Community discussions

 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

v6.45beta [testing] is released!

Tue Mar 05, 2019 11:55 am

Version 6.45beta6 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta6 (2019-Mar-05 08:51):

Changes in this release:

*) bridge - fixed possible memory leak when using "ingress-filtering=yes" on bridge interface;
*) certificate - added support for ECC (Elliptic Curve Cryptography);
*) certificate - force 3DES encryption for P12 certificate export;
*) crs3xx - correctly display auto-negotiation information for SFP/SFP+ interfaces in 1Gbps rate;
*) crs3xx - fixed auto negotiation when 2-pair twisted cable is used (downshift feature);
*) dhcp - fixed dual stack queue addition;
*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);
*) dhcpv6-server - use MAC address for RADIUS user when "allow-dual-stack-queue=yes";
*) ethernet - added support for 25Gbps and 40Gbps rates;
*) fetch - improved user policy lookup;
*) gps - increase precision for dd format;
*) ipsec - fixed dynamic L2TP peer and identity configuration missing after reboot (introduced in v6.44);
*) ipsec - use "remote-id=ignore" for dynamic L2TP configuration (introduced in v6.44);
*) ipv6 - do not allow setting "preferred-lifetime" longer than "valid-lifetime";
*) lte - added passthrough interface subnet selection;
*) lte - added support for manual operator selection;
*) lte - do not show error message for info commands that are not supported;
*) lte - do not show "session-uptime" if session is not up;
*) lte - improved R11e-4G modem operation;
*) lte - renamed firmware upgrade "path" command to "firmware-file" (CLI only);
*) lte - reset LTE modem only when SIM slot is changed on dual SIM slot devices;
*) lte - show alphanumeric value for operator info;
*) lte - show correct firmware revision after firmware upgrade;
*) lte - use secondary DNS for DNS server configuration;
*) ppp - added initial support for Quectel BG96;
*) rb4011 - fixed ether10 failing to auto negotiate link speed to 1Gbps;
*) sfp - fixed S-35LC20D transceiver DDMI readouts after reboot;
*) sms - improved delivery report logging;
*) snmp - added "dot1dStpPortTable" OID;
*) ssh - use correct user when "output-to-file" parameter is used;
*) switch - fixed possible crash when interface state changes and DHCP Snooping is enabled;
*) tile - improved link fault detection on SFP+ ports;
*) winbox - added "use-local-address" parameter in "IP/Cloud" menus;
*) wireless - fixed incorrect IP header for RADIUS accounting packet;
*) wireless - updated "india" regulatory domain information;
*) wireless - updated "new zealand" regulatory domain information;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
anav
Forum Guru
Forum Guru
Posts: 2969
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 1:24 pm

*) bridge - fixed possible memory leak when using "ingress-filtering=yes" on bridge interface;

How did this bug manifest itself?? Been using this setup for a while and didnt notice any issues, on the other hand I dont really monitor that closely.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
nimbo78
Frequent Visitor
Frequent Visitor
Posts: 72
Joined: Tue Jan 14, 2014 9:09 pm

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 2:33 pm

is there any chance to add some internal variables to dhcp-server alert script? like in dhcp-client script.
need to send alerts with mac and ip to messengers and some APIs..
 
anuser
Member
Member
Posts: 397
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 2:39 pm

Will a new wireless driver package for 802.11ac be released in 6.45 or is it planned for a later RouterOS version?
 
paulct
Member Candidate
Member Candidate
Posts: 295
Joined: Fri Jul 12, 2013 5:38 pm

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 3:42 pm

*) ethernet - added support for 25Gbps and 40Gbps rates

Cough, MUM, new hardware?
Those new switches? And hopefully some new powerful routers.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8308
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 5:05 pm

a new wireless driver package for 802.11ac
What package?..
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
honzam
Forum Guru
Forum Guru
Posts: 2287
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 5:38 pm

Will a new wireless driver package for 802.11ac be released in 6.45 or is it planned for a later RouterOS version?
Do you have any specific information about something to happen?
LAN, FTTx, Wireless. ISP operator
 
mistry7
Forum Guru
Forum Guru
Posts: 1314
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 5:43 pm

Will a new wireless driver package for 802.11ac be released in 6.45 or is it planned for a later RouterOS version?
Do you have any specific information about something to happen?
Normis told that in an another thread, but he did not say it will happen this year
 
TimurA
Member Candidate
Member Candidate
Posts: 186
Joined: Sat Dec 15, 2018 6:13 am
Location: Tashkent
Contact:

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 5:48 pm

a new wireless driver package for 802.11ac
What package?..
Maybe waiting MU-MIMO?
Image
 
jrpaz
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Wed Jun 05, 2013 5:54 am

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 5:54 pm

The new package is in ROS v7 along with every other fix needed.
 
User avatar
paoloaga
Member Candidate
Member Candidate
Posts: 222
Joined: Tue Mar 08, 2011 2:52 am
Location: Vaprio d'Agogna (NO) - Italy
Contact:

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 6:00 pm

The new package is in ROS v7 along with every other fix needed.

😅
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 6:38 pm

*) bridge - fixed possible memory leak when using "ingress-filtering=yes" on bridge interface;

How did this bug manifest itself?? Been using this setup for a while and didnt notice any issues, on the other hand I dont really monitor that closely.
I reported this problem to mt support.
It occured on my CCR1009 when vlan-filtering was enabled and frame-types set to admit-only-vlan-tagged.
In 24h it filled up the 2GB RAM ending in a kernel panic / reboot
6.45beta6 seems to have fixed this issue.
CCR1009-7G-1C-1S+ ROS6.45.2
 
anuser
Member
Member
Posts: 397
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 9:43 pm

Will a new wireless driver package for 802.11ac be released in 6.45 or is it planned for a later RouterOS version?
Do you have any specific information about something to happen?
Normis told that in an another thread, but he did not say it will happen this year
Found it:
viewtopic.php?f=1&t=145047&p=713806&hil ... er#p713800 :
You are right, that MikroTik made wireless driver doesn't have Wave2 support, so new chipset benefits are not there. We are working on a new driver.
For testing purposes a second wireless package would be great.
 
User avatar
honzam
Forum Guru
Forum Guru
Posts: 2287
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.45beta [testing] is released!

Tue Mar 05, 2019 11:27 pm

I hope to hear new information on MUM
LAN, FTTx, Wireless. ISP operator
 
buset1974
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v6.45beta [testing] is released!

Wed Mar 06, 2019 2:41 am

Waiting fix for BGP Withdraw on multihoming PE-CE, mt said must rewrite bgp module, so do it ASAP it's a very important matter.
this issue not exist on other brand router and it's use more than 10 years software.
A lot of mikrotik device running mpls now and a lot of them on production.

thx
Last edited by buset1974 on Wed Mar 06, 2019 4:00 am, edited 1 time in total.
 
lelmus
just joined
Posts: 20
Joined: Wed Oct 17, 2012 5:50 am

Re: v6.45beta [testing] is released!

Wed Mar 06, 2019 3:56 am

6.45beta6 kills SPF+ port in RB4011iGS+5HacQ2HnD-IN.

I'm using the Maxxwave MW-SX+MM-US in the SFP+ port of the RB4011iGS+5HacQ2HnD-IN. With 6.45beta6 the SFP tab under interface its all empty and SFP+ is not functional. Tried a different Maxxwave MW-SX+MM-US and same issue.

Downgraded to 6.44 (Stable) and SFP tab under interface is filled up correctly and Maxxwave MW-SX+MM-US is normally functioning.


Also, 6.45beta6 in CCR1016-12S-1S+ with Maxxwave MW-SX+MM-US in the SFP+ port works fine.
 
ste
Forum Guru
Forum Guru
Posts: 1805
Joined: Sun Feb 13, 2005 11:21 pm

Re: v6.45beta [testing] is released!

Wed Mar 06, 2019 8:13 am

Will a new wireless driver package for 802.11ac be released in 6.45 or is it planned for a later RouterOS version?
Do you have any specific information about something to happen?
There are .ax Chipsets available for a while now. I guess all WISP vendors do at least some testing in Lab now. So they have to touch wireless package to make them work.
 
mistry7
Forum Guru
Forum Guru
Posts: 1314
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: v6.45beta [testing] is released!

Wed Mar 06, 2019 9:25 am

Don´t cry for next new Hardware, we had to wait over 12 Month for new Arm Chipsets to get running in most cases, most here had buyed 802.11n Hardware until there is no working 802.11ac available from Mikrotik, Wave2 is completely unsupported (most available devices from MT has Wave 2 Chipset).

So don´t cry for something new, cry for something working.
 
ste
Forum Guru
Forum Guru
Posts: 1805
Joined: Sun Feb 13, 2005 11:21 pm

Re: v6.45beta [testing] is released!

Wed Mar 06, 2019 10:32 am

Don´t cry for next new Hardware, we had to wait over 12 Month for new Arm Chipsets to get running in most cases, most here had buyed 802.11n Hardware until there is no working 802.11ac available from Mikrotik, Wave2 is completely unsupported (most available devices from MT has Wave 2 Chipset).

So don´t cry for something new, cry for something working.

You probably wont see MT to tweak Wifi-HW to an extend where it will be realy good for WISP usage (HW-accelerated TDMA, GPS-Sync ...). With .ac you are more or less limited to what the chipvendor does to get higher performance (plain 802.11 mode with rts/cts). So the only senseful option at the moment is to shop where this tweaking has bin done (anyone still did not manage to realize this?).

With 802.11ax the chipsetvendors have to put a lot of stuff into the chipset which helps WISPs. There is Scheduling, there is OFDMA. MT do not have to implement it. It is just there and it is vendor neutral. This is the way to go as fast as possible.

You try to ride a dead horse ...
 
mistry7
Forum Guru
Forum Guru
Posts: 1314
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: v6.45beta [testing] is released!

Wed Mar 06, 2019 10:59 am



With 802.11ax the chipsetvendors have to put a lot of stuff into the chipset which helps WISPs. There is Scheduling, there is OFDMA. MT do not have to implement it. It is just there and it is vendor neutral. This is the way to go as fast as possible.

You try to ride a dead horse ...
And this features will not work without working driver, and since MT write there own Drivers this features need to implement.
With own Drivers there is nothing out of Box from the chipset.
 
isacalmeida
just joined
Posts: 7
Joined: Wed Oct 03, 2018 2:58 pm

Re: v6.45beta [testing] is released!

Wed Mar 06, 2019 6:53 pm

Hello,

Fix: ppp - fixed dynamic route creation towards VPN server when "add-default-route" is used;

This fix came in version 6.44, but it fixes the bug only for a PPPoE connection with an L2TP tunnel over it. Is it possible to include in this version the adjustment of this bug so that there is no problem of a PPTP tunnel over a PPPoE tunnel?

Thanks
 
lvader
just joined
Posts: 2
Joined: Tue Mar 27, 2018 8:10 pm

Re: v6.45beta [testing] is released!

Wed Mar 06, 2019 7:35 pm

*) ipsec - fixed dynamic L2TP peer and identity configuration missing after reboot (introduced in v6.44);
would be great to get this fix also to stable 6.44. Very annoying.
 
bdallen
just joined
Posts: 8
Joined: Fri Nov 07, 2014 12:28 pm
Location: Brisbane, Straya

Re: v6.45beta [testing] is released!

Thu Mar 07, 2019 1:16 pm

I see this in 6.44

*) snmp - added "dot1qPortVlanTable" and "dot1dBasePortTable" OIDs;
*) snmp - changed fan speed value type to Gauge32;
*) snmp - fixed "rsrq" reported precision;
*) snmp - fixed w60g station table;
*) snmp - removed "rx-sector" ("Wl60gRxSector") value;
*) snmp - report bridge ifSpeed as "0";
*) snmp - report ifSpeed 0 for sub-layer interfaces;

Can 6.45 chain have the following?

*) snmp - added BGP4 OIDs
 
User avatar
rdelacruz
newbie
Posts: 34
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Thu Mar 07, 2019 5:08 pm

Image

It would be best if Mikrotik can send these accounting data to the RADIUS when using DHCP+RADIUS authentication.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon Mar 11, 2019 10:39 am

Version 6.45beta11 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta11 (2019-Mar-08 13:24):

Changes in this release:

*) bridge - fixed log message when hardware offloading is being enabled;
*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);
*) dhcpv6-server - added RADIUS accounting support;
*) e-mail - fixed missing "from" address for sent e-mails (introduced in v6.44);
*) gps - removed unnecessary leading "0" for dd format;
*) ipsec - allow identities with empty XAuth login and password if RADIUS is enabled (introduced in v6.44);
*) lte - fixed LTE interface band setting on RBSXTLTE3-7 (introduced in v6.44);
*) lte - improved "info" command query;
*) rb4011 - fixed SFP linking (introduced in v6.45beta6);
*) sms - allow specifying multiple "allowed-number" values;
*) snmp - properly return multicast and broadcast packet counters for IF-MIB OIDs;
*) wireless - fixed antenna gain setting on RBSXT5nDr2;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1715
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.45beta [testing] is released!

Mon Mar 11, 2019 11:02 am

*) e-mail - fixed missing "from" address for sent e-mails (introduced in v6.44);
Emils

I'm interested how did it happen? What someone had been messing for with e-mail part of ROS?
Real admins use real keyboards.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8308
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.45beta [testing] is released!

Mon Mar 11, 2019 11:42 am

"All changes are listed in Changelog" (c) :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon Mar 11, 2019 12:24 pm

Somehow we have lost these change log entries in 6.44beta50 release. I will add them to 6.44 change log. Sorry for the error.

*) e-mail - added support for multiple transactions on single connection;
*) log - accumulate multiple e-mail messages before sending;
 
buset1974
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v6.45beta [testing] is released!

Mon Mar 11, 2019 5:32 pm

today i'am experiencing problem with nat on 6.44,i think it has related with new conntrack @ ccr1009
*) conntrack - added new "loose-tcp-tracking" parameter (equivalent to "nf_conntrack_tcp_loose" in netfilter)

sorry if i miss judge the problem, i degrade to 6.43.12 everything went normal.

thx
 
buset1974
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v6.45beta [testing] is released!

Mon Mar 11, 2019 6:10 pm

Somehow we have lost these change log entries in 6.44beta50 release. I will add them to 6.44 change log. Sorry for the error.

*) e-mail - added support for multiple transactions on single connection;
*) log - accumulate multiple e-mail messages before sending;
Hi emils, when this bgp problem will be fix ?
[Ticket#2018112922000575]

thx
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5934
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.45beta [testing] is released!

Tue Mar 12, 2019 5:36 pm

@buset1974 not in v6
 
mducharme
Trainer
Trainer
Posts: 799
Joined: Tue Jul 19, 2016 6:45 pm

Re: v6.45beta [testing] is released!

Wed Mar 13, 2019 9:21 am

*) dhcpv6-server - added RADIUS accounting support;
This is excellent news - does this also work with DHCPv6 servers over PPP (ex. PPPoE)?
 
rutujajadhav
just joined
Posts: 1
Joined: Tue Mar 05, 2019 11:55 am

Re: v6.45beta [testing] is released!

Wed Mar 13, 2019 11:42 am

is there any opportunity to add some interior factors to DHCP-server ready content? like in DHCP-customer content.

need to send alarms with Macintosh and up to errand people and some APIs.
Last edited by rutujajadhav on Thu Mar 14, 2019 8:03 am, edited 1 time in total.
 
nimbo78
Frequent Visitor
Frequent Visitor
Posts: 72
Joined: Tue Jan 14, 2014 9:09 pm

Re: v6.45beta [testing] is released!

Wed Mar 13, 2019 11:47 am

*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);
plz more info about this. syntax? format? etc
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5934
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.45beta [testing] is released!

Wed Mar 13, 2019 3:54 pm

check/ip dhcp-server vendor-class-id menu
 
bbs2web
Member Candidate
Member Candidate
Posts: 198
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: v6.45beta [testing] is released!

Wed Mar 13, 2019 8:58 pm

Would be really useful to have if then logic within DHCP.

The following snippet servers no file to Snom VoIP phone, x64 EFI PXE executable to UEFI PXE devices and normal PXE binary to compatibility devices.

From ISC DHCP subnet declaration:
if substring(binary-to-ascii(16, 8, ":", hardware), 0, 9) = "1:0:4:13:" {
# 1: prefix = Ethernet, SNOM phone MAC address prefix (00:04:13)
    filename "";
} elsif option unknown-93 = 00:07 {
#pxe-system-type or arch
    filename "pxe/efi/bootx64.efi";
} else {
    filename "pxe/pxelinux.0";
}
 
nimbo78
Frequent Visitor
Frequent Visitor
Posts: 72
Joined: Tue Jan 14, 2014 9:09 pm

Re: v6.45beta [testing] is released!

Wed Mar 13, 2019 10:03 pm

Would be really useful to have if then logic within DHCP.

The following snippet servers no file to Snom VoIP phone, x64 EFI PXE executable to UEFI PXE devices and normal PXE binary to compatibility devices.

From ISC DHCP subnet declaration:
if substring(binary-to-ascii(16, 8, ":", hardware), 0, 9) = "1:0:4:13:" {
# 1: prefix = Ethernet, SNOM phone MAC address prefix (00:04:13)
    filename "";
} elsif option unknown-93 = 00:07 {
#pxe-system-type or arch
    filename "pxe/efi/bootx64.efi";
} else {
    filename "pxe/pxelinux.0";
}
+++
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Thu Mar 14, 2019 2:43 pm

After seeing this

> *) certificate - added support for ECC (Elliptic Curve Cryptography);

in beta changelog, I'm trying to use an ECDSA certificate for IPSec authentication.

Doesn't seem to work:

- Key generation:

openssl ecparam -genkey -name secp384r1

- Certificate generation:

Same as before with RSA keys

- Server config - strongSwan, certificate auth

Loads its private EC key just fine

- Client config - another client also strongSwan to same server

Loads its private EC key just fine, is able to connect to the server

- Client config - Mikrotik AC2

I was able to import the certificates and an EC key (for the client's certificate), the cert gets marked as "KT" (T for trusted). So far so good.

And then trying to establish the connection:

The IKEv2 is negotiated.

At SA creation time apparently the Mikrotik AC2 can't authenticate, and it doesn't send an auth error back to the server (because I see the server keep retrying).

This keeps appearing in the logs:

> can't get private key

So it looks like "system / certificates" is able to match a certificate with its EC key (when both are imported, the cert is marked with "T" for "trusted").

But IPSec is not able to.

-----

Will this be fixed please so that EC certificates can be used for IPSec auth?

And one more thing - it seems that right now EC key support does not include ed25519. Could this be added please?
Last edited by kmansoft on Thu Mar 14, 2019 2:59 pm, edited 2 times in total.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5934
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.45beta [testing] is released!

Thu Mar 14, 2019 2:54 pm

EC certificates can be used only for www services. Ipsec does not support them.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Thu Mar 14, 2019 3:08 pm

EC certificates can be used only for www services. Ipsec does not support them.
OK, any plans to make use for IPSec possible? And for ed25519 curve?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5934
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.45beta [testing] is released!

Thu Mar 14, 2019 4:59 pm

IKE2 rfc states the use of RSA.
What would be the client devices that support EC? Why exactly you need this?
 
Note
newbie
Posts: 49
Joined: Fri Jun 03, 2016 12:39 pm

Re: v6.45beta [testing] is released!

Fri Mar 15, 2019 8:58 am


*) bridge - fixed possible memory leak when using "ingress-filtering=yes" on bridge interface;
That is supposed that was fixed on 6.44 stable............
 
bommi
just joined
Posts: 24
Joined: Fri Jan 24, 2014 9:13 am
Location: Germany
Contact:

Re: v6.45beta [testing] is released!

Fri Mar 15, 2019 2:41 pm

IKE2 rfc states the use of RSA.
What would be the client devices that support EC? Why exactly you need this?
EC key exchanges are much faster than RSA, because the keysize is much smaller.
My usecase are mobile devices on bad mobile connections.
 
ppptran
just joined
Posts: 5
Joined: Sun Dec 30, 2018 9:18 am

Re: v6.45beta [testing] is released!

Sun Mar 17, 2019 7:37 am


*) rb4011 - fixed SFP linking (introduced in v6.45beta6);
This .

If there's a fix for SFP with 100M fiber link would be greatly appreacited
 
idlemind
Forum Guru
Forum Guru
Posts: 1101
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: v6.45beta [testing] is released!

Mon Mar 18, 2019 5:39 am

IKE2 rfc states the use of RSA.
What would be the client devices that support EC? Why exactly you need this?

RFC 4754

https://tools.ietf.org/html/rfc4754

Not finalized but per usual MikroTik is behind almost all other vendors in supporting valid technology.

Of course we still can't ping IPv6 only hosts by name in the CLI, or provide clients with IPv6 addresses over DHCPv6.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon Mar 18, 2019 1:29 pm

Version 6.45beta16 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta16 (2019-Mar-18 07:49):

Changes in this release:

*) dhcpv4-server - improved stability when performing "check-status" command;
*) ike2 - do not send "User-Name" attribute to RADIUS server if not provided;
*) ike2 - improved XAuth identity conversion on upgrade;
*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity (CLI only);
*) ipsec - added "ph2-total" counter to "active-peers" menu (CLI only);
*) ipsec - added support for RADIUS accounting;
*) ipsec - added traffic statistics to "active-peers" menu (CLI only);
*) ipsec - do not allow adding identity to a dynamic peer;
*) ipsec - renamed "remote-peers" to "active-peers" (CLI only);
*) lte - use default APN name "internet" when not provided;
*) proxy - increased minimal free RAM that can not be used for proxy services;
*) switch - properly reapply settings after switch chip reset;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
Farseer
just joined
Posts: 17
Joined: Sat Feb 09, 2019 11:25 pm

Re: v6.45beta [testing] is released!

Mon Mar 18, 2019 2:15 pm

For this patch, could you allow sa-dst-address and sa-src-address in IPSec to accept DDNS names? It's great and all to create scripts and to put it on a scheduler to resolve the ip's and update those fields, but can't it just accept the ddns name/cloud host name instead?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5934
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.45beta [testing] is released!

Mon Mar 18, 2019 2:28 pm

In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated.
 
Farseer
just joined
Posts: 17
Joined: Sat Feb 09, 2019 11:25 pm

Re: v6.45beta [testing] is released!

Mon Mar 18, 2019 3:18 pm

In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated.
In the scenario where an ISP doesn't provide a static IP to it's client, instead using Dynamic IP or PPPoE with a dynamic IP. In such cases, a DDNS hostname is always needed to achieve VPN/Online Cameras/RDP. But when it comes to doing an IPSec VPN setup with a Mikrotik router, the hostnames can't be used as you can't enter them into sa-dst-address, thereby forcing you to go make a script and putting that script on a scheduler.

Edit: Non-road warrior basically.
 
Zoolander06
just joined
Posts: 22
Joined: Thu Jan 03, 2019 5:26 pm

Re: v6.45beta [testing] is released!

Mon Mar 18, 2019 6:06 pm


*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);
Hi,

Is there a documentation somewhere about this new feature ?

Joris
 
Neilson
Member Candidate
Member Candidate
Posts: 174
Joined: Tue Nov 06, 2012 10:42 pm
Location: Auckland, New Zealand

Re: v6.45beta [testing] is released!

Mon Mar 18, 2019 6:26 pm

I installed the latest Beta 6.45Beta16 on an hAP ac lite (Coming from 6.45Beta11).

Reboot to install packages
Reboot to update routerboot
- wlan2 interface disappears
Reboot again
- wlan2 interface appears again

So for other users this may need a further reboot.

Mikrotik may want to run this test themselves to see if reproducible. I can make a supout if needed.

Regards
Alexander
 
User avatar
Cha0s
Forum Veteran
Forum Veteran
Posts: 901
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.45beta [testing] is released!

Tue Mar 19, 2019 6:47 pm

In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated.
In the scenario where an ISP doesn't provide a static IP to it's client, instead using Dynamic IP or PPPoE with a dynamic IP. In such cases, a DDNS hostname is always needed to achieve VPN/Online Cameras/RDP. But when it comes to doing an IPSec VPN setup with a Mikrotik router, the hostnames can't be used as you can't enter them into sa-dst-address, thereby forcing you to go make a script and putting that script on a scheduler.

Edit: Non-road warrior basically.
++
 
Zoolander06
just joined
Posts: 22
Joined: Thu Jan 03, 2019 5:26 pm

Re: v6.45beta [testing] is released!

Wed Mar 20, 2019 4:37 pm

So I gave a try to the new vendor class identifier matcher feature, it works well but it's quite limited : one can only reserve a pool of IPs to a certain type of devices.
It would be nice to be able to send different options to certain devices.
Example : I have Yealink and Cisco IP phones on my network, each one need a different TFTP server name (option 66) to provision, but I can only set one per dhcp server.
With this beta version I can control which IP my phones will have, but I still can't specify a distinct option 66 for each type.

Or am I missing something ?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5934
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.45beta [testing] is released!

Thu Mar 21, 2019 2:39 pm

You can specify DHCP option set per DHCP network.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 12:47 pm

Version 6.45beta19 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta19 (2019-Mar-22 07:30):

Changes in this release:

*) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1) (CLI only);
*) certificate - removed DSA (D) flag;
*) ike1 - improved stability for transport mode policies on initiator side;
*) ike2 - added support for ECDSA certificate authentication (rfc4754);
*) ike2 - prefer SAN instead of DN from certificate for ID payload;
*) ipsec - renamed "rsa-signature" authentication method to "digital-signature";
*) smb - fixed possible buffer overflow;
*) sms - added USSD message functionality under "/tool sms" (CLI only);
*) ssh - do not generate host key on configuration export;
*) wireless - improved DFS radar detection when using non-ETSI regulated country;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
Mikrotiker
just joined
Posts: 10
Joined: Wed Oct 05, 2005 4:08 pm

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 2:48 pm

after the update to 6.45beta19 the wireless interface can no longer be found.

Model: SXT HG5 ac

Code: Select all

ROS Update, reboot
Wireless interface disappeared

Routerboot update, reboot
Wireless interface disappeared

reboot
Wireless interface disappeared

Log: DefConf gen: Unable to find Wireless interface(s)

I will send you a supout with the reference to this thread.

I did a downgrade to 6.45beta16 and everything is back and running. except the remote unit.
Last edited by Mikrotiker on Fri Mar 22, 2019 4:36 pm, edited 1 time in total.
 
Zoolander06
just joined
Posts: 22
Joined: Thu Jan 03, 2019 5:26 pm

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 3:56 pm

You can specify DHCP option set per DHCP network.
You're right, but I usually need all my phones to be on the same network.
I think I could make some subnets, maybe it would work, but it would be easier and more logical to set the options in the vendor class identifier matcher, or in the pool.

Thank you for answering me :)
 
kitit
just joined
Posts: 4
Joined: Mon Aug 03, 2015 11:13 am

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 4:25 pm

after the update to 6.45beta19 the wireless interface can no longer be found.

Model: SXT HG5 ac

Code: Select all

ROS Update, reboot
Wireless interface disappeared

Routerboot update, reboot
Wireless interface disappeared

reboot
Wireless interface disappeared

Log: DefConf gen: Unable to find Wireless interface(s)
RouterBOARD 962UiGS-5HacT2HnT

In Log: 15:26:21 script,warning DefConf gen: Unable to find wireless interface(s)

Wireless 5GHz not found in interafaces
 
User avatar
ArtursL
MikroTik Support
MikroTik Support
Posts: 6
Joined: Wed Jul 05, 2017 4:50 pm

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 7:21 pm

In RouterOS 6.45beta19 there is a known bug that 5GHz WLAN interface disappears. Affects only specific devices - those that have wireless 5GHz interface-type=Atheros AR9888.
Downgrading back to 6.45beta16 or earlier returns the interface.
Thank you Mikrotiker and kitit for reporting.
 
User avatar
honzam
Forum Guru
Forum Guru
Posts: 2287
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 7:42 pm

In RouterOS 6.45beta19 there is a known bug that 5GHz WLAN interface disappears. Affects only specific devices - those that have wireless 5GHz interface-type=Atheros AR9888.
Downgrading back to 6.45beta16 or earlier returns the interface.
Thank you Mikrotiker and kitit for reporting.
The same problem on AR5008 (711GA-5HnD). Please check it.
LAN, FTTx, Wireless. ISP operator
 
dhoulbrooke
newbie
Posts: 48
Joined: Sun Apr 19, 2015 7:24 am
Location: Whakatane, New Zealand

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 7:46 pm

Hi Arturs,

In RouterOS 6.45beta19 there is a known bug that 5GHz WLAN interface disappears. Affects only specific devices - those that have wireless 5GHz interface-type=Atheros AR9888.

The 5GHz interface disappears on the wAP ac also.
 
User avatar
arnis128
just joined
Posts: 3
Joined: Mon Aug 29, 2016 1:03 pm
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Sat Mar 23, 2019 11:50 am

Hi, all!
I can confirm, that 5ghz band does not work on RouterBOARD M33G with Athereros 5008 pci-e card installed.

Also upgrade of any of my mipsbe (mAP 2n,mAP L-2nD) platform fails, because ipv6 package is broken.
-----------------
Mar/23/2019 10:54:24 system,error broken package system-6.45beta19-mipsbe.npk
Mar/23/2019 10:54:24 system,error can not install ipv6-6.45beta19: system-6.45beta19 is not installed, but is required
Mar/23/2019 10:54:24 system,info router rebooted
-----------------
Arnis
 
korniza
newbie
Posts: 26
Joined: Fri Jan 06, 2012 4:05 pm

Re: v6.45beta [testing] is released!

Sun Mar 24, 2019 5:26 pm

Same here! I'm afraid this update killed my old rb751 :(
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Sun Mar 24, 2019 11:33 pm

Thanks for adding ECDSA certificates!
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
wispmikrotik
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Tue Apr 25, 2017 10:43 am

Re: v6.45beta [testing] is released!

Mon Mar 25, 2019 2:42 pm

Hi, all!
I can confirm, that 5ghz band does not work on RouterBOARD M33G with Athereros 5008 pci-e card installed.

Also upgrade of any of my mipsbe (mAP 2n,mAP L-2nD) platform fails, because ipv6 package is broken.
-----------------
Mar/23/2019 10:54:24 system,error broken package system-6.45beta19-mipsbe.npk
Mar/23/2019 10:54:24 system,error can not install ipv6-6.45beta19: system-6.45beta19 is not installed, but is required
Mar/23/2019 10:54:24 system,info router rebooted
-----------------
Arnis
Hi,

Same problem in a mAP Lite, after restarting and testing again to install the version this is installed correctly. Verified the correct installation.

Greeting
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue Mar 26, 2019 8:53 am

Version 6.45beta20 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta20 (2019-Mar-25 10:07):

Changes in this release:

*) certificate - made RAM the default CRL storage location;
*) ike1 - adjusted debug packet logging topics;
*) ipsec - fixed freshly created identity not taken in action;
*) lte - allow to specify URL for firmware upgrade "firmware-file" parameter;
*) sms - fixed long message parsing (introduced in v6.45beta19);
*) wireless - fixed 5GHz interface disappearing after upgrade (introduced in v6.45beta19);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Tue Mar 26, 2019 9:41 pm

Will this be fixed please so that EC certificates can be used for IPSec auth?
Thank you for this in beta 19!

( now support for ed25519 would be great too... hint hint... )
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 1:03 pm

Version 6.45beta22 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta22 (2019-Mar-29 08:37):

Changes in this release:

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);
*) certificate - added "key-type" field (CLI only);
*) certificate - fixed SAN being duplicated on status change (introduced in v6.44);
*) dhcpv6-server - added "address-list" support for bindings (CLI only);
*) export - fixed SMS "allowed-number" compact export (introduced in v6.45beta);
*) fetch - added SFTP support;
*) ike2 - prefer SAN instead of DN from certificate for ID payload;
*) ipsec - added support for RADIUS accounting;
*) ipsec - fixed policies becoming invalid after changing priority;
*) snmp - added OID for neighbor "interface";
*) snmp - added "write-access" column to community print;
*) snmp - allow setting interface "adminStatus";
*) ssh - fixed multiline non-interactive command execution;
*) ssh - improved session rekeying process on exchanged data size threshold;
*) supout - added "kid-control devices" section to supout file;
*) userman - updated authorize.net gateway DNS name;
*) w60g - prefer AP with strongest signal when multiple APs with same SSID present;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
eworm
Member
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 1:12 pm

*) fetch - added SFTP support;
Yes, can't wait to use this! Is there a way to use it with public key authentication?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
ludvik
Frequent Visitor
Frequent Visitor
Posts: 59
Joined: Mon May 26, 2008 4:36 pm

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 1:34 pm

will it be backported to versions 6.40.x and 6.43.x?
Version 6.45beta22 has been released.

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);
 
User avatar
maznu
Member Candidate
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK
Contact:

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 1:40 pm

will it be backported to versions 6.40.x and 6.43.x?
Version 6.45beta22 has been released.

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);
Sorry, but CVE-2018-19299 is not fixed in 6.45beta22.
Marek
 
marekm
Member Candidate
Member Candidate
Posts: 203
Joined: Tue Feb 01, 2011 11:27 pm

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 1:43 pm

What's new in 6.45beta22 (2019-Mar-29 08:37):

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);

*) w60g - prefer AP with strongest signal when multiple APs with same SSID present;
1. ipv6 - thanks for the CVE fixes, hope to see them in stable/long-term soon. Then, with this out of the way, please work on Delegated-IPv6-Prefix for PPPoE so many people can actually deploy IPv6 :)
2. w60g - does it try weaker APs in turn after it fails to connect to the strongest one? Could happen with wrong key, or exceeded limit of stations per AP (1 or 8 depending on license), or denied by MAC ACL (if ever implemented for w60g, as in 2.4/5GHz wifi).
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 1:53 pm

@markim the creator of the CVE states in the post above yours, that the first CVE 19299 was not fixed by this beta.

When Mikrotik is giving more info about this we will know if it is fixed in their eyes.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
marekm
Member Candidate
Member Candidate
Posts: 203
Joined: Tue Feb 01, 2011 11:27 pm

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 2:30 pm

The two posts were written at about the same time. I guess there will be another beta to test soon...
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 2:50 pm

Issues that were reported to Mikrotik have been fixed. Device no longer can be crashed. maznu, if you have any more details, please email support and explain what you meant.
No answer to your question? How to write posts
 
User avatar
ErfanDL
Member Candidate
Member Candidate
Posts: 276
Joined: Thu Sep 29, 2016 9:13 am
Location: IRAN
Contact:

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 4:38 pm

and when release for stable channel ?!
 
Farseer
just joined
Posts: 17
Joined: Sat Feb 09, 2019 11:25 pm

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 8:04 pm

@emils

Is the scenario sufficient for IPSec sa-dst/src-address hostname name usage?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8308
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 11:03 pm

and when release for stable channel ?!
As soon as it’s ready
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
kiler129
Member Candidate
Member Candidate
Posts: 227
Joined: Tue Mar 31, 2015 4:32 pm
Contact:

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 6:48 am

Is there any plans to address the 5Ghz interface crash on RB4011?
 
User avatar
strods
MikroTik Support
MikroTik Support
Posts: 1407
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 11:30 am

There were two IPv6 related issues resolved in this version:
1) IPv6 packet forwarding might get stuck (due to IPv6 route cache processing) that could lead to Watchdog reboot;
2) IPv6 neighbor table processing might get stuck (due to large neighbor table) that could lead to Watchdog reboot.

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.
 
jrpaz
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Wed Jun 05, 2013 5:54 am

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 3:28 pm

it can not be considered as a bug or vulnerability
That's not what they are saying here viewtopic.php?f=2&t=147048
They are talking about CCR's and CHR's crashing I don't know what more resources people need.
 
User avatar
maznu
Member Candidate
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK
Contact:

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 3:45 pm

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.
I agree with the technical assessment above: if someone else tries to reach 1 million hosts in your network and you have less than 500Mb of free RAM, then your router will crash.

I believe MikroTik produces five devices which are not vulnerable in the configuration as shipped by MikroTik if those devices are used as transit routers (i.e. with full BGP IPv4 and IPv6 tables loaded).
Marek
 
User avatar
maznu
Member Candidate
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK
Contact:

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 3:48 pm

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.
As a side note, now that MikroTik has publicly released full details about the vulnerability, I hope nobody is going to be worried about what I am presenting on April 9th. The content of the talk will not increase the risk to your networks.
Marek
 
jrpaz
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Wed Jun 05, 2013 5:54 am

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 3:50 pm

It's not on the security blog. I'm assuming it will be there sooner rather than later.
 
Samot
Member Candidate
Member Candidate
Posts: 109
Joined: Sat Nov 25, 2017 10:01 pm

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 5:31 pm

it can not be considered as a bug or vulnerability
That's not what they are saying here viewtopic.php?f=2&t=147048
They are talking about CCR's and CHR's crashing I don't know what more resources people need.
Actually there is at least one person in that thread that confirmed when taking their CHR from 300MB RAM to 3GB RAM the issue goes away. That does sound like a memory resource problem there. Let's just not assume that because they are running CHR they must have all the resources in the world. The youtube videos that were posted about this issue and showing the CHR crashing was a CHR with 256MB RAM. If people are saying their CCR's are crashing over this I would then ask, which model of the CCR? Because if it's the 1009 series, I could see it having an issue since it has 1GB RAM and this issue can eat up over 500MB on its own it could cause the CCR1009's to have issues.

Was anyone able to reproduce this on a CCR's that have 2-4GBRAM? Did this eat them up too?
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 12:37 am

Also, if Mikrotik RouterOS allows the cache to eat up more memory than what is available on the device, then that is a bug. Simply because the device knows what amount of ram it has to begin with. It should not be able to allow the device to allocate more ram than what it has or has available.

Not having that sort of limitation in there in the first place begs to be exploited. Shortsighted development.

/M
Communication is the beginning of understanding
-- AT&T
 
kiler129
Member Candidate
Member Candidate
Posts: 227
Joined: Tue Mar 31, 2015 4:32 pm
Contact:

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 3:56 am

The atmosphere here is becoming slightly toxic...

Like freaking really, how many of you worked with software as a developer? It’s very easy to say when you have very little clue how hard such problems are. I understand the frustration at the end effect, but it seems like MT is doing what they can to mitigate. Even though the device may know it’s memory its growth may not be as easy to predict as you think.

These IPv6 problems aren’t new or present really a huge danger with properly configured environment. If you expect a small router with 64MB of the memory to handle a lot of incoming connections you’re already in trouble with contrack.
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 4:08 am

These IPv6 problems aren’t new or present really a huge danger with properly configured environment. If you expect a small router with 64MB of the memory to handle a lot of incoming connections you’re already in trouble with contrack.

The issue here is, that the memory usage of the cache can't be limited by configuration .. (unless you switch ipv6 off) and that it basically can arbitrarily triggered by an external attacker which results in a DoS scenario as the router even stops forwarding traffic or constantly reboots triggered by watchdog while under attack (as far as I understand).

The other issue is, that Mikrotik has known and acknowledged, that this is an issue since March 2018 and has not done anything about it until now, where they've been told, that the exploit is to be known public.

/M
Communication is the beginning of understanding
-- AT&T
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 9:52 am

Version 6.45beta23 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta23 (2019-Apr-01 05:51):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.45:
----------------------
!) ipv6 - fixed soft lockup when forwarding IPv6 packets;
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table;
----------------------

Changes in this release:

*) ipsec - properly drop already established tunnel when address change detected;
*) ipv6 - adjust IPv6 route cache max size based on total RAM memory;
*) smb - fixed possible buffer overflow;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
nkourtzis
Member Candidate
Member Candidate
Posts: 204
Joined: Tue Dec 11, 2012 12:56 am
Location: Greece

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 9:59 am

There were two IPv6 related issues resolved in this version:
1) IPv6 packet forwarding might get stuck (due to IPv6 route cache processing) that could lead to Watchdog reboot;
2) IPv6 neighbor table processing might get stuck (due to large neighbor table) that could lead to Watchdog reboot.

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.

As a matter of fact, silently allowing any data structure to grow beyond the available system resources without any safegard or alternative mechanism in place, is a bug. Even more so, since the default is inappropriate for most of the devices in your product lineup.

-- EDIT: I just saw the new beta changelog. Thank you for fixing for IPv6! Does it also apply to the IPv4 route cache?
Passionate about networks
Enthusiastic about Mikrotik
MTCNA | MTCRE | MTCINE

No trees were killed to send this message,
but a large number of electrons were terribly inconvenienced.
 
rkj
just joined
Posts: 15
Joined: Sun Jun 11, 2006 7:38 pm

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 10:30 am

There were two IPv6 related issues resolved in this version:
1) IPv6 packet forwarding might get stuck (due to IPv6 route cache processing) that could lead to Watchdog reboot;
2) IPv6 neighbor table processing might get stuck (due to large neighbor table) that could lead to Watchdog reboot.

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.
Actually, it's. In networking cache-based forwarding has been considered harmful for reasons such as this problem, and replaced by topology-based forwarding. So it at least one the bugs shouldn't even exist. But even topology-based systems require neighbour tables, so this one needs to be managed both in size and in rate, while also managing rate of packets targeted at in progress neighbours.
 
User avatar
jprietove
Trainer
Trainer
Posts: 93
Joined: Fri Jun 03, 2016 3:00 pm
Location: Cádiz, Spain
Contact:

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 11:17 am

Version 6.45beta23 has been released.
What's new in 6.45beta23 (2019-Apr-01 05:51):
!) ipv6 - fixed soft lockup when forwarding IPv6 packets;
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table;
----------------------
Congratulations! I have tested this beta and I confirm that with 300 Mb RAM the router's memory doesn't fill. A CHR with 300 Mb of RAM with OSPF-v3 has 237 Mb of free-memory and during the attack it keeps on around 200 Mb.

Hopefully this fix will be in long-term and current branches soon.
 
User avatar
maznu
Member Candidate
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK
Contact:

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 12:08 pm

Congratulations! I have tested this beta and I confirm that with 300 Mb RAM the router's memory doesn't fill. A CHR with 300 Mb of RAM with OSPF-v3 has 237 Mb of free-memory and during the attack it keeps on around 200 Mb.

Hopefully this fix will be in long-term and current branches soon.
I concur.

I look forward to everyone being able to push this live, given that MikroTik has disclosed the nature of the vulnerability before making the fix available in the "bugfix" and "current" versions of RouterOS.
Marek
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1303
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 1:48 pm

Its not that your router will go down if you do not install a fix for IPv6 to your router.

You need IPv6 enabled.
You need some that know you are running IPv6.
You need someone targeting you with an attack.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
Erayd
just joined
Posts: 6
Joined: Mon Nov 09, 2015 9:59 pm

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 2:16 pm

You need someone targeting you with an attack.
Or targeting somebody else, but transiting your routers on the way. But you make good points. It's still a serious issue though.
 
ste
Forum Guru
Forum Guru
Posts: 1805
Joined: Sun Feb 13, 2005 11:21 pm

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 2:24 pm

Its not that your router will go down if you do not install a fix for IPv6 to your router.

You need IPv6 enabled.
You need some that know you are running IPv6.
You need someone targeting you with an attack.
Quite simple. Do a traceroute to a customer. Identify the BGP-Gateway. Start Attack. Any WISP doing not IPV6 now ?
You will find humans doing this just for fun.

We need the fix in the Long-Term Release ASAP.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1303
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 3:06 pm

You will find humans doing this just for fun.
That is true.
I installed Cowrie on port 22/23 (SSH and Telnet honeypot). Looking trough the logs 99.99% is automatic scripts that tries to install various stuff automatically, so lots of bots end little fun :)

80-90% of the SSH conections tries this:
direct-tcp connection request to ya.ru:80 from 0.0.0.0:0
Just to test if they can use SSH as proxy i guess. (99% uses ya.ru as a test server)
Some of the log:
New connection: 5.188.86.165:64944 (10.10.10.50:2222) [session: 42d69d743f2c]
Remote SSH version: 'SSH-2.0-Go'
login attempt [root/admin] succeeded
direct-tcp connection request to ya.ru:80 from 0.0.0.0:0
Connection lost after 0 seconds

New connection: 189.46.216.87:38040 (10.10.10.50:2223) [session: 8a47a991d959]
login attempt [root/1234] succeeded
enable
system
shell
sh
cat /proc/mounts; /bin/busybox LPPBJ
cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox LPPBJ
tftp; wget; /bin/busybox LPPBJ
dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s
/bin/busybox LPPBJ
rm .s; exit
Connection lost after 2 seconds

New connection: 46.48.231.3:43837 (10.10.10.50:2222) [session: ababf7a7cf75]
Remote SSH version: 'SSH-2.0-libssh2_1.8.1'
login attempt [root/root] failed
login attempt [root/admin] succeeded
/ip cloud print
ifconfig
uname -a
cat /proc/cpuinfo
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
echo Hi | cat -n
Connection lost after 33 seconds

New connection: 189.46.216.87:38040 (10.10.10.50:2223) [session: 8a47a991d959]
login attempt [root/1234] succeeded
enable
system
shell
sh
cat /proc/mounts; /bin/busybox LPPBJ
cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox LPPBJ
tftp; wget; /bin/busybox LPPBJ
dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s
/bin/busybox LPPBJ
rm .s; exit
Connection lost after 2 seconds

New connection: 46.48.231.3:43837 (10.10.10.50:2222) [session: ababf7a7cf75]
Remote SSH version: 'SSH-2.0-libssh2_1.8.1'
login attempt [root/root] failed
login attempt [root/admin] succeeded
/ip cloud print
ifconfig
uname -a
cat /proc/cpuinfo
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
echo Hi | cat -n
Connection lost after 33 seconds
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu Apr 04, 2019 12:31 pm

Version 6.45beta27 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta27 (2019-Apr-03 13:53):

Changes in this release:

*) dhcpv4-server - fixed commenting option for alerts;
*) dhcpv6-server - added "address-list" support for bindings (CLI only);
*) discovery - limit max neighbour count per interface based on total RAM memory;
*) discovery - improved neighbour's MAC address detection;
*) fetch - added SFTP support;
*) ipsec - fixed possible configuration corruption after import;
*) ipv6 - improved IPv6 neighbor table updating process;
*) rb2011 - removed "sfp-led" from "System/LEDs" menu;
*) ssh - added new "ssh-exec" command for non-interactive command execution;
*) ssh - fixed multiline non-interactive command execution;
*) wireless - added support for US FCC UNII-2 and Canada country profiles for LHG-5HPnD-US, RBLHG-5HPnD-XL-US and SXTsq5HPnD-US devices;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Apr 05, 2019 12:27 am

igmp-snooping is killing ipv6 connectivity, by not forwarding neighbor solicitation messages.
FF02:1:XXXX:XXXX isn't listed in MDB table, so no NS messages are exchanged between hosts.
This happens at least since beta22.
CCR1009-7G-1C-1S+ ROS6.45.2
 
davidzodelin
just joined
Posts: 1
Joined: Fri Sep 28, 2018 2:52 pm

Re: v6.45beta [testing] is released!

Fri Apr 05, 2019 2:27 am

*) wireless - added support for US FCC UNII-2 and Canada country profiles for LHG-5HPnD-US, RBLHG-5HPnD-XL-US and SXTsq5HPnD-US devices;

Please add support US FCC UNII-2 for RBSXT5nDr2 (SXT Lite 5)
 
erty
just joined
Posts: 1
Joined: Sat Apr 06, 2019 4:24 pm

Re: v6.45beta [testing] is released!

Sat Apr 06, 2019 4:32 pm

RouterOS 6.45beta27
When I set neighbor discovery interface to "!WAN" and then do "export" command I've see in console print:
/ip neighbor discovery-settings
set discover-interface-list=WAN
Without "!" symbol. But if I do "export verbose" it show me
set discover-interface-list=!WAN
It is not good in case of simple copy/paste exported settings
 
User avatar
eworm
Member
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Mon Apr 08, 2019 1:11 pm

*) fetch - added SFTP support;
Yes, can't wait to use this! Is there a way to use it with public key authentication?
Before we start discussing any advanced features... How does this work at all? Looks like mode=sftp is not a valid syntax for fetch.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5934
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.45beta [testing] is released!

Mon Apr 08, 2019 1:15 pm

@eworm with url=sftp://xxx.xx/
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 2:25 pm

Version 6.45beta31 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta31 (2019-Apr-12 10:29):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) conntrack - fixed "loose-tcp-tracking" parameter not taken in action (introduced in v6.44);
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcp - do not require lease and binding to have the same configuration for dual-stack queues;
*) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues;
*) dhcpv4-server - added "client-mac-limit" parameter (CLI only);
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters (CLI only);
*) dhcpv6-server - added "route-distance" parameter (CLI only);
*) dhcpv6-server - fixed binding setting update from RADIUS;
*) fetch - added SFTP support;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods (CLI only);
*) ipsec - added traffic statistics to "active-peers" menu (CLI only);
*) ipsec - general improvements in policy handling;
*) ipsec - replaced policy SA address parameters with peer setting;
*) ipsec - use tunnel name for dynamic IPsec peer name;
*) ipv6 - adjusted IPv6 route cache max size;
*) lte - fixed session reactivation on R11e-LTE in UMTS mode;
*) snmp - added "radio-name" (mtxrWlRtabRadioName) OID support;
*) ssh - added "both", "local" and "remote" options for "forwarding-enabled" parameter;
*) tunnel - removed "local-address" requirement when "ipsec-secret" is used;
*) userman - added support for "Delegated-IPv6-Pool";
*) userman - added support for "Delegated-IPv6-Pool" and "DNS-Server-IPv6-Address" (CLI only);
*) wireless - improved wireless country settings for EU countries;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 2:39 pm

----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------
Amazing news! Thanks!
CCR1009-7G-1C-1S+ ROS6.45.2
 
muetzekoeln
Member Candidate
Member Candidate
Posts: 142
Joined: Fri Jun 29, 2018 2:34 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 2:53 pm

Version 6.45beta31 has been released.

*) wireless - improved wireless country settings for EU countries;

Please explain!
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 2:59 pm

Not all frequency ranges had designation "indoor only" or "outdoor only". One range was incorrectly labeled, this is fixed now. 5250-5330 now is correctly marked as indoor.
No answer to your question? How to write posts
 
tangram
Member Candidate
Member Candidate
Posts: 132
Joined: Wed Nov 16, 2016 9:55 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 3:25 pm

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

Holy Jumpin' Jesus !
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 3:31 pm

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
 
Beone
Member Candidate
Member Candidate
Posts: 243
Joined: Fri Feb 11, 2011 1:11 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 4:06 pm

Not all frequency ranges had designation "indoor only" or "outdoor only". One range was incorrectly labeled, this is fixed now. 5250-5330 now is correctly marked as indoor.

is the impact purely cosmetic or also effectively changes frequency list allowed to use depending installation type indoor/outdoor?

what about passive probing indication for unii-1 band?
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 4:36 pm

Version 6.45beta31 has been released.
*) ipsec - replaced policy SA address parameters with peer setting;
A dream come true! :D
Version 6.45beta31 has been released.
*) ipsec - general improvements in policy handling;
*) ipsec - use tunnel name for dynamic IPsec peer name;
What, exactly, these two mean?
 
User avatar
pcunite
Forum Veteran
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 11:05 pm

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.
 
Jinaria
just joined
Posts: 2
Joined: Fri Apr 12, 2019 11:38 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 11:47 pm

Version 6.45beta31 has been released.
after upgrading RB3011 from Beta 27 to Beta 31, I was no longer been able to access the device by IP nor mac address via winbox or browser.
There was no error on the device display, dhcp server failed to assign any IP and setting manual ip address did not help either. So I reset the config and restored the backup config file, same issue.
The only solution was: downgrade to Beta 27 and restore the backup.
Last edited by Jinaria on Sat Apr 13, 2019 1:54 am, edited 1 time in total.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 12:41 am

An AC2 Lite TC ( RB 952-Ui-5ac2nD ) seems to have trouble with WiFi on beta 31.

- All ether* and wifi* are in a bridge
- wifi2 ( 5 GHz ) is in pseudo bridge mode - connects to upstream AC2
- wifi1 ( 2.4 GHz) is disabled
- ether1 feeds a notebook
- No firewall rules
- It's a basic wireless - to - wired bridge

The device is not able to obtain a DHCP client address - "searching...." which lasts forever. The few times it did work, ping to the upstream was very unstable - some took up to 2 seconds (normal is 1ms) and maybe 2/3 lost.

Did not occur on beta 27. I also updated Routerboard Firmware when updating from 27 to 31.

Reverting back to 6.44.2 "stable" immediately fixed the issue.

PS - looks very similar to the message above from @Jinaria, "after upgrading RB3011 from Beta 27 to Beta 31..."
 
huntermic
newbie
Posts: 40
Joined: Wed Oct 26, 2016 3:42 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 10:02 am

Version 6.45beta31 has been released.
after upgrading RB3011 from Beta 27 to Beta 31, I was no longer been able to access the device by IP nor mac address via winbox or browser.
There was no error on the device display, dhcp server failed to assign any IP and setting manual ip address did not help either. So I reset the config and restored the backup config file, same issue.
The only solution was: downgrade to Beta 27 and restore the backup.
I had the same issue on a RB4011, plugging pc in another port did the trick.
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 10:47 am

I hope they'll add an option to remove single SAs in the future.
CCR1009-7G-1C-1S+ ROS6.45.2
 
Jinaria
just joined
Posts: 2
Joined: Fri Apr 12, 2019 11:38 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 12:15 pm


I had the same issue on a RB4011, plugging pc in another port did the trick.
The issue on my RB3011 affects all of the ports, connecting to different port/switch didn't fix the issue for me.
 
korniza
newbie
Posts: 26
Joined: Fri Jan 06, 2012 4:05 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 2:49 pm

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My winbox is v3.18.
Anyone has same issue?
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 6:34 pm

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My winbox is v3.18.
Anyone has same issue?
Happens to me, too.
CCR1009-7G-1C-1S+ ROS6.45.2
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 644
Joined: Fri Nov 10, 2017 8:19 am

Re: v6.45beta [testing] is released!

Sun Apr 14, 2019 5:24 am

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My winbox is v3.18.
Anyone has same issue?
Happens to me, too.
By my experience, sometime, crash of winbox produces autosupout. If you get it, it would be good if you can send it to mikrotik support so they can fix it :)
 
korniza
newbie
Posts: 26
Joined: Fri Jan 06, 2012 4:05 pm

Re: v6.45beta [testing] is released!

Sun Apr 14, 2019 10:45 pm

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My winbox is v3.18.
Anyone has same issue?
Happens to me, too.
By my experience, sometime, crash of winbox produces autosupout. If you get it, it would be good if you can send it to mikrotik support so they can fix it :)
I just send the autosupport.rif. thank you for your advice
 
User avatar
eworm
Member
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Mon Apr 15, 2019 12:04 pm

*) lte - fixed session reactivation on R11e-LTE in UMTS mode;
I think this hit me a lot in the past... Hope this will make its way into next stable release.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
mkx
Forum Guru
Forum Guru
Posts: 2954
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Mon Apr 15, 2019 3:04 pm

I think this hit me a lot in the past... Hope this will make its way into next stable release.
Quite probably ... when 6.45 branch will be the stable branch.
BR,
Metod
 
User avatar
eworm
Member
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Mon Apr 15, 2019 3:07 pm

I think this hit me a lot in the past... Hope this will make its way into next stable release.
Quite probably ... when 6.45 branch will be the stable branch.
I hope for 6.44.3. :wink:
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
phin
just joined
Posts: 15
Joined: Mon Dec 04, 2017 11:25 pm

Re: v6.45beta [testing] is released!

Mon Apr 15, 2019 9:52 pm

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.
Oh man, that would be awesome!
 
UserDude
just joined
Posts: 1
Joined: Tue Apr 16, 2019 9:01 am

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 9:12 am


What's new in 6.45beta31 (2019-Apr-12 10:29):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
So this means wired 802.1x is now supported I guess. Any idea how we can configure this through CLI ?
Also is there a planned GUI support version of it coming soon ?
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 11:08 am

So this means wired 802.1x is now supported I guess. Any idea how we can configure this through CLI ?
Also is there a planned GUI support version of it coming soon ?
Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
CCR1009-7G-1C-1S+ ROS6.45.2
 
nostromog
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 7:06 pm

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration:
/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
After the upgrade, the CPU was 100%, most of it in ipsec, and / export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C it.

Same problem as before. :( The router was sluggish but I could select long-term and downgrade to 6.43.13.

Then the machine went up, but ssh was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I went in, re-ebabled it, rebooted and the following IPsec configuration appeared:
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
I copied away the ipsec config, which was broken in any case, and tried an experiment: remove all ipsec config, piece by piece
until /ip ipsec export would produce an empty comment. Then I upgraded to get:
* 6.44.2 (100% CPU, could not get /ip ipsec export working)
* 6.45beta31 (same, 100% CPU, could not get /ip ipsec export working).

Is RouterOS keeping all configs hidden somethere, or where is this 100% CPU spinning coming from?

I settled by returning to long term and reconstructing my ipsec config, changing it to xauth and adding users. It is now working well... I was trying to test ike2,
but instead I'm now stuck in long-term.

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Thanks for any help, things are getting messy in this router. Other routers are having no problems at all with ipsec/6.44/6.54beta. I have a production h AP ac running 6.44, as I'm afraid to update it and get the same behaviour
 
mkx
Forum Guru
Forum Guru
Posts: 2954
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 10:19 pm

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?
Almost certain way would be netinstall directly to desired ROS version. And then import config from textual export.
BR,
Metod
 
nostromog
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 11:50 pm

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?
Almost certain way would be netinstall directly to desired ROS version. And then import config from textual export.
I'm leaving the place where the machine that failed to upgrade yesterday is in a few hours, not to return in more than one month... I could upgrade/downgrade remotely, but certainly not netinstall.

The place where I'm running 6.44 and I don't dare upgrade is remote also, I might have an opportunity to get there and upgrade with possible netinstall in 2/3 months... Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures... I'll do more experiments in 5 weeks when I return here.

Unreliable upgrades are a big problem, I can't understand how deleting configuration still leds to failure to upgrade
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 12:52 am

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration:
/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
After the upgrade, the CPU was 100%, most of it in ipsec, and / export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C it.

Same problem as before. :( The router was sluggish but I could select long-term and downgrade to 6.43.13.

Then the machine went up, but ssh was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I went in, re-ebabled it, rebooted and the following IPsec configuration appeared:
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
I copied away the ipsec config, which was broken in any case, and tried an experiment: remove all ipsec config, piece by piece
until /ip ipsec export would produce an empty comment. Then I upgraded to get:
* 6.44.2 (100% CPU, could not get /ip ipsec export working)
* 6.45beta31 (same, 100% CPU, could not get /ip ipsec export working).

Is RouterOS keeping all configs hidden somethere, or where is this 100% CPU spinning coming from?

I settled by returning to long term and reconstructing my ipsec config, changing it to xauth and adding users. It is now working well... I was trying to test ike2,
but instead I'm now stuck in long-term.

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Thanks for any help, things are getting messy in this router. Other routers are having no problems at all with ipsec/6.44/6.54beta. I have a production h AP ac running 6.44, as I'm afraid to update it and get the same behaviour
Looks similar to the problem I had with 6.44. Bad news is, I had to netinstall to get rid of the broken parts, caused by the migration of configuration, when I up/down-graded the firmware.
viewtopic.php?f=21&t=145793&start=150#p719370
CCR1009-7G-1C-1S+ ROS6.45.2
 
ssbaksa
newbie
Posts: 28
Joined: Tue Oct 20, 2015 10:38 am

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 8:39 am

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
When dot1x become official, will it be applied to all switches (Router OS based as well as Switch OS)?
 
estdata
Frequent Visitor
Frequent Visitor
Posts: 99
Joined: Mon Feb 20, 2012 9:05 pm
Contact:

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 1:38 pm

Help me adjust the speeds so that the patch goes. I have a 500/500 connection but do not come through the RB2011 router
don't forget to give me karma if got help
....
 
User avatar
null31
Member Candidate
Member Candidate
Posts: 177
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 9:18 pm

Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures...

Connect your machine and router to an switch, then run netinstall with Wine as sudo and will work flawlessly.
I didn't had problems with netinstall on 3 mAP and all of them installed ROS on the first try with no fails.

I'm using wine 4.5 with staging patch.
 
EvgeniyV
just joined
Posts: 5
Joined: Sun Oct 28, 2018 5:49 pm

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 10:29 pm

I'm back to the future. Time bug in Interface - Last link time. See the attached picture.
My time zone GMT +3 , time update by cloud. Routerboard time (clock) is normal.
6.45beta22
mikrotik date bag.png
You do not have the required permissions to view the files attached to this post.
 
vikinggeek
just joined
Posts: 22
Joined: Sat Aug 02, 2014 4:14 am

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 9:47 am

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.
@pcunite - Can you provide a pointer to how to obtain the certificate? Currently, Still need to have the AT&T Modem attached while booting, but thereafter running directly on the fiber via the OSP port (behind a Cienna 5000 series building concentrator)
 
palii
just joined
Posts: 19
Joined: Sun Nov 19, 2017 6:57 pm

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 11:51 am

The command ssh-exec with rsa key pairs works like a charm shutting down my Synology now. Thanks a million!
 
nostromog
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 12:32 pm

Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures...
Connect your machine and router to an switch, then run netinstall with Wine as sudo and will work flawlessly.
I have no switch, I connected them straight, which gives perfect connection. Not sure if this could interfere with netinstall

I didn't had problems with netinstall on 3 mAP and all of them installed ROS on the first try with no fails.

I'm using wine 4.5 with staging patch.
I could not in a mAP Lite which I have as laboratory in several tries.

I used both wine-stable-3.0-1ubuntu1 and wine-development-3.6-1 on Ubuntu 18.04.2 LTS. I have not used windows in the last 15 years, so I might have made some mistake in either the windows stuff or how linux runs it.

I think the problems were due to being very tricky to handle connect power while hold-pushing the button for some time, with such small button, so close to the USB power, and my hand too big for such small piece.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 1:32 pm

Version 6.45beta34 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta34 (2019-Apr-18 08:59):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcp - do not require lease and binding to have the same configuration for dual-stack queues;
*) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues;
*) dhcpv4-server - replaced "busy" lease status with "conflict" and "declined";
*) dhcpv6-client - fixed status update when leaving "bound" state;
*) dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS;
*) e-mail - include "message-id" identification field in e-mail header;
*) ike1 - fixed rekeying process when NAT is detected (introduced in v6.45beta16);
*) ospf - added support for link scope opaque LSAs (Type 9) for OSPFv2;
*) ospf - improved "unknown" LSA handling in OSPFv3;
*) supout - changed IPv6 pool section to output detailed print;
*) tr069-client - added LTE CQI and IMSI parameter support;
*) tr069-client - fixed potential memory corruption;
*) winbox - fixed crash when opening CAPsMAN menu (introduced in v6.45beta27);
*) wireless - fixed "country-info" printing (introduced in v6.45beta27);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
pcunite
Forum Veteran
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 3:52 pm

dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.

@pcunite - Can you provide a pointer to how to obtain the certificate? Currently, Still need to have the AT&T Modem attached while booting, but thereafter running directly on the fiber via the OSP port (behind a Cienna 5000 series building concentrator)

It is discussed here (and elsewhere) based on the findings of this blog.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 11:54 pm

Anyone seeing trouble with IPSec in 6.45beta34?

I received a new RB 4011 today - updated to 6.45beta34 right away - rebuilt my config (copy / pasted snippets from .asc file, piece by piece).

My IPSec tunnels come (GRE, cert auth) come up partially to "SA established" on the server - and then get "deleted" from the RB 4011 side. And it repeats like this, with policy stuck as "no phase 2".

Tried switching from ECDSA to RSA certificates (I have a script) - no difference.

Downgraded to 6.44.2 - after fixing "local address" in polices (required in 6.44, can be left as 0.0.0.0/0 in 6.45) - they got to "established" immediately.

Upgraded to 6.45beta34 again - broken again.

Should I send a support request with supout.rif?

PS - one of my two *idential* tunnels - I mean they use same CA, just different "remote" certs - got to "established" once or twice without my doing anything. But disabling / re-enabling the policy brought the problem back.

PPS - changed SA proposal from aes128-ctr to aes256-gcm and now both policies / peers are working, I can disable / re-enable.

But I had them at aes256-gcm initially! Changed back to aes128-ctr and working again!

Seems like there is something funny going on in 6.45-31 maybe with programming the cpu according to encryption settings (both aes-ctr and aes-gcm are HW accel on this device).
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 3:56 am

After ugrading from beta31 to beta34, none of the ipsec tunnels work. Reverted back to b31.
CCR1009-7G-1C-1S+ ROS6.45.2
 
pawelkopec88
just joined
Posts: 9
Joined: Wed Mar 14, 2018 11:06 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:38 am

Anyone seeing trouble with IPSec in 6.45beta34?

I received a new RB 4011 today - updated to 6.45beta34 right away - rebuilt my config (copy / pasted snippets from .asc file, piece by piece).

My IPSec tunnels come (GRE, cert auth) come up partially to "SA established" on the server - and then get "deleted" from the RB 4011 side. And it repeats like this, with policy stuck as "no phase 2".

Tried switching from ECDSA to RSA certificates (I have a script) - no difference.

Downgraded to 6.44.2 - after fixing "local address" in polices (required in 6.44, can be left as 0.0.0.0/0 in 6.45) - they got to "established" immediately.

Upgraded to 6.45beta34 again - broken again.

Should I send a support request with supout.rif?

PS - one of my two *idential* tunnels - I mean they use same CA, just different "remote" certs - got to "established" once or twice without my doing anything. But disabling / re-enabling the policy brought the problem back.

PPS - changed SA proposal from aes128-ctr to aes256-gcm and now both policies / peers are working, I can disable / re-enable.

But I had them at aes256-gcm initially! Changed back to aes128-ctr and working again!

Seems like there is something funny going on in 6.45-31 maybe with programming the cpu according to encryption settings (both aes-ctr and aes-gcm are HW accel on this device).

I have same issue. But i have the ipsec static tunnels. GRE tunnel doesnt up. I have CCR1009 6.45beta34, the second site have is CCR1009 on 6.43.1. On IPsec peers I changed from IKE2 to main mode on both side. After that my GRE Tunnel going up.
 
pawelkopec88
just joined
Posts: 9
Joined: Wed Mar 14, 2018 11:06 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:40 am

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration:
/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
After the upgrade, the CPU was 100%, most of it in ipsec, and / export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C it.

Same problem as before. :( The router was sluggish but I could select long-term and downgrade to 6.43.13.

Then the machine went up, but ssh was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I went in, re-ebabled it, rebooted and the following IPsec configuration appeared:
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
I copied away the ipsec config, which was broken in any case, and tried an experiment: remove all ipsec config, piece by piece
until /ip ipsec export would produce an empty comment. Then I upgraded to get:
* 6.44.2 (100% CPU, could not get /ip ipsec export working)
* 6.45beta31 (same, 100% CPU, could not get /ip ipsec export working).

Is RouterOS keeping all configs hidden somethere, or where is this 100% CPU spinning coming from?

I settled by returning to long term and reconstructing my ipsec config, changing it to xauth and adding users. It is now working well... I was trying to test ike2,
but instead I'm now stuck in long-term.

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Thanks for any help, things are getting messy in this router. Other routers are having no problems at all with ipsec/6.44/6.54beta. I have a production h AP ac running 6.44, as I'm afraid to update it and get the same behaviour
Looks similar to the problem I had with 6.44. Bad news is, I had to netinstall to get rid of the broken parts, caused by the migration of configuration, when I up/down-graded the firmware.
viewtopic.php?f=21&t=145793&start=150#p719370
Change main mode frome IKE2 to main for example. Should be work. I think that on the newest beta IKE2 doesn't work
 
nescafe2002
Long time Member
Long time Member
Posts: 622
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:43 am

Please create a supout.rif as soon as you realize something is wrong and send it - with description of what you expected versus what happened instead - to support with supout.rif.

This instruction is posted in every release note:

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:55 am

Change main mode frome IKE2 to main for example. Should be work. I think that on the newest beta IKE2 doesn't work
I think changing IPSec settings (I tried crypto) makes it more likely to "estabilsh". But then it breaks again later (when the lifetime expires? happened while I was sleeping).

It's even funny - changing one tunnel's server settings from IKEv2 to v1 fixed both tunnels. Don't think it'll last though.

// RB 4011
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:58 am

Change main mode frome IKE2 to main for example. Should be work. I think that on the newest beta IKE2 doesn't work
I think changing IPSec settings (I tried crypto) makes it more likely to "estabilsh". But then it breaks again later (when the lifetime expires? happened while I was sleeping).

It's even funny - changing one tunnel's server settings from IKEv2 to v1 fixed both tunnels. Don't think it'll last though.

// RB 4011
Could be related to:
*) ike1 - fixed rekeying process when NAT is detected (introduced in v6.45beta16);
Funny thing, re-keying (when I trigger it from the server using swanctl --rekey) does work. But I'm using IKEv2 and there is no NAT.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1715
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.45beta [testing] is released!

Mon Apr 22, 2019 9:05 am

After upgrade of CRS125 it stopped to be visible in a neigherhood and for WinBox.
Real admins use real keyboards.
 
CharliesTheMan
just joined
Posts: 1
Joined: Mon May 14, 2018 11:22 pm

Re: v6.45beta [testing] is released!

Mon Apr 22, 2019 6:52 pm

I just had a similar problem. When updating to 6.45beta34 from the previous beta version, I lost IP config, IP address changed to 0.0.0.0 and checking for package updates in winbox brought up a DNS error, "Could not resolve DNS host name" and trying to load web pages brought me the same results. I tried restoring known working config and did not resolve anything. After downgrading back to 6.44.2 everything worked perfect immediately. It's definitely something related to beta34 because on previous 6.45beta (Ibelieve it may have been beta27) everything worked great.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue Apr 23, 2019 9:18 am

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Tue Apr 23, 2019 11:08 am

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.
emils - just to be clear about the bug's scenario:

My IPSec endpoints (Mikrotik client / strongSwan server) are not behind NATs. But they do use IKEv2 on port 4500.

Thank you.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue Apr 23, 2019 11:24 am

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Tue Apr 23, 2019 1:37 pm

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.
I sent a bug report with supout on Friday, April 19, 2019 8:49 AM (Moscow time). Don't have the ticket # sorry.

Looks like you already managed - but if you still need something, hopefully you can find it, or you can contact me off forum.
 
User avatar
DogHead
Member Candidate
Member Candidate
Posts: 194
Joined: Thu Jan 03, 2008 9:36 pm
Location: Anywhere you want me to be

Re: v6.45beta [testing] is released!

Thu Apr 25, 2019 4:49 pm

After upgrade to 6.45rc34 all ports in bridge disappeared. Cannot add them back as the system says they are still in a bridge. Will downgrade bac to rc31 which was working.
WOOF BANG!
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Apr 26, 2019 9:04 am

Version 6.45beta37 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta37 (2019-Apr-25 12:20):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
*) bridge - correctly add interface list as bridge port (introduced in v6.45beta34);
*) crs3xx - correctly handle switch reset (introduced in v6.45beta34);
*) ike2 - fixed first child SA generation (introduced in v6.45beta34);
*) ipsec - general improvements in policy handling;
*) lte - allow setting empty APN;
*) supout - added IPv6 ND section to supout file;
*) tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Fri Apr 26, 2019 10:18 am

Version 6.45beta37 has been released.

*) ike2 - fixed first child SA generation (introduced in v6.45beta34);
Confirming - appears fixed ( RB 4011, AC ^ 2 ).
 
extremej
just joined
Posts: 1
Joined: Fri Apr 26, 2019 2:37 pm

Re: v6.45beta [testing] is released!

Fri Apr 26, 2019 2:50 pm

can you add EAP-MSCHAPv2 to the authentication method list?
 
branto
just joined
Posts: 8
Joined: Mon Aug 21, 2017 2:03 am

Re: v6.45beta [testing] is released!

Mon Apr 29, 2019 4:19 am

Is there any word on when DHCPv6 Snooping will be available?
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri May 03, 2019 8:20 am

can you add EAP-MSCHAPv2 to the authentication method list?

Yes, it is coming as well.
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri May 03, 2019 12:27 pm

can you add EAP-MSCHAPv2 to the authentication method list?
Yes, it is coming as well.
Does this means that Mikrotik can be removed from the not supported router list at NordVPN and is going to use ike2 to connect?
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri May 03, 2019 12:42 pm

Hopefully, yes.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu May 09, 2019 2:06 pm

Version 6.45beta42 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta42 (2019-May-08 12:44):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) capsman - fixed interface-list usage in access list;
*) cloud - added "replace" parameter for backup "upload-file" command;
*) crs3xx - correctly handle switch reset (introduced in v6.45beta31);
*) defconf - added "custom-script" field that prints custom configuration installed by Netinstall;
*) defconf - automatically set "installation" parameter for outdoor devices;
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcpv4-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters (CLI only);
*) discovery - correctly create neighbors from VLAN tagged discovery messages;
*) discovery - show neighbors on actual mesh ports;
*) ethernet - increased loop warning threshold to 5 packets per second;
*) gps - make sure "direction" parameter is upper case;
*) gps - strip unnecessary trailing characters from "longtitude" and "latitude" values;
*) hotspot - moved "title" HTML tag after "meta" tags;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods (CLI only);
*) rb921 - improved system stability ("/system routerboard upgrade" required);
*) ssh - accept remote forwarding requests with empty hostnames;
*) ssh - improved remote forwarding handling (introduced in v6.44.3);
*) tr069-client - improved error reporting with incorrect firware upgrade XML file;
*) w60g - do not show unused "dmg" parameter;
*) w60g - show running frequency under "monitor" command;
*) winbox - show "LCD" menu only on boards that have LCD screen;
*) wireless - fixed frequency duplication in the frequency selection menu;
*) wireless - improved 160MHz channel width stability on rb4011;
*) wireless - improved installation mode selection for wireless outdoor equipment;
*) wireless - set default SSID and supplicant-identity the same as router's identity;
*) wireless - updated "china" regulatory domain information;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
buset1974
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v6.45beta [testing] is released!

Thu May 09, 2019 4:04 pm

when will you start to fix the problem with BGP and OSPF?

thx
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8308
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.45beta [testing] is released!

Thu May 09, 2019 5:01 pm

the problem with BGP and OSPF?
One problem with both protocols? Are you sure? :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Thu May 09, 2019 5:54 pm

After upgrading from beta31 to beta34-42, all IKEv2 PSK ipsec tunnels don't come up, getting Authentication failed in the logs (yes, psk is the same on both sides, hasn't been changed).
Downgrading to beta31 again resolves the issue.

16:50:20 ipsec notify: AUTHENTICATION_FAILED
16:50:20 ipsec,error got fatal error: AUTHENTICATION_FAILED
CCR1009-7G-1C-1S+ ROS6.45.2
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri May 10, 2019 9:34 am

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?
 
buset1974
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v6.45beta [testing] is released!

Fri May 10, 2019 9:59 am

the problem with BGP and OSPF?
One problem with both protocols? Are you sure? :)
still waiting, hope can fix soon in v6
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri May 10, 2019 5:58 pm

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?
Done. [Ticket#2019051022005463]
CCR1009-7G-1C-1S+ ROS6.45.2
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8308
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.45beta [testing] is released!

Fri May 10, 2019 6:46 pm

the problem with BGP and OSPF?
One problem with both protocols? Are you sure? :)
still waiting, hope can fix soon in v6
Waiting for what? A miracle?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
anuser
Member
Member
Posts: 397
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Fri May 10, 2019 10:05 pm

Is there an ETA for a bugfix for 5 GHz problem mentioned on viewtopic.php?f=7&t=148263?
 
Ulypka
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Wed Jan 09, 2013 8:26 am

Re: v6.45beta [testing] is released!

Sat May 11, 2019 12:07 am

I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
I started refusing from CCR wherever such an opportunity arises

And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it, which is even more important for you?
maybe another fix LCD?

even dlink's support is better.
 
mistry7
Forum Guru
Forum Guru
Posts: 1314
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: v6.45beta [testing] is released!

Sat May 11, 2019 3:56 pm

which is even more important for you?
maybe another fix LCD?
no, KidControl.......
 
User avatar
anthonws
just joined
Posts: 21
Joined: Sat Jan 09, 2016 6:46 pm

Re: v6.45beta [testing] is released!

Sat May 11, 2019 6:46 pm

I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
I started refusing from CCR wherever such an opportunity arises

And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it, which is even more important for you?
maybe another fix LCD?

even dlink's support is better.
A proper network admin likes watching graphs and stuff on an LCD :) Much more important than stability. Want stability, buy a Nintendo Switch. Nintendo is expert in stability updates! ahahaha

And Kids control in CCR is something very important! How would you control all of your employees?!?

Ahhh.... The joys of visiting this forum :) Priceless!
 
biatche
Member Candidate
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.45beta [testing] is released!

Sat May 11, 2019 11:18 pm

which is even more important for you?
maybe another fix LCD?
no, KidControl.......
I agree. KidControl needs major improvement, like the full removal of it.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Sun May 12, 2019 8:37 pm

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon May 13, 2019 2:10 pm

Version 6.45beta45 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta45 (2019-May-13 09:22):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
----------------------

Changes in this release:

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
*) conntrack - significant stability and performance improvements;
*) dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server;
*) firewall - fixed fragmented packet processing when only RAW firewall is configured;
*) gps - fixed missing minus close to zero coordinates in dd format;
*) wireless - improved installation mode selection for wireless outdoor equipment;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
R1CH
Forum Veteran
Forum Veteran
Posts: 896
Joined: Sun Oct 01, 2006 11:44 pm

Re: v6.45beta [testing] is released!

Mon May 13, 2019 2:36 pm

conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.
 
rzirzi
Member
Member
Posts: 378
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.45beta [testing] is released!

Mon May 13, 2019 2:39 pm

conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.
YES, We would like to know what exactly was changed?!
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon May 13, 2019 3:04 pm

There are no new features added with this conntrack fix as you are comparing to TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.
 
anuser
Member
Member
Posts: 397
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Mon May 13, 2019 4:04 pm

There are no new features added with this conntrack fix as you are comparing to TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.
What do you consider as large? How many connections are we talking about? 1000, 10000, 100000, 1000000?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5934
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.45beta [testing] is released!

Mon May 13, 2019 4:15 pm

It does not depend on specific number. You can consider large as 10k+
 
buset1974
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v6.45beta [testing] is released!

Mon May 13, 2019 5:26 pm

I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
I started refusing from CCR wherever such an opportunity arises

And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it, which is even more important for you?
maybe another fix LCD?

even dlink's support is better.
A proper network admin likes watching graphs and stuff on an LCD :) Much more important than stability. Want stability, buy a Nintendo Switch. Nintendo is expert in stability updates! ahahaha

And Kids control in CCR is something very important! How would you control all of your employees?!?

Ahhh.... The joys of visiting this forum :) Priceless!
Mikrotik must be aware that the product they have is not only a CPE, but they also have another advanced product with different purposed than CPE such as CCR, a quick fix on the underlying problem should be a priority without having to wait for version 7 which is never clear.
 
marcbou
just joined
Posts: 5
Joined: Tue Jul 03, 2018 11:19 am

Re: v6.45beta [testing] is released!

Mon May 13, 2019 9:00 pm

Had CHR 6.45beta42 and now beta45 running under ESXi VM as VPN gateway ipsec IKEv2 EAP username auth (via freeradius 3.0 on Debian Buster) with Let's Encrypt Signed certificate + fullchain.

Works with road warrior iOS, MacOS, and Windows 10 (where due to buggy VPN control panel it was necessary to add using PowerShell Add-VpnConnection -Name “vpn.domain.com" -ServerAddress "vpn.domain.com" -AuthenticationMethod "Eap" -EncryptionLevel "Maximum" -RememberCredential -TunnelType “Ikev2") .

Not working with Android clients (using https://play.google.com/store/apps/deta ... an.android .

Any tips towards getting Android working would be appreciated.

Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hopefully it will get fixed in the betas.

Relevant config portions are:

# may/13/2019 13:29:01 by RouterOS 6.45beta45
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface ipip
add name=ipsec-vpn
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1w name=proposal_1
/ip ipsec peer
add exchange-mode=ike2 name=peer_vpn passive=yes profile=proposal_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,3des lifetime=2d pfs-group=none
/ip pool
add name=vpn-pool ranges=10.11.22.10-10.11.22.190
/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=ipsec-modecfg-nosplit
/system logging action
set 0 memory-lines=5000
/ip address
add address=132.200.10.24/28 interface=ether1 network=132.200.10.16
add address=10.11.22.1/24 interface=ipsec-vpn network=10.11.22.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.0.0/16 list=rfc1918-private
add address=10.0.0.0/8 list=rfc1918-private
add address=172.16.0.0/12 list=rfc1918-private
add address=10.11.22.0/24 list=myvpn
add address=10.0.0.0/8 list=onnet
add address=192.168.0.0/16 list=onnet
add address=172.16.0.0/12 list=onnet
add address=132.200.10.0/24 list=onnet
/ip firewall nat
add action=src-nat chain=srcnat comment="My VPN public IP" dst-address-list=\
!onnet out-interface=ether1 src-address=10.11.22.0/24 \
src-address-list=rfc1918-private to-addresses=132.200.10.24
/ip ipsec identity
add auth-method=eap-radius certificate=\
vpn.domain.com.pem_0,fullchain.pem_0 generate-policy=port-strict \
mode-config=ipsec-modecfg-nosplit peer=peer_vpn
/ip ipsec policy
set 0 dst-address=10.11.22.0/24 src-address=0.0.0.0/0
/ip route
add distance=1 gateway=132.200.10.17
/ip service
set www-ssl certificate=vpn.domain.com.pem_0 disabled=no port=443
/radius
add address=132.200.10.22 secret=\
blahblahblah
add address=132.200.10.17
/system logging
add action=remote topics=!async,!debug,!snmp,!dns
add action=echo disabled=yes topics=l2tp,ipsec,certificate
add disabled=yes topics=ipsec,!packet
/system package update
set channel=testing
 
ckleea
newbie
Posts: 47
Joined: Sun Apr 21, 2013 12:19 pm

Re: v6.45beta [testing] is released!

Tue May 14, 2019 1:10 am

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
Similar issues encountered in my linux clients. When the network service restarts in linux, no ip address is assigned by routerOS DHCP server
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 14, 2019 7:36 am

Not working with Android clients (using https://play.google.com/store/apps/deta ... an.android .

Any tips towards getting Android working would be appreciated.

Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hopefully it will get fixed in the betas.
It would be better if you opened a new support ticket by sending an e-mail to support@mikrotik.com. Also please enable IPsec debug logs and generate a new supout.rif file each time the issue occurs (for example, an Android client failed to connect) and attach the file to the e-mail.
 
anuser
Member
Member
Posts: 397
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Tue May 14, 2019 8:11 am

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
Similar issues encountered in my linux clients. When the network service restarts in linux, no ip address is assigned by routerOS DHCP server
Have you already reported your findings to MikroTik support? (support@mikrotik.com)
 
mezzovide
just joined
Posts: 6
Joined: Tue Jun 11, 2013 8:02 am

Re: v6.45beta [testing] is released!

Tue May 14, 2019 1:58 pm

*) conntrack - significant stability and performance improvements;
Is this have something to do with multiple IPsec peers sometimes getting stuck after reboot / after public IP changes?
Because i have problems with multiple WAN ipsec peers (same dst peer with different routes) with different local loopback addresses attached, sometimes one of the connection stuck (most probably when public ip changes, i have dynamic public ip. or after a reboot). disabling/enabling peer works, or manually kill connection on the conntrack also works.
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released! IKEv2

Tue May 14, 2019 9:37 pm

Now mschapv2 is supported I tried to connect with IKEv2 to a VPN provider. This provider does not supply a certificate so I match on FQDN which is *.pointtoserver.com (the "*." needs to be there)

ip ipsec identity
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 peer=PureIKEv2 remote-id=fqdn:*.pointtoserver.com username=purevpnxxxxxxxxxxx
I get the error in the log that the AUTH NOT MATCH, peer failed to authorize: xx.xx.xx.xx[4500]-xx.xx.xx.xx[4500] spi: xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxx, send notify: AUTHENTICICATION_FAILED

I have tested it in windows 10 and with the same name and password and I can connect through IKEv2.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed May 15, 2019 9:45 am

msatter All EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible, that the CA certificate is already in the Trusted Windows Certificate store so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certificate is used on Windows and export it to RouterOS.

Also there is no wildcard support for remote-id fqdn field. I would suggest leaving the remote-id to auto.

mezzovide no, conntrack has nothing to do with it, however we have already fixes for your described issues in previous betas. Did you try the latest beta and can verify the issue is still present?
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed May 15, 2019 11:20 am

Thanks Emils. It is PureVPN and using PossitiveSSL (pointoserver.com / ptoserver.com) and that is the root certificate of Comodo which I tried.

I contacted support and they don't provide a certificate to connect as NordVPN is doing. I will a look at the current certificates in the windows store to see if can find the matching one.

Update: the certificate line
OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=PointtoServer.com

Update 2:
Beside the Comodo root cert I just tried the add Trust External CA Root, also to no avail.

Update 3
Found the PossitiveSSL CA 2 cert but that did also not work.

I searched on and it looks to me that in windows the needed certificate is included by Microsoft in its own certificate.

https://crt.sh/?caid=1455

Microsoft Trusted Root programme
https://docs.microsoft.com/en-us/securi ... quirements
Last edited by msatter on Wed May 15, 2019 7:56 pm, edited 2 times in total.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
mezzovide
just joined
Posts: 6
Joined: Tue Jun 11, 2013 8:02 am

Re: v6.45beta [testing] is released!

Wed May 15, 2019 5:17 pm

mezzovide no, conntrack has nothing to do with it, however we have already fixes for your described issues in previous betas. Did you try the latest beta and can verify the issue is still present?
Sure, I have some spare routers to do experiment with, will upgrade to beta tonight and see if it fixed my issues. Thanks.
Still need that to be fixed in production though, probably next year until 6.45 become long-term
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed May 15, 2019 11:26 pm

I am a bit further and I needed two certificates to be in the certificates box.

https://blogger.davidmanouchehri.com/2017/09/

Now I get twice the error that the [b]peer's ID does not match certificate[/b] and the line above that reads in the log: unable to get certificate CRL(3) at depth:0 SubjectName:/OU=domain Control Validated/OU=positiveSSL Multi-Domain/CN=*.pointtoserver.com

When I look in the certificates the CRL line is blank.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu May 16, 2019 10:48 am

Try setting the remote-id to ignore.
 
chubbs596
Frequent Visitor
Frequent Visitor
Posts: 51
Joined: Fri Dec 06, 2013 6:07 pm

Re: v6.45beta [testing] is released!

Thu May 16, 2019 1:02 pm

Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 644
Joined: Fri Nov 10, 2017 8:19 am

Re: v6.45beta [testing] is released!

Thu May 16, 2019 1:28 pm

Since you can't run any sort of binary which could misuse this vulnerability on your RouterOS, this is not really concern.
 
nostromog
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Thu May 16, 2019 2:40 pm

Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html
I think an accurate answer would be that RouterOS running on a x86 is not itself vulnerable, but the vulnerability could be exploited in the unlatched host or another VM to disclose RouterOS information.

Sent from my Redmi Note 5 using Tapatalk

 
chubbs596
Frequent Visitor
Frequent Visitor
Posts: 51
Joined: Fri Dec 06, 2013 6:07 pm

Re: v6.45beta [testing] is released!

Thu May 16, 2019 5:57 pm

Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html
I think an accurate answer would be that RouterOS running on a x86 is not itself vulnerable, but the vulnerability could be exploited in the unlatched host or another VM to disclose RouterOS information.

Sent from my Redmi Note 5 using Tapatalk
So only if it is CHR and the VM HOST is not patched could the CHR be expoilted?
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 644
Joined: Fri Nov 10, 2017 8:19 am

Re: v6.45beta [testing] is released!

Fri May 17, 2019 8:51 am

If we talk about bare metal, then RouterOS (x86) is vulnerable but there is practically no way to misuse the vulnerability because attacker can't run binary (and if attacker can run binary, it won't matter because your device is already compromised)

If we talk about VM, then RouterOS (CHR) vulnerability depends on its hypervisor which needs to be patched. Patching CHR wouldn't change anything because it does not control, how are processes assigned to cores.

In any case, nothing can be done from mikrotik's side
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri May 17, 2019 11:11 am

Try setting the remote-id to ignore.
I tried that and it still complains that it can't get local certificate from configuration and it not a dealbreaker and it goes on till it processes payloads: NOTIFY and then I get the error that the notify is TS_UNACCEPTABLE and the next line it is a got error:TS_UNACCEPTABLE

In Ipsec Policy the Src. Addres stayed on 0.0.0.0/0 to I put in IPsec Peer, my external IP address.

Update: I have started again and I have now mangaged to have an established connection. I have to manually enter the TS_I which is not automatically matched/taken over by RouterOS.

In Ipsec Policy I have to manually add the source address: 10.4.33.22 for that specific IKEv2 connection.


Update: I have it now working and writing this with a IKEv2 connection through PureVPN. I have still to adapt the manually generated Ipsec Policy and it a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several time going round and round the Src. Address match and the tunnel is made.
I can see the success when I get in the log get my IP and the two DNS IP addresses show and the tunnel is connected.

I hope that we also get a client in PPP for this because then we can run script to put the received IP into the NAT to make routing easy.

Update...again: so I finally discovered that I could use "template" to fix the TC_UNEXPECTED error and that works fine. The only problem is that the IP changes regular and that I have to adapt the SRC-NAT IP manually. I am route-marking the packets I want to through the IKEv2 connection (split horizon)

I could try to just put an IP address in or use my DNS to steady the changes.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
josep
just joined
Posts: 1
Joined: Sat May 18, 2019 8:52 pm

Re: v6.45beta [testing] is released!

Sat May 18, 2019 9:25 pm

Very good news about EAP support in IKEv2, please, we need EAP-AKA and EAP-AKA', with this, all Mikrotik routers can be used as basic ePDG, for a non-3GPP Access Networks. Next steps are GTP-U Tunneling support, but with EAP-AKA is good starting.

More info:

https://www.gsma.com/newsroom/wp-conten ... 1-v7.0.pdf
http://www.3gpp.org/ftp//Specs/archive/ ... 02-f10.zip
 
Tw0kings
just joined
Posts: 3
Joined: Fri Feb 02, 2018 11:29 am

Re: v6.45beta [testing] is released!

Sun May 19, 2019 9:12 pm

Im using BCP over L2TP. With latest beta builds it doesnt work. Didn´t have time to test what exactly doesnt work. Looks like DHCP over BCP, but maybe there is more.
In stable release all is working as it should.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon May 20, 2019 9:42 am

Update: I have it now working and writing this with a IKEv2 connection through PureVPN. I have still to adapt the manually generated Ipsec Policy and it a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several time going round and round the Src. Address match and the tunnel is made.
I can see the success when I get in the log get my IP and the two DNS IP addresses show and the tunnel is connected.
Check out the src-address-list parameter under mode-config.

https://wiki.mikrotik.com/wiki/Manual:I ... de_configs
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Mon May 20, 2019 10:22 am

Update: I have it now working and writing this with a IKEv2 connection through PureVPN. I have still to adapt the manually generated Ipsec Policy and it a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several time going round and round the Src. Address match and the tunnel is made.
I can see the success when I get in the log get my IP and the two DNS IP addresses show and the tunnel is connected.
Check out the src-address-list parameter under mode-config.

https://wiki.mikrotik.com/wiki/Manual:I ... de_configs
Thanks Emils, I tried that before and now again but it did not change the IP to on out of the range.....O I see there is a new line inserted into NAT. When I use different addresslists I can split horizon...I think.
Going to work that out late today or tomorrow.

Thanks again for the help in this.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Mon May 20, 2019 10:31 pm

I have tried now with addresslist and I can make a split horizon. The TS_I is given by PureVPN (10.4.48.178) for that fixed IP server. The only address in the addresslist (Marker) is not to be seen the log. The ST_R is 0.0.0.0/0.

The NAT is generated and then I have change my original source address to the one in address list so that can use MANGLE to split it up. The packetcount on the generated NAT line stays zero. I thought that I could use the address list IP address as an marker to have it src-nat to 10.4.48.178 but the Dst. Addresslist is !Addreslist so that having a marker goes out of the window.

So I think to have do a double NAT (cascade) and so going twice around and twice around back.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 21, 2019 12:58 pm

Version 6.45beta50 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta50 (2019-May-20 09:30):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) bridge - fixed port running state for non-ethernet interfaces (introduced in v6.45beta33);
*) ccr - improved packet processing after overloading interface;
*) crs3xx - added ethernet tx-drop counter;
*) crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305;
*) defconf - changed default configuration type to AP for cAP series devices;
*) dhcpv6-client - added option to disable rapid-commit (CLI only);
*) dhcpv6-server - added RADIUS accounting support with queue based statistics;
*) discovery - fixed CDP packets not including address on slave ports (introduced in v6.44);
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;
*) ike2 - fixed pre-shared-key authentication failure (introduced in v6.45beta34);
*) ike2 - improved certificate verification when multiple CA certificates received from responder;
*) ippool - improved logging for IPv6 Pool when prefix is already in use;
*) ipv6 - improved system stability when receiving bogus packets;
*) lte - improved firmware upgrade process;
*) ospf - fixed opaque LSA type checking in OSPFv2;
*) rb3011 - improved system stability when receiving bogus packets;
*) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);
*) snmp - improved reliability on SNMP service packet validation;
*) ssh - fixed non-interactive multiple command execution;
*) supout - added "pwr-line" section to supout file;
*) traceroute - improved stability when sending large ping amounts;
*) traffic-generator - improved stability when stopping traffic generator;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
freemannnn
Long time Member
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 4:07 pm

*) defconf - changed default configuration type to AP for cAP series devices;

this should be done also for wap series.
 
User avatar
rdelacruz
newbie
Posts: 34
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 4:33 pm

*) dhcpv4-server - added RADIUS accounting support with queue based statistics;


I tried to test it, but it's not working yet. Is it an added feature that works if we use RADIUS for accounting and lease?
 
TimurA
Member Candidate
Member Candidate
Posts: 186
Joined: Sat Dec 15, 2018 6:13 am
Location: Tashkent
Contact:

Re: v6.45beta [testing] is released!

Tue May 21, 2019 5:03 pm


*) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);
fine! thanks emils We are waiting for a stable branch.
Image
 
Ulypka
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Wed Jan 09, 2013 8:26 am

Re: v6.45beta [testing] is released!

Tue May 21, 2019 5:22 pm

*) ccr - improved packet processing after overloading interface;
Is this a fix for the problem 2018101022007579?
 
marekm
Member Candidate
Member Candidate
Posts: 203
Joined: Tue Feb 01, 2011 11:27 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 7:46 pm

*) ipv6 - improved system stability when receiving bogus packets;
Which CVE - a new one, or more fixes for the already known ones?
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 10:35 pm

*) dhcpv6-client - added option to disable rapid-commit (CLI only);
When you are working on dhcpv6-client: I would like to see an option in the client so that it does NOT save the obtained information in nonvolatile storage,
and/or to delete it when the interface goes down.

Reason: ISP uses the request for prefix to enable the route in their router/bras. When MikroTik client router reboots and still has stored a nonexpired lease it
will continue to use that when the first attempt to renew it fails (e.g. because PPPoE is not yet up after the reboot). But as the ISP has cleared the route,
IPv6 will not work until the router attempts to renew it (because it is expiring).

With this option the router will not have stored information about the lease and will try to obtain it immediately, so it will get it as soon as the interface comes up.
 
User avatar
rdelacruz
newbie
Posts: 34
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 10:50 pm

*) dhcpv4-server - added RADIUS accounting support with queue based statistics;


I tried to test it, but it's not working yet. Is it an added feature that works if we use RADIUS for accounting and lease?
Please confirm this. Thanks
 
User avatar
strods
MikroTik Support
MikroTik Support
Posts: 1407
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Wed May 22, 2019 6:34 am

rdelacruz - Please note that accounting will work only for those users which has a queue. Data for accounting is taken from queue statistics
 
bbs2web
Member Candidate
Member Candidate
Posts: 198
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: v6.45beta [testing] is released!

Wed May 22, 2019 6:45 am

*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;

Please could we have a little more detail regarding this change? We use raw 'no-track' rules extensively, to avoid packet loss on core routers and filtering appears to be working.

I assume this is a fix for a bug introduced in 6.45 development branch?
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed May 22, 2019 9:55 am

"no-track" is not the same as "accepted by RAW". It fixes a specific case when connection tracking is disabled, RAW firewall rules are accepting (sending to connection tracking) some traffic, but the firewall rules are invalid, because the connection tracking is disabled. The firewall rules should be working fine in this case.
 
MILONI
just joined
Posts: 1
Joined: Sat May 11, 2019 11:55 am

Re: v6.45beta [testing] is released!

Wed May 22, 2019 10:41 am

Configuration options for dot1x are now enabled. Hooray
 
Zito
just joined
Posts: 14
Joined: Tue Feb 19, 2013 11:41 pm

Re: v6.45beta [testing] is released!

Wed May 22, 2019 11:14 am

*) crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305;
If this was to fix the problem [Ticket#2019051422003403], then unfortunately without success:
1.PNG
2.PNG
You do not have the required permissions to view the files attached to this post.
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Wed May 22, 2019 1:42 pm

for some reason, my device isn't responding to SNMPv3 queries anymore, since I upgraded to beta50.
I'm using LibreNMS for monitoring my devices, also tried manually with snmpwalk -> no response.

EDIT:
[admin@CORE] /snmp community> pr d 
Flags: * - default 
 0 * name="librenms" addresses=::/0 security=private read-access=yes write-access=no authentication-protocol=SHA1 encryption-protocol=AES 
     authentication-password="mysecretpassword" encryption-password="anothersecretpassword" 
snmpwalk -a SHA -A mysecretpassword -l authpriv -u librenms -x AES -X anothersecretpassword 192.168.99.1
Timeout: No Response from 192.168.99.1

Code: Select all

15:37:39 snmp packet(v4) from: 192.168.2.111
15:37:39 snmp v3 user: librenms
15:37:39 snmp,debug unsupported v3 security level
15:37:39 snmp,packet 30 71 02 01 03 30 11 02 04 5b e1 da 3b 02 03 00
15:37:39 snmp,packet ff e3 04 01 07 02 01 03 04 31 30 2f 04 05 80 00
15:37:39 snmp,packet 3a 8c 04 02 01 00 02 01 04 04 08 6c 69 62 72 65
15:37:39 snmp,packet 6e 6d 73 04 0c 7a 37 32 ff d4 32 65 1f 54 e8 1d
15:37:39 snmp,packet 01 04 08 a1 62 da 91 4e 10 b8 7b 30 24 04 05 80
15:37:39 snmp,packet 00 3a 8c 04 04 00 a1 19 02 04 47 a1 60 24 02 01
15:37:39 snmp,packet 00 02 01 00 30 0b 30 09 06 05 2b 06 01 02 01 05
15:37:39 snmp,packet 00
15:37:39 snmp,debug v3 err: 0 unsupported security level
15:37:39 snmp,debug bad packet

same works perfectly on 6.44.3 and 6.45beta31, maybe it's related to this:
*) snmp - improved reliability on SNMP service packet validation;
Last edited by osc86 on Wed May 22, 2019 5:03 pm, edited 1 time in total.
CCR1009-7G-1C-1S+ ROS6.45.2
 
User avatar
rdelacruz
newbie
Posts: 34
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Wed May 22, 2019 3:41 pm

rdelacruz - Please note that accounting will work only for those users which has a queue. Data for accounting is taken from queue statistics
Yes, I'm aware of it. Are you referring to this queue?

Image

If yes, can you please confirm that this added feature will work if we use RADIUS for accounting and lease? Thanks
 
slackR
newbie
Posts: 32
Joined: Sat May 23, 2009 1:46 pm
Location: Buffalo, New York, USA
Contact:

Re: v6.45beta [testing] is released!

Thu May 23, 2019 1:31 am

I can also confirm snmpv3 does not work in 6.45rc50 with Observium or snmpwalk.
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Sat May 25, 2019 11:07 am

Update: I have it now working and writing this with a IKEv2 connection through PureVPN. I have still to adapt the manually generated Ipsec Policy and it a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several time going round and round the Src. Address match and the tunnel is made.
I can see the success when I get in the log get my IP and the two DNS IP addresses show and the tunnel is connected.
Check out the src-address-list parameter under mode-config.

https://wiki.mikrotik.com/wiki/Manual:I ... de_configs
I have it working with mode configs. I made a different setup because I could not use PCC on source port for distribute the traffic over multiple channels.
I have now two 760iGS in series (cascade) and router 1 is only doing PPPoE/encrypting/routing and the NAT for mode config. Router 2 is doing the rest except for what router 1 is doing now.

By separating the load I could increase the speed for IKEv2 from 70Mbits to 150Mbits and then Router 1 is then running at 100% and Router 2 is is running below 50% processor usage.

Sindy suggested to use IPIP to see if can run it on one router but I have see how that is going to be setup.

viewtopic.php?f=2&t=148651
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Sat May 25, 2019 12:25 pm

I can also confirm snmpv3 does not work in 6.45rc50 with Observium or snmpwalk.
@slackR Did you already open a ticket at Mikrotik Support?
CCR1009-7G-1C-1S+ ROS6.45.2
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 28, 2019 1:02 pm

Version 6.45beta54 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta54 (2019-May-24 07:51):

Important note!!!
Downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.


MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
!) user - removed insecure password storage;
----------------------

Changes in this release:

!) user - removed insecure password storage;
*) bridge - correctly display bridge FastPath status when vlan-filtering or dhcp-snooping is used;
*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
*) crs317 - fixed known multicast flooding to the CPU;
*) ike1 - general stability improvements (introduced in v6.45beta);
*) ike2 - added support for IKE rekeying for initiator;
*) ike2 - improved child SA rekeying process;
*) lte - added initial support for Vodafone R216-Z;
*) ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066);
*) winbox - added "System/SwOS" menu for all dual-boot devices;
*) www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 28, 2019 1:02 pm

osc86, SNMPv3 issues will be fixed in the next release.
 
ditonet
Forum Veteran
Forum Veteran
Posts: 839
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: v6.45beta [testing] is released!

Tue May 28, 2019 2:39 pm

Hello Emils,

Could You explain this?
!) user - removed insecure password storage;
Regards,
Grzegorz | MTCNA, MTCRE, MTCSE | konsultacje MikroTik Warszawa
It is a book about a Spanish guy called Manual. You should read it. - Dilbert
 
User avatar
eworm
Member
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Tue May 28, 2019 2:45 pm

Hello Emils,

Could You explain this?
!) user - removed insecure password storage;
Regards,
This is the final step for this changlog entry from 6.43:
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 28, 2019 2:46 pm

When we introduced the new hashing and encryption for user passwords in v6.43, we had to leave the old type of passwords for downgrade possibility. Now they are removed and only strong encrypted passwords are stored. Note that downgrading below 6.43 will cause all passwords to be blank.
What's new in 6.43 (2018-Sep-06 12:44):

*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
 
ditonet
Forum Veteran
Forum Veteran
Posts: 839
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: v6.45beta [testing] is released!

Tue May 28, 2019 3:04 pm

Thanks, completely forgot about it, it was a few months ago.

Regards,
Grzegorz | MTCNA, MTCRE, MTCSE | konsultacje MikroTik Warszawa
It is a book about a Spanish guy called Manual. You should read it. - Dilbert
 
rzirzi
Member
Member
Posts: 378
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.45beta [testing] is released!

Tue May 28, 2019 7:01 pm

* www - improved client-initiated renegotiation within the SSL and TLS protocols.
How to understand it? That mean http server (instance for hotspot) at RouterOS or via RouterOS to externat http server???
 
LeftyTs
Frequent Visitor
Frequent Visitor
Posts: 71
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece
Contact:

Re: v6.45beta [testing] is released!

Tue May 28, 2019 9:57 pm

First time I see tx-queue1-packet being used in a CRS326 switch. It was always the tx-queue0-packet all the time. The switch seems to work faster now in some tests I have done.
 
gurnec
just joined
Posts: 5
Joined: Wed Jul 14, 2010 9:42 pm

Re: v6.45beta [testing] is released!

Wed May 29, 2019 3:12 am

!) user - removed insecure password storage;
Could we get password hashes exported with the user accounts now please? E.g.:
[admin@gate] > /user export
# may/28/2019 20:15:28 by RouterOS 6.45
...
/user
add comment="system default user" group=full name=admin password_hash=<base64-encoded-hash>
...
 
rzirzi
Member
Member
Posts: 378
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.45beta [testing] is released!

Wed May 29, 2019 9:25 pm

*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
MikroTik team - could You explain? - please.
 
User avatar
eworm
Member
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Wed May 29, 2019 9:42 pm

*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
MikroTik team - could You explain? - please.
Let's hope this is not related to TLS protocol downgrade attacks...
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.45beta [testing] is released!

Thu May 30, 2019 4:23 pm

*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
MikroTik team - could You explain? - please.
Let's hope this is not related to TLS protocol downgrade attacks...
Let's hope it is? Better to find, and close, than to leave it open...
 
rzirzi
Member
Member
Posts: 378
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.45beta [testing] is released!

Thu May 30, 2019 4:51 pm

We ask, We hope, but MiktoTik... is silent...
 
User avatar
rdelacruz
newbie
Posts: 34
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Thu May 30, 2019 7:09 pm

We ask, We hope, but MiktoTik... is silent...
+1
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Fri May 31, 2019 10:20 am

This article now describes the new security measures in v6.45 and newer:
https://wiki.mikrotik.com/wiki/Manual:Security
*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
This issue fixes DoS possibility in Webfig, related to CVE-2011-1473. We will update the changelog, CVE was not included by mistake.
No answer to your question? How to write posts
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Fri May 31, 2019 11:11 am

We ask, We hope, but MiktoTik... is silent...
In many countries Thu May 30 was a holiday. Some businesses are closed on friday (today) as well.
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Sun Jun 02, 2019 6:42 pm

I am now using IKEv2 peer to connect to a VPN provider. I have the problem that the connection is rebuild and that old connection stays in the connection table. I am using a ping to test it and I get a timeout till I remove that connection out of the connection table. I thought that dead-peer-detection would help but it did not even not on 1 sec 1 failure.
The lifetime provided by the provider is 30 minutes.

So I made a schedule to remove those inactive connections which don't timeout in connections.
:local ip "XXX.XX.XX.X";
:local con "IKEV2";
:local addressPOLICY  [/ip ipsec policy get [find where peer="$con"] value-name=src-address];
:local addressCONTRACK [/ip firewall connection get [find where src-address="$ip"] value-name=reply-dst-address];
:local address ("$addressCONTRACK".""."/32")
:if ("$addressPOLICY" != "$address")  do={ /ip firewall connection remove [find where src-address="$ip"]; :log info "Removed $con address $addressCONTRACK who became stuck in connection tracking"};

The src-address is a static address that is used as 'marker' to have the generated dynamic NAT line triggered. For each IKEv2 connection I have a separate static address.

Can I set something in the setting so I don't have that schedule every second?

Update:

I disabled the schedule and tried to tip the IKEv2 connection out of balance by disabling and enabling PPPoE and flush and retart Peers but it stayed up. So I am going to run without the schedule to see if it still runs in 30 minutes or more.

Update 2:

Observation, all worked while the unused tunnel connection switched of by themselves and the ping tunnel stayed op. I made a new request through calling a speed-test page and all connections were made including a new one for the ping connection. The old connection line went down to 6-5 seconds timeout and then went up to 9 seconds while there is no connection matching it.

So I can tip it out of balance and I see it again timing out so I reactivate the schedule.

Update 3

This seems to be only happening when running a constant PING through the IKEv2 connection. I have also updated the script to be more flexible and working correctly. ;-)
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
cse2012
just joined
Posts: 12
Joined: Tue May 15, 2012 7:13 am

php api login failure at 6.45beta54

Mon Jun 03, 2019 9:31 am

php api login failure at 6.45beta54.

Login failed, incorrect username or password.
please confirm.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: php api login failure at 6.45beta54

Mon Jun 03, 2019 11:56 am

php api login failure at 6.45beta54.

Login failed, incorrect username or password.
please confirm.
You need to update your scripts (the logon method). You could have done that earlier.
 
cse2012
just joined
Posts: 12
Joined: Tue May 15, 2012 7:13 am

Re: php api login failure at 6.45beta54

Mon Jun 03, 2019 2:49 pm

php api login failure at 6.45beta54.

Login failed, incorrect username or password.
please confirm.
You need to update your scripts (the logon method). You could have done that earlier.
thank you. ^^
https://github.com/BenMenking/routeros- ... .class.php
 
kugla007
just joined
Posts: 5
Joined: Thu Mar 29, 2018 12:43 pm

Re: v6.45beta [testing] is released!

Mon Jun 10, 2019 2:47 pm

Hi,

I'm testing wired dot1x with NPS. Is it possible to put the interface in a "guest" VLAN if 802.1x authentication fails?

In my example the devices/users that authenticate successfully are put in Corporate VLAN (let's say VLAN10). And I'd like to put all other devices/user into the "guest" VLAN (let's say VLAN20). When devices successfully authenticate they are put into VLAN10. If I connect an unauthorised device (a computer that is not in our domain, doesn't have 802.1 ethernet enabled on their NIC) nothing happens. Port is UP but no MAC is added to the MAC table (/interface bridge hosts print). I tried configuring the port in VLAN20 access statically but nothing happens either.

Is this something that's not yet implemented? Will this be added in a future release?
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon Jun 10, 2019 3:09 pm

No, it is not possible at the moment. Please post your request to this thread. We are monitoring the feature requests and will implement them in future updates.

viewtopic.php?f=1&t=128439
 
LeftyTs
Frequent Visitor
Frequent Visitor
Posts: 71
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece
Contact:

Re: v6.45beta [testing] is released!

Mon Jun 10, 2019 3:19 pm

I am still having problems with ethernet ports of a CRS326 switch. It happened again twice in the same port the past week. A 10Mbit half duplex port, only 2 meters away from the switch, stopped from responding to IPv4 pings and I had to disable and enable the port twice within a week in order to come back to life. I have send the supout of the switch a few minutes ago. At least now I don't have to reboot the switch to start working again.
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 2:53 pm

It is now quiet around the beta and using now the new IKEv2 EAP possibilities for a time, I want to made a suggestion how to direct traffic using policy routing. I am now using a second router to take care of PPPoE and IKEv2 as those two are bound together more or less.
I set in the 'inside' router through NAT the source address of the traffic and marking/tagging it so that in the outer router (PPPoE/IKEv2) it can be caught by the dynamic generated NAT for that specific IKEv2 traffic. This way I can have multiple IKEv2 providers/connections.
This is done by setting in IPSEC in mode config the name of the address-list containing the source address I set in through NAT on the inner router.

This is all fine but I have now a double NAT for that traffic and two routers handling that traffic.

I am using policy routing with other VPN connections and so only needing a single NAT for the traffic.

My request/suggestion is to enable a extra field in IPSEC mode config containing the name of the router mark for policy routing. Mangle is used to mark the routing that is intended to go through the router and if entered also in mode config then there is a dynamic NAT line generated on UP and removed on DOWN.

When nothing is entered in mode config then there is not dynamic NAT rule generates as is the case now.
If an address list name is entered then a dynamic NAT line is generated, matching on the list name and source address and not destination address as is the case now.
If the new field with the name of the routing mark is filled then a new dynamic NAT line is generated with only matching on that routing mark.

You can even think about interpreting source address and router mark if both are present but that will no immediate use in my eyes.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 2:57 pm

msatter we have already plans for such feature. But connection marks will be used instead of routing marks.
 
User avatar
eworm
Member
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 4:33 pm

msatter we have already plans for such feature. But connection marks will be used instead of routing marks.
Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
Sob
Forum Guru
Forum Guru
Posts: 4676
Joined: Mon Apr 20, 2009 9:11 pm

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 8:55 pm

I hope I'm not missing the point, but isn't this IKEv2 & policy routing something that would be best solved by what's known as route/interface-based VPN, VTI, etc? I remember it used to be popular request here few years ago. If I understand it correctly, Linux implementation provides interfaces for IPSec connections, but internally it's still regular policy-based tunnels (often with 0.0.0.0/0 on both sides, but it can be anything). And some marks transparently assigned to outgoing traffic via that interface (it basically serves as additional filter for policy) are used to control what traffic it will actually apply to. So this should nicely cover the use case for multiple outgoing IPSec connections (like popular commercial VPN services). But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
User avatar
eworm
Member
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 9:14 pm

That would be even more welcome. :D
However I thing Mikrotik has its reasons to do it one way, not the other. I am happy either way.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1818
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya
Contact:

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 12:08 am

I hope I'm not missing the point, but isn't this IKEv2 & policy routing something that would be best solved by what's known as route/interface-based VPN, VTI, etc? I remember it used to be popular request here few years ago. If I understand it correctly, Linux implementation provides interfaces for IPSec connections, but internally it's still regular policy-based tunnels (often with 0.0.0.0/0 on both sides, but it can be anything). And some marks transparently assigned to outgoing traffic via that interface (it basically serves as additional filter for policy) are used to control what traffic it will actually apply to. So this should nicely cover the use case for multiple outgoing IPSec connections (like popular commercial VPN services). But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.
Mikrotik support have acknowledged the VTI request, but said it requires a newer kernel.

They will revisit the request once v7 beta is out.
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 11:11 am


Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemented in version 7.
 
User avatar
eworm
Member
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 11:47 am

No rc versions this time?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 12:07 pm

But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.
Well, I remember the days when all Linux systems did that, but it was changed because others (BSD, Cisco) were not using separate interfaces but only those policies.
I always considered it a bad move. Dedicated interfaces for IPsec traffic were so much clearer.
Apparently later (and currently) the option to use interfaces was re-introduced, but today I am not using plain Linux systems as routers anymore so I lost track of that.

Whenever possible, I use a tunnel over IPsec transport. I use GRE because it has some other use cases, but you can use IPIP too.
In fact, IPIP over IPsec transport is almost the same as an IPsec tunnel at the protocol layer. I.e. there is no extra overhead.
But of course this can only be done when you manage both ends, as they cannot be interconnected.
 
bnw
just joined
Posts: 10
Joined: Thu Jun 13, 2019 5:56 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 6:02 pm

One thing I would like to see in 6.45 is some hardware SNMP improvement for the CCR1072.
As stated in ticket #2019032822004818, many hardware OIDs are missing for this device, compared to what Winbox shows :
- Board temperature
- Board temparature 2
- Fan speed 3
- Fan speed 4
- PSU1 status (should be OID .15 (*))
- PSU2 status (should be OID .16 (*))
(*) as seen on other models such as the CRS317-1G-16S+.

We are then clearly at risk with our CCR1072-1G-8S+, not being able to monitor all their hardware components, which is a rather tricky situation for core devices.

I found other topics complaining about this : viewtopic.php?f=1&t=143899 / viewtopic.php?f=2&t=117322

Many thanks for your support Mikrotik dev' team !
 
LynxChaus
just joined
Posts: 24
Joined: Tue Jul 08, 2014 2:24 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 8:26 pm


*) tr069-client - added LTE CQI and IMSI parameter support;
Why only in tr069? Export in SNMP too, with all other info.
 
LeftyTs
Frequent Visitor
Frequent Visitor
Posts: 71
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece
Contact:

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 12:32 am

One thing I would like to see in 6.45 is some hardware SNMP improvement for the CCR1072.
As stated in ticket #2019032822004818, many hardware OIDs are missing for this device, compared to what Winbox shows :
- Board temperature
- Board temparature 2
- Fan speed 3
- Fan speed 4
- PSU1 status (should be OID .15 (*))
- PSU2 status (should be OID .16 (*))
(*) as seen on other models such as the CRS317-1G-16S+.

We are then clearly at risk with our CCR1072-1G-8S+, not being able to monitor all their hardware components, which is a rather tricky situation for core devices.

I found other topics complaining about this : viewtopic.php?f=1&t=143899 / viewtopic.php?f=2&t=117322

Many thanks for your support Mikrotik dev' team !
+1
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1303
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 12:46 am

If you can see this system info in the cli, you can easily send it out to a monitor system using script and Syslog.

I have stopped using SNMP, since for every new unit I setup, I have to tell the system that there are a nye Router/Switch, or have a program that scan a net. Scanning net does not work it the router are spread around in many net.

Using Sylog is easy. Just add a script to the router when you are setting it up. It will then call home with all info you need.

Look at my Mikrotik for Splunk in my signature.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
bnw
just joined
Posts: 10
Joined: Thu Jun 13, 2019 5:56 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 1:31 am

If you can see this system info in the cli, you can easily send it out to a monitor system using script and Syslog.
We use SNMP for all our (network) devices from our enterprise monitoring & reporting solution, I think as many other companies.
We simply can't rely on workarounds.
We then expect Mikrotik to complete the SNMP tree for the CCR1072 hardware components, to have something reliable.
Thank you anyway !
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 8:37 am

Version 6.45beta62 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta62 (2019-Jun-13 10:13):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
!) user - removed insecure password storage;
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
*) bridge - correctly handle bridge host table;
*) capsman - fixed CAP system upgrading process for MMIPS;
*) certificate - added "key-type" field;
*) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1);
*) crs3xx - fixed "tx-drop" counter;
*) defconf - fixed channel width selection for RU locked devices;
*) dhcpv4-server - added "client-mac-limit" parameter;
*) dhcpv6-client - added option to disable rapid-commit;
*) dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time";
*) dhcpv6-server - added "address-list" support for bindings;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters;
*) dhcpv6-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "route-distance" parameter;
*) e-mail - properly release e-mail sending session if the server's domain name can not be resolved;
*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity;
*) ipsec - added "ph2-total" counter to "active-peers" menu;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
*) ipsec - added traffic statistics to "active-peers" menu;
*) ipsec - disallow setting "src-address" and "dst-address" for transport mode policies;
*) ipsec - renamed "remote-peers" to "active-peers";
*) ltap - renamed SIM slots "up" and "down" to "2" and "3";
*) lte - added passthrough interface subnet selection;
*) lte - fixed LTE interface running state on RBSXTLTE3-7 (introduced in v6.45beta);
*) m33g - added support for additional Serial Console port on GPIO headers;
*) routerboard - renamed 'sim' menu to 'modem';
*) snmp - fixed "send-trap" not working when "trap-generators" does not contain "temp-exception";
*) snmp - improved reliability on SNMP service packet validation;
*) winbox - added "System/SwOS" menu for all dual-boot devices;
*) winbox - do not allow setting "dns-lookup-interval" to "0";

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
andriys
Forum Guru
Forum Guru
Posts: 1179
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 10:58 am

*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
Will it also work for "rsa-signature-hybrid"?
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 11:43 am

Does anyone knows where to find this setting? I am looking for it for years now.

*) winbox - do not allow setting "dns-lookup-interval" to "0";

Many support mails about addresslists and DNS timings but this was never mentioned to me. I have now a limiter only for DNS so that when there is no upstream DNS it will not flood my local DNS server with countless resolve requests.

Update:
Found it on a Polish site and it a setting not applying to what I was looking for.

So the limiter and drop line stays active.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
anuser
Member
Member
Posts: 397
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 2:05 pm

Version 6.45beta62 has been released.
*) bridge - correctly handle bridge host table;
What kind of issue was there actually?
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 2:42 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
CCR1009-7G-1C-1S+ ROS6.45.2
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 5:38 pm

Please implement "advertise-local-dns" option in IPv6 ND that makes router advertise the local address (same as gateway) as DNS server, instead of the IPv6 DNS servers configured in /ip dns.
(to make IPv6 systems use the local DNS resolver instead of going directly to the ISP DNS servers)

This is necessary to make locally configured DNS static names visible to IPv6 capable clients.
 
raffav
Member Candidate
Member Candidate
Posts: 288
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 5:46 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part need to be rebuild, for betther debugging
 
User avatar
Cha0s
Forum Veteran
Forum Veteran
Posts: 901
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 2:18 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1
 
Florian
Frequent Visitor
Frequent Visitor
Posts: 67
Joined: Sun Mar 13, 2016 9:45 am
Location: France

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 7:29 pm

Please implement "advertise-local-dns" option in IPv6 ND that makes router advertise the local address (same as gateway) as DNS server, instead of the IPv6 DNS servers configured in /ip dns.
(to make IPv6 systems use the local DNS resolver instead of going directly to the ISP DNS servers)

This is necessary to make locally configured DNS static names visible to IPv6 capable clients.
You can do this :

viewtopic.php?t=132657

That's what I do, it's working.
- Sorry for my english -
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 10:11 pm

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
 
LeftyTs
Frequent Visitor
Frequent Visitor
Posts: 71
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece
Contact:

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 3:23 am

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part need to be rebuild, for betther debugging
For better debugging and analysis you should consider sending to a remote log server. Makes life much easier.
 
pawelkopec88
just joined
Posts: 9
Joined: Wed Mar 14, 2018 11:06 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 10:34 am

Hi,

HW Offloading doesnt work on HAP AC on RouterBOARD 962UiGS-5HacT2HnT ROS 6.45beta62 . On stable Stable 6.44.3 HW Offloading is working. I was send an email to your support with rif files
You do not have the required permissions to view the files attached to this post.
 
User avatar
eworm
Member
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 11:25 am

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch...
Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and does not get this specific setting.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
TimurA
Member Candidate
Member Candidate
Posts: 186
Joined: Sat Dec 15, 2018 6:13 am
Location: Tashkent
Contact:

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:06 pm

Good job 6.45beta62! wifi 5ghz, 2 days running without crashing on RB4011.
Image
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:50 pm

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch...
Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and does not get this specific setting.
~85% of our users have Android. then maybe 10% Apple and 5% Windows.

I think it should not be that difficult to add an option to have ND advertise the local address (same as it advertises for gateway) as DNS server instead of the IPv6 addresses configured in /ip dns.
And when at that, also have some option in the DHCPv6 server to do the same thing. Other changes in DHCPv6 are in the changelist so apparently someone is working on it.
In the DHCPv4 server there is a field to specify own DNS servers and even a special checkmark to suppress the automatic advertisement of DNS servers... why not in IPv6?
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:54 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part need to be rebuild, for betther debugging
For better debugging and analysis you should consider sending to a remote log server. Makes life much easier.
Well, I agree that when you are running a lot of tunnels and you try to debug one of them, enabling packet-level debugging makes a terrible mess and/or load, even with remote log server.
It could be useful to have some option to enable ipsec debug logging for a single peer, preferably not by filtering but by only logging for that specific peer.
 
User avatar
rdelacruz
newbie
Posts: 34
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 2:21 am

rdelacruz - Please note that accounting will work only for those users which has a queue. Data for accounting is taken from queue statistics
Yes, I'm aware of it. Are you referring to this queue?

Image

If yes, can you please confirm that this added feature will work if we use RADIUS for accounting and lease? Thanks
Have you successfully tested this one?
 
EdPa
MikroTik Support
MikroTik Support
Posts: 28
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga
Contact:

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 11:36 am

Version 6.45beta62 has been released.
*) bridge - correctly handle bridge host table;
What kind of issue was there actually?
Under some occasions, hosts did not timed out correctly. Now bridge will make sure hosts are removed.
 
toxmost
just joined
Posts: 3
Joined: Tue Jun 18, 2019 7:25 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 7:34 pm

Hello!
I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
IP address receive via DHCP. ALL WORK GREAT! ---> firmware 6.44.3

If im update firmware to 6.45beta62, SFP module have status "link ok", but DHCP address not received, DHCP client all time in status "searching", packet (in module window) TXed, but not RXed.

Can you fix it?

Thank you.
 
Boomish
just joined
Posts: 5
Joined: Wed Jun 05, 2019 12:07 am

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 8:40 pm

Can we get the ability to define an ip instead of using the detected IP for ip cloud ddns updates.
I'd like the ability to force the update before i deploy the unit to the field on it's static ip.


It would also be handy if we could force delete a published DDNS Record.
 
mkx
Forum Guru
Forum Guru
Posts: 2954
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 9:12 pm

Can we get the ability to define an ip instead of using the detected IP for ip cloud ddns updates.
I'd like the ability to force the update before i deploy the unit to the field on it's static ip.


It would also be handy if we could force delete a published DDNS Record.
Ability to define IP address would bring in all sorts of problems, probability of mis-configuration is just too big.
And, BTW, what benefit would one get by having DDNS configured before unit was up&running instead a minute or two later?

It's been explained that DDNS record gets removed when DDNS is disabled on the unit (but it needs internet connectivity at zhat time).
BR,
Metod
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 11:25 pm

Hello!
I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
IP address receive via DHCP. ALL WORK GREAT! ---> firmware 6.44.3

If im update firmware to 6.45beta62, SFP module have status "link ok", but DHCP address not received, DHCP client all time in status "searching", packet (in module window) TXed, but not RXed.

Can you fix it?

Thank you.
Did you try with auto-negotiation disabled?
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 11:29 pm


Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemented in version 7.
There is now a wiki-page how to set. I can't place the word 'local' in the last sentence because all is local.

https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
Boomish
just joined
Posts: 5
Joined: Wed Jun 05, 2019 12:07 am

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 12:10 am

Can we get the ability to define an ip instead of using the detected IP for ip cloud ddns updates.
I'd like the ability to force the update before i deploy the unit to the field on it's static ip.


It would also be handy if we could force delete a published DDNS Record.
Ability to define IP address would bring in all sorts of problems, probability of mis-configuration is just too big.
And, BTW, what benefit would one get by having DDNS configured before unit was up&running instead a minute or two later?

It's been explained that DDNS record gets removed when DDNS is disabled on the unit (but it needs internet connectivity at zhat time).

It is rather inconvenient to have to disable the individual peers on the hub when they all have the same IP address.

When building all of the spokes prior to sending them out they update their ddns and as a result they all have the same ip address because they are built on the same system.

Even after i disabled the DDNS Update the record wasn't deleted in fact it persisted for multiple days.

Furthermore it would be nice to be able to publish a specific UP when your router is behind another natting device such as a PPPOE AT&T Router that only gives you your static ip's via a 1-1 nat
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 10:56 am

*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity;

Where can I set that identity?

I also noticed that the counters are all the same and these are L2tp/IPSEC connections:
wrong-counters.JPG
The local addresses, in PPP screen, are in the 172.20.12.xxx range (multiple connections). Suggestion attach the counters from the Remote Address because the same 172.20.12.xxx can be in the PPP list.

I see in the other screen of IPsec in Identities twice in the list colum "My ID"
You do not have the required permissions to view the files attached to this post.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 11:37 am

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible to set such comment for the dynamic Identity created by L2TP server's "use-ipsec" parameter.

Statistics counters for IKEv1 with no unique ID's will be fixed shortly.

Not sure what you meant with the third paragraph. Can you clarify?

There is nothing we can do about the multiple My-ID fields under Identity menu at this moment because of multiple data types stored in this parameter.

Regarding the IPsec logging requests. We have our thoughts about this and agree it should be improved, however the current logging mechanism in RouterOS is currently limiting what we can do. We will try to come up with a solution in future.

andriys, will see if we can enable RADIUS accounting for rsa-signature-hybrid authentication as well.
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 12:55 pm

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible to set such comment for the dynamic Identity created by L2TP server's "use-ipsec" parameter.
For dynamic created ones there is naming available in the PPP menu as name. Limit displaying it to a certain amount of characters. Now I have to identify peers by other means because "peer1205 etc." is not much to go on in relation to the used names in PPP.

Statistics counters for IKEv1 with no unique ID's will be fixed shortly.
Thanks
Not sure what you meant with the third paragraph. Can you clarify?
That was belonging to the picture and as long there is a unique identification in the background I am happy.

There is nothing we can do about the multiple My-ID fields under Identity menu at this moment because of multiple data types stored in this parameter.
It looked already familiar to me being multple My-ID pressent and I have never any content in there. I am only using it as client so this may be for server.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 494
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 1:07 pm

The thing is, PPP and IPsec are completely unrelated things and currently there is no way to associate the L2TP and the IPsec sessions with each other.
 
zryny4
just joined
Posts: 9
Joined: Sun Apr 17, 2016 12:29 pm

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 5:36 pm

Is routeros affected to CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479?
 
toxmost
just joined
Posts: 3
Joined: Tue Jun 18, 2019 7:25 pm

Re: v6.45beta [testing] is released!

Thu Jun 20, 2019 12:01 pm

Hello!
I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
IP address receive via DHCP. ALL WORK GREAT! ---> firmware 6.44.3

If im update firmware to 6.45beta62, SFP module have status "link ok", but DHCP address not received, DHCP client all time in status "searching", packet (in module window) TXed, but not RXed.

Can you fix it?

Thank you.
Did you try with auto-negotiation disabled?
I try it. No effect.
 
nostromog
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Fri Jun 21, 2019 5:08 pm

I have two devices upgraded to 6.45beta62, but today I'm seeing this error (several times) while trying to upgrade another one:
 15:04:27 system,error broken package routeros-mipsbe-6.45beta62.npk 
Has the download file became corrupt? Is it some problem in this device?
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1740
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 4:03 am

First time I see tx-queue1-packet being used in a CRS326 switch. It was always the tx-queue0-packet all the time. The switch seems to work faster now in some tests I have done.
will be nice to see multiple queues on each port to make QoS
 
mkx
Forum Guru
Forum Guru
Posts: 2954
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 10:34 am

I have two devices upgraded to 6.45beta62, but today I'm seeing this error (several times) while trying to upgrade another one:
 15:04:27 system,error broken package routeros-mipsbe-6.45beta62.npk 
Has the download file became corrupt? Is it some problem in this device?

It is likely that the flash of device became corrupt (check output of /system resource print if it mentions bad blocks higher than 0%). But it can also happen that the downloaded npk got corrupted somewhere.

You can try to manually download the package from download.mikrotik.com - choose extra packages which is a ZIP file. Then extract all the packages (npk files) you need - get the list of installed and enabled packages from router itself. Upload those npk files to router and reboot the router afterwards.
If it doesn't upgrade during reboot, check the log for any information.
BR,
Metod
 
nostromog
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 2:03 pm

You can try to manually download the package from download.mikrotik.com - choose extra packages which is a ZIP file. Then extract all the packages (npk files) you need - get the list of installed and enabled packages from router itself. Upload those npk files to router and reboot the router afterwards.
If it doesn't upgrade during reboot, check the log for any information.
I did it this way and I worked, so I guess either the CDN or the copy in the download site itself got corrupted...

Still a pretty useless thing, given that packages with patches for the linux SACK of death thing are forthcoming... :)
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 8:05 pm

I know the router tests integrity before installation, but Mikrotik could put the md5sums on the site too. It would be one easy way to find out if our download was corrupted.

EDIT

Nevermind, silly me. Just found the link to them. Not very practical, but it is there.
 
611
just joined
Posts: 22
Joined: Wed Oct 17, 2018 10:12 am

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 9:10 pm

Does anyone knows where to find this setting? I am looking for it for years now.
*) winbox - do not allow setting "dns-lookup-interval" to "0";
Update:
Found it on a Polish site and it a setting not applying to what I was looking for.
It was a very "funny" bug actually - a device added to Dude via Winbox with default settings caused instant 100% CPU load with 50% going to Dude server and another 50% to DNS resolver as Dude was polling it with zero interval.
Creating a device with such settings is impossible with Dude client.
 
LynxChaus
just joined
Posts: 24
Joined: Tue Jul 08, 2014 2:24 pm

Re: v6.45beta [testing] is released!

Mon Jun 24, 2019 4:34 pm

Has the download file became corrupt? Is it some problem in this device?
Upload is corrupt - CDN (upgrade.mikrotik.com) serve broken files:
# ls -1las routeros-mipsbe-6.45beta62.npk-*
12056166 Jun 14 08:28 routeros-mipsbe-6.45beta62.npk-download.mikrotik.com
11583488 Jun 14 08:31 routeros-mipsbe-6.45beta62.npk-upgrade.mikrotik.com

# md5sum routeros-mipsbe-6.45beta62.npk-*
d7b9284935f8123cbf4df0c735c995c3  routeros-mipsbe-6.45beta62.npk-download.mikrotik.com
637a0bbb58bb0a3012ae9289dc9e7cbc  routeros-mipsbe-6.45beta62.npk-upgrade.mikrotik.com
 
mducharme
Trainer
Trainer
Posts: 799
Joined: Tue Jul 19, 2016 6:45 pm

Re: v6.45beta [testing] is released!

Mon Jun 24, 2019 8:26 pm

Are there any plans to add a simple EAP server authentication where there is no RADIUS server? i.e. Something like xauth for IKEv1 where you can define local users on the router itself? We have a few situations where there is no local RADIUS and certificates are more complicated for end users where they would like to use IKEv2.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Mon Jun 24, 2019 10:22 pm

MikroTik has a RADIUS server called "usermanager" that can run on some router models.
Unfortunately it is quite limited. The natural way to solve this is to make it capable of handling these requests.
 
Tobei
just joined
Posts: 24
Joined: Sun Sep 11, 2016 3:25 pm

Re: v6.45beta [testing] is released!

Wed Jun 26, 2019 3:45 pm

Hi,

HW Offloading doesnt work on HAP AC on RouterBOARD 962UiGS-5HacT2HnT ROS 6.45beta62 . On stable Stable 6.44.3 HW Offloading is working. I was send an email to your support with rif files

the user 611 and I observe the same, see also viewtopic.php?f=1&t=149552

Best regards
Tobias
 
ztx
just joined
Posts: 5
Joined: Sun Nov 05, 2017 4:46 am

Re: v6.45beta [testing] is released!

Sat Jun 29, 2019 5:13 pm

Version 6.45beta62 has been released.


!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
I can connect to a vpn server in windows using ikev2 with username and password only, can this work on routeros?

Who is online

Users browsing this forum: No registered users and 5 guests