[WayBack] RB450G and “..could not get answer from dns server” – MikroTik: I do not see a default route. It would be the route with “dst-address=0.0.0.0/0“.
–jeroen
Archive for the ‘MikroTik’ Category
RB450G and “..could not get answer from dns server” – MikroTik
Posted by jpluimers on 2020/07/06
Posted in Internet, MikroTik, Power User, Routers | Leave a Comment »
Route traffic from one port via VPN – MikroTik
Posted by jpluimers on 2019/09/16
For my link archive: [WayBack] Route traffic from one port via VPN – MikroTik
Via [WayBack] networking – Mikrotik route internet traffic from one interface via vpn – Super User
–jeroen
Share this:
Posted in Internet, MikroTik, Power User, Routers | Leave a Comment »
Research list: machine sometimes not visible on LAN
Posted by jpluimers on 2019/04/08
When one of the machine isn’t active for a while it seems to disappear. Even when it’s active some of the machines have intermittent errors pinging it as like every 10-30 seconds one of these ping results appear:
92 bytes from tl-er5120 (192.168.71.1): Redirect Host(New addr: 192.168.71.193) Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 0054 05de 0 0000 40 01 644d 192.168.71.108 192.168.71.193
Sometimes even a simple
Request timeout for icmp_seq 6900
So I need to dig into ICMP “Redirect Host” .
It might be a simple ARP thing like mac mini – Why the different results for ping? Or why is the Time Capsule getting involved? – Ask Different [WayBack] but like usual stuff I bump into is of a more complex kind so I’ve archived at least these:
- ICMP – redirect host (5:1) – MikroTik RouterOS [WayBack]
- Directed ARP and ICMP Redirects « ipSpace.net by @ioshints [WayBack]
- ICMP redirects are ba’ad, mkay? [Google Cache as no WayBack]
- networking – Why do ICMP Redirect Host happen? – Server Fault [WayBack]
–jeroen
Share this:
Posted in Internet, MikroTik, Power User, Routers | Leave a Comment »
Just in case I move away from Mikrotik
Posted by jpluimers on 2018/07/02
Mikrotik has great hardware, great firmware (if you have the right builds), but notoriously bad documentation and a not so great software release and testing process.
So I might consider switching away, so here are some threats that might lead to alternatives:
[WayBack] Router board based on MediaTek MT7620A MIPS processor with 4 LAN port, one PoE capable WAN port, and two mini PCIe slot for 4G LTE module. – Jeroen Wiert Pluimers – Google+
- Jeroen Pluimers on Twitter: “@B1tSmurf I switched to Mikrotik. Great hardware and possibilities. Horrible documentation and software release processes.”
- @B1tSmurf I’ve used to use MikroTik however their braindead GUI and half Cisco-like cli made me switch to pfSense. Much easier and powerful
besides, pfSense is open source software, rock solid with an active community. You can download an iso and install right away. - @jpluimers
then I’d need to find affordable hardware supporting 10g fiber and 24 port 1g CAT6. - @B1tSmurf What price range? :-)
- @jpluimers around CCR1009 and CRS226 prices.
- @B1tSmurf Take a look at the scope7 line from http://landitec.com , a bit more expensive but powerful and flexible.
scope7-7573 or 8759 are the ones you can stuff a 2/4 port SFP+ module into.
- @B1tSmurf I’ve used to use MikroTik however their braindead GUI and half Cisco-like cli made me switch to pfSense. Much easier and powerful
–jeroen
Vincent Parret commented at https://plus.google.com/+JeroenPluimers/posts/UWZiufmkdK1
I use ubnt edgerouters, great bang for buck. My ER Pro-8 has been up for 8 months (no reboots) and hasn’t missed a beat, rock solid ipsec vpn. I looked at microtik, but found the edgerouters slightly easier to configure.
Share this:
Posted in Internet, MikroTik, Power User, Routers | Leave a Comment »
Urgent security advisory – MikroTik – upgrade to 6.41.3 if you can change your bridge implementation, ensure SMB and WWW are not WAN accessible
Posted by jpluimers on 2018/03/31
I both understand the [WayBack] Urgent security advisory – MikroTik and the users reluctant to upgrade: Mikrotik has a history of updates breaking existing behaviour and underdocumenting features and release notes.
The attack is over the www or www-ssl services which by default run on port 80 and 443. You can see on which networks they are bound using this example from the terminal:
> ip service print where name=www
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 www 80 192.168.71.0/24
192.168.171.0/24
192.168.124.0/24
> ip service print where name=www-ssl
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 www-ssl 443 192.168.71.0/24
192.168.171.0/24
192.168.124.0/24
Note that if your device was infected, not all upgrades will remove the infection on all machines (even though it is mentioned in the FAQ below!). This is one of the “underdocumenting” aspects I mentioned.
There is no way to officially check if your device is infected. If you suspect it is and cannot upgrade to 6.41.3 or more recent, then you need to use [WayBack] Manual:Netinstall – MikroTik Wiki to wipe clean your router and re-install.
Be careful which version you upgrade to:
- 6.41.x and up in the [WayBack] MikroTik – ChangeLog – Current Release Tree need a careful upgrade process have a new bridge implementation (see [WayBack] v6.41 [current] – MikroTik: This update will convert all interface “master-port” configuration into new bridge configuration, and eliminate “master-port” option as such.)
- 6.40.x in the [WayBack] MikroTik – ChangeLog – BugFix Release Tree likely still suffers from the SMB vulnerability (search for “improved NetBIOS name handling and stability” “6.41.3”)
Somewhere in the middle of page 2 of the above post [WayBack], this is slightly addressed:
1) Upgrade to 6.38.5 fixes the botnet scanner and removes it.
2) Upgrade to 6.41.3 fixes SMB vulnerability.
Later this morning further below on page 2 of the above post [WayBack] it was elaborated more:
I recommend that you re-read all the posts from “normis”. Seems that we are going into circles.
1) Winbox port is used only to find out that this is RouterOS powered device (Winbox is not affected by vulnerabilities that we know of);
2) WWW service (“/ip service”) is used in order to “hack” your router if Firewall did not drop connections to this port (affected service was Webfig which by default is running on port 80, but you can change port under “/ip service” menu and then this other port must be protected). For example, “/ip firewall filter add chain=input action=drop in-interface=WAN connection-state=new”;
3) Issue with SMB is completely another thing but the same rules apply. If device (in this case SMB port) is protected by firewall, then no one can use this issue in order to mess up with your router. Usually attacks come to your router from public Internet (not from LAN) and in normal situation SMB access is not open for public Internet;
4) There is not and will not be an official way to gain access to routers shell.You will be safe from both of these issues if you upgrade your routers (6.38.5 for WWW issue and 6.41.3 for SMB). In order to upgrade many devices at the same time – you can use MikroTik tool called The Dude or use scripts.
From the above post, at least read the FAQ:
FAQ:
What is affected?
– Webfig with standard port 80 and no firewall rules
– Winbox has nothing to do with the vulnerability, Winbox port is only used by the scanners to identify MikroTik brand devices. Then it proceeds to exploit WEBFIG through port 80.Am I safe?
– If you upgraded your router in the last ~12 months, you are safe
– If you had “ip service” “www” disabled: you are safe
– If you had firewall configured for port “80”: you are safe
– If you only had Hotspot in your LAN, but Webfig was not available: you are safe.
– If you only had User Manager in your LAN, but Webfig was not available: you are safe.
– If you had other Winbox port before this: you are safe from the scan, but not from the infection.
– If you had “winbox” disabled, you are safe from the scan, not from the infection.– If you had “ip service” “allowed-from” set to specific network: you are safe if that network was not infected.
– If you had “Webfig” visible to LAN network, you could be infected by an infected device in your LAN.How to detect and cure?
– Upgrading to v6.38.5 or newer will remove the bad files, stop the infection and prevent anything similar in the future.
– If you upgrade device and you still see attempts to access Telnet from your network – run Tool/Torch and find out a source of the traffic. It will not be router itself, but another device in local network which also is affected and requires an upgrade.
–jeroen
Share this:
Posted in Internet, MikroTik, Power User, Routers, Security | Leave a Comment »
