News: MikroTik and Ubiquiti fix WPA2 Client Vulnerability

For those unfamiliar with this latest WPA2 Security Vulnerability, please bear in mind the problem is on the client device, not the AP. Therefore rushing to patch your APs is not going to solve all the problems in your network from this vulnerability!

Of course, if you’re using WPA-TKIP (or using ‘both’ TKIP and AES), you DO have more problems than this attack. Therefore please ensure that any support for TKIP is disabled!  If you’re using WEP, this vulnerability will not affect you, but then again, you have even bigger problems anyway!

News: MikroTik release RouterOS 6.38.7 (bugfix tree)

MikroTik have a new release in the bugfix tree.
https://mikrotik.com/download

What’s new in 6.38.7 (2017-Jun-20 10:55):

!) bridge – fixed BPDU rx/tx when “protocol-mode=none”;
!) bridge – reverted bridge BPDU processing back to pre-v6.38 behaviour (v6.40 will have another separate VLAN-aware bridge implementation);
*) 6to4 – fixed wrong IPv6 “link-local” address generation;

MikroTik release RouterOS 6.36

MikroTik have released 6.36 in the current release channel. Here is their changelog:

What’s new in 6.36 (2016-Jul-20 14:09):

*) arm – added Dude server support;
*) dude – (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=110428);
*) dude – server package is now made smaller. client side content upgrade is now removed from it and is downloaded straight from our cloud. So workstations on which client is used will require access to wan. Alternatively upgrade must be done by reinstalling the client on each new release;

HowTo: MikroTik Secure VPN Part 1.5 MikroTik to MikroTik with IPSec

This is a short HowTo which covers the set-up of a MikroTik to MikroTik VPN secured with IPsec. IPsec can be very CPU intensive, and it is recommended that the VPN server be set up on a MikroTik which supports hardware-based AES/IPsec encryption, such as the MikroTik RB850Gx2, RB3011 or any CCR series router.

I will be using an RB850Gx2 as my VPN server and a MikroTik mAP as my VPN client. All the heavy IPsec processing will be done on the RB850Gx2, which has AES hardware for offloading IPsec calculations. ROS 6.33.3 or higher is required on the client side in order to make use of the ‘easy IPsec connect’ feature.

HowTo: Optimising MikroTik Firewall rules

When creating complex firewall rules on MikroTik routers, especially those with high levels of packet throughput, it is important that the rules are processed efficiently. Firewall rules are processed top down: every new packet is tested against each rule in turn until a match is found. For high packet count traffic, this could mean that each of those packets is tested against many rules before it is matched. This can require more processing power than necessary, and if the CPU reaches 100%, packet loss will occur.

News: CVE-2015-0235 RouterOS NOT affected by GHOST glibc security risk

MikroTik have confirmed that no version of RouterOS suffers from the security vulnerability CVE-2015-0235. See Mikrotik Forum for confirmation.

HowTo: Improved CAPsMAN Wireless Client Roaming

CAPsMAN is a very useful method of setting up a large number of APs (CAPs) in a building, but how can you help a client to roam better? The problem is that clients can get “sticky”. They refuse to disconnect themselves from an AP, even though they have moved and are now much closer to another AP. The client software seems to hang in there for dear life, despite having a very poor, low-speed connection, as if it has decided, “some connection, no matter how bad, is better than none at all, but I will not check to see if there are any other APs that are stronger”. So they remain “stuck” to that distant AP, even though there is a better one nearby. So what’s the solution?

HowTo: Load Balancing multiple Internet connections

A frequent request we receive is how to use a MikroTik Router to get more bandwidth by ‘joining’ multiple internet feeds together. There are a number of different methods, but it’s a good moment to clarify that the term ‘line bonding’ is not the same as ‘load balancing’. With line bonding we are actually sending each packet in a ‘round robin’ fashion up multiple lines, and at the ISP end they are joined back together again into a single circuit. This is a service that can only be carried out at a data centre or ISP, and all lines must be connected to a common interface sharing the same IP address. Any Public IP Addresses used at the remote site must all be routable over any one of the multiple lines. Not so easy when the lines are possibly from completely different service providers.

HowTo: MikroTik Secure VPN Part 1 MikroTik to MikroTik

This is part 1 of a VPN HowTo to aid in the set-up of secure VPN services on MikroTik devices. In part 1 I will focus on basic set-up and MikroTik to MikroTik secure VPN. Part 1.5 can be found here, which focuses on MikroTik to MikroTik IPsec VPN. Part 2 will focus on setting up a secure VPN with IPsec to a MikroTik from a mobile iOS or Android device and from a computer with a Windows/OSX/Ubuntu based operating system.

Mikrotik QRT Perfect for PTP Wisp applications

The MikroTik QRT is an all-in-one wireless device similar to the SXT range but much more powerful. The QRT boasts a powerful 24dBi antenna combined with an internal RB911 with a transmit power of 30dBm, giving a potential output of 54dBm or 250W, which far exceeds the UK power restriction for wireless networks set by Ofcom. 4W or 36dBm is the current maximum allowed power out in the UK on Band C, which the QRT can manage effortlessly.