MikroTik routers are forwarding owners’ traffic to unknown attackers (360.com)
261 points by DyslexicAtheist on Sept 4, 2018 | 145 comments



It's worth pointing out that the default configuration of almost every Mikrotik router these days comes with a firewall that blocks inbound access to all ports. Admins have to go out of their way to expose winbox to the internet (as many did - including myself - under the belief the protocol was somewhat secure running over TLS).

Unfortunately NIH syndrome runs at an all time high at Mikrotik. Even the RouterOS webserver and SMB implementations were custom written, and both were later found to contain remotely exploitable bugs. I'm sure there are other holes lurking in their implementations of ipsec, openvpn, etc, so I no longer open up anything and rely on port forwarding to more secure and battle-tested services like OpenSSH / Wireguard for remote management.
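As an added illustration of the approach in this comment (not the commenter's own configuration), here is a RouterOS firewall in the spirit of the default ruleset it refers to: the router's own services, Winbox included, stay unreachable from the WAN, and the only inbound hole is a dst-nat of one public TCP port to an internal OpenSSH host. The interface names, the LAN subnet 192.168.88.0/24, the internal host 192.168.88.10 and the public port 2222 are assumptions, not values from the thread; the WAN and LAN interface lists are assumed to exist as the default configuration creates them.

```routeros
# Added example, not the commenter's config. Assumes the default-config
# interface lists WAN (ether1) and LAN (bridge) already exist, the LAN is
# 192.168.88.0/24, and 192.168.88.10 is an internal OpenSSH server.

# Management services: keep Winbox/SSH/web reachable from the LAN only and
# switch off what is not needed. Nothing here is published on the WAN.
/ip service
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24
set www address=192.168.88.0/24
disable telnet
disable ftp
disable api
disable api-ssl

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to the router's own connections"
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN \
    comment="management only from the LAN"
add chain=input action=drop in-interface-list=!LAN \
    comment="everything else to the router (incl. Winbox) is dropped"

# forward chain: traffic passing through the router
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="from WAN, only explicitly dst-natted ports"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
# The single deliberate hole: public tcp/2222 is forwarded to the internal
# OpenSSH host; the router's own services are still never exposed.
add chain=dstnat action=dst-nat protocol=tcp dst-port=2222 in-interface-list=WAN \
    to-addresses=192.168.88.10 to-ports=22 comment="remote management via OpenSSH"
```

Rule order matters: RouterOS evaluates each chain top to bottom, so the accept rules for established/related traffic and for the LAN must stay above the drop rules, and `/ip firewall filter print` is the place to confirm that order after applying. The `/ip service` restrictions are a second layer, so that even a later mistake in the filter rules would still leave Winbox answering only LAN source addresses.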


This explains a lot.

Mikrotik boxes are really quirky. They basically have user-facing bugs, symptoms of which can have no explanation except for them fronting some massive clusterfuck on the inside. They used to do bizarre things with timestamps of freshly copied files, when the modified time would oscillate around some convergence point. Some weird directory names (like .popup ?) were reserved for no apparent reason and an attempt to create them failed with "file not found". That sort of thing. And we didn't even own any of their devices, we were just in a splatter zone from our clients constantly walking into Mikrotik issues. It was a few years ago though, so perhaps things have improved since then.


I've been using MT gear for about 10 years now. I actually think the devices themselves are very solid once they're up and running. I've had some running for years without any issues (try that with most other SOHO router brands!), though reboots are much more frequent these days due to security updates. I do agree though that the software side of things can be a bit quirky and the recent security issues are a worrying glimpse into the quality of their code. In general I wish the platform was more open (you can't even get a shell without rooting the device), but it's something I can live with at this price point.

Unfortunately, given their affordability and feature set, Mikrotik routers are often administered by people who don't really have a solid grasp of networking. I've seen some downright awful advice posted on their user forums over the years, stuff that could easily cause connectivity issues under the right circumstances. Who knows how much of that gets copy/pasted into configs after a quick Google search.


>...so I no longer open up anything and rely on port forwarding to more secure and battle-tested services like OpenSSH / Wireguard for remote management.

Absolutely. I purchased an rb2011uiasrm when I got gig fiber at home. I enjoyed hardening the router and ran IPsec VPN for a bit but prefer using another box w/OpenVPN and HMAC auth. I just don't see, no matter the promise of security, a good reason for explicitly allowing remote access from the internet to a core device, MikroTik or otherwise.


Can anyone suggest a wireless router that someone can buy today that either ships with or can be flashed with OSS firmware? I've been trying to shop around for one compatible with DD-WRT or OpenWRT and been rather disheartened so far; every promising model I've found either requires you to play roulette with the specific hardware version of the router that you receive (which is never advertised on product pages), or is out of stock entirely, or costs upwards of $250 (which is tough to sell to my friends, when their ISP charges $10/mo to rent a router with much less hassle).


Ubiquiti EdgeOS based edgerouters are what I prefer as a greybeard sysadmin type who has dealt with everything under the sun. It's VyOS (Vyatta) based, they are now complying with the GPL afaik, and their hardware is really good for the price/performance ratio. The edgerouter-x or lite can be found for ~$99 and is a great piece of gear.

Another option would be your own hardware with pfsense (BSD) or ipfire (Linux).

Even further would be your own hardware with linux and write your own nftables or bpf.


The ERL family is pretty bad as a router, in my experience. There is a longstanding firmware issue that introduces packet loss for routed packets (it doesn't multiplex across the dual cores correctly, which leads to out of order packets). If you really want to use Ubiquiti, I would suggest using an ER-X which is cheaper, doesn't have this problem, and is quadcore.

The best option in my opinion is something Intel based running a well known Linux distro with automated security updates that is fully in your control. Shorewall can do everything needed for a home router. This option is a lot more expensive though.


Interesting that the more expensive router has this problem. I've been really happy with my ER-X, it works great with my internet service (500 Mbps up/500 Mbps down). I had some speed issues at first but this was solved by upgrading to the latest firmware and making sure hardware offloading was enabled.


I was a bit annoyed that hardware routing is not automatically enabled for setups that can use it. It is not hard, but you have to stumble upon the fact that that setting exists (only on the command line).


My recollection is that it's not enabled by default because there were (are?) some features that don't work once you enable it. I assume it's the Deep Packet Inspection and advanced routing type stuff.

(Sadly my home internet connection is too slow to make hardware offloading on the edge router matter...)


I think this is batch based. Ubiquiti has had prod line issues intermittently, especially in the earlier batches. I would suggest trying to contact them for a replacement if you are getting packet loss.


> There is a longstanding firmware issue that introduces packet loss for routed packets

Interesting, do you have any more about this?

Got an ER-PoE that intermittently loses packets and have never got to the bottom of why (I gave up and bought a non-Ubnt router, just haven’t got around to configuring it yet).


https://community.ubnt.com/t5/EdgeRouter/UDP-packet-loss-on-...

I was one of the people involved in some of the measurements on there.

I avoid ubnt networking gear in general after that experience (although ER-X seems good and I use one at home as a smart switch). Their specialty is in APs, which work really great.


The last update of the first post says that this was fixed in v1.10.0, and the release notes concur: https://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-E...


I knew I should have checked the release notes before commenting. No idea if it works but that would be a great improvement.


Open to the idea I’ve got a different issue, but I’m still seeing an issue with 1.10.5.


Thanks, and agreed. It was my first Ubnt gear, and I suspect it will be my last. It was so much cheaper than some of the alternatives though (that should probably have been a red flag…) but firmware that’s at best in continuous beta really isn’t good enough.


I am a big fan of PFSense. Not a huge fan of Netgate as a company and the direction they are taking the product.

In any case, you can load it onto some fairly low cost hardware for your typical home user. It's fantastic.

I am not a huge fan of the Ubiquiti routers. They required loading a config onto them just to get DHCP enabled and NAT set up for a typical 1 WAN and 1 LAN environment. Why on earth they would ship without that config on them when 99.9999% of environments are like that is bewildering to me.

Don't know if it's changed since then but I haven't gone back to mess with them since.


I couldn't recommend PFSense more. Setting up my home firewall years ago using it on a pcengines.ch board was really easy and fun. I used a (now long discontinued) WRAP board back in the day, then when broadband became faster I had to remove it because the slow processor would bottleneck my connection, but I'm looking forward to getting faster hardware to have it working again. One day, well over 10 years ago, while I was moving from the old ISP to a new one, they screwed up something and I spent some weeks cut off from the Internet. The WRAP board had a mini-PCI connector I already had fitted with a powerful WiFi card, so I connected a high gain directional antenna in place of the low gain one and started monitoring the channels. Back in the day there still were weak WEP encrypted connections, but I was even more lucky because a local ISP which delivered their routers with no default encryption had no less than 3 customers in my neighborhood, one of which, probably an office with no traffic at least since the evening, allowed me to surf a lot faster than my previous connection. PFSense was a godsend because all I had to do was set the rules so that the WLAN interface became a slave seen as the WAN, so I got my whole cabled home network back online in a matter of minutes.

As a Linux guy I have to admit the PFSense and similar products' (NAS4Free etc.) interface is the best I have ever seen around wrt functionality and ease of use; sadly the OpenWRT web interface simply doesn't stand a chance, and I'm not referring to aesthetics, as I'm aware OpenWRT is aimed at hardware with orders of magnitude less resources, but pure functionality. In fact I have never been able to configure a small tp-link mr3020 router to use it as a WiFi bridge for my networked but not wireless printer. Yes it can be done and there is a HOWTO on that task, but it doesn't work and low level iptables scripts aren't exactly my strong point. It would be trivial doing that with PFSense, but sadly it cannot fit into that device. /Rant


They come with a wizard for setting up basics like that now.


Sorry for the spam, I seem to post this regularly but the Ubiquiti EdgeRouter Lite will happily run OpenBSD. It supports the onboard packet accelerator with some extra configuration.


I didn't know that, wow. I found some resources on this [1] [2] [3] but it seems like everything is working? Have you tried WireGuard on OpenBSD/octeon?

[1] https://www.openbsd.org/octeon.html

[2] https://news.ycombinator.com/item?id=10079210

[3] https://an.undulating.space/post/180411-erl-openbsd-upgrade/


Not yet... I bought a brand new one just for testing with OpenBSD vs Vyatta because I'd like to benchmark performance of each.


Are you planning to post your benchmarks? Also, any helpful info on getting OpenBSD running on one of these is welcome!


Yes I will post benchmarks and rulesets. I plan to make equal rulesets for each OS if possible.


Do you have any documentation on using the onboard packet accelerator with OpenBSD? I thought it was just binary linux blobs.


Just saw this, so sorry for the late reply: https://undeadly.org/cgi?action=article;sid=20180418073437

Unfortunately I was wrong and the post is just for cryptography acceleration. Will have to check the commits to see if any other work has been done.


Ahh, that’s unfortunate. Thanks for looking it up anyway.


I wonder if the EdgeRouter Lite is similar enough to the Unifi Security Gateway to port that...


Yes. http://www.codeghar.com/blog/openbsd-on-ubiquiti-usg.html

They're basically the same hardware.


I like the software but for some reason my SFP port intermittently went out for exactly 2 minutes. I tested it with a couple of different SFP modules to be sure that wasn't the problem and contacted Ubiquiti support, assuming I could get an RMA.

For whatever braindead reason, they told me that they wouldn't give me an RMA because they don't "support" 3rd party SFP modules. They wouldn't loan me one to fix the problem, they wouldn't agree to reimburse me if it didn't fix the problem, nothing. Buy their module or deal with broken equipment.

I bought one of their SFP modules and to nobody's surprise the problem persisted. At the same time I bought a Mikrotik hAP and again to nobody's surprise, all the SFP modules that "failed" worked with zero problems.

At that point Ubiquiti finally granted me an RMA but at that point I went and got a refund instead.

After that support experience, I'll never buy Ubiquiti or recommend it again.

I'd much rather recommend PC-Engines: https://www.pcengines.ch/. They're x86 based so you can run whatever on them, cheap and have really good performance.


For something with hardware offload, get a Ubiquiti EdgeRouter. I run one at home, it's debian based, I have lots of tools I've written in Go compiled and running on it for various purposes and you can install debian packages for things you need.

The other option I've heard good things about are the PCEngines devices. They don't, as far as I'm aware, have hardware offload, so make sure their performance suits, but they use OSS U-Boot and you install the OS of your choice. It's one of the most open devices in a router form factor I've come across.

Depending on the number of ports you need, you could also use one of the Jetway devices. They make them with varying numbers of ports as SBCs in a case and you add RAM/M.2 SSD. I got a Celeron one with 2 ports and run it as a Suricata IPS. It performed just fine with my 100M pipe.


I am curious what type of things you're running on your router. I have an ER-X, but haven't ever thought to run software on it (aside from some of the obvious packages like VPN and such).


I have an EAP Proxy Python script running. It allows me to easily and permanently bypass my AT&T fiber modem. Speed and service quality went way up when I did that.


I have AT&T fiber and hate the hardware I have. Could you link to your script please? I'm toying w/ the idea of buying my own hardware.


Which VPN do you run on it? Wireguard? How's the performance, I ask as I too have an ER-X.


I have ipsec on my er-x, it's built in. They have a bug in the ipsec offloading in the last few firmware releases so that can't be enabled.

So speeds are kind of slow, around 50-90 megabits (I have gigabit fiber, which the er-x can otherwise fill out completely).


Not OP, but, I use the built in IPSec vpn. I have been looking into WireGuard though.


I know this doesn't help friends and non-technical folks, but I finally gave up and bought an APU[0], installed Debian, and configured dnsmasq+hostapd+iptables. With unattended updates, it was the most secure thing I could think of. Well, I suppose using openbsd would have been potentially more secure, but there were driver issues with the wireless card that I wanted.

[0] https://pcengines.ch/apu2.htm


I really, really love these machines. I'm using one with OPNsense myself. They're just fast enough to get gigabit throughput, but no faster (or more power hungry). Personally I like to separate switching from the firewall and so I've got everything attached to an unmanaged switch or a Unifi AP.

My one complaint about this approach is that there are so many interactions happening at the software level that any time I set up a network stack, I always feel as though the whole thing is very fragile and only works because everything is precisely configured. Since I like to tinker, I want a system that feels more reliable, and so I go for the router-in-a-box approach of pfsense or opnsense. I wish it was easy to get a network configuration that "just works".


I second that. I don't use wireless and know OpenBSD well, so I went the OpenBSD route, but I am sure linux can be made to be very secure if configured properly.

It can sustain 500 Mbit/s with no issue. As this is my internet connection speed, I don't know if it can go any higher.


I'm running pfSense on an APU2. Works great. A good option if you don't want the effort of configuring things manually - pfSense has a nice web UI.


I highly recommend this sort of roll-your-own, with Debian or OpenBSD depending on your skill set.


The Netgear Nighthawk series is almost always available on Amazon and is generally well supported by dd-wrt.

Specifically, the best deals can be had on the oldest model, the R6700v3, from an Amazon warehouse deal for $70. This is what I use, and it works without issue with dd-wrt. You'll need to flash it 3 times.

The best device is probably the R7800 model. It uses a very fast, non-Broadcom (OpenWRT-supported), modern chip. The only way this matters in practice is if (1) you have a gigabit Internet connection and (2) you need QoS turned on for scoring an A+ in "bufferbloat" on speedtest.net, i.e., you play games.

If you don't use QoS, you will be able to serve 1 gigabit with dd-wrt's "Shortcut Forwarding Engine," which is an accelerated "in-Linux-kernel IP packet forwarding engine." If you don't have a gigabit connection, the typical Linux routing stuff that dd-wrt uses is fine.

With regards to model roulette, you can always buy the specific model off eBay. These routers are so common I see listings for them on Craigslist in the Bay Area right now.

I would argue the two main reasons to do this are for improved security/stability and QoS. If you're not interested in these features, buy something that Wirecutter recommends in your price range. But compared to $70, I believe a truly decent router can be had for $50 (the Archer series others have mentioned) that is also truly ancient.

The Apple Airport devices run ARM NetBSD and you can SSH into them. The last generation ran NetBSD 7 and executed binaries from NetBSD userspace when compiled statically.

OpenWRT does not ship closed-source Broadcom drivers, so it tends to have worse support across the board. I don't think their OSS-related reasons for doing so are material to you.


+1 to OpenWRT 18.x / Netgear R7800.

It's one of the only WiFi routers I've ever worked with that has a fallback flash mode in the bootloader, and the only one that I know you can buy today. This is invaluable when you're not sure if something you're doing could make it fail to boot, like installing an upgrade without knowing whether it uses the same partition layout as you had. When it does you can just try again. (I've needed this once already.)


You can't SSH into Apple AirPort routers, unless I missed something big?


Quick word of caution on the r6700 series: Be careful to avoid the r6700v2 if interested in third-party firmwares. v2 is incompatible for chip-related reasons I don't fully understand, or was as of just a couple months ago. Easy to miss the v2 part when shopping on Amazon, which is how I ended up with my current doorstop.


I just last weekend retired a pair of Asus RT-AC66U routers/access points. They ran stable for years on Tomato (version tomato-RT-AC66U_AT-RT-AC6x-3.4-140-AIO-64K.trx) and I think all the hardware revisions work, but confirm that yourself.

I retired them mostly because the Ubiquiti management is much easier and that hardware also affordable (though the software is not open, so not a fit for your use case).


I too did almost exactly this (albeit a few years ago) and moved to a Ubiquiti UniFi setup for my own place as well as a few small business sites I manage. The single biggest reason was that I became so sick of dealing with updates for "consumer" hardware, if there ever even were any. I didn't find open source to help much on that front either, the whole 30-30-30 song and dance or whatever it was and digging various supported versions up and dealing with the crummy UI and device-by-device work was a PITA and the hardware wasn't even generally cheaper.

It's absolutely not all roses on the UBNT side of things. They are exhibiting some of the classic signs of expanding too fast and stretching themselves a bit too thin. In particular their hardware lineup is starting to get overly broad and they aren't being aggressive about retiring older products and keeping the matrix simple, which of course in turn represents an increasing maintenance burden. And some of their hardware which was disruptively priced and fantastic value at launch is now getting very old in the tooth. The UniFi controller UI can be shallow for more than simple usage of things like DNS/DHCP/RADIUS, granted a lot of HN types may have their own separate appliances/servers for that. Their USG has always been a bit of an orphan and only recently has really started getting the serious attention it needs. They've got some features on high end hardware that while niche still haven't been fleshed out. Their EdgeRouter hardware is keeping up better though.

That said, the update process has continued to be pleasant and solid, and their support even for old devices has been excellent. There are no required ties to any external services. The hardware itself has been very reliable, and even the RMA process for when something burned out on us was decent (2 minute wait to online chat on a Sunday morning and immediate RMA approval). They've been quite good on security updates for a number of the major issues that have come up over the last year, and have had no major snafus (that MikroTik one storing passwords as plain text was painful/disturbing to see). While enterprises will have more advanced needs, for SoHo situations, even if they're not open source, I think UBNT is worth consideration, particularly for those wearing plenty of hats already who are ready to cut down on cognitive load a bit.


> UBNT is worth consideration, particularly for those wearing plenty of hats already who are ready to cut down on cognitive load a bit.

I've been running UniFi APs for years, but recently switched from my pfSense appliances to USG routers. I lost a lot of flexibility (especially for things like VPN configuration), but the simplicity and seamless management have been a huge time-saver.

I am puzzled by some of their new offerings—do they really expect any serious commercial customers to install lighting powered by PoE? Perhaps they're onto something innovative, but it seems like a distraction from their core business.


>I've been running UniFi APs for years, but recently switched from my pfSense appliances to USG routers. I lost a lot of flexibility (especially for things like VPN configuration), but the simplicity and seamless management have been a huge time-saver.

Yes, although I want to emphasize again that while they made a new hire specifically for the USG and it's seen dramatic improvements in the last year [1], it was still a kind of orphan child for a while and I still need to drop down to the shell sometimes for initial setup. Rock solid after that, and simple and good integration with the overall site sure, but it hasn't always been clear for someone starting from scratch how to get it up the first time in common SoHo situations. Also for those with gigabit links who want to run Suricata IDS/IPS (which requires turning off hardware offload), Ubiquiti just doesn't offer anything even remotely SoHo priced with the muscle for that right now. The low end USG "3P" (~$110) maxes out around 150 Mbps with IPS after the most recent update (an improvement from 85 Mbps before that) while the Pro (~$300) maxes out around 430-450. Only the XG can handle a gigabit or higher but that's $2500 and built with 8x 10G links; it's ludicrous overkill for those who don't want its other features and routing. Granted gigabit fiber links are far from the norm but they're gradually increasing and the HN crowd may be more likely to go for them than many, and the hardware in the USG 3P and USG Pro is just old now.

>I am puzzled by some of their new offerings—do they really expect any serious commercial customers to install lighting powered by PoE? Perhaps they're onto something innovative, but it seems like a distraction from their core business.

I definitely agree about distractions, though at the same time we should recognize that of course different divisions and people can be doing different things at the same time, development and engineering talent isn't necessarily fungible there. Still, they aren't a megacorp, overall resources and management bandwidth isn't unlimited either.

On the other hand at one point Ubiquiti had a real effort in the IoT space called MFi, but due to a lot of internal technical debt issues there (IIRC there) it essentially got canned, and they planned to eventually resurrect it on top of their more advanced foundations but haven't had the bandwidth. Maybe the lighting and their efforts to improve their security offerings are some first baby steps towards getting back into that? In fairness IoT has some of the same properties in terms of suckage that have made their networking efforts successful, and could also be a major market. Updates are often a pain or non-existent, the security story is awful, and much of it insists on using 3rd party cloud dependencies. There could be a real valuable hole there for Ubiquiti to fill were they to execute well enough, though I'd feel better about it if their core felt more tightly managed and foundations a bit steadier. We'll see I guess, and at least lighting should have been a pretty low R&D way to experiment with it?

---

1: And for better or worse, the very fact of a piece of cheaper networking gear seeing years of support and improvements is depressingly unusual in the industry.


I've been running a RT-AC68U for a while. Rock solid stable on Asuswrt-Merlin[1] (204 days uptime last I checked, and the last reboot was due to a power cut, and easily get 50MB/s to my file server over wireless). The Asuswrt interface is a little clunky, but once it's set up it works fine. I've recently changed to Tomato (needed VLAN tagging for wireless), which seems just as solid (55-60MB/s to file server), but I haven't tested WAN/NAT performance (moved to a pfSense box).

[1] DD-WRT struggled with 100Mbps to WAN - hardware NAT


Same experience here. RT-AC68U flashed with AsusWRT Merlin works great, and I'm using a lot of things: VPN, DNS filters, DNS per MAC address, etc.


Same case for me. I had an AC88U. I got tired of it because the 5GHz 802.11ac radio seemed like it'd be forever broken in OSS firmwares. I felt asuswrt was pretty crappy too. I went ubiquiti. Their management is nice, and they actually seem interested in fixing bugs in their firmware.


On the AC66U, 5GHz radio seemed to work well and I got consistent 105-ish Mbps in the same room as the AP.

(I'm not disputing your experience, but don't want other readers to conclude that 5GHz doesn't work on any of them.)


Is that the expected rate on an AC66U? I'm getting close to 300 Mbps real-world speeds in a very noisy environment on my Unifi lite.


Sorry. I certainly should have been clearer, especially with this crowd. That test was rate-limited by my cable modem. I was on a 100-down package at the time. I did not do an intra-house speed test.


I could be wrong or things may have changed. I think the core issue was the 88u used a different broadcom wireless chipset which has very poor Linux support.


Maybe something like the PC Engines apu2? http://www.pcengines.ch/apu2.htm

x86, can run OpenWRT.


I have an APU2 and it's really the perfect router for any small office or house. Intel NICs, plenty of ram and an mSATA port make it quite capable. I have pfSense on it at the moment, which works very well.

At one point I had an 802.11n card in my older ALIX2D router, but there were stability and performance issues so now I always use a separate access point, most recently a Unifi AC-PRO which has some quirks but works well in general.

I've been happy enough with the x86 routing strategy that when it came time to replace my older Cisco 100 Mbps switch, I decided to do that with x86 hardware as well. All of the smaller/cheaper gigabit switches either didn't support VLANs, made way too much heat, or had reliability issues, and the ones that were suitable were quite expensive and had reliability issues of their own.

So, I found a Supermicro Atom C2000 board (A1SRM-LN7F[1]) on sale for $90, which has 7 Intel NIC gigabit ports built-in and supports ECC ram. I put it in a Supermicro 1U[2] enclosure along with an Intel PCIe 4x gigabit NIC, for a total of 11 gigabit ports on the switch. I installed Debian on it and set up open-vswitch, which worked but was soon replaced by "vlan-aware" Linux bridging.

It's easily capable of switching gigabit traffic between multiple machines at the same time, ping shows an average latency of 0.310ms, has very low power usage and makes very little heat.

Note that those C2000 Atoms do have a "sudden death" hardware flaw, but Supermicro should have fixed it on more recent inventory, and they will send a "patched" board to replace any that are affected before they fail. The Atom C3000 doesn't have that issue, but I don't think Supermicro (or anyone, really) make any C3000 boards with that many built-in gigabit ports.

[1] http://www.supermicro.com/products/motherboard/Atom/X10/A1SR...

[2] http://www.supermicro.com/products/chassis/1U/510/SC510T-203...


I'm currently using an apu4b4 running OpenBSD as a router; it's been a good way to (as a Linux guy) dip my feet into the BSD ecosystem.

Later today (if all goes well) I'll be adding wifi to it!


There are a lot of them, but depending on which features you need and where you live, it might be difficult to get one.

Take a look e.g. at OpenWrt's list of devices "Ideal for OpenWrt": https://openwrt.org/toh/views/toh_available_864

Consider TP-Link Archer C7, for instance. It is an older one, but has reasonably fast hardware, supports IEEE 802.11ac and is available on Amazon. New costs ~75 USD, a "certified refurbished" version costs ~50 USD.


Sadly, the Archer C7 cannot exceed 60Mbit/s without hardware offload when running OpenWRT. I had to replace mine with a Ubiquiti wireless access point and a dedicated pfSense box.


Source? Are you talking about wireless speed or wired speed? I am asking because I have never experienced such a huge limitation caused by the CPU bottleneck.

I have performed some simple tests using `iperf` tool on Archer C7 with OpenWrt and it was able to sustain wired network speeds of around 750 Mb/s and wireless speeds (IEEE 802.11ac) of around 300 Mb/s (maybe even more, but I do not remember exactly).


Were you using stock firmware or OpenWrt?


There are newer firmwares that allow me to get WAN to LAN ~500 Mbit over 5 GHz, and WAN to LAN 950 Mbit over Ethernet.


How about a $15.88, small but surprisingly capable, NEXX WT3020? [0]

[0] https://www.aliexpress.com/item/Wifi-Router-NEXX-WT3020H-300...

[1] https://wiki.openwrt.org/toh/nexx/wt3020


You can take a look here https://forum.openwrt.org/c/hardware-questions-and-recommend...

There are many brands and models that are compatible with OpenWRT. I have good experience with tp-link wr1043nd, wdr3600 but they are a bit old by now. I just ordered ZyXEL NBG6617 to test out.


Until very recently I would just go to Microcenter and purchase a cheap refurbished small form factor PC plus two Intel NICs and run OpenBSD. For less than $200 you have a fully functional router albeit at a higher power cost than a true appliance.

If you really need a small / low power usage appliance then some Ubiquiti devices run OpenBSD as I mentioned in another reply below.

Anecdotally OpenBSD also supports wireguard if that's a concern.

https://www.openbsd.org/octeon.html

https://marc.info/?l=openbsd-ports&m=152712417729497&w=2


You can build your own router with inexpensive hardware and run pfsense on it. You can find many guides for that online.

Otherwise, get an edgerouter.


So far, I've had very good luck with the ASUS AC1300 (asus_rt-ac58u) and OpenWRT. I still need to add to the openwrt wiki but it was pretty easy. (Luck == I've bought two so far, plan to buy more)


(1) Ask the manufacturer

(2) If you get the wrong router, just return it and get another.

(3) Buy a router at a brick and mortar store so you know what you're getting.


I have one of the Linksys WRT-AC series (WRT-1900ACS but they are all pretty similar I think) - they're very well supported by OpenWRT (stock firmware is a derivative of OpenWRT in fact at least on some of them). Hardware specs are good, including reasonably fast CPUs (good enough to saturate a VPN at 100Mbit at least which is the uplink I have here). The open source wireless chipset support is towards the better end too - not perfect but a lot better than some others.

If you're flashing your own images of OpenWRT, there are a few conveniences which are a bit more uncommon in the hardware which are useful if you ever need to debrick - eg easily openable case, UART header comes pre-installed (you don't need to solder your own), etc.


Interestingly enough, MikroTik routers are mostly well supported by OpenWrt it seems. At least that's what my search for something that is beefier than regular OTS Routers has yielded. Flashing OpenWrt is a little cumbersome though.

TP-Link, the former manufacturer of my choice, unfortunately has become a version roulette it seems.

If power consumption does not bother you, maybe banana pi? Or something atom based?


I've had good luck running OpenWRT on this TP-Link model: https://www.tp-link.com/us/products/details/cat-9_Archer-C26.... I believe there's only one hardware version so no gamble there.


Same here. Just picked one up a few weeks back and used the stock web-gui to upload the newest OpenWRT. Worked without a hitch.


I'm running openwrt on an R7800 and so far had no issues. But that's just the router, you'll still need a modem.


Here's a list of recommended ones from OpenWRT https://openwrt.org/toh/recommended_routers.

I would assume that they are easy to flash and highly compatible.


I personally love pfSense and there’s tons of hardware for $100-250 that supports it.


Here in Germany there is the Fritz brand.

If I am not mistaken FRITZ!OS is a Linux distribution.


correct. But I don't know how much customization is possible after AVM disabled telnet (on the newer boxes).


Anything that you can install OpenWRT on :)


I like Mikrotik hap ac(at work) or hap ac lite (at home). they simply work. always.


Although RouterOS is based on OSS (Linux kernel), parent wanted to flash the unit with software they built themselves from source. This afaik isn't possible with Mikrotik hardware.

Edit: actually, it is possible at least for some MT hardware : https://wiki.openwrt.org/toh/mikrotik/common


I just pay the $10/month. The complete lack of hassle makes it worth it to me. Of all the things in the world I want to do, futzing with some OSS firmware is pretty close to the bottom of the list.

What’s your reason for suggesting friends buy a modem/router beyond the cost?


My MikroTik started going nuts late last week; it managed to upload ~90Gb worth of data in 3 days (downloads weren't nearly as bad). Considering I only have a 300Gb cap, that hurt. I subsequently re-flashed it, and secured it properly this time, which solved the issue.

Using the hardware reset button doesn't fix things, so heads up for others in that situation. Use MikroTik's NetInstall to re-install RouterOS instead.


Curious is this the VPNFilter malware or some new router virus?

Lately I’ve been having IP & Internet issues like....

- match suddenly banned me as a subscriber to okcupid and match. They won’t tell me why either & I've been a subscriber on/off for years. Never or ever would I do anything inappropriate though my match.com account I feel was hacked. Yet they don’t want to listen :-(

- my 6 month old roku device suddenly would no longer find my router.

- yesterday just bought a new Roku & was unable to activate it after many attempts.

Anyone else having weird Internet/IP device issues too?


>MikroTik is a Lithuanian company founded in 1996 to develop routers and wireless ISP systems.

Mikrotik is Latvian, not Lithuanian.


My home router has the following

  /ip firewall filter
  add action=accept chain=input connection-state=established
  add action=accept chain=input connection-state=related
  add action=accept chain=input dst-port=5000 protocol=udp
  add action=accept chain=input dst-port=6000 protocol=udp
  add action=accept chain=input dst-port=6001 protocol=udp
  add action=accept chain=input protocol=icmp
  add action=accept chain=input dst-port=22 protocol=tcp src-address-list=Mgmt
  add action=accept chain=input dst-port=179 in-interface-list=LAN protocol=tcp
  add action=drop chain=input in-interface=btopenreach
  add action=drop chain=input
Clearly it's possible that an attacker could come in from the back door (desktop, XSS etc), I could lock down the BGP more, and tighten up Mgmt beyond its current fairly wide subnets (a /16 owned by work and my wired range), but it becomes a hassle, which leads to more disabling of the "action=drop" while debugging. My backup script emails me when the configuration changes.

To check if your proxy is enabled (probably shouldn't be)

  /ip proxy print 
  enabled: no
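As an added example (my own script, not the poster's), the following audits a RouterOS text export of the kind pasted above for the same points the poster and the article raise: an input chain that does not end in an unconditional drop, management ports accepted without a source or interface restriction, an enabled HTTP proxy, and an enabled winbox service. The two exports it runs against are constructed for this example (the hardened one reuses the posted rule set with proxy and winbox switched off); the management-port list is the RouterOS defaults, and the "scoped" heuristic is an assumption of mine, so port ranges and rules scoped to a WAN interface still need a manual look.

```python
"""Audit a RouterOS export for the exposures discussed above (added example).

Parses '/ip firewall filter', '/ip proxy' and '/ip service' lines as RouterOS
exports them and returns a list of findings. Sample exports are constructed.
"""

# Default RouterOS management ports: ssh, telnet, www, www-ssl, winbox, api, api-ssl.
MGMT_PORTS = {"22", "23", "80", "443", "8291", "8728", "8729"}

# Keys that narrow an accept rule. Heuristic (assumption): interface keys count
# as a restriction here, so "in-interface=<wan>" would still pass and needs review.
SCOPE_KEYS = ("src-address", "src-address-list", "in-interface", "in-interface-list")

# Constructed: winbox and the web UI open to the world, proxy on,
# and a final drop that only covers one interface.
EXPOSED_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=Mgmt
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=80 protocol=tcp
add action=drop chain=input in-interface=wan1
/ip proxy
set enabled=yes port=8080
/ip service
set winbox disabled=no
"""

# Constructed: the rule set posted above, plus proxy and winbox switched off.
HARDENED_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=Mgmt
add action=accept chain=input dst-port=179 in-interface-list=LAN protocol=tcp
add action=drop chain=input in-interface=wan1
add action=drop chain=input
/ip proxy
set enabled=no
/ip service
set winbox disabled=yes
"""


def parse_line(line):
    """'add action=accept chain=input dst-port=22 protocol=tcp' -> dict.

    The verb lands under '_verb'; bare words (the service name in
    'set winbox disabled=yes') under '_args'. Quoted values are not handled.
    """
    parts = line.split()
    item = {"_verb": parts[0], "_args": []}
    for token in parts[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            item[key] = value
        else:
            item["_args"].append(token)
    return item


def parse_export(text):
    """Group add/set lines under the '/path' heading they belong to."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(parse_line(line))
    return sections


def audit(export_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_export(export_text)
    findings = []
    input_rules = [r for r in cfg.get("/ip firewall filter", []) if r.get("chain") == "input"]

    # 1. The input chain must end with an unconditional drop (no extra match keys).
    last = input_rules[-1] if input_rules else None
    if last is None or last.get("action") != "drop" or set(last) - {"_verb", "_args", "action", "chain"}:
        findings.append("input chain does not end with an unconditional drop")

    # 2. Accepts to management ports must be scoped. Port ranges are not expanded.
    for rule in input_rules:
        if rule.get("action") != "accept" or rule.get("protocol") != "tcp":
            continue
        ports = set(rule.get("dst-port", "").split(",")) & MGMT_PORTS
        if ports and not any(k in rule for k in SCOPE_KEYS):
            findings.append("management port(s) %s accepted from anywhere" % ",".join(sorted(ports)))

    # 3. The HTTP proxy should be off unless it is deliberately in use.
    for item in cfg.get("/ip proxy", []):
        if item.get("enabled") == "yes":
            findings.append("HTTP proxy is enabled")

    # 4. winbox should be disabled, or at least limited with address=.
    for item in cfg.get("/ip service", []):
        if item["_args"][:1] == ["winbox"] and item.get("disabled") == "no" and "address" not in item:
            findings.append("winbox service is enabled without an address restriction")
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(name, audit(text) or ["ok"])
```

Feed it the output of `/export` from a real box; the exposed sample yields five findings and the hardened sample none.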


You could limit only certain ICMP types as well, and change your SSH port. And you can ask yourself: Do I really need access to my firewall from work?


What OS or software is that? Is that a Mikrotik router with default firmware that accepts such rules as you posted?


Yes, vanilla mikrotik (on the latest firmware -- interface-list is pretty new)

The concept isn't hard -- block non-established incoming traffic from everywhere except where you want management to happen from. I have a few extra rules.

Generally if you leave yourself wide open don't expect to be immune from zero-days.


Didn't know there were consumer routers that support command lines! I mean, fritzbox used to have a telnet interface that you could enable by dialing a dect number, but it wasn't meant to be used for anything or supported in any way (and later they removed it).


Also change the winbox port if you need it to be enabled.


That's a way not to be the low-hanging fruit, but if someone wants this port they're going to find it.


Of course. But the attack mentioned above looks to have simply targeted the default port. Ideally : use a non-default port, and source-IP-based firewalling, and keep firmware up to date.


> After enabling the Mikrotik RouterOS HTTP proxy, the attacker uses a trick in the configuration by redirecting all the HTTP proxy requests to a local HTTP 403 error page, and in this error page a link for web mining code from coinhive.com is inserted. By doing this, the attacker hopes to perform web mining for all the proxy traffic on the users’ devices

> What is disappointing for the attacker though, the mining code does not work in this way, because all the external web resources, including those from coinhive.com necessary for web mining, are blocked by the proxy ACLs set by attackers themselves.

Smart enough to breach Mikrotik routers. Dumb enough to fuck up linking in coinhive JS. That screams "script kiddie buying delivery method on an open market".

Also, how is coinhive still a thing?


> Also, how is coinhive still a thing?

It's too bad coinhive is so easy to abuse. I'd much rather live in a world where websites are financed with my electric bill rather than my data.


Any system that enables payments uncoupled from identity - or customer service - over the internet is going to be prone to abuse. Bad money pushes out good money, and paying with someone else's electric bill is always cheaper than paying with yours.

Which is to say that pretty much any form of cryptocurrency is likely to stay abuse-prone.

Practically speaking, the amount of electric bill you'd have to pay to make up the costs of what your currently pay for with data would almost certainly be shocking. I can't imagine that it costs anything like $5 to mine $5 worth of Monero on your average computer in the first world. And that would be just enough to pay for Gmail, never mind everything else!


On an average computer it would take weeks or months to mine $5 worth of Monero but it is doable.


I don't mean to suggest in any way, shape, form, or manner that it cannot be done! Only that it cannot be done in a way that is anything resembling cost-effective.

The sheer, staggering inefficiency involved might help incentivize usage away from a proxy for micropayments and towards malware.


It's not just your electric bill; that power is being generated somehow. Until that process is clean and green and completely accounts for externalities I prefer whatever wastes less electricity.

I'd personally much rather live in a world where websites are financed up-front or not at all. It would disincentivize the low-effort creation of pointless or misleading material simply to direct time and attention to ads and miners.


I'd prefer to stick to data exchanges that don't double my draw on electrical generation. Even just buying 2x as many solar panels to mine still has more impact than traditional currency.


> I'd much rather live in a world where websites are financed with my electric bill rather than my data.

In general, I wouldn't mind that much if I had to pay some extra "Internet subscription" to cover publisher costs, if reasonable. I don't think electricity bill is the right place to include it in. And I definitely do not want this charge to be included by the means of cryptocurrencies - they're wasteful at their very core (as opposed to every other financial instrument in existence), and I don't want to support such ideas. Not to mention that, like 'Kalium observes, it would take extreme amounts of power use to "send" a publisher some reasonable amount of money.


I dunno about you, but wasting vast amounts of energy in some incredibly inefficient* techno-currency Ponzi scheme is just stupid and I'd rather we figure out something better than these two alternatives.

* ASICs are roughly 100x more power-efficient at essentially any crypto mining algorithm


> ASICs are roughly 100x more power-efficient at essentially any crypto mining algorithm

That's half of the problem.

The other half is that cryptocurrencies rely, in a structural way, on their generation to be difficult, so when enough ASICs get deployed, the currency ups its "difficulty factor", multiplying the amount of power you have to burn for the same reward.

Really, if I were a supervillain who wanted to accelerate energy crisis and climate change by exploiting human greed, cryptocurrencies is the scheme I would come up with.


If I were a socialist who was politically opposed to the huge benefits of cryptocurrency gaining major adoption I would boil it down to "exploiting human greed" and pretend it's operating under the assumption that the energy expenditures are a "waste" and therefore detrimental to climate change.

If you can't understand the compound harm to the environment (for starters) of nation states existing and controlling currency, I feel bad for you. If you do understand it, you should know you're rightly fearful of this technology, because it's going to play a major factor in your future demise.


> If you can't understand the compound harm to the environment (for starters) of nation states existing and controlling currency, I feel bad for you.

Show, don't tell. If you can't explain it adequately to an audience, then you don't know it well enough to be stating it as fact.


> Show, don't tell.

Sure. Should we start with the estimated 262 million counts of democide committed last century?

http://www.hawaii.edu/powerkills/20TH.HTM

Or perhaps you're one of those people who thinks mass murder of humanity is a good thing because it reduces the human impact on the environment?

> If you can't explain it adequately to an audience, then you don't know it well enough to be stating it as fact.

Absolutely untrue. That requires you to assume the audience is both intellectually capable of understanding a complex proposition, and that it hasn't been sufficiently biased against or indoctrinated against an opposing view. While I'm sure there is some correlation between familiarity with a given subject and one's ability to explain it, you would be making a gigantic leap in assuming this automatically means a given audience is going to adequately understand the argument.

That is also completely aside from the assumption that my comments were intended to make a compelling case on the matter outside of the person I was responding to. I'm not really convinced that wouldn't be a waste of time, but maybe I'll be surprised.


> Absolutely untrue. That requires you to assume the audience is both intellectually capable of understanding a complex proposition

I downvoted this, but now I'm gonna reply to explain why. This is a veiled insult against your audience, and as such it's both a fallacy and a bad-faith argument. The rest of the sentence, too. Let's not do "I'm smarter than you all and you're all biased" here, please. It just makes the forum a shade uglier.


I actually did not intend to specifically insult the audience in this case, but I can understand why it was interpreted that way. I'll make an effort to be more civil in my future replies.


> That requires you to assume the audience is both intellectually capable of understanding a complex proposition

Being able to explain a complex topic simply is the point. Knowing how to distill the concept to essential points is useful, and if you can't identify the essential points, you probably don't really understand it.

> and that it hasn't been sufficiently biased against or indoctrinated against an opposing view.

> you would be making a gigantic leap in assuming this automatically means a given audience is going to adequately understand the argument.

I didn't say convince, I said explain. Indoctrination is irrelevant. Assume your audience is willing to hear you out, as otherwise all you are doing is yelling at people rather than conversing with people, and that's not acting in good faith.

> the assumption that my comments were intended to make a compelling case on the matter outside of the person I was responding to.

Yes, the assumption is that you are trying to contribute with your comments, and not just tell someone they are wrong without explanation, as the site guidelines specifically disallow that.

> Or perhaps you're one of those people who thinks mass murder of humanity is a good thing because it reduces the human impact on the environment?

You seem to be working under the assumption I disagree with you. I don't recall doing anything other than asking you to explain your reasoning. Do you consider that an aggressive argument against your point?


Can you please not do flamewars on HN? Such tedious tit-for-tat exchanges aren't of general interest, or even of individual interest once the heat dies down.

https://news.ycombinator.com/newsguidelines.html


I didn't consider what I was doing a flame war. I was originally honestly asking for more information, and then considered it a conversation on the merits of explaining a topic to a general audience.

That genuinely interests me, which is why I've gotten into conversations on this topic a few times in the past. I understand that others may be uninterested in that or find it tedious, so I'll try to refrain in the future. My apologies.


Thank you for the polite reply. I admit I didn't read it closely enough to suss out the subtleties. In our experience, when people start arguing "I didn't say that, I said this" with each other, the conversation is close to informationless and tends only to produce more heat.


Cool, you ignored half my comment to engage in dishonest bickering filled with more assumptions as to my motivations. Are you having fun?


> you ignored half my comment

I originally ignored the portion that mistakenly assumed I had a position against your point that aggressively insinuated I believed mass murder was acceptable. I revised my comment right after posting it to append a clarification on that.

> to engage in dishonest bickering

Please do not accuse me of being dishonest without being sure backing up your words with some sort of reasoning. I'm not being dishonest. I think you are not engaging usefully, and attempted to rectify that by asking for more information, and then to explain my reasoning when it was called into question, exactly as I suggested you do originally.

> filled with more assumptions as to my motivations

I'm not sure I assumed a single thing about you. I couched all my statements generically on purpose.

I think you are stuck in a context where you are interpreting me as attacking you. If you truly think I'm being dishonest or attacking you, don't reply. If you think I'm wrong, explain how I'm wrong. If you have problems explaining why I'm wrong, perhaps reexamine the assertion that I am. I'm fully willing to entertain that I'm wrong, and admit it. It wouldn't be the first time I've done so.


Can you please not do flamewars on HN? Incivility like this will get you banned here regardless of how provocative some other comment was.

Edit: I'm sorry to see that you've done this repeatedly before. If you would please review https://news.ycombinator.com/newsguidelines.html and follow the rules when posting here in the future, we'd appreciate it.


You're right, I have clearly forgotten the spirit of the discussion here. I apologize for that.


We seem to have a difference in base assumptions. I'd like to preserve and further the technological civilization. You seem to want to shut it down.

> the compound harm to the environment (for starters) of nations states existing and controlling currency

Do you believe that nation states exist solely, or primarily, to control currency? Currency is the blood of the nation, yes, but nation states form organically, to further interests of groups of people. Whenever you have more than a dozen people in one place, you get hierarchical governance, and the more people you add, the more that hierarchy grows vertically to cope with the load. With millions of people, you arrive at some form of states; add a couple of wars into the mix, and you arrive at modern sovereign nation states.

Point being, if cryptocurrencies were to break states' control over money - and what I guess you hope for - destroy states entirely, after lots of blood unnecessarily shed, the states would be back in some form. It's doubtful though, that cryptocurrencies would survive the process. They need computing and Internet to work, and computers&Internet need stable global economy to exist. Break the economy, break the supply chains, and modern technology evaporates.

Along with 90% of urban population starving to death.

> you should know you're rightly fearful of this technology, because it's going to play a major factor in your future demise

Yes, I'm fearful, because this technology is tuned in with the markets just well enough that it may propagate, whether governments want it or not, and grow to the point of burning out most of our non-renewable energy sources, with little to show for it, before someone finally puts a stop to it.

--

I've painted a bleak worst-case scenario above, but I sincerely hope cryptocurrencies as we know today will fizzle out and be remembered just as another scam, one with absurdly large ecological footprint. I'm not against distributed ledgers, distributed consensus, or even new designs for money. I'm just against stupidly inefficient solutions exacerbating the biggest problems humanity faces.


I agree with your assessments of governments, but your assessments of power issues are pretty misguided.

You seem to be arguing that demand for renewable power will...make there be less renewable power available? Which is not really how economics works. Creating lots of power demand isn't going to make us like, run out of sunlight. It's going to raise the price of power. It's going to compensate people for building more capacity. It's going to do all the things that we want.

In fact, by providing a constant demand for excess power generation which is currently hard to store, crypto-currencies can substantially improve the economic profile of building out lots of capacity that otherwise wouldn't make economic sense.


> We seem to have a difference in base assumptions. I'd like to preserve and further the technological civilization. You seem to want to shut it down.

Not sure where you're getting that from. I do not want to "shut it down," quite the opposite.

> Do you believe that nation states exist solely, or primarily, to control currency?

No, but control of currency is a major factor in their sustained existence.

> Currency is the blood of the nation, yes, but nation states form organically, to further interests of groups of people. Whenever you have more than a dozen people in one place, you get hierarchical governance, and the more people you add, the more that hierarchy grows vertically to cope with the load.

Nation states are a symptom of obsolete social organization technology. They result in massive human suffering and hampering of technological growth. Their formation, whether "organically" or not, is irrelevant.

> With millions of people, you arrive at some form of states;

States neither require millions of people, nor are they a necessary result of millions of people existing.

> add couple wars into the mix, and you arrive at modern sovereign nation states.

Is this intended as an indictment?

> Point being, if cryptocurrencies were to break states' control over money - and what I guess you hope for

Yes.

> after lots of blood unnecessarily shed

"Unnecessarily" is a large assumption. And ideally it would happen with as little violence as possible, preferably none. When contrasted with the scale of the crimes of nation states, however, it seems difficult to make a case for their continued existence, even with massive short term casualty.

> the states would be back in some form.

What are you basing this assumption on? I think there is a strong case that social organizing technology is likely to result in nation states being made obsolete over time. The contradicting viewpoint is not substantiated by much, I suspect.

> It's doubtful though, that cryptocurrencies would survive the process. They need computing and Internet to work, and computers&Internet need stable global economy to exist. Break the economy, break the supply chains, and modern technology evaporates.

Computing and networking are not dependent on the existence of nation states. A stable global economy is especially not dependent on them -- in fact, nation states are quite probably the largest cause of global instability, economically and otherwise. Preferably, a transition away from nation states happens using technology itself. Cryptocurrency is likely to play a major role in this.

> Along with 90% of urban population starving to death.

A sudden overnight collapse of nation states might very well lead to large deaths, although probably not at this scale. This is not likely to happen, and certainly not likely to happen as a result of mass cryptocurrency adoption.

> Yes, I'm fearful, because this technology is tuned in with the markets just well enough that it may propagate

I'm glad you've admitted your remarks about cryptocurrency being wasteful and harmful to the environment are motivated by trying to suppress its existence.

> whether governments want it or not

As opposed to free people...

> and grow to the point of burning out most of our non-renewable energy sources

Ridiculous.

> with little to show for it, before someone finally puts a stop to it

Good luck.

> I've painted a bleak worst-case scenario above

You've spread fear-based propaganda based on an issue you clearly have made a lot of seemingly fear-based (as opposed to reasoned) assumptions about.

> I sincerely hope cryptocurrencies as we know today will fizzle out and be remembered just as another scam

You fear the change that this technology brings, so you hope it is suppressed and remembered for being something you (possibly) understand it is not?

> I'm not against distributed ledgers, distributed consensus, or even new designs for money.

These are the potential benefits of cryptocurrency.

> I'm just against stupidly inefficient solutions exacerbating the biggest problems humanity faces.

Even a grossly less efficient method for mining cryptocurrency would be preferable to the problems caused by the continued existence of nation states, and probably by their control of currency alone, not even factoring in all of their other crimes.

The biggest problem humanity faces is the existence of nation states, and the resulting democide and destruction, as well as potential existential threats of nuclear annihilation or other destruction. In the pursuit of perpetuating themselves, nation states are also likely major limiting factors in technological advance, which is the single greatest factor in preventing human suffering.


Just because you don't understand how something works or are ideologically opposed to its existence doesn't mean it's a ponzi scheme.


I'd much rather live in a world where we can share things without paid somethings, where people contribute not split information where everyone is copying each other.

90% of work, data copied on Internet have no value. Dunno why we need to pay for Clickbait article, or article without value or translated article (EN->FR)


btw this is the actual vulnerability (since MT release logs do not mention the CVE cited in the article):

https://blog.mikrotik.com/security/winbox-vulnerability.html

(referenced here : https://forum.mikrotik.com/viewtopic.php?f=21&t=137284&start...)


> Attackers mainly interested in port 20, 21, 25, 110, and 143, corresponding to FTP-data, FTP, SMTP, POP3, and IMAP traffic.

That strongly suggests password harvesting. Those ports/protocols often (not always) are used for unencrypted user/pass combinations. :(


I always disable winbox on installation.

  /ip service disable winbox
Why would anyone want to use that? My theory is that it has something to do with how in many cases the MT sshd has to be told to figure out the terminal:

  $ ssh user+t@192.168.88.1
...and this information is really hard to find. If the terminal settings aren't right and you can't fix them, ssh is unusable and you're stuck with either winbox or webfig. Fortunately, if the ssh session is wrapped in a mosh session then mosh will handle MT's terminal settings.


Afaik winbox is the only way to reconfigure the device in case of serious IP misconfiguration, or if layer 3 networking does not work for some reason (I just had to debug a switching loop...), as winbox can connect by MAC, rather than IP.


In such a situation I would probably hard reset and upload a saved configuration... certainly not ideal.


My equipment is hidden in walls and hard to reset. However, in this case, the problem was at the physical layer, not software configuration, so a reset would not have accomplished anything.

Since I do not use Windows, I had to emulate Winbox in Wine... pretty awful experience, but in the end it worked while everything else failed.

I would just prefer some sort of unix tool that ssh can use to connect to the equipment through layer 2.



Just yesterday updated my Mikrotik to latest current. And now read that news. Great!


Then you're just fine. The vulnerabilities were patched months ago.


Article link is down on my end.


It's basically another take on this older report: https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-Mik...


that's a month old; has the compromise been going on that long?

i guess so...



No. That's when the vulnerability was discovered. The cryptojacking attacks on routers began a month ago. Qihoo is just reporting on an ongoing campaign. But I didn't see anything different from the Trustwave report, except that attackers misconfigured some routers to send traffic into a blackhole for some reason.


Do NOT visit...trojan at URL!


I think u use Mikrotik without an update! =D


That stinks. I tried to help the community by providing a warning and I get downvoted. What is the motivation to help? From now on I will not issue any warnings.


Really? In what way?


My antivirus software found two trojans and immediately raised a warning.


I (ironically) got a CoinHive warning from TrendMicro.


Get a better antivirus then, because it's picking the URL that appears in the post.

