
 
nz_monkey
Forum Guru
Posts: 1806
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 12:08 am

I hope I'm not missing the point, but isn't this IKEv2 & policy routing something that would be best solved by what's known as route/interface-based VPN, VTI, etc? I remember it used to be a popular request here a few years ago. If I understand it correctly, the Linux implementation provides interfaces for IPSec connections, but internally it's still regular policy-based tunnels (often with 0.0.0.0/0 on both sides, but it can be anything). And some marks transparently assigned to outgoing traffic via that interface (it basically serves as an additional filter for policy) are used to control what traffic it will actually apply to. So this should nicely cover the use case for multiple outgoing IPSec connections (like popular commercial VPN services). But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.
Mikrotik support have acknowledged the VTI request, but said it requires a newer kernel.

They will revisit the request once v7 beta is out.
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
emils
MikroTik Support
Topic Author
Posts: 433
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 11:11 am


Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemented in version 7.
 
eworm
Member
Posts: 304
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 11:47 am

No rc versions this time?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
pe1chl
Forum Guru
Posts: 5276
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 12:07 pm

But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.
Well, I remember the days when all Linux systems did that, but it was changed because others (BSD, Cisco) were not using separate interfaces but only those policies.
I always considered it a bad move. Dedicated interfaces for IPsec traffic were so much clearer.
Apparently later (and currently) the option to use interfaces was re-introduced, but today I am not using plain Linux systems as routers anymore so I lost track of that.

Whenever possible, I use a tunnel over IPsec transport. I use GRE because it has some other use cases, but you can use IPIP too.
In fact, IPIP over IPsec transport is almost the same as an IPsec tunnel at the protocol layer. I.e. there is no extra overhead.
But of course this can only be done when you manage both ends, as they cannot be interconnected.
 
bnw
just joined
Posts: 2
Joined: Thu Jun 13, 2019 5:56 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 6:02 pm

One thing I would like to see in 6.45 is some hardware SNMP improvement for the CCR1072.
As stated in ticket #2019032822004818, many hardware OIDs are missing for this device, compared to what Winbox shows :
- Board temperature
- Board temperature 2
- Fan speed 3
- Fan speed 4
- PSU1 status (should be OID .15 (*))
- PSU2 status (should be OID .16 (*))
(*) as seen on other models such as the CRS317-1G-16S+.

We are then clearly at risk with our CCR1072-1G-8S+, not being able to monitor all their hardware components, which is a rather tricky situation for core devices.

I found other topics complaining about this : viewtopic.php?f=1&t=143899 / viewtopic.php?f=2&t=117322

Many thanks for your support Mikrotik dev' team !
 
LynxChaus
just joined
Posts: 23
Joined: Tue Jul 08, 2014 2:24 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 8:26 pm


*) tr069-client - added LTE CQI and IMSI parameter support;
Why only in tr069? Export in SNMP too, with all other info.
 
LeftyTs
Frequent Visitor
Posts: 51
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 12:32 am

One thing I would like to see in 6.45 is some hardware SNMP improvement for the CCR1072.
As stated in ticket #2019032822004818, many hardware OIDs are missing for this device, compared to what Winbox shows :
- Board temperature
- Board temperature 2
- Fan speed 3
- Fan speed 4
- PSU1 status (should be OID .15 (*))
- PSU2 status (should be OID .16 (*))
(*) as seen on other models such as the CRS317-1G-16S+.

We are then clearly at risk with our CCR1072-1G-8S+, not being able to monitor all their hardware components, which is a rather tricky situation for core devices.

I found other topics complaining about this : viewtopic.php?f=1&t=143899 / viewtopic.php?f=2&t=117322

Many thanks for your support Mikrotik dev' team !
+1
 
Jotne
Forum Guru
Posts: 1060
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 12:46 am

If you can see this system info in the cli, you can easily send it out to a monitor system using script and Syslog.

I have stopped using SNMP, since for every new unit I set up, I have to tell the system that there is a new Router/Switch, or have a program that scans a net. Scanning a net does not work if the routers are spread around in many nets.

Using Syslog is easy. Just add a script to the router when you are setting it up. It will then call home with all info you need.

Look at my Mikrotik for Splunk in my signature.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
bnw
just joined
Posts: 2
Joined: Thu Jun 13, 2019 5:56 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 1:31 am

If you can see this system info in the cli, you can easily send it out to a monitor system using script and Syslog.
We use SNMP for all our (network) devices from our enterprise monitoring & reporting solution, I think as many other companies.
We simply can't rely on workarounds.
We then expect Mikrotik to complete the SNMP tree for the CCR1072 hardware components, to have something reliable.
Thank you anyway !
 
emils
MikroTik Support
Topic Author
Posts: 433
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 8:37 am

Version 6.45beta62 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta62 (2019-Jun-13 10:13):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
!) user - removed insecure password storage;
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
*) bridge - correctly handle bridge host table;
*) capsman - fixed CAP system upgrading process for MMIPS;
*) certificate - added "key-type" field;
*) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1);
*) crs3xx - fixed "tx-drop" counter;
*) defconf - fixed channel width selection for RU locked devices;
*) dhcpv4-server - added "client-mac-limit" parameter;
*) dhcpv6-client - added option to disable rapid-commit;
*) dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time";
*) dhcpv6-server - added "address-list" support for bindings;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters;
*) dhcpv6-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "route-distance" parameter;
*) e-mail - properly release e-mail sending session if the server's domain name can not be resolved;
*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity;
*) ipsec - added "ph2-total" counter to "active-peers" menu;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
*) ipsec - added traffic statistics to "active-peers" menu;
*) ipsec - disallow setting "src-address" and "dst-address" for transport mode policies;
*) ipsec - renamed "remote-peers" to "active-peers";
*) ltap - renamed SIM slots "up" and "down" to "2" and "3";
*) lte - added passthrough interface subnet selection;
*) lte - fixed LTE interface running state on RBSXTLTE3-7 (introduced in v6.45beta);
*) m33g - added support for additional Serial Console port on GPIO headers;
*) routerboard - renamed 'sim' menu to 'modem';
*) snmp - fixed "send-trap" not working when "trap-generators" does not contain "temp-exception";
*) snmp - improved reliability on SNMP service packet validation;
*) winbox - added "System/SwOS" menu for all dual-boot devices;
*) winbox - do not allow setting "dns-lookup-interval" to "0";

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
andriys
Forum Guru
Posts: 1074
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 10:58 am

*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
Will it also work for "rsa-signature-hybrid"?
 
msatter
Forum Guru
Posts: 1093
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 11:43 am

Does anyone know where to find this setting? I have been looking for it for years now.

*) winbox - do not allow setting "dns-lookup-interval" to "0";

Many support mails about addresslists and DNS timings but this was never mentioned to me. I have now a limiter only for DNS so that when there is no upstream DNS it will not flood my local DNS server with countless resolve requests.

Update:
Found it on a Polish site and it is a setting not applying to what I was looking for.

So the limiter and drop line stays active.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.45Beta / Winbox 3.18 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
anuser
Member
Posts: 338
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 2:05 pm

Version 6.45beta62 has been released.
*) bridge - correctly handle bridge host table;
What kind of issue was there actually?
 
osc86
newbie
Posts: 38
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 2:42 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
CCR1009-7G-1C-1S+ ROS6.45beta62
 
pe1chl
Forum Guru
Posts: 5276
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 5:38 pm

Please implement "advertise-local-dns" option in IPv6 ND that makes router advertise the local address (same as gateway) as DNS server, instead of the IPv6 DNS servers configured in /ip dns.
(to make IPv6 systems use the local DNS resolver instead of going directly to the ISP DNS servers)

This is necessary to make locally configured DNS static names visible to IPv6 capable clients.
 
raffav
Member Candidate
Posts: 278
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 5:46 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part needs to be rebuilt, for better debugging
 
Cha0s
Forum Veteran
Posts: 865
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 2:18 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1
 
Florian
Frequent Visitor
Posts: 58
Joined: Sun Mar 13, 2016 9:45 am
Location: France

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 7:29 pm

Please implement "advertise-local-dns" option in IPv6 ND that makes router advertise the local address (same as gateway) as DNS server, instead of the IPv6 DNS servers configured in /ip dns.
(to make IPv6 systems use the local DNS resolver instead of going directly to the ISP DNS servers)

This is necessary to make locally configured DNS static names visible to IPv6 capable clients.
You can do this :

viewtopic.php?t=132657

That's what I do, it's working.
- Sorry for my english -
 
pe1chl
Forum Guru
Posts: 5276
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 10:11 pm

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
 
LeftyTs
Frequent Visitor
Posts: 51
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 3:23 am

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part needs to be rebuilt, for better debugging
For better debugging and analysis you should consider sending to a remote log server. Makes life much easier.
 
pawelkopec88
just joined
Posts: 8
Joined: Wed Mar 14, 2018 11:06 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 10:34 am

Hi,

HW Offloading doesn't work on HAP AC on RouterBOARD 962UiGS-5HacT2HnT ROS 6.45beta62. On stable 6.44.3 HW Offloading is working. I sent an email to your support with rif files.
 
eworm
Member
Posts: 304
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 11:25 am

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch...
Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and does not get this specific setting.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
TimurA
Frequent Visitor
Posts: 93
Joined: Sat Dec 15, 2018 6:13 am
Location: Tashkent

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:06 pm

Good job 6.45beta62! wifi 5ghz, 2 days running without crashing on RB4011.
 
pe1chl
Forum Guru
Posts: 5276
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:50 pm

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch...
Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and does not get this specific setting.
~85% of our users have Android, then maybe 10% Apple and 5% Windows.

I think it should not be that difficult to add an option to have ND advertise the local address (same as it advertises for gateway) as DNS server instead of the IPv6 addresses configured in /ip dns.
And when at that, also have some option in the DHCPv6 server to do the same thing. Other changes in DHCPv6 are in the changelist so apparently someone is working on it.
In the DHCPv4 server there is a field to specify own DNS servers and even a special checkmark to suppress the automatic advertisement of DNS servers... why not in IPv6?
 
pe1chl
Forum Guru
Posts: 5276
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:54 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part needs to be rebuilt, for better debugging
For better debugging and analysis you should consider sending to a remote log server. Makes life much easier.
Well, I agree that when you are running a lot of tunnels and you try to debug one of them, enabling packet-level debugging makes a terrible mess and/or load, even with remote log server.
It could be useful to have some option to enable ipsec debug logging for a single peer, preferably not by filtering but by only logging for that specific peer.
 
rdelacruz
newbie
Posts: 31
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 2:21 am

rdelacruz - Please note that accounting will work only for those users which have a queue. Data for accounting is taken from queue statistics
Yes, I'm aware of it. Are you referring to this queue?


If yes, can you please confirm that this added feature will work if we use RADIUS for accounting and lease? Thanks
Have you successfully tested this one?
 
EdPa
MikroTik Support
Posts: 15
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 11:36 am

Version 6.45beta62 has been released.
*) bridge - correctly handle bridge host table;
What kind of issue was there actually?
Under some occasions, hosts did not time out correctly. Now bridge will make sure hosts are removed.
 
toxmost
just joined
Posts: 2
Joined: Tue Jun 18, 2019 7:25 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 7:34 pm

Hello!
I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
IP address is received via DHCP. ALL WORKS GREAT! ---> firmware 6.44.3

If I update firmware to 6.45beta62, the SFP module has status "link ok", but no DHCP address is received; the DHCP client is always in status "searching", and packets (in module window) are TXed, but not RXed.

Can you fix it?

Thank you.
 
Boomish
just joined
Posts: 5
Joined: Wed Jun 05, 2019 12:07 am

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 8:40 pm

Can we get the ability to define an IP instead of using the detected IP for ip cloud ddns updates?
I'd like the ability to force the update before I deploy the unit to the field on its static IP.


It would also be handy if we could force delete a published DDNS Record.
 
mkx
Forum Guru
Posts: 2278
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 9:12 pm

Can we get the ability to define an IP instead of using the detected IP for ip cloud ddns updates?
I'd like the ability to force the update before I deploy the unit to the field on its static IP.


It would also be handy if we could force delete a published DDNS Record.
Ability to define IP address would bring in all sorts of problems, probability of mis-configuration is just too big.
And, BTW, what benefit would one get by having DDNS configured before unit was up&running instead a minute or two later?

It's been explained that DDNS record gets removed when DDNS is disabled on the unit (but it needs internet connectivity at that time).
BR,
Metod
 
msatter
Forum Guru
Posts: 1093
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 11:25 pm

Hello!
I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
IP address is received via DHCP. ALL WORKS GREAT! ---> firmware 6.44.3

If I update firmware to 6.45beta62, the SFP module has status "link ok", but no DHCP address is received; the DHCP client is always in status "searching", and packets (in module window) are TXed, but not RXed.

Can you fix it?

Thank you.
Did you try with auto-negotiation disabled?
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.45Beta / Winbox 3.18 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
msatter
Forum Guru
Posts: 1093
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 11:29 pm


Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemented in version 7.
There is now a wiki-page how to set. I can't place the word 'local' in the last sentence because all is local.

https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.45Beta / Winbox 3.18 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
Boomish
just joined
Posts: 5
Joined: Wed Jun 05, 2019 12:07 am

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 12:10 am

Can we get the ability to define an IP instead of using the detected IP for ip cloud ddns updates?
I'd like the ability to force the update before I deploy the unit to the field on its static IP.


It would also be handy if we could force delete a published DDNS Record.
Ability to define IP address would bring in all sorts of problems, probability of mis-configuration is just too big.
And, BTW, what benefit would one get by having DDNS configured before unit was up&running instead a minute or two later?

It's been explained that DDNS record gets removed when DDNS is disabled on the unit (but it needs internet connectivity at that time).

It is rather inconvenient to have to disable the individual peers on the hub when they all have the same IP address.

When building all of the spokes prior to sending them out they update their ddns and as a result they all have the same ip address because they are built on the same system.

Even after I disabled the DDNS Update the record wasn't deleted; in fact it persisted for multiple days.

Furthermore it would be nice to be able to publish a specific IP when your router is behind another natting device such as a PPPOE AT&T Router that only gives you your static IPs via a 1-1 NAT.
 
msatter
Forum Guru
Forum Guru
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 10:56 am

*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity;

Where can I set that identity?

I also noticed that the counters are all the same and these are L2tp/IPSEC connections:
wrong-counters.JPG
The local addresses, in PPP screen, are in the 172.20.12.xxx range (multiple connections). Suggestion attach the counters from the Remote Address because the same 172.20.12.xxx can be in the PPP list.

I see in the other screen of IPsec in Identities twice in the list column "My ID"
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.45Beta / Winbox 3.18 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
emils
MikroTik Support
Topic Author
Posts: 433
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 11:37 am

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible to set such comment for the dynamic Identity created by L2TP server's "use-ipsec" parameter.

Statistics counters for IKEv1 with no unique ID's will be fixed shortly.

Not sure what you meant with the third paragraph. Can you clarify?

There is nothing we can do about the multiple My-ID fields under Identity menu at this moment because of multiple data types stored in this parameter.

Regarding the IPsec logging requests. We have our thoughts about this and agree it should be improved, however the current logging mechanism in RouterOS is currently limiting what we can do. We will try to come up with a solution in future.

andriys, will see if we can enable RADIUS accounting for rsa-signature-hybrid authentication as well.
 
msatter
Forum Guru
Posts: 1093
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 12:55 pm

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible to set such comment for the dynamic Identity created by L2TP server's "use-ipsec" parameter.
For dynamic created ones there is naming available in the PPP menu as name. Limit displaying it to a certain amount of characters. Now I have to identify peers by other means because "peer1205 etc." is not much to go on in relation to the used names in PPP.

Statistics counters for IKEv1 with no unique ID's will be fixed shortly.
Thanks
Not sure what you meant with the third paragraph. Can you clarify?
That was belonging to the picture and as long there is a unique identification in the background I am happy.

There is nothing we can do about the multiple My-ID fields under Identity menu at this moment because of multiple data types stored in this parameter.
It looked already familiar to me being multiple My-ID present and I have never any content in there. I am only using it as client so this may be for server.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.45Beta / Winbox 3.18 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
emils
MikroTik Support
Topic Author
Posts: 433
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 1:07 pm

The thing is, PPP and IPsec are completely unrelated things and currently there is no way to associate the L2TP and the IPsec sessions with each other.
 
zryny4
just joined
Posts: 9
Joined: Sun Apr 17, 2016 12:29 pm

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 5:36 pm

Is RouterOS affected by CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479?
 
toxmost
just joined
Posts: 2
Joined: Tue Jun 18, 2019 7:25 pm

Re: v6.45beta [testing] is released!

Thu Jun 20, 2019 12:01 pm

Hello!
I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
IP address is received via DHCP. ALL WORKS GREAT! ---> firmware 6.44.3

If I update firmware to 6.45beta62, the SFP module has status "link ok", but no DHCP address is received; the DHCP client is always in status "searching", and packets (in module window) are TXed, but not RXed.

Can you fix it?

Thank you.
Did you try with auto-negotiation disabled?
I tried it. No effect.
 
nostromog
Member Candidate
Posts: 117
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Fri Jun 21, 2019 5:08 pm

I have two devices upgraded to 6.45beta62, but today I'm seeing this error (several times) while trying to upgrade another one:
 15:04:27 system,error broken package routeros-mipsbe-6.45beta62.npk 
Has the download file become corrupt? Is it some problem in this device?
 
chechito
Forum Guru
Posts: 1646
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 4:03 am

First time I see tx-queue1-packet being used in a CRS326 switch. It was always the tx-queue0-packet all the time. The switch seems to work faster now in some tests I have done.
will be nice to see multiple queues on each port to make QoS
 
mkx
Forum Guru
Posts: 2278
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 10:34 am

I have two devices upgraded to 6.45beta62, but today I'm seeing this error (several times) while trying to upgrade another one:
 15:04:27 system,error broken package routeros-mipsbe-6.45beta62.npk 
Has the download file become corrupt? Is it some problem in this device?

It is likely that the flash of device became corrupt (check output of /system resource print if it mentions bad blocks higher than 0%). But it can also happen that the downloaded npk got corrupted somewhere.

You can try to manually download the package from download.mikrotik.com - choose extra packages which is a ZIP file. Then extract all the packages (npk files) you need - get the list of installed and enabled packages from router itself. Upload those npk files to router and reboot the router afterwards.
If it doesn't upgrade during reboot, check the log for any information.
BR,
Metod
 
nostromog
Member Candidate
Member Candidate
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 2:03 pm

You can try to manually download the package from download.mikrotik.com - choose extra packages which is a ZIP file. Then extract all the packages (npk files) you need - get the list of installed and enabled packages from router itself. Upload those npk files to router and reboot the router afterwards.
If it doesn't upgrade during reboot, check the log for any information.
I did it this way and it worked, so I guess either the CDN or the copy in the download site itself got corrupted...

Still a pretty useless thing, given that packages with patches for the linux SACK of death thing are forthcoming... :)
 
Paternot
Long time Member
Posts: 570
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 8:05 pm

I know the router tests integrity before installation, but Mikrotik could put the md5sums on the site too. It would be one easy way to find out if our download was corrupted.

EDIT

Nevermind, silly me. Just found the link to them. Not very practical, but it is there.
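
An added example, not part of the original posts and not MikroTik code: one way to check the .npk files inside a manually downloaded extra-packages ZIP against a published MD5 list before uploading them to a router, as discussed in the posts above. The md5sum-style list format, the function names and the pkg-*.npk names are assumptions; the sample archive is constructed in memory.

```python
import hashlib
import io
import zipfile


def parse_md5_list(text):
    """Parse md5sum-style lines ('<32 hex digits>  <file name>') into a dict."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            continue  # blank line or not a checksum entry
        digest, name = parts
        try:
            int(digest, 16)
        except ValueError:
            continue  # 32 characters, but not hexadecimal
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums


def md5_of(stream, chunk=65536):
    """Hash a file-like object in chunks so large packages are not loaded whole."""
    h = hashlib.md5()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def check_packages(zip_file, md5_text, wanted):
    """Return {package name: 'ok' | 'mismatch' | 'no checksum' | 'not in zip'}."""
    expected = parse_md5_list(md5_text)
    report = {}
    with zipfile.ZipFile(zip_file) as zf:
        # Index members by base name; the archive may or may not use a folder.
        members = {n.rsplit("/", 1)[-1]: n for n in zf.namelist()}
        for name in wanted:
            if name not in members:
                report[name] = "not in zip"
            elif name not in expected:
                report[name] = "no checksum"
            else:
                try:
                    with zf.open(members[name]) as fh:
                        actual = md5_of(fh)
                except zipfile.BadZipFile:
                    actual = None  # the ZIP's own CRC check failed while reading
                report[name] = "ok" if actual == expected[name] else "mismatch"
    return report


def build_sample():
    """Constructed data: a small ZIP with fake .npk payloads and an MD5 list."""
    original = {
        "pkg-a.npk": b"A" * 5000,
        "pkg-b.npk": b"B" * 5000,
        "pkg-c.npk": b"C" * 5000,
    }
    # The list covers only pkg-a and pkg-b, computed from the undamaged bytes.
    md5_text = "".join(
        "%s  %s\n" % (hashlib.md5(original[n]).hexdigest(), n)
        for n in ("pkg-a.npk", "pkg-b.npk")
    )
    received = dict(original)
    damaged = bytearray(received["pkg-b.npk"])
    damaged[1234] ^= 0x01  # one flipped bit, as a corrupted download might have
    received["pkg-b.npk"] = bytes(damaged)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in received.items():
            zf.writestr("all_packages/" + name, data)
    buf.seek(0)
    return buf, md5_text


if __name__ == "__main__":
    archive, sums = build_sample()
    wanted = ["pkg-a.npk", "pkg-b.npk", "pkg-c.npk", "pkg-d.npk"]
    for name, status in check_packages(archive, sums, wanted).items():
        print("%-10s %s" % (name, status))
```

An MD5 comparison like this only detects accidental corruption of a download; it does not authenticate the package.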
 
611
just joined
Posts: 16
Joined: Wed Oct 17, 2018 10:12 am

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 9:10 pm

Does anyone know where to find this setting? I have been looking for it for years now.
*) winbox - do not allow setting "dns-lookup-interval" to "0";
Update:
Found it on a Polish site and it is a setting not applying to what I was looking for.
It was a very "funny" bug actually - a device added to Dude via Winbox with default settings caused instant 100% CPU load with 50% going to Dude server and another 50% to DNS resolver as Dude was polling it with zero interval.
Creating a device with such settings is impossible with Dude client.
