nz_monkey
Forum Guru
Posts: 1805
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 12:08 am

I hope I'm not missing the point, but isn't this IKEv2 & policy routing something that would be best solved by what's known as route/interface-based VPN, VTI, etc.? I remember it used to be a popular request here a few years ago. If I understand it correctly, the Linux implementation provides interfaces for IPsec connections, but internally it's still regular policy-based tunnels (often with 0.0.0.0/0 on both sides, but it can be anything). And some marks transparently assigned to outgoing traffic via that interface (it basically serves as an additional filter for the policy) are used to control what traffic it will actually apply to. So this should nicely cover the use case for multiple outgoing IPsec connections (like popular commercial VPN services). But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.
Mikrotik support have acknowledged the VTI request, but said it requires a newer kernel.

They will revisit the request once v7 beta is out.
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
emils
MikroTik Support
Topic Author
Posts: 431
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 11:11 am


Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemented in version 7.
 
eworm
Member Candidate
Posts: 298
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 11:47 am

No rc versions this time?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
pe1chl
Forum Guru
Posts: 5267
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 12:07 pm

But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.
Well, I remember the days when all Linux systems did that, but it was changed because others (BSD, Cisco) were not using separate interfaces but only those policies.
I always considered it a bad move. Dedicated interfaces for IPsec traffic were so much clearer.
Apparently later (and currently) the option to use interfaces was re-introduced, but today I am not using plain Linux systems as routers anymore so I lost track of that.

Whenever possible, I use a tunnel over IPsec transport. I use GRE because it has some other use cases, but you can use IPIP too.
In fact, IPIP over IPsec transport is almost the same as an IPsec tunnel at the protocol layer. I.e. there is no extra overhead.
But of course this can only be done when you manage both ends, as they cannot be interconnected.
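A worked configuration for the "tunnel over IPsec transport" approach pe1chl describes, as an added example that is not part of any post in this thread and not MikroTik's own documentation. It assumes two RouterOS 6.45 routers with public addresses 198.51.100.1 (site A, shown) and 203.0.113.2 (site B, mirror image with the addresses swapped), the profile/peer/identity layout of 6.44 and later, a placeholder pre-shared key, and site B's LAN being 192.168.2.0/24. Because the beta62 changelog in this thread says transport-mode policies can no longer carry src-address/dst-address, the policy below matches on peer and protocol only; on versions that still require those fields, set both to the two endpoint /32 addresses.

```routeros
# Site A (198.51.100.1). Added example, not from this thread; site B mirrors it with addresses swapped.
# Phase 1 (IKEv2): profile, peer and the identity that authenticates it
/ip ipsec profile add name=siteB-p1 enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 lifetime=8h
/ip ipsec peer add name=siteB address=203.0.113.2/32 profile=siteB-p1 exchange-mode=ike2
/ip ipsec identity add peer=siteB auth-method=pre-shared-key secret="CHANGE-ME-long-random-psk"
# Phase 2: transport mode (tunnel=no) that encrypts only GRE (IP protocol 47) between the two endpoints.
# level=require means GRE to the peer is never sent in the clear while the SA is down.
/ip ipsec proposal add name=siteB-p2 enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048 lifetime=1h
/ip ipsec policy add peer=siteB tunnel=no protocol=gre proposal=siteB-p2 action=encrypt level=require comment="GRE to site B inside IPsec transport"
# The routed interface: a GRE tunnel riding on that SA, with its own /30 and ordinary routes
/interface gre add name=gre-siteB local-address=198.51.100.1 remote-address=203.0.113.2 comment="site B"
/ip address add address=10.255.0.1/30 interface=gre-siteB
/ip route add dst-address=192.168.2.0/24 gateway=10.255.0.2 comment="site B LAN via GRE"
# Input firewall: IKE and ESP only from the peer, GRE only after it has been decrypted, clear-text GRE never
/ip firewall filter add chain=input src-address=203.0.113.2 protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T from site B"
/ip firewall filter add chain=input src-address=203.0.113.2 protocol=ipsec-esp action=accept comment="ESP from site B"
/ip firewall filter add chain=input src-address=203.0.113.2 protocol=gre ipsec-policy=in,ipsec action=accept comment="GRE only if it arrived inside IPsec"
/ip firewall filter add chain=input protocol=gre action=drop comment="clear-text GRE from anyone is dropped"
```

The GRE interface is what gives you the "interface" semantics the thread is asking for: routes, queues, firewall in-interface matching and dynamic routing all work on gre-siteB, while the single transport policy stays fixed. The last two filter rules make the policy check explicit: a packet that claims to be GRE from the peer but did not arrive inside ESP (a spoofed source address, or the SA being down) is dropped rather than decapsulated.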
 
bnw
just joined
Posts: 2
Joined: Thu Jun 13, 2019 5:56 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 6:02 pm

One thing I would like to see in 6.45 is some hardware SNMP improvement for the CCR1072.
As stated in ticket #2019032822004818, many hardware OIDs are missing for this device, compared to what Winbox shows :
- Board temperature
- Board temperature 2
- Fan speed 3
- Fan speed 4
- PSU1 status (should be OID .15 (*))
- PSU2 status (should be OID .16 (*))
(*) as seen on other models such as the CRS317-1G-16S+.

We are then clearly at risk with our CCR1072-1G-8S+, not being able to monitor all their hardware components, which is a rather tricky situation for core devices.

I found other topics complaining about this : viewtopic.php?f=1&t=143899 / viewtopic.php?f=2&t=117322

Many thanks for your support Mikrotik dev' team !
 
LynxChaus
just joined
Posts: 23
Joined: Tue Jul 08, 2014 2:24 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 8:26 pm


*) tr069-client - added LTE CQI and IMSI parameter support;
Why only in tr069? Export in SNMP too, with all other info.
 
LeftyTs
Frequent Visitor
Posts: 51
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 12:32 am

One thing I would like to see in 6.45 is some hardware SNMP improvement for the CCR1072.
As stated in ticket #2019032822004818, many hardware OIDs are missing for this device, compared to what Winbox shows :
- Board temperature
- Board temperature 2
- Fan speed 3
- Fan speed 4
- PSU1 status (should be OID .15 (*))
- PSU2 status (should be OID .16 (*))
(*) as seen on other models such as the CRS317-1G-16S+.

We are then clearly at risk with our CCR1072-1G-8S+, not being able to monitor all their hardware components, which is a rather tricky situation for core devices.

I found other topics complaining about this : viewtopic.php?f=1&t=143899 / viewtopic.php?f=2&t=117322

Many thanks for your support Mikrotik dev' team !
+1
 
Jotne
Forum Guru
Posts: 1029
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 12:46 am

If you can see this system info in the cli, you can easily send it out to a monitor system using script and Syslog.

I have stopped using SNMP, since for every new unit I set up, I have to tell the system that there is a new Router/Switch, or have a program that scans a net. Scanning a net does not work if the routers are spread around many nets.

Using Syslog is easy. Just add a script to the router when you are setting it up. It will then call home with all the info you need.

Look at my Mikrotik for Splunk in my signature.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
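What the "script plus syslog" approach Jotne describes looks like in RouterOS 6.x, as an added example that is neither Jotne's Splunk setup nor MikroTik documentation. It assumes a syslog collector at 192.0.2.10 on UDP 514 and a board whose /system health exposes temperature and voltage; health field names differ per model, so check "/system health print" on the device first and extend the script with whatever that board reports (fan speeds, PSU state) since that is exactly the data bnw cannot get over SNMP on the CCR1072.

```routeros
# Added example, not from the thread: ship health readings to a remote collector over syslog.
# Remote logging target; RouterOS sends plain UDP syslog, so pick the source address deliberately
/system logging action add name=remote-syslog target=remote remote=192.0.2.10 remote-port=514 syslog-facility=local0 bsd-syslog=yes
# Everything a script writes with :log (topic "script") is copied to the collector
/system logging add topics=script action=remote-syslog
# One line per run, key=value so the collector can parse it without a MIB.
# Inner quotes and $ are escaped so substitution happens when the script runs, not when it is defined.
/system script add name=health-report source=":local id [/system identity get name]; :local t [/system health get temperature]; :local v [/system health get voltage]; :log info \"health host=\$id temperature=\$t voltage=\$v\""
# Call home every five minutes
/system scheduler add name=health-report interval=5m on-event=health-report
```

Two caveats a monitoring team will raise, and which are the substance of bnw's objection below: UDP syslog carries no authentication, so the collector must at least restrict accepted sources by IP (or the traffic must ride a management VPN), and a push model only tells you what a live router chooses to send, whereas an SNMP poll also detects the router that has stopped answering. Trim the script's policy set to what it needs rather than leaving the default full policy on a script that runs unattended.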
 
 
bnw
just joined
Posts: 2
Joined: Thu Jun 13, 2019 5:56 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 1:31 am

If you can see this system info in the cli, you can easily send it out to a monitor system using script and Syslog.
We use SNMP for all our (network) devices from our enterprise monitoring & reporting solution, I think as many other companies.
We simply can't rely on workarounds.
We then expect Mikrotik to complete the SNMP tree for the CCR1072 hardware components, to have something reliable.
Thank you anyway !
 
emils
MikroTik Support
Topic Author
Posts: 431
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 8:37 am

Version 6.45beta62 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta62 (2019-Jun-13 10:13):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
!) user - removed insecure password storage;
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
*) bridge - correctly handle bridge host table;
*) capsman - fixed CAP system upgrading process for MMIPS;
*) certificate - added "key-type" field;
*) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1);
*) crs3xx - fixed "tx-drop" counter;
*) defconf - fixed channel width selection for RU locked devices;
*) dhcpv4-server - added "client-mac-limit" parameter;
*) dhcpv6-client - added option to disable rapid-commit;
*) dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time";
*) dhcpv6-server - added "address-list" support for bindings;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters;
*) dhcpv6-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "route-distance" parameter;
*) e-mail - properly release e-mail sending session if the server's domain name can not be resolved;
*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity;
*) ipsec - added "ph2-total" counter to "active-peers" menu;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
*) ipsec - added traffic statistics to "active-peers" menu;
*) ipsec - disallow setting "src-address" and "dst-address" for transport mode policies;
*) ipsec - renamed "remote-peers" to "active-peers";
*) ltap - renamed SIM slots "up" and "down" to "2" and "3";
*) lte - added passthrough interface subnet selection;
*) lte - fixed LTE interface running state on RBSXTLTE3-7 (introduced in v6.45beta);
*) m33g - added support for additional Serial Console port on GPIO headers;
*) routerboard - renamed 'sim' menu to 'modem';
*) snmp - fixed "send-trap" not working when "trap-generators" does not contain "temp-exception";
*) snmp - improved reliability on SNMP service packet validation;
*) winbox - added "System/SwOS" menu for all dual-boot devices;
*) winbox - do not allow setting "dns-lookup-interval" to "0";

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
andriys
Forum Guru
Posts: 1074
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 10:58 am

*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
Will it also work for "rsa-signature-hybrid"?
 
msatter
Forum Guru
Posts: 1082
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 11:43 am

Does anyone knows where to find this setting? I am looking for it for years now.

*) winbox - do not allow setting "dns-lookup-interval" to "0";

Many support mails about addresslists and DNS timings but this was never mentioned to me. I have now a limiter only for DNS so that when there is no upstream DNS it will not flood my local DNS server with countless resolve requests.

Update:
Found it on a Polish site, and it is a setting that does not apply to what I was looking for.

So the limiter and drop line stays active.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.45Beta / Winbox 3.18 / MikroTik APP 1.2.5
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
anuser
Member
Posts: 338
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 2:05 pm

Version 6.45beta62 has been released.
*) bridge - correctly handle bridge host table;
What kind of issue was there actually?
 
osc86
newbie
Posts: 38
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 2:42 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
CCR1009-7G-1C-1S+ ROS6.45beta62
 
pe1chl
Forum Guru
Posts: 5267
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 5:38 pm

Please implement "advertise-local-dns" option in IPv6 ND that makes router advertise the local address (same as gateway) as DNS server, instead of the IPv6 DNS servers configured in /ip dns.
(to make IPv6 systems use the local DNS resolver instead of going directly to the ISP DNS servers)

This is necessary to make locally configured DNS static names visible to IPv6 capable clients.
 
raffav
Member Candidate
Posts: 278
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 5:46 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part needs to be rebuilt, for better debugging
 
Cha0s
Forum Veteran
Posts: 864
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 2:18 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1
 
Florian
Frequent Visitor
Posts: 58
Joined: Sun Mar 13, 2016 9:45 am
Location: France

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 7:29 pm

Please implement "advertise-local-dns" option in IPv6 ND that makes router advertise the local address (same as gateway) as DNS server, instead of the IPv6 DNS servers configured in /ip dns.
(to make IPv6 systems use the local DNS resolver instead of going directly to the ISP DNS servers)

This is necessary to make locally configured DNS static names visible to IPv6 capable clients.
You can do this :

viewtopic.php?t=132657

That's what I do, it's working.
- Sorry for my english -
 
pe1chl
Forum Guru
Posts: 5267
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 10:11 pm

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
 
LeftyTs
Frequent Visitor
Posts: 51
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 3:23 am

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part needs to be rebuilt, for better debugging
For better debugging and analysis you should consider sending to a remote log server. Makes life much easier.
 
pawelkopec88
just joined
Posts: 8
Joined: Wed Mar 14, 2018 11:06 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 10:34 am

Hi,

HW offloading doesn't work on the hAP ac (RouterBOARD 962UiGS-5HacT2HnT) on ROS 6.45beta62. On stable 6.44.3 HW offloading is working. I have sent an email to your support with rif files.
 
eworm
Member Candidate
Posts: 298
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 11:25 am

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider switching...
Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and does not get this specific setting.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
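The DHCPv6 side of what eworm and Florian describe, as an added example that is not from either of them, not from the linked topic, and not MikroTik documentation. It assumes a LAN bridge named "bridge" on which the router holds fd12::1, an existing prefix pool "v6-pool", and that the 6.x "/ipv6 dhcp-server option" menu takes a raw option code and a hex value the way the DHCPv4 option menu does; that last point is an assumption, so compare with the export of a working router before relying on it.

```routeros
# Added example, not from the thread: advertise the router's own address as IPv6 DNS server via DHCPv6.
# ND keeps doing address configuration (SLAAC); other-configuration tells clients to ask DHCPv6 for the rest.
/ipv6 nd set [find interface=bridge] other-configuration=yes
# DHCPv6 option 23 (OPTION_DNS_SERVERS): value is the 16-byte address fd12::1 written out in hex (assumed syntax)
/ipv6 dhcp-server option add name=local-dns code=23 value=0xfd120000000000000000000000000001
# Attach the option to the server on the LAN
/ipv6 dhcp-server add name=lan-v6 interface=bridge address-pool=v6-pool dhcp-option=local-dns
```

Two things to verify after applying it: ND will still advertise whatever is configured under /ip dns as RDNSS, so a client that honours both may end up with two resolvers, and, as eworm notes, Android does not speak DHCPv6 and will keep using the RDNSS addresses; if those clients matter, pe1chl's request for an ND-side option is the only clean fix.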
 
TimurA
Frequent Visitor
Posts: 92
Joined: Sat Dec 15, 2018 6:13 am
Location: Tashkent

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:06 pm

Good job 6.45beta62! wifi 5ghz, 2 days running without crashing on RB4011.
 
pe1chl
Forum Guru
Posts: 5267
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:50 pm

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch...
Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and does not get this specific setting.
~85% of our users have Android, then maybe 10% Apple and 5% Windows.

I think it should not be that difficult to add an option to have ND advertise the local address (same as it advertises for gateway) as DNS server instead of the IPv6 addresses configured in /ip dns.
And when at that, also have some option in the DHCPv6 server to do the same thing. Other changes in DHCPv6 are in the changelist so apparently someone is working on it.
In the DHCPv4 server there is a field to specify own DNS servers and even a special checkmark to suppress the automatic advertisement of DNS servers... why not in IPv6?
 
pe1chl
Forum Guru
Posts: 5267
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:54 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part need to be rebuild, for betther debugging
For better debugging and analysis you should consider sending to a remote log server. Makes life much easier.
Well, I agree that when you are running a lot of tunnels and you try to debug one of them, enabling packet-level debugging makes a terrible mess and/or load, even with remote log server.
It could be useful to have some option to enable ipsec debug logging for a single peer, preferably not by filtering but by only logging for that specific peer.
 
rdelacruz
newbie
Posts: 30
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 2:21 am

rdelacruz - Please note that accounting will work only for those users which have a queue. Data for accounting is taken from queue statistics
Yes, I'm aware of it. Are you referring to this queue?

(screenshot of the queue, not reproduced)

If yes, can you please confirm that this added feature will work if we use RADIUS for accounting and lease? Thanks
Have you successfully tested this one?
