v7.2 is released!

colinardo · April 11, 2022, 2:03pm

Hi.
in the current release there is a problem with dot1x (mac/dot1x) authentication and dynamic vlan assignment with usermanager as radius server. The same settings were successfully tested with RouterOS release 7.1.5(CHR_x86), but in the current release 7.2 (CHR_x86) the setup fails.
RouterOS sends multiple radius requests, always gets Access-Accept from usermanager, but it fails to unblock the port and assignment to the vlan as untagged port.

Demo Config used to reproduce the problem

# apr/11/2022 16:06:40 by RouterOS 7.2
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridgeLocal protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridgeLocal name=vlan200 vlan-id=200
/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=ether3
/ip pool
add name=pool_vlan200 ranges=10.200.0.10-10.200.0.254
/ip dhcp-server
add address-pool=pool_vlan200 interface=vlan200 lease-time=1h name=dhcp_vlan200
/user-manager user
add attributes=Tunnel-Private-Group-ID:200,Tunnel-Medium-Type:6,Tunnel-Type:13 name=00:0C:29:16:E1:B7
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal vlan-ids=200
/interface dot1x server
add auth-types=mac-auth interface=ether3
/ip address
add address=10.200.0.1/24 interface=vlan200 network=10.200.0.0
/ip dhcp-server network
add address=10.200.0.0/24 dns-server=10.200.0.1 gateway=10.200.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/radius
add address=127.0.0.1 service=hotspot,ipsec,dot1x src-address=127.0.0.1
/radius incoming
set accept=yes
/system logging
add topics=manager
add topics=dot1x
/user-manager
set enabled=yes
/user-manager router
add address=127.0.0.1 name=local

Best Regards

osc86 · April 11, 2022, 2:12pm

he.net tunnels are working ok in 7.2. Make sure your endpoint address matches your current public address (tunnelbroker.net), it is not updated automatically. Always use the cli to add routes. Winbox route menu is still buggy af, don’t know about webfig.

sirbryan · April 11, 2022, 2:39pm

Doing anything with routes in Webfig has been broken in 7.x for a long time (which is really frustrating since I browse into RouterOS from my Macs or iPhone when Winbox (Mac) or a terminal (iPhone) are often not convenient or available). Until I started deploying 7-only devices, I had no need for Winbox.

As mentioned, CLI is best place to view them for now; I believe they work OK in Winbox.

pe1chl · April 11, 2022, 4:10pm

~~[quote=stlang post_id=925859 time=1649692965 user_id=199983]~~
Winbox is not an option for me as it’s Mac and Linux only here.
[/quote]
winbox.exe is a portable executable that easily runs under wine on both Linux and Mac.

Just download it and type “wine winbox.exe”.

normis · April 11, 2022, 5:49pm

or wine64 winbox64.exe

Larsa · April 11, 2022, 6:04pm

How to install Winbox on MacOS

Follow the Mikrotik install instructions: Run Winbox on macOS. You can install Wine64 using brew: “$ brew --cask install wine-stable”
Create a start icon using the “Script Editor” with the Apple-script code below and save it as type Application in /Applications/Winbox.

on run
	do shell script "/usr/local/bin/wine64 /Applications/Winbox.app/Contents/MacOS/winbox64.exe"
end run

Download and copy the 64 bit version of Winbox (winbox64.exe) to /Applications/Winbox.app/Contents/MacOS

4 Start “System Preferences → Security & Privacy → Privacy → Developer Tools” and add /Applications/Winbox
Screenshot 2022-04-11 at 19.59.55.png

wuffzack · April 11, 2022, 8:05pm

This CRS354-48G-4S+2Q+ feels a little cold (-274 degrees Celsius).
Only a copper pigtail cable is present in one SFP+ port, which has no temperature to report.
It is a Mellanox MCP2104-X01AB cable.

/system/health> print
Columns: NAME, VALUE, TYPE
#  NAME                VALUE  TYPE
0  temperature         -274   C   
1  cpu-temperature     61     C   
2  sfp-temperature     -274   C   
3  fan1-speed          5550   RPM 
4  fan2-speed          5445   RPM 
5  fan3-speed          5610   RPM 
6  board-temperature1  44     C   
7  board-temperature2  27     C   
8  psu1-state          ok         
9  psu2-state          ok

EDIT: I am not sure if this problem is Router OS 7.2 specific, but I just noticed it the first time after upgrading.

Rfulton · April 11, 2022, 8:38pm

7.2 on CCR2004-1G-12S+2XS

PIM-SM still does not work.

I will be submitting an FBI tip.

ingdaka · April 11, 2022, 9:09pm

Just upgraded CCR2004-16G-2S+ / Overall OK
BGP Prefix Count still 0
*) bgp - added BGP advertisements display (requires output.keep-sent-attributes to be set); even that i set output.keep-sent-attributes=yes still no info on command
[username@identity] > routing/bgp/session/dump-saved-advertisements 
numbers: 1
[username@identity] > routing/bgp/session/dump-saved-advertisements 
numbers: 0
There are 2 BGP Peers

I found this! When command is typed there is pcap file on disc that is saved. Downloaded on computer and read with a pcap reader (wireshark in my case)

Tporlapt · April 12, 2022, 4:22am

Just to update, Simple Queues with IPv6 and fq-codel are working fine for the past 24 hours. This is most welcome news.

Note · April 12, 2022, 6:43am

On paste i get this now…

if u cant paste, writing from begin is time painful

haedertowfeq · April 12, 2022, 9:05am

@Note
Can you share your mangle
Or at least ,Qos DSCP
I have 2WAN in loadbalance

jadehart · April 12, 2022, 6:57pm

I lost Winbox connectivity after I upgraded my CCR2216. I am using Winbox for MAC 3.30. I could see the router in my neighbors list, and could connect to it. When I tried to login with the default login username and password, the Winbox session simply disappeared. I upgrade a router before I even create a username and password.

mkx · April 12, 2022, 7:22pm

Winbox 3.35 should be fine.

ath · April 13, 2022, 1:55am

Applying an export filter to a VRF results in no routes being distributed.

/routing filter rule
	chain=DISTRIBUTE rule="accept"
	
/routing bgp vpn
	export-filter=DISTRIBUTE

tigro11 · April 13, 2022, 6:47am

Echoing the experience. Upgraded from 7.1.5 to 7.2 and some OpenVPN clients using AES on some routers are broken. It does not matter which AES cipher is chosen… none of them work with OpenVPN after the upgrade.

I sent the following information to Mikrotik support:

Subject: RouterOS 7.2 - OpenVPN client with AES appears broken on some routers

OpenVPN client with AES appears to be broken on some routers in RouterOS 7.2. Configs worked just fine prior to upgrade from 7.1.5. Client logs show connecting… disconnected… connecting… disconnect… but no error message. Logs on OpenVPN server (also Mikrotik devices) show no errors. Setting cipher on client and server to blowfish128 will allow tunnel to connect and stay connected. Issue appears only with AES on the following routers:

MMIPS (RB750Gr3, RB760iGS) – OpenVPN AES client FAILED

ARM (RB4011iGS+) – OpenVPN client with AES WORKED
CHR – OpenVPN client with AES WORKED
MIPSBE - OpenVPN client with AES WORKED
POWERPC (RB1200) – OpenVPN client with AES WORKED
TILE (CCR1009-7G-1C-1S+) – OpenVPN client with AES WORKED



Original notes:

Started to test RouterOS 7.2 last night. Upgraded my home office router first (RouterBOARD 750G r3 s/n 6F3806195642) from 7.1.5 to 7.2. This router has several production VPN client connections of various types (L2TP/IPSEC, OpenVPN, SSTP, and Wireguard) to remote Mikrotik devices of various types.

My L2TP/IPSEC, SSTP, and Wireguard client connections worked properly after the upgrade, but my OpenVPN connections would not connect. Two of these were OpenVPN TCP client to RouterOS 7.1.5 CHR instances and one to a Mikrotik 760iGS running 6.49.5. If I use any of the AES ciphers, the connections just bounce (connected… disconnected… connected… disconnected…) with no error messages. If I set the cipher to blowfish128, the OpenVPN clients connect and operate properly.

I then upgraded some other test routers from 7.1.5 to 7.2: two CHR instances, an old RB1200, and an RB760iGS.
•	The CHR instances have no problems to other RouterOS OpenVPN servers regardless of protocol (tcp or udp) and cipher.
•	The RB1200 and the RB760iGS routers both fail in the same way my home office router fails. Switching the cipher to blowfish128 allows the VPNs to work.

It appears that there is some sort of issue with the OpenVPN AES cipher on certain RouterOS devices in 7.2

As a last test, I took a fresh RB760iGS router out of the box, upgraded it to 7.2, factory reset the config again (no-defaults=yes) added my test VPN configuration, and created the attached supout.rif file.

Please let me know if I can provide any additional information

4/11/2022 Edit: Mikrotik support confirms there is an issue that is affecting the mmips based routers with OpenVPN AES and says it will be resolved in the next release.

BIG problem!!
maybe before a stable release first to churn out, which is tested well, thankful that I stopped with the updates of the other devices

thuety · April 13, 2022, 7:01am

Have had 3 random reboots after updating my RB2011UiAS-2HnD from 7.1.5 to 7.2.
I’ve never had this problem before, so I went back to 7.1.5 for now.

Note · April 13, 2022, 7:18am

You can get it from here…

http://forum.mikrotik.com/t/advanced-routing-failover-without-scripting/136599/1

Theo9216 · April 13, 2022, 11:01am

Problem fixed with secret disabled.

emils · April 13, 2022, 11:09am

New version v7.2.1 has been released:

http://forum.mikrotik.com/t/v7-2-1-stable-is-released/157240/1