Community discussions

  • 1
  • 2
  • 3
  • 4
  • 5
  • 7
 
erty
just joined
Posts: 1
Joined: Sat Apr 06, 2019 4:24 pm

Re: v6.45beta [testing] is released!

Sat Apr 06, 2019 4:32 pm

RouterOS 6.45beta27
When I set neighbor discovery interface to "!WAN" and then do "export" command I've see in console print:
/ip neighbor discovery-settings
set discover-interface-list=WAN
Without "!" symbol. But if I do "export verbose" it show me
set discover-interface-list=!WAN
It is not good in case of simple copy/paste exported settings
 
User avatar
eworm
Member
Member
Posts: 332
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Mon Apr 08, 2019 1:11 pm

*) fetch - added SFTP support;
Yes, can't wait to use this! Is there a way to use it with public key authentication?
Before we start discussing any advanced features... How does this work at all? Looks like mode=sftp is not a valid syntax for fetch.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5890
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.45beta [testing] is released!

Mon Apr 08, 2019 1:15 pm

@eworm with url=sftp://xxx.xx/
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 451
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 2:25 pm

Version 6.45beta31 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta31 (2019-Apr-12 10:29):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) conntrack - fixed "loose-tcp-tracking" parameter not taken in action (introduced in v6.44);
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcp - do not require lease and binding to have the same configuration for dual-stack queues;
*) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues;
*) dhcpv4-server - added "client-mac-limit" parameter (CLI only);
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters (CLI only);
*) dhcpv6-server - added "route-distance" parameter (CLI only);
*) dhcpv6-server - fixed binding setting update from RADIUS;
*) fetch - added SFTP support;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods (CLI only);
*) ipsec - added traffic statistics to "active-peers" menu (CLI only);
*) ipsec - general improvements in policy handling;
*) ipsec - replaced policy SA address parameters with peer setting;
*) ipsec - use tunnel name for dynamic IPsec peer name;
*) ipv6 - adjusted IPv6 route cache max size;
*) lte - fixed session reactivation on R11e-LTE in UMTS mode;
*) snmp - added "radio-name" (mtxrWlRtabRadioName) OID support;
*) ssh - added "both", "local" and "remote" options for "forwarding-enabled" parameter;
*) tunnel - removed "local-address" requirement when "ipsec-secret" is used;
*) userman - added support for "Delegated-IPv6-Pool";
*) userman - added support for "Delegated-IPv6-Pool" and "DNS-Server-IPv6-Address" (CLI only);
*) wireless - improved wireless country settings for EU countries;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
osc86
newbie
Posts: 43
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 2:39 pm

----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------
Amazing news! Thanks!
CCR1009-7G-1C-1S+ ROS6.45.1
 
muetzekoeln
Member Candidate
Member Candidate
Posts: 105
Joined: Fri Jun 29, 2018 2:34 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 2:53 pm

Version 6.45beta31 has been released.

*) wireless - improved wireless country settings for EU countries;

Please explain!
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 23998
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 2:59 pm

Not all frequency ranges had designation "indoor only" or "outdoor only". One range was incorrectly labeled, this is fixed now. 5250-5330 now is correctly marked as indoor.
No answer to your question? How to write posts
 
tangram
Member Candidate
Member Candidate
Posts: 126
Joined: Wed Nov 16, 2016 9:55 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 3:25 pm

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

Holy Jumpin' Jesus !
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 451
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 3:31 pm

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
 
Beone
Member Candidate
Member Candidate
Posts: 243
Joined: Fri Feb 11, 2011 1:11 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 4:06 pm

Not all frequency ranges had designation "indoor only" or "outdoor only". One range was incorrectly labeled, this is fixed now. 5250-5330 now is correctly marked as indoor.

is the impact purely cosmetic or also effectively changes frequency list allowed to use depending installation type indoor/outdoor?

what about passive probing indication for unii-1 band?
 
Paternot
Long time Member
Long time Member
Posts: 573
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 4:36 pm

Version 6.45beta31 has been released.
*) ipsec - replaced policy SA address parameters with peer setting;
A dream come true! :D
Version 6.45beta31 has been released.
*) ipsec - general improvements in policy handling;
*) ipsec - use tunnel name for dynamic IPsec peer name;
What, exactly, these two mean?
 
User avatar
pcunite
Forum Veteran
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 11:05 pm

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.
 
Jinaria
just joined
Posts: 2
Joined: Fri Apr 12, 2019 11:38 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 11:47 pm

Version 6.45beta31 has been released.
after upgrading RB3011 from Beta 27 to Beta 31, I was no longer been able to access the device by IP nor mac address via winbox or browser.
There was no error on the device display, dhcp server failed to assign any IP and setting manual ip address did not help either. So I reset the config and restored the backup config file, same issue.
The only solution was: downgrade to Beta 27 and restore the backup.
Last edited by Jinaria on Sat Apr 13, 2019 1:54 am, edited 1 time in total.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 12:41 am

An AC2 Lite TC ( RB 952-Ui-5ac2nD ) seems to have trouble with WiFi on beta 31.

- All ether* and wifi* are in a bridge
- wifi2 ( 5 GHz ) is in pseudo bridge mode - connects to upstream AC2
- wifi1 ( 2.4 GHz) is disabled
- ether1 feeds a notebook
- No firewall rules
- It's a basic wireless - to - wired bridge

The device is not able to obtain a DHCP client address - "searching...." which lasts forever. The few times it did work, ping to the upstream was very unstable - some took up to 2 seconds (normal is 1ms) and maybe 2/3 lost.

Did not occur on beta 27. I also updated Routerboard Firmware when updating from 27 to 31.

Reverting back to 6.44.2 "stable" immediately fixed the issue.

PS - looks very similar to the message above from @Jinaria, "after upgrading RB3011 from Beta 27 to Beta 31..."
 
huntermic
newbie
Posts: 33
Joined: Wed Oct 26, 2016 3:42 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 10:02 am

Version 6.45beta31 has been released.
after upgrading RB3011 from Beta 27 to Beta 31, I was no longer been able to access the device by IP nor mac address via winbox or browser.
There was no error on the device display, dhcp server failed to assign any IP and setting manual ip address did not help either. So I reset the config and restored the backup config file, same issue.
The only solution was: downgrade to Beta 27 and restore the backup.
I had the same issue on a RB4011, plugging pc in another port did the trick.
 
User avatar
osc86
newbie
Posts: 43
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 10:47 am

I hope they'll add an option to remove single SAs in the future.
CCR1009-7G-1C-1S+ ROS6.45.1
 
Jinaria
just joined
Posts: 2
Joined: Fri Apr 12, 2019 11:38 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 12:15 pm


I had the same issue on a RB4011, plugging pc in another port did the trick.
The issue on my RB3011 affects all of the ports, connecting to different port/switch didn't fix the issue for me.
 
korniza
newbie
Posts: 26
Joined: Fri Jan 06, 2012 4:05 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 2:49 pm

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My winbox is v3.18.
Anyone has same issue?
 
User avatar
osc86
newbie
Posts: 43
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 6:34 pm

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My winbox is v3.18.
Anyone has same issue?
Happens to me, too.
CCR1009-7G-1C-1S+ ROS6.45.1
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 640
Joined: Fri Nov 10, 2017 8:19 am

Re: v6.45beta [testing] is released!

Sun Apr 14, 2019 5:24 am

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My winbox is v3.18.
Anyone has same issue?
Happens to me, too.
By my experience, sometime, crash of winbox produces autosupout. If you get it, it would be good if you can send it to mikrotik support so they can fix it :)
 
korniza
newbie
Posts: 26
Joined: Fri Jan 06, 2012 4:05 pm

Re: v6.45beta [testing] is released!

Sun Apr 14, 2019 10:45 pm

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My winbox is v3.18.
Anyone has same issue?
Happens to me, too.
By my experience, sometime, crash of winbox produces autosupout. If you get it, it would be good if you can send it to mikrotik support so they can fix it :)
I just send the autosupport.rif. thank you for your advice
 
User avatar
eworm
Member
Member
Posts: 332
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Mon Apr 15, 2019 12:04 pm

*) lte - fixed session reactivation on R11e-LTE in UMTS mode;
I think this hit me a lot in the past... Hope this will make its way into next stable release.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
mkx
Forum Guru
Forum Guru
Posts: 2457
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Mon Apr 15, 2019 3:04 pm

I think this hit me a lot in the past... Hope this will make its way into next stable release.
Quite probably ... when 6.45 branch will be the stable branch.
BR,
Metod
 
User avatar
eworm
Member
Member
Posts: 332
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Mon Apr 15, 2019 3:07 pm

I think this hit me a lot in the past... Hope this will make its way into next stable release.
Quite probably ... when 6.45 branch will be the stable branch.
I hope for 6.44.3. :wink:
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
phin
just joined
Posts: 15
Joined: Mon Dec 04, 2017 11:25 pm

Re: v6.45beta [testing] is released!

Mon Apr 15, 2019 9:52 pm

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.
Oh man, that would be awesome!
 
UserDude
just joined
Posts: 1
Joined: Tue Apr 16, 2019 9:01 am

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 9:12 am


What's new in 6.45beta31 (2019-Apr-12 10:29):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
So this means wired 802.1x is now supported I guess. Any idea how we can configure this through CLI ?
Also is there a planned GUI support version of it coming soon ?
 
User avatar
osc86
newbie
Posts: 43
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 11:08 am

So this means wired 802.1x is now supported I guess. Any idea how we can configure this through CLI ?
Also is there a planned GUI support version of it coming soon ?
Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
CCR1009-7G-1C-1S+ ROS6.45.1
 
nostromog
Member Candidate
Member Candidate
Posts: 123
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 7:06 pm

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration:
/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
After the upgrade, the CPU was 100%, most of it in ipsec, and / export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C it.

Same problem as before. :( The router was sluggish but I could select long-term and downgrade to 6.43.13.

Then the machine went up, but ssh was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I went in, re-ebabled it, rebooted and the following IPsec configuration appeared:
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
I copied away the ipsec config, which was broken in any case, and tried an experiment: remove all ipsec config, piece by piece
until /ip ipsec export would produce an empty comment. Then I upgraded to get:
* 6.44.2 (100% CPU, could not get /ip ipsec export working)
* 6.45beta31 (same, 100% CPU, could not get /ip ipsec export working).

Is RouterOS keeping all configs hidden somethere, or where is this 100% CPU spinning coming from?

I settled by returning to long term and reconstructing my ipsec config, changing it to xauth and adding users. It is now working well... I was trying to test ike2,
but instead I'm now stuck in long-term.

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Thanks for any help, things are getting messy in this router. Other routers are having no problems at all with ipsec/6.44/6.54beta. I have a production h AP ac running 6.44, as I'm afraid to update it and get the same behaviour
 
mkx
Forum Guru
Forum Guru
Posts: 2457
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 10:19 pm

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?
Almost certain way would be netinstall directly to desired ROS version. And then import config from textual export.
BR,
Metod
 
nostromog
Member Candidate
Member Candidate
Posts: 123
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 11:50 pm

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?
Almost certain way would be netinstall directly to desired ROS version. And then import config from textual export.
I'm leaving the place where the machine that failed to upgrade yesterday is in a few hours, not to return in more than one month... I could upgrade/downgrade remotely, but certainly not netinstall.

The place where I'm running 6.44 and I don't dare upgrade is remote also, I might have an opportunity to get there and upgrade with possible netinstall in 2/3 months... Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures... I'll do more experiments in 5 weeks when I return here.

Unreliable upgrades are a big problem, I can't understand how deleting configuration still leds to failure to upgrade
 
User avatar
osc86
newbie
Posts: 43
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 12:52 am

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration:
/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
After the upgrade, the CPU was 100%, most of it in ipsec, and / export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C it.

Same problem as before. :( The router was sluggish but I could select long-term and downgrade to 6.43.13.

Then the machine went up, but ssh was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I went in, re-ebabled it, rebooted and the following IPsec configuration appeared:
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
I copied away the ipsec config, which was broken in any case, and tried an experiment: remove all ipsec config, piece by piece
until /ip ipsec export would produce an empty comment. Then I upgraded to get:
* 6.44.2 (100% CPU, could not get /ip ipsec export working)
* 6.45beta31 (same, 100% CPU, could not get /ip ipsec export working).

Is RouterOS keeping all configs hidden somethere, or where is this 100% CPU spinning coming from?

I settled by returning to long term and reconstructing my ipsec config, changing it to xauth and adding users. It is now working well... I was trying to test ike2,
but instead I'm now stuck in long-term.

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Thanks for any help, things are getting messy in this router. Other routers are having no problems at all with ipsec/6.44/6.54beta. I have a production h AP ac running 6.44, as I'm afraid to update it and get the same behaviour
Looks similar to the problem I had with 6.44. Bad news is, I had to netinstall to get rid of the broken parts, caused by the migration of configuration, when I up/down-graded the firmware.
viewtopic.php?f=21&t=145793&start=150#p719370
CCR1009-7G-1C-1S+ ROS6.45.1
 
ssbaksa
newbie
Posts: 27
Joined: Tue Oct 20, 2015 10:38 am

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 8:39 am

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
When dot1x become official, will it be applied to all switches (Router OS based as well as Switch OS)?
 
estdata
Frequent Visitor
Frequent Visitor
Posts: 98
Joined: Mon Feb 20, 2012 9:05 pm
Contact:

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 1:38 pm

Help me adjust the speeds so that the patch goes. I have a 500/500 connection but do not come through the RB2011 router
don't forget to give me karma if got help
....
 
User avatar
null31
Member Candidate
Member Candidate
Posts: 177
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 9:18 pm

Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures...

Connect your machine and router to an switch, then run netinstall with Wine as sudo and will work flawlessly.
I didn't had problems with netinstall on 3 mAP and all of them installed ROS on the first try with no fails.

I'm using wine 4.5 with staging patch.
 
EvgeniyV
just joined
Posts: 4
Joined: Sun Oct 28, 2018 5:49 pm

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 10:29 pm

I'm back to the future. Time bug in Interface - Last link time. See the attached picture.
My time zone GMT +3 , time update by cloud. Routerboard time (clock) is normal.
6.45beta22
mikrotik date bag.png
You do not have the required permissions to view the files attached to this post.
 
vikinggeek
just joined
Posts: 5
Joined: Sat Aug 02, 2014 4:14 am

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 9:47 am

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.
@pcunite - Can you provide a pointer to how to obtain the certificate? Currently, Still need to have the AT&T Modem attached while booting, but thereafter running directly on the fiber via the OSP port (behind a Cienna 5000 series building concentrator)
 
palii
just joined
Posts: 16
Joined: Sun Nov 19, 2017 6:57 pm

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 11:51 am

The command ssh-exec with rsa key pairs works like a charm shutting down my Synology now. Thanks a million!
 
nostromog
Member Candidate
Member Candidate
Posts: 123
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 12:32 pm

Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures...
Connect your machine and router to an switch, then run netinstall with Wine as sudo and will work flawlessly.
I have no switch, I connected them straight, which gives perfect connection. Not sure if this could interfere with netinstall

I didn't had problems with netinstall on 3 mAP and all of them installed ROS on the first try with no fails.

I'm using wine 4.5 with staging patch.
I could not in a mAP Lite which I have as laboratory in several tries.

I used both wine-stable-3.0-1ubuntu1 and wine-development-3.6-1 on Ubuntu 18.04.2 LTS. I have not used windows in the last 15 years, so I might have made some mistake in either the windows stuff or how linux runs it.

I think the problems were due to being very tricky to handle connect power while hold-pushing the button for some time, with such small button, so close to the USB power, and my hand too big for such small piece.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 451
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 1:32 pm

Version 6.45beta34 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta34 (2019-Apr-18 08:59):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcp - do not require lease and binding to have the same configuration for dual-stack queues;
*) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues;
*) dhcpv4-server - replaced "busy" lease status with "conflict" and "declined";
*) dhcpv6-client - fixed status update when leaving "bound" state;
*) dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS;
*) e-mail - include "message-id" identification field in e-mail header;
*) ike1 - fixed rekeying process when NAT is detected (introduced in v6.45beta16);
*) ospf - added support for link scope opaque LSAs (Type 9) for OSPFv2;
*) ospf - improved "unknown" LSA handling in OSPFv3;
*) supout - changed IPv6 pool section to output detailed print;
*) tr069-client - added LTE CQI and IMSI parameter support;
*) tr069-client - fixed potential memory corruption;
*) winbox - fixed crash when opening CAPsMAN menu (introduced in v6.45beta27);
*) wireless - fixed "country-info" printing (introduced in v6.45beta27);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
pcunite
Forum Veteran
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 3:52 pm

dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.

@pcunite - Can you provide a pointer to how to obtain the certificate? Currently, Still need to have the AT&T Modem attached while booting, but thereafter running directly on the fiber via the OSP port (behind a Cienna 5000 series building concentrator)

It is discussed here (and elsewhere) based on the findings of this blog.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 11:54 pm

Anyone seeing trouble with IPSec in 6.45beta34?

I received a new RB 4011 today - updated to 6.45beta34 right away - rebuilt my config (copy / pasted snippets from .asc file, piece by piece).

My IPSec tunnels come (GRE, cert auth) come up partially to "SA established" on the server - and then get "deleted" from the RB 4011 side. And it repeats like this, with policy stuck as "no phase 2".

Tried switching from ECDSA to RSA certificates (I have a script) - no difference.

Downgraded to 6.44.2 - after fixing "local address" in polices (required in 6.44, can be left as 0.0.0.0/0 in 6.45) - they got to "established" immediately.

Upgraded to 6.45beta34 again - broken again.

Should I send a support request with supout.rif?

PS - one of my two *idential* tunnels - I mean they use same CA, just different "remote" certs - got to "established" once or twice without my doing anything. But disabling / re-enabling the policy brought the problem back.

PPS - changed SA proposal from aes128-ctr to aes256-gcm and now both policies / peers are working, I can disable / re-enable.

But I had them at aes256-gcm initially! Changed back to aes128-ctr and working again!

Seems like there is something funny going on in 6.45-31 maybe with programming the cpu according to encryption settings (both aes-ctr and aes-gcm are HW accel on this device).
 
User avatar
osc86
newbie
Posts: 43
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 3:56 am

After ugrading from beta31 to beta34, none of the ipsec tunnels work. Reverted back to b31.
CCR1009-7G-1C-1S+ ROS6.45.1
 
pawelkopec88
just joined
Posts: 8
Joined: Wed Mar 14, 2018 11:06 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:38 am

Anyone seeing trouble with IPSec in 6.45beta34?

I received a new RB 4011 today - updated to 6.45beta34 right away - rebuilt my config (copy / pasted snippets from .asc file, piece by piece).

My IPSec tunnels come (GRE, cert auth) come up partially to "SA established" on the server - and then get "deleted" from the RB 4011 side. And it repeats like this, with policy stuck as "no phase 2".

Tried switching from ECDSA to RSA certificates (I have a script) - no difference.

Downgraded to 6.44.2 - after fixing "local address" in polices (required in 6.44, can be left as 0.0.0.0/0 in 6.45) - they got to "established" immediately.

Upgraded to 6.45beta34 again - broken again.

Should I send a support request with supout.rif?

PS - one of my two *idential* tunnels - I mean they use same CA, just different "remote" certs - got to "established" once or twice without my doing anything. But disabling / re-enabling the policy brought the problem back.

PPS - changed SA proposal from aes128-ctr to aes256-gcm and now both policies / peers are working, I can disable / re-enable.

But I had them at aes256-gcm initially! Changed back to aes128-ctr and working again!

Seems like there is something funny going on in 6.45-31 maybe with programming the cpu according to encryption settings (both aes-ctr and aes-gcm are HW accel on this device).

I have same issue. But i have the ipsec static tunnels. GRE tunnel doesnt up. I have CCR1009 6.45beta34, the second site have is CCR1009 on 6.43.1. On IPsec peers I changed from IKE2 to main mode on both side. After that my GRE Tunnel going up.
 
pawelkopec88
just joined
Posts: 8
Joined: Wed Mar 14, 2018 11:06 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:40 am

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration:
/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
After the upgrade, the CPU was 100%, most of it in ipsec, and / export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C it.

Same problem as before. :( The router was sluggish but I could select long-term and downgrade to 6.43.13.

Then the machine went up, but ssh was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I went in, re-ebabled it, rebooted and the following IPsec configuration appeared:
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
I copied away the ipsec config, which was broken in any case, and tried an experiment: remove all ipsec config, piece by piece
until /ip ipsec export would produce an empty comment. Then I upgraded to get:
* 6.44.2 (100% CPU, could not get /ip ipsec export working)
* 6.45beta31 (same, 100% CPU, could not get /ip ipsec export working).

Is RouterOS keeping all configs hidden somethere, or where is this 100% CPU spinning coming from?

I settled by returning to long term and reconstructing my ipsec config, changing it to xauth and adding users. It is now working well... I was trying to test ike2,
but instead I'm now stuck in long-term.

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Thanks for any help, things are getting messy in this router. Other routers are having no problems at all with ipsec/6.44/6.54beta. I have a production h AP ac running 6.44, as I'm afraid to update it and get the same behaviour
Looks similar to the problem I had with 6.44. Bad news is, I had to netinstall to get rid of the broken parts, caused by the migration of configuration, when I up/down-graded the firmware.
viewtopic.php?f=21&t=145793&start=150#p719370
Change main mode frome IKE2 to main for example. Should be work. I think that on the newest beta IKE2 doesn't work
 
nescafe2002
Long time Member
Long time Member
Posts: 599
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:43 am

Please create a supout.rif as soon as you realize something is wrong and send it - with description of what you expected versus what happened instead - to support with supout.rif.

This instruction is posted in every release note:

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:55 am

Change main mode frome IKE2 to main for example. Should be work. I think that on the newest beta IKE2 doesn't work
I think changing IPSec settings (I tried crypto) makes it more likely to "estabilsh". But then it breaks again later (when the lifetime expires? happened while I was sleeping).

It's even funny - changing one tunnel's server settings from IKEv2 to v1 fixed both tunnels. Don't think it'll last though.

// RB 4011
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:58 am

Change main mode frome IKE2 to main for example. Should be work. I think that on the newest beta IKE2 doesn't work
I think changing IPSec settings (I tried crypto) makes it more likely to "estabilsh". But then it breaks again later (when the lifetime expires? happened while I was sleeping).

It's even funny - changing one tunnel's server settings from IKEv2 to v1 fixed both tunnels. Don't think it'll last though.

// RB 4011
Could be related to:
*) ike1 - fixed rekeying process when NAT is detected (introduced in v6.45beta16);
Funny thing, re-keying (when I trigger it from the server using swanctl --rekey) does work. But I'm using IKEv2 and there is no NAT.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1699
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.45beta [testing] is released!

Mon Apr 22, 2019 9:05 am

After upgrade of CRS125 it stopped to be visible in a neigherhood and for WinBox.
Real admins use real keyboards.
 
CharliesTheMan
just joined
Posts: 1
Joined: Mon May 14, 2018 11:22 pm

Re: v6.45beta [testing] is released!

Mon Apr 22, 2019 6:52 pm

I just had a similar problem. When updating to 6.45beta34 from the previous beta version, I lost IP config, IP address changed to 0.0.0.0 and checking for package updates in winbox brought up a DNS error, "Could not resolve DNS host name" and trying to load web pages brought me the same results. I tried restoring known working config and did not resolve anything. After downgrading back to 6.44.2 everything worked perfect immediately. It's definitely something related to beta34 because on previous 6.45beta (Ibelieve it may have been beta27) everything worked great.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 451
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue Apr 23, 2019 9:18 am

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 7

Who is online

Users browsing this forum: No registered users and 18 guests