Community discussions

Search found 846 matches

by R1CH
Fri May 17, 2019 1:40 pm
Forum: RouterBOARD hardware
Topic: [idea] cAP ax
Replies: 7
Views: 559

Re: [idea] cAP ax

There's plenty of chipsets available, the problem is likely software. Since Mikrotik write their own wifi driver, it will take a long time before a stable 802.11ax driver is available. Even the 802.11ac support still isn't up to the competition after all these years. If you need 802.11ax there's oth...
by R1CH
Mon May 13, 2019 2:36 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44034

Re: v6.45beta [testing] is released!

conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.
by R1CH
Fri May 10, 2019 7:24 pm
Forum: General
Topic: Import and use SSL Certificate
Replies: 5
Views: 259

Re: Import and use SSL Certificate

The purpose of importing an SSL cert into RouterOS is to secure the hotspot landing page. It won't help you do anything else, if you want to do SSL MITM the root has to be installed on all end user devices regardless of what's on the router.
by R1CH
Fri Apr 26, 2019 3:18 pm
Forum: Wireless Networking
Topic: Wifi AP strength VS Wifi Client strength
Replies: 3
Views: 274

Re: Wifi AP strength VS Wifi Client strength

APs generally have more power than client devices, so tuning output power to get a balance is important. You're right that a higher gain antenna both improves transmit and receive, but at the cost of radiation pattern. For example a 12dB omni in a house would work great on one floor but go upstairs ...
by R1CH
Sun Apr 21, 2019 11:26 pm
Forum: Wireless Networking
Topic: MikroTik Wireless performance VS Ubiquiti VS Ruckus
Replies: 3
Views: 583

Re: MikroTik Wireless performance VS Ubiquiti VS Ruckus

For reasons unknown, Mikrotik are very against using open source, and this results in an outdated Linux kernel and custom written drivers and services. This greatly slows development time compared to other manufacturers who use open source on the software side and then focus on building their hardwa...
by R1CH
Thu Apr 18, 2019 1:35 pm
Forum: General
Topic: Problems with BitTorrent
Replies: 8
Views: 367

Re: Problems with BitTorrent

Mikrotik wifi performance is often worse than competitor devices due to outdated kernel and proprietary drivers. That said it shouldn't drop out completely like this. Is the device possibly overheating? I would suggest trying 20 MHz channel, g/n only, enable WMM and set group key update to 1h (secur...
by R1CH
Thu Apr 18, 2019 1:32 pm
Forum: General
Topic: Reliability of RouterOS updates [SOLVED]
Replies: 2
Views: 234

Re: Reliability of RouterOS updates [SOLVED]

"Stable" often introduces regressions, rarely has this resulted in total connectivity loss but I generally stick to long-term on remote devices unless there's need for a specific change. Unless it's a security related fix, I would also wait a few days for bugs to be reported by others before upgradi...
by R1CH
Mon Apr 15, 2019 11:37 pm
Forum: General
Topic: Hotspot https redirect feature
Replies: 4
Views: 311

Re: Hotspot https redirect feature

The redirection will never work due to security guarantee of HTTPS. Documentation should be like this:

https-redirect=yes
Show a security error if user tries to open HTTPS website.

https-redirect=no
Show a network error if user tries to open HTTPS website.
by R1CH
Mon Apr 15, 2019 11:25 pm
Forum: General
Topic: DHCP "flood" Malformed Packet
Replies: 3
Views: 263

Re: DHCP "flood" Malformed Packet

Disable detect-internet "feature".
by R1CH
Wed Apr 10, 2019 1:27 pm
Forum: General
Topic: VPN blocked?
Replies: 2
Views: 160

Re: VPN blocked?

You should check firewall rules on 188.252.172.1.
by R1CH
Mon Apr 08, 2019 6:58 pm
Forum: Wireless Networking
Topic: hAP ac wireless problem
Replies: 8
Views: 553

Re: hAP ac wireless problem

Default settings are probably not good for your environment. Pick correct frequency, channel width, enable WMM, set country, etc.
by R1CH
Sat Apr 06, 2019 3:43 pm
Forum: Wireless Networking
Topic: Mikrotik WLAN & CAPsMAN - Bad download perfomance
Replies: 33
Views: 2839

Re: Mikrotik wireless LAN - WiFi - MIMO not working

The wAP AC CPU is likely maxing out at that bandwidth.
by R1CH
Thu Apr 04, 2019 6:07 pm
Forum: General
Topic: Help: IPv4 NAT - some https websites won't load
Replies: 4
Views: 710

Re: Help: IPv4 NAT - some https websites won't load

Not being able to load HTTPS sites is usually an MTU issue due to larger packets. Make sure you're clamping TCP MSS if you have a non-standard MTU and aren't blocking ICMP.
by R1CH
Mon Apr 01, 2019 2:33 pm
Forum: General
Topic: ros rb4011 2.4g can't be connected by 4 devices?
Replies: 6
Views: 316

Re: ros rb4011 2.4g can't be connected by 4 devices?

With 20 virtual APs you are probably destroying the channel with beacons. Make sure to set g/n only or change your data rates.

https://r1ch.net/blog/wifi-beacon-pollution
by R1CH
Sat Mar 30, 2019 3:37 pm
Forum: General
Topic: Block DropBox with firewall
Replies: 2
Views: 268

Re: Block DropBox with firewall

As it's HTTPS you need to block via DNS or IP range, not recommended. If bandwidth consumption is a concern then use queues or data limits for your users.
by R1CH
Sat Mar 30, 2019 3:28 pm
Forum: General
Topic: how to close all UDP ports on mikrotik?
Replies: 3
Views: 324

Re: how to close all UDP ports on mikrotik?

Add rule to FORWARD chain, protocol UDP, action DROP. Note that this will break a lot of things that rely on UDP, a better solution is to fix whichever client behind your router is infected and trying to scan the internet.
by R1CH
Fri Mar 29, 2019 2:07 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 13868

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

why r u being so disruptive and trying to break mikrotik?
That's what security researchers do. Any internet connected device and protocol is studied for such bugs, and finding and fixing them makes everyone safer. Be happy that he found it before the bad guys did. Imagine someone constantly crashin...
by R1CH
Thu Mar 28, 2019 2:24 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 13868

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Somehow this is the first I've heard of this and I'm very concerned as I have a modern network that includes IPv6. You're saying Mikrotik have known about this for 50 weeks and it hasn't been fixed?!? What is going on over there?! This is a completely unacceptable response for a security vulnerabili...
by R1CH
Tue Mar 26, 2019 5:32 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 519

Re: wAP AC reaching out to 159.148.172.226:80 every hour

First thing I checked, definitely disabled.
by R1CH
Tue Mar 26, 2019 2:39 pm
Forum: General
Topic: Question about SSL certificate
Replies: 3
Views: 287

Re: Question about SSL certificate

by R1CH
Tue Mar 26, 2019 2:35 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 519

Re: wAP AC reaching out to 159.148.172.226:80 every hour

The log screenshot is from my core router, the AP has forwarding disabled since it bridges onto the appropriate VLANs so it can't be coming from a client.
by R1CH
Tue Mar 26, 2019 1:51 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 519

Re: wAP AC reaching out to 159.148.172.226:80 every hour

Why would it be doing this by itself? I have no auto upgrade configured, no one is logged in and running check-for-updates. None of the other devices with the same config are doing this.
by R1CH
Tue Mar 26, 2019 1:52 am
Forum: General
Topic: lost password after exploit
Replies: 3
Views: 261

Re: lost password after exploit

If it isn't blocked just use the same exploit to gain access. https://github.com/BigNerd95/WinboxExploit
by R1CH
Tue Mar 26, 2019 1:51 am
Forum: General
Topic: Local devices on DHCP are in DNS cache as 0.0.0.0
Replies: 2
Views: 164

Re: Local devices on DHCP are in DNS cache as 0.0.0.0

DHCP does not register DNS. You need to script this if you want it.

https://wiki.mikrotik.com/wiki/Setting_ ... DHCP_lease
by R1CH
Tue Mar 26, 2019 1:50 am
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 519

Re: wAP AC reaching out to 159.148.172.226:80 every hour

Nope. Very basic config, bridged wlans, some virtual APs, no CAPSMAN. Can't think what else would be causing it.
by R1CH
Mon Mar 25, 2019 6:01 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 519

wAP AC reaching out to 159.148.172.226:80 every hour

Trying to figure why this is happening as of 6.44, also tried 6.44.1. I upgraded all my wAP AC units (5), however only one of them is displaying this behavior. https://i.imgur.com/pE3W2M2.png DDNS is disabled, Update Time is disabled, TZ auto detect is disabled. No scripts, scheduler, etc. What else...
by R1CH
Mon Mar 25, 2019 4:18 pm
Forum: General
Topic: dns cache problam
Replies: 2
Views: 155

Re: dns cache problam

Those are negative entries, the random names are normal and used by captive portal detection of various OSes. Nothing in that should affect WhatsApp, the problem may be elsewhere.
by R1CH
Sat Mar 23, 2019 8:01 pm
Forum: Wireless Networking
Topic: Multiple SSID’s and DHCP [SOLVED]
Replies: 3
Views: 254

Re: Multiple SSID’s and DHCP [SOLVED]

Bridge should be fine, just make sure DHCP server is set up to run on the bridge instead of one of the interfaces.
by R1CH
Fri Mar 22, 2019 5:31 pm
Forum: General
Topic: Help to config roming wireless
Replies: 4
Views: 301

Re: Help to config roming wireless

The best thing you can do with Mikrotik is set up all APs with same SSID / authentication, ensure they're all in the same broadcast domain and ensure your DHCP server is very fast at handling requests / renews (eg no pinging for 2 seconds before giving a lease). Unfortunately RouterOS lacks support f...
by R1CH
Fri Mar 22, 2019 1:33 pm
Forum: Wireless Networking
Topic: 256QAM and AC provisioning on 2,4GHz
Replies: 2
Views: 306

Re: 256QAM and AC provisioning on 2,4GHz

Sounds like you're asking for 802.11ax...
by R1CH
Fri Mar 22, 2019 12:17 pm
Forum: General
Topic: Question about SSL certificate
Replies: 3
Views: 287

Re: Question about SSL certificate

Yes, the hotspot FQDN must match the certificate. Do note that this only provides security to the hotspot page itself, it will not help in redirecting HTTPS pages to the hotspot.
by R1CH
Thu Mar 21, 2019 6:35 pm
Forum: General
Topic: Feature Request: Separate the firmware(bootloader) and routeros version number
Replies: 8
Views: 364

Re: Feature Request: Separate the firmware(bootloader) and routeros version number

You always need to update RouterBOOT and keep it the same version as RouterOS
The problem is Routerboot often has no changes between RouterOS versions, but we have no way of knowing since the version is incremented regardless. This involves needless reboots and additional wear on the small flash re...
by R1CH
Wed Mar 20, 2019 9:36 pm
Forum: RouterBOARD hardware
Topic: hAP ac and Verizon Gigabit
Replies: 4
Views: 299

Re: hAP ac and Verizon Gigabit

Make sure fasttrack is active, hAP AC is unlikely to be able to do 1gbps otherwise.
by R1CH
Tue Mar 19, 2019 1:26 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 485

Re: HOTSPOT login https error

You don't start, since that is impossible. The security of HTTPS negates attempts to intercept such requests, unless you want to teach your users to blindly ignore serious security errors.
by R1CH
Tue Mar 19, 2019 1:24 pm
Forum: General
Topic: CPU consumption by Horizon?
Replies: 2
Views: 417

Re: CPU consumption by Horizon?

Horizon will disable hardware offload according to wiki.
by R1CH
Mon Mar 18, 2019 4:22 pm
Forum: General
Topic: Putty updated to 0.71
Replies: 12
Views: 546

Re: Putty updated to 0.71

Which is my point. Post it in the phucking putty forum. Do you want me to start effing posting everytime there is a windows update, a linux update, a macos update, an avast update, etc etc etc............ I might as well post everytime I pop a zit, and pluck a nose hair. ;-) It's been almost two ye...
by R1CH
Mon Mar 18, 2019 1:51 am
Forum: Wireless Networking
Topic: blog.mikrotik.com: 802.11ay?
Replies: 3
Views: 388

Re: blog.mikrotik.com: 802.11ay?

Right after 802.11ax...
by R1CH
Mon Mar 18, 2019 1:49 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 15777

Re: v6.44.1 [stable] is released!

Do you really need all those packages? You are likely out of space since the device only has 16MB flash.
by R1CH
Sun Mar 17, 2019 11:54 pm
Forum: General
Topic: Redirect All SSL Pages to one page
Replies: 4
Views: 230

Re: Redirect All SSL Pages to one page

Don't set up your network in a way that intercepts all HTTPS requests and encourages users to bypass SSL errors. This is teaching users very dangerous practices, when their connection actually does get MITMed by a network attacker or compromised DNS, website, etc, then they will happily ignore the e...
by R1CH
Fri Mar 15, 2019 6:52 pm
Forum: General
Topic: Redirect All SSL Pages to one page
Replies: 4
Views: 230

Re: Redirect All SSL Pages to one page

Not possible, HTTPS is secure so you can't intercept it.
by R1CH
Fri Mar 15, 2019 6:51 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 15777

Re: v6.44.1 [stable] is released!

I didn't see any difference in behavior, it behaves as if it's disabled regardless of the checkbox state.
by R1CH
Fri Mar 15, 2019 3:56 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 15777

Re: v6.44.1 [stable] is released!

This doesn't affect users only during an upgrade, the default RouterOS conntrack timeouts are quite low and especially with the bug with tcp unacked timer, it's easy to get day-to-day TCP connections affected by this.
by R1CH
Fri Mar 15, 2019 3:42 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 15777

Re: v6.44.1 [stable] is released!

I can confirm the "Loose TCP Tracking" is completely broken in this release (and perhaps 6.44, didn't test it extensively). Previously established connections are treated as INVALID regardless of the setting.
by R1CH
Fri Mar 15, 2019 3:27 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 485

Re: HOTSPOT login https error

Just make sure nothing is in the walled garden. As long as the user is using a modern browser or phone, they should get the prompt for the portal.
by R1CH
Thu Mar 14, 2019 9:11 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 485

Re: HOTSPOT login https error

Make sure that you aren't allowing any sites in the hotspot before user auth, if you allow connectivity to Google / Apple / etc, the browser will think it has internet and will not trigger the captive portal. Any modern browser otherwise will notice the connection test is failing and prompt the user...
by R1CH
Tue Mar 12, 2019 7:52 pm
Forum: General
Topic: Connection tracking issue
Replies: 2
Views: 290

Re: Connection tracking issue

If you're seeing untranslated packets make it onto the network then you must have modified the default config, as this is considered "invalid" by netfilter and the defconf rules drop it.
by R1CH
Sun Mar 10, 2019 7:47 pm
Forum: General
Topic: Is there any way to do HTTP and HTTPS traffic shaping based on categories?
Replies: 10
Views: 340

Re: Is there any way to do HTTP and HTTPS traffic shaping based on categories?

You can use the tls host rule which works with SNI.
by R1CH
Sat Mar 09, 2019 2:48 pm
Forum: RouterBOARD hardware
Topic: MUM Europe 2019: new hardware
Replies: 61
Views: 7764

Re: MUM Europe 2019: new hardware

Wish there was some announcements about 802.11ax. I guess until ROS v7 is released the kernel is too old to support such drivers anyway.
by R1CH
Fri Mar 08, 2019 5:14 pm
Forum: General
Topic: hEX S shows activity on disabled SFP port without a link
Replies: 6
Views: 259

Re: hEX S shows activity on disabled SFP port without a link

I enabled the interface and the problem stopped. Very weird behavior. I don't plan on using the SFP port so this doesn't seem to cause any issues.
by R1CH
Thu Mar 07, 2019 7:44 pm
Forum: General
Topic: hEX S shows activity on disabled SFP port without a link
Replies: 6
Views: 259

Re: hEX S shows activity on disabled SFP port without a link

This is occurring with 6.44.