Dot1x in Routeros 6.45.1

Some of you may have noticed a new menu item pop up in Winbox labeled dot1x.

Dot1x is an implementation of the IEEE 802.1X standard in RouterOS. Its main purpose is to provide port-based network access control using EAP over LAN, also known as EAPOL. 802.1X consists of a supplicant, an authenticator and an authentication server (a RADIUS server). Currently both the authenticator and the supplicant side are supported in RouterOS. Supported EAP methods for the supplicant are EAP-TLS, EAP-TTLS, EAP-MSCHAPv2 and PEAPv0/EAP-MSCHAPv2.

Looking for how to use this?
https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x#Application_Example
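A minimal RouterOS configuration for both roles, added here as an example (it is not the post's or MikroTik's own code): the addresses, secret and interface names are placeholders, and it assumes the RADIUS server has already been told about the authenticator and its secret.

```routeros
# Added example, not code from the post or from MikroTik's wiki page.
# Assumptions: ether2 is the access port being protected, the RADIUS server
# is 10.0.0.5 with shared secret "radius-secret-placeholder" (placeholders),
# and the supplicant is a second RouterOS device using its ether1.

# --- Authenticator (the switch side) ---
# RouterOS relays EAPOL from the port to the RADIUS entry marked for dot1x;
# a host on ether2 gets no network access until RADIUS returns Access-Accept.
/radius
add address=10.0.0.5 secret=radius-secret-placeholder service=dot1x
/interface dot1x server
add interface=ether2 auth-types=dot1x

# --- Supplicant (a RouterOS device plugged into that port) ---
# PEAPv0/EAP-MSCHAPv2 sends the username/password inside a TLS tunnel;
# anon-identity (assumed parameter name) keeps the real username out of the
# cleartext outer EAP Identity response.
/interface dot1x client
add interface=ether1 eap-methods=eap-peap identity=router01 password=supplicant-password-placeholder anon-identity=anonymous
```

For EAP-TLS the client entry takes a certificate instead of a password; either way, keep the RADIUS shared secret and the supplicant password out of exported configs you share.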

RouterOS 6.45.1 Out – Security Fixes

MikroTik has released RouterOS 6.45.1 with some security vulnerability fixes. Some of these were already known and fixed in earlier releases, while others are new fixes.

MAJOR CHANGES IN v6.45.1:
———————-
!) dot1x – added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 – added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
!) security – fixed vulnerabilities CVE-2018-1157, CVE-2018-1158;
!) security – fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479;
!) security – fixed vulnerability CVE-2019-13074;
!) user – removed insecure password storage;

Important note!!!
Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.

Some notes on the security Fixes
CVE-2018-1157
Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system via a crafted HTTP POST request.

CVE-2018-1158
Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a stack exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server via recursive parsing of JSON.

CVE-2019-11477/11478
Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

CVE-2019-11479
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

CVE-2019-13074
This has been reserved and not yet made widely public. Although a CVE ID may have been assigned by either CVE or a CNA, it will not be available in the NVD while it has a status of RESERVED at CVE. This is traditionally done to give the vendor, in this case MikroTik and possibly others, a chance to fix the issue before details of the exploit are released to the general public.

Rest of the Changelog available at https://www.mikrotik.com/download

Mikrotik RouterOS 6.43 and older notes

For those of you running newer RouterOS versions, you should be aware of this.

Downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.

I am not sure when this actually started as it shows up in the changelog of 6.45beta62. I am going to assume this starts at 6.45 once it’s released.

Mikrotik LoRaWAN products

Taken directly from Mikrotik newsletter 89.
https://download2.mikrotik.com/news/news_89.pdf

R11e-LoRa8EU – a new LoRaWAN concentrator Gateway card in miniPCIe form factor based on the Semtech SX1301 chipset. It enables LoRaWAN connectivity for any MikroTik product that has a miniPCIe slot with connected USB lines.

With the support of 8 different channels in the 868EU band, Listen Before Talk (LBT) and Spectral scan features, this product will astound you with its enticing price point – under $100. Max output TX power – 16 dBm, max sensitivity level on SF12 rate – 134 dBm

wAP LoRa8 kit – an out-of-the-box solution to use a LoRaWAN gateway. This kit contains a wAP 2nD device with a 2.4 GHz WLAN interface and Ethernet port that could be used as a backend connection, and a pre-installed UDP packet forwarder to any public or private LoRa servers. You can attach an external antenna (see below) or use the internal 2.5 dBi antenna. Once again the price is a real bargain – under $200!

LoRa Antenna kit with a 6.5 dBi Omni antenna for 824 – 960 MHz, 1 m long SMA cable and mechanical holder for quick and easy mast attachment – when you need that extra network coverage.

These products are ready to work with ‘The Things Network’ – the famous open-source infrastructure that provides free LoRaWAN network coverage and has tons of apps for your needs. The Things Network helps you get started with the Internet of things in a day. Cattle tracking, smart irrigation and thermostats, smart metering and so on – the possibilities are endless. The setup is so simple, anyone can get started really quickly. With an SLA backed service by ‘The Things Industries’, it has never been easier to deploy secure and scalable LoRaWAN solutions. There is a global community of developers, businesses and enthusiasts – you will never be alone with your questions and ideas regarding LoRaWAN network. No need to reinvent the wheel – join The Things Network to save time and energy with smart solutions!

Common Questions: difference between Masquerade and SRC-NAT

One of the common questions I get is: what is the difference between Masquerade and SRC-NAT? Which should I use?
The quick answer is to use SRC-NAT if your gateway IP is static, and use masquerade if it can change.

The Mikrotik Wiki Entry
Firewall NAT action=masquerade is a unique subversion of action=srcnat; it was designed for specific use in situations when the public IP can randomly change, for example when a DHCP server changes it, or a PPPoE tunnel gets a different IP after a disconnect – in short, when the public IP is dynamic.

Every time the interface disconnects and/or its IP address changes, the router will clear all masqueraded connection tracking entries that send packets out that interface, this way improving system recovery time after a public IP address change.
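The two rules side by side, added here as an example (not from the post or the MikroTik wiki); it assumes ether1 is the WAN port, the LAN is 192.168.88.0/24 and the static public address is 203.0.113.10 (a documentation range used as a placeholder). Only one of the two rules would be active on a real router.

```routeros
# Added example, not code from the post or from MikroTik's wiki.
# Assumptions: WAN is ether1, LAN is 192.168.88.0/24, static public IP is
# 203.0.113.10 (TEST-NET-3 placeholder). Use ONE of the two rules, not both.

/ip firewall nat

# Static public IP: explicit src-nat. The translated address is fixed in the
# rule, so it does not depend on whatever address the interface currently
# holds, and existing conntrack entries survive an interface flap.
add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 action=src-nat to-addresses=203.0.113.10 comment="static WAN: src-nat"

# Dynamic public IP (DHCP client / PPPoE): masquerade. RouterOS substitutes the
# out-interface's current address and flushes that interface's masqueraded
# conntrack entries when the address changes, so stale translations do not
# linger after the ISP hands out a new lease.
add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 action=masquerade comment="dynamic WAN: masquerade"

# Either way, keep the src-address match: a bare "out-interface=ether1" rule
# translates anything leaving that port, including spoofed or transit traffic
# that should never have been NATed in the first place.
```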

Mikrotik chains explained

From the Mikrotik Wiki

  • input – used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router’s addresses. Packets passing through the router are not processed against the rules of the input chain (DST address of the router)
  • forward – used to process packets passing through the router (SRC and DST is not on the router)
  • output – used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
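A small filter ruleset that puts each chain to its intended use, added here as an example (not from the post or the MikroTik wiki); it assumes the LAN is 192.168.88.0/24 and ether1 faces the Internet.

```routeros
# Added example, not code from the post or from MikroTik's wiki.
# Assumptions: LAN is 192.168.88.0/24, WAN is ether1. Rules are evaluated top
# down within each chain; the first match decides.

/ip firewall filter

# input: packets addressed TO the router itself (Winbox, SSH, DNS, etc.).
# Traffic merely passing through the router never enters this chain.
add chain=input action=accept connection-state=established,related comment="input: keep existing flows"
add chain=input action=drop connection-state=invalid comment="input: drop broken state"
add chain=input action=accept src-address=192.168.88.0/24 comment="input: management from LAN only"
add chain=input action=drop comment="input: everything else, incl. WAN-side logins"

# forward: packets routed THROUGH the router (neither endpoint is the router).
add chain=forward action=accept connection-state=established,related comment="forward: keep existing flows"
add chain=forward action=drop connection-state=invalid comment="forward: drop broken state"
add chain=forward action=accept src-address=192.168.88.0/24 out-interface=ether1 comment="forward: LAN out to WAN"
add chain=forward action=drop comment="forward: no unsolicited inbound"

# output: packets the router itself GENERATES (its own DNS, NTP, RADIUS...).
# Usually left open; a log rule here shows what the box is calling out to.
add chain=output action=log log-prefix="router-out" connection-state=new comment="output: audit new outbound flows"
add chain=output action=accept comment="output: allow router-originated traffic"
```

The input chain is where a RouterOS box exposed to the Internet is most often left open; the last input rule above is what closes that door.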