Community discussions

Search found 749 matches

by R1CH
Mon Jan 14, 2019 10:57 pm
Forum: General
Topic: Tower Cabling Choice?
Replies: 4
Views: 217

Re: Tower Cabling Choice?

Shielding / UV resistance is probably more important for outdoor use. Ubiquiti have a product which looks good: https://www.ui.com/accessories/toughcable/
by R1CH
Sat Jan 12, 2019 9:05 pm
Forum: General
Topic: Drop Rules and Packet Count
Replies: 3
Views: 175

Re: Drop Rules and Packet Count

Yes, VLANs are considered their own interfaces and are filtered independently of the interface to which they're connected. You can filter by physical ports using the in / out bridge port options.
by R1CH
Fri Jan 11, 2019 4:18 pm
Forum: General
Topic: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???
Replies: 4
Views: 292

Re: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

For forward chain it maybe makes a bit of sense to block new connections to these ports, however most of these are no longer active threats and you risk blocking legitimate services (eg cloud services that pick ephemeral ports). The only ones I use on my network are blocking leaky SMB (137-139,445) ...
by R1CH
Thu Jan 10, 2019 8:06 pm
Forum: RouterBOARD hardware
Topic: Higher-end PWR-Line AP
Replies: 1
Views: 120

Re: Higher-end PWR-Line AP

Would be indeed nice, the fact that the current devices only do 2.4 GHz is an immediate non-starter for me.
by R1CH
Wed Jan 09, 2019 2:45 pm
Forum: Announcements
Topic: v6.42.11 [long-term] is released!
Replies: 40
Views: 3770

Re: v6.42.11 [long-term] is released!

Tried to update to 6.42.11 from 6.42.9 on a hEX using "Download and install", then realized I needed to check something so hit Cancel at about 90% downloaded. I then tried "Download and install" later and it says "not enough disk space" and there are no files available to delete. How do I delete this...
by R1CH
Wed Jan 09, 2019 12:41 pm
Forum: Wireless Networking
Topic: High ping to router HAP AC2
Replies: 19
Views: 542

Re: High ping to router HAP AC2

Make sure you're configuring / connecting to wlan2 (5 GHz), 2.4 GHz is too noisy for reliable connections.
by R1CH
Tue Jan 08, 2019 5:20 pm
Forum: General
Topic: firewall rules
Replies: 18
Views: 663

Re: firewall rules

A default drop is generally much better than adding lots of other rules for port scans, address filters, weird TCP flags etc. On embedded devices like routerboards you have limited CPU time, having lots of filter rules running on each packet opens you up to a resource exhaustion DoS.
by R1CH
Mon Jan 07, 2019 3:55 pm
Forum: General
Topic: add it to wishlist - Multicore support for bandwidth test in ROS
Replies: 2
Views: 191

Re: add it to wishlist - Multicore support for bandwidth test in ROS

It's generally better to use iperf instead.
by R1CH
Thu Jan 03, 2019 2:20 pm
Forum: General
Topic: Open Facebook messenger from hotspot after login
Replies: 1
Views: 84

Re: Open Facebook messenger from hotspot after login

The iOS hotspot login page is presented in a modified browser window that for security reasons does not support redirecting to app protocol handlers. Perhaps try directing to a web based version of messenger, since you have no guarantees anyone even has it installed.
by R1CH
Thu Jan 03, 2019 2:07 pm
Forum: General
Topic: VLAN is to complicated
Replies: 21
Views: 1244

Re: VLAN is to complicated

I agree, VLAN support is very messy. It would be nice if when configuring a software VLAN that RouterOS would just enable hardware offloading like it does for a bridge. Having both hardware and software VLAN configurations mixed together gets very confusing.
by R1CH
Thu Jan 03, 2019 1:13 pm
Forum: General
Topic: Should MikroTik make more powerful antennas and wireless protocols in 2019?
Replies: 19
Views: 957

Re: Should MikroTik make more powerful antennas and wireless protocols in 2019?

You know that we will not see new kernel on current RBs? Update actual RBs or make new ones with new kernel, better hardware and so on, what's the best choice for MK that is selling their products? Come on, it's not so different than smartphones. I don't see why not, there isn't that much hardware ...
by R1CH
Thu Jan 03, 2019 12:25 am
Forum: General
Topic: Hacked Board
Replies: 15
Views: 810

Re: Hacked Board

Changing passwords is not enough, you MUST netinstall any compromised device!
by R1CH
Wed Jan 02, 2019 5:53 pm
Forum: General
Topic: Should MikroTik make more powerful antennas and wireless protocols in 2019?
Replies: 19
Views: 957

Re: Should MikroTik make more powerful antennas and wireless protocols in 2019?

As other posters have said, new antennas and protocols don't mean anything when we're still forced to use a six year old kernel with a hacked-together wifi driver that barely supports any modern features. I want an up to date kernel and non-proprietary wifi drivers far more than I want new antennas ...
by R1CH
Wed Jan 02, 2019 5:49 pm
Forum: General
Topic: Hacked Board
Replies: 15
Views: 810

Re: Hacked Board

They have enabled packet sniffer to send all passwords, bitcoin private keys, etc to their server. You should format and netinstall with a known good config, once a board is compromised it cannot be safely restored from winbox / terminal alone since a root exploit could have been used.
by R1CH
Mon Dec 31, 2018 8:34 pm
Forum: General
Topic: under attack in port 32231? - help
Replies: 25
Views: 1083

Re: under attack in port 32231? - help

Imagine an attacker is sending a small flood of 10mbps; they are TCP packets with spoofed IPs, so your address list is filling up at a rate of 10k+ unique addresses per second, which increases memory and CPU usage. Without the rule, the packets would be dropped with no additional overhead.
by R1CH
Mon Dec 31, 2018 4:39 pm
Forum: General
Topic: under attack in port 32231? - help
Replies: 25
Views: 1083

Re: under attack in port 32231? - help

Such rules open you up to resource exhaustion DoS and offer very little protection over a default drop. I would not recommend them.
by R1CH
Mon Dec 31, 2018 4:36 pm
Forum: Announcements
Topic: v6.43.8 [stable] is released!
Replies: 143
Views: 17355

Re: v6.43.8 [stable] is released!

!) telnet - do not allow to set "tracefile" parameter;

After some digging, it turns out this is actually to fix an exploit that enables privilege escalation to root or damage to system files. Why is this not labelled as a security fix?

https://cxsecurity.com/issue/WLB-2018120151
by R1CH
Mon Dec 31, 2018 2:20 am
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 502

Re: Redirect requests from HTTPS

You can indeed TCP proxy a HTTPS connection, eg force google.com to resolve to 1.2.3.4 and then proxy 1.2.3.4:443 -> google.com:443. This does not allow you to redirect or do anything else to it though. If you tried to proxy 1.2.3.4:443 -> myhotspot.com:443, the browser would terminate the connectio...
by R1CH
Mon Dec 31, 2018 1:09 am
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 502

Re: Redirect requests from HTTPS

I'm not talking about a session takeover. In a corporate environment where you can control every device then yes, you can intercept and redirect HTTPS by installing a MITM root cert. However people running a Mikrotik Hotspot are unlikely in such an environment otherwise they would be using EAP / 802...
by R1CH
Sun Dec 30, 2018 11:32 pm
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 502

Re: Redirect requests from HTTPS

They are all wrong. If it was possible to intercept and redirect HTTPS, then what's to stop anyone intercepting online banking and other secure sites?

The wiki article only gives steps for making your hotspot login page HTTPS compliant. This has nothing to do with intercepting HTTPS requests.
by R1CH
Sun Dec 30, 2018 5:22 pm
Forum: General
Topic: how to drop udp attack without port in mikrotik?
Replies: 3
Views: 274

Re: how to drop udp attack without port in mikrotik?

Those are fragments. It looks like you are being attacked by a reflected DNS DDoS amplification attack, there isn't much you can do about it as by the time you could block it it's already consumed your bandwidth. You should also ensure you have correct firewall rules to make sure you aren't actually...
by R1CH
Sun Dec 30, 2018 5:15 pm
Forum: General
Topic: under attack in port 32231? - help
Replies: 25
Views: 1083

Re: under attack in port 32231? - help

All you need is a rule at the end of the input chain with action=drop, with your allow rules before it. Stop trying to be fancy with specific ports, TCP scanners, address lists, etc. These offer no additional benefit over a simple drop rule and actually increase resource usage and open you up to DoS.
by R1CH
Sun Dec 30, 2018 5:12 pm
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 502

Re: Redirect requests from HTTPS

This is NOT POSSIBLE, don't waste your time trying.
by R1CH
Mon Dec 17, 2018 12:19 pm
Forum: General
Topic: IP Cloud question
Replies: 26
Views: 860

Re: IP Cloud question

If you use an old RouterOS version, the service no longer works. Make sure to update your RouterOS, stop the IP cloud service then start it again.

EDIT: Actually it seems like a service outage, ns1.kissthenet.net and ns2.kissthenet.net are both failing.
by R1CH
Fri Dec 14, 2018 2:07 pm
Forum: RouterBOARD hardware
Topic: CCR1009-8G-1S-1S+ Can't get more than 350-450 Mbps single session, can get more with multiple sessions
Replies: 4
Views: 318

Re: CCR1009-8G-1S-1S+ Can't get more than 350-450 Mbps single session, can get more with multiple sessions

I had a similar issue; disabling queues / enabling fasttrack helped for me though. I think the problem is the RouterOS kernel is too old to support proper balancing of connections across multiple cores, hopefully this is fixed if / when RouterOS v7 comes out. 350 mbps does seem on the low side though...
by R1CH
Wed Dec 12, 2018 7:23 pm
Forum: General
Topic: hAp ac^2: inferior LAN-to-LAN performance when HW offloading is used
Replies: 5
Views: 309

Re: hAp ac^2: inferior LAN-to-LAN performance when HW offloading is used

I vaguely recall reading something about how mixed speeds cause the switch chip to have to flush buffers before processing a new packet. It's best to put a cheap gigabit switch in front of the device to handle mixed speed devices so only 1gbps devices are connected directly.
by R1CH
Wed Dec 12, 2018 7:20 pm
Forum: General
Topic: Mikrotik Port Scanner -> Filezilla (21) Problem
Replies: 7
Views: 399

Re: Mikrotik Port Scanner -> Filezilla (21) Problem

FTP opens many connections (1 per file), you should make sure your PSD rules are not running if a connection is allowed. It's also very questionable to do anything with PSD since you have no guarantees the IPs you are adding to your lists aren't spoofed.
by R1CH
Tue Dec 11, 2018 1:18 am
Forum: RouterBOARD hardware
Topic: hardware idea for a multiport switch
Replies: 23
Views: 1926

Re: hardware idea for a multiport switch

I agree with the others. 48 port switches / patch panels already have very thick cable bundles, this would be a nightmare to manage cable-wise.
by R1CH
Mon Dec 10, 2018 7:57 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 324
Views: 37829

Re: RB4011

Really happy with the performance on this device, replaced an aging RB951G that had to use fasttrack, and the 4011 handles our 500mbps internet with traffic shaping and IPv6 tunnels with only 25% CPU usage. Only thing I want now is root to install DNSCrypt proxy - anyone found a nice way to root thi...
by R1CH
Fri Dec 07, 2018 11:39 pm
Forum: General
Topic: Supplier requires Iperf Speedtest program
Replies: 8
Views: 292

Re: Supplier requires Iperf Speedtest program

You should always be doing tests "through" the router, the CPUs on the devices are not optimized for generating traffic. Port forwarding is simple enough, iperf only requires a single port or can reverse-connect to an available server.
by R1CH
Fri Dec 07, 2018 11:37 pm
Forum: General
Topic: DNS Flood
Replies: 5
Views: 388

Re: DNS Flood

This image was for 1 second, the client generates that amount several times, figuring out further to find out his CPE was "hacked". But I would like to know about this traffic before it gets worse, in this case I redirected the client to a secondary DNS

That's still well within the realm of normal ...
by R1CH
Fri Dec 07, 2018 8:47 pm
Forum: General
Topic: DNS Flood
Replies: 5
Views: 388

Re: DNS Flood

This looks like normal traffic, DNS resolvers use a new socket for every resolution as an added protection against DNS spoofing. I would not consider 28kbps a "flood".
by R1CH
Wed Dec 05, 2018 5:03 pm
Forum: Wireless Networking
Topic: cap AC Critical Errors???
Replies: 9
Views: 583

Re: cap AC Critical Errors???

Either they are not receiving enough power or the power is not good quality. If you're sure the power source is good and they are running the latest firmware and RouterOS then the device is probably defective.
by R1CH
Wed Dec 05, 2018 5:01 pm
Forum: Wireless Networking
Topic: hAPac2 wifi issue [SOLVED]
Replies: 6
Views: 547

Re: hAPac2 wifi issue [SOLVED]

If you're only bothered by the log entry you can turn off "info" category if you don't want to see this.
by R1CH
Wed Dec 05, 2018 1:53 pm
Forum: Wireless Networking
Topic: hAPac2 wifi issue [SOLVED]
Replies: 6
Views: 547

Re: hAPac2 wifi issue [SOLVED]

This usually means the client is using the wrong WPA2 key.
by R1CH
Sat Dec 01, 2018 10:28 pm
Forum: General
Topic: speedtets using 1 core [SOLVED]
Replies: 7
Views: 298

Re: speedtets using 1 core [SOLVED]

This is a known issue with RouterOS v6. Something to do with the kernel / connection tracking most likely.

See also viewtopic.php?t=131503
by R1CH
Fri Nov 30, 2018 12:04 am
Forum: General
Topic: CoDel support?
Replies: 39
Views: 11715

Re: CoDel support?

No new kernel, so no update. Probably need to wait for RouterOS v7 or move to a different platform if you want this.
by R1CH
Fri Nov 30, 2018 12:03 am
Forum: General
Topic: wifi showing OS version to scanner
Replies: 3
Views: 248

Re: wifi showing OS version to scanner

I also want this to be optional. viewtopic.php?f=7&t=133186
by R1CH
Fri Nov 30, 2018 12:01 am
Forum: General
Topic: SSl Certificat For Mikrotik
Replies: 13
Views: 469

Re: SSl Certificat For Mikrotik

Nothing is being redirected, it's entirely up to the browser or OS. The browser sees a HTTPS loading error, tries to load a HTTP URL and notices if there was a redirect. If so, it assumes there is a portal and offers the sign in option. Since the "HTTPS error" is technically an attack, some bigger s...
by R1CH
Thu Nov 29, 2018 11:58 pm
Forum: General
Topic: Improving hotspot/captive portal detection?
Replies: 3
Views: 217

Re: Improving hotspot/captive portal detection?

Those systems work by seeing a HTTPS error, then trying to access a normal HTTP URL. If the HTTP request is redirected, they assume a portal is in use. As long as you're redirecting everything, you should see the same behavior with the Mikrotik hotspot.
by R1CH
Wed Nov 28, 2018 6:05 pm
Forum: General
Topic: SSl Certificat For Mikrotik
Replies: 13
Views: 469

Re: SSl Certificat For Mikrotik

If your device / browser won't detect the portal automatically, then yes, you need to open a non-HTTPS site to get the portal redirect. Most modern browsers and devices do this automatically in the background though when you connect to a new network. There is NO WAY to redirect a HTTPS site!
by R1CH
Mon Nov 26, 2018 4:58 pm
Forum: General
Topic: Improving hotspot/captive portal detection?
Replies: 3
Views: 217

Re: Improving hotspot/captive portal detection?

There is no system that works with HTTPS*. This is by design, if you could intercept a secure page to show your portal, so could anyone else. The only thing you need to do is redirect ALL requests to your hotspot page, even those without a valid hostname (eg http://sdfnsdgnsseg). When a phone / brow...
by R1CH
Fri Nov 23, 2018 8:05 pm
Forum: General
Topic: Mikrotik SSH Vulnerability 6.14+
Replies: 4
Views: 349

Re: Mikrotik SSH Vulnerability 6.14+

It looks like the researcher has retracted their claim. The only remaining issue is that the sshd supports a "null" cipher, which isn't secure - but you have to explicitly ask for it.

https://twitter.com/hackerfantastic/sta ... 9068090369
by R1CH
Fri Nov 23, 2018 5:54 pm
Forum: General
Topic: Hotspot Landing Page
Replies: 3
Views: 343

Re: Hotspot Landing Page

This is intentional behavior - you cannot redirect HTTPS sites to your landing page. Properly configured phones, laptops etc will detect the presence of the portal and redirect users automatically. Make sure your regular HTTP requests are redirecting and you should be fine.
by R1CH
Fri Nov 23, 2018 4:13 pm
Forum: General
Topic: Router Blocking Connections
Replies: 2
Views: 208

Re: Router Blocking Connections

Your blocklist is blocking most of the internet, which is why ping / winbox is not working.
by R1CH
Fri Nov 23, 2018 4:11 pm
Forum: General
Topic: SSl Certificat For Mikrotik
Replies: 13
Views: 469

Re: SSl Certificat For Mikrotik

For the hotspot login page itself, this is possible. For redirecting clients to the hotspot, this is not possible.
by R1CH
Fri Nov 23, 2018 4:05 pm
Forum: General
Topic: Mikrotik SSH Vulnerability 6.14+
Replies: 4
Views: 349

Mikrotik SSH Vulnerability 6.14+

https://twitter.com/hackerfantastic/status/1065838886989922305 Once again, Mikrotik's custom implementation (instead of a well-tested open source version) has introduced a security flaw: The take-away from this is that an attacker could perform a MITM attack against *any* Mikrotik router during the ...
by R1CH
Thu Nov 22, 2018 2:18 am
Forum: Wireless Networking
Topic: Open Wireless network No.2
Replies: 2
Views: 219

Re: Open Wireless network No.2

Set a "none" security profile.
