strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

v6.38rc [release candidate] is released

Fri Sep 30, 2016 11:19 am

What's new in 6.38rc7 (2016-Sep-30 07:33):

!) ssl - fixed peer address/dns verification from certificate (affects sstp, fetch, capsman);
!) switch - added hardware stp functionality for CRS devices (http://wiki.mikrotik.com/wiki/Manual:CR ... e_Protocol);
!) winbox - now Winbox 3.6 is the minimum version that can connect to RouterOS;
*) arp - added local-proxy-arp feature;
*) capsman - added possibility to change arp, mtu, l2mtu values in datapath configuration (CLI only);
*) console - fixed typo in web-proxy (passthru to passthrough);
*) discovery - added LLDP support;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) export - do not show mac-address in export when it is not necessary;
*) firewall - added creation-time to address list entries;
*) firewall - fixed dynamic dummy firewall rules appearance in raw tables;
*) hotspot - fixed nat rule dst-port by making it visible again;
*) interface - do not treat multiple zeros as single zero on name comparison;
*) interface - show link stats in "/interface print stats-detail" output;
*) ipsec - allow to specify explicit split dns address;
*) ipsec - changed logging topic from error to debug when empty pfkey messages are received;
*) led - fixed default led settings for wAP2nDr2;
*) lte - fixed init delay after power reset;
*) mobile - added support for more Vodafone K4201-Z and ZTE MF90 modems;
*) package - fixed wireless package status after upgrade to 6.37;
*) rb850Gx2 - fixed pcb temperature monitor if temperature was above 60C;
*) snmp - do not allow to execute script if user does not have write permission;
*) tile - do not reboot device after watchdog disable/enable;
*) usb - fixed kernel failure when Nexus 6P device is removed;
*) userman - always re-fetch table data when switching between different menus;
*) userman - fixed timezone adjustment in reports;
*) users - added TikApp policy;
*) winbox - added loop-protect settings;
*) winbox - added passthrough state to web-proxy;
*) winbox - allow to unset http-proxy field on sstp client;
*) winbox - do not show health menu on RB951-2n;
*) winbox - do not show hotspot user profile incoming and outgoing filters and marks as set if there is no value specified;
*) winbox - fixed typo in dhcpv6 relay (DCHP to DHCP);
*) winbox - show address expiration time in dhcp client list;
*) winbox - show primary and secondary ntp addresses as 0.0.0.0 if none are set;
*) wireless - added api command to report country-list (/interface/wireless/info/country-list);
*) wireless - fixed rare kernel failure when connecting to nv2 access point with legacy rate select;
*) wireless - show DFS flag in country-info command output;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 11:23 am

OMG .... *) discovery - added LLDP support;

It's time for the party :)
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 12:23 pm

It is not yet available via the "check for updates" button when selecting release candidate.
Will try again later.
 
patrick7
Member
Posts: 341
Joined: Sat Jul 20, 2013 2:40 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 12:25 pm

STP... Great! What about other products with switching chip?
 
nz_monkey
Forum Guru
Posts: 2096
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 12:30 pm

!) switch - added hardware stp functionality for CRS devices
*) arp - added local-proxy-arp feature;
*) discovery - added LLDP support;

PARTY, PARTY, PARTY !!!

Thanks Mikrotik :)
 
paulct
Member
Posts: 336
Joined: Fri Jul 12, 2013 5:38 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 12:45 pm

A very nonchalant post.....not!! Great updates!!!
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 12:56 pm

Where can I configure LLDP, I can't find anything related to it in "/ip neighbor" or anywhere else.
 
MartijnVdS
Frequent Visitor
Posts: 93
Joined: Wed Aug 13, 2014 9:36 am

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 1:03 pm

Where can I configure LLDP, I can't find anything related to it in "/ip neighbor" or anywhere else.
It seems like LLDP is enabled automatically when neighbour discovery is enabled for an interface.
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 1:12 pm

Our switch sees the MikroTik in its LLDP table now, just no way to configure it on RouterOS yet I guess.
And no way to see LLDP peer table in Router OS yet.

And of course LLDP data is not in SNMP either...
 
MartijnVdS
Frequent Visitor
Posts: 93
Joined: Wed Aug 13, 2014 9:36 am

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 1:20 pm

Our switch sees the MikroTik in its LLDP table now, just no way to configure it on RouterOS yet I guess.
And no way to see LLDP peer table in Router OS yet.
I see my LLDP peers in the "/ip neighbour show" table on RouterOS. They don't have any info other than mac-address and IP (Mikrotik devices show software-id, version, etc.)
 
patrick7
Member
Posts: 341
Joined: Sat Jul 20, 2013 2:40 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 1:25 pm

Still missing in my opinion: rp_filter per interface. Should be a small thing to implement.
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 1:31 pm

I see my LLDP peers in the "/ip neighbour show" table on RouterOS. They don't have any info other than mac-address and IP (Mikrotik devices show software-id, version, etc.)
Neither of the 2 switches connected to my test MikroTik show up over LLDP in its "/ip neighbor print detail".
Last edited by tomaskir on Fri Sep 30, 2016 1:35 pm, edited 1 time in total.
 
kamillo
Member Candidate
Posts: 162
Joined: Tue Jul 15, 2014 5:44 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 1:33 pm

Great news with STP on CRS. What I would like to see is hardware support for LACP on CRS, any chance/ time scale for that?
 
athurdent
newbie
Posts: 25
Joined: Fri Sep 09, 2016 7:02 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 1:50 pm

Any chance we'll see increased wireless speeds with AC WLAN equipment like the wAP/hAP? 400-420 Mbit max with a MacBookPro seems about 100-300 Mbit slower than the competition...
Last edited by athurdent on Fri Sep 30, 2016 1:54 pm, edited 2 times in total.
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 1:51 pm

STP and LLDP, look out !
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 2:30 pm

*) arp - added local-proxy-arp feature;
when it will be in the manual? :) need at least a short description...
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 2:31 pm

Our switch sees the MikroTik in its LLDP table now, just no way to configure it on RouterOS yet I guess.
And no way to see LLDP peer table in Router OS yet.

And of course LLDP data is not in SNMP either...
Apparently only outgoing LLDP for now?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 2:32 pm

*) arp - added local-proxy-arp feature;
when it will be in the manual? :) need at least a short description...
local proxy-arp normally means: router will reply to ARP for hosts it can directly reach, not for hosts it can route to.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 2:45 pm

local proxy-arp normally means: router will reply to ARP for hosts it can directly reach, not for hosts it can route to.
in other words, it will search only interface/connected (by the way, which of two exactly? tech guys, we need your knowledge!) routes in routing table, not all routes? thanks
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 3:19 pm

If after upgrade you still see another (unnecessary) wireless package under System/Package menu, then do not worry. It will disappear after next reboot of device.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 3:19 pm

I think it is useful in the case where you have the router operating as a VPN server and your VPN clients are in the same subnet as your LAN.
Ethernet interface with local-proxy-arp will reply to ARP requests for VPN users directly connected to the router and with address in the same LAN segment as the ethernet interface.
In earlier releases you could use proxy-arp but it would make the router reply to ALL addresses it knows the route to.
This can lead to nasty problems when it is not detected. (devices without default gateway "just work" but get a very big ARP table)
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 3:40 pm

Via system package can't upgrade to 38rc since get msg "no dude.npk"
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 7:13 pm

*) snmp - do not allow to execute script if user does not have write permission;
I'm glad my ticket was addressed quickly to resolve executing scripts with read-only access.

What about adding the ability to choose which scripts are given SNMP access?
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 7:14 pm

Also, great work on getting STP for CRS and LLDP out the door!
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 7:50 pm

Updated an existing x86 installation I use for testing (running under VMware ESXi).

IPv6 is completely broken! All addresses are gone and replaced by ::/0 or ::/64 in addresses, routes and firewall.
Re-entering them appears to work but broken again after reboot.
Last edited by pe1chl on Fri Sep 30, 2016 10:44 pm, edited 1 time in total.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 8:59 pm

If after upgrade you still see another (unnecessary) wireless package under System/Package menu, then do not worry. It will disappear after next reboot of device.
Would you please provide some additional information about this.

I am asking because on some upgrades I have done from 6.36 (with 6.36 wireless-rep) to 6.37, I have been experiencing problems where the Wireless section in Winbox disappears and under packages, I see two wireless packages where one is a much older package (6.20 or something). The only fix I found was to downgrade from 6.37 to 6.36 and then restore a backup to get it working again. This is reproducible on the problem Mikrotiks when I upgrade again to 6.37.

Another question - re the reboot to make the other wireless package disappear is - what about remote clients. Is there a way to do an upgrade and have them auto-reboot if there are two wireless packages where one is an older package - then have it re-load the backup config so that the remote client Mikrotik comes back on-line?

North Idaho Tom Jones
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 9:11 pm

Local proxy arp.... Interesting.

W/o any knowledge, my guess is this:
Essentially, this would be a proxy ARP which answers for the exact inverse conditions of regular proxy arp - i.e. ONLY reply if the requested IP address is located on the same interface where the ARP request was received.

Am I right?

If so, this seems to me as the missing piece of the pie for being the hub of a NBMA topology.

e.g. You have a network with client isolation / split horizon bridge. This blocks direct client-to-client at the MAC layer. Thus clients are unable to broadcast each other or ARP spoof each other, rogue DHCP / rogue RA, etc. Normally this would make client-to-client communication impossible. If the Mikrotik answers ARP for client-to-client, then it will allow client-to-client communications at layer 3 by forcing all traffic to first get forwarded up to the router, where you can apply the usual firewall rules and not need to sacrifice fastpath by bridging with filters enabled on the bridge.....

Very great feature!
 
nz_monkey
Forum Guru
Posts: 2096
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v6.38rc [release candidate] is released

Fri Sep 30, 2016 11:23 pm

Local proxy arp.... Interesting.

W/o any knowledge, my guess is this:
Essentially, this would be a proxy ARP which answers for the exact inverse conditions of regular proxy arp - i.e. ONLY reply if the requested IP address is located on the same interface where the ARP request was received.

Am I right?
You are spot on ! :)

This is a feature I have been requesting for the last few years. Our primary application is when using a Mikrotik as an IPoE BNG. We have hundreds of vlans in a single bridge, with a DHCP server running on the bridge. We can only present 2 MAC addresses to each vlan, and don't want clients to be able to talk directly to each other. By using local-proxy-arp in combination with split horizon we can achieve this goal.

TLDR; local-proxy-arp replies to all ARP requests on the bridge with its own MAC address, but only for IPs within the subnet on that bridge.

This is the first cut of this feature by Mikrotik, and I suspect it may need further minor tweaking from the devs, specifically some DHCP client devices that upon receiving a lease send out an ARP request to verify it is not in use, and if they receive one they decline the lease. From initial testing "local-proxy-arp" replies to all ARP requests with its own MAC, so there may need to be a "reply-only local-proxy-arp" mode.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: v6.38rc [release candidate] is released

Sat Oct 01, 2016 2:56 am

If after upgrade you still see another (unnecessary) wireless package under System/Package menu, then do not worry. It will disappear after next reboot of device.
Would you please provide some additional information about this.

I am asking because on some upgrades I have done from 6.36 (with 6.36 wireless-rep) to 6.37, I have been experiencing problems where the Wireless section in Winbox disappears and under packages, I see two wireless packages where one is a much older package (6.20 or something). The only fix I found was to downgrade from 6.37 to 6.36 and then restore a backup to get it working again. This is reproducible on the problem Mikrotiks when I upgrade again to 6.37.

Another question - re the reboot to make the other wireless package disappear is - what about remote clients. Is there a way to do an upgrade and have them auto-reboot if there are two wireless packages where one is an older package - then have it re-load the backup config so that the remote client Mikrotik comes back on-line?

North Idaho Tom Jones
EDIT - Update - Good News
Working with a problem Mikrotik that every time lost the wireless interface when upgrading from 6.36 to 6.37 which resulted in two different versions of the wireless package (one was new at 6.37 and the old was 6.20 (wherever the 6.20 came from I have no idea)). Both wireless packages were disabled and the only recovery was to downgrade to 6.36 then restore the last backup configuration.

What worked was upgrading from 6.36 to 6.38rc7
The wireless link came back
However - there was still the older disabled wireless 6.20 package
I did another reboot - when it came back then everything looked good - there was no longer a second older wireless package.

North Idaho Tom Jones
Last edited by TomjNorthIdaho on Sun Oct 02, 2016 5:59 am, edited 1 time in total.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: v6.38rc [release candidate] is released

Sat Oct 01, 2016 8:57 am

... it may need further minor tweaking from the devs, specifically some DHCP client devices that upon receiving a lease send out an ARP request to verify it is not in use, and if they receive one they decline the lease. From initial testing "local-proxy-arp" replies to all ARP requests with its own MAC, so there may need to be a "reply-only local-proxy-arp" mode.
Even gratuitous ARPs?

I was thinking the solution to this would be a no-brainer: never respond to gratuitous arps.

Upon reflection, though, there is a wrinkle: what if there IS an address conflict? The gratuitous ARP should be replied to in that case.
It wouldn't matter whether this reply uses the router's MAC or the real MAC as the src. I can see both arguments: using the real MAC is useful in troubleshooting if the conflicting host can report the other MAC in the error message -vs- using the real MAC is a breach of host isolation and allows information about the neighboring hosts to leak through the isolation....

As to how to decide when to respond to gratuitous ARPs....
Maybe if a gratuitous ARP is received and there already exists such an entry in the router's ARP cache with a different MAC address, the router should unicast an ARP request to the existing MAC (if unicast ARP does not violate RFC), and if no reply is given, then ignore the gratuitous arp, and if a reply comes back, then proxy-reply to the gratuitous arp-er so it can detect the conflict.
Even this isn't perfect because the original owner of the IP may have timed out of the router's ARP cache and simply been idle since that timeout.... in which case a conflict would arise anyway.

If unicast ARP is counter-RFC (and some hosts may simply ignore unicast ARP frames), then it would be impossible to simply broadcast a new gratuitous ARP in proxy, because the original host would receive this proxied gratuitous ARP broadcast, and conclude there is a conflict.

Anyone curious about what gratuitous arp means:
http://www.taos.com/2014/07/16/understa ... tous-arps/

I learned that these are also commonly used to force ARP table updates in clustering scenarios where the cluster wasn't using a virtual MAC address. That makes a lot of sense, and I've long-since noticed that Cisco will immediately update its ARP cache whenever an IP packet arrives with a src-mac that is different than the one cached.
 
horza
just joined
Posts: 6
Joined: Sun Oct 19, 2014 3:30 pm

Re: v6.38rc [release candidate] is released

Sun Oct 02, 2016 6:23 pm

Is the loop protect dropdown in 6.38rc7 supposed to have these options?
I see it on mipsbe and x86, in both winbox and web, on all interface types that support loop protect.

https://dl.horza.org/routeros/winbox-eo ... rotect.jpg
 
nz_monkey
Forum Guru
Posts: 2096
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v6.38rc [release candidate] is released

Mon Oct 03, 2016 1:35 am

This is the first cut of this feature by Mikrotik, and I suspect it may need further minor tweaking from the devs, specifically some DHCP client devices that upon receiving a lease send out an ARP request to verify it is not in use, and if they receive one they decline the lease. From initial testing "local-proxy-arp" replies to all ARP requests with its own MAC, so there may need to be a "reply-only local-proxy-arp" mode.
I have just tested this, and can confirm that some further minor tweaking is required by Mikrotik developers.

While the new "local-proxy-arp" feature solves the issue with DHCP clients declining leases, the Mikrotik still rewrites ARP queries even if there is no entry in the Mikrotik's ARP table. This will allow for IP hi-jacking on the bridge.

A "reply-only local-proxy-arp" feature is needed that combines reply-only with local-proxy-arp. This will solve the issues with DHCP clients detecting a duplicate IP and declining the lease, and will also prevent IP hi-jacking on the bridge.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: v6.38rc [release candidate] is released

Mon Oct 03, 2016 5:44 pm

A "reply-only local-proxy-arp" feature is needed that combines reply-only with local-proxy-arp. This will solve the issues with DHCP clients detecting a duplicate IP and declining the lease, and will also prevent IP hi-jacking on the bridge.
Sounds pretty solid to me.
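
The ARP modes compared in the posts above, as an added Python model that is not part of any post and is not RouterOS code. It encodes the posters' descriptions only (proxy-arp answers for anything routed out another interface, local-proxy-arp for any address in the receiving interface's subnet, the proposed reply-only variant only for addresses already in the ARP table); the interface names, addresses, MACs and the third mode's name are constructed assumptions.

```python
"""Toy model of the proxied-ARP decision discussed in this thread (not RouterOS code)."""
import ipaddress

# Hypothetical name for the mode proposed in the thread; not a RouterOS setting.
PROPOSED = "reply-only-local-proxy-arp"
MODES = ("proxy-arp", "local-proxy-arp", PROPOSED)


class Router:
    def __init__(self, connected, routes, arp_table):
        # connected: interface -> directly attached subnet
        self.connected = {i: ipaddress.ip_network(n) for i, n in connected.items()}
        # routes: prefix -> outgoing interface; connected subnets are routes too
        self.routes = {ipaddress.ip_network(p): i for p, i in routes.items()}
        for iface, net in self.connected.items():
            self.routes[net] = iface
        # arp_table: IP -> MAC the router already knows (e.g. added by DHCP)
        self.arp_table = dict(arp_table)

    def out_interface(self, ip):
        """Longest-prefix match: the interface used to reach ip, or None."""
        addr = ipaddress.ip_address(ip)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def answers_for(self, mode, in_iface, target_ip):
        """True if the router answers an ARP request for another host's IP
        with its own MAC. Requests for the router's own address are out of scope."""
        same_subnet = ipaddress.ip_address(target_ip) in self.connected[in_iface]
        if mode == "proxy-arp":
            # Answers for every address it can route to via a different interface.
            out = self.out_interface(target_ip)
            return out is not None and out != in_iface
        if mode == "local-proxy-arp":
            # Answers for any address in the receiving subnet, known or not.
            return same_subnet
        if mode == PROPOSED:
            # Assumption: same as above, but only for addresses in the ARP table.
            return same_subnet and target_ip in self.arp_table
        raise ValueError(f"unknown mode: {mode}")


def compare(router, in_iface, targets):
    """Decision of every mode for each target address."""
    return {t: {m: router.answers_for(m, in_iface, t) for m in MODES} for t in targets}


# Constructed sample: an isolated client LAN on bridge1, a second LAN, an uplink.
SAMPLE_ROUTER = Router(
    connected={"bridge1": "192.0.2.0/24", "ether2": "198.51.100.0/24"},
    routes={"0.0.0.0/0": "ether1"},
    arp_table={"192.0.2.10": "02:00:00:00:00:0a", "192.0.2.11": "02:00:00:00:00:0b"},
)
SAMPLE_TARGETS = [
    "192.0.2.11",    # known neighbour on the same bridge
    "192.0.2.99",    # same subnet, no ARP entry
    "198.51.100.7",  # host on the other connected LAN
    "203.0.113.5",   # reachable only through the default route
]

if __name__ == "__main__":
    for target, row in compare(SAMPLE_ROUTER, "bridge1", SAMPLE_TARGETS).items():
        print(f"{target:14}", "  ".join(f"{m}={'yes' if v else 'no'}" for m, v in row.items()))
```

The `192.0.2.99` row is the case raised above: the address has no ARP entry, yet the modelled local-proxy-arp still answers for it, while the proposed variant does not.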
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.38rc [release candidate] is released

Mon Oct 03, 2016 6:07 pm

Small off-topic: isn't it time to protect port 53 DDOS for WAN interface in the default rule set ?
 
fredericmoulins
just joined
Posts: 1
Joined: Mon Oct 03, 2016 3:59 pm

Re: v6.38rc [release candidate] is released

Mon Oct 03, 2016 6:50 pm

A "reply-only local-proxy-arp" feature is needed that combines reply-only with local-proxy-arp. This will solve the issues with DHCP clients detecting a duplicate IP and declining the lease, and will also prevent IP hi-jacking on the bridge.
Hi,

I think a "-reply-only" alternative for every case, "proxy-arp-reply-only", and now "local-proxy-arp-reply-only", would be useful to be used with the dhcp-server "add-arp" option.
 
zyzelis
Member Candidate
Posts: 213
Joined: Sun Apr 08, 2012 9:25 pm

Re: v6.38rc [release candidate] is released

Mon Oct 03, 2016 7:24 pm

Small off-topic: isn't it time to protect port 53 DDOS for WAN interface in the default rule set ?
Why offtopic? it should be "must-have" feature ASAP.

+1 for this suggestion
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.38rc [release candidate] is released

Mon Oct 03, 2016 8:56 pm

OT was from ARP discussion.
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: v6.38rc [release candidate] is released

Tue Oct 04, 2016 1:45 am

OMG .... *) discovery - added LLDP support;

It's time for the party :)
yeah, imagine those people, whining/shouting/complaining/asking about LLDP for months here ;)
*imagines them all happier now /random picture of celebration. eg disco, drinks, girlfriends, etc/*
i guess then RouterOS becomes closer to version 7.0 a bit ;=)
Small off-topic: isn't it time to protect port 53 DDOS for WAN interface in the default rule set ?
isn't it easier to just set up a "whitelist" for incoming DNS traffic sources?
unless you use hundreds of random DNS services in your work and/or tend to accept DNS traffic "from strangers" (which isn't a good idea for other "essential" services as well, btw).
and generally it's working better than moving the local, querying DNS client/server on the router to "high", "unprivileged" ports from 53, partly because it has not solved the problem completely, partly because it disallows you from efficiently firewalling things. so dnsmasq and bind defaults changed in the last 2 years for such purposes in ways I criticized - just a dead end, not working well "by design".

"reply-only" configuration for ARP or "IP guard" as used in CISCO or Lucent (Juniper and VyOS differ in slang/terms ;) only circumvents a portion of ARP exploitation, not completely eliminating the problem. but it's a nifty trick if you are good with plenty of manual work (or scripting, with or without say API usage, Dude, SNMP or other means).
however for wireless it's more useful because of partial 802.1x support by ROS, at least for WiFi. which is an essential area to continue work/efforts toward, IMHO (both in Wireless and Copper/Fiber interfaces, btw).
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Oct 04, 2016 10:49 am

What's new in 6.38rc8 (2016-Oct-04 06:22):

Changes since 6.38rc7:

*) capsman - added possibility to change arp, mtu, l2mtu values in datapath configuration;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ipsec - changed logging topic from error to debug for ph2 transform mismatch messages;
*) lte - improved dwm-222 support;
*) torch - fixed aggregate statistics appearance;
*) trafficgen - fixed crash when IPv6 traffic is processed;
*) userman - fixed memory leak on user limitation calculations;
*) winbox - removed spare values from loop-protect menu;
*) wireless - fixed custom channel extension-channel appearance in console;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Tue Oct 04, 2016 11:07 pm

ERROR: missing dude-6.38rc8.npk
 
ryz
just joined
Posts: 13
Joined: Sun May 27, 2007 5:10 pm

Re: v6.38rc [release candidate] is released

Tue Oct 04, 2016 11:35 pm

The same ERROR: missing dude-6.38rc8.npk

and no packages for 6.37.1 :/
 
szalkerous
newbie
Posts: 35
Joined: Thu Jan 21, 2016 2:30 am
Location: NH, USA

Re: v6.38rc [release candidate] is released

Wed Oct 05, 2016 2:46 am

The same ERROR: missing dude-6.38rc8.npk

and no packages for 6.37.1 :/
Yup all my devices are dead in the water in terms of updates:

ERROR: missing dude-6.37.1-tile.npk (on Current/Stable channel)
ERROR: missing dude-6.38rc8-tile.npk (on Release Candidate channel)
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Wed Oct 05, 2016 4:25 pm

What's new in 6.38rc9 (2016-Oct-05 10:23):

Changes since 6.38rc8:
!) switch - added hardware stp functionality for CRS devices and small Atheros switch chips (http://wiki.mikrotik.com/wiki/Manual:CR ... e_Protocol);
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ethernet - fixed interface speed reporting for x86 in log after reboot or if "disable-running-check=yes";
*) package - show minimal supported RouterOS version under "/system resource" menu if it is specified (CLI only);
*) sms - fixed crash after modem has failed to start;
*) traffic-flow - fixed dst-port reporting if connection is not maintained by connection tracking;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Wed Oct 05, 2016 4:52 pm

IPv6 still completely broken... won't accept and keep IPv6 addresses anywhere.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Wed Oct 05, 2016 6:06 pm

*) ethernet - fixed interface speed reporting for x86 in log after reboot or if "disable-running-check=yes";
I'd rather say, removed, not fixed:
17:51:27 interface,info ether3 link up 
17:51:27 interface,info ether6 link up 
17:51:27 interface,info ether7 link up 
No more speed info
 
patrick7
Member
Posts: 341
Joined: Sat Jul 20, 2013 2:40 pm

Re: v6.38rc [release candidate] is released

Wed Oct 05, 2016 8:30 pm

STP, good work!
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Oct 06, 2016 10:11 am

Chupaka - After setting "disable-running-check=yes" links go up and do not report any status changes. If "disable-running-check=no", then links report status changes
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Oct 06, 2016 3:49 pm

What's new in 6.38rc10 (2016-Oct-06 11:28):

Changes since 6.38rc9:
*) bridge - fixed LLDP packet receive over bridge interfaces;
*) dhcp - do not show slave interfaces in dhcp server interface menu at server setup;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) led - fixed dark mode for cAP2nD (http://wiki.mikrotik.com/wiki/Manual:Sy ... ds_Setting);
*) lte - increased delay when setting sms send mode;
 
w0lt
Long time Member
Posts: 537
Joined: Wed Apr 02, 2008 2:12 pm
Location: Minnesota USA

Re: v6.38rc [release candidate] is released

Thu Oct 06, 2016 3:56 pm

I have a wAP 2nD r2 and every time I upgrade the ROS any backup file I have made gets blitzed !! What gives?
I have tried upgrading, and downgrading..same thing no backup files after doing it.

-tp
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Thu Oct 06, 2016 4:01 pm

Hello
can anyone test to access a CHR running 38 RC with Winbox and see if can log in?
my winbox won't open, it downloads the plugin and after that closes
on terminal on log i see User Login via winbox and instantly after User logout via winbox
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.38rc [release candidate] is released

Thu Oct 06, 2016 4:01 pm

I have a wAP 2nD r2 and every time I upgrade the ROS any backup file I have made gets blitzed !! What gives?
I have tried upgrading, and downgrading..same thing no backup files after doing it.

-tp
Make sure backup file is stored in flash not RAM drive.
 
Shak7
just joined
Posts: 4
Joined: Sun Jan 17, 2016 6:48 pm

Re: v6.38rc [release candidate] is released

Thu Oct 06, 2016 4:29 pm

Hello
can anyone test to access a CHR running 38 RC with Winbox and see if can log in?
my winbox won't open, it downloads the plugin and after that closes
on terminal on log i see User Login via winbox and instantly after User logout via winbox
Same thing here with RB3011.... Can't access Winbox. Webfig works.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.38rc [release candidate] is released

Thu Oct 06, 2016 4:45 pm

> I have a wAP 2nD r2 and every time I upgrade the ROS any backup file I have made gets blitzed !! What gives?
Where do you store your backups?
You seem to be using a small-flash device, so anything stored outside of the /flash folder is in fact stored in RAM and does not survive reboot.
This is documented here.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Thu Oct 06, 2016 5:02 pm

> I have a wAP 2nD r2 and every time I upgrade the ROS any backup file I have made gets blitzed !! What gives?
You should always download your backups and store them off-device! Otherwise, what use are they?
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Oct 06, 2016 5:21 pm

http://wiki.mikrotik.com/wiki/Manual:System/File

"Warning: If device has a directory named "flash" in its file list, then files which you want to be kept after system reboot/power cycle must be stored within it. As anything outside of it is kept within a RAM disk and will be lost upon reboot. Note: this does not include .npk upgrade files as they will be applied by upgrade process before system discards the RAM drive content. "
 
kez
newbie
Posts: 40
Joined: Tue Jul 05, 2005 4:13 am

Re: v6.38rc [release candidate] is released

Thu Oct 06, 2016 5:25 pm

Hello support!
We are having a lot of problems here with MikroTik queues vs. Windows 10 updates. When a customer has one PC downloading Windows 10 updates, his queue is 100% used; most of the time it is impossible to do anything else, even open a web page.
So, I was reading about it and I could see that "fq_codel" is the best way to minimize this problem.
Windows 10 updates are now downloaded from servers using FAST TCP - https://en.wikipedia.org/wiki/FAST_TCP

More info about fq_codel
http://snapon.lab.bufferbloat.net/~d/Pr ... jan-28.pdf
http://forum.mikrotik.com/viewtopic.php?f=1&t=89221
http://forum.mikrotik.com/viewtopic.php?f=2&t=63594

A few years ago, normis said this...
> thanks for the suggestion, we are looking into it for v7. currently you can use SFQ, which is also very good
http://forum.mikrotik.com/viewtopic.php ... 21#p464269

Is there any news???
Thanks!
 
roswitina
newbie
Posts: 42
Joined: Tue Mar 12, 2013 8:12 am

Re: v6.38rc [release candidate] is released

Fri Oct 07, 2016 2:46 pm

Can't login with winbox to RouterOS v6.38RC10 x86 (VM in Proxmox). Logon with RouterOS v6.38RC7 x86 works.
Console Login from Proxmox works. Login with Browser (Port 80) works also.

Rosi
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Fri Oct 07, 2016 3:15 pm

6.38rc10 IPv6 still broken...
Nobody using IPv6 here?
Or is this problem limited to x86 architecture and maybe dependent on specific config?
(I don't assume that, we use very simple config with static address)
 
csalcedo
Frequent Visitor
Posts: 80
Joined: Fri Jan 22, 2016 8:09 pm
Location: Santiago Chile

Re: v6.38rc [release candidate] is released

Fri Oct 07, 2016 4:59 pm

Yup, can't Winbox to CHR in VMware 6.38RC10
 
notToNew
Member Candidate
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: v6.38rc [release candidate] is released

Fri Oct 07, 2016 5:47 pm

Feature request: just like the new Interface-List, I'd need a Time-object with date/time.

Having this, I can set the time-object to tomorrow 06:00 and all FW rules which are configured with this object are "enabled" until the time runs out.

I have a big firewall and so I need to enable quite a few rules to allow external tests. I'm always at risk of forgetting to disable such a rule after the work is done.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: v6.38rc [release candidate] is released

Fri Oct 07, 2016 11:43 pm

> 6.38rc10 IPv6 still broken...
> Nobody using IPv6 here?
I have one CHR with 6.38rc10 for testing and IPv6 addresses stick just fine. So it must depend on something.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Sat Oct 08, 2016 11:20 am

My IPv6 config is trivial:

/ipv6 address
add address=2001:xxx:xxxx:xx::195 advertise=no interface=ether2
/ipv6 firewall filter
add action=drop chain=forward
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=icmpv6
add action=accept chain=input src-address=2001:yyy:yyyy::/64
add action=drop chain=input
/ipv6 route
add distance=1 gateway=2001:xxx:xxxx:xx::1

This was working fine until 6.37 then I upgraded it to the first v6.38rc and all IPv6 addresses are gone.
(interface address, that address in the firewall, and default route)
They now show like ::/0
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Sat Oct 08, 2016 2:21 pm

"If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash."
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Sat Oct 08, 2016 4:12 pm

Yes it looks like I need to do that. It looked more like a bug that they could easily reproduce without such details...
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.38rc [release candidate] is released

Sun Oct 09, 2016 12:27 pm

LLDP party is quite skimpy :-)
DGSLLDP.PNG
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Oct 11, 2016 2:56 pm

What's new in 6.38rc12 (2016-Oct-11 10:35):

Changes since 6.38rc10:
!) winbox - now Winbox 3.7 is the minimum version that can connect to RouterOS;
*) crs - fixed rare kernel failure on switch reset (for example, reboot);
*) dhcp - do not allow to create dhcp-server on slave interface;
*) dhcp - show dhcp server as invalid and log an error when interface becomes a slave;
*) dns - improved static dns entry add speed when regexp is being used;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ethernet - optimized packet processing on low load when irq re-balance is not necessary;
*) export - do not show interface comment in "/ip neighbor discovery" menu;
*) firewall - do not allow to increase/decrease ttl and hop-limit by 0;
*) firewall - increased max size of connection tracking table to 1048576;
*) health - show power consumption on devices which has voltage and current monitor;
*) hotspot - fixed nat rule dst-port by making it visible again for Walled Garden ip return rules;
*) lte - allow to execute concurrent info commands;
*) lte - return info data when all the fields are populated;
*) routerboot - show log message if router CPU/RAM is overclocked;
*) script - increment run count value when script is executed via snmp;
*) snmp - provide sinr in lte table;
*) trafficgen - improved fastpath support;
*) tunnel - properly export keepalive value;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
kometchtech
Member Candidate
Posts: 194
Joined: Sat Jun 15, 2013 4:25 am
Location: Japan

Re: v6.38rc [release candidate] is released

Tue Oct 11, 2016 3:27 pm

>*) ethernet - optimized packet processing on low load when irq re-balance is not necessary;

How much effect can be expected from this?
How much throughput can be expected?
 
athurdent
newbie
Posts: 25
Joined: Fri Sep 09, 2016 7:02 pm

Re: v6.38rc [release candidate] is released

Tue Oct 11, 2016 3:42 pm

Upgraded my wAP ac and I am getting warnings about CPU and memory being overclocked. I have never tinkered with any overclock settings, the CPU is running at 720 MHz.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Tue Oct 11, 2016 5:33 pm

> *) firewall - increased max size of connection tracking table to 1048576;
Guys, please comment on this in the light of this:
> This number in "max-entries" will increase only when needed. <...> It will increase when you will hit the limit for some period of time. It will use 16GB, there is no scam ;)
So, there IS a limit?..
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Oct 11, 2016 7:50 pm

athurdent - Do not worry. Feature is not fully optimized. We will work on it in further rc releases. If you have not overclocked device manually, then do not worry about this message
Chupaka - You can see the limit in IP/Firewall/Connections menu. At the bottom of the table there is Max Entries value.
 
Siona
Frequent Visitor
Posts: 83
Joined: Thu Jan 29, 2015 11:56 am

Re: RE: Re: v6.38rc [release candidate] is released

Tue Oct 11, 2016 7:57 pm

> What's new in 6.38rc12 (2016-Oct-11 10:35):
>
> *) health - show power consumption on devices which has voltage and current monitor;
.
Could you be more specific?
 
npero
Member
Posts: 317
Joined: Tue Mar 01, 2005 1:59 pm
Location: Serbia

Re: RE: Re: v6.38rc [release candidate] is released

Tue Oct 11, 2016 8:02 pm

> > What's new in 6.38rc12 (2016-Oct-11 10:35):
> >
> > *) health - show power consumption on devices which has voltage and current monitor;
> .
> Could you be more specific?
I think in devices which have voltage and current sensors they just do P = U * I
 
Siona
Frequent Visitor
Posts: 83
Joined: Thu Jan 29, 2015 11:56 am

Re: v6.38rc [release candidate] is released

Tue Oct 11, 2016 8:10 pm

That's true, but where can I find a list of these devices?
 
Kevo
Frequent Visitor
Posts: 67
Joined: Wed Oct 12, 2011 1:38 am

Re: v6.38rc [release candidate] is released

Tue Oct 11, 2016 10:17 pm

> Chupaka - You can see the limit in IP/Firewall/Connections menu. At the bottom of the table there is Max Entries value.
I tried to check this on our main router and I gave up trying to get to the end of the table. (Which brings up a problem with Webfig. There should be a paging mechanism or a scrolling window with some sort of lazy loading mechanism on the screens with potentially massive tables.) The top of the table said something like 94k connections, and I'm pretty sure we've had more than that because our bandwidth usage was only about 1Gbps at the time when I checked. I know we've been up to 1.8Gbps on that router before. Are we going to run into some kind of connection limit that will prevent us from utilizing more of our bandwidth. Do we need to split up our routing because of this? This is on the CCR1072 btw.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Oct 11, 2016 11:47 pm

> > Chupaka - You can see the limit in IP/Firewall/Connections menu. At the bottom of the table there is Max Entries value.
> I tried to check this on our main router and I gave up trying to get to the end of the table. (Which brings up a problem with Webfig. There should be a paging mechanism or a scrolling window with some sort of lazy loading mechanism on the screens with potentially massive tables.) The top of the table said something like 94k connections, and I'm pretty sure we've had more than that because our bandwidth usage was only about 1Gbps at the time when I checked. I know we've been up to 1.8Gbps on that router before. Are we going to run into some kind of connection limit that will prevent us from utilizing more of our bandwidth. Do we need to split up our routing because of this? This is on the CCR1072 btw.
I checked on my router and you do not see this in Webfig. Tested with Winbox and I can see that the value on 6.36.3 is 524288 for me.
So check with Winbox. No scrolling needed :-)

Edit: Or use SSH
[admin@MikroTik] /ip firewall connection tracking> print
enabled: auto
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
tcp-established-timeout: 1d
tcp-fin-wait-timeout: 10s
tcp-close-wait-timeout: 10s
tcp-last-ack-timeout: 10s
tcp-time-wait-timeout: 10s
tcp-close-timeout: 10s
tcp-max-retrans-timeout: 5m
tcp-unacked-timeout: 5m
udp-timeout: 10s
udp-stream-timeout: 3m
icmp-timeout: 10s
generic-timeout: 10m
max-entries: 524288
total-entries: 94
 
Kevo
Frequent Visitor
Posts: 67
Joined: Wed Oct 12, 2011 1:38 am

Re: v6.38rc [release candidate] is released

Wed Oct 12, 2016 1:18 am

> > > Chupaka - You can see the limit in IP/Firewall/Connections menu. At the bottom of the table there is Max Entries value.
> > I tried to check this on our main router and I gave up trying to get to the end of the table. (Which brings up a problem with Webfig. There should be a paging mechanism or a scrolling window with some sort of lazy loading mechanism on the screens with potentially massive tables.) The top of the table said something like 94k connections, and I'm pretty sure we've had more than that because our bandwidth usage was only about 1Gbps at the time when I checked. I know we've been up to 1.8Gbps on that router before. Are we going to run into some kind of connection limit that will prevent us from utilizing more of our bandwidth. Do we need to split up our routing because of this? This is on the CCR1072 btw.
> I checked on my router and you do not see this in Webfig. Tested with Winbox and I can see that the value on 6.36.3 is 524288 for me.
> So check with Winbox. No scrolling needed :-)
I also have the same value. I was also able to see that the report number in the list of shown connections exceeds the value reported. We had over 104K connections listed but the value showed more like 90K. Maybe there is a delay in the display that prevents the displayed number from matching the actual value. In any case, we only have 2 ports in use right now on this router at roughly 20% capacity, so I could easily see us exceeding this value if we were to ever add a couple more connections which we hope to do. I guess we'll wait and see what happens with this version.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Wed Oct 12, 2016 2:25 am

> Chupaka - You can see the limit in IP/Firewall/Connections menu. At the bottom of the table there is Max Entries value.
then please check the whole topic
Normis said the limit will auto-extend, but here we see it's hardcoded. where's the truth?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Wed Oct 12, 2016 10:36 am

Chupaka. This has changed in the latest versions. In the RC (this topic) there is a specific value which you can see.
 
djdrastic
Member
Posts: 367
Joined: Wed Aug 01, 2012 2:14 pm

Re: v6.38rc [release candidate] is released

Wed Oct 12, 2016 11:19 am

Just wanted to say: big ups for the LLDP neighbor support, guys.
Now if we can get MED and the like working as well :)
 
Lakis
Forum Veteran
Posts: 703
Joined: Wed Sep 23, 2009 7:52 pm

Re: v6.38rc [release candidate] is released

Wed Oct 12, 2016 2:25 pm

> What's new in 6.38rc12 (2016-Oct-11 10:35):
>
> Changes since 6.38rc10:
> *) health - show power consumption on devices which has voltage and current monitor;
A nice feature would be if you could add to system health the total consumption on PoE devices - the sum of all Ethernet (PoE out Power)
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Wed Oct 12, 2016 2:53 pm

> Chupaka. This has changed in the latest versions. In the RC (this topic) there is a specific value which you can see.
What about 'big-table.npk' which will extend conntrack table for those who need it big, for the price of performance? :)
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: v6.38rc [release candidate] is released

Wed Oct 12, 2016 6:00 pm

> Feature request: just like the new Interface-List, I'd need a Time-object with date/time.
>
> Having this, I can set the time-object to tomorrow 06:00 and all FW rules which are configured with this object are "enabled" until the time runs out.
>
> I have a big firewall and so I need to enable quite a few rules to allow external tests. I'm always at risk of forgetting to disable such a rule after the work is done.
Another way to do this would be to add a single "whitelist" rule based on the IP address(es) of the test source. Place this rule early in the chain and put a time of day component on this one rule.
I'm not sure what all rules you're disabling, but if it's a set of filters, then this solution would work. If you're doing something more complex, you could make a custom rule chain for "test mode" and place just one time-of-day based rule which jumps into that chain during those times.
 
notToNew
Member Candidate
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: v6.38rc [release candidate] is released

Wed Oct 12, 2016 6:13 pm

@ZeroByte Thanks for your suggestion.

Hm, I have >90 VLANs and several external maintenance contracts.
So if, e.g., the external "voip" company needs access to the server, they automatically also need internet access and access to the svn server (which are normally denied) to back up the config.
So I have to enable 7-8 firewall rules just for them. In other firewall distros I just use such a time-object for this, named "maintenance-voip", and enable it for the next 4 hours.
So I cannot forget to disable the rules when the maintenance is finished; they are automatically disabled.

Using chains is a mess with all those VLANs and several hundred rules.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: v6.38rc [release candidate] is released

Wed Oct 12, 2016 6:27 pm

Well, address list can be your friend here.

You could have a rule that says this:
chain=forward src-address-list=maintenance_sources dst-address-list=maintenance_hosts action=accept
(whitelist by IP - allow all ports)

Then schedule a script which injects the source/destination IPs into the appropriate lists at whatever times you've agreed on.
When the script injects the IPs into the lists, just include a 2hr timeout value.
e.g.:
/ip firewall address-list add list=maintenance_sources address=192.0.2.21 timeout=7200
/ip firewall address-list add list=maintenance_hosts address=10.20.30.40 timeout=7200

These entries would automatically remove themselves after 7200 seconds...
Just an idea.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Oct 13, 2016 9:20 am

What's new in 6.38rc14 (2016-Oct-13 04:52):

Changes since 6.38rc12:
!) fastpath - let one packet per second through slow path to properly update connection timeouts;
*) console - fixed "/interface ethernet switch export" on some boards;
*) discovery - removed 6to4 tunnels from /ip neighbor discovery menu;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ethernet - fixed potential loopprotect crash;
*) firewall - new faster "connection-limit" option implementation;
*) lte - added support for PANTECH UML295;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Thu Oct 13, 2016 11:04 am

> !) fastpath - let one packet per second through slow path to properly update connection timeouts;
Does that also fix the problem that idle TCP sessions sometimes tick in tcp-unacked state
instead of tcp-established? http://forum.mikrotik.com/viewtopic.php?f=2&t=109608
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Oct 13, 2016 3:28 pm

Yes, it should. If that is not working as suspected, then please try without FastTrack. If behavior with and without FastTrack differs, then write to support@mikrotik.com. Send two supout files - one with and one without FastTrack.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Thu Oct 13, 2016 3:42 pm

Looks like something is broken in firewall export:
add action=drop chain=output !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content !dscp dst-address=5.6.8.5 !dst-address-list !dst-address-type \
    !dst-limit !dst-port !fragment !hotspot icmp-options=3:0-255 !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !p2p !packet-mark !packet-size !per-connection-classifier !port !priority protocol=icmp !psd !random !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
everything is okay in versions up to 6.37.1
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Thu Oct 13, 2016 3:43 pm

> Yes, it should. If that is not working as suspected, then please try without FastTrack. If behavior with and without FastTrack differs, then write to support@mikrotik.com. Send two supout files - one with and one without FastTrack.
Ok, I'll see if I can reproduce the problem on a router that I can update to the RC.
 
hdmn
just joined
Posts: 4
Joined: Fri Oct 14, 2016 12:04 am

v6.38rc: Firewall rule parsing broken

Fri Oct 14, 2016 12:32 am

I have identified a problem since v6.38rc (at least rc10 / up to rc14) on a range of different devices (CCR, CRS, hAP, CHR).

When you add a firewall rule where you put a source or destination address and the 4th byte is >127, src/dst field is being rewritten to *.0.0.0.
For example:
1.1.1.1 OK
1.1.1.254 -> 1.0.0.0
128.128.128.128 -> 128.0.0.0
254.254.254.127 OK
254.254.254.128 -> 254.0.0.0
Also, CIDR notation is broken:
192.168.0.0/23 -> 192.168.0.0-192.0.0.0
192.168.0.0/25 OK
192.168.1.0/24 -> 192.168.1.0-192.0.0.0
192.168.1.0/255.255.255.0 ->192.168.1.0/24 -> 192.168.1.0-192.0.0.0
254.254.254.0/24 -> 254.254.254.0-254.0.0.0
As mentioned above, this is reproducible on virtually all current rc-versions and does not happen on v6.37.1.

PS: As i am relatively new to the MikroTik-world and was not able to locate a bug tracker or the like, I thought this would be a good place to post this kind of information. If I missed the appropriate spot, please push me there… :)
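
Added example (not part of the original post and not MikroTik code): a defensive check for the symptom reported above. It parses a firewall export and flags src/dst addresses whose stored value differs from what was intended, forms an inverted range, or is a bare x.0.0.0 address. The export text, the rule comments r1..r5 and the INTENDED table are constructed for illustration; the address pairs are the ones listed in the post.

```python
import ipaddress
import shlex

# Constructed export text (not captured from a device). The stored values are
# the rewritten forms listed in the post; r1..r5 are made-up rule comments.
SAMPLE_EXPORT = """# constructed sample in RouterOS export layout
/ip firewall filter
add action=accept chain=forward comment=r1 src-address=1.1.1.1
add action=accept chain=forward comment=r2 src-address=1.0.0.0
add action=drop chain=input comment=r3 src-address=192.168.1.0-192.0.0.0
add action=accept chain=forward comment=r4 dst-address=192.168.0.0/25
add action=drop chain=forward comment=r5 dst-address=254.0.0.0 \\
    src-address=254.254.254.127
add action=drop chain=input src-address=128.0.0.0
"""

# What the operator meant to enter, keyed by rule comment (assumed convention).
INTENDED = {
    "r1": {"src-address": "1.1.1.1"},
    "r2": {"src-address": "1.1.1.254"},
    "r3": {"src-address": "192.168.1.0/255.255.255.0"},
    "r4": {"dst-address": "192.168.0.0/25"},
    "r5": {"dst-address": "254.254.254.128", "src-address": "254.254.254.127"},
}

ADDRESS_FIELDS = ("src-address", "dst-address")


def span(value):
    """Return (first, last) as integers for an address, CIDR/netmask or a-b range."""
    value = value.lstrip("!")  # a leading "!" negates the match, not the address
    if "-" in value:
        first, last = value.split("-", 1)
        return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    net = ipaddress.ip_network(value, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def parse_export(text):
    """Return [(menu, params)] for each 'add' line, joining backslash continuations."""
    rules, menu, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            # Assumption: the export wraps between parameters, not inside a value.
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line)[1:]
            params = dict(t.split("=", 1) for t in tokens if "=" in t)
            rules.append((menu, params))
    return rules


def audit(export_text, intended):
    """Return findings as (rule, field, stored, reason) tuples."""
    findings = []
    for menu, params in parse_export(export_text):
        if not (menu or "").startswith("/ip firewall"):
            continue
        name = params.get("comment", "<no comment>")
        wanted = intended.get(name, {})
        for field in ADDRESS_FIELDS:
            stored, expected = params.get(field), wanted.get(field)
            if stored is None:
                if expected is not None:
                    findings.append((name, field, None, "missing from stored rule"))
                continue
            first, last = span(stored)
            bare = "/" not in stored and "-" not in stored
            if last < first:
                reason = "inverted range"
            elif expected is not None and span(expected) != (first, last):
                reason = f"differs from intended {expected}"
            elif expected is None and bare and (first & 0xFFFFFF) == 0:
                reason = "bare x.0.0.0 address, compare with what was entered"
            else:
                continue
            findings.append((name, field, stored, reason))
    return findings


if __name__ == "__main__":
    for rule, field, stored, reason in audit(SAMPLE_EXPORT, INTENDED):
        print(f"{rule}: {field}={stored} -> {reason}")
```

Rules without an entry in INTENDED are only checked heuristically, so a clean result for them does not prove the stored address is the one that was typed.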
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: RE: v6.38rc: Firewall rule parsing broken

Fri Oct 14, 2016 12:46 am

> I have identified a problem since v6.38rc (at least rc10 / up to rc14) on a range of different devices (CCR, CRS, hAP, CHR).
>
> When you add a firewall rule where you put a source or destination address and the 4th byte is >127, src/dst field is being rewritten to *.0.0.0.
> For example:
> 1.1.1.1 OK
> 1.1.1.254 -> 1.0.0.0
> 128.128.128.128 -> 128.0.0.0
> 254.254.254.127 OK
> 254.254.254.128 -> 254.0.0.0
> Also, CIDR notation is broken:
> 192.168.0.0/23 -> 192.168.0.0-192.0.0.0
> 192.168.0.0/25 OK
> 192.168.1.0/24 -> 192.168.1.0-192.0.0.0
> 192.168.1.0/255.255.255.0 ->192.168.1.0/24 -> 192.168.1.0-192.0.0.0
> 254.254.254.0/24 -> 254.254.254.0-254.0.0.0
> As mentioned above, this is reproducible on virtually all current rc-versions and does not happen on v6.37.1.
>
> PS: As i am relatively new to the MikroTik-world and was not able to locate a bug tracker or the like, I thought this would be a good place to post this kind of information. If I missed the appropriate spot, please push me there… :)
Send a mail and a support file to mk support mail
And describe the bug.


Sent from Moto X Force
 
drees
just joined
Posts: 22
Joined: Tue Sep 20, 2016 9:39 pm

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 10:24 am

> Yes, it should. If that is not working as suspected, then please try without FastTrack. If behavior with and without FastTrack differs, then write to support@mikrotik.com. Send two supout files - one with and one without FastTrack.
FastTrack works better in the latest rc in that an idle SSH connection doesn't completely timeout, but an idle SSH connection (sending keep alives every minute) still has its Timeout drop to 5 minutes, decline to 4 minutes before popping back up to 5 minutes. I'll send the supout files to support.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc: Firewall rule parsing broken

Fri Oct 14, 2016 12:13 pm

> I have identified a problem since v6.38rc (at least rc10 / up to rc14) on a range of different devices (CCR, CRS, hAP, CHR).
> When you add a firewall rule where you put a source or destination address and the 4th byte is >127, src/dst field is being rewritten to *.0.0.0.
That is an interesting observation! It could be related to the trouble I have with IPv6, where also the addresses are truncated to zeroes.
Unfortunately there is no followup yet on the support ticket I have filed for that.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 2:24 pm

What's new in 6.38rc15 (2016-Oct-14 09:11):

Changes since 6.38rc14:
*) dhcp - fixed dhcp-client crash (introduced in 6.37rc14);
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) firewall - fixed compact export (introduced in 6.37rc14);
*) rb2011 - fixed crash on l2mtu changes;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
lelmus
newbie
Posts: 28
Joined: Wed Oct 17, 2012 5:50 am

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 5:48 pm

What's with the false critical messages in 6.38rc15 on my 922UAGS-5HPacD?

Critical cpu overclocked
Critical memory overclocked
 
docmarius
Forum Guru
Posts: 1222
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 6:38 pm

Same issue. CPU is at 720 MHz (factory default):
18:29:59 system,info verified routeros-mipsbe-6.38rc15.npk 
18:30:03 system,info installed routeros-mipsbe-6.38rc15 
18:30:03 system,info router rebooted 
18:30:09 interface,info ether1 link up (speed 1G, full duplex) 
...
18:30:18 system,info,critical cpu overclocked 
18:30:18 system,info,critical memory overclocked
...
[admin@YO2LOJ-Metal] /system routerboard> print
                ;;; Warning: cpu overclocked
                ;;; Warning: memory overclocked
       routerboard: yes
             model: 922UAGS-5HPacD
     serial-number: 6210055ADBAF
     firmware-type: qca9550
  factory-firmware: 3.22
  current-firmware: 3.34
  upgrade-firmware: 3.34
 
gyropilot
Frequent Visitor
Posts: 57
Joined: Sat Sep 10, 2016 10:49 pm
Location: SE Arizona USA

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 7:46 pm

> What's with the false critical messages in 6.38rc15 on my 922UAGS-5HPacD?
>
> Critical cpu overclocked
> Critical memory overclocked
I'm also getting the "cpu overclocked" error after boot on my RB952 hAP ac lite running 6.38rc14, but not the "memory overclocked" error.

John
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 10:06 pm

... Do not worry. Feature is not fully optimized. We will work on it in further rc releases. If you have not overclocked device manually, then do not worry about this message
 
hdmn
just joined
Posts: 4
Joined: Fri Oct 14, 2016 12:04 am

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 10:10 pm

v6.38rc: Firewall rule parsing broken in v6.38rc15, too

--------------------------------------------------------------------------------------------------------------------------------------------

hAP lite classic / Warning: cpu overclocked
[admin@hAP] > /system routerboard print
                ;;; Warning: cpu overclocked
       routerboard: yes
             model: RouterBOARD 941-2nD
     serial-number: 5B3204AB2B42
     firmware-type: qca9531L
  factory-firmware: 3.22
  current-firmware: 3.33
  upgrade-firmware: 3.33
  
[admin@hAP] > /system routerboard settings print 
                    ;;; Warning: cpu overclocked
           boot-device: nand-if-fail-then-ethernet
         cpu-frequency: 650MHz
         boot-protocol: bootp
   force-backup-booter: no
           silent-boot: no
  protected-routerboot: disabled
  
  [admin@hAP] > /system resource print
                   uptime: 4h1m36s
                  version: 6.38rc15 (testing)
               build-time: Oct/14/2016 09:11:04
              free-memory: 6.4MiB
             total-memory: 32.0MiB
                      cpu: MIPS 24Kc V7.4
                cpu-count: 1
            cpu-frequency: 650MHz
                 cpu-load: 3%
           free-hdd-space: 7.0MiB
          total-hdd-space: 16.0MiB
  write-sect-since-reboot: 5132
         write-sect-total: 565859
               bad-blocks: 0%
        architecture-name: smips
               board-name: hAP lite
                 platform: MikroTik
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 11:40 pm

> v6.38rc: Firewall rule parsing broken in v6.38rc15, too

On my CRS I can't reproduce this bug
[Vaselli@CRS] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=output action=accept src-address=1.1.1.254 dst-address=254.254.254.128 log=no
log-prefix=""

1 chain=forward action=accept src-address=192.168.0.0/23 log=no log-prefix=""
[Vaselli@CRS] > ip firewall filter export
# oct/14/2016 17:39:18 by RouterOS 6.38rc15
# software id = K711-PKMH
#
/ip firewall filter
add action=accept chain=output dst-address=254.254.254.128 src-address=1.1.1.254
add action=accept chain=forward src-address=192.168.0.0/23
[Vaselli@CRS] > system resource print
uptime: 6h32m52s
version: 6.38rc15 (testing)
build-time: Oct/14/2016 09:11:04
free-memory: 102.8MiB
total-memory: 128.0MiB
cpu: MIPS 74Kc V4.12
cpu-count: 1
cpu-frequency: 600MHz
cpu-load: 5%
free-hdd-space: 47.6MiB
total-hdd-space: 64.0MiB
write-sect-since-reboot: 545
write-sect-total: 198197
bad-blocks: 0%
architecture-name: mipsbe
board-name: CRS125-24G-1S-2HnD
platform: MikroTik
[Vaselli@CRS] >
 
hdmn
just joined
Posts: 4
Joined: Fri Oct 14, 2016 12:04 am

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 11:48 pm

> On my CRS I can't reproduce this bug
probably a webfig-only bug? did you add it via winbox or shell?
 
patrick7
Member
Posts: 341
Joined: Sat Jul 20, 2013 2:40 pm

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 11:50 pm

Maybe it's only in webfig or winbox?
 
raffav
Member
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 11:52 pm

On my CRS I can't reproduce this bug
probably a webfig-only bug? did you add it via winbox or shell?
winbox
will try over webfig and post back here, just a minute

EDIT
Via WEBFIG has the BUG
Last edited by raffav on Fri Oct 14, 2016 11:59 pm, edited 1 time in total.
 
hdmn
just joined
Posts: 4
Joined: Fri Oct 14, 2016 12:04 am

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 11:56 pm

On my CRS I can't reproduce this bug
probably a webfig-only bug? did you add it via winbox or shell?
winbox
will try over webfig and post back here, just a minute
Tik-App (Android) works fine. So this seems to concern webfig only...
 
Zorro
Long time Member
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: v6.38rc [release candidate] is released

Sat Oct 15, 2016 8:57 pm

Conntrack limit defaults are usually not a concern, even on border devices.
Exceptions are CCR endpoints in installations/solutions where a lot of PPS and/or DDoS attempts of many kinds are expected, or, say, rb850gx2 and RB1200 users, for example, or other "border"/edge devices.
(rb3011 and below don't fill that role much despite the distracting price ;)
On the contrary, the defaults may usually be quite over-estimated, especially in SOHO devices.
I'm not surprised to see conntrack table defaults set without regard to memory size in, say, ASUS, Zyxel or Alpha, Buffalo, ZTE-made SOHO devices and the like, but having the "default" conntrack table in, say, ERL (or DFL, DSR by Alpha, with similar impact) firmware (taken directly from Vyatta without changes) eventually results in resource exhaustion and a hang as a result (sometimes during operation, sometimes after reboot), since (especially with long uptime and serious traffic) it eventually wouldn't let the devices breathe. So for most of them, the safe/sane option was usually to actually reduce the numbers 8x, or 4x at least, and that does help a LOT.
That's where ROS shines, because of its low footprint and the lack/absence of irrelevant (for networking) portions of the Linux stack/distribution, both in terms of speed, resource consumption and attack surface reduction.
My point is: that's quite a helpful/meaningful change, especially if you run an ISP company or are a mid-to-big-sized company networker.
Before that, you had absolutely no control of the conntrack table in ROS (except timeout values), sometimes desperately looking at 8Gb or 16Gb RAM installed on, say, a CCR, with completely exhausted tables. Now it fixes that for real-world use/tweaking.

P.S. For SOHO devices I highly suggest going the opposite way and slightly decreasing all numbers (including hash table) seriously in their config for stability.
 
ivicask
Member
Member
Posts: 422
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v6.38rc [release candidate] is released

Mon Oct 17, 2016 3:51 pm

Hello support!
We are having a lot of problems here with Mikrotik Queues X Windows 10 Updates. When a customer has one PC downloading Windows 10 updates, his queue is 100% used, and most of the time it is impossible to do anything else, even open a web page.
So, I was reading about it and I could see the "fq_codel" is the best way to minimize this problem.
Windows 10 updates are now downloaded from servers using FAST TCP - https://en.wikipedia.org/wiki/FAST_TCP

More info about fq_codel
http://snapon.lab.bufferbloat.net/~d/Pr ... jan-28.pdf
http://forum.mikrotik.com/viewtopic.php?f=1&t=89221
http://forum.mikrotik.com/viewtopic.php?f=2&t=63594

few years ago, normis said this...
thanks for the suggestion, we are looking into it for v7. currently you can use SFQ, which is also very good
http://forum.mikrotik.com/viewtopic.php ... 21#p464269

Are there any news???
Thanks!
I had the same problem a long time ago. I solved it when I separated HTTP traffic into "browsing" and "downloads", so the first 5MB are marked as regular web browsing and have higher priority in the tree queue, and everything above 5MB goes into this downloads queue, which is then limited down and has lower priority.
Every day I have a lot of computers downloading updates and other stuff and I can browse the internet without any delays. And all that works with PCQ.
 
bajodel
Long time Member
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v6.38rc [release candidate] is released

Wed Oct 19, 2016 9:39 am

On RB951G with 6.38rc15 (using winbox 3.7) if you set wlan1 band to 2 Ghz-G/N the HT MCS tab disappears. It came back if you set band to bgn or only-n (not tested other combinations)
 
JorgeAmaral
Trainer
Trainer
Posts: 199
Joined: Wed Mar 04, 2009 11:53 pm
Location: /ip route add type=blackhole

Re: v6.38rc [release candidate] is released

Wed Oct 19, 2016 3:06 pm

Is it possible to setup port based vlan on CRS with hw RSTP?

I tried the scenario on the wiki ( http://wiki.mikrotik.com/wiki/Manual:CR ... AN_Routing ) and added each masterport vlan to different bridges and was expecting it to behave like "per vlan spanning tree" but... nothing happens.
 
notToNew
Member Candidate
Member Candidate
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: v6.38rc [release candidate] is released

Thu Oct 20, 2016 12:37 pm

Intel(R) PRO/Wireless 3945ABG cards can only connect in B/G-mode.
When AP is in B/G/N-mode, no connection is possible.
 
Borizo
newbie
Posts: 40
Joined: Thu Oct 28, 2010 4:38 pm

Re: v6.38rc [release candidate] is released

Thu Oct 20, 2016 6:50 pm

I see one of developers had a chance to look DNS code portion:
Changes since 6.38rc10:
*) dns - improved static dns entry add speed when regexp is being used;
Is there any chance to add two small features please?
[Feature][DNS] Allow 0.0.0.0 as address for DNS records
[Feature][DNS] Apply the regexp entry after plain entries
They should not consume much time and seem rather natural.
 
bryans2k
just joined
Posts: 21
Joined: Fri Apr 26, 2013 6:10 am

Re: v6.38rc [release candidate] is released

Sat Oct 22, 2016 9:36 am

I've been seeing weird DNS failures on the CCR DNS server. It doesn't seem to follow the DNS server priority when you have 4 DNS servers in the DNS Settings list and query from multiple subnets. For example, my CCR has 3 IPs (10.0.0.9, 10.1.0.2, 10.1.1.2) on 3 different interfaces. If I query DNS on 10.1.0.2 from 10.0.0.x, it fails on the first DNS server in the list, then succeeds on the second, even though the first DNS server is fine. If I query DNS on 10.0.0.9 from 10.0.0.x, it works without a problem. If I reduce the DNS servers to just 2 in the DNS Settings list, then it also works without a problem.
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 12:48 pm

What's new in 6.38rc19 (2016-Oct-24 11:19):

Changes since 6.38rc15:
!) snmp - added basic get and walk functionality "/tool snmp-[get|walk]";
*) chr - fixed "/interface print";
*) chr - fixed reboot;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) fastpath - fixed kernel failure when fastpath traffic goes into loop;
*) fastpath - fixed rare crash;
*) interface - changed loopback interface mtu to 1500;
*) ipsec - added ability to specify static IP address at send-dns option (CLI only);
*) ipsec - send xauth password without trailing null;
*) led - fixed cAP 2nD stuck in dark mode all the time;
*) lte - fixed Pantech UML296 support;
*) package - show minimal supported RouterOS version under "/system resource" menu if it is specified;
*) profiler - added ability to monitor cpu usage per core;
*) resolver - ignore cache entries if specific server is used;
*) ssh - fixed lost "/ip ssh" settings on upgrade from version older than 5.15;
*) trafficgen - fixed potential crash when very big frame is generated;
*) vlan - allow to add multiple vlans which name starts with same number and has same length;
*) vlan - fixed CRS switch egress-vlan-tag export;
*) winbox - added led settings menu;
*) winbox - allow to run profiler from "/system resources" menu;
*) winbox - fixed missing switch menu for mmips devices;
*) winbox - properly show VHT basic and supported rates in CAPsMAN;
*) wireless - added CRL checking for eap-tls;
*) wireless - take in account channel width when returning supported channels;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
Kindis
Member
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 12:56 pm

What's new in 6.38rc19 (2016-Oct-24 11:19):

Changes since 6.38rc15:
*) chr - fixed "/interface print";
*) chr - fixed reboot;
Looks promising. Will test my CHR when I have access to it.
 
paulct
Member
Member
Posts: 336
Joined: Fri Jul 12, 2013 5:38 pm

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 2:24 pm

*) profiler - added ability to monitor cpu usage per core;
Nice :)
 
Gennadiy51
newbie
Posts: 30
Joined: Fri Nov 06, 2009 4:33 pm
Location: Moldova, Chisinau

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 4:41 pm

I have two hAP lite. On both routers, after updating from v6.37.1 to v6.38rc19 and after each reboot, I see in the Log "system, info, critical --- CPU overclocked", but in system, resources all is O.K.

[Guess_Who-2@MikroTik] /log> print
15:29:59 system,info installed dhcp-6.38rc19
15:29:59 system,info installed security-6.38rc19
15:29:59 system,info installed wireless@-6.38rc19
15:30:01 system,info router rebooted
15:30:02 system,info,critical cpu overclocked
15:30:08 interface,info ether1-WAN link up (speed 100M, full duplex)
15:30:12 pppoe,ppp,info Arax_Internet: initializing...
15:30:12 pppoe,ppp,info Arax_Internet: connecting...

[Guess_Who-2@MikroTik] > system resource print
uptime: 1h57m25s
version: 6.38rc19 (testing)
build-time: Oct/24/2016 11:19:32
free-memory: 7.4MiB
total-memory: 32.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 650MHz
cpu-load: 3%
free-hdd-space: 7.6MiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 180
write-sect-total: 77897
bad-blocks: 0%
architecture-name: smips
board-name: hAP lite
platform: MikroTik

At v6.37.1 in Log no such message.
Last edited by Gennadiy51 on Wed Oct 26, 2016 5:38 pm, edited 2 times in total.
 
Kindis
Member
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 4:41 pm

What's new in 6.38rc19 (2016-Oct-24 11:19):

Changes since 6.38rc15:
*) chr - fixed "/interface print";
*) chr - fixed reboot;
Looks promising. Will test my CHR when I have access to it.
Nope, this does not solve my issues with my CHR. It still dies when updated. My guess is that this is related to me using synthetic network cards instead of legacy.
 
mrz
MikroTik Support
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 6:04 pm

I have two hAP lite. On both routers, after updating from v6.37.1 to v6.38rc19 and after each reboot, I see in the Log "system, info, critical --- CPU overclocked", but in system, resources all is O.K.

[Guess_Who-2@MikroTik] /log> print
15:29:59 system,info installed dhcp-6.38rc19
15:29:59 system,info installed security-6.38rc19
15:29:59 system,info installed wireless@-6.38rc19
15:30:01 system,info router rebooted
15:30:02 system,info,critical cpu overclocked
15:30:08 interface,info ether1-WAN link up (speed 100M, full duplex)
15:30:12 pppoe,ppp,info Arax_Internet: initializing...
15:30:12 pppoe,ppp,info Arax_Internet: connecting...

[Guess_Who-2@MikroTik] > system resource print
uptime: 1h57m25s
version: 6.38rc19 (testing)
build-time: Oct/24/2016 11:19:32
free-memory: 7.4MiB
total-memory: 32.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 650MHz
cpu-load: 3%
free-hdd-space: 7.6MiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 180
write-sect-total: 77897
bad-blocks: 0%
architecture-name: smips
board-name: hAP lite
platform: MikroTik

At v6.37.1 in Log no such message.
Do not worry about this warning, this is for us to track down wrong default CPU and memory frequencies.
 
drees
just joined
Posts: 22
Joined: Tue Sep 20, 2016 9:39 pm

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 6:11 pm

The 2nd to last line before rebooting after upgrading from rc15 was:

system, error, critical System rebooted because of kernel failure

Everything seems fine post reboot. Is that normal? RB951G
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 4:56 pm

Version 6.38rc24 has been released.

Changes since previous rc:

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
!) tr069-client - initial implementation (as separate package);
*) arm - improved watchdog reliability;
*) bonding - added "forced-mac-address" option (cli only);
*) bonding - fixed 802.3ad load balancing over routed VLANs with fastpath enabled;
*) bonding - fixed mac address selection after upgrade;
*) bridge - fixed rare crash on bridge port removal;
*) certificates - fixed trust chain update on local certificate revocation in programs using ssl;
*) crs - added comment ability in more switch menus;
*) crs - fixed port mirroring halt after L2MTU change;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) fastpath - improved connection tracking timeout updates;
*) firewall - fixed "connection-state" value disappearance in rules that were created before v6.22;
*) firewall - improved "time" option (ranges like 22h-10h now are acceptable);
*) ipsec - added ph2 accounting for each policy "/ip ipsec policy ph2-count" (cli only);
*) ipsec - non passive peers will also establish SAs from policy without waiting for the first packet;
*) ipv6 - increased default max-neighbor-entries value to 8192, same as ipv4;
*) log - fixed "System rebooted because of kernel failure" message to show after 1st crash reboot;
*) mmips - fixed traffic accounting in "/interface" menu;
*) mmips - improved watchdog reliability;
*) profiler - added ability to monitor cpu usage per core;
*) ssl - fixed potential memory leak ( when using dude for example);
*) queue - fixed rare crash on statistic gathering in "/queue tree";
*) queue - improved "time" option (ranges like 22h-10h are now usable);
*) wireless - added CRL checking for eap-tls;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 5:31 pm

Updated RB750Gr3 to 6.38rc24.

My policies with sa-src-address=0.0.0.0 are failing.
ipsec, error x.x.x.x parsing packet failed, possible cause: wrong password
After setting correct WAN address as sa-src-address, remote connections are up again:
/ip ipsec policy> set [f] sa-src-address=x.x.x.x
 
mrz
MikroTik Support
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 6:04 pm

what is your setup? tunnel or transport mode?

problem confirmed in tunnel mode. Thanks.
 
andriys
Forum Guru
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 6:43 pm

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
Yay! I can't believe I will be able to throw a couple of good-old-but-no-longer-supported ASA5505 boxes away soon!
Just need to wait until the version gets stable. :)
 
cutedrummerboy
Member Candidate
Member Candidate
Posts: 137
Joined: Thu Nov 14, 2013 6:32 pm

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 8:15 pm

aha, tr069 client. lots of room for experiments.
 
Kindis
Member
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 8:45 pm

Any expected date when problems with CHR on Hyper-V will be fixed? No hurry from my side as 6.36.3 is super stable but would like to know if there is any planned eta on that?
[Ticket#2016100322001305]
 
cutedrummerboy
Member Candidate
Member Candidate
Posts: 137
Joined: Thu Nov 14, 2013 6:32 pm

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 8:46 pm

after installing tr069 client how to work with it??
 
cutedrummerboy
Member Candidate
Member Candidate
Posts: 137
Joined: Thu Nov 14, 2013 6:32 pm

Re: v6.38rc [release candidate] is released

Fri Nov 04, 2016 6:47 am

nevermind, I found it. currently it is only console based implementation.
 
ditonet
Forum Veteran
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: v6.38rc [release candidate] is released

Fri Nov 04, 2016 11:02 am

Hi,
Download link for Dude server 6.38rc24 for CHR is broken :(

Regards,
 
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Nov 04, 2016 1:59 pm

Dude links for rc24 are fixed. Also, that is the same package made for x86.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Fri Nov 04, 2016 9:09 pm

Updated CHR install from rc19 to rc24, on reboot it logs:

system error critical open /dev/panics failed
 
huntah
Member Candidate
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: v6.38rc [release candidate] is released

Sat Nov 05, 2016 11:06 am

strods wrote:
!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
Does this mean multiple L2TP/IPSEC users behind same Public IP?
 
nz_monkey
Forum Guru
Forum Guru
Posts: 2096
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v6.38rc [release candidate] is released

Sat Nov 05, 2016 11:17 am

Does this mean multiple L2TP/IPSEC users behind same Public IP?
In theory yes..

Hopefully some examples appear on the wiki soon.
 
andriys
Forum Guru
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.38rc [release candidate] is released

Sat Nov 05, 2016 11:43 am

!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
Does this mean multiple L2TP/IPSEC users behind same Public IP?
Yes.
Hopefully some examples appear on the wiki soon.
I don't think extra examples are needed. It should just work, provided NAT-T is enabled in the ipsec peer configuration.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Sat Nov 05, 2016 12:35 pm

I don't think extra examples are needed. It should just work, provided NAT-T is enabled in the ipsec peer configuration.
I hope it can handle double-NAT... in the current version I even need to relax the policy generation (from port-strict to port-override)
or else it is not able to handle certain clients that are behind two levels of NAT. And that is unfortunately quite common, e.g.
a MikroTik router with Huawei E3372 stick (which has its built-in NAT) on a mobile provider that uses carrier-grade NAT.
In this setup the policy is wrongly generated, the port number does not always correctly match on the different levels.

Hopefully someone can report on this, I have seen other people reporting the same problem and fixing it the same way.
(not using the auto-generated peer definition by setting the "ipsec secret" on the L2TP server, but manual IPsec peer
definition with relaxed port matching)
 
danxx26
just joined
Posts: 4
Joined: Fri Feb 12, 2016 6:33 pm

Re: v6.38rc [release candidate] is released

Sun Nov 06, 2016 3:40 am

Today I attempted to upgrade to 6.38rc24 and things did not go well. After reboot I noticed my wireless was gone. I was able to get inside the RB2011 with Winbox and noticed there is no wireless menu. The interfaces tab confirms no wireless interfaces. I went into the package menu and noticed that the only package is the main 6.38rc24; all other packages are gone and the main package says "disabled". I attempted to download the "extra" packages, copied them over with Winbox and rebooted. Still no wireless, and in packages the ones I uploaded do not show. I see them in files but that's it. Any help would be greatly appreciated.

Thank you


Daniel
 
BartoszP
Forum Guru
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.38rc [release candidate] is released

Sun Nov 06, 2016 11:02 am

Which version have you upgraded from ?
 
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Sun Nov 06, 2016 10:36 pm

And what's in Log after reboot with package uploaded?
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Nov 07, 2016 11:45 am

Version 6.38rc25 has been released.

Changes since previous version:
!) queues - significantly improved hashing algorithm in dynamic simple queue setups (fixes CPU load spikes on queue removal);
!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
*) discovery - added LLDP support;
*) routerboot - show log message if router CPU/RAM is overclocked;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Nov 07, 2016 12:19 pm

Version highlight - this release includes a significant fix for large scale tunnel implementations (and any other implementations which use dynamic simple queues).
It was observed that the tunnel disconnect process causes a CPU spike. In some cases, for a significant amount of time during this spike, throughput of the device decreases, latency increases and, in the worst case scenario, it causes other tunnels to disconnect, resulting in an avalanche-like effect.
The problem was narrowed down to the queue removal process, which causes a hash table update for the whole simple queue set. To fix this we adjusted the way the hashing algorithm works.
Please test this, so that we can add it to the next current and/or bugfix versions as soon as possible.
 
raffav
Member
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Mon Nov 07, 2016 12:45 pm

Version 6.38rc has been released.

Changes since previous version:
!) queues - significantly improved hashing algorithm in dynamic simple queue setups (fixes CPU load spikes on queue removal);
!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
*) discovery - added LLDP support;
*) routerboot - show log message if router CPU/RAM is overclocked;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
@strods
Maybe you forgot to put the new RC version on the change log?
*) ipsec - added ph2 accounting for each policy "/ip ipsec policy ph2-count" (cli only); can't find where that is
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Nov 07, 2016 1:04 pm

Post includes only changes since previous rc version release. Full changelog:
http://www.mikrotik.com/download
 
raffav
Member
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Mon Nov 07, 2016 1:13 pm

@strods
That I know.
I was talking about this:
Version 6.38rcXX has been released.
But never mind, it's not important, it was only an observation.
 
alexjhart
Member Candidate
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Mon Nov 07, 2016 6:32 pm

*) discovery - added LLDP support;
I thought LLDP was already added?
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 2:23 am

MikroTik....

!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);

How do we use this?
 
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 2:34 am

 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 2:48 am

Thanks
 
macgaiver
Forum Guru
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 8:24 am

*) discovery - added LLDP support;
I thought LLDP was already added?
AFAIK this is an RC changelog; there is no point in adding a new line for every fix/update for features that were introduced in this RC. When released in current, it will still be just one changelog entry about the feature introduction. So those entries that have fixes/updates just pop up again in the RC. I have noticed this since the new era of changelogs; for me it makes sense.
 
alexjhart
Member Candidate
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 8:29 am

*) discovery - added LLDP support;
I thought LLDP was already added?
AFAIK this is an RC changelog; there is no point in adding a new line for every fix/update for features that were introduced in this RC. When released in current, it will still be just one changelog entry about the feature introduction. So those entries that have fixes/updates just pop up again in the RC. I have noticed this since the new era of changelogs; for me it makes sense.
I can understand summarizing in final release notes, but nice in rc changelog to know if fixes or updates were made relating to that line item, right?
 
macgaiver
Forum Guru
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 9:07 am

I can understand summarizing in final release notes, but nice in rc changelog to know if fixes or updates were made relating to that line item, right?
Changelog line is moved to latest RC, so there are fixes or updates :). One can argue, that it would be nice to know what exactly are those changes, but i think it is one step too far, just knowing that something is changed is enough for me.
 
markom
Member Candidate
Member Candidate
Posts: 112
Joined: Thu Dec 17, 2009 10:42 pm

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 3:38 pm

snmp - added basic get and walk functionality "/tool snmp-[get|walk]";


desired bold command part is missing.
tool snmp-walk community=public address=10.10.10.10 file=device.txt
I would like to see option to put in file snmpwalk command.
 
alexjhart
Member Candidate
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 7:02 pm

I upgraded from rc7 to rc24 on x86. My road warrior L2TP IPsec VPN stopped working (both OS X and Android clients). I upgraded to rc25, still didn't work. Downgraded back to rc7 works again.

rc24/25:
08:46:31 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[10584]
08:46:31 ipsec,debug searching for policy
08:46:31 ipsec,debug can't match selector to any template, skipping: 2.2.2.2:1701 ipproto:17 <=> 1.1.1.1:10584 ipproto:17
08:46:31 ipsec,debug failed to proposal from policy
08:46:31 ipsec,debug failed to get proposal for responder.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.

rc7:
08:49:48 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[23165]
08:49:48 ipsec,debug no policy found, try to generate the policy : 172.31.99.154/32[51455] 2.2.2.2/32[1701] proto=udp dir=in port_override=0
08:49:48 ipsec,debug Adjusting my encmode UDP-Transport->Transport
08:49:48 ipsec,debug Adjusting peer's encmode UDP-Transport(4)->Transport(2)
08:49:48 ipsec,debug pfkey GETSPI succeeded: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:48 ipsec,debug sent phase2 packet 2.2.2.2[4500]<=>1.1.1.1[23165] de330e033113ec3d:14443609588c73ae:0000b502
08:49:49 ipsec IPsec-SA established: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:49 ipsec IPsec-SA established: ESP/Transport 2.2.2.2[4500]->1.1.1.1[23165] spi=215287899(0xcd5085b)
 
mrz
MikroTik Support
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 7:10 pm

Send supout to support from rc25
 
alexjhart
Member Candidate
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 7:25 pm

Send supout to support from rc25
Sent
 
alexjhart
Member Candidate
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 8:18 pm

I upgraded from rc7 to rc24 on x86. My road warrior L2TP IPsec VPN stopped working (both OS X and Android clients). I upgraded to rc25, still didn't work. Downgraded back to rc7 works again.

rc24/25:
08:46:31 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[10584]
08:46:31 ipsec,debug searching for policy
08:46:31 ipsec,debug can't match selector to any template, skipping: 2.2.2.2:1701 ipproto:17 <=> 1.1.1.1:10584 ipproto:17
08:46:31 ipsec,debug failed to proposal from policy
08:46:31 ipsec,debug failed to get proposal for responder.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.

rc7:
08:49:48 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[23165]
08:49:48 ipsec,debug no policy found, try to generate the policy : 172.31.99.154/32[51455] 2.2.2.2/32[1701] proto=udp dir=in port_override=0
08:49:48 ipsec,debug Adjusting my encmode UDP-Transport->Transport
08:49:48 ipsec,debug Adjusting peer's encmode UDP-Transport(4)->Transport(2)
08:49:48 ipsec,debug pfkey GETSPI succeeded: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:48 ipsec,debug sent phase2 packet 2.2.2.2[4500]<=>1.1.1.1[23165] de330e033113ec3d:14443609588c73ae:0000b502
08:49:49 ipsec IPsec-SA established: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:49 ipsec IPsec-SA established: ESP/Transport 2.2.2.2[4500]->1.1.1.1[23165] spi=215287899(0xcd5085b)
This also affects point to point VPN with 2 Mikrotiks.

Support says this should be fixed in next rc. Thanks Maris
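
The two outcomes in the logs above can be told apart mechanically. This is an added example, not part of the original post and not MikroTik code: it groups RouterOS ipsec log lines by phase 2 negotiation and reports why a negotiation failed. The function names, field names and reason codes are assumptions.

```python
import re

# Log lines copied from the post above (addresses were already anonymised there).
RC25_LOG = """\
08:46:31 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[10584]
08:46:31 ipsec,debug searching for policy
08:46:31 ipsec,debug can't match selector to any template, skipping: 2.2.2.2:1701 ipproto:17 <=> 1.1.1.1:10584 ipproto:17
08:46:31 ipsec,debug failed to proposal from policy
08:46:31 ipsec,debug failed to get proposal for responder.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
"""
RC7_LOG = """\
08:49:48 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[23165]
08:49:48 ipsec,debug no policy found, try to generate the policy : 172.31.99.154/32[51455] 2.2.2.2/32[1701] proto=udp dir=in port_override=0
08:49:48 ipsec,debug Adjusting my encmode UDP-Transport->Transport
08:49:48 ipsec,debug Adjusting peer's encmode UDP-Transport(4)->Transport(2)
08:49:48 ipsec,debug pfkey GETSPI succeeded: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:48 ipsec,debug sent phase2 packet 2.2.2.2[4500]<=>1.1.1.1[23165] de330e033113ec3d:14443609588c73ae:0000b502
08:49:49 ipsec IPsec-SA established: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:49 ipsec IPsec-SA established: ESP/Transport 2.2.2.2[4500]->1.1.1.1[23165] spi=215287899(0xcd5085b)
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (.*)$")
START = re.compile(r"respond new phase 2 negotiation: (\S+?)\[(\d+)\]<=>(\S+?)\[(\d+)\]")
ESTABLISHED = re.compile(
    r"IPsec-SA established: \S+ (\S+?)\[\d+\]->(\S+?)\[\d+\] spi=\d+\((0x[0-9a-f]+)\)")
PH2_ERROR = re.compile(r"^(\S+) failed to pre-process ph2 packet")
# Debug messages that explain a failure, mapped to a short reason code (assumed names).
REASONS = {
    "can't match selector to any template": "no-template-match",
    "failed to get proposal for responder": "no-proposal",
}


def analyze(log_text):
    """Return one dict per phase 2 negotiation found in RouterOS ipsec log text."""
    negotiations, by_peer, current = [], {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or "ipsec" not in m.group(2).split(","):
            continue
        time, _, msg = m.groups()
        start = START.search(msg)
        if start:
            current = {"time": time, "local": start.group(1), "peer": start.group(3),
                       "peer_port": int(start.group(4)), "policy_generated": False,
                       "reasons": [], "ph2_errors": 0, "spis": []}
            negotiations.append(current)
            by_peer[current["peer"]] = current
            continue
        err = PH2_ERROR.match(msg)
        est = ESTABLISHED.search(msg)
        if err:
            # Error lines name the peer, so attribute them by address.
            neg = by_peer.get(err.group(1))
            if neg:
                neg["ph2_errors"] += 1
        elif est:
            # One SA per direction: the peer may be the source or the destination.
            neg = by_peer.get(est.group(1)) or by_peer.get(est.group(2))
            if neg:
                neg["spis"].append(est.group(3))
        elif current:
            # Debug lines carry no peer address; they belong to the latest negotiation.
            if "try to generate the policy" in msg:
                current["policy_generated"] = True
            for text, code in REASONS.items():
                if text in msg and code not in current["reasons"]:
                    current["reasons"].append(code)
    for neg in negotiations:
        if neg["spis"]:
            neg["outcome"] = "established"
        elif neg["ph2_errors"] or neg["reasons"]:
            neg["outcome"] = "failed"
        else:
            neg["outcome"] = "incomplete"
    return negotiations


def report(negotiations):
    """One summary line per negotiation, e.g. for the note sent along with a supout."""
    lines = []
    for n in negotiations:
        detail = ",".join(n["reasons"]) or ("spi " + "/".join(n["spis"]) if n["spis"] else "-")
        lines.append(f'{n["time"]} peer {n["peer"]}:{n["peer_port"]} {n["outcome"]} '
                     f'({detail}; ph2 errors: {n["ph2_errors"]})')
    return lines


if __name__ == "__main__":
    for name, text in (("rc24/25", RC25_LOG), ("rc7", RC7_LOG)):
        for line in report(analyze(text)):
            print(name, line)
```

On the rc24/25 lines the negotiation is classified as failed because no policy template matched the proposed selector; on the rc7 lines a policy is generated and both SAs are recorded.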
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 9:26 pm

Hi, I had to go back to RC19; for some reason internet navigation was getting problematic, and webpages did not load very well.
This happens only at the office; maybe RC 24-25 changes something so that my network didn't work as it is supposed to.
I couldn't reproduce this behavior at home, or in a lab.
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: v6.38rc [release candidate] is released

Wed Nov 09, 2016 1:39 pm

*) discovery - added LLDP support;
I thought LLDP was already added?
LLDP itself, yes.
but not in neighborhood/discovery.
e.g., it's now implemented ~ completely, basically.
I guess folks that cried about LLDP necessity became a bit happier now (party time, huh? :).
 
boldsuck
Frequent Visitor
Posts: 60
Joined: Sun Sep 01, 2013 1:07 am
Location: Germany

Re: v6.38rc [release candidate] is released

Wed Nov 09, 2016 9:39 pm

This was working fine until 6.37 then I upgraded it to the first v6.38rc and all IPv6 addresses are gone.
(interface address, that address in the firewall, and default route)
They now show like ::/0
Same here:
RouterOS v6.38rc25 (testing) on RB2011UAS (mips)

ISSUES:
IPv6 addresses are not shown correctly (only ::/0, ::, or blank in DHCP_Client).
It's a webfig-only bug here. In Tik App and CLI IPv6 addresses are shown correctly.
IPv6 is normally working. :D
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Wed Nov 09, 2016 10:47 pm

The issue has been confirmed by MikroTik and will be fixed. It only occurs in WebFig so you can still configure and check using commandline.
The reason why my IPv6 was down was because of a configuration error.
I put a static address on an ethernet interface but forgot the /64 mask. In previous versions the default was /64 and now it is /128.
This was the real reason why my IPv6 was down. However, I was misled during debugging because of the display problem in WebFig.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Nov 11, 2016 4:10 pm

Version 6.38rc29 has been released.

Changes since 6.38rc25:

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
!) tr069-client - initial implementation (as separate package);
*) bridge - fixed filter Ingress Priority option (broken in v6.38rc16);
*) ccr - added AHCI driver for Samsung XP941 128GB AHCI M.2;
*) crs226 - fixed sfp-sfpplus1 link re-negotiation (broken in 6.37rc28/v6.37.1);
*) certificates - allow import multiple certs with the same key;
*) certificates - if no name provided create certificate name automatically from certificate fields;
*) dhcp - fixed issue when dhcp-client was still possible on interfaces with "slave" flag and using slave interface MAC address;
*) discovery - added LLDP support;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ethernet - added "k" and "M" unit support to Ethernet Bandwidth setting;
*) firewall - new faster "connection-limit" option implementation;
*) ipsec - don't generate unnecessary ah+esp policies;
*) ipsec - fixed generated policy lookup with ah+esp proposal;
*) traffic-flow - fixed flow sequence counter and length;
*) webfig - fixed smaller than /24 ip address configuration (broken in v6.38rc3);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
irico
newbie
Posts: 47
Joined: Thu Nov 10, 2016 5:35 pm

Re: v6.38rc [release candidate] is released

Fri Nov 11, 2016 7:32 pm

When updating from 6.38rc25 to 6.38rc29, the ipsec peer exchange mode changes from ike2 to unknown.

With 6.38rc29, IKEv2 only works with sha1 or md5 proposal auth algorithm. I have not been able to use "sha256" or "sha512"
 
benoga
just joined
Posts: 13
Joined: Wed Mar 09, 2016 7:50 am

Re: v6.38rc [release candidate] is released

Fri Nov 11, 2016 8:00 pm

I have the same problem. L2TP from Android can't connect with auth. algorithm sha265 to the Mikrotik 6.38rc29.
 
craigreilly
newbie
Posts: 46
Joined: Mon Jan 26, 2015 7:04 pm

Re: v6.38rc [release candidate] is released

Sat Nov 12, 2016 12:03 am

How do I go about setting up L2TP with ipSEC now that we can have multiple peers behind same NAT?
I see it is via CLI only. I really need to get this going since Apple dropped support for PPTP.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: v6.38rc [release candidate] is released

Sat Nov 12, 2016 3:19 pm

Having a weird issue on my CRS. Running > rc10 seems to crash randomly and just stop passing all traffic (including responding to anything itself) requiring a reboot. I sent supouts. I think it is somewhere in IPSec. I wind up with 100s of SAs that keep expiring.... for a single ipsec tunnel....

-Eric
 
cgaspar
just joined
Posts: 11
Joined: Thu Jul 14, 2016 9:29 pm

Re: v6.38rc [release candidate] is released

Sat Nov 12, 2016 3:36 pm

Hello, I've updated The Dude to 6.38rc29 version and the e-mail notification is not working. Any changes with the variables at all?

{ Body: Service [Probe.Name] on [Device.Name] is now [Service.Status] ([Service.ProblemDescription]) }
 
ThomasLevering
just joined
Posts: 8
Joined: Mon Nov 14, 2016 8:38 am
Location: Germany

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 8:53 am

with 6.38rc29 L2TP/IPsec is not working. Windows7/Windows10/iPhone/Mac
with 6.37.1 only one connection per IP
RB750Gr3

6.37.1 QuickSet src-address was Wrong
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" \
src-address=0.89.168.192-255.89.168.192
 
huntermic
Member Candidate
Posts: 111
Joined: Wed Oct 26, 2016 3:42 pm

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 10:04 am

Same issue here, since last two RC's my L2TP/IPSEC is dead
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 3:58 pm

Version 6.38rc30 has been released.

Changes since previous version:
*) dns - do not resolve incorrect addresses after changes made in static dns entries;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) firewall - fixed timeout option on address lists with domain name;
*) system - reboot device on critical program crash;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
ErfanDL
Member
Posts: 366
Joined: Thu Sep 29, 2016 9:13 am

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 4:25 pm

Version 6.38rc30 has been released.

Changes since previous version:
*) dns - do not resolve incorrect addresses after changes made in static dns entries;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) firewall - fixed timeout option on address lists with domain name;
*) system - reboot device on critical program crash;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
Hi strods
please add 3G modem D-Link DWM 157 H/W Ver D1 in new routeros release candidate :(
last night I sent an email to support@mikrotik.com with supout.rif file attachment for support D-Link DWM 157 H/W Ver D1 but there is no answer
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 4:52 pm

ErfanDL - We usually reply within 3 working days. Did it work in 6.37 version? If it did not, then please do not write such posts in rc related topics. Write to support - that is the correct and fastest way.
 
ErfanDL
Member
Posts: 366
Joined: Thu Sep 29, 2016 9:13 am

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 6:09 pm

ErfanDL - We usually reply within 3 working days. Did it work in 6.37 version? If it did not, then please do not write such posts in rc related topics. Write to support - that is the correct and fastest way.
Thanks for the reply.
Yes, I tested it in 6.37 - 6.37.1 and the latest RC 6.38 but it did not work.

thanks
 
Rushmore
just joined
Posts: 12
Joined: Fri Nov 04, 2016 1:04 pm

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 11:53 pm

6.38rc30 broke synthetic NIC on chr under Hyper-V... again! Hangs on /interface print, then after prints: info failed: std failure: timeout (13)
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 8:17 am

6.38rc30 broke synthetic NIC on chr under Hyper-V... again! Hangs on /interface print, then after prints: info failed: std failure: timeout (13)
I have had this issue since 6.37 release. This affects Hyper-V running 2012 R2 and older Hyper-V versions.
Windows 10 (not tested but I guess server 2016 also) works with same configuration. Waiting for MT to verify that they can reproduce the error as they only tested on Windows 10.
 
Rushmore
just joined
Posts: 12
Joined: Fri Nov 04, 2016 1:04 pm

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 9:18 am

I have had this issue since 6.37 release. This affects Hyper-V running 2012 R2 and older Hyper-V versions.
6.38rc29 works fine in my environment except live migration issue and auto-negotiation failure. 6.38rc30 hangs again, as before.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 1:54 pm

I have had this issue since 6.37 release. This affects Hyper-V running 2012 R2 and older Hyper-V versions.
6.38rc29 works fine in my environment except live migration issue and auto-negotiation failure. 6.38rc30 hangs again, as before.
My guess is you only use synthetic Network adapters? Strange, as I have this issue even if I download a brand new VHDX and start with that. If I remove the Network adapters and replace with Legacy Network Adapters this works.
I have tested rc29 but could not get that to boot either. Are you using 2012 R2?
What brand of network adapters are you using?
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 2:12 pm

I have had this issue since 6.37 release. This affects Hyper-V running 2012 R2 and older Hyper-V versions.
6.38rc29 works fine in my environment except live migration issue and auto-negotiation failure. 6.38rc30 hangs again, as before.
Downloaded a new VHDX built on rc29. Built a new machine and tried to start it. Started but maintains the same issue as all other builds for me.
 
Rushmore
just joined
Posts: 12
Joined: Fri Nov 04, 2016 1:04 pm

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 2:28 pm

Kindis
I did update via /system/packages from 6.36.3.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 3:03 pm

Kindis
I did update via /system/packages from 6.36.3.
Have done this with several rc releases but got tired of upgrading my router. That's why I'm testing new VHDX files from now on.
Tested to update a new 6.36.3 to rc30. Same issue.
Good thing is that 6.36.3 is running very well :-)
 
Rushmore
just joined
Posts: 12
Joined: Fri Nov 04, 2016 1:04 pm

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 3:35 pm

Kindis
I'm using Hyper-V checkpoints for testing RC builds.
Shutdown CHR --> create checkpoint --> turn on CHR --> update to fresh build.
If something went wrong, just apply checkpoint and delete whole checkpoint tree. Got stable version again :wink:
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 4:22 pm

Kindis
I'm using Hyper-V checkpoints for testing RC builds.
Shutdown CHR --> create checkpoint --> turn on CHR --> update to fresh build.
If something went wrong, just apply checkpoint and delete whole checkpoint tree. Got stable version again :wink:
I do the same but without turning it off. As the checkpoint covers the memory the recovery back is instant. NTP client updates the clock within a few seconds.
As this is my main router and firewall at home I have a very strong SLA during non-office hours ;-) . The family using all types of streaming and me messing with the router does not make them happy.
Testing rc builds with a new VHDX file does not affect the uptime. Works very well also as I can experiment a lot more.
Otherwise checkpoint builds are the best thing since sliced bread for the router. Don’t have to worry about rollback at all + I export the router via script every night and send it to the NAS. So I have an exported copy backup. Not just the config but the entire router.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 4:39 pm

6.38rc31 has been released.

Changes since previous version:
!) ipsec - added IKEv2 EAP RADIUS passthrough authentication for responder (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
*) bgp - do not match all prefixes tagged with community 0:0 by routing filters;
*) certificate - fixed crash when crl is removed while it is being fetched;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) log - ignore email topic if action is email;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
JavierTF
just joined
Posts: 12
Joined: Thu Nov 19, 2015 12:15 pm
Location: Santa Cruz de Tenerife

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 6:02 pm

Hello

I know this has already been suggested in some other topic, but I think this is the best place to do it.

   1) It would be interesting if you could add to CAPSMAN the option to set a frequency range in the 'channels' section instead of setting a single frequency, so that automatic channel selection could be enabled but limited only to that range

   This would help in high-density CAP environments, where it would not be necessary to set the channel for each CAP manually if you want to limit its range.

  2) Why in CAPs of 5Ghz with transmission power fixed to 30 dbm and automatic channel selection enabled, CAPSMAN always selects the lowest channel, limiting the transmit power of the CAP to 17dbm? The right way would be that if the power has been fixed, automatic channel selection will automatically limit the range of channels to be used to those that support that power (or at least prioritize these when selecting the channel to use)

Thanks a lot
 
huntermic
Member Candidate
Posts: 111
Joined: Wed Oct 26, 2016 3:42 pm

Re: v6.38rc [release candidate] is released

Wed Nov 16, 2016 11:16 am

Please fix the L2TP/IPSEC functionality before the final release
 
strzinek
just joined
Posts: 13
Joined: Tue Oct 25, 2016 10:29 am

Re: v6.38rc [release candidate] is released

Wed Nov 16, 2016 1:49 pm

Having problem with SMB on 6.38 rc versions (tried on rc29,30,31) on CHR x86 under VMWare vSphere when using linux client. I have second disc mounted on /disk1.
My ROS smb configuration:
/ip smb
set allow-guests=no comment="SMB share" domain=work enabled=yes \
    interfaces=ether1
/ip smb shares
set [ find default=yes ] disabled=yes
add directory=/disk1 max-sessions=6 name="backup\$"
/ip smb users
add name=backuper password=password
How to reproduce:
1. Connect from windows machine (tested with Win 8.1 and 10), enter username and password - connection succeeds and I am able to see and copy files with Windows explorer.
2. Connect from another machine with linux (tested on CentOS 5 and 7, both with cifs mount): the connection times out and the existing connection on the first machine also gets lost. On linux the mount command fails with message "mount error 112 = Host is down" when run first and then "mount error 111 = Connection refused"

Log on ROS says nothing. When I use only windows clients, it works ok.
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Wed Nov 16, 2016 8:02 pm

Please fix the L2TP/IPSEC functionality before the final release
I agree it needs to be fixed before final release. Make sure to send support supout. I am still working through some issues with them that were introduced in this rc. Works in rc7, but hasn't in rc25-31 (haven't tested rc8-24).
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.38rc [release candidate] is released

Thu Nov 17, 2016 5:09 am

would ikev2 be considered stable by the time we reach 6.38 final?
 
nz_monkey
Forum Guru
Posts: 2096
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v6.38rc [release candidate] is released

Thu Nov 17, 2016 9:40 am

would ikev2 be considered stable by the time we reach 6.38 final?
ikev2 will be considered stable when RouterOS 6.38 or higher is in the "bugfix" release chain.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Thu Nov 17, 2016 3:08 pm

Updated RB750Gr3 to 6.38rc24.

My ipsec tunnels with sa-src-address=0.0.0.0 are failing.
ipsec, error x.x.x.x parsing packet failed, possible cause: wrong password

After setting correct WAN address as sa-src-address, remote connections are up again:
/ip ipsec policy> set [f] sa-src-address=x.x.x.x
After upgrade to 6.38rc31, this also applies to the peers.
Error: parsing packet failed, possible cause: wrong password

Problematic config (tunnel down):

/ip ipsec peer
add address=222.222.222.222/32 enc-algorithm=aes-128 exchange-mode=aggressive local-address=:: my-id=fqdn:router.home.local nat-traversal=no

Better config (tunnel up):

/ip ipsec peer
add address=222.222.222.222/32 enc-algorithm=aes-128 exchange-mode=aggressive local-address=111.111.111.111 my-id=fqdn:router.home.local nat-traversal=no


Edit:
Unsetting the local-address seems to be working as well.. But I don't know how to achieve that from cli (only in winbox).

Edit2:
Unsetting works for a limited period. local-address is reset to :: after a while.
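
A pre-upgrade check over a provisioning script for the configuration patterns reported as breaking in this thread: pe1chl's IPv6 address without a prefix length, ThomasLevering's QuickSet NAT range, and the `sa-src-address=0.0.0.0` / `local-address=::` settings in the post above. This is an added example, not MikroTik's or any poster's code; the finding names, the sample script and the reading of the NAT range as octet-reversed are assumptions.

```python
import ipaddress
import re

# Constructed provisioning script. The ipsec peer and NAT commands reuse configs
# quoted in the thread; the /ipv6 and /ip ipsec policy lines are made-up samples.
SAMPLE = r"""
/ipv6 address
add address=2001:db8:1::1 interface=ether2
add address=2001:db8:2::1/64 interface=ether3
/ip ipsec peer
add address=222.222.222.222/32 enc-algorithm=aes-128 exchange-mode=aggressive \
    local-address=:: my-id=fqdn:router.home.local nat-traversal=no
/ip ipsec policy
add dst-address=10.0.2.0/24 sa-dst-address=222.222.222.222 \
    sa-src-address=0.0.0.0 src-address=10.0.1.0/24 tunnel=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" \
    src-address=0.89.168.192-255.89.168.192
"""

KEY_VALUE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
V4_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(script):
    """Yield (menu, verb, params) for every add/set command in a RouterOS script."""
    joined = re.sub(r"\\\r?\n\s*", "", script)  # undo backslash line continuations
    menu = ""
    for line in joined.splitlines():
        line = line.strip()
        verb = line.split(" ", 1)[0]
        if line.startswith("/"):
            menu = line
        elif verb in ("add", "set"):
            yield menu, verb, {k: v.strip('"') for k, v in KEY_VALUE.findall(line)}


def reversed_octets(addr):
    return ".".join(reversed(addr.split(".")))


def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def audit(script):
    """Return (finding, value) tuples for patterns reported as breaking in 6.38rc."""
    findings = []
    for menu, verb, p in parse(script):
        # Reported default prefix length changed from /64 to /128 when omitted.
        if menu == "/ipv6 address" and verb == "add" and "/" not in p.get("address", "/"):
            findings.append(("ipv6-no-prefix", p["address"]))
        # Reported on rc31: peers with local-address=:: fail to parse packets.
        if menu == "/ip ipsec peer" and p.get("local-address") == "::":
            findings.append(("peer-local-address-unspecified", p.get("address", "?")))
        # Reported on rc24: policies with sa-src-address=0.0.0.0 fail.
        if menu == "/ip ipsec policy" and p.get("sa-src-address") == "0.0.0.0":
            findings.append(("policy-sa-src-unspecified", p.get("sa-dst-address", "?")))
        # QuickSet range that only makes sense as private space when read backwards.
        m = V4_RANGE.match(p.get("src-address", "")) if menu == "/ip firewall nat" else None
        if m and not any(is_rfc1918(a) for a in m.groups()) \
                and all(is_rfc1918(reversed_octets(a)) for a in m.groups()):
            findings.append(("nat-range-octets-reversed",
                             "-".join(reversed_octets(a) for a in m.groups())))
    return findings


if __name__ == "__main__":
    for finding, value in audit(SAMPLE):
        print(f"{finding}: {value}")
```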
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 9:35 am

I can't get my Layer 7 filters working again on 6.38rc (on the latest version and before). Can someone check if their Layer 7 filters are still working?

I have a hEX RB750Gr3 as router.

Update: found the problem and I thought the connection state would be NEW and that was not the case....my head banged a few times on the keyboard in that time.

Update 2: I had in /ip settings "Allow Fast Path" disabled to be sure all packages went through. After enabling it again the Layer 7 stopped working.

Luckily the RB750Gr3 is fast enough to work without Fast Path and break a sweat. ;-)
Last edited by msatter on Wed Nov 23, 2016 2:10 am, edited 2 times in total.
 
ThomasLevering
just joined
Posts: 8
Joined: Mon Nov 14, 2016 8:38 am
Location: Germany

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 12:53 pm

6.38rc29 RB750Gr3
Disable/Enable PPPoE Connection crashed my config. -> No Interfaces in Winbox/CLI

I had to Restore from the Backup
 
cgabriel
newbie
Posts: 32
Joined: Sun Mar 01, 2015 9:14 am

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 1:37 pm

I had problems with auto generated certificates with CAPsMAN and local radio.
I simply prepared a board (wAP ac) with CAPsMAN and also enabling local radio for CAPsMAN.
There are some log errors related to the issued certificate, which remains unsigned (?). It works briefly on the current session, but after a router restart the client is rejected.
Reverted to 6.37.1 and it works as expected; there is still a certificate error (failed to import CAP CA), I interpret this as normal because the generated certificate is already there...

Gabriel
 
noyo
Member Candidate
Posts: 116
Joined: Sat Jan 28, 2012 12:25 am
Location: Mazury - Poland

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 7:10 pm

What's new in 6.37.2 ? Changelog is empty.
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 7:13 pm

What's new in 6.37.2 ? Changelog is empty.
From download page:

What's new in 6.37.2 (2016-Nov-08 13:15):

Important note!!!
Dude doesn't work in this version, it will be fixed in soon to be released v6.37.3

Changes since 6.37.1:

!) ethernet - optimized packet processing on low load when irq re-balance is not necessary;
!) fastpath - let one packet per second through slow path to properly update connection timeouts;
!) queues - significantly improved hashing algorithm in dynamic simple queue setups (fixes CPU load spikes on queue removal);
*) arm - improved watchdog reliability;
*) bonding - fixed 802.3ad load balancing over routed VLANs with fastpath enabled;
*) bonding - fixed mac address selection after upgrade;
*) crs - fixed port mirroring halt after L2MTU change;
*) dhcp - do not allow to create dhcp-server on slave interface;
*) ethernet - fixed interface speed reporting for x86 in log after reboot or if "disable-running-check=yes";
*) ethernet - fixed potential loopprotect crash;
*) export - fixed "/interface ethernet switch export" on some boards;
*) export - fixed CRS switch egress-vlan-tag export;
*) fastpath - fixed kernel failure when fastpath traffic goes into loop;
*) fastpath - improved connection tracking timeout updates;
*) firewall - do not allow to increase/decrease ttl and hop-limit by 0;
*) firewall - fixed "connection-state" value disappearance in rules that were created before v6.22;
*) firewall - fixed compact export (introduced in 6.37rc14);
*) firewall - improved "time" option (ranges like 22h-10h now are acceptable);
*) hotspot - fixed nat rule dst-port by making it visible again for Walled Garden ip return rules;
*) ipsec - changed logging topic from error to debug for ph2 transform mismatch messages;
*) ipv6 - increased default max-neighbor-entries value to 8192, same as ipv4;
*) mmips - improved watchdog reliability;
*) package - show minimal supported RouterOS version under "/system resource" menu if it is specified;
*) queue - fixed rare crash on statistic gathering in "/queue tree";
*) queue - improved "time" option (ranges like 22h-10h are now usable);
*) rb2011 - fixed crash on l2mtu changes;
*) sms - fixed crash after modem has failed to start;
*) ssl - fixed potential memory leak ( when using dude for example);
*) torch - fixed aggregate statistics appearance;
*) traffic-flow - fixed dst-port reporting if connection is not maintained by connection tracking;
*) userman - fixed memory leak on user limitation calculations;
*) winbox - added led settings menu;
*) winbox - fixed missing switch menu for mmips devices;
 
noyo
Member Candidate
Posts: 116
Joined: Sat Jan 28, 2012 12:25 am
Location: Mazury - Poland

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 7:17 pm

What's new in 6.37.2 ? Changelog is empty.
From download page:

What's new in 6.37.2 (2016-Nov-08 13:15):

Important note!!!
Dude doesn't work in this version, it will be fixed in soon to be released v6.37.3
I saw it.
For me, it does not say anything.
 
ErfanDL
Member
Posts: 366
Joined: Thu Sep 29, 2016 9:13 am

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 7:19 pm

6.37.2 just released to make dude buggy? :|
Please post 6.37.2 changelogs

Sent from my C6833 using Tapatalk
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 7:25 pm

6.37.2 just released to make dude buggy? :|
I think it was released early to fix important issues. Hopefully 6.38rc either isn't affected or will also have another release soon
 
linkwave
Trainer
Posts: 57
Joined: Fri May 25, 2007 9:13 pm
Location: Grosseto, Italy

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 7:31 pm

It seems that the new cpu architecture MMIPS is now supported, for the (future?) RB750Gr3.

The MMIPS package wasn't present with the 6.37.1 version.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 8:38 pm

It seems that the new cpu architecture MMIPS is now supported, for the (future?) RB750Gr3.

The MMIPS package wasn't present with the 6.37.1 version.
My (current) RB750Gr3 is running 6.37.1 (MMIPS).
It came with an earlier version, I am not sure exactly which but it was in the 6.36 series.
Anyway, this thread is not for discussing 6.37 versions.
 
celeritynetworks
just joined
Posts: 9
Joined: Wed Sep 09, 2015 10:23 pm

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 2:07 am

Email notifiers are broken (for us) in 6.38rc30 and 31. RouterOS log shows:

"Nov/21/2016 16:56:34 system,e-mail,error Error sending e-mail <Service [Probe.Name] on [Device.Name] is now [Service.Status]>: error connecting to server"

When I send a test email from within Winbox in RouterOS, it works successfully, but not from within the Dude (either via Dude client or via Dude/Notifications menu).

I even changed the notification entry to remove the variables and just have words - same error.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 1:47 pm

6.37.2 just released to make dude buggy? :|
Please post 6.37.2 changelogs
Changes since 6.37.1:
this means, 'Changes in 6.37.2 compared to 6.37.1'
 
ErfanDL
Member
Posts: 366
Joined: Thu Sep 29, 2016 9:13 am

Re: RE: Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 2:05 pm

6.37.2 just released to make dude buggy? :|
Please post 6.37.2 changelogs
Changes since 6.37.1:
this means, 'Changes in 6.37.2 compared to 6.37.1'
So 6.37.2 is real version of 6.37.1 :D
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: RE: Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 2:14 pm

this means, 'Changes in 6.37.2 compared to 6.37.1'
So 6.37.2 is real version of 6.37.1 :D
no, this means what I said, but not 'Changes since 6.37' or 'Changes since 6.36.4' or 'Changes since 6.38rcXX' or some other version
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 2:14 pm

No!

6.37.1 and 6.37.2 have separate changelogs. Please read carefully.
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 2:24 pm

Hello, I think maybe it is better to talk about 6.37.1/6.37.2 in the 6.37.x topic
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 3:28 pm

Version 6.38rc34 has been released.

Changes since 6.38rc31:
!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set xauth-use-radius=yes" (cli only);
!) ipsec - added IKEv2 EAP RADIUS passthrough authentication for responder (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation (cli only);
!) tr069-client - initial implementation (as separate package);
*) bonding - added "forced-mac-address" option;
*) certificates - added support for PKCS#12 export;
*) chr - fixed crash on "/interface print" (introduced in 6.36.4);
*) chr - fixed crash on "/system shutdown" and "/system shutdown";
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) firewall - new faster "connection-limit" option implementation;
*) ospf - fixed route crash caused by memory corruption when there are multiple active interfaces;
*) smb - fixed crash on connect (introduced in 6.38rc1);
*) tile - fixed rare kernel failure when IPv6 neighbor discovery packet is received;
*) traceroute - fixed crash when too many sessions are active;
*) winbox - recognize properly tcp in traffic-generator packet-template header type;
*) winbox - show HT MCS tab if 2GHz-G/N band is used;
*) wireless - added CRL checking for eap-tls;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
MartijnVdS
Frequent Visitor
Posts: 93
Joined: Wed Aug 13, 2014 9:36 am

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 4:52 pm

*) certificates - added support for PKCS#12 export;
This will make deployment so much easier! Thanks :)
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 7:26 pm

Version 6.38rc34 has been released.

Changes since 6.38rc31:
*) chr - fixed crash on "/interface print" (introduced in 6.36.4);
*) chr - fixed crash on "/system shutdown" and "/system shutdown";
I think this may have solved my issues with my CHR in Hyper-V. :-)
I can boot a fresh copy now without issues. Will try to upgrade my CHR asap to verify.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 8:29 pm

Version 6.38rc34 has been released.

Changes since 6.38rc31:
*) chr - fixed crash on "/interface print" (introduced in 6.36.4);
*) chr - fixed crash on "/system shutdown" and "/system shutdown";
I think this may have solved my issues with my CHR in Hyper-V. :-)
I can boot a fresh copy now without issues. Will try to upgrade my CHR asap to verify.
Yep, this has solved my issues with CHR on Hyper-V (2012 R2). Upgrade went just fine from 6.36.3 and I tested several reboots without any hiccup.
So good work Mikrotik :-)
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Wed Nov 23, 2016 2:44 pm

Version 6.38rc35 has been released.

Changes since previous version:
*) disk - fixed issue when disk was renamed after reboot on devices with flash disks;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ospf - fixed route crash caused by memory corruption when there are multiple active interfaces;
*) tunnel - allow to force mtu value when actual-mtu is already the same;
*) tunnel - fixed transmit packets occasionally not going through fastpath;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
hechz
just joined
Posts: 18
Joined: Fri Jan 23, 2015 1:36 pm

Re: v6.38rc [release candidate] is released

Thu Nov 24, 2016 5:01 am

Hi All,

I've just updated to rc35 and would like to report that the ipsec multi session behind a single NAT seems a bit buggy. While both sessions work for a few moments, as soon as traffic is passed, the session that connected first eventually becomes unusable. I'm new to Mikrotik reporting, so if you'd like me to collect client side and server side pcaps or anything, let me know.

/ppp profile
set *0 address-list="" !bridge !bridge-path-cost !bridge-port-priority \
    change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter \
    !insert-queue-before !local-address name=default on-down="" on-up="" \
    only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit \
    !remote-address remote-ipv6-prefix-pool=none !session-timeout \
    use-compression=default use-encryption=default use-ipv6=yes use-mpls=\
    default use-upnp=default !wins-server
add address-list="" bridge=bridge-local !bridge-path-cost \
    !bridge-port-priority change-tcp-mss=yes dns-server=\
    192.168.88.2,192.168.88.20 !idle-timeout !incoming-filter \
    !insert-queue-before local-address=192.168.99.1 name=\
    L2TP-IPSec-VPN-Mobile on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit remote-address=\
    vpnClients !session-timeout use-compression=no use-encryption=required \
    use-ipv6=yes use-mpls=no use-upnp=yes wins-server=\
    192.168.88.20,192.168.88.5
/interface l2tp-server server
set allow-fast-path=no authentication=mschap2 default-profile=\
    L2TP-IPSec-VPN-Mobile enabled=yes keepalive-timeout=30 max-mru=1460 \
    max-mtu=1460 max-sessions=unlimited mrru=disabled use-ipsec=yes
/interface ovpn-server server
set auth=sha1 certificate=1_vpn.photosphere.net_bundle.crt_0 cipher=aes256 \
    default-profile=L2TP-IPSec-VPN-Mobile enabled=yes keepalive-timeout=60 \
    mac-address=x:x:x:x:x:x max-mtu=1500 mode=ip netmask=24 port=1194 \
    require-client-certificate=no
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key comment=\
    "L2TP/IPSEC Dial-in Mobile Clients" dh-group=modp1024 disabled=no \
    dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des \
    exchange-mode=main-l2tp generate-policy=port-strict hash-algorithm=sha1 \
    lifetime=1d local-address=:: mode-config=pdn-vpn-split nat-traversal=yes \
    passive=no policy-template-group=default proposal-check=obey \
    send-initial-contact=yes
add address=0.0.0.0/0 auth-method=pre-shared-key comment=\
    "L2TP/IPSEC Dial-in Laptop Clients" dh-group=modp1024 disabled=no \
    dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des \
    exchange-mode=main-l2tp generate-policy=port-strict hash-algorithm=sha1 \
    lifetime=1d local-address=:: mode-config=pdn-vpn-split nat-traversal=yes \
    passive=no policy-template-group=pdn-vpn proposal-check=obey \
    send-initial-contact=yes
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default level=require proposal=\
    L2TP-VPN-IPsec protocol=all src-address=0.0.0.0/0 template=yes
add disabled=no dst-address=0.0.0.0/0 group=pdn-vpn level=require proposal=\
    "L2TP/IPSEC Dial-in Laptop Clients" protocol=all src-address=0.0.0.0/0 \
    template=yes
add action=encrypt comment=MARS-PDN<->ADMS-DUB disabled=yes dst-address=\
    0.0.0.0/0 dst-port=any ipsec-protocols=esp level=require priority=0 \
    proposal="L2TP/IPSEC Dial-in Laptop Clients" protocol=all sa-dst-address=\
    185.58.18.243 sa-src-address=x.x.x.x src-address=0.0.0.0/0 src-port=\
    any tunnel=yes
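
An added example, not part of the post above and not MikroTik code: a small Python reader for the export text above that joins the backslash-wrapped lines, parses each command, and reports which properties differ between "/ip ipsec peer" entries that share the same address and exchange-mode. The sample text is copied from the post (the "/ppp profile" line is shortened); all function names are this example's own.

```python
import shlex

# Constructed sample: a shortened "/ppp profile" line and the two
# "/ip ipsec peer" entries, copied from the export in the post above.
EXPORT = r'''
/ppp profile
set *0 change-tcp-mss=yes !dns-server use-ipv6=yes use-mpls=\
    default use-upnp=default !wins-server
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key comment=\
    "L2TP/IPSEC Dial-in Mobile Clients" dh-group=modp1024 disabled=no \
    dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des \
    exchange-mode=main-l2tp generate-policy=port-strict hash-algorithm=sha1 \
    lifetime=1d local-address=:: mode-config=pdn-vpn-split nat-traversal=yes \
    passive=no policy-template-group=default proposal-check=obey \
    send-initial-contact=yes
add address=0.0.0.0/0 auth-method=pre-shared-key comment=\
    "L2TP/IPSEC Dial-in Laptop Clients" dh-group=modp1024 disabled=no \
    dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des \
    exchange-mode=main-l2tp generate-policy=port-strict hash-algorithm=sha1 \
    lifetime=1d local-address=:: mode-config=pdn-vpn-split nat-traversal=yes \
    passive=no policy-template-group=pdn-vpn proposal-check=obey \
    send-initial-contact=yes
'''


def join_continuations(text):
    """Merge lines that end in a backslash with the line that follows.

    The export may wrap in the middle of a value ("use-mpls=" on one line,
    "default" on the next), so the indentation of the continuation line is
    dropped and nothing is inserted at the join.
    """
    logical, buf, continuing = [], "", False
    for raw in text.splitlines():
        line = raw.rstrip()
        if continuing:
            line = line.lstrip()
        if line.endswith("\\"):
            buf += line[:-1]          # keep any space that preceded the backslash
            continuing = True
            continue
        if buf or line.strip():
            logical.append((buf + line).strip())
        buf, continuing = "", False
    if buf:
        logical.append(buf.strip())
    return logical


def parse_export(text):
    """Return one dict per command: menu path, verb, target and parameters.

    Assumes the layout shown in the post: the menu path on its own line,
    followed by "set"/"add" lines. A "!name" token marks a property as
    unset and is stored with the value None.
    """
    entries, menu = [], None
    for line in join_continuations(text):
        if line.startswith("#"):      # export header comments
            continue
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)    # honours the quoted comment="..." values
        entry = {"menu": menu, "verb": tokens[0], "target": None, "params": {}}
        for tok in tokens[1:]:
            if tok.startswith("!"):
                entry["params"][tok[1:]] = None
            elif "=" in tok:
                key, value = tok.split("=", 1)
                entry["params"][key] = value
            else:                     # item reference such as "*0" or "0"
                entry["target"] = tok
        entries.append(entry)
    return entries


def diff_params(a, b):
    """Properties whose values differ between two parsed entries."""
    keys = set(a["params"]) | set(b["params"])
    return {k: (a["params"].get(k), b["params"].get(k))
            for k in sorted(keys)
            if a["params"].get(k) != b["params"].get(k)}


def overlapping_peers(entries):
    """Pair up /ip ipsec peer entries with the same address and exchange-mode."""
    peers = [e for e in entries
             if e["menu"] == "/ip ipsec peer" and e["verb"] == "add"]
    report = []
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            if all(a["params"].get(k) == b["params"].get(k)
                   for k in ("address", "exchange-mode")):
                report.append((a["params"].get("comment"),
                               b["params"].get("comment"),
                               diff_params(a, b)))
    return report


if __name__ == "__main__":
    for first, second, diff in overlapping_peers(parse_export(EXPORT)):
        print(f"{first!r} vs {second!r}")
        for key, (left, right) in diff.items():
            print(f"  {key}: {left!r} != {right!r}")
```
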
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Nov 24, 2016 11:51 am

Version 6.38rc36 has been released.

Changes since 6.38rc35:
!) tr069-client - initial implementation (as separate package);
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) file - fixed file manager crash when file transfer gets cancelled;
*) mipsbe - improved memory allocation on devices with nand when file transfer and tcp traffic processing is on progress;
*) ppp - significantly improved shutdown speed on servers with many active tunnels;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
alexspils
Member Candidate
Posts: 180
Joined: Thu Jun 05, 2008 8:57 pm

Re: v6.38rc [release candidate] is released

Thu Nov 24, 2016 3:01 pm

bug:
Reset TR-069 data? [y/N]:
y
/pckg/tr069-client/home/TR069-reset.sh: 3: pkill: not found
done
 
barracuda
newbie
Posts: 38
Joined: Thu Jul 09, 2015 12:41 am

Re: v6.38rc [release candidate] is released

Thu Nov 24, 2016 10:20 pm

I have a problem with the latest 6.38rc build when I try to update a Mikrotik hAP lite (RB941-2nD). When the upgrade is finished and the router reboots, I can't connect to the router anymore.
No wireless signal and no neighbors mac address. The only way is netinstall. Does anyone have the same problem? I have never had this problem before.
 
Gennadiy51
newbie
Posts: 30
Joined: Fri Nov 06, 2009 4:33 pm
Location: Moldova, Chisinau

Re: v6.38rc [release candidate] is released

Thu Nov 24, 2016 10:49 pm

I have a problem with the latest 6.38rc build when I try to update a Mikrotik hAP lite (RB941-2nD). When the upgrade is finished and the router reboots, I can't connect to the router anymore.
No wireless signal and no neighbors mac address. The only way is netinstall. Does anyone have the same problem? I have never had this problem before.
+1 with two RouterBoards hAP lite (RB941-2nD) on v6.38rc35. On v6.38rc36 all OK.
 
pyjamasam
just joined
Posts: 21
Joined: Wed Jun 03, 2015 9:26 pm

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 3:54 am

Attempting to upgrade a CHR install of 6.38rc31 to 6.38rc36 results in the following log entries:
licence does not permit to upgrade routeros-x86-6.38rc36
licence does not permit to upgrade dude-6.38rc36
open /dev/panics failed
I have the dude package installed as well (this is my dude test install).
This is a system running a P1 level licence as it's a test system.

Next Renewal is listed as November 25th 2016, Deadline is listed as November 18th 2016.
Limited upgrades is checked.

I just tried renewing the licence and there was no change to the next renewal date or the deadline date.

So the upgrade seems to be limited by my licence, though looking at the dates shown in the licence dialog it would seem to me that things are still ok...

Just curious for some clarification to my understanding, or if this is a bug.

chris.
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 12:35 pm

Version 6.38rc36 has been released.
Changes since 6.38rc35:
.. [CUT]..
If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
CRS125-24G-1S upgraded from 6.38rc34 (or 6.38rc35) to 6.38rc36 went into a 'dead state' (probably a kernel panic; I had no possibility to check with a console cable). After manually power cycling it two times it came back alive correctly on 6.38rc36 and now seems to work normally. Probably this is an isolated/local issue, but maybe someone has the same problem and goes directly to netinstall; try to power cycle the device a couple of times before netinstall.

No problems noticed, though, when upgrading a hEX (gr3) and a hAP lite (lab devices). Conversely, from rc34 on, the new hEX (gr3) seems to have definitely more stable ethernet interfaces; they were sometimes flapping in a strange way: link-down counters increasing without notices in the log, Gbit links flapping and going to 100M after half a dozen negotiation tries (linked to CRS125).
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 1:28 pm

bug:
Reset TR-069 data? [y/N]:
y
/pckg/tr069-client/home/TR069-reset.sh: 3: pkill: not found
done
Fix included in the next build, but in general, this command should not be used. We will remove it. It was meant to completely reset the TR069 program if it has completely crashed. Not needed in normal use.
 
horza
just joined
Posts: 6
Joined: Sun Oct 19, 2014 3:30 pm

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 1:55 pm

After upgrading to rc36 from the previous rc, my RB2011UAS-2HnD went to 100% CPU usage. It used to be under 15%.
It doesn't crash, just runs at 100%. Routing is noticeably slow, so it's not a CPU usage reading error, but a real 100% usage.

I haven't seen this problem with any of the previous RCs (I upgrade this router as soon as there's an RC update).
I'm not seeing any problems on x86_64, so I'm guessing it might be related to the latest memory allocation update for mipsbe :)

Here's a screenshot: https://dl.horza.org/routeros/routeros- ... -usage.png


Update: I've rebooted it and it's fine now. Will keep monitoring.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 2:51 pm

Version 6.38rc37 has been released.

Changes since 6.38rc36:
!) tr069-client - initial implementation (as separate package);
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) firewall - fixed filter rule "limit" parameter by making it visible again;
*) hAP lite - fixed bootup (broken in v6.38rc35);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 3:51 pm

After upgrading to rc36 from the previous rc, my RB2011UAS-2HnD went to 100% CPU usage.
Please report to support; I've had a similar issue with RB2011 which could not be reproduced.

In my case the router spiked to 100% cpu after upgrade from 6.38rc25 to 6.38rc31 with a certificate bundle present.

Ticket#2016110822001251
 
BorislavTP
just joined
Posts: 3
Joined: Fri Nov 25, 2016 3:52 pm

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 4:06 pm

Hello,
I have installed this version as I already want to connect Vodafone K4201-Z LTE USB Modem in RB2011UAS-IN router.
I have tried to configure it, but without any success.
Could someone help me?
Thank you in advance.
 
irico
newbie
Posts: 47
Joined: Thu Nov 10, 2016 5:35 pm

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 4:26 pm

IPsec IKEv2 is not working in the latest RCs.
In version 6.38rc31 it was working fine. After updating to 6.38rc35, IPsec cannot establish the tunnel. Updating to 6.38rc37 gives the same problem.

This is a test environment.

R1:
Logs:
Nov/25/2016 14:08:39 ipsec,debug ==========
Nov/25/2016 14:08:39 ipsec,debug 268 bytes message received from 10.1.0.1[500] to 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug ike2 request exchange: SA_INIT id: 0
Nov/25/2016 14:08:39 ipsec,debug ike2 respond
Nov/25/2016 14:08:39 ipsec,debug payload seen: NOTIFY
Nov/25/2016 14:08:39 ipsec,debug payload seen: NONCE
Nov/25/2016 14:08:39 ipsec,debug payload seen: KE
Nov/25/2016 14:08:39 ipsec,debug payload seen: SA
Nov/25/2016 14:08:39 ipsec,debug processing payload: NONCE
Nov/25/2016 14:08:39 ipsec,debug processing payload: SA
Nov/25/2016 14:08:39 ipsec,debug IKE Protocol: IKE
Nov/25/2016 14:08:39 ipsec,debug  proposal #1
Nov/25/2016 14:08:39 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:08:39 ipsec,debug   enc: aes128-cbc
Nov/25/2016 14:08:39 ipsec,debug   enc: 3des-cbc
Nov/25/2016 14:08:39 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:08:39 ipsec,debug   auth: sha256
Nov/25/2016 14:08:39 ipsec,debug   dh: modp1024
Nov/25/2016 14:08:39 ipsec,debug matched proposal:
Nov/25/2016 14:08:39 ipsec,debug  proposal #1
Nov/25/2016 14:08:39 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:08:39 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:08:39 ipsec,debug   auth: sha256
Nov/25/2016 14:08:39 ipsec,debug   dh: modp1024
Nov/25/2016 14:08:39 ipsec,debug processing payload: KE
Nov/25/2016 14:08:39 ipsec,debug => shared secret (size 0x80)
Nov/25/2016 14:08:39 ipsec,debug adding payload: SA
Nov/25/2016 14:08:39 ipsec,debug => (size 0x30)
Nov/25/2016 14:08:39 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005
Nov/25/2016 14:08:39 ipsec,debug 03000008 03000003 00000008 04000002
Nov/25/2016 14:08:39 ipsec,debug adding payload: KE
Nov/25/2016 14:08:39 ipsec,debug => (size 0x88)
Nov/25/2016 14:08:39 ipsec,debug adding payload: NONCE
Nov/25/2016 14:08:39 ipsec,debug => (size 0x1c)
Nov/25/2016 14:08:39 ipsec,debug 0000001c 8b24f42f aada2a63 b1d521de 55c5e635 450f145c 1e79b6cc
Nov/25/2016 14:08:39 ipsec,debug adding payload: NOTIFY
Nov/25/2016 14:08:39 ipsec,debug => (size 0x8)
Nov/25/2016 14:08:39 ipsec,debug 00000008 00004000
Nov/25/2016 14:08:39 ipsec,debug ==========
Nov/25/2016 14:08:39 ipsec,debug sending 248 bytes from 10.0.0.1[500] to 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet sockname 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet send packet from 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet send packet to 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet src4 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet dst4 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet 1 times of 248 bytes message will be sent to 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug => skeyseed (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug e4140415 f6c44305 b00e772f 2466e965 bd5a5c9f f88cc90f a8e2e020 f978fffb
Nov/25/2016 14:08:39 ipsec,debug => keymat (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 42bcaf55 017ee579 f0cf1406 ae2804f2 2053defe 36bac9b5 8c047b64 8c8b26c1
Nov/25/2016 14:08:39 ipsec,debug => SK_ai (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 5b6ba7eb 373defbd 5833af59 d361276d 0540c19f 32e71f1c b9e26b21 435e2a06
Nov/25/2016 14:08:39 ipsec,debug => SK_ar (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug a094c725 7da338e8 ce4c92fd e9121181 8545e8fd 5a669f98 cd3d06ac 5fad4592
Nov/25/2016 14:08:39 ipsec,debug => SK_ei (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 3394c436 817ff745 0222fd60 ef8fe617 afb60465 56be2644 237d496e c63274ff
Nov/25/2016 14:08:39 ipsec,debug => SK_er (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 22038ce2 fe68beaa db466833 42d47dd7 79cf05ea e761d595 f5f8b33b 57790d5f
Nov/25/2016 14:08:39 ipsec,debug => SK_pi (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 495a755b 48b30049 bf76c375 b1e01717 69f17677 1f995bf9 4ab7ab04 e89fe417
Nov/25/2016 14:08:39 ipsec,debug => SK_pr (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 83695fe0 bf978030 63483518 38c7b456 1546dfbc 17f56c56 c31ba125 2035315f
Nov/25/2016 14:08:39 ipsec,debug processing payloads: NOTIFY
Nov/25/2016 14:08:39 ipsec,debug new ph1 responder connection established
Nov/25/2016 14:08:39 ipsec,info new ike2 responder connection: 10.0.0.1[4500]<->10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug child negitiation timeout in state 0
Nov/25/2016 14:09:09 ipsec,info killing connection: 10.0.0.1[4500]<->10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug ==========
Nov/25/2016 14:09:09 ipsec,debug 260 bytes message received from 10.1.0.1[500] to 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug ike2 request exchange: SA_INIT id: 0
Nov/25/2016 14:09:09 ipsec,debug ike2 respond
Nov/25/2016 14:09:09 ipsec,debug payload seen: NONCE
Nov/25/2016 14:09:09 ipsec,debug payload seen: KE
Nov/25/2016 14:09:09 ipsec,debug payload seen: SA
Nov/25/2016 14:09:09 ipsec,debug processing payload: NONCE
Nov/25/2016 14:09:09 ipsec,debug processing payload: SA
Nov/25/2016 14:09:09 ipsec,debug IKE Protocol: IKE
Nov/25/2016 14:09:09 ipsec,debug  proposal #1
Nov/25/2016 14:09:09 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:09:09 ipsec,debug   enc: aes128-cbc
Nov/25/2016 14:09:09 ipsec,debug   enc: 3des-cbc
Nov/25/2016 14:09:09 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:09:09 ipsec,debug   auth: sha256
Nov/25/2016 14:09:09 ipsec,debug   dh: modp1024
Nov/25/2016 14:09:09 ipsec,debug matched proposal:
Nov/25/2016 14:09:09 ipsec,debug  proposal #1
Nov/25/2016 14:09:09 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:09:09 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:09:09 ipsec,debug   auth: sha256
Nov/25/2016 14:09:09 ipsec,debug   dh: modp1024
Nov/25/2016 14:09:09 ipsec,debug processing payload: KE
Nov/25/2016 14:09:09 ipsec,debug => shared secret (size 0x80)
Nov/25/2016 14:09:09 ipsec,debug adding payload: SA
Nov/25/2016 14:09:09 ipsec,debug => (size 0x30)
Nov/25/2016 14:09:09 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005
Nov/25/2016 14:09:09 ipsec,debug 03000008 03000003 00000008 04000002
Nov/25/2016 14:09:09 ipsec,debug adding payload: KE
Nov/25/2016 14:09:09 ipsec,debug => (size 0x88)
Nov/25/2016 14:09:09 ipsec,debug adding payload: NONCE
Nov/25/2016 14:09:09 ipsec,debug => (size 0x1c)
Nov/25/2016 14:09:09 ipsec,debug 0000001c 649ccbf5 fc6dedcb ab685964 6981c266 640942fa 1e48d13a
Nov/25/2016 14:09:09 ipsec,debug ==========
Nov/25/2016 14:09:09 ipsec,debug sending 240 bytes from 10.0.0.1[500] to 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet sockname 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet send packet from 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet send packet to 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet src4 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet dst4 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet 1 times of 240 bytes message will be sent to 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug => skeyseed (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 6fa0aa32 750b1ef1 8eb224c6 dd61cf88 6d387e37 3156c620 0a747f71 87ff6603
Nov/25/2016 14:09:09 ipsec,debug => keymat (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug d7d2ed58 f4df921d 752a7a7a 843c19ee c3f739bd 13f4b887 d4efc8fd 2be5fb07
Nov/25/2016 14:09:09 ipsec,debug => SK_ai (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug b14d5740 de4f8e9d 3ca9e169 e11f01a7 6ed882a3 58c2aede 50edf2de 3d9cefcf
Nov/25/2016 14:09:09 ipsec,debug => SK_ar (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 089c8f67 f8f6355a 82e3307b c0f71b52 c5af09fd 4ec0f978 4cfd8b83 aed91574
Nov/25/2016 14:09:09 ipsec,debug => SK_ei (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 5830aa26 cd8feaec c13e1e82 db08986e c74f66fa d9028500 9e6b7e09 96913fa7
Nov/25/2016 14:09:09 ipsec,debug => SK_er (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 908529fd 65bd352b 27077fba 1ff189a5 420f46cf 22e65764 ab1454ec c39c215d
Nov/25/2016 14:09:09 ipsec,debug => SK_pi (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 4a8407ff f9d596ae d280d852 f640c3fe e5dd4dda 09113595 fe702fa7 b98f1b4f
Nov/25/2016 14:09:09 ipsec,debug => SK_pr (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 108fd66f cce6c2f8 f1219c9a c1da7f0e 3fe9cba0 b8002026 42cbdd90 41ab0b61
Nov/25/2016 14:09:09 ipsec,debug processing payloads: NOTIFY
Nov/25/2016 14:09:09 ipsec,debug none payloads found!
Nov/25/2016 14:09:09 ipsec,debug new ph1 responder connection established
Nov/25/2016 14:09:09 ipsec,info new ike2 responder connection: 10.0.0.1[4500]<->10.1.0.1[500]
Nov/25/2016 14:09:29 ipsec,info killing connection: 10.0.0.1[4500]<->10.1.0.1[500]
IPsec export:
# nov/25/2016 14:22:17 by RouterOS 6.38rc37
# software id = 
#
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des name=VPN pfs-group=none
/ip ipsec peer
add address=10.1.0.1/32 disabled=yes dpd-interval=disable-dpd enc-algorithm=aes-256,aes-128,3des exchange-mode=ike2 hash-algorithm=sha256 \
    nat-traversal=no passive=yes secret=TEST
/ip ipsec policy
add dst-address=192.168.170.0/24 proposal=VPN sa-dst-address=10.1.0.1 sa-src-address=10.0.0.1 src-address=192.168.160.0/24 tunnel=yes
R2:
Logs:
Nov/25/2016 14:08:39 ipsec,debug ike2 initialize send for: 10.0.0.1
Nov/25/2016 14:08:39 ipsec,debug adding payload: NOTIFY
Nov/25/2016 14:08:39 ipsec,debug => (size 0x8)
Nov/25/2016 14:08:39 ipsec,debug 00000008 00004000
Nov/25/2016 14:08:39 ipsec,debug adding payload: NONCE
Nov/25/2016 14:08:39 ipsec,debug => (size 0x1c)
Nov/25/2016 14:08:39 ipsec,debug 0000001c 2f303127 c4ca221f 0a3f66de 303a3904 ce77e2d8 14c1b8e9
Nov/25/2016 14:08:39 ipsec,debug adding payload: KE
Nov/25/2016 14:08:39 ipsec,debug => (size 0x88)
Nov/25/2016 14:08:39 ipsec,debug adding payload: SA
Nov/25/2016 14:08:39 ipsec,debug => (size 0x44)
Nov/25/2016 14:08:39 ipsec,debug 00000044 00000040 01010006 0300000c 0100000c 800e0100 0300000c 0100000c
Nov/25/2016 14:08:39 ipsec,debug 800e0080 03000008 01000003 03000008 02000005 03000008 03000003 00000008
Nov/25/2016 14:08:39 ipsec,debug 04000002
Nov/25/2016 14:08:39 ipsec,debug ==========
Nov/25/2016 14:08:39 ipsec,debug sending 268 bytes from 10.1.0.1[500] to 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet sockname 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet send packet from 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet send packet to 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet src4 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet dst4 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet 1 times of 268 bytes message will be sent to 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug ==========
Nov/25/2016 14:08:39 ipsec,debug 248 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug ike2 answer exchange: SA_INIT id: 0
Nov/25/2016 14:08:39 ipsec,debug ike2 initialize recv
Nov/25/2016 14:08:39 ipsec,debug payload seen: SA
Nov/25/2016 14:08:39 ipsec,debug payload seen: KE
Nov/25/2016 14:08:39 ipsec,debug payload seen: NONCE
Nov/25/2016 14:08:39 ipsec,debug payload seen: NOTIFY
Nov/25/2016 14:08:39 ipsec,debug processing payload: NONCE
Nov/25/2016 14:08:39 ipsec,debug processing payload: SA
Nov/25/2016 14:08:39 ipsec,debug IKE Protocol: IKE
Nov/25/2016 14:08:39 ipsec,debug  proposal #1
Nov/25/2016 14:08:39 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:08:39 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:08:39 ipsec,debug   auth: sha256
Nov/25/2016 14:08:39 ipsec,debug   dh: modp1024
Nov/25/2016 14:08:39 ipsec,debug matched proposal:
Nov/25/2016 14:08:39 ipsec,debug  proposal #1
Nov/25/2016 14:08:39 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:08:39 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:08:39 ipsec,debug   auth: sha256
Nov/25/2016 14:08:39 ipsec,debug   dh: modp1024
Nov/25/2016 14:08:39 ipsec,debug processing payload: KE
Nov/25/2016 14:08:39 ipsec,debug => shared secret (size 0x80)
Nov/25/2016 14:08:39 ipsec,debug ea813706 7c9cb1c4 b6cdaf4c 73158754 df387020 4d154f95 7bbd26e7 4c14159e
Nov/25/2016 14:08:39 ipsec,debug ac2a98eb 6fbc5eb0 6c78b12b a784e89b d7f59b31 9b9f8bcb b6cd9b84 4a1d6e1e
Nov/25/2016 14:08:39 ipsec,debug 707023d1 45d7b35f 78b6c342 f967894d 784ea3ea 7d9ced9d ceb909f8 67e1c99a
Nov/25/2016 14:08:39 ipsec,debug fe2bdd3d 80bfb5a2 f69f8f1a 6d0fa025 08571c3c 0d197aa9 72fc6f96 7b674e68
Nov/25/2016 14:08:39 ipsec,debug => skeyseed (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug e4140415 f6c44305 b00e772f 2466e965 bd5a5c9f f88cc90f a8e2e020 f978fffb
Nov/25/2016 14:08:39 ipsec,debug => keymat (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 42bcaf55 017ee579 f0cf1406 ae2804f2 2053defe 36bac9b5 8c047b64 8c8b26c1
Nov/25/2016 14:08:39 ipsec,debug => SK_ai (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 5b6ba7eb 373defbd 5833af59 d361276d 0540c19f 32e71f1c b9e26b21 435e2a06
Nov/25/2016 14:08:39 ipsec,debug => SK_ar (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug a094c725 7da338e8 ce4c92fd e9121181 8545e8fd 5a669f98 cd3d06ac 5fad4592
Nov/25/2016 14:08:39 ipsec,debug => SK_ei (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 3394c436 817ff745 0222fd60 ef8fe617 afb60465 56be2644 237d496e c63274ff
Nov/25/2016 14:08:39 ipsec,debug => SK_er (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 22038ce2 fe68beaa db466833 42d47dd7 79cf05ea e761d595 f5f8b33b 57790d5f
Nov/25/2016 14:08:39 ipsec,debug => SK_pi (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 495a755b 48b30049 bf76c375 b1e01717 69f17677 1f995bf9 4ab7ab04 e89fe417
Nov/25/2016 14:08:39 ipsec,debug => SK_pr (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 83695fe0 bf978030 63483518 38c7b456 1546dfbc 17f56c56 c31ba125 2035315f
Nov/25/2016 14:08:39 ipsec,debug processing payloads: NOTIFY
Nov/25/2016 14:08:39 ipsec,debug new ph1 initiator connection established
Nov/25/2016 14:08:39 ipsec,info new ike2 initiator connection: 10.1.0.1[4500]<->10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug init child for policy: 192.168.170.0/24/24:0 <=> 192.168.160.0/24/24:0 ipproto:255
Nov/25/2016 14:08:39 ipsec,debug GETSPI sent: 10.0.0.1->10.1.0.1
Nov/25/2016 14:08:39 ipsec,debug ikev2 got spi 0xb7705da
Nov/25/2016 14:08:39 ipsec,debug init child continue
Nov/25/2016 14:08:39 ipsec,debug offering proto: 3
Nov/25/2016 14:08:39 ipsec,debug  proposal #1
Nov/25/2016 14:08:39 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:08:39 ipsec,debug   enc: aes128-cbc
Nov/25/2016 14:08:39 ipsec,debug   enc: 3des-cbc
Nov/25/2016 14:08:39 ipsec,debug   auth: sha512
Nov/25/2016 14:08:39 ipsec,debug   auth: sha256
Nov/25/2016 14:08:39 ipsec,debug   auth: sha1
Nov/25/2016 14:08:39 ipsec,debug   auth: md5
Nov/25/2016 14:08:39 ipsec,debug   esn: off
Nov/25/2016 14:08:39 ipsec,debug initiator selector: 192.168.170.0/24/24 ipproto:0
Nov/25/2016 14:08:39 ipsec,debug => selector created (size 0x18)
Nov/25/2016 14:08:39 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8aa00 c0a8aaff
Nov/25/2016 14:08:39 ipsec,debug responder selector: 192.168.160.0/24/24 ipproto:0
Nov/25/2016 14:08:39 ipsec,debug => selector created (size 0x18)
Nov/25/2016 14:08:39 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8a000 c0a8a0ff
Nov/25/2016 14:08:39 ipsec,debug my ID (ADDR): 10.1.0.1
Nov/25/2016 14:08:39 ipsec,debug processing payload: NONCE
Nov/25/2016 14:08:39 ipsec,debug => auth nonce (size 0x18)
Nov/25/2016 14:08:39 ipsec,debug 8b24f42f aada2a63 b1d521de 55c5e635 450f145c 1e79b6cc
Nov/25/2016 14:08:39 ipsec,debug => SK_p (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 495a755b 48b30049 bf76c375 b1e01717 69f17677 1f995bf9 4ab7ab04 e89fe417
Nov/25/2016 14:08:39 ipsec,debug => idhash (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 210cb837 b8674af3 9816ad00 6507ff08 52ed8dac 178c368a 5ec94589 a8fcc964
Nov/25/2016 14:08:39 ipsec,debug => my auth (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 6b080158 8bbdd7ce 600b89dc 2bc0a967 a8bb4183 16d4c066 9bd42eb3 54a29d5b
Nov/25/2016 14:08:39 ipsec,debug adding payload: ID_I
Nov/25/2016 14:08:39 ipsec,debug => (size 0xc)
Nov/25/2016 14:08:39 ipsec,debug 0000000c 01000000 0a010001
Nov/25/2016 14:08:39 ipsec,debug adding payload: AUTH
Nov/25/2016 14:08:39 ipsec,debug => (size 0x28)
Nov/25/2016 14:08:39 ipsec,debug 00000028 02000000 6b080158 8bbdd7ce 600b89dc 2bc0a967 a8bb4183 16d4c066
Nov/25/2016 14:08:39 ipsec,debug 9bd42eb3 54a29d5b
Nov/25/2016 14:08:39 ipsec,debug adding payload: SA
Nov/25/2016 14:08:39 ipsec,debug => (size 0x58)
Nov/25/2016 14:08:39 ipsec,debug 00000058 00000054 01030408 0b7705da 0300000c 0100000c 800e0100 0300000c
Nov/25/2016 14:08:39 ipsec,debug 0100000c 800e0080 03000008 01000003 03000008 03000004 03000008 03000003
Nov/25/2016 14:08:39 ipsec,debug 03000008 03000002 03000008 03000001 00000008 05000000
Nov/25/2016 14:08:39 ipsec,debug adding payload: TS_I
Nov/25/2016 14:08:39 ipsec,debug => (size 0x18)
Nov/25/2016 14:08:39 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8aa00 c0a8aaff
Nov/25/2016 14:08:39 ipsec,debug adding payload: TS_R
Nov/25/2016 14:08:39 ipsec,debug => (size 0x18)
Nov/25/2016 14:08:39 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8a000 c0a8a0ff
Nov/25/2016 14:08:39 ipsec,debug,packet => outgoing plain packet (size 0x200)
Nov/25/2016 14:08:39 ipsec,debug adding payload: ENC
Nov/25/2016 14:08:39 ipsec,debug => (first 0x100 of 0x154)
Nov/25/2016 14:08:39 ipsec,debug unknown socket
Nov/25/2016 14:08:44 ipsec,debug retransmit
Nov/25/2016 14:08:44 ipsec,debug unknown socket
Nov/25/2016 14:08:49 ipsec,debug retransmit
Nov/25/2016 14:08:49 ipsec,debug unknown socket
Nov/25/2016 14:08:54 ipsec,debug retransmit
Nov/25/2016 14:08:54 ipsec,debug unknown socket
Nov/25/2016 14:08:59 ipsec,debug retransmit
Nov/25/2016 14:08:59 ipsec,debug unknown socket
Nov/25/2016 14:09:04 ipsec,debug retransmit
Nov/25/2016 14:09:04 ipsec,info killing connection: 10.1.0.1[4500]<->10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug ike2 initialize send for: 10.0.0.1
Nov/25/2016 14:09:09 ipsec,debug adding payload: NONCE
Nov/25/2016 14:09:09 ipsec,debug => (size 0x1c)
Nov/25/2016 14:09:09 ipsec,debug 0000001c e9fcdb31 8ef511b8 4e5cf796 a155c900 8f4bbc9d 0e584fde
Nov/25/2016 14:09:09 ipsec,debug adding payload: KE
Nov/25/2016 14:09:09 ipsec,debug => (size 0x88)
Nov/25/2016 14:09:09 ipsec,debug 00000088 00020000 3535e12f bb56e239 39d369f0 e6766003 afdfa3f2 c71523d1
Nov/25/2016 14:09:09 ipsec,debug 919bf021 02226348 c18f9279 ef1d1c31 0a94b87a 9ad02c67 2034e9c8 8c9605e6
Nov/25/2016 14:09:09 ipsec,debug 14af48f7 e215c8fd 2626d63e 32a5f288 8cc3897d 6cdf73e2 6bb9bed6 b5e161a7
Nov/25/2016 14:09:09 ipsec,debug 2d7d5d15 d5d48abd 946cf3bd 2b5ee323 ca76cc4c 9c8fb360 f3d226ad 2d68cee9
Nov/25/2016 14:09:09 ipsec,debug f9852e1a e044d755
Nov/25/2016 14:09:09 ipsec,debug adding payload: SA
Nov/25/2016 14:09:09 ipsec,debug => (size 0x44)
Nov/25/2016 14:09:09 ipsec,debug 00000044 00000040 01010006 0300000c 0100000c 800e0100 0300000c 0100000c
Nov/25/2016 14:09:09 ipsec,debug 800e0080 03000008 01000003 03000008 02000005 03000008 03000003 00000008
Nov/25/2016 14:09:09 ipsec,debug 04000002
Nov/25/2016 14:09:09 ipsec,debug ==========
Nov/25/2016 14:09:09 ipsec,debug sending 260 bytes from 10.1.0.1[500] to 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet sockname 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet send packet from 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet send packet to 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet src4 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet dst4 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet 1 times of 260 bytes message will be sent to 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug ==========
Nov/25/2016 14:09:09 ipsec,debug 240 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug ike2 answer exchange: SA_INIT id: 0
Nov/25/2016 14:09:09 ipsec,debug ike2 initialize recv
Nov/25/2016 14:09:09 ipsec,debug payload seen: SA
Nov/25/2016 14:09:09 ipsec,debug payload seen: KE
Nov/25/2016 14:09:09 ipsec,debug payload seen: NONCE
Nov/25/2016 14:09:09 ipsec,debug processing payload: NONCE
Nov/25/2016 14:09:09 ipsec,debug processing payload: SA
Nov/25/2016 14:09:09 ipsec,debug IKE Protocol: IKE
Nov/25/2016 14:09:09 ipsec,debug  proposal #1
Nov/25/2016 14:09:09 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:09:09 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:09:09 ipsec,debug   auth: sha256
Nov/25/2016 14:09:09 ipsec,debug   dh: modp1024
Nov/25/2016 14:09:09 ipsec,debug matched proposal:
Nov/25/2016 14:09:09 ipsec,debug  proposal #1
Nov/25/2016 14:09:09 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:09:09 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:09:09 ipsec,debug   auth: sha256
Nov/25/2016 14:09:09 ipsec,debug   dh: modp1024
Nov/25/2016 14:09:09 ipsec,debug processing payload: KE
Nov/25/2016 14:09:09 ipsec,debug => shared secret (size 0x80)
Nov/25/2016 14:09:09 ipsec,debug 9afb5527 4cafbb2e d54bceb4 8f6c0456 2622a823 febd9a56 27d12929 e0b10668
Nov/25/2016 14:09:09 ipsec,debug d0b9e0fa 149f33c6 9e27a0c0 27370b9f 5628f91c 485c6969 039a3dfd 210e72f2
Nov/25/2016 14:09:09 ipsec,debug 156393e0 da565391 bf7a93ea 17eed1a3 e0cb643c f57638a8 b6034a6c 726c60a3
Nov/25/2016 14:09:09 ipsec,debug 97cb47d5 2376dfbc e6b11b4e 9b42ca8b 2e7b1b3c 11f44b05 79d2e373 ef1e10c9
Nov/25/2016 14:09:09 ipsec,debug => skeyseed (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 6fa0aa32 750b1ef1 8eb224c6 dd61cf88 6d387e37 3156c620 0a747f71 87ff6603
Nov/25/2016 14:09:09 ipsec,debug => keymat (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug d7d2ed58 f4df921d 752a7a7a 843c19ee c3f739bd 13f4b887 d4efc8fd 2be5fb07
Nov/25/2016 14:09:09 ipsec,debug => SK_ai (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug b14d5740 de4f8e9d 3ca9e169 e11f01a7 6ed882a3 58c2aede 50edf2de 3d9cefcf
Nov/25/2016 14:09:09 ipsec,debug => SK_ar (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 089c8f67 f8f6355a 82e3307b c0f71b52 c5af09fd 4ec0f978 4cfd8b83 aed91574
Nov/25/2016 14:09:09 ipsec,debug => SK_ei (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 5830aa26 cd8feaec c13e1e82 db08986e c74f66fa d9028500 9e6b7e09 96913fa7
Nov/25/2016 14:09:09 ipsec,debug => SK_er (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 908529fd 65bd352b 27077fba 1ff189a5 420f46cf 22e65764 ab1454ec c39c215d
Nov/25/2016 14:09:09 ipsec,debug => SK_pi (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 4a8407ff f9d596ae d280d852 f640c3fe e5dd4dda 09113595 fe702fa7 b98f1b4f
Nov/25/2016 14:09:09 ipsec,debug => SK_pr (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 108fd66f cce6c2f8 f1219c9a c1da7f0e 3fe9cba0 b8002026 42cbdd90 41ab0b61
Nov/25/2016 14:09:09 ipsec,debug processing payloads: NOTIFY
Nov/25/2016 14:09:09 ipsec,debug none payloads found!
Nov/25/2016 14:09:09 ipsec,debug new ph1 initiator connection established
Nov/25/2016 14:09:09 ipsec,info new ike2 initiator connection: 10.1.0.1[4500]<->10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug init child for policy: 192.168.170.0/24/24:0 <=> 192.168.160.0/24/24:0 ipproto:255
Nov/25/2016 14:09:09 ipsec,debug GETSPI sent: 10.0.0.1->10.1.0.1
Nov/25/2016 14:09:09 ipsec,debug ikev2 got spi 0x1bdbd32
Nov/25/2016 14:09:09 ipsec,debug init child continue
Nov/25/2016 14:09:09 ipsec,debug offering proto: 3
Nov/25/2016 14:09:09 ipsec,debug  proposal #1
Nov/25/2016 14:09:09 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:09:09 ipsec,debug   enc: aes128-cbc
Nov/25/2016 14:09:09 ipsec,debug   enc: 3des-cbc
Nov/25/2016 14:09:09 ipsec,debug   auth: sha512
Nov/25/2016 14:09:09 ipsec,debug   auth: sha256
Nov/25/2016 14:09:09 ipsec,debug   auth: sha1
Nov/25/2016 14:09:09 ipsec,debug   auth: md5
Nov/25/2016 14:09:09 ipsec,debug   esn: off
Nov/25/2016 14:09:09 ipsec,debug initiator selector: 192.168.170.0/24/24 ipproto:0
Nov/25/2016 14:09:09 ipsec,debug => selector created (size 0x18)
Nov/25/2016 14:09:09 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8aa00 c0a8aaff
Nov/25/2016 14:09:09 ipsec,debug responder selector: 192.168.160.0/24/24 ipproto:0
Nov/25/2016 14:09:09 ipsec,debug => selector created (size 0x18)
Nov/25/2016 14:09:09 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8a000 c0a8a0ff
Nov/25/2016 14:09:09 ipsec,debug my ID (ADDR): 10.1.0.1
Nov/25/2016 14:09:09 ipsec,debug processing payload: NONCE
Nov/25/2016 14:09:09 ipsec,debug => auth nonce (size 0x18)
Nov/25/2016 14:09:09 ipsec,debug 649ccbf5 fc6dedcb ab685964 6981c266 640942fa 1e48d13a
Nov/25/2016 14:09:09 ipsec,debug => SK_p (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 4a8407ff f9d596ae d280d852 f640c3fe e5dd4dda 09113595 fe702fa7 b98f1b4f
Nov/25/2016 14:09:09 ipsec,debug => idhash (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug cbb46cdb 333a3830 8a1918a0 eebe09c0 51d9a97c 84486288 85088b75 5284b9c3
Nov/25/2016 14:09:09 ipsec,debug => my auth (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug d8ba1466 584647a5 e4167ec2 8015b2e7 5a3ee807 2121d4d7 e1deb6f7 83676146
Nov/25/2016 14:09:09 ipsec,debug adding payload: ID_I
Nov/25/2016 14:09:09 ipsec,debug => (size 0xc)
Nov/25/2016 14:09:09 ipsec,debug 0000000c 01000000 0a010001
Nov/25/2016 14:09:09 ipsec,debug adding payload: AUTH
Nov/25/2016 14:09:09 ipsec,debug => (size 0x28)
Nov/25/2016 14:09:09 ipsec,debug 00000028 02000000 d8ba1466 584647a5 e4167ec2 8015b2e7 5a3ee807 2121d4d7
Nov/25/2016 14:09:09 ipsec,debug e1deb6f7 83676146
Nov/25/2016 14:09:09 ipsec,debug adding payload: SA
Nov/25/2016 14:09:09 ipsec,debug => (size 0x58)
Nov/25/2016 14:09:09 ipsec,debug 00000058 00000054 01030408 01bdbd32 0300000c 0100000c 800e0100 0300000c
Nov/25/2016 14:09:09 ipsec,debug 0100000c 800e0080 03000008 01000003 03000008 03000004 03000008 03000003
Nov/25/2016 14:09:09 ipsec,debug 03000008 03000002 03000008 03000001 00000008 05000000
Nov/25/2016 14:09:09 ipsec,debug adding payload: TS_I
Nov/25/2016 14:09:09 ipsec,debug => (size 0x18)
Nov/25/2016 14:09:09 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8aa00 c0a8aaff
Nov/25/2016 14:09:09 ipsec,debug adding payload: TS_R
Nov/25/2016 14:09:09 ipsec,debug => (size 0x18)
Nov/25/2016 14:09:09 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8a000 c0a8a0ff
Nov/25/2016 14:09:09 ipsec,debug,packet => outgoing plain packet (size 0x200)
Nov/25/2016 14:09:09 ipsec,debug adding payload: ENC
Nov/25/2016 14:09:09 ipsec,debug => (first 0x100 of 0x134)
Nov/25/2016 14:09:09 ipsec,debug unknown socket
Nov/25/2016 14:09:14 ipsec,debug retransmit
Nov/25/2016 14:09:14 ipsec,debug unknown socket
Nov/25/2016 14:09:19 ipsec,debug retransmit
Nov/25/2016 14:09:19 ipsec,debug unknown socket
Nov/25/2016 14:09:24 ipsec,debug retransmit
Nov/25/2016 14:09:24 ipsec,debug unknown socket
Nov/25/2016 14:09:26 ipsec,info killing connection: 10.1.0.1[4500]<->10.0.0.1[500]
IPsec export:
# nov/25/2016 14:23:12 by RouterOS 6.38rc37
# software id = 
#
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des name=VPN pfs-group=none
/ip ipsec peer
add address=10.0.0.1/32 disabled=yes dpd-interval=disable-dpd enc-algorithm=aes-256,aes-128,3des exchange-mode=ike2 hash-algorithm=
    nat-traversal=no secret=TEST
/ip ipsec policy
add dst-address=192.168.160.0/24 proposal=VPN sa-dst-address=10.0.0.1 sa-src-address=10.1.0.1 src-address=192.168.170.0/24 tunnel=y
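
The failure pattern in the log above (SA_INIT answered on port 500, connection recorded on local port 4500, then "unknown socket" and retransmits until the connection is killed) can be picked out of a long debug log automatically. The following Python is an added example, not part of the original post or of RouterOS; the `Attempt` class, `parse_attempts` and the finding labels are hypothetical names, the sample log is constructed from the line shapes in the post, and the code only counts "unknown socket" lines without assuming what they mean internally.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: line shapes follow the log in the post, hex dumps left out.
SAMPLE_LOG = """\
Nov/25/2016 14:08:39 ipsec,debug ike2 initialize send for: 10.0.0.1
Nov/25/2016 14:08:39 ipsec,debug sending 268 bytes from 10.1.0.1[500] to 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug 248 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug ike2 answer exchange: SA_INIT id: 0
Nov/25/2016 14:08:39 ipsec,info new ike2 initiator connection: 10.1.0.1[4500]<->10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug adding payload: ENC
Nov/25/2016 14:08:39 ipsec,debug unknown socket
Nov/25/2016 14:08:44 ipsec,debug retransmit
Nov/25/2016 14:08:44 ipsec,debug unknown socket
Nov/25/2016 14:08:49 ipsec,debug retransmit
Nov/25/2016 14:08:49 ipsec,debug unknown socket
Nov/25/2016 14:09:04 ipsec,info killing connection: 10.1.0.1[4500]<->10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug ike2 initialize send for: 10.0.0.1
Nov/25/2016 14:09:09 ipsec,debug sending 260 bytes from 10.1.0.1[500] to 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,info new ike2 initiator connection: 10.1.0.1[4500]<->10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug unknown socket
Nov/25/2016 14:09:14 ipsec,debug retransmit
Nov/25/2016 14:09:26 ipsec,info killing connection: 10.1.0.1[4500]<->10.0.0.1[500]
"""

LINE = re.compile(r"^(\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ([\w,]+) (.*)$")
START = re.compile(r"ike2 initialize send for: (\S+)")
SENT = re.compile(r"sending \d+ bytes from \S+\[(\d+)\] to \S+\[(\d+)\]")
CONN = re.compile(r"(new ike2 initiator|killing) connection: \S+\[(\d+)\]<->\S+\[(\d+)\]")


@dataclass
class Attempt:
    """One IKEv2 initiator attempt, from 'initialize send' to 'killing connection'."""
    peer: str
    started: datetime
    init_ports: tuple = None      # (local, remote) UDP ports of the SA_INIT request
    conn_ports: tuple = None      # (local, remote) ports in the "new ... connection" line
    replies_after_init: int = 0   # messages received after the connection line
    unknown_socket: int = 0
    retransmits: int = 0
    killed_after: float = None    # seconds from start to "killing connection"

    def findings(self):
        out = []
        if self.init_ports and self.conn_ports and self.init_ports[0] != self.conn_ports[0]:
            out.append("local-port-changed %d->%d" % (self.init_ports[0], self.conn_ports[0]))
        if self.conn_ports and self.killed_after is not None and not self.replies_after_init:
            out.append("no-reply-after-sa-init")
        if self.unknown_socket:
            out.append("unknown-socket x%d" % self.unknown_socket)
        return out


def parse_attempts(text):
    """Group ipsec log lines into attempts; non-log lines (exports, prose) are skipped."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b/%d/%Y %H:%M:%S")
        topics, msg = m.group(2).split(","), m.group(3).strip()
        if "ipsec" not in topics:
            continue
        if (s := START.search(msg)):
            cur = Attempt(peer=s.group(1), started=ts)
            attempts.append(cur)
        elif cur is None:
            continue                      # log begins mid-attempt; wait for the next start
        elif (s := SENT.search(msg)) and cur.init_ports is None:
            cur.init_ports = (int(s.group(1)), int(s.group(2)))
        elif (s := CONN.search(msg)):
            if s.group(1) == "killing":
                cur.killed_after = (ts - cur.started).total_seconds()
            else:
                cur.conn_ports = (int(s.group(2)), int(s.group(3)))
        elif "message received from" in msg and cur.conn_ports:
            cur.replies_after_init += 1
        elif msg == "unknown socket":
            cur.unknown_socket += 1
        elif msg == "retransmit":
            cur.retransmits += 1
    return attempts


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a.peer, a.started.time(), "retransmits=%d" % a.retransmits,
              "killed_after=%ss" % a.killed_after, a.findings())
```
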
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 7:37 pm

For folks having trouble with IPsec in latest RCs, change your peer generate policy from port-strict to port-override. Support says they are working on a fix for this, but that was enough to get it working for me.
 
huntermic
Member Candidate
Posts: 111
Joined: Wed Oct 26, 2016 3:42 pm

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 7:47 pm

For folks having trouble with IPsec in latest RCs, change your peer generate policy from port-strict to port-override. Support says they are working on a fix for this, but that was enough to get it working for me.

Thanks, this works for me!
 
barracuda
newbie
Posts: 38
Joined: Thu Jul 09, 2015 12:41 am

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 8:24 pm

I have a problem with the latest 6.38rc build when I try to update a Mikrotik hAP lite (RB941-2nD). When the upgrade is finished and the router reboots, I can't connect to the router anymore.
No wireless signal and no neighbors MAC address. The only way is netinstall. Does anyone have the same problem? I have never had this problem before.
Today I upgraded to version 6.38rc37 and the problem is gone. :)

Thank you for fixing the bootup bug!
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Sat Nov 26, 2016 5:13 pm

hEX RB750Gr3 got in a bootloop after upgrade from 6.37.2 to 6.38rc37 via system package update install. Netinstall to 6.38rc37 fixed it.
 
colanderman
newbie
Posts: 44
Joined: Wed Oct 28, 2015 5:21 am

Re: v6.38rc [release candidate] is released

Sun Nov 27, 2016 8:09 am

At the risk of straying off-topic…
We are having a lot of problems here with Mikrotik Queues X Windows 10 Updates. When a customer has one PC downloading Windows 10 updates, his queue is 100% used; most of the time it is impossible to do anything else, even open a web page.
I have fought this problem in my home network for a long time. This is Windows's fault; it opens hundreds of TCP connections to flout TCP link sharing. I solved it with the following:
add action=reject chain=forward comment="limit MS BITS" connection-bytes=0-1500 connection-limit=8,0 content=\
    "User-Agent: Microsoft BITS" dst-port=80 out-interface=ether1-gateway protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment="limit Windows Update" connection-bytes=0-1500 connection-limit=8,0 content=\
    "User-Agent: Microsoft-Delivery-Optimization" dst-port=80 out-interface=ether1-gateway protocol=tcp reject-with=\
    tcp-reset
 
colanderman
newbie
Posts: 44
Joined: Wed Oct 28, 2015 5:21 am

Re: v6.38rc [release candidate] is released

Sun Nov 27, 2016 8:27 am

*) bridge - fixed filter Ingress Priority option (broken in v6.38rc16);
I haven't been able to get bridge filtering on Ingress Priority to work since at least 6.25 (e.g. while ingress-priority=!0 matches packets in IP firewall, it matches nothing in bridge firewall; and new-priority=from-ingress does nothing; see ticket #2016042566000016). Is this fix for a different problem than what I've described?
 
Borizo
newbie
Posts: 40
Joined: Thu Oct 28, 2010 4:38 pm

Re: v6.38rc [release candidate] is released

Wed Nov 30, 2016 1:39 am

Cannot enter into settings of Virtual wireless adapter through WinBox: WinBox silently closes.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Wed Nov 30, 2016 1:52 am

Huh... Needed to shape one link and noticed that I cannot set max-limit more than 4,295G:
[admin@TestPlace] > /queue simple add max-limit=?

MaxLimit ::= UploadMaxLimit/DownloadMaxLimit
  UploadMaxLimit,DownloadMaxLimit ::= 0..4294967295    (integer number)


[admin@TestPlace] > /queue simple add max-limit=4295M/0
value of upload-max-limit out of range (0..4294967295)
[admin@TestPlace] > /queue simple add max-limit=4294M/0
[admin@TestPlace] > 
Please fix this limitation of limit :)
 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: v6.38rc [release candidate] is released

Wed Nov 30, 2016 6:55 am

Huh... Needed to shape one link and noticed that I cannot set max-limit more than 4,295G:
[admin@TestPlace] > /queue simple add max-limit=?

MaxLimit ::= UploadMaxLimit/DownloadMaxLimit
  UploadMaxLimit,DownloadMaxLimit ::= 0..4294967295    (integer number)


[admin@TestPlace] > /queue simple add max-limit=4295M/0
value of upload-max-limit out of range (0..4294967295)
[admin@TestPlace] > /queue simple add max-limit=4294M/0
[admin@TestPlace] > 
Please fix this limitation of limit :)

Has long since been an issue. I reported it a few years ago already I think :) There's quite a few places where 32 bit counters are still very much active and enforced :(
 
toto99303
just joined
Posts: 16
Joined: Thu Sep 17, 2015 11:26 pm

Re: v6.38rc [release candidate] is released

Wed Nov 30, 2016 2:52 pm

v6.38rc37 and I'm still having trouble with L2TP/IPSec VPN. Policy is "port override" and I'm getting "...failed to pre-process ph2 packet." Anyone with the same issue?
 
ThomasLevering
just joined
Posts: 8
Joined: Mon Nov 14, 2016 8:38 am
Location: Germany

Re: v6.38rc [release candidate] is released

Wed Nov 30, 2016 3:41 pm

v6.38rc37 RB750Gr3
L2TP/IPSec is working with port override (I need to open the Port 1701 in Firewall) (Windows, iPhone)
IPSec from iPhone is not working, previous Version OK
IKEv2 wait for Stable Version...
One CPU Core is 100%
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Dec 01, 2016 10:36 am

Version 6.38rc38 has been released.
Changes since previous rc:
!) tr069-client - initial implementation (as separate package);
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) fastpath - fixed x86 bridge fast-path status shown as active even if it is manually disabled;
*) firewall - added sctp/dccp/udp-lite support for "src-port", "dst-port", "port" and "to-ports" firewall options;
*) lcd - improved performance, causes less cpu load;
*) rb3011 - fixed lcd and health (broken in v6.38rc35);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
hubber
just joined
Posts: 7
Joined: Wed Nov 11, 2015 12:26 am

Re: v6.38rc [release candidate] is released

Thu Dec 01, 2016 1:27 pm

Hello.
I have not worked on version 6.38.24 and 6.38.38

what am I doing wrong?

/interface bridge
add arp=proxy-arp name=bridge1
/ip ipsec policy group
add name=group1
/ip pool
add name=l2tpUSERS ranges=192.168.100.129-192.168.100.140
/ppp profile
add bridge=bridge1 change-tcp-mss=yes local-address=192.168.100.3 name=outsideEncryption only-one=yes remote-address=l2tpUSERS use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether2
/interface l2tp-server server
set authentication=mschap2 default-profile=outsideEncryption enabled=yes ipsec-secret=***** use-ipsec=yes
/ip firewall filter
add action=accept chain=input comment=estebl connection-state=established,related in-interface=ether1
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=********
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Thu Dec 01, 2016 9:42 pm

Version 6.38rc38 has been released.
Changes since previous rc:
!) tr069-client - initial implementation (as separate package);
Great, is there any info as to what has changed in the tr-069 client in this new RC? Is it just bug fixes, or are there new features? It would be nice to get a little bit more info in the changelog between rc's in regards to what changes were made.
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Thu Dec 01, 2016 9:48 pm

Hello.
I have not worked on version 6.38.24 and 6.38.38

what am I doing wrong?

/interface bridge
add arp=proxy-arp name=bridge1
/ip ipsec policy group
add name=group1
/ip pool
add name=l2tpUSERS ranges=192.168.100.129-192.168.100.140
/ppp profile
add bridge=bridge1 change-tcp-mss=yes local-address=192.168.100.3 name=outsideEncryption only-one=yes remote-address=l2tpUSERS use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether2
/interface l2tp-server server
set authentication=mschap2 default-profile=outsideEncryption enabled=yes ipsec-secret=***** use-ipsec=yes
/ip firewall filter
add action=accept chain=input comment=estebl connection-state=established,related in-interface=ether1
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=********
Currently, this won't work. You will need to do this:
/interface l2tp-server server set use-ipsec=no

Otherwise, your connection won't use your custom /ip ipsec peer entry with port-override, rather it will use a dynamic entry that uses port-strict. I believe Mikrotik is working to fix this per my ticket with them.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Fri Dec 02, 2016 12:07 pm

Version 6.38rc40 has been released!
Changes since previous version:
*) certificate - remove invalid CRLs after upgrade; (broken since v6.38rc32);
*) export - updated default values to clean up export compact;
*) firewall - fixed "time" option by recognizing weekday properly (broken in 6.37.2);
*) firewall - fixed dynamic raw rule behaviour;
*) ike1 - fixed natted transport mode port-strict policy generation;
*) ipsec - fixed camellia crypto algorithm module loading;
*) ipsec - load ipv6 related modules only when ipv6 package is enabled;
*) ipsec - various additional work in IKEv2 support;
*) lte - added support for novatel USB620L;
*) queue - fixed "time" option by recognizing weekday properly (broken in 6.37.2);
*) rb750Gr3 - fixed ipsec with 3des+md5 to work on this board;

 
arnis128
just joined
Posts: 5
Joined: Mon Aug 29, 2016 1:03 pm
Location: Riga, Latvia

Fri Dec 02, 2016 2:27 pm

Hello!
I think something is broken with the LTE connection to the LMT mobile network after upgrade from 6.37.3 to 6.38.rc40. The last version where it worked fine was 6.38.rc24 (or 25), if I remember correctly.
Routerboard - 922UAGS-5HPacD
modem - HUAWEI Mobile, vendor = 0x12d1, device = 0x1573
Symptoms - router gets its ip address from mobile operator, as usual, but no traffic flows to any reachable public host. After downgrade back to 6.37.3 everything works well.

Support files will be sent.
Thanks, Arnis.
 
irghost
Member
Posts: 302
Joined: Sun Feb 21, 2016 1:49 pm

Fri Dec 02, 2016 3:48 pm

 system,error,critical failed to enable panics driver
X86 vmware
 
jondavy
Member Candidate
Posts: 143
Joined: Tue May 12, 2009 11:14 pm
Location: Brasil

Sat Dec 03, 2016 4:33 am

How can I see how many sectors on the nand have already been written and if there are bad blocks on the Cloud Core Router?
 
nicecloud
just joined
Posts: 6
Joined: Tue Nov 15, 2016 3:34 pm

Sat Dec 03, 2016 10:52 am

Version 6.38rc40 has been released!
Changes since previous version:
*) certificate - remove invalid CRLs after upgrade; (broken since v6.38rc32);
*) export - updated default values to clean up export compact;
*) firewall - fixed "time" option by recognizing weekday properly (broken in 6.37.2);
*) firewall - fixed dynamic raw rule behaviour;
*) ike1 - fixed natted transport mode port-strict policy generation;
*) ipsec - fixed camellia crypto algorithm module loading;
*) ipsec - load ipv6 related modules only when ipv6 package is enabled;
*) ipsec - various additional work in IKEv2 support;
*) lte - added support for novatel USB620L;
*) queue - fixed "time" option by recognizing weekday properly (broken in 6.37.2);
*) rb750Gr3 - fixed ipsec with 3des+md5 to work on this board;

It doesn't work against Azure since version rc29 on my RB751G-2HnD
 
maxkrok
Frequent Visitor
Posts: 57
Joined: Tue Aug 28, 2012 9:09 pm

Sat Dec 03, 2016 12:45 pm

Dude 6.38rc40 again adding custom files on 750gr3 MMIPS is not possible AT ALL.... Please repair...
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Sun Dec 04, 2016 3:45 pm

I have added routes for all ipsec tunnels to a bogus interface for local outgoing data to ipsec, especially for netwatch to work.

6.38rc40 seems to require explicit /ip route pref-src address to be set to correctly ping these ipsec tunnelled hosts.

Config:
/ip address
add address=192.168.88.1/24 interface=ether2-lan network=192.168.88.0
/tool netwatch
add host=10.0.0.254 interval=30s
This worked correctly before rc40:
/ip route
add comment=netwatch distance=50 dst-address=10.0.0.0/24 gateway=ether2-lan
In rc40 I need to add pref-src:
/ip route
add comment=netwatch distance=50 dst-address=10.0.0.0/24 gateway=ether2-lan \
    pref-src=192.168.88.1
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Sun Dec 04, 2016 5:47 pm

6.38rc40 seems to require explicit /ip route pref-src address to be set to correctly ping these ipsec tunnelled hosts.
I think a better solution would be to explicitly specify a correct local-address in your IPsec peer configuration instead of (or in addition to) specifying pref-src in the route.

PS. If you read through this whole thread you will see that this behavior is constantly changing from one rc to another.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Sun Dec 04, 2016 5:55 pm

I have set specific local-address in /ip ipsec peer and specific sa-src-address in /ip ipsec policy.

This routing issue is a new issue (for me) in rc40.

(Not really an issue but more of an observation)
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Mon Dec 05, 2016 3:28 pm

Version 6.38rc41 has been released.
Changes since previous version:
*) bridge - ignore dynamic switch ports when selecting bridge MAC address (introduced in v6.38rc7);
*) dns - added max-concurrent-queries and max-concurrent-tcp-sessions settings (CLI only);
*) firewall - fixed rule activation if "time" option is used and no other active rules are present;
*) ipsec - various additional work in IKEv2 support;
*) ppp - fixed packet size calculation when MRRU is set (was 2 bytes bigger than MTU allows);
*) ppp - significantly improved tunnel termination process on servers with many active tunnels;
*) ssh - added routing-table setting (CLI only);
*) x86 - fixed "system,error,critical failed to enable panics driver" (introduced in v6.38rc30);

 
nz_monkey
Forum Guru
Posts: 2096
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Mon Dec 05, 2016 8:11 pm

*) ssh - added routing-table setting (CLI only);

Thanks for adding this!
 
maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Mon Dec 05, 2016 10:37 pm

*) ipsec - various additional work in IKEv2 support;
I will admit that I've not kept up with how quickly the IKEv2 support has moved in these RCs. Well done to MikroTik's developers for doing this so fast!

My question is whether or not it is possible to create an IKEv2 configuration on RouterOS which will support iOS road-warriors using username/password authentication. I'm guessing that is EAP and XAuth (with RADIUS), but haven't found the correct incantation of commands to get it to work. I'm left staring at ipsec debugging logs which say "EAP neeeds certificate if EAP-only is not used" and "reply notify: AUTHENTICATION_FAILED" (no RADIUS packet is emitted?). I'm also puzzled by what auth settings iOS is using in some of its proposals that the debug logs show "auth: unknown".

Any clues would be gratefully received — we've got several end users who would love to test this :-)
 
NBspeedworks
just joined
Posts: 1
Joined: Tue Dec 06, 2016 2:37 am

Tue Dec 06, 2016 2:40 am

Dude client error

Error 10061 Connect failed because the target machine actively refused it.


Restarted router
Reinstalled the Dude on a Win 10 machine

Any other ideas?
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Tue Dec 06, 2016 9:18 am

Version 6.38rc43 has been released.
Changes since previous version:
*) dhcp - fixed issue when dhcp-client was still possible on interfaces with "slave" flag and using slave interface MAC address;
*) firewall - significantly improved large firewall rule set import performance;
*) time - updated time zones;

 
hubber
just joined
Posts: 7
Joined: Wed Nov 11, 2015 12:26 am

Tue Dec 06, 2016 2:09 pm

Hello.
I have not worked on version 6.38.24 and 6.38.38

what am I doing wrong?

/interface bridge
add arp=proxy-arp name=bridge1
/ip ipsec policy group
add name=group1
/ip pool
add name=l2tpUSERS ranges=192.168.100.129-192.168.100.140
/ppp profile
add bridge=bridge1 change-tcp-mss=yes local-address=192.168.100.3 name=outsideEncryption only-one=yes remote-address=l2tpUSERS use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether2
/interface l2tp-server server
set authentication=mschap2 default-profile=outsideEncryption enabled=yes ipsec-secret=***** use-ipsec=yes
/ip firewall filter
add action=accept chain=input comment=estebl connection-state=established,related in-interface=ether1
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=********
Currently, this won't work. You will need to do this:
/interface l2tp-server server set use-ipsec=no

Otherwise, your connection won't use your custom /ip ipsec peer entry with port-override, rather it will use a dynamic entry that uses port-strict. I believe Mikrotik is working to fix this per my ticket with them.
/interface l2tp-server server set use-ipsec=no
I did this.
But a second client behind the same NAT doesn't connect.
error 638

in log -
ipsec-sa established: ESP/transport *.*.*.*[4500]->*.*.*.*[4500] spi=0x91d071a2
purged ISAKMP-SA *.*.*.*<=>*.*.*.* spi=*******

Does this work for anyone?
On which rc version?
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Tue Dec 06, 2016 3:07 pm

L2TP/ipsec is not going to work behind the same NAT, but Ikev2 and ikev1 in tunnel mode will.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Wed Dec 07, 2016 11:45 am

Version 6.38rc44 has been released.
Changes since previous version:
*) crs - added comment ability in more switch menus;
*) dns - added "max-concurrent-queries" and "max-concurrent-tcp-sessions" settings;
*) ipsec - split "mode-config" "send-dns" argument;
*) ipsec - various additional work in IKEv1/IKEv2 support;
*) routerboot - show log message if router CPU/RAM is overclocked;
*) tr069-client - various additional work;
*) traceroute - fixed memory leak;
*) users - added minimal required permission set for full user group;
*) webfig - fixed preview of values bigger than 2 billion and lower than 4 billion (introduced in v6.38rc);
*) webfig - show ipv6 addresses correctly;
*) winbox - added "Complete" flag to arp table;
*) winbox - added "untracked" option to firewall "connection-state" setting;
*) winbox - added Dude icon to Dude menu;
*) winbox - allow to enable/disable traffic flow targets;
*) winbox - fixed default values for interface "loop-protect-disable-time" & "loop-protect-send-interval";
*) winbox - fixed missing "ipv6/settings" menu;
*) winbox - fixed typo in "propagate-ttl" setting;
*) winbox - make cert signing include provided ca-crl-host;
*) winbox - show proper ipv6 connection timeout;

 
drees
just joined
Posts: 22
Joined: Tue Sep 20, 2016 9:39 pm

Wed Dec 07, 2016 12:21 pm

*) routerboot - show log message if router CPU/RAM is overclocked;
I just updated to rc44 and the first message after router rebooted is "memory overclocked". This is on a 951G-2HnD.
[admin@MikroTik-router] > /system routerboard settings print
                   ;;; Warning: memory overclocked
           init-delay: 0s
          boot-device: nand-if-fail-then-ethernet
        cpu-frequency: 600MHz
        boot-protocol: bootp
  force-backup-booter: no
          silent-boot: no
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Wed Dec 07, 2016 2:41 pm

Just had an unexpected reboot on 6.38rc40. Timeline:

winbox with ip firewall rules and interfaces open but not active
30 seconds before crash: <sstp-user>: terminating... - terminated by remote peer
on crash (from another RB): ether2-lan link down
after crash: system,error,critical router was rebooted without proper shutdown

There is no auto supout, perhaps auto supout is stored in RAM and gone on reboot?
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Wed Dec 07, 2016 3:00 pm

drees - Do not worry if you have not overclocked it manually. We are still fixing these false messages.
nescafe2002 - Reboot without proper shutdown is not caused by software. It could be a power or hardware issue. In most cases kernel failure, out of memory or watchdog reboots are caused by software; power outage and reboot without proper shutdown are caused by hardware or wires, etc.
 
blingblouw
Member
Posts: 345
Joined: Wed Aug 25, 2010 9:43 am

Wed Dec 07, 2016 5:53 pm

Could you elaborate on the TR-069 additional work? Can we add/modify PPPoE now?
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Thu Dec 08, 2016 3:49 am

Could you elaborate on the TR-069 additional work? Can we add/modify PPPoE now?
I am wondering the same, has PPPoE support been added?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Thu Dec 08, 2016 11:24 am

Could you elaborate on the TR-069 additional work? Can we add/modify PPPoE now?
Hopefully, work on security.
As you can see in the security news, TR-069 has become a major nightmare.

Suggestions:
- use a low TTL on responses from the TR-069 software so attackers "on the wide internet" cannot reach the TR-069 service.
- have a list of allowed source addresses for TR-069 similar to SNMP.
- quality programming that rules out any buffer overflows from the start.
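
Until the package offers such options itself, the first two suggestions above can be approximated with firewall rules on the router. This is an added example, not part of pe1chl's post and not MikroTik's configuration; the ACS address 192.0.2.10, the list name tr069-acs, TCP port 7547 (the IANA-registered CWMP port) and the hop limit of 3 are assumptions to adapt.

```routeros
# Added example, not MikroTik's or the poster's configuration.
# Assumptions: 192.0.2.10 is a constructed ACS address; TCP 7547 is the
# IANA-registered CWMP port and may differ from the port your build uses;
# the ACS is assumed to sit no more than 3 hops from the router.

/ip firewall address-list
add list=tr069-acs address=192.0.2.10 comment="constructed ACS address"

/ip firewall filter
# Layer 1: source allow-list. Only the ACS may open a connection to the
# TR-069 service. Keep both rules above any broader accept in chain=input.
add chain=input protocol=tcp dst-port=7547 src-address-list=tr069-acs \
    action=accept comment="TR-069 connection requests from the ACS only"
# Everything else is dropped and logged, so probing of the port shows up
# in /log under the "tr069-drop" prefix.
add chain=input protocol=tcp dst-port=7547 action=drop log=yes \
    log-prefix="tr069-drop" comment="TR-069 from any other source"

/ip firewall mangle
# Layer 2: low TTL on replies. If the filter rules are ever removed or
# reordered by mistake, replies from the service still expire after 3 hops,
# so a TCP handshake cannot complete with a host further away.
add chain=output protocol=tcp src-port=7547 action=change-ttl \
    new-ttl=set:3 comment="TR-069 replies expire after 3 hops"
```

The two layers are independent: the filter rules decide who may connect, while the TTL rule limits how far any reply can travel even when the filter is misconfigured.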
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Thu Dec 08, 2016 1:56 pm

Version 6.38rc45 has been released.
Changes since previous version:
*) certificates - fixed pkcs12 export crash;
*) ipsec - fixed peer configuration my-id IPv4 address endianness;
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) winbox - added new ipsec feature (IKEv1/IKEv2/etc.) support (introduced in v6.38rc);
*) winbox - fixed crash when legacy Winbox version was used;
*) winbox - fixed icons in disabled state (introduced in v6.38rc44);

 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Thu Dec 08, 2016 2:34 pm

Version 6.38rc45 has been released.
Changes since previous version:
*) certificates - fixed pkcs12 export crash;
*) ipsec - fixed peer configuration my-id IPv4 address endianness;
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) winbox - added new ipsec feature (IKEv1/IKEv2/etc.) support (introduced in v6.38rc);
*) winbox - fixed crash when legacy Winbox version was used;
*) winbox - fixed icons in disabled state (introduced in v6.38rc44);

lol, very nice, the new tabs on peer and policy are now more clear
good work
 
rzirzi
Member
Posts: 393
Joined: Mon Oct 09, 2006 2:33 pm

Thu Dec 08, 2016 5:59 pm

MikroTik RouterOS version 6.38 will be THE BEST VERSION EVER!? :)
 
23q
Frequent Visitor
Posts: 57
Joined: Thu Sep 02, 2010 2:54 pm
Location: Ukraine

Thu Dec 08, 2016 9:39 pm

ImageImage
not timeout
 
Nissarin
just joined
Posts: 19
Joined: Fri Feb 20, 2015 4:01 pm

Thu Dec 08, 2016 10:15 pm

*) winbox - fixed icons in disabled state (introduced in v6.38rc44);
I see no change on my system (linux/wine), when I tried removing current winbox config/cache I noticed there were no files for rc45 and it seems winbox (re)creates "6.38rc44-763096560" instead.

On another note, I've been testing local-proxy-arp and it seems it still sends icmp redirects, it would be nice if it was disabled automatically on interface running it.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Thu Dec 08, 2016 11:51 pm

ImageImage
not timeout
timeout in Terminal is on the right on 'Creation time'. make the window wider or use 'print detail'
 
23q
Frequent Visitor
Posts: 57
Joined: Thu Sep 02, 2010 2:54 pm
Location: Ukraine

Fri Dec 09, 2016 12:06 pm

ImageImage
not timeout
timeout in Terminal is on the right on 'Creation time'. make the window wider or use 'print detail'
ip firewall address-list print file=22222
timeout miss
 
alfonzz
just joined
Posts: 16
Joined: Wed Oct 15, 2014 12:16 pm
Location: CZ

Fri Dec 09, 2016 12:27 pm

"winbox - fixed crash when legacy Winbox version was used"
Really? From dude rc45 "tool>winbox>loaded", but if I double-click on wlan then winbox crashes - no message, nothing
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Fri Dec 09, 2016 12:31 pm

alfonzz - Is 6.38rc45 installed on router to which you connect?
 
alfonzz
just joined
Posts: 16
Joined: Wed Oct 15, 2014 12:16 pm
Location: CZ

Fri Dec 09, 2016 12:59 pm

alfonzz - Is 6.38rc45 installed on router to which you connect?
No, there is 6.37.3, but until 6.37.2 it works... I know that I may downgrade...
 
ExibiTT
just joined
Posts: 1
Joined: Fri Dec 09, 2016 2:21 pm

Fri Dec 09, 2016 2:49 pm

Hi!
v6.38rc10, v6.38rc45:
In the DUDE when I create a new notification with the following parameters:
Type - execute on server
Command - /interface disable vlan5
press test - OK (vlan off on mikrotik).
But if command: /tool fetch url="https://api.telegram.org/bot30(...)4/se ... xt=Service [Probe.Name] on [Device.Name] is now [Service.Status]" keep-result=no
Nothing happens and no entry appears in the log.

!!!
the command should look like this:
:execute {/tool fetch url="https://api.telegram.org/bot30(...)4/sendMessage\?chat_id=-1(...)2&text=Service [Probe.Name] on [Device.Name] is now [Service.Status]" keep-result=no}
Last edited by ExibiTT on Mon Dec 12, 2016 11:12 am, edited 2 times in total.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Fri Dec 09, 2016 4:36 pm

6.38rc46 has been released.
Changes since previous version:
*) dhcp-server - fixed when wizard was unable to create pool >dhcp_pool99;
*) ipsec - allow empty policy SA dst-address in tunnel mode;
*) ipsec - always listen to port TCP/4500 (fixes some IKEv2 setups without NAT-T);
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) vrrp - do not show unrelated log warning messages about version mismatch;
*) webfig - added extra protection against XSS exploits;
*) webfig - show properly interface last-link-up/down times;

 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Fri Dec 09, 2016 5:03 pm

Any chance that support for WPA2-EAP with username/password/anonymous_id can be added in station(client) mode?
It has been requested in several threads on the forum, and I think it is on the "nice to have" list, but still not present.
It is working on the access point, with password validation via RADIUS, and Ubiquiti stations can connect to it,
but now that the MikroTik LHG5 is such an attractive option for users we really miss this capability in station mode.
(we need to give all the users the common WPA2-PSK key instead of having separate user/password per user)
 
w32pamela
Member Candidate
Posts: 212
Joined: Fri Jul 12, 2013 4:22 pm

Fri Dec 09, 2016 8:18 pm

v6.38rc46, Groove 52Hpn factory default configuration; Scan window in webfig page cannot be used to make connection to a WPA/WPA2 AP. "Default" security profile mode remains at "none" when wifi password entered and Connect button clicked.

I'm not sure when this began but it has been the case in the last few rc versions I've tried. Winbox works fine.
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Sat Dec 10, 2016 1:13 am

Would also like to have "anti-bruteforce" features in the Wireless package (e.g. inside WPA2/CCM) with blocking on L1/L2 levels, e.g. like PSD was made for generic traffic on L3.
And then in future, the same against bruteforcing of winbox, webfig, telnet and API interfaces.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Sat Dec 10, 2016 7:33 pm

ip firewall address-list print file=22222
timeout miss
confirming (seems like 'print file=' uses narrow terminal). that's why I asked you to do some other actions which definitely work (yes, I tested it first ;))
 
patrick7
Member
Posts: 341
Joined: Sat Jul 20, 2013 2:40 pm

Sun Dec 11, 2016 7:24 pm

Please also fix "use-dns=yes" in IPv6 traceroute. Overdue for a long time now (both reverse and forward)
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Mon Dec 12, 2016 12:10 pm

Version 6.38rc47 has been released.
Changes since previous version:
*) bridge - require admin-mac to be specified if auto-mac is disabled;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ipsec - ensure generated policy refers to valid proposal;
*) ipsec - always listen to port IPv6 UDP/4500;
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) metarouter - fixed startup process (introduced in 6.37.2);
*) profiler - make profiler work on mmips devices;
*) snmp - fixed rare crash when incorrectly formatted packet was received;

 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Mon Dec 12, 2016 12:23 pm

ip firewall address-list print file=22222
timeout miss
confirming (seems like 'print file=' uses narrow terminal). that's why I asked you to do some other actions which definitely work (yes, I tested it first ;))
print file=
will always be narrow. That is the limitation of the console in RouterOS. It is not going to change soon.

edit: even if you log into the console with wider login-parameters set - print to file will not get these values.
 
Drakh
just joined
Posts: 13
Joined: Wed Nov 30, 2016 9:24 pm

Tue Dec 13, 2016 2:58 am

About metarouter on MIPSBE:
When booting a child ROS or OpenWRT, the host networking process CPU usage goes high; for example, if I do a bandwidth test to the host router (let's say 10Mb both ways) with all child VMs off, CPU usage is around 0-2% (normal behaviour), whereas if I do the same bandwidth test with any VM booted (it doesn't matter if there is a virtual network attached to the VM) the networking process CPU usage goes to 50-60% and network connectivity becomes unstable.
There is a direct relation between running a child ROS or OpenWRT and huge network degradation on the host router when there is some network traffic. I tested on hEX lite and RB2011UiAS.
Let me know if that is expected and I should ditch metarouter altogether. I can understand some overhead if it were traffic to the child OS because of some translation, but traffic to the host shouldn't be affected.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Tue Dec 13, 2016 10:23 am

Version 6.38rc48 has been released.
Changes since previous version:
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) profile - added ability to monitor cpu usage per core;
*) profile - added "bfd" and "remote-access" processes;
*) profile - make profile work on mmips devices;
*) profile - properly classify "wireless" processes;
*) winbox - allow to specify interface for leds with "interface-speed" trigger;
*) winbox - do not allow to set "loop-protect-send-interval" to 0s;
*) winbox - do not show ph2-state on policy templates;
*) winbox - moved ipsec peer "exchange-mode" to General tab;
*) winbox - show all related HT tab settings in 2GHz-g/n mode;

 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Tue Dec 13, 2016 10:42 am

About metarouter on MIPSBE:
.
BTest causes very high load on the CPU if you are running it on the same router you are checking the load on. Also, CPU load is not working very precisely if you have a virtual guest.
 
MartijnVdS
Frequent Visitor
Posts: 93
Joined: Wed Aug 13, 2014 9:36 am

Tue Dec 13, 2016 11:51 am

Version 6.38rc38 has been released.
I assume this is a typo, and it's actually rc48? Or did the number go down?
 
HarBenly
newbie
Posts: 37
Joined: Wed Dec 07, 2016 1:04 pm
Location: London, United Kingdom

Tue Dec 13, 2016 12:24 pm

Woah! LLDP support added. Thanks!
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Tue Dec 13, 2016 12:38 pm

Although I do not see it mentioned in release notes, IPv6 configuration is finally working again in WebFig!!
Hooray!
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Tue Dec 13, 2016 12:52 pm

MartijnVdS - Yes, sorry about that. It was a typo;
pe1chl - Fixed in 6.38rc44 - http://forum.mikrotik.com/viewtopic.php ... 50#p571674
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Tue Dec 13, 2016 2:29 pm

pe1chl - Fixed in 6.38rc44
Ah I overlooked that and this time updated from rc41 to rc48 - releases are coming out quick these days :-)
Thanks!
 
Nissarin
just joined
Posts: 19
Joined: Fri Feb 20, 2015 4:01 pm

Re: v6.38rc [release candidate] is released

Tue Dec 13, 2016 6:31 pm

*) profile - added ability to monitor cpu usage per core;
IMHO it would be better to replace the current drop-down list with a standard filter; at least it would make much more sense on CCRs, where I would be able to tell how a specific task (like firewall) is spread among the cores.
 
expert
Frequent Visitor
Posts: 97
Joined: Sun Dec 04, 2016 1:22 pm

Re: v6.38rc [release candidate] is released

Wed Dec 14, 2016 3:06 pm

Does it solve the following Metarouter issue? http://forum.mikrotik.com/viewtopic.php?f=15&t=115422
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Wed Dec 14, 2016 5:13 pm

expert - Yes, it should.
 
didomir
just joined
Posts: 17
Joined: Tue Dec 22, 2015 9:45 pm

Re: v6.38rc [release candidate] is released

Wed Dec 14, 2016 6:01 pm

L2TP/ipsec is not going to work behind the same NAT, but Ikev2 and ikev1 in tunnel mode will.
Is that issue related to some underlying technology (kernel, IP stack)?
AFAIK, Cisco/Juniper/CP haven't got similar issues.

When is a fix planned?
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.38rc [release candidate] is released

Wed Dec 14, 2016 6:05 pm

Since every vendor is already switching to ikev2, there is no practical benefit to invest development time for old l2tp/ipsec setups.
 
parham
Frequent Visitor
Posts: 62
Joined: Sun Feb 15, 2015 11:35 pm

Re: v6.38rc [release candidate] is released

Wed Dec 14, 2016 7:43 pm

Image
Since every vendor is already switching to ikev2, there is no practical benefit to invest development time for old l2tp/ipsec setups.
I have just managed to establish 3x L2TP over IPsec behind an IP address to my VPN server router, thanks guys

request time out was because I disconnected the vpn.
 
parham
Frequent Visitor
Posts: 62
Joined: Sun Feb 15, 2015 11:35 pm

Re: v6.38rc [release candidate] is released

Wed Dec 14, 2016 7:51 pm

This is a SpeedTest.net run over 3x device over L2TP+IPSec

CPU was increased by 24%

Image
 
drees
just joined
Posts: 22
Joined: Tue Sep 20, 2016 9:39 pm

Re: v6.38rc [release candidate] is released

Thu Dec 15, 2016 10:04 am

I had my 951G-2HnD running v6.38rc44 with two 941-2nDs running in station bridge mode.

Under moderate wireless traffic, I would occasionally get brief WiFi disconnects - the bridges would report "no beacons received".

On the AP 951G-2HnD, it would report a management protection error, but after disabling management protection the connection would still briefly disconnect.

I flashed 6.37.3 to the AP and have had no disconnects in a few days now, when they were occurring at least daily.

Anyone else seeing this and/or have any suggestions?
Last edited by drees on Thu Dec 15, 2016 10:19 am, edited 1 time in total.
 
notToNew
Member Candidate
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: v6.38rc [release candidate] is released

Thu Dec 15, 2016 10:08 am

On the AP 951G-2HnD, it would report a management protection error, but after disabling management protection the connection would still brief disconnects.
I see the same on 6.36.4, so I wonder why 6.37.3 is working... didn't test this version.
So please report if you find a solution!
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Dec 15, 2016 10:54 am

Version 6.38rc49 has been released.
Changes since previous version:
*) bridge - show bridge port name in port monitor;
*) capsman - added "group-key-update" parameter;
*) capsman - use correct source address in reply to unicast discovery requests;
*) discovery - fixed crash on sending LLDP packet over IPv6 (introduced in 6.38rc3);
*) graphing - fixed queue graphs showing up in web interface if aggregate name size >57840 symbols;
*) ipsec - fixed IPv6 remote prefix;
*) ipsec - fixed larval SA state update;
*) ipsec - optimized logging under ipsec topic;
*) ipsec - show SA "enc-key-size";
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) trafficgen - fixed compact export when "header-stack" includes tcp;
*) wireless - fixed upgrade from older wireless packages when AP interface had empty SSID by changing it to router identity;
*) wireless - use vlan ID 0 in RADIUS message to disable vlan tagging;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
notToNew
Member Candidate
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: v6.38rc [release candidate] is released

Thu Dec 15, 2016 10:57 am

Version 6.38rc49 has been released.
*) wireless - fixed upgrade from older wireless packages when AP interface had empty SSID;
How? Is it now allowed again?
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Dec 15, 2016 2:05 pm

notToNew - We edited changelog entry. Now it is more precise.
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v6.38rc [release candidate] is released

Thu Dec 15, 2016 8:44 pm

Version 6.38rc49 has been released.
..
*) capsman - added "group-key-update" parameter;
...
finally! ..great news!
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: v6.38rc [release candidate] is released

Sat Dec 17, 2016 5:41 am

As for TR-069 - we've struggled for more than 3 years with some DOCSIS and EPON and VDSL vendors with hardwired TR-69/64, and it's a NIGHTMARE!!!
It's not only partially implemented, hardwired and extremely insecure (and to some extent cannot be shielded at all, because of the implementation and the failure in approach), but totally %@!@ to use. One of the vendors did show mild interest in improvements (but at say 12x-16x slower rates than NECESSARY even from a "purely security viewpoint"); the rest were simply not giving a !@$ about it, so we finally gave up and ditched it ~ALL.
A separate TR-69 package may be a viable palliative for those who cannot live w/o it, w/o compromising the rest of the customers a lot.
As for L2TP traversability: as generic NAT-T didn't take off (and carrier-grade NAT with hole punching lacks some things) and Port Control Protocol hasn't matured yet, perhaps (some say otherwise) there are not many options.
Since early ROS6 versions MT removed SSTP feats, but generally it's a good (yet with huge latency) option for use cases where traversability was a major priority.
Personally I would like PCP support in ROS too.
https://tools.ietf.org/html/rfc6887
(Not sure about NAT-T, but plenty of "legacy" projects still use it and will in future, perhaps.)
 
moep
newbie
Posts: 48
Joined: Mon Jul 02, 2012 2:12 pm

Re: v6.38rc [release candidate] is released

Sat Dec 17, 2016 11:40 pm

IPsec with xAuth seems to be broken with v6.38rc49 as responder and v6.37.3 as initiator.
The CCR is the responder and several other routerboards (RB3011, RB750Gr3, RB951G, hAPac lite, etc.) are initiators.

When I upgrade the CCR to the RC, the initiators cannot log on anymore, with "xauth login failed for xyz".
Furthermore, when I downgrade back to v6.37, the IPsec configuration on the initiators is "gone" and the CPU is at 100% (one core if more than one) until the IPsec process is (seems to be) forcefully terminated.

I tried to change the xauth passwords, but this did not work. I even upgraded an initiator (RB3011) to v6.38rc49; this did not work either.
After downgrading the responder to v6.37.3 and leaving the remote side at v6.38rc49, the connection worked again.

It seems that the xauth user DB on responder side gets broken with the upgrade.

Off-Topic: I have another thread regarding dual WAN IPIP over IPsec single connection TCP performance. Will this get any better with v6.38?
UPDATE to Off-Topic: does not seem to get better (with RC)
UPDATE2 to Off-Topic: Speed problem seems to be related to the provider of WAN2; if I directly connect a notebook to WAN2 (thus disconnecting the router) and test single stream TCP to the btest server, the speed value is exactly the same
UPDATE3 to Off-Topic: the problem is not provider related. When I connect an RB1100AH to WAN2 exclusively and make a btest, I can get 25Mbit/s upstream. Now I have no idea anymore

UPDATE:
There seems to be a bug in xauth password length.
If I crop the password in the xauth DB on the responder side to max. 31 characters, the connection is okay. It is irrelevant if the password on the initiator side is longer.
UPDATE2:
uploaded supout.rif
Last edited by moep on Thu Dec 22, 2016 4:35 pm, edited 1 time in total.
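
A pre-upgrade check for the 31-character xauth password limit reported in the post above, as an added example that is not part of the original post or MikroTik's own code: it scans a RouterOS export for `/ip ipsec user` entries and lists the users whose password exceeds the limit, without printing the password. The sample export is constructed, and the export layout it relies on (backslash line continuation, double-quoted values, only `\"` and `\\` escapes handled) is an assumption.

```python
import re
import shlex

MAX_XAUTH_PASSWORD_LEN = 31  # limit reported in the forum post, in characters

# Constructed sample of export output; names, passwords and address are made up.
SAMPLE_EXPORT = r'''# constructed sample, not taken from a real router
/ip ipsec user
add name=branch-rb3011 password=short-enough-password
add name=branch-rb750 password=\
    ThisPasswordIsDefinitelyLongerThan31Chars
add name="branch hap" password="exactly 31 characters long pass"
/ip ipsec peer
add address=192.0.2.10/32 auth-method=pre-shared-key-xauth
'''


def join_continuations(text):
    """Join lines that the export wrapped with a trailing backslash."""
    return re.sub(r"\\\r?\n[ \t]*", "", text)


def xauth_users(export_text):
    """Yield (name, password) for every 'add' line under '/ip ipsec user'."""
    section = None
    for line in join_continuations(export_text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # a new menu path starts a new section
            section = line
            continue
        if section == "/ip ipsec user" and line.startswith("add "):
            # shlex handles double quotes; other RouterOS escapes are not decoded.
            tokens = shlex.split(line)[1:]
            fields = dict(t.split("=", 1) for t in tokens if "=" in t)
            yield fields.get("name", "?"), fields.get("password", "")


def overlong_xauth_users(export_text, limit=MAX_XAUTH_PASSWORD_LEN):
    """Return [(name, length)] for passwords longer than limit, never the password."""
    return [(n, len(p)) for n, p in xauth_users(export_text) if len(p) > limit]


if __name__ == "__main__":
    for name, length in overlong_xauth_users(SAMPLE_EXPORT):
        print(f"{name}: xauth password is {length} chars (limit {MAX_XAUTH_PASSWORD_LEN})")
```

The export must include secrets for the check to see the passwords, so treat the export file itself as sensitive and delete it after the audit.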
