Radius manager export

Posted on February 7, 2017February 7, 2017 by alex

How to export customer’s data from Radius manager including the name of services and non-encrypted passwords: select rm_users.*, radcheck.value, rm_services.srvname from rm_users left join radcheck on rm_users.username = radcheck.username left join rm_services on rm_services.srvid = rm_users.srvid where radcheck.attribute = ‘Cleartext-Password’ or select rm_users.*, radcheck.value, rm_services.srvname from rm_users left join radcheck on rm_users.username = radcheck.username left[…]

Mikrotik hotspot default queue

Posted on August 23, 2016August 31, 2016 by alex

When you configure a hotspot with Mikrotik, routerOS always creates a default queue called hs-<hotspot1> allowing unlimited speed both directions. You can delete the queue, but it will come up again after restart. The problem is that this queue will override simple queue which are below it and speed limitation of hotspot users will not work[…]

Building large lab with Mikrotik on Unetlab

Posted on February 13, 2016April 20, 2016 by alex

In my trainings I use Unetlab environment. I recommend to everyone use Unetlab and get rid of GNS3, because difference in performance and support of different vendors is huge. Last year Mikrotik announced their RouterOS license for virtual machines, called Cloud Hosted Router (CHR). I’m going to show how to setup CHR in Unetlab in few[…]

Mikrotik MPLS implementation issues

Posted on November 12, 2015 by alex

We are running MPLS on RouterOS for over one year and still I’m getting new errors in MPLS implementation on RouterOS. Below is a list of all issues, I’ve found (versions < 6.33) : 1. The main problem is separation of VRFs. RouterOS is a linux based system and all VRF tables are linux routing[…]

MPLS implementation on Mikrotik RouterOS

Posted on August 8, 2015 by alex

My presentation from global event – Mikrotik User Meeting 2015 in Prague

IPv6 transition mechanisms

Posted on July 11, 2015 by alex

There are plenty of IPv6 transition technologies and I always forget some of them. Below is the list with description to have a quick reminder always when it’s needed. I’m considering all technologies from ISP’s point of view : 1. Dual-stack The simplest one. All our infrastructure is IPv6 enabled and we give /64 prefix[…]

uRPF – Prevention of IP SRC spoofing inside AS (BCP38)

Posted on June 25, 2015 by alex

In today world the strongest DDOS are amplification attacks. They use UDP based services. There 2 steps of the attack. First – attacker finds wrong configured servers on public Internet. The second step is that PC with malware sends to these servers small UDP packets with changed IP address. In IP SRC field of the[…]

IPv6 security

Posted on June 20, 2015 by alex

In previous posts I shown how to network on IPv4. IPv6 is a different world, IPv4 ACLs and approach will not work. IPv6 traffic runs in parallel to IPv4 and IPv4 ACLs/Firewall will not block IPv6 traffic. The main problem of IPv6 is that even when you don’t enable IPv6 on routers, some of customers[…]

L2 and STP security on switches

Posted on June 19, 2015 by alex

We were talking about 6 L2 attacks in topic about DHCP snooping. There are also different attacks on switching technologies.One of the main L2 technologies is VLAN. VLAN hopping 1) Spoofing of switch Attacker is connecting to access port and is changing it to trunk Mitigation is very simple – disable DTP negotiation on trunk[…]

IP dhcp snooping – first hop security on IPv4

Posted on June 19, 2015 by alex

When we connect customers to Access switch we immediately face these security threats : DHCP spoofing – some PC in the network will run DHCP server. It can be cause even by wrong configuration of Windows machine. In this case, some of computers inside LAN will connect to new DHCP server and will forward packets[…]