Just a question without intention of doubting what you say: why use NV2 on PtP?*) wireless - improved Nv2 reliability on ARM devices;
The first point-to-point tests with nv2 on arm are not satisfactory. We will perform more tests
Just a question without intention of doubting what you say: why use NV2 on PtP?*) wireless - improved Nv2 reliability on ARM devices;
The first point-to-point tests with nv2 on arm are not satisfactory. We will perform more tests
yeah, that's funnyOk so now I test the RC45 Build. My setup scripts fail can't rename user admin anymore? WHY?
[admin@internal] > user set admin name=adminn
failure: user name can't be changed
Changing name of logged in user is not good idea. What if you are logged as different user?
[sergey@router.home] > /user set admin name adminn
failure: user name can't be changed
I always use nv2 with mikrotik. There are some noise in my city.Just a question without intention of doubting what you say: why use NV2 on PtP?*) wireless - improved Nv2 reliability on ARM devices;
The first point-to-point tests with nv2 on arm are not satisfactory. We will perform more tests
I agree.Drop of RADIUS PAP support for ssh logins is a big problem for us too.
We're using a one-time password implementation which is impossible to integrate with MS-CHAPv2 - the security appliance only stores the hash of the PIN (fixed part of the password) and because of this cannot support MS-CHAPv2 since it would require to store PIN as clear-text. 6.43rc is forcing us to drop the OTP, actually decreasing security of the network.
Please allow us to make decisions on how to secure our network ourselves and make a setting allowing to select PAP for "login" service authentication. In any case RADIUS requests can always be sent via encrypted tunnels, while MS-CHAPv2 security strength has been watered down to level of a long obsolete single DES56 - one can find online services that will crack it in a day.
This is definitely the wrong thread for your request. There are separate threads and parts of the forum for those kind of questions. This thread is solely for issues with this particular release version and it's update.Hi, need some help to configure a paypal payment option with hotspot and usermanager. Just found this and update it to the RC version, but still need help on this.
Thank you, I will test it soon and report.Version 6.43rc51 has been released.
*) ike1 - zero out reserved bytes in NAT-OA payload;
Please clarify:*) filesystem - fixed NAND memory going into read-only mode (requires "factory-firmware" >= 3.41.1 and "current-firmware" >= 6.43);
routerboard: yes
model: RouterBOARD 3011UiAS
serial-number: 689A05572F46
firmware-type: ipq8060
factory-firmware: 3.27
current-firmware: 3.41
upgrade-firmware: 3.41
Is it stable enough for LtAP device at least?*) usb - fixed modem initialisation on LtAP mini;
Unfortunately it is the same - report sent to support.Thank you, I will test it soon and report.Version 6.43rc51 has been released.
*) ike1 - zero out reserved bytes in NAT-OA payload;
I think factory routerboard firmware = backup bootloader.Will the fix be included only in later production runs?
I was under the assumption that the factory-firmware identifies the firmware ver# the device initially shipped with,
and it can't be somehow upgraded.
Or we are talking about bakup routerboot code... (in which case I still think it is not user-upgradeable?).
Nothing relevant on the wiki.
I usually assumed the factory/backup version to be completely irrelevant unless you force it by a RESET button sequence (or possibly some other means).The backup RouterBOOT version can not be older than v3.24 version. A special package is provided to upgrade the backup RouterBOOT (DANGEROUS). Newer devices will have this new backup loader already installed at the factory. Download the package for:
All valid considerations.I think factory routerboard firmware = backup bootloader.Will the fix be included only in later production runs?
I was under the assumption that the factory-firmware identifies the firmware ver# the device initially shipped with,
and it can't be somehow upgraded.
Or we are talking about bakup routerboot code... (in which case I still think it is not user-upgradeable?).
Nothing relevant on the wiki.
It's normally not allowed but seems possible to upgrade the factory version: https://wiki.mikrotik.com/wiki/Manual:R ... D_settingsI usually assumed the factory/backup version to be completely irrelevant unless you force it by a RESET button sequence (or possibly some other means).The backup RouterBOOT version can not be older than v3.24 version. A special package is provided to upgrade the backup RouterBOOT (DANGEROUS). Newer devices will have this new backup loader already installed at the factory. Download the package for:
I still think this is the case here. The new feature will probably be available when using the normal boot loader (of a high enough version) but be absent when using the backup bootloader (either manually forced or may be automatically triggered if the "main" one is too corrupted to do anything).
I never tried but thought the secondary (factory) version can be upgraded too, either via Netinstall or even just by using the "force backup booter" and initiating an upgrade from ROS. But I never felt the need, so never tried... I just tried to latter (force backup and upgrade from ROS) but it's not that easy. I wonder if Netinstall could do it.
Edit:
Oh! And I think even though we now have a matching ROS and bootloader version (even for every incremental, let alone RC version), that firmware still has some internal version number (probably still somewhere around 3.4x for ROS 6.4x). So this change only complicates this question (it's probably possible to have basically the same factory backup and "main" booloader on a device even though the visible version number is seemingly much higher on the normally-upgradeable "main" firmware).
I think they just rebuild the source code of the bootloader for every ROS release, so it has a matching version number but this no longer indicates they made any change to the source. But this seems to be impractical because now we don't know when the code actually changes.
In my opinion the best solution would be to always auto-upgrade the main bootloader along every ROS upgrade (without the need to issue manual reboot twice) and allow the user to manually upgrade the backup bootloader once the new ROS successfully booted with an upgraded main bootloader (which is a fair enough confirmation that the device is stable enough with the new bootloader to use ROS for bootloader changes, thus it's probably possible to downgrade if some small error occurs later on).in witch case they should provide a "special" package for the users who would want to upgrade the backup loader.
"sfp-connector-type" is still falsely displayed as "LC" for S-RJ01 modules in Winbox and CLI*) sfp - hide "sfp-wavelength" parameter for RJ45 transceivers;
Would also like this explained*) bridge - added per-port based "tag-stacking" feature
Can this also be explained. Similar to selective q-in-q?
Wiki has been updated with an example:*) bridge - added per-port based "tag-stacking" feature
Can this also be explained. Similar to selective q-in-q?
*) bridge - added support for DHCP Option 82 (disables hardware offloading, CLI only);
*) bridge - added support for DHCP Snooping (disables hardware offloading, CLI only);
All my everyday devices still connects just fine.*) wireless - added option to disable PMKID for WPA2 (CLI only);
Did you specify which ports are trusted ports under /interface bridge port?Could we please get some examples of how to use these features on the Wiki ?Code: Select all*) bridge - added support for DHCP Option 82 (disables hardware offloading, CLI only); *) bridge - added support for DHCP Snooping (disables hardware offloading, CLI only);
I cannot see any of the options I would expect, e.g. being able to set the contents of the Option-82 injection string with variables for the first feature, or being able to specify the valid DHCP server for the second.
I second that!Could we please get some examples of how to use these features on the Wiki ?Code: Select all*) bridge - added support for DHCP Option 82 (disables hardware offloading, CLI only); *) bridge - added support for DHCP Snooping (disables hardware offloading, CLI only);
I cannot see any of the options I would expect, e.g. being able to set the contents of the Option-82 injection string with variables for the first feature, or being able to specify the valid DHCP server for the second.
I tested it again with Draytek router behind NAT and now it works OK!*) ike1 - zero out reserved bytes in NAT-OA payload;
How does this one work? Any specific commands that it works with?*) console - added "dont-require-permissions" parameter for scripts;
Where I can change this settings via CLI?*) bridge - added support for BPDU Guard (CLI only);
Funny thing after Version 6.43rc56 , my DHCPv6 client is showing in red in winbox, even though everything is working, and my ipv6 connectivity is ok. Still after after re-creating it from scratch... Not a big deal, but...
[admin@migo] /ipv6 route> check
status: ok
interface: pppoe-out1
nexthop: ::
[admin@migo] /ipv6 route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
0 ADS ::/0 pppoe-out1 1
1 DS ::/0 fe80::90:1a00:2a3:47c... 1
2 ADSU 2001:4dd2:8986::/48 1
3 ADC 2001:4dd2:8986::/64 bridge-local 0
[admin@migo] /ipv6 dhcp-client> print
Flags: D - dynamic, X - disabled, I - invalid
# INTERFACE STATUS REQUEST PREFIX ADDRESS
0 I pppoe-out1 bound prefix 2001:4dd2:8986::/48, 22h28m17s
I have to report, that distance measurement does not work correctly. On AP side it reports 706.54m while on client side just 374.28m (374.28 is the correct distance)Version 6.43rc56 has been released.
*) w60g - stop doing distance measurements after first successful measurement;
I agree with that, it should be possible to have a system setting that changes the date format everywhere, but it would be feature request not something for the v6.43rc topic.hi guys, it seems to me that it is still not possible to change the date format in dd / mm / yyyy. It would be very useful as I also work with userman reports.
Does anyone have a solution?
thank you
Valerio
viewtopic.php?t=134098very strange, now all the devices have the ability to change the format of the date ....
I am amazed that until now nobody has raised the problem
*) rb3011 - added IPsec hardware acceleration support;
very-very-very-very big thanks for the Miki stuff if it worksThat was.. unexpected!*) rb3011 - added IPsec hardware acceleration support;
*) rb3011 - added IPsec hardware acceleration support;
That was.. unexpected!
Yes i know that.Already possible with RADIUS server.
[admin@MikroTik] > :put [/tool fetch https://www.eworm.de/ip/ output=user as-value ]
data=80.133.168.147;downloaded=0;duration=00:00:01;status=finished
Maybe we could have some hope that RB750Gr3 would get HW support sooooon.*) rb3011 - added IPsec hardware acceleration support;
It has support for harware ipsec for a long time...Maybe we could have some hope that RB750Gr3 would get HW support sooooon.*) rb3011 - added IPsec hardware acceleration support;
RB750 Gr3 does have hardware acceleration of IPsec ever since the first release. What it does not have is "hardware acceleration" of VLAN handling on the switch chip.Maybe we could have some hope that RB750Gr3 would get HW support sooooon.
Unfortunately this is true for most devices, some of them have quite a decent switch chip built in.What it does not have is "hardware acceleration" of VLAN handling on the switch chip.
Finally we can fetch data without writing and reading a file. Thanks a lot!Code: Select all[admin@MikroTik] > :put [/tool fetch https://www.eworm.de/ip/ output=user as-value ] data=80.133.168.147;downloaded=0;duration=00:00:01;status=finished
Looks like it's required to cut the data part, though... Or is there a way to put the data only into a variable?
[admin@MikroTik] > :global test
[admin@MikroTik] > :set test [ / tool fetch https://www.eworm.de/ip/ output=user as-value ]
[admin@MikroTik] > :put [ :pick $test 0 ]
80.133.168.147
:local test ([tool fetch url="https://www.eworm.de/ip" output=user as-value]->"data");
:put $test;
Even better! Thanks a lot!eworm, proper syntax would be:
Code: Select all:local test ([tool fetch url="https://www.eworm.de/ip" output=user as-value]->"data"); :put $test;
https://wiki.mikrotik.com/wiki/Manual:T ... a_variable
You have to use preview and add some empty lines before the [code] ones where necessary.(BTW, what the hell make the formatting go nuts?)
Something must have been changed with ipsec processing in rc64. No traffic is passing through the tunnels.osc86, we are aware of the issue. It will be fixed until 6.43 is released in current release channel.
It would be nice if that would also be communicated in the changelog if something gets broken in the process and there is knowledge about that. Preferable also in red to warn.osc86, we are aware of the issue. It will be fixed until 6.43 is released in current release channel.
Contact support with attached supout file.Something must have been changed with ipsec processing in rc64. No traffic is passing through the tunnels.osc86, we are aware of the issue. It will be fixed until 6.43 is released in current release channel.
I moved back to 56, where everything works fine.
And what about making radius login scheme selectable. chap for people who use static shit that can be challenged pap for us who only use one time passwords. And therefore Inherrently dosen't have anything to do a challenge on. (CHAP is unusable in this case)
Same problem here, I updated from rc51 to rc64 and now the mikrotik does not seems to forward ipv6 packets anymore.I updated to rc64, but it seems I can not communicate with ipv6. There was no problem with at least rc56.
Strange, all works fine here after upgrading to rc64Same problem here, I updated from rc51 to rc64 and now the mikrotik does not seems to forward ipv6 packets anymore.I updated to rc64, but it seems I can not communicate with ipv6. There was no problem with at least rc56.
VERY VERY welcome! Thanks Mktik!*) rb3011 - added IPsec hardware acceleration support;
Has anybody tried it? Any positive changes? Are CPU loads lower? Is it stable?VERY VERY welcome! Thanks Mktik!*) rb3011 - added IPsec hardware acceleration support;
IPsec throughput test results will be published on the RB3011 product page in the next few days. Currently one user has reported a kernel failure caused by the new hardware acceleration. We are looking into it and hopefully will be able to fix it in the next release candidate version. Initial tests show approximately 4 times higher throughput compared to software encryption.Has anybody tried it? Any positive changes? Are CPU loads lower? Is it stable?
[admin@Mikrotik] > / ip ipsec peer set mode-config=request-only [ find where !dynamic ]
failure: Wrong mode-config
Done, Ticket#2018083022003478Send a supout.rif file to support@mikrotik.com
Worked around the issue:I updated a system from 6.42.7 to 6.43rc66, now my ipsec connections are broken... Peer configuration had a comment about wrong parameter (can't give the exact wording). Switched mode-config to "none", now setting it to "request-only" fails:
Code: Select all[admin@Mikrotik] > / ip ipsec peer set mode-config=request-only [ find where !dynamic ] failure: Wrong mode-config
/ ip ipsec mode-config add name=request responder=no system-dns=no
/ ip ipsec peer set mode-config=request [ find where !dynamic ]
Problems were solved by netinstalling Routerboard, which can not be connected normally from client PC under Routerboard with ipv6.As usual, client PC under Routerboard can not connect with IPv6.
Also, if you try to disable dhcp-snooping or option 82 again and enable it again, it is confirmed that the command times out.
[Ticket#2018083022003334]
Me device is running current version 6.42.7 and I want to update the latest release candidate. Looks like disabling ddns fails:!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);
[admin@MikroTik] > / ip cloud set ddns-enabled=no
[admin@MikroTik] > / ip cloud print
ddns-enabled: no
update-time: yes
public-address: 198.51.100.65
dns-name: xxxxxxxx.sn.mynetname.net
status: Error: request timed out
No. From https://wiki.mikrotik.com/wiki/Manual:IP/Cloud:After a while ... depends on how often is RB supposed to renew the DDNS record. If you turn cloud off, cloud (hopefully) doesn't know it and records have to expire.
After router sends it's IP address to the cloud server, it will stay on the server permanently. DNS name (/ip cloud dns-name) will resolve to last sent IP address. When user set /ip cloud set ddns-enabled=no router will send message to server to disable DNS name for this routerboard.
No. From https://wiki.mikrotik.com/wiki/Manual:IP/Cloud:After a while ... depends on how often is RB supposed to renew the DDNS record. If you turn cloud off, cloud (hopefully) doesn't know it and records have to expire.
After router sends it's IP address to the cloud server, it will stay on the server permanently. DNS name (/ip cloud dns-name) will resolve to last sent IP address. When user set /ip cloud set ddns-enabled=no router will send message to server to disable DNS name for this routerboard.
Works now, at least after some retries. Possibly the servers were too loaded?Technically this is not about the release candidate version, posting here because of changelog:
Me device is running current version 6.42.7 and I want to update the latest release candidate. Looks like disabling ddns fails:!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);
I can still query dns for my address. This should remove the record from dns, no?Code: Select all[admin@MikroTik] > / ip cloud set ddns-enabled=no [admin@MikroTik] > / ip cloud print ddns-enabled: no update-time: yes public-address: 198.51.100.65 dns-name: xxxxxxxx.sn.mynetname.net status: Error: request timed out
If IPv6 is configured on a bridge, you may need to mark the bridge port as "Trusted".As usual, client PC under Routerboard can not connect with IPv6.
Also, if you try to disable dhcp-snooping or option 82 again and enable it again, it is confirmed that the command times out.
[Ticket#2018083022003334]
same here.I can't change the name of the admin user:
[admin@MikroTik] > /user set 0 name=test
failure: user name can't be changed
nor any other user.