RandomKappaUsr
newbie
Topic Author
Posts: 39
Joined: Thu Oct 15, 2020 8:51 pm

Changes on the configuration - security

Sat Jun 05, 2021 11:22 am

Hello,

Even though I've been using Mikrotik for almost a year now, my knowledge is still very basic.

Yesterday I decided to make some big changes to my WiFi configuration.
The reason for this change was mainly the WiFi config, which I was not satisfied with. On the PRIMARY RB (which has the internet source and serves as a router) I had 2 SSIDs configured to 2 different bridges (home/guest), which could not be replicated on my SECONDARY RB (only a WiFi extension and connecting my PC) because the SECONDARY router was assigned a bridge-home IP address.
scheme.png
So here is what I have done:
- on the SECONDARY RB I have created a DHCP client, and on the PRIMARY I have set it as static and assigned it the IP address 192.168.88.2 (PRIMARY ends with .1)
- on the SECONDARY I have switched Wi-Fi to be managed via CAPSMAN
- on the PRIMARY I have configured CAPSMAN


It all seems to be working well and it helped me to reach my goal of having home and guest WiFi on both my RBs.

However,
- I would like to ask you whether you, more skilled guys, could take a look at my configs and verify whether I might have done anything which could create a security breach.
- Also, I would be very glad for any tips regarding other stuff I can do to increase my security (perhaps verification/addition of my Firewall rules etc.?)
- Last but not least, my IP address is not public, if this helps with the security advice, but I will soon switch to Fiber - will my setup still be OK to use, will the transition from xDSL to Fiber require minimum changes on my end? My ISP told me they will give me their modem and I can switch it to the bridge mode and use my Mikrotik stuff, but I am not sure whether I can retain most of my current settings due to public IP and different technology.

Thank you very much for literally any feedback! :)
RKU
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Changes on the configuration - security

Sat Jun 05, 2021 2:22 pm

You are creating problems for yourself:

NO AUTOREBOOT!!!
NO AUTOUPGRADE!!!
understand?

/system scheduler
add interval=1w name="Auto reboot"
...
add interval=1w name="Auto package update"
...
add interval=1w name="Auto firmware upgrade"
...
 
RandomKappaUsr
newbie
Topic Author
Posts: 39
Joined: Thu Oct 15, 2020 8:51 pm

Re: Changes on the configuration - security

Sat Jun 05, 2021 2:23 pm

I have verified this setup further and I have found 2 minor issues so far...

1. even though I am very close to 5GHz HAP-AC2, it does not switch to 5GHz and still keeps channel 6 2,4 GHz
any ways to fix this?

2. I am connected to Cloudflare DNS + DoH and while verifying my settings, 50% of the time it shows the following:
Screenshot 2021-06-05 131927.png

however upon refreshing, it shows the OK result
Screenshot 2021-06-05 132109.png
Is this bad, what can I do to fix it? I have DNS set also in my DHCP server, shall I remove it and keep it only in section where I configure DoH?
Screenshot 2021-06-05 132213.png

Thanks!
 
RandomKappaUsr
newbie
Topic Author
Posts: 39
Joined: Thu Oct 15, 2020 8:51 pm

Re: Changes on the configuration - security

Sat Jun 05, 2021 2:23 pm

> You are creating problems for yourself:
>
> NO AUTOREBOOT!!!
> NO AUTOUPGRADE!!!
> understand?
>
> /system scheduler
> add interval=1w name="Auto reboot"
> ...
> add interval=1w name="Auto package update"
> ...
> add interval=1w name="Auto firmware upgrade"
> ...

Oh, okay sir, didn't know this is bad.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Changes on the configuration - security

Sat Jun 05, 2021 2:27 pm

dns must be set on dhcp-server network
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Changes on the configuration - security

Sat Jun 05, 2021 2:28 pm

> 1. even though I am very close to 5GHz HAP-AC2, it does not switch to 5GHz and still keeps channel 6 2,4 GHz
> any ways to fix this?

WiFi is not GSM
 
RandomKappaUsr
newbie
Topic Author
Posts: 39
Joined: Thu Oct 15, 2020 8:51 pm

Re: Changes on the configuration - security

Sat Jun 05, 2021 2:31 pm

> dns must be set on dhcp-server network

Screenshot 2021-06-05 133018.png
These are the current settings; does anything else need to be done?

thank you
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Changes on the configuration - security

Sat Jun 05, 2021 2:34 pm

About this, it is OK.
I do not see any security issue.
I must go away; I will reply later if you post other questions.
Bye
 
RandomKappaUsr
newbie
Topic Author
Posts: 39
Joined: Thu Oct 15, 2020 8:51 pm

Re: Changes on the configuration - security

Sat Jun 05, 2021 2:37 pm

> About this, it is OK.
> I do not see any security issue.
> I must go away; I will reply later if you post other questions.
> Bye

Thanks, by "WiFi is not GSM" you mean that I cannot configure the 5 over 2,4 preference any better and the client/device will choose as it pleases? :-D
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Changes on the configuration - security

Sat Jun 05, 2021 7:51 pm

Connection to WiFi (both preference of 5 GHz/2.4 GHz and connecting to another device in the same network which has stronger signal) has to be configured in the client, or the client should have your desired behavior by default.

Older clients often prefer 2.4, newer often prefer 5 GHz.
 
RandomKappaUsr
newbie
Topic Author
Posts: 39
Joined: Thu Oct 15, 2020 8:51 pm

Re: Changes on the configuration - security

Sat Jun 05, 2021 9:54 pm

> Connection to WiFi (both preference of 5 GHz/2.4 GHz and connecting to another device in the same network which has stronger signal) has to be configured in the client, or the client should have your desired behavior by default.
>
> Older clients often prefer 2.4, newer often prefer 5 GHz.

Thank you, that kinda makes sense. I have tried it with my Samsung Galaxy S10 so maybe that is why :)

Would you be so kind as to take a look at my original post? Perhaps you also have the knowledge to answer a few of the other questions raised.

Thank you in advance and enjoy your weekend.
 
RandomKappaUsr
newbie
Topic Author
Posts: 39
Joined: Thu Oct 15, 2020 8:51 pm

Re: Changes on the configuration - security

Wed Jun 09, 2021 6:47 pm

Bump
Thx
