TOP10 RouterOS configuration mistakes

Presenter: Andis Arins

- MikroTik Consultant at
- MikroTik / Microsoft certified trainer
- Member of the board in Latvian Internet Association
- Review expert for EU in future networking research

andis[at]router.lv
www.linkedin.com/in/andisarins

MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

Mistake #10: The same IP on multiple interfaces

Survival strategy:
- MAC telnet, or
- connection from a different network

Mistake #9: Lack of monitoring

Questions your monitoring should answer:
- What is the health of my router?
- Is it reachable from everywhere it should be?
- Isn't it overloaded?

RouterOS tools for monitoring:
- IP - SNMP: `/snmp> send-trap` for proactive action
- The Dude: you can monitor and manage your devices (new features since RouterOS 6.34)
- Tools - Netwatch
- Tools - Traffic monitor
- IP - Traffic Flow

Also HA solutions without monitoring may fail one day: VRRP for 99.9%+ availability still allows 0.365 days, or 8.76 hours, of downtime per year.

Mistake #8: DNS issues

[Diagram: many requests from spoofed IPs reaching the router, with a VICTIM on the other side]

[Diagram: 10.0.0.0/24 network behind the router]

Mistake #7: Firewall inefficiency

[Diagram: internet, 123.123.123.123, webserver]

Mistake #6: NAT issues

[Diagram: 10.0.0.0/24 behind the router with public address 123.123.123.123, sending to 159.148.147.196]
- before NAT: src-ip: 10.0.0.10, dst-ip: 159.148.147.196
- NAT masquerade
- after NAT: src-ip: 123.123.123.123, dst-ip: 159.148.147.196

[Diagram: 10.1.1.0/24, 10.0.0.0/24, 10.1.1.0/24, 123.123.123.0/24, labelled bad / ok / ok]

[Diagram: 192.168.0.0/24 and 10.0.0.0/24 connected over IPSec]

Mistake #5: Allowed IP Spoofing

[Diagram: a host in 10.0.0.0/24 sends a packet with src-ip: 13.13.13.13, dst-ip: 159.148.147.196 through the router at 123.123.123.123; 1. routing decision, 2. firewall decision]

Tools - Traffic Generator

Test your network:
https://spoofer.caida.org/
http://ieeexplore.ieee.org/

[Diagram: the same spoofed packet (src-ip: 13.13.13.13, dst-ip: 159.148.147.196) from 10.0.0.0/24, shown at the routing decision]

Mistake #4: Bridge issues

[Diagram: wan port; master port with slave ports; lan bridge]

bridge-lan: DHCP-Server on an individual port, not on the bridge itself

Mistake #3: PoE issues

MikroTik PoE standard: (4,5 pin +) (7,8 pin -)

Hello from DC !!!

[Diagram: DC adapter -> DC power (1); eth1 PoE in -> data, power (2)]

Mistake #2: Waiting for hackers

- Dude (if installed) port 2211
- MAC telnet/winbox server on all interfaces
- default configuration allows MAC access only from the initial bridge

Mistake #1: Try to Guess

admin / no password

That's it!