Community discussions

Search found 515 matches

by R1CH
Fri Jun 15, 2018 6:49 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

The only email I got was about the old httpd exploit (below). Maybe something went wrong with the sending of the emails? Subject: MikroTik: URGENT security advisory "It has come to our attention that a rogue botnet is currently scanning random public IP addresses to find open Winbox (8291) and WWW (...
by R1CH
Fri Jun 15, 2018 6:37 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

For vulnerabilities that allow remote code execution or bypassing of authentication, Mikrotik should really be sending out security advisory emails to every registered customer / active forum user. The winbox exploit for example is much worse than the httpd bug, and that was deserving of an email....
by R1CH
Fri Jun 15, 2018 5:22 pm
Forum: General
Topic: Login failure critical notification
Replies: 1
Views: 107

Re: Login failure critical notification

Bandwidth test server is hidden! It isn't listed under services but under tools / btest server. If people are able to try to log into it though, this suggests your firewall configuration is incomplete.
by R1CH
Thu Jun 14, 2018 7:17 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 12
Views: 412

Re: cant' activate purchased SSL certificate for hotspot

There seems to be a missing intermediary cert, I'm not entirely sure how RouterOS handles this but try importing the following instead (I added the intermediate cert to the chain).
by R1CH
Thu Jun 14, 2018 4:46 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 12
Views: 412

Re: cant' activate purchased SSL certificate for hotspot

That message means the .crt you supplied to the hotspot wasn't signed properly. Make sure it's the certificate you got from namecheap and not one generated by RouterOS.

You can also link the .crt file here and I can take a look. Make sure you never post the private key though!
by R1CH
Wed Jun 13, 2018 6:29 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 12
Views: 412

Re: cant' activate purchased SSL certificate for hotspot

If you're running 6.40.1 your router may already be compromised, as you have not installed critical security patches. You should update ASAP and check for signs of compromise (modified DNS, additional users, VPN tunnels, etc). You can use testssl.sh from any Linux system and test it against your hotspot....
by R1CH
Wed Jun 13, 2018 4:51 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 12
Views: 412

Re: cant' activate purchased SSL certificate for hotspot

Make sure your RouterOS is up to date. You can use something like https://testssl.sh for verifying that TLS support is working correctly.
by R1CH
Wed Jun 13, 2018 4:45 pm
Forum: General
Topic: problems resolving IP Cloud addresses
Replies: 4
Views: 216

Re: problems resolving IP Cloud addresses

GTLD nameservers are still returning the old records. May want to check that.

https://r-1.ch/r1dns/dnscheck.cgi?domain=mynetname.net
by R1CH
Tue Jun 12, 2018 2:38 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 12
Views: 412

Re: cant' activate purchased SSL certificate for hotspot

Yes, you need to be able to prove ownership of it in some way, eg email to postmaster@example.com should be receivable or if you use free Let's Encrypt cert, challenge files at example.com/.well-known/acme-challenge.
by R1CH
Mon Jun 11, 2018 7:02 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 12
Views: 412

Re: cant' activate purchased SSL certificate for hotspot

You need a FQDN to be able to get a valid CA signed cert. Namecheap isn't going to allow you to sign "myCa" since you have no proof of ownership over that name.

Use something like hotspot.your-isp.com.
by R1CH
Mon Jun 11, 2018 12:54 pm
Forum: RouterBOARD hardware
Topic: IEEE 802.11ac (wave 2)
Replies: 9
Views: 2995

Re: IEEE 802.11ac (wave 2)

There's no Wave2 support for anything yet.
by R1CH
Fri Jun 08, 2018 5:23 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

Thanks, so other than the microtik update service there is really no need for port 80 traffic on the output chain (from the router either with a source port of 80 or with a destination port of 80). Be aware that compromised devices could serve 2nd stage payloads from any port - blocking OUTPUT port...
by R1CH
Thu Jun 07, 2018 7:31 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

One thing I have started doing as a preventative measure - block everything in the OUTPUT chain except necessary services (eg dhcp client, sntp client, etc). Most exploits can only carry a very small payload, which often downloads a "real" payload from some other infected device. By restricting outb...
by R1CH
Thu Jun 07, 2018 7:29 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

So, anybody got some ideas on how to do this and what can be found/checked/modified/fixed/enhanced/expanded? I would guess the bad guys already do something like this all of the time when looking for possible exploits on Internet connected devices. This is definitely possible, you should be able ...
by R1CH
Thu Jun 07, 2018 7:22 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

Just for the record, I don't think people need to check changelogs "constantly" but probably at least once a year might be cool. Maybe even every six months? Might be a stretch but just actually *looking* would be a start for most. The winbox exploit was a 0-day - meaning it was being exploited in ...
by R1CH
Thu Jun 07, 2018 7:18 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 76
Views: 7499

Re: Winbox 3.14 released!

This version 3.14 works very slowly before connecting to the router. In version 3.13 or 3.12 it connects very fast to the router *) make all connections in secure mode (all data is encrypted with AES128-CBC-SHA); so it requires more CPU processing power from both sides and more information exchange. Thi...
by R1CH
Thu Jun 07, 2018 5:20 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

There is unfortunately no easy way to tell, since Mikrotik doesn't allow us shell access to our routers to perform this kind of examination. There is a "check installation" feature but unfortunately it does not check if there are files on the router that are unaccounted for, even though this has be...
by R1CH
Thu Jun 07, 2018 4:43 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

how to determine if my router is infected? There is unfortunately no easy way to tell, since Mikrotik doesn't allow us shell access to our routers to perform this kind of examination. Lack of shell access also makes it hard to tell if upgrading a compromised device actually removes the compromise, ...
by R1CH
Thu Jun 07, 2018 3:48 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

The fact that Mikrotik is still on the list due to them seeing Mikrotik routers still being hit by this means one thing only for Mikrotik users. They have failed to keep their routers current and are still running over a YEAR OLD (plus) version of ROS. Regardless of this virus attack, that is just ...
by R1CH
Thu Jun 07, 2018 2:53 pm
Forum: General
Topic: HELP! Strange port forwarding behaviour in 951G-2HnD [SOLVED]
Replies: 3
Views: 156

Re: HELP! Strange port forwarding behaviour in 951G-2HnD

I've seen several NVR systems where the web interface runs on one port, but the video streams are all separate ports that are connected to directly via RTP / RTSP. You should connect locally and use a utility like TCPView to figure out which ports are being accessed, then forward all of them.
by R1CH
Wed Jun 06, 2018 7:25 pm
Forum: General
Topic: Which mikrotik router for OpenVPN
Replies: 8
Views: 348

Re: Which mikrotik router for OpenVPN

I would strongly advise against OpenVPN on Mikrotik for the above reasons. Performance is very poor with TCP-in-TCP, see http://sites.inka.de/bigred/devel/tcp-tcp.html for explanations.
by R1CH
Wed Jun 06, 2018 4:32 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

A new technical update was published, which expands the compromised device list to include almost all Mikrotik boards (CCR1009 (new), CCR1016, CCR1036, CCR1072, CRS109 (new), CRS112 (new), CRS125 (new), RB411 (new), RB450 (new), RB750 (new), RB911 (new), RB921 (new), RB941 (new), RB951 (new), RB952 ...
by R1CH
Wed Jun 06, 2018 2:22 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 338
Views: 76261

Re: RouterOS v7.0 beta1 - when?

One reason is probably that when you use opensource software and keep tracking all the updates, you end up with more and more bloated software that does not fit into a space-limited router anymore. It works fine on the PC platform where space and other resource usage (CPU) has grown with the code, ...
by R1CH
Tue Jun 05, 2018 4:17 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 338
Views: 76261

Re: RouterOS v7.0 beta1 - when?

This is the difficulty :D If we were using all open source code, it would be easy to upgrade. Now we must only rely on ourselves to upgrade all programs. Why is Mikrotik so against using open source software? We would have working 802.11ac Wave2, 5 GHz spectral scan, OpenVPN UDP support, more secur...
by R1CH
Tue Jun 05, 2018 2:26 pm
Forum: Wireless Networking
Topic: New standard 802.11ax
Replies: 8
Views: 1735

Re: New standard 802.11ax

Looks like 802.11ax consumer devices will be hitting the market later this year. I really hope Mikrotik is working on something too!

https://www.anandtech.com/show/12871/as ... ax-routers
by R1CH
Sun Jun 03, 2018 6:58 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

Again and again ... it seems to be a kind of sport nowadays to ask "Is Mikrotik vulnerable because someone is scanning a particular port?" If you disable or limit source IPs for all new incoming connections then there should be no problem at all. If you do not secure your router then offenders will try t...
by R1CH
Sat Jun 02, 2018 10:47 pm
Forum: General
Topic: Blocking Virus from Mikrotik
Replies: 9
Views: 407

Re: Blocking Virus from Mikrotik

Perhaps your router was compromised and an attacker is intercepting your DNS.
by R1CH
Sat Jun 02, 2018 7:37 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

Apparently VPNFilter is now scanning for port 2000 (btest server) on Mikrotik routers. Another exploit? Not many admins are aware that this service runs by default.
by R1CH
Fri Jun 01, 2018 7:30 pm
Forum: General
Topic: I can't set a DNS name that starts with a digit.
Replies: 3
Views: 200

Re: I can't set a DNS name that starts with a digit.

Seems like Mikrotik is not RFC compliant here. 2.1 Host Names and Numbers The syntax of a legal Internet host name was specified in RFC-952 [DNS:4]. One aspect of host name syntax is hereby changed: the restriction on the first character is relaxed to allow either a letter or a digit. Host software ...
by R1CH
Thu May 31, 2018 6:25 pm
Forum: General
Topic: Upgraded to 6.42.3 - some SSL trouble from clients
Replies: 4
Views: 278

Re: Upgraded to 6.42.3 - some SSL trouble from clients

Sounds like you have a firewall issue, SSL should be no different to other traffic unless affected by rules (or perhaps some other middlebox is interfering).
by R1CH
Tue May 29, 2018 5:58 pm
Forum: General
Topic: anyone facing DNS ip change to another ip, which is not set by network admin?
Replies: 2
Views: 100

Re: anyone facing DNS ip change to another ip, which is not set by network admin?

You should make sure you're using the latest RouterOS and have changed all your passwords. There are several exploits that could have caused this.
by R1CH
Tue May 29, 2018 4:17 pm
Forum: General
Topic: A new scan has started
Replies: 10
Views: 638

Re: A new scan has started

It should not be THAT easy to get a ROS version ... without authentication
Hope you aren't running any wireless networks then, since Mikrotik products broadcast the board name, radio name and RouterOS version number in every beacon!
by R1CH
Tue May 29, 2018 3:11 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 76
Views: 7499

Re: Winbox 3.14 released!

I've tested on 2 PCs, one of them is the PC which has the signing certificate and private key, the other one is a fresh Windows 10 laptop with no certificates installed. Both ran the example .exe file with no warning. You can test it yourself, simply edit hosts file or add static DNS to point upgrad...
by R1CH
Tue May 29, 2018 3:00 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 76
Views: 7499

Re: Winbox 3.14 released!

*) make winbox self upgrade check .exe signature; I just tested this.. it checks for a signature, but not Mikrotik's signature! I sign it myself and winbox blindly runs it :-? https://imgur.com/7k8e09p Is that really certificate based? Or simply some MD5 hash? In the latter case this should not be...
by R1CH
Mon May 28, 2018 9:09 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 76
Views: 7499

Re: Winbox 3.14 released!

*) make winbox self upgrade check .exe signature; I just tested this.. it checks for a signature, but not Mikrotik's signature! I sign it myself and winbox blindly runs it :-? https://imgur.com/7k8e09p Is that really certificate based? Or simply some MD5 hash? In the latter case this should not be...
by R1CH
Mon May 28, 2018 7:05 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 76
Views: 7499

Re: Winbox 3.14 released!

*) make winbox self upgrade check .exe signature;
I just tested this.. it checks for a signature, but not Mikrotik's signature! I sign it myself and winbox blindly runs it :-?

https://imgur.com/7k8e09p
by R1CH
Mon May 28, 2018 6:50 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 76
Views: 7499

Re: Winbox 3.14 released!

What's new in v3.14: *) added support for new style authentication and encryption for connections to RouterOS v6.43; *) make all connections in secure mode (all data is encrypted with AES128-CBC-SHA); *) make winbox self upgrade check .exe signature; Nice to see a focus on security! Does the "new s...
by R1CH
Sun May 27, 2018 4:10 pm
Forum: General
Topic: Problem with thread access in ffmpeg
Replies: 5
Views: 232

Re: Problem with thread access in ffmpeg

Very weird. RTMP uses TCP and 1.8mbps should be no problem for any Routerboard. Maybe check MTU etc?
by R1CH
Fri May 25, 2018 2:43 pm
Forum: General
Topic: Problem with thread access in ffmpeg
Replies: 5
Views: 232

Re: Problem with thread access in ffmpeg

What's the bandwidth of the source stream?
by R1CH
Fri May 25, 2018 2:40 pm
Forum: General
Topic: How to avoid exposing RB version over a wireless AP?
Replies: 3
Views: 203

Re: How to avoid exposing RB version over a wireless AP?

This information along with the radio name and model number is directly encoded into the 802.11 beacons - you cannot remove it (yet).

viewtopic.php?t=133186
by R1CH
Thu May 24, 2018 7:44 pm
Forum: General
Topic: CCR1009-7G-1C-1S+ 10G SFP
Replies: 1
Views: 116

Re: CCR1009-7G-1C-1S+ 10G SFP

Bandwidth tests should be run THROUGH the device, not ON the device. Generating 10G of traffic needs lots of CPU, so it maxes out at a single core on CCR1009.
by R1CH
Thu May 24, 2018 7:41 pm
Forum: General
Topic: [Security] Attackers changed DNS servers
Replies: 8
Views: 2603

Re: [Security] Attackers changed DNS servers

Because you run an old version of RouterOS. Update and change all passwords.
by R1CH
Thu May 24, 2018 4:40 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

How do you know for sure it was the www exploit that was used instead of for example the more recent winbox exploit?
by R1CH
Wed May 23, 2018 8:29 pm
Forum: RouterBOARD hardware
Topic: VPNFilter Malware
Replies: 8
Views: 3174

Re: VPNFilter Malware

"We are unsure of the particular exploit used in any given case"

This is yet another reason why we need shell access to our own routers, so we can do our own investigating and look for signs of compromise. Not every exploit is public.
by R1CH
Fri May 18, 2018 9:46 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 4252

Re: I cant quite wrap my head around this one...

Sounds like the BT router has some AQM built in that you will need to replicate with RouterOS queue rules. Given the age of RouterOS kernel though it won't be able to compete with modern AQM like fq_codel (https://www.bufferbloat.net/projects/codel/wiki/) which is easy to set-and-forget.
by R1CH
Fri May 18, 2018 9:43 pm
Forum: General
Topic: Firewall Logic / Operation [SOLVED]
Replies: 2
Views: 176

Re: Firewall Logic / Operation [SOLVED]

An established connection should be tracked for 24 hours at minimum, I don't know where you're seeing 60 seconds but that certainly doesn't sound right. You should be seeing SYN, SYN+ACK, ACK as the connection establishment procedure. I'm also not clear what you mean by renegotiating, all connection...
by R1CH
Fri May 18, 2018 6:55 pm
Forum: RouterBOARD hardware
Topic: RB850Gx2 vs RB450Gx4
Replies: 21
Views: 1476

Re: RB850Gx2 vs RB450Gx4

No heatsink on the IPQ4019 chip?! Is it really that power efficient?
by R1CH
Sat May 12, 2018 12:05 am
Forum: RouterBOARD hardware
Topic: hAP AC2 Wrong Setup Instructions
Replies: 9
Views: 746

Re: hAP AC2 Wrong Setup Instructions

Both of mine were new, from the only place in NL that had them in stock at the time (Routershop, listed as official reseller on "Buy" page). They were not in CPE mode once I was able to get a connection, something just caused the first time power up to behave very weirdly. Maybe next time I will try...
by R1CH
Thu May 10, 2018 7:22 pm
Forum: RouterBOARD hardware
Topic: What can be improved in hEX (RB750Gr3)?
Replies: 22
Views: 1738

Re: What can be improved in hEX (RB750Gr3)?

A CCR1009 is cheap enough, plus Tile architecture is end of life so I don't see new products based on that. I'd like a new hEX to be based on quad core ARM (same as hAP AC2) and 8 GigE ports, maybe one SFP/SFP+ if we're lucky. Plus a separate POE version able to handle ~ 80W combined output. Nothing...
by R1CH
Thu May 10, 2018 5:56 pm
Forum: RouterBOARD hardware
Topic: 10GBASE-T for Mikrotik
Replies: 13
Views: 1127

Re: 10GBASE-T for Mikrotik

Because 99.9% of home users don't need > 1gbps, since their devices won't support it. 8 port 10GB for $150? Who are you kidding! A switch alone would be $500+.

I would appreciate more ports in Mikrotik products though, 4+1 is not enough these days.