v6.40rc [release candidate] is released! (New bridge implementation delayed till 6.41rc)

msatter · Sat Jul 15, 2017 10:27 pm

Give it a rest. It is known at Mikrotik and they will fix it before the final version...I assume.

Chupaka · Mon Jul 17, 2017 2:52 pm

WinBox: in IP -> Neighbours it says 'UPtime'. Should be 'Uptime', I believe

kometchtech · Mon Jul 17, 2017 4:34 pm

Unable to export configuration to a file

Is anyone else having this issue? I can run /export from the CLI, but if I do:

/export file=x (or /export file="x")

No files get created.
I had the same problem yesterday. RB2011UAS
I thought I was too stupid to find the file.

ISSUE since rc38
Webfig:
No File download possible
ftp download is OK

It seems that it was corrected by rc41 as in Changelog of RouterOS 6.40rc41.
It applied by CCR 1009 and confirmed.

idlemind · Mon Jul 17, 2017 5:22 pm

Speaking of rc41 ... No announcment on the forums yet.

Most curiously:

!) bridge hw-offload implementation reverted back to pre-6.40rc36 state (testing will continue in v6.41rc);

^^ MikroTik, what does this mean for rc38 to rc41? Will our bridge configs be mangled or useless? Will the become full software based VLAN aware bridges?

Chupaka · Mon Jul 17, 2017 5:30 pm

No more IGMP Snooping?

Mon Jul 17, 2017 6:31 pm

v6.40 is scheduled for release, so we reverted hw-offload as well as igmp-snooping, because it requires more testing and bugfixes.
Most likely it will be back in v6.41rc

pe1chl · Mon Jul 17, 2017 7:06 pm

Does that mean that "master port" functionality will remain? Or will everything still be converted to bridges but now without hw offload and IGMP snooping?

upower3 · Mon Jul 17, 2017 7:34 pm

There is one interesting line in CHANGES for 6.40.rc42:

*) pppoe-server - fixed situation when some of 100+ pppoe-servers can become invalid on reboot;

Is it possible to know since which version this bug exists? 6.39 is vulnerable or not, for CCR1009?

idlemind · Mon Jul 17, 2017 9:08 pm

v6.40 is scheduled for release, so we reverted hw-offload as well as igmp-snooping, because it requires more testing and bugfixes.
Most likely it will be back in v6.41rc

I'll keep on 6.40rc38 until 6.41rc hits the downloads then. Can't say i'm interested in reverting my new VLAN aware bridges back to the old way and then back again into VLAN aware bridges. Good progress. Don't fall asleep at the wheel. I hope you guys got some good initial testing on MSTP / VLAN ware bridging.

Xymox · Mon Jul 17, 2017 9:53 pm

Well... That was fun... hahahaha..

Not exactly sure what happened on my CCR, it seemed fine at first.. My bridges seemed fine. I have no master/slave ports.. That was last nite.. This morning I wake up and things are astray.. I have a DNS server and its TX port on ethernet seems to have nothing coming from it. Ive hooked it to a few devices. So something in a Linux server has gone astray - really odd timing if its unrelated.. The CCR is still working I just changed to a external DNS to bypass the server and all is well. Im going to look at the server shortly.

I moved back to the stable release during troubleshooting on the CCR.

When i read the warning about backing up, I decided to copy over to a partition before doing anything. You guys should recommend that more often. Its a great reason to have partitions. I have not flipped back yet, but, I think I will as going from 38 to 41 who knows...

Now the more interesting router was the 2011UiAS-2HnD ... While that seemed to work ok and I did not notice any obvious networking issues, the display light was now tied to port one activity light. So the display was going on/off with the activity light.. SOrta "Help me ! Im in trouble here !"... haha..

Your beta's are normally pretty much like stable releases. So im sure to a lot of people this might have been alarming to have issues with a beta. BUT. I found your beta procedures really great. Your WARNED EVERYBODY - DO A BACKUP -.. In my case I READ the release notes before pushing the button. So I grabbed EVERYTHING off each router and then set a partition before running the beta.. SO for me these were ZERO issues when things got weird.

Not sure any of the above really helps with the beta test, but I try and give feedback when on a beta and something goes astray.

Xymox · Mon Jul 17, 2017 9:59 pm

Everybody using RC's should also be using partitions. This makes for instant fall back and no worries.

Xymox · Mon Jul 17, 2017 11:41 pm

Hmmm.. Did I see the routerboard firmware go from 3.33 to 3.39 during that someplace ? Maybe I have just not checked in a while. It would be a lot more annoying to have to fact reset it to get back to its factory 3.18 and then update firmware and then restore settings from a export/import.

Hopefully 3.39 in routerboard firmware is OK to use with 6.40.RC21 ? or 6.39.2 ?

I saw a lot of weird things occur on my network. I cant say they are related, but, ive never had anything go wacky in 6 months and then everything went wacky at the same time I did 6.40RC38..Then 41..

That was a pretty weird set of events. Im back on 6.39.2 on the 2011 and 6.40.RC21 on the CCR. These were my last stable partitions.

Maybe cuz it was monday ?

idlemind · Tue Jul 18, 2017 1:59 am

I confirmed w/6.40rc41 the VLAN aware bridges are reverted. I did not test what happens when they are reverted when upgrading from 6.40rc38 to 6.40rc41. Also, odd to have such limited communication on the release from MikroTik.

When can we expect to see 6.40 announced and 6.41rc started back with the VLAN aware implementation.

Tue Jul 18, 2017 8:59 am

What's new in 6.40rc41 (2017-Jul-17 09:03):

!) bridge hw-offload implementation reverted back to pre-6.40rc36 state (testing will continue in v6.41rc);
!) wireless - added Nv2 AP synchronization feature "nv2-modes" and "nv2-sync-secret" option;
*) bonding - fixed 802.3ad mode on RB1100AHx4;
*) export - fixed export to a file (introduced in v6.40rc39);
*) hotspot - added "address-list" support in "walled-garden" IP section;
*) hotspot - fixed firewall accept rules created by "/ip hotspot walled garden ip" (introduced in v6.40rc18);
*) ike1 - create tunnel policy when no split net provided;
*) ike1 - wait for cfg set reply before ph2 creation with xAuth;
*) ipsec - allow to specify chain in "firewall" peer option;
*) ppp - fixed non-standard PAP or CHAP packet handling;
*) pppoe-server - fixed situation when some of 100+ pppoe-servers can become invalid on reboot;
*) routerboard - added "caps-mode" option for "reset-configuration";
*) sfp - fixed invalid temperature reporting when ambient temperature is less than 0;
*) winbox - make IPSec policies table an order list;
*) winbox - show "/interface wireless cap print" warnings;

Important: This means all the new bridge/switch/igmp-snooping functionality is removed and will return in 6.41rc. The reason is that we found that these new features need more testing, and v6.40 was too close to release, so it would delay the release for some time. Those of you who used the RC, there is no painless way to upgrade or downgrade.

The choices are:
1) reconfigure and repair by hand
2) wait until 6.41RC

Xymox · Tue Jul 18, 2017 11:46 am

This was very easy to roll back with a partition. Just make the partition active that was right before the upgrade. Took seconds.. As I mentioned, everyone doing RCs should use partitions. I copy my current RC and config over to a partition before I try out a new RC. Any issue, I just move back..

I had to with 38, upgraded to 41. On the 2011 it was still causing the display to flash. So 41 did not fix something from 38. So I "made active" my original partition and the issue was gone.

I really think Mikrotik should discuss using partitions in addition to backups.

expert · Tue Jul 18, 2017 12:16 pm

I really think Mikrotik should discuss using partitions in addition to backups.

Can I make partition(s) on my mAP Lite? It has only 32MB disk space.

bajodel · Tue Jul 18, 2017 12:17 pm

This was very easy to roll back with a partition. Just make the partition..

You are right, but try to use partitioning on a hEX (or any other "zero flash") devices!
There is no common sense in putting 16mb flash on new devices.. IMHO .. the real reason is obviously NOT save 2 bucks

bratislav · Tue Jul 18, 2017 12:31 pm

I really think Mikrotik should discuss using partitions in addition to backups.
Can I make partition(s) on my mAP Lite? It has only 32MB disk space.

Are you sure about that? mAP lite should have 64MB RAM and 16MB flash ... and no you cant use partitions ...

anuser · Tue Jul 18, 2017 2:04 pm

After upgrading from 6.40rc38 to 6.40rc41 I do not see any 5Ghz client being connected on many of my WAP AC devices. Normally I get a ratio of 60:40 for 2.4Ghz:5Ghz.

biatche · Tue Jul 18, 2017 3:21 pm

This was very easy to roll back with a partition. Just make the partition active that was right before the upgrade. Took seconds.. As I mentioned, everyone doing RCs should use partitions. I copy my current RC and config over to a partition before I try out a new RC. Any issue, I just move back..

I had to with 38, upgraded to 41. On the 2011 it was still causing the display to flash. So 41 did not fix something from 38. So I "made active" my original partition and the issue was gone.

I really think Mikrotik should discuss using partitions in addition to backups.

+1

This is a wonderful idea. I didn't even know this was possible till you mentioned so as well some means to boot once off a secondary partition?

Chupaka · Tue Jul 18, 2017 5:11 pm

https://wiki.mikrotik.com/wiki/Manual:I ... pt_example

DHCP-Client does not run 'script=' on lease refresh (e.g. when gateway changes but IP address stays the same).

idlemind · Tue Jul 18, 2017 5:40 pm

Important: This means all the new bridge/switch/igmp-snooping functionality is removed and will return in 6.41rc. The reason is that we found that these new features need more testing, and v6.40 was too close to release, so it would delay the release for some time. Those of you who used the RC, there is no painless way to upgrade or downgrade.

Normis, what is the time-line for 6.40 GA and 6.41rc?

pe1chl · Tue Jul 18, 2017 7:15 pm

This is a wonderful idea. I didn't even know this was possible till you mentioned so as well some means to boot once off a secondary partition?

It can boot off the secondary partition when booting off the first partition fails. Although it is not clearly defined what failing to boot really means.
I would have liked some feature like "boot off secondary partition when internet connection (or some VPN) fails to establish within X minutes" but
you will have to program that yourself using a script, and it is not straightforward, you cannot e.g. use a "/tool netwatch down-script" directly because
it is ALWAYS called on reboot.

Furthermore, unfortunately the use of partitions is no longer possible on the low-end models of the current product programme. A year or two ago
the low-end models still had enough flash to use partitions, but today many models have ony 16GB flash.

idlemind · Tue Jul 18, 2017 7:41 pm

I'm with you guys. I'm not sure what class embedded designers are taught to use tiniest flash chip available on the market but I'd like to alter that curriculum. That said, I do get that in the hardware world, cents does multiply out to dollars when the sale quantity gets high enough. It seems like an area were you could cheaply separate yourself from other router brands even with a 128mb or 256mb flash chip.

For poops and giggles, a quick google search shows:

0.61 USD = 32MB flash chip
3.43 USD = 256MB flash chip
9.52 USD = 1GB flash chip

These numbers are very quick and dirty. Naturally the product would have to be vetted to make sure it fits the design and volume purchase discounts could soften the cost. I was just hoping to put a cost per unit for the upgrade into print in hopes of giving us all a little perspective on what kind of price impact we'd see if MikroTik moved to larger chips and passed that cost onto consumers. A device like the hap AC already in that +100 USD cost may handle an additional ~9 USD different easier than say a cap lite. I personally would be very happy with a 256MB (even 128MB) upgrade at a ~3 USD impact per device across the product line. The cost increase for storage capacity would be a justifiable reason that would increase my likelyhood to purchase MikroTik. That is just me, I can't speak for all forum members in all markets.

buzzdee · Tue Jul 18, 2017 10:41 pm

As of version 6.37 I had some trouble using RoMon with R52 equipped devices in station mode.
viewtopic.php?f=21&t=114926&p=569766#p569766

The 6.40rc's i've tried so far (6.40rc32 and 6.40rc41) have solved this issue.

qq4569712 · Tue Jul 18, 2017 10:42 pm

Currently RouterOS6.40rc does support any of EAP authentication methods?
Yes, the below methods.

In the V6.40rc41 version, I can not find this option. Please tell me the details of the setup steps and methods, thanks. Please forgive me, my English is very bad

null31 · Tue Jul 18, 2017 11:45 pm

In the V6.40rc41 version, I can not find this option. Please tell me the details of the setup steps and methods, thanks. Please forgive me, my English is very bad

The EAP section is on Wireless > Security Profiles > Profile entries (via winbox).

I forgot to ask.
Do you want the Mikrotik as EAP Client or as EAP Access Point?
The print that I showed is about EAP Client.

Now about EAP AP:
Page 16.
> https://mum.mikrotik.com//presentations ... 009077.pdf (Spanish language)

biatche · Tue Jul 18, 2017 11:59 pm

I'm with you guys. I'm not sure what class embedded designers are taught to use tiniest flash chip available on the market but I'd like to alter that curriculum. That said, I do get that in the hardware world, cents does multiply out to dollars when the sale quantity gets high enough. It seems like an area were you could cheaply separate yourself from other router brands even with a 128mb or 256mb flash chip.

For poops and giggles, a quick google search shows:

0.61 USD = 32MB flash chip
3.43 USD = 256MB flash chip
9.52 USD = 1GB flash chip

These numbers are very quick and dirty. Naturally the product would have to be vetted to make sure it fits the design and volume purchase discounts could soften the cost. I was just hoping to put a cost per unit for the upgrade into print in hopes of giving us all a little perspective on what kind of price impact we'd see if MikroTik moved to larger chips and passed that cost onto consumers. A device like the hap AC already in that +100 USD cost may handle an additional ~9 USD different easier than say a cap lite. I personally would be very happy with a 256MB (even 128MB) upgrade at a ~3 USD impact per device across the product line. The cost increase for storage capacity would be a justifiable reason that would increase my likelyhood to purchase MikroTik. That is just me, I can't speak for all forum members in all markets.

+1

MT products come to many of us as an enterprise product, failover/secondary boot would be awesome. Of course I'll mention it in feature requests later otherwise that @andriys will flame for 'spamming' this thread.

Wed Jul 19, 2017 12:36 am

You are right, but try to use partitioning on a hEX (or any other "zero flash") devices!
There is no common sense in putting 16mb flash on new devices.. IMHO .. the real reason is obviously NOT save 2 bucks

This does seem strange in today's world.... but then again, as Idlemind points out - $2 for every unit sold can translate to hundreds of thousands or millions of dollars less in profits for a particular unit if it's popular...

bajodel · Wed Jul 19, 2017 3:36 am

.. less in profits ..

I see yours point, but ..

hEX/RB750Gr3 >> 5 Gbit ethernet, poe in, CPU with 4 Threads 2 core 880 MHz, usb port, sd port, 256 mb ram, voltage sensor and pcb temp sensor.. and 16mb flash !?

I think there were other rooms for saving 2 $ , why put 256 mb ram and quad core cpu .. temp and voltage monitor, usb and SD interfaces..
I can easily understand that design choice on a mAP or similar device, but on hEX it's seems unbalanced.. IMHO.

qq4569712 · Wed Jul 19, 2017 8:40 am

In the V6.40rc41 version, I can not find this option. Please tell me the details of the setup steps and methods, thanks. Please forgive me, my English is very bad
The EAP section is on Wireless > Security Profiles > Profile entries (via winbox).

I forgot to ask.
Do you want the Mikrotik as EAP Client or as EAP Access Point?
The print that I showed is about EAP Client.

Now about EAP AP:
Page 16.
> https://mum.mikrotik.com//presentations ... 009077.pdf (Spanish language)

Thanks null31, i try to try mikrotik route to build an iKEV2 VPN server, i have no radius, my client is windows7, i read wik i but still can not succeed. Would you like to help me?

bratislav · Wed Jul 19, 2017 12:10 pm

You got this wrong ... flash chips are declared in Megabits ... so the prices you found are for 4MB, 32MB and 128MB respectively ...

I'm with you guys. I'm not sure what class embedded designers are taught to use tiniest flash chip available on the market but I'd like to alter that curriculum. That said, I do get that in the hardware world, cents does multiply out to dollars when the sale quantity gets high enough. It seems like an area were you could cheaply separate yourself from other router brands even with a 128mb or 256mb flash chip.

For poops and giggles, a quick google search shows:

0.61 USD = 32MB flash chip
3.43 USD = 256MB flash chip
9.52 USD = 1GB flash chip

These numbers are very quick and dirty. Naturally the product would have to be vetted to make sure it fits the design and volume purchase discounts could soften the cost. I was just hoping to put a cost per unit for the upgrade into print in hopes of giving us all a little perspective on what kind of price impact we'd see if MikroTik moved to larger chips and passed that cost onto consumers. A device like the hap AC already in that +100 USD cost may handle an additional ~9 USD different easier than say a cap lite. I personally would be very happy with a 256MB (even 128MB) upgrade at a ~3 USD impact per device across the product line. The cost increase for storage capacity would be a justifiable reason that would increase my likelyhood to purchase MikroTik. That is just me, I can't speak for all forum members in all markets.

qoole · Wed Jul 19, 2017 2:18 pm

You got this wrong ... flash chips are declared in Megabits ... so the prices you found are for 4MB, 32MB and 128MB respectively ...

I don't think he did get it wrong, 8gbit (1gbyte) FLASH on digikey can cost as little as between $6.16 (each in 1000 of quantity) and $9.45 (each in 1 of quantity).
That's Micron branded stuff too.

Digikey search: https://goo.gl/4ACaA5

msatter · Wed Jul 19, 2017 2:54 pm

I have myself a RB750Gr3 and have indeed had some troubles with only 16MB flash. After getting some direction by Mikrotik I got the way it is meant to work. Firm upgrades don't are uploaded to the flash but the RAM.

It works very well and a liitle over half of the Flash os used for the firmware. All the stuff that not has to survive a restart is put in RAM.

To save stuff that has to be saved but not in the flash for that you can put SD card in.

I am very satisfied how all this works and if needed Mikrotik can put extra loadable packages on the SD card.

The Mikrotik not that expensive for the value you get back and constant development is a great addition.

On that development I advise to activate besides RC also development for the bold steps like Master to Bridge because many are using RC as current and a rollback is not without some nasty catches as I had to undergo. The solution was for me to flash the current and the step to to the wanted RC. Otherwise the backups made before were not usable.

Wed Jul 19, 2017 3:08 pm

Mikrotik will not put extra loadable packages to external storage due to safety reasons. And 16MB flash is really too small because it does not allow you to use multiple partitions for your safety purposes.

msatter · Wed Jul 19, 2017 8:37 pm

Ehm, putting packages even on the SD is not smart but I was carried away by the thought of Mikrotik offering compression not only in the. npk files.

Maybe a plus version of the low cost routers is doable allowing more advanced users to have space to use partitions and the CPU supports that.

Kindis · Thu Jul 20, 2017 12:28 am

Can we close this thread and open a new one with a better title as the new bridge is removed. Less confusing

Chupaka · Thu Jul 20, 2017 11:16 am

Renamed the topic a bit

anuser · Fri Jul 21, 2017 1:12 pm

I´m standing directly in front of the WAP AC and got disconnect with group key timeout on 5Ghz while downloading files (Sony Z1 Compact with Android 5.1) RouterOS release is 6.40.rc41
I updated to routerboard firmware: 3.39 before I saw this behavior. How can I downgrade routerboard firmware?

pe1chl · Fri Jul 21, 2017 2:29 pm

You can downgrade RouterOS, it is not required to downgrade the firmware.
Just select the "Current" branch in System->Packages->Update.

mducharme · Sun Jul 23, 2017 9:21 pm

Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.

upower3 · Sun Jul 23, 2017 9:24 pm

Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.

Better use API call, will be faster way I suppose, like

/interface/wireless/registration-table

and play with.

Cha0s · Sun Jul 23, 2017 9:32 pm

Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.
Better use API call, will be faster way I suppose, like
Code: Select all
/interface/wireless/registration-table
and play with.

This is not realistic.
SNMP is the defacto standard. All monitoring software (Cacti, Observium/LibreNMS, etc) supports SNMP. None that I know of supports RouterOS API. At least not without custom/3rd party plugins.

You can already monitor the signal using SNMP but you only get a MAC Address to identify the client by and it's not really easy to tell which is which as mducharme mentioned.

upower3 · Sun Jul 23, 2017 9:38 pm

This is not realistic.

I do understand your pain but Mikrotik is quite slow with SNMP so far. Keep asking, maybe one day?..

What I can offer (well, kind of) is to use you own SNMP server software to reply to specific SNMP requests while query MT's API for information. Not nice at all but at least it'll work.

I did that trick with Zabbix by feeding values to Zabbix server with zabbix-send for values I wasn't able to get via SNMP. I compute the list of calls I need to do, then connect to mikrotik, run one by one these requests and in one bunch send it via zabbix-send. So to say, it lowered the burned o MT CPU, since every new connection (with auth) seems to adds up load.

Dirty and unstable trick, I know, for API calls may be changed one day, but the same is true for OIDs.

Cha0s · Sun Jul 23, 2017 9:50 pm

For a single router or even a few, I understand that this is a solution. I've done similar stuff myself for BGP monitoring.

But when you already manage hundreds of routers with limited access policy (ie: NO API) using these kinds of 'hacks' are not scalable or manageable. Hence not realistic for production environment.

Not to mention the fact that you will flood the logs with tons of API logins/logouts every X (usually 1 or 5) minutes.
And disabling the logins logging is not realistic either

upower3 · Sun Jul 23, 2017 10:24 pm

scalable or manageable. Hence not realistic for production environment.

Oh, I see you're wise person already, will not teach you this way

I can't say how many routers you need to monitor from you initial question. Yes, let's wait for MT to help with this.

They should add scripting into SNMP server, so you can set OID and which script to execute to reply the query

This is where MT win all the time - scripting!

biatche · Sun Jul 23, 2017 10:51 pm

Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.

+1 support for this

pe1chl · Sun Jul 23, 2017 11:10 pm

They should add scripting into SNMP server, so you can set OID and which script to execute to reply the query This is where MT win all the time - scripting!

That feature is actually available! But it is a bit hard to find and understand.

Jotne · Mon Jul 24, 2017 12:32 am

Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.
+1 support for this

+1

I do use SYSLOG and SNMP with SPLUNK to get all what I need for monitoring.

idlemind · Mon Jul 24, 2017 1:28 am

APIs are good but tbh SNMP is far easier to work with in NMS tools. I've found a handful of OIDs I'd really like to see supported. Particularly IPv6 traffic tracking and connection counts. Saying it's solved with scripting to custom OIDs is a total hack over supporting standardized mibs.

mducharme · Mon Jul 24, 2017 6:33 am

APIs are good but tbh SNMP is far easier to work with in NMS tools. I've found a handful of OIDs I'd really like to see supported. Particularly IPv6 traffic tracking and connection counts. Saying it's solved with scripting to custom OIDs is a total hack over supporting standardized mibs.

Yes, and adding the "Radio Name" field is something that should, IMO, be relatively easy for them to do.

pe1chl · Mon Jul 24, 2017 11:59 am

that should, IMO, be relatively easy for them to do.

There is probably a list of things that are relatively easy to do that is so long that it requires considerable effort to sort it all out...

upower3 · Mon Jul 24, 2017 12:46 pm

By the way, I now can see two block diagrams for routers, one for non-switched config and other is for switched. So as 6.41 is out both still be there but "switched" become "attached to the same bridge", right?

Also, on this diagram:

am I right to say that if I set 2-4 ports to be switched, and port 1 as non-switched, then port 1 will be 1 Gbps, and four remaining will share another 1 Gpbs in routing scenario?

idlemind · Mon Jul 24, 2017 5:31 pm

By the way, I now can see two block diagrams for routers, one for non-switched config and other is for switched. So as 6.41 is out both still be there but "switched" become "attached to the same bridge", right?

Also, on this diagram:

am I right to say that if I set 2-4 ports to be switched, and port 1 as non-switched, then port 1 will be 1 Gbps, and four remaining will share another 1 Gpbs in routing scenario?

Running 6.40rc38 (won't be upgrading until 6.41rc is released) I don't get hardware offload on any ports. That's ok for me because I have the hex doing intervlan routing which is done in CPU anyways per MikroTik support. I have a separate layer 2 switch that is capable of faster speeds between the hex and my various devices for intravlan traffic.

HeadCraft · Tue Jul 25, 2017 11:39 am

As in v6.39.2 still not changing dynamic ipsec src. address in policies and peers, when setting it in ipip tunnel interface in local address setting. And if I delete dynamic entries in ipsec policies or peers, the will not appear anymore until reboot, or set another dst address.

Tue Jul 25, 2017 11:47 am

@HeadCraft be more specific, what you described works:

[admin@rack1_b3] /interface ipip> /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000 

 1  D  ;;; ipip-tunnel4
       src-address=1.1.1.1/32 src-port=any dst-address=1.1.1.2/32 dst-port=any protocol=ipencap action=encrypt 
       level=require ipsec-protocols=esp tunnel=no proposal=default priority=0x20000 ph2-count=0 
[admin@rack1_b3] /interface ipip> print 
Flags: X - disabled, R - running, D - dynamic 
 #     NAME         MTU ACTUAL-MTU LOCAL-ADDRESS   REMOTE-ADDRESS       KEEPALIVE                               DSCP
 0     ipip-tu...  auto       1480 1.1.1.1         1.1.1.2              10s,10                               inherit
 
 [admin@rack1_b3] /interface ipip> set 0 local-address=2.2.2.2 
[admin@rack1_b3] /interface ipip> /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000 

 1  D  ;;; ipip-tunnel4
       src-address=2.2.2.2/32 src-port=any dst-address=1.1.1.2/32 dst-port=any protocol=ipencap action=encrypt 
       level=require ipsec-protocols=esp tunnel=no proposal=default priority=0x20000 ph2-count=0

HeadCraft · Tue Jul 25, 2017 3:02 pm

@HeadCraft be more specific, what you described works:

[admin@rack1_b3] /interface ipip> /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000 

 1  D  ;;; ipip-tunnel4
       src-address=1.1.1.1/32 src-port=any dst-address=1.1.1.2/32 dst-port=any protocol=ipencap action=encrypt 
       level=require ipsec-protocols=esp tunnel=no proposal=default priority=0x20000 ph2-count=0 
[admin@rack1_b3] /interface ipip> print 
Flags: X - disabled, R - running, D - dynamic 
 #     NAME         MTU ACTUAL-MTU LOCAL-ADDRESS   REMOTE-ADDRESS       KEEPALIVE                               DSCP
 0     ipip-tu...  auto       1480 1.1.1.1         1.1.1.2              10s,10                               inherit
 
 [admin@rack1_b3] /interface ipip> set 0 local-address=2.2.2.2 
[admin@rack1_b3] /interface ipip> /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000 

 1  D  ;;; ipip-tunnel4
       src-address=2.2.2.2/32 src-port=any dst-address=1.1.1.2/32 dst-port=any protocol=ipencap action=encrypt 
       level=require ipsec-protocols=esp tunnel=no proposal=default priority=0x20000 ph2-count=0

Sorry, I just found why it is not working correct (may be I doing it incorrect). The reason is that I use mikrotik DDNS as destination address in tunnel. So situation is:

[admin@MikroTik] > /interface ipip
add allow-fast-path=no ipsec-secret=123 !keepalive local-address=1.1.1.1 name=\
    ipip-tunnel1 remote-address=google-public-dns-a.google.com

After creating interface with dns there is no ipsec policies at all.

[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default 
       template=yes

Lets reboot the router, and we see the policy:

[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default 
       template=yes 

 1  D  ;;; ipip-tunnel1
       src-address=1.1.1.1/32 src-port=any dst-address=8.8.8.8/32 dst-port=any 
       protocol=ipencap action=encrypt level=require ipsec-protocols=esp tunnel=no 
       proposal=default priority=0 ph2-count=0

Now we will change settings in tunnel interface:

[admin@MikroTik] > /interface ipip set [find name=ipip-tunnel1] local-address=3.3.3.3

But we still see old ip in policies

[admin@MikroTik] > ip ipsec policy print                                             
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default 
       template=yes 

 1  D  ;;; ipip-tunnel1
       src-address=1.1.1.1/32 src-port=any dst-address=8.8.8.8/32 dst-port=any 
       protocol=ipencap action=encrypt level=require ipsec-protocols=esp tunnel=no 
       proposal=default priority=0 ph2-count=0

And in peers

[admin@MikroTik] > ip ipsec peer print  
Flags: X - disabled, D - dynamic, R - responder 
 0  D  ;;; ipip-tunnel1
       address=8.8.8.8/32 local-address=1.1.1.1 auth-method=pre-shared-key secret="123" 
       generate-policy=no policy-template-group=default exchange-mode=main 
       send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
       enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m 
       dpd-maximum-failures=5

After rebooting the router we will see new ip.

Wed Jul 26, 2017 2:37 pm

Version 6.41rc has been released:
viewtopic.php?f=21&t=123936

Who is online