dgrififth
just joined
Posts: 8
Joined: Sat Oct 15, 2016 10:35 am

Re: v6.44beta [testing] is released!

Thu Nov 01, 2018 3:49 am

I would not know a legitimate reason why proxy-arp would work and normal arp would not, when the client is correctly configured.
Hence why I suspect it's a bug in ROS. :-P

They're remote clients running a full screen app on winCE, so it's difficult to debug. Disturbing the port in any way (eg unplug/re-plug, disable/enable in ROS) fixes the issue temporarily, other brands of switches don't present this problem to the device, etc, etc. It's the combo of Mikrotik Hex switch + this device that has the issue. Anyway, I've left a few units on proxy-arp and a few units running 6.42.9, so will observe for a while.
 
pe1chl
Forum Guru
Posts: 7793
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Thu Nov 01, 2018 10:30 am

While the device cannot communicate (I presume to an outside network, not internal to the LAN subnet), is it still possible to ping the device from the router (i.e. from within the same subnet)?
And is it possible to ping the device from outside and wake-up the stalled connection?
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.44beta [testing] is released!

Fri Nov 02, 2018 10:20 am

Nice catch. It is because of the new IKEv2 feature which works with DHCP. I will update the changelog.
Will devices be able to handle that on its own? Or more important... Will CAPsMAN handle this for connected devices?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
For contact join the RouterOS-Scripts Telegram group!
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Fri Nov 02, 2018 12:21 pm

Will devices be able to handle that on its own? Or more important... Will CAPsMAN handle this for connected devices?

We will see if we can remove the dependency, but most likely users with standalone packages will have to handle the upgrade process by themselves.
 
hknet
Member Candidate
Posts: 114
Joined: Sun Jul 17, 2016 6:05 pm
Location: Vienna, Austria

Re: v6.44beta [testing] is released!

Fri Nov 02, 2018 9:29 pm

Hi
regarding the issue:

bridge - fixed packet forwarding when changing MSTI VLAN mappings

could someone from MT please elaborate?
we have been quite unsuccessful integrating crs317 devices in our network using MSTP
the RSTP from other devices arriving on vlans is simply not being replicated to other memberports of the same VLAN (untagged/tagged).

please advise
hk
 
dgrififth
just joined
Posts: 8
Joined: Sat Oct 15, 2016 10:35 am

Re: v6.44beta [testing] is released!

Sat Nov 03, 2018 11:13 pm

While the device cannot communicate (I presume to an outside network, not internal to the LAN subnet), is it still possible to ping the device from the router (i.e. from within the same subnet)?
And is it possible to ping the device from outside and wake-up the stalled connection?
Nope. Link to the device from the switch is reported as being up by both the device and the switch, but it's completely unpingable. Device can't connect to a server on the same subnet, server or any other IP on the subnet can't ping the device. ARP pings fail as well. Packet sniffing shows ping packets making it to the port that the device is connected to (according to ROS when I packet sniff on the port, anyway), but nothing from the device, not even normal idle packets (arps, windows networking packets,etc). Zero bytes / packets come from the port when the fault is present.

It's very mysterious.
 
pe1chl
Forum Guru
Posts: 7793
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Sat Nov 03, 2018 11:32 pm

It is a bit contradictory. When you say you see outgoing pings to the device, that is only possible when the device has answered ARP requests (so the router knows the device MAC address, if not you would see ARP requests to the device), but then you say that ARP pings fail.
When turning on proxy-arp fixes it, it suggests that ARP is involved and maybe the device does not get answers on its ARP requests (to the router), but when changing something in the router fixes that, you would think that ARP requests *are* in fact sent by the device, but not answered by the router when not in proxy-arp mode.
That could happen e.g. when the requested address in the ARP does not match the address of the router, and thus the ARP request is ignored, while it is answered in proxy-arp mode.
But in this case you still should see incoming ARP requests from the device whenever it does not answer pings.
(sometimes devices do not send them "in response to" the incoming packet that requires a reply, but send them at some fixed rate when the first one had not been answered)

I think you need to trace a bit longer to know for sure that really nothing comes in from the device, and especially look for malformed ARP requests.
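
One way to run the check suggested above over captured frames, as an added Python example that is not part of the original posts: it classifies ARP requests seen from the device and separates malformed ones from well-formed requests for an address other than the router's, the case that plain ARP ignores and proxy-arp answers. The MACs, IP addresses and frames are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")   # ARP payload for Ethernet + IPv4 (28 bytes)
ETHERTYPE_ARP = 0x0806


def build_arp_request(eth_src, sender_mac, sender_ip, target_ip, hlen=6):
    """Build a broadcast ARP request frame (only used to construct sample input)."""
    eth = ETH_HDR.pack(b"\xff" * 6, eth_src, ETHERTYPE_ARP)
    arp = ARP_BODY.pack(
        1, 0x0800, hlen, 4, 1,               # htype, ptype, hlen, plen, oper=request
        sender_mac, ipaddress.IPv4Address(sender_ip).packed,
        b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed,
    )
    return eth + arp


def classify_arp(frame, router_ip):
    """Return a short label describing one captured Ethernet frame."""
    if len(frame) < ETH_HDR.size:
        return "truncated"
    _dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return "not-arp"
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return "truncated"
    htype, ptype, hlen, plen, oper, sha, _spa, _tha, tpa = ARP_BODY.unpack_from(
        frame, ETH_HDR.size
    )
    # Ethernet/IPv4 ARP must declare htype=1, ptype=0x0800, hlen=6, plen=4.
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "malformed-header"
    if oper != 1:
        return "not-request"
    # Sender hardware address inside ARP should match the Ethernet source.
    if sha != eth_src:
        return "sender-mac-mismatch"
    # A request for some other address is not answered by the router in
    # normal ARP mode, but would be answered with proxy-arp enabled.
    if tpa != ipaddress.IPv4Address(router_ip).packed:
        return "target-not-router"
    return "ok"


def summarize(frames, router_ip):
    """Count how many frames fall into each class."""
    return Counter(classify_arp(f, router_ip) for f in frames)


# Constructed sample data (not taken from the thread).
ROUTER_IP = "192.168.88.1"
DEVICE_IP = "192.168.88.10"
DEVICE_MAC = bytes.fromhex("020000000010")
_good = build_arp_request(DEVICE_MAC, DEVICE_MAC, DEVICE_IP, ROUTER_IP)
SAMPLE_FRAMES = [
    _good,                                                              # normal request
    build_arp_request(DEVICE_MAC, DEVICE_MAC, DEVICE_IP, "192.168.88.254"),
    build_arp_request(DEVICE_MAC, DEVICE_MAC, DEVICE_IP, ROUTER_IP, hlen=8),
    _good[:30],                                                         # cut short
    build_arp_request(DEVICE_MAC, bytes.fromhex("02000000ffff"), DEVICE_IP, ROUTER_IP),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_FRAMES, ROUTER_IP).items()):
        print(f"{label}: {count}")
```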
 
DezsiIstvan
just joined
Posts: 3
Joined: Sat Nov 24, 2012 8:20 pm

Re: v6.44beta [testing] is released!

Sun Nov 04, 2018 9:26 pm

I test radsec (RFC 6614) radius connection.
It works (connecting over SSL encrypted tcp connection to radius server)

I got the following request on our freeradius server
(1) Received Access-Request Id 23 from y.y.y.y:40627 to 0.0.0.0:2083 length 146
(1) Service-Type = Login-User
(1) User-Name = "username"
(1) MS-CHAP-Challenge = 0x...3e
(1) MS-CHAP2-Response = 0x...bc
(1) Calling-Station-Id = "x.x.x.x"
(1) NAS-Identifier = "AP-name"
(1) NAS-IP-Address = y.y.y.y

I have some problems, questions and future requests:

- for all authentication services (SSH/Winbox/HTTPS/API-SSL/...) we need Clear-Text password not MS-CHAP / MS-CHAP2 because on radius server passwords are hashed
THIS IS VERY IMPORTANT
radsec with mschap is useless

- for us be useful if we differentiate mikrotik auth service in "Service-Type" for example
for ssh put in Service-Type = ssh (like linux machines)
with this we can decide on radius server which user have access via which service
for example "john has access only via winbox, bob via ssh, winbox, https"

- how does the mikrotik radsec client authenticate the server?

Do I need to email future requests to support?
 
artz
MikroTik Support
Posts: 88
Joined: Tue Oct 17, 2017 5:51 pm
Location: Riga

Re: v6.44beta [testing] is released!

Mon Nov 05, 2018 10:07 am

Hi
regarding the issue:

bridge - fixed packet forwarding when changing MSTI VLAN mappings

could someone from MT please elaborate?
we have been quite unsuccessful integrating crs317 devices in our network using MSTP
the RSTP from other devices arriving on vlans is simply not being replicated to other memberports of the same VLAN (untagged/tagged).

please advise
hk
The bug affected all devices. Traffic stopped forwarding when you started to change MSTI VLAN mappings, but you could easily fix it by disabling it and re-enabling it.
MSTP is compatible with RSTP, this means that BPDUs should not be replicated anywhere, each device sends out its own BPDU.
It sounds a lot more like you have misconfigured device:
https://wiki.mikrotik.com/wiki/Manual:L ... _interface
 
mducharme
Trainer
Posts: 1474
Joined: Tue Jul 19, 2016 6:45 pm

Re: v6.44beta [testing] is released!

Tue Nov 06, 2018 6:04 pm

I see some complaining about MS-CHAPv2 support in Winbox. We like the MS-CHAPv2 support for Winbox because it allows us to no longer have to store the passwords unencrypted on the authentication server, so I hope it is retained in some way. We do not wish to go back to regular CHAP in our case.
 
nz_monkey
Forum Guru
Posts: 1968
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v6.44beta [testing] is released!

Wed Nov 07, 2018 1:00 am

I see some complaining about MS-CHAPv2 support in Winbox. We like the MS-CHAPv2 support for Winbox because it allows us to no longer have to store the passwords unencrypted on the authentication server, so I hope it is retained in some way. We do not wish to go back to regular CHAP in our case.
Agreed

Security first!
Mikrotik MTCNA, MTCRE, MTCINE
http://thebrotherswisp.com/
 
mozerd
Long time Member
Posts: 550
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: v6.44beta [testing] is released!

Wed Nov 07, 2018 1:45 pm

I see some complaining about MS-CHAPv2 support in Winbox. We like the MS-CHAPv2 support for Winbox because it allows us to no longer have to store the passwords unencrypted on the authentication server, so I hope it is retained in some way. We do not wish to go back to regular CHAP in our case.
Agreed

Security first!
ABSOLUTELY, security first.
 
DezsiIstvan
just joined
Posts: 3
Joined: Sat Nov 24, 2012 8:20 pm

Re: v6.44beta [testing] is released!

Wed Nov 07, 2018 2:39 pm

I see some complaining about MS-CHAPv2 support in Winbox. We like the MS-CHAPv2 support for Winbox because it allows us to no longer have to store the passwords unencrypted on the authentication server, so I hope it is retained in some way. We do not wish to go back to regular CHAP in our case.
MS-CHAPv2 needs the clear-text / decryptable password or the MD4 hash of the password on the radius server side
this means that on the radius server we need to store a clear-text or decryptable password in the database (very insecure, MD4 is also very insecure)
Storing clear-text or reversible password is not allowed. We store only a SHA512 hash of salt+password.
To authenticate a password we need it in clear-text to compute the hash and compare with stored hash

Using MS-CHAP(v2) in a TLS tunnel (radsec) is a nonsense because TLS is a safe encrypted transfer protocol and can be used to transfer password in clear-text like every webpage (https).
So:
1) radsec uses TLS like HTTPS and safe for clear-text password transfer.
2) clear-text password transfer is needed to authenticate against hashed password, stored on radius server

radsec + mschap means double encrypting the password in transit with a secure (radsec) and an unsecure (ms chap v2) algorithm with the price of insecure password store on radius server
radsec + clear-text password means encrypting the password in transit with a secure (radsec) algorithm and on password server passwords can be stored with any algorithm for example with the secure SHA512

because security is first, is important to send the password in clear-text format to radius server over a secure TLS encrypted (radsec) way

this method is used by every https webpage (clear-text password over TLS)
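
The storage trade-off argued in the post above, as an added Python example that is not part of the original thread and not RouterOS or FreeRADIUS code: a salted SHA-512 record can only be checked against a submitted clear-text password, while a challenge-response scheme needs a password-equivalent key stored on the server. HMAC-SHA256 is used as a stand-in for the MS-CHAPv2 computation (an assumption made to keep the example in the standard library), and all names and the sample password are constructed.

```python
import hashlib
import hmac
import os


def make_salted_record(password):
    """What the poster's backend stores: a salt and SHA512(salt + password)."""
    salt = os.urandom(16)
    digest = hashlib.sha512(salt + password.encode()).digest()
    return {"salt": salt, "digest": digest}


def verify_cleartext(record, submitted):
    """PAP-style check: the server must receive the clear-text password
    (for example inside the RadSec TLS tunnel) to recompute the salted hash."""
    candidate = hashlib.sha512(record["salt"] + submitted.encode()).digest()
    return hmac.compare_digest(candidate, record["digest"])


def response_key(password):
    """Unsalted key both sides derive from the password.
    Stand-in for the NT hash (MD4 of the UTF-16LE password) used by MS-CHAPv2."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def make_response(key, challenge):
    """Stand-in for the MS-CHAPv2 challenge response: keyed digest of the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify_response(stored_key, challenge, response):
    """Challenge-response check: the server needs the same key the client used."""
    return hmac.compare_digest(make_response(stored_key, challenge), response)


def compare_storage_models(password="correct horse (constructed sample)"):
    salted_record = make_salted_record(password)   # server A: salted SHA-512 only
    stored_key = response_key(password)            # server B: password-equivalent key

    challenge = os.urandom(16)
    client_response = make_response(response_key(password), challenge)

    # A party holding only the stored key (never the password) can still
    # answer a fresh challenge, which is why that key is password-equivalent.
    fresh_challenge = os.urandom(16)
    key_only_response = make_response(stored_key, fresh_challenge)

    return {
        # Clear text + salted hash: verifiable, and wrong passwords are rejected.
        "cleartext_vs_salted_hash": verify_cleartext(salted_record, password),
        "wrong_cleartext_vs_salted_hash": verify_cleartext(salted_record, password + "x"),
        # Challenge-response + stored key: verifiable.
        "response_vs_stored_key": verify_response(stored_key, challenge, client_response),
        # Challenge-response + salted hash: the server cannot derive the key.
        "response_vs_salted_hash": verify_response(
            salted_record["digest"], challenge, client_response
        ),
        "stored_key_alone_answers_challenge": verify_response(
            stored_key, fresh_challenge, key_only_response
        ),
    }


if __name__ == "__main__":
    for name, outcome in compare_storage_models().items():
        print(f"{name}: {outcome}")
```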
 
Chupaka
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.44beta [testing] is released!

Wed Nov 07, 2018 4:32 pm

Clear-text password over any channel is a source of MitM. In MS-CHAPv2 client has to prove he knows the password and also the server has to prove he knows the same password (two-way authentication)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
JimmyNyholm
Member Candidate
Posts: 249
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.44beta [testing] is released!

Thu Nov 08, 2018 4:17 am

All hash options are useless, static passwords are insecure. I use OTP (One Time Password), can't hash anything because there is nothing to hash on. Please reimplement PAP so I may once again be secure.
 
anuser
Long time Member
Posts: 556
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.44beta [testing] is released!

Wed Nov 14, 2018 10:24 am

Version 6.44beta9 has been released.
*) winbox - added 4th chain selection for "HT TX chains" and "HT RX chains" under "CAPsMAN/CAP Interface/Wireless" tab;
I cannot find that setting...
 
Chupaka
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.44beta [testing] is released!

Wed Nov 14, 2018 11:30 am

I cannot find that setting...
 
honzam
Forum Guru
Posts: 2340
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.44beta [testing] is released!

Fri Nov 16, 2018 12:53 pm

No new beta?
LAN, FTTx, Wireless. ISP operator
 
Chupaka
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.44beta [testing] is released!

Fri Nov 16, 2018 1:25 pm

No new beta?
Bettar beta? =)
 
Jotne
Forum Guru
Posts: 2342
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v6.44beta [testing] is released!

Fri Nov 16, 2018 4:23 pm

They are working with the new 7.xx, so be patient.
 
Try Splunk> to monitor your MikroTik Router(s). How to set it up. :mrgreen:

MikroTik->Splunk
 
 
Chupaka
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.44beta [testing] is released!

Fri Nov 16, 2018 4:48 pm

This topic is not the place where we're joking about v7 :)
 
paulct
Member
Posts: 327
Joined: Fri Jul 12, 2013 5:38 pm

Re: v6.44beta [testing] is released!

Fri Nov 16, 2018 4:59 pm

 
psannz
Frequent Visitor
Posts: 90
Joined: Mon Nov 09, 2015 3:52 pm
Location: Renningen, Germany

Re: v6.44beta [testing] is released!

Fri Nov 16, 2018 5:09 pm

 
Chupaka
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.44beta [testing] is released!

Fri Nov 16, 2018 6:48 pm

Try again :)
 
server8
Long time Member
Posts: 532
Joined: Fri Apr 22, 2011 1:27 pm

Re: v6.44beta [testing] is released!

Sat Nov 17, 2018 6:38 pm

4 chains without mu-mimo it's a joke?
I cannot find that setting...
 
mistry7
Forum Guru
Posts: 1475
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: v6.44beta [testing] is released!

Sun Nov 18, 2018 2:29 pm

4 chains without mu-mimo it's a joke?
I cannot find that setting...
No, that is a feature!
 
mkx
Forum Guru
Posts: 6652
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.44beta [testing] is released!

Sun Nov 18, 2018 2:45 pm

4 chains without mu-mimo it's a joke?
I cannot find that setting...
No, that is a feature!
mimo 4x4 using 2 TX and 2 RX chains works much better than mimo 2x2 using same hardware.
BR,
Metod
 
Paternot
Forum Veteran
Posts: 912
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.44beta [testing] is released!

Sun Nov 18, 2018 3:27 pm

 
mistry7
Forum Guru
Posts: 1475
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: v6.44beta [testing] is released!

Sun Nov 18, 2018 9:50 pm

4 chains without mu-mimo it's a joke?
I cannot find that setting...
No, that is a feature!
mimo 4x4 using 2 TX and 2 RX chains works much better than mimo 2x2 using same hardware.
You are not really benefiting without MU-MIMO, and status today: ROS doesn’t support MU-MIMO or Wave2 or something else new..
Mikrotik Wireless is outdated!
 
nz_monkey
Forum Guru
Posts: 1968
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v6.44beta [testing] is released!

Mon Nov 19, 2018 5:40 am

 
Punkley
just joined
Posts: 4
Joined: Fri Sep 01, 2017 9:24 am

Re: v6.44beta [testing] is released!

Mon Nov 19, 2018 9:27 am

Using a w60G and beta28 I'm not getting any information on the interface page, e.g.

Frequency 64800
Remote MAC
Signal
MCS
PHY Rate
RSSI
TX Sector
TX Sector Info
RX Sector
Distance

All blank, and the quickset page is showing 0 for signal and MCS

Kingsley
 
tiftok
newbie
Posts: 48
Joined: Thu Apr 07, 2016 1:40 pm

Re: v6.44beta [testing] is released!

Sat Nov 24, 2018 12:55 pm

GREAT, MY PROBLEM IS SOLVED
l2tp server ISAKMP-SA deleted problem if dhcp enabled is solved in 6.44beta28
Khaled mulsi ->>> I love mikrotik :D --TIFTOK--
 
Stril
Member Candidate
Posts: 175
Joined: Fri Nov 12, 2010 7:18 pm

Re: v6.44beta [testing] is released!

Sun Nov 25, 2018 1:07 am

Using a w60G and beta28 I'm not getting any information on the interface page, e.g.

Frequency 64800
Remote MAC
Signal
MCS
PHY Rate
RSSI
TX Sector
TX Sector Info
RX Sector
Distance

All blank, and the quickset page is showing 0 for signal and MCS

Kingsley
I can confirm this on LHG60
 
rzirzi
Member
Posts: 393
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.44beta [testing] is released!

Mon Nov 26, 2018 10:54 pm

Has MikroTik stopped working on the new version of RouterOS? :(
 
raffav
Member
Posts: 339
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.44beta [testing] is released!

Mon Nov 26, 2018 11:07 pm

Has MikroTik stopped working on the new version of RouterOS? :(
I think maybe but just maybe they are ready for the 7v beta :)
would be a very nice Christmas present
 
server8
Long time Member
Posts: 532
Joined: Fri Apr 22, 2011 1:27 pm

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 9:39 am

We are bad boys so no new ROS from Santa Claus this year :-)
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 9:57 am

New beta build will be released later today. Had to polish some new features before releasing the version.
 
honzam
Forum Guru
Posts: 2340
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 1:37 pm

New beta build will be released later today. Had to polish some new features before releasing the version.
Please no new 6.44beta...
We wait for V7
 
msatter
Forum Guru
Posts: 2317
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 1:40 pm

We are now all sitting on the edge of our seats.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS. However, 'happy' with giving money to Italy.

Running:
RouterOS 7RC4 and 6.49RC / Winbox 3.31 64bits
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 3:23 pm

Version 6.44beta39 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta39 (2018-Nov-27 12:14):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes in this release:

!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
*) btest - added multithreading support for both UDP and TCP tests;
*) bridge - properly disable dynamic CAP interfaces;
*) btest - added warning message when CPU load exceeds 90% (CLI only);
*) certificate - fixed "expires-after" parameter calculation;
*) certificate - properly flush old CRLs when changing store location;
*) certificate - added support for multiple "Subject Alt. Names" (CLI only);
*) chr - correctly initialize grant table version 1;
*) cloud - added "ddns-update-interval" parameter (CLI only);
*) cloud - do not reuse old UDP socket if routing changes are detected;
*) cloud - made address updating faster when new public address detected;
*) conntrack - added new "loose-tcp-tracking" parameter (equivalent to "nf_conntrack_tcp_loose" in netfilter) (CLI only);
*) console - renamed IP protocol 41 to "ipv6-encap";
*) dhcpv4-server - added "User-Name" attribute to RADIUS accounting messages;
*) ethernet - fixed IPv4 and IPv6 packet forwarding on IPQ4018 devices;
*) ethernet - improved per core ethernet traffic classificator on mmips devices;
*) gps - added "coordinate-format" parameter (CLI only);
*) ike2 - added peer identity validation for RSA auth (disabled after upgrade);
*) ike2 - allow to match responder peer by "my-id=fqdn" field;
*) ike2 - properly handle certificates with empty "Subject";
*) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;
*) interface - improved system stability when including/excluding a list to itself;
*) ipsec - added new "remote-id" peer matcher (CLI only);
*) ipsec - allow to specify single address instead of IP pool under "mode-config";
*) ipsec - hide empty prefixes on "peer" menu;
*) ipsec - made dynamic "src-nat" rule more specific;
*) ipsec - made peers autosort themselves based on reachability status;
*) ipsec - properly detect AES-NI extension as hardware AEAD;
*) ipsec - properly handle peer profiles on downgrade;
*) ipsec - removed limitation that allowed only single "auth-method" with the same "exchange-mode" as responder;
*) kidcontrol - added statistics web interface for kids (http://router.lan/kid-control);
*) kidcontrol - do not allow users with "read" policy to pause and resume kids;
*) kidcontrol - properly detect time zone changes;
*) log - properly handle long echo messages;
*) led - fixed default LED configuration for wAP 60G AP devices;
*) lte - added "ecno" field for "info" command;
*) lte - added "firmware-upgrade" command for R11e-LTE international modems (CLI only);
*) lte - added support for more ZTE MF90 modems;
*) lte - improved compatibility for Alt38xx modems;
*) lte - increased reported "rsrq" precision (CLI only);
*) profiler - classify kernel crypto processing as "encrypting";
*) routerboard - renamed SIM slots to "a" and "b" on SXT LTE kit;
*) sniffer - save packet capture in "802.11" type when sniffing on w60g interface in "sniff" mode;
*) snmp - do not initialise interface traps on bootup if they are not enabled;
*) ssh - added "allow-none-crypto" parameter to disable "none" encryption usage (CLI only);
*) timezone - updated timezone information from tzdata2018g release;
*) traffic-flow - fixed "src-mac-address" and added "post-src-mac-address" fields;
*) traffic-flow - reduced minimal value of "active-flow-timeout" parameter to 1s;
*) tunnel - properly clear dynamic IPsec configuration when removing/disabling EoIP with DNS as "remote-address";
*) upgrade - made security package depend on DHCP package;
*) usb - fixed power-reset for hAP ac^2 devices;
*) user - speed up first time login process after upgrade from version older than v6.43;
*) userman - show redirect location in error messages;
*) w60g - added "10s-average-rssi" parameter to align mode (CLI only);
*) w60g - improved reconnection detection;
*) w60g - improved "tx-packet-error-rate" reading;
*) winbox - allow to specify SIM slot on LtAP mini;
*) winbox - enabled "fast-forward" by default when adding new bridge;
*) winbox - show "Switch" menu on RB4011iGS+5HacQ2HnD;
*) winbox - show "System/Health" only on boards that have health monitoring;
*) winbox - show "W60G" wireless tab on wAP 60G AP;
*) wireless - improved system stability for all ARM devices with wireless;
*) wireless - report last seen IP address in RADIUS accounting messages;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
muetzekoeln
Member Candidate
Posts: 166
Joined: Fri Jun 29, 2018 2:34 pm

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 3:51 pm

"/tool speed-test"
No iperf?? :?
 
macgaiver
Forum Guru
Posts: 1742
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 4:11 pm

Average Joe will not know how to use iperf. I think the target audience for this feature is different from iperf users :)
But it is fun anyway:
[admin@1072_bonding_test_1] > /tool speed-test 192.168.1.2 test-duration=60
                  ;;; results can be limited by cpu, note that traffic generation/termination performance might not be 
                      representative of forwarding performance
              status: done
      time-remaining: 0s
    ping-min-avg-max: 111us / 123us / 2.14ms
  jitter-min-avg-max: 0s / 10us / 2.01ms
                loss: 0% (0/1200)
        tcp-download: 11.6Gbps local-cpu-load:83%
          tcp-upload: 12.1Gbps local-cpu-load:89% remote-cpu-load:84%
        udp-download: 24.3Gbps local-cpu-load:5% remote-cpu-load:79%
          udp-upload: 23.1Gbps local-cpu-load:87% remote-cpu-load:20%
Why there are no tcp-download "remote-cpu-load"?
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
msatter
Forum Guru
Posts: 2317
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 4:12 pm

I have my DNS cache being flooded with, I think, IPs coming from the Addresslists.

Screen content of DNS Cache
N IP:xxx.xxx.xxx.xxx type: unknown Data: 0.0.0.0 TTL: 24H

Update: After a reboot it worked again as expected. I think the firmware had to be updated too and that update was already standing ready for the next reboot...which was executed during that reboot.

Thanks for the update of IPSEC and MMIPS and the throughput on my L2TP/IPSEC are really great!
Last edited by msatter on Tue Nov 27, 2018 6:27 pm, edited 3 times in total.
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 4:17 pm

Why there are no tcp-download "remote-cpu-load"?
The current implementation only allows including this data in the test connection, but waiting for it impacts results. We need to implement data collection as a separate connection to get this working; it is on our to-do list.
 
anuser
Long time Member
Posts: 556
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 4:20 pm

*) wireless - improved system stability for all ARM devices with wireless;
I ask myself what issues my cAP ac devices have? Can you please give some more information about it?
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 4:31 pm

I ask myself what issues my cAP ac devices have? Can you please give some more information about it?
The router could have rebooted due to kernel failure in some rare occasions.
 
msatter
Forum Guru
Posts: 2317
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 4:49 pm

I have L2TP/IPSEC connections that are "dial on demand" and those are displayed in IPSEC-Peers as entries that are unreachable. This is true, however after the connection is up they are still seen as unreachable (colour red).
 
Chupaka
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 4:55 pm

*) chr - correctly initialize grant table version 1;
Huh?.. (O_o)
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 4:59 pm

I have L2TP/IPSEC connections that are "dial on demand" and those are displayed in IPSEC-Peers as entries that are unreachable. This is true, however after the connection is up they are still seen as unreachable (colour red).
Can you post some screenshots of your peer menu?
 
flyfinlander
just joined
Posts: 4
Joined: Tue Nov 27, 2018 4:47 pm

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 5:01 pm

Hi,

What is the idea of that I can't use IKE2 with "pre shared key xauth" ?
When I try to set it up I get the message in attached picture.
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 5:13 pm

Hi,

What is the idea of that I can't use IKE2 with "pre shared key xauth" ?
When I try to set it up I get the message in attached picture.
Pre-shared key with XAuth was never really supported in IKEv2. Also IKEv2 rfc does not acknowledge XAuth as an authentication method.
 
blue
Member Candidate
Posts: 267
Joined: Sun Dec 12, 2004 1:48 pm
Location: Serbia

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 5:24 pm

Many, many, many thanx for speedtest. Finally test uses all cores of the routerboard...
 
Chupaka
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 5:41 pm

Finally test uses all cores of the routerboard...
Have you checked BTest?

MT Staff: why create speed-test? You already have BTest - develop it! :)
 
g22113
just joined
Posts: 9
Joined: Sat Aug 19, 2017 3:21 pm

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 5:45 pm

What's new in 6.44beta39 (2018-Nov-27 12:14):
!) ipsec - added new "identity" menu with common peer distinguishers;
This new menu keeps complaining about my IKEv2-PSK configuration. After upgrade, I have 5 entries autogenerated in "/ip ipsec identity", but all of them (except one) show an error:

initiator peer can have only one identity

I don't know why that restriction was added -- it is completely valid in IKEv2 to use same IDi but a different PSK for each different remote peer (and I've been doing so for quite a while).

Also, the corresponding "/ip ipsec peer" entries also show This entry is unreachable... but oddly, they're connected and established despite that.
 
flyfinlander
just joined
Posts: 4
Joined: Tue Nov 27, 2018 4:47 pm

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 5:53 pm

Hi,

What is the idea of that I can't use IKE2 with "pre shared key xauth" ?
When I try to set it up I get the message in attached picture.
Pre-shared key with XAuth was never really supported in IKEv2. Also IKEv2 rfc does not acknowledge XAuth as an authentication method.
Very strange... Below are logs before and after on remote device(77.70.x.x with ROS 6.43).
Before - device (46.23.x.x with ROS 6.44beta28)
After - device (46.23.x.x with ROS 6.44beta39)
 
flyfinlander
just joined
Posts: 4
Joined: Tue Nov 27, 2018 4:47 pm

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 5:55 pm

Hi,

What is the idea of that I can't use IKE2 with "pre shared key xauth" ?
When I try to set it up I get the message in attached picture.
Pre-shared key with XAuth was never really supported in IKEv2. Also IKEv2 rfc does not acknowledge XAuth as an authentication method.
Very strange... Below are logs before and after on remote device(77.70.x.x with ROS 6.43).
Before - device (46.23.x.x with ROS 6.44beta28)
After - device (46.23.x.x with ROS 6.44beta39)


P.S. First log (before) is generated due to a wrong XAuth user name
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 6:00 pm

g22113, that is not a limitation, simply the warning messages are misleading. The limitation should be - one identity per one initiator peer. We will resolve the issue in the next beta.

The same goes for "this peer is unreachable" warnings - they are not working as expected. Also resolved in the next beta.

Another known issue - identity generated by L2TP server does not have generate-policy set to port-strict, meaning phase 2 will fail.

flyfinlander, if XAuth was configured with IKEv2 exchange-mode in older versions, asymmetric authentication was actually used. It worked between two RouterOS devices and most likely nowhere else without some weird configuration. We have plans to implement asymmetric authentication in the future and not mix it with XAuth which has nothing to do with it.
 
g22113
just joined
Posts: 9
Joined: Sat Aug 19, 2017 3:21 pm

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 6:19 pm

g22113, that is not a limitation, simply the warning messages are misleading. The limitation should be - one identity per one initiator peer. We will resolve the issue in the next beta.

The same goes for "this peer is unreachable" warnings - they are not working as expected. Also resolved in the next beta.
Thanks very much for the response.
 
dakotabcn
newbie
Posts: 46
Joined: Thu Apr 21, 2016 11:16 pm

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 6:35 pm

L2TP/IPSEC does not work, the message is "failed to pre-process ph2 packet"
config
# nov/27/2018 17:36:36 by RouterOS 6.44beta39
#
# model = 951G-2HnD
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=default enabled=yes ipsec-secret=********** use-ipsec=yes

config by default, I have deleted all old IPsec config and created it by default
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 6:55 pm

Isn't the answer two posts above?..
 
dakotabcn
newbie
Posts: 46
Joined: Thu Apr 21, 2016 11:16 pm

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 7:07 pm

Isn't the answer two posts above?..
I use this config in 6.4.34 on all clients; in the new beta the peer does not work, the port-override and main-l2tp do not work.
If I upgrade to the next version, will all L2TP/IPsec VPNs with this config stop working?

/interface l2tp-server server
set authentication=mschap2 enabled=yes
/ppp profile
add change-tcp-mss=yes dns-server=8.8.4.4,8.8.8.8 name="VPN IPSEC" only-one=\
    yes use-upnp=yes
/ip firewall filter
add action=accept chain=input comment="ipsec-ike-natt - VPN ROAMING - IPSEC" \
    dst-port=4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="ipsec-ike-natt - VPN ROAMING" \
    dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="ipsec-ike-natt - VPN ROAMING" \
    dst-port=1701 in-interface=ether1 protocol=udp
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=SECRETL2TPPASSWORD
 
User avatar
blue
Member Candidate
Member Candidate
Posts: 267
Joined: Sun Dec 12, 2004 1:48 pm
Location: Serbia

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 7:08 pm

Finally test uses all cores of the routerboard...
Have you checked BTest?

MT Staff: why create speed-test? You already have BTest - develop it! :)
I gave up on btest long time ago, and iperf is not always possible :(
 
msatter
Forum Guru
Forum Guru
Posts: 2317
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 8:54 pm

Isn't the answer two posts above?..
I use this config in 6.4.34 on all clients; in the new beta the peer does not work, the port-override and main-l2tp do not work.
If I upgrade to the next version, will all L2TP/IPsec VPNs with this config stop working?
.
.
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=SECRETL2TPPASSWORD
What if you try:
add exchange-mode=main generate-policy=port-override passive=yes secret=SECRETL2TPPASSWORD
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS. However, 'happy' with giving money to Italy.

Running:
RouterOS 7RC4 and 6.49RC / Winbox 3.31 64bits
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 9:10 pm

L2TP/IPSEC does not work, the message is "failed to pre-process ph2 packet"
config
# nov/27/2018 17:36:36 by RouterOS 6.44beta39
#
# model = 951G-2HnD
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=default enabled=yes ipsec-secret=********** use-ipsec=yes

config by default, I have deleted all old IPsec config and created it by default
As stated above, we are aware of the issue and it will be fixed in the next beta versions.
I use this config in 6.4.34 on all clients; in the new beta the peer does not work, the port-override and main-l2tp do not work.
If I upgrade to the next version, will all L2TP/IPsec VPNs with this config stop working?

/interface l2tp-server server
set authentication=mschap2 enabled=yes
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=SECRETL2TPPASSWORD
The configuration will automatically convert to the new format on upgrade. If you wish to configure the same configuration on new versions, you have to change the IPsec peer configuration to something like this:
/ip ipsec peer
add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity
add generate-policy=port-override auth-method=pre-shared-key secret=SECRETL2TPPASSWORD peer=l2tpserver
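
The peer/identity split described in the reply above, as an added example that is not MikroTik's own code or part of the original post: a small converter that reads an old-format export, moves the authentication settings into an identity entry, and flags the IKEv2 plus XAuth combination discussed earlier in the thread. Assumptions: the CLI spellings `ike2` and `pre-shared-key-xauth`, the default of `pre-shared-key` when only a secret is set, the generated `peerN` names, and a parameter split limited to the parameters shown in the reply.

```python
import shlex

# Settings that move from "/ip ipsec peer" to "/ip ipsec identity" in the
# reply above, in the order that reply prints them. Assumption: every other
# parameter stays on the peer.
IDENTITY_KEYS = ("generate-policy", "auth-method", "secret")

# Constructed sample in the old (pre-6.44beta39) format. The first peer is the
# one posted in the thread, wrapped the way export files wrap long lines; the
# second peer (address, secret) is made up to exercise the IKEv2/XAuth case.
SAMPLE_EXPORT = r"""
# constructed sample, old peer format
/interface l2tp-server server
set authentication=mschap2 enabled=yes
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=\
    SECRETL2TPPASSWORD
add address=192.0.2.10 exchange-mode=ike2 auth-method=pre-shared-key-xauth \
    secret=EXAMPLEONLY
"""


def join_continuations(text):
    """Undo the trailing-backslash line wrapping used by export files."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
        else:
            lines.append(pending + line)
            pending = ""
    if pending:
        lines.append(pending)
    return lines


def fmt(params):
    """Render key=value pairs as one 'add' line, quoting values with spaces."""
    parts = [f'{k}="{v}"' if " " in v or v == "" else f"{k}={v}"
             for k, v in params.items()]
    return "add " + " ".join(parts)


def convert_peer(old, name):
    """Split one old-style peer into (peer line, identity line, notes)."""
    notes = []
    peer = {k: v for k, v in old.items() if k not in IDENTITY_KEYS}
    if peer.get("exchange-mode") == "main-l2tp":
        peer["exchange-mode"] = "main"  # removed in 6.44, same as "main"
        notes.append("main-l2tp replaced by main")
    peer.setdefault("name", name)

    src = dict(old)
    if "secret" in src:
        # Assumption: a peer with a secret and no auth-method used a PSK.
        src.setdefault("auth-method", "pre-shared-key")
    ident = {k: src[k] for k in IDENTITY_KEYS if k in src}
    ident["peer"] = peer["name"]

    if (peer.get("exchange-mode") == "ike2"
            and ident.get("auth-method") == "pre-shared-key-xauth"):
        notes.append("IKEv2 with PSK + XAuth is not accepted any more; "
                     "XAuth is not an IKEv2 authentication method")
    return fmt(peer), fmt(ident), notes


def convert_export(text):
    """Convert every 'add' line found under '/ip ipsec peer'."""
    menu, converted = None, []
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
        elif menu == "/ip ipsec peer" and line.startswith("add "):
            tokens = shlex.split(line)[1:]
            old = dict(t.split("=", 1) for t in tokens if "=" in t)
            converted.append(convert_peer(old, f"peer{len(converted) + 1}"))
    return converted


if __name__ == "__main__":
    for peer_line, identity_line, notes in convert_export(SAMPLE_EXPORT):
        print("/ip ipsec peer\n" + peer_line)
        print("/ip ipsec identity\n" + identity_line)
        for note in notes:
            print("# " + note)
```
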
 
rememberme
just joined
Posts: 19
Joined: Fri Nov 13, 2015 10:13 pm
Location: Chicago, USA

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 9:47 pm

After upgrade:

RouterBOOT booter 3.41

CCR1036-8G-2S+

CPU frequency: 1200 MHz
Memory size: 4096 MiB
NAND size: 1024 MiB

Press any key within 2 seconds to enter setup..

loading kernel... OK
setting up elf image... OK
jumping to kernel code
ERROR: no system package found!
Kernel panic - not syncing: Attempted to kill init!

Starting stack dump of tid 1, pid 1 (init) on cpu 4 at cycle 36191216532
frame 0: 0xfffffff70051f768 dump_stack+0x0/0x20 (sp 0xfffffe407fdbfc08)
frame 1: 0xfffffff700518700 panic+0x168/0x398 (sp 0xfffffe407fdbfc08)
frame 2: 0xfffffff700053a78 do_exit+0x1c8/0xd48 (sp 0xfffffe407fdbfcb0)
frame 3: 0xfffffff700054740 do_group_exit+0xf0/0x1e8 (sp 0xfffffe407fdbfd78)
frame 4: 0xfffffff700054858 __wake_up_parent+0x0/0x18 (sp 0xfffffe407fdbfdb0)
frame 5: 0xfffffff7005204d8 handle_syscall+0x210/0x2d0 (sp 0xfffffe407fdbfdc0)
<syscall while in user mode>
frame 6: 0x8e2f0 0x8e2f0 (sp 0x7f8bf990)
Stack dump complete
Rebooting in 1 seconds..Resetting chip and restarting.
 
rememberme
just joined
Posts: 19
Joined: Fri Nov 13, 2015 10:13 pm
Location: Chicago, USA

Re: v6.44beta [testing] is released!

Tue Nov 27, 2018 11:00 pm

Netinstall fixed the router. Same package files.
 
User avatar
strods
MikroTik Support
MikroTik Support
Posts: 1446
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Wed Nov 28, 2018 4:32 am

Netinstall fixed the router. Same package files.
Unfortunately this serial console output is the result of the problem. Not the output from the moment when packages were lost.

Upgrade happens on old version (one from which you upgrade router). Which version was installed on your router before an upgrade? Based on old firmware I assume that it was not one of the latest ones.
 
antonsb
MikroTik Support
MikroTik Support
Posts: 234
Joined: Sun Jul 24, 2016 3:12 pm
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Wed Nov 28, 2018 7:31 am

Finally test uses all cores of the routerboard...
Have you checked BTest?

MT Staff: why create speed-test? You already have BTest - develop it! :)
I gave up on btest long time ago, and iperf is not always possible :(
Please read carefully through change log:
*) btest - added multithreading support for both UDP and TCP tests;
 
dakotabcn
newbie
Posts: 46
Joined: Thu Apr 21, 2016 11:16 pm

Re: v6.44beta [testing] is released!

Wed Nov 28, 2018 10:07 am

As stated above, we are aware of the issue and it will be fixed in the next beta versions.
I use this config in 6.4.34 on all clients; in the new beta the peer does not work, the port-override and main-l2tp do not work.
If I upgrade to the next version, will all L2TP/IPsec VPNs with this config stop working?

/interface l2tp-server server
set authentication=mschap2 enabled=yes
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=SECRETL2TPPASSWORD
The configuration will automatically convert to the new format on upgrade. If you wish to configure the same configuration on new versions, you have to change the IPsec peer configuration to something like this:
/ip ipsec peer
add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity
add generate-policy=port-override auth-method=pre-shared-key secret=SECRETL2TPPASSWORD peer=l2tpserver

PERFECT, this code works
I made the following test: 2 users with Windows 10, a team with the 1803 and another with the 1809, two L2TP VPNs. The two connected perfectly. I perform a continuous ping to the VPN GW: the first responds for about 15 seconds, and then it is suddenly inverted; the one whose ping was working stops responding and the other one starts. The two VPNs are active but they alternate.
This is already an advance: before, the second L2TP VPN connection disconnected the first; now it maintains it, but the two do not work at the same time.
 
User avatar
Bergante
Member Candidate
Member Candidate
Posts: 143
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: v6.44beta [testing] is released!

Wed Nov 28, 2018 10:54 am

Please read carefully through change log:
*) btest - added multithreading support for both UDP and TCP tests;
Great job. Now a single Btest can saturate a w60 link :)
 
nkourtzis
Member Candidate
Member Candidate
Posts: 213
Joined: Tue Dec 11, 2012 12:56 am
Location: Greece

Re: v6.44beta [testing] is released!

Wed Nov 28, 2018 12:36 pm

Dear Mikrotik engineers,

Thank you for the relentless development of new and improved features.

Would you consider fixing this issue: viewtopic.php?f=2&t=119267
Imagine relying on l2tp for a backup (failover) connection, only to realise that it is not working when you need it. Well, it just happened to me. :-)

Regards
Passionate about networks
Enthusiastic about Mikrotik
MTCNA | MTCRE | MTCINE

No trees were killed to send this message,
but a large number of electrons were terribly inconvenienced.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Wed Nov 28, 2018 3:32 pm

Version 6.44beta40 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta40 (2018-Nov-28 12:46):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
----------------------

Changes in this release:

!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
*) capsman - fixed "group-key-update" parameter not using correct units;
*) certificate - fixed certificate signing by SCEP client if multiple CA certificates are provided;
*) crs317 - fixed TX not working on sfp-sfpplus9 interface (introduced in v6.40beta12);
*) dhcpv6-client - use default route distance also for unreachable route added by DHCPv6 client;
*) discovery - fixed malformed neighbor information for routers that has incomplete IPv6 configuration;
*) discovery - fixed neighbor discovery for PPP interfaces;
*) ipsec - fixed active connection killing when changing peer configuration;
*) ipsec - made peers autosort themselves based on reachability status;
*) ipsec - moved "profile" menu outside "peer" menu (CLI only);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
Stril
Member Candidate
Member Candidate
Posts: 175
Joined: Fri Nov 12, 2010 7:18 pm

Re: v6.44beta [testing] is released!

Wed Nov 28, 2018 6:42 pm


*) winbox - show "W60G" wireless tab on wAP 60G AP;
Hi!

That problem still exists with 6.44beta40
w60g monitoring is still only valid on CLI. GUI shows empty values.
 
User avatar
strods
MikroTik Support
MikroTik Support
Posts: 1446
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Wed Nov 28, 2018 10:42 pm

Stril - Is "W60G" tab missing for your wAP device on Winbox interface under Wireless menu? That is the problem which was fixed. If tab is still missing or you have another problem which has not been addressed in this release, then please send message to support@mikrotik.com and include supout file in attachment.
 
anuser
Long time Member
Long time Member
Posts: 556
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.44beta [testing] is released!

Thu Nov 29, 2018 10:12 pm

Version 6.44beta40 has been released.
*) capsman - fixed "group-key-update" parameter not using correct units;
Can you please give some more information about this one?
 
msatter
Forum Guru
Forum Guru
Posts: 2317
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Thu Nov 29, 2018 11:35 pm

With the last two betas I have Winbox glitching and crashing. I re-downloaded Winbox but it still sometimes does not the windows and while typing all the windows disappear. Only a restart helps and then I still sometimes have to manually reload the layout.

I find this strange because Winbox always worked great for me while others had problems with it.

I forgot to mention that I can't drag-and-drop anymore between file in Winbox and folders outside Winbox and vice versa. Really strange. I am using Win10 x64.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Fri Nov 30, 2018 9:35 am

anuser the parameter was not set properly and a different interval was used in the background.

msatter if there is an autosupout.rif file generated on the router after such crashes, it is worth sending it to us.
 
msatter
Forum Guru
Forum Guru
Posts: 2317
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Fri Nov 30, 2018 11:59 am

Thanks Emils and this morning I tried drag and drop from the Files window in Winbox and it worked again. :D

I hope that it was a temporary problem and downloading/install and clearing the Winbox cache did not work.

One thing that is interesting: now it is working again, I could not connect to the router by means of the MAC address despite it being shown in Neighbors of the connect screen. During the glitches and crashes I could again use the MAC to connect; today all is back to normal, no glitches till now, and connect through the MAC address.

If it returns I don't think that the router will notice it except that the Winbox connection is gone.

So all is good now.
 
Extrems
just joined
Posts: 2
Joined: Tue Sep 11, 2018 8:09 pm
Location: Quebec, Canada
Contact:

Re: v6.44beta [testing] is released!

Fri Nov 30, 2018 5:13 pm

DHCP Snooping is causing reboots (no kernel panic) on CRS326-24G-2S+ since v6.44beta39.
 
User avatar
amt
Long time Member
Long time Member
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: v6.44beta [testing] is released!

Fri Nov 30, 2018 10:28 pm

Average Joe will not know how to use iperf. I think target audience for this feature is different from iperf users :)
But it is fun anyway:
[admin@1072_bonding_test_1] > /tool speed-test 192.168.1.2 test-duration=60
                  ;;; results can be limited by cpu, note that traffic generation/termination performance might not be 
                      representative of forwarding performance
              status: done
      time-remaining: 0s
    ping-min-avg-max: 111us / 123us / 2.14ms
  jitter-min-avg-max: 0s / 10us / 2.01ms
                loss: 0% (0/1200)
        tcp-download: 11.6Gbps local-cpu-load:83%
          tcp-upload: 12.1Gbps local-cpu-load:89% remote-cpu-load:84%
        udp-download: 24.3Gbps local-cpu-load:5% remote-cpu-load:79%
          udp-upload: 23.1Gbps local-cpu-load:87% remote-cpu-load:20%
Why there are no tcp-download "remote-cpu-load"?
tested beta version on CCR1072 ?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.44beta [testing] is released!

Sat Dec 01, 2018 1:21 am

Why not? It's 1072 for tests, anyway :)
 
User avatar
amt
Long time Member
Long time Member
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: v6.44beta [testing] is released!

Sat Dec 01, 2018 9:04 am

if it is worked without problem, I will install too :)
 
Lakis
Forum Veteran
Forum Veteran
Posts: 704
Joined: Wed Sep 23, 2009 7:52 pm

Re: v6.44beta [testing] is released!

Sat Dec 01, 2018 11:20 am

Dude multithreading support when?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.44beta [testing] is released!

Sat Dec 01, 2018 11:24 am

if it is worked without problem, I will install too :)
Only on test CCR, which you can Netinstall any time!
 
User avatar
amt
Long time Member
Long time Member
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: v6.44beta [testing] is released!

Sat Dec 01, 2018 12:56 pm

if it is worked without problem, I will install too :)
Only on test CCR, which you can Netinstall any time!
exactly, both 1072 are in a very critical area, so I will wait :)
 
User avatar
amt
Long time Member
Long time Member
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: v6.44beta [testing] is released!

Sat Dec 01, 2018 1:01 pm

Dude multithreading support when?
and bgp multithreading support when?
 
msatter
Forum Guru
Forum Guru
Posts: 2317
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Sat Dec 01, 2018 1:14 pm

...and bgp multithreading support when?
First the hell has to freeze over. ;-)

viewtopic.php?f=1&t=141920#p699481
 
raffav
Member
Member
Posts: 339
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.44beta [testing] is released!

Sat Dec 01, 2018 2:25 pm

...and bgp multithreading support when?
First the hell has to freeze over. ;-)

viewtopic.php?f=1&t=141920#p699481
I have the feeling that maybe this will be last beta if not the last is going to a close ending..
Maybe we have some v7 beta to play with on this Christmas

 
server8
Long time Member
Long time Member
Posts: 532
Joined: Fri Apr 22, 2011 1:27 pm

Re: v6.44beta [testing] is released!

Sun Dec 02, 2018 9:03 pm

I am too old I don't believe in Santa Claus :-)
Maybe we have some v7 beta to play with on this Christmas
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.44beta [testing] is released!

Sun Dec 02, 2018 9:55 pm

Me too. I bet Europe MUM :)
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1968
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow
Contact:

Re: v6.44beta [testing] is released!

Mon Dec 03, 2018 4:14 am

Me too. I bet Europe MUM :)
I gave up betting on RouterOS v7 release dates many years ago after incurring significant losses :D

I do still hope it will be released at next year's European MUM !
Mikrotik MTCNA, MTCRE, MTCINE
http://thebrotherswisp.com/
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1742
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: v6.44beta [testing] is released!

Mon Dec 03, 2018 12:15 pm

tested beta version on CCR1072 ?
All deployments that are scheduled for deployment are stress-tested here on the table, it just happens to be bonding setup with pair of CCR1072, at that particular moment.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
User avatar
osc86
Member Candidate
Member Candidate
Posts: 154
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.44beta [testing] is released!

Tue Dec 04, 2018 10:40 pm

I still see SAs are not removed when they expire. Why isn't it possible to remove single SAs?
 
heaven
just joined
Posts: 13
Joined: Mon Aug 15, 2016 12:14 pm

Re: v6.44beta [testing] is released!

Wed Dec 05, 2018 6:23 am

You could check the ARP table of the client to see if it has any strange entries (other IP addresses than the router, with the router's MAC address).
If so you need to debug the client.
I would not know a legitimate reason why proxy-arp would work and normal arp would not, when the client is correctly configured.
(correct subnet on the LAN interface and a default route via the router's IP address)
The same situation. In DHCP Server/Lease many ip addresses with router MAC address and other.
 
nkourtzis
Member Candidate
Member Candidate
Posts: 213
Joined: Tue Dec 11, 2012 12:56 am
Location: Greece

Re: v6.44beta [testing] is released!

Wed Dec 05, 2018 11:28 am

and bgp multithreading support when?

Normis has already answered this one: not in the foreseeable future. It appears that BGP is very hard to make multithreaded, due to transaction integrity issues. No vendor has done it, as far as I know. But he has also promised that v7 will bring significant improvements in BGP performance, even though it will still be single-threaded.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 6349
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.44beta [testing] is released!

Wed Dec 05, 2018 4:49 pm

will still be single-threaded
kind of but not exactly
 
ivn
just joined
Posts: 12
Joined: Sun Mar 11, 2018 3:37 pm

Re: v6.44beta [testing] is released!

Wed Dec 05, 2018 7:25 pm

Hi! Can you please tell us when approximately will 6.44 be released? Several weeks or a month or maybe more?
Just waiting for "*) ike2 - added option to specify certificate chain;" sooo much :) Do not want to use beta in production.
Thanks!
 
raffav
Member
Member
Posts: 339
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.44beta [testing] is released!

Wed Dec 05, 2018 7:49 pm

will still be single-threaded
kind of but not exactly
Enigmatic affirmation
:mrgreen:
 
User avatar
Paternot
Forum Veteran
Forum Veteran
Posts: 912
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.44beta [testing] is released!

Wed Dec 05, 2018 9:44 pm

will still be single-threaded
kind of but not exactly
Enigmatic affirmation
:mrgreen:
Normis being Normis. :lol: :lol:

If I remember correctly, the BGP process will be broken in multiple threads. The system route update itself will be single threaded - but we will have multiple threads doing another tasks. Won't be perfect - but will be far better than what we have today.
 
User avatar
strods
MikroTik Support
MikroTik Support
Posts: 1446
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Thu Dec 06, 2018 11:26 pm

msatter - Usually there is no such thing as temporary "crash". If problem was related to network situation (just, for example, fully saturated link) or not enough resources (for example, full RAM), then it would be understandable. But if there is an actual service crashing, then this problem should not just disappear.
Extrems - Please provide supout file to support@mikrotik.com.
amt - Test is running just fine on any system that is powered by RouterOS.
Lakis, amt - Not in v6.44 :)
osc86 - Can you please provide supout file to support@mikrotik.com? We will look into this problem since this is not a common problem and SAs are usually removed.
heaven - Do you mean that there are leases that have the DHCP server's MAC address? Can you provide an example?
ivn - At the moment this is a question that we can not answer. We will release this (and any other stable/long-term version) when there will be no critical, known crashes and new features will be finalized. Starting from v6.44 beta and rc versions can be released in testing channel so you will see rc when we will be finalizing things.
 
keefe007
Member Candidate
Member Candidate
Posts: 124
Joined: Sun Jun 25, 2006 3:01 am

Re: v6.44beta [testing] is released!

Tue Dec 11, 2018 10:21 pm

Do any of the CRS328 fixes have anything to do with the SFP+ link up down issue?
 
llag
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Sat Aug 04, 2018 12:12 am

Re: v6.44beta [testing] is released!

Wed Dec 12, 2018 12:12 am

Do any of the CRS328 fixes have anything to do with the SFP+ link up down issue?
I had some SFP+ link flapping up to a few times a day before the upgrade to 6.43.7. Since the upgrade I have seen one link flap only. The CRS328 is connected using DAC (FS.com) to my CRS317. I upgraded both switches last Friday.

So the upgrade seems to have improved the stability, but not completely eliminated link flapping.
 
User avatar
eworm
Forum Veteran
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.44beta [testing] is released!

Fri Dec 14, 2018 11:52 pm

[admin@MikroTik] > :global firmware [ / interface lte firmware-upgrade lte once as-value ];
[admin@Mikrotik] > :put ($firmware->"installed")                                            
MikroTik_CP_2.160.000_v010
[admin@MikroTik] > :put ($firmware->"latest")         
MikroTik_CP_2.160.000_v010

[admin@MikroTik] > :if (($firmware->"installed") != ($firmware->"latest")) do={ :put "Versions differ!"; }
Versions differ!
[admin@MikroTik] >
Can we please get rid of the extra line break in latest version?
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 12:31 pm

Version 6.44beta50 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta50 (2018-Dec-17 13:01):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
----------------------

Changes in this release:

!) ipsec - added new "identity" menu with common peer distinguishers;
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
*) bgp - properly update keepalive time after peer restart;
*) bridge - fixed BOOTP packet forwarding when DHCP Snooping is enabled;
*) bridge - fixed IPv6 link-local address generation when auto-mac=yes;
*) capsman - always accept connections from loopback address;
*) certificate - added support for multiple "Subject Alt. Names";
*) cloud - added "ddns-update-interval" parameter;
*) conntrack - added new "loose-tcp-tracking" parameter (equivalent to "nf_conntrack_tcp_loose" in netfilter);
*) console - properly remove system note after configuration reset;
*) crs3xx - improved fan control stability;
*) crs3xx - improved stability when adding ACL rules on CRS326 and CRS328 devices (introduced in 6.44beta39);
*) defconf - fixed default configuration loading on RB4011iGS+5HacQ2HnD-IN;
*) defconf - fixed IPv6 link-local address range in firewall rules;
*) dhcp - added "allow-dual-stack-queue" setting for IPv4/IPv6 DHCP servers to control dynamic lease/binding behaviour;
*) dhcpv4-server - added "parent-queue" parameter (CLI only);
*) dhcpv6-server - properly handle DHCP requests that include prefix hint;
*) discovery - detect proper slave interface on bounded interfaces;
*) discovery - fixed malformed neighbor information for routers that has incomplete IPv6 configuration;
*) discovery - send master port in "interface-name" parameter;
*) discovery - show neighbors on actual bridge port instead of bridge itself for LLDP;
*) ethernet - fixed VLAN1 forwarding on RB1100AHx4 and RB4011 devices;
*) export - fixed "silent-boot" compact export;
*) fetch - added "http-header-field" parameter;
*) gps - added "coordinate-format" parameter (CLI only);
*) ike2 - allow to match responder peer by "my-id=fqdn" field;
*) ipsec - improved invalid policy handling when a valid policy is uninstalled;
*) kidcontrol - added IPv6 support;
*) kidcontrol - added statistics web interface for kids (http://router.lan/kid-control);
*) led - fixed default LED configuration for RBMetalG-52SHPacn;
*) lte - added "ecno" field for "info" command;
*) lte - disallow setting LTE interface as passthrough target;
*) lte - fixed passthrough functionality when interface is removed;
*) lte - improved SimCom 7100e support;
*) lte - increased reported "rsrq" precision;
*) lte - reset USB when non-default slot is used;
*) package - use bundled package by default if standalone packages are installed as well;
*) ppp - added "at-chat" command;
*) resource - fixed "total-memory" reporting on ARM devices;
*) snmp - added "tx-ccq" ("mtxrWlStatTxCCQ") and "rx-ccq" ("mtxrWlStatRxCCQ") values;
*) snmp - changed fan speed value type to Gauge32;
*) snmp - removed "rx-sector" ("Wl60gRxSector") value;
*) ssh - fixed public key format compatibility with RFC4716;
*) switch - fixed MAC learning when disabling interfaces on devices with Atheros8327 and QCA8337 switch chips;
*) system - fixed situation when all configuration was not properly loaded on bootup;
*) timezone - fixed "Europe/Dublin" time zone;
*) traceroute - improved stability when sending large ping amounts;
*) upgrade - automatically uninstall standalone package if already installed in bundle;
*) user - require "write" permissions for LTE firmware update;
*) watchdog - allow specifying DNS name for "send-smtp-server" parameter;
*) webfig - do not show bogus VHT field in wireless interface advanced mode;
*) winbox - added "allow-roaming" parameter in "Interface/LTE" menu;
*) winbox - added "challenge-password" field when signing certificate with SCEP;
*) winbox - added "conflict-detection" parameter in "IP/DHCP server" menu;
*) winbox - added src/dst address and in/out interface list columns to default firewall menu view;
*) winbox - added support for dynamic devices in "IP/Kid Control/Devices" tab;
*) winbox - allow to change VHT rates when 5ghz-n/ac band is used;
*) winbox - fixed missing w60g interface status values;
*) winbox - renamed "Radius" to "RADIUS";
*) winbox - show "R" flag under "IPv6/DHCP Server/Bindings" tab;
*) winbox - show "Switch" menu on RB4011iGS+5HacQ2HnD;
*) wireless - improvements in wireless frequency selection;
*) wireless - improved system stability for all ARM devices with wireless;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 1:12 pm

Updated wAP LTE to version 6.44beta50 and lost the wireless package. :-/
The LTE connection was really weak, though - no idea if that caused the issue.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
For contact join the RouterOS-Scripts Telegram group!
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 1:40 pm

Updated wAP LTE to version 6.44beta50 and lost the wireless package. :-/
The LTE connection was really weak, though - no idea if that caused the issue.
After restoring my settings I can not set the country for my interface:
[admin@MikroTik] /interface wireless> set country=germany wlan1
failure: only regulatory-domain mode allowed for this country
What's the deal with this failure?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
For contact join the RouterOS-Scripts Telegram group!
 
mrz
MikroTik Support
Posts: 6349
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 1:44 pm

set frequency-mode to regulatory-domain
 
Chupaka
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 2:01 pm

!) telnet - do not allow to set "tracefile" parameter;
What is this about?.. Why is this marked as important?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 2:06 pm

set frequency-mode to regulatory-domain
That works, thanks! Can this be the cause for my trouble with wireless package?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
For contact join the RouterOS-Scripts Telegram group!
 
macgaiver
Forum Guru
Posts: 1742
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 2:19 pm

set frequency-mode to regulatory-domain
That works, thanks! Can this be the cause for my trouble with wireless package?
*) package - use bundled package by default if standalone packages are installed as well;
what set of packages did you have? and what did you use to upgrade?
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 2:23 pm

set frequency-mode to regulatory-domain
That works, thanks! Can this be the cause for my trouble with wireless package?
*) package - use bundled package by default if standalone packages are installed as well;
what set of packages did you have? and what did you use to upgrade?
Ah, right, that could cause the culprit. But I have standalone packages, no bundle.

Upgraded from 6.44beta40 with:
/ system package upgrade install
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
For contact join the RouterOS-Scripts Telegram group!
 
marianob85
just joined
Posts: 15
Joined: Wed Feb 08, 2017 9:47 pm

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 7:25 pm

Version 6.44b50
RouterBOARD wAP R-2nD

Problem: LTE interface does not work
Log says: LTE1 SMS storage set failed.
 
strods
MikroTik Support
Posts: 1446
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 10:02 pm

If you have set EU country under wireless configuration, but you did not use regulatory-domain, then configuration will be changed to fit these requirements. Otherwise you violate the law. So if you are legal, then everything will work just fine after an upgrade ;)

What do you mean with lost package? Did you actually lose wireless package under System/Packages menu or wireless interface did not work properly?
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 10:31 pm

What do you mean with lost package? Did you actually lose wireless package under System/Packages menu or wireless interface did not work properly?
The wireless package did no longer show under System/Package, had to copy the npk file manually to recover. Tried to reproduce with a mAP lite that has very similar configuration, but its update succeeds (and regulatory-domain was updated correctly).
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
For contact join the RouterOS-Scripts Telegram group!
 
anuser
Long time Member
Posts: 556
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 10:40 pm

Version 6.44beta50 has been released.
*) wireless - improved system stability for all ARM devices with wireless;
I wouldn't call the RB4011 unstable, but I simply cannot connect to it with Intel AC-8260 on 5.0GHz. There's no problem with cAP AC, though. Both are running the same config pushed by CAPSMAN controller. May I ask what kind of wireless instability is fixed with ARM based devices?
 
honzam
Forum Guru
Posts: 2340
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.44beta [testing] is released!

Tue Dec 18, 2018 10:51 pm

If you have set EU country under wireless configuration, but you did not use regulatory-domain, then configuration will be changed to fit these requirements. Otherwise you violate the law. So if you are legal, then everything will work just fine after an upgrade ;)
It is not good. Have you been thinking about the fact that not everyone reads changelogs before upgrade?
If a simple upgrade changes the configuration and the user is not informed about it, that's not good.
Example: I set the frequency 5640 - in log say - radar detected on 5640. The AP is automatically tuned to the 5240 frequency.
This frequency is not legal in our country. And this problem is due to simple upgrade RouterOS :( :(
LAN, FTTx, Wireless. ISP operator
 
strods
MikroTik Support
Posts: 1446
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 6:26 am

honzam - It simply is not possible to do anything from our side if network administrator can not read changelog before an upgrade. This is 100% responsibility of network admin. We do not change configuration usually on upgrade, however, since this change is required due to a law, we have made an exception. Can you please send supout file from your router to support@mikrotik.com? Generate file while your router is using illegal frequency while you have selected country and regulatory domain settings on your router's wireless configuration.
anuser - Please provide supout file from your router to support@mikrotik.com. We will try to reproduce this problem in our lab.
 
mducharme
Trainer
Posts: 1474
Joined: Tue Jul 19, 2016 6:45 pm

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 6:57 am

I tried to upgrade to the latest 6.44 beta (6.44beta50) but it was not successful - I end up with 100% CPU usage continuously caused by ipsec process. In winbox I cannot go into IP->IPSEC and view settings, or /ip ipsec export. If I try to export ipsec I get no output.
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 7:27 am

mducharme, please generate a supout.rif file when the issue is present and send it to support@mikrotik.com
 
mducharme
Trainer
Posts: 1474
Joined: Tue Jul 19, 2016 6:45 pm

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 8:21 am

mducharme, please generate a supout.rif file when the issue is present and send it to support@mikrotik.com
emils - Unfortunately, not possible. When it is happening, I ask my router to generate supout and it sits there not responding. I tried stopping and restarting and I get "Couldn't start - busy (12)". I'll keep trying though.
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 8:22 am

Most likely a supout.rif file is already generating in the background. Is there an autosupout.rif file in the Files menu?
 
normis
MikroTik Support
Posts: 25042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 9:18 am

Honzam
This frequency is not legal in our country. And this problem is due to simple upgrade RouterOS :(:(
We use official sources for frequencies allowed in each country. Are you sure you are correct on this one? We use information from Qualcomm chip and European Union.
No answer to your question? How to write posts
 
tetecko
Frequent Visitor
Posts: 71
Joined: Sun Jun 11, 2006 7:44 pm

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 11:00 am

Why is this forced? According to EU law ... it is not obligatory for equipment provider, it is obligatory for company who runs it. So please let us choose what we want to set up on your hardware/software and do not put these restrictions. Can you please explain why you put these restrictions on?
 
normis
MikroTik Support
Posts: 25042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 11:04 am

That is not correct. If you have questions about EU laws and regulations, I can suggest to email our certification or legal department.
You are still free to select a country that does not have such laws, but I don't recommend it, it might get you into trouble.
No answer to your question? How to write posts
 
normis
MikroTik Support
Posts: 25042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 11:06 am

!) telnet - do not allow to set "tracefile" parameter;
What is this about?.. Why is this marked as important?
There was some obscure proof of concept that allowed to do strange things, but it only affected you if you gave a user account to the attacker.
No answer to your question? How to write posts
 
mistry7
Forum Guru
Posts: 1475
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 11:13 am

Honzam
This frequency is not legal in our country. And this problem is due to simple upgrade RouterOS :(:(
We use official sources for frequencies allowed in each country. Are you sure you are correct on this one? We use information from Qualcomm chip and European Union.
Then we need Option to set Indoor or Outdoor use!
5180-5320 in Germany is only allowed for Indoor use!
 
tetecko
Frequent Visitor
Posts: 71
Joined: Sun Jun 11, 2006 7:44 pm

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 11:23 am

Which ETSI are you complying with? Because as I know there is a band between 5470MHz to 5725MHz, this letting me select this variety of frequencies, but if YOU apply on your restrictions, I cannot use 5480MHz, why?
 
mistry7
Forum Guru
Posts: 1475
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 12:32 pm

Which ETSI are you complying with? Because as I know there is a band between 5470MHz to 5725MHz, this letting me select this variety of frequencies, but if YOU apply on your restrictions, I cannot use 5480MHz, why?
+1
 
muetzekoeln
Member Candidate
Posts: 166
Joined: Fri Jun 29, 2018 2:34 pm

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 12:47 pm

cannot use 5480MHz, why?

This would be channel 96. You can ask the same for channel 32 (5160MHz). At least with 20MHz bandwidth and OFDM it should be allowed to use. But these two channels are not selectable with any equipment I know. And the only webpage I found which lists them as allowed for Europe is here:
https://en.wikipedia.org/wiki/List_of_WLAN_channels

There is something about energy leaking into frequencies lower than 5150 resp. 5470MHz, I guess.
Last edited by muetzekoeln on Wed Dec 19, 2018 3:42 pm, edited 1 time in total.
 
normis
MikroTik Support
Posts: 25042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 12:56 pm

Then we need Option to set Indoor or Outdoor use!
5180-5320 in Germany is only allowed for Indoor use!
.
I set the frequency 5640 - in log say - radar detected on 5640. The AP is automatically tuned to the 5240 frequency.
This frequency is not legal in our country (Czech)
You must manually use an allowed frequency, but you are right, next beta will have "auto" frequency follow the country "indoor/outdoor" rules, you will have a new setting for that.
No answer to your question? How to write posts
 
mducharme
Trainer
Posts: 1474
Joined: Tue Jul 19, 2016 6:45 pm

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 1:47 pm

Most likely a supout.rif file is already generating in the background. Is there an autosupout.rif file in the Files menu?
No, there are no files at all in the files menu. I had rebooted and tried again. It is still trying to generate the supout 5 hours later.

If I go to the command line and type "/ip ipsec export" it also hangs forever.
 
honzam
Forum Guru
Posts: 2340
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 2:10 pm

Honzam
This frequency is not legal in our country. And this problem is due to simple upgrade RouterOS :(:(
We use official sources for frequencies allowed in each country. Are you sure you are correct on this one? We use information from Qualcomm chip and European Union.
Does not respect outdoor / indoor settings for EU countries.
In Czech Republic is outdoor 5500-5700. Indoor is 5180-5320.
After upgrade (6.44beta50) is AP running (with auto enabled DFS) on channel 5280 which is indoor !!! But selected channel is 5620. Thanks
LAN, FTTx, Wireless. ISP operator
 
mistry7
Forum Guru
Posts: 1475
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 2:32 pm

Honzam
This frequency is not legal in our country. And this problem is due to simple upgrade RouterOS :(:(
We use official sources for frequencies allowed in each country. Are you sure you are correct on this one? We use information from Qualcomm chip and European Union.
Does not respect outdoor / indoor settings for EU countries.
In Czech Republic is outdoor 5500-5700. Indoor is 5180-5320.
After upgrade (6.44beta50) is AP running (with auto enabled DFS) on channel 5280 which is indoor !!! But selected channel is 5620. Thanks
Did you try Scanlist 5470-5720 ???
 
honzam
Forum Guru
Posts: 2340
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 8:47 pm

Did you try Scanlist 5470-5720 ???
I know the scan list will solve it. But would you think that this line:

*) wireless - fixed compliance with EU regulatory domain rules;

means you need to create a scan list before upgrading RouterOS to 6.44? I find it unclear and it causes a number of problems....
The fact that the EU forces Mikrotik to comply with the law is clear to me
LAN, FTTx, Wireless. ISP operator
 
strods
MikroTik Support
Posts: 1446
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 9:08 pm

What do you mean by that? With scan list you will only reduce number of frequencies. After an upgrade your list will use all frequencies that are available in your country. From previous version point of view, nothing has been changed related to scan list or indoor/outdoor solutions. Indoor/outdoor selection should be introduced in upcoming beta versions.
 
pe1chl
Forum Guru
Posts: 7793
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 9:53 pm

For outdoor I normally select the country "etsi 5.5-5.7 outdoor" that has those frequencies in the scanlist.
 
osc86
Member Candidate
Posts: 154
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.44beta [testing] is released!

Wed Dec 19, 2018 10:47 pm

Most likely a supout.rif file is already generating in the background. Is there an autosupout.rif file in the Files menu?
No, there are no files at all in the files menu. I had rebooted and tried again. It is still trying to generate the supout 5 hours later.

If I go to the command line and type "/ip ipsec export" it also hangs forever.
I experienced the same on my ccr, only chance was to downgrade to latest stable firmware.
Some settings were missing or changed after the downgrade, but I got it all working again.
 
normis
MikroTik Support
Posts: 25042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Thu Dec 20, 2018 7:33 am

means you need to create a scan list before upgrading RouterOS to 6.44? I find it unclear and it causes a number of problems....
The fact that the EU forces Mikrotik to comply with the law is clear to me
First of all, this is a BETA release which should not be used anywhere near production.
Yes, the new change will enable radar-detect which could move your frequency to something you did not use before.
As a temporary workaround, you can use other country (ETSI, like suggested above) or use custom scan list.
We have made a new setting for one of the next BETA releases, that will honour the "indoor/outdoor" parameter in the country-info list, and will not move you to an indoor-only frequency, so you will not have to make any custom scan lists.
No answer to your question? How to write posts
 
pe1chl
Forum Guru
Posts: 7793
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Thu Dec 20, 2018 10:54 am

Are you also working on the DFS function and possibly more logging of what is going on when DFS decides to change the frequency?
We would like to use DFS but now we can't because of the false detections... and no information about what is detected.
 
honzam
Forum Guru
Posts: 2340
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.44beta [testing] is released!

Thu Dec 20, 2018 1:52 pm

What do you mean by that? With scan list you will only reduce number of frequencies. After an upgrade your list will use all frequencies that are available in your country. From previous version point of view, nothing has been changed related to scan list or indoor/outdoor solutions. Indoor/outdoor selection should be introduced in upcoming beta versions.
The main point is that there is going to be a move from the outdoors to the indoors. Outdoor frequencies 5500-5700 are tuned anywhere from 5180 to 5700. So quietly indoors which is not legally correct. Is it written clearly?
LAN, FTTx, Wireless. ISP operator
 
honzam
Forum Guru
Posts: 2340
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.44beta [testing] is released!

Thu Dec 20, 2018 1:57 pm


First of all, this is a BETA release which should not be used anywhere near production.
Yes, I know. I tested it on non production part of network.
We have made a new setting for one of the next BETA releases, that will honour the "indoor/outdoor" parameter in the country-info list, and will not move you to an indoor-only frequency, so you will not have to make any custom scan lists.
Yes, that's exactly what I was suggesting. Divide it into indoor / outdoor

Anyway, I have to say that I would be more pleased if you solve ARM problems that you NOT comment in another topic.
LAN, FTTx, Wireless. ISP operator
 
normis
MikroTik Support
Posts: 25042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Thu Dec 20, 2018 2:03 pm

Not entirely correct. Our devices are certified to use those TX powers in Indoor frequencies too.
You are in the clear anyway
No answer to your question? How to write posts
 
tetecko
Frequent Visitor
Posts: 71
Joined: Sun Jun 11, 2006 7:44 pm

Re: v6.44beta [testing] is released!

Thu Dec 20, 2018 9:40 pm

Honzam
This frequency is not legal in our country. And this problem is due to simple upgrade RouterOS :(:(
We use official sources for frequencies allowed in each country. Are you sure you are correct on this one? We use information from Qualcomm chip and European Union.
Does not respect outdoor / indoor settings for EU countries.
In Czech Republic is outdoor 5500-5700. Indoor is 5180-5320.
After upgrade (6.44beta50) is AP running (with auto enabled DFS) on channel 5280 which is indoor !!! But selected channel is 5620. Thanks
THIS IS NOT CORRECT! try to read this link and you will have a CLEAR knowledge which is allowed in Czech Republic and which is not ... https://www.ctu.cz/cs/download/oop/rok_ ... 010-12.pdf
 
honzam
Forum Guru
Posts: 2340
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.44beta [testing] is released!

Thu Dec 20, 2018 10:45 pm

THIS IS NOT CORRECT! try to read this link and you will have a CLEAR knowledge which is allowed in Czech Republic and which is not .
I know this document. What exactly is wrong?
LAN, FTTx, Wireless. ISP operator
 
tetecko
Frequent Visitor
Posts: 71
Joined: Sun Jun 11, 2006 7:44 pm

Re: v6.44beta [testing] is released!

Thu Dec 20, 2018 11:59 pm

I know this document. What exactly is wrong?
outdoor is exactly 5470MHz-5725MHz not 5500MHz-5700MHz mentioned by you in older posts .. indoor exactly 5150MHz-5350MHz not 5180MHz-5320MHz mentioned by you.
 
honzam
Forum Guru
Posts: 2340
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 12:48 am

I know this document. What exactly is wrong?
outdoor is exactly 5470MHz-5725MHz not 5500MHz-5700MHz mentioned by you in older posts .. indoor exactly 5150MHz-5350MHz not 5180MHz-5320MHz mentioned by you.
Yes it is 5470-5725MHz, but it is commonly referred to as I wrote. (fully channels)
LAN, FTTx, Wireless. ISP operator
 
tetecko
Frequent Visitor
Posts: 71
Joined: Sun Jun 11, 2006 7:44 pm

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 8:14 am

Yes it is 5470-5725MHz, but it is commonly referred to as I wrote. (fully channels)
If Mikrotik wants to restrict use of superchannels, they have to follow ETSI/CZ rules at least. They don't. They push us to not using "czech_republic" settings, if we want to comply with our law's rules.
 
muetzekoeln
Member Candidate
Posts: 166
Joined: Fri Jun 29, 2018 2:34 pm

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 10:34 am

They push us to not using "czech_republic" settings, if we want to comply with our law's rules.

That's not true. Please read this thread carefully. The next Beta release will have indoor/outdoor option, so I guess the next stable release for your production environment will have it too.
Unfortunately the change to regulatory conformance was badly communicated by Mikrotik in the release notes.

What will be more of a concern is the future of Omnitik 5 devices in Europe. The regulators are about to shut them down soon. Let's hope Mikrotik really can prevent this from happening.
 
normis
MikroTik Support
Posts: 25042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 10:47 am

You guys are mixing up edge frequencies and center frequencies. Both ranges are correct.
MikroTik has many devices that are certified both for indoor and outdoor ranges, they can be used in those frequencies.
To avoid the possibility that DFS throws you into indoor/outdoor range, we have made another new setting in all next releases, where you can specify indoor or outdoor, or default = any.

None of these changes will break anything if you are already trying to follow country regulations, your links will remain the same.
If you have specific license to use other settings than defined by your country, you still have those options within other modes.
No answer to your question? How to write posts
 
mkx
Forum Guru
Posts: 6652
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 1:18 pm

... and second, according to CZ rules I can set 5480MHz ...
Which channel width do you use when trying to set centre frequency to 5480MHz?
BR,
Metod
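
The edge-versus-center point raised in the two posts above, as an added example that is not part of the original thread or MikroTik's code. The band edges are the figures quoted by posters here and are used as sample data only; all function names are hypothetical, and the width is assumed to be centered on the given frequency (RouterOS extension-channel notation such as "Ce" is not modelled).

```python
# Added example (not from the thread): edge vs. center frequencies.
# Band edges in MHz are the figures quoted by posters in this thread,
# used as sample data, not as an authoritative regulatory table.
BANDS = {
    "indoor": (5150, 5350),
    "outdoor": (5470, 5725),
}


def channel_to_center(channel):
    """5 GHz channel number -> center frequency in MHz."""
    return 5000 + 5 * channel


def occupied_range(center_mhz, width_mhz=20):
    """Lower and upper edge (MHz) of a channel, given its true center.

    Assumption: the width is split evenly around the center frequency.
    """
    half = width_mhz // 2
    return center_mhz - half, center_mhz + half


def band_for(center_mhz, width_mhz=20):
    """Band whose edges fully contain the channel, or None if it spills out."""
    low, high = occupied_range(center_mhz, width_mhz)
    for name, (band_low, band_high) in BANDS.items():
        if band_low <= low and high <= band_high:
            return name
    return None


def band_changed(configured_mhz, running_mhz, width_mhz=20):
    """True when the running channel sits in a different band than configured."""
    return band_for(configured_mhz, width_mhz) != band_for(running_mhz, width_mhz)


def report(cases):
    """Return one (center, width, low, high, band) row per (center, width)."""
    rows = []
    for center, width in cases:
        low, high = occupied_range(center, width)
        rows.append((center, width, low, high, band_for(center, width)))
    return rows


if __name__ == "__main__":
    # Center frequencies quoted in the thread, plus 5480 at two widths.
    cases = [(5180, 20), (5320, 20), (5500, 20), (5700, 20),
             (5480, 20), (5480, 40)]
    for row in report(cases):
        print("center %d width %d -> %d-%d MHz, band: %s" % row)
    # Configured vs. running frequencies reported after the upgrade.
    for configured, running in [(5640, 5240), (5620, 5280)]:
        print(configured, "->", running,
              "band changed:", band_changed(configured, running))
```

Containment here is arithmetic on the quoted edges only; it says nothing about what a regulator or a given RouterOS country profile actually permits.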
 
normis
MikroTik Support
Posts: 25042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 1:22 pm

They push us to not using "czech_republic" settings, if we want to comply with our law's rules.

That's not true. Please read this thread carefully. The next Beta release will have indoor/outdoor option, so I guess the next stable release for your production environment will have it too.
Unfortunately the change to regulatory conformance was badly communicated by Mikrotik in the release notes.

What will be more of a concern is the future of Omnitik 5 devices in Europe. The regulators are about to shut them down soon. Let's hope Mikrotik really can prevent this from happening.
The "Outdoor" setting is already in released versions, it's called "installation=outdoor/indoor/any".
No answer to your question? How to write posts
 
human1982
newbie
Posts: 29
Joined: Thu Aug 13, 2015 2:36 am

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 1:28 pm

... and second, according to CZ rules I can set 5480MHz ...
Which channel width do you use when trying to set centre frequency to 5480MHz?
5480Ce in Poland too. 5470-5725.
 
cowgirl
just joined
Posts: 5
Joined: Tue Dec 18, 2018 12:10 am
Location: South-West-Germany
Contact:

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 2:20 pm

6.44beta50 is crashing on my CRS328-24P-4S+. It reboots every few hours. (approx every 4h)

And on my CRS317-1G-16S+ the management IP address is not reachable (over my lacp-bonding link) for a while and then it comes back, while switching is working the whole time and the systems connected to it are reachable. Currently I can not check for reboots on the 317, because management is not reachable; also mac-telnet from the 328 is not working.....

The 317's management just came back now, no unexpected reboots there....
 
cowgirl
just joined
Posts: 5
Joined: Tue Dec 18, 2018 12:10 am
Location: South-West-Germany
Contact:

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 3:17 pm

CRS328-24P-4S+ crashed again. Only with approx. 2hours gap. Doing a little bit SMB File Copy jobs (50Gbyte)
 
TheCondor
just joined
Posts: 12
Joined: Sun Jul 26, 2015 4:00 pm

Re: v6.44beta [testing] is released!

Sun Dec 30, 2018 12:16 pm

In 6.44beta50 when I create a certificate, both with web GUI or shell command, I set subAltName but it disappears when saved (or signed). On stable I didn't have this problem.
 
kabal
just joined
Posts: 9
Joined: Sat Dec 25, 2010 6:03 pm
Location: Ukraine

Re: v6.44beta [testing] is released!

Sun Dec 30, 2018 11:45 pm

*) ppp - added "at-chat" command;

Does not work with USSD commands.

with at-chat:

/interface ppp-client at-chat 3 input="AT+CUSD=1,AA582C3602,15"
output: AT+CUSD=1,AA582C3602,15
OK


with serial-terminal:

/system serial-terminal port=usb4 channel=2
AT+CUSD=1,AA582C3602,15
OK

+CUSD: 1,"C2303BEC9E83602E980C2D77B340E2B7BB3E07C15C30185AEE7629542A95C2596E87F365
D0FA3D47D3D3F61FF10D8AC16067B91BE40E83E46174DDFD5E83F420F87BCEAE9FDFF93A88F82687E9
EBB73D0D3ACBDF73743A046587E961903D4D06C9CE72B722E6A286D70A",15
 
TheCondor
just joined
Posts: 12
Joined: Sun Jul 26, 2015 4:00 pm

Re: v6.44beta [testing] is released!

Wed Jan 02, 2019 8:16 pm

Multiple mode-config doesn't behave as intended with certificate matching.
I've tried to add 2 mode-configs and I want to assign a different ip pool to each.
Apart from the fact that it is better to implement an object of type "list" populated with multiple certificates, currently it's impossible to add multiple client certificate matching...
Policy matching should be intended as this, imho:

a group of client certificates that, when matched with a specific mode-config policy, assign an ip pool and a split tunnel.

Currently it's impossible to add a group of client certificates, just one cert.
Moreover, and this is what isn't working, the client checks just the first mode-config policy and if it's not matched skips the others. It should be a sequential checking through all the mode-config matching policies...
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Mon Jan 07, 2019 2:09 pm

Version 6.44beta54 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta54 (2019-Jan-07 08:27):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes in this release:

*) bridge - count routed FastPath packets between bridge ports under FastPath bridge statistics;
*) bridge - fixed BOOTP packet forwarding when DHCP Snooping is enabled;
*) crs317 - fixed packet forwarding when LACP is used with hw=no;
*) dhcpv6-server - allow to add DHCPv6 server with pool that does not exist;
*) ethernet - fixed VLAN1 forwarding on RB1100AHx4 and RB4011 devices;
*) ipsec - added new "remote-id" peer matcher (CLI only);
*) l2tp - fixed IPsec secret not being updated when "ipsec-secret" is changed under L2TP client configuration;
*) led - fixed PWR-LINE AP Ethernet LED polarity ("/system routerboard upgrade" required);
*) lte - added initial support for multiple APN for R11e-4G (new modem firmware required);
*) lte - fixed DHCP IP acquire (introduced in v6.43.7);
*) netinstall - do not show kernel failure critical messages in the log after fresh install;
*) routerboard - removed "RB" prefix from PWR-LINE AP devices;
*) sniffer - save packet capture in "802.11" type when sniffing on w60g interface in "sniff" mode;
*) snmp - fixed "rsrq" reported precision;
*) usb - improved power-reset error message when no bus specified on CCR1072-8G-1S+;
*) wireless - added new "installation" parameter to specify router's location;
*) wireless - show indoor/outdoor frequency limitations under "/interface wireless info country-info <country>" command;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
doush
Long time Member
Posts: 647
Joined: Thu Jun 04, 2009 3:11 pm

Re: v6.44beta [testing] is released!

Mon Jan 07, 2019 3:26 pm

Are you guys working for a fix for CCR1072 lockups ?
 
strods
MikroTik Support
Posts: 1446
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Mon Jan 07, 2019 5:17 pm

doush - Unfortunately we can not tell from description "lockups" to what kind of problem you are referring to. Please contact support@mikrotik.com directly, provide proper problem description (when did problem start to appear, how often do you see this issue, do you have any information what processes might trigger lockup) and supout file from your router/s. At the moment there are no known bugs that would lock up router. Either this is an unknown problem, hardware related issue or it is a configuration related problem. Without debugging we can not tell why is this happening with your router. At the moment of "lockup" can you access router over serial console?
 
nescafe2002
Forum Veteran
Posts: 846
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.44beta [testing] is released!

Mon Jan 07, 2019 11:10 pm

To anyone experiencing connectivity issues on bridge interface after upgrade to 6.44beta50 like me:
The RB is now sending out MNDP (udp/5678) packets with ip address of bridge and mac address of slave (physical port).
(In 6.44beta40 and before the packets were sent with the bridge's MAC address as source)
Client devices are now learning incorrect ip/mac combinations and will be unable to communicate with the RB, intermittently (arp is not affected).
This has been reported.

A work-around is to disable neighbor discovery for these interfaces.

(Note that there is a similar problem regarding internet-detect which causes same problem when enabled on slave interfaces)

Another (dirty) work-around is to enable bridge filtering (of any kind) after which RB will accept packets directed to the slave (physical) mac address.
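
A check for the symptom described in the post above, as an added example that is not part of the original post or MikroTik's code: it reads Ethernet frames, keeps UDP datagrams sent to port 5678 (MNDP), and reports IPv4 source addresses announced from more than one source MAC or from a MAC other than the expected bridge MAC. The frames, MAC addresses and 192.0.2.x addresses are constructed sample data, and the function names are hypothetical.

```python
import socket
import struct
from collections import defaultdict

MNDP_PORT = 5678  # udp/5678, as named in the post


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_udp_frame(frame: bytes):
    """Return (src_mac, src_ip, dst_port) for an IPv4/UDP Ethernet frame, else None."""
    if len(frame) < 14:
        return None
    src_mac = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == 0x8100:              # one 802.1Q tag: real EtherType follows it
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    version, ihl = frame[off] >> 4, (frame[off] & 0x0F) * 4
    if version != 4 or ihl < 20 or frame[off + 9] != 17:    # 17 = UDP
        return None
    if struct.unpack("!H", frame[off + 6:off + 8])[0] & 0x1FFF:
        return None                      # non-first fragment carries no UDP header
    if len(frame) < off + ihl + 8:
        return None
    src_ip = socket.inet_ntoa(frame[off + 12:off + 16])
    dst_port = struct.unpack("!H", frame[off + ihl + 2:off + ihl + 4])[0]
    return mac_str(src_mac), src_ip, dst_port


def mndp_ip_mac_conflicts(frames, expected=None):
    """Map each suspicious source IP to the sorted list of MACs announcing it.

    expected: optional {ip: mac} of the MAC each IP should be announced from
    (for a bridge IP, the bridge's own MAC).
    """
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_udp_frame(frame)
        if parsed and parsed[2] == MNDP_PORT:
            seen[parsed[1]].add(parsed[0])
    expected = expected or {}
    report = {}
    for ip, macs in seen.items():
        want = expected.get(ip)
        if len(macs) > 1 or (want and macs != {want.lower()}):
            report[ip] = sorted(macs)
    return report


def build_frame(src_mac, src_ip, dport, payload=b"\x00" * 4, vlan=None):
    """Build a constructed broadcast IPv4/UDP frame (checksums left at zero)."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    udp = struct.pack("!HHHH", dport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("255.255.255.255"))
    return eth + ip + udp


# Constructed sample: locally administered MACs, documentation-range addresses.
BRIDGE_MAC = "02:00:00:00:00:01"   # hypothetical bridge interface MAC
PORT_MAC = "02:00:00:00:00:02"     # hypothetical slave (physical port) MAC
SAMPLE_FRAMES = [
    build_frame(BRIDGE_MAC, "192.0.2.1", MNDP_PORT),          # pre-beta50 behaviour
    build_frame(PORT_MAC, "192.0.2.1", MNDP_PORT, vlan=10),   # bridge IP, slave MAC
    build_frame(PORT_MAC, "192.0.2.1", 53),                   # not MNDP, ignored
    build_frame("02:00:00:00:00:09", "192.0.2.7", MNDP_PORT), # unrelated neighbour
]

if __name__ == "__main__":
    for ip, macs in mndp_ip_mac_conflicts(SAMPLE_FRAMES, {"192.0.2.1": BRIDGE_MAC}).items():
        print(f"{ip} announced from {', '.join(macs)}")
```
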
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Jan 08, 2019 8:27 am

Multiple mode-config doesn't behave as intended with certificate matching.
I've tried to add 2 mode-configs and I want to assign a different ip pool to each.
Apart from the fact that it is better to implement an object of type "list" populated with multiple certificates, currently it's impossible to add multiple client certificate matching...
Policy matching should be intended as this, imho:

a group of client certificates that, when matched with a specific mode-config policy, assign an ip pool and a split tunnel.

Currently it's impossible to add a group of client certificates, just one cert.
Moreover, and this is what isn't working, the client checks just the first mode-config policy and if it's not matched skips the others. It should be a sequential checking through all the mode-config matching policies...
What exactly have you configured currently? Are you creating multiple IPsec identities and specifying different remote-certificates for each of them? Are these certificates from the same CA chain? That is not quite how we planned it to work. There is a 'remote-id' parameter, which is not in Winbox and is not implemented fully yet. You will be able to match the IPsec identity to a specific peer by this parameter.
 
doush
Long time Member
Posts: 647
Joined: Thu Jun 04, 2009 3:11 pm

Re: v6.44beta [testing] is released!

Sat Jan 12, 2019 4:39 pm

doush - Unfortunately we can not tell from description "lockups" to what kind of problem you are referring to. Please contact support@mikrotik.com directly, provide proper problem description (when did problem start to appear, how often do you see this issue, do you have any information what processes might trigger lockup) and supout file from your router/s. At the moment there are no known bugs that would lock up router. Either this is an unknown problem, hardware related issue or it is a configuration related problem. Without debugging we can not tell why is this happening with your router. At the moment of "lockup" can you access router over serial console?
Strods;
viewtopic.php?f=3&t=122525&start=50
There are watchdog reboots !
Please see the above thread. We have also contacted support and we have been told to turn off watchdog and check. When we do that, the router hangs and stays in that state.
We can't just stop gbits of traffic just to collect supout files for you over the serial interface. This is what you guys have to do. Issue is easily reproducible.
There are many people in the above thread having the same exact issue.
Ticket#2018091822007067 is also available but as I said we cannot just stop 8gbit/s of traffic for you for hours to collect supout files.
Please do not ignore this issue as it is not a config related problem at all.
At the moment of lockup (when watchdog is turned off), I haven't tried the serial because of panic that it creates when all your traffic stops. Powercycle fixes the problem.
When watchdog is on, it reboots.
Please work with us in this issue.
 
notToNew
Member Candidate
Posts: 173
Joined: Fri Feb 19, 2016 3:15 pm

Re: v6.44beta [testing] is released!

Sat Jan 12, 2019 7:26 pm


When watchdog is on, it reboots.
Please work with us in this issue.
And where is the version specific part of this? As I see it it's nothing new to this beta.... So please stay in the other thread.
--------------------------------------------------------------------------------------------
CCR1036-12G-4S, several 952Ui-5ac2nD, ...
 
doush
Long time Member
Posts: 647
Joined: Thu Jun 04, 2009 3:11 pm

Re: v6.44beta [testing] is released!

Mon Jan 14, 2019 3:52 pm


When watchdog is on, it reboots.
Please work with us in this issue.
And where is the version specific part of this? As I see it it's nothing new to this beta.... So please stay in the other thread.
This problem is still valid with the latest stable build !
And we don't see any work about it in the latest beta versions at all. Should be fair enough to post in this thread and raise awareness.
 
andriys
Forum Guru
Posts: 1464
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.44beta [testing] is released!

Mon Jan 14, 2019 9:01 pm

doush Nobody except you complains, which means it's either faulty hardware or a configuration specific issue. A couple of posts ago you said you are not willing to supply support@ with the info they asked you for. Being software developer myself, I can assure you this is a road to nowhere...
 
null31
Member Candidate
Posts: 184
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: v6.44beta [testing] is released!

Tue Jan 15, 2019 12:00 am

Dear MikroTik Staff.
*) dhcpv6-server - allow to add DHCPv6 server with pool that does not exist;
Is this fix related to the ticket #2018122622000391?
I ask because I didn't receive a reply for the ticket.
 
pe1chl
Forum Guru
Posts: 7793
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Tue Jan 15, 2019 3:20 pm

It is probably related to a problem I also reported to them: when you import an export which contains a server and pool
the import fails because the pool appears in the export after the server. Apparently it was not easy to export the pool
definitions before the server definitions (or there would be another unresolved reference) and it was now solved this way.
 
null31
Member Candidate
Posts: 184
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: v6.44beta [testing] is released!

Wed Jan 16, 2019 8:42 pm

So isn't related.
The bug I reported is when DHCPv6-PD gets the pool name through Radius and creates a route with blank next-hop to the CPE. The router receives the link-local addr from the CPE, but doesn't add it to the prefix that was delegated.
The connection method I tested was plain DHCPv6 (IPoE without op82).

Like the image https://i.imgur.com/Oq08c0U.png
 
doush
Long time Member
Posts: 647
Joined: Thu Jun 04, 2009 3:11 pm

Re: v6.44beta [testing] is released!

Thu Jan 17, 2019 2:32 pm

doush Nobody except you complains, which means it's either faulty hardware or a configuration specific issue. A couple of posts ago you said you are not willing to supply support@ with the info they asked you for. Being software developer myself, I can assure you this is a road to nowhere...
Did you even read my post ?
Check the below thread and see if I am the only one complaining.
viewtopic.php?f=3&t=122525

We are still desperately waiting for a fix for this issue and ready to try any possible fix in new beta versions.. and NO I cannot just turn off watchdog and wait for the next halt which may happen anytime in the middle of the night to collect support files while all the network is down.
 
normis
MikroTik Support
Posts: 25042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Thu Jan 17, 2019 4:44 pm

"My router reboots" is a very generic problem, all kinds of issues are gathered in that topic.
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.44beta [testing] is released!

Thu Jan 17, 2019 6:30 pm

I am running testing versions on my wAP with R11e-LTE. Recently the lte interface does not reliably connect after boot, I have to reboot the device then. This worked pretty well before, so I am sure this is a regression from beta50 to beta54.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
For contact join the RouterOS-Scripts Telegram group!
 
zyzelis
Member Candidate
Posts: 213
Joined: Sun Apr 08, 2012 9:25 pm

Re: v6.44beta [testing] is released!

Thu Jan 17, 2019 8:03 pm

"My router reboots" is a very generic problem, all kinds of issues are gathered in that topic.
Normis, do you work for ubnt?
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 9:50 am

Version 6.44beta61 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta61 (2019-Jan-17 13:24):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes in this release:

!) ipsec - added new "identity" menu with common peer distinguishers;
*) bridge - fixed BOOTP packet forwarding when DHCP Snooping is enabled;
*) certificate - added support for multiple "Subject Alt. Names";
*) certificate - enabled RC2 cipher to allow P12 certificate decryption;
*) chr - improved system stability when insufficient resources are allocated to the guest;
*) console - updated copyright notice;
*) crs3xx - fixed slow bootup, upgrade and SFP status read (introduced in v6.44beta20);
*) gps - moved "coordinate-format" from "monitor" command to "set" parameter;
*) ike1 - fixed "rsa-key" authentication (introduced in v6.44beta);
*) ipsec - accept only valid path for "export-pub-key" parameter in "key" menu;
*) ipsec - added new "remote-id" peer matcher;
*) ipsec - fixed all policies not getting installed after startup (introduced in v6.43.8);
*) ipsec - moved "profile" menu outside "peer" menu;
*) lcd - made "pin" parameter sensitive;
*) led - fixed default LED configuration for RBSXTsq-60ad;
*) lte - fixed DHCP IP acquire in 3G mode for r11e-lte (introduced in v6.44beta54);
*) lte - fixed reported "rsrq" precision (introduced in v6.43.8);
*) profile - removed obsolete "file-name" parameter;
*) radius - implemented Proxy-State attribute handling in CoA and disconnect requests;
*) rb4011 - improved SFP+ interface linking to 1Gbps;
*) ssh - close active SSH connections before IPsec connections on shutdown;
*) ssh - fixed public key format compatibility with RFC4716;
*) supout - fixed "poe-out" output not showing all interfaces;
*) system - accept only valid path for "log-file" parameter in "port" menu;
*) system - removed obsolete "/driver" command;
*) tr069-client - added "check-certificate" parameter to allow communication without certificates;
*) tr069-client - added support for InformParameter object;
*) tr069-client - fixed certificate verification for certificates with IP address;
*) tr069-client - increased reported "rsrq" precision;
*) vrrp - made "password" parameter sensitive;
*) winbox - added "allow-dual-stack-queue" parameter in "IP/DHCP Server" and "IPv6/DHCP Server" menus;
*) winbox - added "conflict-detection" parameter in "IP/DHCP Server" menu;
*) winbox - added "coordinate-format" parameter in LTE interface settings;
*) winbox - allow specifying interface lists in "CAPsMAN/Access List" menu;
*) winbox - fixed "IPv6/Firewall" "Connection limit" parameter not allowing complete IPv6 prefix lengths;
*) winbox - fixed L2MTU parameter setting on "W60G" type interfaces;
*) winbox - fixed "LCD" menu not shown on RB2011UiAS-2HnD;
*) winbox - moved "Too Long" statistics counter to Ethernet "Rx Stats" tab;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 12:16 pm

!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
[admin@MikroTik] /system backup cloud> print 
-- connecting
Server error: Backend error. Try again later.

Breakage in version or issue with servers?
Edit: Works again, was a server issue.
*) console - updated copyright notice;
The copyright notice still has a link with http-schema. You should really change that to https.
*) ipsec - added new "remote-id" peer matcher;
Thanks, have to play with this...
*) lte - fixed DHCP IP acquire in 3G mode for r11e-lte (introduced in v6.44beta54);
Thanks for fixing!
*) ssh - close active SSH connections before IPsec connections on shutdown;
That change is very welcome. Thanks a lot!
Last edited by eworm on Fri Jan 18, 2019 5:37 pm, edited 1 time in total.
 
Jotne
Forum Guru
Posts: 2342
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 2:26 pm

Please remove OS version from telnet. It is not needed.

I do use telnet to connect to Mikrotik Router using VPN connection.
It does respond by telling both what it is and what version it has before you login.
/system telnet 10.2.0.16
Trying 10.2.0.16...
Connected to 10.2.0.16.
Escape character is '^]'.

MikroTik v6.43.8 (stable)
Login:
 
Try Splunk> to monitor your MikroTik Router(s). How to set it up. :mrgreen:

MikroTik->Splunk
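
The pre-login disclosure raised in this post can be audited on your own devices from a captured banner. The following is an added example, not part of the original post: it strips Telnet option negotiation from the captured bytes and reports any version string the server sends before the login prompt. The sample captures are constructed, modelled on the banner quoted above, and the function names are hypothetical.

```python
import re

IAC, SB, SE = 255, 250, 240
NEGOTIATION = {251, 252, 253, 254}   # WILL, WONT, DO, DONT: each takes one option byte

# Dotted version such as 6.43.8 or 6.44beta61; the look-arounds keep
# dotted quads (IPv4 addresses) from being reported as versions.
VERSION_RE = re.compile(
    r"(?<![\w.])v?(\d+\.\d+(?:\.\d+)?(?:(?:beta|rc)\d+)?)(?![\w.]*\d)")
LOGIN_RE = re.compile(r"^\s*(login|username)\s*:", re.IGNORECASE | re.MULTILINE)


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove Telnet IAC command sequences, keeping only the text the user sees."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= n:                 # capture ends in the middle of a command
            break
        cmd = data[i + 1]
        if cmd == IAC:                 # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in NEGOTIATION:
            i += 3
        elif cmd == SB:                # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            i = end + 2
        else:                          # remaining commands are two bytes long
            i += 2
    return bytes(out)


def audit_prelogin_banner(raw: bytes) -> dict:
    """Report version strings that appear before the login prompt."""
    text = strip_telnet_negotiation(raw).decode("latin-1")
    prompt = LOGIN_RE.search(text)
    prelogin = text[:prompt.start()] if prompt else text
    disclosures = []
    for line in prelogin.splitlines():
        match = VERSION_RE.search(line)
        if match:
            disclosures.append({"line": line.strip(), "version": match.group(1)})
    return {"login_prompt_seen": bool(prompt), "disclosures": disclosures}


# Constructed captures: option negotiation followed by the server's text.
SAMPLE_BANNER = (b"\xff\xfd\x18\xff\xfd\x1f\xff\xfb\x01\xff\xfb\x03"
                 b"\r\n\r\nMikroTik v6.43.8 (stable)\r\nLogin: ")
SAMPLE_QUIET = b"\xff\xfb\x01\r\nLogin: "

if __name__ == "__main__":
    for name, capture in (("banner", SAMPLE_BANNER), ("quiet", SAMPLE_QUIET)):
        print(name, audit_prelogin_banner(capture))
```
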
 
 
normis
MikroTik Support
Posts: 25042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 4:24 pm

Jotne, sorry, I do not understand. Where is the problem with the version in Telnet?
 
Chupaka
Forum Guru
Posts: 8580
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 4:29 pm

The problem is it tells you about version number even if you're not logged in
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Cha0s
Forum Guru
Posts: 1072
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 4:35 pm

Same with the web interface.
 
patrick7
Member
Posts: 304
Joined: Sat Jul 20, 2013 2:40 pm

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 4:52 pm

security by obscurity
 
pcunite
Forum Guru
Posts: 1189
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 1:41 am

Version 6.44beta61 has been released.

rb4011 - improved SFP+ interface linking to 1Gbps;

Does this mean the S-RJ01 is now compatible with the RB4011?
 
Jotne
Forum Guru
Posts: 2342
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 9:53 am

With any communication you should not give away any information before login.
If you look at forum.mikrotik.com it does use phpBB. On older versions you could see at the bottom what version it was.
This was removed due to security and the fact that hackers were targeting some specific version.

As I wrote in my post above, I do not need it, so remove it.
And as @Cha0s writes, same for web interface. Remove it.
 
 
 
pe1chl
Forum Guru
Posts: 7793
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 11:49 am

Does this mean the S-RJ01 is now compatible with the RB4011?
The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.
Look at the S-RJ01 page. It is only for actively-cooled devices!
Hopefully some time, after yet more advances in technology, it will be possible to produce an SFP+ ethernet adapter that does not dissipate so much power.
Then it could work.
 
msatter
Forum Guru
Posts: 2317
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 1:17 pm

All software/interfaces by Mikrotik mention the software version before login, including the Android app.

Then this must be something Mikrotik wants to communicate up front. So you can think to have RouterOS not share the current version of it and state a null value.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS. However, 'happy' with giving money to Italy.

Running:
RouterOS 7RC4 and 6.49RC / Winbox 3.31 64bits
 
marcbou
just joined
Posts: 9
Joined: Tue Jul 03, 2018 11:19 am

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 1:42 pm

Hi

Installed 6.44beta61, but it seems there are issues with "/ip ipsec identity my-id" matching for fqdn:, user-fqdn: and even address:ipv4 types. It doesn't seem to work with Remote ID on iOS devices with IKEv2 in pre-shared-key mode.

I was only able to get it to work by specifying the router's static IP as RemoteID on the client iOS device and keeping my-id set to auto (default) in /ip ipsec identity.

my-id=fqdn:domain.com matching does however work if auth-method=rsa-signature with certificate.

It is a road-warrior type setup with the MikroTik router as VPN server on a static IP, and client iOS and MacOS X devices connecting from dynamic IPs.

This is with a RB3011. We have a similar setup with a CCR1009 where it seems the ipsec crashes (hangs) upon access attempts with auth-method=pre-shared-key. Works with rsa-signature/certificate.

Also would it be possible to add support for disabling/enabling /ip ipsec identity entries?

The config looks like:

# jan/19/2019 06:31:50 by RouterOS 6.44beta61
#
# model = RouterBOARD 3011UiAS
/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=\
ipsec-modecfg
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1w \
name=proposal_1
/ip ipsec peer
add exchange-mode=ike2 local-address=<routerspublicipv4> name=peer_vpn passive=yes \
profile=proposal_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
lifetime=2d pfs-group=none
/ip ipsec identity
add generate-policy=port-strict mode-config=ipsec-modecfg peer=\
peer_vpn remote-id=user-fqdn:usera@domain.com secret=usera_secret
add generate-policy=port-strict mode-config=ipsec-modecfg peer=\
peer_vpn remote-id=user-fqdn:userb@domain.com secret=userb_secret
/ip ipsec policy
set 0 dst-address=192.168.71.0/24 src-address=0.0.0.0/0
add dst-address=192.168.72.0/24 src-address=0.0.0.0/0 template=yes

Thanks,

Marc
 
Paternot
Forum Veteran
Posts: 912
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 3:50 pm

Does this mean the S-RJ01 is now compatible with the RB4011?
The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.
Look at the S-RJ01 page. It is only for actively-cooled devices!
Hopefully some time, after yet more advances in technology, it will be possible to produce an SFP+ ethernet adapter that does not dissipate so much power.
Then it could work.
The compatibility table disagrees with You:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

They are supported on the CSS/CRS326-24G-2S+ models - and they are passively cooled switches. Also, they run on RB3011, RB2011, RB260 and many other passively cooled devices.
 
nescafe2002
Forum Veteran
Posts: 846
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 5:19 pm

What's new in 6.44beta61 (2019-Jan-17 13:24):

*) rb4011 - improved SFP+ interface linking to 1Gbps;

I can confirm FS 1000BASE-BX BiDi SFP 1310nm-TX/1490nm-RX 20km DOM Transceiver Module ( https://www.fs.com/products/20184.html ) is working fine together with a 1Gbit FTTH provider, as long as the speed matches (note that winbox hides this setting when autonegotiation is on, so you'll have to disable autoneg to change speed or use cli).

/interface ethernet
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=1Gbps # link
set sfp-sfpplus1 auto-negotiation=yes full-duplex=no speed=10Mbps # link (detected/actual rate 1Gbps FD)
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=100Mbps # flapping
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=10Gbps # flapping
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes speed=1Gbps # link
set sfp-sfpplus1 auto-negotiation=no full-duplex=no speed=1Gbps # router crash
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes&no speed=10Mbps # link (detected rate 10Mbps, actual rate 1Gbps)
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes&no speed=100Mbps # flapping
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes speed=10Gbps # no link
 
pcunite
Forum Guru
Posts: 1189
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 5:28 pm

The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.

The compatibility table disagrees with You:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

The S-RJ01 is supported on the CSS/CRS326-24G-2S+ models - and they are passively cooled switches. Also, they run on RB3011, RB2011, RB260 and many other passively cooled devices.

Yeah, I guess it's not clear what works unless one consults the compatibility table. So, the S+RJ10 does work, but the S-RJ01 does not? I have not been able to get my S-RJ01 to work with the RB4011 and was hoping it was only a software issue.
 
Paternot
Forum Veteran
Posts: 912
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 8:36 pm

The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.

The compatibility table disagrees with You:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

The S-RJ01 is supported on the CSS/CRS326-24G-2S+ models - and they are passively cooled switches. Also, they run on RB3011, RB2011, RB260 and many other passively cooled devices.

Yeah, I guess its not clear what works unless one consults the compatibility table. So, the S+RJ10 does work, but the S-RJ01 does not? I have not been able to get my S-RJ01 to work with the RB4011 and was hoping it was only a software issue.
Yes, it is weird. I have no idea where this limitation comes from.
 
Bergante
Member Candidate
Posts: 143
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: v6.44beta [testing] is released!

Mon Jan 21, 2019 11:02 am

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
 
Bergante
Member Candidate
Posts: 143
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: v6.44beta [testing] is released!

Mon Jan 21, 2019 11:05 am

Version 6.44beta61 has been released.

*) rb4011 - improved SFP+ interface linking to 1Gbps;
This one looks promising and, indeed, there is a clear improvement.

I am testing a rb4011 linked to a HP switch and now it works with autonegotiation on it seems. I am using a pair of Mikrotik 1000BASE-LH transceivers (S-31DLC20D).

That's great because autonegotiation is considered mandatory in GbE and disabling it can lead to unpredictable problems.

So, I hope SFPs will be properly supported in SFP+ cages. Otherwise the only real solution would be to include both types of cages like some manufacturers do.
 
muetzekoeln
Member Candidate
Posts: 166
Joined: Fri Jun 29, 2018 2:34 pm

Re: v6.44beta [testing] is released!

Mon Jan 21, 2019 12:15 pm

Please remove OS version from telnet. It is not needed.
+1

I too plead for data stinginess. Only disclose data when/where needed. This is the same thinking as a default deny-all rule in firewalls.
For me the ROS version is of no value at login prompt. And MT did not explain why they broadcast ROS version in WiFi beacons
(viewtopic.php?p=709410).

At login prompt it makes much more sense to me, to display given system identity name (/System identity). So you can check if you are logging into the intended system (if you have more than one, that is).
Last edited by muetzekoeln on Wed Jan 23, 2019 1:12 pm, edited 3 times in total.
 
normis
MikroTik Support
Posts: 25042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Mon Jan 21, 2019 2:46 pm

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number
No answer to your question? How to write posts
 
skylark
MikroTik Support
Posts: 141
Joined: Wed Feb 10, 2016 3:55 pm

Re: v6.44beta [testing] is released!

Tue Jan 22, 2019 10:19 am

Version 6.44beta61 has been released.

rb4011 - improved SFP+ interface linking to 1Gbps;

Does this mean the S-RJ01 is now compatible with the RB4011?
Yes, with the latest beta S-RJ01 also should work.

We will update compatibility table when this fix will be included in the stable version.
 
msatter
Forum Guru
Posts: 2317
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Tue Jan 22, 2019 12:44 pm

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number
But it saves the untrusted person the trouble to test which tool to use. Or just see beforehand that none of the available tools is going to work and move on.

Make it the owner's choice/responsibility whether it is shown or not.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS. However, 'happy' with giving money to Italy.

Running:
RouterOS 7RC4 and 6.49RC / Winbox 3.31 64bits
 
Bergante
Member Candidate
Posts: 143
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: v6.44beta [testing] is released!

Tue Jan 22, 2019 1:21 pm

Version 6.44beta61 has been released.

rb4011 - improved SFP+ interface linking to 1Gbps;

Does this mean the S-RJ01 is now compatible with the RB4011?
Yes, with the latest beta S-RJ01 also should work.

We will update compatibility table when this fix will be included in the stable version.
The Interface/Ethernet section of the documentation should be updated as well.

The manual says that the speed attribute of an Ethernet interface only takes effect when auto negotiation is disabled.

Actually, at least on a rb4011 running 6.44beta61 speed does work with auto negotiation on. The SFP I have tried,
Mikrotik's single mode ones (S-31DLC20D) work with auto negotiation set to on as long as the speed attribute is set to 1 Gbps.

So it's working as a mode selector for the SFP/SFP+ cage.

Now I wonder, can't you make that automatic? Reading the EEPROM of the SFP the system determines which kind of SFP it is. So it should be easy to decide whether to configure it for 1 Gbps or 10 Gbps.
 
pe1chl
Forum Guru
Posts: 7793
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Wed Jan 23, 2019 12:52 pm

61 builds in the 6.44 beta and we are still waiting for IPv6 improvements!
Come on guys, it is 2019 now. We really need IPv6 policy routing, IPv6 per-connection queueing, IPv6 firewall features on par with IPv4 (like L7 matching), etc etc etc.

You cannot handle IPv6 as a bolt-on feature to satisfy a small number of demanding users. It has to be part of the mainstream, with all the support that there is for IPv4.
 
muetzekoeln
Member Candidate
Posts: 166
Joined: Fri Jun 29, 2018 2:34 pm

Re: v6.44beta [testing] is released!

Wed Jan 23, 2019 1:15 pm

Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering.

You are right with this statement, but impacts of the latest ROS vulnerability show this ideal is not the real world.
 
wilsonlmh
newbie
Posts: 26
Joined: Fri Oct 10, 2014 9:44 pm

Re: v6.44beta [testing] is released!

Wed Jan 23, 2019 2:03 pm

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number
This isn't true for SSH:
telnet 192.168.88.1 22
Trying 192.168.88.1...
Connected to 192.168.88.1.
Escape character is '^]'.
SSH-2.0-ROSSSH
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Thu Jan 31, 2019 10:40 am

Installed 6.44beta61, but it seems there are issues with "/ip ipsec identity my-id" matching for fqdn:, user-fqdn: and even address:ipv4 types. It doesn't seem to work with Remote ID on iOS devices with IKEv2 in pre-shared-key mode.
It works for me. Please check the IPsec debug logs and find out what ID_I and ID_R fields are actually received from the client.
10:35:04 ipsec processing payload: ID_I 
10:35:04 ipsec ID_I (RFC822): usera@domain.com 
10:35:04 ipsec processing payload: ID_R 
10:35:04 ipsec ID_R (ADDR4): 10.155.130.204 
ID_I is the initiator's ID (what you specify as Local ID under your iOS). ID_R is the responder's ID (the Remote ID when looking from iOS). You can enable debug logs with
/system logging add topics=ipsec,!debug

As for the crashing part, it would be necessary to see the supout.rif file from your device. Please generate and send this file to support@mikrotik.com
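
One way to automate the check described in the post above, as an added example that is not part of the original post or MikroTik's own code: it extracts the ID_I/ID_R values from log lines formatted like the excerpt and compares them with the responder's my-id and remote-id. The `FQDN` log label, the function names and the settings passed in are assumptions; the sample log repeats the four quoted lines.

```python
import re

# Log label -> prefix used in my-id / remote-id. RFC822 and ADDR4 come from the
# log excerpt in the post above; the FQDN label is an assumption.
LOG_TYPE_TO_PREFIX = {"RFC822": "user-fqdn", "ADDR4": "address", "FQDN": "fqdn"}

# Matches "10:35:04 ipsec ID_I (RFC822): usera@domain.com" but not the
# "processing payload: ID_I" lines that precede it.
ID_LINE = re.compile(
    r"^\s*\d{2}:\d{2}:\d{2}\s+ipsec\s+(ID_[IR])\s+\(([^)]+)\):\s*(\S.*?)\s*$"
)

# Constructed sample: the four lines quoted in the post above.
SAMPLE_LOG = """\
10:35:04 ipsec processing payload: ID_I
10:35:04 ipsec ID_I (RFC822): usera@domain.com
10:35:04 ipsec processing payload: ID_R
10:35:04 ipsec ID_R (ADDR4): 10.155.130.204
"""


def parse_exchanges(log_text):
    """Return one dict per negotiation: {"ID_I": (type, value), "ID_R": (type, value)}."""
    exchanges = []
    for line in log_text.splitlines():
        m = ID_LINE.match(line)
        if not m:
            continue  # "processing payload" and unrelated lines
        field, id_type, value = m.groups()
        # An ID_I starts a new negotiation; an ID_R belongs to the latest one.
        if field == "ID_I" or not exchanges:
            exchanges.append({})
        exchanges[-1][field] = (id_type, value)
    return exchanges


def as_identity(id_type, value):
    """Render a logged ID the way it is written in my-id / remote-id."""
    prefix = LOG_TYPE_TO_PREFIX.get(id_type)
    return f"{prefix}:{value}" if prefix else None


def compare(setting, configured, received):
    """Compare one configured identity with the ID seen in the log."""
    if received is None:
        return f"{setting}: no matching ID payload in log"
    if configured in ("auto", "ignore"):
        return None  # no literal value to compare against
    seen = as_identity(*received)
    if seen is None:
        return f"{setting}: unhandled ID type {received[0]} ({received[1]})"
    if seen == configured:
        return None
    cfg_type, _, cfg_value = configured.partition(":")
    seen_type, _, seen_value = seen.partition(":")
    if cfg_value == seen_value:
        # Same string, different ID type: e.g. fqdn: configured, RFC822 received.
        return (f"{setting}: type mismatch, configured {cfg_type} "
                f"but client sent {seen_type}; use {seen}")
    return f"{setting}: value mismatch, configured {configured} but client sent {seen}"


def check_responder(exchange, my_id, remote_id):
    """On the responder, remote-id is compared with ID_I and my-id with ID_R."""
    findings = [
        compare("remote-id", remote_id, exchange.get("ID_I")),
        compare("my-id", my_id, exchange.get("ID_R")),
    ]
    return [f for f in findings if f]


if __name__ == "__main__":
    for ex in parse_exchanges(SAMPLE_LOG):
        # Hypothetical settings: remote-id entered as fqdn: although the
        # client sends an RFC822 (user-fqdn) identity.
        for finding in check_responder(ex, "address:10.155.130.204",
                                       "fqdn:usera@domain.com"):
            print(finding)
```
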
 
BG4DRL
just joined
Posts: 7
Joined: Sat Jan 26, 2019 4:00 pm

Re: v6.44beta [testing] is released!

Thu Jan 31, 2019 6:08 pm

wap 60G ap udp both up to 850Mbps ! very nice this Beta61
 
nescafe2002
Forum Veteran
Posts: 846
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.44beta [testing] is released!

Tue Feb 05, 2019 1:07 pm

Since I've spent some time restoring VPN functionality.. here are my 6.44beta61 IKEv2 settings for iOS, macOS and Windows clients.
Windows only seems to work with identity my-id=auto and remote-id=auto.
Afaik you cannot add a secondary peer for Windows default ipsec settings, so you should alter these using powershell.

Certificate generation:

/certificate
add name=my.ca common-name=my.ca key-usage=key-cert-sign,crl-sign
sign my.ca
add name=vpn.server common-name=vpn.server subject-alt-name=DNS:vpn.company.com key-usage=tls-server
sign vpn.server ca=my.ca
add name=vpn.client.ios common-name=vpn.client.ios key-usage=tls-client
sign vpn.client.ios ca=my.ca
add name=vpn.client.macos common-name=vpn.client.macos key-usage=tls-client
sign vpn.client.macos ca=my.ca
add name=vpn.client.windows common-name=vpn.client.windows key-usage=tls-client
sign vpn.client.windows ca=my.ca

(Certificates don't have to be trusted)

Certificate export:

/certificate
export-certificate my.ca
export-certificate vpn.client.ios export-passphrase=1234 type=pkcs12
export-certificate vpn.client.macos export-passphrase=1234 type=pkcs12
export-certificate vpn.client.windows export-passphrase=1234 type=pkcs12

IKEv2 server setup:

/ip ipsec policy group
add name=ike2
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d name=ike2 pfs-group=none
/ip ipsec policy
add comment=ike2 group=ike2 proposal=ike2 template=yes
/ip pool
add name=ike2 ranges=192.168.88.100-192.168.88.150
/ip ipsec mode-config
add address-pool=ike2 name=ike2

Peer setup:

/ip ipsec peer
add comment=ike2 exchange-mode=ike2 name=ike2 passive=yes profile=ike2

Identity setup:

/ip ipsec identity
add auth-method=rsa-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2 my-id=fqdn:vpn.company.com \
    peer=ike2 policy-template-group=ike2 remote-certificate=vpn.client.ios remote-id=fqdn:vpn.client.ios
add auth-method=rsa-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2 my-id=fqdn:vpn.company.com \
    peer=ike2 policy-template-group=ike2 remote-certificate=vpn.client.macos remote-id=fqdn:vpn.client.macos
add auth-method=rsa-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2 \
    peer=ike2 policy-template-group=ike2 remote-certificate=vpn.client.windows

iOS setup:

Type: IKEv2
Server: vpn.company.com
External ID: vpn.company.com
Local ID: vpn.client.ios
User authentication: None
Use certificate: Yes
Certificate: vpn.client.ios

macOS setup:

Type: IKEv2
Server: vpn.company.com
External ID: vpn.company.com
Local ID: vpn.client.macos
User authentication: None
Use certificate: Yes
Certificate: vpn.client.macos

Windows client setup (you need Powershell to set hash/enc/dh/pfs, so I scripted all):

$securePassword = ConvertTo-SecureString -String "1234" -AsPlainText -Force
Import-PfxCertificate -FilePath cert_export_vpn.client.windows.p12 -CertStoreLocation Cert:\LocalMachine\My -Password $securePassword
Import-Certificate -FilePath cert_export_my.ca.crt -CertStoreLocation Cert:\LocalMachine\Root
Add-VpnConnection -Name "Company" -ServerAddress vpn.company.com -TunnelType Ikev2 -AuthenticationMethod MachineCertificate
Set-VpnConnectionIPsecConfiguration -ConnectionName "Company" -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup None -Force
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Feb 05, 2019 1:19 pm

The next version will have some more changes for IPsec Identities to make it clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check the IPsec debug logs and find out what actual ID (IDi) value is sent by the initiator.

I will update the wiki page when we come closer to the actual 6.44 release. Basically "auto" will check (verify) the IDi with the client's certificate, so they have to match! "ignore" will not care about the initiator's ID.
 
pe1chl
Forum Guru
Posts: 7793
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Tue Feb 05, 2019 3:13 pm

Would it be possible (during the rework of the IPsec code) to also add a phase1 "on up" and "on down" script?
(that receives parameters like the remote-id, remote-IP etc)
This script could then add/delete phase2 settings e.g. a GRE tunnel.
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.44beta [testing] is released!

Tue Feb 05, 2019 4:01 pm

Would it be possible (during the rework of the IPsec code) to also add a phase1 "on up" and "on down" script?
(that receives parameters like the remote-id, remote-IP etc)
This script could then add/delete phase2 settings e.g. a GRE tunnel.
Yes, please! Hooking a script would be much appreciated. Currently I have a script running every 30 seconds to update gre interfaces...
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
For contact join the RouterOS-Scripts Telegram group!
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Feb 05, 2019 4:15 pm

Thank you for the feedback. Definitely not in this release, but I will see if we can add it in the near future.
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.44beta [testing] is released!

Sat Feb 09, 2019 2:10 am

Much time spent on ipsec when one could spend time on wireguard and have better VPN.
 
pe1chl
Forum Guru
Posts: 7793
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Sat Feb 09, 2019 11:18 am

Much time spent on ipsec when one could spend time on wireguard and have better VPN.
Wireguard is not a better VPN. It is an immature product with a vocal community around it.
IPsec is widely supported amongst industry standard routers and does not require lame "+1 for Wireguard" 1-time posters.
 
berzerker
just joined
Posts: 23
Joined: Thu Oct 26, 2017 6:55 am

Re: v6.44beta [testing] is released!

Mon Feb 11, 2019 6:12 am

CRS328-24P-4S+RM: I'm unable to log into the console on 6.44beta61, anyone experiencing a similar issue? Tried with multiple cables. Couple of CRS112s I have on 6.43.8 work fine.
 
emils
MikroTik Support
Topic Author
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Mon Feb 11, 2019 3:35 pm

Version 6.44beta75 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta75 (2019-Feb-08 08:02):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes in this release:

!) ipsec - added new "identity" menu with common peer distinguishers;
!) winbox - improvements in connection handling to router with open winbox service (CVE-2019-3924);
*) bridge - fixed log message when hardware offloading is being enabled;
*) bridge - fixed packet forwarding with enabled DHCP Snooping and Option 82;
*) bridge - fixed system's identity change when DHCP Snooping is enabled (introduced in v6.44beta61);
*) bridge - improved packet handling when hardware offloading is being disabled;
*) certificate - show digest algorithm used in signature;
*) chr - distribute NIC queue IRQ's evenly across all CPUs;
*) chr - fixed IRQ balancing when using more than 32 CPUs;
*) crs3xx - fixed packet forwarding through SFP+ ports when using 100Mbps link speed;
*) crs3xx - fixed SFP+ linking using 1.25G SFP modules (introduced in v6.44beta39);
*) dhcpv6-server - fixed missing gateway for binding's network if RADIUS authentication was used;
*) dhcpv6-server - show "client-address" parameter for bindings;
*) ethernet - added "tx-rx-1024-max" counter to Ethernet stats;
*) ethernet - fixed packet forwarding when SFP interface is disabled on hEX S;
*) fetch - added option to specify multiple headers under "http-header-field", including content type;
*) fetch - improved stability when using HTTP mode;
*) fetch - removed "http-content-type" parameter;
*) gps - increase precision for dd format;
*) hotspot - added "https-redirect" under server profiles;
*) ike2 - retry RSA signature validation with deduced digest from certificate;
*) ipsec - require write policy for key generation;
*) kidcontrol - use "/128" prefix-length for IPv6 addresses;
*) lldp - fixed missing capabilities fields on some devices;
*) lte - added multiple APN support for R11e-4G;
*) lte - fixed passthrough DHCP address forward when other address is acquired from operator;
*) lte - improved SIM7600 initialization after reset;
*) lte - query "cfun" on initialization;
*) lte - require write policy for at-chat;
*) lte - update firmware version information after R11e-LTE/R11e-4G firmware upgrade;
*) ntp-client - fixed "dst-active" and "gmt-offset" being updated after synchronization with server;
*) ppp - fixed dynamic route creation towards VPN server when "add-default-route" is used;
*) quickset - fixed "country" parameter not properly setting regulatory domain configuration;
*) rb4011 - fixed SFP+ interface full duplex and speed parameter behavior;
*) rb4011 - improved SFP+ interface linking to 1Gbps;
*) sfp - fixed possible reboot loop when inserting SFP modules in CRS328-4C-20S-4S+ (introduced in v6.44beta61);
*) smb - fixed macOS clients not showing share contents;
*) smb - fixed possible buffer overflow;
*) smb - fixed Windows 10 clients not able to establish connection to share;
*) snmp - fixed "rsrq" reported precision;
*) snmp - report ifSpeed 0 for sub-layer interfaces;
*) switch - added comment field to switch ACL rules;
*) tr069-client - added "connection-request-port" parameter (CLI only);
*) usb - improved USB device powering on startup for hAP ac^2 devices;
*) usb - increased default power-reset timeout to 5 seconds;
*) userman - added first and last name fields for signup form;
*) w60g - fixed disconnection issues in PtMP setups;
*) winbox - renamed "Default AP Tx Rate" to "Default AP Tx Limit";
*) winbox - renamed "Default Client Tx Rate" to "Default Client Tx Limit";
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;
*) wireless - improved antenna gain setting for devices with built in antennas;
*) wireless - improved connection stability for new model Apple devices;
*) wireless - improved system stability when scanning for other networks;
*) wireless - show "installation" parameter when printing configuration;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
crau1000
just joined
Posts: 6
Joined: Thu Jan 31, 2019 3:52 am

Re: v6.44beta [testing] is released!

Tue Feb 12, 2019 11:07 am

Normis,

6.44Beta75 has an issue with GPS lat/longs. The new algorithm is inserting "00" after the decimal point. So originally lat/long would be 33.9686/-117.7432. NOW... from the GPS itself.... it is 33.009686/-117.007432. I've attached a screenshot.
 
kmansoft
Frequent Visitor
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.44beta [testing] is released!

Wed Feb 13, 2019 10:10 pm

The next version will have some more changes for IPsec Identities to make it clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check the IPsec debug logs and find out what actual ID (IDi) value is sent by the initiator.

[...]
Separate but related...

I'm using a GRE interface with IPSec using certificate auth.

GRE interface properties has a setting for IPSec Secret.

When using PSK it seems redundant - there already is a PSK setting in peer / identity.

When using key or cert auth it's also redundant and unnecessary - there is no "secret" for key or cert auth. But when the "secret" is removed, the GRE tunnel doesn't get secured by IPSec (even if IPSec settings are left exactly the same), I mean IPSec is not brought up.

I think the idea is for the router to "know" that the GRE interface is supposed to be secured by IPSec - but perhaps there is a better way to set this up in the UI?

[SOLVED]
Last edited by kmansoft on Thu Feb 14, 2019 7:59 am, edited 1 time in total.
 
kmansoft
Frequent Visitor
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.44beta [testing] is released!

Wed Feb 13, 2019 10:34 pm

The next version will have some more changes for IPsec Identities to make it clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check the IPsec debug logs and find out what actual ID (IDi) value is sent by the initiator.

[...]
Separate but related...

I'm using a GRE interface with IPSec using certificate auth.

GRE interface properties has a setting for IPSec Secret.

When using PSK it seems redundant - there already is a PSK setting in peer / identity.

When using key or cert auth it's also redundant and unnecessary - there is no "secret" for key or cert auth. But when the "secret" is removed, the GRE tunnel doesn't get secured by IPSec (even if IPSec settings are left exactly the same), I mean IPSec is not brought up.

I think the idea is for the router to "know" that the GRE interface is supposed to be secured by IPSec - but perhaps there is a better way to set this up in the UI?
And another thing about GRE + IPSec with cert auth. This one really looks like a bug.

When the GRE interface is brought up, it brings up the configured IPSec peer but *also* creates a redundant peer (with names like "peer6", "peer7") and a related item under Identities. Both are not necessary.

Not sure if it's new in 6.44 or was there before.

My "real" Peer is already set up, obviously, and uses IKEv2 and cert auth. The "bogus" peers have "main" as exchange mode and PSK auth but the local IP and remote IP are the same as in the "real" peer.

I really don't think it's in response to server (other side) initiated connections - first the server is set to IKEv2 only, second it uses cert auth (matching my "real" peer in Mikrotik) and not PSK.

Can be reproduced without reboot by disabling and then re-enabling the GRE interface in WebFig.

[SOLVED]
Last edited by kmansoft on Thu Feb 14, 2019 7:59 am, edited 1 time in total.
 
nescafe2002
Forum Veteran
Posts: 846
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.44beta [testing] is released!

Wed Feb 13, 2019 10:55 pm

You can setup an ipsec transport policy with protocol=47 and ensure gre traffic is secured using the firewall ipsec policy matcher:

https://wiki.mikrotik.com/wiki/Manual:I ... ed_traffic

Dynamic peer will disappear as soon as you unset ipsec secret in gre tunnel.
 
sindy
Forum Guru
Posts: 7910
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.44beta [testing] is released!

Wed Feb 13, 2019 11:40 pm

Not sure if it's new in 6.44 or was there before.
kmansoft, it's not a bug, it's a feature, and definitely not version-related.

Either set the ipsec-psk field in gre (ipip, l2tp) tunnel interface settings and the peer and policy will be generated automatically ("dynamically" is the RouterOS name for it), using the default peer profile and proposal. Or define the IPsec peer & policy necessary to secure the transport packets of your tunnel manually (and use security options as per your choice, not just the IKE(v1) main mode with PSK), and in that case do NOT fill the ipsec-psk field to prevent the dynamic peer & policy from being generated.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
kmansoft
Frequent Visitor
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.44beta [testing] is released!

Thu Feb 14, 2019 7:56 am

@nescafe2002, @sindy

Went to check IPSec / Policy and there was one for my GRE - but it had a "D" = "dynamic". Aha!

Did this:

- Removed "IPSec Secret" from GRE tunnel interface properties
- Manually added a policy for it
/ip ipsec policy
add comment=myservertunnel dst-address=139.0.0.1/32 protocol=gre src-address=89.0.0.1/32
And now disabling and re-enabling the GRE interface:

- Keeps the IPSec connection running, with SAs and stuff
- Does not create those "peer8" policies

Both "bugs" :) solved. Wonderful!

Thank you both for your help!
