Do any of the CRS328 fixes have anything to do with the SFP+ link up/down issue?
I had some SFP+ link flapping up to a few times a day before the upgrade to 6.43.7. Since the upgrade I have seen one link flap only. The CRS328 is connected using DAC (FS.com) to my CRS317. I upgraded both switches last Friday.
[admin@MikroTik] > :global firmware [ / interface lte firmware-upgrade lte once as-value ];
[admin@Mikrotik] > :put ($firmware->"installed")
MikroTik_CP_2.160.000_v010
[admin@MikroTik] > :put ($firmware->"latest")
MikroTik_CP_2.160.000_v010
[admin@MikroTik] > :if (($firmware->"installed") != ($firmware->"latest")) do={ :put "Versions differ!"; }
Versions differ!
[admin@MikroTik] >
Updated wAP LTE to version 6.44beta50 and lost the wireless package. :-/
The LTE connection was really weak, though - no idea if that caused the issue.
After restoring my settings I can not set the country for my interface:
[admin@MikroTik] /interface wireless> set country=germany wlan1
failure: only regulatory-domain mode allowed for this country
!) telnet - do not allow to set "tracefile" parameter;
What is this about?.. Why is this marked as important?
set frequency-mode to regulatory-domain
That works, thanks! Can this be the cause for my trouble with wireless package?
what set of packages did you have? and what did you use to upgrade?
*) package - use bundled package by default if standalone packages are installed as well;
Ah, right, that could be the culprit. But I have standalone packages, no bundle.
/ system package upgrade install
What do you mean with lost package? Did you actually lose wireless package under System/Packages menu or wireless interface did not work properly?
The wireless package no longer showed under System/Package, had to copy the npk file manually to recover. Tried to reproduce with a mAP lite that has very similar configuration, but its update succeeds (and regulatory-domain was updated correctly).
Version 6.44beta50 has been released.
*) wireless - improved system stability for all ARM devices with wireless;
I wouldn't call the RB4011 unstable, but I simply cannot connect to it with Intel AC-8260 on 5.0GHz. There's no problem with cAP AC, though. Both are running the same config pushed by CAPSMAN controller. May I ask what kind of wireless instability is fixed with ARM based devices?
If you have set EU country under wireless configuration, but you did not use regulatory-domain, then configuration will be changed to fit these requirements. Otherwise you violate the law. So if you are legal, then everything will work just fine after an upgrade
It is not good. Have you been thinking about the fact that not everyone reads changelogs before upgrade?
mducharme, please generate a supout.rif file when the issue is present and send it to support@mikrotik.com
emils - Unfortunately, not possible. When it is happening, I ask my router to generate supout and it sits there not responding. I tried stopping and restarting and I get "Couldn't start - busy (12)". I'll keep trying though.
This frequency is not legal in our country. And this problem is due to simple upgrade RouterOS :(
We use official sources for frequencies allowed in each country. Are you sure you are correct on this one? We use information from Qualcomm chip and European Union.
What is this about?.. Why is this marked as important?
There was some obscure proof of concept that allowed to do strange things, but it only affected you if you gave a user account to the attacker.
Then we need Option to set Indoor or Outdoor use!
Which ETSI are you complying with? Because as I know there is a band between 5470MHz and 5725MHz, this lets me select this variety of frequencies, but if YOU apply your restrictions, I cannot use 5480MHz, why?
+1
Then we need Option to set Indoor or Outdoor use!
5180-5320 in Germany is only allowed for Indoor use!
I set the frequency 5640 - in log say - radar detected on 5640. The AP is automatically tuned to the 5240 frequency.
This frequency is not legal in our country (Czech)
You must manually use an allowed frequency, but you are right, next beta will have "auto" frequency follow the country "indoor/outdoor" rules, you will have a new setting for that.
Most likely a supout.rif file is already generating in the background. Is there an autosupout.rif file in the Files menu?
No, there are no files at all in the files menu. I had rebooted and tried again. It is still trying to generate the supout 5 hours later.
Does not respect outdoor / indoor settings for EU countries.
In the Czech Republic, outdoor is 5500-5700. Indoor is 5180-5320.
After upgrade (6.44beta50) the AP is running (with auto enabled DFS) on channel 5280 which is indoor !!! But selected channel is 5620. Thanks
Did you try Scanlist 5470-5720 ???
Did you try Scanlist 5470-5720 ???
I know the scan list will solve it. But would you think that this line means you need to create a scan list before upgrading RouterOS to 6.44? I find it unclear and it causes a number of problems....
The fact that the EU forces Mikrotik to comply with the law is clear to me
First of all, this is a BETA release which should not be used anywhere near production.
Yes, I know. I tested it on a non-production part of the network.
What do you mean by that? With scan list you will only reduce number of frequencies. After an upgrade your list will use all frequencies that are available in your country. From previous version point of view, nothing has been changed related to scan list or indoor/outdoor solutions. Indoor/outdoor selection should be introduced in upcoming beta versions.
The main point is that there is going to be a move from the outdoors to the indoors. Outdoor frequencies 5500-5700 are tuned anywhere from 5180 to 5700. So quietly indoors which is not legally correct. Is it written clearly?
I experienced the same on my ccr, only chance was to downgrade to latest stable firmware.
If I go to the command line and type "/ip ipsec export" it also hangs forever.
We have made a new setting for one of the next BETA releases, that will honour the "indoor/outdoor" parameter in the country-info list, and will not move you to an indoor-only frequency, so you will not have to make any custom scan lists.
Yes, that's exactly what I was suggesting. Divide it into indoor / outdoor
In the Czech Republic, outdoor is 5500-5700. Indoor is 5180-5320.
THIS IS NOT CORRECT! try to read this link and you will have a CLEAR knowledge which is allowed in Czech Republic and which is not ... https://www.ctu.cz/cs/download/oop/rok_ ... 010-12.pdf
I know this document. What exactly is wrong?
outdoor is exactly 5470MHz-5725MHz not 5500MHz-5700MHz mentioned by you in older posts .. indoor exactly 5150MHz-5350MHz not 5180MHz-5320MHz mentioned by you.
Yes it is 5470-5725MHz, but it is commonly referred to as I wrote. (fully channels)
If Mikrotik wants to restrict use of superchannels, they have to follow ETSI/CZ rules at least. They don't. They push us to not use "czech_republic" settings if we want to comply with our laws.
... and second, according to CZ rules I can set 5480MHz ...
Which channel width do you use when trying to set centre frequency to 5480MHz?
The "Outdoor" setting is already in released versions, it's called "installation=outdoor/indoor/any".
That's not true. Please read this thread carefully. The next Beta release will have indoor/outdoor option, so I guess the next stable release for your production environment will have it too.
Unfortunately the change to regulatory conformance was badly communicated by Mikrotik in the release notes.
What will be more of a concern is the future of Omnitik 5 devices in Europe. The regulators are about to shut them down soon. Let's hope Mikrotik really can prevent this from happening.
5480Ce in Poland too. 5470-5725.
Multiple mode-config doesn't work as intended with certificate matching.
I've tried to add 2 mode-configs and I want to assign a different IP pool to each.
Apart from the fact that it would be better to implement an object of type "list" populated with multiple certificates, currently it's impossible to add multiple client certificate matching...
Policy matching should be intended as this, imho:
a group of client certificates that, when matched with a specific mode-config policy, assigns an IP pool and a split tunnel.
Currently it's impossible to add a group of client certificates, just one cert.
Moreover, and this is what isn't working, the client checks just the first mode-config policy and if it's not matched skips the others. It should be a sequential check through all the mode-config matching policies...
What exactly have you configured currently? Are you creating multiple IPsec identities and specifying different remote-certificates for each of them? Are these certificates from the same CA chain? That is not quite how we planned it to work. There is a 'remote-id' parameter, which is not in Winbox and is not implemented fully yet. You will be able to match the IPsec identity to a specific peer by this parameter.
Strods; doush - Unfortunately we can not tell from the description "lockups" what kind of problem you are referring to. Please contact support@mikrotik.com directly, provide a proper problem description (when did the problem start to appear, how often do you see this issue, do you have any information what processes might trigger the lockup) and a supout file from your router/s. At the moment there are no known bugs that would lock up a router. Either this is an unknown problem, a hardware related issue or it is a configuration related problem. Without debugging we can not tell why this is happening with your router. At the moment of "lockup" can you access the router over serial console?
When watchdog is on, it reboots.
Please work with us in this issue.
And where is the version specific part of this? As I see it it's nothing new to this beta.... So please stay in the other thread.
This problem is still valid with the latest stable build !
*) dhcpv6-server - allow to add DHCPv6 server with pool that does not exist;
doush Nobody except you complains, which means it's either faulty hardware or a configuration specific issue. A couple of posts ago you said you are not willing to supply support@ with the info they asked you for. Being a software developer myself, I can assure you this is a road to nowhere...
Did you even read my post ?
"My router reboots" is a very generic problem, all kinds of issues are gathered in that topic.
Normis, do you work for ubnt?
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
[admin@MikroTik] /system backup cloud> print
-- connecting
Server error: Backend error. Try again later.
*) console - updated copyright notice;
The copyright notice still has a link with the http scheme. You should really change that to https.
*) ipsec - added new "remote-id" peer matcher;
Thanks, have to play with this...
*) lte - fixed DHCP IP acquire in 3G mode for r11e-lte (introduced in v6.44beta54);
Thanks for fixing!
*) ssh - close active SSH connections before IPsec connections on shutdown;
That change is very welcome. Thanks a lot!
/system telnet 10.2.0.16
Trying 10.2.0.16...
Connected to 10.2.0.16.
Escape character is '^]'.
MikroTik v6.43.8 (stable)
Login:
Version 6.44beta61 has been released.
rb4011 - improved SFP+ interface linking to 1Gbps;
Does this mean the S-RJ01 is now compatible with the RB4011?
The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.
The compatibility table disagrees with You:
Look at the S-RJ01 page. It is only for actively-cooled devices!
Hopefully some time, after yet more advances in technology, it will be possible to produce an SFP+ ethernet adapter that does not dissipate so much power.
Then it could work.
What's new in 6.44beta61 (2019-Jan-17 13:24):
*) rb4011 - improved SFP+ interface linking to 1Gbps;
/interface ethernet
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=1Gbps # link
set sfp-sfpplus1 auto-negotiation=yes full-duplex=no speed=10Mbps # link (detected/actual rate 1Gbps FD)
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=100Mbps # flapping
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=10Gbps # flapping
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes speed=1Gbps # link
set sfp-sfpplus1 auto-negotiation=no full-duplex=no speed=1Gbps # router crash
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes&no speed=10Mbps # link (detected rate 10Mbps, actual rate 1Gbps)
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes&no speed=100Mbps # flapping
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes speed=10Gbps # no link
The compatibility table disagrees with You:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table
The S-RJ01 is supported on the CSS/CRS326-24G-2S+ models - and they are passively cooled switches. Also, they run on RB3011, RB2011, RB260 and many other passively cooled devices.
Yes, it is weird. I have no idea where this limitation comes from.
Yeah, I guess it's not clear what works unless one consults the compatibility table. So, the S+RJ10 does work, but the S-RJ01 does not? I have not been able to get my S-RJ01 to work with the RB4011 and was hoping it was only a software issue.
security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
Version 6.44beta61 has been released.
*) rb4011 - improved SFP+ interface linking to 1Gbps;
This one looks promising and, indeed, there is a clear improvement.
Please remove OS version from telnet. It is not needed.
+1
I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number
Does this mean the S-RJ01 is now compatible with the RB4011?
Yes, with the latest beta S-RJ01 also should work.
But it saves the untrusted person the trouble to test which tool to use. Or just see beforehand that none of the available tools is going to work and move on.
The Interface/Ethernet section of the documentation should be updated as well.
We will update compatibility table when this fix will be included in the stable version.
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering.
This isn't true for SSH:
telnet 192.168.88.1 22
Trying 192.168.88.1...
Connected to 192.168.88.1.
Escape character is '^]'.
SSH-2.0-ROSSSH
Installed 6.44beta61, but it seems there are issues with "/ip ipsec identity my-id" matching for fqdn:, user-fqdn: and even address:ipv4 types. It doesn't seem to work with Remote ID on iOS devices with IKEv2 in pre-shared-key mode.
It works for me. Please check the IPsec debug logs and find out what ID_I and ID_R fields are actually received from the client.
10:35:04 ipsec processing payload: ID_I
10:35:04 ipsec ID_I (RFC822): usera@domain.com
10:35:04 ipsec processing payload: ID_R
10:35:04 ipsec ID_R (ADDR4): 10.155.130.204
/system logging add topics=ipsec,!debug
/certificate
add name=my.ca common-name=my.ca key-usage=key-cert-sign,crl-sign
sign my.ca
add name=vpn.server common-name=vpn.server subject-alt-name=DNS:vpn.company.com key-usage=tls-server
sign vpn.server ca=my.ca
add name=vpn.client.ios common-name=vpn.client.ios key-usage=tls-client
sign vpn.client.ios ca=my.ca
add name=vpn.client.macos common-name=vpn.client.macos key-usage=tls-client
sign vpn.client.macos ca=my.ca
add name=vpn.client.windows common-name=vpn.client.windows key-usage=tls-client
sign vpn.client.windows ca=my.ca
/certificate
export-certificate my.ca
export-certificate vpn.client.ios export-passphrase=1234 type=pkcs12
export-certificate vpn.client.macos export-passphrase=1234 type=pkcs12
export-certificate vpn.client.windows export-passphrase=1234 type=pkcs12
/ip ipsec policy group
add name=ike2
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d name=ike2 pfs-group=none
/ip ipsec policy
add comment=ike2 group=ike2 proposal=ike2 template=yes
/ip pool
add name=ike2 ranges=192.168.88.100-192.168.88.150
/ip ipsec mode-config
add address-pool=ike2 name=ike2
/ip ipsec peer
add comment=ike2 exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec identity
add auth-method=rsa-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2 my-id=fqdn:vpn.company.com \
peer=ike2 policy-template-group=ike2 remote-certificate=vpn.client.ios remote-id=fqdn:vpn.client.ios
add auth-method=rsa-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2 my-id=fqdn:vpn.company.com \
peer=ike2 policy-template-group=ike2 remote-certificate=vpn.client.macos remote-id=fqdn:vpn.client.macos
add auth-method=rsa-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2 \
peer=ike2 policy-template-group=ike2 remote-certificate=vpn.client.windows
Type: IKEv2
Server: vpn.company.com
External ID: vpn.company.com
Local ID: vpn.client.ios
User authentication: None
Use certificate: Yes
Certificate: vpn.client.ios
Type: IKEv2
Server: vpn.company.com
External ID: vpn.company.com
Local ID: vpn.client.macos
User authentication: None
Use certificate: Yes
Certificate: vpn.client.macos
$securePassword = ConvertTo-SecureString -String "1234" -AsPlainText -Force
Import-PfxCertificate -FilePath cert_export_vpn.client.windows.p12 -CertStoreLocation Cert:\LocalMachine\My -Password $securePassword
Import-Certificate -FilePath cert_export_my.ca.crt -CertStoreLocation Cert:\LocalMachine\Root
Add-VpnConnection -Name "Company" -ServerAddress vpn.company.com -TunnelType Ikev2 -AuthenticationMethod MachineCertificate
Set-VpnConnectionIPsecConfiguration -ConnectionName "Company" -AuthenticationTransformConstants SHA256128 `
-CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
-DHGroup Group14 -PfsGroup None -Force
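As an added Python example (not RouterOS code and not from any post in this thread), here is one way to read the ID_I/ID_R lines above and derive the remote-id an identity entry would need; it also illustrates emils' later point that matching is done on the actual IDi value the initiator sends, not on remote-certificate. It assumes the log format shown above, that RouterOS labels payload types RFC822, FQDN, ADDR4 and KEY_ID (only RFC822 and ADDR4 appear on the page), and that remote-id=auto matches any ID.

```python
"""Turn the ID_I / ID_R lines from a RouterOS IPsec debug log into the
remote-id value an /ip ipsec identity entry would need to match them.

Added example, not RouterOS code. Assumed: the log format quoted in the
thread, and that RouterOS labels the payload types RFC822, FQDN, ADDR4 and
KEY_ID (only RFC822 and ADDR4 are visible on the page)."""
import ipaddress
import re

# Constructed sample output of "/system logging add topics=ipsec,!debug":
# the iOS PSK client from the thread plus a macOS client we made up.
SAMPLE_LOG = """\
10:35:04 ipsec processing payload: ID_I
10:35:04 ipsec ID_I (RFC822): usera@domain.com
10:35:04 ipsec processing payload: ID_R
10:35:04 ipsec ID_R (ADDR4): 10.155.130.204
10:36:11 ipsec processing payload: ID_I
10:36:11 ipsec ID_I (FQDN): vpn.client.macos
10:36:11 ipsec processing payload: ID_R
10:36:11 ipsec ID_R (FQDN): vpn.company.com
"""

# Payload ID type -> remote-id prefix. fqdn:, user-fqdn: and address: are
# named on the page; key-id: is an assumption.
ID_TYPE_TO_PREFIX = {"FQDN": "fqdn", "RFC822": "user-fqdn",
                     "ADDR4": "address", "KEY_ID": "key-id"}

LINE_RE = re.compile(r"^\d\d:\d\d:\d\d ipsec (?P<which>ID_[IR]) "
                     r"\((?P<type>[A-Z0-9_]+)\): (?P<value>\S+)$")


def parse_ids(log_text):
    """Return (which, type, value) for every ID_I / ID_R line, in order."""
    return [(m["which"], m["type"], m["value"])
            for m in map(LINE_RE.match, log_text.splitlines()) if m]


def remote_id_for(id_type, value):
    """remote-id string matching this initiator ID, or None if the payload
    type has no remote-id equivalent (then only remote-id=auto can match)."""
    prefix = ID_TYPE_TO_PREFIX.get(id_type)
    if prefix is None:
        return None
    if prefix == "address":
        # Normalise the address text so it compares reliably.
        value = str(ipaddress.ip_address(value))
    return f"{prefix}:{value}"


def suggest_remote_ids(log_text):
    """One remote-id per distinct ID_I seen, in order of first appearance."""
    seen = {}
    for which, id_type, value in parse_ids(log_text):
        if which == "ID_I":
            rid = remote_id_for(id_type, value)
            if rid is not None:
                seen.setdefault(rid, None)
    return list(seen)


def identity_matches(configured_remote_id, id_type, value):
    """Would an identity with this remote-id match the initiator's ID_I?

    'auto' is assumed to match any ID. A typed value has to agree in both
    type and value: fqdn:usera@domain.com does not match an RFC822
    (user-fqdn) ID even though the text is identical, which is exactly the
    kind of mismatch the debug log reveals."""
    if configured_remote_id == "auto":
        return True
    return remote_id_for(id_type, value) == configured_remote_id
```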
Would it be possible (during the rework of the IPsec code) to also add a phase1 "on up" and "on down" script?
(that receives parameters like the remote-id, remote-IP etc)
This script could then add/delete phase2 settings e.g. a GRE tunnel.
Yes, please! Hooking a script would be much appreciated. Currently I have a script running every 30 seconds to update gre interfaces...
Much time spent on ipsec when one could spend time on wireguard and have better VPN.
Wireguard is not a better VPN. It is an immature product with a vocal community around it.
The next version will have some more changes for IPsec Identities to make it clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check the IPsec debug logs and find out what actual ID (IDi) value is sent by the initiator.
[...]
Separate but related...
And another thing about GRE + IPSec with cert auth. This one really looks like a bug.
I'm using a GRE interface with IPSec using certificate auth.
GRE interface properties has a setting for IPSec Secret.
When using PSK it seems redundant - there already is a PSK setting in peer / identity.
When using key or cert auth it's also redundant and unnecessary - there is no "secret" for key or cert auth. But when the "secret" is removed, the GRE tunnel doesn't get secured by IPSec (even if IPSec setting are left exactly the same), I mean IPSec is not brought up.
I think the idea is for the router to "know" that the GRE interface is supposed to be secured by IPSec - but perhaps there is a better way to set this up in the UI?
Not sure if it's new in 6.44 or was there before.
kmansoft, It's not a bug, it's a feature, and definitely not version-related.
/ip ipsec policy
add comment=myservertunnel dst-address=139.0.0.1/32 protocol=gre src-address=89.0.0.1/32