Jotne
Forum Guru
Posts: 1228
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature requests

Fri Jul 26, 2019 11:35 am

> any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...

Can you post the command that fails? There may be a solution to test for poe interface before command is run.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
pe1chl
Forum Guru
Posts: 5523
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jul 26, 2019 12:12 pm

> any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...
> Can you post the command that fails? There may be a solution to test for poe interface before command is run.
A workaround for this was already found in another topic.
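The guard the request above asks for can already be built in RouterOS script. The block below is an added example, not code from any post in this thread. It assumes that the command which fails on non-PoE hardware lives under /interface ethernet poe, that an error raised inside :do { } is caught by on-error={ }, and that "poe-cycle" and "ether5" are placeholder names for a second script and the port you want to power-cycle.

```routeros
# Added example: detect poe-out support before any PoE command runs.
# The probe is parsed at run time from a string, so a board that does not
# know "/interface ethernet poe" raises the error inside the :do block,
# where on-error catches it, instead of aborting the calling script.
:local hasPoe false
:do {
    :local probe [:parse "/interface ethernet poe print count-only"]
    $probe
    :set hasPoe true
} on-error={
    :set hasPoe false
}

:if ($hasPoe) do={
    # Everything that touches PoE lives in its own script (assumed name
    # "poe-cycle", body shown below), so nothing PoE-specific has to be
    # parsed by this script on a board without PoE.
    /system script run poe-cycle
} else={
    :log warning "no poe-out interfaces on this board, PoE step skipped"
}

# Body of the assumed "poe-cycle" script, run only when the probe succeeded:
#   :local port "ether5"
#   /interface ethernet poe set [find where name=$port] poe-out=off
#   :delay 3s
#   /interface ethernet poe set [find where name=$port] poe-out=auto-on
#   :log info ("power-cycled PoE on " . $port)
```

Run the script once on a PoE board and once on a board without PoE and check the log: the first should report the power cycle, the second the warning. Keeping the PoE commands in a separate script matters because, depending on the RouterOS version, an unknown command path can fail when the script is parsed rather than when the line executes; the :parse wrapper and the separate script make the probe robust in both cases.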
 
mkx
Forum Guru
Posts: 2570
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feature requests

Fri Jul 26, 2019 1:24 pm

> Need feature to detect if device have poe-out interfaces - now any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...

I don't know how to script it, but the possibility is available already: /interface print where type=pppoe-out
BR,
Metod
 
pe1chl
Forum Guru
Posts: 5523
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Fri Jul 26, 2019 1:47 pm

> Need feature to detect if device have poe-out interfaces - now any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...
> I don't know how to script it, but possibility is available already: /interface print where type=pppoe-out
pppoe has no relation to poe!
 
mkx
Forum Guru
Posts: 2570
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feature requests

Fri Jul 26, 2019 1:51 pm

> Need feature to detect if device have poe-out interfaces - now any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...
> I don't know how to script it, but possibility is available already: /interface print where type=pppoe-out
> pppoe has no relation to poe!
Aargh ... suits me for not being careful enough when reading :-(
BR,
Metod
 
pe1chl
Forum Guru
Posts: 5523
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Sat Jul 27, 2019 11:04 am

Please allow for multiple DNS resolver instances (with independently configured external servers, static entries, and cache).
The current single DNS resolver could just be 1 item in a list, to which others can be added.
These resolvers could be tied to internal interfaces using an interface list or they could listen on one or more addresses specified in their entry, whatever is more convenient.

Reason: you may want to use a different DNS service, like OpenDNS or another DNS with filtering capabilities, for your guest network.
Or you may want to have LAN systems resolve via a local DNS resolver like Windows Server and have the guest network only use internet DNS.
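Until per-network resolver instances exist, the first use case above (a filtering DNS service for the guest network only, while the LAN keeps using the router's resolver) can be approximated with the firewall. The following is an added example, not configuration from the thread; it assumes an interface list named "guest" already holds the guest bridge or VLAN, that guests get the router as DNS server from DHCP, and that 208.67.222.222 / 208.67.220.220 are the filtering upstream chosen for guests (OpenDNS addresses, used here as placeholders). It does not give guests independent static entries or a separate cache, which is what the feature request is about.

```routeros
# Added example: divert every DNS query arriving from a guest interface to the
# filtering upstream, so the router's own resolver (and its cache and static
# entries) never answers guests. dstnat runs before routing, so this catches
# queries addressed to the router itself as well as to any other resolver.
/ip firewall nat
add chain=dstnat in-interface-list=guest protocol=udp dst-port=53 \
    action=dst-nat to-addresses=208.67.222.222 \
    comment="guest DNS -> filtering resolver (assumed upstream)"
add chain=dstnat in-interface-list=guest protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=208.67.222.222 \
    comment="guest DNS -> filtering resolver (assumed upstream)"

# Belt and braces: if the dst-nat rules are ever disabled, guests must still
# not reach the router's resolver or anything on the LAN.
/ip firewall filter
add chain=input in-interface-list=guest protocol=udp dst-port=53 action=drop \
    comment="guest may not use the router resolver directly"
add chain=input in-interface-list=guest protocol=tcp dst-port=53 action=drop \
    comment="guest may not use the router resolver directly"
add chain=forward in-interface-list=guest out-interface-list=!WAN action=drop \
    comment="guest traffic only leaves via WAN (assumes interface list WAN)"

# Secondary upstream for resilience: a second pair of dst-nat rules with
# to-addresses=208.67.220.220 can be added and the two pairs alternated with
# a scheduler, since dst-nat itself has no failover.
```

Two caveats a practitioner will want: the diversion only covers plain DNS on port 53, so a guest device using DNS over TLS (853) or DNS over HTTPS (443) bypasses it unless those are blocked or allowed deliberately; and the masquerade rule on WAN must already exist, otherwise the rewritten queries leave with a private source address and never get an answer.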
 
msatter
Forum Guru
Posts: 1158
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature requests

Sat Jul 27, 2019 12:31 pm

Be able to disable the dynamic DNS servers when using an IKEv2 connection to a VPN provider such as NordVPN. This is to have only the manually entered DNS server receiving requests and no fallback to the dynamically provided DNS servers of the VPN provider.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases no root required
 
msatter
Forum Guru
Posts: 1158
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature requests

Tue Aug 13, 2019 11:04 am

Using Address Lists not only with IP addresses and domain names but also with AS numbers.

I never found a way to block incoming traffic in routing by ASN, and I had to fall back on generating my own Address List to filter those IP ranges out.
 
pe1chl
Forum Guru
Posts: 5523
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Aug 13, 2019 11:14 am

The AS number is only directly available when the router has a full BGP routing table from the internet.
When you are just connected using a static default route to the internet (i.e. a typical endpoint on a single ISP) the AS number is not available.
The cost to look up the AS number is high to very high (depending on whether you use some special DNS service or the basic WHOIS method), so it cannot be done on every packet.
There would have to be a very clever cache of AS numbers corresponding to recent traffic, and it probably would work only when a dedicated service was set up for this purpose.
I know that a DNS service that can do this does exist, but I don't think they will be very happy when many MikroTik routers start using this for one out of 100 packets they receive.

Maybe for this special case where you want to block a certain AS number a special service could be set up that returns the subnets advertised by that AS number in the format required to load them into an address list. One of those people that sell blocklists here on the forum could do that, if they had BGP routing to the internet (which I don't think they do right now).
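The consumer side of such a service is short enough to show. The block below is an added example, not code from the thread or from any list seller. It assumes a hypothetical service at https://lists.example.net/ that serves, per ASN, a file of "/ip firewall address-list add ..." lines (one per announced prefix), that the service's CA certificate has been imported under /certificate so that check-certificate=yes works, and that AS64496 (a documentation ASN) stands in for the AS you want to block. The script is meant to run from /system scheduler.

```routeros
# Added example: refresh an address list with the prefixes announced by one AS,
# then let a RAW rule drop anything sourced from it.
:local asn "64496"
:local listName ("as" . $asn)
:local src ("https://lists.example.net/as" . $asn . ".rsc")
:local dst ("as" . $asn . ".rsc")

# Expected content of the fetched file (produced by the assumed service):
#   /ip firewall address-list add list=as64496 address=192.0.2.0/24 comment="AS64496"
#   /ip firewall address-list add list=as64496 address=198.51.100.0/24 comment="AS64496"

# Replace-on-success: the old entries are only removed after a fresh copy was
# fetched over TLS with certificate verification, so a failed or tampered
# download never leaves the list empty or half-loaded.
:do {
    /tool fetch url=$src dst-path=$dst check-certificate=yes
    :delay 2s
    /ip firewall address-list remove [find where list=$listName]
    /import file-name=$dst
    :log info ("address list " . $listName . " reloaded with " . \
        [:len [/ip firewall address-list find where list=$listName]] . " prefixes")
} on-error={
    :log error ("fetch/import of " . $src . " failed, keeping previous " . $listName)
}

# One-time setup (not part of the scheduled script): drop in RAW so the
# packets never reach connection tracking.
# /ip firewall raw add chain=prerouting src-address-list=as64496 action=drop \
#     comment="drop traffic sourced from AS64496"
```

Two points worth keeping in mind. /import executes every line of the file as configuration, so whoever can serve or alter that file controls the router; a source you run yourself plus check-certificate=yes is the minimum, and a plain "one prefix per line" format parsed by the script would be safer if the file stayed small (reading large files from script is limited in RouterOS 6). And a list of "attacking" ASNs derived from the sources of SYN floods is only useful if those sources are real; spoofed-source reflection, discussed further down in this thread, would have you blocking the victims.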
 
msatter
Forum Guru
Posts: 1158
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature requests

Tue Aug 13, 2019 1:28 pm

Thanks pe1chl. Yesterday I had some kind of SYN-only requests on ports 80 and 443 from several different AS numbers, from Dutch, Lithuanian, Ukrainian and Chinese server/service providers.

I blocked almost 50,000 connections in RAW in 12 hours; now it is quiet again.
 
pe1chl
Forum Guru
Posts: 5523
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature requests

Tue Aug 13, 2019 7:34 pm

I have seen that as well. This is DDoS amplification: those SYN packets are not really coming from the servers or even the AS that you think, but are spoofed by the DDoS operator.
The idea is that for every SYN they send to you, you will send a number of SYN ACK packets to the address that they spoofed, and thus to the addresses of that service provider.
As they do this for many websites, the "return traffic" of unidentified SYN ACK packets to that provider can be large and be used as an attack, while the websites used in the amplification notice little.
So the addresses you are trying to block are not the abusers but the victims. You might block legitimate visitors doing this, although it is unlikely.

It is not really necessary to do anything about this; it is not an attack on your system, and as long as you don't send an unreasonable number of SYN ACKs for an incoming SYN, your system should not be overwhelmed with traffic or lingering connections. If necessary you can reduce the number of retries, e.g. like this:

echo 2 > /proc/sys/net/ipv4/tcp_synack_retries

(to change the default from 5 to 2 in Linux)

Of course the REAL problem is that ISPs are not doing source address filtering. When everyone applied source address filters to the networks they host or serve to end users, this attack would not be possible.
 
Fesiitis
just joined
Posts: 8
Joined: Tue Sep 13, 2016 10:24 am
Location: Latvia, Riga

Re: Feature requests

Thu Aug 15, 2019 7:24 pm

I'm waiting for IKEv2 support for EAP as responder. I hope this feature will be added soon, since support for this as initiator was added in the v6.45.1 update.
