
v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 3:58 pm
by emils
Version 6.44rc1 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44rc1 (2019-Feb-15 07:12):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes since last beta release:

!) ipsec - added new "identity" menu with common peer distinguishers;
!) radius - initial implementation of RadSec (Radius communication over TLS);
*) dhcpv4-server - use ARP for conflict detection;
*) discovery - use source MAC address from master interface for MNDP packets (introduced in v6.44beta50);
*) fetch - improved file downloading to slow memory;
*) hotspot - added per-user NAT rule generation based on "incoming-filter" and "outgoing-filter" parameters;
*) ike1 - fixed memory leak;
*) ipsec - allow to specify single address instead of IP pool under "mode-config";
*) kidcontrol - added "tur-fri", "tur-mon", "tur-sat", "tur-sun", "tur-thu", "tur-tue", "tur-wed" parameters;
*) lte - added initial support for Telit LN940;
*) lte - added option to lock the LTE operator;
*) smb - added commenting option for SMB users (CLI only);
*) supout - fixed Profile output on single core devices;
*) userman - added first and last name fields for signup form;
*) webfig - improved file handling;
*) winbox - improved file handling;
*) wireless - improved AR5212 response to incoming ACK frames;
*) wireless - improved system stability for all ARM devices with wireless;
*) wireless - improved system stability for all devices with 802.11ac wireless;

Full changelog is available here: https://mikrotik.com/download/changelog ... lease-tree

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 4:02 pm
by emils
We are getting close to v6.44 stable release. Please report any version related issues found to support@mikrotik.com

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 4:21 pm
by R1CH
Just to clarify,
*) wireless - improved system stability for all ARM devices with wireless;
*) wireless - improved system stability for all MIPSBE devices with 802.11ac wireless;
Does this improve wireless performance or only RouterOS software stability?

Also what devices are using AR5212? This is a chipset from 2003!

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 5:21 pm
by kmansoft
Checking for updates in WebFig gives an error:
ERROR: file not found
Channel testing
Installed Version 6.44beta75
Latest Version 6.44rc1

What's new in 6.43.12 (2019-Feb-08 11:46):

*) winbox - improvements in connection handling to router with open winbox service;
Perhaps the changelog file for 6.44rc1 is missing on the server?

The changelog is now there but starts with:

What's new in 5.9 (2011-Nov-29 14:32):

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 5:52 pm
by yottabit
What is the default setting for nf_conntrack_loose? It should be 0 (disabled) for better scaling against TCP DoS attacks. Had it been 0 or 1 before being exposed? Or is it new to the MT kernel branch?


Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 5:57 pm
by R1CH
That setting should have no effect on DoS resistance unless you aren't properly filtering your inbound traffic. It's set to 1 which is the default, for good reason, otherwise any time a router reboots every single active TCP connection would have to time out instead of continuing to work.

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 6:08 pm
by yottabit
You make a good point about reboots creating zombie TCP connections on the nodes, but you are wrong about the DoS mitigation.

Setting nf_conntrack_tcp_loose to 0 (not the default) stops false SYN-ACK and ACK packets before they hit the “listen” state lock, thereby allowing conntrack to scale much higher (also requires a drop invalid state rule).

RedHat says it allows conntrack to scale 20x higher in DoS attacks of these types.

It has no effect on basic SYN flooding, though.

Anyway, good to know what the default is; and sure it's probably best left that way. But at least we now have another mitigation option in the case of scaling problems and DoS attacks.
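
The trade-off argued in the posts above, as a simplified model added here as an example (it is not code from the thread, from netfilter or from RouterOS). The class, the addresses and the port numbers are constructed, and the model assumes the destination port accepts new connections, so only conntrack state decides what happens to a packet.

```python
"""Simplified model of conntrack's decision for the first packet of a TCP flow.

Models only the behaviour discussed in the thread: nf_conntrack_tcp_loose
set to 1 or 0, combined with a rule that drops packets in state INVALID.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the packet, e.g. frozenset({"ACK"})

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class Conntrack:
    tcp_loose: int = 1          # 1 = pick up mid-stream flows, 0 = do not
    drop_invalid: bool = True   # the "drop invalid state" firewall rule
    table: dict = field(default_factory=dict)

    def classify(self, pkt):
        """Return 'ESTABLISHED', 'NEW' or 'INVALID'; track the flow if accepted."""
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flow in self.table or reverse in self.table:
            return "ESTABLISHED"
        if pkt.flags == {"SYN"}:
            self.table[pkt.flow] = "SYN_SENT"      # normal connection setup
            return "NEW"
        if pkt.flags == {"ACK"} and self.tcp_loose:
            self.table[pkt.flow] = "ESTABLISHED"   # mid-stream pickup
            return "NEW"
        return "INVALID"                           # no entry is created

    def forward(self, pkt):
        """True if the packet passes, False if the drop-invalid rule drops it."""
        state = self.classify(pkt)
        return not (state == "INVALID" and self.drop_invalid)


def after_reboot(tcp_loose):
    """Empty table after a reboot; a client continues a session it already had."""
    ct = Conntrack(tcp_loose=tcp_loose)
    mid_stream = Packet("192.0.2.10", 50000, "198.51.100.5", 443,
                        frozenset({"ACK"}))
    return ct.forward(mid_stream)


def unsolicited_ack_entries(tcp_loose, count=1000):
    """Constructed ACKs that belong to no connection; returns table entries used."""
    ct = Conntrack(tcp_loose=tcp_loose)
    for i in range(count):
        ct.forward(Packet("203.0.113.%d" % (i % 250 + 1), 1024 + i,
                          "198.51.100.5", 22, frozenset({"ACK"})))
    return len(ct.table)


def new_connection_allowed(tcp_loose):
    """A proper SYN is tracked regardless of the loose setting."""
    ct = Conntrack(tcp_loose=tcp_loose)
    return ct.forward(Packet("192.0.2.10", 50001, "198.51.100.5", 22,
                             frozenset({"SYN"})))


if __name__ == "__main__":
    for loose in (1, 0):
        print("tcp_loose=%d: session survives reboot=%s, entries from 1000 "
              "unsolicited ACKs=%d" % (loose, after_reboot(loose),
                                       unsolicited_ack_entries(loose)))
```

With the loose setting at 1 the existing session keeps working after the table is emptied, but every unsolicited ACK also takes a table entry; at 0 with the drop-invalid rule, neither happens.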

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 6:13 pm
by ErfanDL
ha ha ha. mikrotik goes crazy :)) the 6.44rc1 released in 2011 as 5.9 :)
Capture.PNG

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 6:16 pm
by R1CH
You make a good point about reboots creating zombie TCP connections on the nodes, but you are wrong about the DoS mitigation.

Setting nf_conntrack_tcp_loose to 0 (not the default) stops false SYN-ACK and ACK packets before they hit the “listen” state lock, thereby allowing conntrack to scale much higher (also requires a drop invalid state rule).

RedHat says it allows conntrack to scale 20x higher in DoS attacks of these types.

It has no effect on basic SYN flooding, though.

Anyway, good to know what the default is; and sure it's probably best left that way. But at least we now have another mitigation option in the case of scaling problems and DoS attacks.
While this is true for listening services, you should not have any of those exposed to the WAN side of your router, or you'll be a victim of the next Mikrotik vulnerability.

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 6:26 pm
by yottabit
While this is true for listening services, you should not have any of those exposed to the WAN side of your router, or you'll be a victim of the next Mikrotik vulnerability.
Hey great point.

I do expose SSH with public-key-only authentication for remote management in case tunnels go down. So this setting can help with that exposed service. (I also have an auto-upgrade script that checks for updates to stable every night and upgrades. A little dangerous, yes. But a zero-day is worse.)

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 7:14 pm
by blihtar
Checking for updates in WebFig gives an error:
ERROR: file not found
Channel testing
Installed Version 6.44beta75
Latest Version 6.44rc1

What's new in 6.43.12 (2019-Feb-08 11:46):

*) winbox - improvements in connection handling to router with open winbox service;
Perhaps the changelog file for 6.44rc1 is missing on the server?

The changelog is now there but starts with:

What's new in 5.9 (2011-Nov-29 14:32):
Same for me, it starts with 5.9 on CHR where I test it.

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 7:22 pm
by emils
The correct changelog should be displayed now under check for updates.

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 8:07 pm
by dhoulbrooke
Hi!

!) ipsec - added new "identity" menu with common peer distinguishers;

Following my upgrade to 6.44rc1 my IPsec IKEv2 eap radius VPN no longer seems to be working:

ipsec,error identity not found for peer: FQDN: *username*

Using eap radius how should I match the remote id? I have tried auto, ignore, and setting the fqdn to the username as shown in the logs but none seem to match. Config following upgrade from 6.43:

/ip ipsec identity
add auth-method=eap-radius certificate=fullchain.pem_0,fullchain.pem_1 generate-policy=port-strict mode-config=rw-config my-id=fqdn:vpn.example.com peer="IKE2 RW" policy-template-group=rw-policy

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 10:41 pm
by eworm
With this upgrade I lost the wireless package on wAP LTE, again. The files were downloaded via weak LTE connection.
Reported this before for the update to 6.44beta50: viewtopic.php?f=21&t=139057&start=250#p703960

Re: v6.44rc [testing] is released!

Posted: Fri Feb 15, 2019 10:44 pm
by nescafe2002
Reporting on forum again won't help much.

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Re: v6.44rc [testing] is released!

Posted: Sat Feb 16, 2019 4:37 am
by BG4DRL
RB4011iGS+5HacQ2HnD-IN
and
wAP 60G AP x2 (Ap Bridge and Station Bridge)
upgraded to RC version

BandWidth test BOTH=756.1 Mbps/847.7 Mbps

recv=0 bps/1758.9 Mbps
send=1793.7 Mbps/0 bps

Re: v6.44rc [testing] is released!

Posted: Sat Feb 16, 2019 5:08 am
by joegoldman
What does /tool speed-test test to? Do we host a server? Is it the same as bandwidth-test and will TCP tests be CPU limited?

Re: v6.44rc [testing] is released!

Posted: Sat Feb 16, 2019 12:37 pm
by anuser
*) wireless - improved system stability for all ARM devices with wireless;
*) wireless - improved system stability for all MIPSBE devices with 802.11ac wireless;
I can't find the posting anymore, but (Normis?) mentioned that there will be a new wireless driver package, but he didn't mention the time, when this will be published. So does this release include mentioned new drivers?

Re: v6.44rc [testing] is released!

Posted: Sat Feb 16, 2019 3:37 pm
by heizer

MAJOR CHANGES IN v6.44:

!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
Hello there, when will this new function be available? [I mean, out of beta]
I am really anxious to update the firmware of the routers once it comes out in stable [but preferably, in long-term]
Thanks in advance :D :)

Re: v6.44rc [testing] is released!

Posted: Sat Feb 16, 2019 4:38 pm
by Jotne
Simple answer.
When it's ready.

Re: v6.44rc [testing] is released!

Posted: Sat Feb 16, 2019 9:29 pm
by mistry7
*) wireless - improved system stability for all ARM devices with wireless;
*) wireless - improved system stability for all MIPSBE devices with 802.11ac wireless;
I can't find the posting anymore, but (Normis?) mentioned that there will be a new wireless driver package, but he didn't mention the time, when this will be published. So does this release include mentioned new drivers?
No

Re: v6.44rc [testing] is released!

Posted: Sun Feb 17, 2019 2:37 am
by docmarius
Updated my RBM33G with a RB11E-LTE.
- Modem firmware update - OK
- New LTE additions like cell info - OK
Everything working as expected. :D

Re: v6.44rc [testing] is released!

Posted: Sun Feb 17, 2019 11:49 pm
by mducharme
I upgraded from 6.43.12 and had two IPsec peers with RSA key auth. After upgrading to 6.44rc1, only one of the two peers was added to the new ipsec identities tab. I had to recreate the other to bring it up again.

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 12:14 am
by vecernik87
@heizer
... when will this new function be available? [i mean, out of beta]...
It's a bit OT, but since more people might be interested... It is not as significant an improvement as it may seem. It works as an envelope command to the usual ping and btest. These commands run in the background and speedtest just summarizes the output. It does not do anything else that these two commands wouldn't do on their own. Due to that, it can be run even with target devices which do not have support for the command. The only info which I couldn't find anywhere else is the "jitter" value. Although it can be calculated from ping results, this tool makes it easier.
In the end, it is not some breakthrough, but I can't deny it is a nice simple tool for less experienced people.

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 10:27 am
by nkourtzis
@heizer
... when will this new function be available? [i mean, out of beta]...
It's a bit OT, but since more people might be interested... It is not as significant an improvement as it may seem. It works as an envelope command to the usual ping and btest. These commands run in the background and speedtest just summarizes the output. It does not do anything else that these two commands wouldn't do on their own. Due to that, it can be run even with target devices which do not have support for the command. The only info which I couldn't find anywhere else is the "jitter" value. Although it can be calculated from ping results, this tool makes it easier.
In the end, it is not some breakthrough, but I can't deny it is a nice simple tool for less experienced people.
It also displays the peak cpu load on both ends during the test, which is useful, and it also has a test timer, which is handy. And without being sure, I think it is multicore.

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 10:33 am
by emils
I upgraded from 6.43.12 and had two IPsec peers with RSA key auth. After upgrading to 6.44rc1, only one of the two peers was added to the new ipsec identities tab. I had to recreate the other to bring it up again.
Could you please send us the supout.rif file from the router?

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 10:58 am
by NanaK
Hi there,

I see v6.44rc doesn't have the IPSec policy option to "tunnel" as compared to the previous versions eg. v6.43.2.

Why is this?

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 11:09 am
by nescafe2002
Screenshot 1 shows an ipsec policy template, screenshot 2 shows an ipsec policy (not a template).

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 11:12 am
by DenisPDA
Hi there,

I see v6.44rc doesn't have the IPSec policy option to "tunnel" as compared to the previous versions eg. v6.43.2.

Why is this?
ipsec_mt.JPG

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 12:12 pm
by NanaK
Hi there,

I see v6.44rc doesn't have the IPSec policy option to "tunnel" as compared to the previous versions eg. v6.43.2.

Why is this?
ipsec_mt.JPG
Dennis, this is what I am still seeing

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 12:39 pm
by emils
As nescafe2002 already explained, you have checked the "Template" checkbox under General tab which makes "Tunnel" checkbox not available.

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 2:00 pm
by alejosalmon
Hello, has anyone noticed any improvement in wireless on ARM devices? Please comment.

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 4:28 pm
by Malosa
SFP is still flapping (link ok - no link - link ok - no link - link ok...) on a RB4011iGS+.

The SFP is a Cisco module working at 1 Gbps.

I have no problem with the same SFP module on a RB3011UiAS.

The only way to make it stable is disconnecting and connecting the fiber manually. It lasts until the Mikrotik is rebooted, at that moment, it starts flapping again.

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 5:23 pm
by mfr476
Any improvement in wireless devices? Same problem with ARM; I don't know why MikroTik hasn't solved this problem yet.

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 6:07 pm
by Chupaka
Any improvement in wireless devices? Same problem with ARM; I don't know why MikroTik hasn't solved this problem yet.
Isn't that the answer: viewtopic.php?p=713311#p713311 ?

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 6:27 pm
by mfr476
Is there an approximate date when the problem will be resolved?

Re: v6.44rc [testing] is released!

Posted: Mon Feb 18, 2019 9:21 pm
by strods
I might try to guess, but without more details we cannot answer if, for example, "problem with ARM wireless" is resolved. If the problem is related to this RouterOS release, then please post more details about it. If it is not related to the release, then write an e-mail to support@mikrotik.com. Unfortunately things are not so black and white. There might be a problem with configuration, software, hardware, limits of the chip, etc. It simply is not possible to answer anything about your problem as long as we are not aware of what exactly you are talking about.

Wireless related changes in this release should resolve a little regression in wireless performance on ARM devices introduced in 6.44beta releases. The other fix is made in order to resolve problems that in most cases resulted in a Watchdog reboot or 100% CPU usage on your router. However, these were rare cases and most of them were introduced in v6.43. The problem was possible also before, however, 6.43 made such a problem appear much more often.

Re: v6.44rc [testing] is released!

Posted: Tue Feb 19, 2019 10:20 am
by Bergante
I am trying several 1 Gbps SFP modules on a RB4011 and they seem to be working fine with the betas and rc.

Both Mikrotik (1000BASE-SX and 1000BASE-LX) and Solid Optics (again, single mode and multi mode).

They work with auto negotiation set to on and speed set to 1 Gbps.

Using the stable releases (6.43.12 included) I can't establish a link. With 6.44 betas and rc it works, it just needs to set the interface to 1 Gbps
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] speed=1Gbps

Re: v6.44rc [testing] is released!

Posted: Tue Feb 19, 2019 12:03 pm
by skylark
Using the stable releases (6.43.12 included) I can't establish a link. With 6.44 betas and rc it works, it just needs to set the interface to 1 Gbps
These fixes will be included in upcoming v6.44.

Re: v6.44rc [testing] is released!

Posted: Tue Feb 19, 2019 12:26 pm
by Malosa
I am trying several 1 Gbps SFP modules on a RB4011 and they seem to be working fine with the betas and rc.

Both Mikrotik (1000BASE-SX and 1000BASE-LX) and Solid Optics (again, single mode and multi mode).

They work with auto negotiation set to on and speed set to 1 Gbps.

Using the stable releases (6.43.12 included) I can't establish a link. With 6.44 betas and rc it works, it just needs to set the interface to 1 Gbps
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] speed=1Gbps

Okay, I didn't force to 1 Gbps. In my opinion, I think it should work with autonegotiation.

Perhaps in the 6.44 final, autonegotiation works.

I will test again in next rc, if not automatically, forcing the speed, like you said.

Thanks.

Re: v6.44rc [testing] is released!

Posted: Tue Feb 19, 2019 12:40 pm
by eworm
Upgrading from stable to testing I have allow-none-crypto enabled:
/ip ssh set allow-none-crypto=yes strong-crypto=yes
I think this should default to disabled.

If you want to keep the former behavior please consider setting it to disabled if strong-crypto has been enabled before. I am certain someone setting strong-crypto to enabled does not want allow-none-crypto.

Re: v6.44rc [testing] is released!

Posted: Tue Feb 19, 2019 12:54 pm
by szkalman
On ltap, the gps gives back wrong coordinates for me. After a downgrade to stable, i see the right coordinates.

Re: v6.44rc [testing] is released!

Posted: Tue Feb 19, 2019 1:29 pm
by Bergante
Using the stable releases (6.43.12 included) I can't establish a link. With 6.44 betas and rc it works, it just needs to set the interface to 1 Gbps
These fixes will be included in upcoming v6.44.
I imagined :)

So far I'm checking all the betas and rcs to make sure it still works.

Re: v6.44rc [testing] is released!

Posted: Tue Feb 19, 2019 1:31 pm
by normis
On ltap, the gps gives back wrong coordinates for me. After a downgrade to stable, i see the right coordinates.
How do you know which one is right? Give an example please

Re: v6.44rc [testing] is released!

Posted: Tue Feb 19, 2019 1:39 pm
by Bergante

Okay, I didn't force to 1 Gbps. In my opinion, I think it should work with autonegotiation.

Perhaps in the 6.44 final, autonegotiation works.

I will test again in next rc, if not automatically, forcing the speed, like you said.

Thanks.
I think negotiation is taking place. Otherwise the switch to which I am connecting probably wouldn't establish the link.

Making an educated guess, I think that by setting the speed parameter you are not forcing the interface, but changing the operating mode of the SFP/+ cage instead and telling autonegotiation not to advertise 10 Mbps, 100 Mbps nor 10 Gbps.

That said, it would make sense to do it automatically. They can identify the SFP module and it's obvious whether it's an SFP or SFP+ module.

Re: v6.44rc [testing] is released!

Posted: Tue Feb 19, 2019 2:10 pm
by eworm
On ltap, the gps gives back wrong coordinates for me. After a downgrade to stable, i see the right coordinates.
How do you know which one is right? Give an example please
Probably he knows the coordinates the device is located. Something about wrong coordinates has been reported for 6.44beta75:
viewtopic.php?f=21&t=139057&start=350#p714713

Re: v6.44rc [testing] is released!

Posted: Tue Feb 19, 2019 3:54 pm
by emils
Upgrading from stable to testing I have allow-none-crypto enabled:
/ip ssh set allow-none-crypto=yes strong-crypto=yes
I think this should default to disabled.

If you want to keep the former behavior please consider setting it to disabled if strong-crypto has been enabled before. I am certain someone setting strong-crypto to enabled does not want allow-none-crypto.
This is cosmetic only. Even when both are set to yes, null crypto is not allowed. We will adjust the "allow-none-crypto" parameter to better represent its value in the stable release.

Re: v6.44rc [testing] is released!

Posted: Wed Feb 20, 2019 8:45 am
by chubbs596
Hi Guys

I have run into an issue with simple queues; it seems rate-limiting is not working as expected. I have done testing on CCR1009-7G-1C-1S+ and hEX S (RB760iGS) with similar results.

I don't have access to the hEX S any more but am now using the CCR1009-7G-1C-1S+. I have sent a mail to support@mikrotik.com with supout.rif

uptime: 5h7m18s
version: 6.44rc1 (testing)
build-time: Feb/15/2019 07:12:10
factory-software: 6.38.5
free-memory: 1718.2MiB
total-memory: 1984.0MiB
cpu: tilegx
cpu-count: 9
cpu-frequency: 400MHz
cpu-load: 16%
free-hdd-space: 81.1MiB
total-hdd-space: 128.0MiB
architecture-name: tile
board-name: CCR1009-7G-1C-1S+
platform: MikroTik

Below is the configured queue at 150M/150M, and if I run a speedtest on this I get the result below (see screenshot)

/queue simple
add max-limit=150M/150M name=INTERNET queue=default/default target=3_vl_data total-queue=default
add limit-at=2M/2M max-limit=150M/150M name=hi-prio packet-marks=ack,icmp,voice parent=INTERNET priority=1/1 queue=default/default target=3_vl_data total-priority=1 total-queue=default
add limit-at=20M/20M max-limit=150M/150M name=roku packet-marks=roku parent=INTERNET priority=3/3 queue=default/default target=3_vl_data total-priority=3 total-queue=default
add limit-at=15M/15M max-limit=150M/150M name=http packet-marks=HTTP parent=INTERNET priority=4/4 queue=default/default target=3_vl_data total-priority=4 total-queue=default
add limit-at=5M/5M max-limit=150M/150M name=guest packet-marks=guest parent=INTERNET priority=5/5 queue=default/default target=3_vl_data total-priority=5 total-queue=default
add limit-at=3M/3M max-limit=150M/150M name=data_unmarked packet-marks=no-mark parent=INTERNET priority=7/7 queue=default/default target=3_vl_data total-priority=6 total-queue=default
add bucket-size=0.03/0.03 disabled=yes max-limit=5M/5M name=Guest queue=default/default target=100_vl_guest

Speedtest result is 72Mbps down and 132Mbps up

With Queue disabled, and only limited from provider side to 150M/150M


144Mbps down and 145 Mbps up

Re: v6.44rc [testing] is released!

Posted: Wed Feb 20, 2019 1:41 pm
by szkalman
I'm next to the device and it shows that i'm ~100km far from the real place.

On ltap, the gps gives back wrong coordinates for me. After a downgrade to stable, i see the right coordinates.
How do you know which one is right? Give an example please
Probably he knows the coordinates the device is located. Something about wrong coordinates has been reported for 6.44beta75:
viewtopic.php?f=21&t=139057&start=350#p714713

Re: v6.44rc [testing] is released!

Posted: Wed Feb 20, 2019 1:48 pm
by normis
LtAP doesn't have a map inside, so the question again is - how are you checking this? Did you use the coordinates in google maps or somewhere else?