Bergante
Member Candidate
Posts: 131
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: v6.40rc [release candidate] is released!

Mon May 22, 2017 11:09 am

Currently SNMP is broken for those devices which have no IPv6 package enabled. We hope to include a fix in the next rc release.
Confirmed. Enabling IPv6 fixed it for me.
 
blue
Member Candidate
Posts: 265
Joined: Sun Dec 12, 2004 1:48 pm
Location: Serbia

Re: v6.40rc [release candidate] is released!

Mon May 22, 2017 11:13 am

Currently SNMP is broken for those devices which have no IPv6 package enabled. We hope to include a fix in the next rc release.
Confirmed. Enabling IPv6 fixed it for me.
For me also. It's a workaround.

BR...
 
dhoulbrooke
newbie
Posts: 45
Joined: Sun Apr 19, 2015 7:24 am
Location: Whakatane, New Zealand

Re: v6.40rc [release candidate] is released!

Mon May 22, 2017 12:05 pm

*) defconf - replaced IPv4 firewall configuration with improved one;
I've been looking at the new default firewall config - and the below doesn't seem quite right:
/ip firewall raw
add action=drop chain=prerouting comment="defconf: drop the rest"
This rule drops all traffic and nothing is passed to the clients behind the router.
 
mrz
MikroTik Support
Posts: 5913
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.40rc [release candidate] is released!

Mon May 22, 2017 2:22 pm

Finally someone actually tried default configuration :))
Next RC will have rule set improvements.
 
Chupaka
Forum Guru
Posts: 8292
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.40rc [release candidate] is released!

Mon May 22, 2017 5:19 pm

Finally someone actually tried default configuration :))
you mean, even in MikroTik? :D
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
jarda
Forum Guru
Posts: 7601
Joined: Mon Oct 22, 2012 4:46 pm

Re: v6.40rc [release candidate] is released!

Mon May 22, 2017 6:07 pm

Mikrotik is well aware of it. They are just testing us...
 
asaf23
just joined
Posts: 2
Joined: Tue May 23, 2017 7:22 pm

Re: v6.40rc [release candidate] is released!

Tue May 23, 2017 8:18 pm

Seems like a mess in the response for info command at the LTE interface:
[asaf23@MikroTik] /interface lte> info
number: 0
         pin-status: no password required
      functionality: full
       manufacturer: 
              model: Huawei Technologies Co., Ltd.
           revision: ME909u-521
   current-operator: MTS RUS
     current-cellid: 150xxxxx
  access-technology: Evolved 3G (LTE)
     session-uptime: 49m2s
               imei: 12.636.12.01.00
               imsi: 25001xxxxxxxxxxx
               uicc: 89xxxxxxxxxxxxxx
  subscriber-number: ,"+7xxxxxxxxxxx",145
               rssi: -63dBm
               rsrp: -84dBm
               rsrq: -9dB
               sinr: 12dB
-- [Q quit|D dump|C-z pause]
manufacturer = null, model = manufacturer, revision = model, imei = revision.
And in the winbox after clicking "Info" button in the LTE interface dialog the winbox is closing suddenly.
Please confirm.
Best regards
 
boldsuck
Frequent Visitor
Posts: 58
Joined: Sun Sep 01, 2013 1:07 am
Location: Germany

Re: v6.40rc [release candidate] is released!

Wed May 24, 2017 8:56 pm

Finally someone actually tried default configuration :))
That was the first thing I did after reading change log 6.40rc8.
Finally someone actually tried default configuration :))
Next RC will have rule set improvements.
Yes, please add:

/ipv6 firewall filter
add action=accept chain=input comment="Accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16

To get the IPv6-Prefix from ISP, we need DHCPv6-PD.
╰_╯ Ciao Marco!
 
uldis
MikroTik Support
Posts: 3424
Joined: Mon May 31, 2004 2:55 pm

Re: v6.40rc [release candidate] is released!

Thu May 25, 2017 12:34 am

*) wireless - added option to change "nv2-downlink-ratio" for nv2 protocol (CLI only);
*) wireless - added option to set "fixed-downlink" mode for nv2 protocol (CLI only);

Thanks very much for this. Tested it straight away and it works great. Throughput went way up for nv2 sector with 20 clients on. Latency stabilized mostly. It did however make client with low ccq on uplink almost useless and in dynamic mode the client is getting decent 4mbps down and 1mbps up.

nv2 period size =3 ms
nv2 downlink-ratio= 65

Just want to know if that is normal or will final version not punish low ccq so badly? I will rather make a plan for that client and have stable latency and increased clients per sector.

Thanks
Mikrotik Devs
For the uplink you have left 45% and it looks like it is not enough for a client with a poor connection to send the traffic to the AP. With dynamic-downlink mode most likely the client uses more than 45% and that is why you get more speed.
 
marianob85
just joined
Posts: 15
Joined: Wed Feb 08, 2017 9:47 pm

Re: v6.40rc [release candidate] is released!

Thu May 25, 2017 10:26 am

6.40rc8 - LTE modem huawei e3372 stops working. Modem is recognised but cannot make any connection.
Works correctly on 6.40rc6
 
mrz
MikroTik Support
Posts: 5913
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.40rc [release candidate] is released!

Thu May 25, 2017 11:32 am

/ipv6 firewall filter
add action=accept chain=input comment="Accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16

To get the IPv6-Prefix from ISP, we need DHCPv6-PD.
Thanks, maybe you have more suggestions what to add or change?
 
boldsuck
Frequent Visitor
Posts: 58
Joined: Sun Sep 01, 2013 1:07 am
Location: Germany

Re: v6.40rc [release candidate] is released!

Thu May 25, 2017 8:28 pm

Thanks, maybe you have more suggestions what to add or change?

I've been looking at the new default firewall config - and the below doesn't seem quite right:
/ip firewall raw
add action=drop chain=prerouting comment="defconf: drop the rest"
This rule drops all traffic and nothing is passed to the clients behind the router.
In
/ipv6 firewall raw
the same.

Cosmetic:
In WebFig, the four TCP flags are not displayed when the rule is added in the terminal. (v6.40rc8 on RB2011UAS)
/ip firewall raw
add action=drop chain=bad_tcp comment="defconf: TCP flag filte" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
╰_╯ Ciao Marco!
 
irghost
Member Candidate
Posts: 277
Joined: Sun Feb 21, 2016 1:49 pm

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 8:37 am

Version 6.40rc8 has been released.
*) defconf - added IPv6 firewall configuration (IPv6 package must be enabled on reset);
*) defconf - replaced IPv4 firewall configuration with improved one;
nice RC
it's messed up everything
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
strods
MikroTik Support
Topic Author
Posts: 1406
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 11:15 am

Version 6.40rc13 has been released.
Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

Changes since previous version:
*) bonding - do not add bonding interface if "could not set MTU" error is received;
*) defconf - added IPv6 firewall configuration (IPv6 package must be enabled on reset);
*) defconf - renamed 192.168.88.1 address static DNS entry from "router" to "router.lan";
*) export - removed spare "caller-id-type" value from compact export;
*) firewall - do not allow to set "rate" value to 0 for "limit" parameter;
*) gps - removed duplicate logs;
*) hotspot - require "dns-name" to contain "." symbol under Hotspot Server Profile configuration;
*) ike1 - removed xauth login length limitation;
*) ike2 - by default use "/24" netmask for peer IP address in split net;
*) ike2 - fixed situation when traffic selector prefix was parsed incorrectly;
*) ipsec - fixed generated policy priority;
*) ipsec - fixed peer "my-id" address reset;
*) ipsec - renamed "remote-dynamic-address" to "dynamic-address";
*) lte - fixed configless modem running state (introduced in 6.40rc);
*) ppp - fixed "change-mss" functionality (introduced in 6.39);
*) ppp - send correct IP address in RADIUS "accounting-stop" messages (introduced in 6.39);
*) pppoe-client - removed false warning from client interface if it starts running on non-slave interface;
*) proxy - fixed potential crash;
*) queue - fixed queuing when at least one child queue has "default-small" and other/s is/are different (introduced in 6.35);
*) quickset - fixed LTE "signal-strength" graphs;
*) quickset - use active user name and permissions when applying changes;
*) snmp - added ability to set "src-address";
*) tile - fixed rare encryption kernel failure when small packets are processed;
*) ups - show correct "line-voltage" value for usbhid UPS devices;
*) winbox - fixed LTE info button;
*) winbox - removed spare values from "loop-protect" setting for EoIPv6 tunnels;
*) wireless - added option to change "nv2-downlink-ratio" for nv2 protocol;
*) wireless - added option to set "fixed-downlink" mode for nv2 protocol;
*) wireless - reduced load on CPU for high speed wireless links;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
irghost
Member Candidate
Posts: 277
Joined: Sun Feb 21, 2016 1:49 pm

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 12:59 pm

Version 6.40rc13 has been released.


Changes since previous version:

*) defconf - added IPv6 firewall configuration (IPv6 package must be enabled on reset);
*) defconf - renamed 192.168.88.1 address static DNS entry from "router" to "router.lan";
Perfect
there is no problem with firewall ipv4-v6
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
GreySer
just joined
Posts: 17
Joined: Thu Apr 21, 2016 9:38 am
Location: Cheboksary

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 1:29 pm

Version 6.40rc13 has been released.
RB3011 dead after update.
 
strods
MikroTik Support
Topic Author
Posts: 1406
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 1:56 pm

GreySer - From which version did you upgrade your device?
 
GreySer
just joined
Posts: 17
Joined: Thu Apr 21, 2016 9:38 am
Location: Cheboksary

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 1:58 pm

GreySer - From which version did you upgrade your device?
From the previous one RC.
It seems 6.40rc8 or rc9
 
Chupaka
Forum Guru
Posts: 8292
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 2:07 pm

Version 6.40rc13 has been released.
Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.
what's so special in this version?..
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
strods
MikroTik Support
Topic Author
Posts: 1406
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 2:33 pm

GreySer - Connect serial console to router, power it on and send output of serial console to support@mikrotik.com
Chupaka - Nothing! Just added this for the first time. Many users forget about such things and blame version, however problem is not related to it at all.
 
GreySer
just joined
Posts: 17
Joined: Thu Apr 21, 2016 9:38 am
Location: Cheboksary

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 2:37 pm

GreySer - Connect serial console to router, power it on and send output of serial console to support@mikrotik.com
So lazily.
First I'll try netinstall. But after 17:00 msk.
 
MartinT
newbie
Posts: 26
Joined: Wed Jul 22, 2009 1:28 am
Location: CZ

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 3:33 pm

Version 6.40rc13 has been released.
*) queue - fixed queuing when at least one child queue has "default-small" and other/s is/are different (introduced in 6.35);
Can you point to some more info about this problem ?

Thanks in advance
MartinT
 
strods
MikroTik Support
Topic Author
Posts: 1406
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 3:44 pm

MartinT - Due to this problem it was possible that queue limit is set, for example, 10M, but you can not reach such high value in any way.
 
nkourtzis
Member Candidate
Posts: 202
Joined: Tue Dec 11, 2012 12:56 am
Location: Greece

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 4:54 pm

*) wireless - reduced load on CPU for high speed wireless links;
Can you elaborate on this? What types of links are benefited and by how much?
Passionate about networks
Enthusiastic about Mikrotik
MTCNA | MTCRE | MTCINE

No trees were killed to send this message,
but a large number of electrons were terribly inconvenienced.
 
antonsb
MikroTik Support
Posts: 194
Joined: Sun Jul 24, 2016 3:12 pm
Location: Riga, Latvia

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 5:00 pm

*) wireless - reduced load on CPU for high speed wireless links;
Can you elaborate on this? What types of links are benefited and by how much?
Reduced 802.11ac load on processor. This may reduce processor usage for other protocols too.
 
nkourtzis
Member Candidate
Posts: 202
Joined: Tue Dec 11, 2012 12:56 am
Location: Greece

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 5:07 pm

*) wireless - reduced load on CPU for high speed wireless links;
Can you elaborate on this? What types of links are benefited and by how much?
Reduced 802.11ac load on processor. This may reduce processor usage for other protocols too.
Can this mean that NV2 on 802.11ac will also run better?
Passionate about networks
Enthusiastic about Mikrotik
MTCNA | MTCRE | MTCINE

No trees were killed to send this message,
but a large number of electrons were terribly inconvenienced.
 
Ramas
just joined
Posts: 2
Joined: Fri May 26, 2017 8:04 pm
Location: Lithuania

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 8:33 pm

Perfect
there is no problem with firewall ipv4-v6
Well,
I suggest adding this rule to the IPv6 firewall (after "defconf: rfc4890 drop hop-limit=1"):
/ipv6 firewall filter
add action=accept chain=forward comment="defconf: accept ICMPv6 to LAN" protocol=icmpv6
In IPv6 networks, ICMP traffic needs to be allowed throughout the entire data path to support fragmentation. This means that even from external networks, you must allow at least ICMP Type 2 packets into your network.

Suggest to remove another RAW rule also:
/ip firewall raw
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.88.0/24
I see troubles getting IP address from DHCP in local LAN.
I see in Log these messages when enabling logging for this rule:
18:13:48 firewall,info prerouting: in:bridge out:(none), src-mac *:*:*:*:*:*, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 333
18:22:50 firewall,info prerouting: in:bridge out:(none), src-mac *:*:*:*:*:*, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 333

After that the default firewall config is almost ideal in my opinion.
For myself I changed the rule in the IPv4 firewall from
action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
to
action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related dscp=0
and in mangle added
/ip firewall mangle
add action=set-priority chain=postrouting comment="Respect DSCP tagging" new-priority=from-dscp-high-3-bits passthrough=yes
---
Ramas
Last edited by Ramas on Sat May 27, 2017 3:24 am, edited 3 times in total.
 
ivicask
Member Candidate
Posts: 230
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v6.40rc [release candidate] is released!

Fri May 26, 2017 9:09 pm

Hm, I upgraded my WAP AC to RC 13 and I can't connect to the router anymore via HTTP or WINBOX via IP; I can only connect via WINBOX via MAC address. Also the router itself doesn't have access to the internet anymore (can't check for new version, connection timed out). Other than that everything else works: internet on the rest of the network, port forwarding, remote access etc.
I tried disabling all firewall rules as a test; that didn't help. All interfaces have proper IP addresses just as before and I can ping the router from CMD. What could possibly cause this? I can try reverting the router to the previous version, but only tomorrow.
 
Z12
just joined
Posts: 1
Joined: Sat May 27, 2017 9:00 pm

Re: v6.40rc [release candidate] is released!

Sat May 27, 2017 9:07 pm

Version 6.40rc13
RB2011 boot loop

upgrade from 6.40rc8
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.40rc [release candidate] is released!

Sun May 28, 2017 1:33 pm

can anyone paste what the new default firewall config look like right now? i dont wanna install the latest rc as of yet.
 
dhoulbrooke
newbie
Posts: 45
Joined: Sun Apr 19, 2015 7:24 am
Location: Whakatane, New Zealand

Re: v6.40rc [release candidate] is released!

Sun May 28, 2017 1:58 pm

can anyone paste what the new default firewall config look like right now? i dont wanna install the latest rc as of yet.
Here you go:
           /ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade comment="defconf: masquerade"
           /ip firewall {
             filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP after RAW"
             filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
             filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
             filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
             filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
             filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
             filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf:  drop all from WAN not DSTNATed"
             address-list add list=bad_ipv4 address=0.0.0.0/8 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=172.16.0.0/12 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=192.168.0.0/16 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=10.0.0.0/8 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=169.254.0.0/16 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=127.0.0.0/8 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=224.0.0.0/4 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=198.18.0.0/15 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=192.0.0.0/24 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=192.0.2.0/24 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=198.51.100.0/24 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=203.0.113.0/24 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=100.64.0.0/10 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=240.0.0.0/4 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=192.88.99.0/24 comment="defconf: 6to4 relay Anycast RFC 3068"
             raw add chain=prerouting action=accept disabled=yes comment="defconf: enable for transparent firewall"
             raw add chain=prerouting action=drop in-interface-list=WAN src-address-list=bad_ipv4 comment="defconf: drop from bogon IP's"
             raw add chain=prerouting action=drop in-interface-list=LAN src-address=!192.168.88.0/24 comment="defconf: drop local if not from default IP range"
             raw add chain=prerouting action=drop protocol=udp port=0 comment="defconf: drop bad UDP"
             raw add chain=prerouting action=jump jump-target=icmp4 protocol=icmp comment="defconf: jump to ICMP chain"
             raw add chain=prerouting action=jump jump-target=bad_tcp protocol=tcp comment="defconf: jump to TCP chain"
             raw add chain=prerouting action=accept in-interface-list=LAN comment="defconf: accept everything else from LAN"
             raw add chain=prerouting action=accept in-interface-list=WAN comment="defconf: accept everything else from WAN"
             raw add chain=prerouting action=drop comment="defconf: drop the rest"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=0:0 limit=5,10:packet comment="defconf: echo reply"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=3:0 comment="defconf: net unreachable"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=3:1 comment="defconf: host unreachable"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=3:2 comment="defconf: protocol unreachable"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=3:3 comment="defconf: port unreachable"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=3:4 comment="defconf: fragmentation needed"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=8:0 limit=5,10:packet comment="defconf: echo"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=11:0-255 comment="defconf: time exceeded "
             raw add chain=icmp4 action=drop protocol=icmp comment="defconf: drop other icmp"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=!fin,!syn,!rst,!ack comment="defconf: TCP flag filte"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,syn comment="defconf"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,rst comment="defconf"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,!ack comment="defconf"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,urg comment="defconf"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=syn,rst comment="defconf"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=rst,urg comment="defconf"
             raw add chain=bad_tcp action=drop protocol=tcp port=0 comment="defconf: TCP port 0 drop"
           }
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.40rc [release candidate] is released!

Sun May 28, 2017 8:00 pm

can anyone paste what the new default firewall config look like right now? i dont wanna install the latest rc as of yet.
Here you go:
           /ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade comment="defconf: masquerade"
           /ip firewall {
             filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP after RAW"
             filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
             filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
             filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
             filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
             filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
             filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf:  drop all from WAN not DSTNATed"
             address-list add list=bad_ipv4 address=0.0.0.0/8 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=172.16.0.0/12 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=192.168.0.0/16 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=10.0.0.0/8 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=169.254.0.0/16 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=127.0.0.0/8 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=224.0.0.0/4 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=198.18.0.0/15 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=192.0.0.0/24 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=192.0.2.0/24 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=198.51.100.0/24 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=203.0.113.0/24 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=100.64.0.0/10 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=240.0.0.0/4 comment="defconf: RFC6890"
             address-list add list=bad_ipv4 address=192.88.99.0/24 comment="defconf: 6to4 relay Anycast RFC 3068"
             raw add chain=prerouting action=accept disabled=yes comment="defconf: enable for transparent firewall"
             raw add chain=prerouting action=drop in-interface-list=WAN src-address-list=bad_ipv4 comment="defconf: drop from bogon IP's"
             raw add chain=prerouting action=drop in-interface-list=LAN src-address=!192.168.88.0/24 comment="defconf: drop local if not from default IP range"
             raw add chain=prerouting action=drop protocol=udp port=0 comment="defconf: drop bad UDP"
             raw add chain=prerouting action=jump jump-target=icmp4 protocol=icmp comment="defconf: jump to ICMP chain"
             raw add chain=prerouting action=jump jump-target=bad_tcp protocol=tcp comment="defconf: jump to TCP chain"
             raw add chain=prerouting action=accept in-interface-list=LAN comment="defconf: accept everything else from LAN"
             raw add chain=prerouting action=accept in-interface-list=WAN comment="defconf: accept everything else from WAN"
             raw add chain=prerouting action=drop comment="defconf: drop the rest"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=0:0 limit=5,10:packet comment="defconf: echo reply"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=3:0 comment="defconf: net unreachable"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=3:1 comment="defconf: host unreachable"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=3:2 comment="defconf: protocol unreachable"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=3:3 comment="defconf: port unreachable"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=3:4 comment="defconf: fragmentation needed"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=8:0 limit=5,10:packet comment="defconf: echo"
             raw add chain=icmp4 action=accept protocol=icmp icmp-options=11:0-255 comment="defconf: time exceeded "
             raw add chain=icmp4 action=drop protocol=icmp comment="defconf: drop other icmp"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=!fin,!syn,!rst,!ack comment="defconf: TCP flag filte"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,syn comment="defconf"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,rst comment="defconf"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,!ack comment="defconf"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,urg comment="defconf"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=syn,rst comment="defconf"
             raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=rst,urg comment="defconf"
             raw add chain=bad_tcp action=drop protocol=tcp port=0 comment="defconf: TCP port 0 drop"
           }
thanks, with this ruleset, will i need
7x similar rules for: raw add chain=prerouting action=drop in-interface-list=LAN src-address=!192.168.88.0/24 comment="defconf: drop local if not from default IP range" ?

i have 7 different vlans for 7 different lan subnets.
 
dhoulbrooke
newbie
Posts: 45
Joined: Sun Apr 19, 2015 7:24 am
Location: Whakatane, New Zealand

Re: v6.40rc [release candidate] is released!

Mon May 29, 2017 7:48 am

thanks, with this ruleset, will i need
7x similar rules for: raw add chain=prerouting action=drop in-interface-list=LAN src-address=!192.168.88.0/24 comment="defconf: drop local if not from default IP range" ?

i have 7 different vlans for 7 different lan subnets.
You could still have the one rule and use an address list:

https://wiki.mikrotik.com/wiki/Manual:I ... dress_list
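
Added example (not part of any post in this thread, and not MikroTik's code): a small Python model of the raw prerouting chain from the configuration posted above, showing why the logged DHCP discover from 0.0.0.0 is dropped by "drop local if not from default IP range" and how a single address-list rule can cover several LAN subnets. The list name lan_subnets, the two VLAN subnets, the rules commented "example:" and the sample packets are constructed assumptions; the jump rules to icmp4 and bad_tcp are left out because every sample packet is UDP.

```python
import ipaddress
import shlex

# Raw prerouting rules copied from the default configuration posted in the thread
# (icmp4/bad_tcp jump rules omitted: every sample packet below is UDP).
DEFCONF_RAW = """
raw add chain=prerouting action=drop in-interface-list=WAN src-address-list=bad_ipv4 comment="defconf: drop from bogon IP's"
raw add chain=prerouting action=drop in-interface-list=LAN src-address=!192.168.88.0/24 comment="defconf: drop local if not from default IP range"
raw add chain=prerouting action=drop protocol=udp port=0 comment="defconf: drop bad UDP"
raw add chain=prerouting action=accept in-interface-list=LAN comment="defconf: accept everything else from LAN"
raw add chain=prerouting action=accept in-interface-list=WAN comment="defconf: accept everything else from WAN"
raw add chain=prerouting action=drop comment="defconf: drop the rest"
"""

# Assumed variant for several LAN subnets: accept DHCP discover first, then
# replace the single-subnet match with a negated address-list match.
MULTI_VLAN_RAW = """
raw add chain=prerouting action=accept in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68 dst-port=67 comment="example: accept DHCP discover"
raw add chain=prerouting action=drop in-interface-list=LAN src-address-list=!lan_subnets comment="example: drop local if not from a LAN subnet"
raw add chain=prerouting action=accept in-interface-list=LAN comment="defconf: accept everything else from LAN"
raw add chain=prerouting action=accept in-interface-list=WAN comment="defconf: accept everything else from WAN"
raw add chain=prerouting action=drop comment="defconf: drop the rest"
"""

ADDRESS_LISTS = {
    "bad_ipv4": ["0.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16"],  # subset of the posted list
    "lan_subnets": ["192.168.10.0/24", "192.168.20.0/24"],      # constructed VLAN subnets
}

# Constructed sample packets; DHCP_DISCOVER mirrors the logged 0.0.0.0:68->255.255.255.255:67.
DHCP_DISCOVER = {"in_list": "LAN", "proto": "udp", "src": "0.0.0.0", "sport": 68, "dport": 67}
LAN_HOST = {"in_list": "LAN", "proto": "udp", "src": "192.168.88.10", "sport": 5000, "dport": 53}
VLAN_HOST = {"in_list": "LAN", "proto": "udp", "src": "192.168.20.5", "sport": 5000, "dport": 53}
SPOOFED = {"in_list": "LAN", "proto": "udp", "src": "203.0.113.9", "sport": 5000, "dport": 53}


def parse_rules(text):
    """Turn 'raw add key=value ...' lines into dicts, honouring quoted comments."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def _in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def matches(rule, pkt, lists):
    """True when every matcher in the rule agrees with the packet ('!' negates)."""
    for key, value in rule.items():
        if key in ("chain", "action", "comment"):
            continue
        negated = value.startswith("!")
        val = value[1:] if negated else value
        if key == "in-interface-list":
            hit = pkt["in_list"] == val
        elif key == "protocol":
            hit = pkt["proto"] == val
        elif key == "src-address":
            hit = _in_nets(pkt["src"], [val])
        elif key == "src-address-list":
            hit = _in_nets(pkt["src"], lists.get(val, []))
        elif key == "src-port":
            hit = pkt["sport"] == int(val)
        elif key == "dst-port":
            hit = pkt["dport"] == int(val)
        elif key == "port":  # matches either source or destination port
            hit = int(val) in (pkt["sport"], pkt["dport"])
        else:
            raise ValueError(f"matcher not modelled: {key}")
        if hit == negated:
            return False
    return True


def verdict(rules, pkt, lists):
    """First matching rule decides; returns (action, rule comment)."""
    for rule in rules:
        if matches(rule, pkt, lists):
            return rule["action"], rule.get("comment", "")
    return "accept", "(end of chain)"


if __name__ == "__main__":
    samples = (("DHCP discover", DHCP_DISCOVER), ("192.168.88.10", LAN_HOST),
               ("192.168.20.5", VLAN_HOST), ("203.0.113.9", SPOOFED))
    for name, text in (("defconf", DEFCONF_RAW), ("multi-VLAN variant", MULTI_VLAN_RAW)):
        rules = parse_rules(text)
        for label, pkt in samples:
            print(f"{name:20} {label:15} {verdict(rules, pkt, ADDRESS_LISTS)}")
```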
 
sparker
just joined
Posts: 23
Joined: Mon Jan 23, 2012 5:48 pm
Location: Russia / Chelyabinsk

Re: v6.40rc [release candidate] is released!

Mon May 29, 2017 7:48 am

Hello. When will it be possible to test mstp? :)
Sorry for my English.
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.40rc [release candidate] is released!

Mon May 29, 2017 10:15 am

Hello. When will it be possible to test mstp? :)
ive had numerous temptations to ask. so yeah lets see mstp, say next rc?
 
joserudi
Frequent Visitor
Posts: 66
Joined: Thu Nov 22, 2007 10:16 pm

Re: v6.40rc [release candidate] is released!

Mon May 29, 2017 11:22 am

Fixed the correct ip but continues to stop users with time until you make a database rebuild

ppp - send correct IP address in RADIUS "accounting-stop" messages (introduced in 6.39);
 
anuser
Member
Posts: 372
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.40rc [release candidate] is released!

Mon May 29, 2017 11:50 am

Version 6.40rc13 has been released.
*) wireless - added option to change "nv2-downlink-ratio" for nv2 protocol;
*) wireless - added option to set "fixed-downlink" mode for nv2 protocol;
*) wireless - reduced load on CPU for high speed wireless links;
Wireless with CAPSMAN forwarding seems to be improved for me, at least somehow. I currently have ~300 connected clients on ~25 WAP AC/HAP AC/HAP AC lite and find fewer "disconnected, group key timeout" messages on 2.4GHz connected clients within logging. Before that release I had hundreds/too many of them. Did you change anything else with the wireless package?
 
mrz
MikroTik Support
Posts: 5913
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.40rc [release candidate] is released!

Mon May 29, 2017 2:00 pm

Prefect
there is no problem with firewall ipv4-v6
Well,
i suggest to add this rule to IPv6 firewall (after "defconf: rfc4890 drop hop-limit=1"):
/ipv6 firewall filter
add action=accept chain=forward comment="defconf: accept ICMPv6 to LAN" protocol=icmpv6
---
Ramas
Thanks for the input. We will improve FW rule set.
 
timking
just joined
Posts: 6
Joined: Fri Feb 12, 2016 4:26 pm

Re: v6.40rc [release candidate] is released!

Mon May 29, 2017 3:57 pm

Have emailed support but cannot set scan-list in /interface wireless to a bespoke value. If you set it to e.g. bandb, it actually sets it to bandb;bandb and then the radio stops working.
Can't set it in webfig either. Tools/telnet in webfig is also broken.
 
jarda
Forum Guru
Posts: 7601
Joined: Mon Oct 22, 2012 4:46 pm

Re: v6.40rc [release candidate] is released!

Mon May 29, 2017 4:22 pm

Looks like SNMP problems with earlier RC versions are corrected. Thanks.
 
andreadg88
just joined
Posts: 5
Joined: Mon May 22, 2017 1:50 pm

Re: v6.40rc [release candidate] is released!

Mon May 29, 2017 8:15 pm

Hi,
have you identified a date that rel v.6.40 exit from release candidate roadmap?
 
jarda
Forum Guru
Posts: 7601
Joined: Mon Oct 22, 2012 4:46 pm

Re: v6.40rc [release candidate] is released!

Mon May 29, 2017 9:38 pm

None knows that.
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.40rc [release candidate] is released!

Tue May 30, 2017 9:47 am

None knows that.
I do -- right after MSTP.

I hope
 
strods
MikroTik Support
Topic Author
Posts: 1406
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.40rc [release candidate] is released!

Tue May 30, 2017 10:03 am

Version 6.40rc14 has been released.
Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

Changes since previous version:
*) chr - maximal system disk size now limited to 16GB;
*) fetch - added "src-address" parameter for HTTP and HTTPS;
*) pppoe-server - fixed "one-session-per-host" issue where 2 simultaneous sessions were possible from the same host;
*) snmp - fixed crash on interface table get;
*) winbox - added "reselect-channel" to CAPsMAN interfaces;
*) winbox - fixed firewall port selection with Winbox v2;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
GreySer
just joined
Posts: 17
Joined: Thu Apr 21, 2016 9:38 am
Location: Cheboksary

Re: v6.40rc [release candidate] is released!

Tue May 30, 2017 10:41 am

Version 6.40rc14 has been released.
RB2011 RB3011 bootloop fixed? Safe to install?
 
strods
MikroTik Support
Topic Author
Posts: 1406
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.40rc [release candidate] is released!

Tue May 30, 2017 10:46 am

GreySer - There is not generic bootloop with RB2011 and RB3011. It must be caused either by problems during upgrade process (for example, power cycle during upgrade) or specific configuration. Please write to support@mikrotik.com and report your problem. Provide configuration files, explanation and serial output during reboot loop and even better - one from upgrade process.
 
GreySer
just joined
Posts: 17
Joined: Thu Apr 21, 2016 9:38 am
Location: Cheboksary

Re: v6.40rc [release candidate] is released!

Tue May 30, 2017 10:59 am

GreySer - There is not generic bootloop with RB2011 and RB3011. It must be caused either by problems during upgrade process (for example, power cycle during upgrade) or specific configuration. Please write to support@mikrotik.com and report your problem. Provide configuration files, explanation and serial output during reboot loop and even better - one from upgrade process.
Updated now from 6.39.1, successful.
 
strods
MikroTik Support
Topic Author
Posts: 1406
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.40rc [release candidate] is released!

Wed May 31, 2017 11:18 am

Version 6.40rc15 has been released.
Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

Changes since previous version:
!) ipsec - added support for dynamic "action=notrack" RAW rules for policies;
*) defconf - added accept ICMPv6 in forward and DHCP discover in RAW prerouting;
*) ike2 - added pfkey kernel return checks;
*) ipsec - added information in console XML for "mode-config" menu;
*) ipsec - fixed connections cleanup on policy or proposal modification;
*) ipsec - removed policy priority;
*) ppp - fixed MLPPP over multiple channels/interfaces (introduced in v6.39);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.40rc [release candidate] is released!

Wed May 31, 2017 12:41 pm

!) ipsec - added support for dynamic "action=notrack" RAW rules for policies;
Can anybody share optimal firewall rules for L2TP/IPsec and IKEv2 IPsec with regards to fasttrack?
 
jKonstantin
just joined
Posts: 2
Joined: Wed May 31, 2017 2:29 pm

Re: v6.40rc [release candidate] is released!

Wed May 31, 2017 2:41 pm

It is now 2017. The rb750gr3 doesn't support metarouter because it uses the "SPI flash" category. Where is UDP and LZO support in openvpn? Where is the fairy tale about ROS7? Zyxel already supports both.
