eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.45beta [testing] is released!

Mon Apr 08, 2019 1:11 pm

*) fetch - added SFTP support;
Yes, can't wait to use this! Is there a way to use it with public key authentication?
Before we start discussing any advanced features... How does this work at all? Looks like mode=sftp is not a valid syntax for fetch.
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.45beta [testing] is released!

Mon Apr 08, 2019 1:15 pm

@eworm with url=sftp://xxx.xx/
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 2:25 pm

Version 6.45beta31 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta31 (2019-Apr-12 10:29):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) conntrack - fixed "loose-tcp-tracking" parameter not taken in action (introduced in v6.44);
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcp - do not require lease and binding to have the same configuration for dual-stack queues;
*) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues;
*) dhcpv4-server - added "client-mac-limit" parameter (CLI only);
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters (CLI only);
*) dhcpv6-server - added "route-distance" parameter (CLI only);
*) dhcpv6-server - fixed binding setting update from RADIUS;
*) fetch - added SFTP support;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods (CLI only);
*) ipsec - added traffic statistics to "active-peers" menu (CLI only);
*) ipsec - general improvements in policy handling;
*) ipsec - replaced policy SA address parameters with peer setting;
*) ipsec - use tunnel name for dynamic IPsec peer name;
*) ipv6 - adjusted IPv6 route cache max size;
*) lte - fixed session reactivation on R11e-LTE in UMTS mode;
*) snmp - added "radio-name" (mtxrWlRtabRadioName) OID support;
*) ssh - added "both", "local" and "remote" options for "forwarding-enabled" parameter;
*) tunnel - removed "local-address" requirement when "ipsec-secret" is used;
*) userman - added support for "Delegated-IPv6-Pool";
*) userman - added support for "Delegated-IPv6-Pool" and "DNS-Server-IPv6-Address" (CLI only);
*) wireless - improved wireless country settings for EU countries;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 2:39 pm

----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------
Amazing news! Thanks!
 
muetzekoeln
Member Candidate
Posts: 167
Joined: Fri Jun 29, 2018 2:34 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 2:53 pm

Version 6.45beta31 has been released.

*) wireless - improved wireless country settings for EU countries;

Please explain!
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 2:59 pm

Not all frequency ranges had designation "indoor only" or "outdoor only". One range was incorrectly labeled, this is fixed now. 5250-5330 now is correctly marked as indoor.
 
tangram
Member Candidate
Posts: 132
Joined: Wed Nov 16, 2016 9:55 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 3:25 pm

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

Holy Jumpin' Jesus !
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 3:31 pm

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
 
Beone
Trainer
Posts: 250
Joined: Fri Feb 11, 2011 1:11 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 4:06 pm

Not all frequency ranges had designation "indoor only" or "outdoor only". One range was incorrectly labeled, this is fixed now. 5250-5330 now is correctly marked as indoor.

Is the impact purely cosmetic, or does it also effectively change the frequency list allowed for use depending on installation type (indoor/outdoor)?

What about passive probing indication for the unii-1 band?
 
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 4:36 pm

Version 6.45beta31 has been released.
*) ipsec - replaced policy SA address parameters with peer setting;
A dream come true! :D
Version 6.45beta31 has been released.
*) ipsec - general improvements in policy handling;
*) ipsec - use tunnel name for dynamic IPsec peer name;
What, exactly, do these two mean?
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 11:05 pm

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.
 
Jinaria
just joined
Posts: 3
Joined: Fri Apr 12, 2019 11:38 pm

Re: v6.45beta [testing] is released!

Fri Apr 12, 2019 11:47 pm

Version 6.45beta31 has been released.
After upgrading RB3011 from Beta 27 to Beta 31, I was no longer able to access the device by IP or MAC address via winbox or browser.
There was no error on the device display, dhcp server failed to assign any IP and setting manual ip address did not help either. So I reset the config and restored the backup config file, same issue.
The only solution was: downgrade to Beta 27 and restore the backup.
Last edited by Jinaria on Sat Apr 13, 2019 1:54 am, edited 1 time in total.
 
kmansoft
Frequent Visitor
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 12:41 am

An AC2 Lite TC ( RB 952-Ui-5ac2nD ) seems to have trouble with WiFi on beta 31.

- All ether* and wifi* are in a bridge
- wifi2 ( 5 GHz ) is in pseudo bridge mode - connects to upstream AC2
- wifi1 ( 2.4 GHz) is disabled
- ether1 feeds a notebook
- No firewall rules
- It's a basic wireless - to - wired bridge

The device is not able to obtain a DHCP client address - "searching...." which lasts forever. The few times it did work, ping to the upstream was very unstable - some took up to 2 seconds (normal is 1ms) and maybe 2/3 lost.

Did not occur on beta 27. I also updated Routerboard Firmware when updating from 27 to 31.

Reverting back to 6.44.2 "stable" immediately fixed the issue.

PS - looks very similar to the message above from @Jinaria, "after upgrading RB3011 from Beta 27 to Beta 31..."
 
huntermic
Member Candidate
Posts: 111
Joined: Wed Oct 26, 2016 3:42 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 10:02 am

Version 6.45beta31 has been released.
After upgrading RB3011 from Beta 27 to Beta 31, I was no longer able to access the device by IP or MAC address via winbox or browser.
There was no error on the device display, dhcp server failed to assign any IP and setting manual ip address did not help either. So I reset the config and restored the backup config file, same issue.
The only solution was: downgrade to Beta 27 and restore the backup.
I had the same issue on a RB4011, plugging pc in another port did the trick.
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 10:47 am

I hope they'll add an option to remove single SAs in the future.
 
Jinaria
just joined
Posts: 3
Joined: Fri Apr 12, 2019 11:38 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 12:15 pm


I had the same issue on a RB4011, plugging pc in another port did the trick.
The issue on my RB3011 affects all of the ports, connecting to different port/switch didn't fix the issue for me.
 
korniza
newbie
Posts: 26
Joined: Fri Jan 06, 2012 4:05 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 2:49 pm

I have a CHR install on which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox closes/crashes without any error in the Log window. I also updated to the latest beta (6.45beta31) and the issue still persists. My winbox is v3.18.
Does anyone have the same issue?
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Sat Apr 13, 2019 6:34 pm

I have a CHR install on which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox closes/crashes without any error in the Log window. I also updated to the latest beta (6.45beta31) and the issue still persists. My winbox is v3.18.
Does anyone have the same issue?
Happens to me, too.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: v6.45beta [testing] is released!

Sun Apr 14, 2019 5:24 am

I have a CHR install on which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox closes/crashes without any error in the Log window. I also updated to the latest beta (6.45beta31) and the issue still persists. My winbox is v3.18.
Does anyone have the same issue?
Happens to me, too.
In my experience, a winbox crash sometimes produces an autosupout. If you get it, it would be good if you can send it to mikrotik support so they can fix it :)
 
korniza
newbie
Posts: 26
Joined: Fri Jan 06, 2012 4:05 pm

Re: v6.45beta [testing] is released!

Sun Apr 14, 2019 10:45 pm

I have a CHR install on which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox closes/crashes without any error in the Log window. I also updated to the latest beta (6.45beta31) and the issue still persists. My winbox is v3.18.
Does anyone have the same issue?
Happens to me, too.
In my experience, a winbox crash sometimes produces an autosupout. If you get it, it would be good if you can send it to mikrotik support so they can fix it :)
I just sent the autosupport.rif. Thank you for your advice.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.45beta [testing] is released!

Mon Apr 15, 2019 12:04 pm

*) lte - fixed session reactivation on R11e-LTE in UMTS mode;
I think this hit me a lot in the past... Hope this will make its way into next stable release.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Mon Apr 15, 2019 3:04 pm

I think this hit me a lot in the past... Hope this will make its way into next stable release.
Quite probably ... when 6.45 branch will be the stable branch.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.45beta [testing] is released!

Mon Apr 15, 2019 3:07 pm

I think this hit me a lot in the past... Hope this will make its way into next stable release.
Quite probably ... when 6.45 branch will be the stable branch.
I hope for 6.44.3. :wink:
 
phin
just joined
Posts: 19
Joined: Mon Dec 04, 2017 11:25 pm

Re: v6.45beta [testing] is released!

Mon Apr 15, 2019 9:52 pm

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.
Oh man, that would be awesome!
 
UserDude
just joined
Posts: 1
Joined: Tue Apr 16, 2019 9:01 am

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 9:12 am


What's new in 6.45beta31 (2019-Apr-12 10:29):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
So this means wired 802.1x is now supported I guess. Any idea how we can configure this through CLI ?
Also is there a planned GUI support version of it coming soon ?
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 11:08 am

So this means wired 802.1x is now supported I guess. Any idea how we can configure this through CLI ?
Also is there a planned GUI support version of it coming soon ?
Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
 
nostromog
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 7:06 pm

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration:
/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
After the upgrade, the CPU was 100%, most of it in ipsec, and / export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C it.

Same problem as before. :( The router was sluggish but I could select long-term and downgrade to 6.43.13.

Then the machine went up, but ssh was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I went in, re-enabled it, rebooted and the following IPsec configuration appeared:
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
I copied away the ipsec config, which was broken in any case, and tried an experiment: remove all ipsec config, piece by piece
until /ip ipsec export would produce an empty comment. Then I upgraded to get:
* 6.44.2 (100% CPU, could not get /ip ipsec export working)
* 6.45beta31 (same, 100% CPU, could not get /ip ipsec export working).

Is RouterOS keeping all configs hidden somewhere, or where is this 100% CPU spinning coming from?

I settled by returning to long term and reconstructing my ipsec config, changing it to xauth and adding users. It is now working well... I was trying to test ike2,
but instead I'm now stuck in long-term.

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Thanks for any help, things are getting messy in this router. Other routers are having no problems at all with ipsec/6.44/6.54beta. I have a production h AP ac running 6.44, as I'm afraid to update it and get the same behaviour
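
The before/after comparison described in the post above can be automated. The following is an added example, not part of the original post and not MikroTik code: it parses the two exports quoted in that post and lists what the "after" export no longer carries. The function names are hypothetical, and pairing entries by their position within a menu is an assumption.

```python
import shlex

# Exports copied from the post above: before the upgrade attempt, and after
# the downgrade to 6.43.13.
BEFORE = r"""/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
"""

AFTER = r"""/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
"""


def parse_export(text):
    """Return {menu path: [parameter dict for each add/set line]}."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):  # the export wraps long lines with a trailing backslash
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    menus, current = {}, None
    for line in logical:
        if line.startswith("/"):  # a menu path opens a new section
            current = line
            menus.setdefault(current, [])
        elif current and line.startswith(("add ", "set ")):
            params = {}
            for token in shlex.split(line)[1:]:
                key, sep, value = token.partition("=")
                if sep:
                    params[key] = value
            menus[current].append(params)
    return menus


def diff_exports(before, after):
    """List what the 'before' export has that 'after' lacks or changes."""
    # Assumption: entries are paired by position, as exports carry no entry ids.
    old, new = parse_export(before), parse_export(after)
    findings = []
    for menu, entries in old.items():
        if menu not in new:
            findings.append(("menu-dropped", menu, f"entries={len(entries)}"))
            continue
        if len(entries) != len(new[menu]):
            findings.append(("entry-count", menu, f"{len(entries)} -> {len(new[menu])}"))
        for a, b in zip(entries, new[menu]):
            for key, value in a.items():
                if key not in b:
                    findings.append(("param-dropped", menu, f"{key}={value}"))
                elif b[key] != value:
                    findings.append(("param-changed", menu, f"{key}: {value} -> {b[key]}"))
    return findings


if __name__ == "__main__":
    for kind, menu, detail in diff_exports(BEFORE, AFTER):
        print(f"{kind:14} {menu:22} {detail}")
```

Run against the two exports, it reports that the peer lost its `name` parameter and that the `/ip ipsec identity` menu is absent after the downgrade; every other section matches.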
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 10:19 pm

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?
Almost certain way would be netinstall directly to desired ROS version. And then import config from textual export.
 
nostromog
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Tue Apr 16, 2019 11:50 pm

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?
Almost certain way would be netinstall directly to desired ROS version. And then import config from textual export.
I'm leaving the place where the machine that failed to upgrade yesterday is in a few hours, not to return in more than one month... I could upgrade/downgrade remotely, but certainly not netinstall.

The place where I'm running 6.44 and I don't dare upgrade is remote also, I might have an opportunity to get there and upgrade with possible netinstall in 2/3 months... Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures... I'll do more experiments in 5 weeks when I return here.

Unreliable upgrades are a big problem, I can't understand how deleting configuration still leads to failure to upgrade
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 12:52 am

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration:
/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
After the upgrade, the CPU was 100%, most of it in ipsec, and / export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C it.

Same problem as before. :( The router was sluggish but I could select long-term and downgrade to 6.43.13.

Then the machine went up, but ssh was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I went in, re-enabled it, rebooted and the following IPsec configuration appeared:
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
I copied away the ipsec config, which was broken in any case, and tried an experiment: remove all ipsec config, piece by piece
until /ip ipsec export would produce an empty comment. Then I upgraded to get:
* 6.44.2 (100% CPU, could not get /ip ipsec export working)
* 6.45beta31 (same, 100% CPU, could not get /ip ipsec export working).

Is RouterOS keeping all configs hidden somewhere, or where is this 100% CPU spinning coming from?

I settled by returning to long term and reconstructing my ipsec config, changing it to xauth and adding users. It is now working well... I was trying to test ike2,
but instead I'm now stuck in long-term.

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Thanks for any help, things are getting messy in this router. Other routers are having no problems at all with ipsec/6.44/6.54beta. I have a production h AP ac running 6.44, as I'm afraid to update it and get the same behaviour
Looks similar to the problem I had with 6.44. Bad news is, I had to netinstall to get rid of the broken parts, caused by the migration of configuration, when I up/down-graded the firmware.
viewtopic.php?f=21&t=145793&start=150#p719370
 
ssbaksa
newbie
Posts: 31
Joined: Tue Oct 20, 2015 10:38 am

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 8:39 am

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
When dot1x becomes official, will it be applied to all switches (Router OS based as well as Switch OS)?
 
estdata
Member Candidate
Posts: 100
Joined: Mon Feb 20, 2012 9:05 pm

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 1:38 pm

Help me adjust the speeds so that the patch goes. I have a 500/500 connection but do not come through the RB2011 router
 
null31
Member Candidate
Posts: 183
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 9:18 pm

Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures...

Connect your machine and router to a switch, then run netinstall with Wine as sudo and it will work flawlessly.
I didn't have problems with netinstall on 3 mAP and all of them installed ROS on the first try with no fails.

I'm using wine 4.5 with staging patch.
 
EvgeniyV
just joined
Posts: 6
Joined: Sun Oct 28, 2018 5:49 pm

Re: v6.45beta [testing] is released!

Wed Apr 17, 2019 10:29 pm

I'm back to the future. Time bug in Interface - Last link time. See the attached picture.
My time zone GMT +3 , time update by cloud. Routerboard time (clock) is normal.
6.45beta22
mikrotik date bag.png
 
vikinggeek
Frequent Visitor
Posts: 54
Joined: Sat Aug 02, 2014 4:14 am

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 9:47 am

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.
@pcunite - Can you provide a pointer to how to obtain the certificate? Currently, Still need to have the AT&T Modem attached while booting, but thereafter running directly on the fiber via the OSP port (behind a Cienna 5000 series building concentrator)
 
palii
just joined
Posts: 23
Joined: Sun Nov 19, 2017 6:57 pm

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 11:51 am

The command ssh-exec with rsa key pairs works like a charm shutting down my Synology now. Thanks a million!
 
nostromog
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 12:32 pm

Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures...
Connect your machine and router to a switch, then run netinstall with Wine as sudo and it will work flawlessly.
I have no switch, I connected them straight, which gives perfect connection. Not sure if this could interfere with netinstall

I didn't have problems with netinstall on 3 mAP and all of them installed ROS on the first try with no fails.

I'm using wine 4.5 with staging patch.
I could not in a mAP Lite which I have as laboratory in several tries.

I used both wine-stable-3.0-1ubuntu1 and wine-development-3.6-1 on Ubuntu 18.04.2 LTS. I have not used windows in the last 15 years, so I might have made some mistake in either the windows stuff or how linux runs it.

I think the problems were due to being very tricky to handle connect power while hold-pushing the button for some time, with such small button, so close to the USB power, and my hand too big for such small piece.
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 1:32 pm

Version 6.45beta34 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta34 (2019-Apr-18 08:59):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcp - do not require lease and binding to have the same configuration for dual-stack queues;
*) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues;
*) dhcpv4-server - replaced "busy" lease status with "conflict" and "declined";
*) dhcpv6-client - fixed status update when leaving "bound" state;
*) dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS;
*) e-mail - include "message-id" identification field in e-mail header;
*) ike1 - fixed rekeying process when NAT is detected (introduced in v6.45beta16);
*) ospf - added support for link scope opaque LSAs (Type 9) for OSPFv2;
*) ospf - improved "unknown" LSA handling in OSPFv3;
*) supout - changed IPv6 pool section to output detailed print;
*) tr069-client - added LTE CQI and IMSI parameter support;
*) tr069-client - fixed potential memory corruption;
*) winbox - fixed crash when opening CAPsMAN menu (introduced in v6.45beta27);
*) wireless - fixed "country-info" printing (introduced in v6.45beta27);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 3:52 pm

dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.

@pcunite - Can you provide a pointer to how to obtain the certificate? Currently, Still need to have the AT&T Modem attached while booting, but thereafter running directly on the fiber via the OSP port (behind a Cienna 5000 series building concentrator)

It is discussed here (and elsewhere) based on the findings of this blog.
 
kmansoft
Frequent Visitor
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Thu Apr 18, 2019 11:54 pm

Anyone seeing trouble with IPSec in 6.45beta34?

I received a new RB 4011 today - updated to 6.45beta34 right away - rebuilt my config (copy / pasted snippets from .asc file, piece by piece).

My IPSec tunnels (GRE, cert auth) come up partially to "SA established" on the server - and then get "deleted" from the RB 4011 side. And it repeats like this, with policy stuck as "no phase 2".

Tried switching from ECDSA to RSA certificates (I have a script) - no difference.

Downgraded to 6.44.2 - after fixing "local address" in policies (required in 6.44, can be left as 0.0.0.0/0 in 6.45) - they got to "established" immediately.

Upgraded to 6.45beta34 again - broken again.

Should I send a support request with supout.rif?

PS - one of my two *identical* tunnels - I mean they use same CA, just different "remote" certs - got to "established" once or twice without my doing anything. But disabling / re-enabling the policy brought the problem back.

PPS - changed SA proposal from aes128-ctr to aes256-gcm and now both policies / peers are working, I can disable / re-enable.

But I had them at aes256-gcm initially! Changed back to aes128-ctr and working again!

Seems like there is something funny going on in 6.45-31 maybe with programming the cpu according to encryption settings (both aes-ctr and aes-gcm are HW accel on this device).
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 3:56 am

After upgrading from beta31 to beta34, none of the ipsec tunnels work. Reverted back to b31.
 
pawelkopec88
just joined
Posts: 10
Joined: Wed Mar 14, 2018 11:06 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:38 am

Anyone seeing trouble with IPSec in 6.45beta34?

I received a new RB 4011 today - updated to 6.45beta34 right away - rebuilt my config (copy / pasted snippets from .asc file, piece by piece).

My IPSec tunnels (GRE, cert auth) come up partially to "SA established" on the server - and then get "deleted" from the RB 4011 side. And it repeats like this, with policy stuck as "no phase 2".

Tried switching from ECDSA to RSA certificates (I have a script) - no difference.

Downgraded to 6.44.2 - after fixing "local address" in policies (required in 6.44, can be left as 0.0.0.0/0 in 6.45) - they got to "established" immediately.

Upgraded to 6.45beta34 again - broken again.

Should I send a support request with supout.rif?

PS - one of my two *identical* tunnels - I mean they use same CA, just different "remote" certs - got to "established" once or twice without my doing anything. But disabling / re-enabling the policy brought the problem back.

PPS - changed SA proposal from aes128-ctr to aes256-gcm and now both policies / peers are working, I can disable / re-enable.

But I had them at aes256-gcm initially! Changed back to aes128-ctr and working again!

Seems like there is something funny going on in 6.45-31 maybe with programming the cpu according to encryption settings (both aes-ctr and aes-gcm are HW accel on this device).

I have the same issue, but I have static IPsec tunnels. The GRE tunnel doesn't come up. I have a CCR1009 on 6.45beta34; the second site is a CCR1009 on 6.43.1. On the IPsec peers I changed from IKE2 to main mode on both sides. After that my GRE tunnel came up.
 
pawelkopec88
just joined
Posts: 10
Joined: Wed Mar 14, 2018 11:06 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:40 am

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration:
/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
After the upgrade, the CPU was 100%, most of it in ipsec, and / export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C it.

Same problem as before. :( The router was sluggish but I could select long-term and downgrade to 6.43.13.

Then the machine went up, but ssh was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I went in, re-enabled it, rebooted and the following IPsec configuration appeared:
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
I copied away the ipsec config, which was broken in any case, and tried an experiment: remove all ipsec config, piece by piece
until /ip ipsec export would produce an empty comment. Then I upgraded to get:
* 6.44.2 (100% CPU, could not get /ip ipsec export working)
* 6.45beta31 (same, 100% CPU, could not get /ip ipsec export working).

Is RouterOS keeping all configs hidden somewhere, or where is this 100% CPU spinning coming from?

I settled by returning to long term and reconstructing my ipsec config, changing it to xauth and adding users. It is now working well... I was trying to test ike2,
but instead I'm now stuck in long-term.

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Thanks for any help, things are getting messy in this router. Other routers are having no problems at all with ipsec/6.44/6.54beta. I have a production h AP ac running 6.44, as I'm afraid to update it and get the same behaviour
Looks similar to the problem I had with 6.44. Bad news is, I had to netinstall to get rid of the broken parts, caused by the migration of configuration, when I up/down-graded the firmware.
viewtopic.php?f=21&t=145793&start=150#p719370
Change the mode from IKE2 to main, for example. That should work. I think that IKE2 doesn't work on the newest beta.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:43 am

Please create a supout.rif as soon as you realize something is wrong and send it - with description of what you expected versus what happened instead - to support with supout.rif.

This instruction is posted in every release note:

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
kmansoft
Frequent Visitor
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:55 am

Change the mode from IKE2 to main, for example. That should work. I think that IKE2 doesn't work on the newest beta.
I think changing IPSec settings (I tried crypto) makes it more likely to "establish". But then it breaks again later (when the lifetime expires? happened while I was sleeping).

It's even funny - changing one tunnel's server settings from IKEv2 to v1 fixed both tunnels. Don't think it'll last though.

// RB 4011
 
kmansoft
Frequent Visitor
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Fri Apr 19, 2019 8:58 am

Change the mode from IKE2 to main, for example. That should work. I think that IKE2 doesn't work on the newest beta.
I think changing IPSec settings (I tried crypto) makes it more likely to "establish". But then it breaks again later (when the lifetime expires? happened while I was sleeping).

It's even funny - changing one tunnel's server settings from IKEv2 to v1 fixed both tunnels. Don't think it'll last though.

// RB 4011
Could be related to:
*) ike1 - fixed rekeying process when NAT is detected (introduced in v6.45beta16);
Funny thing, re-keying (when I trigger it from the server using swanctl --rekey) does work. But I'm using IKEv2 and there is no NAT.
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.45beta [testing] is released!

Mon Apr 22, 2019 9:05 am

After the upgrade, the CRS125 stopped being visible in the neighborhood and to WinBox.
 
CharliesTheMan
just joined
Posts: 1
Joined: Mon May 14, 2018 11:22 pm

Re: v6.45beta [testing] is released!

Mon Apr 22, 2019 6:52 pm

I just had a similar problem. When updating to 6.45beta34 from the previous beta version, I lost IP config, IP address changed to 0.0.0.0 and checking for package updates in winbox brought up a DNS error, "Could not resolve DNS host name" and trying to load web pages brought me the same results. I tried restoring known working config and did not resolve anything. After downgrading back to 6.44.2 everything worked perfect immediately. It's definitely something related to beta34 because on previous 6.45beta (I believe it may have been beta27) everything worked great.
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue Apr 23, 2019 9:18 am

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.
 
kmansoft
Frequent Visitor
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Tue Apr 23, 2019 11:08 am

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.
emils - just to be clear about the bug's scenario:

My IPSec endpoints (Mikrotik client / strongSwan server) are not behind NATs. But they do use IKEv2 on port 4500.

Thank you.
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue Apr 23, 2019 11:24 am

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.
 
kmansoft
Frequent Visitor
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Tue Apr 23, 2019 1:37 pm

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.
I sent a bug report with supout on Friday, April 19, 2019 8:49 AM (Moscow time). Don't have the ticket # sorry.

Looks like you already managed - but if you still need something, hopefully you can find it, or you can contact me off forum.
 
DogHead
Member Candidate
Posts: 196
Joined: Thu Jan 03, 2008 9:36 pm
Location: Anywhere you want me to be

Re: v6.45beta [testing] is released!

Thu Apr 25, 2019 4:49 pm

After upgrade to 6.45rc34 all ports in bridge disappeared. Cannot add them back as the system says they are still in a bridge. Will downgrade back to rc31 which was working.
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Apr 26, 2019 9:04 am

Version 6.45beta37 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta37 (2019-Apr-25 12:20):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
*) bridge - correctly add interface list as bridge port (introduced in v6.45beta34);
*) crs3xx - correctly handle switch reset (introduced in v6.45beta34);
*) ike2 - fixed first child SA generation (introduced in v6.45beta34);
*) ipsec - general improvements in policy handling;
*) lte - allow setting empty APN;
*) supout - added IPv6 ND section to supout file;
*) tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
kmansoft
Frequent Visitor
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Fri Apr 26, 2019 10:18 am

Version 6.45beta37 has been released.

*) ike2 - fixed first child SA generation (introduced in v6.45beta34);
Confirming - appears fixed ( RB 4011, AC ^ 2 ).
 
extremej
just joined
Posts: 1
Joined: Fri Apr 26, 2019 2:37 pm

Re: v6.45beta [testing] is released!

Fri Apr 26, 2019 2:50 pm

can you add EAP-MSCHAPv2 to the authentication method list?
 
branto
just joined
Posts: 8
Joined: Mon Aug 21, 2017 2:03 am

Re: v6.45beta [testing] is released!

Mon Apr 29, 2019 4:19 am

Is there any word on when DHCPv6 Snooping will be available?
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri May 03, 2019 8:20 am

can you add EAP-MSCHAPv2 to the authentication method list?

Yes, it is coming as well.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri May 03, 2019 12:27 pm

can you add EAP-MSCHAPv2 to the authentication method list?
Yes, it is coming as well.
Does this mean that Mikrotik can be removed from the not supported router list at NordVPN and is going to use ike2 to connect?
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri May 03, 2019 12:42 pm

Hopefully, yes.
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu May 09, 2019 2:06 pm

Version 6.45beta42 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta42 (2019-May-08 12:44):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) capsman - fixed interface-list usage in access list;
*) cloud - added "replace" parameter for backup "upload-file" command;
*) crs3xx - correctly handle switch reset (introduced in v6.45beta31);
*) defconf - added "custom-script" field that prints custom configuration installed by Netinstall;
*) defconf - automatically set "installation" parameter for outdoor devices;
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcpv4-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters (CLI only);
*) discovery - correctly create neighbors from VLAN tagged discovery messages;
*) discovery - show neighbors on actual mesh ports;
*) ethernet - increased loop warning threshold to 5 packets per second;
*) gps - make sure "direction" parameter is upper case;
*) gps - strip unnecessary trailing characters from "longtitude" and "latitude" values;
*) hotspot - moved "title" HTML tag after "meta" tags;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods (CLI only);
*) rb921 - improved system stability ("/system routerboard upgrade" required);
*) ssh - accept remote forwarding requests with empty hostnames;
*) ssh - improved remote forwarding handling (introduced in v6.44.3);
*) tr069-client - improved error reporting with incorrect firmware upgrade XML file;
*) w60g - do not show unused "dmg" parameter;
*) w60g - show running frequency under "monitor" command;
*) winbox - show "LCD" menu only on boards that have LCD screen;
*) wireless - fixed frequency duplication in the frequency selection menu;
*) wireless - improved 160MHz channel width stability on rb4011;
*) wireless - improved installation mode selection for wireless outdoor equipment;
*) wireless - set default SSID and supplicant-identity the same as router's identity;
*) wireless - updated "china" regulatory domain information;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
buset1974
Frequent Visitor
Posts: 86
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v6.45beta [testing] is released!

Thu May 09, 2019 4:04 pm

when will you start to fix the problem with BGP and OSPF?

thx
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.45beta [testing] is released!

Thu May 09, 2019 5:01 pm

the problem with BGP and OSPF?
One problem with both protocols? Are you sure? :)
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Thu May 09, 2019 5:54 pm

After upgrading from beta31 to beta34-42, all IKEv2 PSK ipsec tunnels don't come up, getting Authentication failed in the logs (yes, psk is the same on both sides, hasn't been changed).
Downgrading to beta31 again resolves the issue.

16:50:20 ipsec notify: AUTHENTICATION_FAILED
16:50:20 ipsec,error got fatal error: AUTHENTICATION_FAILED
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri May 10, 2019 9:34 am

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?
 
buset1974
Frequent Visitor
Posts: 86
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v6.45beta [testing] is released!

Fri May 10, 2019 9:59 am

the problem with BGP and OSPF?
One problem with both protocols? Are you sure? :)
still waiting, hope can fix soon in v6
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri May 10, 2019 5:58 pm

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?
Done. [Ticket#2019051022005463]
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.45beta [testing] is released!

Fri May 10, 2019 6:46 pm

the problem with BGP and OSPF?
One problem with both protocols? Are you sure? :)
still waiting, hope can fix soon in v6
Waiting for what? A miracle?
 
anuser
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Fri May 10, 2019 10:05 pm

Is there an ETA for a bugfix for 5 GHz problem mentioned on viewtopic.php?f=7&t=148263?
 
Ulypka
Frequent Visitor
Posts: 57
Joined: Wed Jan 09, 2013 8:26 am

Re: v6.45beta [testing] is released!

Sat May 11, 2019 12:07 am

I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
I started refusing from CCR wherever such an opportunity arises

And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it, which is even more important for you?
maybe another fix LCD?

even dlink's support is better.
 
mistry7
Forum Guru
Posts: 1480
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: v6.45beta [testing] is released!

Sat May 11, 2019 3:56 pm

which is even more important for you?
maybe another fix LCD?
no, KidControl.......
 
anthonws
Frequent Visitor
Posts: 76
Joined: Sat Jan 09, 2016 6:46 pm

Re: v6.45beta [testing] is released!

Sat May 11, 2019 6:46 pm

I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
I started refusing from CCR wherever such an opportunity arises

And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it, which is even more important for you?
maybe another fix LCD?

even dlink's support is better.
A proper network admin likes watching graphs and stuff on an LCD :) Much more important than stability. Want stability, buy a Nintendo Switch. Nintendo is expert in stability updates! ahahaha

And Kids control in CCR is something very important! How would you control all of your employees?!?

Ahhh.... The joys of visiting this forum :) Priceless!
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.45beta [testing] is released!

Sat May 11, 2019 11:18 pm

which is even more important for you?
maybe another fix LCD?
no, KidControl.......
I agree. KidControl needs major improvement, like the full removal of it.
 
kmansoft
Frequent Visitor
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Sun May 12, 2019 8:37 pm

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon May 13, 2019 2:10 pm

Version 6.45beta45 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta45 (2019-May-13 09:22):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
----------------------

Changes in this release:

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
*) conntrack - significant stability and performance improvements;
*) dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server;
*) firewall - fixed fragmented packet processing when only RAW firewall is configured;
*) gps - fixed missing minus close to zero coordinates in dd format;
*) wireless - improved installation mode selection for wireless outdoor equipment;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: v6.45beta [testing] is released!

Mon May 13, 2019 2:36 pm

conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.
 
rzirzi
Member
Posts: 393
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.45beta [testing] is released!

Mon May 13, 2019 2:39 pm

conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.
YES, We would like to know what exactly was changed?!
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon May 13, 2019 3:04 pm

There are no new features added with this conntrack fix as you are comparing to TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.
 
anuser
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Mon May 13, 2019 4:04 pm

There are no new features added with this conntrack fix as you are comparing to TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.
What do you consider as large? How many connections are we talking about? 1000, 10000, 100000, 1000000?
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.45beta [testing] is released!

Mon May 13, 2019 4:15 pm

It does not depend on specific number. You can consider large as 10k+
 
buset1974
Frequent Visitor
Posts: 86
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v6.45beta [testing] is released!

Mon May 13, 2019 5:26 pm

I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
I started refusing from CCR wherever such an opportunity arises

And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it, which is even more important for you?
maybe another fix LCD?

even dlink's support is better.
A proper network admin likes watching graphs and stuff on an LCD :) Much more important than stability. Want stability, buy a Nintendo Switch. Nintendo is expert in stability updates! ahahaha

And Kids control in CCR is something very important! How would you control all of your employees?!?

Ahhh.... The joys of visiting this forum :) Priceless!
Mikrotik must be aware that the product they have is not only a CPE, but they also have another advanced product with different purposed than CPE such as CCR, a quick fix on the underlying problem should be a priority without having to wait for version 7 which is never clear.
 
marcbou
just joined
Posts: 13
Joined: Tue Jul 03, 2018 11:19 am

Re: v6.45beta [testing] is released!

Mon May 13, 2019 9:00 pm

Had CHR 6.45beta42 and now beta45 running under ESXi VM as VPN gateway ipsec IKEv2 EAP username auth (via freeradius 3.0 on Debian Buster) with Let's Encrypt Signed certificate + fullchain.

Works with road warrior iOS, MacOS, and Windows 10 (where due to buggy VPN control panel it was necessary to add using PowerShell Add-VpnConnection -Name "vpn.domain.com" -ServerAddress "vpn.domain.com" -AuthenticationMethod "Eap" -EncryptionLevel "Maximum" -RememberCredential -TunnelType "Ikev2").

Not working with Android clients (using https://play.google.com/store/apps/deta ... an.android).

Any tips towards getting Android working would be appreciated.

Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hopefully it will get fixed in the betas.

Relevant config portions are:

# may/13/2019 13:29:01 by RouterOS 6.45beta45
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface ipip
add name=ipsec-vpn
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1w name=proposal_1
/ip ipsec peer
add exchange-mode=ike2 name=peer_vpn passive=yes profile=proposal_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,3des lifetime=2d pfs-group=none
/ip pool
add name=vpn-pool ranges=10.11.22.10-10.11.22.190
/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=ipsec-modecfg-nosplit
/system logging action
set 0 memory-lines=5000
/ip address
add address=132.200.10.24/28 interface=ether1 network=132.200.10.16
add address=10.11.22.1/24 interface=ipsec-vpn network=10.11.22.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.0.0/16 list=rfc1918-private
add address=10.0.0.0/8 list=rfc1918-private
add address=172.16.0.0/12 list=rfc1918-private
add address=10.11.22.0/24 list=myvpn
add address=10.0.0.0/8 list=onnet
add address=192.168.0.0/16 list=onnet
add address=172.16.0.0/12 list=onnet
add address=132.200.10.0/24 list=onnet
/ip firewall nat
add action=src-nat chain=srcnat comment="My VPN public IP" dst-address-list=\
!onnet out-interface=ether1 src-address=10.11.22.0/24 \
src-address-list=rfc1918-private to-addresses=132.200.10.24
/ip ipsec identity
add auth-method=eap-radius certificate=\
vpn.domain.com.pem_0,fullchain.pem_0 generate-policy=port-strict \
mode-config=ipsec-modecfg-nosplit peer=peer_vpn
/ip ipsec policy
set 0 dst-address=10.11.22.0/24 src-address=0.0.0.0/0
/ip route
add distance=1 gateway=132.200.10.17
/ip service
set www-ssl certificate=vpn.domain.com.pem_0 disabled=no port=443
/radius
add address=132.200.10.22 secret=\
blahblahblah
add address=132.200.10.17
/system logging
add action=remote topics=!async,!debug,!snmp,!dns
add action=echo disabled=yes topics=l2tp,ipsec,certificate
add disabled=yes topics=ipsec,!packet
/system package update
set channel=testing
 
ckleea
Frequent Visitor
Posts: 56
Joined: Sun Apr 21, 2013 12:19 pm

Re: v6.45beta [testing] is released!

Tue May 14, 2019 1:10 am

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
Similar issues encountered in my linux clients. When the network service restarts in linux, no ip address is assigned by routerOS DHCP server
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 14, 2019 7:36 am

Not working with Android clients (using https://play.google.com/store/apps/deta ... an.android .

Any tips towards getting Android working would be appreciated.

Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hopefully it will get fixed in the betas.
It would be better if you opened a new support ticket by sending an e-mail to support@mikrotik.com. Also please enable IPsec debug logs and generate a new supout.rif file each time the issue occurs (for example, an Android client failed to connect) and attach the file to the e-mail.
 
anuser
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Tue May 14, 2019 8:11 am

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
Similar issues encountered in my linux clients. When the network service restarts in linux, no ip address is assigned by routerOS DHCP server
Have you already reported your findings to MikroTik support? (support@mikrotik.com)
 
mezzovide
just joined
Posts: 7
Joined: Tue Jun 11, 2013 8:02 am

Re: v6.45beta [testing] is released!

Tue May 14, 2019 1:58 pm

*) conntrack - significant stability and performance improvements;
Does this have something to do with multiple IPsec peers sometimes getting stuck after reboot / after public IP changes?
Because I have problems with multiple WAN IPsec peers (same dst peer with different routes) with different local loopback addresses attached; sometimes one of the connections gets stuck (most probably when the public IP changes, as I have a dynamic public IP, or after a reboot). Disabling/enabling the peer works, and manually killing the connection in conntrack also works.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released! IKEv2

Tue May 14, 2019 9:37 pm

Now mschapv2 is supported I tried to connect with IKEv2 to a VPN provider. This provider does not supply a certificate so I match on FQDN which is *.pointtoserver.com (the "*." needs to be there)

ip ipsec identity
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 peer=PureIKEv2 remote-id=fqdn:*.pointtoserver.com username=purevpnxxxxxxxxxxx
I get the error in the log that the AUTH NOT MATCH, peer failed to authorize: xx.xx.xx.xx[4500]-xx.xx.xx.xx[4500] spi: xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxx, send notify: AUTHENTICICATION_FAILED

I have tested it in windows 10 and with the same name and password and I can connect through IKEv2.
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed May 15, 2019 9:45 am

msatter All EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible, that the CA certificate is already in the Trusted Windows Certificate store so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certificate is used on Windows and export it to RouterOS.

Also there is no wildcard support for remote-id fqdn field. I would suggest leaving the remote-id to auto.

mezzovide no, conntrack has nothing to do with it; however, we already have fixes for the issues you described in previous betas. Did you try the latest beta, and can you verify the issue is still present?
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed May 15, 2019 11:20 am

Thanks Emils. It is PureVPN and it is using PositiveSSL (pointoserver.com / ptoserver.com), and that is the root certificate of Comodo which I tried.

I contacted support and they don't provide a certificate to connect as NordVPN is doing. I will take a look at the current certificates in the Windows store to see if I can find the matching one.

Update: the certificate line
OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=PointtoServer.com

Update 2:
Besides the Comodo root cert I just tried the AddTrust External CA Root, also to no avail.

Update 3:
Found the PositiveSSL CA 2 cert but that also did not work.

I searched on and it looks to me that in Windows the needed certificate is included by Microsoft in its own certificate.

https://crt.sh/?caid=1455

Microsoft Trusted Root programme
https://docs.microsoft.com/en-us/securi ... quirements
Last edited by msatter on Wed May 15, 2019 7:56 pm, edited 2 times in total.
 
mezzovide
just joined
Posts: 7
Joined: Tue Jun 11, 2013 8:02 am

Re: v6.45beta [testing] is released!

Wed May 15, 2019 5:17 pm

mezzovide no, conntrack has nothing to do with it; however, we already have fixes for the issues you described in previous betas. Did you try the latest beta, and can you verify the issue is still present?
Sure, I have some spare routers to experiment with, will upgrade to beta tonight and see if it fixed my issues. Thanks.
Still need that to be fixed in production though, probably next year until 6.45 becomes long-term
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed May 15, 2019 11:26 pm

I am a bit further and I needed two certificates to be in the certificates box.

https://blogger.davidmanouchehri.com/2017/09/

Now I get twice the error that the peer's ID does not match certificate and the line above that reads in the log: unable to get certificate CRL(3) at depth:0 SubjectName:/OU=domain Control Validated/OU=positiveSSL Multi-Domain/CN=*.pointtoserver.com

When I look in the certificates the CRL line is blank.
 
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu May 16, 2019 10:48 am

Try setting the remote-id to ignore.
 
chubbs596
Frequent Visitor
Frequent Visitor
Posts: 90
Joined: Fri Dec 06, 2013 6:07 pm

Re: v6.45beta [testing] is released!

Thu May 16, 2019 1:02 pm

Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html
 
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: v6.45beta [testing] is released!

Thu May 16, 2019 1:28 pm

Since you can't run any sort of binary which could misuse this vulnerability on your RouterOS, this is not really a concern.
 
nostromog
Member Candidate
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Thu May 16, 2019 2:40 pm

Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html
I think an accurate answer would be that RouterOS running on an x86 is not itself vulnerable, but the vulnerability could be exploited in the unpatched host or another VM to disclose RouterOS information.
 
chubbs596
Frequent Visitor
Frequent Visitor
Posts: 90
Joined: Fri Dec 06, 2013 6:07 pm

Re: v6.45beta [testing] is released!

Thu May 16, 2019 5:57 pm

Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html
I think an accurate answer would be that RouterOS running on an x86 is not itself vulnerable, but the vulnerability could be exploited in the unpatched host or another VM to disclose RouterOS information.
So only if it is CHR and the VM HOST is not patched could the CHR be exploited?
 
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: v6.45beta [testing] is released!

Fri May 17, 2019 8:51 am

If we talk about bare metal, then RouterOS (x86) is vulnerable, but there is practically no way to misuse the vulnerability because an attacker can't run a binary (and if an attacker can run a binary, it won't matter because your device is already compromised).

If we talk about a VM, then RouterOS (CHR) vulnerability depends on its hypervisor, which needs to be patched. Patching CHR wouldn't change anything because it does not control how processes are assigned to cores.

In any case, nothing can be done from MikroTik's side.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri May 17, 2019 11:11 am

Try setting the remote-id to ignore.
I tried that and it still complains that it can't get local certificate from configuration, and it is not a dealbreaker and it goes on till it processes payloads: NOTIFY, and then I get the error that the notify is TS_UNACCEPTABLE and on the next line it is a got error:TS_UNACCEPTABLE

In IPsec Policy the Src. Address stayed on 0.0.0.0/0, so I put in IPsec Peer my external IP address.

Update: I have started again and I have now managed to have an established connection. I have to manually enter the TS_I, which is not automatically matched/taken over by RouterOS.

In IPsec Policy I have to manually add the source address: 10.4.33.22 for that specific IKEv2 connection.


Update: I have it working now and am writing this over an IKEv2 connection through PureVPN. I still have to adapt the manually generated IPsec Policy, and it is a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round the Src. Address matches and the tunnel is made.
I can see the success when in the log I get my IP, the two DNS IP addresses show and the tunnel is connected.

I hope that we also get a client in PPP for this because then we can run a script to put the received IP into the NAT to make routing easy.

Update...again: so I finally discovered that I could use "template" to fix the TS_UNEXPECTED error and that works fine. The only problem is that the IP changes regularly and that I have to adapt the SRC-NAT IP manually. I am route-marking the packets I want to go through the IKEv2 connection (split horizon).

I could try to just put an IP address in or use my DNS to steady the changes.
 
josep
just joined
Posts: 1
Joined: Sat May 18, 2019 8:52 pm

Re: v6.45beta [testing] is released!

Sat May 18, 2019 9:25 pm

Very good news about EAP support in IKEv2. Please, we need EAP-AKA and EAP-AKA'; with this, all MikroTik routers can be used as a basic ePDG for non-3GPP Access Networks. The next step is GTP-U Tunneling support, but EAP-AKA is a good start.

More info:

https://www.gsma.com/newsroom/wp-conten ... 1-v7.0.pdf
http://www.3gpp.org/ftp//Specs/archive/ ... 02-f10.zip
 
Tw0kings
just joined
Posts: 7
Joined: Fri Feb 02, 2018 11:29 am

Re: v6.45beta [testing] is released!

Sun May 19, 2019 9:12 pm

I'm using BCP over L2TP. With the latest beta builds it doesn't work. Didn't have time to test what exactly doesn't work. Looks like DHCP over BCP, but maybe there is more.
In stable release all is working as it should.
 
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon May 20, 2019 9:42 am

Update: I have it working now and am writing this over an IKEv2 connection through PureVPN. I still have to adapt the manually generated IPsec Policy, and it is a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round the Src. Address matches and the tunnel is made.
I can see the success when in the log I get my IP, the two DNS IP addresses show and the tunnel is connected.
Check out the src-address-list parameter under mode-config.

https://wiki.mikrotik.com/wiki/Manual:I ... de_configs
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Mon May 20, 2019 10:22 am

Update: I have it working now and am writing this over an IKEv2 connection through PureVPN. I still have to adapt the manually generated IPsec Policy, and it is a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round the Src. Address matches and the tunnel is made.
I can see the success when in the log I get my IP, the two DNS IP addresses show and the tunnel is connected.
Check out the src-address-list parameter under mode-config.

https://wiki.mikrotik.com/wiki/Manual:I ... de_configs
Thanks Emils, I tried that before and now again but it did not change the IP to one out of the range... Oh, I see there is a new line inserted into NAT. When I use different address lists I can split horizon... I think.
Going to work that out late today or tomorrow.

Thanks again for the help in this.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Mon May 20, 2019 10:31 pm

I have now tried with an address list and I can make a split horizon. The TS_I is given by PureVPN (10.4.48.178) for that fixed IP server. The only address in the address list (Marker) is not to be seen in the log. The TS_R is 0.0.0.0/0.

The NAT is generated and then I have to change my original source address to the one in the address list so that I can use MANGLE to split it up. The packet count on the generated NAT line stays zero. I thought that I could use the address list IP address as a marker to have it src-nat to 10.4.48.178, but the Dst. Addresslist is !Addresslist, so having a marker goes out of the window.

So I think I have to do a double NAT (cascade), going twice around and twice around back.
 
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 21, 2019 12:58 pm

Version 6.45beta50 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta50 (2019-May-20 09:30):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) bridge - fixed port running state for non-ethernet interfaces (introduced in v6.45beta33);
*) ccr - improved packet processing after overloading interface;
*) crs3xx - added ethernet tx-drop counter;
*) crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305;
*) defconf - changed default configuration type to AP for cAP series devices;
*) dhcpv6-client - added option to disable rapid-commit (CLI only);
*) dhcpv6-server - added RADIUS accounting support with queue based statistics;
*) discovery - fixed CDP packets not including address on slave ports (introduced in v6.44);
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;
*) ike2 - fixed pre-shared-key authentication failure (introduced in v6.45beta34);
*) ike2 - improved certificate verification when multiple CA certificates received from responder;
*) ippool - improved logging for IPv6 Pool when prefix is already in use;
*) ipv6 - improved system stability when receiving bogus packets;
*) lte - improved firmware upgrade process;
*) ospf - fixed opaque LSA type checking in OSPFv2;
*) rb3011 - improved system stability when receiving bogus packets;
*) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);
*) snmp - improved reliability on SNMP service packet validation;
*) ssh - fixed non-interactive multiple command execution;
*) supout - added "pwr-line" section to supout file;
*) traceroute - improved stability when sending large ping amounts;
*) traffic-generator - improved stability when stopping traffic generator;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
freemannnn
Forum Veteran
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 4:07 pm

*) defconf - changed default configuration type to AP for cAP series devices;

this should be done also for wap series.
 
rdelacruz
newbie
Posts: 39
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 4:33 pm

*) dhcpv4-server - added RADIUS accounting support with queue based statistics;


I tried to test it, but it's not working yet. Is it an added feature that works if we use RADIUS for accounting and lease?
 
TimurA
Member Candidate
Member Candidate
Posts: 199
Joined: Sat Dec 15, 2018 6:13 am
Location: Tashkent
Contact:

Re: v6.45beta [testing] is released!

Tue May 21, 2019 5:03 pm


*) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);
fine! thanks emils We are waiting for a stable branch.
 
Ulypka
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Wed Jan 09, 2013 8:26 am

Re: v6.45beta [testing] is released!

Tue May 21, 2019 5:22 pm

*) ccr - improved packet processing after overloading interface;
Is this a fix for the problem 2018101022007579?
 
marekm
Member
Member
Posts: 379
Joined: Tue Feb 01, 2011 11:27 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 7:46 pm

*) ipv6 - improved system stability when receiving bogus packets;
Which CVE - a new one, or more fixes for the already known ones?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 10:35 pm

*) dhcpv6-client - added option to disable rapid-commit (CLI only);
When you are working on dhcpv6-client: I would like to see an option in the client so that it does NOT save the obtained information in nonvolatile storage,
and/or to delete it when the interface goes down.

Reason: ISP uses the request for prefix to enable the route in their router/bras. When MikroTik client router reboots and still has stored a nonexpired lease it
will continue to use that when the first attempt to renew it fails (e.g. because PPPoE is not yet up after the reboot). But as the ISP has cleared the route,
IPv6 will not work until the router attempts to renew it (because it is expiring).

With this option the router will not have stored information about the lease and will try to obtain it immediately, so it will get it as soon as the interface comes up.
 
rdelacruz
newbie
Posts: 39
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 10:50 pm

*) dhcpv4-server - added RADIUS accounting support with queue based statistics;


I tried to test it, but it's not working yet. Is it an added feature that works if we use RADIUS for accounting and lease?
Please confirm this. Thanks
 
strods
MikroTik Support
MikroTik Support
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Wed May 22, 2019 6:34 am

rdelacruz - Please note that accounting will work only for those users which have a queue. Data for accounting is taken from queue statistics.
 
bbs2web
Member Candidate
Member Candidate
Posts: 232
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: v6.45beta [testing] is released!

Wed May 22, 2019 6:45 am

*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;

Please could we have a little more detail regarding this change? We use raw 'no-track' rules extensively, to avoid packet loss on core routers and filtering appears to be working.

I assume this is a fix for a bug introduced in 6.45 development branch?
 
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed May 22, 2019 9:55 am

"no-track" is not the same as "accepted by RAW". It fixes a specific case when connection tracking is disabled, RAW firewall rules are accepting (sending to connection tracking) some traffic, but the firewall rules are invalid, because the connection tracking is disabled. The firewall rules should be working fine in this case.
 
MILONI
just joined
Posts: 1
Joined: Sat May 11, 2019 11:55 am

Re: v6.45beta [testing] is released!

Wed May 22, 2019 10:41 am

Configuration options for dot1x are now enabled. Hooray
 
Zito
just joined
Posts: 14
Joined: Tue Feb 19, 2013 11:41 pm

Re: v6.45beta [testing] is released!

Wed May 22, 2019 11:14 am

*) crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305;
If this was to fix the problem [Ticket#2019051422003403], then unfortunately without success:
 
osc86
Member Candidate
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Wed May 22, 2019 1:42 pm

for some reason, my device isn't responding to SNMPv3 queries anymore, since I upgraded to beta50.
I'm using LibreNMS for monitoring my devices, also tried manually with snmpwalk -> no response.

EDIT:
[admin@CORE] /snmp community> pr d 
Flags: * - default 
 0 * name="librenms" addresses=::/0 security=private read-access=yes write-access=no authentication-protocol=SHA1 encryption-protocol=AES 
     authentication-password="mysecretpassword" encryption-password="anothersecretpassword" 
snmpwalk -a SHA -A mysecretpassword -l authpriv -u librenms -x AES -X anothersecretpassword 192.168.99.1
Timeout: No Response from 192.168.99.1

15:37:39 snmp packet(v4) from: 192.168.2.111
15:37:39 snmp v3 user: librenms
15:37:39 snmp,debug unsupported v3 security level
15:37:39 snmp,packet 30 71 02 01 03 30 11 02 04 5b e1 da 3b 02 03 00
15:37:39 snmp,packet ff e3 04 01 07 02 01 03 04 31 30 2f 04 05 80 00
15:37:39 snmp,packet 3a 8c 04 02 01 00 02 01 04 04 08 6c 69 62 72 65
15:37:39 snmp,packet 6e 6d 73 04 0c 7a 37 32 ff d4 32 65 1f 54 e8 1d
15:37:39 snmp,packet 01 04 08 a1 62 da 91 4e 10 b8 7b 30 24 04 05 80
15:37:39 snmp,packet 00 3a 8c 04 04 00 a1 19 02 04 47 a1 60 24 02 01
15:37:39 snmp,packet 00 02 01 00 30 0b 30 09 06 05 2b 06 01 02 01 05
15:37:39 snmp,packet 00
15:37:39 snmp,debug v3 err: 0 unsupported security level
15:37:39 snmp,debug bad packet

same works perfectly on 6.44.3 and 6.45beta31, maybe it's related to this:
*) snmp - improved reliability on SNMP service packet validation;
Last edited by osc86 on Wed May 22, 2019 5:03 pm, edited 1 time in total.
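
What the logged request actually asks for, as an added example that is not part of the original post or MikroTik's code: a small BER reader decodes the SNMPv3 header from the "snmp,packet" bytes posted above and reports msgFlags, the security model and the USM user. Function names are illustrative, and the outer length is not enforced because the dump is two bytes shorter than its SEQUENCE header declares.

```python
# Bytes copied verbatim from the "snmp,packet" debug lines in the post above.
LOGGED_PACKET_HEX = """
30 71 02 01 03 30 11 02 04 5b e1 da 3b 02 03 00
ff e3 04 01 07 02 01 03 04 31 30 2f 04 05 80 00
3a 8c 04 02 01 00 02 01 04 04 08 6c 69 62 72 65
6e 6d 73 04 0c 7a 37 32 ff d4 32 65 1f 54 e8 1d
01 04 08 a1 62 da 91 4e 10 b8 7b 30 24 04 05 80
00 3a 8c 04 04 00 a1 19 02 04 47 a1 60 24 02 01
00 02 01 00 30 0b 30 09 06 05 2b 06 01 02 01 05
00
"""


def logged_packet():
    return bytes.fromhex("".join(LOGGED_PACKET_HEX.split()))


def read_tlv(buf, pos, clamp=False):
    """Read one BER TLV at pos; return (tag, value, next_pos, declared_len)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        if not clamp:
            raise ValueError("TLV runs past end of buffer")
        end = len(buf)  # only the outer SEQUENCE is allowed to be short
    return tag, buf[pos:end], end, length


def field(buf, pos, want_tag):
    """Read a TLV and insist on its tag; return (value, next_pos)."""
    tag, value, nxt, _ = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x}, got 0x{tag:02x}")
    return value, nxt


def integer(buf, pos):
    value, nxt = field(buf, pos, 0x02)
    return int.from_bytes(value, "big", signed=True), nxt


def security_level(msg_flags):
    """Map the two low msgFlags bits (RFC 3412) to a security level name."""
    names = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}
    return names.get(msg_flags & 0x03, "invalid (priv without auth)")


def parse_snmpv3_header(packet):
    tag, body, _, declared = read_tlv(packet, 0, clamp=True)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    version, pos = integer(body, 0)
    if version != 3:
        raise ValueError(f"not SNMPv3 (msgVersion={version})")

    # msgGlobalData: msgID, msgMaxSize, msgFlags, msgSecurityModel
    header, pos = field(body, pos, 0x30)
    msg_id, h = integer(header, 0)
    max_size, h = integer(header, h)
    flags, h = field(header, h, 0x04)
    if len(flags) != 1:
        raise ValueError("msgFlags must be exactly one octet")
    model, h = integer(header, h)

    # msgSecurityParameters: an OCTET STRING wrapping the USM SEQUENCE
    usm_raw, pos = field(body, pos, 0x04)
    usm, _ = field(usm_raw, 0, 0x30)
    engine_id, u = field(usm, 0, 0x04)
    boots, u = integer(usm, u)
    engine_time, u = integer(usm, u)
    user, u = field(usm, u, 0x04)
    auth_params, u = field(usm, u, 0x04)
    priv_params, u = field(usm, u, 0x04)

    # RFC 3411 engine IDs carry the IANA enterprise number in the first 4 octets.
    enterprise = None
    if len(engine_id) >= 4:
        enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    return {
        "version": version, "msg_id": msg_id, "max_size": max_size,
        "msg_flags": flags[0], "security_level": security_level(flags[0]),
        "reportable": bool(flags[0] & 0x04), "security_model": model,
        "engine_id": engine_id.hex(), "enterprise": enterprise,
        "engine_boots": boots, "engine_time": engine_time,
        "user": user.decode("ascii", "replace"),
        "auth_params_len": len(auth_params), "priv_params_len": len(priv_params),
        "declared_len": declared, "logged_len": len(body),
    }


if __name__ == "__main__":
    for key, value in parse_snmpv3_header(logged_packet()).items():
        print(f"{key:16} {value}")
```

Run against the dump, it reports authPriv (msgFlags 0x07), security model 3 (USM) and user librenms, which is the level the snmpwalk command requested with -l authpriv.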
 
rdelacruz
newbie
Posts: 39
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Wed May 22, 2019 3:41 pm

rdelacruz - Please note that accounting will work only for those users which have a queue. Data for accounting is taken from queue statistics.
Yes, I'm aware of it. Are you referring to this queue?

If yes, can you please confirm that this added feature will work if we use RADIUS for accounting and lease? Thanks
 
slackR
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Sat May 23, 2009 1:46 pm
Location: Buffalo, New York, USA

Re: v6.45beta [testing] is released!

Thu May 23, 2019 1:31 am

I can also confirm snmpv3 does not work in 6.45rc50 with Observium or snmpwalk.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Sat May 25, 2019 11:07 am

Update: I have it working now and am writing this over an IKEv2 connection through PureVPN. I still have to adapt the manually generated IPsec Policy, and it is a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round the Src. Address matches and the tunnel is made.
I can see the success when in the log I get my IP, the two DNS IP addresses show and the tunnel is connected.
Check out the src-address-list parameter under mode-config.

https://wiki.mikrotik.com/wiki/Manual:I ... de_configs
I have it working with mode configs. I made a different setup because I could not use PCC on source port to distribute the traffic over multiple channels.
I now have two 760iGS in series (cascade): router 1 is only doing PPPoE/encrypting/routing and the NAT for mode config. Router 2 is doing the rest, except for what router 1 is doing now.

By separating the load I could increase the speed for IKEv2 from 70Mbits to 150Mbits; Router 1 is then running at 100% and Router 2 is running below 50% processor usage.

Sindy suggested using IPIP to see if I can run it on one router, but I have to see how that is going to be set up.

viewtopic.php?f=2&t=148651
 
osc86
Member Candidate
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Sat May 25, 2019 12:25 pm

I can also confirm snmpv3 does not work in 6.45rc50 with Observium or snmpwalk.
@slackR Did you already open a ticket at Mikrotik Support?
 
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 28, 2019 1:02 pm

Version 6.45beta54 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta54 (2019-May-24 07:51):

Important note!!!
Downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.


MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
!) user - removed insecure password storage;
----------------------

Changes in this release:

!) user - removed insecure password storage;
*) bridge - correctly display bridge FastPath status when vlan-filtering or dhcp-snooping is used;
*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
*) crs317 - fixed known multicast flooding to the CPU;
*) ike1 - general stability improvements (introduced in v6.45beta);
*) ike2 - added support for IKE rekeying for initiator;
*) ike2 - improved child SA rekeying process;
*) lte - added initial support for Vodafone R216-Z;
*) ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066);
*) winbox - added "System/SwOS" menu for all dual-boot devices;
*) www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 28, 2019 1:02 pm

osc86, SNMPv3 issues will be fixed in the next release.
 
ditonet
Forum Veteran
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: v6.45beta [testing] is released!

Tue May 28, 2019 2:39 pm

Hello Emils,

Could You explain this?
!) user - removed insecure password storage;
Regards,
 
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Tue May 28, 2019 2:45 pm

Hello Emils,

Could You explain this?
!) user - removed insecure password storage;
Regards,
This is the final step for this changelog entry from 6.43:
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
 
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 28, 2019 2:46 pm

When we introduced the new hashing and encryption for user passwords in v6.43, we had to leave the old type of passwords for downgrade possibility. Now they are removed and only strong encrypted passwords are stored. Note that downgrading below 6.43 will cause all passwords to be blank.
What's new in 6.43 (2018-Sep-06 12:44):

*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
 
ditonet
Forum Veteran
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: v6.45beta [testing] is released!

Tue May 28, 2019 3:04 pm

Thanks, completely forgot about it, it was a few months ago.

Regards,
 
rzirzi
Member
Member
Posts: 393
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.45beta [testing] is released!

Tue May 28, 2019 7:01 pm

* www - improved client-initiated renegotiation within the SSL and TLS protocols.
How to understand it? That means http server (instance for hotspot) at RouterOS or via RouterOS to external http server???
 
LeftyTs
Frequent Visitor
Frequent Visitor
Posts: 88
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece
Contact:

Re: v6.45beta [testing] is released!

Tue May 28, 2019 9:57 pm

First time I see tx-queue1-packet being used in a CRS326 switch. It was always the tx-queue0-packet all the time. The switch seems to work faster now in some tests I have done.
 
gurnec
just joined
Posts: 6
Joined: Wed Jul 14, 2010 9:42 pm

Re: v6.45beta [testing] is released!

Wed May 29, 2019 3:12 am

!) user - removed insecure password storage;
Could we get password hashes exported with the user accounts now please? E.g.:
[admin@gate] > /user export
# may/28/2019 20:15:28 by RouterOS 6.45
...
/user
add comment="system default user" group=full name=admin password_hash=<base64-encoded-hash>
...
 
rzirzi
Member
Member
Posts: 393
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.45beta [testing] is released!

Wed May 29, 2019 9:25 pm

*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
MikroTik team - could You explain? - please.
 
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Wed May 29, 2019 9:42 pm

*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
MikroTik team - could You explain? - please.
Let's hope this is not related to TLS protocol downgrade attacks...
 
Paternot
Forum Veteran
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.45beta [testing] is released!

Thu May 30, 2019 4:23 pm

*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
MikroTik team - could You explain? - please.
Let's hope this is not related to TLS protocol downgrade attacks...
Let's hope it is? Better to find, and close, than to leave it open...
 
rzirzi
Member
Member
Posts: 393
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.45beta [testing] is released!

Thu May 30, 2019 4:51 pm

We ask, We hope, but MikroTik... is silent...
 
rdelacruz
newbie
Posts: 39
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Thu May 30, 2019 7:09 pm

We ask, We hope, but MikroTik... is silent...
+1
 
normis
MikroTik Support
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Fri May 31, 2019 10:20 am

This article now describes the new security measures in v6.45 and newer:
https://wiki.mikrotik.com/wiki/Manual:Security
*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
This issue fixes DoS possibility in Webfig, related to CVE-2011-1473. We will update the changelog, CVE was not included by mistake.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Fri May 31, 2019 11:11 am

We ask, We hope, but MikroTik... is silent...
In many countries Thu May 30 was a holiday. Some businesses are closed on friday (today) as well.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Sun Jun 02, 2019 6:42 pm

I am now using an IKEv2 peer to connect to a VPN provider. I have the problem that the connection is rebuilt and that the old connection stays in the connection table. I am using a ping to test it and I get a timeout till I remove that connection from the connection table. I thought that dead-peer-detection would help, but it did not, not even on 1 sec 1 failure.
The lifetime provided by the provider is 30 minutes.

So I made a schedule to remove those inactive connections which don't timeout in connections.
:local ip "XXX.XX.XX.X";
:local con "IKEV2";
:local addressPOLICY  [/ip ipsec policy get [find where peer="$con"] value-name=src-address];
:local addressCONTRACK [/ip firewall connection get [find where src-address="$ip"] value-name=reply-dst-address];
:local address ("$addressCONTRACK".""."/32")
:if ("$addressPOLICY" != "$address")  do={ /ip firewall connection remove [find where src-address="$ip"]; :log info "Removed $con address $addressCONTRACK who became stuck in connection tracking"};

The src-address is a static address that is used as 'marker' to have the generated dynamic NAT line triggered. For each IKEv2 connection I have a separate static address.

Can I set something in the setting so I don't have that schedule every second?

Update:

I disabled the schedule and tried to tip the IKEv2 connection out of balance by disabling and enabling PPPoE and flushing and restarting Peers, but it stayed up. So I am going to run without the schedule to see if it still runs in 30 minutes or more.

Update 2:

Observation: all worked while the unused tunnel connections switched off by themselves and the ping tunnel stayed up. I made a new request by calling a speed-test page and all connections were made, including a new one for the ping connection. The old connection line went down to 6-5 seconds timeout and then went up to 9 seconds while there is no connection matching it.

So I can tip it out of balance and I see it again timing out so I reactivate the schedule.

Update 3

This seems to be only happening when running a constant PING through the IKEv2 connection. I have also updated the script to be more flexible and working correctly. ;-)
 
cse2012
just joined
Posts: 12
Joined: Tue May 15, 2012 7:13 am

php api login failure at 6.45beta54

Mon Jun 03, 2019 9:31 am

php api login failure at 6.45beta54.

Login failed, incorrect username or password.
please confirm.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: php api login failure at 6.45beta54

Mon Jun 03, 2019 11:56 am

php api login failure at 6.45beta54.

Login failed, incorrect username or password.
please confirm.
You need to update your scripts (the logon method). You could have done that earlier.
 
cse2012
just joined
Posts: 12
Joined: Tue May 15, 2012 7:13 am

Re: php api login failure at 6.45beta54

Mon Jun 03, 2019 2:49 pm

php api login failure at 6.45beta54.

Login failed, incorrect username or password.
please confirm.
You need to update your scripts (the logon method). You could have done that earlier.
thank you. ^^
https://github.com/BenMenking/routeros- ... .class.php
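
The logon change referred to above, as an added example that is not part of the thread or of the linked PHP class: per MikroTik's documented API protocol, RouterOS 6.43 and later accept name and password in a single /login sentence, while older scripts first request a challenge and answer with an MD5 response. It is written in Python rather than PHP; the function names and sample credentials are constructed for illustration.

```python
import hashlib
from binascii import unhexlify


def encode_length(n: int) -> bytes:
    """Variable-length word prefix used by the RouterOS API."""
    if n < 0x80:
        return n.to_bytes(1, "big")
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xF0" + n.to_bytes(4, "big")


def encode_sentence(words):
    """A sentence is a run of length-prefixed words ended by an empty word."""
    out = b""
    for word in words:
        raw = word.encode("utf-8")
        out += encode_length(len(raw)) + raw
    return out + b"\x00"


def decode_sentence(data: bytes):
    """Inverse of encode_sentence; raises ValueError on truncated input."""
    words, i = [], 0
    while True:
        if i >= len(data):
            raise ValueError("truncated sentence")
        first = data[i]
        if first < 0x80:
            n, size = first, 1
        elif first < 0xC0:
            n, size = int.from_bytes(data[i:i + 2], "big") & 0x3FFF, 2
        elif first < 0xE0:
            n, size = int.from_bytes(data[i:i + 3], "big") & 0x1FFFFF, 3
        elif first < 0xF0:
            n, size = int.from_bytes(data[i:i + 4], "big") & 0x0FFFFFFF, 4
        else:
            n, size = int.from_bytes(data[i + 1:i + 5], "big"), 5
        i += size
        if n == 0:
            return words
        if i + n > len(data):
            raise ValueError("truncated word")
        words.append(data[i:i + n].decode("utf-8"))
        i += n


def modern_login(name: str, password: str) -> bytes:
    """Login for 6.43 and later: one sentence carrying the password itself.
    The password crosses the wire as-is, so this belongs on the TLS API service."""
    return encode_sentence(["/login", f"=name={name}", f"=password={password}"])


def legacy_login_reply(name: str, password: str, challenge_hex: str) -> bytes:
    """Second step of the pre-6.43 login: answer the router's =ret= challenge
    with "00" + md5(0x00 + password + challenge). The router can only verify
    this if it can recover the plaintext password from its own storage."""
    digest = hashlib.md5(
        b"\x00" + password.encode("utf-8") + unhexlify(challenge_hex)
    ).hexdigest()
    return encode_sentence(["/login", f"=name={name}", f"=response=00{digest}"])


def login_style(words) -> str:
    """Classify a decoded client sentence, e.g. when auditing what a script sends."""
    if words[:1] != ["/login"]:
        return "not-login"
    keys = {w.split("=", 2)[1] for w in words[1:] if w.startswith("=")}
    if "password" in keys:
        return "modern"
    if "response" in keys:
        return "legacy-response"
    return "legacy-challenge-request"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    challenge = "00112233445566778899aabbccddeeff"
    for sentence in (
        encode_sentence(["/login"]),
        legacy_login_reply("admin", "example-pass", challenge),
        modern_login("admin", "example-pass"),
    ):
        print(login_style(decode_sentence(sentence)), sentence)
```

A script whose first sentence is a bare /login, or whose login sentence carries =response=, is still using the old method and is the kind that needs updating.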
 
kugla007
just joined
Posts: 8
Joined: Thu Mar 29, 2018 12:43 pm

Re: v6.45beta [testing] is released!

Mon Jun 10, 2019 2:47 pm

Hi,

I'm testing wired dot1x with NPS. Is it possible to put the interface in a "guest" VLAN if 802.1x authentication fails?

In my example the devices/users that authenticate successfully are put in Corporate VLAN (let's say VLAN10). And I'd like to put all other devices/user into the "guest" VLAN (let's say VLAN20). When devices successfully authenticate they are put into VLAN10. If I connect an unauthorised device (a computer that is not in our domain, doesn't have 802.1 ethernet enabled on their NIC) nothing happens. Port is UP but no MAC is added to the MAC table (/interface bridge hosts print). I tried configuring the port in VLAN20 access statically but nothing happens either.

Is this something that's not yet implemented? Will this be added in a future release?
 
User avatar
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon Jun 10, 2019 3:09 pm

No, it is not possible at the moment. Please post your request to this thread. We are monitoring the feature requests and will implement them in future updates.

viewtopic.php?f=1&t=128439
 
LeftyTs
Frequent Visitor
Frequent Visitor
Posts: 88
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece
Contact:

Re: v6.45beta [testing] is released!

Mon Jun 10, 2019 3:19 pm

I am still having problems with ethernet ports of a CRS326 switch. It happened again twice on the same port in the past week. A 10Mbit half duplex port, only 2 meters away from the switch, stopped responding to IPv4 pings and I had to disable and enable the port twice within a week in order for it to come back to life. I sent the supout of the switch a few minutes ago. At least now I don't have to reboot the switch to get it working again.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 2:53 pm

It is now quiet around the beta and, having used the new IKEv2 EAP possibilities for a time, I want to make a suggestion on how to direct traffic using policy routing. I am now using a second router to take care of PPPoE and IKEv2 as those two are bound together more or less.
I set in the 'inside' router through NAT the source address of the traffic and marking/tagging it so that in the outer router (PPPoE/IKEv2) it can be caught by the dynamic generated NAT for that specific IKEv2 traffic. This way I can have multiple IKEv2 providers/connections.
This is done by setting in IPSEC in mode config the name of the address-list containing the source address I set in through NAT on the inner router.

This is all fine but I have now a double NAT for that traffic and two routers handling that traffic.

I am using policy routing with other VPN connections and so only needing a single NAT for the traffic.

My request/suggestion is to enable an extra field in IPSEC mode config containing the name of the router mark for policy routing. Mangle is used to mark the routing that is intended to go through the router and if entered also in mode config then there is a dynamic NAT line generated on UP and removed on DOWN.

When nothing is entered in mode config then there is no dynamic NAT rule generated, as is the case now.
If an address list name is entered then a dynamic NAT line is generated, matching on the list name and source address and not destination address as is the case now.
If the new field with the name of the routing mark is filled then a new dynamic NAT line is generated with only matching on that routing mark.

You can even think about interpreting source address and router mark if both are present but that will be of no immediate use in my eyes.
 
User avatar
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 2:57 pm

msatter, we already have plans for such a feature. But connection marks will be used instead of routing marks.
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 4:33 pm

msatter, we already have plans for such a feature. But connection marks will be used instead of routing marks.
Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 8:55 pm

I hope I'm not missing the point, but isn't this IKEv2 & policy routing something that would be best solved by what's known as route/interface-based VPN, VTI, etc? I remember it used to be a popular request here a few years ago. If I understand it correctly, the Linux implementation provides interfaces for IPSec connections, but internally it's still regular policy-based tunnels (often with 0.0.0.0/0 on both sides, but it can be anything). And some marks transparently assigned to outgoing traffic via that interface (it basically serves as an additional filter for policy) are used to control what traffic it will actually apply to. So this should nicely cover the use case for multiple outgoing IPSec connections (like popular commercial VPN services). But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 9:14 pm

That would be even more welcome. :D
However I think Mikrotik has its reasons to do it one way, not the other. I am happy either way.
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 2096
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow
Contact:

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 12:08 am

I hope I'm not missing the point, but isn't this IKEv2 & policy routing something that would be best solved by what's known as route/interface-based VPN, VTI, etc? I remember it used to be a popular request here a few years ago. If I understand it correctly, the Linux implementation provides interfaces for IPSec connections, but internally it's still regular policy-based tunnels (often with 0.0.0.0/0 on both sides, but it can be anything). And some marks transparently assigned to outgoing traffic via that interface (it basically serves as an additional filter for policy) are used to control what traffic it will actually apply to. So this should nicely cover the use case for multiple outgoing IPSec connections (like popular commercial VPN services). But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.
Mikrotik support have acknowledged the VTI request, but said it requires a newer kernel.

They will revisit the request once v7 beta is out.
 
User avatar
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 11:11 am


Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemented in version 7.
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 11:47 am

No rc versions this time?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 12:07 pm

But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.
Well, I remember the days when all Linux systems did that, but it was changed because others (BSD, Cisco) were not using separate interfaces but only those policies.
I always considered it a bad move. Dedicated interfaces for IPsec traffic were so much clearer.
Apparently later (and currently) the option to use interfaces was re-introduced, but today I am not using plain Linux systems as routers anymore so I lost track of that.

Whenever possible, I use a tunnel over IPsec transport. I use GRE because it has some other use cases, but you can use IPIP too.
In fact, IPIP over IPsec transport is almost the same as an IPsec tunnel at the protocol layer. I.e. there is no extra overhead.
But of course this can only be done when you manage both ends, as they cannot be interconnected.
 
bnw
just joined
Posts: 22
Joined: Thu Jun 13, 2019 5:56 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 6:02 pm

One thing I would like to see in 6.45 is some hardware SNMP improvement for the CCR1072.
As stated in ticket #2019032822004818, many hardware OIDs are missing for this device, compared to what Winbox shows :
- Board temperature
- Board temperature 2
- Fan speed 3
- Fan speed 4
- PSU1 status (should be OID .15 (*))
- PSU2 status (should be OID .16 (*))
(*) as seen on other models such as the CRS317-1G-16S+.

We are then clearly at risk with our CCR1072-1G-8S+, not being able to monitor all their hardware components, which is a rather tricky situation for core devices.

I found other topics complaining about this : viewtopic.php?f=1&t=143899 / viewtopic.php?f=2&t=117322

Many thanks for your support Mikrotik dev' team !
 
LynxChaus
newbie
Posts: 29
Joined: Tue Jul 08, 2014 2:24 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 8:26 pm


*) tr069-client - added LTE CQI and IMSI parameter support;
Why only in tr069? Export in SNMP too, with all other info.
 
LeftyTs
Frequent Visitor
Frequent Visitor
Posts: 88
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece
Contact:

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 12:32 am

One thing I would like to see in 6.45 is some hardware SNMP improvement for the CCR1072.
As stated in ticket #2019032822004818, many hardware OIDs are missing for this device, compared to what Winbox shows :
- Board temperature
- Board temperature 2
- Fan speed 3
- Fan speed 4
- PSU1 status (should be OID .15 (*))
- PSU2 status (should be OID .16 (*))
(*) as seen on other models such as the CRS317-1G-16S+.

We are then clearly at risk with our CCR1072-1G-8S+, not being able to monitor all their hardware components, which is a rather tricky situation for core devices.

I found other topics complaining about this : viewtopic.php?f=1&t=143899 / viewtopic.php?f=2&t=117322

Many thanks for your support Mikrotik dev' team !
+1
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 12:46 am

If you can see this system info in the cli, you can easily send it out to a monitor system using script and Syslog.

I have stopped using SNMP, since for every new unit I set up, I have to tell the system that there is a new Router/Switch, or have a program that scans a net. Scanning a net does not work if the routers are spread around in many nets.

Using Syslog is easy. Just add a script to the router when you are setting it up. It will then call home with all the info you need.

Look at my Mikrotik for Splunk in my signature.
 
bnw
just joined
Posts: 22
Joined: Thu Jun 13, 2019 5:56 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 1:31 am

If you can see this system info in the cli, you can easily send it out to a monitor system using script and Syslog.
We use SNMP for all our (network) devices from our enterprise monitoring & reporting solution, as I think many other companies do.
We simply can't rely on workarounds.
We then expect Mikrotik to complete the SNMP tree for the CCR1072 hardware components, to have something reliable.
Thank you anyway !
 
User avatar
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 8:37 am

Version 6.45beta62 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta62 (2019-Jun-13 10:13):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
!) user - removed insecure password storage;
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
*) bridge - correctly handle bridge host table;
*) capsman - fixed CAP system upgrading process for MMIPS;
*) certificate - added "key-type" field;
*) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1);
*) crs3xx - fixed "tx-drop" counter;
*) defconf - fixed channel width selection for RU locked devices;
*) dhcpv4-server - added "client-mac-limit" parameter;
*) dhcpv6-client - added option to disable rapid-commit;
*) dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time";
*) dhcpv6-server - added "address-list" support for bindings;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters;
*) dhcpv6-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "route-distance" parameter;
*) e-mail - properly release e-mail sending session if the server's domain name can not be resolved;
*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity;
*) ipsec - added "ph2-total" counter to "active-peers" menu;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
*) ipsec - added traffic statistics to "active-peers" menu;
*) ipsec - disallow setting "src-address" and "dst-address" for transport mode policies;
*) ipsec - renamed "remote-peers" to "active-peers";
*) ltap - renamed SIM slots "up" and "down" to "2" and "3";
*) lte - added passthrough interface subnet selection;
*) lte - fixed LTE interface running state on RBSXTLTE3-7 (introduced in v6.45beta);
*) m33g - added support for additional Serial Console port on GPIO headers;
*) routerboard - renamed 'sim' menu to 'modem';
*) snmp - fixed "send-trap" not working when "trap-generators" does not contain "temp-exception";
*) snmp - improved reliability on SNMP service packet validation;
*) winbox - added "System/SwOS" menu for all dual-boot devices;
*) winbox - do not allow setting "dns-lookup-interval" to "0";

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
andriys
Forum Guru
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 10:58 am

*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
Will it also work for "rsa-signature-hybrid"?
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 11:43 am

Does anyone know where to find this setting? I have been looking for it for years now.

*) winbox - do not allow setting "dns-lookup-interval" to "0";

Many support mails about addresslists and DNS timings but this was never mentioned to me. I have now a limiter only for DNS so that when there is no upstream DNS it will not flood my local DNS server with countless resolve requests.

Update:
Found it on a Polish site and it is a setting not applying to what I was looking for.

So the limiter and drop line stays active.
 
anuser
Long time Member
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 2:05 pm

Version 6.45beta62 has been released.
*) bridge - correctly handle bridge host table;
What kind of issue was there actually?
 
User avatar
osc86
Member Candidate
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 2:42 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 5:38 pm

Please implement "advertise-local-dns" option in IPv6 ND that makes router advertise the local address (same as gateway) as DNS server, instead of the IPv6 DNS servers configured in /ip dns.
(to make IPv6 systems use the local DNS resolver instead of going directly to the ISP DNS servers)

This is necessary to make locally configured DNS static names visible to IPv6 capable clients.
 
raffav
Member
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 5:46 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part needs to be rebuilt, for better debugging
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1139
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 2:18 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1
 
Florian
Member Candidate
Member Candidate
Posts: 117
Joined: Sun Mar 13, 2016 9:45 am
Location: France

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 7:29 pm

Please implement "advertise-local-dns" option in IPv6 ND that makes router advertise the local address (same as gateway) as DNS server, instead of the IPv6 DNS servers configured in /ip dns.
(to make IPv6 systems use the local DNS resolver instead of going directly to the ISP DNS servers)

This is necessary to make locally configured DNS static names visible to IPv6 capable clients.
You can do this :

viewtopic.php?t=132657

That's what I do, it's working.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 10:11 pm

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
 
LeftyTs
Frequent Visitor
Frequent Visitor
Posts: 88
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece
Contact:

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 3:23 am

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part needs to be rebuilt, for better debugging
For better debugging and analysis you should consider sending to a remote log server. Makes life much easier.
 
pawelkopec88
just joined
Posts: 10
Joined: Wed Mar 14, 2018 11:06 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 10:34 am

Hi,

HW Offloading doesn't work on HAP AC on RouterBOARD 962UiGS-5HacT2HnT ROS 6.45beta62. On Stable 6.44.3 HW Offloading is working. I have sent an email to your support with rif files
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 11:25 am

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch...
Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and does not get this specific setting.
 
TimurA
Member Candidate
Member Candidate
Posts: 199
Joined: Sat Dec 15, 2018 6:13 am
Location: Tashkent
Contact:

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:06 pm

Good job 6.45beta62! wifi 5ghz, 2 days running without crashing on RB4011.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:50 pm

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch...
Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and does not get this specific setting.
~85% of our users have Android, then maybe 10% Apple and 5% Windows.

I think it should not be that difficult to add an option to have ND advertise the local address (same as it advertises for gateway) as DNS server instead of the IPv6 addresses configured in /ip dns.
And when at that, also have some option in the DHCPv6 server to do the same thing. Other changes in DHCPv6 are in the changelist so apparently someone is working on it.
In the DHCPv4 server there is a field to specify own DNS servers and even a special checkmark to suppress the automatic advertisement of DNS servers... why not in IPv6?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:54 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part needs to be rebuilt, for better debugging
For better debugging and analysis you should consider sending to a remote log server. Makes life much easier.
Well, I agree that when you are running a lot of tunnels and you try to debug one of them, enabling packet-level debugging makes a terrible mess and/or load, even with remote log server.
It could be useful to have some option to enable ipsec debug logging for a single peer, preferably not by filtering but by only logging for that specific peer.
 
User avatar
rdelacruz
newbie
Posts: 39
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 2:21 am

rdelacruz - Please note that accounting will work only for those users which has a queue. Data for accounting is taken from queue statistics
Yes, I'm aware of it. Are you referring to this queue?

Image

If yes, can you please confirm that this added feature will work if we use RADIUS for accounting and lease? Thanks
Have you successfully tested this one?
 
EdPa
MikroTik Support
MikroTik Support
Posts: 278
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga
Contact:

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 11:36 am

Version 6.45beta62 has been released.
*) bridge - correctly handle bridge host table;
What kind of issue was there actually?
On some occasions, hosts did not time out correctly. Now bridge will make sure hosts are removed.
 
toxmost
just joined
Posts: 3
Joined: Tue Jun 18, 2019 7:25 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 7:34 pm

Hello!
I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
IP address receive via DHCP. ALL WORK GREAT! ---> firmware 6.44.3

If I update firmware to 6.45beta62, SFP module has status "link ok", but DHCP address is not received, DHCP client is all the time in status "searching", packets (in module window) TXed, but not RXed.

Can you fix it?

Thank you.
 
Boomish
just joined
Posts: 5
Joined: Wed Jun 05, 2019 12:07 am

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 8:40 pm

Can we get the ability to define an ip instead of using the detected IP for ip cloud ddns updates.
I'd like the ability to force the update before I deploy the unit to the field on its static ip.


It would also be handy if we could force delete a published DDNS Record.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 9:12 pm

Can we get the ability to define an ip instead of using the detected IP for ip cloud ddns updates.
I'd like the ability to force the update before I deploy the unit to the field on its static ip.


It would also be handy if we could force delete a published DDNS Record.
Ability to define IP address would bring in all sorts of problems, probability of mis-configuration is just too big.
And, BTW, what benefit would one get by having DDNS configured before unit was up&running instead a minute or two later?

It's been explained that DDNS record gets removed when DDNS is disabled on the unit (but it needs internet connectivity at that time).
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 11:25 pm

Hello!
I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
IP address receive via DHCP. ALL WORK GREAT! ---> firmware 6.44.3

If I update firmware to 6.45beta62, SFP module has status "link ok", but DHCP address is not received, DHCP client is all the time in status "searching", packets (in module window) TXed, but not RXed.

Can you fix it?

Thank you.
Did you try with auto-negotiation disabled?
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 11:29 pm


Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemented in version 7.
There is now a wiki-page how to set. I can't place the word 'local' in the last sentence because all is local.

https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
 
Boomish
just joined
Posts: 5
Joined: Wed Jun 05, 2019 12:07 am

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 12:10 am

Can we get the ability to define an ip instead of using the detected IP for ip cloud ddns updates.
I'd like the ability to force the update before I deploy the unit to the field on its static ip.


It would also be handy if we could force delete a published DDNS Record.
Ability to define IP address would bring in all sorts of problems, probability of mis-configuration is just too big.
And, BTW, what benefit would one get by having DDNS configured before unit was up&running instead a minute or two later?

It's been explained that DDNS record gets removed when DDNS is disabled on the unit (but it needs internet connectivity at that time).

It is rather inconvenient to have to disable the individual peers on the hub when they all have the same IP address.

When building all of the spokes prior to sending them out, they update their ddns and as a result they all have the same ip address because they are built on the same system.

Even after I disabled the DDNS Update the record wasn't deleted; in fact it persisted for multiple days.

Furthermore it would be nice to be able to publish a specific IP when your router is behind another natting device such as a PPPOE AT&T Router that only gives you your static ip's via a 1-1 nat.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 10:56 am

*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity;

Where can I set that identity?

I also noticed that the counters are all the same and these are L2tp/IPSEC connections:
wrong-counters.JPG
The local addresses, in PPP screen, are in the 172.20.12.xxx range (multiple connections). Suggestion attach the counters from the Remote Address because the same 172.20.12.xxx can be in the PPP list.

I see in the other screen of IPsec in Identities twice in the list the column "My ID"
 
User avatar
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 11:37 am

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible to set such comment for the dynamic Identity created by L2TP server's "use-ipsec" parameter.

Statistics counters for IKEv1 with no unique ID's will be fixed shortly.

Not sure what you meant with the third paragraph. Can you clarify?

There is nothing we can do about the multiple My-ID fields under Identity menu at this moment because of multiple data types stored in this parameter.

Regarding the IPsec logging requests. We have our thoughts about this and agree it should be improved, however the current logging mechanism in RouterOS is currently limiting what we can do. We will try to come up with a solution in future.

andriys, will see if we can enable RADIUS accounting for rsa-signature-hybrid authentication as well.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 12:55 pm

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible to set such a comment for the dynamic Identity created by L2TP server's "use-ipsec" parameter.
For dynamically created ones there is naming available in the PPP menu as name. Limit displaying it to a certain number of characters. Now I have to identify peers by other means because "peer1205 etc." is not much to go on in relation to the names used in PPP.

Statistics counters for IKEv1 with no unique IDs will be fixed shortly.
Thanks
Not sure what you meant with the third paragraph. Can you clarify?
That belonged to the picture, and as long as there is a unique identification in the background I am happy.

There is nothing we can do about the multiple My-ID fields under Identity menu at this moment because of multiple data types stored in this parameter.
It already looked familiar to me, multiple My-ID being present, and I never have any content in there. I am only using it as a client, so this may be for the server.
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 1:07 pm

The thing is, PPP and IPsec are completely unrelated things and currently there is no way to associate the L2TP and the IPsec sessions with each other.
 
zryny4
just joined
Posts: 9
Joined: Sun Apr 17, 2016 12:29 pm

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 5:36 pm

Is RouterOS affected by CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479?
 
toxmost
just joined
Posts: 3
Joined: Tue Jun 18, 2019 7:25 pm

Re: v6.45beta [testing] is released!

Thu Jun 20, 2019 12:01 pm

Hello!
I have an RB4011iGS+5HacQ2HnD with a D-Link DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
The IP address is received via DHCP. ALL WORKS GREAT! ---> firmware 6.44.3

If I update the firmware to 6.45beta62, the SFP module has status "link ok", but the DHCP address is not received, the DHCP client is in status "searching" all the time, and packets (in the module window) are TXed, but not RXed.

Can you fix it?

Thank you.
Did you try with auto-negotiation disabled?
I tried it. No effect.
 
nostromog
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Fri Jun 21, 2019 5:08 pm

I have two devices upgraded to 6.45beta62, but today I'm seeing this error (several times) while trying to upgrade another one:
 15:04:27 system,error broken package routeros-mipsbe-6.45beta62.npk 
Has the download file become corrupt? Is it some problem in this device?
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 4:03 am

First time I see tx-queue1-packet being used in a CRS326 switch. It was always the tx-queue0-packet all the time. The switch seems to work faster now in some tests I have done.
Will be nice to see multiple queues on each port to make QoS.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 10:34 am

I have two devices upgraded to 6.45beta62, but today I'm seeing this error (several times) while trying to upgrade another one:
 15:04:27 system,error broken package routeros-mipsbe-6.45beta62.npk 
Has the download file become corrupt? Is it some problem in this device?

It is likely that the flash of the device became corrupt (check the output of /system resource print to see if it mentions bad blocks higher than 0%). But it can also happen that the downloaded npk got corrupted somewhere.

You can try to manually download the package from download.mikrotik.com - choose extra packages, which is a ZIP file. Then extract all the packages (npk files) you need - get the list of installed and enabled packages from the router itself. Upload those npk files to the router and reboot the router afterwards.
If it doesn't upgrade during reboot, check the log for any information.
 
nostromog
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 2:03 pm

You can try to manually download the package from download.mikrotik.com - choose extra packages, which is a ZIP file. Then extract all the packages (npk files) you need - get the list of installed and enabled packages from the router itself. Upload those npk files to the router and reboot the router afterwards.
If it doesn't upgrade during reboot, check the log for any information.
I did it this way and it worked, so I guess either the CDN or the copy in the download site itself got corrupted...

Still a pretty useless thing, given that packages with patches for the Linux SACK of death thing are forthcoming... :)
 
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 8:05 pm

I know the router tests integrity before installation, but MikroTik could put the md5sums on the site too. It would be one easy way to find out if our download was corrupted.

EDIT

Never mind, silly me. Just found the link to them. Not very practical, but it is there.
 
611
newbie
Posts: 37
Joined: Wed Oct 17, 2018 10:12 am

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 9:10 pm

Does anyone know where to find this setting? I have been looking for it for years now.
*) winbox - do not allow setting "dns-lookup-interval" to "0";
Update:
Found it on a Polish site and it is a setting not applying to what I was looking for.
It was a very "funny" bug actually - a device added to Dude via Winbox with default settings caused instant 100% CPU load with 50% going to Dude server and another 50% to DNS resolver as Dude was polling it with zero interval.
Creating a device with such settings is impossible with Dude client.
 
LynxChaus
newbie
Posts: 29
Joined: Tue Jul 08, 2014 2:24 pm

Re: v6.45beta [testing] is released!

Mon Jun 24, 2019 4:34 pm

Has the download file become corrupt? Is it some problem in this device?
Upload is corrupt - CDN (upgrade.mikrotik.com) serves broken files:
# ls -1las routeros-mipsbe-6.45beta62.npk-*
12056166 Jun 14 08:28 routeros-mipsbe-6.45beta62.npk-download.mikrotik.com
11583488 Jun 14 08:31 routeros-mipsbe-6.45beta62.npk-upgrade.mikrotik.com

# md5sum routeros-mipsbe-6.45beta62.npk-*
d7b9284935f8123cbf4df0c735c995c3  routeros-mipsbe-6.45beta62.npk-download.mikrotik.com
637a0bbb58bb0a3012ae9289dc9e7cbc  routeros-mipsbe-6.45beta62.npk-upgrade.mikrotik.com
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: v6.45beta [testing] is released!

Mon Jun 24, 2019 8:26 pm

Are there any plans to add a simple EAP server authentication where there is no RADIUS server? i.e. something like xauth for IKEv1 where you can define local users on the router itself? We have a few situations where there is no local RADIUS and certificates are more complicated for end users where they would like to use IKEv2.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Mon Jun 24, 2019 10:22 pm

MikroTik has a RADIUS server called "usermanager" that can run on some router models.
Unfortunately it is quite limited. The natural way to solve this is to make it capable of handling these requests.
 
Tobei
newbie
Posts: 25
Joined: Sun Sep 11, 2016 3:25 pm

Re: v6.45beta [testing] is released!

Wed Jun 26, 2019 3:45 pm

Hi,

HW Offloading doesn't work on hAP ac, RouterBOARD 962UiGS-5HacT2HnT, ROS 6.45beta62. On stable 6.44.3 HW Offloading is working. I sent an email to your support with rif files.

The user 611 and I observe the same; see also viewtopic.php?f=1&t=149552

Best regards
Tobias
 
ztx
just joined
Posts: 17
Joined: Sun Nov 05, 2017 4:46 am

Re: v6.45beta [testing] is released!

Sat Jun 29, 2019 5:13 pm

Version 6.45beta62 has been released.


!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
I can connect to a VPN server in Windows using IKEv2 with username and password only. Can this work on RouterOS?
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Sat Jun 29, 2019 5:22 pm

Have a look at this page for NordVPN. If your provider has no specific certificate, then you need the root cert from/for that provider.

https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
 
ztx
just joined
Posts: 17
Joined: Sun Nov 05, 2017 4:46 am

Re: v6.45beta [testing] is released!

Sat Jun 29, 2019 9:00 pm

Have a look at this page for NordVPN. If your provider has no specific certificate, then you need the root cert from/for that provider.

https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
In Windows, it needs username and password only.
I found a setup guide for strongSwan:
1. Launch the app and then tap on Add VPN profile.
2. Now you'll need to enter a VPN server address.
3. Now choose the VPN type. Select Ikev2 EAP (username/password).
4. Next, enter PureVPN provided credentials in Username and Password fields.
5. Next, check the CA certificate.
6. Profile Name: PureVPN Ikev2 (you may type anything).
Now tap on show advanced settings and type in server identity: pointtoserver.com
Finally, hit save and then connect to the newly created Ikev2 profile.
How can I set this up on RouterOS?
Thanks!
 
ztx
just joined
Posts: 17
Joined: Sun Nov 05, 2017 4:46 am

Re: v6.45beta [testing] is released!

Sun Jun 30, 2019 9:36 am

msatter All EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible that the CA certificate is already in the Trusted Windows Certificate store so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certificate is used on Windows and export it to RouterOS.

Also there is no wildcard support for remote-id fqdn field. I would suggest leaving the remote-id to auto.

mezzovide no, conntrack has nothing to do with it; however, we already have fixes for your described issues in previous betas. Did you try the latest beta and can verify the issue is still present?
emils, how can I find which certificate is used? Thanks!
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Sun Jun 30, 2019 10:58 am

I am not Emils; however, I can answer your question.

You need the comodo-root.crt and import it in system-certificate. State that you ignore the check on it in the IPsec screen.

viewtopic.php?f=21&t=146087&p=731038&hi ... er#p731253
 
mattgorecki
just joined
Posts: 2
Joined: Sat Jun 01, 2019 12:17 am
Location: Helena, Montana

Re: v6.45beta [testing] is released!

Sun Jun 30, 2019 10:28 pm

The current download of 6.45beta62 for MIPSBE is giving me a checksum error.

On my Mac:
MD5 (routeros-mipsbe-6.45beta62.npk) = 637a0bbb58bb0a3012ae9289dc9e7cbc
The website says it should be:
MD5 routeros-mipsbe-6.45beta62.npk: d7b9284935f8123cbf4df0c735c995c3
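
The checksum comparison done by hand in the posts above can be scripted. The following is an added example, not code from the thread or from MikroTik: it parses the three listing styles quoted here (macOS `md5`, the website's line, and `md5sum`) and classifies a downloaded file, with an optional size check for truncated transfers. MD5 is used only because it is what the posts compare; the function names, `sample.npk` and the payload bytes are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The three listing styles that appear in this thread.
PATTERNS = [
    re.compile(r"^MD5 \((?P<name>.+)\) = (?P<md5>[0-9a-fA-F]{32})$"),  # macOS md5
    re.compile(r"^MD5 (?P<name>\S+): (?P<md5>[0-9a-fA-F]{32})$"),      # as quoted from the website
    re.compile(r"^(?P<md5>[0-9a-fA-F]{32}) [ *](?P<name>.+)$"),        # md5sum
]

def parse_checksums(text):
    """Return {file name: lowercase MD5 hex} for every line that parses."""
    table = {}
    for line in text.splitlines():
        for pattern in PATTERNS:
            m = pattern.match(line.strip())
            if m:
                table[m["name"]] = m["md5"].lower()
                break
    return table

def md5_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-megabyte package is never read whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify(path, published, expected_size=None):
    """Return 'ok', 'size-mismatch', 'digest-mismatch' or 'unlisted'."""
    path = Path(path)
    want = published.get(path.name)
    if want is None:
        return "unlisted"          # never treat a missing entry as a pass
    if expected_size is not None and path.stat().st_size != expected_size:
        return "size-mismatch"     # cheap check, catches truncated transfers
    return "ok" if md5_file(path) == want else "digest-mismatch"

def demo():
    """Constructed stand-in for a package: one intact copy, one truncated."""
    data = b"constructed package bytes\n" * 4096
    listing = f"MD5 sample.npk: {hashlib.md5(data).hexdigest()}"
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "good", "sample.npk"), Path(tmp, "bad", "sample.npk")
        for target, payload in ((good, data), (bad, data[:-512])):
            target.parent.mkdir()
            target.write_bytes(payload)
        table = parse_checksums(listing)
        return verify(good, table, len(data)), verify(bad, table, len(data)), verify(bad, table)
```

`demo()` returns the status for the intact copy, then for the truncated copy with and without the size check.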
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon Jul 01, 2019 10:15 am

New version 6.45.1 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=149786
