MikroTik

R1CH

Looks like there is a new DDoS botnet on the loose, comprised of Mikrotik devices. We do not know precisely what particular vulnerabilities lead to the situation where Mikrotik devices are being compromised on such a large scale. Several records at the Mikrotik forum indicate that its customers expe...

R1CH

Is the Docker support an optional package? I can't imagine many people wanting this, and it introduces massive security implications especially for all those hacked routers. Since privilege escalation is pretty much a given, can we also allow root SSH access to RouterOS directly now? Running a singl...

R1CH

All those DDoS detect / drop rules actually make you more susceptible to DDoS since your router CPU increases for every rule a packet has to traverse.

R1CH

Given the awful upload performance, are you sure you have MTU / MSS set properly?

R1CH

No, just the one that dns.google uses.

R1CH

The cacert.pem is the same list that most browsers and operating systems trust. So if you don't trust them, you have a bigger problem :). If you only want to import a specific certificate, inspect the certificate chain of eg https://dns.google/ in your browser and import the relevant root certificate.

R1CH

DoH in RouterOS is still beta-quality IMO, I wouldn't rely on it just yet.

R1CH

You should be blocking *everything* by default and then open only strictly necessary ports. Use VPN or LAN interface for management. You will need to do a clean reinstall if its been hacked already.

R1CH

WMM is about traffic prioritization not speed ... WMM is required for all rates above 54mbps. I don't know how exactly it's implemented on Mikrotik since even with it off you can still see > 54mbps, but the spec requires it for all 802.11n / 802.11ac rates. I think it's ridiculous that it's off and...

R1CH

Advanced mode, enable WMM, set indoors installation, set 80 MHz channels. For further speed, install OpenWRT.

R1CH

ROS 7 is a dealbreaker for me, can't put anything into production that's running buggy beta software. And all these new CPUs seem to take a very long time to actually become stable, look at 4011, 2004... I really want to like the hardware but the software just can't keep up.

R1CH

You would need multiple 5 GHz radios to do this, a smartphone in hotspot mode runs as an AP, not a client, so you need a unique radio to connect to each smartphone in client mode. So no, wAP AC cannot do this (in fact, this setup is not really realistic for any Mikrotik product)

R1CH

Why did you bump a thread from 2012 ...

R1CH

There is already multicast package which does this.

R1CH

Get rid of any complicated anti DDoS rules, you want your router to forward the packets as fast as possible to your much more powerful PC that ignores them. Sounds like the real DoS condition is your router CPU being overwhelmed by too many rules, or it's a simple bandwidth exhaustion attack (in whi...

R1CH

erlinden is entirely correct. Running a residential AP at 30dBm TX power is downright stupid and no wonder people think Wi-Fi sucks when operators do this. You want balanced TX/RX powers to avoid problem shown above, ideally TX power as low as possible to avoid co-interference and encourage client r...

R1CH

Try disabling fastpath/fasttrack, netfilter timeouts don't update properly for offloaded traffic.

R1CH

The default firewall does not block outbound connections, port 22 is likely filtered further upstream by modem / ISP.

R1CH

Try winbox mac connection, sometimes you won't have any config after netinstall.

R1CH

... Experiments indicate that every Wi-Fi product is affected by at least one vulnerability... (...and that most products are affected by several vulnerabilities...) ... https://www.fragattacks.com/ Nice, fragattacks for say this, has buyed every model of access pont than exist on the world! But re...

R1CH

Did anyone bother to even test a MikroTik device for the said vulnerability? or we're just posting shit on the forums? "Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities." I wasn't able to...

R1CH

This looks bad: 11 May 2021 — This website presents FragAttacks (fragmentation and aggregation attacks) which is a collection of new security vulnerabilities that affect Wi-Fi devices. An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or at...

R1CH

RouterOS does not support 802.11ax.

R1CH

OpenWRT handles saturation much better due to fq_codel / cake schedulers, not yet available on Mikrotik. You have to cap your bandwidth significantly below link saturation point to avoid buffers being flooded.

R1CH

You can't "block" broadcast traffic, it doesn't get routed. If you don't want it on your network you need to filter it on your switches or disable LLDP on the source devices.

R1CH

This is expected as you've disabled the conntrack helper.

/ip firewall service-port
set ftp disabled=yes

R1CH

Probably conntrack FTP helper is turned off or behind dual NAT. Winnet FTP uses active mode (requires open port) by default.

R1CH

Yes, this is exactly what happens. A Mikrotik router does not run "dnsmasq", it is instead home-grown MT DNS server. So an ISP in between the place you are scanning from and your router is intercepting your DNS queries. This is why users should use DoH / DNSCrypt / etc to prevent this kind...

R1CH

If you have a non-1500 MTU, yeah you can clamp it to avoid clients having to do PMTU discovery. But this has no relation to DoS resistance.

R1CH

It looks like you have ports in a bridge or a switch that are flooding multicast traffic. Filter or rate limit broadcasts / multicasts from clients from or disable multicast flooding if it isn't necessary. A complete topology of your network would be needed to diagnose further.

R1CH

https://support.mozilla.org/en-US/kb/ca ... ion-dnsnet

R1CH

This is not possible. You can only use HTTPS for your payment / login gateway pages, but not for redirection. If anyone could intercept HTTPS requests it wouldn't be very secure would it?

R1CH

1gbps on AC is an unrealistic expectation, and physically impossible with the 2x2 card you listed. The most you can expect is ~400mbps real-world throughput at 2x2 80 MHz MCS-9. Mikrotik products like hAP AC2/3 and RB4011 can achieve this. I don't think anything supports 160 MHz currently which woul...

R1CH

Disabling all service helpers is a good idea, very rarely will they help. Modern SIP phones for example have built-in NAT traversal and FTP commonly uses encryption that makes the helper unable to see the data.

R1CH

Yes, ALG is enabled for all protocols in default config.

R1CH

Mikrotik routers are generic CPUs like a PC would be, ASICs you will find in higher end gear like Cisco. A PC router would be faster than most Mikrotik products.

IMO ASIC isn't needed until you get into the 20gb+ line rate.

R1CH

The IP ranges are published at https://ip-ranges.amazonaws.com/ip-ranges.json, just script something to update the address list.

R1CH

This is not a vulnerability. https://raxis.com/blog/2018/06/04/goodi ... timestamps

R1CH

With OpenWRT on wAP AC (original), I get ~ 350mbps single client TCP throughput at MCS-9, 2x2, 80 MHz, WPA3. Device CPU is very close to 100% though which seems to be the limiting factor. Very happy with stability, every device "just works" and no weird throughput issues like MT wireless h...

R1CH

Yes, exactly that. Since it knows the gain of the integrated antenna it uses a hard coded value instead of being set from user input. So if you have any device with integrated antenna, there is no good way to reduce TX power.

R1CH

What most people really want is to enter simple value that lowers the gain proportionally for all modulations by a specified number. If I want 5dBm weaker signal, I just enter "5" and I get 5dBm less signal over all modulations and modes. Irregardless of regulation domain settings, MIMO c...

R1CH

2.4 GHz is usually pretty bad except in remote places, way too much interference. You should also enable WMM if you want 802.11n to work.

R1CH

Great to finally see some movement on newer wireless drivers, but also disappointing to see that no currently released AP hardware can use them (especially the just-released wAP AC revision). Wave2 has been around for over four years at this point! There should have been plenty of time to evaluate t...

R1CH

You run BGP and don't understand how stateful / stateless firewalls work? I second the suggestion to get a consultant (though not the one above that is also a useless blacklist). You're clearly in over your head here. Using PSD just opens you to further attack when someone decides to spoof the IP of...

R1CH

Why do you have connection tracking enabled for those connections to begin with? Sounds like you aren't doing NAT.

R1CH

Correct me if I am wrong, but isn't the new wAP AC now identical to the cAP AC? Except cAP AC has PoE out on the 2nd port and is $20 cheaper. Are we really paying +$20 for a different case?

R1CH

When can we expect to see the new wAP AC at distributors? Thinking of getting one for performance testing. Hopefully they don't co-mingle their stock!

R1CH

I'm still skeptical, the CPU isn't a bottleneck on my current wAP AC (it's just an AP), and my signal strength is also great. Can two chains on a new chipset really outperform three chains on an older one? The Mikrotik wireless driver has traditionally had poor MU-MIMO / Wave2 support as well. I gue...

R1CH

Not really sure I consider the wAP AC an upgrade when it went from 3 chain to 2 chain :(. With more and more devices sharing the same frequency, having good MU-MIMO throughput becomes very important, this seems like a step backwards to me when the competition is selling 4x4 devices. Re-using the nam...

R1CH

Bandwidth test through the device, not on the device, or you only test how slow the CPU is at generating traffic. Use iperf3 and your own endpoints.

R1CH

UDP source addresses are trivially spoofed, using rules like this you turn a volumetric DDoS into a computational DDoS as your connection tables fill up and crash the router. There are no magic rules to fix DDoS. If your bandwidth is lower than the incoming traffic then by the time it hits your rout...

R1CH

Very disappointing if this was disclosed to them in April! Luckily SMB is not a feature that should be enabled by most users.

R1CH

Also had to do a reset, made much more difficult when you have to reset by email and not username! My password was also long, autogenerated by password manager. Reset accepted the same one without a problem.

R1CH

You can't forge HTTPS certificate of the visited site, so you will never be able to show an error.

R1CH

1gbps should be no problem for this router, I measured about 30% CPU on 1gbps download with fasttrack enabled, though obviously it depends on the complexity of your firewall and other configuration.

R1CH

Injectors certainly can't perform any negotiation, they are dumb devices which just put power onto the cable. There is some kind of proprietary negotiation with passive PoE out on Mikrotik switches, but as I don't know what is on the other end of this cable I have to assume it was an injector or 802...

R1CH

"Real" (802.3af) PoE can be automatic or forced-on, passive PoE as used by Mikrotik supplies the power constantly with no negotiation, so you can fry things that aren't expecting it.

R1CH

Use some DNS filter list, eg https://www.opendns.com/setupguide/#familyshield

R1CH

I ended up disconnecting the hEX and used a hAP AC2 instead so I unfortunately can't check that. I don't believe the hAP AC2 powered on from the cable but now I am wondering if perhaps I missed it. I can't say for certain that the other end of the link was 802.3af compliant, the previous device whic...

R1CH

I recently installed a hEX at a client who had 802.3af PoE on their WAN Ethernet link. According to the spec sheet of the RB750Gr3, only passive PoE is supported, so imagine my surprise when I plugged the WAN cable to Ether1 and the hEX powered up... Is this a safe configuration? The supported passi...

R1CH

Just came to update some routers today and also seeing changelog from 2011, what is going on?!

R1CH

You should always set country and installation / distance to indoor to ensure the channel configuration matches what the client device is allowed to use. Out of the box, MT devices need quite a bit of configuring to get to a usable state - disable legacy protocols, enable WMM, etc.

R1CH

*) system - improved system stability when receiving/sending TCP traffic on multicore devices;

Also requesting more info on this, changes to TCP can affect many things, I would like to know exactly what was changed.

R1CH

That is the point of tarpit, you attract all the traffic to the tarpit so the resources of the attacker are tied up and unable to affect the rest of the network. It seems you probably want a DROP rule instead.

R1CH

It is up to the CLIENT DEVICE to detect the hotspot and redirect to the login page. Make sure all HTTP and DNS requests are redirecting to your hotspot, and that's all you can do. Absolutely nothing else on your end can influence that.

R1CH

Unfortunately most of this is true, mostly due to Mikrotik writing their own proprietary implementations of wireless drivers, OpenVPN protocol, etc, so it isn't as simple as just upgrading to the latest public versions. As a power user myself, I still like Mikrotik simply for ease of use and deploym...

R1CH

*) improved MikroTik signature checking on WinBox update;

I can confirm that this now closes the remote code execution bug possible by a MITM. Using winbox auto update should be safe for now

.

Also as a high DPI user, this release looks beautiful...

R1CH

Your reddit.com address list is probably incorrect.

R1CH

There's a whole industry based around selling "high end audio" versions of digital equipment for 10-100x normal price. There's no point trying to convince audiophiles that digital signals are not distorted like analogue, they'll always say it "sounds better" because they spent mo...

R1CH

You should DROP all unknown traffic on input chain, and especially not log (easy to exhaust the router with a tiny flood). Your current rules that add to address lists (which you then presumably drop) also open you to attacks by an IP spoofing attacker.

R1CH

Use hotspot feature. Keep in mind you cannot redirect HTTPS sites (of which the majority of modern sites are).

R1CH

This doesn't mention a specific exploit, just a port scan. So there is nothing you're really "vulnerable" to, but if your winbox port is reachable by random users you should expect that to change in the future.

R1CH

Why do you have allow-remote-requests turned on if you don't want people using it?

R1CH

Seems like there are problems on domains used by mikrotik.com, I can't load the product pages or any others due to SSL errors on half of the hosts for i.mt.lv.

R1CH

Is WMM enabled? This is a pre-requisite for a lot of power saving features, though Mikrotik's proprietary wireless drivers are missing a lot of functionality in this area.

R1CH

If you have untrusted devices on your layer 2 network then they can easily ARP spoof, DNS spoof, etc and do a full MITM on you much more easily than exploiting this vulnerability.

R1CH

I wouldn't worry about this one. This requires a "network adjacent attacker" (layer 2), so why do you have attackers next to your router? If you're seriously worried about this, turn on strict reverse-path filtering and block private IP ranges from WAN interfaces (which is a good practice ...

R1CH

It will require a new chipset, so no.

R1CH

With certificate transparency being a requirement these days, any state that MITM's their users with trusted certificates will be very quickly discovered and their certificates revoked.

R1CH

Let's Encrypt is just as good, if not better than any other commercial CA. The short lifetime (3 months) limits the duration that a compromised certificate is useful. Considering the track record of commercial CA's mis-issuing certificates, I would trust Let's Encrypt far more than Comodo and friend...

R1CH

At a high level, “messages” sent to the Winbox port can be routed to different binaries in RouterOS based on an array-based numbering scheme. Sigh... who designed this braindead protocol that allows UNAUTHENTICATED USERS to invoke whatever binary they want?! Any programmer could see what a terrible...

R1CH

You have no idea! I really wish Mikrotik would revert to the old versioning for firmware so you can actually tell when there is an update. I recommend pe1chl's advice.

R1CH

!) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979); Could you give some more info about the exploitability of this? Are all situations where RouterOS parses a DNS packet vulnerable? Eg router used in typical setup - DNS server for LAN and sends queries to the inte...

R1CH

There is a special .npk package you can install that allows you to SSH into a root shell. You can also mount the filesystem offline or use this CVE to do a similar thing, if you have physical access to the router then nothing is really secure.

R1CH

The current RouterOS is based on an old kernel and deployed on routers that are fairly CPU limited. IMO it's best to let it pass through packets and the target device can be responsible for its own DoS protection. By trying to do DoS protection in RouterOS, the router itself becomes vulnerable to D...

R1CH

The current RouterOS is based on an old kernel and deployed on routers that are fairly CPU limited. IMO it's best to let it pass through packets and the target device can be responsible for its own DoS protection. By trying to do DoS protection in RouterOS, the router itself becomes vulnerable to Do...

R1CH

To test some of the theories in this thread, I netinstalled 6.45.6 on a spare board, with default config and then exposed SSH to the internet after setting a strong admin password. So far while there are plenty of brute force attempts, there is no sign of an exploit that can bypass authentication. I...

R1CH

RouterOS doesn't use web interfaces on top of busybox, it has a custom proprietary protocol. Exploits affecting other devices like the DLINK or Netgear are not going to work on RouterOS.

R1CH

@NathanA, was SSH the only exposed service? No winbox or API etc?

R1CH

I'm inclined to agree with normis here. The Linux kernel firewall operates before any user service like SSH or Winbox even sees a packet, so it's extremely doubtful that the exploit can bypass a properly configured firewall. Don't forget your customers / clients can also be infected with malware - o...

R1CH

/ip firewall add action=drop chain=input packet-size=200-65535 protocol=icmp
/ip firewall add action=drop chain=forward packet-size=200-65535 protocol=icmp

R1CH

Seems quite widespread. It intercepts DNS requests and redirects any HTTP requests to https://www.youtube.com/watch?v=MK_VfUErRaY&feature=youtu.be. If you look at the comments you can see lots of affected users wondering what the hell is going on. While this might appear benign, any credentials ...

R1CH

*) on update, Winbox will check that code is signed by MikroTik and not somebody else;

Unfortunately this check still seems insecure.

R1CH

Is this targeting the router or a service behind the router? If the router, such requests should just be DROP with basic firewall, nothing special needed. If its a service behind the router, then that service should enable syncookies as syn flood is easily countered these days.

R1CH

Had an odd issue recently, my 4011 seemed to have a thread stuck at 100% CPU. Had to reboot to get it to go away. Anyone else seen this before?

R1CH

Time to format it, clearly infected with malware.

R1CH

Someone did, since you left an unsecured router accessible!

R1CH

If you're experiencing high CPU load then you should remove unnecessary firewall rules (all those port scan detection rules for example are useless if you just drop by default). If you're experiencing bandwidth exhaustion then the attack can only be filtered by your upstream.

R1CH

Please put these kind of features in a external packages. Completely unnecessary for the majority of the users and will only end up as an security issue.

Normal people gets an NAS or mini-server to run torrents.

100% agreed.

R1CH

Redirect DNS to local DNS and then filter at DNS server.

Note that blocking 100% is impossible.

R1CH

You're doing content matching on every outbound packet - of course it's going to be slow! This is a really badly designed firewall, just by writing "530 Login incorrect" in plain text I can trigger your output match rules. And if I was an actual attacker, this rule is useless since I could...

R1CH

Judging by their screenshots they are using custom software, not RouterOS.

R1CH

Set antenna gain to like 16 dB to lower the TX power, if the rooms are so small there's no point blasting the signal all over the complex. On the devices that support 5 GHz, disable 2.4 GHz radio and use 5 GHz only.

R1CH

While the forum may be a tiny part of overall customers, it likely represents the most dedicated Mikrotik ones who take the time to find the forum and register etc.

R1CH

No amount of money you spend on certificates will fix this issue. You cannot get a certificate that's valid for the entire internet. Best things to do: Intercept ALL requests to internet (make sure gstatic.com, captive.apple.com, etc are NOT whitelisted as some misguided posts suggest) Make sure int...

R1CH

Why are requests from distributors prioritized over end users? Distributor is only useful for purchasing and RMA, I never would think to contact them with RouterOS requests or support.

R1CH

How many of these vulnerabilities though are still present when a competent person configures the router? If your WAN is entirely firewalled against incoming connections (including VPNs) then your risk is only coming from the LAN side which is generally a lot safer. That shouldn't be a reason not t...

R1CH

This is not discussing a particular vulnerability, but it is examining what defense-in-depth procedures are in use. It seems all vendors are doing a very poor job here, not just Mikrotik. As an example of what this means: without ASLR, a router will load the code at the same location in memory every...

R1CH

Manually setting TX power has been a mess for a while. The most reliable way I've found is to use the antenna gain setting to make the device think you have a stronger antenna so it reduces TX power proportionally for regulatory domain compliance.

R1CH

Just received the email version of this newsletter. It seems broken, no links work.

R1CH

6.19 is very old and the device is likely hacked, you should netinstall a secure version.

R1CH

SMTP-only access is unaffected.

R1CH

This is basically applying a config as part of the install, so no different than manual configuration. As long as there is a strong admin password then only physical access or an exploit will be able to discover the config.

R1CH

Yes, something is not quite right with the SFP+ interface on RB4011, we will look forward to fixing it asap! How did this happen? There is nothing related to SFP in the changelog and this is supposed to be a "stable" release. If there was something, anything changed related to SFP, then i...

R1CH

Has anyone figured out how to use the undocumented vendor-class-id CLI? It doesn't seem to have anything to match on the class identifier in the request so I have no idea how it's supposed to work.

R1CH

Depends what you want to blacklist. I've found from past experience that many blacklists are outdated and eventually block legitimate traffic, instead focus on securing your environment such that a blacklist of "bad IPs" is not needed.

R1CH

What kind of speed test are you doing? A single TCP connection will be limited by the CCR per-core frequency, but multiple connections should max out the link no problem. Test with iperf3 through the router for best results. Check profiler to see where load is.

R1CH

For your own safety, scrap them... Seconding this. One time I tried to get some non-Routerboard boards working again after a thunderstorm. They seemed to power up but nothing was responsive, after a few minutes testing I smelled a burning smell. The A/C adapter was smoking and the power cable was e...

R1CH

Use "WISP AP" and set bridge mode. "Home AP Dual" is intended if you have the device hooked up directly to your WAN.

R1CH

Always bandwidth test THROUGH the router, not ON the router. Run a local iperf server on your network and test to that. The CPU on these devices is not powerful enough to generate much traffic when using the built in bandwidth test tools.

R1CH

Yes, Mikrotik devices have a history of running quite hot. So far I've seen no reports of actual problems caused by this, the CPUs are rated for very high temperatures. If your router is actually crashing or exhibiting other strange behavior as a result of the temperature then it's a problem.

R1CH

I'm a bit disappointed seeing only 2.4 GHz radios on products sold in 2019. In urban areas 2.4 GHz is unusable. The QCA9531 chipset is over five years old now, there really should not be new products coming to market based on it.

R1CH

Surely it's more cpu efficient to detect and add users to a dynamic address list which you then drop in raw? I can't imagine you'd want to accept traffic from someone trying to kill your systems? Dropping the initial SYN is enough to stop the connection, other packets and fragments will just be ign...

R1CH

A bunch of MSS related TCP bugs were found in the Linux kernel that can result in remote denial of service. Details: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md#advisory Since RouterOS is based on older Linux kernel, if you have any open TCP ports the...

R1CH

I guess this is based on the IPQ401x chipset given the specs. I'd be a bit hesitant to use it for wireless due to all the issues the 4011 platform is seeing.

R1CH

The device running in promiscuous mode won't see all the TCP traffic flows, it will only see broadcast packets on a switched network. Only traffic directed to it will be noticed, which is as your experiment describes. You need to either re-architect your network so that all your traffic flows throug...

R1CH

If your connection speed is truly fluctuating like this, then you need to set the queue limit at just under the slowest speed your connection drops to. Everything will be throttled to this rate all the time, which isn't ideal. This is the only way to make QoS work, as otherwise the queuing happens o...

R1CH

A Hex S can do way more than 30mbps, most likely you configured it incorrectly. Post your config.

R1CH

Monitor your users to see who is accessing the mail sites listed under "Sender Email".

R1CH

Use iperf3 for bandwidth testing through the device, not on the device.

R1CH

Probably need to clamp MSS to PMTU.

https://wiki.mikrotik.com/wiki/Manual:I ... Change_MSS

R1CH

Update RouterOS and do a reset with new default config, the concept of master interface is long gone.

R1CH

No. The wireless package is installed only so it can be used as CAPSMAN controller.

R1CH

Your symptoms do suggest it could be power related (a flood of packets causing increased radio use and power draw). As most Mikrotik devices accept a wide voltage range you could try with a different power supply from another device, provided it has equal or greater amperage.

R1CH

Have you tried a different power supply?

R1CH

Can confirm, no matter the product, the performance just isn't up to the competition. I'm pretty sure it's down to the custom wireless drivers Mikrotik insists on using, which are just not up to the level of open source ones. If your device is supported, flashing OpenWRT onto it will get you a moder...

R1CH

There's plenty of chipsets available, the problem is likely software. Since Mikrotik write their own wifi driver, it will take a long time before a stable 802.11ax driver is available. Even the 802.11ac support still isn't up to the competition after all these years. If you need 802.11ax there's oth...

R1CH

conntrack - significant stability and performance improvements;

Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.

R1CH

The purpose of importing an SSL cert into RouterOS is to secure the hotspot landing page. It won't help you do anything else, if you want to do SSL MITM the root has to be installed on all end user devices regardless of what's on the router.

R1CH

APs generally have more power than client devices, so tuning output power to get a balance is important. You're right that a higher gain antenna both improves transmit and receive, but at the cost of radiation pattern. For example a 12dB omni in a house would work great on one floor but go upstairs ...

R1CH

For reasons unknown, Mikrotik are very against using open source, and this results in an outdated Linux kernel and custom written drivers and services. This greatly slows development time compared to other manufacturers who use open source on the software side and then focus on building their hardwa...

R1CH

Mikrotik wifi performance is often worse than competitor devices due to outdated kernel and proprietary drivers. That said it shouldn't drop out completely like this. Is the device possibly overheating? I would suggest trying 20 Mhz channel, g/n only, enable WMM and set group key update to 1h (secur...

R1CH

"Stable" often introduces regressions, rarely has this resulted in total connectivity loss but I generally stick to long-term on remote devices unless there's need for a specific change. Unless it's a security related fix, I would also wait a few days for bugs to be reported by others befo...

R1CH

The redirection will never work due to security guarantee of HTTPS. Documentation should be like this:

https-redirect=yes

Show a security error if user tries to open HTTPS website.

https-redirect=no

Show a network error if user tries to open HTTPS website.

R1CH

Disable detect-internet "feature".

R1CH

You should check firewall rules on 188.252.172.1.

R1CH

Default settings are probably not good for your environment. Pick correct frequency, channel width, enable WMM, set country, etc.

R1CH

The wAP AC CPU is likely maxing out at that bandwidth.

R1CH

Not being able to load HTTPS sites is usually an MTU issue due to larger packets. Make sure you're clamping TCP MSS if you have a non-standard MTU and aren't blocking ICMP.

R1CH

With 20 virtual APs you are probably destroying the channel with beacons. Make sure to set g/n only or change your data rates.

https://r1ch.net/blog/wifi-beacon-pollution

R1CH

As it's HTTPS you need to block via DNS or IP range, not recommended. If bandwidth consumption is a concern then use queues or data limits for your users.

R1CH

why r u being so disruptive and trying to break mikrotik? That's what security researchers do. Any internet connected device and protocol is studied for such bugs, and finding and fixing them makes everyone safer. Be happy that he found it before the bad guys did. Imagine someone constantly crashin...

R1CH

Somehow this is the first I've heard of this and I'm very concerned as I have a modern network that includes IPv6. You're saying Mikrotik have known about this for 50 weeks and it hasn't been fixed?!? What is going on over there?! This is a completely unacceptable response for a security vulnerabili...

R1CH

First thing I checked, definitely disabled.

R1CH

Free, https://letsencrypt.org/

R1CH

The log screenshot is from my core router, the AP has forwarding disabled since it bridges onto the appropriate VLANs so it can't be coming from a client.

R1CH

Why would it be doing this by itself? I have no auto upgrade configured, no one is logged in and running check-for-updates. None of the other devices with the same config are doing this.

R1CH

If it isn't blocked just use the same exploit to gain access. https://github.com/BigNerd95/WinboxExploit

R1CH

DHCP does not register DNS. You need to script this if you want it.

https://wiki.mikrotik.com/wiki/Setting_ ... DHCP_lease

R1CH

Nope. Very basic config, bridged wlans, some virtual APs, no CAPSMAN. Can't think what else would be causing it.

R1CH

Trying to figure why this is happening as of 6.44, also tried 6.44.1. I upgraded all my wAP AC units (5), however only one of them is displaying this behavior. https://i.imgur.com/pE3W2M2.png DDNS is disabled, Update Time is disabled, TZ auto detect is disabled. No scripts, scheduler, etc. What else...

R1CH

Those are negative entries, the random names are normal and used by captive portal detection of various OSes. Nothing in that should affect WhatsApp, the problem may be elsewhere.

R1CH

Bridge should be fine, just make sure DHCP server is set up to run on the bridge instead of one of the interfaces.

R1CH

The best thing you can do with Mikrotik is setup all APs with same SSID / authentication, ensure they're all in the same broadcast domain and ensure your DHCP server is very fast at handling requests / renews (eg no pinging for 2 seconds before giving a lease). Unfortunately RouterOS lacks support f...

R1CH

Sounds like you're asking for 802.11ax...

R1CH

Yes, the hotspot FQDN must match the certificate. Do note that this only provides security to the hotspot page itself, it will not help in redirecting HTTPS pages to the hotspot.

R1CH

You always need to update RouterBOOT and keep it the same version as RouterOS The problem is Routerboot often has no changes between RouterOS versions, but we have no way of knowing since the version is incremented regardless. This involves needless reboots and additional wear on the small flash re...

R1CH

Make sure fasttrack is active, hAP AC is unlikely to be able to do 1gbps otherwise.

R1CH

You don't start, since that is impossible. The security of HTTPS negates attempts to intercept such requests, unless you want to teach your users to blindly ignore serious security errors.

R1CH

Horizon will disable hardware offload according to wiki.

R1CH

Which is my point. Post it in the phucking putty forum. Do you want me to start effing posting everytime there is a windows update, a linux update, a macos update, an avast update, etc etc etc............ I might as well post everytime I pop a zit, and pluck a nose hair. ;-) It's been almost two ye...

R1CH

Right after 802.11ax...

R1CH

Do you really need all those packages? You are likely out of space since the device only has 16MB flash.

R1CH

Don't set up your network in a way that intercepts all HTTPS requests and encourages users to bypass SSL errors. This is teaching users very dangerous practices, when their connection actually does get MITMed by a network attacker or compromised DNS, website, etc, then they will happily ignore the e...

R1CH

Not possible, HTTPS is secure so you can't intercept it.

R1CH

I didn't see any difference in behavior, it behaves as if it's disabled regardless of the checkbox state.

R1CH

This doesn't affect users only during an upgrade, the default RouterOS conntrack timeouts are quite low and especially with the bug with tcp unacked timer, it's easy to get day-to-day TCP connections affected by this.

R1CH

I can confirm the "Loose TCP Tracking" is completely broken in this release (and perhaps 6.44, didn't test it extensively). Previously established connections are treated as INVALID regardless of the setting.

R1CH

Just make sure nothing is in the walled garden. As long as the user is using a modern browser or phone, they should get the prompt for the portal.

R1CH

Make sure that you aren't allowing any sites in the hotspot before user auth, if you allow connectivity to Google / Apple / etc, the browser will think it has internet and will not trigger the captive portal. Any modern browser otherwise will notice the connection test is failing and prompt the user...

R1CH

If you're seeing untranslated packets make it onto the network then you must have modified the default config, as this is considered "invalid" by netfilter and the defconf rules drop it.

R1CH

You can use the tls host rule which works with SNI.

R1CH

Wish there was some announcements about 802.11ax. I guess until ROS v7 is released the kernel is too old to support such drivers anyway.

R1CH

I enabled the interface and the problem stopped. Very weird behavior. I don't plan on using the SFP port so this doesn't seem to cause any issues.

R1CH

This is occurring with 6.44.

R1CH

How is this even possible?!

ether2-5 and sfp1 are bridged. The traffic levels seems to match around what ether2 is doing.

R1CH

Seems to work OK here behind a DNSSEC-validating PowerDNS recursor.

No TCP support though is a problem that Mikrotik need to fix.

R1CH

https-redirect is not working You can't redirect HTTPS - the security provided by HTTPS means that unless you control the client devices and can install custom root certs, certificate validation will fail and users will see security errors. Mikrotik of all people should know this... what does this ...

R1CH

You aren't filtering any other UDP ports, so they are responded to with an ICMP port unreachable, confirming the port is closed. Since UDP is connectionless, unless you speak the protocol there's no way to distinguish between an open port and a filtered port. I recommend you update your firewall to ...

R1CH

Unicode in the updated changelog, which winbox can't handle.

R1CH

I think it's great that Zerodium started a bug bounty program for Mikrotik. It's not like the bad guys don't know, they're just providing incentives for full disclosure. So patch early and patch often my friends! Unfortunately that isn't how it works. Zerodium will pay for Mikrotik exploits and the...

R1CH

My CCR1009-7G-1C-1S+ just watchdog timer rebooted after installing this update a few days ago. In over a year of operation never had that happen.

Feb/21/2019 14:46:44 system,error,critical router was rebooted without proper shutdown by watchdog timer

R1CH

I see where you are coming from, so I fixed it for ya................. Please try to keep in mind some of us run networks where we can't just take down the router for every RouterOS release. This was clearly not labelled as a security fix, so I personally did not consider it a priority to deploy du...

R1CH

Why is this not mentioned as high severity security bug in changelog? Why no mention on security blog? Come on Mikrotik...

R1CH

Try a full config reset with the reset button or just netinstall them. The default config on these devices is infuriating!

https://wiki.mikrotik.com/wiki/Manual:Reset_button

R1CH

You need the international version if you want unlocked frequencies. - RB921UAGS-5SHPacT-NM-US (USA) is factory locked for 5170-5250MHz and 5725-5835MHz frequencies. This lock can not be removed. - RB921UAGS-5SHPacT-NM (International) supports 5150MHz-5875MHz range (Specific frequency range can be l...

R1CH

Config? Maybe you're blocking important DHCP packets with the firewall.

R1CH

Just because it isn't mainlined doesn't mean it isn't available. I've been using it in production for months via DKMS and I'm very happy with it. There are open source Windows clients available, performance is great and setup is so refreshingly easy compared to something like IPSec. And it's actuall...

R1CH

You make a good point about reboots creating zombie TCP connections on the nodes, but you are wrong about the DoS mitigation. Setting nf_conntrack_tcp_loose to 0 (not the default) stops false SYN-ACK and ACK packets before they hit the “listen” state lock, thereby allowing conntrack to scale much h...

R1CH

That setting should have no effect on DoS resistance unless you aren't properly filtering your inbound traffic. It's set to 1 which is the default, for good reason, otherwise any time a router reboots every single active TCP connection would have to time out instead of continuing to work.

Search found 1120 matches