634

Re: hAP AC2 Wrong Setup Instructions

As soon as I plugged in an ethernet cable, the link went up and down several times and now the default wireless network is broadcasting (??!). Looking at the logs it seems the unit didn't even register as being powered on until I plugged in the ethernet, it was on for 5+ minutes but the log shows: 0...
by R1CH
Mon May 07, 2018 12:44 pm
Forum: RouterBOARD hardware
Topic: hAP AC2 Wrong Setup Instructions
Replies: 9
Views: 634

hAP AC2 Wrong Setup Instructions

I have received my second hAP AC2 now, but both the previous unit and this new unit are not broadcasting any network by default. https://i.imgur.com/kk5GDjA.jpg Is this a mistake with the instructions or is something else going on? As far as I know my distributor is not making any modifications to t...
by R1CH
Thu May 03, 2018 4:56 pm
Forum: General
Topic: PSN NAT Type
Replies: 3
Views: 169

Re: PSN NAT Type

The problem is more likely related to your ISP modem or TP-Link load balancer. You shouldn't need to do anything special to have PS4 work fine, default NAT type will allow any inbound packets to endpoint opened ports.
by R1CH
Wed May 02, 2018 4:32 pm
Forum: Wireless Networking
Topic: 802.11ac required ratarate
Replies: 9
Views: 542

Re: 802.11ac required ratarate

You cannot configure 802.11ac rates in RouterOS (yet?)
by R1CH
Wed May 02, 2018 4:31 pm
Forum: General
Topic: "Optimal Mangle" from "RouterOS by Example" performance?
Replies: 16
Views: 706

Re: "Optimal Mangle" from "RouterOS by Example" performance?

You can't avoid examining every packet, the benefit is you can shortcut the mark packet rules evaluation by ordering the rules by volume. Eg if you only care about http traffic, you mark port 80 as http, mark everything else as other, then when it comes to packet marking you have mark other first in...
by R1CH
Wed May 02, 2018 12:15 pm
Forum: General
Topic: ovpn connection established? Is this an attack? [SOLVED]
Replies: 4
Views: 241

Re: ovpn connection established? Is this an attack? [SOLVED]

Be aware that the OpenVPN daemon in RouterOS is a custom Mikrotik version and given their history of other NIH-daemons, it may have remotely exploitable security holes. It is not the official open source OpenVPN daemon which has had rigorous security testing, so I would advise against exposing it to...
by R1CH
Mon Apr 30, 2018 6:32 pm
Forum: RouterBOARD hardware
Topic: wAP AC 3 (IEEE 802.1ax)
Replies: 19
Views: 1111

Re: wAP AC 3 (IEEE 802.1ax)

based on open source
This is where you are incorrect
Best to avoid anything open source and re-invent everything in house? Meanwhile every other manufacturer is happily using ath10k driver: https://wireless.wiki.kernel.org/en/users/drivers/ath10k And yes, open source driver even has working spectra...
by R1CH
Sat Apr 28, 2018 4:00 pm
Forum: RouterBOARD hardware
Topic: wAP AC 3 (IEEE 802.1ax)
Replies: 19
Views: 1111

Re: wAP AC 3 (IEEE 802.1ax)

the bigger problem is driver support since Mikrotik creates their own drivers. The actual drivers don't support anything of WAVE 2, are way behind competitors' performance, and this will not change, so I'm not interested in new devices, with rudimentary driver support and without any features.... 1...
by R1CH
Thu Apr 26, 2018 12:42 pm
Forum: General
Topic: Auto Upgrade Mirror
Replies: 2
Views: 159

Re: Auto Upgrade Mirror

That's a Cloudfront IP, maybe at some point you thought to auto upgrade by entering IP of Mikrotik update server? Either way that isn't going to work, just remove it.
by R1CH
Tue Apr 24, 2018 11:50 pm
Forum: General
Topic: Bottleneck on CCR (possible queue related)
Replies: 4
Views: 218

Re: Bottleneck on CCR (possible queue related)

Are you sure this isn't caused by your LAG? Depending how you are distributing packets you may be saturating one of the ports with too much traffic. Any chance to test with a 10G uplink?
by R1CH
Tue Apr 24, 2018 11:31 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 64968

Re: Advisory: Vulnerability exploiting the Winbox port

I know ... but it input chain is not the same as forward one. You can block access to router but not traffic forwarded to/from users.
Dropping in input is fine, but I've seen several blacklists use raw table which would obviously affect forwarded traffic too.
by R1CH
Tue Apr 24, 2018 11:11 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 64968

Re: Advisory: Vulnerability exploiting the Winbox port

Why blocking access to router is bad idea? Should "popular" addresses try to access our router?
You should be dropping such packets anyway. If you add them to a blacklist which blocks all communications from that IP, then you block legitimate services if someone spoofs them.
by R1CH
Tue Apr 24, 2018 10:55 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 64968

Re: Advisory: Vulnerability exploiting the Winbox port

If you're blacklisting based on connection attempts to certain ports, I would advise against it. Doing this opens up a new attack vector where an attacker with IP spoofing capabilities (eg many cheap VPS providers) can spoof popular IPs and cause your network to block legitimate services. Taking any...
by R1CH
Mon Apr 23, 2018 6:28 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 64968

Re: Advisory: Vulnerability exploiting the Winbox port

When is the first known exploit of this so we can browse the logs. And have exploit rewritten the log file ?
The exploit may not appear in the logs. It can download system passwords without logging in, so even if there appears no successful or failed logins, you should consider your passwords compr...
by R1CH
Mon Apr 23, 2018 6:20 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 272
Views: 23315

Re: v6.42.1 [current]

No issues across my mix of devices (RB750Gr3, wAP AC, hAP AC, RB951).
by R1CH
Mon Apr 23, 2018 5:58 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 64968

Re: Advisory: Vulnerability exploiting the Winbox port

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Shifting of the blame onto users... what else are we supposed to use for remote management?
Where do you see shifting blame on the users? It is information for users to know that routers are safe against this vulner...
by R1CH
Mon Apr 23, 2018 5:38 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 64968

Re: Advisory: Vulnerability exploiting the Winbox port

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Shifting of the blame onto users... what else are we supposed to use for remote management?
by R1CH
Mon Apr 23, 2018 5:07 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 64968

Re: Advisory: Vulnerability exploiting the Winbox port

Correct me if I'm wrong, but isn't something missing here? Now we know how they got passwords to log in, but what about those files (script and binary) uploaded to router and (probably) executed by RouterOS? Is it some other hidden functionality of WinBox we know nothing about? When the tool gets y...
by R1CH
Mon Apr 23, 2018 1:31 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 64968

Re: Advisory: Vulnerability exploiting the Winbox port

So is this it https://www.securityweek.com/remotely-e ... s-routeros ?

As it's an over month old post..
No, that's a different vulnerability in the SMB service.
by R1CH
Mon Apr 23, 2018 1:26 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 64968

Re: Advisory: Vulnerability exploiting the Winbox port

This is really scary. Can you explain how this happened in a more technical manner? Why is authentication not the first thing that is required before downloading files etc is possible? Why is the user database even made available over the winbox port prior to establishment of an authenticated connec...
by R1CH
Sun Apr 22, 2018 11:52 pm
Forum: Wireless Networking
Topic: "Management frame protection" - 802.11w compatibility
Replies: 10
Views: 1842

Re: "Management frame protection" - 802.11w compatibility

Anyone has any news about this issue? I'm surprised how neglected this feature was for this whole time, and now just became one of the top priority features that Mikrotik MUST go for. Specially these days, where any newbie can buy an extremely inexpensive WiFi Deauther anywhere... Any way to push M...
by R1CH
Sun Apr 22, 2018 11:02 pm
Forum: General
Topic: winbox vulnerable! Unusual login to routers [SOLVED]
Replies: 44
Views: 5478

Re: winbox vulnerable! Unusual login to routers [SOLVED]

Also, in general there should be no public facing remote router administration service. Best is to use a VPN. Next best is to allow login on Winbox or SSH only from specific IPs.
The VPN still requires exposing to the internet. Given how Mikrotik writes their own VPN daemons, I don't see how a VPN ...
by R1CH
Tue Apr 17, 2018 4:20 pm
Forum: Announcements
Topic: v6.42 [current]
Replies: 146
Views: 14114

Re: v6.42 [current]

Upgraded a bunch of hEX r3, wAP AC and hAP AC (original) with no issues. Holding off on the CCR-1009 for a bit.
by R1CH
Tue Apr 17, 2018 4:18 pm
Forum: General
Topic: MikroTik 6.41.4 - FTP daemon Denial of Service PoC
Replies: 25
Views: 996

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Another home grown Mikrotik daemon with vulnerabilities... :roll: . Any normal Linux ftp daemon will not be vulnerable to such simple DoS attack. Trying to claim this is a normal DoS attack that would work against any service is wrong, see " 6 connections and less than 80KB crafted requests are enou...
by R1CH
Sun Apr 15, 2018 6:48 pm
Forum: General
Topic: ROS SMB version - HP scan destination not compatible
Replies: 5
Views: 220

Re: ROS SMB version - HP scan destination not compatible

This makes me wonder why Mikrotik don't use Samba like every other home router manufacturer. They would get immediate compatibility with pretty much every SMB version. What benefit does a home grown SMB daemon provide? Certainly not security...
by R1CH
Sun Apr 15, 2018 6:17 pm
Forum: Wireless Networking
Topic: Removing Mikrotik elements from beacons
Replies: 0
Views: 123

Removing Mikrotik elements from beacons

Hello, Is there a way to prevent RouterOS from advertising itself in the 802.11 beacon frames? It's not so great to publicly broadcast the radio name, model name and RouterOS version to the world. This makes exploiting Mikrotik networks much easier, since an adversary doesn't even need to break t...
by R1CH
Sun Apr 15, 2018 6:08 pm
Forum: General
Topic: Hotspot doesn't redirect to login page from https:// pages
Replies: 10
Views: 7014

Re: Hotspot doesn't redirect to login page from https:// pages

Nope, HTTPS is still secure and can't be attacked with a man in the middle without installing a root CA on the client.

A properly configured hotspot will open the portal page automatically on any modern device.
by R1CH
Fri Apr 13, 2018 6:46 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 48
Views: 2006

Re: Remote Host Scanning our IPv6 Network

This doesn't seem to affect Linux itself, wonder what crazy stuff Mikrotik are doing with IPv6 to introduce a vulnerability like this?
by R1CH
Fri Apr 13, 2018 4:26 pm
Forum: General
Topic: rb951G-2hnd 6.41.4 help :(
Replies: 3
Views: 258

Re: rb951G-2hnd 6.41.4 help :(

The concept of master port was removed, you need to use bridges now. If possible they will be hardware accelerated (eg as a switch group).
by R1CH
Fri Apr 13, 2018 12:52 pm
Forum: Announcements
Topic: Winbox 3.13 released!
Replies: 60
Views: 7009

Re: Winbox 3.13 released!

You can point upgrade.mikrotik.com at 188.226.152.164 if you want a live (but harmless) example.
by R1CH
Fri Apr 13, 2018 12:52 am
Forum: Announcements
Topic: Winbox 3.13 released!
Replies: 60
Views: 7009

Re: Winbox 3.13 released!

Still no signature checking or HTTPS... man in the middle can easily compromise administrator's PC.

https://i.imgur.com/TX7G9pq.gifv
by R1CH
Fri Apr 06, 2018 2:06 pm
Forum: RouterBOARD hardware
Topic: CCR1009-7G-1C-1S+ CPU Frequency?
Replies: 3
Views: 239

Re: CCR1009-7G-1C-1S+ CPU Frequency?

I would try to keep it at 1.2 GHz (or at least higher than 400 MHz). Some tasks are still single threaded in RouterOS, eg a single TCP connection with queues / firewall will max out at around 600mbps at 1.2 GHz (example https://forum.mikrotik.com/viewtopic.php?f=3&t=131503) so at 400 MHz I expect it...
by R1CH
Wed Apr 04, 2018 8:28 pm
Forum: Wireless Networking
Topic: HAP AC as CAP CRASHES during Chromecast Screen Mirror
Replies: 4
Views: 264

Re: HAP AC as CAP CRASHES during Chromecast Screen Mirror

Is it a hAP AC 2 or the original? The new model has lots of issues with the radio due to unstable drivers.
by R1CH
Wed Apr 04, 2018 8:28 pm
Forum: Wireless Networking
Topic: Password repeater
Replies: 4
Views: 319

Re: Password repeater

Use certificate based authentication instead.
by R1CH
Wed Apr 04, 2018 8:25 pm
Forum: Wireless Networking
Topic: hAP ac 5GHz max speed
Replies: 9
Views: 716

Re: hAP ac 5GHz max speed

The CPU on the original hAP AC will bottleneck before the radio maximum throughput can be reached. Realistically you can get about 400 - 500 mbps actual throughput.

Conversely the hAP AC 2 has a better CPU but lots of problems with the radio at the moment, probably driver related.
by R1CH
Mon Apr 02, 2018 7:11 pm
Forum: Wireless Networking
Topic: Firewall Within Same Subnet on WLAN
Replies: 1
Views: 105

Re: Firewall Within Same Subnet on WLAN

Disabling "Default Forward" is the only way to accomplish this, traffic within the same subnet will be handled by the radio directly and not go through the CPU.
by R1CH
Mon Apr 02, 2018 7:07 pm
Forum: Wireless Networking
Topic: HAP AC as CAP CRASHES during Chromecast Screen Mirror
Replies: 4
Views: 264

Re: HAP AC as CAP CRASHES during Chromecast Screen Mirror

Is your power supply supplying enough current? Board temperatures?
by R1CH
Mon Apr 02, 2018 6:18 pm
Forum: General
Topic: Add DNS over HTTPS (DoH) support
Replies: 3
Views: 763

Re: Add DNS over HTTPS (DoH) support

DNSCrypt support would also be welcome, to avoid the overhead of wrapping all DNS requests in HTTP / TCP.
by R1CH
Mon Apr 02, 2018 4:12 am
Forum: Wireless Networking
Topic: How do I enable Privacy on WiFi
Replies: 10
Views: 905

Re: How do I enable Privacy on WiFi

I think you may be confused - a password IS a pre-shared key. Almost all networks will want a WPA2 PSK (password), be sure to set your security profile to WPA2 PSK with AES-CCM.