helplessnoob
just joined
Topic Author
Posts: 5
Joined: Thu Sep 29, 2022 5:17 pm

Mikrotik version greater than 6.44 breaks VNC?

Thu Sep 29, 2022 6:06 pm

I give up! After weeks of pondering and testing we are at our wits' end so I turn to you kind sages of the forum for help.

Here's our situation: We have a bunch of stores, and each store has a Mikrotik router managing the network, which is divided into Trusted and Untrusted networks, fairly standard. Every machine my department sends out (I am in IT) we put TightVNC on so that we can access it fairly quickly should the need arise. TightVNC is especially crucial with the computers we use with advertisement screens, as store employees aren't trained to fix those issues.

Everything was fine two months ago, but as Mikrotik has started updating itself to 6.47, 6.49 and so on we've noticed that we can no longer access any of the untrusted computers on the network managed by Mikrotik.

Our method was simple: we use PuTTY to set up a tunnel to the computer we want to control via Mikrotik's IP, and mirror the VNC port on the target computer to a port on our own. By doing this we are able to connect to the remote computer via localhost:5900. I have attached a dummy example image of our tunnel setup.

This worked for the first month I worked here, but since late August things have started falling apart. We're blocked out of almost every untrusted computer running a mikrotik version greater than 6.44. Most 6.44 connections I tested while writing this work fine. Beyond that, the most common error is this, which appears when you try to VNC to localhost:5900:

PuTTY Fatal Error
Received SSH2_MSG_REQUEST_FAILURE with no outstanding global request.

Followed by the connection closing and putty going inactive. I've seen this error dozens of times across different stores and despite my best efforts I've never been able to figure out what exactly goes wrong. It seems to be an obscure bug.

What do I need to do to figure out this mystery? We need to get access to the computers we are currently locked out of. The only thing the problem-mikrotiks have in common is that they've been updated beyond 6.44. The lowest version I could find above 6.44 is 6.47.10. Was there any update that affected SSH connections in updates starting at 6.45?

I could also use a way to export all the settings from a mikrotik into a document so I can easily compare the working vs the nonworking ones and find the thing we need to change. Does Mikrotik have that ability?

I'm thankful for all and any answers. I am leaving the office now so I won't be able to read any answers until tomorrow.

Best,
Helplessnoob
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik version greater than 6.44 breaks VNC?

Thu Sep 29, 2022 8:23 pm

According to changelogs (https://mikrotik.com/download/changelogs), they did touch SSH a few times, but whether they broke something or not, that's a question. If you suspect they did, then instead of wondering why something remote doesn't work, do a local testing. Minimum config (basically just two subnets and enabled SSH), try different versions, and if it's really broken, it should show.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik version greater than 6.44 breaks VNC?

Thu Sep 29, 2022 8:35 pm

Sounds like you were not keeping the routers up to date.
Curious how the routers update themselves? Setup on some scripts?

Almost sounds like firewall rules got changed in the updates?
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Mikrotik version greater than 6.44 breaks VNC?

Thu Sep 29, 2022 9:12 pm

For what it's worth, I routinely run VNC through my RB4011 that has 6.49.6. When I do it locally from home, the VNC target computer (usually a Raspberry Pi) is not on the same LAN as the computer I am using as the client, so traffic has to pass through the router. The client computer has an IP address that is allowed to access the other LAN. When I access any of the RasPis from the internet, it's similar except there is a port knock procedure that is required to open the port and a DST-NAT in order to get to the VNC on the RasPi.

In other words, I don't see this as a VNC issue as much as a Putty tunnel issue.
Last edited by k6ccc on Thu Sep 29, 2022 9:19 pm, edited 1 time in total.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik version greater than 6.44 breaks VNC?

Thu Sep 29, 2022 9:18 pm

They SSH into the MikroTik and use the forwarding feature to go inside the network.
I wrote they because it seems he's not the only one using those MikroTiks (MikroTik doesn't update by itself ^^).
 
helplessnoob
just joined
Topic Author
Posts: 5
Joined: Thu Sep 29, 2022 5:17 pm

Re: Mikrotik version greater than 6.44 breaks VNC?

Fri Sep 30, 2022 11:51 am

> Sounds like you were not keeping the routers up to date.
> Curious how the routers update themselves? Setup on some scripts?
>
> Almost sounds like firewall rules got changed in the updates?

You're right, my colleague must have updated some of the routers... but that makes the inconsistency of the versioning across the non 6.44 routers really weird.

Any idea how I could export the firewall rules into two files I can compare? I am not the networks person but I'm the only one investigating this right now. Really I just need a "Troubleshooting putty tunnels and firewalls 101" course, does Mikrotik have documentation about something this specific?
 
helplessnoob
just joined
Topic Author
Posts: 5
Joined: Thu Sep 29, 2022 5:17 pm

Re: Mikrotik version greater than 6.44 breaks VNC?

Fri Sep 30, 2022 11:52 am

> For what it's worth, I routinely run VNC through my RB4011 that has 6.49.6. When I do it locally from home, the VNC target computer (usually a Raspberry Pi) is not on the same LAN as the computer I am using as the client, so traffic has to pass through the router. The client computer has an IP address that is allowed to access the other LAN. When I access any of the RasPis from the internet, it's similar except there is a port knock procedure that is required to open the port and a DST-NAT in order to get to the VNC on the RasPi.
>
> In other words, I don't see this as a VNC issue as much as a Putty tunnel issue.

Yeah it probably is a tunnel issue, as PuTTY crashes when the connection and the error appears. Any idea where I could go poking?
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Mikrotik version greater than 6.44 breaks VNC?

Fri Sep 30, 2022 1:18 pm

> They SSH into the MikroTik and use the forwarding feature to go inside the network.
> I wrote they because it seems he's not the only one using those MikroTiks (MikroTik doesn't update by itself ^^).

I knew one particularly dumb bastard who had a scheduler to check for updates EFD, and apply them at midnight.

Automagically you might say.

It was a beautiful thing when Mikrotik made the change from master slave to bridge. Knocked out a bunch of units and required him to go onsite to fix them.

Moving on from there... It's been over 10 years since I used tightvnc and UltraVNC.

I used to either
1. VPN to the router then open the VNC session.
Or
2. Have a nat rule that I would ENABLE WHILE IN USE ONLY... to allow a port forward FROM MY CURRENT IP ADDRESS, to the computer I was controlling.

For years I would need to get into computers that ended up behind ISP gateways knocked out of bridge. Or carriers that flipped to carrier grade NAT. Or any other stupid thing.

I moved to paying for TeamViewer. At $700 a year it's not cheap... But it's a pretty clear business write-off.

Particularly useful when I have to use a field tech's hotspot in their phone to reach their computer. Then that computer is plugged into a network that is down or somehow not publicly reachable.
 
helplessnoob
just joined
Topic Author
Posts: 5
Joined: Thu Sep 29, 2022 5:17 pm

Re: Mikrotik version greater than 6.44 breaks VNC?

Wed Oct 05, 2022 3:23 pm

I am still at a complete loss of direction with this issue. I got the .rsc file for a router that works and a router that doesn't, and they're identical. They're set up the exact same way, yet one of them rejects putty tunnels and the other doesn't. It's all in the version, there are no differences in the actual programming. Mikrotik being greater than 6.44 breaks ssh tunnelling. There's nothing else I can find, it's the same router, same setup, same everything. Moreover, the Mikrotik routers' logs are blank, so I can't see any output from the putty error. Can I set it to log responses to incoming connections?

The error this issue causes when a tunnel fails is the most mysterious of them all. "SSH2_MSG_REQUEST_FAILED" doesn't return any results on google, it's as if this error hasn't been seen by anybody else. What do I do? How do I make putty tunnels work with Mikrotik versions greater than 6.44?

Best,
Helplessnoob
Last edited by helplessnoob on Wed Oct 05, 2022 3:34 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik version greater than 6.44 breaks VNC?

Wed Oct 05, 2022 3:27 pm

try, after you do a complete backup:
/ip ssh export-host-key key-file-prefix=backup_host_key
/ip ssh regenerate-host-key
 
helplessnoob
just joined
Topic Author
Posts: 5
Joined: Thu Sep 29, 2022 5:17 pm

Re: Mikrotik version greater than 6.44 breaks VNC?

Wed Oct 05, 2022 3:37 pm

I will give this a shot once our network technician is back from vacation and we can do it safely. Thank you!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik version greater than 6.44 breaks VNC?

Wed Oct 05, 2022 3:40 pm

What does /ip ssh export show on those routers? The port forwarding became configurable since some ROS version:

[me@myTik] > ip ssh set forwarding-enabled=<Tab>
ForwardingEnabled ::= both | local | no | remote
remote -- allow clients to listen on server and forward incoming connections
local -- allow clients to originate connections from server


And the default is no.

The PuTTY error you get appears when you try to activate port forwarding that the server doesn't permit.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik version greater than 6.44 breaks VNC?

Wed Oct 05, 2022 3:44 pm

@sindy, Notice:
> I got the .rsc file for a router that works and a router that doesn't, and they're identical

@helplessnoob
RouterOS version is the same?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik version greater than 6.44 breaks VNC?

Wed Oct 05, 2022 3:54 pm

Private changelog:

/ip ssh
already on 6.34.6: always-allow-password-login forwarding-enabled strong-crypto
added on 6.36.x: host-key-size
added on 6.44.x: allow-none-crypto
changed on 6.45.x: allow-none-crypto change default value from yes to no
changed on 6.45.x: forwarding-enabled change default value from remote to no
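
Added example, not part of any post in this thread: a Python sketch of why two exports can be identical while SSH forwarding differs, and how to audit the effective `forwarding-enabled` value across a fleet. It assumes that RouterOS `export` omits settings left at their default, that the .rsc header carries `by RouterOS <version>`, and that the defaults are the ones listed in the changelog post above; the sample exports are constructed.

```python
import re

def default_forwarding(version):
    # Defaults as given in the thread's changelog post (assumption):
    # "remote" before 6.45, "no" from 6.45 onwards.
    major, minor = (int(p) for p in version.split(".")[:2])
    return "remote" if (major, minor) < (6, 45) else "no"

def config_body(rsc_text):
    """Export lines without comments (the header carries date and version)."""
    return [l for l in rsc_text.splitlines() if l.strip() and not l.startswith("#")]

def effective_forwarding(rsc_text):
    """Return (version, forwarding-enabled value, 'explicit' or 'default')."""
    header = re.search(r"by RouterOS (\d+(?:\.\d+)+)", rsc_text)
    if not header:
        raise ValueError("no RouterOS version header in export")
    version = header.group(1)
    # Long export lines are wrapped with a trailing backslash; rejoin them.
    text = re.sub(r"\\\r?\n\s*", "", rsc_text)
    in_ssh, value = False, None
    for line in config_body(text):
        line = line.strip()
        if line.startswith("/"):  # a menu path starts a new section
            in_ssh = line == "/ip ssh" or line.startswith("/ip ssh ")
        if in_ssh:
            m = re.search(r"\bforwarding-enabled=(\S+)", line)
            if m:
                value = m.group(1)
    if value is not None:
        return version, value, "explicit"
    # Nothing exported for this setting: the version's default applies.
    return version, default_forwarding(version), "default"

# Constructed sample exports (not taken from the thread's routers).
OLD = """# sep/29/2022 18:06:00 by RouterOS 6.44
/ip service
set telnet disabled=yes
"""
NEW = OLD.replace("RouterOS 6.44", "RouterOS 6.47.10")
EXPLICIT = NEW + "/ip ssh\nset forwarding-enabled=remote\n"

if __name__ == "__main__":
    print("bodies identical:", config_body(OLD) == config_body(NEW))
    for name, rsc in (("old", OLD), ("new", NEW), ("explicit", EXPLICIT)):
        print(name, effective_forwarding(rsc))
```

Routers reported as `no` by default are the ones where forwarding through SSH is refused; `/ip ssh print` on the router shows the value actually in force.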
