v5.6 released

What’s new in 5.6 (2011-Aug-02 14:45):

*) fixed ssh server crashing when sessions were interrupted
*) ipsec - fix a problem which could silently remove a manual policy
from the kernel if the peer configuration has ‘generate-policy’ set to ‘yes’
and if the policy matches with the traffic selector of a SA being removed
on the responder side, also fix a problem that some generated policies
may stay in kernel after relevant SA was removed;
*) profiler - correctly show idle task on RB1200;
*) webfig - fix dual nstreme interface setting lists;
*) webfig - fix Wireless Access/Connect List editing;
*) webfig - fix bitrate presentation in simple queues (show 1.5M as 1500k);
*) fixed micro-sd access on RB400 not to stop everything else;
*) sstp - when server certificate verification is enabled for sstp client,
it will additionally compare IP addresses found in certificate’s
subjectAltName and subject CN to the real address, DNS names are ignored;
*) tftp - optional block counter roll-over support;
*) hotspot - fixed possible crash in case of multiple Radius CoA requests;
*) userman - speedup user deletion with big log size,
note that first userman startup after this update
may take few minutes if the log size is in hundreds of MB;
*) mpls - added support for enabling/disabling control word usage for
BGP based VPLS tunnels (both - Cisco and RFC 4761 based);
*) mpls - added support for auto-discovery of VPLS NLRI encoding method
for Cisco BGP based VPLS tunnels;
*) winbox - sometimes after disconnecting, winbox could not connect back;
*) bgp - allow parallel operation of RFC4761 “l2vpn” and
draft-ietf-l2vpn-signaling “l2vpn-cisco” BGP VPLS variants inside
single peering session.
*) console - “:resolve” command now returns IPv6 address for domain names
that have only IPv6 address records;
*) snmp - provide ups alarms for bad or low battery or for ups overload;
*) route - fixed SNMP getnext queries, were failing to find next
prefix in the OID order;

http://www.mikrotik.com/download.html

Normis, why are the mipsle files the only ones in a separate directory? It was like that in the 5.5 release, and it’s the same in 5.6… When you changed all WinBox menus to alphabetical order it was a bit uncomfortable at first, but then it turned out to be very cosy. But I bet nobody likes it when all packages are in one heap!.. It’s very easy to mis-select a package for another platform when uploading a new version… And it wastes space when you try to make your own per-platform folders and have to leave the original files in place for torrent seeding…

Hi Normis,

Is ticket #2011062866000285 fixed in this release?

recreating torrent file, so files are in folders as expected.

edit: 10:40 EEST torrent file is corrected. You should re-download the file.

edit, this should be fixed.

nice, thanks!

Are there any changes relating to #2011062966000309 in this release?

No, it will be fixed in one of the future releases.

Hello,

After updating from 5.5 I’m getting lots of layer7 errors:

log print
13:43:55 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:43:56 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:43:56 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:43:56 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:43:56 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:43:56 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:00 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:00 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:00 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:00 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:00 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:00 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:00 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:02 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:02 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:02 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:02 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:02 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:02 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:02 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:02 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:02 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:03 system,info,account user admin logged in from 192.168.6.250 via telnet
13:44:03 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:03 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:03 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:03 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:03 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:12 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:12 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:12 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:12 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:12 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:12 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:12 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:13 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:13 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:13 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:13 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:13 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:13 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:13 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:17 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:17 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:17 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:17 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:17 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:17 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:17 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:17 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:17 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:17 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:17 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:17 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:18 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:18 firewall,warning layer7 match failed, regexp too complex (http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\t-\r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01].[019])
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:20 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:21 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:22 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:22 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:22 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:30 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:30 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:30 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:30 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:30 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:30 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:30 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))

I’m using layer 7 with mangle and queue tree.

Thanks
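With a log flood like the one in the post above, the useful first step is to reduce it to the set of layer7 regexps that the firewall is now refusing, with a hit count per pattern, so each affected rule can be reviewed or disabled instead of reading hundreds of identical warnings. The small parser below is an added example written for this thread, not RouterOS code or anything from the original post; the sample log lines embedded in it are constructed to mirror the `/log print` format shown above.

```python
import re
from collections import Counter

# Constructed sample lines in the RouterOS "/log print" shape seen in the post:
# "<HH:MM:SS> <topic,topic,...> <message>". Not a real capture.
SAMPLE_LOG = r"""13:43:55 firewall,warning layer7 match failed, regexp too complex (^(.?.?\16\03.*\16\03|.?.?\01\03\01?.*\0B))
13:44:00 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:00 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]* (e?smtp|simple mail))
13:44:02 firewall,warning layer7 match failed, regexp too complex (^220[\t-\r -~]*ftp)
13:44:03 system,info,account user admin logged in from 192.168.6.250 via telnet
"""

# One log record: time, comma-separated topics, free-text message.
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<topics>[\w,-]+) (?P<msg>.*)$")

# The warning text wraps the offending regexp in a trailing parenthesised group.
L7_PREFIX = "layer7 match failed, regexp too complex ("


def parse_line(line):
    """Split one RouterOS log line into time, topic list and message; None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return {"time": m["time"], "topics": m["topics"].split(","), "msg": m["msg"]}


def failed_layer7_patterns(log_text):
    """Count 'regexp too complex' warnings per layer7 pattern, ignoring all other log records."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or "firewall" not in rec["topics"]:
            continue
        msg = rec["msg"]
        if msg.startswith(L7_PREFIX) and msg.endswith(")"):
            # Strip the fixed prefix and the closing parenthesis; what is left is the regexp text.
            counts[msg[len(L7_PREFIX):-1]] += 1
    return counts


def ranked_failures(log_text):
    """Same counts as a list of (pattern, count), most frequent first, ties broken by pattern text."""
    counts = failed_layer7_patterns(log_text)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for pattern, n in ranked_failures(SAMPLE_LOG):
        print(f"{n:5d}  {pattern}")
```

Feed it the output of `/log print` saved to a file and the ranked list tells you which layer7 entries to look at; the telnet login line in the sample shows that records from other topics are skipped rather than misparsed.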

I’m trying to get the meaning of this:

*) sstp - when server certificate verification is enabled for sstp client,
it will additionally compare IP addresses found in certificate’s
subjectAltName and subject CN to the real address, DNS names are ignored;


What does this mean in simple terms? Do I now have to have the server IP address as a subjectAltName in the certificate? Is the SSTP server now forcing the client to perform additional checks on the certificate? Are DNS names in the CommonName ignored in favor of IP addresses in the AltName?

Is SSTP going to be easier or more difficult to use?

Sorry for the many questions, but I really have no idea what this release note covers.

GL

Yes, now you have to set server’s IP address (not DNS name) when creating certificate.

SSTP is not harder to use, it is just an additional security feature.

Nothing about wireless? :confused:

Hello Normis,

Is ticket #2011072166000401 fixed in this release?

Thanks,
Dzieva

OK. So let’s assume for a moment that I’m running a VPN server and want to connect to it using SSTP. I generate my certificate signing request and for the CN I use the server IP. I then submit the certificate signing request to Godaddy or any other signing CA (windows will not connect to servers showing a certificate that is not signed by a trusted signing CA). They will throw out the CSR since the CN would not contain a valid domain name.

I’m then stuck creating my own CA and distributing root certificates to my users who may or may not know how to import them into which keystore.

If this is what 5.6 is doing, then it sounds like the killing of an otherwise useful routeros feature.

Thanks
GL

It’s pretty much an industry standard to use domain names, how exactly is this a ‘feature’?

Because nameservers cannot be trusted.

That’s why windows for example will not accept the server certificate unless it’s signed by a trusted signer. So now not only will they have to contaminate the DNS, they will also have to generate a valid signed certificate in your domain name.

So now IE/FF/Chrome/Opera/Safari should warn us every time we visit a secure site like https://amazon.com that although the certificate is in order, we should better use http://72.21.211.176 because DNS servers can be hijacked left and right? (what about DNSSEC btw.) This game had been played and the winner is the domain name. Do not re-invent this wheel.

–I feel however that we are misunderstanding something here and was hoping that MT could give a better explanation instead of this half sentence … this goes back to an earlier issue that better changelogs are needed instead of these misleading half sentences–

Still no IPv6 love with no DHCPv6-PD

Hi,

I think that the changelog is a little bit confusing.

It should be: “if CN has IP compare, if CN has fqdn ignore, if subjectAltName has IP compare to real IP address of the server. Only one is required”.

@Normunds: Can you please confirm if it is like this?

I successfully created the server certificate with fqdn on CN, IP of server in subjectAltName, and it works.

If you read about subjectAltName and IPsec, you will find a couple of places explaining why subjectAltName must be used.

Kind regards,
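To make the reading of the changelog in the post above concrete: the client compares the address it actually connected to against the IP-form identities in the certificate, taking IP entries from subjectAltName and a CN that is itself an IP address, and skips DNS names entirely. The code below is an added example for this thread, not RouterOS code, and it models only that comparison step, not chain validation or the SSTP handshake. It assumes (my reading of Normis’s answer, not something the page states outright) that a certificate with no IP identity at all fails the check. The certificate identities and addresses in it are constructed sample values in documentation ranges.

```python
import ipaddress

# Constructed sample certificate identities (not real certificates).
# SAN entries are (type, value) pairs as they would be read from the extension.
CERT_FQDN_CN_WITH_IP_SAN = ("vpn.example.com", [("DNS", "vpn.example.com"), ("IP", "203.0.113.10")])
CERT_IP_CN_ONLY = ("203.0.113.10", [])
CERT_DNS_ONLY = ("vpn.example.com", [("DNS", "vpn.example.com")])
CERT_IPV6_SAN = ("vpn.example.com", [("IP", "2001:db8::1")])


def _as_ip(value):
    """Parse a string as an IPv4/IPv6 address; None when it is a hostname or garbage."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def certificate_ip_identities(subject_cn, san_entries):
    """Collect the IP addresses a certificate claims to identify.

    IP-type subjectAltName entries are used, and so is the subject CN if it
    parses as an IP address. DNS names (SAN dNSName entries or a hostname CN)
    are ignored, matching the "DNS names are ignored" wording of the changelog.
    """
    ips = set()
    for kind, value in san_entries:
        if kind.upper() == "IP":
            ip = _as_ip(value)
            if ip is not None:
                ips.add(ip)
    cn_ip = _as_ip(subject_cn) if subject_cn else None
    if cn_ip is not None:
        ips.add(cn_ip)
    return ips


def address_matches_certificate(peer_address, subject_cn, san_entries):
    """True when the address the client connected to is one of the certificate's IP identities.

    Addresses are compared as parsed objects, so differently written forms of
    the same IPv6 address still match. Assumption (labelled in the lead-in):
    a certificate with no IP identity at all is rejected.
    """
    peer = _as_ip(peer_address)
    if peer is None:
        raise ValueError(f"peer address is not an IP address: {peer_address!r}")
    return peer in certificate_ip_identities(subject_cn, san_entries)


if __name__ == "__main__":
    cn, san = CERT_FQDN_CN_WITH_IP_SAN
    print(address_matches_certificate("203.0.113.10", cn, san))  # the working setup from the post
    cn, san = CERT_DNS_ONLY
    print(address_matches_certificate("203.0.113.10", cn, san))  # DNS names alone do not satisfy it
```

The first case is the configuration the poster reports as working (FQDN in the CN, server IP in subjectAltName); the DNS-only certificate is the one the earlier posts worried about. Keeping the FQDN in the CN and adding the IP as a SAN is what lets one certificate satisfy both a public CA and this check.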

Still no IPv6 love with no DHCPv6-PD

I already told you no sooner than v5.8 :wink: