Thanks Ants
May 21, 2004

#essereFerrari


I don't think you can be totally safe if you expose management interfaces to the web. Either manage your devices in a way where they connect out to a central location, or via VPN etc.


Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer
We have explicitly permitted management IPs, which is really the standard for most networking gear in my experience. If that isn't good enough here, well I'll be probably 90% Mikrotik free by early next year.

redeyes
Sep 14, 2002

by Fluffdaddy
I'm also losing confidence in their stuff. In the past it was kind of worth it for the cost savings but things have changed.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

redeyes posted:

I'm also losing confidence in their stuff. In the past it was kind of worth it for the cost savings but things have changed.

Basically everyone who makes internet facing networking gear is getting the poo poo hammered out of them now. Mikrotik is just the latest round of casualties. Cisco had some amazing as gently caress vulnerabilities a while back, and new ones keep getting discovered.

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer

Methylethylaldehyde posted:

Basically everyone who makes internet facing networking gear is getting the poo poo hammered out of them now. Mikrotik is just the latest round of casualties. Cisco had some amazing as gently caress vulnerabilities a while back, and new ones keep getting discovered.

I am not aware of any recent Cisco vulnerabilities that allowed an attacker complete access to their devices with no authentication necessary.

Having worked with both types of gear for years I trust Cisco significantly more when it comes to this stuff.

im depressed lol
Mar 12, 2013

cunts are still running the show.

redeyes posted:

I'm also losing confidence in their stuff. In the past it was kind of worth it for the cost savings but things have changed.

i've been following this thread hawkishly and can at least appreciate MikroTik for being one of the few router manufacturers to patch quickly, promptly, in an easy and transparent manner. i don't have any illusions about the router being bullet-proof and recognize any actor with enough motivation will ruin you regardless of defenses.

for reference my previous home router experiences were all cheapie blue/black boxes that required you to download firmware from a site and upload it to the router. and i'm sure many years ago, before https was ubiquitous, i downloaded router firmware in an absurd, insecure manner. not that doing this via https is some fool-proof, secure method either, but this was before i was even aware of crap like firesheep in the late 00s.

im depressed lol
Mar 12, 2013

cunts are still running the show.

Pendent posted:

I am not aware of any recent Cisco vulnerabilities that allowed an attacker complete access to their devices with no authentication necessary.

Having worked with both types of gear for years I trust Cisco significantly more when it comes to this stuff.

I just listen to the Security Now! podcast as background noise, but I remembered a tidbit regarding this. Sorry for the whole wall of text, but I'm not a genius (to put it lightly) when it comes to this stuff and wouldn't want to miss anything relevant.

https://www.grc.com/sn/sn-667.htm
June 12th, 2018

quote:

Steve: So what the heck has been going on at Cisco? Throughout this year Cisco has been performing some internal code auditing for which they should be encouraged and congratulated. And I've been watching these reports, and I haven't said anything because it's like, okay, I mean, I've been a little - I've wondered why Cisco keeps finding backdoors in their own products. That's a little worrisome. But it's not the end of the world. I mean, while it's disturbing that for some reason they're finding backdoors buried in their own products, at least they have the maturity and the foresight to be looking at their own code and not just assuming it's all fine.
And this actually was triggered, I think, by an earlier discovery by an outside party of a worrisome backdoor. And we did talk about that even further back. But now an external security researcher, Aaron Blair of RIoT, I got a kick out of that, RIoT as in R-I-O-T Solutions. He was researching a vulnerability in some Cisco software, their Wide Area Application Services, WAAS. And he leveraged a vulnerability that gave him access to the underlying file system on the platform he was using, which not even a normal device admin would get. With Cisco you could log in with extra, like, root administrative privileges, but that gives you more commands. You don't get underneath the OS in order to see the actual file system.

Well, this vulnerability allowed Aaron to do just that. And what he discovered was another previously unknown hardcoded backdoor, which he responsibly reported to Cisco, and they are fixing or have fixed. There's now an update for this Wide Area Application Services software. So that's good. And it even wasn't a really bad problem. In all of these networking devices there's a service called SNMP, Simple Network Management Protocol, which is a - I think it runs over port 161, if I recall. I use it a lot. Anytime you are monitoring, like, traffic on a remote device, you're sending SNMP, typically UDP packets, querying for specific counters to be told to you.

And they have a bizarre protocol. It's like there's a unified - they're called MIBs, M-I-B, which are sort of a dictionary of dotted numerical tree. So it's like 1.3.7.4.16.2., it's like that. And at each dot is a multiway branch through this tree. And after about 20 of these dots, you finally get down to a leaf node where is a counter, which is like bytes in or bytes out or packets in or firewall firings of this packet or whatever. So it is cool because it allows - it's a standardized mechanism for allowing remote over-the-network monitoring of devices.

Now, write access is significantly more dangerous because it's possible also to configure devices over SNMP, if you have write access. For example, that tree, benign as it is, allows you to do things like add and remove filters and rules and NAT mappings and so forth. So it can be powerful. Still, nobody who's concerned about security wants somebody remotely, without authorization, to access the entire SNMP statistics tree of any of these devices where this WAAS software is. And who knows what other devices may also have this secret. So the big problem is here is like the fourth in just a few months of discovered hardcoded backdoors in the devices of a major, like the major - I mean, there's a lot of competition now, but used to be Cisco was it - Internet big iron hardware manufacturer with routers and switches and so forth.

And so, if you step back, you just sort of have to say, as I did at the top of this, what the heck has been going on at Cisco? I don't want to do the conspiracy theory thing; but of course in the post-Snowden era, where we have seen clear evidence of prior involvement by the NSA, their fingers seem to be in these things, and the idea that employees could be implanted in corporations or turned once they're there or believe that they are supporting U.S. domestic security by just putting a cute little backdoor into something. The problem is, as we know, a backdoor of this nature can be used by anybody who knows about it.

And so here's Aaron discovering this because he gets access to the file system through a vulnerability, which he then reported responsibly to Cisco. But then he also had to say, oh, and by the way, I found an undocumented backdoor in your SNMP service which you might want to look at, too. So of course it begs several questions. Why are there backdoors that it sounds like even Cisco themselves do not officially know about? How long have they been there? Why are they there? And which other ones are there that aren't known? And this clearly got onto Cisco management radar somewhere because it had to have come, apparently it came as a surprise to them, too. And so they started performing an internal code audit of their own code to figure out, okay, we can't deny the truth any longer, that somebody has been putting code in our own products. So, yikes.

Edit: VVV yeah I obviously don't know poo poo about poo poo (not sarcastic; recognition of ignorance), but it would have been interesting if this slipped under your radar due to cisco marketing.

im depressed lol fucked around with this message at 21:09 on Oct 3, 2018
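The podcast excerpt quoted above describes SNMP as a dotted OID tree where read access exposes counters and write access can reconfigure the device. The following is an added example, not code from the thread, the podcast, or any vendor: it models the view-based access check an SNMP agent applies to a request (source ACL, read-only versus read-write community, and which OID subtrees each may touch). The community names, addresses and policy are constructed; the OID prefixes under 1.3.6.1.2.1 (mib-2, system, interfaces) are standard values. One detail worth noting is that subtree membership is decided on numeric components, not on a string prefix, so 1.3.6.1.2.1.20 is correctly not treated as part of 1.3.6.1.2.1.2.

```python
"""Model SNMP view-based access control: decide whether a request from a
given source may GET or SET an OID. Added illustration, not vendor code."""
import ipaddress

# Standard mib-2 OID prefixes (RFC 1213); not values taken from the thread.
MIB2 = "1.3.6.1.2.1"
SYSTEM = "1.3.6.1.2.1.1"        # sysName, sysDescr, ...
INTERFACES = "1.3.6.1.2.1.2"    # ifTable: the per-interface counters


def oid_parts(oid):
    """Split a dotted OID into a tuple of integers."""
    return tuple(int(x) for x in oid.strip(".").split("."))


def oid_in_subtree(oid, subtree):
    """True when oid is the subtree node itself or any descendant of it.
    Comparing integer components avoids the string-prefix mistake where
    '1.3.6.1.2.1.20' would look like it belongs under '1.3.6.1.2.1.2'."""
    o, s = oid_parts(oid), oid_parts(subtree)
    return o[:len(s)] == s


class Community:
    """One community string with its source ACL and OID views.
    'write' controls whether SET is allowed at all; each view lists the
    subtrees the community may reach for that operation."""

    def __init__(self, name, sources, read_view, write=False, write_view=()):
        self.name = name
        self.sources = [ipaddress.ip_network(s) for s in sources]
        self.read_view = tuple(read_view)
        self.write = write
        self.write_view = tuple(write_view)


def check_request(communities, name, source_ip, op, oid):
    """Return 'allow' or a denial reason for a GET/SET on oid from source_ip."""
    comm = communities.get(name)
    if comm is None:
        return "deny: unknown community"
    src = ipaddress.ip_address(source_ip)
    if not any(src in net for net in comm.sources):
        return "deny: source not in community ACL"
    if op == "GET":
        view = comm.read_view
    elif op == "SET":
        if not comm.write:
            return "deny: community is read-only"
        view = comm.write_view
    else:
        return f"deny: unsupported operation {op}"
    if not any(oid_in_subtree(oid, sub) for sub in view):
        return "deny: OID outside permitted view"
    return "allow"


# Constructed policy (assumption for this example): a monitoring community
# that may only read interface counters and system info from the NMS subnet,
# and a management community that may write, but only from one host and only
# within mib-2.
POLICY = {
    "monitor": Community("monitor", ["10.0.5.0/24"],
                         read_view=[INTERFACES, SYSTEM]),
    "mgmt": Community("mgmt", ["10.0.5.10/32"], read_view=[MIB2],
                      write=True, write_view=[MIB2]),
}

if __name__ == "__main__":
    # ifInOctets.1 read by the NMS: allowed
    print(check_request(POLICY, "monitor", "10.0.5.20", "GET",
                        "1.3.6.1.2.1.2.2.1.10.1"))
    # the same community trying to SET ifAdminStatus.1: read-only, denied
    print(check_request(POLICY, "monitor", "10.0.5.20", "SET",
                        "1.3.6.1.2.1.2.2.1.7.1"))
```

The check is deliberately layered in the order an agent would apply it: unknown community, then source ACL, then operation, then view. Each layer is an independent reason to deny, which is why restricting the source and keeping monitoring communities read-only both matter even when the other is in place.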

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer

im depressed lol posted:

I just listen to the Security Now! podcast as background noise, but I remembered a tidbit regarding this. Sorry for the whole wall of text, but I'm not a genius (to put it lightly) when it comes to this stuff and wouldn't want to miss anything relevant.

https://www.grc.com/sn/sn-667.htm
June 12th, 2018

I have a lot less to say about their software offerings like WAAS aside from to say that I agree it's a lot less good than their core products. I'm referring to their mainline routing and switching gear though, stuff like Nexus series switches or ASRs. There are vulnerabilities to be sure but I haven't seen anything as egregious as this Winbox vuln from them in a long time.

EssOEss
Oct 23, 2006
128-bit approved

Pendent posted:

I am not aware of any recent Cisco vulnerabilities that allowed an attacker complete access to their devices with no authentication necessary.

Having worked with both types of gear for years I trust Cisco significantly more when it comes to this stuff.

I guess having a hardcoded root password or two does not count as no authentication, in a way.

These were not specifically routers but there is no reason to believe their router department is any different.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Pendent posted:

I have a lot less to say about their software offerings like WAAS aside from to say that I agree it's a lot less good than their core products. I'm referring to their mainline routing and switching gear though, stuff like Nexus series switches or ASRs. There are vulnerabilities to be sure but I haven't seen anything as egregious as this Winbox vuln from them in a long time.

Not nearly as transparently loving bad, but there is a lot of sketchy poo poo in Cisco's various product offerings, though you're right, their core routing gear doesn't seem to have anything really bad in recent memory. All the fancy enterprise grade management services that touch them though? Those seem to have a good deal more fun CVEs released.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
Lock down your ACLs. Hopefully there isn't an exploit that goes around the ACLs... :\

/ip service
set telnet address=192.168.1.0/24 disabled=yes
set ftp address=192.168.1.0/24 disabled=yes
set www address=192.168.1.0/24 disabled=yes
set ssh address=192.168.1.0/24
set www-ssl address=192.168.1.0/24
set api address=192.168.1.0/24 disabled=yes
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24 disabled=yes

This locks out everything but my internal LAN's NAT of 192.168.1.0/24 from hitting my home Mikrotik on SSH or Winbox. Fun fact: via the GUI on Winbox it says www-ssl is disabled but from the export above it doesn't. Maybe disabled=yes is default for JUST that one specific entry.

I could add some more WAN IP blocks if I want to have access to my Mikrotik from outside/WAN/somewhere else.
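The export above restricts each management service to the LAN and disables the plaintext ones. As an added example (not code from the thread or from MikroTik), here is a small audit script that reads a `/ip service` export and flags any enabled service that is reachable from outside a trusted network or that speaks a plaintext protocol. It models a detail jeeves ran into: a plain `/export` omits parameters still at their factory value, so a service with no `disabled=` line has to be judged against a table of defaults. That table is this example's assumption (www-ssl ships disabled because it needs a certificate, the others ship enabled); confirm it against `/ip service print` or `/export verbose` on your own unit. The first sample input is the export from the post; the second is a constructed export with nothing restricted.

```python
"""Audit a RouterOS '/ip service' export for management-plane exposure.
Added illustration; not MikroTik code."""
import ipaddress
import re

# Assumed factory defaults for the 'disabled' flag. '/export' omits values
# equal to the default, so a missing 'disabled=' must be read from this table.
DEFAULT_DISABLED = {
    "telnet": False, "ftp": False, "www": False, "ssh": False,
    "www-ssl": True, "api": False, "winbox": False, "api-ssl": False,
}
# Services that carry credentials in the clear.
PLAINTEXT = {"telnet", "ftp", "www", "api"}

_SET_RE = re.compile(r"^\s*set\s+(\S+)\s*(.*)$")


def parse_ip_service(export_text):
    """Return {name: {"disabled": bool, "address": [ip_network, ...]}}."""
    services = {name: {"disabled": DEFAULT_DISABLED[name], "address": []}
                for name in DEFAULT_DISABLED}
    in_block = False
    for line in export_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("/"):          # a new menu path starts a block
            in_block = stripped == "/ip service"
            continue
        m = _SET_RE.match(line)
        if not (in_block and m):
            continue
        name, rest = m.group(1), m.group(2)
        if name not in services:
            continue                          # unknown names are not guessed at
        for key, value in re.findall(r"(\S+?)=(\S+)", rest):
            if key == "disabled":
                services[name]["disabled"] = (value == "yes")
            elif key == "address":
                services[name]["address"] = [
                    ipaddress.ip_network(a, strict=False) for a in value.split(",")]
    return services


def audit(export_text, trusted):
    """Return sorted (service, finding) pairs for enabled services that are
    reachable from outside 'trusted' or that use a plaintext protocol."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for name, svc in parse_ip_service(export_text).items():
        if svc["disabled"]:
            continue
        if not svc["address"]:
            findings.append((name, "enabled with no address restriction "
                                   "(reachable from any source)"))
        for net in svc["address"]:
            inside = any(net.version == t.version and net.subnet_of(t)
                         for t in trusted_nets)
            if not inside:
                findings.append((name, f"allows {net}, outside the trusted networks"))
        if name in PLAINTEXT:
            findings.append((name, "plaintext protocol enabled; "
                                   "prefer the TLS/SSH equivalent"))
    return sorted(findings)


# The export posted above, used as the locked-down input.
LOCKED_DOWN = """\
/ip service
set telnet address=192.168.1.0/24 disabled=yes
set ftp address=192.168.1.0/24 disabled=yes
set www address=192.168.1.0/24 disabled=yes
set ssh address=192.168.1.0/24
set www-ssl address=192.168.1.0/24
set api address=192.168.1.0/24 disabled=yes
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24 disabled=yes
"""

# Constructed export of a unit left near factory state: winbox explicitly
# open to everything, ssh moved to another port but still unrestricted, and
# every other service silent (so at its default).
WIDE_OPEN = """\
/ip service
set winbox address=0.0.0.0/0
set ssh port=2222
"""

if __name__ == "__main__":
    for label, text in (("locked down", LOCKED_DOWN), ("wide open", WIDE_OPEN)):
        print(f"== {label} ==")
        for service, finding in audit(text, ["192.168.1.0/24"]):
            print(f"{service}: {finding}")
```

Run against the posted export with `192.168.1.0/24` as the trusted network it reports nothing; run against the constructed export it flags every service still at its default, plus winbox for its 0.0.0.0/0 allow list. Passing a different trusted network (say, the management subnet you actually use) is a quick way to catch an `address=` that was copied from someone else's guide.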

Thanks Ants
May 21, 2004

#essereFerrari


If there's an exploit that can bypass basic ACLs then we're hosed

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer

EssOEss posted:

I guess having a hardcoded root password or two does not count as no authentication, in a way.

These were not specifically routers but there is no reason to believe their router department is any different.

There is actually a ton of reason to expect that the routing and switching gear is better. People have had literally decades to attack IOS/NXOS etc and it's not like they aren't huge targets. When I look around at other ISP's racks in our various colos I see a hell of a lot of Cisco gear and there's a reason for that. I would be absolutely shocked if some sort of amateur hour exploit like this Mikrotik bug was discovered with the software in an ASR.

These other products are generally things they've bought and are not used nearly as widely. Something like the denial of service bug that was recently announced is annoying. Allowing unauthenticated access to routing equipment is quite another and is completely unacceptable for anyone that gives the slightest poo poo about what these devices are doing.

Thanks Ants posted:

If there's an exploit that can bypass basic ACLs then we're hosed

I feel like it's just a matter of time and I am trying to pull my migration timeline forward as a result.

PUBLIC TOILET
Jun 13, 2009

im depressed lol posted:

Is there a go-to guide on hardening the default configs of various Mikrotik devices?

I use this:

https://www.manitonetworks.com/networking/2017/7/25/mikrotik-router-hardening

Thanks Ants posted:

If there's an exploit that can bypass basic ACLs then we're hosed

If/when that happens, I'll gladly start the immediate transition to pfSense or Cisco. Until then, I've personally had no reported issues with the MikroTik routers I've configured for people. Then again, I haven't yet installed the major bugfix revision firmware. Not looking forward to testing that on my router first.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
Mikrotik is great for cheap gigabit switches and small WISP-style routing areas.

If you keep stuff private IPs then great. If you need to route with WAN IPs, then just pray that ACL code never gets compromised.

Also you could turn on a firewall too also mayhap to supplement the ACLs.

im depressed lol
Mar 12, 2013

cunts are still running the show.

thank you for this. i'm 90% sure i used a GUI-only variant of this guide on initial setup a year ago.

PUBLIC TOILET
Jun 13, 2009

im depressed lol posted:

thank you for this. i'm 90% sure i used a GUI-only variant of this guide on initial setup a year ago.

Yeah just be careful if you copy it verbatim to your own MikroTik. Some of the IP addressing/ranges may have to be modified, especially when you build the firewall rules. Been using this for years with no issue.

Just pulled the trigger on 6.42.9 (hAP AC) and shockingly no issues to report. I did however notice this change and it confused me at first:

http://www.mtin.net/blog/mikrotik-changes-their-firmware-version-numbering/

Didn't know the RouterBOARD firmware versioning was changed.

thebigcow
Jan 3, 2001

Bully!
Upgraded to 6.42.9 at work and nothing blew up.

Also saw the RB4011 is out. 10 Gigabit ports on two switch chips, each switch chip has a 2.5gb/s link to the CPU, and an SFP+ cage. Desktop unit has dual band radios and a million antennas. Rack unit is just fancy ears on a desktop box without antennas.

yoloer420
May 19, 2006
Yeah it looks real good. I'd buy it if RouterOS had proper support for IPv6. They still don't support PBR on V6...

Thanks Ants
May 21, 2004

#essereFerrari


Are there any ‘bargain’ routers that have better software than MikroTik/Ubiquiti, or is the answer just to buy Juniper?

redeyes
Sep 14, 2002

by Fluffdaddy

Thanks Ants posted:

Are there any ‘bargain’ routers that have better software than MikroTik/Ubiquiti, or is the answer just to buy Juniper?

Pfsense/Opensense might be the answer depending on how many computer parts you have laying around.

Thanks Ants
May 21, 2004

#essereFerrari


From experience the pfSense distros aren't fantastic routing platforms, they're fine for SMB NAT gateway requirements and have lots of plugins available, but OSPF can be flakey and they can't do route based IPsec.

redeyes
Sep 14, 2002

by Fluffdaddy

Thanks Ants posted:

From experience the pfSense distros aren't fantastic routing platforms, they're fine for SMB NAT gateway requirements and have lots of plugins available, but OSPF can be flakey and they can't do route based IPsec.

2.4.4 has some new features and I thought IPsec routes were one of them but I haven't upgraded to it yet.

PUBLIC TOILET
Jun 13, 2009

https://www.tenable.com/blog/tenable-research-advisory-multiple-vulnerabilities-discovered-in-mikrotiks-routeros

Fixed in new releases but drat. I haven't utilized MikroTik on a business scale but come on, at least keep your poo poo up to date via the bugfix channel.

EssOEss
Oct 23, 2006
128-bit approved

quote:

What’s the attack vector? Attackers could use default credentials, frequently left unchanged on routers, to exploit these vulnerabilities.

Yawn.

Thanks Ants
May 21, 2004

#essereFerrari


Yeah being able to use correct credentials and do bad things to a system isn't really a huge exploit. Close management off to untrusted networks, use TACACS/RADIUS/whatever for your staff to auth to devices.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe
I've got a UniFi question if anyone can help. I have two AC-Lites, one bought when they first came out, and another bought in the last month or so.

The one I bought in the last month seems to have better reach and range. Did they update the antennas? I can see a pretty noticeable board revision difference, but I don't see enough of their hardware to know if they've really gone through that many versions or if they just updated the number.

redeyes
Sep 14, 2002

by Fluffdaddy
FWIW I have a couple year old AC-Lite that has absolutely crap for range. I was thinking it was broken or something.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

FunOne posted:

I've got a UniFi question if anyone can help. I have two AC-Lites, one bought when they first came out, and another bought in the last month or so.

The one I bought in the last month seems to have better reach and range. Did they update the antennas? I can see a pretty noticeable board revision difference, but I don't see enough of their hardware to know if they've really gone through that many versions or if they just updated the number.

Yeah the new AC lite is basically a whole new AP and is actually good. The 1st gen ones are absolute trash.

edit: i meant v1 not gen 1. although the gen1 UAP are pretty bad.

GnarlyCharlie4u fucked around with this message at 16:47 on Oct 11, 2018

SamDabbers
May 26, 2003



I have a first gen AC Lite (the 24V passive PoE one) and the range and speed are more than adequate for my purposes, but I live in an apartment. I even have the transmit power set low and only have the 5GHz radio enabled.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe

GnarlyCharlie4u posted:

Yeah the new AC lite is basically a whole new AP and is actually good. The 1st gen ones are absolute trash.

edit: i meant v1 not gen 1. although the gen1 UAP are pretty bad.

Board revision 18 vs. 33?

For the most part, the home network is perfectly fine now that I have the APs mounted on both sides of the house. Everywhere gets 5ghz, but I do notice that most of them are on the 'new' AP even if it is farther away.

I guess the correct thing to do is wait for the AC-Lite 2 or AC mega-pro or whatever it is that comes out next to consider upgrading the 'old' one.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof
^^yeah? I don't know the board numbers offhand.

I will say this. I kinda wish I had 2 Lites instead of one pro. But I'll just get another pro and everything will be peachy. Ubiquiti does the hand off really well between APs, so I'd be comfortable with one in the foyer and another in the basement.
Right now it's in the office and I get wifi all the way down the drat street.

Anywho... Which one of you is going around patching everyone's routers?

https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/

GnarlyCharlie4u fucked around with this message at 02:38 on Oct 13, 2018

devmd01
Mar 7, 2006

Elektronik
Supersonik
I'm jumping on the mikrotik train for home and just ordered a RB3011UiAS-RM. Time to start reading this thread!

alyandon
Dec 9, 2001
Poster of the Month for July!
Fun Shoe

devmd01 posted:

I'm jumping on the mikrotik train for home and just ordered a RB3011UiAS-RM. Time to start reading this thread!

Prepare for some pain compared to consumer routers. Having to set up everything manually is not a lot of fun - especially figuring out how to do more obscure crap like NAT-reflection.

However, currently watching my $160 RB3011 using <10% cpu while 400 mbit/s of traffic transits ether1. Totally worth it.

redeyes
Sep 14, 2002

by Fluffdaddy

alyandon posted:

Prepare for some pain compared to consumer routers. Having to set up everything manually is not a lot of fun - especially figuring out how to do more obscure crap like NAT-reflection.

However, currently watching my $160 RB3011 using <10% cpu while 400 mbit/s of traffic transits ether1. Totally worth it.

I used DNS instead of NAT reflection to access my webserver by name. Not sure if that is good enough.
You can set these routers up really fast. Assuming you mean port forwarding? Internet guides will have that working in a few minutes.

Advice: update the firmware before setting up the rest of the stuff, then do a factory reset (using Winbox). This will make sure it comes with default IPv4 and 6 firewall rules and will make things much easier.

redeyes fucked around with this message at 16:41 on Oct 15, 2018

alyandon
Dec 9, 2001
Poster of the Month for July!
Fun Shoe

redeyes posted:

I used DNS instead of NAT reflection to access my webserver by name. Not sure if that is good enough.
You can set these routers up really fast. Assuming you mean port forwarding? Internet guides will have that working in a few minutes.

Most of the basic stuff like port forwarding was trivial enough to set up as I'm pretty handy with basic networking and iptables stuff.

However, transitioning from a consumer router running Tomato that did so many things in the background like mapping dhcp clients to internal queues so that it could then account usage on a per-IP instead of per-interface basis, NAT-reflection, etc to setting up that mess of stuff was rough.

I still don't have an easy answer to the per-IP accounting for non-persistent network devices other than forwarding netflow data from the router to a linux box and dissecting the information streams there.

Sir Bobert Fishbone
Jan 16, 2006

Beebort
So I think I might just be an idiot, but I'm a little out of my depth here and am wondering if someone might be able to help.

I picked up an RB4011 (non wifi) last week. I've got it in the basement and connected on port 1 to port 4 on my hAP AC, which is powering the RB4011 via PoE. The idea is to have the hAP act as a switch for my entertainment center, as well as to provide wifi to the house. The RB4011 will handle the ethernet connections throughout the rest of the house.

Basically this part works, though I don't know if I did it right. All interfaces on the hAP are bridged together, and I configured the DHCP client to get addresses from the RB4011. It's working just fine.

BUT now I want to set up a VLAN for some of the home automation gear I have, most of which is over WiFi (and hence would be set up on a Virtual WLAN on the hAP?) but also consumes a couple ports on the RB4011. There are a bunch of references online that purport to tell me how to do this, but I can't for the life of me get it to work. Can someone help me wrap my mind around what needs done here?

Sir Bobert Fishbone fucked around with this message at 17:12 on Dec 11, 2018

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer
I decommissioned the CCR-1072s from my edge over the weekend. :rip: in piss

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire

Pendent posted:

I decommissioned the CCR-1072s from my edge over the weekend. :rip: in piss

I weep for anyone using Mikrotiks on their edge/BGP.

They're great for internal networks though. I mean, stub networks. I mean networks you don't care as much about.


Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer

jeeves posted:

I weep for anyone using Mikrotiks on their edge/BGP.

They're great for internal networks though. I mean, stub networks. I mean networks you don't care as much about.

Two days before they were set to go away a flapping peer caused one of my edge routers to poo poo itself so badly it actually physically bounced a bonded interface.

Please learn from my mistakes everyone. Do not trust mikrotik with anything you care about.
