Mikrotik expert Hani Rahrouh offers tips and tricks

Sunday, 03 June 2018 / Published in Blog, Insider Secrets, MikroTik products

The best practice how to selects the perfect MikroTik hardware for your network.

Most underused MikroTik hardware and software features

“The path between fastpath and advanced features”

Objectives

● To help you understand and combine “FastPath” and “SlowPath” features.

● To allow MikroTik equipment to do more.

● Encourage not only to update RouterOS version, but also update existing configurations with the latest features.

● Reduce the amount of hardware performance issue emails to support@mikrotik.com!

Presentation plan

● This presentation will consist of most popular performance issues related to mistakes in

– Hardware choice – Hardware usage – Layer-2 feature usage – Layer-3 feature usage

● We will cover the information needed to avoid such mistakes.

Know your hardware

● Improper use of hardware or using the wrong one for the job is by far the most popular mistake we see in the support requests.

● Each device made by MikroTik has it’s specifics both in: – Structure (CPU cores, memory, port inter connections) – Performance (switching, bridging, routing, encrypting)

Meet Dave

● Dave is a smart and experienced network administrator, well certified in mainstream network equipment brands.

● There was a disaster, the main router died, and Dave needs to get at least something in the network working NOW!!

● The only spare equipment he can get his hands on is some strange “hEX” (RB750Gr3) board from someone called “MikroTik”, that a friend gave him to try out some time ago.

● Dave needs MPLS, L2TP+IPSec, firewall and routing.

Few Days later

● Dave applied RB750Gr3 as a fix and got most of the services online.

● He is in shock how a $60 box was able to do all this.

● Dave has discovered RouterOS and MikroTik instantly becoming a MikroTik fanboy.

● He is sending lots of questions to support@mikrotik.com .

Analysis of the problem

● Dave’s problem #1:

– The daily database exchange throughput is limited to 1 Gbps total, and CPU is not 100%, using routing with large packets.

● Diagnosis:

– Block diagram for RB750Gr3.

● Reason:

– Dave uses ether2 and ether4 ports for database exchange, both ports are on the same 1 Gbps line to CPU.

Read more!

Load-balance using PCC in MikroTik RouterOS v 6.xx

Introduction PCC “Per Connection Classifi...
Audience – a router for those who value both beauty and functionality

Audience is a tri-band (2.4 GHz & high + lo...
DO NOT let the cables limit you, More Throughput over Power!

PWR-LINE PRO PWR-LINE PRO (PL7510Gi) is a smart...
The First MikroTik product with 10G RJ45 Ethernet ports, CRS312-4C+8XG-RM

CRS312-4C+8XG-RM Switch of the future: the firs...
Netflix has identified vulnerabilities in RouterOS.

Netflix has identified several TCP networking v...

CVE-2023-32154
On 10/05/2023 (May 10th, 2023) MikroTik received information about a new vulnerability, which is assigned the ID CVE-2023-32154. The report stated, that vendor (MikroTik) was contacted in December, but we did not find record of such communication. The original report also says, that vendor was informed in person in an…
Mēris botnet
In early September 2021 QRATOR labs published an article about a new wave of DDoS attacks, which are originating from a botnet involving MikroTik devices. As far as we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability, that…
Fragattacks
In beginning of May 2021, a security research group from Belgium published a set of vulnerabilities they call "Frag Attacks" (from Fragmentation Attack), which affect all modern security protocols of Wi-Fi. Not all the published issues affect MikroTik products, but those that were found to be potentially affecting RouterOS, have…
Upgraded package signatures
The RouterOS package signing procedure has been upgraded, to use new algorithms and utilize state of the art security hardware. It will also add a possibility to verify the integrity of existing installations. The new updated package signing procedure provides additional security to prevent installation of malicious software. Best security practices: Keep RouterOS updated…
MUM EUROPE AND OTHER UPCOMING EVENTS - POSTPONED!
In compliance with our commitment to ensure the safety of our clients, partners, staff, and visitors at all MikroTik events, we have no other choice but to postpone our upcoming events: MUM Europe in Prague, Czech Republic (March 26-27) MTCSA in Riga, Latvia (March 23-24) Train the Trainer in Riga, Latvia (March 30…
DNS cache poisoning vulnerability
Tenable has identified a vulnerability in RouterOS DNS implementation. RouterOS 6.45.6 and below is vulnerable to unauthenticated remote DNS cache poisoning via Winbox. The router is impacted even when DNS is not enabled. One possible attack vector is via Winbox on port 8291 if this port is open to untrusted networks.…
Package validation and upgrade vulnerability
Tenable has identified a couple of issues with RouterOS packaging and upgrade systems. The upgrade system used by RouterOS 6.45.5 and below is vulnerable to man in the middle attacks and insufficient package validation. An attacker can abuse these vulnerabilities to downgrade a router's installed RouterOS version, possibly lock the…
CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Summary Netflix has identified several TCP networking vulnerabilities in the Linux kernel that is used in RouterOS. The vulnerabilities can trigger denial of service if the RouterOS system is attacked from an insufficiently protected network interface (port). Firewall can protect against the issue. MikroTik has already applied the necessary patches: fix included in…
CVE-2019-3981
Summary Tenable has published a potential vulnerability in older RouterOS versions where an attacker can retrieve the password hash of a RouterOS username via a complex man-in-the-middle attack over port 8291. The attacker must be able to intercept a valid RouterOS user login attempt, so he must be located in the…
CVE-2018-19298 CVE-2018-19299 IPv6 resource exhaustion
Summary RouterOS contained several IPv6 related resource exhaustion issues, that have now been fixed, taking care of the above-mentioned CVE entries. The first issue caused the device to reboot if traffic to a lot of different destination addresses was routed. The reboot was caused by watchdog timer since the device was overloaded…