Is QuickSet a threat with pppoe?

tmp · Sat Mar 21, 2015 7:39 pm

Hi,

I am new to Mikrotik and ROS and I'm currently using ROS 6.27 with a RB951Ui-2HnD. My ISP uses pppoe for authentication and I used QuickSet with the "HomeAP"-Setting.
When taking a look at firewall rules the device is open to the whole world. After half an hour, I got 200 failed logins in the log via SSH, Telnet, Winbox-Port and WWW. In fact, the firewall-rules are completly useless when QuickSet is used.
Is this the normal behaviour when using QuickSet with pppoe?

Kind regards

tmp

tmp · Mon Mar 30, 2015 7:21 pm

The same happens with hap lite, too (ROS 6.27).

Thu Apr 02, 2015 8:22 am

Quickset is kind of trap. Even it looks useful for those who don't understand the settings deeply enough. On the other side I think that applying any settings to router that you do not understand is big security risk. If you decided to use mikrotik devices you should always fully remove the configuration and set everything manually from scratch. Otherwise you cannot rely on it and be sure how it should behave.

tmp · Thu Apr 02, 2015 5:31 pm

Thanks for your answer, jarda.
Let me first say, I believe I know what I'm doing, I'm just new to ROS. Before I have been using Cisco devices with IOS or configured Sophos/Astaro appliances.
I am just a little bit shocked that QuickSet is positioned as an easy way to configure your device without needing to read through every settings first. I thought I could just set the device up with QuickSet and start "real" configuring after that. But if you do so, the device is completly unprotected and open to the whole world.
I just wanted to share my thoughts because Mikrotik aims -especially with hap lite - at consumers who want to use a stable and speedy device without being forced to read hundreds of manual pages.
Maybe MikroTik wants to take a look at these settings, I guess it's going to be fixed in seconds.

Thu Apr 02, 2015 6:35 pm

I don't think that hap lite is aimed at consumer market. My opinion is that it is answer to request of ISPs to get some cheap device we can give at customer's place and be able to manage / monitor it and can get rid of tplinks with openwrt because other suitable devices just cost at least three times more...

hossain2004a · Thu Apr 02, 2015 7:29 pm

I don't think that hap lite is aimed at consumer market. My opinion is that it is answer to request of ISPs to get some cheap device we can give at customer's place and be able to manage / monitor it and can get rid of tplinks with openwrt because other suitable devices just cost at least three times more...

Common Jarda. I think you're making it hard with hAP Lite. it's little home access point. It's awesome to have $30 AP for your home...
And It's good for you to know in my country, configuring LinkSys modems when you just need to couple of VCI and VPI settings plus wireless settings is needed is not everyone's work, so people attend to network shops or engineers or I dont know who. so then the pay for it.

Thu Apr 02, 2015 8:07 pm

You can take it as you wish. But even with quickset the mikrotik routers are not for home users. I have not met any home user able to set such router.

hossain2004a · Fri Apr 03, 2015 1:10 pm

but they can handle they router to someone who is able to config that. That's all people do here

but yes.... You are right

batsuno45 · Fri Apr 03, 2015 1:14 pm

If you decided to use mikrotik devices you should always fully remove the configuration and set everything manually from scratch. Otherwise you cannot rely on it and be sure how it should behave.

lambert · Sat Apr 04, 2015 9:53 am

I am new to Mikrotik and ROS and I'm currently using ROS 6.27 with a RB951Ui-2HnD. My ISP uses pppoe for authentication and I used QuickSet with the "HomeAP"-Setting.
When taking a look at firewall rules the device is open to the whole world. After half an hour, I got 200 failed logins in the log via SSH, Telnet, Winbox-Port and WWW. In fact, the firewall-rules are completly useless when QuickSet is used.
Is this the normal behaviour when using QuickSet with pppoe?

I don't often use quickset but did for a customer a while back. They were PPPoE and the quickset firewall rules forgot to block traffic in the pppoe interface. The block on the underlying ethernet interface was there. The bad guys were using the the DNS cacheing server as part of a DDoS. My fault for not double checking the quickset generated rules.

There are several places where the quickset generated rules could use some cleanup, at least in the versions of RouterOS where I've tried it out. Why put the IP on the ethernet of HomeAP routers which use the bridge-local?

hossain2004a · Sat Apr 04, 2015 10:52 am

Maybe that's because Quick set is for home and home users don't think of and don't know of any DDos and Brutes and ......
Yes there are lot's of problem with this quick set.
But as I said it's awesome to have $30 with fully ROS.
And for networking stuff at least you should know something. otherwise you can not install NIC card