Aug 18 / thebrotherswisp

TheBrothersWISP 95 – Mikrotik 60Ghz Tuning, Neighbor Discovery, ROS Post Exploitation



This week Greg, Miller, and Tomas catch up about Mikrotik, Mikrotik, then a little bit of Mikrotik.

This week we talk about:
Miller – LHG 60 experiences
Miller – Neighbor discovery over bonding interfaces
Mikrotik copper 10Gb SFP
Mikrotik newsletter 90
RouterOS post exploitation – local only method to gain shell access
Urgent 11


Aug 5 / thebrotherswisp

TheBrothersWISP 94 – Urgent 11, Yealink W/ 3CX, Ansible



This week Greg and Mike sneak a cast in a day early (shhhhhhh, don’t tell anyone).

This week we talk about:
Urgent 11 – VxWorks vulnerabilities – Dell PowerConnect, SonicWalls, etc.
Greg is learning ansible
WISPAMERICA Dallas March 16
4011s SFP+ issues with 6.45.x – acknowledged issue, could be repaired at this point.
Proxmox 6.1 is getting a networking overhaul – vxlan/eVPN
Resetting a Yealink phone via TFTP
Yealink phones on 3CX require you to add multiple accounts for multiple extensions
“Mike’s” Ansible for UBNT virus

Help support us by becoming a patron! <==join our Slack team!
Keep contacting us: contactus (at) thebrotherswisp.com or https://facebook.com/thebrotherswisp


Jul 21 / thebrotherswisp

TheBrothersWISP 93 – Copper 10Gb, Fiber Projects And Kit



This week Greg and Mike sneak a cast in a day early (shhhhhhh, don’t tell anyone).

This week we talk about:
Mikrotik CRS copper 10G – CRS312-4C+8XG-RM
Generic and Cisco optics work well in Mikrotik kit
Physically securing Mikrotiks – 1/16th” steel braided cable
Mikrotik 6.45.1 requires a new version of winbox(3.19)
Greg completed backbone migration at one datacenter to ASR9000s
Nickie B came up with an ansible playbook to put rate-limits on ubiquiti kit
Fiber terminations – all I see anyone use is pigtails for splicing
Cheap splicers – SignalFire (AI-7 or AI-8) or Komshine, all around $1K
Cox says that when ordering kit from aliexpress he recommends getting a handful of samples and testing them for a while
Cox found a GPON calculator from Huawei
Danny sends a link on doing midspan splices


Jul 7 / thebrotherswisp

TheBrothersWISP 92 – IPAMs, Verizon Cust BGP Leak, Linux TCP DoS



This week Greg, Tomas, and almost Tom Smyth(but not quite) catch up on a month’s worth of stuff. The show is complete with a Tomas rant(your life is now complete).

This week we talk about:
Greg is looking for a reasonably priced OTDR
Lightning hitting a tree can take out your fiber
PHPIPAM for address management
Mikrotik CVE (linux in general) TCP DOS – fix in 6.45.1
Mikrotik 6.45.1 – API has changed so sonar and other systems aren’t working with it
Bridge filter in Mikrotik can block rogue DHCP servers without sacrificing hardware filtering.
Quick article on installing Mikrotik CHR on proxmox
Nick A. wanted a looking glass, and Greg’s favorite is routeviews
HFS webserver is a good way to test ports through a firewall – thanks Tomas
Physically securing APs
Verizon customer leaked full routes due to a route optimizer
The “Tomas corner”:
Tomas loves his Linux Desktop – fully migrated from Windows to Linux on primary PC
RadMan – FOSS FreeRadius Management GUI
Unimus 1.10.2 release
Dealing with CAs as a non-US company is stupid


Jun 19 / Greg

Mikrotik Bridge Filter to Block Rogue DHCP Servers

Mikrotik has introduced a LOT of great features in their switching line: CRS100, CRS200, and CRS300. One thing of note is DHCP snooping, which blocks rogue DHCP servers on your network. This feature works a treat in the CRS300 series switches as it also allows hardware offloading. Unfortunately, if it is enabled on the CRS100 or CRS200 series switches, hardware offloading is disabled, and spoiler alert, this is very bad.

If, however, you use bridge filtering to block rogue DHCP servers, hardware offloading remains enabled. Having said that, here are some simple steps you can take to put a bridge filter in place to block rogues.

In this example, ether1 is the uplink port where the DHCP server lives, so no filtering is done here.

First create an interface list for all user/customer interfaces:

# this creates a customer list
/interface list
add name=customers

Next add all of the customer interfaces to the interface list:

# add all customer interfaces to this list
/interface list member
add interface=ether2 list=customers
add interface=ether3 list=customers

Last, apply the bridge filter to the forward chain to catch traffic moving through the bridge.

# this filter rule will block DHCP servers
/interface bridge filter
add action=drop chain=forward in-interface-list=customers ip-protocol=udp mac-protocol=ip src-port=67
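
To see which traffic this rule actually catches, here is a small Python model of its match conditions run over constructed frames. It is an added example, not part of the original article or of RouterOS; the function names and sample frames are made up for illustration, and it assumes untagged Ethernet II frames.

```python
import struct

CUSTOMERS = {"ether2", "ether3"}  # the "customers" interface list from the article

def eth(ethertype, l3):
    """Constructed Ethernet II frame: broadcast dst, made-up src MAC."""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + l3

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)  # header only, checksum 0

def ipv4_udp(sport, dport):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                      bytes(4), b"\xff" * 4)
    return eth(0x0800, hdr + udp(sport, dport))

def ipv6_udp(sport, dport):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, 8, 17, 64, bytes(16), bytes(16))
    return eth(0x86DD, hdr + udp(sport, dport))

def rule_drops(in_interface, frame):
    """Model of: chain=forward in-interface-list=customers mac-protocol=ip
    ip-protocol=udp src-port=67 action=drop."""
    if in_interface not in CUSTOMERS:                      # in-interface-list=customers
        return False
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:   # mac-protocol=ip (IPv4 only)
        return False
    ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length in bytes
    if frame[14 + 9] != 17:                                # ip-protocol=udp
        return False
    return struct.unpack_from("!H", frame, 14 + ihl)[0] == 67  # src-port=67

# Constructed sample traffic: (ingress port, frame, description)
SAMPLES = [
    ("ether1", ipv4_udp(67, 68), "offer from the real server on the uplink"),
    ("ether2", ipv4_udp(68, 67), "client DISCOVER/REQUEST"),
    ("ether3", ipv4_udp(67, 68), "offer from a rogue server on a customer port"),
    ("ether2", ipv6_udp(547, 546), "DHCPv6 server reply on a customer port"),
]

def verdicts():
    return [(port, desc, "drop" if rule_drops(port, f) else "forward")
            for port, f, desc in SAMPLES]

if __name__ == "__main__":
    for port, desc, verdict in verdicts():
        print(f"{verdict:8} {port:7} {desc}")
```

Only the third sample is dropped. The last one is forwarded because mac-protocol=ip matches IPv4 (EtherType 0x0800) only, so a rogue DHCPv6 server on a customer port needs its own handling.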

Go forth and happy non-rogue-dhcping 😉

Jun 19 / Greg

Install CHR On Proxmox

The first time I went about installing a Mikrotik CHR on a Proxmox server I ran into a lot of problems. I’ve distilled the steps down to something as simple as possible, all based on this wiki post.

1. Go to the mikrotik download page and grab the raw image of whichever version of CHR you prefer.
2. Extract the img file and transfer it into your proxmox /root folder.
3. On proxmox issue the following “qm list”. Pick the next sequential number that isn’t already taken.
4. Create the directory for this VM: “mkdir /var/lib/vz/images/150”
5. Create the qcow2 image. Adjust the image name “/root/chr-6.44.3.img” to whatever you downloaded and adjust the VM number from 150 to whatever you choose “/var/lib/vz/images/150/vm-150-disk-1.qcow2”

qemu-img convert \
-f raw \
-O qcow2 \
/root/chr-6.44.3.img \
/var/lib/vz/images/150/vm-150-disk-1.qcow2

6. Create the VM inside of proxmox. Be sure to change the VM number “150” in all lines to yours and also adjust the name to whatever you prefer:

qm create 150 \
--name chr-cust1 \
--net0 virtio,bridge=vmbr0 \
--bootdisk virtio0 \
--ostype l26 \
--memory 256 \
--onboot no \
--sockets 1 \
--cores 1 \
--virtio0 local:150/vm-150-disk-1.qcow2

After this you can refresh your console and make any adjustments you like.

That should get you up and working quickly. Good luck and happy routing.

Jun 10 / thebrotherswisp

TheBrothersWISP 91 – Flapgate, MAAS, Hypervisors



This week Greg, Dave, Nick, and Tomas try yet another podcast recording suite; spoiler, we didn’t use the audio from it this time, but will next. Don’t stop believing.

This week we talk about:
Mikrotik flapping issue CRS317 on SFP+ with newer firmwares – “flapgate”
Veeam has a community edition – 10 free VMs
Tomas didn’t like GUI options for FreeRADIUS, so of course, he wrote his own. Open source link to come
VDSL2 media converters – 190Mb/110Mb
MikroTik L2 QoS – normally works on L3 only – but can be done for L2 as well
Hyper-V, Proxmox, ESXi, Xen – everyone has an opinion on which they prefer.
Alisdair using BFD
Dan fell victim to the Mikrotik LTE simcard; sometimes you just want to put it in upside down.
How many people go new on servers vs Gray market?
Cameo for all your B list celebrity shout outs.
D&D is hard to get started with and Fantasy Grounds is confusing.
