Community discussions

 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 1:22 pm

They push us to not using "czech_republic" settings, if we wants to be comply with our laws rules.

That's not true. Please read this thread carefully. The next Beta release will have indoor/outdoor option, so I guess the next stable release for your production environment will have it too.
Unfortunately the change to regulatory conformance was badly communicated by Mikrotik in the release notes.

What will be more of a concern is the future of Omnitik 5 devices in Europe. The regulators are about to shut them down soon. Let's hope Mikrotik really can prevent this from happening.
The "Outdoor" setting is already in released versions, it's called "installation=outdoor/indoor/any".
No answer to your question? How to write posts
 
human1982
newbie
Posts: 29
Joined: Thu Aug 13, 2015 2:36 am

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 1:28 pm

... and second, according to CZ rules I can set 5480MHz ...
Which channel width do you use when trying to set centre frequency to 5480MHz?
5480Ce in Poland too. 5470-5725.
 
cowgirl
just joined
Posts: 5
Joined: Tue Dec 18, 2018 12:10 am
Location: South-West-Germany
Contact:

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 2:20 pm

6.44beta50 is crashing on my CRS328-24P-4S+. It reboots every few hours. (approx every 4h)

And on myCRS317-1G-16S+ the management IP address is not reachable (over my lacp-bonding link) for a while and then it comes back, while switching is working the whole time and the systems connected to it are reachable. Currently i can not check for reboots on the 317, cause managment is not reachable also mac-telnet from the 328 is not working.....

The 317´s managment just came back now, no unexpected reboots there....
 
cowgirl
just joined
Posts: 5
Joined: Tue Dec 18, 2018 12:10 am
Location: South-West-Germany
Contact:

Re: v6.44beta [testing] is released!

Fri Dec 21, 2018 3:17 pm

CRS328-24P-4S+ crashed again. Only with approx. 2hours gap. Doing a little bit SMB File Copy jobs (50Gbyte)
 
TheCondor
just joined
Posts: 12
Joined: Sun Jul 26, 2015 4:00 pm

Re: v6.44beta [testing] is released!

Sun Dec 30, 2018 12:16 pm

In 6.44beta50 when i create a certificate, both with web GUI or shell command, i set subAltName but it disappear when saved (or signed). On stable i didn't have this problem.
 
kabal
just joined
Posts: 9
Joined: Sat Dec 25, 2010 6:03 pm
Location: Ukraine

Re: v6.44beta [testing] is released!

Sun Dec 30, 2018 11:45 pm

*) ppp - added "at-chat" command;

Does not work with USSD commands.

with at-chat:

/interface ppp-client at-chat 3 input="AT+CUSD=1,AA582C3602,15"
output: AT+CUSD=1,AA582C3602,15
OK


with serial-terminal:

/system serial-terminal port=usb4 channel=2
AT+CUSD=1,AA582C3602,15
OK

+CUSD: 1,"C2303BEC9E83602E980C2D77B340E2B7BB3E07C15C30185AEE7629542A95C2596E87F365
D0FA3D47D3D3F61FF10D8AC16067B91BE40E83E46174DDFD5E83F420F87BCEAE9FDFF93A88F82687E9
EBB73D0D3ACBDF73743A046587E961903D4D06C9CE72B722E6A286D70A",15
 
TheCondor
just joined
Posts: 12
Joined: Sun Jul 26, 2015 4:00 pm

Re: v6.44beta [testing] is released!

Wed Jan 02, 2019 8:16 pm

mutiple mode-config doesn't be as intended with certificate matching.
I've tried to add 2 mode-configs and i want to assign a different ip pool each.
apart the fact that is better to implement an object of type "list" populated with multiple certificate, currently it's impossible to add multiple client certificate matching...
policy matching chould be intended as this, imho:

a group of client certificates that, when matched with a specific mode-config policy, assign an ip pool and a split tunnel.

currently it's impossible to add a group of client certificate, just one cert.
Moreover, and this is what isn't working, the client check just the first mode-config policy and if it's not matched skips the others. It should be a sequential checking trough the all mode-config matching policy...
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 490
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Mon Jan 07, 2019 2:09 pm

Version 6.44beta54 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta54 (2019-Jan-07 08:27):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes in this release:

*) bridge - count routed FastPath packets between bridge ports under FastPath bridge statistics;
*) bridge - fixed BOOTP packet forwarding when DHCP Snooping is enabled;
*) crs317 - fixed packet forwarding when LACP is used with hw=no;
*) dhcpv6-server - allow to add DHCPv6 server with pool that does not exist;
*) ethernet - fixed VLAN1 forwarding on RB1100AHx4 and RB4011 devices;
*) ipsec - added new "remote-id" peer matcher (CLI only);
*) l2tp - fixed IPsec secret not being updated when "ipsec-secret" is changed under L2TP client configuration;
*) led - fixed PWR-LINE AP Ethernet LED polarity ("/system routerboard upgrade" required);
*) lte - added initial support for multiple APN for R11e-4G (new modem firmware required);
*) lte - fixed DHCP IP acquire (introduced in v6.43.7);
*) netinstall - do not show kernel failure critical messages in the log after fresh install;
*) routerboard - removed "RB" prefix from PWR-LINE AP devices;
*) sniffer - save packet capture in "802.11" type when sniffing on w60g interface in "sniff" mode;
*) snmp - fixed "rsrq" reported precision;
*) usb - improved power-reset error message when no bus specified on CCR1072-8G-1S+;
*) wireless - added new "installation" parameter to specify router's location;
*) wireless - show indoor/outdoor frequency limitations under "/interface wireless info country-info <country>" command;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
doush
Long time Member
Long time Member
Posts: 620
Joined: Thu Jun 04, 2009 3:11 pm

Re: v6.44beta [testing] is released!

Mon Jan 07, 2019 3:26 pm

Are you guys working for a fix for CCR1072 lockups ?
 
User avatar
strods
MikroTik Support
MikroTik Support
Posts: 1407
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Mon Jan 07, 2019 5:17 pm

doush - Unfortunately we can not tell from description "lockups" to what kind of problem you are referring to. Please contact support@mikrotik,com directly, provide proper problem description (when did problem start to appear, how often do you see this issue, do you have any information what processes might trigger lockup) and supout file from your router/s. At the moment there are no known bugs that would lock up router. Either this is an unknown problem, hardware related issue or it is a configuration related problem. Without debugging we can not tell why is this happening with your router. At the moment of "lockup" can you access router over serial console?
 
nescafe2002
Long time Member
Long time Member
Posts: 622
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.44beta [testing] is released!

Mon Jan 07, 2019 11:10 pm

To anyone experiencing connectivity issues on bridge interface after upgrade to 6.44beta50 like me:
The RB is now sending out MNDP (udp/5678) packets with ip address of bridge and mac address of slave (physical port).
(In 6.44beta40 and before the packets were sent with the bridges mac address as source)
Client devices are now learning incorrect ip/mac combinations and will be unable to communicate with the RB, intermittently (arp is not affected).
This has been reported.

A work-around is to disable neighbor discovery for these interfaces.

(Note that there is a similar problem regarding internet-detect which causes same problem when enabled on slave interfaces)

Another (dirty) work-around is to enable bridge filtering (of any kind) after which RB will accept packets directed to the slave (physical) mac address.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 490
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Jan 08, 2019 8:27 am

mutiple mode-config doesn't be as intended with certificate matching.
I've tried to add 2 mode-configs and i want to assign a different ip pool each.
apart the fact that is better to implement an object of type "list" populated with multiple certificate, currently it's impossible to add multiple client certificate matching...
policy matching chould be intended as this, imho:

a group of client certificates that, when matched with a specific mode-config policy, assign an ip pool and a split tunnel.

currently it's impossible to add a group of client certificate, just one cert.
Moreover, and this is what isn't working, the client check just the first mode-config policy and if it's not matched skips the others. It should be a sequential checking trough the all mode-config matching policy...
What exactly have you configured currently? Are you creating multiple IPsec identities and specifying different remote-certificates for each of them? Are these certificates from the same CA chain? That is not quite how we planned it to work. There is a 'remote-id' parameter, which is not in Winbox and is not implemented fully yet. You will be able to match the IPsec identity to a specific peer by this parameter.
 
doush
Long time Member
Long time Member
Posts: 620
Joined: Thu Jun 04, 2009 3:11 pm

Re: v6.44beta [testing] is released!

Sat Jan 12, 2019 4:39 pm

doush - Unfortunately we can not tell from description "lockups" to what kind of problem you are referring to. Please contact support@mikrotik,com directly, provide proper problem description (when did problem start to appear, how often do you see this issue, do you have any information what processes might trigger lockup) and supout file from your router/s. At the moment there are no known bugs that would lock up router. Either this is an unknown problem, hardware related issue or it is a configuration related problem. Without debugging we can not tell why is this happening with your router. At the moment of "lockup" can you access router over serial console?
Strods;
viewtopic.php?f=3&t=122525&start=50
There are watchdog reboots !
Please see the above thread. We have also contacted support and we have been told to turn off watchdog and check. When we do that, the router hangs and stays in that state.
We cant just stop gbits of traffic just to collect supout files for you over the serial interface. This is what you guys have to do. Issue is easily reproducable.
There are many people in the above thread having the same exact issue.
Ticket#2018091822007067 is also available but as I said we cannot just stop 8gbit/s of traffic for you for hours to collect supout files.
Please do not ignore this issue as it is not a config related problem at all.
At the moment of lockup (when watchdog is turned off) , I havent tried the serial because of panic that it creates when all your traffic stops. Powercycle fixes the problem.
When watchdog is on, it reboots.
Please work with us in this issue.
 
notToNew
Member Candidate
Member Candidate
Posts: 147
Joined: Fri Feb 19, 2016 3:15 pm

Re: v6.44beta [testing] is released!

Sat Jan 12, 2019 7:26 pm


When watchdog is on, it reboots.
Please work with us in this issue.
And where is the version specific part of this? As I see it it's nothing new to this beta.... So please stay in the other thread.
--------------------------------------------------------------------------------------------
CCR1036-12G-4S, several 952Ui-5ac2nD, ...
 
doush
Long time Member
Long time Member
Posts: 620
Joined: Thu Jun 04, 2009 3:11 pm

Re: v6.44beta [testing] is released!

Mon Jan 14, 2019 3:52 pm


When watchdog is on, it reboots.
Please work with us in this issue.
And where is the version specific part of this? As I see it it's nothing new to this beta.... So please stay in the other thread.
This problem is still valid with the latest stable build !
And we dont see any work about it in the latest beta versions at all. Should be fair enough to post in this thread and raise awareness.
 
andriys
Forum Guru
Forum Guru
Posts: 1177
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.44beta [testing] is released!

Mon Jan 14, 2019 9:01 pm

doush Nobody except you complains, which means it's either faulty hardware or a configuration specific issue. A couple of posts ago you said you are not willing to supply support@ with the info they asked you for. Being software developer myself, I can assure you this is a road to nowhere...
 
User avatar
null31
Member Candidate
Member Candidate
Posts: 177
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: v6.44beta [testing] is released!

Tue Jan 15, 2019 12:00 am

Dear MikroTik Staff.
*) dhcpv6-server - allow to add DHCPv6 server with pool that does not exist;
Does this fix is related to the ticket #2018122622000391?
I ask because I didn't receive a reply for the ticket.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5806
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Tue Jan 15, 2019 3:20 pm

It is probably related to a problem I also reported to them: when you import an export which contains a server and pool
the import fails because the pool appears in the export after the server. Apparently it was not easy to export the pool
definitions before the server definitions (or there would be another unresolved reference) and it was now solved this way.
 
User avatar
null31
Member Candidate
Member Candidate
Posts: 177
Joined: Fri Dec 23, 2016 6:07 pm
Location: Brazil

Re: v6.44beta [testing] is released!

Wed Jan 16, 2019 8:42 pm

So isn't related.
The bug I reported is when DHCPv6-PD get the pool name through Radius and create a route with blank next-hop to the CPE. The router receive the link-local addr from cpe, but doesn't add to the prefix that was delegated.
The connection method I tested was plain DHCPv6 (IPoE without op82).

Like the image https://i.imgur.com/Oq08c0U.png
 
doush
Long time Member
Long time Member
Posts: 620
Joined: Thu Jun 04, 2009 3:11 pm

Re: v6.44beta [testing] is released!

Thu Jan 17, 2019 2:32 pm

doush Nobody except you complains, which means it's either faulty hardware or a configuration specific issue. A couple of posts ago you said you are not willing to supply support@ with the info they asked you for. Being software developer myself, I can assure you this is a road to nowhere...
Did you even read my post ?
Check the below thread and see if I am the only one complaining.
viewtopic.php?f=3&t=122525

We are still desperately waiting for a fix for this issue and ready to try any possible fix in new beta versions.. and NO I cannot just turn off watchdog and wait for the next halt which may happen anytime in the middle of the night to collect support files while all the network is down.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Thu Jan 17, 2019 4:44 pm

"My router reboots" is a very generic problem, all kinds of issues are gathered in that topic.
No answer to your question? How to write posts
 
User avatar
eworm
Member
Member
Posts: 390
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.44beta [testing] is released!

Thu Jan 17, 2019 6:30 pm

I am running testing versions on my wAP with R11e-LTE. Recently the lte interface does not reliably connect after boot, I have to reboot the device then. This worked pretty well before, so I am sure this is a regression from beta50 to beta54.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
zyzelis
Member Candidate
Member Candidate
Posts: 212
Joined: Sun Apr 08, 2012 9:25 pm

Re: v6.44beta [testing] is released!

Thu Jan 17, 2019 8:03 pm

"My router reboots" is a very generic problem, all kinds of issues are gathered in that topic.
Normis, are you work for ubnt?
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 490
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 9:50 am

Version 6.44beta61 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta61 (2019-Jan-17 13:24):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes in this release:

!) ipsec - added new "identity" menu with common peer distinguishers;
*) bridge - fixed BOOTP packet forwarding when DHCP Snooping is enabled;
*) certificate - added support for multiple "Subject Alt. Names";
*) certificate - enabled RC2 cipher to allow P12 certificate decryption;
*) chr - improved system stability when insufficient resources are allocated to the guest;
*) console - updated copyright notice;
*) crs3xx - fixed slow bootup, upgrade and SFP status read (introduced in v6.44beta20);
*) gps - moved "coordinate-format" from "monitor" command to "set" parameter;
*) ike1 - fixed "rsa-key" authentication (introduced in v6.44beta);
*) ipsec - accept only valid path for "export-pub-key" parameter in "key" menu;
*) ipsec - added new "remote-id" peer matcher;
*) ipsec - fixed all policies not getting installed after startup (introduced in v6.43.8);
*) ipsec - moved "profile" menu outside "peer" menu;
*) lcd - made "pin" parameter sensitive;
*) led - fixed default LED configuration for RBSXTsq-60ad;
*) lte - fixed DHCP IP acquire in 3G mode for r11e-lte (introduced in v6.44beta54);
*) lte - fixed reported "rsrq" precision (introduced in v6.43.8);
*) profile - removed obsolete "file-name" parameter;
*) radius - implemented Proxy-State attribute handling in CoA and disconnect requests;
*) rb4011 - improved SFP+ interface linking to 1Gbps;
*) ssh - close active SSH connections before IPsec connections on shutdown;
*) ssh - fixed public key format compatibility with RFC4716;
*) supout - fixed "poe-out" output not showing all interfaces;
*) system - accept only valid path for "log-file" parameter in "port" menu;
*) system - removed obsolete "/driver" command;
*) tr069-client - added "check-certificate" parameter to allow communication without certificates;
*) tr069-client - added support for InformParameter object;
*) tr069-client - fixed certificate verification for certificates with IP address;
*) tr069-client - increased reported "rsrq" precision;
*) vrrp - made "password" parameter sensitive;
*) winbox - added "allow-dual-stack-queue" parameter in "IP/DHCP Server" and "IPv6/DHCP Server" menus;
*) winbox - added "conflict-detection" parameter in "IP/DHCP Server" menu;
*) winbox - added "coordinate-format" parameter in LTE interface settings;
*) winbox - allow specifying interface lists in "CAPsMAN/Access List" menu;
*) winbox - fixed "IPv6/Firewall" "Connection limit" parameter not allowing complete IPv6 prefix lengths;
*) winbox - fixed L2MTU parameter setting on "W60G" type interfaces;
*) winbox - fixed "LCD" menu not shown on RB2011UiAS-2HnD;
*) winbox - moved "Too Long" statistics counter to Ethernet "Rx Stats" tab;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
User avatar
eworm
Member
Member
Posts: 390
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 12:16 pm

!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
[admin@MikroTik] /system backup cloud> print 
-- connecting
Server error: Backend error. Try again later.

Breakage in version or issue with servers?
Edit: Works again, was a server issue.
*) console - updated copyright notice;
The copyright notice still has a link with http-schema. You should really change that to https.
*) ipsec - added new "remote-id" peer matcher;
Thanks, have to play with this...
*) lte - fixed DHCP IP acquire in 3G mode for r11e-lte (introduced in v6.44beta54);
Thanks for fixing!
*) ssh - close active SSH connections before IPsec connections on shutdown;
That change is very welcome. Thanks a lot!
Last edited by eworm on Fri Jan 18, 2019 5:37 pm, edited 1 time in total.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 2:26 pm

Please remove OS version from telnet. It is not needed.

I do use telnet to connect to Mikrotik Router using VPN connection.
It does respond by telling both what it is and what version it has before you login.
/system telnet 10.2.0.16
Trying 10.2.0.16...
Connected to 10.2.0.16.
Escape character is '^]'.

MikroTik v6.43.8 (stable)
Login:
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 4:24 pm

Jotne, sorry, I do not understand. Where is the problem with the version in Telnet?
No answer to your question? How to write posts
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8308
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 4:29 pm

The problem is it tells you about version number even if you're not logged in
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
Cha0s
Forum Veteran
Forum Veteran
Posts: 895
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 4:35 pm

Same with the web interface.
 
patrick7
Member Candidate
Member Candidate
Posts: 298
Joined: Sat Jul 20, 2013 2:40 pm

Re: v6.44beta [testing] is released!

Fri Jan 18, 2019 4:52 pm

security by obscurity
 
User avatar
pcunite
Forum Veteran
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 1:41 am

Version 6.44beta61 has been released.

rb4011 - improved SFP+ interface linking to 1Gbps;

Does this mean the S-RJ01 is now compatible with the RB4011?
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 9:53 am

With any communication you should not give away any information before login.
If you look at forum.mikrotik.com it does use phpBB. On older version you could see at the bottom, what version it was.
This was removed due to security and that hacker was target some specific version.

As I did write in my post above, I do not need it, so remove it.
And as @Cha0s write, same for web interface. Remove it.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
pe1chl
Forum Guru
Forum Guru
Posts: 5806
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 11:49 am

Does this mean the S-RJ01 is now compatible with the RB4011?
The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.
Look at the S-RJ01 page. It is only for actively-cooled devices!
Hopefully some time, after yet more advances in technology, it will be possible to produce and SFP+ ethernet adapter that does not dissipate so much power.
Then it could work.
 
msatter
Forum Guru
Forum Guru
Posts: 1220
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 1:17 pm

All software/interfaces by Mikrotik mention the software version before login, including the Android app.

Then this must be something Mikrotik wants to communicate up front. So you can think to have RouterOS not share the current version of it and state a null value.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
marcbou
just joined
Posts: 5
Joined: Tue Jul 03, 2018 11:19 am

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 1:42 pm

Hi

Installed 6.44beta61, but it seems there are issues with "/ip ipsec identity my-id" matching for fqdn:, user-fqdn: and even address:ipv4 types. It doesn't seem to work with Remote ID on iOS devices with IKEv2 in pre-shared-key mode.

I was only able to get it to work by specifying the router's static IP as RemoteID on the client iOS device and keeping my-id set to auto (default) in /ip ipsec identity.

my-id=fqdn:domain.com matching does however work if auth-method=rsa-signature with certificate.

It is a road-warrior type setup with the MikroTik router as VPN server on a static IP, and client iOS and MacOS X devices connecting from dynamic IPs.

This is with a RB3011. We have a similar setup with a CCR1009 where it seems the ipsec crashes (hangs) upon access attempts with auth-method=pre-shared-key. Works with sa-signature/certificate.

Also would it be possible to add support for disabling/enabling /ip ipsec identity entries?

The config looks like:

# jan/19/2019 06:31:50 by RouterOS 6.44beta61
#
# model = RouterBOARD 3011UiAS
/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=\
ipsec-modecfg
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1w \
name=proposal_1
/ip ipsec peer
add exchange-mode=ike2 local-address=<routerspublicipv4> name=peer_vpn passive=yes \
profile=proposal_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
lifetime=2d pfs-group=none
/ip ipsec identity
add generate-policy=port-strict mode-config=ipsec-modecfg peer=\
peer_vpn remote-id=user-fqdn:usera@domain.com secret=usera_secret
add generate-policy=port-strict mode-config=ipsec-modecfg peer=\
peer_vpn remote-id=user-fqdn:userb@domain.com secret=userb_secret
/ip ipsec policy
set 0 dst-address=192.168.71.0/24 src-address=0.0.0.0/0
add dst-address=192.168.72.0/24 src-address=0.0.0.0/0 template=yes

Thanks,

Marc
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 3:50 pm

Does this mean the S-RJ01 is now compatible with the RB4011?
The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.
Look at the S-RJ01 page. It is only for actively-cooled devices!
Hopefully some time, after yet more advances in technology, it will be possible to produce and SFP+ ethernet adapter that does not dissipate so much power.
Then it could work.
The compatibility table disagrees with You:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

They are supported on the CSS/CRS326-24G-2S+ models - and they are passive cooled switches. Also, they run on RB3011, RB2011, RB260 and many others passive cooled devices.
 
nescafe2002
Long time Member
Long time Member
Posts: 622
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 5:19 pm

What's new in 6.44beta61 (2019-Jan-17 13:24):

*) rb4011 - improved SFP+ interface linking to 1Gbps;

I can confirm FS 1000BASE-BX BiDi SFP 1310nm-TX/1490nm-RX 20km DOM Transceiver Module ( https://www.fs.com/products/20184.html ) is working fine together with a 1Gbit FTTH provider, as long as the speed matches (note that winbox hides this setting when autonegotation is on, so you'll have to disable autoneg to change speed or use cli).

/interface ethernet
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=1Gbps # link
set sfp-sfpplus1 auto-negotiation=yes full-duplex=no speed=10Mbps # link (detected/actual rate 1Gpbs FD)
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=100Mpbs # flapping
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=10Gbps # flapping
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes speed=1Gbps # link
set sfp-sfpplus1 auto-negotiation=no full-duplex=no speed=1Gbps # router crash
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes&no speed=10Mbps # link (detected rate 10Mbps, actual rate 1Gpbs)
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes&no speed=100Mbps # flapping
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes speed=10Gbps # no link
 
User avatar
pcunite
Forum Veteran
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 5:28 pm

The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.

The compatibility table disagrees with You:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

The S-RJ01 is supported on the CSS/CRS326-24G-2S+ models - and they are passive cooled switches. Also, they run on RB3011, RB2011, RB260 and many others passively cooled devices.

Yeah, I guess its not clear what works unless one consults the compatibility table. So, the S+RJ10 does work, but the S-RJ01 does not? I have not been able to get my S-RJ01 to work with the RB4011 and was hoping it was only a software issue.
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.44beta [testing] is released!

Sat Jan 19, 2019 8:36 pm

The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.

The compatibility table disagrees with You:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

The S-RJ01 is supported on the CSS/CRS326-24G-2S+ models - and they are passive cooled switches. Also, they run on RB3011, RB2011, RB260 and many others passively cooled devices.

Yeah, I guess its not clear what works unless one consults the compatibility table. So, the S+RJ10 does work, but the S-RJ01 does not? I have not been able to get my S-RJ01 to work with the RB4011 and was hoping it was only a software issue.
Yes, it is weird. I have no idea where this limitation comes from.
 
User avatar
Bergante
Member Candidate
Member Candidate
Posts: 131
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: v6.44beta [testing] is released!

Mon Jan 21, 2019 11:02 am

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
 
User avatar
Bergante
Member Candidate
Member Candidate
Posts: 131
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: v6.44beta [testing] is released!

Mon Jan 21, 2019 11:05 am

Version 6.44beta61 has been released.

*) rb4011 - improved SFP+ interface linking to 1Gbps;
This one looks promising and, indeed, there is a clear improvement.

I am testing a rb4011 linked to a HP switch and now it works with autonegotiation on it seems. I am using a pair of Mikrotik 1000BASE-LH transceivers (S-31DLC20D).

That's great because autonegotiation is considered mandatory in GbE and disabling it can lead to unpredictable problems.

So, I hope SFPs will be properly supported in SFP+ cages. Otherwise the only real solution would be to include both types of cages like some manufacturers do.
 
muetzekoeln
Member Candidate
Member Candidate
Posts: 140
Joined: Fri Jun 29, 2018 2:34 pm

Re: v6.44beta [testing] is released!

Mon Jan 21, 2019 12:15 pm

Please remove OS version from telnet. It is not needed.
+1

I too plead for data stinginess. Only disclose data when/where needed. This is the same thinking as a default deny-all rule in firewalls.
For me the ROS version is of no value at login prompt. And MT did not explain why they broadcast ROS version in WiFi beacons
(viewtopic.php?p=709410).

At login prompt it makes much more sense to me, to display given system identity name (/System identity). So you can check if you are logging into the intended system (if you have more than one, that is).
Last edited by muetzekoeln on Wed Jan 23, 2019 1:12 pm, edited 3 times in total.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.44beta [testing] is released!

Mon Jan 21, 2019 2:46 pm

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number
No answer to your question? How to write posts
 
User avatar
skylark
MikroTik Support
MikroTik Support
Posts: 106
Joined: Wed Feb 10, 2016 3:55 pm

Re: v6.44beta [testing] is released!

Tue Jan 22, 2019 10:19 am

Version 6.44beta61 has been released.

rb4011 - improved SFP+ interface linking to 1Gbps;

Does this mean the S-RJ01 is now compatible with the RB4011?
Yes, with the latest beta S-RJ01 also should work.

We will update compatibility table when this fix will be included in the stable version.
 
msatter
Forum Guru
Forum Guru
Posts: 1220
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.44beta [testing] is released!

Tue Jan 22, 2019 12:44 pm

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number
But it saves the untrusted person the trouble to test which tool to use. Or just see on forehand that none of the available tools is going to work and moves on.

Make it the owners choice/responsability if the it is shown or not.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
Bergante
Member Candidate
Member Candidate
Posts: 131
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: v6.44beta [testing] is released!

Tue Jan 22, 2019 1:21 pm

Version 6.44beta61 has been released.

rb4011 - improved SFP+ interface linking to 1Gbps;

Does this mean the S-RJ01 is now compatible with the RB4011?
Yes, with the latest beta S-RJ01 also should work.

We will update compatibility table when this fix will be included in the stable version.
The Interface/Ethernet section of the documentation should be updated as well.

The manual says that the speed attribute of an Ethernet interface only takes effect when auto negotiation is disabled.

Actually, at least on a rb4011 running 6.44beta61 speed does work with auto negotiation on. The SFP I have tried,
Mikrotik's single mode ones (S-31DLC20D) work with auto negotiation set to on as long as the speed attribute is set to 1 Gbps.

So it's working as a mode selector for the SFP/SFP+ cage.

Now I wonder, can't you make that automatic? Reading the EEPROM of the SFP the system determines which kind of SFP is it. So it
should be easy to decide wether to configure it for 1 Gbps or 10 Gbps.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5806
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Wed Jan 23, 2019 12:52 pm

61 builds in the 6.44 beta and we are still waiting for IPv6 improvements!
Come on guys, it is 2019 now. We really need IPv6 policy routing, IPv6 per-connection queueing, IPv6 firewall features on par with IPv4 (like L7 matching), etc etc etc.

You cannot handle IPv6 as a bolt-on feature to satisfy a small number of demanding users. It has to be part of the mainstream, with all the support that there is for IPv4.
 
muetzekoeln
Member Candidate
Member Candidate
Posts: 140
Joined: Fri Jun 29, 2018 2:34 pm

Re: v6.44beta [testing] is released!

Wed Jan 23, 2019 1:15 pm

Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering.

You are right with this statement, but impacts of the latest ROS vulnerability show this ideal is not the real world.
 
wilsonlmh
newbie
Posts: 26
Joined: Fri Oct 10, 2014 9:44 pm

Re: v6.44beta [testing] is released!

Wed Jan 23, 2019 2:03 pm

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number
This isn't true for SSH:
telnet 192.168.88.1 22
Trying 192.168.88.1...
Connected to 192.168.88.1.
Escape character is '^]'.
SSH-2.0-ROSSSH
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 490
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Thu Jan 31, 2019 10:40 am

Installed 6.44beta61, but it seems there are issues with "/ip ipsec identity my-id" matching for fqdn:, user-fqdn: and even address:ipv4 types. It doesn't seem to work with Remote ID on iOS devices with IKEv2 in pre-shared-key mode.
It works for me. Please check the IPsec debug logs and find out what ID_I and ID_R fields are actually received from the client.
10:35:04 ipsec processing payload: ID_I 
10:35:04 ipsec ID_I (RFC822): usera@domain.com 
10:35:04 ipsec processing payload: ID_R 
10:35:04 ipsec ID_R (ADDR4): 10.155.130.204 
ID_I is the initiators id (what you specify as Local ID under your iOS). ID_R is the responders id (the Remote ID when looking from iOS). You can enable debug logs with
/system logging add topics=ipsec,!debug

As for the crashing part, it would be necessary to see the supout.rif file from your device. Please generate and send this file to support@mikrotik.com
 
User avatar
BG4DRL
just joined
Posts: 7
Joined: Sat Jan 26, 2019 4:00 pm

Re: v6.44beta [testing] is released!

Thu Jan 31, 2019 6:08 pm

wap 60G ap udp both up to 850Mbps ! very nice this Beta61
 
nescafe2002
Long time Member
Long time Member
Posts: 622
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.44beta [testing] is released!

Tue Feb 05, 2019 1:07 pm

Since I've spent some time restoring VPN functionality.. here are my 6.44beta61 IKEv2 settings for iOS, macOS and Windows clients.
Windows only seems to work with identity my-id=auto and remote-id=auto.
Afaik you cannot add a secondary peer for Windows default ipsec settings, so you should alter these using powershell.

Certificate generation:

/certificate
add name=my.ca common-name=my.ca key-usage=key-cert-sign,crl-sign
sign my.ca
add name=vpn.server common-name=vpn.server subject-alt-name=DNS:vpn.company.com key-usage=tls-server
sign vpn.server ca=my.ca
add name=vpn.client.ios common-name=vpn.client.ios key-usage=tls-client
sign vpn.client.ios ca=my.ca
add name=vpn.client.macos common-name=vpn.client.macos key-usage=tls-client
sign vpn.client.macos ca=my.ca
add name=vpn.client.windows common-name=vpn.client.windows key-usage=tls-client
sign vpn.client.windows ca=my.ca

(Certificates don't have to be trusted)

Certificate export:

/certificate
export-certificate my.ca
export-certificate vpn.client.ios export-passphrase=1234 type=pkcs12
export-certificate vpn.client.macos export-passphrase=1234 type=pkcs12
export-certificate vpn.client.windows export-passphrase=1234 type=pkcs12

IKEv2 server setup:

/ip ipsec policy group
add name=ike2
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d name=ike2 pfs-group=none
/ip ipsec policy
add comment=ike2 group=ike2 proposal=ike2 template=yes
/ip pool
add name=ike2 ranges=192.168.88.100-192.168.88.150
/ip ipsec mode-config
add address-pool=ike2 name=ike2

Peer setup:

/ip ipsec peer
add comment=ike2 exchange-mode=ike2 name=ike2 passive=yes profile=ike2

Identity setup:

/ip ipsec identity
add auth-method=rsa-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2 my-id=fqdn:vpn.company.com \
    peer=ike2 policy-template-group=ike2 remote-certificate=vpn.client.ios remote-id=fqdn:vpn.client.ios
add auth-method=rsa-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2 my-id=fqdn:vpn.company.com \
    peer=ike2 policy-template-group=ike2 remote-certificate=vpn.client.macos remote-id=fqdn:vpn.client.macos
add auth-method=rsa-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2 \
    peer=ike2 policy-template-group=ike2 remote-certificate=vpn.client.windows

iOS setup:

Type: IKEv2
Server: vpn.company.com
External ID: vpn.company.com
Local ID: vpn.client.ios
User authentication: None
Use certificate: Yes
Certificate: vpn.client.ios

macOS setup:

Type: IKEv2
Server: vpn.company.com
External ID: vpn.company.com
Local ID: vpn.client.macos
User authentication: None
Use certificate: Yes
Certificate: vpn.client.macos

Windows client setup (you need Powershell to set hash/enc/dh/pfs, so I scripted all):

$securePassword = ConvertTo-SecureString -String "1234" -AsPlainText -Force
Import-PfxCertificate -FilePath cert_export_vpn.client.windows.p12 -CertStoreLocation Cert:\LocalMachine\My -Password $securePassword
Import-Certificate -FilePath cert_export_my.ca.crt -CertStoreLocation Cert:\LocalMachine\Root
Add-VpnConnection -Name "Company" -ServerAddress vpn.company.com -TunnelType Ikev2 -AuthenticationMethod MachineCertificate
Set-VpnConnectionIPsecConfiguration -ConnectionName "Company" -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup None -Force
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 490
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Feb 05, 2019 1:19 pm

The next version will have some more changes for IPsec Identities to make it more clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check the IPsec debug logs and find out what actual ID (IDi) value is sent by the initiator.

I will update the wiki page when we come closer to the actual 6.44 release. Basically "auto" will check (verify) the IDi with clients certificate, so they have to match! "ignore" will not care about the initiators ID.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5806
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Tue Feb 05, 2019 3:13 pm

Would it be possible (during the rework of the IPsec code) to also add a phase1 "on up" and "on down" script?
(that receives parameters like the remote-id, remote-IP etc)
This script could then add/delete phase2 settings e.g. a GRE tunnel.
 
User avatar
eworm
Member
Member
Posts: 390
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.44beta [testing] is released!

Tue Feb 05, 2019 4:01 pm

Would it be possible (during the rework of the IPsec code) to also add a phase1 "on up" and "on down" script?
(that receives parameters like the remote-id, remote-IP etc)
This script could then add/delete phase2 settings e.g. a GRE tunnel.
Yes, please! Hooking a script would be much appreciated. Currently I have a script running every 30 seconds to update gre interfaces...
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 490
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Tue Feb 05, 2019 4:15 pm

Thank you for the feedback. Definitely not in this release, but I will see if we can add it in the near future.
 
biatche
Member Candidate
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.44beta [testing] is released!

Sat Feb 09, 2019 2:10 am

Much time spent on ipsec when one could spend time on wireguard and have better VPN.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5806
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.44beta [testing] is released!

Sat Feb 09, 2019 11:18 am

Much time spent on ipsec when one could spend time on wireguard and have better VPN.
Wireguard is not a better VPN. It is an immature product with a vocal community around it.
IPsec is widely supported amongst industry standard routers and does not require lame "+1 for Wireguard" 1-time posters.
 
berzerker
just joined
Posts: 17
Joined: Thu Oct 26, 2017 6:55 am

Re: v6.44beta [testing] is released!

Mon Feb 11, 2019 6:12 am

CRS328-24P-4S+RM: I'm unable to log into the console on 6.44beta61, anyone experiencing a similar issue? Tried with multiple cables. Couple of CRS112s I have on 6.43.8 work fine.
 
User avatar
emils
MikroTik Support
MikroTik Support
Topic Author
Posts: 490
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.44beta [testing] is released!

Mon Feb 11, 2019 3:35 pm

Version 6.44beta75 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta75 (2019-Feb-08 08:02):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes in this release:

!) ipsec - added new "identity" menu with common peer distinguishers;
!) winbox - improvements in connection handling to router with open winbox service (CVE-2019–3924);
*) bridge - fixed log message when hardware offloading is being enabled;
*) bridge - fixed packet forwarding with enabled DHCP Snooping and Option 82;
*) bridge - fixed system's identity change when DHCP Snooping is enabled (introduced in v6.44beta61);
*) bridge - improved packet handling when hardware offloading is being disabled;
*) certificate - show digest algorithm used in signature;
*) chr - distribute NIC queue IRQ's evenly across all CPUs;
*) chr - fixed IRQ balancing when using more than 32 CPUs;
*) crs3xx - fixed packet forwarding through SFP+ ports when using 100Mbps link speed;
*) crs3xx - fixed SFP+ linking using 1.25G SFP modules (introduced in v6.44beta39);
*) dhcpv6-server - fixed missing gateway for binding's network if RADIUS authentication was used;
*) dhcpv6-server - show "client-address" parameter for bindings;
*) ethernet - added "tx-rx-1024-max" counter to Ethernet stats;
*) ethernet - fixed packet forwarding when SFP interface is disabled on hEX S;
*) fetch - added option to specify multiple headers under "http-header-field", including content type;
*) fetch - improved stability when using HTTP mode;
*) fetch - removed "http-content-type" parameter;
*) gps - increase precision for dd format;
*) hotspot - added "https-redirect" under server profiles;
*) ike2 - retry RSA signature validation with deduced digest from certificate;
*) ipsec - require write policy for key generation;
*) kidcontrol - use "/128" prefix-length for IPv6 addresses;
*) lldp - fixed missing capabilities fields on some devices;
*) lte - added multiple APN support for R11e-4G;
*) lte - fixed passthrough DHCP address forward when other address is acquired from operator;
*) lte - improved SIM7600 initialization after reset;
*) lte - query "cfun" on initialization;
*) lte - require write policy for at-chat;
*) lte - update firmware version information after R11e-LTE/R11e-4G firmware upgrade;
*) ntp-client - fixed "dst-active" and "gmt-offset" being updated after synchronization with server;
*) ppp - fixed dynamic route creation towards VPN server when "add-default-route" is used;
*) quickset - fixed "country" parameter not properly setting regulatory domain configuration;
*) rb4011 - fixed SFP+ interface full duplex and speed parameter behavior;
*) rb4011 - improved SFP+ interface linking to 1Gbps;
*) sfp - fixed possible reboot loop when inserting SFP modules in CRS328-4C-20S-4S+ (introduced in v6.44beta61);
*) smb - fixed macOS clients not showing share contents;
*) smb - fixed possible buffer overflow;
*) smb - fixed Windows 10 clients not able to establish connection to share;
*) snmp - fixed "rsrq" reported precision;
*) snmp - report ifSpeed 0 for sub-layer interfaces;
*) switch - added comment field to switch ACL rules;
*) tr069-client - added "connection-request-port" parameter (CLI only);
*) usb - improved USB device powering on startup for hAP ac^2 devices;
*) usb - increased default power-reset timeout to 5 seconds;
*) userman - added first and last name fields for signup form;
*) w60g - fixed disconnection issues in PtMP setups;
*) winbox - renamed "Default AP Tx Rate" to "Default AP Tx Limit";
*) winbox - renamed "Default Client Tx Rate" to "Default Client Tx Limit";
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;
*) wireless - improved antenna gain setting for devices with built in antennas;
*) wireless - improved connection stability for new model Apple devices;
*) wireless - improved system stability when scanning for other networks;
*) wireless - show "installation" parameter when printing configuration;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
crau1000
just joined
Posts: 6
Joined: Thu Jan 31, 2019 3:52 am

Re: v6.44beta [testing] is released!

Tue Feb 12, 2019 11:07 am

Normis,

6.44Beta75 has an issue with GPS lat/longs. The new algorithm is inserting "00" after the decimal point. So originally lat/long would be 33.9686/-117.7432. NOW... from the GPS itself.... it is 33.009686/-117.007432. Ive attached a screen shot..
Screen Shot 2019-02-12 at 12.58.38 AM.png
You do not have the required permissions to view the files attached to this post.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.44beta [testing] is released!

Wed Feb 13, 2019 10:10 pm

The next version will have some more changes for IPsec Identities to make it more clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check the IPsec debug logs and find out what actual ID (IDi) value is sent by the initiator.

[...]
Separate but related...

I'm using a GRE interface with IPSec using certificate auth.

GRE interface properties has a setting for IPSec Secret.

When using PSK it seems redundant - there already is a PSK setting in peer / identity.

When using key or cert auth it's also redundant and unnecessary - there is no "secret" for key or cert auth. But when the "secret" is removed, the GRE tunnel doesn't get secured by IPSec (even if IPSec setting are left exactly the same), I mean IPSec is not brought up.

I think the idea is for the router to "know" that the GRE interface is supposed to be secured by IPSec - but perhaps there is a better way to set this up in the UI?

[SOLVED]
Last edited by kmansoft on Thu Feb 14, 2019 7:59 am, edited 1 time in total.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.44beta [testing] is released!

Wed Feb 13, 2019 10:34 pm

The next version will have some more changes for IPsec Identities to make it more clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check the IPsec debug logs and find out what actual ID (IDi) value is sent by the initiator.

[...]
Separate but related...

I'm using a GRE interface with IPSec using certificate auth.

GRE interface properties has a setting for IPSec Secret.

When using PSK it seems redundant - there already is a PSK setting in peer / identity.

When using key or cert auth it's also redundant and unnecessary - there is no "secret" for key or cert auth. But when the "secret" is removed, the GRE tunnel doesn't get secured by IPSec (even if IPSec setting are left exactly the same), I mean IPSec is not brought up.

I think the idea is for the router to "know" that the GRE interface is supposed to be secured by IPSec - but perhaps there is a better way to set this up in the UI?
And another thing about GRE + IPSec with cert auth. This one really looks like a bug.

When the GRE interface is brought up, it brings up the configured IPSec peer but *also* creates a redundant peer (with names like "peer6", "peer7") and a related item under Identities. Both are not necessary.

Not sure if it's new in 6.44 or was there before.

My "real" Peer is already set up, obviously, and uses IKEv2 and cert auth. The "bogus" peers have "main" as exchange mode and PSK auth but the local IP and remote IP are the same as in the "real" peer.

I really don't think it's in response to server (other side) initiated connections - first the server is set to IKEv2 only, second it uses cert auth (matching my "real" peer in Mikrotik) and not PSK.

Can be reproduced without reboot by disabling and then re-enabling the GRE interface in WebFig.

[SOLVED]
Last edited by kmansoft on Thu Feb 14, 2019 7:59 am, edited 1 time in total.
 
nescafe2002
Long time Member
Long time Member
Posts: 622
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.44beta [testing] is released!

Wed Feb 13, 2019 10:55 pm

You can setup an ipsec transport policy with protocol=47 and ensure gre traffic is secured using the firewall ipsec policy matcher:

https://wiki.mikrotik.com/wiki/Manual:I ... ed_traffic

Dynamic peer will disappear as soon as you unset ipsec secret in gre tunnel.
 
sindy
Forum Guru
Forum Guru
Posts: 3809
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.44beta [testing] is released!

Wed Feb 13, 2019 11:40 pm

Not sure if it's new in 6.44 or was there before.
kmansoft, It's not a bug, it's a feature, and definitely not version-related.

Either set the ipsec-psk field in gre (ipip, l2tp) tunnel interface settings and the peer and policy will be generated automatically ("dynamically" is the RouterOS name for it), using the default peer profile and proposal. Or define the IPsec peer & policy necesssary to secure the transport packets of your tunnel manually (and use security options as per your choice, not just the IKE(v1) main mode with PSK), and in that case do NOT fill the ipsec-psk field to prevent the dynamic peer&policy from being generated.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
kmansoft
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.44beta [testing] is released!

Thu Feb 14, 2019 7:56 am

@nescafe2002, @sindy

Went to check IPSec / Policy and there was one for my GRE - but it had a "D" = "dynamic". Aha!

Did this:

- Removed "IPSec Secret" from GRE tunnel interface properties
- Manually added a policy for it
/ip ipsec policy
add comment=myservertunnel dst-address=139.0.0.1/32 protocol=gre src-address=89.0.0.1/32
And now disabling and re-enabling the GRE interface:

- Keeps the IPSec connection running, with SAs and stuff
- Does not create those "peer8" policies

Both "bugs" :) solved. Wonderful!

Thank you both for your help!

Who is online

Users browsing this forum: No registered users and 10 guests