TOP 10 RouterOS configuration mistakes by Andis Āriņš (router.lv - Andis Arins, Latvia)
Пікірлер: 40
@thanatos4543 жыл бұрын
10 - 3:12 - Same IP on different interfaces 09 - 5:15 - Lack of monitoring 08 - 20:45 - DNS Issues 07 - 25:15 - Firewall Inefficiency 06 - 27:33 - NAT Issues 05 - 33:44 - Allowed IP Spoofing 04 - 39:45 - Bridge Issues 03 - 44:45 - PoE Issues 02 - 48:40 - Waiting for Hackers 01 - 52:00 - admin / no password
@thanatos4543 жыл бұрын
Link to presentation slides mum.mikrotik.com//presentations/US16/presentation_3001_1462450916.pdf
@Lann912 жыл бұрын
A real hero, thanks
@karlbooklover5 жыл бұрын
Very interesting talk, thank you!
@nirmalacharya39605 жыл бұрын
just wow sir.
@NwasFalih7 жыл бұрын
Great !
@sardarharis55583 жыл бұрын
Great 👍
@azfarhameedkhan71178 жыл бұрын
sir on minute 36:30 when you were discussing traffic generator tool, in packet templates you had 3 tabs General, MAC,IP. but in my routerOS i dont see those 3 Tabs, i only have a General TAB......i am using version 6.35, can you please tell me what version were you using when you prepared those slides? Regards azfar
@xuxamelo5 жыл бұрын
At the NAT section, I supose I don't need the third rule since I'm only accepting related / established connections right?
@gunnargu2 жыл бұрын
2 interfaces can share the same LINK LOCAL address just fine, right? Such as using fe80::1 as ipv6 gw
@daaumarius6 жыл бұрын
Nice presentation , but on the DNS filtering there is no state for UDP , for what I know UDP is connectionless so you can't filter on new connection state isn't it ?
@pubdigitalix6 жыл бұрын
I agree with you Marius, but DNS can use TCP when the replay is long enough for the size of UPD datagrams, and TCP is conecction oriented. I don't agree with your evaluation about the presentation in general, because hearing the speaker is a really PTA for someone not english native.
@Roman_4x55 жыл бұрын
Mikrotik can keep track of the connection for TCP and UDP the same way conntrack in netfilter works in linux. Filtering new connections works well with few exceptions. Some services may reply from different port and will be also filtered. You can define allow rule that will permit established and related connections before it will filter new one.
@reion787 жыл бұрын
Hi Andis! Where slides can be downloaded? Thanks
@Akrobs7 жыл бұрын
Благодарю.
@wreckedzilla Жыл бұрын
my traineeer
@AndreaFlorio4 жыл бұрын
i see some of those mistakes and i think... why doesn't RouterOS handles them? look at junos or IOSm they won't allow to configure overlapping ip/subnets on two interfaces in the same vrf
@sankareshkannan92396 жыл бұрын
I was disabled the lan interface by winbox now I can’t able to access the router how to solve this issue
@nickandritsos61906 жыл бұрын
You need to reset the router
@sankareshkannan92396 жыл бұрын
nick andritsos its possible to enable by WAN interface
@mzakelj6 жыл бұрын
Conect cable to other port and connect over MAC !!
@jovanjanevski37477 жыл бұрын
GNU/MikroTik
@janseniogonzalesvenegas26498 жыл бұрын
Haber si las vídeos sean traducidos en español ya que es la lengua que mas se habla en el mundo seria genial
@scarranza226 жыл бұрын
En realidad la lengua mas hablada es el mandarín, y en segundo lugar el ingles. El español ocupa el cuarto lugar de la lista. en.wikipedia.org/wiki/List_of_languages_by_total_number_of_speakers Deberías tomar algunos cursos de ingles, es mas fácil encontrar información o soporte realizando búsquedas en ingles.
@pubdigitalix6 жыл бұрын
Creo que vos deberías tomar el curso porque si supieras leer ingles podrías observar que el mandarín es el primero y el español es el SEGUNDO (L1 speakers significa nativos). Además no te vendría mal saber un poco de geografía, lo cuál explica las diferencias. Distinto es si miramos la lista de L2 speakers que es una segunda lengua y el ingles lleva lejos la delantera. Coincido que es más facil encontrar información en ingles y eso es en parte por la enorme falta de respeto que tienen los latinos con su propio lenguaje, ya que antes se traducía mucho más al español que ahora.
@RmFrZQ6 жыл бұрын
[20:46] Why even implement this feature without any means to configure it the right way, like selecting interfaces for this service to be available on?
@kjeldschouten-lebbing62604 жыл бұрын
Because IP/Port binding is never supposed to be a replacement for a firewall.
@thegorn3 жыл бұрын
Using Mikrotik without studying all the bugs that affect you is probably #1
@misaelcampos55892 жыл бұрын
underated
@moetarded77572 жыл бұрын
Get an network interpreter. Preferably a network genius with glasses and pen protector.
@sp4c332 жыл бұрын
Use long-term builds...
@user-ur3nw2yi3k3 жыл бұрын
mikrotik
@SteveWrightNZ5 жыл бұрын
too long
@BillAnt4 жыл бұрын
LOL... play in at 2x speed, it will be half as long. ;D
@melonmusk39764 жыл бұрын
Just skip this guy's autopromotion about resume and M$ Cerrified B$ and jump directly to kzfaq.info/get/bejne/eNGKe7V1m9nagYk.html
@chuck0919556 жыл бұрын
At 26 minutes in, talking about firewall inefficiency, Does this person have any knowledge of the subject matter? Apparently not. MikroTik has a stateful firewall and state tables should be examined before any of the configured rules. For traffic from any of the whitelisted IP addresses the return traffic from the web server should never reach the first firewall rule. It should just be permitted by the state table and that should happen very fast. It says this video was published by MikroTik and seeing misinformation like this gives me concern the company does not even know their own product. I have a very large investment in MikroTik equipment and maybe they have lost their talent that was knowledgeable. A better improvement would be to move the rule 9 up to the top since this is for a web server it should be expected that most of the inbound traffic would be hitting that rule. Also doesn't only the first packet of each connection run down the list of rules and all further packets of that connection would be handled in the state table?
@Roman_4x55 жыл бұрын
Stateful firewall keeps track of the connection state, but it still need to know the policy against that traffic. This is why there are matchers for connection state. Each packet is being evaluated against each of the rules until it will match the rule or reach the implicit allow. Above all, the example just explains a "mistake" of allowing for firewall to scan all rules for very common traffic. Solution is to define the explicit rule as close to the top as possible in order to save CPU cycles.