normis
MikroTik Support
Posts: 23996
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 1:22 pm

They push us to not use "czech_republic" settings if we want to comply with our laws' rules.

That's not true. Please read this thread carefully. The next Beta release will have indoor/outdoor option, so I guess the next stable release for your production environment will have it too.
Unfortunately the change to regulatory conformance was badly communicated by Mikrotik in the release notes.

What will be more of a concern is the future of Omnitik 5 devices in Europe. The regulators are about to shut them down soon. Let's hope Mikrotik really can prevent this from happening.
The "Outdoor" setting is already in released versions, it's called "installation=outdoor/indoor/any".
No answer to your question? How to write posts
 
human1982
newbie
Posts: 29
Joined: Thu Aug 13, 2015 2:36 am

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 1:28 pm

... and second, according to CZ rules I can set 5480MHz ...
Which channel width do you use when trying to set centre frequency to 5480MHz?
5480Ce in Poland too. 5470-5725.
 
cowgirl
just joined
Posts: 5
Joined: Tue Dec 18, 2018 12:10 am
Location: South-West-Germany

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 2:20 pm

6.44beta50 is crashing on my CRS328-24P-4S+. It reboots every few hours. (approx every 4h)

And on my CRS317-1G-16S+ the management IP address is not reachable (over my LACP bonding link) for a while and then it comes back, while switching is working the whole time and the systems connected to it are reachable. Currently I cannot check for reboots on the 317, because management is not reachable; also mac-telnet from the 328 is not working.....

The 317's management just came back now, no unexpected reboots there....
 
cowgirl
just joined
Posts: 5
Joined: Tue Dec 18, 2018 12:10 am
Location: South-West-Germany

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 3:17 pm

CRS328-24P-4S+ crashed again, with a gap of only approx. 2 hours. Doing a little bit of SMB file copying (50 GByte).
 
TheCondor
just joined
Posts: 12
Joined: Sun Jul 26, 2015 4:00 pm

Re: v6.44beta [testing] is released!

Sun Dec 30, 2018 12:16 pm

In 6.44beta50 when I create a certificate, either with the web GUI or a shell command, I set subAltName but it disappears when saved (or signed). On stable I didn't have this problem.
 
kabal
just joined
Posts: 9
Joined: Sat Dec 25, 2010 6:03 pm
Location: Ukraine

Re: v6.44beta [testing] is released!

Sun Dec 30, 2018 11:45 pm

*) ppp - added "at-chat" command;

Does not work with USSD commands.

with at-chat:

/interface ppp-client at-chat 3 input="AT+CUSD=1,AA582C3602,15"
output: AT+CUSD=1,AA582C3602,15
OK


with serial-terminal:

/system serial-terminal port=usb4 channel=2
AT+CUSD=1,AA582C3602,15
OK

+CUSD: 1,"C2303BEC9E83602E980C2D77B340E2B7BB3E07C15C30185AEE7629542A95C2596E87F365
D0FA3D47D3D3F61FF10D8AC16067B91BE40E83E46174DDFD5E83F420F87BCEAE9FDFF93A88F82687E9
EBB73D0D3ACBDF73743A046587E961903D4D06C9CE72B722E6A286D70A",15
 
TheCondor
just joined
Posts: 12
Joined: Sun Jul 26, 2015 4:00 pm

Re: v6.44beta [testing] is released!

Wed Jan 02, 2019 8:16 pm

Multiple mode-configs don't work as intended with certificate matching.
I've tried to add 2 mode-configs and I want to assign a different IP pool to each.
Apart from the fact that it would be better to implement an object of type "list" populated with multiple certificates, currently it's impossible to add multiple client certificate matching...
Policy matching should be intended like this, imho:

a group of client certificates that, when matched with a specific mode-config policy, assigns an IP pool and a split tunnel.

Currently it's impossible to add a group of client certificates, just one cert.
Moreover, and this is what isn't working, the client checks just the first mode-config policy and if it's not matched skips the others. It should be a sequential check through all the mode-config matching policies...
 
emils
MikroTik Support
Topic Author
Posts: 446
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Mon Jan 07, 2019 2:09 pm

Version 6.44beta54 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta54 (2019-Jan-07 08:27):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes in this release:

*) bridge - count routed FastPath packets between bridge ports under FastPath bridge statistics;
*) bridge - fixed BOOTP packet forwarding when DHCP Snooping is enabled;
*) crs317 - fixed packet forwarding when LACP is used with hw=no;
*) dhcpv6-server - allow to add DHCPv6 server with pool that does not exist;
*) ethernet - fixed VLAN1 forwarding on RB1100AHx4 and RB4011 devices;
*) ipsec - added new "remote-id" peer matcher (CLI only);
*) l2tp - fixed IPsec secret not being updated when "ipsec-secret" is changed under L2TP client configuration;
*) led - fixed PWR-LINE AP Ethernet LED polarity ("/system routerboard upgrade" required);
*) lte - added initial support for multiple APN for R11e-4G (new modem firmware required);
*) lte - fixed DHCP IP acquire (introduced in v6.43.7);
*) netinstall - do not show kernel failure critical messages in the log after fresh install;
*) routerboard - removed "RB" prefix from PWR-LINE AP devices;
*) sniffer - save packet capture in "802.11" type when sniffing on w60g interface in "sniff" mode;
*) snmp - fixed "rsrq" reported precision;
*) usb - improved power-reset error message when no bus specified on CCR1072-8G-1S+;
*) wireless - added new "installation" parameter to specify router's location;
*) wireless - show indoor/outdoor frequency limitations under "/interface wireless info country-info <country>" command;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
doush
Long time Member
Posts: 615
Joined: Thu Jun 04, 2009 3:11 pm

Re: v6.44beta [testing] is released!

Mon Jan 07, 2019 3:26 pm

Are you guys working on a fix for CCR1072 lockups?
 
strods
MikroTik Support
Posts: 1405
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Mon Jan 07, 2019 5:17 pm

doush - Unfortunately we can not tell from description "lockups" to what kind of problem you are referring to. Please contact support@mikrotik.com directly, provide proper problem description (when did problem start to appear, how often do you see this issue, do you have any information what processes might trigger lockup) and supout file from your router/s. At the moment there are no known bugs that would lock up router. Either this is an unknown problem, hardware related issue or it is a configuration related problem. Without debugging we can not tell why is this happening with your router. At the moment of "lockup" can you access router over serial console?
 
nescafe2002
Long time Member
Posts: 597
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.44beta [testing] is released!

Mon Jan 07, 2019 11:10 pm

To anyone experiencing connectivity issues on bridge interface after upgrade to 6.44beta50 like me:
The RB is now sending out MNDP (udp/5678) packets with ip address of bridge and mac address of slave (physical port).
(In 6.44beta40 and before the packets were sent with the bridges mac address as source)
Client devices are now learning incorrect ip/mac combinations and will be unable to communicate with the RB, intermittently (arp is not affected).
This has been reported.

A work-around is to disable neighbor discovery for these interfaces.

(Note that there is a similar problem regarding internet-detect which causes same problem when enabled on slave interfaces)

Another (dirty) work-around is to enable bridge filtering (of any kind) after which RB will accept packets directed to the slave (physical) mac address.
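
The symptom described in the post above can be checked from a packet capture taken on an affected client segment. The following is an added example, not part of the original post and not MikroTik code: it flags udp/5678 frames whose Ethernet source MAC differs from the MAC that a known-good table gives for the frame's source IP. The frame builder, the addresses and the table are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

MNDP_PORT = 5678  # udp/5678, as stated in the post


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_udp_frame(frame: bytes):
    """Return (src_mac, src_ip, dst_port) for an Ethernet II / IPv4 / UDP frame, else None."""
    if len(frame) < 14:
        return None
    src_mac = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == 0x8100:  # one 802.1Q tag: the real EtherType follows the 4-byte tag
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off] >> 4 != 4 or ihl < 20 or frame[off + 9] != 17:  # IPv4 carrying UDP only
        return None
    if len(frame) < off + ihl + 8:
        return None
    src_ip = str(IPv4Address(frame[off + 12:off + 16]))
    dst_port = struct.unpack("!H", frame[off + ihl + 2:off + ihl + 4])[0]
    return mac_str(src_mac), src_ip, dst_port


def find_mndp_mismatches(frames, known_macs):
    """Map (src_ip, expected_mac) -> sorted list of other MACs seen sending MNDP from that IP.

    known_macs is an assumed known-good {ip: mac} table, e.g. from inventory or static ARP.
    """
    findings = {}
    for frame in frames:
        parsed = parse_udp_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, dst_port = parsed
        if dst_port != MNDP_PORT:
            continue
        expected = known_macs.get(src_ip)
        if expected is not None and expected.lower() != src_mac:
            findings.setdefault((src_ip, expected.lower()), set()).add(src_mac)
    return {key: sorted(macs) for key, macs in findings.items()}


def build_frame(src_mac, src_ip, dst_port, vlan=None):
    """Construct a minimal broadcast UDP frame (sample data only, checksums left at 0)."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    payload = b"\x00" * 8
    udp = struct.pack("!HHHH", MNDP_PORT, dst_port, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address("255.255.255.255").packed)
    return eth + ip + udp + payload


# Constructed sample: 02:...:01 stands for the bridge MAC, 02:...:02 and :03 for slave ports.
SAMPLE_KNOWN = {"192.0.2.1": "02:00:00:00:00:01"}
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:01", "192.0.2.1", 5678),           # bridge MAC: expected
    build_frame("02:00:00:00:00:02", "192.0.2.1", 5678),           # slave MAC: flagged
    build_frame("02:00:00:00:00:03", "192.0.2.1", 5678, vlan=10),  # tagged, slave MAC: flagged
    build_frame("02:00:00:00:00:02", "192.0.2.1", 53),             # not MNDP: ignored
    b"\x00" * 10,                                                   # truncated: ignored
]

if __name__ == "__main__":
    for (ip, expected), seen in find_mndp_mismatches(SAMPLE_FRAMES, SAMPLE_KNOWN).items():
        print(f"{ip}: expected {expected}, MNDP also sent from {', '.join(seen)}")
```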
 
emils
MikroTik Support
Topic Author
Posts: 446
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Jan 08, 2019 8:27 am

Multiple mode-configs don't work as intended with certificate matching.
I've tried to add 2 mode-configs and I want to assign a different IP pool to each.
Apart from the fact that it would be better to implement an object of type "list" populated with multiple certificates, currently it's impossible to add multiple client certificate matching...
Policy matching should be intended like this, imho:

a group of client certificates that, when matched with a specific mode-config policy, assigns an IP pool and a split tunnel.

Currently it's impossible to add a group of client certificates, just one cert.
Moreover, and this is what isn't working, the client checks just the first mode-config policy and if it's not matched skips the others. It should be a sequential check through all the mode-config matching policies...
What exactly have you configured currently? Are you creating multiple IPsec identities and specifying different remote-certificates for each of them? Are these certificates from the same CA chain? That is not quite how we planned it to work. There is a 'remote-id' parameter, which is not in Winbox and is not implemented fully yet. You will be able to match the IPsec identity to a specific peer by this parameter.
 
doush
Long time Member
Posts: 615
Joined: Thu Jun 04, 2009 3:11 pm

Re: v6.44beta [testing] is released!

Sat Jan 12, 2019 4:39 pm

doush - Unfortunately we can not tell from description "lockups" to what kind of problem you are referring to. Please contact support@mikrotik.com directly, provide proper problem description (when did problem start to appear, how often do you see this issue, do you have any information what processes might trigger lockup) and supout file from your router/s. At the moment there are no known bugs that would lock up router. Either this is an unknown problem, hardware related issue or it is a configuration related problem. Without debugging we can not tell why is this happening with your router. At the moment of "lockup" can you access router over serial console?
Strods;
viewtopic.php?f=3&t=122525&start=50
There are watchdog reboots!
Please see the above thread. We have also contacted support and we have been told to turn off watchdog and check. When we do that, the router hangs and stays in that state.
We can't just stop gbits of traffic just to collect supout files for you over the serial interface. This is what you guys have to do. Issue is easily reproducible.
There are many people in the above thread having the same exact issue.
Ticket#2018091822007067 is also available but as I said we cannot just stop 8gbit/s of traffic for you for hours to collect supout files.
Please do not ignore this issue as it is not a config related problem at all.
At the moment of lockup (when watchdog is turned off), I haven't tried the serial because of the panic that it creates when all your traffic stops. Power cycle fixes the problem.
When watchdog is on, it reboots.
Please work with us in this issue.
 
notToNew
Member Candidate
Posts: 146
Joined: Fri Feb 19, 2016 3:15 pm

Re: v6.44beta [testing] is released!

Sat Jan 12, 2019 7:26 pm


When watchdog is on, it reboots.
Please work with us in this issue.
And where is the version specific part of this? As I see it it's nothing new to this beta.... So please stay in the other thread.
--------------------------------------------------------------------------------------------
CCR1036-12G-4S, several 952Ui-5ac2nD, ...
 
doush
Long time Member
Posts: 615
Joined: Thu Jun 04, 2009 3:11 pm

Re: v6.44beta [testing] is released!

Mon Jan 14, 2019 3:52 pm


When watchdog is on, it reboots.
Please work with us in this issue.
And where is the version specific part of this? As I see it it's nothing new to this beta.... So please stay in the other thread.
This problem is still valid with the latest stable build!
And we don't see any work about it in the latest beta versions at all. Should be fair enough to post in this thread and raise awareness.
 
andriys
Forum Guru
Posts: 1079
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.44beta [testing] is released!

Mon Jan 14, 2019 9:01 pm

doush Nobody except you complains, which means it's either faulty hardware or a configuration specific issue. A couple of posts ago you said you are not willing to supply support@ with the info they asked you for. Being a software developer myself, I can assure you this is a road to nowhere...
 
null31
Member Candidate
Posts: 177
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: v6.44beta [testing] is released!

Tue Jan 15, 2019 12:00 am

Dear MikroTik Staff.
*) dhcpv6-server - allow to add DHCPv6 server with pool that does not exist;
Is this fix related to the ticket #2018122622000391?
I ask because I didn't receive a reply for the ticket.
 
pe1chl
Forum Guru
Posts: 5354
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Tue Jan 15, 2019 3:20 pm

It is probably related to a problem I also reported to them: when you import an export which contains a server and pool
the import fails because the pool appears in the export after the server. Apparently it was not easy to export the pool
definitions before the server definitions (or there would be another unresolved reference) and it was now solved this way.
 
null31
Member Candidate
Posts: 177
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: v6.44beta [testing] is released!

Wed Jan 16, 2019 8:42 pm

So it isn't related.
The bug I reported is when DHCPv6-PD gets the pool name through Radius and creates a route with blank next-hop to the CPE. The router receives the link-local addr from the CPE, but doesn't add it to the prefix that was delegated.
The connection method I tested was plain DHCPv6 (IPoE without op82).

Like the image https://i.imgur.com/Oq08c0U.png
 
doush
Long time Member
Posts: 615
Joined: Thu Jun 04, 2009 3:11 pm

Re: v6.44beta [testing] is released!

Thu Jan 17, 2019 2:32 pm

doush Nobody except you complains, which means it's either faulty hardware or a configuration specific issue. A couple of posts ago you said you are not willing to supply support@ with the info they asked you for. Being a software developer myself, I can assure you this is a road to nowhere...
Did you even read my post?
Check the below thread and see if I am the only one complaining.
viewtopic.php?f=3&t=122525

We are still desperately waiting for a fix for this issue and ready to try any possible fix in new beta versions.. and NO I cannot just turn off watchdog and wait for the next halt which may happen anytime in the middle of the night to collect support files while all the network is down.
 
normis
MikroTik Support
Posts: 23996
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Thu Jan 17, 2019 4:44 pm

"My router reboots" is a very generic problem, all kinds of issues are gathered in that topic.
No answer to your question? How to write posts
 
eworm
Member
Posts: 332
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.44beta [testing] is released!

Thu Jan 17, 2019 6:30 pm

I am running testing versions on my wAP with R11e-LTE. Recently the lte interface does not reliably connect after boot, I have to reboot the device then. This worked pretty well before, so I am sure this is a regression from beta50 to beta54.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
zyzelis
Member Candidate
Posts: 212
Joined: Sun Apr 08, 2012 9:25 pm

Re: v6.44beta [testing] is released!

Thu Jan 17, 2019 8:03 pm

"My router reboots" is a very generic problem, all kinds of issues are gathered in that topic.
Normis, do you work for ubnt?
 
emils
MikroTik Support
Topic Author
Posts: 446
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 9:50 am

Version 6.44beta61 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta61 (2019-Jan-17 13:24):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes in this release:

!) ipsec - added new "identity" menu with common peer distinguishers;
*) bridge - fixed BOOTP packet forwarding when DHCP Snooping is enabled;
*) certificate - added support for multiple "Subject Alt. Names";
*) certificate - enabled RC2 cipher to allow P12 certificate decryption;
*) chr - improved system stability when insufficient resources are allocated to the guest;
*) console - updated copyright notice;
*) crs3xx - fixed slow bootup, upgrade and SFP status read (introduced in v6.44beta20);
*) gps - moved "coordinate-format" from "monitor" command to "set" parameter;
*) ike1 - fixed "rsa-key" authentication (introduced in v6.44beta);
*) ipsec - accept only valid path for "export-pub-key" parameter in "key" menu;
*) ipsec - added new "remote-id" peer matcher;
*) ipsec - fixed all policies not getting installed after startup (introduced in v6.43.8);
*) ipsec - moved "profile" menu outside "peer" menu;
*) lcd - made "pin" parameter sensitive;
*) led - fixed default LED configuration for RBSXTsq-60ad;
*) lte - fixed DHCP IP acquire in 3G mode for r11e-lte (introduced in v6.44beta54);
*) lte - fixed reported "rsrq" precision (introduced in v6.43.8);
*) profile - removed obsolete "file-name" parameter;
*) radius - implemented Proxy-State attribute handling in CoA and disconnect requests;
*) rb4011 - improved SFP+ interface linking to 1Gbps;
*) ssh - close active SSH connections before IPsec connections on shutdown;
*) ssh - fixed public key format compatibility with RFC4716;
*) supout - fixed "poe-out" output not showing all interfaces;
*) system - accept only valid path for "log-file" parameter in "port" menu;
*) system - removed obsolete "/driver" command;
*) tr069-client - added "check-certificate" parameter to allow communication without certificates;
*) tr069-client - added support for InformParameter object;
*) tr069-client - fixed certificate verification for certificates with IP address;
*) tr069-client - increased reported "rsrq" precision;
*) vrrp - made "password" parameter sensitive;
*) winbox - added "allow-dual-stack-queue" parameter in "IP/DHCP Server" and "IPv6/DHCP Server" menus;
*) winbox - added "conflict-detection" parameter in "IP/DHCP Server" menu;
*) winbox - added "coordinate-format" parameter in LTE interface settings;
*) winbox - allow specifying interface lists in "CAPsMAN/Access List" menu;
*) winbox - fixed "IPv6/Firewall" "Connection limit" parameter not allowing complete IPv6 prefix lengths;
*) winbox - fixed L2MTU parameter setting on "W60G" type interfaces;
*) winbox - fixed "LCD" menu not shown on RB2011UiAS-2HnD;
*) winbox - moved "Too Long" statistics counter to Ethernet "Rx Stats" tab;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
eworm
Member
Posts: 332
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 12:16 pm

!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
[admin@MikroTik] /system backup cloud> print 
-- connecting
Server error: Backend error. Try again later.

Breakage in version or issue with servers?
Edit: Works again, was a server issue.
*) console - updated copyright notice;
The copyright notice still has a link with http-schema. You should really change that to https.
*) ipsec - added new "remote-id" peer matcher;
Thanks, have to play with this...
*) lte - fixed DHCP IP acquire in 3G mode for r11e-lte (introduced in v6.44beta54);
Thanks for fixing!
*) ssh - close active SSH connections before IPsec connections on shutdown;
That change is very welcome. Thanks a lot!
Last edited by eworm on Fri Jan 18, 2019 5:37 pm, edited 1 time in total.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
Jotne
Forum Guru
Posts: 1126
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 2:26 pm

Please remove OS version from telnet. It is not needed.

I do use telnet to connect to Mikrotik Router using VPN connection.
It does respond by telling both what it is and what version it has before you login.
/system telnet 10.2.0.16
Trying 10.2.0.16...
Connected to 10.2.0.16.
Escape character is '^]'.

MikroTik v6.43.8 (stable)
Login:
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
normis
MikroTik Support
Posts: 23996
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 4:24 pm

Jotne, sorry, I do not understand. Where is the problem with the version in Telnet?
No answer to your question? How to write posts
 
Chupaka
Forum Guru
Posts: 8275
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 4:29 pm

The problem is it tells you about version number even if you're not logged in
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Cha0s
Forum Veteran
Posts: 875
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 4:35 pm

Same with the web interface.
 
patrick7
Member Candidate
Posts: 298
Joined: Sat Jul 20, 2013 2:40 pm

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 4:52 pm

security by obscurity
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 1:41 am

Version 6.44beta61 has been released.

rb4011 - improved SFP+ interface linking to 1Gbps;

Does this mean the S-RJ01 is now compatible with the RB4011?
 
Jotne
Forum Guru
Posts: 1126
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 9:53 am

With any communication you should not give away any information before login.
If you look at forum.mikrotik.com, it uses phpBB. On older versions you could see at the bottom what version it was.
This was removed for security reasons, because hackers were targeting some specific versions.

As I wrote in my post above, I do not need it, so remove it.
And as @Cha0s writes, same for the web interface. Remove it.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
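
The pre-login disclosure discussed in the posts above can be audited on your own devices by inspecting the bytes a service sends before authentication. The following is an added example, not part of any post in this thread and not MikroTik code: it strips telnet option negotiation from a captured byte stream and reports whether a product name and version appear before the login prompt. The sample captures are constructed, modelled on the banner quoted in the thread.

```python
import re

# Telnet control bytes (RFC 854).
IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT: each is followed by one option byte

LOGIN_RE = re.compile(r"^[ \t]*(login|username|password)[ \t]*:", re.I | re.M)
VERSION_RE = re.compile(
    r"(?P<product>[A-Za-z][\w-]*)\s+v?(?P<version>\d+(?:\.\d+)+(?:[a-z]+\d*)?)"
)


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC command sequences so only the text shown to the user remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        byte = data[i]
        if byte != IAC:
            out.append(byte)
            i += 1
            continue
        if i + 1 >= len(data):
            break  # dangling IAC at end of capture
        cmd = data[i + 1]
        if cmd == IAC:  # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd == SB:  # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            i = end + 2
        elif cmd in OPTION_CMDS:
            i += 3
        else:
            i += 2
    return bytes(out)


def audit_prelogin(data: bytes) -> dict:
    """Report what a capture reveals before the first login prompt."""
    text = strip_telnet_negotiation(data).decode("ascii", "replace")
    prompt = LOGIN_RE.search(text)
    # Only text before the prompt counts: anything later may already be post-authentication.
    pre_login = text[:prompt.start()] if prompt else text
    match = VERSION_RE.search(pre_login)
    return {
        "prompt_seen": prompt is not None,
        "discloses_version": match is not None,
        "product": match.group("product") if match else None,
        "version": match.group("version") if match else None,
    }


def disclosing_hosts(captures: dict) -> list:
    """Return the labels of captures that reveal a version before login."""
    return sorted(label for label, data in captures.items()
                  if audit_prelogin(data)["discloses_version"])


# Constructed captures (labels are placeholders for your own inventory names).
SAMPLE_CAPTURES = {
    "version-in-banner": b"\xff\xfd\x18\xff\xfd\x20\r\n\r\nMikroTik v6.43.8 (stable)\r\nLogin: ",
    "prompt-only": b"\xff\xfd\x18\r\nLogin: ",
}

if __name__ == "__main__":
    for label, data in SAMPLE_CAPTURES.items():
        print(label, audit_prelogin(data))
```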
 
 
pe1chl
Forum Guru
Posts: 5354
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 11:49 am

Does this mean the S-RJ01 is now compatible with the RB4011?
The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.
Look at the S-RJ01 page. It is only for actively-cooled devices!
Hopefully some time, after yet more advances in technology, it will be possible to produce an SFP+ ethernet adapter that does not dissipate so much power.
Then it could work.
 
msatter
Forum Guru
Posts: 1113
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 1:17 pm

All software/interfaces by Mikrotik mention the software version before login, including the Android app.

Then this must be something Mikrotik wants to communicate up front. So you can think to have RouterOS not share the current version of it and state a null value.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
marcbou
just joined
Posts: 4
Joined: Tue Jul 03, 2018 11:19 am

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 1:42 pm

Hi

Installed 6.44beta61, but it seems there are issues with "/ip ipsec identity my-id" matching for fqdn:, user-fqdn: and even address:ipv4 types. It doesn't seem to work with Remote ID on iOS devices with IKEv2 in pre-shared-key mode.

I was only able to get it to work by specifying the router's static IP as RemoteID on the client iOS device and keeping my-id set to auto (default) in /ip ipsec identity.

my-id=fqdn:domain.com matching does however work if auth-method=rsa-signature with certificate.

It is a road-warrior type setup with the MikroTik router as VPN server on a static IP, and client iOS and MacOS X devices connecting from dynamic IPs.

This is with an RB3011. We have a similar setup with a CCR1009 where it seems the ipsec crashes (hangs) upon access attempts with auth-method=pre-shared-key. Works with rsa-signature/certificate.

Also would it be possible to add support for disabling/enabling /ip ipsec identity entries?

The config looks like:

# jan/19/2019 06:31:50 by RouterOS 6.44beta61
#
# model = RouterBOARD 3011UiAS
/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=\
ipsec-modecfg
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1w \
name=proposal_1
/ip ipsec peer
add exchange-mode=ike2 local-address=<routerspublicipv4> name=peer_vpn passive=yes \
profile=proposal_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
lifetime=2d pfs-group=none
/ip ipsec identity
add generate-policy=port-strict mode-config=ipsec-modecfg peer=\
peer_vpn remote-id=user-fqdn:usera@domain.com secret=usera_secret
add generate-policy=port-strict mode-config=ipsec-modecfg peer=\
peer_vpn remote-id=user-fqdn:userb@domain.com secret=userb_secret
/ip ipsec policy
set 0 dst-address=192.168.71.0/24 src-address=0.0.0.0/0
add dst-address=192.168.72.0/24 src-address=0.0.0.0/0 template=yes

Thanks,

Marc
 
Paternot
Long time Member
Posts: 573
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 3:50 pm

Does this mean the S-RJ01 is now compatible with the RB4011?
The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.
Look at the S-RJ01 page. It is only for actively-cooled devices!
Hopefully some time, after yet more advances in technology, it will be possible to produce an SFP+ ethernet adapter that does not dissipate so much power.
Then it could work.
The compatibility table disagrees with You:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

They are supported on the CSS/CRS326-24G-2S+ models - and they are passive cooled switches. Also, they run on RB3011, RB2011, RB260 and many others passive cooled devices.
 
nescafe2002
Long time Member
Posts: 597
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 5:19 pm

What's new in 6.44beta61 (2019-Jan-17 13:24):

*) rb4011 - improved SFP+ interface linking to 1Gbps;

I can confirm FS 1000BASE-BX BiDi SFP 1310nm-TX/1490nm-RX 20km DOM Transceiver Module ( https://www.fs.com/products/20184.html ) is working fine together with a 1Gbit FTTH provider, as long as the speed matches (note that winbox hides this setting when autonegotiation is on, so you'll have to disable autoneg to change speed or use cli).

/interface ethernet
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=1Gbps # link
set sfp-sfpplus1 auto-negotiation=yes full-duplex=no speed=10Mbps # link (detected/actual rate 1Gbps FD)
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=100Mbps # flapping
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=10Gbps # flapping
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes speed=1Gbps # link
set sfp-sfpplus1 auto-negotiation=no full-duplex=no speed=1Gbps # router crash
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes&no speed=10Mbps # link (detected rate 10Mbps, actual rate 1Gbps)
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes&no speed=100Mbps # flapping
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes speed=10Gbps # no link
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 5:28 pm

The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.

The compatibility table disagrees with you:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

The S-RJ01 is supported on the CSS/CRS326-24G-2S+ models - and they are passively cooled switches. Also, they run on RB3011, RB2011, RB260 and many other passively cooled devices.

Yeah, I guess it's not clear what works unless one consults the compatibility table. So, the S+RJ10 does work, but the S-RJ01 does not? I have not been able to get my S-RJ01 to work with the RB4011 and was hoping it was only a software issue.
 
Paternot
Long time Member
Posts: 573
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 8:36 pm

The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.

The compatibility table disagrees with you:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

The S-RJ01 is supported on the CSS/CRS326-24G-2S+ models - and they are passively cooled switches. Also, they run on RB3011, RB2011, RB260 and many other passively cooled devices.

Yeah, I guess it's not clear what works unless one consults the compatibility table. So, the S+RJ10 does work, but the S-RJ01 does not? I have not been able to get my S-RJ01 to work with the RB4011 and was hoping it was only a software issue.
Yes, it is weird. I have no idea where this limitation comes from.
 
Bergante
Member Candidate
Posts: 130
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: v6.44beta [testing] is released!

Mon Jan 21, 2019 11:02 am

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
 
Bergante
Member Candidate
Posts: 130
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: v6.44beta [testing] is released!

Mon Jan 21, 2019 11:05 am

Version 6.44beta61 has been released.

*) rb4011 - improved SFP+ interface linking to 1Gbps;
This one looks promising and, indeed, there is a clear improvement.

I am testing a rb4011 linked to a HP switch and now it works with autonegotiation on it seems. I am using a pair of Mikrotik 1000BASE-LH transceivers (S-31DLC20D).

That's great because autonegotiation is considered mandatory in GbE and disabling it can lead to unpredictable problems.

So, I hope SFPs will be properly supported in SFP+ cages. Otherwise the only real solution would be to include both types of cages like some manufacturers do.
 
muetzekoeln
Member Candidate
Posts: 104
Joined: Fri Jun 29, 2018 2:34 pm

Re: v6.44beta [testing] is released!

Mon Jan 21, 2019 12:15 pm

Please remove OS version from telnet. It is not needed.
+1

I too plead for data stinginess. Only disclose data when/where needed. This is the same thinking as a default deny-all rule in firewalls.
For me the ROS version is of no value at login prompt. And MT did not explain why they broadcast ROS version in WiFi beacons
(viewtopic.php?p=709410).

At the login prompt it makes much more sense to me to display the given system identity name (/System identity). So you can check if you are logging into the intended system (if you have more than one, that is).
Last edited by muetzekoeln on Wed Jan 23, 2019 1:12 pm, edited 3 times in total.
 
normis
MikroTik Support
Posts: 23996
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Mon Jan 21, 2019 2:46 pm

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number.
 
skylark
MikroTik Support
Posts: 92
Joined: Wed Feb 10, 2016 3:55 pm

Re: v6.44beta [testing] is released!

Tue Jan 22, 2019 10:19 am

Version 6.44beta61 has been released.

rb4011 - improved SFP+ interface linking to 1Gbps;

Does this mean the S-RJ01 is now compatible with the RB4011?
Yes, with the latest beta S-RJ01 also should work.

We will update the compatibility table when this fix is included in the stable version.
 
msatter
Forum Guru
Posts: 1113
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Tue Jan 22, 2019 12:44 pm

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number.
But it saves the untrusted person the trouble of testing which tool to use. Or they just see beforehand that none of the available tools is going to work and move on.

Make it the owner's choice/responsibility whether it is shown or not.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
Bergante
Member Candidate
Posts: 130
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: v6.44beta [testing] is released!

Tue Jan 22, 2019 1:21 pm

Version 6.44beta61 has been released.

rb4011 - improved SFP+ interface linking to 1Gbps;

Does this mean the S-RJ01 is now compatible with the RB4011?
Yes, with the latest beta S-RJ01 also should work.

We will update the compatibility table when this fix is included in the stable version.
The Interface/Ethernet section of the documentation should be updated as well.

The manual says that the speed attribute of an Ethernet interface only takes effect when auto negotiation is disabled.

Actually, at least on a rb4011 running 6.44beta61 speed does work with auto negotiation on. The SFPs I have tried, Mikrotik's single mode ones (S-31DLC20D), work with auto negotiation set to on as long as the speed attribute is set to 1 Gbps.

So it's working as a mode selector for the SFP/SFP+ cage.

Now I wonder, can't you make that automatic? Reading the EEPROM of the SFP the system determines which kind of SFP it is. So it should be easy to decide whether to configure it for 1 Gbps or 10 Gbps.
 
pe1chl
Forum Guru
Posts: 5354
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Wed Jan 23, 2019 12:52 pm

61 builds in the 6.44 beta and we are still waiting for IPv6 improvements!
Come on guys, it is 2019 now. We really need IPv6 policy routing, IPv6 per-connection queueing, IPv6 firewall features on par with IPv4 (like L7 matching), etc etc etc.

You cannot handle IPv6 as a bolt-on feature to satisfy a small number of demanding users. It has to be part of the mainstream, with all the support that there is for IPv4.
 
muetzekoeln
Member Candidate
Posts: 104
Joined: Fri Jun 29, 2018 2:34 pm

Re: v6.44beta [testing] is released!

Wed Jan 23, 2019 1:15 pm

Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering.

You are right with this statement, but impacts of the latest ROS vulnerability show this ideal is not the real world.
 
wilsonlmh
newbie
Posts: 26
Joined: Fri Oct 10, 2014 9:44 pm

Re: v6.44beta [testing] is released!

Wed Jan 23, 2019 2:03 pm

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number.
This isn't true for SSH:
telnet 192.168.88.1 22
Trying 192.168.88.1...
Connected to 192.168.88.1.
Escape character is '^]'.
SSH-2.0-ROSSSH
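
For auditing what a captured SSH greeting like the one in the post above discloses, here is an added example (not part of the original post and not MikroTik code). It parses the identification string format from RFC 4253 section 4.2; the second banner, the function names and the version heuristic are constructed for illustration.

```python
import re

# Capture quoted in the post above, embedded as sample input.
PAGE_CAPTURE = """\
Trying 192.168.88.1...
Connected to 192.168.88.1.
Escape character is '^]'.
SSH-2.0-ROSSSH
"""
# Constructed banner for comparison; "ExampleSSHD" is not a real product.
CONSTRUCTED = "SSH-2.0-ExampleSSHD_7.4 build-2019\r\n"

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments".
IDENT = re.compile(r"^SSH-([^-\s]+)-([^\s]+)(?: (.*))?$")
# Heuristic: a dotted or underscore-separated number run such as 7.4.
VERSION_HINT = re.compile(r"\d+(?:[._]\d+)+")


def parse_ident(banner_text):
    """Return (protoversion, softwareversion, comments) or None.

    A server may send other lines before its identification string, so
    scan for the first line that starts with 'SSH-'.
    """
    for line in banner_text.splitlines():
        if len(line) > 253:  # the RFC caps the line at 255 bytes with CR LF
            continue
        m = IDENT.match(line)
        if m:
            return m.group(1), m.group(2), m.group(3) or ""
    return None


def disclosure(banner_text):
    """Summarise which product name and version, if any, a greeting reveals."""
    ident = parse_ident(banner_text)
    if ident is None:
        return {"ssh": False, "product": None, "version": None}
    _, software, comments = ident
    hit = VERSION_HINT.search(software) or VERSION_HINT.search(comments)
    product = re.split(r"[_\d]", software, maxsplit=1)[0]
    return {"ssh": True, "product": product,
            "version": hit.group(0) if hit else None}
```
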
 
emils
MikroTik Support
Topic Author
Posts: 446
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Thu Jan 31, 2019 10:40 am

Installed 6.44beta61, but it seems there are issues with "/ip ipsec identity my-id" matching for fqdn:, user-fqdn: and even address:ipv4 types. It doesn't seem to work with Remote ID on iOS devices with IKEv2 in pre-shared-key mode.
It works for me. Please check the IPsec debug logs and find out what ID_I and ID_R fields are actually received from the client.
10:35:04 ipsec processing payload: ID_I 
10:35:04 ipsec ID_I (RFC822): usera@domain.com 
10:35:04 ipsec processing payload: ID_R 
10:35:04 ipsec ID_R (ADDR4): 10.155.130.204 
ID_I is the initiator's ID (what you specify as Local ID under your iOS). ID_R is the responder's ID (the Remote ID when looking from iOS). You can enable debug logs with
/system logging add topics=ipsec,!debug

As for the crashing part, it would be necessary to see the supout.rif file from your device. Please generate and send this file to support@mikrotik.com
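
The check described in the post above, as an added example (not part of the original post and not MikroTik code): it extracts ID_I and ID_R from the debug lines and compares the received ID_R with a configured my-id. It assumes my-id is written as `type:value`, that the `RFC822` and `ADDR4` log labels correspond to `user-fqdn` and `address`, and that an `FQDN` label exists for `fqdn`; the function names are hypothetical.

```python
import ipaddress
import re

# The four debug lines quoted in the post above, embedded as sample input.
SAMPLE_LOG = """\
10:35:04 ipsec processing payload: ID_I
10:35:04 ipsec ID_I (RFC822): usera@domain.com
10:35:04 ipsec processing payload: ID_R
10:35:04 ipsec ID_R (ADDR4): 10.155.130.204
"""

# Log label -> my-id prefix. RFC822 and ADDR4 appear in the post; the FQDN
# label is an assumption about how the log names that ID type.
LOG_TYPE_TO_MYID = {"RFC822": "user-fqdn", "ADDR4": "address", "FQDN": "fqdn"}
ID_LINE = re.compile(r"\bipsec (ID_[IR]) \((\w+)\): (\S+)")


def parse_ids(log_text):
    """Return {'ID_I': (type, value), 'ID_R': (type, value)} from debug lines."""
    found = {}
    for line in log_text.splitlines():
        m = ID_LINE.search(line)
        if m:
            found[m.group(1)] = (m.group(2), m.group(3))
    return found


def check_my_id(my_id, received_id_r):
    """Compare a configured my-id ('type:value') with the received ID_R.

    Returns a list of mismatch reasons; an empty list means they agree.
    """
    cfg_type, _, cfg_value = my_id.partition(":")
    log_type, log_value = received_id_r
    expected = LOG_TYPE_TO_MYID.get(log_type)
    if expected is None:
        return [f"unknown ID type {log_type!r} in log"]
    problems = []
    if cfg_type != expected:
        problems.append(f"type: configured {cfg_type}, client sent {expected}")
    try:  # compare addresses numerically, everything else byte for byte
        same = ipaddress.ip_address(cfg_value) == ipaddress.ip_address(log_value)
    except ValueError:
        same = cfg_value == log_value
    if not same:
        problems.append(f"value: configured {cfg_value}, client sent {log_value}")
    return problems
```
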