TOP10 RouterOS configuration mistakes
Presenter – Andis Arins
andis[at]router.lv
www.linkedin.com/in/andisarins
• MikroTik Consultant at
• MikroTik / Microsoft certified trainer
• Member of the board in Latvian Internet Association
• Review expert for EU in future networking research
MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv
10
The same IP on multiple interfaces
Survival strategy: MAC telnet, or a connection from a different network.
9
Lack of monitoring
• What is the health of my router?
• Is it reachable from everywhere it should be?
• Isn't it overloaded?
IP - SNMP: /snmp> send-trap for proactive action
The Dude: you can monitor and manage your devices (new features since RouterOS 6.34)
Tools - Netwatch
Tools - Traffic Monitor
IP - Traffic Flow
Also HA solutions without monitoring may fail one day.
VRRP for 99.9%+ availability still means 0.365 days (8.76 hours) of downtime per year.
8
DNS issues
Diagram: many DNS requests from spoofed source IPs; the replies go to the VICTIM.
Diagram: 10.0.0.0/24
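As an added example (not from the presentation), the RouterOS configuration that keeps the router as a DNS cache for the 10.0.0.0/24 LAN while refusing queries from the internet, so it cannot serve as the reflector in the diagram above. Assumed: ether1 is the uplink and RouterOS 6.41 or newer for interface lists.

```routeros
# The cache is only useful with allow-remote-requests=yes, which also answers
# anyone on the internet unless the input chain stops it. Upstream servers assumed.
/ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

# Name the uplink so the rules do not break when ports are renumbered (assumed ether1)
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# Drop DNS arriving from the uplink; both transports, since TCP is used for large answers
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"

# Order matters: these must sit above any rule that accepts everything on input
/ip firewall filter move [find comment="no DNS from WAN"] destination=0

# Check after a query from outside: the drop counters rise and the cache stays quiet
/ip firewall filter print stats where comment="no DNS from WAN"
/ip dns cache print count-only
```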
7
Firewall inefficiency
Diagram: internet - 123.123.123.123 - webserver
6
NAT issues
Diagram: 10.0.0.0/24 - router 123.123.123.123 - 159.148.147.196
Before NAT (masquerade): src-ip: 10.0.0.10, dst-ip: 159.148.147.196
After NAT (masquerade): src-ip: 123.123.123.123, dst-ip: 159.148.147.196
Diagram: 10.0.0.0/24, 10.1.1.0/24, 10.1.1.0/24, 123.123.123.0/24; labelled bad, ok, ok
Diagram: 10.0.0.0/24 - IPSec - 192.168.0.0/24
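The last diagram (10.0.0.0/24 to 192.168.0.0/24 over IPSec) matches the best-known NAT mistake on RouterOS: source NAT runs before the IPsec policy is consulted, so a catch-all masquerade rewrites tunnel traffic and it never matches the policy. The fix below is an added example, not the presenter's configuration; ether1 is assumed to be the uplink and the subnets are taken from the diagram.

```routeros
# The mistake: one catch-all masquerade that also rewrites traffic meant for the tunnel
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="masquerade"

# Fix 1: exempt LAN-to-remote-LAN traffic from NAT, placed ABOVE the masquerade rule
/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 dst-address=192.168.0.0/24 action=accept place-before=0 comment="IPsec bypass"

# Fix 2 (alternative that needs no subnet list): only masquerade packets that have
# no matching outgoing IPsec policy
/ip firewall nat set [find comment="masquerade"] ipsec-policy=out,none

# Verify: pinging the remote LAN should bump the bypass counter, not the masquerade one,
# and the policy should show an established phase-2 state
/ip firewall nat print stats
/ip ipsec policy print detail
/ip ipsec installed-sa print
```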
5
Allowed IP Spoofing
Diagram: 10.0.0.0/24 - router 123.123.123.123
Packet from the LAN: src-ip: 13.13.13.13, dst-ip: 159.148.147.196 ?
1. routing decision
2. firewall decision
Tools - Traffic Generator
Test your network: https://spoofer.caida.org/
http://ieeexplore.ieee.org/
Diagram: 10.0.0.0/24
Packet from the LAN: src-ip: 13.13.13.13, dst-ip: 159.148.147.196 - X at the routing decision
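Added example (not the presenter's configuration) of the two blocks the diagrams name: the routing decision, with strict reverse-path filtering, and the firewall decision, with rules tied to the LAN prefix. Assumed: LAN 10.0.0.0/24 on ether2, uplink on ether1.

```routeros
# 1. Routing decision: strict reverse-path filtering drops any packet whose source
#    address would not be routed back through the interface it arrived on, so
#    src-ip 13.13.13.13 arriving from the 10.0.0.0/24 LAN is never forwarded.
#    Caveat: strict breaks asymmetric routing; loose is the fallback in that case.
/ip settings set rp-filter=strict

# 2. Firewall decision: on the LAN port (assumed ether2) only the LAN prefix may be a source
/ip firewall filter add chain=forward in-interface=ether2 src-address=!10.0.0.0/24 action=drop comment="anti-spoof from LAN"
/ip firewall filter add chain=input in-interface=ether2 src-address=!10.0.0.0/24 action=drop comment="anti-spoof from LAN"

# The mirror image: packets from the uplink (assumed ether1) must not claim a LAN source
/ip firewall filter add chain=forward in-interface=ether1 src-address=10.0.0.0/24 action=drop comment="anti-spoof from WAN"
/ip firewall filter add chain=input in-interface=ether1 src-address=10.0.0.0/24 action=drop comment="anti-spoof from WAN"

# Check: rule counters after a spoofer.caida.org run from inside the LAN
/ip firewall filter print stats where comment~"anti-spoof"
```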
4
Bridge issues
Diagram: wan | lan - bridge - master, slave, slave, slave
bridge-lan: DHCP server placed on an individual port, not on the bridge itself
3
PoE issues
MikroTik PoE standard: (4,5 pin +) (7,8 pin -)
Hello from DC!!!
Diagram: eth1 PoE in - DC adapter; 1: DC power, 2: data + power
2
Waiting for hackers
The Dude (if installed): port 2211
MAC telnet/winbox server enabled on all interfaces
(the default configuration allows MAC access only from the initial bridge)
1
Try to Guess …
admin / no password
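One added configuration (not from the presentation) for mistakes 2 and 1 together: MAC telnet/winbox and neighbor discovery limited to the LAN, unused services disabled, the Dude port firewalled, and the passwordless admin replaced. Assumed: RouterOS 6.41 or newer, the bridge is named bridge-lan as in the bridge issues slide, ether1 is the uplink, the LAN is 10.0.0.0/24, and the passwords are placeholders.

```routeros
# Interface lists (assumed names: bridge-lan for the LAN, ether1 for the uplink)
/interface list add name=LAN
/interface list add name=WAN
/interface list member add list=LAN interface=bridge-lan
/interface list member add list=WAN interface=ether1

# Mistake 2: MAC telnet / MAC winbox answering on every port, including the uplink.
# Restrict both to the LAN, as the default configuration does with the initial bridge.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no
/ip neighbor discovery-settings set discover-interface-list=LAN

# IP services: switch off what nobody uses, bind the rest to the LAN prefix
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=10.0.0.0/24
/ip service set ssh address=10.0.0.0/24

# The Dude server, if installed, listens on TCP 2211: keep it off the uplink
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=2211 action=drop comment="no Dude from WAN"

# Mistake 1: admin with no password. Set one now, then move to a non-default name.
/user set admin password="CHANGE-ME-placeholder"
/user add name=netadmin group=full password="CHANGE-ME-placeholder-2"
# After logging in as netadmin and confirming it works:
# /user disable admin

# Check: only the LAN appears in the allowed lists, and no enabled user is passwordless
/tool mac-server print
/ip service print
/user print
```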
That’s it!