Tw0kings
just joined
Posts: 3
Joined: Fri Feb 02, 2018 11:29 am

Re: v6.45beta [testing] is released!

Sun May 19, 2019 9:12 pm

I'm using BCP over L2TP. With the latest beta builds it doesn't work. Didn't have time to test what exactly doesn't work. Looks like DHCP over BCP, but maybe there is more.
In the stable release all is working as it should.
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon May 20, 2019 9:42 am

Update: I have it now working and am writing this with an IKEv2 connection through PureVPN. I still have to adapt the manually generated IPsec policy and it's a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round the Src. Address matches and the tunnel is made.
I can see the success when in the log I get my IP and the two DNS IP addresses show, and the tunnel is connected.
Check out the src-address-list parameter under mode-config.

https://wiki.mikrotik.com/wiki/Manual:I ... de_configs
 
msatter
Forum Guru
Posts: 1158
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Mon May 20, 2019 10:22 am

Update: I have it now working and am writing this with an IKEv2 connection through PureVPN. I still have to adapt the manually generated IPsec policy and it's a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round the Src. Address matches and the tunnel is made.
I can see the success when in the log I get my IP and the two DNS IP addresses show, and the tunnel is connected.
Check out the src-address-list parameter under mode-config.

https://wiki.mikrotik.com/wiki/Manual:I ... de_configs
Thanks Emils, I tried that before and now again but it did not change the IP to one out of the range..... Oh, I see there is a new line inserted into NAT. When I use different address lists I can split horizon... I think.
Going to work that out later today or tomorrow.

Thanks again for the help in this.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases no root required
 
msatter
Forum Guru
Posts: 1158
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Mon May 20, 2019 10:31 pm

I have tried now with an address list and I can make a split horizon. The TS_I is given by PureVPN (10.4.48.178) for that fixed IP server. The only address in the address list (Marker) is not to be seen in the log. The TS_R is 0.0.0.0/0.

The NAT is generated and then I have to change my original source address to the one in the address list so that I can use MANGLE to split it up. The packet count on the generated NAT line stays zero. I thought that I could use the address list IP address as a marker to have it src-nat to 10.4.48.178, but the Dst. Address List is !Addresslist, so having a marker goes out of the window.

So I think I have to do a double NAT (cascade) and so go twice around and twice around back.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases no root required
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 21, 2019 12:58 pm

Version 6.45beta50 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta50 (2019-May-20 09:30):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) bridge - fixed port running state for non-ethernet interfaces (introduced in v6.45beta33);
*) ccr - improved packet processing after overloading interface;
*) crs3xx - added ethernet tx-drop counter;
*) crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305;
*) defconf - changed default configuration type to AP for cAP series devices;
*) dhcpv6-client - added option to disable rapid-commit (CLI only);
*) dhcpv6-server - added RADIUS accounting support with queue based statistics;
*) discovery - fixed CDP packets not including address on slave ports (introduced in v6.44);
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;
*) ike2 - fixed pre-shared-key authentication failure (introduced in v6.45beta34);
*) ike2 - improved certificate verification when multiple CA certificates received from responder;
*) ippool - improved logging for IPv6 Pool when prefix is already in use;
*) ipv6 - improved system stability when receiving bogus packets;
*) lte - improved firmware upgrade process;
*) ospf - fixed opaque LSA type checking in OSPFv2;
*) rb3011 - improved system stability when receiving bogus packets;
*) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);
*) snmp - improved reliability on SNMP service packet validation;
*) ssh - fixed non-interactive multiple command execution;
*) supout - added "pwr-line" section to supout file;
*) traceroute - improved stability when sending large ping amounts;
*) traffic-generator - improved stability when stopping traffic generator;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
freemannnn
Long time Member
Posts: 655
Joined: Sun Oct 13, 2013 7:29 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 4:07 pm

*) defconf - changed default configuration type to AP for cAP series devices;

This should also be done for the wAP series.
 
rdelacruz
newbie
Posts: 33
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 4:33 pm

*) dhcpv4-server - added RADIUS accounting support with queue based statistics;


I tried to test it, but it's not working yet. Is it an added feature that works if we use RADIUS for accounting and lease?
 
TimurA
Member Candidate
Posts: 138
Joined: Sat Dec 15, 2018 6:13 am
Location: Tashkent
Contact:

Re: v6.45beta [testing] is released!

Tue May 21, 2019 5:03 pm


*) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);
Fine! Thanks emils. We are waiting for a stable branch.
 
Ulypka
Frequent Visitor
Posts: 51
Joined: Wed Jan 09, 2013 8:26 am

Re: v6.45beta [testing] is released!

Tue May 21, 2019 5:22 pm

*) ccr - improved packet processing after overloading interface;
Is this a fix for the problem 2018101022007579?
 
marekm
Member Candidate
Posts: 195
Joined: Tue Feb 01, 2011 11:27 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 7:46 pm

*) ipv6 - improved system stability when receiving bogus packets;
Which CVE - a new one, or more fixes for the already known ones?
 
pe1chl
Forum Guru
Posts: 5522
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 10:35 pm

*) dhcpv6-client - added option to disable rapid-commit (CLI only);
When you are working on dhcpv6-client: I would like to see an option in the client so that it does NOT save the obtained information in nonvolatile storage, and/or deletes it when the interface goes down.

Reason: the ISP uses the request for a prefix to enable the route in their router/BRAS. When the MikroTik client router reboots and still has a stored, non-expired lease, it will continue to use that when the first attempt to renew it fails (e.g. because PPPoE is not yet up after the reboot). But as the ISP has cleared the route, IPv6 will not work until the router attempts to renew it (because it is expiring).

With this option the router will not have stored information about the lease and will try to obtain it immediately, so it will get it as soon as the interface comes up.
 
rdelacruz
newbie
Posts: 33
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Tue May 21, 2019 10:50 pm

*) dhcpv4-server - added RADIUS accounting support with queue based statistics;


I tried to test it, but it's not working yet. Is it an added feature that works if we use RADIUS for accounting and lease?
Please confirm this. Thanks
 
strods
MikroTik Support
Posts: 1406
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Wed May 22, 2019 6:34 am

rdelacruz - Please note that accounting will work only for those users which have a queue. Data for accounting is taken from queue statistics.
 
bbs2web
Member Candidate
Posts: 197
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: v6.45beta [testing] is released!

Wed May 22, 2019 6:45 am

*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;

Please could we have a little more detail regarding this change? We use raw 'no-track' rules extensively, to avoid packet loss on core routers and filtering appears to be working.

I assume this is a fix for a bug introduced in 6.45 development branch?
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed May 22, 2019 9:55 am

"no-track" is not the same as "accepted by RAW". It fixes a specific case when connection tracking is disabled, RAW firewall rules are accepting (sending to connection tracking) some traffic, but the firewall rules are invalid, because the connection tracking is disabled. The firewall rules should be working fine in this case.
 
MILONI
just joined
Posts: 1
Joined: Sat May 11, 2019 11:55 am

Re: v6.45beta [testing] is released!

Wed May 22, 2019 10:41 am

Configuration options for dot1x are now enabled. Hooray
 
Zito
just joined
Posts: 14
Joined: Tue Feb 19, 2013 11:41 pm

Re: v6.45beta [testing] is released!

Wed May 22, 2019 11:14 am

*) crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305;
If this was meant to fix the problem [Ticket#2019051422003403], then unfortunately it was without success:
1.PNG
2.PNG
 
osc86
newbie
Posts: 46
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Wed May 22, 2019 1:42 pm

For some reason, my device isn't responding to SNMPv3 queries anymore since I upgraded to beta50.
I'm using LibreNMS for monitoring my devices; I also tried manually with snmpwalk -> no response.

EDIT:
[admin@CORE] /snmp community> pr d 
Flags: * - default 
 0 * name="librenms" addresses=::/0 security=private read-access=yes write-access=no authentication-protocol=SHA1 encryption-protocol=AES 
     authentication-password="mysecretpassword" encryption-password="anothersecretpassword" 
snmpwalk -a SHA -A mysecretpassword -l authpriv -u librenms -x AES -X anothersecretpassword 192.168.99.1
Timeout: No Response from 192.168.99.1


15:37:39 snmp packet(v4) from: 192.168.2.111
15:37:39 snmp v3 user: librenms
15:37:39 snmp,debug unsupported v3 security level
15:37:39 snmp,packet 30 71 02 01 03 30 11 02 04 5b e1 da 3b 02 03 00
15:37:39 snmp,packet ff e3 04 01 07 02 01 03 04 31 30 2f 04 05 80 00
15:37:39 snmp,packet 3a 8c 04 02 01 00 02 01 04 04 08 6c 69 62 72 65
15:37:39 snmp,packet 6e 6d 73 04 0c 7a 37 32 ff d4 32 65 1f 54 e8 1d
15:37:39 snmp,packet 01 04 08 a1 62 da 91 4e 10 b8 7b 30 24 04 05 80
15:37:39 snmp,packet 00 3a 8c 04 04 00 a1 19 02 04 47 a1 60 24 02 01
15:37:39 snmp,packet 00 02 01 00 30 0b 30 09 06 05 2b 06 01 02 01 05
15:37:39 snmp,packet 00
15:37:39 snmp,debug v3 err: 0 unsupported security level
15:37:39 snmp,debug bad packet

The same works perfectly on 6.44.3 and 6.45beta31; maybe it's related to this:
*) snmp - improved reliability on SNMP service packet validation;
Last edited by osc86 on Wed May 22, 2019 5:03 pm, edited 1 time in total.
CCR1009-7G-1C-1S+ ROS6.45.2
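As an added diagnostic example (not part of osc86's post and not RouterOS code), the following Python decodes the SNMPv3 wrapper from the snmp,packet hex dump above. The byte values are copied from the log lines in the post; the field names and the meaning of msgFlags follow RFC 3412 and RFC 3414. It lets a defender confirm what the client actually asked for (security level, USM user, engine ID, security model) before the agent answered "unsupported security level", and it also reports two things worth checking in any such capture: whether the declared outer length matches the bytes captured, and whether the scoped PDU arrived as plaintext (tag 0x30) or as an OCTET STRING (tag 0x04), which is the form RFC 3414 requires when the priv flag is set. For the dump as posted, the outer SEQUENCE declares 113 bytes but only 111 follow, and the scoped PDU carries tag 0x30 although flags 0x07 request authPriv; the post does not say whether the log shows the raw wire bytes or a decoded/truncated copy, so treat those two observations as properties of the dump, not as the cause of the failure.

```python
"""Decode the SNMPv3 header and USM security parameters from a RouterOS
'snmp,packet' debug dump (added example; assumes the bytes below were
copied verbatim from the log lines in the post)."""

# Constructed input: the eight snmp,packet log lines from the post above.
LOG_LINES = """\
15:37:39 snmp,packet 30 71 02 01 03 30 11 02 04 5b e1 da 3b 02 03 00
15:37:39 snmp,packet ff e3 04 01 07 02 01 03 04 31 30 2f 04 05 80 00
15:37:39 snmp,packet 3a 8c 04 02 01 00 02 01 04 04 08 6c 69 62 72 65
15:37:39 snmp,packet 6e 6d 73 04 0c 7a 37 32 ff d4 32 65 1f 54 e8 1d
15:37:39 snmp,packet 01 04 08 a1 62 da 91 4e 10 b8 7b 30 24 04 05 80
15:37:39 snmp,packet 00 3a 8c 04 04 00 a1 19 02 04 47 a1 60 24 02 01
15:37:39 snmp,packet 00 02 01 00 30 0b 30 09 06 05 2b 06 01 02 01 05
15:37:39 snmp,packet 00
"""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04


def log_to_bytes(log):
    """Collect the hex columns after the 'snmp,packet' tag into one byte string."""
    words = []
    for line in log.splitlines():
        if "snmp,packet" in line:
            words.extend(line.split("snmp,packet", 1)[1].split())
    return bytes(int(w, 16) for w in words)


def read_header(buf, pos):
    """Read a BER tag and definite length at pos; return (tag, length, value_start)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos


def expect(buf, pos, tag):
    """Read the TLV at pos, require the given tag, return (value, next_pos)."""
    got, length, start = read_header(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}, got 0x{got:02x}")
    return buf[start:start + length], start + length


def security_level(flags):
    """RFC 3412 msgFlags: bit0 = authFlag, bit1 = privFlag, bit2 = reportableFlag."""
    auth, priv = bool(flags & 0x01), bool(flags & 0x02)
    if priv and not auth:
        return "invalid (priv without auth)"
    return {(False, False): "noAuthNoPriv", (True, False): "authNoPriv",
            (True, True): "authPriv"}[(auth, priv)]


def parse_snmpv3_header(packet):
    """Decode the SNMPv3 wrapper and USM security parameters of one message."""
    tag, declared, start = read_header(packet, 0)       # SNMPv3Message ::= SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("message does not start with a SEQUENCE")
    body = packet[start:]
    version, pos = expect(body, 0, INTEGER)
    if int.from_bytes(version, "big") != 3:
        raise ValueError("not an SNMPv3 message")
    gdata, pos = expect(body, pos, SEQUENCE)            # HeaderData
    msg_id, g = expect(gdata, 0, INTEGER)
    max_size, g = expect(gdata, g, INTEGER)
    flags, g = expect(gdata, g, OCTET_STRING)
    sec_model, g = expect(gdata, g, INTEGER)
    sec_params, pos = expect(body, pos, OCTET_STRING)   # msgSecurityParameters
    usm, _ = expect(sec_params, 0, SEQUENCE)            # UsmSecurityParameters (model 3)
    engine_id, u = expect(usm, 0, OCTET_STRING)
    boots, u = expect(usm, u, INTEGER)
    engine_time, u = expect(usm, u, INTEGER)
    user, u = expect(usm, u, OCTET_STRING)
    auth_params, u = expect(usm, u, OCTET_STRING)
    priv_params, u = expect(usm, u, OCTET_STRING)
    # ScopedPduData: 0x30 = plaintext ScopedPDU, 0x04 = OCTET STRING holding the encrypted PDU
    data_tag = body[pos]
    return {
        "declared_length": declared,
        "captured_length": len(body),
        "msg_id": int.from_bytes(msg_id, "big"),
        "max_size": int.from_bytes(max_size, "big"),
        "flags": flags[0],
        "security_level": security_level(flags[0]),
        "reportable": bool(flags[0] & 0x04),
        "security_model": int.from_bytes(sec_model, "big"),
        "engine_id": engine_id.hex(),
        "engine_boots": int.from_bytes(boots, "big"),
        "engine_time": int.from_bytes(engine_time, "big"),
        "user": user.decode("ascii", "replace"),
        "auth_param_len": len(auth_params),
        "priv_param_len": len(priv_params),
        "scoped_pdu_encrypted": data_tag == OCTET_STRING,
    }


if __name__ == "__main__":
    for key, value in parse_snmpv3_header(log_to_bytes(LOG_LINES)).items():
        print(f"{key:22} {value}")
```

Run it as a script to print the decoded fields; the 12-byte authentication parameters and 8-byte privacy parameters are consistent with the HMAC-SHA-96 / AES settings shown in the community entry and the snmpwalk command in the post.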
 
rdelacruz
newbie
Posts: 33
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Wed May 22, 2019 3:41 pm

rdelacruz - Please note that accounting will work only for those users which has a queue. Data for accounting is taken from queue statistics
Yes, I'm aware of it. Are you referring to this queue?


If yes, can you please confirm that this added feature will work if we use RADIUS for accounting and lease? Thanks
 
slackR
newbie
Posts: 32
Joined: Sat May 23, 2009 1:46 pm
Location: Buffalo, New York, USA
Contact:

Re: v6.45beta [testing] is released!

Thu May 23, 2019 1:31 am

I can also confirm snmpv3 does not work in 6.45rc50 with Observium or snmpwalk.
 
msatter
Forum Guru
Posts: 1158
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Sat May 25, 2019 11:07 am

Update: I have it now working and am writing this with an IKEv2 connection through PureVPN. I still have to adapt the manually generated IPsec policy and it's a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round the Src. Address matches and the tunnel is made.
I can see the success when in the log I get my IP and the two DNS IP addresses show, and the tunnel is connected.
Check out the src-address-list parameter under mode-config.

https://wiki.mikrotik.com/wiki/Manual:I ... de_configs
I have it working with mode configs. I made a different setup because I could not use PCC on source port to distribute the traffic over multiple channels.
I now have two 760iGS in series (cascade) and router 1 is only doing PPPoE/encrypting/routing and the NAT for mode config. Router 2 is doing the rest except for what router 1 is doing now.

By separating the load I could increase the speed for IKEv2 from 70Mbits to 150Mbits, and then Router 1 is running at 100% and Router 2 is running below 50% processor usage.

Sindy suggested using IPIP to see if I can run it on one router, but I have to see how that is going to be set up.

viewtopic.php?f=2&t=148651
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases no root required
 
osc86
newbie
Posts: 46
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Sat May 25, 2019 12:25 pm

I can also confirm snmpv3 does not work in 6.45rc50 with Observium or snmpwalk.
@slackR Did you already open a ticket at Mikrotik Support?
CCR1009-7G-1C-1S+ ROS6.45.2
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 28, 2019 1:02 pm

Version 6.45beta54 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta54 (2019-May-24 07:51):

Important note!!!
Downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.


MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
!) user - removed insecure password storage;
----------------------

Changes in this release:

!) user - removed insecure password storage;
*) bridge - correctly display bridge FastPath status when vlan-filtering or dhcp-snooping is used;
*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
*) crs317 - fixed known multicast flooding to the CPU;
*) ike1 - general stability improvements (introduced in v6.45beta);
*) ike2 - added support for IKE rekeying for initiator;
*) ike2 - improved child SA rekeying process;
*) lte - added initial support for Vodafone R216-Z;
*) ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066);
*) winbox - added "System/SwOS" menu for all dual-boot devices;
*) www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 28, 2019 1:02 pm

osc86, SNMPv3 issues will be fixed in the next release.
 
ditonet
Forum Veteran
Posts: 837
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: v6.45beta [testing] is released!

Tue May 28, 2019 2:39 pm

Hello Emils,

Could You explain this?
!) user - removed insecure password storage;
Regards,
Grzegorz | MTCNA, MTCRE, MTCSE | konsultacje MikroTik Warszawa
It is a book about a Spanish guy called Manual. You should read it. - Dilbert
 
eworm
Member
Posts: 354
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Tue May 28, 2019 2:45 pm

Hello Emils,

Could You explain this?
!) user - removed insecure password storage;
Regards,
This is the final step for this changelog entry from 6.43:
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 28, 2019 2:46 pm

When we introduced the new hashing and encryption for user passwords in v6.43, we had to leave the old type of passwords for downgrade possibility. Now they are removed and only strong encrypted passwords are stored. Note that downgrading below 6.43 will cause all passwords to be blank.
What's new in 6.43 (2018-Sep-06 12:44):

*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
 
ditonet
Forum Veteran
Posts: 837
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: v6.45beta [testing] is released!

Tue May 28, 2019 3:04 pm

Thanks, completely forgot about it, it was a few months ago.

Regards,
Grzegorz | MTCNA, MTCRE, MTCSE | konsultacje MikroTik Warszawa
It is a book about a Spanish guy called Manual. You should read it. - Dilbert
 
rzirzi
Member
Posts: 376
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.45beta [testing] is released!

Tue May 28, 2019 7:01 pm

* www - improved client-initiated renegotiation within the SSL and TLS protocols.
How should this be understood? Does that mean the http server (instance for hotspot) on RouterOS, or via RouterOS to an external http server???
 
LeftyTs
Frequent Visitor
Posts: 67
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece
Contact:

Re: v6.45beta [testing] is released!

Tue May 28, 2019 9:57 pm

First time I see tx-queue1-packet being used in a CRS326 switch. It was always tx-queue0-packet before. The switch seems to work faster now in some tests I have done.
 
gurnec
just joined
Posts: 5
Joined: Wed Jul 14, 2010 9:42 pm

Re: v6.45beta [testing] is released!

Wed May 29, 2019 3:12 am

!) user - removed insecure password storage;
Could we get password hashes exported with the user accounts now please? E.g.:
[admin@gate] > /user export
# may/28/2019 20:15:28 by RouterOS 6.45
...
/user
add comment="system default user" group=full name=admin password_hash=<base64-encoded-hash>
...
 
rzirzi
Member
Posts: 376
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.45beta [testing] is released!

Wed May 29, 2019 9:25 pm

*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
MikroTik team - could You explain? - please.
 
eworm
Member
Posts: 354
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Wed May 29, 2019 9:42 pm

*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
MikroTik team - could You explain? - please.
Let's hope this is not related to TLS protocol downgrade attacks...
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
Paternot
Long time Member
Posts: 578
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.45beta [testing] is released!

Thu May 30, 2019 4:23 pm

*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
MikroTik team - could You explain? - please.
Let's hope this is not related to TLS protocol downgrade attacks...
Let's hope it is? Better to find, and close, than to leave it open...
 
rzirzi
Member
Posts: 376
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.45beta [testing] is released!

Thu May 30, 2019 4:51 pm

We ask, we hope, but MikroTik... is silent...
 
rdelacruz
newbie
Posts: 33
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Thu May 30, 2019 7:09 pm

We ask, we hope, but MikroTik... is silent...
+1
 
normis
MikroTik Support
Posts: 24042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Fri May 31, 2019 10:20 am

This article now describes the new security measures in v6.45 and newer:
https://wiki.mikrotik.com/wiki/Manual:Security
*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
This issue fixes DoS possibility in Webfig, related to CVE-2011-1473. We will update the changelog, CVE was not included by mistake.
No answer to your question? How to write posts
 
pe1chl
Forum Guru
Posts: 5522
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Fri May 31, 2019 11:11 am

We ask, we hope, but MikroTik... is silent...
In many countries Thu May 30 was a holiday. Some businesses are closed on Friday (today) as well.
 
msatter
Forum Guru
Posts: 1158
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Sun Jun 02, 2019 6:42 pm

I am now using an IKEv2 peer to connect to a VPN provider. I have the problem that the connection is rebuilt and the old connection stays in the connection table. I am using a ping to test it and I get a timeout till I remove that connection from the connection table. I thought that dead-peer-detection would help but it did not, not even on 1 sec / 1 failure.
The lifetime provided by the provider is 30 minutes.

So I made a schedule to remove those inactive connections which don't time out in connections.
# marker address used as src-address for this IKEv2 connection (redacted by the poster)
:local ip "XXX.XX.XX.X";
:local con "IKEV2";
# src-address of the IPsec policy that belongs to this peer
:local addressPOLICY [/ip ipsec policy get [find where peer="$con"] value-name=src-address];
# reply-dst-address of the tracked connection that was started from the marker address
:local addressCONTRACK [/ip firewall connection get [find where src-address="$ip"] value-name=reply-dst-address];
:local address ("$addressCONTRACK" . "/32");
# a tracked connection that no longer matches the active policy is stale: remove it and log it
:if ("$addressPOLICY" != "$address") do={
  /ip firewall connection remove [find where src-address="$ip"];
  :log info "Removed $con address $addressCONTRACK which became stuck in connection tracking"};

The src-address is a static address that is used as a 'marker' to have the generated dynamic NAT line triggered. For each IKEv2 connection I have a separate static address.

Can I set something in the settings so I don't have to run that schedule every second?

Update:

I disabled the schedule and tried to tip the IKEv2 connection out of balance by disabling and enabling PPPoE and flushing and restarting peers, but it stayed up. So I am going to run without the schedule to see if it still runs in 30 minutes or more.

Update 2:

Observation: all worked while the unused tunnel connections switched off by themselves and the ping tunnel stayed up. I made a new request by calling a speed-test page and all connections were made, including a new one for the ping connection. The old connection line went down to 6-5 seconds timeout and then went up to 9 seconds while there is no connection matching it.

So I can tip it out of balance and I see it timing out again, so I reactivate the schedule.

Update 3

This seems to only happen when running a constant PING through the IKEv2 connection. I have also updated the script to be more flexible and work correctly. ;-)
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases no root required
 
cse2012
just joined
Posts: 12
Joined: Tue May 15, 2012 7:13 am

php api login failure at 6.45beta54

Mon Jun 03, 2019 9:31 am

php api login failure at 6.45beta54.

Login failed, incorrect username or password.
please confirm.
 
pe1chl
Forum Guru
Posts: 5522
Joined: Mon Jun 08, 2015 12:09 pm

Re: php api login failure at 6.45beta54

Mon Jun 03, 2019 11:56 am

php api login failure at 6.45beta54.

Login failed, incorrect username or password.
please confirm.
You need to update your scripts (the logon method). You could have done that earlier.
 
cse2012
just joined
Posts: 12
Joined: Tue May 15, 2012 7:13 am

Re: php api login failure at 6.45beta54

Mon Jun 03, 2019 2:49 pm

php api login failure at 6.45beta54.

Login failed, incorrect username or password.
please confirm.
You need to update your scripts (the logon method). You could have done that earlier.
thank you. ^^
https://github.com/BenMenking/routeros- ... .class.php
 
kugla007
just joined
Posts: 5
Joined: Thu Mar 29, 2018 12:43 pm

Re: v6.45beta [testing] is released!

Mon Jun 10, 2019 2:47 pm

Hi,

I'm testing wired dot1x with NPS. Is it possible to put the interface in a "guest" VLAN if 802.1x authentication fails?

In my example the devices/users that authenticate successfully are put in the Corporate VLAN (let's say VLAN10). And I'd like to put all other devices/users into the "guest" VLAN (let's say VLAN20). When devices successfully authenticate they are put into VLAN10. If I connect an unauthorised device (a computer that is not in our domain and doesn't have 802.1x ethernet enabled on its NIC) nothing happens. The port is UP but no MAC is added to the MAC table (/interface bridge hosts print). I tried configuring the port in VLAN20 access statically but nothing happens either.

Is this something that's not yet implemented? Will this be added in a future release?
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon Jun 10, 2019 3:09 pm

No, it is not possible at the moment. Please post your request to this thread. We are monitoring the feature requests and will implement them in future updates.

viewtopic.php?f=1&t=128439
 
LeftyTs
Frequent Visitor
Posts: 67
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece
Contact:

Re: v6.45beta [testing] is released!

Mon Jun 10, 2019 3:19 pm

I am still having problems with ethernet ports of a CRS326 switch. It happened again twice on the same port the past week. A 10Mbit half duplex port, only 2 meters away from the switch, stopped responding to IPv4 pings and I had to disable and enable the port twice within a week in order for it to come back to life. I have sent the supout of the switch a few minutes ago. At least now I don't have to reboot the switch to start working again.
 
msatter
Forum Guru
Posts: 1158
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 2:53 pm

It is now quiet around the beta and, having used the new IKEv2 EAP possibilities for a while, I want to make a suggestion on how to direct traffic using policy routing. I am now using a second router to take care of PPPoE and IKEv2 as those two are bound together more or less.
I set in the 'inside' router through NAT the source address of the traffic, marking/tagging it so that in the outer router (PPPoE/IKEv2) it can be caught by the dynamically generated NAT for that specific IKEv2 traffic. This way I can have multiple IKEv2 providers/connections.
This is done by setting in IPSEC mode config the name of the address list containing the source address I set through NAT on the inner router.

This is all fine but I have now a double NAT for that traffic and two routers handling that traffic.

I am using policy routing with other VPN connections and so only need a single NAT for the traffic.

My request/suggestion is to enable an extra field in IPSEC mode config containing the name of the routing mark for policy routing. Mangle is used to mark the routing that is intended to go through the router, and if it is also entered in mode config then a dynamic NAT line is generated on UP and removed on DOWN.

When nothing is entered in mode config then no dynamic NAT rule is generated, as is the case now.
If an address list name is entered then a dynamic NAT line is generated, matching on the list name and source address and not destination address, as is the case now.
If the new field with the name of the routing mark is filled then a new dynamic NAT line is generated matching only on that routing mark.

You can even think about interpreting source address and routing mark if both are present, but that has no immediate use in my eyes.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases no root required
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 2:57 pm

msatter, we already have plans for such a feature. But connection marks will be used instead of routing marks.
 
eworm
Member
Posts: 354
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 4:33 pm

msatter, we already have plans for such a feature. But connection marks will be used instead of routing marks.
Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
Sob
Forum Guru
Posts: 4361
Joined: Mon Apr 20, 2009 9:11 pm

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 8:55 pm

I hope I'm not missing the point, but isn't this IKEv2 & policy routing something that would be best solved by what's known as route/interface-based VPN, VTI, etc.? I remember it used to be a popular request here a few years ago. If I understand it correctly, the Linux implementation provides interfaces for IPsec connections, but internally it's still regular policy-based tunnels (often with 0.0.0.0/0 on both sides, but it can be anything). And some marks transparently assigned to outgoing traffic via that interface (it basically serves as an additional filter for the policy) are used to control what traffic it will actually apply to. So this should nicely cover the use case for multiple outgoing IPsec connections (like popular commercial VPN services). But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
eworm
Member
Posts: 354
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.45beta [testing] is released!

Wed Jun 12, 2019 9:14 pm

That would be even more welcome. :D
However I think MikroTik has its reasons to do it one way, not the other. I am happy either way.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts