Wi-Fi Protected Access 3 – WPA3

Back in January 2018, the Wi-Fi Alliance announced in a press release that a new Wi-Fi Protected Access® (aka WPA) certification program had been launched. First there was WPA™, then there was WPA2™, so unsurprisingly the new system was called WPA3™. (Note that WPA, WPA2 and WPA3 are not ‘standards’, nor are they ‘protocols’; they are ‘Wi-Fi Alliance certification programs’. In fact, the standard for WPA2 was actually 802.11i.)

Which MikroTik RouterOS package channel should I use?

We are often asked about the different versions of MikroTik RouterOS, and thought we would clarify when each should be used.

MikroTik RouterOS System Packages – Check For Updates

When you click the “Check for updates” button in System -> Packages in any recent version of RouterOS, you are presented with a set of choices in the channel dropdown:

News: MikroTik and Ubiquiti fix WPA2 Client Vulnerability

For those unfamiliar with this latest WPA2 Security Vulnerability, please bear in mind the problem is on the client device, not the AP. Therefore rushing to patch your APs is not going to solve all the problems in your network from this vulnerability!

Of course, if you’re using WPA-TKIP (or using ‘both’ TKIP and AES), you DO have more problems than this attack. Therefore please ensure that any support for TKIP is disabled! If you’re using WEP, this vulnerability will not affect you, but then again, you have even bigger problems anyway!

News: MikroTik release RouterOS 6.38.7 (bugfix tree)

MikroTik have a new release in the bugfix tree.
https://mikrotik.com/download

What’s new in 6.38.7 (2017-Jun-20 10:55):

!) bridge – fixed BPDU rx/tx when “protocol-mode=none”;
!) bridge – reverted bridge BPDU processing back to pre-v6.38 behaviour (v6.40 will have another separate VLAN-aware bridge implementation);
*) 6to4 – fixed wrong IPv6 “link-local” address generation;

MikroTik release RouterOS 6.36

MikroTik have released 6.36 in the current release channel. Here is their changelog:

What’s new in 6.36 (2016-Jul-20 14:09):

*) arm – added Dude server support;
*) dude – (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=110428);
*) dude – server package is now made smaller. client side content upgrade is now removed from it and is downloaded straight from our cloud. So workstations on which client is used will require access to wan. Alternatively upgrade must be done by reinstalling the client on each new release;

HowTo: MikroTik Secure VPN Part 1.5 MikroTik to MikroTik with IPSec

This is a short HowTo which covers the set-up of a MikroTik to MikroTik VPN secured with IPsec. IPsec can be very CPU intensive, and it is recommended that the VPN server be set up on a MikroTik which supports hardware-based AES/IPsec encryption, such as the MikroTik RB850Gx2, RB3011 or any CCR series router.

I will be using an RB850Gx2 as my VPN server and a MikroTik mAP as my VPN client. All the heavy IPsec processing will be done on the RB850Gx2, which has AES hardware for offloading IPsec calculations. ROS 6.33.3 or higher on the client side is required in order to make use of the ‘easy IPsec connect’ feature.

HowTo: Optimising MikroTik Firewall rules

When creating complex firewall rules on MikroTik routers, especially those with high levels of packet throughput, it is important that the rules are processed efficiently. Firewall rules are processed top down. Every new packet is tested against each rule until a match is found. For high packet count traffic, this could mean that all those packets are tested many times before they are matched. This can require more processing power than necessary, and if the CPU reaches 100%, packet loss will occur.

News: CVE-2015-0235 RouterOS NOT affected by GHOST glibc security risk

MikroTik have confirmed that no version of RouterOS suffers from the security vulnerability CVE-2015-0235. See Mikrotik Forum for confirmation.

HowTo: Improved CAPsMAN Wireless Client Roaming

CAPsMAN is a very useful method of setting up a large number of APs (CAPs) in a building, but how can you help a client to roam better? The problem is that clients can get “sticky”. They refuse to disconnect themselves from an AP, even though they have actually moved their location and are now much closer to another AP. The client software seems to hang in there for dear life, despite having a very poor, low-speed connection. It seems to decide, “some connection, no matter how bad, is better than none at all, but I will not check to see if there are any other APs that are stronger”. So they remain “stuck” to that distant AP, even though there is a better one nearby. So what’s the solution?

HowTo: Load Balancing multiple Internet connections

A frequent request we receive is how to use a MikroTik router to get more bandwidth by ‘joining’ multiple internet feeds together. There are a number of different methods; however, it’s a good moment to clarify that the term ‘line bonding’ is not the same as ‘load balancing’. With line bonding we are actually sending each packet in a ‘round robin’ fashion up multiple lines, and at the ISP end they are joined back together again into a single circuit. This is a service that can only be carried out at a data centre or ISP, and all lines must be connected to a common interface sharing the same IP address. Any public IP addresses used at the remote site must all be routable over any one of the multiple lines. Not so easy when all the lines are possibly from completely different service providers.