MikroTik

R1CH

Hmm I just looked it up, 802.11w is actually required for 802.11ac certification, so Mikrotik is technically shipping uncertified implementations :D. Hopefully they don't ignore it for WPA3 too. Regarding my other points - with spectral scan I meant an actual RF scan of the frequency, not a simple p...

R1CH

The SAE handshake doesn't look like a huge innovation, was hoping for something more in line with modern TLS, but I guess that's what happens when you have for-profit industry alliances vs open standards bodies. The big question is how long will it take Mikrotik to implement WPA3? We have no 802.11a...

R1CH

There still seems to be a major DNS misconfiguration on the domain used for the IP cloud services. Perhaps fixing this would improve reliability.

https://r-1.ch/r1dns/dnscheck.cgi?domain=mynetname.net

R1CH

Did you do a reinstall after being compromised? Winbox access can be escalated to shell access, where attackers can drop undetectable backdoors and other exploits. Changing passwords might be OK if you're lucky and didn't get hit by a sophisticated exploit, but reinstalling is the only truly safe op...

R1CH

You should also change all passwords after updating, since all user accounts are exposed.

R1CH

toknowall.com is a sinkhole, nothing bad will come from hosts contacting it. Cloudflare IPs rotate often, you are probably blocking hundreds or thousands of legitimate sites with such wide rules.

You should instead redirect toknowall.com locally and monitor / block hosts that way.

R1CH

9.9Gbps maybe you have 1.25Gbps SFP module. Single stream? Wasn't there a limitation, with the way ROS (not) distributed the load of a single stream, among the cores? Was it addressed recently? I think you have the right idea here. If it's a single TCP stream with no firewall rules then ~ 1.2gbps s...

R1CH

You should be more concerned about running such an old version of RouterOS! Your router may already be compromised due to various remote exploits in that version, update it ASAP and check for signs of compromise. As for the hotspot problem, have you tried with different browsers? I would expect the ...

R1CH

I'm also not a fan of the labeling of firmware by RouterOS version. Previously, after updating RouterOS, I could easily see if firmware was outdated and choose to do a 2nd reboot. Now it always appears outdated, even if there were no changes between versions.

R1CH

You should use fsockopen ("tls://$ip"). Be aware that without a valid certificate this will fail.

R1CH

Make sure you're redirecting all HTTP requests to your portal, don't allow whitelists for gstatic.com etc. Other than that it's up to the device, you can't really influence it.

R1CH

If you didn't change passwords after upgrading to fix the winbox exploit, this is likely how they are gaining access. Change all passwords, preferably after netinstall to ensure no remaining backdoors.

R1CH

Any signed cert should be fine, price is not important, even a free one from Let's Encrypt should work. ERR_SSL_VERSION_OR_CIPHER_MISMATCH seems to indicate either the hotspot or your browser isn't using modern protocols / ciphers. I don't know if there are any options in RouterOS, but make sure to ...

R1CH

Telnet is well known to be insecure, SSH is the replacement for it (although why telnet is still provided and enabled by default is another question...) Winbox is a proprietary protocol that claims to be "secure" but is vulnerable to MITM, so the fault lies with it. Hopefully this a pointl...

R1CH

The only email I got was about the old httpd exploit (below). Maybe something went wrong with the sending of the emails? Subject: MikroTik: URGENT security advisory "It has come to our attention that a rogue botnet is currently scanning random public IP addresses to find open Winbox (8291) and ...

R1CH

For vulnerabilities that allow remote code execution or bypassing of authentication, Mikrotik should really be sending out a security advisory emails to every registered customer / active forum user. The winbox exploit for example is much worse than the httpd bug, and that was deserving of an email....

R1CH

Bandwidth test server is hidden! It isn't listed under services but under tools / btest server. If people are able to try to log into it though, this suggests your firewall configuration is incomplete.

R1CH

There seems to be a missing intermediary cert, I'm not entirely sure how RouterOS handles this but try importing the following instead (I added the intermediate cert to the chain).

R1CH

That message means the .crt you supplied to the hotspot wasn't signed properly. Make sure it's the certificate you got from namecheap and not one generated by RouterOS.

You can also link the .crt file here and I can take a look. Make sure you never post the private key though!

R1CH

If you're running 6.40.1 your router may already be compromised as you have not installed critical security patches, you should update ASAP and check for signs of compromise (modified DNS, additional users, VPN tunnels, etc). You use testssl.sh from any Linux system and test it against your hotspot....

R1CH

Make sure your RouterOS is up to date. You can use something like https://testssl.sh for verifying that TLS support is working correctly.

R1CH

GTLD nameservers are still returning the old records. May want to check that.

https://r-1.ch/r1dns/dnscheck.cgi?domain=mynetname.net

R1CH

Yes, you need to be able to prove ownership of it in some way, eg email to postmaster@example.com should be receivable or if you use free Let's Encrypt cert, challenge files at example.com/.well-known/acme-challenge.

R1CH

You need a FQDN to be able to get a valid CA signed cert. Namecheap isn't going to allow you to sign "myCa" since you have no proof of ownership over that name.

Use something like hotspot.your-isp.com.

R1CH

There's no Wave2 support for anything yet.

R1CH

Thanks, so other than the microtik update service there is really no need for port 80 traffic on the output chain (from the router either with a source port of 80 or with a destination port 0f 80). Be aware that compromised devices could serve 2nd stage payloads from any port - blocking OUTPUT port...

R1CH

One thing I have started doing as a preventative measure - block everything in the OUTPUT chain except necessary services (eg dhcp client, sntp client, etc). Most exploits can only carry a very small payload, which often downloads a "real" payload from some other infected device. By restri...

R1CH

So , anybody got some ideas on how to do this and what can be found/checked/modified/fixed/enhanced/expanded ? I would guess the bad guys already do something like this all of the time when looking for possible exploits on Internet connected devices. This is definitely possible, you should be able ...

R1CH

Just for the record, I don't think people need to check changelogs "constantly" but probably at least once a year might be cool. Maybe even every six months? Might be a stretch but just actually *looking* would be a start for most. The winbox exploit was a 0-day - meaning it was being exp...

R1CH

This version 3.14 works very slowly before connecting to the router. In version 3.13 or 3.12 is connect very fast to riuter *) make all connections in secure mode (all data is encrypted with AES128-CBC-SHA); so it requires more CPU processing power from both sides and more information exchange. Thi...

R1CH

There is unfortunately no easy way to tell, since Mikrotik doesn't allow us shell access to our routers to perform this kind of examination. There is a "check installation" feature but unfortunately it does not check if there are files on the router that are unaccounted for, even though t...

R1CH

how to determine if my router is infected? There is unfortunately no easy way to tell, since Mikrotik doesn't allow us shell access to our routers to perform this kind of examination. Lack of shell access also makes it hard to tell if upgrading a compromised device actually removes the compromise, ...

R1CH

The fact that Mikrotik is still on the list due to them seeing Mikrotik routers still being hit by this means one thing only for Mikrotik users. They have failed to keep their routers current and are still running over a YEAR OLD (plus) version of ROS. Regardless of this virus attack, that is just ...

R1CH

I've seen several NVR systems where the web interface runs on one port, but the video streams are all separate ports that are connected to directly via RTP / RTSP. You should connect locally and use a utility like TCPView to figure out which ports are being accessed, then forward all of them.

R1CH

I would strongly advise against OpenVPN on Mikrotik for the above reasons. Performance is very poor with TCP-in-TCP, see http://sites.inka.de/bigred/devel/tcp-tcp.html for explanations.

R1CH

A new technical update was published, which expands the compromised device list to include almost all Mikrotik boards (CCR1009 (new), CCR1016, CCR1036, CCR1072, CRS109 (new), CRS112 (new), CRS125 (new), RB411 (new), RB450 (new), RB750 (new), RB911 (new), RB921 (new), RB941 (new), RB951 (new), RB952 ...

R1CH

One reason is probably that when you use opensource software and keep tracking all the updates, you end up with more and more bloated software that does not fit into a space-limited router anymore. It works fine on the PC platform where space and other resource usage (CPU) has grown with the code, ...

R1CH

This is the difficulty :D If we were using all open source code, it would be easy to upgrade. Now we must only rely on ourselves to upgrade all programs. Why is Mikrotik so against using open source software? We would have working 802.11ac Wave2, 5 GHz spectral scan, OpenVPN UDP support, more secur...

R1CH

Looks like 802.11ax consumer devices will be hitting the market later this year. I really hope Mikrotik is working on something too!

https://www.anandtech.com/show/12871/as ... ax-routers

R1CH

Again and again ... it seems be kind of sport nowadays to ask "Is Mikrotik volunerable because someone is scanning particular port?" If you disable or limit sources's IPs for all new incoming connections then there should be no problem at all. If you not secure your router then offenders ...

R1CH

Perhaps your router was compromised and an attacker is intercepting your DNS.

R1CH

Apparently VPNFilter is now scanning for port 2000 (btest server) on Mikrotik routers. Another exploit? Not many admins are aware that this service runs by default.

R1CH

Seems like Mikrotik is not RFC compliant here. 2.1 Host Names and Numbers The syntax of a legal Internet host name was specified in RFC-952 [DNS:4]. One aspect of host name syntax is hereby changed: the restriction on the first character is relaxed to allow either a letter or a digit. Host software ...

R1CH

Sounds like you have a firewall issue, SSL should be no different to other traffic unless affected by rules (or perhaps some other middlebox is interfering).

R1CH

You should make sure you're using latest RouterOS and have changed all your passwords. There are several exploits that could have caused this.

R1CH

It should not be THAT easy to get a ROS version ... without authentication

Hope you aren't running any wireless networks then, since Mikrotik products broadcast the board name, radio name and RouterOS version number in every beacon!

R1CH

I've tested on 2 PCs, one of them is the PC which has the signing certificate and private key, the other one is a fresh Windows 10 laptop with no certificates installed. Both ran the example .exe file with no warning. You can test it yourself, simply edit hosts file or add static DNS to point upgrad...

R1CH

*) make winbox self upgrade check .exe signature; I just tested this.. it checks for a signature, but not Mikrotik's signature! I sign it myself and winbox blindly runs it :-? https://imgur.com/7k8e09p Is that really certificate based ? Or simply some MD5 hash ? In the later case this should not be...

R1CH

*) make winbox self upgrade check .exe signature; I just tested this.. it checks for a signature, but not Mikrotik's signature! I sign it myself and winbox blindly runs it :-? https://imgur.com/7k8e09p Is that really certificate based ? Or simply some MD5 hash ? In the later case this should not be...

R1CH

*) make winbox self upgrade check .exe signature;

I just tested this.. it checks for a signature, but not Mikrotik's signature! I sign it myself and winbox blindly runs it

https://imgur.com/7k8e09p

R1CH

What's new in v3.14: *) added support for new style authentication and encryption for connections to RouterOS v6.43; *) make all connections in secure mode (all data is encrypted with AES128-CBC-SHA); *) make winbox self upgrade check .exe signature; Nice to see a focus on security! Does the "...

R1CH

Very weird. RTMP uses TCP and 1.8mbps should be no problem for any Routerboard. Maybe check MTU etc?

R1CH

What's the bandwidth of the source stream?

R1CH

This information along with the radio name and model number is directly encoded into the 802.11 beacons - you can not remove it (yet).

viewtopic.php?t=133186

R1CH

Bandwidth tests should be run THROUGH the device, not ON the device. Generating 10G of traffic needs lots of CPU, so it maxes out at a single core on CCR1009.

R1CH

Because you run old version of RouterOS. Update and change all passwords.

R1CH

How do you know for sure it was the www exploit that was used instead of for example the more recent winbox exploit?

R1CH

"We are unsure of the particular exploit used in any given case"

This is yet another reason why we need shell access to our own routers so we can do our own investigating looking for signs of compromise. Not every exploit is public.

R1CH

Sounds like the BT router has some AQM built in that you will need to replicate with RouterOS queue rules. Given the age of RouterOS kernel though it won't be able to compete with modern AQM like fq_codel (https://www.bufferbloat.net/projects/codel/wiki/) which is easy to set-and-forget.

R1CH

An established connection should be tracked for 24 hours at minimum, I don't know where you're seeing 60 seconds but that certainly doesn't sound right. You should be seeing SYN, SYN+ACK, ACK as the connection establishment procedure. I'm also not clear what you mean by renegotiating, all connection...

R1CH

No heatsink on the IPQ4019 chip?! Is it really that power efficient?

R1CH

Both of mine were new, from the only place in NL that had them in stock at the time (Routershop, listed as official reseller on "Buy" page). They were not in CPE mode once I was able to get a connection, something just caused the first time power up to behave very weirdly. Maybe next time ...

R1CH

A CCR1009 is cheap enough, plus Tile architecture is end of life so I don't see new products based on that. I'd like a new hEX to be based on quad core ARM (same as hAP AC2) and 8 GigE ports, maybe one SFP/SFP+ if we're lucky. Plus a separate POE version able to handle ~ 80W combined output. Nothing...

R1CH

Because 99.9% of home users don't need > 1gbps, since their devices won't support it. 8 port 10GB for $150? Who are you kidding! A switch alone would be $500+.

I would appreciate more ports in Mikrotik products though, 4+1 is not enough these days.

R1CH

I've still yet to receive an email about the winbox zero-day exploit that affected < 6.42.1, I would argue a zero day deserves an email more than an exploit that was patched over a year ago!

R1CH

This sounds like it might be a poorly configured upstream ISP that filters NTP packets for "DDoS protection".

R1CH

No one should be considering TKIP in 2018 for either unicast or group ciphers. It's trivially broken and AES has been part of the spec since 2004. Any device not supporting AES today belongs in the trash.

R1CH

I only did quick test of 5 GHz to confirm unit was working OK, 176.24 mbps to HAP AC at -60dBm. 2.4 GHz isn't too important to me so I didn't test it.

R1CH

Yes, can configure over both wired and wireless. Very strange first time startup behavior though.

R1CH

As soon as I plugged in an ethernet cable, the link went up and down several times and now the default wireless network is broadcasting (??!). Looking at the logs it seems the unit didn't even register as being powered on until I plugged in the ethernet, it was on for 5+ minutes but the log shows: 0...

R1CH

I have received my second hAP AC2 now, but both the previous unit and this new unit are not broadcasting any network by default. https://i.imgur.com/kk5GDjA.jpg Is this a mistake with the instructions or is something else going on? As far as I know my distributor is not making any modifications to t...

R1CH

The problem is more likely related to your ISP modem or TP-Link load balancer. You shouldn't need to do anything special to have PS4 work fine, default NAT type will allow any inbound packets to endpoint opened ports.

R1CH

You cannot configure 802.11ac rates in RouterOS (yet?)

R1CH

You can't avoid examining every packet, the benefit is you can shortcut the mark packet rules evaluation by ordering the rules by volume. Eg if you only care about http traffic, you mark port 80 as http, mark everything else as other, then when it comes to packet marking you have mark other first in...

R1CH

Be aware that the OpenVPN daemon in RouterOS is a custom Mikrotik version and given their history of other NIH-daemons, it may have remotely exploitable security holes. It is not the official open source OpenVPN daemon which has had rigorous security testing, so I would advise against exposing it to...

R1CH

based on open source This is where you are incorrect Best to avoid anything open source and re-invent everything in house? Meanwhile every other manufacturer is happily using ath10k driver: https://wireless.wiki.kernel.org/en/users/drivers/ath10k And yes, open source driver even has working spectra...

R1CH

the bigger problem is driver support since Mikrotik creates here own drivers. The actual drivers doesn't support anything of WAVE 2, are way behind competitors Performance, and this will not change, so I'm not Interested in new devices, with rudimentary driver support and without any features.... 1...

R1CH

That's a Cloudfront IP, maybe at some point you thought to auto upgrade by entering IP of Mikrotik update server? Either way that isn't going to work, just remove it.

R1CH

Are you sure this isn't caused by your LAG? Depending how you are distributing packets you may be saturating one of the ports with too much traffic. Any chance to test with a 10G uplink?

R1CH

I know ... but it input chain is not the same as forward one. You can block access to router but not traffic forwarded to/from users.

Dropping in input is fine, but I've seen several blacklists use raw table which would obviously affect forwarded traffic too.

R1CH

Why blocking access to router is bad idea? Should "popular" addresses try to access our router?

You should be dropping such packets anyway. If you add them to a blacklist which blocks all communications from that IP, then you block legitimate services if someone spoofs them.

R1CH

If you're blacklisting based on connection attempts to certain ports, I would advise against it. Doing this opens up a new attack vector where an attacker with IP spoofing capabilities (eg many cheap VPS providers) can spoof popular IPs and cause your network to block legitimate services. Taking any...

R1CH

When is the first known exploit of this so we can browse the logs. And have exploit rewritten the log file ? The exploit may not appear in the logs. It can download system passwords without logging in, so even if there appears no successful or failed logins, you should consider your passwords compr...

R1CH

No issues across my mix of devices (RB750Gr3, wAP AC, hAP AC, RB951).

R1CH

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router; Shifting of the blame onto users... what else are we supposed to use for remote management? Where do you see shifting blame on the users? It is information for users to know that routers are safe against this vulner...

R1CH

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;

Shifting of the blame onto users... what else are we supposed to use for remote management?

R1CH

Correct me if I'm wrong, but isn't something missing here? Now we know how they got passwords to log in, but what about those files (script and binary) uploaded to router and (probably) executed by RouterOS? Is it some other hidden functionality of WinBox we know nothing about? When the tool gets y...

R1CH

So is this it https://www.securityweek.com/remotely-e ... s-routeros ?

As its over month old post..

No, that's a different vulnerability in the SMB service.

R1CH

This is really scary. Can you explain how this happened in a more technical manner? Why is authentication not the first thing that is required before downloading files etc is possible? Why is the user database even made available over the winbox port prior to establishment of an authenticated connec...

R1CH

Anyone has any news about this issue? I'm surprised how neglected this feature was for this whole time, and now just became one of the top priority features that Mikrotik MUST go for. Specially these days, where any newbie can buy an extremely inexpensive WiFi Deauther anywhere... Any way to push M...

R1CH

Also, in general there should be no public facing remote router administration service. Best is to use a VPN. Next best is to allow login on Winbox or SSH only from specific IPs. The VPN still requires exposing to the internet. Given how Mikrotik writes their own VPN daemons, I don't see how a VPN ...

R1CH

Upgraded a bunch of hEX r3, wAP AC and hAP AC (original) with no issues. Holding off on the CCR-1009 for a bit.

R1CH

Another home grown Mikrotik daemon with vulnerabilities... :roll: . Any normal Linux ftp daemon will not be vulnerable to such simple DoS attack. Trying to claim this is a normal DoS attack that would work against any service is wrong, see " 6 connections and less than 80KB crafted requests are...

R1CH

This makes me wonder why Mikrotik don't use use Samba like every other home router manufacturer. They would get immediate compatibility with pretty much every SMB version. What benefit does home grown SMB daemon provide? Certainly not security...

R1CH

Hello, Is there a way to prevent RouterOS from advertising itself in the 802.11 beacon frames? It's not so great to publicly broadcast the radio name, model name and RouterOS version to the world. This makes exploiting of Mikrotik networks much easier, since an adversary doesn't even need to break t...

R1CH

Nope, HTTPS is still secure and can't be attacked with a man in the middle without installing a root CA on the client.

A properly configured hotspot will open the portal page automatically on any modern device.

R1CH

This doesn't seem to affect Linux itself, wonder what crazy stuff Mikrotik are doing with IPv6 to introduce a vulnerability like this?

R1CH

The concept of master port was removed, you need to use bridges now. If possible they will be hardware accelerated (eg as a switch group).

R1CH

Still no signature checking or HTTPS... man in the middle can easily compromise administrator's PC.

https://i.imgur.com/TX7G9pq.gifv

R1CH

I would try to keep it at 1.2 GHz (or at least higher than 400 MHz). Some tasks are still single threaded in RouterOS, eg a single TCP connection with queues / firewall will max out at around 600mbps at 1.2 GHz (example https://forum.mikrotik.com/viewtopic.php?f=3&t=131503) so at 400 MHz I expec...

R1CH

Is it a hAP AC 2 or the original? The new model has lots of issues with the radio due to unstable drivers.

R1CH

Use certificate based authentication instead.

R1CH

The CPU on the original hAP AC will bottleneck before the radio maximum throughput can be reached. Realistically you can get about 400 - 500 mbps actual throughput.

Conversely the hAP AC 2 has a better CPU but lots of problems with the radio at the moment, probably driver related.

R1CH

Disabling "Default Forward" is the only way to accomplish this, traffic within the same subnet will be handled by the radio directly and not go through the CPU.

R1CH

Is your power supply supplying enough current? Board temperatures?

R1CH

DNSCrypt support would also be welcome, to avoid the overhead of wrapping all DNS requests in HTTP / TCP.

R1CH

I think you may be confused - a password IS a pre-shared key. Almost all networks will want a WPA2 PSK (password), be sure to set your security profile to WPA2 PSK with AES-CCM.

R1CH

Perhaps the problems stem from RouterOS using an extremely outdated kernel (v3.3.5, May 2012). The latest ath10k driver for the IPQ401x wireless chipset requires a newer kernel, so maybe Mikrotik decided to write their own driver for that reason. But there exists a backport project too for older ker...

R1CH

It's been over a year since the WWW server vulnerability was fixed and I only now received an email about it. The recent SMB bug now also has a working exploit. Where is the email notification about this? I hope it doesn't come only after a worm has already infected all the vulnerable devices... I t...

R1CH

Have you actually tried pushing traffic through it? Most devices won't try to negotiate higher rates until it's needed. Simply associating and looking at speed often provides misleading results.

R1CH

@Normis How "random12" user could show us results of "ps", "ls" etc ... Is he cracking his own router or uses some Mikrotik's debug/special module? Simple question: How? There exists a special NPK package that you can install and gain access to shell. This is not publi...

R1CH

This is expected behaviour. Torch shows all traffic even if it later gets filtered by the firewall.

R1CH

If the worm is targeting winbox ports something is seriously broken, even with admin access to winbox you shouldn't be able to get arbitrary code execution. At this point I'm wondering if any Mikrotik service is safe!

R1CH

Use DNAT to 192.168.0.1.

R1CH

This appears to be yet another custom daemon from Mikrotik with remotely exploitable bugs (now a total of three: ssh, http and smb with vulnerabilities). Wonder how many more are lurking in the depths waiting to be found, or are already sold to attackers. There's a reason why many routers use existi...

R1CH

It should be evident from this thread that there are serious issues with CAP AC right now, I would advise not purchasing until stable firmware and RouterOS are released that fixes everything. In theory CAP AC should be about the same performance-wise (or better) as the WAP AC due to the newer high s...

R1CH

Mikrotik claims those are factory test points. I don't think much will happen if you connect an antenna to them but you are welcome to try!

R1CH

I've had very good results with RF Elements Stationbox and their standard 2.4 / 5 GHz antennas. Unfortunately the standard case is a bit too small for any serious antenna upgrades.

R1CH

It's supported in that the option is available, there is no guarantee the hardware will run correctly at higher than default settings. Extra cooling is strongly recommended.

R1CH

Upgrade RouterOS and Winbox to latest versions.

R1CH

Winbox no longer downloads anything from the router (if using new winbox and new RouterOS). Also, the router now checks all internal file signatures itself. That's good to hear. The self-integrity check seems a bit pointless though, if the device is exploited an attacker could easily bypass or disa...

R1CH

Look, you guys cannot ask Mikrotik to fix a problem they already fixed a *year ago* and then complain the solution of upgrading is off the table because you need to sit on a 12 month or older version of RouterOS that you can't take the time to update properly because your config is "complicate...

R1CH

Found this useful tool today, good to make sure your networks are properly responding to ICMP messages and handling fragmented packets and MTU discovery properly.

IPv4: http://icmpcheck.popcount.org/
IPv6: http://icmpcheckv6.popcount.org/

R1CH

I would be surprised if there are mounting points for external antennas. The last device with user modifiable antennas was hAP AC I believe, now they are boring PCB trace or metal flap antennas like every other router you can find at a big box retailer.

R1CH

That's good to hear it is reproducible. I will contact Mikrotik support and hope for an explanation.

R1CH

The queue type is irrelevant since the throughput limitation still happens even without queuing. It seems something in the netfilter processing causes a single TCP stream to become bottlenecked since removing mangle rules improves speeds, as does using fasttrack, despite the CPU showing only 6-7% lo...

R1CH

There will be plenty of high bandwidth TCP connections in real world usage (lots of large file uploads for example). If they can't use the full connection capacity that's a bit disappointing.

R1CH

Window sizes are fine, test server is 3ms away so latency shouldn't be an issue. I want to use queues for traffic shaping so a single HTTP download doesn't starve more important traffic, so only using hardware queue is not really an option. After further testing, even with queues disabled there is s...

R1CH

I finally got 1gbps uplink to my ISP, and after setting up queue trees on my CCR1009-7G-1C-1S+ single TCP streams never seem to be able to go past 600-700mbps. Disabling the queues immediately allows full 1gbps throughput. The queue is limited at 950M and never drops packets so the queue itself shou...

R1CH

Make sure your hotspot is intercepting requests to hotspot-detection services that any modern OS has. This includes HTTP requests to URLs such as http://gstatic.com/generate_204 and intercepting all DNS requests eg for invalid / random hostnames like "xgjaiobman"

R1CH

Thanks for the detailed testing @lukoramu. The IPQ4018 platform looks really good so I'm hoping these issues can be resolved with software updates and eventually Wave2 support is added. Please keep us updated!

R1CH

Your ISP is using CGNAT which is very bad if you're running a network behind it since you'll have double NAT. https://en.wikipedia.org/wiki/Carrier-grade_NAT

R1CH

wAP and cAP is not a fair comparison, wAP is a waterproof device, designed to also be used outdoors. It has a different antenna design. Are there antenna patterns for the devices anywhere so we can see how best to utilize their antenna designs? 10dB difference between products is massive, especiall...

R1CH

Hello, I'm very new to Mikrotik scripting (and already hate the extremely bad syntax and lack of error reporting!). I have four WAN links with four DHCP clients, first one with a default route and the others without. I'm trying to use a DHCP lease script on the 3 DHCP clients without a default route...

R1CH

Even with reduction in chain count, this shouldn't affect signal strength. The difference between -72 and -84 is quite large. Is the TX power the same? Can you test without any of the cases on?

R1CH

So its my understanding that the new hap ac has wave 2 support? Does that mean that the driver does as well? i.e. does it support all features of wave2 already or will that come at a later stage? Can the AP transmit to multiple clients on different spatial streams simultaneously? Currently we don't...

R1CH

Hmm I wasn't aware simple queues could have priority and hierarchy. Not so simple after all!

R1CH

Assume the following setup: 4 WAN links (ether1, ether2, ether3). 6 local VLANs (vlan1, vlan2, ...) on sfp1 Several of the VLANs map 1:1 with a WAN link, ie each VLAN gets a routing mark sending their traffic out a particular WAN interface. I want to attach a queue tree to limit upload / download to...

R1CH

If you've really installed 200 there is interference simply from the beacons. 20mbps from a phone over 2.4 GHz sounds pretty decent given how bad 2.4 GHz is these days. Try forcing G/N only to remove some of the beacon overhead.

R1CH

You should drop all inbound traffic with an chain=input action=drop rule. Not doing so will turn your router into a DDoS participant soon enough since you'll be an open resolver.

R1CH

Some domains I'd like to block with NXDOMAIN, eg known malware sites, wpad, etc. Currently ROS forces you to enter an IP for entries. While 0.0.0.1 and 255.255.255.255 work for Windows, this only works because the Windows DNS client rejects invalid IPs in responses. If you actually query the DNS ser...

R1CH

This would be great for traffic classification and also solve a lot of the "How do I block this HTTPS site" posts we see quite often.

R1CH

I'm also curious about this. I have an excellent connection (-45 dBm, 90+ CCQ) yet I still see 2ms as my lowest ping time. With other vendors I've seen < 1ms.

R1CH

Your previous router was probably 802.11ac, you should get a hAP AC if you want a comparable product from Mikrotik. The RB951G-2HnD is rather old, 2.4 GHz 802.11n will not go very far speed-wise.

R1CH

What kind of clients don't do this by default? At least Apple devices and modern Windows laptops always prefer 5GHz by themselves. Client decides these things, but if you want to FORCE something else, you can use the Access List settings and set required signal levels etc. Android has no "pref...

R1CH

Just do a netinstall and configure it via ethernet. Trying to set it up over wireless will be very frustrating as every time you change a setting you will be disconnected.

https://wiki.mikrotik.com/wiki/Manual:Netinstall

R1CH

The manual is indeed useless for this device, I ended up just doing netinstall with a config reset for my mAP Lite. I really dislike this trend of devices shipping with access from wifi side only!

R1CH

I'm setting up a mAP Lite to use as a hotel internet hotspot. I'd like to reduce how far my signal travels for privacy. I've set my tx power to 0 and even tried things like -10 and using a very high antenna gain setting with regulatory-domain, but the total TX power shows up as 0 and total TX power ...

R1CH

Even without DoS issues, Puma chipset based modems are garbage. If you're an ISP I would seriously look into what it takes to return them all to the manufacturer as they are not fit for their marketed purpose. They have high latency jitter and often packet loss for no discernible reason, even in bri...

R1CH

Probably the HTTP server content length exploit. Should be fine if you're up to date.

R1CH

To further clarify, it won't be possible at all no matter what product you use, unless you install new root CA certificates on every device accessing the network. You can't intercept HTTPS, because it's designed to avoid that, the best you can do is block entire domains (via Ip, DNS or SNI inspectio...

R1CH

Have you checked your CPU use to see if's actually maxing out with non-fasttracked traffic?

R1CH

My new wAP AC just arrived and I was surprised to find it came with a desktop stand and the "special screw" that secures the bottom door is now a regular Philips head. Were there any updates to the device itself? The product page still mentions "The bottom door can also be secured wit...

R1CH

It's important to note that this is a client vulnerability - patching your router / AP does not prevent the attack from working on connected devices. You need to update almost every device that has WPA2 support.

R1CH

Mikrotik response is at viewtopic.php?f=21&t=126695 for those who missed it.

R1CH

Ubiquiti recently came out with their 4x4 Wave2 AP with MU-MIMO. Hopefully we see something from Mikrotik in response!

https://unifi-shd.ubnt.com/

R1CH

https://twitter.com/kennwhite/status/919522184384729089

Sounds scary, hopefully whatever this is can be patched with firmware updates and we don't have to throw away all our radios

. I hope Mikrotik are keeping an eye on these developments.

R1CH

!) detnet - implemented "/interface detect-internet" feature; https://wiki.mikrotik.com/wiki/Manual:Detect_internet Is this feature feature optional if someone does not want their router to contact cloud.mikrotik.com every minute? Is it just cosmetic (ie: " this interface is 'WAN' ju...

R1CH

This is purely a client side detection. You cannot implement anything differently, it's entirely up to the client to detect the hotspot and redirect to the login page. Modern versions of Chrome for desktop now detect this situation, in addition to Android doing it automatically. https://security.sta...

R1CH

Same SSID different frequency is best.

R1CH

*) wireless - improved WPA2 key exchange reliability;

What specifically improved? Thanks

I'm also curious about the technical details of this change.

R1CH

Yes, this will work. Roaming decision is up to client though.

R1CH

If enabling Torch improves things, it would seem to indicate that hardware offload is breaking somewhere (fastpath / fasttrack).

R1CH

Sorry but that isn't true. Twitch is not peer to peer, it's not possible to get a streamers IP. The problem likely appears when streaming to Twitch is because Twitch has the highest concentration of trolls who like to disrupt streams. They are finding the IP some other way as mentioned above.

R1CH

Twitch doesn't leak IP addresses. Playing on unknown servers, voice chat, P2P games, Skype, etc are the more likely causes.

R1CH

The packets are not addressed to you, so the firewall does not process them. And you answered your own question - the modem is in bridge mode, so it passes any traffic from the HFC network to your Mikrotik.

R1CH

Seems like a pretty serious design flaw somewhere if exporting the configuration can cause routing changes! Would love to know the root cause of this one.

R1CH

Other traffic from customers on the same node as you. Probably all ARP and DHCP.

R1CH

Tell him to use http://lite.cnn.io/en

R1CH

I guess I'll be going with the revised CCR1009 then and hope its fast enough for all the queues I want to use. Judging by this thread it looks like the CCR1036 will overheat and die on me since it won't be installed in some datacenter with super low ambient temperatures.

R1CH

If 100kbps of traffic causes 100% CPU use you have much bigger problems...

Use Tools / Profile to find out where the CPU is spent.

R1CH

We do plan to release a replacement 1036 in near future

Is this a possibility before 2018? As someone about to buy my first CCR1036 I'd prefer to avoid the model that's about to be EOL, but I need it before the end of the year.

R1CH

No way to fix this, 802.11 protocol simply doesn't have any security if you run an open network. 802.1x is the only reasonably secure way to handle it but good luck having your customers accept it.

R1CH

Transparent proxy means MT intercepts HTTP, so the source of HTTP traffic is now the MT box - it doesn't hit the queue.

R1CH

It's possible to do this with scripts, but they have to run periodically to add / remove entries. Having this natively supported from the DHCP server would be much nicer.

R1CH

Well that's not very reassuring :( I'm sure there are many other 24V 4A power supplies out there that are more reliable, just wondering about compatibility with the cable to the CCR. Has anyone tried this? Also how easy is the power supply to replace for a non-technical user if I just ship a bunch o...

R1CH

As far as I know, the last 6-8 months we are shipping units with an improved PSU, the C10 has been changed to a better one. Some parts have been changed to better handle the heating. Is there any way for a distributor to tell if they have the fixed version? I'm looking to deploy my first CCR1036 so...

R1CH

hAP AC has been great for me since day one. Obviously if you have polluted RF environment it isn't going to magically fix that, and you need to know what you're doing and configure proper channels / bandwidths / etc. http://www.speedtest.net/android/3021018639.png 320mbps on 5GHz from my cell phone ...

R1CH

Better to use QoS so those downloads are lower priority than normal traffic. Should be easy enough to classify.

R1CH

A single floor apartment should be easily covered by a hAP AC, provided it's in a central location with good line of sight. I've had great success wall mounting mine in just below the ceiling with a Stationbox Inspot (https://www.rfelements.com/products/integration-platforms/stationbox-inspot/statio...

R1CH

This is not something that can be fixed with money. HTTPS interception is impossible without installing root certs on customer devices. If the login screen isn't opening when your clients connect, then either your captive portal is not intercepting the detection requests properly, or the client devi...

R1CH

If you were able to intercept https requests, so could anyone else on the internet, rendering the security useless. If your clients aren't auto opening the login screen they must be very old devices as any modern smartphone detects captive portals and opens the browser automatically. You could consi...

R1CH

https://www.qualcomm.com/news/releases/2017/02/13/qualcomm-announces-first-end-end-80211ax-wi-fi-portfolio Looks like chipsets are already starting to hit the market ahead of the specification finalization. Would be nice if MT was ready with new products when 802.11ax client devices start being prod...

R1CH

I made a basic guide for home / office QoS, this obviously won't work for multi-user setups where each customer needs a separate bucket though. While it's targeted for gamers, you should be able to adapt the mangle rules to your needs.

https://r1ch.net/blog/routerboard

R1CH

It's best to just throttle individual users and let them choose if they want to try throttled streaming or regular browsing. As pe1chl says, most stuff is encrypted these days so ugly L7 hacks are just going to destroy your CPU for no benefit.

R1CH

It's getting far too easy to perform deauth attacks these days. Maybe someone should scatter some devices like this around Mikrotik HQ and then we will see a solution? :) https://github.com/spacehuhn/esp8266_deauther https://www.aliexpress.com/store/product/WiFi-Deauther-ESP8266-preflashed-developme...

R1CH

I believe this is done by iOS devices as an attempt to detect captive portals. The entries should be a negative cached response (0.0.0.0).

R1CH

CAP defaults to client isolation (no forwarding).

https://wiki.mikrotik.com/wiki/Manual:C ... n_Profiles
See datapath.client-to-client-forwarding

R1CH

Check nothing is hitting your management ports (winbox, ssh, etc). It's easy to make the winbox server hit 100% CPU with many connections to winbox port.

R1CH

Mikrotik use a proprietary OpenVPN implementation that doesn't support compression or UDP, so make sure those are turned off.

R1CH

The access rule in the OP is incorrect, one applies to wlan1 and one applies to wlan2. I recommend using one that applies to all wireless interfaces.

/interface wireless access-list
add signal-range=-75..120
add authentication=no forwarding=no signal-range=-120..-76

R1CH

The source address is not authenticated with UDP. If you add IPs to a block list based solely on a UDP packet, then you risk your network breaking horribly when someone spoofs a bunch of popular IPs such as DNS servers, Google, Facebook, etc.

R1CH

I understand you want to try and keep things proprietary for license reasons, but it's kind of silly to rewrite the entire program. Why can't you use the official releases so we get audited code, UDP support, etc? It's less work for you to to drop in a new binary every release than keep your code up...

R1CH

Why exactly do you have your own implementation? Has it been reviewed by a cryptographer and gone through a code audit like the reference client? When will it get feature parity like UDP support?

I really dislike the NIH syndrome going on with Mikrotik.

R1CH

I also experienced something similar to this. Never figured out the cause, eventually moved to a stateless setup as I didn't want to break what seem to be legitimate connections.

viewtopic.php?f=2&t=119282&p=587417#p587417

R1CH

A single file certificate is usually just a combination of the certificate and key. The certificate files are usually PEM encoded which is viewable in a text editor - you can often combine the certificate and key simply by concatenating them together.

R1CH

My workaround for this is to dynamically insert action=reject reject-with=tcp-reset firewall rules for any packets still trying to go out the wrong interface. Since TCP can't handle IP changes anyway, tearing down the connection to force a new one is a decent enough solution.

R1CH

You probably need to factory reset and re-flash all your cameras if they've been hacked. You are essentially a DDoS source right now and it will not be long before your upstream ISP terminates your service if you don't stop the abuse.

R1CH

It limits the packets on port 25, 587 and 465 (SMTP ports) to no more than 30/min or no more than 30 total connections. Spammers typically directly connect to SMTP servers to send their spam, blacklisting your IP space in the process. Very few users need SMTP access, I would suggest blocking all SMT...

R1CH

Is your POE injector supplying enough amps to handle full load? Try a higher power adapter.

Search found 1120 matches