Mikrotik - pre zaciatocnikov

[Odar]

snake --> Vies odporucit cosi na domace pouzitie, aby clovek nemusel zacat rozpredavat svoje organy? Mohol by si postnut nejaky konkretny kusok HW, ktory podla teba stoji za to.

[16cmfan]

https://www.mf-elektro.sk/cisco-rv160w- ... #933767763

[Odar]

Vdaka. To nevyzera zle. Pozriem detailnejsie, ked budem mat cas.

[Chris]

https://www.mf-elektro.sk/cisco-rv160w- ... #933767763

Prenatuje len 600Mbit, ak mas nahodou rychlejsi net

[molnart]

mam taky problem - snazim sa na mikrotiku premapovat WAN z port 1 na port 5. postupujem podla tohto navodu https://www.youtube.com/watch?v=UvMtn9y ... st=WL&t=0s no ako nahle nastavenia ulozim tak uz sa neviem dostat do mikrotiku ani cez winbox ani cez web, proste nereaguje, ani net nejde. nejaky napad?

[16cmfan]

a nemas nieco vo firewall pre ether 5 nastavene co ta odstrihne ? na router sa nepripojis ani cez MAC ? (vo winbox to ide)

[molnart]

nemyslim si, vzdy zacinam od default configu, kedze inak sa neviem do routra dostat

[16cmfan]

https://forum.mikrotik.com/viewtopic.php?t=87013

[molnart]

vsak presne to iste som spravil. akurat bez tych masterov, ten navod je spred 5 rokov a nastavenia bridge sa medzitym trosku zmenili

[Snake]

https://cve.mitre.org/cgi-bin/cvename.c ... 2018-19299

It seems there is a bug in ROS that allows a remote attacker to crash any Mikrotik device if they can access it via v6. Even with firewalling you are still a sitting duck. Mikrotik have known about this for a year and have done nothing to fix it.

This information is due to be released to the public at UKNOF on 9th April. Yes, in 12 days anyone with a slight bit of knowledge about networks and a v6-enabled connection will be able to take any Mikrotik device (running v6) offline. No doubt an exploit script will follow soon after.

As a community it is absolutely critical that we push Mikrotik for a solution to this problem as a matter of upmost urgency. The consequences of this getting out into the wild before a fix is available would be disastrous for all of us. Please everyone pay attention and help in making sure Mikrotik understand just how critical this problem is.

There is a thread already running on this (viewtopic.php?f=2&t=147048) but the subject is such that most people will probably skip over it.

I have been asking MikroTik for exactly this approach for nearly a year. They will not commit to a date, or even that they have begun work on it. The timeline will be made clear in my talk at UKNOF 43 — which MikroTik were made aware of well in advance.

Additionally I've been working with CERTs and other trusted ops groups to spread the word in advance, and was hoping that the likes of NCSC UK or NCSC NL would be able to mediate between myself and MikroTik as I view responsible disclosure as a priority.

Sadly I also believe there is exploitation in the wild — certainly in the last 2-4 weeks — and have shared this with MikroTik. They continue to view this as a "bug" not a "vulnerability".

Yes, it is kernel level and is very hard to fix, since RouterOS v6 has an older kernel version and we can't just change the kernel.

Oni su fakt tupci 2018 presli s tolkymi vulns ze sam som neveril, a 2019 zacinaju tiez peknym tempom, par rokov takyto pristup este a ostane po nich iba blikajuce CPE od jozkaferka co chce router za dvacku

[Hexaris]

No ... ok, zalezitost kernelu neni uplne chyba ich, ale to neznamena, ze si ho nemohli opatchovat. Dnes sa robi bezne in memory kernel patching a pochybujem, ze by Sergei o tom nevedel. Zas oponovat, ze to neni security fail, ale len zhodenie systemu, je fakt na hlavu ... A Normis fnuka, ze noveho cloveka do vyvoja treba zaskolit a to nejaky cas trva a ze to nie je iba tak ... nech zije kids control.

[Snake]

Kazda normalna spolocnost co ma aj EOL produkty (Juniper, Cisco) pouziva Linuxovy Kernel tiez, preco tie firmy to vedia spravit a Tik sa stale drzi stareho kernelu? Vyhovorka, nic ine iba vyhovorka, proste sa zasekli a dovi.

Hej normisove odpovede su fakt na hlavu, nehovoriac o klamstvach po fore co pisal ohladom tohto (kde mu to vyvratil sam nahlasovatel, s datumami 2018 Maj )

[molnart]

mam taky problem - snazim sa na mikrotiku premapovat WAN z port 1 na port 5. postupujem podla tohto navodu https://www.youtube.com/watch?v=UvMtn9y ... st=WL&t=0s no ako nahle nastavenia ulozim tak uz sa neviem dostat do mikrotiku ani cez winbox ani cez web, proste nereaguje, ani net nejde. nejaky napad?

takze, nejak sa mi podarilo wan rozchodit na eth5 a mikrotik mi pekne napaja antenku na streche a hlavne ju viem softverovo cez mikrotik resetnut a nemusit sa trepat von vytahovat kabel. mam ale maly problem:
neviem nastavit fixnu adresu pre WAN (potrebujem ju pre verejnu IP adresu). to co nastavim na obrazovke quickset je ignorovane a na obrazovke DHCP client vidim ze bola pridelena ina IP adresa. fixnu adresu som nastavil aj v IP \ Addresses na interface eth5, napriek tomu stale dostavam pridelenu tu z DHCP (ked bol WAN na eth1 bez problemov som fixnu IP vedel nastavit)

edit: tak po dalsom nastavovani mi prestal fungovat net ale velmi zaujimavym sposobom. viem pingnut akukolvek stranku (aj podla ip adresy aj podla domeny, takze dns je v poriadku), viem sa pripojit zvonka cez ssh, napriek tomu mi nejde net. nenacita ziadnu webstranku ani mi nic nestiahne cez wget napr.

[Hexaris]

Nepisal si ohladom ubnt na streche s rovnakym nickom na ispfore ? Podla mna bude lepsie si nieco o tom precitat a zmazat komplet ten drb..y quickconfig. Proste reset to default a nahadzat potrebne veci. MT tam nechava pravidla ktore vobec nejdu zmazat v tom zakladnom configu.

Aby som len nekecal. Ak sa pre to rozhodnes, tak MT bude nasledne dostupny len cez mac. Cez winbox sa pripojis a cca postup je:
- Ako prve pre istotu ip firewall dropnut vsetko na input nez si nahadzes ostatne pravidla.
- Nahodit verejnu na port kde mas POE
- Pridat GW ip->routes (DST 0.0.0.0 ostava), ak je to ok musi byt reachable.
- Nasledne vytvorit bridge a nahadzat ostatne porty (mame offload - neriesit)
- Nastavit IP pre bridge
- Vytvorit pool pre dhcp ip->pool rozsah napr. x.x.x.100-x.x.x.200
- Pridat dhcp server na bridge + networks v rozsahu ako je IP pre bridge a nastavit pool z predchadzajuceho kroku
- V NAT pridat pravidlo srcnat / outgoing interf. port kde mas POE a v action nastavit maskaradu.

Toto by malo stacit na funkcny net a zacat sa mozes hrat s dstnat, pravidlami .. atd.
Ak som to napisal nezrozumitelne tak sa radsej do toho nepustaj.
P.S. ak nebudes riesit address list tak aspon pomen porty v services a popridavaj IP odkial ma byt dana sluzba dostupna.

[molnart]

@hexaris, ano, pisal. medzitym som prisiel na to kde je problem: neviem ako sa robi portforwarding na mikrotiku, tak sa mi podarilo presmerovat vsetok traffic cez porty 80 a 443 na rasbperry pi v sieti (kde mi bezi webserver) ked som pridal k nat pravidlam in-interface-list=WAN tak uz mi vsetko fici. ked som presiel ten tvoj zoznam tak to zhruba tak mam nastavene, akurat ten firewall mam ako to bolo defaultne.

akoze keby mi nelezi doma spred 5 rokov mikrotik s PoE na cele sa zvysoka vyseriem a ostanem pri tomato, kde vsetko nastavim za 5 minut vratane dual-WANu pre failover a mam k tomu krasne grafiky a jedno miesto kde vidim vsetky zariadenia vylistovane aj s mac lookup...