But did you test it before writing?
Hi,
it seems that there is no fix for the problem with WiFi and wrong password.
I repeat... you should test it before writing.
I do not see any fix in this RC so it must be there.
So what do you want?
I did not create the SUP [–]
I'm sorry but wife was working from home and I did not have time to elaborate and create anything.......
What about the next SUP-116195? It also fixed itself? :)
We can only fix things that are reported to support. Above mentioned SUP ticket mentions that issue was gone by itself. If you also have a WiFi issue, rather than post here, make a detailed report, including what devices were connected, what happened, when. Then email to support@mikrotik
Cheers, that's helpful!
cAP ax, ax2, ax3 no PMKSA error when using WPA2/WPA3 for now, tested with Samsung S10, 2 x Xiaomi 11 Lite 5G NE, Laptop with Intel AX200 WiFi card.
And case closed after further investigation.
Noticed one thing on AX3 ...
HP printer Officejet Pro 8715 directly connected to AX3 starts up with 100M link, after 5 minutes the link shuts down and comes back up with 10M.
Disabling interface and enabling again, brings it back to 100M. But after 5 minutes ... 10M again.
From what I can remember I never saw that happening before.
Supout created and sent to support - SUP-117505.
Can we get this for IPv6 as well PLEASE?
*) snmp - added BGP peer table support IPv4 only (1.3.6.1.2.1.15.3.1);
Will not be fixed in 7.10. This is a RC and will only fix broken stuff that prevents it from being a stable release.
I implore MikroTik to *please* reconsider the extremely jarring webfig UI changes
Maybe it is enabled by default like in ROSv6.
*) mpls - added FastPath support;
How to activate this feature?
thx
*) ike2 - improved child SA delete request processing;
frequency 1.3.6.1.4.1.14988.1.1.1.8.1.6.1 GHz
phy rate iso.3.6.1.4.1.14988.1.1.1.8.1.13.1 Gbps
rssi 1.3.6.1.4.1.14988.1.1.1.8.1.12.1 dB
signal quality iso.3.6.1.4.1.14988.1.1.1.8.1.8.1 %
tx sector iso.3.6.1.4.1.14988.1.1.1.8.1.9.1
Wow, hAP Lite is back on stage? Good news!
*) system - reduced RAM usage for SMIPS devices;
or the RFC definition:
Endpoint-independent mapping: The NAT uses the same IP address and port mapping for packets sent from the same private IP address and port to any public IP address and port.
Endpoint-Independent Mapping:
The NAT reuses the port mapping for subsequent packets sent
from the same internal IP address and port (X:x) to any
external IP address and port. Specifically, X1':x1' equals
X2':x2' for all values of Y2:y2.
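The mapping rule quoted above, worked through in the RFC's X:x / Y:y notation. This is an added example, not part of any forum post and not RouterOS code; the `Nat` class, the addresses and the port numbers are constructed for illustration, and only mapping selection is modelled (no filtering, no timeouts).

```python
from itertools import count


class Nat:
    """Toy source NAT that models only how the external mapping X':x' is chosen."""

    def __init__(self, public_ip, endpoint_independent, first_port=50000):
        self.public_ip = public_ip
        self.endpoint_independent = endpoint_independent
        self._ports = count(first_port)   # next free external port
        self.table = {}                   # mapping key -> (X', x')

    def outbound(self, internal, external):
        """Return the external (ip, port) used for a packet internal -> external."""
        # Endpoint-independent: the key is the internal endpoint X:x only, so the
        # destination Y:y never influences the mapping.
        # Endpoint-dependent: the key also contains Y:y, so every new destination
        # gets its own external port.
        key = internal if self.endpoint_independent else (internal, external)
        if key not in self.table:
            self.table[key] = (self.public_ip, next(self._ports))
        return self.table[key]


def mappings_seen(nat, internal, destinations):
    """Set of external mappings one internal endpoint gets across destinations."""
    return {nat.outbound(internal, dst) for dst in destinations}


# Constructed endpoints (documentation address ranges).
X = ("192.168.88.10", 5060)                 # internal X:x
DESTS = [
    ("198.51.100.1", 3478),                 # Y1:y1
    ("203.0.113.7", 3478),                  # Y2:y2, different address
    ("203.0.113.7", 9999),                  # same address, different port
    ("198.51.100.1", 3478),                 # Y1:y1 again: always reuses its mapping
]


def compare():
    eim = Nat("192.0.2.1", endpoint_independent=True)
    dependent = Nat("192.0.2.1", endpoint_independent=False)
    return mappings_seen(eim, X, DESTS), mappings_seen(dependent, X, DESTS)


if __name__ == "__main__":
    eim_maps, dep_maps = compare()
    print("endpoint-independent:", sorted(eim_maps))
    print("endpoint-dependent:  ", sorted(dep_maps))
```

With endpoint-independent mapping the internal endpoint is reachable behind one stable external port, which is why that mapping's inbound filtering policy deserves separate attention in the firewall.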
I have the same issue on 7.9. A device after coming from sleep connects to 10M instead of 1000M. I manually set 1000M on the router side to avoid this.
And case closed after further investigation.
Disabling interface and enabling again, brings it back to 100M. But after 5 minutes ... 10M again.
Someone here at home changed the power settings on the printer so it went to power safe mode after 5 minutes.
Time to set an admin passwd on that device too and have a chat about changing settings for material which is not your own.
Why not solve the "problem" at the source?
I have the same issue on 7.9. A device after coming from sleep connects to 10M instead of 1000M. I manually set 1000M on the router side to avoid this.
Ask that in the topic about "Full-Cone NAT"... those people seem to have a use for it.
But in what real-world use-cases should I select this new option over the "normal" SNAT or Masquerading action?
My device is not a printer, it's a dock (with Ethernet adapter) connected to a notebook. Indeed, it was my mistake that I told it was connected to router with 7.9. Actually it was connected to a switch with 6.48.5, I forgot this fact and saw it only after today's re-check. Why I set to strictly "1000M full": because it has issues with re-connection every minute: 10M/1G/10M/1G and so on, and these issues are not cured even after notebook (so a dock too) awakes from sleep. So, this issue is not related to 7.x branch, sorry, just some incompatibility between devices. But the case is similar to the one described by the commentator, so I remembered it.
I agree with above what onnoossendrijver said. Why need to have a printer constantly at 1G? Printers will never have the need for such speed anyway, and it's apparently doing this to save power. Let it do its thing.
I remember that topic, this was a very specific use-case.
Ask that in the topic about "Full-Cone NAT"... those people seem to have a use for it.
Just did: [SUP-117869] - Hopefully support team starts to work on it soon... I'm not having the best support experience for some time now...
meconiotronic, msilcher - Have you opened support ticket regarding this issue? If not, then please do so and provide supout file which would be generated after the problem has been present on your router.
Still there, but probably related to capsman.
Works on hAP ax2 (2.4GHz AX 20/40MHz, 5GHz AX 20/40/80MHz, WPA2/WPA3 PSK, disabled PMKID). First brief look shows no wireless connectivity issues. Wlan connectivity seems stable, no random disconnects. Works without any configuration changes. Wireless issues from 7.9 seem fixed. Will test more.
rejected, can't find PMKSA
That's probably WPA3-related.
Still there, but probably related to capsman.
Works on hAP ax2 (2.4GHz AX 20/40MHz, 5GHz AX 20/40/80MHz, WPA2/WPA3 PSK, disabled PMKID). First brief look shows no wireless connectivity issues. Wlan connectivity seems stable, no random disconnects. Works without any configuration changes. Wireless issues from 7.9 seem fixed. Will test more.
Got:, supout provided in SUP-116463
rejected, can't find PMKSA
The same here with 7.9. Some Apple devices refuse to connect with wrong password. Restarting them helps, sometimes trying connecting to another network and switching back also helps.
ok, let's wait till it happened to someone else..
I just wanted to notice, that the issue is not properly sorted out.
Hi,
The same here with 7.9. Some Apple devices refuse to connect with wrong password. Restarting them helps, sometimes trying connecting to another network and switching back also helps.
ok, let's wait till it happened to someone else..
I just wanted to notice, that the issue is not properly sorted out.
You need to allow BFD on the required interfaces, like "/routing bfd configuration add forbid-bfd=no interfaces=LAN".
BFD for OSPF does not appear to actually run within the vrf. I opened SUP-117843
1 I ;;; BFD forbidden for interface
multihop=no vrf=main remote-address=172.16.0.162%vlan3020
local-address=172.16.0.161%vlan3020@vrf1 desired-tx-interval=0ms
required-min-rx=0ms multiplier=0
The date shown in webfig is wrong with this rc1.
Now it's showing "2023-05-30" and "/system/clock/print" on console shows correct date 2023-05-31.
I'm using RG751G.
I don't see that behavior on RB5009.
All time/date indications are correct for me. Terminal, webfig and winbox.
(and before anyone starts about the time diff on terminal output, I did not refresh the terminal screen ...)
RouterOS version 7.10rc has been released on the "v7 testing" channel!
[admin@MikroTik] > /export terse
# may/31/2023 21:02:30 by RouterOS 7.9.2
# software id =
#
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group add name=group1
/ip ipsec profile add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
/ip ipsec peer add exchange-mode=ike2 local-address=192.168.2.18 name=peer1 passive=yes profile=profile1
/ip ipsec proposal add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
/ip pool add name=r1-r2 ranges=192.168.99.2
/ip ipsec mode-config add address-pool=r1-r2 address-prefix-length=32 name=r1-r2 split-include=0.0.0.0/0 system-dns=no
/ip dhcp-client add interface=ether1
/ip ipsec identity add auth-method=digital-signature certificate=r1 generate-policy=port-strict match-by=certificate mode-config=r1-r2 peer=peer1 policy-template-group=group1 remote-certificate=r1-r2-ether
/ip ipsec policy add dst-address=192.168.99.0/24 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes
/system logging add topics=ipsec,!packet
/system note set show-at-login=no
[admin@MikroTik] >
[admin@MikroTik] > /export terse
# 2023-05-31 21:03:35 by RouterOS 7.10rc1
# software id =
#
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config add name=cfg1 responder=no
/ip ipsec policy group add name=group1
/ip ipsec profile add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
/ip ipsec peer add address=192.168.2.18/32 exchange-mode=ike2 name=peer1 profile=profile1
/ip ipsec proposal add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
/ip dhcp-client add interface=ether1
/ip ipsec identity add auth-method=digital-signature certificate=r1-r2-ether generate-policy=port-strict match-by=certificate mode-config=cfg1 my-id=dn peer=peer1 policy-template-group=group1 remote-certificate=r1
/ip ipsec policy add dst-address=0.0.0.0/0 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes
/ip route add distance=254 dst-address=192.168.99.0/24 gateway=ether1 pref-src=192.168.99.2
/system logging add topics=ipsec,!packet
/system note set show-at-login=no
[admin@MikroTik] >
21:14:45 ipsec issuer: <CN=r1-ca>
21:14:45 ipsec subject: <CN=r1-r2-ether>
21:14:45 ipsec notBefore: Sat Dec 31 21:00:00 2022
21:14:45 ipsec notAfter: Thu Dec 30 21:00:00 2032
21:14:45 ipsec selfSigned:0
21:14:45 ipsec extensions:
21:14:45 ipsec key usage: digital-signature, key-encipherment, data-encipherment, key-agreement
21:14:45 ipsec extended key usage: tls-client
21:14:45 ipsec subject key id: f3:05:75:fc:1c:8f:e9:f1:6c:31:73:f2:44:07:c6:87:04:65:5a:9f
21:14:45 ipsec authority key id:e5:a8:d5:03:ec:8f:45:7d:9e:6a:76:4d:c3:c0:4b:2a:b3:be:a8:d7
21:14:45 ipsec subject alternative name:
21:14:45 ipsec rfc822: r1-r2-ether
21:14:45 ipsec signed with: 1.2.840.10045.4.3.2 (1.2.840.10045.4.3.2)
21:14:45 ipsec [EC-PUBLIC]
21:14:45 ipsec pub.x: a1335a3f.4b9c7e10.7bddff81.160586b9.4186b4e7.9a72bd4b.8b98f5fa.341a7e4e
21:14:45 ipsec pub.y: c08ba383.7659f821.829013ab.ac296ea1.a7932d33.b3d338c5.71b9baf2.dc635863
21:14:45 ipsec curveId: 3
21:14:45 ipsec order: ffffffff.00000000.ffffffff.ffffffff.bce6faad.a7179e84.f3b9cac2.fc632551
21:14:45 ipsec,debug => certificate (size 0x1a0)
21:14:45 ipsec processing payloads: NOTIFY
21:14:45 ipsec notify: INITIAL_CONTACT
21:14:45 ipsec processing payload: AUTH
21:14:45 ipsec requested auth method: ECDSA-256
21:14:45 ipsec,debug => peer's auth (size 0x47)
21:14:45 ipsec,debug 30450221 00fee495 1a16030a 0404d221 b2d84888 f73f8475 bec3a3f7 15bf9a97
21:14:45 ipsec,debug 2c45d75e 4a02206b e01beed9 66b9ed42 35f7356b 7c0de460 a216e8e1 3691c751
21:14:45 ipsec,debug d4c122b3 df8517
21:14:45 ipsec trust chain:
21:14:45 ipsec 0: SKID: f3:05:75:fc:1c:8f:e9:f1:6c:31:73:f2:44:07:c6:87:04:65:5a:9f
21:14:45 ipsec AKID: e5:a8:d5:03:ec:8f:45:7d:9e:6a:76:4d:c3:c0:4b:2a:b3:be:a8:d7
21:14:45 ipsec 1: SKID: e5:a8:d5:03:ec:8f:45:7d:9e:6a:76:4d:c3:c0:4b:2a:b3:be:a8:d7
21:14:45 ipsec,debug => auth nonce (size 0x18)
21:14:45 ipsec,debug 3cb6c1d9 2d4632ec feb8104b 9f26bb31 a5e1a669 42dd08b6
21:14:45 ipsec,debug => SK_p (size 0x20)
21:14:45 ipsec,debug c04e1158 877afc72 b90c0d8e 8d6a500b 6a65b9ac 060e69e5 a03d97ca 764effee
21:14:45 ipsec,debug => idhash (size 0x20)
21:14:45 ipsec,debug b5947ef5 6006bd06 82601f43 d1122790 7b3b8db9 95569c46 fa3bba62 835dbafb
21:14:45 ipsec,error digital signature verification failed
21:14:45 ipsec reply notify: AUTHENTICATION_FAILED
21:14:45 ipsec adding notify: AUTHENTICATION_FAILED
21:14:45 ipsec,debug => (size 0x8)
21:14:45 ipsec,debug 00000008 00000018
21:14:45 ipsec <- ike2 reply, exchange: AUTH:1 192.168.2.19[4500] 95b82e65302f0cc5:c574be21d1653097
21:14:45 ipsec,debug ===== sending 224 bytes from 192.168.2.18[4500] to 192.168.2.19[4500]
21:14:45 ipsec,debug 1 times of 228 bytes message will be sent to 192.168.2.19[4500]
21:14:45 ipsec,info,account peer failed to authorize: peer1 192.168.2.18[4500]-192.168.2.19[4500] spi:c574be21d1653097:95b82e65302f0cc5
21:14:45 ipsec,info killing ike2 SA: peer1 192.168.2.18[4500]-192.168.2.19[4500] spi:c574be21d1653097:95b82e65302f0cc5
21:14:37 ipsec key usage: digital-signature, key-encipherment, data-encipherment, key-agreement
21:14:37 ipsec extended key usage: tls-client
21:14:37 ipsec subject key id: f3:05:75:fc:1c:8f:e9:f1:6c:31:73:f2:44:07:c6:87:04:65:5a:9f
21:14:37 ipsec authority key id:e5:a8:d5:03:ec:8f:45:7d:9e:6a:76:4d:c3:c0:4b:2a:b3:be:a8:d7
21:14:37 ipsec subject alternative name:
21:14:37 ipsec rfc822: r1-r2-ether
21:14:37 ipsec signed with: 1.2.840.10045.4.3.2 (1.2.840.10045.4.3.2)
21:14:37 ipsec [EC-PUBLIC]
21:14:37 ipsec pub.x: a1335a3f.4b9c7e10.7bddff81.160586b9.4186b4e7.9a72bd4b.8b98f5fa.341a7e4e
21:14:37 ipsec pub.y: c08ba383.7659f821.829013ab.ac296ea1.a7932d33.b3d338c5.71b9baf2.dc635863
21:14:37 ipsec curveId: 3
21:14:37 ipsec order: ffffffff.00000000.ffffffff.ffffffff.bce6faad.a7179e84.f3b9cac2.fc632551
21:14:37 ipsec adding payload: CERT
21:14:37 ipsec,debug => (first 0x100 of 0x1a5)
21:14:37 ipsec adding notify: INITIAL_CONTACT
21:14:37 ipsec,debug => (size 0x8)
21:14:37 ipsec,debug 00000008 00004000
21:14:37 ipsec adding payload: SA
21:14:37 ipsec,debug => (size 0x24)
21:14:37 ipsec,debug 00000024 00000020 01030402 0d437032 0300000c 01000014 800e0100 00000008
21:14:37 ipsec,debug 05000000
21:14:37 ipsec initiator selector: 0.0.0.0/0
21:14:37 ipsec adding payload: TS_I
21:14:37 ipsec,debug => (size 0x18)
21:14:37 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
21:14:37 ipsec responder selector: 0.0.0.0/0
21:14:37 ipsec adding payload: TS_R
21:14:37 ipsec,debug => (size 0x18)
21:14:37 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
21:14:37 ipsec preparing internal IPv4 address
21:14:37 ipsec preparing internal IPv4 netmask
21:14:37 ipsec preparing internal IPv6 subnet
21:14:37 ipsec preparing internal IPv4 DNS
21:14:37 ipsec preparing internal DNS domain
21:14:37 ipsec adding payload: CONFIG
21:14:37 ipsec,debug => (size 0x30)
21:14:37 ipsec,debug 00000030 01000000 00010004 00000000 00020004 00000000 000d0008 00000000
21:14:37 ipsec,debug 00000000 00030004 00000000 00190000
21:14:37 ipsec <- ike2 request, exchange: AUTH:1 192.168.2.18[4500] 95b82e65302f0cc5:c574be21d1653097
21:14:37 ipsec,debug ===== sending 896 bytes from 192.168.2.19[4500] to 192.168.2.18[4500]
21:14:37 ipsec,debug 1 times of 900 bytes message will be sent to 192.168.2.18[4500]
21:14:37 ipsec,debug ===== received 224 bytes from 192.168.2.18[4500] to 192.168.2.19[4500]
21:14:37 ipsec -> ike2 reply, exchange: AUTH:1 192.168.2.18[4500] 95b82e65302f0cc5:c574be21d1653097
21:14:37 ipsec payload seen: ENC (196 bytes)
21:14:37 ipsec processing payload: ENC
21:14:37 ipsec,debug => iv (size 0x10)
21:14:37 ipsec,debug a84d118a 88a01c7b 3d44a137 4aa7ac75
21:14:37 ipsec,debug decrypted packet
21:14:37 ipsec payload seen: NOTIFY (8 bytes)
21:14:37 ipsec processing payloads: NOTIFY
21:14:37 ipsec notify: AUTHENTICATION_FAILED
21:14:37 ipsec,error got fatal error: AUTHENTICATION_FAILED
21:14:37 ipsec,info killing ike2 SA: peer1 192.168.2.19[4500]-192.168.2.18[4500] spi:95b82e65302f0cc5:c574be21d1653097
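A triage helper for logs like the two above, added here as an example (it is not part of the forum post and not a MikroTik tool). It reports each IKEv2 SA that ended in an authentication failure, says whether the local side rejected the peer's signature or the remote side sent AUTHENTICATION_FAILED, and pairs both ends of the same SA by its SPI pair. All function and field names are hypothetical; the line layout is assumed to match the excerpts on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines excerpted from the responder (21:14:45) and initiator (21:14:37) logs
# above. The last line is constructed: an SA teardown with no preceding error,
# which must not be reported.
SAMPLE_LOG = """\
21:14:45 ipsec subject: <CN=r1-r2-ether>
21:14:45 ipsec extended key usage: tls-client
21:14:45 ipsec requested auth method: ECDSA-256
21:14:45 ipsec,debug => peer's auth (size 0x47)
21:14:45 ipsec,error digital signature verification failed
21:14:45 ipsec reply notify: AUTHENTICATION_FAILED
21:14:45 ipsec,info killing ike2 SA: peer1 192.168.2.18[4500]-192.168.2.19[4500] spi:c574be21d1653097:95b82e65302f0cc5
21:14:37 ipsec extended key usage: tls-client
21:14:37 ipsec adding payload: CERT
21:14:37 ipsec notify: AUTHENTICATION_FAILED
21:14:37 ipsec,error got fatal error: AUTHENTICATION_FAILED
21:14:37 ipsec,info killing ike2 SA: peer1 192.168.2.19[4500]-192.168.2.18[4500] spi:95b82e65302f0cc5:c574be21d1653097
21:30:00 ipsec,info killing ike2 SA: peer1 192.168.2.18[4500]-192.168.2.19[4500] spi:1111111111111111:2222222222222222
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (.*)$")   # time, topics, message
KILL_RE = re.compile(
    r"^killing ike2 SA: (\S+) ([^\[\s]+)\[\d+\]-([^\[\s]+)\[\d+\] "
    r"spi:([0-9a-f]{16}):([0-9a-f]{16})$"
)
# Message prefix -> context field remembered until the SA is torn down.
FIELDS = {
    "subject: ": "cert_subject",
    "extended key usage: ": "eku",
    "requested auth method: ": "auth_method",
}
# Only these two messages mark a failure. "reply notify" / "adding notify" are
# the local side announcing a failure it already logged, so they are ignored.
CAUSES = {
    "digital signature verification failed": "local-verify-failed",
    "got fatal error: AUTHENTICATION_FAILED": "remote-rejected",
}


@dataclass
class AuthFailure:
    time: str
    peer: str
    local_addr: str
    remote_addr: str
    spi_pair: Tuple[str, str]
    cause: str
    cert_subject: Optional[str] = None   # last certificate subject logged, if any
    eku: Optional[str] = None
    auth_method: Optional[str] = None

    @property
    def session(self) -> Tuple[str, ...]:
        # Each end logs the SPIs in its own order; sorting yields a shared key.
        return tuple(sorted(self.spi_pair))


def find_auth_failures(log_text: str) -> List[AuthFailure]:
    ctx: dict = {}
    failures = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        time, topics, msg = m.groups()
        topic_set = topics.split(",")
        if "ipsec" not in topic_set or "debug" in topic_set:
            continue                      # skip other subsystems and hex dumps
        msg = msg.strip()
        if msg in CAUSES:
            ctx.setdefault("cause", CAUSES[msg])
            continue
        for prefix, name in FIELDS.items():
            if msg.startswith(prefix):
                ctx[name] = msg[len(prefix):].strip("<>")
                break
        else:
            kill = KILL_RE.match(msg)
            if kill:
                if "cause" in ctx:        # teardown that followed an auth error
                    peer, local, remote, spi_a, spi_b = kill.groups()
                    failures.append(
                        AuthFailure(time, peer, local, remote, (spi_a, spi_b), **ctx)
                    )
                ctx = {}                  # context never leaks into the next SA
    return failures


if __name__ == "__main__":
    for f in find_auth_failures(SAMPLE_LOG):
        print(f.time, f.local_addr, "->", f.remote_addr, f.cause, f.session)
```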
Any got the SNMP for BGP working on Observium? where can we find the latest mib file? so I can ask Observium to update
@Mikrotik; I'm really happy with the BGP addition in SNMP (1.3.6.1.2.1.15.3.1), could you please also add bgpLocalAs (1.3.6.1.2.1.15.2) :)?
It's indeed standard :)
That OID is a standard MIB-2 one.
//
// Load OS specific file
//
if (file_exists(Config::get('install_dir') . "/includes/discovery/bgp-peers/{$device['os']}.inc.php")) {
    include Config::get('install_dir') . "/includes/discovery/bgp-peers/{$device['os']}.inc.php";
}
<?php
if ($device['os'] == 'routeros' && $device['hostname'] == 'router123') {
    $bgpLocalAs = 65123;
} elseif ($device['os'] == 'routeros' && $device['hostname'] == 'router456') {
    $bgpLocalAs = 65456;
}
+1 for LibreNMS compatibility
It's indeed standard :)
I'm using LibreNMS (which is a fork of Observium) and it only detects this SNMP tree if bgpLocalAs is present. For that reason I really wish Mikrotik will add this with the next release :)
Who is talking about “fault”? We are talking about a Release Candidate, which is, hence the name, not yet released and therefore open for suggestions/feature requests/adjustments.
Other management tools works just fine. Maybe you should contact Librenms for adjustments. In my opinion MT is not at fault here,
Why SUP-117980 Broken PKI in 7.10rc1 Closed with resolution Done?
What's new in 7.10rc3 (2023-Jun-02 09:43):
!) route - added BFD;
*) l3hw - fixed route table offloading during large volume of route updates;
*) l3hw - improved system stability when creating supout.rif file (introduced in v7.10beta5);
*) leds - fixed modem RAT mode indication on hAP ac^3 LTE6 WPS mode button LEDs;
*) sfp - fixed "combo-mode" copper functionality for CRS312 switch (introduced in v7.10rc1);
*) sfp - fixed "rate" monitor value for SFP interface on L009UiGS series devices;
*) winbox - added "MPLS/Settings" menu;
IKEv2 7.9.2 <> 7.10rc3
/certificate/add name="r1-ca" common-name="r1-ca" subject-alt-name="email:r1-ca" key-size=prime256v1 key-usage=key-cert-sign,crl-sign
:do {/certificate/sign [find name=r1-ca] name=r1-ca} on-error={:delay 2}
/certificate/add name="r1" common-name="192.168.2.18" subject-alt-name="IP:192.168.2.18" key-size=prime256v1 key-usage=digital-signature,content-commitment,key-encipherment,key-agreement,tls-server
:do {/certificate/sign [find name=r1] ca=r1-ca name=r1} on-error={:delay 2}
/certificate/add name="r1-r2" common-name="r1-r2" subject-alt-name="email:r1-r2" key-size=prime256v1 key-usage=digital-signature,key-encipherment,data-encipherment,key-agreement,tls-client
:do {/certificate/sign [find name=r1-r2] ca=r1-ca name=r1-r2} on-error={:delay 2}
:delay 2
/certificate/export-certificate r1-ca file-name=r1-ca
/certificate/export-certificate r1 file-name=r1
/certificate/export-certificate r1-r2 file-name=r1-r2 type=pkcs12 export-passphrase=passphrase
/ip/pool/add name=r1-r2 ranges=192.168.99.2
/ip/ipsec/mode-config/add address-pool=r1-r2 address-prefix-length=32 name=r1-r2 split-include=0.0.0.0/0 system-dns=no
/ip/ipsec/policy/group/add name=group1
/ip/ipsec/profile/add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
/ip/ipsec/peer/add exchange-mode=ike2 local-address=192.168.2.18 name=peer1 passive=yes profile=profile1
/ip/ipsec/proposal/add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1 generate-policy=port-strict match-by=certificate mode-config=r1-r2 peer=peer1 policy-template-group=group1 remote-certificate=r1-r2
/ip/ipsec/policy/add dst-address=192.168.99.0/24 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes
/certificate/import file-name="r1-ca.crt" name="r1-ca" passphrase=""
/certificate/import file-name="r1.crt" name="r1" passphrase=""
/certificate/import file-name="r1-r2.p12" name="r1-r2" passphrase="passphrase"
/ip/ipsec/mode-config/add name=cfg1 responder=no
/ip/ipsec/policy/group/add name=group1
/ip/ipsec/profile/add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
/ip/ipsec/peer/add address=192.168.2.18/32 exchange-mode=ike2 name=peer1 profile=profile1
/ip/ipsec/proposal/add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1-r2 generate-policy=port-strict match-by=certificate mode-config=cfg1 my-id=dn peer=peer1 policy-template-group=group1 remote-certificate=r1
/ip/ipsec/policy/add dst-address=0.0.0.0/0 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes
Hi, could you explain the working of *) mpls - added FastPath support; and how to implement it?
Welldone...
*) console - improved stability when using command completion;
*) mpls - added FastPath support;
So sad
MPLS FastPath feature Is enabled by default, but only works for switched traffic.
RB4011 and L3HW ??? What???
Still issue on rb4011 with rc3 with vlan and l3hw
/iot gpio digital
set pin5 script=":global scriptRunning; :global pulse;\
:if (\$scriptRunning!=true) do={\
:set \$scriptRunning true;\
:set \$pulse (\$pulse+1);\
:log info message=(\"GPIO pulse No. \".\$pulse);\
:delay 1s;\
:set \$scriptRunning false;\
}"
This was posted for beta5, SUP-117843 was supposed to be corrected in rc1. I do however still have an issue with rc3 where each side is TX'ing BFD packet on the VRF interface, but none are being RX'd. BFD on the main VRF is however working just fine.
You need to allow BFD on the required interfaces, like "/routing bfd configuration add forbid-bfd=no interfaces=LAN".
BFD for OSPF does not appear to actually run within the vrf. I opened SUP-117843
1 I ;;; BFD forbidden for interface
multihop=no vrf=main remote-address=172.16.0.162%vlan3020
local-address=172.16.0.161%vlan3020@vrf1 desired-tx-interval=0ms
required-min-rx=0ms multiplier=0
I just enabled BFD for OSPF (v2 and v3) and it simply works :)
Then I misinterpreted the "So if you are testing any alpha with wifi fixes they should be already all in RC."
that's what I wrote...
Got response from support team.
Still issue on rb4011 with rc3 with vlan and bridge hw offloading.
Created SUP-118205 with supout file.
Will post updates if I get any response.
My issue was that my bridge interface had pvid set to the same value as vlan id.
...
Can’t claim to understand however why it is not right.
Not true.
after update to 7.10rc4 the ntp client not working !
[xyz@AXLite] /system/ntp/client> print
enabled: yes
mode: unicast
servers: be.pool.ntp.org
vrf: main
freq-drift: 0 PPM
status: synchronized
synced-server: be.pool.ntp.org
synced-stratum: 2
system-offset: 70.003 ms
Can you at least show what is not working for you?
after update to 7.10rc4 the ntp client not working !
/system/ntp/client> print
That in fact is also a "problem with the ISP"...
Most RouterOS code is not dependent on the device it is running on.
The symptoms of the global variables now appear again in an hAP ax3, something is not being done right in the RouterOS code, they reintroduce bugs that were solved at least in the RB750Gr3.
Have an issue with OVPN server on 7.10RC3 (and also 7.9.2) where Mikrotik Clients disconnect after exactly 1 hour of connected time...
Not helping me, unfortunately. autosupout.rif sent to support....
*) w60g - improved interface stability for PTMP setups;
I've been keeping at least 1 CCR1009v1 up to date with the testing/dev releases (now 7.10rc4). Although I don't do ipsec or advanced routing, everything else seems to be on par with the other architectures.
Anyone with experience with these versions on the CCR1009 or other CCR10xx devices?
[peca@eleservice-mkt] > ping fdff:255::2
SEQ HOST SIZE TTL TIME STATUS
0 fdff:255::2 56 64 7ms408us echo reply
1 fdff:255::2 56 64 7ms567us echo reply
2 fdff:255::2 56 64 7ms440us echo reply
[peca@eleservice-mkt] > ping fd00:2:1::1
SEQ HOST SIZE TTL TIME STATUS
0 fdff:255::1 104 64 165us address unreachable
1 fdff:255::1 104 64 164us address unreachable
2 fdff:255::1 104 64 351us address unreachable
sent=3 received=0 packet-loss=100%
[peca@eleservice-mkt] /interface/wireguard/peers> export verbose
add allowed-address=fdff:255::2/128,fd00:2::/32,169.254.255.202/32,169.254.2.0/24 comment="202 - Soada" disabled=no endpoint-address=XXXXXXXXX endpoint-port=8000 \
interface="wg: Mgmn (NMS)" persistent-keepalive=15s public-key="XXXXXXXXXXXXXXXXXXXXXXX="
/ipv6 route
add disabled=no distance=1 dst-address=fd00:2::/32 gateway=fdff:255::2 routing-table=main scope=30 target-scope=10
may you explain the issue you experience about bgp advertisement?
When you will fix bgp advertisement?
Thx
This command missing in v7 /routing/bgp/advertisements print
may you explain the issue you experience about bgp advertisement?
When you will fix bgp advertisement?
Thx
I have just a delay in advertisement, delay that increase over time.
So could you teach me or maybe us how?
You will have to understand that v7 bgp is different from v6 bgp, many commands are different and some things are no longer there.
for the last Screenshot with the "???".... that is the negate checkbox to invert the match
Please revert to the old WebFig Style or at least give the user the choice.
- The new one is confusing
- Everything needs more clicks.
- Traffic stats now have the size of a stamp
- There is no (really, 0) advantage
- The width of columns is not saved which is annoying.
I'm using it on a 24" screen, not on the smartwatch. Please urgently revert.
I agree 100%
Please revert to the old WebFig Style or at least give the user the choice.
- The new one is confusing
- Everything needs more clicks.
- Traffic stats now have the size of a stamp
- There is no (really, 0) advantage
- The width of columns is not saved which is annoying.
Also also, to all of the above.
I agree 100%
Please revert to the old WebFig Style or at least give the user the choice.
- The new one is confusing
- Everything needs more clicks.
- Traffic stats now have the size of a stamp
- There is no (really, 0) advantage
- The width of columns is not saved which is annoying.
I trust there must be some good reason they are making such changes, as I, like you, fail to see any tangible benefit. I posed a general question to anyone to explain the changes in my linked previous post and of course there is no information forthcoming. What is the benefit of changing webfig in this manner? Is it supposed to be easier to use or understand? It's definitely not.
That would everyone clearly see 😁
for the last Screenshot with the "???".... that is the negate checkbox to invert the match
Especially for people who are color blind.. ;-)
To make it more easy to see, it should have used color, some like this:
For color blind it won't make any difference. For the rest (I'm estimating to cover at least 99% of MT admins) would make quite some difference.
Especially for people who are color blind.. ;-)
To make it more easy to see, it should have used color, some like this:
Well, when use winbox, a firewall rule and open the "connection state" matcher, there also is a single "not" box that is unmarked and applies to all the others.
Then you have to click it to see that its a not. Problem is the position of the not.
In firewall rules, not are in front of all places it can be selected. Like this:
Thank you
*) bridge - fixed incorrect host moving between ports with enabled FastPath;
and from what would you have deduced that it concerns the wi fi? from the description it seems anything but...
could you please share with us what is SUP-116233? is it the wifi problem?
you wouldn't be the only one wearing eyeglasses ;)
sorry I'm idiot :) I saw FT - as fast transitions but there is FastPath. I'm blind going to see doctor :)
Fix this:
could you please share with us what is SUP-116233? is it the wifi problem?
What's new in 7.10rc6 (2023-Jun-13 10:52):
!) route - added BFD;
What's new in 7.10rc3 (2023-Jun-02 09:43):
!) route - added BFD;
It's been over a decade since this topic exists: viewtopic.php?t=47189
is there any plan to add feature to make mikrotik can resolve ipv6 domain.
example:
ping6 microsoft.com
thx
above is not fixed in 7.10rc6. still get same 'authentication failure' when accessing remote SSH host as ssh-exec and 'welcome back' message as ssh.
What's new in 7.10rc6 (2023-Jun-13 10:52):
*) ssh - fixed RouterOS SSH client login when using a key (introduced in v7.9);
They added BFD to CLI for BGP first (7.10b8).
Same with:
7.10beta8 added BFD (CLI only)
7.10rc1 added BFD (CLI only)
Not sure why MT repeat the same stuff in various releases.
But I guess:
!) route - added BFD;
is telling that its also added to gui.
But why two times?
That is not written in the change log, just:
Then they added "Use BFD" flag to OSPF in Webfig (7.10rc6).
I know that, which is why I shared what I noticed in each of those releases where something related to BFD was changed. Whoever updated the changelog just regurgitated the same "route - added BFD" tag for each fix.
That is not written in the change log, just:
Then they added "Use BFD" flag to OSPF in Webfig (7.10rc6).
!) route - added BFD;
Same as in 7.10rc3