@anav:
as long as you had at least one dose of the vaccine
All hail Ausgov... I don't expect to be eligible for another several months
@rextended: My point was to prove there is nothing to be afraid of :D But I can't say I don't appreciate your insight. Most of the spotted issues are remnants of testing (who has time for a lab, right?) or deprecated settings:
for speed I suggest you to set protocol-mode=none
Oh, no no, I am not giving up (R)STP on my LAN bridge. I know why you suggested that - some switch chips (namely the Realtek present in the fancy shiny RB4011) don't support (R)STP with HW offload, but that's not the case for the hAP ac2 and Atheros 8327. Anyway, I don't really care about speed because the router has plenty of power. I even disabled HW offload on some ports because that makes my life easier when packet sniffing has to occur.
and Loopback is ... I don't even know.. I reckon it is a remnant of some uber-genius idea which I abandoned ..
allow-fast-path=no is wanted?
/interface gre add allow-fast-path=no disabled=yes name=gre-tunnel1 remote-address=BBB2.REDACTED-domain.org
Just a remnant of some old config from when I experimented with GRE. The whole GRE interface is disabled anyway and I should probably delete it.
i suggest you to remove all IP than end with 0 or 255
/ip pool add name=AAA.guest ranges=172.17.0.10-172.17.255.254
wow, good spot! Thanks for that. I made my life easier after hosting a 5k+ event and running out of the 253 addresses of a normal /24 network :D I completely forgot that some devices may not understand anything other than /24 networks.
dude right is obsolete
uhm.. thanks I guess? I should read more about it.
disabled hw offload is wanted?
Absolutely. It does not slow things down too much and this device is mainly a router. Switching does not need HW speed at all because 99% of the network is behind a single port, so the traffic would go to the CPU (to the WAN) anyway. The other port (NBN - our WAN) is in its own single-port bridge because it makes my life easier if I need to change the physical port. Standard practice I started using years ago.
on this are missing DNS, is wanted?
/ip dhcp-server network add address=10.1.175.96/27 gateway=10.1.175.97
If the DNS field is missing, RouterOS will automatically pass through its own DNS. This is a VoIP network with only ALE 8028 phones operating on L2 - I simply did not bother with setting it up correctly. This device isn't even the router/uplink for the VoIP network. The uplink goes directly to the ISP's router.
better change
/ip ssh set allow-none-crypto=yes forwarding-enabled=remote
cool! Thanks. I didn't even look at that.
why no?
/ipv6 nd set [ find default=yes ] advertise-dns=no
IPv6 isn't active anyway because my ISP's router is misconfigured.
something strange here, removed bridge and orphaned ppp profile?
Correct. During the covid lockdown I had to pull reception's phone offsite and created a transparent L2 link with L2TP
better disable auto-detect
/system clock set time-zone-name=Australia/Hobart
excellent point!
it is wanted?
/tool bandwidth-server set authenticate=no
Not sure if wanted, but it is intentional. I remember some time ago, I noticed that authenticated results differ from unauthenticated.
@jvanhambelgium:
Under the /ip -> /services menu, I guess "SSH" is enabled without any "filter" ? So basically you allow SSH from anywhere. This is evaluated before your own firewall rule, hence why a potential hacker(bot/script) still gets a "login prompt" and can give it a try
That is a very bold claim. I admit I did not test it recently, but unless MikroTik completely broke the packet flow, it can't be true. Firewall rules should be applied before it hits the service (winbox/ssh etc) and it is generally accepted best practice to block "all other" traffic after allowing required flows (e.g. input from LAN, input from mgmt VLAN etc). That way, no login attempts should occur.
In my experience, if Russians are trying to log in, all management interfaces are fully exposed to the whole world and that can't be caused by anything else than a seriously misconfigured firewall. The basic (default/factory) firewall is pretty good nowadays, but for people who want to go further, MikroTik wrote a really nice guide to secure their router
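Added example (not from anyone in this thread and not a MikroTik tool): a small Python linter for a RouterOS `/export` that mechanically checks the points raised above - a DHCP pool range that crosses .0/.255 host addresses (and how to rewrite it as per-/24 ranges), `allow-none-crypto=yes` and SSH forwarding, the unauthenticated bandwidth server, and whether the firewall input chain actually ends with a catch-all drop, which is what the "no login prompt for strangers" argument relies on. The export text below is constructed for the example, modelled on the quoted lines; the parser only understands simple `/path add|set key=value` lines (no quoted values with spaces), which is an assumption, not a full RouterOS grammar.

```python
"""Minimal RouterOS export linter (added example, not part of the thread)."""
import ipaddress
import re

# Constructed sample export, modelled on the lines quoted in the thread.
SAMPLE_EXPORT = """\
/ip pool add name=AAA.guest ranges=172.17.0.10-172.17.255.254
/ip pool add name=office ranges=10.1.175.100-10.1.175.120
/ip ssh set allow-none-crypto=yes forwarding-enabled=remote
/tool bandwidth-server set authenticate=no
/ip firewall filter add chain=input action=accept connection-state=established,related
/ip firewall filter add chain=input action=accept in-interface-list=LAN
/ip firewall filter add chain=input action=drop disabled=yes
"""

# '/menu path' (lazy), then the verb, then the key=value arguments.
LINE_RE = re.compile(r'^(/\S+(?:\s+\S+)*?)\s+(add|set)\s+(.*)$')
KV_RE = re.compile(r'(\S+?)=(\S+)')


def parse_export(text):
    """Return [(path, verb, {key: value}), ...] for each parseable line.
    Assumption: no quoted values containing spaces (fine for this sample)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), dict(KV_RE.findall(m.group(3)))))
    return rows


def split_pool_range(rng):
    """Split 'first-last' into per-/24 sub-ranges that skip the .0 and .255
    hosts, i.e. the addresses rextended suggested removing from the pool."""
    parts = rng.split('-', 1)
    first = int(ipaddress.IPv4Address(parts[0]))
    last = int(ipaddress.IPv4Address(parts[-1]))
    out = []
    cur = first
    while cur <= last:
        base = cur & ~0xFF                     # start of this /24 block
        lo, hi = max(cur, base + 1), min(last, base + 254)
        if lo <= hi:
            out.append(f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}")
        cur = base + 256
    return out


def lint(text):
    """Return a list of human-readable findings for the export text."""
    findings = []
    input_rules = []
    for path, _verb, kv in parse_export(text):
        if path == '/ip pool':
            for rng in kv.get('ranges', '').split(','):
                fixed = split_pool_range(rng)
                if fixed != [rng]:
                    findings.append(f"pool {kv.get('name')}: {rng} includes .0/.255 hosts; "
                                    f"split into {len(fixed)} ranges ({fixed[0]} ... {fixed[-1]})")
        elif path == '/ip ssh':
            if kv.get('allow-none-crypto') == 'yes':
                findings.append('ssh: allow-none-crypto=yes permits unencrypted sessions')
            if kv.get('forwarding-enabled', 'no') != 'no':
                findings.append(f"ssh: forwarding-enabled={kv['forwarding-enabled']} "
                                'lets SSH users relay TCP through the router')
        elif path == '/tool bandwidth-server' and kv.get('authenticate') == 'no':
            findings.append('bandwidth-server: authenticate=no lets anyone who reaches it run load tests')
        elif path == '/ip firewall filter' and kv.get('chain') == 'input' \
                and kv.get('disabled') != 'yes':
            input_rules.append(kv)          # only enabled rules count
    # The "firewall before service" argument only holds with a final drop/reject.
    if not input_rules or input_rules[-1].get('action') not in ('drop', 'reject'):
        findings.append('firewall: input chain does not end with a catch-all drop')
    return findings


if __name__ == '__main__':
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real `/export` saved to a file and each finding maps to one of the quoted remarks; the disabled drop rule in the sample is there on purpose, to show that a drop which exists but is disabled still leaves the input chain open.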