optimus0
just joined
Topic Author
Posts: 8
Joined: Tue Jun 07, 2022 11:01 pm

routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 12:09 am

routerboard mikrotik rb211il-rm Warning: Potential Security Risk Ahead
totally noob, so don't just kill me
port 1 internet (pppoe)
port 3 lan connected to a switch/hub
port 5 router

everything "work" wifi and lan, but almost every web i get this error ----Warning: Potential Security Risk Ahead----
# jun/07/2022 13:09:22 by RouterOS 6.49.6
# software id = BUR0-LWZW
#
# model = 2011iL
# serial number = 5BEE04C2A83F
/interface bridge
add admin-mac=4C:5E:0C:EC:73:34 auto-mac=no fast-forward=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether6-master-local
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether7-slave-local
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether8-slave-local
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether9-slave-local
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether10-slave-local
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway \
    keepalive-timeout=60 max-mru=1480 max-mtu=1480 name=pppoe-out1 password=\
    deperito use-peer-dns=yes user=ediles
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge-local name=default
/ppp profile
set *FFFFFFFE local-address=dhcp remote-address=dhcp
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=bridge-local list=discover
add interface=pppoe-out1 list=discover
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6-master-local list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7-slave-local list=mactel
add interface=ether6-master-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=ether9-slave-local list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=ether10-slave-local list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=ether10-slave-local list=mac-winbox
add interface=bridge-local list=mac-winbox
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether2 \
    network=192.168.88.0
/ip dhcp-client
add comment="default configuration" interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=185.18.55.75
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=Bogons
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1
/ip firewall service-port
set ftp disabled=yes
/ppp secret
add name=xx password=xx profile=default-encryption service=pptp
/system clock
set time-zone-autodetect=no time-zone-name=America/Argentina/Rio_Gallegos
/system ntp client
set enabled=yes primary-ntp=45.11.105.243 secondary-ntp=162.159.200.1
/system ntp server
set broadcast=yes enabled=yes
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
help please
thanks
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 12:15 am

The problem is in your PC or your ISP blocked your line because you didn't pay your bill...
The RouterBOARD has nothing to do with it.
 
optimus0
just joined
Topic Author
Posts: 8
Joined: Tue Jun 07, 2022 11:01 pm

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 12:18 am

The problem is in your PC or your ISP blocked your line because you didn't pay your bill...
The RouterBOARD has nothing to do with it.
if i remove the routerboard works perfectly fine
also before reset was working fine too (i have to reset because i didn't have the password for winbox)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 12:22 am

Reading the configuration, nothing is formally wrong, except suspicious pptp...
Use netinstall, because the obsolete configuration probably means that your routerboard is infected from the past...
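
An added example, not part of any post in this thread: a small Python audit of a RouterOS export for the PPTP setting flagged above, going slightly further to check two related exposures (filter drop rules bound to the physical port under a PPPoE client, and a DNS resolver that answers remote requests). `parse_export`, `audit` and the sample excerpt are constructed for illustration, and the checks assume WAN filtering is done only by `in-interface` match.

```python
import re

# Constructed excerpt, trimmed from the export posted in this thread.
SAMPLE = r'''/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway \
    keepalive-timeout=60 name=pppoe-out1 use-peer-dns=yes
/interface pptp-server server
set enabled=yes
/ip dns
set allow-remote-requests=yes servers=185.18.55.75
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
'''

def parse_export(text):
    """Yield (menu, {key: value}) per command, joining backslash continuations."""
    menu = None
    for line in re.sub(r'\\\n\s*', '', text).splitlines():
        line = line.strip()
        if line.startswith('/'):
            menu = line
        elif line and not line.startswith('#'):
            yield menu, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))

def audit(text):
    """Return findings for exposure patterns visible in the export."""
    cmds = list(parse_export(text))
    # Physical port -> PPPoE client interface that carries the routed traffic.
    pppoe = {kv['interface']: kv['name'] for menu, kv in cmds
             if menu == '/interface pppoe-client' and {'interface', 'name'} <= kv.keys()}
    rules = [kv for menu, kv in cmds if menu == '/ip firewall filter']
    drops = [kv for kv in rules if kv.get('action') == 'drop']
    findings = [f"{kv.get('chain')} drop matches {kv['in-interface']}, "
                f"but WAN packets arrive on {pppoe[kv['in-interface']]}"
                for kv in drops if kv.get('in-interface') in pppoe]
    wan_input_dropped = any(kv.get('chain') == 'input' and
                            kv.get('in-interface') in pppoe.values() for kv in drops)
    for menu, kv in cmds:
        if menu == '/interface pptp-server server' and kv.get('enabled') == 'yes':
            findings.append('PPTP server enabled')
        if (menu == '/ip dns' and kv.get('allow-remote-requests') == 'yes'
                and pppoe and not wan_input_dropped):
            findings.append('DNS answers remote requests; no input drop on PPPoE interface')
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE):
        print('-', finding)
```
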
 
optimus0
just joined
Topic Author
Posts: 8
Joined: Tue Jun 07, 2022 11:01 pm

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 12:29 am

Reading the configuration, nothing is formally wrong, except suspicious pptp...
Use netinstall, because the obsolete configuration probably means that your routerboard is infected from the past...
i forgot to mention that if i wait for like a minute or two the website actually loads
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 12:48 am

Wait a minute ... I reread this again:
if i remove the routerboard works perfectly fine
Removed from where?
Where do you put/link the routerboard?
What do you use when the routerboard is not present?

also before reset was working fine too (i have to reset because i didn't have the password for winbox)
But if it is reset, why is there something written in it?
 
optimus0
just joined
Topic Author
Posts: 8
Joined: Tue Jun 07, 2022 11:01 pm

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 1:53 am

Removed from where?
Where do you put/link the routerboard?
What do you use when the routerboard is not present?
i try with an ordinary tplink and works just fine

But if it is reset, why is there something written in it?
have no idea, i only change the connection type to pppoe so i can have internet i do not change anything else
and i know it reset because i was able to config the pppoe

sorry i am a complete noob at this
 
JoeFerreira
just joined
Posts: 5
Joined: Sun Jun 05, 2022 12:20 am

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 6:18 am

"Warning: Potential Security Risk Ahead"
This is a message you are seeing in your browser right?

This is normally a certificate error. Something is wrong with your config and it is interfering with the https traffic and causing a certificate error.
https://support.mozilla.org/en-US/kb/wh ... ecure-mean

look at the certificate and determine the information like the subject name and the issuer.
It is probably coming from your ISP.

another possible reason...

Do you have your Modem/Router from your ISP in Bridge mode?
 
optimus0
just joined
Topic Author
Posts: 8
Joined: Tue Jun 07, 2022 11:01 pm

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 2:56 pm

Do you have your Modem/Router from your ISP in Bridge mode?
total noob please elaborate where do i check that?
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 3:08 pm

@optimus0
The modem behind your MT.
 
optimus0
just joined
Topic Author
Posts: 8
Joined: Tue Jun 07, 2022 11:01 pm

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 3:59 pm

Update: it seems to have been solved by blocking the ports 21, 22, 23 (didn't know about that)
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 4:13 pm

These ports are access ports: FTP, SSH, and TELNET. I cannot see how they can cause your issue unless your device has been compromised already, and they could use these ports through remote access.
Last edited by own3r1138 on Wed Jun 08, 2022 4:22 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 4:19 pm

It is still valid, why do you not do that?
Reading the configuration, nothing is formally wrong, except suspicious pptp...
Use netinstall, because the obsolete configuration probably means that your routerboard is infected from the past...
 
optimus0
just joined
Topic Author
Posts: 8
Joined: Tue Jun 07, 2022 11:01 pm

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 7:27 pm

It is still valid, why do you not do that?
Reading the configuration, nothing is formally wrong, except suspicious pptp...
Use netinstall, because the obsolete configuration probably means that your routerboard is infected from the past...
Ok, got it, I'll try using netinstall
Last edited by optimus0 on Wed Jun 08, 2022 7:34 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 7:30 pm

Well done
 
optimus0
just joined
Topic Author
Posts: 8
Joined: Tue Jun 07, 2022 11:01 pm

Re: routerboard rb211il-rm Potential Security Risk Ahead

Wed Jun 08, 2022 7:34 pm

Yes, thanks, I'll report back after using it
