ivicask
Member
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 10:39 am

I added the following to 'enable' steering

On the CAPsMAN
/interface wifiwave2 steering
add name=<NameOfSteeringGroup> neighbor-group=dynamic-<wifiSSID>-<RandomHex> rrm=yes wnm=yes
Note: You do not get autocomplete for the neighbor-group-dynamic= parameter, you need to obtain the name of the group manually first.

To get the dynamic group name:
/interface/wifiwave2/steering/neighbor-group/print

This will list all of your SSIDs and the MAC addresses from each AP wifi interface that carry the SSID. Unfortunately the random hex digits making up the end of the neighbor group name appear to change on each reboot - which creates a problem with creating a steering rule connected to that neighbor group.

I need to update the config on the CAPsMAN each time I reboot it, to ensure the neighbor-group name is updated to the new dynamic group name.

I get good roaming across the AX3's using 5GHz channel (Disabled 2GHz because all client devices are 5GHz capable and it forces the devices to roam quicker than they do when holding onto a weak 2GHz signal).

Don't know anything more about this, no docs, and I am sure Mikrotik will need to update the implementation so we don't get neighbor group names changing all the time. Would be nice to get more definitive information about this, but it looks like it is a work in progress. Let's see what Mikrotik can come up with.
:local DynamicGroupName
# Walk every currently active (dynamic) neighbor group
:foreach i in=[/interface wifiwave2 steering neighbor-group find] do={
  # Read the group's current name, including its random hex suffix
  :local DynamicGroupName [/interface wifiwave2 steering neighbor-group get $i name]
  # Create a steering profile named after, and bound to, that group
/interface wifiwave2 steering
add name=$DynamicGroupName neighbor-group=$DynamicGroupName rrm=yes wnm=yes
}

If you want a one-click solution for auto-setting it on boot.
 
EdPa
MikroTik Support
Topic Author
Posts: 291
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 11:04 am

What's new in 7.11beta6 (2023-Jul-18 14:06):

*) bfd - improved system stability;
*) bth - added "Back To Home" VPN service for ARM, ARM64 and TILE devices;
*) certificate - removed request for "passphrase" property on import;
*) defconf - do not change admin password if resetting with "keep-users=yes";
*) modem - fixed missing sender's last symbol in SMS inbox if the sender is an alphabetic string;
*) ssh - fixed host public key export (introduced in v7.9);
*) tftp - improved file name matching;
 
rextended
Forum Guru
Posts: 12014
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 11:16 am

*) bth - added "Back To Home" VPN service for ARM, ARM64 and TILE devices;
Regardless of the model? (and wifiwave2 is no longer needed?)

Thanks.
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 11:30 am

yes, regardless of model. no package needed.
 
usx
newbie
Posts: 26
Joined: Sun Oct 27, 2013 7:30 pm

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 11:39 am

Could you please fix the issue with rows in Webfig tables not getting visually synchronized with the enable toggle action?

For example, if I disable a Firewall rule (click D) and then enable it again (click E), this action of enabling won't give it back the black color, it still looks greyed out as if it were disabled. I always need to change to another section and then back in order to ensure that everything is ok.

This has been broken for months now and I've pointed it out every time.
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 11:50 am

usx, issue is known and is in our bug tracker. will get fixed
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 12:05 pm

I installed BTH on my hap ac2 and I note that even though IPv6 is disabled on that device, it still keeps trying to connect (probably with no network traffic).
Maybe it would be more efficient to skip IPv6 attempts when IPv6 is globally disabled on the device (also to avoid anxiety with IPv6 haters).

When viewing the QR code in Winbox (3.38 on Linux) it is left-adjusted (all multi spaces reduced to 1), so that is difficult to scan.
(besides that, the window is too small to show it in one)
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 12:06 pm

For Qr code, print to terminal
/ip cloud print and zoom WAY out.

It's the only way I got it working.
 
mantouboji
newbie
Posts: 47
Joined: Mon Aug 01, 2022 2:21 pm
Location: Shanghai

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 12:09 pm

in 7.11beta6, ssh-exec to remote host still
failure: authentication failure
 
ToTheFull
Member Candidate
Posts: 244
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 12:21 pm

Even Zoomed all the way out I couldn't see all of the QR image. If I zoom out first it only shows Half of the image.
Display 1440x900 so that might be the problem.
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 12:26 pm

Winbox QR code broken, known issue. Next Winbox release fixes it.
 
elbantany
newbie
Posts: 29
Joined: Fri Jul 14, 2023 12:58 pm
Location: Indonesia

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 12:35 pm

Help me please...
Wifi cAP AC can not connect after upgrade to v7 from v6.
AX2 too can not connect to wifi
viewtopic.php?t=197789
 
FToms
MikroTik Support
Posts: 87
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 1:24 pm

Don't know anything more about this, no docs,
The /interface/wifiwave2/steering menu is a configuration profile section, just like 'security' or 'channel'.
In the menu, you can create a steering profile, specifying a neighbor group name of your choosing as well as whether BSS transition management requests (wnm) and neighbor reports (rrm) are enabled, and then apply this profile to an interface.
/interface/wifiwave2/steering/neighbour-group is a read-only section where you can see the active, functioning neighbour groups.
You don't need to do anything to enable steering via wnm and rrm by default.
 
gigabyte091
Forum Guru
Posts: 1204
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 4:18 pm

Tried, I get this:
/interface/wifiwave2/steering print
Flags: X - disabled 
Then I tried to enable it:
/interface/wifiwave2/steering enable
numbers: 0 - 3
Script Error: action cancelled
Numbers I presume are for wireless interface I want to be in roaming ?
 
elbantany
newbie
Posts: 29
Joined: Fri Jul 14, 2023 12:58 pm
Location: Indonesia

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 7:06 pm

Picture 1 cAP ac ROS v7.10.2 CAN NOT CONNECT AFTER UPGRADE
Picture 2 cAP ac ROS v6.48.7 connect wifi NORMAL
Help me please...
How do I connect to wifi using MIKROTIK AX2?
viewtopic.php?p=1014118#p1014118
 
ksteink
Frequent Visitor
Posts: 80
Joined: Thu Mar 31, 2016 6:54 pm

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 7:08 pm

How odd ... it doesn't show in RB5009, AX2, mAP, MAP Lite, Hex, ...
But it does on AX3 and AX Lite ?

It seems to create a WG itf with own address range.

See screenshots.

IPcloud1.jpg

ipcloud2.jpg

ipcloud3.jpg


Print from terminal with QR code (but you need to zoom WAY OUT)


ipcloud4.jpg

And that QR code can be used to add new tunnel in WG client on smartphone (briefly tested the creation, did not test the tunnel since that AX3 is behind another router, so it will not work that way).
Can someone elaborate further on the intent of these functionalities and their use cases? Can this be used to create zero-touch provisioning so the router can call a home / hub router for remote management and provisioning?
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 7:24 pm

Correct.
And in the mean time I've seen it on AX2 as well.
 
FToms
MikroTik Support
Posts: 87
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Thu Jul 20, 2023 7:56 am

Numbers I presume are for wireless interface I want to be in roaming ?
No, it's the numbers of steering configuration profiles, of which you have none.
The '/interface/wifiwave2/steering' menu is where you can, optionally, create configuration profiles for distinct neighbour groups, if for some reason you do not like the default neighbour groups created by RouterOS.
As I stated in this thread before, steering is enabled by default.
 
gigabyte091
Forum Guru
Posts: 1204
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Thu Jul 20, 2023 8:28 am

I think I don't have a default neighbour group; when I go to print the neighbour group I get bad command.
 
daaf
just joined
Posts: 11
Joined: Sun Jan 12, 2020 4:39 am

Re: v7.11beta [testing] is released!

Fri Jul 21, 2023 5:57 am

Storm rate via winbox...
storm rate.jpeg
 
mazel
just joined
Posts: 14
Joined: Thu Apr 13, 2023 2:29 pm

Re: v7.11beta [testing] is released!

Fri Jul 21, 2023 9:58 am

ROS 7.11beta6 on hAP ax2 works very well - no wireless clients issues (also will try BTH soon).
(Config: home 2.4ax+5ax and guest 2.4ax (w/ VLAN), both WPA2/3 and disabled PMKID)
 
STMT
MikroTik Support
Posts: 6
Joined: Tue Aug 30, 2022 12:02 pm

Re: v7.11beta [testing] is released!

Fri Jul 21, 2023 3:11 pm

Storm rate via winbox...

storm rate.jpeg
Fixed in Release 7.11beta4
https://mikrotik.com/download/changelog ... lease-tree
*) winbox - fixed "Storm Rate" property under "Switch/Port" menu;
 
epkulse
Frequent Visitor
Posts: 65
Joined: Sat Oct 27, 2012 12:57 am

Re: v7.11beta [testing] is released!

Sun Jul 23, 2023 9:30 pm

I have some issues with my Macbook Pro being tossed out from wifi with SA Query Timeout. Have issued a ticket (SUP-122243) and received answer from Support stating this is normal behaviour, and possibly a client issue. Still, would be of interest to know if this is encountered by other clients using the 7.11 Beta. Have never encountered this before, when using ASUS gear. And I am only 3 m away from a HAP AX3, so should not be related to low signal...
 
epkulse
Frequent Visitor
Posts: 65
Joined: Sat Oct 27, 2012 12:57 am

Re: v7.11beta [testing] is released!

Sun Jul 23, 2023 10:43 pm

Really annoying - bouncing in and out means file copying etc impossible...

21:35:26 wireless,info 9C:3E:53:70:A6:22@Nere-50 disconnected, SA Query timeout, signal strength -54
21:35:27 wireless,info 9C:3E:53:70:A6:22@Nere-50 connected, signal strength -58
21:35:34 wireless,info 9C:3E:53:70:A6:22@Nere-50 disconnected, SA Query timeout, signal strength -54
21:35:34 wireless,info 9C:3E:53:70:A6:22@Nere-50 connected, signal strength -57
21:36:01 wireless,info 9C:3E:53:70:A6:22@Nere-50 disconnected, connection lost, signal strength -54
21:36:05 wireless,info 9C:3E:53:70:A6:22@Nere-50 connected, signal strength -59
21:36:13 wireless,info 9C:3E:53:70:A6:22@Nere-50 disconnected, SA Query timeout, signal strength -54
21:36:13 wireless,info 9C:3E:53:70:A6:22@Nere-50 connected, signal strength -56
21:36:22 wireless,info 9C:3E:53:70:A6:22@Nere-50 disconnected, SA Query timeout, signal strength -54
21:36:22 wireless,info 9C:3E:53:70:A6:22@Nere-50 connected, signal strength -58

Signal strength is strange also - I am located 3 m from the router...
 
karhill
just joined
Posts: 18
Joined: Fri Jun 09, 2023 5:21 am
Location: A Pacific Island

Re: v7.11beta [testing] is released!

Mon Jul 24, 2023 7:58 am

7.11 beta5 had some fixes for VLANs over wireless interfaces:

*) wifiwave2 - automatically add wifi interfaces to appropriate bridge VLAN when wireless clients with new VLAN IDs connect;

And beta5 did fix some issues with wireless clients on VLANs. However, I think there might still be some problems. I am actually testing with 7.11 beta6.

Using a hAP AX2, I have a simple setup: a guest VLAN (PVID 3) and a hosts VLAN (PVID 99). The hAP is connected with a trunk line to switch. Connected to the switch is a PC, which is on an access port that is part of the guest VLAN. Connected to the hAP is a laptop.
config.png
1) When the laptop is connected with a wire to a port on the hAP that is an access port on the guest VLAN, everything works. (The laptop can ping the PC.)
2) When the laptop is connected wirelessly to one of the "master" wireless SSIDs on the hAP, and that SSID is PVID'ed to be part of the guest VLAN, everything works. (The laptop can ping the PC.)
3) When the laptop is connected wirelessly to a wireless SSID that is derived from one of the master wireless interfaces, e.g.:
/interface/wifiwave2 add name=wifiguest1 master-interface=wifi1 configuration.ssid=guest security=guest disabled=no
/interface/bridge/port/add bridge="bridge" interface=wifiguest1
The master interface is part of the hosts VLAN (PVID 99). However, the derived wifiguest1 interface is configured as part of the guest VLAN (PVID 3). In this case, the laptop is not able to ping the PC...the laptop is not correctly treated as part of the guest VLAN. I believe this is a bug.

In instance 3, this is what the bridge ports look like:
bridge_ports.png
 
cwilmo
just joined
Posts: 5
Joined: Sat Jun 26, 2021 11:07 pm

Re: v7.11beta [testing] is released!

Mon Jul 24, 2023 8:46 pm

I'm having trouble with FS SFP MM fiber adapters (SFP-10GSR-85) no longer negotiating a link. I've tried changing advertisements and rate without luck. I've got 4 links with 3 different switches all on 7.11 beta 6 with the same behavior. This worked fine on a previous version around 7.10 and with SwOS - I'm not sure when it stopped working since I have redundant copper 1G connections as well. I have other SFP (MikroTik S+RJ10) in the same switches working fine. Anyone experiencing this?
SFP1.jpg
SFP2.jpg
 
kalamaja
Member Candidate
Posts: 113
Joined: Wed May 23, 2018 3:13 pm

Re: v7.11beta [testing] is released!

Mon Jul 24, 2023 10:09 pm

hAP AX lite, default password written on a router and reset configuration returns to this.
Upgraded to 7.11b6, logged into webfig, cancelled changing default password, and accidentally found it's really easy to half-accidentally NULLIFY admin password: open webfig Terminal, it orders to set a new admin password, tap enter 2 times as to cancel to this action, done: no admin password, although I just didn't want to change it. If there's cancel button in the UI, there should be possibility to cancel it in webfig Terminal also, or explanation or prevention or warning for zero password.
 
bbs2web
Member Candidate
Posts: 232
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa

Re: v7.11beta [testing] is released!

Mon Jul 24, 2023 11:21 pm

DHCP snooping is an issue on RouterOS 7.10.2 on the following devices. I don't see this in the change logs, is this a known issue?
  • CRS328-24P-4S+
  • CRS112-8P-4S
  • CRS354-48P-4S+2Q+
  • RB5009UG+S+
It either filters all DHCP queries, or sometimes works intermittently. In the case of the RB5009 it's the DHCP server itself so no interface has `trusted=yes` configured and in the case of a CRS328 some ports work whilst others don't although the correct interfaces have `trusted=yes` set on them.
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 10:27 am

it's the DHCP server itself so no interface has `trusted=yes` configured
Every uplink port on every switch between the dhcp server and client needs to have trusted=yes set (both directions).
 
EdPa
MikroTik Support
Topic Author
Posts: 291
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 11:37 am

What's new in 7.11beta7 (2023-Jul-24 14:45):

*) certificate - allow to import certificate with DNS name constraint;
*) certificate - require CRL presence when using "crl-use=yes" setting;
*) conntrack - fixed "active-ipv4" property;
*) console - added ":convert" command;
*) dhcp-server - fixed setting "bootp-lease-time=lease-time";
*) ike2 - log "reply ignored" as non-debug log message;
*) modem - added initial support for BG77 modem DFOTA firmware update;
*) modem - changed Quectel EC25 portmap to expose DM (diag port), DM channel=0, GPS channel=1;
*) ovpn - do not try to use the "bridge" setting from PPP/Profile, if the OVPN server is used in IP mode (introduced in v7.10);
*) ovpn - improved key renegotiation process;
*) ovpn - include "connect-retry 1" and "reneg-sec" parameters into the OVPN configuration export file;
*) routerboot - increased etherboot bootp timeout to 40s on MIPSBE and MMIPS devices ("/system routerboard upgrade" required);
*) ssh - fixed private key import (introduced in v7.9);
*) user - added "sensitive" policy requirement for SSH key and certificate export;
*) webfig - fixed gray-out italic font for entries after enable;
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 11:44 am

When you are busy with maintenance of user info, please cleanup the situation with export of users/groups.
/user is not exported in a global /export, but it is exported in a export from /user.
However, even with show-sensitive the (encrypted) password is not exported.
But /user/group is always exported.
This should be made consistent so that user information can be more easily transferred from one router to another via export/import.
(and the same is in fact true for all info not being exported but only being stored in backups)
 
mantouboji
newbie
Posts: 47
Joined: Mon Aug 01, 2022 2:21 pm
Location: Shanghai

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 11:56 am

What's new in 7.11beta7 (2023-Jul-24 14:45):

*) ssh - fixed private key import (introduced in v7.9);
Good news, this is fixed at least.

LetsEncrypt certificates still broken when the DNS name only has an IPv6 AAAA address and no IPv4.

[yaofei@MikrotikAX2] > /certificate/enable-ssl-certificate dns-name=XXXX.dynv6.net
progress: [error] could not resolve 'XXXX.dynv6.net'
 
strods
MikroTik Support
Posts: 1630
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 11:58 am

This is done on purpose and supout file includes export, not "/user export". So the supout does not contain any user configuration information besides groups. This works properly as designed. You can see user configuration if you run export manually
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 2:02 pm

The problem is that when you re-import a previously exported file after reset configuration, depending on if you choose "keep user configuration", you either end up with missing users, or your import fails with a fatal error because the export contains user groups which are kept.
It is so annoying that export information is not complete and in this regard is even inconsistent.
/user export show-sensitive should include a password field that can be transported to another device (of course the password cannot be shown because it is hashed, but the hash value can).
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 3:12 pm

What's new in 7.11beta7 (2023-Jul-24 14:45):

*) console - added ":convert" command;
What does this convert?
 
rextended
Forum Guru
Posts: 12014
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 3:12 pm

*) console - added ":convert" command;
What do, please?


About /user export: is more logical how actually work, please do not change,
but if possible "/user export" export also ***disabled*** usernames and assigned group (everytime with NO password, hashed or not.)
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 3:17 pm

:put [:convert value=001 to=hex ]
:put [convert [/ip/dhcp-client/option/get hostname raw-value ] from=hex to=raw ]
MikroTik
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 3:22 pm

Nice, this could be helpful in some extremely rare configs........., whereas Zerotrust cloudflare tunnel for all users would have so much more utility, but then again the programmers would actually have to do work vice simply inject a conversion schema into the mix.
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 3:25 pm

If the backup/export file did not contain date, I would like to have a tool to compare files. Then if new backup file is different from previous file, send the backup file externally.
 
Rox169
Member
Posts: 434
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 3:44 pm

Nice, this could be helpful in some extremely rare configs........., whereas Zerotrust cloudflare tunnel for all users would have so much more utility, but then again the programmers would actually have to do work vice simply inject a conversion schema into the mix.
Zerotrust cloudflare tunnel is commercial product...why should MT involve this ...it is not open source like zerotier...
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 3:46 pm

I remember having seen a Youtube video explaining Cloudflare Zerotrust tunnel. Apparently that already works.
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 3:47 pm

You can already use CF Zero Trust tunnel via Container.
Anav is just trolling. It will not be "built into" RouterOS.
 
rextended
Forum Guru
Posts: 12014
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 3:53 pm

:put [:convert value=001 to=hex ]
:put [convert [/ip/dhcp-client/option/get hostname raw-value ] from=hex to=raw ]
MikroTik
hex... base64... base32... url...

Did you use the scripts I made as a base??? :lol: :lol: :lol:
 
Amm0
Forum Guru
Posts: 3505
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 3:55 pm

*) console - added ":convert" command;
"url" should likely encode spaces...
:put [:convert from=raw to=url  "plus for space = no"]       
plus for space %3d no


Perhaps to=urlencoded be better term than to=url? IMO, a "url" implies it might help with "fixing" URLs, but it will urlencode even the chars in the protocol stuff:
:put [:convert from=raw to=url  "http://example.com?myval =854"]
http%3a%2f%2fexample.com%3fmyval %3d854
 

As an enhancement, the "url" should take an array to give you a value "querystring", so IDEALLY this be possible:
:convert from=raw to=url {"my num"=843;"my str"="i love spaces"}
my+num=843&my+str=I+love+spaces
 
rextended
Forum Guru
Posts: 12014
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 3:58 pm

Ah, not, with that error... haven't used my scripts...

" " (space) must be encoded with "+"

From:
viewtopic.php?t=177551#p980163
Only 4 characters - . _ ~ must not be escaped, and space must be replaced with +
Last edited by rextended on Tue Jul 25, 2023 4:02 pm, edited 3 times in total.
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 4:00 pm

You can already use CF Zero Trust tunnel via Container.
Anav is just trolling. It will not be "built into" RouterOS.
I am not trolling, your answer makes it crystal clear you are ABANDONING all users without arm64 processor.
The semi-stolen script inject into RoS, is a small very niche case that is going to be used by what, .005 percent of MT owners???
Whereas, I personally read posts everyday of people with Servers on their LANs, probably safe to say approx 50% of MT users.

Furthermore, you would be forcing users to also learn containers and if they are having any scan/probe firewall issues and make a mistake the container will make them more vulnerable.
The Cloudflare approach negates opening up the public IP and ports to the world and simplifies the port forwarding for beginner to intermediate users for sure.
I understand it may not be an RoS core code option (not on the planning tree), but it could be put in an options package for all users.

When you show me some logic, Normis, I will be all ears. Until then, you are only creating disillusionment and lack of trust in your word and confirmation of a biased outlook.

We can do a teams/zoom/skype/discord chat if you want to keep your corporate dirty laundry out of the forum :-) Be it technical or whatever, I am assuming the above is not true and you have good reasons, but I have not seen anything yet to dissuade me from the above discourse ~~~
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 4:20 pm

1) Container feature needs a powerful CPU and plenty of RAM.
2) ARM64 is a natural requirement to resolve these requirements
3) All new products have ARM family chips, so this is our direction going forward
4) It takes a lot of human resources to support other architectures for CPU hungry features.
 
Amm0
Forum Guru
Posts: 3505
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 4:38 pm

Another :convert one... 🤬 is "F09FA4AC" in UTF-8 as "hex"

But I'd expect "%F0%9F%A4%AC" not 🤬 from this:
:put [:convert from=hex to=url "F09FA4AC"]
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 4:41 pm

The problem with containers usually is not the CPU and RAM, but the nonvolatile storage. That tends to be tiny in MikroTik routers.
There are only very few models that have M.2 slot, and the alternative of USB3 is disappearing as well.
(I bought a CCR2004-16G-2S+ reading on the spec sheet that it has USB3, but in reality that is no longer true)
 
Amm0
Forum Guru
Posts: 3505
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 5:04 pm

The problem with containers usually is not the CPU and RAM, but the nonvolatile storage. That tends to be tiny in MikroTik routers.
ROSE storage works surprisingly well to mount a disk for a container when the router doesn't have the internal storage or USB/M.2/etc...

But the issue is they still sell platforms that are not ARM – KNOT and LtAP specifically. So there isn't even a container (nor zerotier) on these...
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 5:05 pm

Back To Home then ...
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 5:10 pm

As I said, this is not providing service, it's forcing customers in a certain direction, why do I feel MT is run by Elon Musk....... :-(
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 5:30 pm

The problem with containers usually is not the CPU and RAM, but the nonvolatile storage. That tends to be tiny in MikroTik routers.
ROSE storage works surprisingly well to mount a disk for a container when the router doesn't have the internal storage or USB/M.2/etc...
Usually one wants containers on the router to add some niche functionality to the network that is as independent as possible from other hardware.
When using ROSE storage, there presumably is an NFS mount from some NAS, but often those NAS devices provide containers themselves.
I have considered loading a container image in RAMDISK, but it would be preferable when the router config has better support for that.
(to download the image every time the router is booted)
 
ToTheFull
Member Candidate
Posts: 244
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 5:49 pm

I was going to try this...
https://youtu.be/KO9wbarVPOk?t=209
 
rextended
Forum Guru
Posts: 12014
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 6:00 pm

Another :convert one... 🤬 is "F09FA4AC" in UTF-8 as "hex"

But I'd expect "%F0%9F%A4%AC" not 🤬 from this:
:put [:convert from=hex to=url "F09FA4AC"]
Not....
🤬 is at least "\F0\9F\A4\AC"......
and at least must be "from=utf-8 to=url"...

or... [$UTF8toURLencode ("\F0\9F\A4\AC")]...
so, it's still too early to retire my functions...
 
Amm0
Forum Guru
Posts: 3505
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 7:16 pm

Don't worry I think it will be a while to work through the possible matrix in :convert. There does seem to be an unused to-scheme= and from-scheme= in the new :convert, so signs of future expansion...

Dealing with building the querystring from array, and json be useful for /tool/fetch. e.g. I'm hoping for a ":convert from=array to=json" and vice versa...

Not....
🤬 is at least "\F0\9F\A4\AC"......
and at least must be "from=utf-8 to=url"...
The UTF-8 emoji was for fun. It's still just a "hex string" and the bytes should be the % version if to=url since it's NOT a text conversion and should just encode what's given in the hex if it's unsafe URL char... e.g. any extended/unsafe lower ASCII should be % encoded, regardless of the underlying text encoding...

Basically I think the ":convert $something to=url" seems buggy. But :convert with various text encoding would be useful too, and seemingly possible in this new scheme.

Anyway happy with the progress in this area!
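
Added example, not part of any post in this thread and not RouterOS code: a Python sketch of the byte-wise rule argued for in the posts above (space becomes +, every other unsafe byte becomes %XX regardless of text encoding), run on the inputs quoted in the thread. It assumes ASCII letters and digits stay literal alongside the four characters - . _ ~ named above; the function names are chosen here for illustration.

```python
"""Byte-wise URL encoding as discussed in the thread (added illustration)."""
import string

# Assumption: alphanumerics plus the four characters named in the thread stay literal.
UNRESERVED = frozenset((string.ascii_letters + string.digits + "-._~").encode("ascii"))


def url_encode(data: bytes) -> str:
    """Encode raw bytes: unreserved bytes literal, space as '+', the rest as %XX."""
    out = []
    for byte in data:
        if byte in UNRESERVED:
            out.append(chr(byte))
        elif byte == 0x20:
            out.append("+")
        else:
            # Works on bytes, so multi-byte UTF-8 sequences are escaped byte by byte.
            out.append(f"%{byte:02X}")
    return "".join(out)


def url_encode_hex(hex_string: str) -> str:
    """Equivalent of a from=hex to=url conversion: decode the hex, then encode the bytes."""
    return url_encode(bytes.fromhex(hex_string))


def build_query(pairs: dict) -> str:
    """Build a query string from key/value pairs, encoding each side separately."""
    return "&".join(
        f"{url_encode(str(key).encode('utf-8'))}={url_encode(str(value).encode('utf-8'))}"
        for key, value in pairs.items()
    )


def url_decode(text: str) -> bytes:
    """Inverse of url_encode; rejects malformed escapes instead of passing them through."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "%":
            pair = text[i + 1:i + 3]
            if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
                raise ValueError(f"malformed percent escape at offset {i}")
            out.append(int(pair, 16))
            i += 3
        elif ord(ch) > 127:
            raise ValueError(f"non-ASCII character at offset {i}")
        else:
            out.append(0x20 if ch == "+" else ord(ch))
            i += 1
    return bytes(out)


if __name__ == "__main__":
    # Inputs below are the strings quoted in the thread.
    print(url_encode(b"plus for space = no"))
    print(url_encode(b"http://example.com?myval =854"))
    print(url_encode_hex("F09FA4AC"))
    print(build_query({"my num": 843, "my str": "i love spaces"}))
```

Encoding a whole URL this way escapes the scheme and separators too, which is why the query-string builder encodes each key and value on its own and joins them afterwards.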
 
bommi
newbie
Posts: 26
Joined: Fri Jan 24, 2014 9:13 am
Location: Germany

Re: v7.11beta [testing] is released!

Tue Jul 25, 2023 8:52 pm

The possibility to use SSH Keys based on ed25519 would be a nice Feature addition ;-)
 
nichky
Forum Guru
Posts: 1281
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7.11beta [testing] is released!

Wed Jul 26, 2023 3:41 am

please fix bgp-vrf.
It doesn't redistribute default route over BGP if we are using the same gateway with @
 
mantouboji
newbie
Posts: 47
Joined: Mon Aug 01, 2022 2:21 pm
Location: Shanghai

Re: v7.11beta [testing] is released!

Wed Jul 26, 2023 8:49 am

call for ed25519 key
 
buset1974
Frequent Visitor
Posts: 86
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v7.11beta [testing] is released!

Thu Jul 27, 2023 6:11 am

Is MT aware of this CVE-2023-30799?
 
bbs2web
Member Candidate
Posts: 232
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa

Re: v7.11beta [testing] is released!

Thu Jul 27, 2023 7:37 am

it's the DHCP server itself so no interface has `trusted=yes` configured
Every uplink port on every switch between the dhcp server and client needs to have trusted=yes set (both directions).
Yip, aware of that...

Router running DHCP would not have trusted set on any of its ports, any downstream switches would however need this set on the uplink ports, same again on downstream switches.

There appears to be a problem with DHCP snooping on bridges where downstream ports are tagged VLAN members, it however works on hAP ax^3 as expected when the trusted uplink is configured as a member of both untagged and tagged VLANs.

PS: Perhaps an issue where we don't explicitly define untagged VLAN membership, relying on the bridge port PVID dynamically authorising the interface as an untagged member? (I'll test today).
 
Pea
Member Candidate
Posts: 233
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: v7.11beta [testing] is released!

Thu Jul 27, 2023 4:22 pm

Is MT aware of this CVE-2023-30799?
see just published: https://blog.mikrotik.com/security/cve-2023-30799.html
 
rextended
Forum Guru
Posts: 12014
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.11beta [testing] is released!

Thu Jul 27, 2023 4:31 pm

To all users obsessed with all the CVEs that involve all RouterOS versions after 6.44.5:

This is really stupid and ridiculous, like all CVEs that start with something like "an authenticated administrative user can..."
Once someone has full administrative credentials they can even downgrade to a version full of exploits, who cares if RouterOS 7.10.x / 7.11betaX has this fix or not...
Instead of obsessing over CVE, think about configuring your firewall correctly, using a complex administrative username, and a really complex, non-recycled password,
and don't do the usual bullshit of leaving open winbox, webfig, ftp, api, romon(*), ssh, rest, telnet, snmp, dns, (s)ntp, etc. towards the internet...
The remote control excuse is not worth it. Get yourself a VPN, and don't use pptp, which is almost more ridiculous.
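
As an added example (not part of the post above and not MikroTik code), the check below audits the `/ip service` section of a RouterOS `/export` for management services that are enabled and not limited by an `address=` allow-list. It covers only the service-level allow-list, not firewall rules; the sample export is constructed, and the set of services enabled by default is an assumption to verify against your RouterOS version.

```python
import ipaddress

# Constructed sample of a RouterOS "/export" fragment (not taken from the thread).
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh address=0.0.0.0/0 port=2222
set api disabled=yes
set api-ssl disabled=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related
"""

# Assumption: these services are enabled out of the box; an export lists only changes.
DEFAULT_ENABLED = {"telnet", "ftp", "www", "ssh", "api", "winbox", "api-ssl"}

def parse_services(export_text):
    """Return {service: {param: value}} from the /ip service section only."""
    services, in_section = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = (line == "/ip service")
        elif in_section and line.startswith("set "):
            name, *params = line[4:].split()
            services[name] = dict(p.split("=", 1) for p in params if "=" in p)
    return services

def is_restricted(address):
    """True only if every allowed prefix is narrower than 'any address'."""
    if not address:
        return False  # no allow-list means reachable from anywhere
    nets = [ipaddress.ip_network(a, strict=False) for a in address.split(",")]
    return all(n.prefixlen > 0 for n in nets)

def exposed_services(export_text):
    """Names of services that are enabled and accept connections from any source."""
    seen = parse_services(export_text)
    findings = []
    for name in sorted(DEFAULT_ENABLED | set(seen)):
        params = seen.get(name, {})
        default = "no" if name in DEFAULT_ENABLED else "yes"
        enabled = params.get("disabled", default) == "no"
        if enabled and not is_restricted(params.get("address", "")):
            findings.append(name)
    return findings

if __name__ == "__main__":
    print(exposed_services(SAMPLE_EXPORT))
```

In the constructed sample, winbox is flagged even though it never appears in the export, because an untouched service keeps its default state.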
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Fri Jul 28, 2023 1:56 pm

It looks like ICMP packets returned on invalid traffic (e.g. host unreachable) do not obey any routing rules.
Rules with source address equal to the source of the returned ICMP are not processed, and neither are firewall route marking rules (for forward or output).
In a dual-ISP (failover/load balancing) setup where such rules are used to direct the traffic to the proper ISP the ICMP packets always go out to the default route in the main table.

This happens, for example, when a device that had an open TCP connection leaves the network without closing it, and then the remote attempts to close it. The FIN packet cannot be mapped to an open connection, is treated as towards an unreachable host (by the firewall) and the returned ICMP packet is not sent over the interface where the FIN was received.
 
mkx
Forum Guru
Posts: 11645
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.11beta [testing] is released!

Fri Jul 28, 2023 2:09 pm

This happens, for example, when a device that had an open TCP connection leaves the network without closing it, and then the remote attempts to close it. The FIN packet cannot be mapped to an open connection, is treated as towards an unreachable host (by the firewall) and the returned ICMP packet is not sent over the interface where the FIN was received.

It would be nice if we could get some comment from somebody who actually knows how MT FW and routing works.

However, it seems to me that the ICMP packet, informing sender that destination is not reachable, actually originates from router itself. So output chain applies (when speaking about firewall). Additionally the information about original ingress interface might be lost due to this, so it might be impossible to "guess" which particular interface should be used to send out that particular ICMP packet.
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Fri Jul 28, 2023 3:26 pm

It would be nice if we could get some comment from somebody who actually knows how MT FW and routing works.

However, it seems to me that the ICMP packet, informing sender that destination is not reachable, actually originates from router itself. So output chain applies (when speaking about firewall). Additionally the information about original ingress interface might be lost due to this, so it might be impossible to "guess" which particular interface should be used to send out that particular ICMP packet.
Yes, I expect that it would be processed by the output mangle chain and can get a routing mark there, but that does not actually work.
There are other issues. E.g. when a TTL exceeded ICMP reply is sent (as is happening with traceroute), the source IP of the ICMP is some global default IP (maybe the first IP in the router?), not the IP of the interface where the packet came in, nor the IP of the interface where it would go out if it had sufficient TTL. That is a known issue that I have reported before and "would be looked at"; this behavior is actually configurable in Linux via sysctl.conf.

However, even with all this, it seems impossible to policy-route the replies. Even an ICMP reply with source address 1.2.3.4 and an IP route rule with match on source address 1.2.3.4 will not route the packets out the correct interface. And I would prefer to use route mark instead.
 
cyrq
just joined
Posts: 6
Joined: Sat Mar 11, 2023 12:19 pm

Re: v7.11beta [testing] is released!

Fri Jul 28, 2023 6:58 pm

Currently, HW offloaded bridge support for the IPQ-PPE switch chip is still a work in progress. We recommend using, the default, non-HW offloaded bridge (enabled RSTP).
Hello,
any news/plans regarding the above?
 
bbs2web
Member Candidate
Posts: 232
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa

Re: v7.11beta [testing] is released!

Sat Jul 29, 2023 8:38 am

However, it seems to me that the ICMP packet, informing sender that destination is not reachable, actually originates from router itself. So output chain applies (when speaking about firewall). Additionally the information about original ingress interface might be lost due to this, so it might be impossible to "guess" which particular interface should be used to send out that particular ICMP packet.

We configure routers so that the main routing table is for management/internet access of the router itself and then associate all client interfaces by associating those interfaces with a VRF. This results in path MTU discovery, traceroutes and other unreachable ICMP messages not being sent through to client devices as the router would send them out via the default gateway on the main routing table. We name this VRF table 'mpls' in the below example.

Simple solution is to define the internal RFC1918 subnets and then create a mangle rule to lookup routing in an alternative table instead:
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=local new-routing-mark=mpls passthrough=no protocol=icmp
/ip firewall address-list
add address=10.0.0.0/8 list=local
add address=100.64.0.0/10 list=local
add address=172.16.0.0/12 list=local
add address=192.168.0.0/16 list=local

PS: The source IP of the generated ICMP message will have a source IP associated with the main gateway in the main routing table. This may look weird but works just perfectly as the recipient system processes these just fine, the same way it would should any hop along the path return an ICMP message to the sender.
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Sat Jul 29, 2023 11:45 am

But the return of ICMP messages does not use that! This is what I explained above.
I do have a mark-routing rule in the output chain that marks the routing table according to the source address (different for each ISP), but it still goes out the wrong interface. All other router-originated traffic (like DNS requests, outgoing VPN traffic) is working fine with those same rules.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v7.11beta [testing] is released!

Sat Jul 29, 2023 12:45 pm

I assume the wrong interface is the first WAN. Traffic answered on behalf by the router is related. In an earlier topic it was just dropped or set to TTL:0

viewtopic.php?p=1010043
 
zervan
Member
Posts: 329
Joined: Fri Aug 20, 2010 10:43 pm
Location: Slovakia

Re: v7.11beta [testing] is released!

Sun Jul 30, 2023 10:47 pm

*) certificate - allow to import certificate with DNS name constraint;
Thank you, it is working! (reference: viewtopic.php?t=195195)
I can install a new router with RouterOS 7 soon, after the release of stable 7.11 🙂
 
Network5
newbie
Posts: 28
Joined: Sat Mar 22, 2014 11:42 pm

Re: v7.11beta [testing] is released!

Mon Jul 31, 2023 12:19 am

The IS-IS row in the Routing Protocol Overview is something new? :-)
 
oeyre
Member Candidate
Posts: 137
Joined: Wed May 27, 2009 12:48 pm

Re: v7.11beta [testing] is released!

Mon Jul 31, 2023 10:43 am

The IS-IS row in the Routing Protocol Overview is something new? :-)
Very recently :)

https://help.mikrotik.com/docs/pages/di ... ersions=75
 
strods
MikroTik Support
Posts: 1630
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v7.11beta [testing] is released!

Mon Jul 31, 2023 11:14 am

Version 7.11rc1 has been released.

viewtopic.php?t=198228
