> Both my wAP AX's were supplied with 7.15.x.
Previous poster omitted the fact that I did an upgrade between unpacking and noticing this "challenge".
> I believe he just upgraded to the latest beta without checking what the impact would be and only learned of this change after.
I know quite well what I'm doing and why I'm doing it.
This particular case is a user problem not system problem.
> Presumably this is part of what is driving the ideological position of device-mode:
> https://blog.ovhcloud.com/the-rise-of-p ... turn-evil/
And that's part of the problem: we don't know what's driving the device-mode changes (i.e. the threat profile), beyond platitudes like blocking "dangerous features". Some rational explanation of the concerns would be good. The physical presence test changes the flexibility of your routers, and their value.
You misunderstand. This kind of "invalid" packet is caused by the connection tracking entry in the router having already been removed, while the system (or the remote) is still sending related traffic. It can even cause leaking of internal addresses, because in that case the corresponding NAT action isn't performed either.
It is a known problem. The solution is either:
- do not log actions of the "match invalid" firewall line
- drop packets with state invalid, protocol tcp, flag ACK, without logging, or reject them with "TCP Reset", then drop remaining invalid packets with log.
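As an added illustration (not the post's own rules and not RouterOS code), here is a small Python model of the situation the post describes: a toy connection tracker whose entries expire, and the two chain orderings, a plain "drop invalid with log" chain versus the ordering suggested above. The packets, flow tuples and the 30-second timeout are constructed for the demonstration. It shows that the late ACKs are "invalid" only because their tracking entry is gone, and that placing the unlogged ACK rule ahead of the logged one is what keeps them out of the log while a genuinely malformed packet is still recorded.

```python
# Added example, not from the forum post and not RouterOS code: a toy model of
# connection tracking plus the two firewall orderings discussed above.
# Flows, timestamps and the timeout are constructed for the demonstration.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

Flow = Tuple[str, str, int, int]  # (src, dst, sport, dport)


@dataclass(frozen=True)
class Packet:
    t: float               # arrival time in seconds (constructed clock)
    proto: str             # "tcp" or "udp"
    flags: FrozenSet[str]  # TCP flags, e.g. {"syn"}, {"ack"}; empty for UDP
    flow: Flow


class ConnTracker:
    """Minimal conntrack: a flow is remembered for `timeout` seconds after its
    last packet. A packet for an unknown flow that does not open one (TCP SYN
    or a first UDP datagram) is "invalid": the entry was already removed, but
    traffic for it keeps arriving, which is the case the post describes."""

    def __init__(self, timeout: float) -> None:
        self.timeout = timeout
        self.last_seen: Dict[Flow, float] = {}

    def state(self, pkt: Packet) -> str:
        # Expire stale entries first (the "entry already removed" case).
        self.last_seen = {f: ts for f, ts in self.last_seen.items()
                          if pkt.t - ts <= self.timeout}
        if pkt.flow in self.last_seen:
            self.last_seen[pkt.flow] = pkt.t
            return "established"
        if pkt.proto == "udp" or pkt.flags == frozenset({"syn"}):
            self.last_seen[pkt.flow] = pkt.t
            return "new"
        return "invalid"


@dataclass
class Rule:
    comment: str
    action: str   # "accept", "drop" or "reject"
    log: bool
    match: Callable[[Packet, str], bool]


def accept_known() -> Rule:
    return Rule("accept established", "accept", False,
                lambda p, s: s == "established")


def accept_new() -> Rule:
    return Rule("accept new", "accept", False, lambda p, s: s == "new")


def naive_chain() -> List[Rule]:
    """One logged 'drop invalid' rule: every stale ACK becomes a log line."""
    return [accept_known(),
            Rule("drop invalid (logged)", "drop", True,
                 lambda p, s: s == "invalid"),
            accept_new()]


def recommended_chain(stale_ack_action: str = "drop") -> List[Rule]:
    """Ordering from the post: silently drop (or reject with a TCP reset)
    invalid TCP packets carrying ACK, then drop and log whatever is left."""
    return [accept_known(),
            Rule("stale TCP ACK (not logged)", stale_ack_action, False,
                 lambda p, s: s == "invalid" and p.proto == "tcp"
                 and "ack" in p.flags),
            Rule("drop remaining invalid (logged)", "drop", True,
                 lambda p, s: s == "invalid"),
            accept_new()]


def run_chain(chain: List[Rule], packets: List[Packet],
              timeout: float = 30.0) -> Tuple[List[str], List[str]]:
    """Return (verdict per packet, log lines produced by the chain)."""
    tracker = ConnTracker(timeout)
    verdicts: List[str] = []
    log: List[str] = []
    for pkt in packets:
        state = tracker.state(pkt)
        for rule in chain:
            if rule.match(pkt, state):
                if rule.log:
                    log.append(f"{rule.comment}: {pkt.proto} "
                               f"{sorted(pkt.flags)} {pkt.flow}")
                verdicts.append(rule.action)
                break
        else:
            verdicts.append("drop")  # assumed default policy for the model
    return verdicts, log


def sample_packets() -> List[Packet]:
    """Constructed traffic: a handshake, two ACKs arriving long after the
    entry expired, and one packet with a bogus flag combination."""
    flow: Flow = ("10.0.0.5", "203.0.113.10", 51000, 443)
    return [
        Packet(0.0, "tcp", frozenset({"syn"}), flow),
        Packet(0.1, "tcp", frozenset({"ack"}), flow),
        Packet(100.0, "tcp", frozenset({"ack"}), flow),          # stale ACK
        Packet(100.2, "tcp", frozenset({"ack", "fin"}), flow),   # stale FIN/ACK
        Packet(101.0, "tcp", frozenset({"syn", "fin"}),
               ("198.51.100.7", "10.0.0.5", 4444, 22)),          # malformed
    ]


if __name__ == "__main__":
    for name, chain in (("naive", naive_chain()), ("recommended", recommended_chain())):
        verdicts, log = run_chain(chain, sample_packets())
        print(name, verdicts, f"{len(log)} log line(s)")
        for line in log:
            print("  ", line)
```

With the same five packets the naive chain writes three log lines (the two stale ACKs plus the malformed packet), while the recommended ordering writes one; the verdicts are identical either way, so the change only affects log noise, not what gets through.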
> Presumably this is part of what is driving the ideological position of device-mode:
> https://blog.ovhcloud.com/the-rise-of-p ... turn-evil/
Up to a point. The botnet in that article was composed of high-end routers (CCR1036, CCR1072, CCR2004, CCR2116). Those have no firewall or protections whatsoever, since they are professional models. Default configuration does not allow accessing webfig from WAN.
> Default configuration does not allow accessing webfig from WAN.
It did with my rb5009 with the default configuration.
> It did with my rb5009 with the default configuration.
The RB5009s are already in the "prosumer" series. They come clean, without firewall or rules. Smaller devices (like hEX) come preconfigured with a firewall.
> Up to a point. The botnet in that article was composed of high-end routers (CCR1036, CCR1072, CCR2004, CCR2116). Those have no firewall or protections whatsoever, since they are professional models. Default configuration does not allow accessing webfig from WAN.
Yeah, that's what makes the focus on device-mode so ridiculous, when devices use insecure protocols by default. There are home users that use "professional" routers, and professionals that use "home" routers... The idea that the security model depends on some marketing definition of expected use cases is flawed.
> Yeah, that's what makes the focus on device-mode so ridiculous, when devices use insecure protocols by default. There are home users that use "professional" routers, and professionals that use "home" routers... The idea that the security model depends on some marketing definition of expected use cases is flawed.
MikroTik should probably revise the policy on having default configuration?
> Up to a point. The botnet in that article was composed of high-end routers (CCR1036, CCR1072, CCR2004, CCR2116). Those have no firewall or protections whatsoever, since they are professional models.
> MikroTik should probably revise the policy on having default configuration?
While it can be understood that a CCR does not have a "forward" firewall (and "NAT"), for sure it should always have an "input" firewall.
So it does not hurt to have an example of that in the default config.
> As a new web view, the wireguard peer QRcode is still like this:
> 截图 2024-11-12 14-56-01.png
That is most likely a font (or encoding) issue... you may try to copy the text (the QR code is actually text) and paste it into Notepad and set the font to Consolas, regular, and the script to Western...
> Would it not be better to present the QR code as an image? Then font does not matter.
Not if you also want to display the QR code in a terminal :)
█▀▀▀▀▀█ ▄ █ █ █▀▀▀▀▀█
█ ███ █ ▀ ▀▀▄ █ ███ █
█ ▀▀▀ █ ███▀▀ █ ▀▀▀ █
▀▀▀▀▀▀▀ █ ▀ ▀ ▀▀▀▀▀▀▀
▀▀ █▄▄▀▀ ██▀ ███ ▀█▄
█▄▄▀▄█▀ ▄ ▀▄ ▄▀▄█▀▄█
▀▀▀▄▄ █ ▀ ▀▀ ▄
█▀▀▀▀▀█ ▀ ███ ▀█▀▀▀█
█ ███ █ ▄▀█ ▀ ▄▄▄▄▄▄
█ ▀▀▀ █ ▄█▀▄▀▄▀ ▀ ▀ ▀
▀▀▀▀▀▀▀ ▀ ▀ ▀▀ ▀ ▀
> Hey Mikrotik, it's already been a month since beta4, and no new releases since, are you okay? :-)
Well, I hope they are fixing wireless problems; give them as much time as needed..
> I hope that MikroTik will also fix MLAG. In fact, all of us who have purchased the CRS520 and CRS518 are eagerly awaiting ROS 7.17 and stable MLAG.
What about MLAG specifically doesn't work for you? I have it working with a 354 and 312 in "lab production" at my desk (runs my home and office) and in production two 317's in two different data center stacks. I think I remember only one time the 354 got into a funky state after I mistakenly enabled/disabled L3HW offload (which isn't supported and breaks things).
> That is most likely a font (or encoding) issue... you may try to copy the text (the QR code is actually text) and paste it into Notepad and set the font to Consolas, regular, and the script to Western...
> As a new web view, the wireguard peer QRcode is still like this:
> 截图 2024-11-12 14-56-01.png
Are you serious?
wireguard.png
> Hey Mikrotik, it's already been a month since beta4, and no new releases since, are you okay? :-)
+1 :-)
> Using a power adapter that was controlled by ping. If it for some reason lost ping to an IP (e.g. remote site) for some time, it would remove the power, wait a fixed time, and put the power back.
> Let's look at my mountaintop CCR2116 as an example. We can get there relatively easily from June to October.
Yeah, that is called a watchdog. A simple Google search gives the full portfolio of devices, e.g. https://www.netio-products.com/en/gloss ... p-watchdog
> Considering the amount of flak they've gotten in this thread, I would be surprised to see any new public beta this year.
Did not age well.
*) disk - add support for SWAP, currently allowed on any block device with "set x swap=yes" when container package is installed (CLI only);
> Did not age well.
> Considering the amount of flak they've gotten in this thread, I would be surprised to see any new public beta this year.
It was a bait. You can thank me later 😉
> What about MLAG specifically doesn't work for you? I have it working with a 354 and 312 in "lab production" at my desk (runs my home and office) and in production two 317's in two different data center stacks. I think I remember only one time the 354 got into a funky state after I mistakenly enabled/disabled L3HW offload (which isn't supported and breaks things).
> I hope that MikroTik will also fix MLAG. In fact, all of us who have purchased the CRS520 and CRS518 are eagerly awaiting ROS 7.17 and stable MLAG.
I'm not sure if this topic is entirely relevant here, but I would like to clarify what I mean when I say I hope MLAG will be fixed.
> satboxbg
> please make a separate topic. we only discuss changes between latest and previous beta in this topic.
Thank you for the note, normis, and I apologize.
*) bonding - hide mlag-id property on non-compatible devices;
*) bridge - added message for inactive port reason;
*) bridge - added priority setting to manually elect primary MLAG peer (CLI only);
*) bridge - fixed MVRP registrar and applicant port options;
*) bridge - prioritize MAC selection from Ethernet interfaces when using auto-mac feature;
*) bridge - re-synchronize MLAG system-id when bridge MAC changes;
*) bridge - update dynamic MSTI priority value when changing configuration;
/system package update check-for-updates
/system package update install
> *) vpls - added support for bridge-pvid configuration;
Great news! Thanks Mikrotik Team!
*) ovpn-client - added tls-crypt, tls-crypt-v2 support;
*) dhcpv6-server - added IPv6 address delegation support;
/ip dns static
add address-list=DNS_DMN-BYPASS disabled=yes forward-to=8.8.8.8 regexp="(\\.|^)[a-zA-Z0-9]+\\.[a-z][a-z]+\$" type=FWD
add address-list=DNS_DMN-BYPASS disabled=yes forward-to=8.8.8.8 regexp="(\\.|^)[a-zA-Z0-9][-a-zA-Z0-9]+\\.[a-z][a-z]+\$" type=FWD
*) dhcpv6-server - added IPv6 address delegation support;
I'm trying this new address delegation support but no clients would get IPv6 from DHCPv6.
Here's my config:
[cesar@RB5009] > /ipv6/dhcp-server/export
/ipv6 dhcp-server
add address-pool="" interface=bridge lease-time=1d name=dhcpv6 prefix-pool=pppoe
[cesar@RB5009] > /ipv6/nd/export
/ipv6 nd
set [ find default=yes ] advertise-dns=no interface=bridge managed-address-configuration=yes
The IPv6 pool is a /64. IPv6 from RA works just fine, but DHCPv6 doesn't even with managed-address-configuration=yes.
Other RouterOS' in the same network with /ipv6/dhcp-client/add request=address are stuck in status=searching....
Am I missing something?
2024-11-14 20:55:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 20:55:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
2024-11-14 21:00:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 21:00:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
2024-11-14 21:05:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 21:05:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
2024-11-14 21:10:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 21:10:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
2024-11-14 21:15:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 21:15:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
2024-11-14 21:20:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 21:20:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
2024-11-14 21:25:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 21:25:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
2024-11-14 21:30:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 21:30:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
2024-11-14 21:35:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 21:35:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
2024-11-14 21:40:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 21:40:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
2024-11-14 21:45:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 21:45:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
2024-11-14 21:50:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 21:50:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
2024-11-14 21:55:38 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f started
2024-11-14 21:55:39 container,info,debug container cd2ee075-7e28-4973-ab16-05e6d32fb75f exited, status: 0
> You must use address-pool instead of prefix-pool, and the address pool's specified prefix-length must be /128. Other than that you have gotten the idea correctly - IPv6/ND must be used to advertise the managed network for end devices.
So basically something like that? If I would like to hand out, for example, fd23:dead:beef:babe:0000 up to fd23:dead:beef:babe:ffff for clients?
/ipv6/pool/add name=mypool prefix=fd23::dead:beef:babe:0/112 prefix-length=128
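To make the constraint in the answer concrete, here is an added Python model of a RouterOS-style IPv6 pool (a prefix plus the prefix-length of what the pool hands out). It is not RouterOS code and does not claim to be its implementation; the pool names, prefixes and client IDs are constructed. It shows why the /64 PPPoE prefix pool from the question can hand out exactly one /64 and no individual addresses, while the /112 pool with prefix-length=128 yields the 65536 single addresses the follow-up asks about, and it handles pool exhaustion and repeated requests from the same client.

```python
# Added example, not RouterOS code: a model of an IPv6 pool that hands out
# sub-prefixes of `prefix_length` bits from `prefix`. Names, prefixes and
# client identifiers below are constructed for the demonstration.
import ipaddress
from typing import Dict, Iterator, List


class V6Pool:
    """Hands out consecutive sub-prefixes of `prefix_length` bits from `prefix`."""

    def __init__(self, name: str, prefix: str, prefix_length: int) -> None:
        self.name = name
        self.network = ipaddress.IPv6Network(prefix, strict=False)
        if not self.network.prefixlen <= prefix_length <= 128:
            raise ValueError(
                f"{name}: prefix-length must be between "
                f"{self.network.prefixlen} and 128, got {prefix_length}")
        self.prefix_length = prefix_length
        self._free: Iterator[ipaddress.IPv6Network] = \
            self.network.subnets(new_prefix=prefix_length)
        self.leases: Dict[str, ipaddress.IPv6Network] = {}

    def capacity(self) -> int:
        """Number of leases the pool can hand out in total."""
        return 2 ** (self.prefix_length - self.network.prefixlen)

    def allocate(self, client_id: str) -> ipaddress.IPv6Network:
        """Return the client's existing lease or the next free sub-prefix."""
        if client_id in self.leases:
            return self.leases[client_id]
        try:
            sub = next(self._free)
        except StopIteration:
            raise RuntimeError(f"{self.name}: pool exhausted "
                               f"({self.capacity()} leases)") from None
        self.leases[client_id] = sub
        return sub


def usable_as_address_pool(pool: V6Pool) -> bool:
    """The constraint from the answer: an address pool hands out /128s."""
    return pool.prefix_length == 128


def lease_address(pool: V6Pool, client_id: str) -> str:
    """Hand a single IPv6 address (a /128) to a DHCPv6 client."""
    if not usable_as_address_pool(pool):
        raise ValueError(f"{pool.name} hands out /{pool.prefix_length} "
                         "prefixes; an address pool needs prefix-length=128")
    return str(pool.allocate(client_id).network_address)


def demo() -> List[str]:
    # The pool from the answer: fd23::dead:beef:babe:0 .. :ffff, one /128 each.
    addr_pool = V6Pool("mypool", "fd23::dead:beef:babe:0/112", 128)
    handed = [lease_address(addr_pool, f"duid-{i}") for i in range(3)]
    # The /64 PPPoE prefix pool from the question: one prefix, no addresses.
    prefix_pool = V6Pool("pppoe", "fd23:dead:beef:babe::/64", 64)
    try:
        lease_address(prefix_pool, "duid-0")
    except ValueError as err:
        handed.append(f"rejected: {err}")
    return handed


if __name__ == "__main__":
    for line in demo():
        print(line)
```

`demo()` returns the first three addresses handed out from the /112 pool and then the rejection text for the /64 pool; `capacity()` gives 65536 for the former and 1 for the latter, which is the whole difference between "prefix delegation" and "address delegation" in this model.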
> Hmmm ... what does /interface/wifi/radio/reg-info country=Czech show on your device? On my audience (running 7.15.3) it says
> ranges: 2402-2482/20
> 5170-5250/23/indoor
> 5250-5330/23/indoor/dfs
> 5490-5710/30/dfs
> Which more or less corresponds with the limits from "your" document. BTW the numbers in the above table are EIRP; actual Tx power is reduced by antenna gain. BTW2 if the chipset capability is lower, then that's a limitation which can't be circumvented.
Those values are correct and the same for me, but there are 3 issues:
1) In the case of 5490-5710 I have only a maximal power of 26 dBm with a 2.5 dBi antenna.
2) I can not set up, manually or automatically, any of the frequencies beyond 5600 with a 20 MHz channel, beyond 5580 with a 20/40 MHz channel, or beyond 5560 with a 20/40/80 MHz channel. If I try, there is only the message "no available channels".
3) And in addition, why is there a 160 MHz channel, but in reality I can not set it up? Everything with wifi-qcomm-ac.
[admin@MikroTik] > interface/wifi/radio/reg-info country=Czech
number: 1
ranges: 2402-2482/20dBm/40MHz
5170-5250/23dBm/160MHz/indoor
5250-5330/23dBm/160MHz/indoor/dfs
5490-5710/30dBm/160MHz/dfs
> Anybody else has an issue with connection to the internet after upgrade? (I'm using pppoe and there are some changes for PPP) - SUP-171366
Yes, I have the same problem with the pppoe ISP connection on one of the remote routerboards. It looks like it's fine, but there's no internet. After downgrading to the stable channel everything works fine again.
> Anybody else has an issue with connection to the internet after upgrade? (I'm using pppoe and there are some changes for PPP) - SUP-171366
Same for me on my home router. Downgraded to beta4 and it seems stable now.
> Those values are correct and the same for me, but there are 3 issues:
> 1) In the case of 5490-5710 I have only a maximal power of 26 dBm with a 2.5 dBi antenna.
> 2) I can not set up, manually or automatically, any of the frequencies beyond 5600 with a 20 MHz channel, beyond 5580 with a 20/40 MHz channel, or beyond 5560 with a 20/40/80 MHz channel. If I try, there is only the message "no available channels".
> 3) And in addition, why is there a 160 MHz channel, but in reality I can not set it up? Everything with wifi-qcomm-ac.
> blingblouw2 you can just enable bandwidth test. ask the user to push the button to confirm. it's a one time operation, you don't have to do it every time.
Is this answer even real, or has your computer been hacked? So you think that ppl will do so for 1000+ potential clients, and more so if the router is e.g. on/under the roof? How on earth does disabling stuff like btest protect just anyone? Are there any documented cases of a feature misuse?
2024-11-14 19:17:03 dns,warning DoH server response not OK: 502: no downstream server available
2024-11-14 23:17:19 dns,error DoH server connection error: remote disconnected while in HTTP exchange
2024-11-15 06:46:36 dns,error DoH server connection error: remote disconnected while in HTTP exchange
2024-11-15 06:57:10 dns,error DoH server connection error: remote disconnected while in HTTP exchange
2024-11-15 07:44:29 dns,error DoH server connection error: remote disconnected while in HTTP exchange
2024-11-15 07:44:29 dns,error DoH server connection error: remote disconnected while in HTTP exchange [ignoring repeated messages]
2024-11-15 08:12:11 dns,error DoH server connection error: remote disconnected while in HTTP exchange
2024-11-15 08:25:39 dns,error DoH server connection error: while reading - Connection reset by peer
2024-11-15 08:39:23 dns,error DoH server connection error: remote disconnected while in HTTP exchange
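The DoH lines above (and the 403 "dns query not allowed" lines reported later in the thread) are easier to reason about once they are split into transport failures and HTTP status replies. The following is an added Python triage script, not something from the thread or from RouterOS; the sample log reuses the lines pasted above plus two constructed 403 lines modelled on the later report, and the "hints" it prints are a heuristic reading labelled as such in the code, not a RouterOS diagnostic. It keeps RouterOS's "[ignoring repeated messages]" marker, counts errors by kind and text, and reports the densest burst within a configurable window.

```python
# Added example, not from the forum or RouterOS: triage of the "dns,warning"
# and "dns,error" DoH lines RouterOS writes. SAMPLE_LOG holds the lines from
# the post above plus two constructed 403 lines modelled on a later report.
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

SAMPLE_LOG = """\
2024-11-14 19:17:03 dns,warning DoH server response not OK: 502: no downstream server available
2024-11-14 23:17:19 dns,error DoH server connection error: remote disconnected while in HTTP exchange
2024-11-15 06:46:36 dns,error DoH server connection error: remote disconnected while in HTTP exchange
2024-11-15 06:57:10 dns,error DoH server connection error: remote disconnected while in HTTP exchange
2024-11-15 07:44:29 dns,error DoH server connection error: remote disconnected while in HTTP exchange
2024-11-15 07:44:29 dns,error DoH server connection error: remote disconnected while in HTTP exchange [ignoring repeated messages]
2024-11-15 08:12:11 dns,error DoH server connection error: remote disconnected while in HTTP exchange
2024-11-15 08:25:39 dns,error DoH server connection error: while reading - Connection reset by peer
2024-11-15 08:39:23 dns,error DoH server connection error: remote disconnected while in HTTP exchange
2024-11-15 09:10:00 dns,warning DoH server response not OK: 403: dns query not allowed
2024-11-15 09:10:00 dns,warning DoH server response not OK: 403: dns query not allowed [ignoring repeated messages]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"(?P<topics>[\w,]+) (?P<msg>.*)$")
REPEAT_SUFFIX = " [ignoring repeated messages]"
HTTP_RE = re.compile(r"DoH server response not OK: (\d{3}): (.*)")
TRANSPORT_RE = re.compile(r"DoH server connection error: (.*)")


class DohEvent(NamedTuple):
    ts: datetime
    severity: str   # "warning" or "error", taken from the log topics
    kind: str       # "http" (server answered with a status) or "transport"
    detail: str     # HTTP status code, or the transport error text
    repeated: bool  # RouterOS collapsed a run of identical messages


def parse_line(line: str) -> Optional[DohEvent]:
    """Return a DohEvent for a DoH-related dns log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    topics = m["topics"].split(",")
    msg = m["msg"]
    if "dns" not in topics or not msg.startswith("DoH server"):
        return None
    repeated = msg.endswith(REPEAT_SUFFIX)
    if repeated:
        msg = msg[:-len(REPEAT_SUFFIX)]
    severity = "error" if "error" in topics else "warning"
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    http = HTTP_RE.match(msg)
    if http:
        return DohEvent(ts, severity, "http", http.group(1), repeated)
    transport = TRANSPORT_RE.match(msg)
    if transport:
        return DohEvent(ts, severity, "transport", transport.group(1), repeated)
    return None


def densest_burst(events: List[DohEvent], window: timedelta) -> int:
    """Largest number of events whose timestamps fall within one window."""
    times = sorted(e.ts for e in events)
    best = 0
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def triage(log_text: str, window: timedelta = timedelta(minutes=30)) -> Dict:
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    summary: Dict = {
        "total": len(events),
        "by_kind": dict(Counter(e.kind for e in events)),
        "by_detail": dict(Counter(e.detail for e in events)),
        "repeated": sum(1 for e in events if e.repeated),
        "max_in_window": densest_burst(events, window),
        "hints": [],
    }
    # Heuristic reading (an assumption, not a RouterOS diagnostic): a 403 means
    # the server answered and refused, pointing at the URL/host presented rather
    # than the network path; transport errors alone point at the path upstream.
    if "403" in summary["by_detail"]:
        summary["hints"].append("upstream refused queries (403): check the DoH "
                                "URL and the static entries that resolve it")
    if summary["by_kind"].get("transport", 0) > summary["by_kind"].get("http", 0):
        summary["hints"].append("mostly transport errors: check the path to the "
                                "upstream before changing DNS settings")
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, `triage()` reports 11 events, 8 transport failures against 3 HTTP status replies, two collapsed repeats, and at most 3 errors inside any 30-minute window, which reads as intermittent upstream disconnects rather than a sustained outage.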
> Is this answer even real, or has your computer been hacked? So you think that ppl will do so for 1000+ potential clients, and more so if the router is e.g. on/under the roof? How on earth does disabling stuff like btest protect just anyone? Are there any documented cases of a feature misuse?
> blingblouw2 you can just enable bandwidth test. ask the user to push the button to confirm. it's a one time operation, you don't have to do it every time.
Exactly - I think that all this fuss related to the (previously mentioned) OVHcloud blog post is probably related to traffic-gen and not the bandwidth-test feature. Bandwidth test can generate actual traffic only after establishing a session with another MikroTik device.
> Is quad9 DoH ever going to work properly on Mikrotik ?
Can't reproduce this behavior.
> How on earth does disabling stuff like btest protect just anyone? Are there any documented cases of a feature misuse?
no need to get aggressive. yes, of course there are documented cases of misuse, even in this forum there are people who are asking why they have unrecognized accounts and unrecognized scripts in their devices, that are calling traffic generator, configuring proxy etc. even forum users make mistakes and let in people they did not intend to let in.
> even in this forum there are people who are asking why they have unrecognized accounts and unrecognized scripts in their devices, that are calling traffic generator, configuring proxy etc. even forum users make mistakes and let in people they did not intend to let in.
I still wonder how many of the large number of users who have a not-optimal configuration are actually upgrading RouterOS, given the fact that this does not occur automatically. They may "forever" remain on <7.17 and only new buyers who get 7.17 from the factory get the improved safety.
> Can't reproduce this behavior.
> Is quad9 DoH ever going to work properly on Mikrotik ?
I would like to blame my ISP, but this doesn't happen on Cloudflared, or not very often anyway!
Can you share your /ip dns export?
/ip/dns/export
# 2024-11-15 12:12:26 by RouterOS 7.17beta5
# software id = FA8N-TIE6
#
# model = C52iG-5HaxD2HaxD
# serial number =
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=250000KiB doh-max-concurrent-queries=200 doh-max-server-connections=2 \
doh-timeout=4s max-concurrent-queries=200 max-concurrent-tcp-sessions=40 use-doh-server=https://dns.quad9.net/dns-query \
verify-doh-cert=yes
/ip dns adlist
add url=https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/pro.txt
/ip dns static
add address=192.168.0.254 comment=defconf name=router.lan type=A
add address=9.9.9.9 name=dns.quad9.net type=A
add address=149.112.112.112 name=dns.quad9.net type=A
add address=1.1.1.1 disabled=yes name=cloudflare-dns.com type=A
add address=1.0.0.1 disabled=yes name=cloudflare-dns.com type=A
[@MikroTik] > /ip/dns/static print
Flags: X - DISABLED
Columns: NAME, TYPE, ADDRESS, TTL
# NAME TYPE ADDRESS TTL
;;; defconf
0 router.lan A 192.168.0.254 1d
1 dns.quad9.net A 9.9.9.9 1d
2 dns.quad9.net A 149.112.112.112 1d
3 X cloudflare-dns.com A 1.1.1.1 1d
4 X cloudflare-dns.com A 1.0.0.1 1d
> no need to get aggressive. yes, of course there are documented cases of misuse, even in this forum there are people who are asking why they have unrecognized accounts and unrecognized scripts in their devices, that are calling traffic generator, configuring proxy etc. even forum users make mistakes and let in people they did not intend to let in.
> How on earth does disabling stuff like btest protect just anyone? Are there any documented cases of a feature misuse?
The reaction is that this will cost customers time and money. It's like y'all are saying we don't care about professional users. Other Linux-based network OSes give customers root access, and can directly install packages without a physical presence to do even worse.
> How does your router know the IP address of dns.quad9.net?
They are set static?
Mostly default settings, no DNS entries in the log so far.
/ip dns
set allow-remote-requests=yes cache-size=409600KiB servers=9.9.9.9 use-doh-server=https://dns.quad9.net/dns-query verify-doh-cert=yes
> Mikrotik seems to want to focus on home users. So this trend is concerning, since disabling features is not the root cause and shows a haphazard approach to security.
It's my opinion that the Tik market is focused on small ISPs, entrepreneurs, SMBs and the home users who are enthusiasts...
> It's my opinion that the Tik market is focused on small ISPs, entrepreneurs, SMBs and the home users who are enthusiasts...
> Mikrotik seems to want to focus on home users. So this trend is concerning, since disabling features is not the root cause and shows a haphazard approach to security.
In those markets you don't assume your customers are idiots, which is what device-mode assumes. And with UBNT or any other new Linux-based network distro used in those markets, folks can install packages. And I cannot imagine many in those categories see value in truck rolls to re-enable remotely doing a bandwidth test.
> I think more would have been gained with a default-enabled auto-upgrade mechanism that can install critical updates, because that helps those people that simply never do any maintenance by themselves. "If it works, don't touch it!". Understandable.
There is no distinction between "critical" and "non-critical" updates, and there's no way to activate this feature (if it would eventually come into existence) on already existing devices. A somewhat "unknown" level of QC would lead to additional maintenance costs when issues caused by new bugs spread like wildfire through automatic updates. It is not viable to do this in the current state of things...
It also would be good when the updater recognizes that the firewall config is a past default, and upgrades it to the current default.
> 2 dns.quad9.net A 149.112.112.112 1d
Where did you find that address? Perhaps your device queries the wrong address?
> Well, yes... But querying DNS, this combination does not exist. So possibly the hosts at 149.112.112.112 are not configured to accept requests for dns.quad9.net? You should disable that static entry, or use a different URL:
> https://9.9.9.9/dns-query
> https://149.112.112.112/dns-query
> Even then I am not sure the latter is intended to work.
I'm more confused than when I started...
> I'm more confused than when I started...
> Well, yes... But querying DNS, this combination does not exist. So possibly the hosts at 149.112.112.112 are not configured to accept requests for dns.quad9.net? You should disable that static entry, or use a different URL:
> https://9.9.9.9/dns-query
> https://149.112.112.112/dns-query
> Even then I am not sure the latter is intended to work.
This argument is flawed because quad9 set with 9.9.9.9 is still doing this.
I get send and rec when using tool/sniffer/quick port=443 ip-address=9.9.9.9,149.112.112.112 from both.
I'll disable the 149 and see what gives!
I'm just used to using pi-hole, i.e. for example:
# Commandline args for cloudflared, using Cloudflare DNS
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query --address 0.0.0.0
> What does "D" mean in Current Channel?
I'd say it means DFS.
> I'd say it means DFS.
> What does "D" mean in Current Channel?
You're right, I hadn't thought of that!
> /ip dns
> set allow-remote-requests=yes cache-max-ttl=1d cache-size=250000KiB doh-max-concurrent-queries=200 doh-max-server-connections=2 \
> doh-timeout=4s max-concurrent-queries=200 max-concurrent-tcp-sessions=40 use-doh-server=https://dns.quad9.net/dns-query \
> verify-doh-cert=yes
All these additional properties may be the cause of your issues. Unset them and leave the defaults. Start from there again.
> Device mode is a direct consequence of exactly this assumption.
> In those markets you don't assume your customers are idiots, which is what device-mode assumes.
You have two different clients. The first is the home or small business user who has one or a few devices, has no idea that there is anything to update on the devices at all, and whose device is dying of obsolescence with the firmware that was on it when it was bought; the other is the professional business user. You have lost, or are slowly losing, the professional users and are stuck in the home segment.
> blingblouw2 you can just enable bandwidth test. ask the user to push the button to confirm. it's a one time operation, you don't have to do it every time.
MikroTik is still sponsoring a team of engineers with snowmobiles and helicopters to push buttons on routers on remote mountaintop sites, right?
> Is quad9 DoH ever going to work properly on Mikrotik ?
Has been running pretty stable for some time (think at least 6 hours), but then all of a sudden:
DoH server connection error: remote disconnected while in HTTP exchange
DoH server response not OK: 403: dns query not allowed
DoH server response not OK: 403: dns query not allowed [ignoring repeated messages]
Have the feeling that it is not MikroTik related.
> Still they insist on the button push confirmation thing.
I wonder what the "conversation" was like, and how important that someone must be to generate such a hard action.
… Sometimes on obscure places (hard, hard to reach physically). Still they insist on the button push confirmation thing.
There must be an alternative approach.
blingblouw2 you can just enable bandwidth test. ask the user to push the button to confirm. it's a one time operation, you don't have to do it every time.
> Device mode is a direct consequence of exactly this assumption.
> In those markets you don't assume your customers are idiots, which is what device-mode assumes.
LOL. Perhaps. But device-mode needs more "sophistication" than just a physical presence test. I've got a similar problem to @sirbryan's, which is why I persist... i.e. there are real costs to a power-reset.
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK
MikroTik RouterOS 7.17beta5 (c) 1999-2024 https://www.mikrotik.com/
Press F1 for help
2024-11-15 14:32:38 system,clock,critical,info ntp change time Nov/15/2024 14:29:41 => Nov/15/2024 14:32:38
2024-11-15 14:32:41 system,error,critical router was rebooted without proper shutdown, probably kernel failure
2024-11-15 14:32:42 system,error,critical kernel failure in previous boot
2024-11-15 14:32:42 system,error,critical out of memory condition was detected
2024-11-16 04:26:33 system,clock,critical,info ntp change time Nov/15/2024 14:37:12 => Nov/16/2024 04:26:33
> blingblouw2 you can just enable bandwidth test. ask the user to push the button to confirm. it's a one time operation, you don't have to do it every time.
It might be worth considering a more differentiated approach. New device mode defaults could be applied only to devices known to have been part of these DDoS botnets. This likely concerns devices that are already accessible, such as those located in data centers.
You always need a target device responding before it does anything.
> no need to get aggressive. yes, of course there are documented cases of misuse, even in this forum there are people who are asking why they have unrecognized accounts and unrecognized scripts in their devices, that are calling traffic generator, configuring proxy etc. even forum users make mistakes and let in people they did not intend to let in.
> How on earth does disabling stuff like btest protect just anyone? Are there any documented cases of a feature misuse?
I don't think I am aggressive at all, maybe assertive, as I am over-sensitive to what I regard as a wrong, not well thought out solution. Normis, it is actually your suggestion of pushing a button that is bold, not reflecting the reality ppl are pointing at.
> It might be worth considering a more differentiated approach. New device mode defaults could be applied only to devices known to have been part of these DDoS botnets. This likely concerns devices that are already accessible, such as those located in data centers.
Devices in the field need to have a mechanism to just keep working the way they are regardless of model. No explanation has been forthcoming about how bricking features on existing devices will significantly reduce the harm caused by improperly administered MTs already in the wild, because no evidence exists that those devices causing the most harm volumetrically will actually be upgraded to any new version MT releases. This change will only impact people actually installing updates.
> Has been running pretty stable for some time (think at least 6 hours), but then all of a sudden:
> DoH server connection error: remote disconnected while in HTTP exchange
> DoH server response not OK: 403: dns query not allowed
> DoH server response not OK: 403: dns query not allowed [ignoring repeated messages]
> Have the feeling that it is not MikroTik related.
> Is quad9 DoH ever going to work properly on Mikrotik ?
Yeah, that's what happens, it's frustrating. But at least I'm not going crazy. Thanks for taking the time to humour me!
> 7.17beta5 seems to brick RB960PGS - I had to do recovery via Netinstall. I even tried to flash 7.17beta5 via Netinstall and unfortunately the same story - device LEDs are off except for blue for PoE and red for PoE-enabled ports, no ping, no visibility in WinBox, simply dead. Haven't tried to reset the config, but if 7.16.1 is running well and 7.17beta4 was okay except for the DHCP issue, I don't see a reason for a reset.
7.17beta5 seems to brick C53UiG+5HPaxD2HPaxD
> 7.17beta5 seems to brick C53UiG+5HPaxD2HPaxD
> 7.17beta5 seems to brick RB960PGS - I had to do recovery via Netinstall. I even tried to flash 7.17beta5 via Netinstall and unfortunately the same story - device LEDs are off except for blue for PoE and red for PoE-enabled ports, no ping, no visibility in WinBox, simply dead. Haven't tried to reset the config, but if 7.16.1 is running well and 7.17beta4 was okay except for the DHCP issue, I don't see a reason for a reset.
Yeah, the same here: no Ethernet, no wifi, no double beep. Reset to defaults and it works. Restore config, bricked again. Reverted back to stable.
Same thing with my ax3. All indicators go out and there is no link on any port and no wifi. I installed the latest beta via netinstall, then chose to restore my backup via winbox and the problem repeated. As a result, I rolled back to the 4th beta version.
> *) webfig - status page is deprecated, old status page config will work, but can't be updated or created;
A previously created webfig status page does NOT work, despite the release note.... I upgraded a wAPacR with a status page showing LTE stuff, running 7.16.1, to 7.17beta5 — no status page is shown.
> *) iot - added additional debug for LoRa logging;
> [...]
> *) iot - added new LoRa traffic FCnt packet counter parameter;
On a positive note :). I have a KNOT with LoRa (+ 3rd party temp sensor) running 7.17beta5, connected to mosquitto and an old erlang lorawan-server container on an RB1100, to run the entire LoRaWAN ecosystem entirely on RouterOS. This has [surprisingly] worked flawlessly in 7.17 (other than the various broken RAID issues I've reported)... while previously in 7.16 with the same setup, the KNOT occasionally seemed to lose LoRa messages over time (which could be a lot of things too). So despite the long list of IOT and LoRa changes in 7.17... those did NOT break anything. And FCnt is pretty useful to check for lost messages. The KNOT is actually one of my test devices for a few months, and it has not had any issue with beta/rc from 7.15+ - why y'all don't hear about that one as much as the wAP and RB1100 ;).
MikroTik is still sponsoring a team of engineers with snowmobiles and helicopters to push buttons on routers on remote mountaintop sites, right?
> many of them have no easy way to cut power (I have made sure that they stay alive however long the power outage might be, some of them even days). The only way is to send someone on a road trip and have devices restarted on Sunday @3am...

and others
> If the system has this flagged status, the current configuration works, but it is not possible to perform the following actions: bandwidth-test, traffic-generator, sniffer.

Why isn't this enough?
There's one other detail in being hacked/locked out as well. Intruder can disable button/jumper reset before changing the password and that can really make device a paperweight for the owner. Therefore flagged status should take care of re-enabling jumper/button reset as well.
> There's one other detail in being hacked/locked out as well. An intruder can disable button/jumper reset before changing the password, and that can really make the device a paperweight for the owner. Therefore flagged status should take care of re-enabling jumper/button reset as well.

What? :-O
> It seems that we have here a "Mikrotik vs Mikrotik users/buyers" situation...

agree 100% !!!
And I agree with other buyers. We DON'T WANT ANY OF THE FUNCTIONALITY TO BE TAKEN AWAY.
I bought Mikrotik routers because I knew I could manage them, no matter where they "live".
Many of them are in hardly accessible places, many have to work 24/7/366, and many of them have no easy way to cut power (I have made sure that they stay alive however long the power outage might be, some of them even days). The only way is to send someone on a road trip and have devices restarted on Sunday @3am... and I DON'T WANT TO DO THAT just because someone at MT thinks that this messing with "device mode" is a good thing.
Of course, I can leave everything at the 7.16 level forever and never upgrade, but that is not really my idea of a properly managed network...
And start looking for something to replace the MTs... it seems that there are plenty of "Chinese" devices with enough gigabit ports, strong enough ARM CPUs and able to run Linux, which I am perfectly capable of administering to achieve my routing needs (but I'd rather not do that, I love everything else about Mikrotik except for this "device mode" nonsense).
</rant>
> Hi,
> I'm working for an ISP and we use a lot of Mikrotik devices on customer sites. BTest is a very important feature for us for validating and supporting. Please don't disable it in advanced mode. I can understand that you want to make a product for home users with some security, but in this case please create a different brand than Mikrotik for home users. Disabling things like btest just gives us more difficulties in doing our work. We don't need that.
> Regards,
> Jerome.

On the flip side of the coin, I buy Mikrotik gear to keep ISPs OUT!
> about device-mode - install-any-version.
> how to get that?

https://help.mikrotik.com/docs/spaces/R ... evice-mode
> > Hi,
> > I'm working for an ISP and we use a lot of Mikrotik devices on customer sites. BTest is a very important feature for us for validating and supporting. Please don't disable it in advanced mode. I can understand that you want to make a product for home users with some security, but in this case please create a different brand than Mikrotik for home users. Disabling things like btest just gives us more difficulties in doing our work. We don't need that.
> > Regards,
> > Jerome.
>
> On the flip side of the coin, I buy Mikrotik gear to keep ISPs OUT!

lol
> On the flip side of the coin, I buy Mikrotik gear to keep ISPs OUT!

Strange world we live in.
I wish half my customers were proficient enough to plug in their own network cables.
> Hi,
> I'm working for an ISP and we use a lot of Mikrotik devices on customer sites. BTest is a very important feature for us for validating and supporting. Please don't disable it in advanced mode. I can understand that you want to make a product for home users with some security, but in this case please create a different brand than Mikrotik for home users. Disabling things like btest just gives us more difficulties in doing our work. We don't need that.

Btest is not likely to be abused when the device is compromised, because it needs another endpoint to connect to. Traffic-gen should be the one to be disabled...
I just had to revert another device from 7.17beta4 to 7.16.1 owing to these DHCP changes. This latest beta utterly wrecked an existing configuration:
> when compromised at least one device on at least 2 different networks (meaning 2+ devices), you can establish a btest between these devices.

If we redteam all possible scenarios of misuse, then mikrotik will have to rename, and become air-gapped-tik
> when compromised at least one device on at least 2 different networks (meaning 2+ devices), you can establish a btest between these devices.

Ain't we grasping at straws here? I mean, it's true - but you are still limited to the processing capabilities of the (supposedly) compromised Mikrotik at the attacked network. Really, really niche - and quite convoluted.
> > Hi,
> > I'm working for an ISP and we use a lot of Mikrotik devices on customer sites. BTest is a very important feature for us for validating and supporting. Please don't disable it in advanced mode. I can understand that you want to make a product for home users with some security, but in this case please create a different brand than Mikrotik for home users. Disabling things like btest just gives us more difficulties in doing our work. We don't need that.
> > Regards,
> > Jerome.
>
> Btest is not likely to be abused when the device is compromised, because it needs another endpoint to connect to. Traffic-gen should be the one to be disabled...

Functions shouldn't be disabled in this way. A worldwide open DNS/NTP server is more dangerous than btest or trafficgen! Should MTik disable these functions too? I think not.
> but once I had left an innocent router with a publicly accessible DNS server, and it was actively used in an amplification attack, but I realized my mistake and fixed it fast.

In that case, we should definitely hide this dangerous functionality behind device-mode
> > but once I had left an innocent router with a publicly accessible DNS server, and it was actively used in an amplification attack, but I realized my mistake and fixed it fast.
>
> In that case, we should definitely hide this dangerous functionality behind device-mode

DNS was just an example. It is a basic functionality of the internet. In the HTTPS/TLS world NTP is too. You can't just simply disable them without harm.
/s
or maybe fix DNS VRF-support, still broken in 7.17
or maybe still, bind to interface-list, so we can direct the local DNS server to listen only on selected interfaces
> the user himself takes measures to protect his device.

In a perfect world, yes. In the real world, unfortunately not in every single case.
> Will it change anything that is already set? For example install-any-version

It didn't unchange mine!
system/device-mode/print
mode: advanced
flagged: no
flagging-enabled: yes
scheduler: yes
socks: yes
fetch: yes
pptp: yes
l2tp: yes
bandwidth-test: yes
traffic-gen: no
sniffer: yes
ipsec: yes
romon: yes
proxy: yes
hotspot: yes
smb: yes
email: yes
zerotier: yes
container: no
install-any-version: yes
partitions: no
routerboard: no
attempt-count: 0
/interface ovpn-server server
add mac-address=FE:C6:E8:ED:5F:C3 name=ovpn-server1
> i think a more granular approach, such as was done with /partitions (only block repartition action) would discourage people enabling /routerboot for 99% of the use-cases
> allow change cpu-speed from "auto" up to the datasheet max
> allow change to boot-delay, boot-device (specifically between "nand-then-ethernet", "flashboot-once-then-nand" and "try-ethernet-once")
> allow re-enabling "reset-button", but not disabling it
> allow toggle silent-boot
> allow toggle auto-upgrade

I agree granular control here would be nice and the optimal solution, but then again for any units in the field, you can set these options before upgrading to a version where it gets locked down (also currently you can downgrade to v7.13+ where things aren't as locked down, so you can make changes if you make mistakes).
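The advice above, to check and set device-mode before pushing an upgrade to a unit nobody can reach, is easy to automate from the output the CLI already gives. The following is an added example, not code from this thread or from MikroTik: a Python pre-flight check that parses `/system/device-mode/print` text (the sample follows the key names in the output posted earlier in the thread) and compares it against a site policy. The policy values (which features must stay `yes` or `no`) are an assumption for illustration; the only documented semantics used are the quoted note that `bandwidth-test`, `traffic-gen` and `sniffer` are blocked while the device is flagged.

```python
# Added example, not code from the thread or from MikroTik: pre-upgrade check of
# "/system/device-mode/print" output against a site policy, so that a feature
# lock is noticed before a version that enforces it lands on an unreachable box.
import re
from dataclasses import dataclass

# Constructed sample; key names follow the print output posted in the thread.
SAMPLE_DEVICE_MODE = """\
mode: advanced
flagged: no
flagging-enabled: yes
scheduler: yes
socks: yes
fetch: yes
pptp: yes
l2tp: yes
bandwidth-test: yes
traffic-gen: no
sniffer: yes
ipsec: yes
romon: yes
proxy: yes
hotspot: yes
smb: yes
email: yes
zerotier: yes
container: no
install-any-version: yes
partitions: no
routerboard: no
attempt-count: 0
"""

# Actions the documentation quoted in the thread says are blocked while "flagged: yes".
BLOCKED_WHEN_FLAGGED = ("bandwidth-test", "traffic-gen", "sniffer")


def parse_device_mode(text: str) -> dict:
    """Map 'key: value' lines to a dict; yes/no become bool, digits become int."""
    state = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([a-z0-9-]+):\s*(.*?)\s*$", line)
        if not m:
            continue  # prompt echo, blank line, anything that is not key: value
        key, val = m.groups()
        if val in ("yes", "no"):
            state[key] = val == "yes"
        elif val.isdigit():
            state[key] = int(val)
        else:
            state[key] = val
    return state


def _show(value) -> str:
    """Render a parsed value the way the CLI prints it."""
    if value is True:
        return "yes"
    if value is False:
        return "no"
    return "absent" if value is None else str(value)


@dataclass(frozen=True)
class Policy:
    """What a remote site needs from device-mode (assumed values, for illustration)."""
    must_be_enabled: frozenset
    must_be_disabled: frozenset


# Assumption: field devices must keep downgrade and btest, and never need
# traffic-gen or container. Adjust to the site's actual requirements.
REMOTE_SITE_POLICY = Policy(
    must_be_enabled=frozenset({"install-any-version", "bandwidth-test"}),
    must_be_disabled=frozenset({"traffic-gen", "container"}),
)


def check_device_mode(text: str, policy: Policy) -> list:
    """Return findings as strings; an empty list means the device matches the policy."""
    state = parse_device_mode(text)
    if "mode" not in state:
        return ["could not find 'mode:' in the output; is this device-mode print?"]
    findings = []
    if state.get("flagged") is True:
        findings.append(
            "device is flagged; " + ", ".join(BLOCKED_WHEN_FLAGGED)
            + " are blocked until the flag is cleared"
        )
    for feat in sorted(policy.must_be_enabled):
        if state.get(feat) is not True:
            findings.append(f"{feat} is {_show(state.get(feat))}; policy needs yes")
    for feat in sorted(policy.must_be_disabled):
        if state.get(feat) is not False:
            findings.append(f"{feat} is {_show(state.get(feat))}; policy needs no")
    return findings


if __name__ == "__main__":
    for finding in check_device_mode(SAMPLE_DEVICE_MODE, REMOTE_SITE_POLICY) or ["ok"]:
        print(finding)
```

Feed it the text captured over SSH from each device before the upgrade job runs; any non-empty result is a device that needs its mode changed (with the physical confirmation that requires) while someone is still able to reach it.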
> the thing is, putting the useful and inoffensive stuff (such as cpu-frequency, without overclock) behind the same security-group as some other "more dangerous" settings (boot to ethernet-only, disable reset)
> will incentivize people to "unblock" this, defeating the purpose of the setting

It's a numbers game. I cannot believe more than ~<5% of users change the CPU/etc settings. And even among that ~<5%, some either might re-enable it and/or know something about a firewall (esp. if one is modding the CPU on a router)...
> How do I configure new forwarders in my DNS server settings?

Please check the documentation:
> P.S: we have listened to the community and have walked back the device mode defaults. Btest is now allowed on the advanced mode template, which is the same template that will be used after upgrade from previous versions if you did not change it manually. Also, to those who missed the previous betas, downgrade is also allowed to certain versions.

Very good! Thank you very much. :) +1
> P.S: we have listened to the community and have walked back the device mode defaults. Btest is now allowed on the advanced mode template, which is the same template that will be used after upgrade from previous versions if you did not change it manually. Also, to those who missed the previous betas, downgrade is also allowed to certain versions.

Well, I'd still prefer the earlier "full access", but it seems that I'll have to live with this... Downgrade and BW-test is the minimum that I want always enabled. I don't use the other disabled things, so I'm fine, but I still see no point in disabling things in already deployed equipment.
> > How do I configure new forwarders in my DNS server settings?
>
> Please check the documentation:

Direct link to section: https://help.mikrotik.com/docs/spaces/R ... terOS7.17)
https://help.mikrotik.com/docs/spaces/R ... 748767/DNS
> P.S: we have listened to the community and have walked back the device mode defaults. Btest is now allowed on the advanced mode template, which is the same template that will be used after upgrade from previous versions if you did not change it manually. Also, to those who missed the previous betas, downgrade is also allowed to certain versions.

I have a question regarding the lockdown of the routerboard part, as you often need to update the bootloader and set auto-upgrade. This is now locked!!!
> There is a DHCP bug in 7.17beta6 (and all earlier versions tested):
> If you create a radius-backed DHCP server and pass Framed-Route = 10.44.44.4/31, then when the DHCP lease is created the router correctly adds the route:
>
> /ip route/print where dst-address=10.44.44.4/31
> Flags: D - DYNAMIC; A - ACTIVE; d - DHCP
> Columns: DST-ADDRESS, GATEWAY, DISTANCE
> DST-ADDRESS GATEWAY DISTANCE
> DAd 10.44.44.4/31 10.44.44.100 1
>
> However, the route is never again removed until reboot. I can disable the DHCP server or let the lease expire but the route remains, and because it's dynamic, there is no way to remove it.
> This is unusable, I need routes to be cleaned up, otherwise I can't assign them in radius.

I reported the same problem to Mikrotik after they initially added Framed-Route support for DHCP early in the RouterOS v6 lifecycle. It was resolved and we were using this in production for almost 10 years.
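Until the leftover-route behaviour is fixed, the leftover routes can at least be detected from the outside. The following is an added example, not code from this thread or from MikroTik: it parses the text of `/ip route print` (using the `d - DHCP` flag shown in the report) and `/ip dhcp-server lease print`, and lists DHCP routes whose gateway no longer has a bound lease. Both sample outputs are constructed; the lease sample is trimmed to fewer columns than the real command prints, which the row parser tolerates. The assumption, consistent with the report above, is that a Framed-Route is installed with the client's leased address as its gateway.

```python
# Added example, not code from the thread or from MikroTik: find dynamic DHCP
# routes (the "d" flag in "/ip route print") whose gateway no longer belongs to a
# bound lease, i.e. the leftover Framed-Route routes described in the report.
# It works on the text the CLI prints, so it can run from a monitoring host.
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CIDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")
LEASE_STATUS = {"bound", "waiting", "offered", "busy"}

# Constructed sample in the shape of "/ip route print"; the first row is the one
# from the report, the others are added for contrast (one healthy DHCP route,
# one static default route that must be ignored).
SAMPLE_ROUTES = """\
Flags: D - DYNAMIC; A - ACTIVE; d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS     GATEWAY        DISTANCE
DAd  10.44.44.4/31   10.44.44.100   1
DAd  10.44.44.6/31   10.44.44.101   1
 As  0.0.0.0/0       192.0.2.1      1
"""

# Constructed sample of "/ip dhcp-server lease print", trimmed to the columns the
# check needs; the "R" flag marks a radius-assigned lease.
SAMPLE_LEASES = """\
Columns: ADDRESS, MAC-ADDRESS, STATUS
    ADDRESS        MAC-ADDRESS        STATUS
 R  10.44.44.101   02:00:00:00:00:01  bound
 R  10.44.44.100   02:00:00:00:00:02  waiting
"""


def parse_routes(text: str) -> list:
    """Return (flags, dst, gateway) for each data row of '/ip route print'."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if CIDR.match(t)), None)
        if idx is None or len(tokens) < idx + 2:
            continue  # legend, column header or blank line
        flags = "".join(tokens[:idx])  # whatever precedes the prefix is the flag column
        rows.append((flags, tokens[idx], tokens[idx + 1]))
    return rows


def bound_lease_addresses(text: str) -> set:
    """Addresses of leases whose status column reads 'bound'."""
    bound = set()
    for line in text.splitlines():
        tokens = line.split()
        addr = next((t for t in tokens if IPV4.match(t)), None)
        status = next((t for t in tokens if t in LEASE_STATUS), None)
        if addr and status == "bound":
            bound.add(addr)
    return bound


def stale_dhcp_routes(route_text: str, lease_text: str) -> list:
    """(dst, gateway) of DHCP-flagged routes whose gateway has no bound lease.

    Assumption (matches the report): a Framed-Route is installed with the
    client's leased address as gateway, so a gateway without a bound lease
    means the lease went away but the route did not.
    """
    bound = bound_lease_addresses(lease_text)
    return [
        (dst, gw)
        for flags, dst, gw in parse_routes(route_text)
        if "d" in flags and gw not in bound
    ]


if __name__ == "__main__":
    for dst, gw in stale_dhcp_routes(SAMPLE_ROUTES, SAMPLE_LEASES):
        print(f"stale: {dst} via {gw} (no bound lease for the gateway)")
```

Run from a monitoring host over SSH, a non-empty result is the signal that a device is carrying routes for clients that are gone, which on a radius-backed server means traffic for a prefix that has been re-assigned may still be sent to the old client's address.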