Community discussions

Search found 597 matches

by R1CH
Sun Aug 12, 2018 6:17 pm
Forum: General
Topic: TCP congestion Illinois
Replies: 4
Views: 236

Re: TCP congestion Illinois

True, but using such services goes against the goals of speed anyway. OVPN in TCP mode is especially terrible.
by R1CH
Sat Aug 11, 2018 6:41 pm
Forum: General
Topic: TCP congestion Illinois
Replies: 4
Views: 236

Re: TCP congestion Illinois

Router doesn't care about the congestion algorithm, it simply forwards packets. It needs to be configured on the endpoints of the connection.
by R1CH
Sat Aug 11, 2018 2:09 am
Forum: General
Topic: TCP connections from china
Replies: 8
Views: 3031

Re: TCP connections from china

If someone is able to connect to that port, your router is insecure. Make sure to firewall all ports from WAN.
by R1CH
Thu Aug 09, 2018 1:46 pm
Forum: Wireless Networking
Topic: Open url / link from Hotspot login page in a browser
Replies: 1
Views: 63

Re: Open url / link from Hotspot login page in a browser

This is entirely dependent on the client device and not something you can configure.
by R1CH
Thu Aug 09, 2018 1:39 pm
Forum: General
Topic: Security breached devices - Port TCP 4145
Replies: 9
Views: 551

Re: Security breached devices - Port TCP 4145

I think you misunderstand, this isn't about services listening on high ports. Say for example client on the network want to connect to Google DNS, 8.8.8.8 port 53. Their OS has to pick a port on the system to send the query, and to which replies are sent, for example maybe it picks 192.168.88.10 por...
by R1CH
Thu Aug 09, 2018 12:49 pm
Forum: General
Topic: Security breached devices - Port TCP 4145
Replies: 9
Views: 551

Re: Security breached devices - Port TCP 4145

Traffic above the reserved ports (0-1024) can be attributed to ephemeral port use. While most OSes generally use the higher end of available ports, there's nothing stopping them from using 1025-65535 as ephemeral port numbers.
by R1CH
Thu Aug 09, 2018 12:46 pm
Forum: Announcements
Topic: WPA2 preshared key brute force attack
Replies: 13
Views: 2493

Re: WPA2 preshared key brute force attack

How do you get the PMKID from a Mikrotik AP? I have tried the attack on my wAP AC (WPA2-PSK), but the driver didn't implement the necessary fields.
by R1CH
Wed Aug 08, 2018 6:10 pm
Forum: RouterBOARD hardware
Topic: upgrade from RB951G-2HnD
Replies: 3
Views: 198

Re: upgrade from RB951G-2HnD

The IPQ4018 used in new products is much faster than the CPU in RB951G-2HnD.
by R1CH
Wed Aug 08, 2018 1:18 am
Forum: General
Topic: Winbox Vulnerability Changes
Replies: 1
Views: 174

Re: Winbox Vulnerability Changes

The vulnerability allows someone full admin access to the router, so they could change anything and everything. Mikrotik seem to suggest that winbox can even be elevated to shell access, in which case undetectable backdoors could be installed. The safest way to restore a router is export the config,...
by R1CH
Tue Aug 07, 2018 7:11 pm
Forum: Wireless Networking
Topic: PMKID Attack - clientless WPA2/WPA PSK attack
Replies: 6
Views: 744

Re: PMKID Attack - clientless WPA2/WPA PSK attack

I've attempted this attack against a wAP AC and it was unsuccessful. I don't think Mikrotik's wireless driver implements the features that this attack exploits.
by R1CH
Tue Aug 07, 2018 2:24 pm
Forum: General
Topic: Block devices with cloned MAC addresses
Replies: 2
Views: 134

Re: Block devices with cloned MAC addresses

The only decent way is to use EAP / 802.1x for authentication so there are per-client encryption keys.
by R1CH
Tue Aug 07, 2018 2:12 pm
Forum: General
Topic: Warning BotNet Attacks! Noticing These IP's! Suggest blocking them!
Replies: 2
Views: 251

Re: Warning BotNet Attacks! Noticing These IP's! Suggest blocking them!

If the bots are even able to try to log in, this means you are exposing winbox / SSH to the internet, and your router will be compromised when the next exploit is found. Any router that has open ports to the internet is not secure according to Mikrotik.
by R1CH
Tue Aug 07, 2018 2:11 pm
Forum: General
Topic: 100% CPU CCR1072 due DDoS - How to improve?
Replies: 16
Views: 571

Re: 100% CPU CCR1072 due DDoS - How to improve?

close port 80 from outside use. This is not a solution to CPU consumption. Also, if it's a web server you can't do this, it's a useless solution because the attacker can choose any port. It is a solution if you have a listening service on port 80. This is a SYN flood, if you actually have an applic...
by R1CH
Mon Aug 06, 2018 5:48 pm
Forum: General
Topic: HTTPS & Force to login from devices
Replies: 2
Views: 92

Re: HTTPS & Force to login from devices

Allowing *google* and gstatic.com will likely break captive portal detection on client devices.
by R1CH
Mon Aug 06, 2018 5:44 pm
Forum: General
Topic: [Feature request] Wireguard
Replies: 18
Views: 1968

Re: [Feature request] Wireguard

I've been playing around with Wireguard recently and it's so refreshingly simple and fast, it makes setup of a new VPN link so easy. And the fact it uses modern, fast crypto is great - I would love to see this in RouterOS so I can finally ditch ipsec with its huge complexity and outdated crypto. And...
by R1CH
Sun Aug 05, 2018 6:42 pm
Forum: General
Topic: Problem with purchased certificate from Comodo
Replies: 3
Views: 155

Re: Problem with purchased certificate from Comodo

This is indeed a mixed content warning. The connection to the page is secure, but the page requests insecure elements such as scripts which means the integrity of the page cannot be trusted as the insecure scripts could modify it.
by R1CH
Sun Aug 05, 2018 5:08 pm
Forum: Wireless Networking
Topic: PMKID Attack - clientless WPA2/WPA PSK attack
Replies: 6
Views: 744

Re: PMKID Attack - clientless WPA2/WPA PSK attack

This seems like it would only affect 802.1x / EAP setups.
by R1CH
Sun Aug 05, 2018 5:02 pm
Forum: General
Topic: cutting off internet
Replies: 6
Views: 264

Re: cutting off internet

Use firewall time matcher or scheduler.
by R1CH
Sun Aug 05, 2018 2:59 am
Forum: General
Topic: Problems with SSL Godaddy Hotspot
Replies: 7
Views: 454

Re: Problems with SSL Godaddy Hotspot

Everything is working fine. There is nothing more to do.

Phones open the webpage automatically as a convenience, in desktop Chrome you have to click "Connect". You cannot alter how the phones or browsers behave.
by R1CH
Sat Aug 04, 2018 3:27 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 108
Views: 10831

Re: Winbox vulnerability: please upgrade

It's disappointing that both the httpd vulnerability and now the winbox vulnerability required mass exploitation before Mikrotik sent an email. Why not send these emails on day 1?
by R1CH
Thu Aug 02, 2018 12:56 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 60
Views: 6236

Re: Security announcement blog

...ignored upgrading because they thought their router wasn't classified as "unsecured"... Any port open to public networks is unsecure! The point is if port is closed by firewall or by disabling service then it is considered secure. So services like OpenVPN and IPsec in Mikrotik are "unsecure" as ...
by R1CH
Wed Aug 01, 2018 8:11 pm
Forum: General
Topic: Unexpected start message
Replies: 6
Views: 249

Re: Unexpected start message

How would malware get access to run arbitrary cp commands? This looks more like a bug in RouterOS, unless there is a new exploit available to elevate winbox to shell access (which is rumored to be possible).
by R1CH
Wed Aug 01, 2018 5:03 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 60
Views: 6236

Re: Security announcement blog

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router; ... Another example that shows how important is to read changelog. That is why we have tried to upgrade it a little bit after few last releases in order to highlight major fixes and improvements. I would actually us...
by R1CH
Wed Aug 01, 2018 2:54 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 60
Views: 6236

Re: Security announcement blog

I also never received an email about the winbox exploit. Mikrotik claims to have sent it, does anyone actually have a copy of it?
by R1CH
Mon Jul 30, 2018 1:59 pm
Forum: General
Topic: SSL Certificate Issue
Replies: 1
Views: 111

Re: SSL Certificate Issue

Do you have hotspot enabled on any of the routers? Looks like something is intercepting your connections, or your routers are compromised and your DNS has been modified.
by R1CH
Mon Jul 30, 2018 1:57 pm
Forum: General
Topic: Mikrotik + Squid Proxy server to log HTTPS traffic
Replies: 2
Views: 160

Re: Mikrotik + Squid Proxy server to log HTTPS traffic

You cannot log HTTPS traffic. Only CONNECT is a supported Squid proxy method, meaning Squid operates in a simple TCP passthrough mode. The most you can get is the hostname that clients are connecting to, and they must be explicitly configured to use the proxy - transparent proxying does not work for...
by R1CH
Fri Jul 27, 2018 6:33 pm
Forum: General
Topic: 185.153.198.228 Has been BUSY
Replies: 9
Views: 565

Re: 185.153.198.228 Has been BUSY

Exposing your winbox port is asking to be compromised when the next exploit is found. Best to firewall it.
by R1CH
Fri Jul 27, 2018 6:32 pm
Forum: General
Topic: chr support fast path?
Replies: 6
Views: 270

Re: chr support fast path?

The presentation says the VMXNET3 NIC supports fastpath. Are you using that?
by R1CH
Fri Jul 27, 2018 6:29 pm
Forum: General
Topic: How to optimize VPN tunnel over high latency link?
Replies: 3
Views: 142

Re: How to optimize VPN tunnel over high latency link?

If using TCP you probably need to tune the send / receive windows. A single TCP connection has a hard time reaching maximum bandwidth over high speed links. You can experiment with these settings: https://fasterdata.es.net/host-tuning/ms-windows/ RouterOS also has a single TCP connection bandwidth l...
by R1CH
Fri Jul 27, 2018 4:56 pm
Forum: Wireless Networking
Topic: Removing Mikrotik elements from beacons
Replies: 5
Views: 401

Re: Removing Mikrotik elements from beacons

Bump.. still annoyed by the fact that anyone can see the version numbers.
by R1CH
Fri Jul 27, 2018 4:54 pm
Forum: Wireless Networking
Topic: What are the different flags when doing a scanner
Replies: 1
Views: 126

Re: What are the different flags when doing a scanner

A = active, recently appeared in a scan. If this is missing, it means the AP is no longer in range or has a weak signal
P = privacy, network is secured by some method
R = RouterOS network
B = bridged RouterOS network
Unfortunately there's no way to stop advertising as a RouterOS network, this also gives away...
by R1CH
Fri Jul 27, 2018 3:00 pm
Forum: General
Topic: How to optimize VPN tunnel over high latency link?
Replies: 3
Views: 142

Re: How to optimize VPN tunnel over high latency link?

What kind of file copy? If you're trying to do Windows file sharing, it has terrible performance at higher latencies. There's no real workaround, the protocol is just not meant for WAN use. Make sure both sides are set up for SMB3 if possible as this does provide some small improvement.
by R1CH
Thu Jul 26, 2018 1:21 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 60
Views: 6236

Re: Security announcement blog

Is there a way to sign up for email announcements of new articles too?
by R1CH
Wed Jul 25, 2018 7:26 pm
Forum: General
Topic: Mikrotik Routers Compromised......please READ [SOLVED]
Replies: 8
Views: 521

Re: Mikrotik Routers Compromised......please READ [SOLVED]

If you weren't running latest RouterOS you will have been compromised by various exploits, safest way forward is netinstall (and change all passwords).
by R1CH
Wed Jul 25, 2018 7:25 pm
Forum: General
Topic: Blocking facebook
Replies: 10
Views: 5906

Re: Blocking facebook

That doesn't really work when browsers like Firefox will soon be defaulting to DNS over HTTPS.
by R1CH
Mon Jul 23, 2018 4:31 pm
Forum: General
Topic: Block extensions downloads on HTTPS sites
Replies: 10
Views: 305

Re: Block extensions downloads on HTTPS sites

Not possible unless you own all the client devices and install MITM root certs.
by R1CH
Tue Jul 17, 2018 4:18 pm
Forum: RouterBOARD hardware
Topic: RB850Gx2 vs RB450Gx4
Replies: 49
Views: 3978

Re: RB850Gx2 vs RB450Gx4

Anyone tried getting OpenWRT running on one of these yet? Looks like a great board for non-ROS systems.
by R1CH
Mon Jul 16, 2018 2:26 pm
Forum: General
Topic: Problems with SSL Godaddy Hotspot
Replies: 7
Views: 454

Re: Problems with SSL Godaddy Hotspot

Your screenshot is showing everything working perfectly - the browser has detected the hotspot and all you have to do is click "Connect".
by R1CH
Fri Jul 13, 2018 7:37 pm
Forum: General
Topic: Router wireless speed deteriorated
Replies: 1
Views: 101

Re: Router wireless speed deteriorated

Are you sure your router isn't hacked and all the bandwidth being used by attackers? 6.39 is vulnerable to many exploits, if you have any ports exposed it's likely hacked. You should netinstall to 6.42.6 to remove any malware. If you're sure it isn't compromised, try changing channels on the wifi. M...
by R1CH
Fri Jul 13, 2018 2:38 pm
Forum: RouterBOARD hardware
Topic: CRS317 keeps calling "home" (MikroTik cloud) [SOLVED]
Replies: 1
Views: 247

Re: CRS317 keeps calling "home" (MikroTik cloud) [SOLVED]

You also need to disable timezone auto detection.
by R1CH
Fri Jul 13, 2018 2:37 pm
Forum: General
Topic: .npk files auto deleted
Replies: 14
Views: 675

Re: .npk files auto deleted

This definitely sounds like malware that is preventing you from patching the router to a secure version. Safest way forward is to format / netinstall.
by R1CH
Mon Jul 09, 2018 7:56 pm
Forum: Announcements
Topic: Winbox v3.16 released!
Replies: 63
Views: 6968

Re: Winbox v3.16 released!

Winbox self-update is still vulnerable to MITM to execute arbitrary code. (ref: ticket 2018052822004611)
by R1CH
Mon Jul 09, 2018 7:34 pm
Forum: RouterBOARD hardware
Topic: CAP ac bad Antenna design?
Replies: 95
Views: 12949

Re: CAP ac bad Antenna design?

There is no Wave2 support in RouterOS. Maybe in RouterOS v7 when the drivers / kernel are updated.
by R1CH
Sun Jul 08, 2018 1:23 am
Forum: Wireless Networking
Topic: Backup 5GHz link for LHG 60
Replies: 1
Views: 211

Backup 5GHz link for LHG 60

Since rain or other obstacles can cause the 60 GHz link to drop completely, I'm investigating whether to run a 5 GHz link also for redundancy. Failure should be ideally detected within a second and traffic transparently routed to the 5 GHz link until the 60 GHz link is back online. Both sides of the...
by R1CH
Sat Jul 07, 2018 2:42 pm
Forum: General
Topic: DNSSEC
Replies: 26
Views: 6472

Re: DNSSEC

Using an external resolver also fixes latency issues caused by high CPU, routed packets through the kernel still proceed but user mode DNS server is starved, leading to slow DNS response. I also couldn't find a way to do DNS rebinding protection with Mikrotik which was the main reason I switched away.
by R1CH
Sat Jul 07, 2018 2:40 pm
Forum: General
Topic: hAP ac2 crashes?
Replies: 5
Views: 307

Re: hAP ac2 crashes?

I had a wAP AC behave very similarly during a switch loop which is why I mention this. After fixing the loop all devices except the wAP AC came back without intervention.
by R1CH
Fri Jul 06, 2018 6:19 pm
Forum: Wireless Networking
Topic: Client roaming with different subnets and DHCP
Replies: 0
Views: 115

Client roaming with different subnets and DHCP

I was wondering if anyone has any experience with a single SSID roaming setup but using different subnets behind the AP. For example, two SSIDs that share the same name / key, but one assigns in 192.168.88.0/24 space and the other in 10.10.10.0/24: Would most clients issue a new DHCP request when th...
by R1CH
Fri Jul 06, 2018 6:08 pm
Forum: General
Topic: hAP ac2 crashes?
Replies: 5
Views: 307

Re: hAP ac2 crashes?

I would suspect a faulty switch or a loop / broadcast storm. Try monitoring traffic on one of the devices connected to the switch during an outage.