Guys! If there will be ROS 7 stable release, we should celebrate it with a big worldwide party
Now Beta. And Alpha? Alpha V7?
Tell me the truth, who decided that current is stable? It is bugfix that can be considered stable, while current is some bleeding-edge and sometimes even "never to use in prod" version.
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
Alpha V7 will be launched after v6.99 or v6.999 released
Now Beta. And Alpha? Alpha V7?
So to say, MT used to down and up again PPP-interfaces when you change comment on it! It was this way some time ago, not sure for now, but this was some "bright" idea these days (and maybe today).
currently peering session re-connects when its comment is changed in Winbox.
I suspect they will release some absolutely new change in the system somewhere between 6.49 and 6.49.7, so no one will ever be able to predict that. Look at new bridge implementation introduction, some serious change that is there in current (sorry, so called stable) release but not in the bugfix, and you get the idea.
Alpha V7 will be launched after v6.99 or v6.999 released :lol: :lol: :lol:
Now Beta. And Alpha? Alpha V7? :)
Hi Mikrotik will this release channel naming be pushed down into other releases at a later time ?
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
That's good, but we need another channel named oldstable, where 6.42 should go and stay for at least several weeks.
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
If MT is not going to release new versions in 6.42.x series, then this series does not need its own channel. If you want to downgrade your RB to some particular older version of ROS you can always download it (manually construct download URL if every other option to get DL link fails) and install.
That's good, but we need another channel named oldstable, where 6.42 should go and stay for at least several weeks.
At least do make downgrading more seamless when necessary.
Upload 'old Firmware' to Router and reboot...
That's good, but we need another channel named oldstable, where 6.42 should go and stay for at least several weeks.
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
At least do make downgrading more seamless when necessary.
Maybe they think the new Bridge module is mature enough, to mark as stable. This naming method was earlier too, so they only returned to that.
Mikrotik, please explain why you needed to rename the release channels. Also please explain what real change does this mean. Without that the renaming of current to stable is very confusing for those who came recently or do not know that the only well tested bugfix could be considered as stable in reality.
Be aware this overlaps with 64800: https://en.wikipedia.org/wiki/Wireless_ ... e#Channels
seems this release gave us a wireless channel 66000 on w60g interface. Nice!
Currently the RB3011 IPsec performance is comparable with any of the IPQ4018 routers (like 450Gx4, hAP ac2), it actually shares the same driver, however there are 4 total crypto modules on RB3011 and as of now only 1 is enabled, meaning it has the potential to achieve even higher throughput. Anyway, we will continue to develop this driver, but in the mean time, 400Mbps over the 100Mbps which you were able to achieve with software crypto is a valuable gain in my opinion.
IPSec results appeared on the RB3011 product page as the Mikrotik guys promised, but these values are lower than IPSec results on the 750Gr3 page. The HW crypt core is weaker in the RB3011 or there will be optimizations in further ROS releases?
Yes, that's true. Only that was strange, the smaller and cheaper 750Gr3 is stronger in it, but I got a deep explanation from you. Thank you!
Currently the RB3011 IPsec performance is comparable with any of the IPQ4018 routers (like 450Gx4, hAP ac2), it actually shares the same driver, however there are 4 total crypto modules on RB3011 and as of now only 1 is enabled, meaning it has the potential to achieve even higher throughput. Anyway, we will continue to develop this driver, but in the mean time, 400Mbps over the 100Mbps which you were able to achieve with software crypto is a valuable gain in my opinion.
IPSec results appeared on the RB3011 product page as the Mikrotik guys promised, but these values are lower than IPSec results on the 750Gr3 page. The HW crypt core is weaker in the RB3011 or there will be optimizations in further ROS releases?
I reported the same problem to support. After upgrade to 6.43 rbM11 loses card. No answer yet.
RBM11G and R11e-5HacT loses the R11e-5HacT in this software revision and in 6.43 downgrading to 6.42.7 auto-magically makes the wireless card come back so it is a software issue and not a hardware issue. It is also repeatable during testing.
viewtopic.php?f=21&t=139189
Upgraded now, and I am not able to login anymore. Password appears to be changed. Same problem in Webfig as SSH. Known issue? Any idea how to restore?
Hi,
Well, I guess it should still be possible to login with Webfig or SSH?
Try to clear cache:
Winbox 3.18 - not working... When running it on a PC...
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
Officially, yes, but if the device is being replaced with one of the same model and the MAC addresses are reset after the restore, if you are in a pinch and have nothing else, the .backup does work, even though it is not the best choice. I imagine that is why andriys is asking and I would echo it - even though it is bad practice, it can be better to have the .backup than to have to recreate a complicated config from scratch, if whoever was managing the router was not careful enough to keep good .rsc backups.
Remember that in MikroTik RouterOS, backup file is for restoring past configuration on the same device, not a safeguard against a lost or damaged device, for restoring on other devices, you should be using "export" config files.
Why can't device-specific stuff like MAC-addresses simply be removed from the backup files?
Remember that in MikroTik RouterOS, backup file is for restoring past configuration on the same device, not a safeguard against a lost or damaged device, for restoring on other devices, you should be using "export" config files.
Export config files is death for me. Tried everything what is mentioned in the wiki and forum but never succeeded to import a config file for years.
Remember that in MikroTik RouterOS, backup file is for restoring past configuration on the same device, not a safeguard against a lost or damaged device, for restoring on other devices, you should be using "export" config files.
i'd like to have something like '/sys backup load name="filename.backup" password="dragon" keep-mac-addresses=yes'
Why can't device-specific stuff like MAC-addresses simply be removed from the backup files?
in case of big export files you can run into situations, when the next command is just not accepted. like you add an object as nameA, then try to set something on the same object by its name, and CLI responds as "not found". carefully tuned delay statements help with these issues.
Without an example we can not comment why you are not being able to import .rsc file.
plink.exe -v -ssh username@hostname -i .\mikrotik-priv.key.ppk -sshlog .\lkjlkj.log ":put 'hello';/quit"
...........
Event Log: Opened main channel
Outgoing packet #0x9, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
00000000 00 00 00 00 00 00 00 22 73 69 6d 70 6c 65 40 70 ......."simple@p
00000010 75 74 74 79 2e 70 72 6f 6a 65 63 74 73 2e 74 61 utty.projects.ta
00000020 72 74 61 72 75 73 2e 6f 72 67 00 rtarus.org.
Outgoing packet #0xa, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
00000000 00 00 00 00 00 00 00 04 65 78 65 63 01 00 00 00 ........exec....
00000010 12 3a 70 75 74 20 27 68 65 6c 6c 6f 27 3b 2f 71 .:put 'hello';/q
00000020 75 69 74 uit
Incoming packet #0x9, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
00000000 00 00 01 00 ....
Event Log: Started a shell/command
Incoming packet #0xa, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
00000000 00 00 01 00 00 00 00 0b 65 78 69 74 2d 73 74 61 ........exit-sta
00000010 74 75 73 00 00 00 00 00 tus.....
Event Log: Server sent command exit status 0
Incoming packet #0xb, type 97 / 0x61 (SSH2_MSG_CHANNEL_CLOSE)
00000000 00 00 01 00 ....
Outgoing packet #0xb, type 96 / 0x60 (SSH2_MSG_CHANNEL_EOF)
00000000 00 00 00 00 ....
Outgoing packet #0xc, type 97 / 0x61 (SSH2_MSG_CHANNEL_CLOSE)
00000000 00 00 00 00 ....
Event Log: Disconnected: All channels closed
:while (true) do={delay 300; :put "999 BEG";/ip firewall address-list print terse without-paging where list="china"; :put "999 END"}
Also can use that third tool that someone built that can read rsc file and remove unnecessary lines like mac address
Without an example we can not comment why you are not being able to import .rsc file.
We recommend that you import file step-by-step if it is failing. Then you will see at which point configuration is not accepted and you can fix it or report a problem to support@mikrotik.com if there is one.
Export/import must work without any problems on the same model RouterBOARD if the same RouterOS version is installed on both devices and the same software packages are enabled.
Oh, that's why. Thanks for clearing it up.
"Because it is whole system backup."
Is this specifically for Linux KVM or is it also for other virtual environments?
*) chr - assign interface names based on underlying PCI device order on KVM;
I am in the same boat, and for me the fact that certificates are not in /export is a showstopping reason not to use certificates, even when the router is putting "insecure configuration, suggest to use certificates" comments in some config items.
I have set up automated exports and the output is saved in version control system, so I know what exactly changed and when. And it's perfect for me, but sadly incomplete. Luckily not every router has certificates and recreating users is bearable. But it would be better if export had everything.
Can you give more info on your setup/workflow?
I have set up automated exports and the output is saved in version control system, so I know what exactly changed and when.
for /F "tokens=*" %%A in (hosts.txt) do plink -ssh -i backup.ppk backup@%%A /export | grep "^[^#]" > %%A.rsc
git add *.rsc
git commit -m "automated backup"
/user group
add name=backup policy=ssh,read,sensitive,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!api
/user
add group=backup name=backup
RANCID works for this. There are runners for a lot of different NOS.
Can you give more info on your setup/workflow?
I have set up automated exports and the output is saved in version control system, so I know what exactly changed and when.
I am interested in implementing something similar.
Thanks.
Mikrotik 60 GHZ@66000 MHz ???
2nd problem - I see only 4 frequencies - there is no 66000 MHz option
I miss it thank you for the info
CLI only. You will also need to add it to frequency-list of remote end.
What are you talking about? What are USB U3 programs? Please stop posting such posts.
I'd like to find out about helping with the Beta test on this...I've used the big program for many years now, and have been on the Beta list for quite some time.
I just started using PE, as I've changed employers, and my new job won't allow me to install anything on my computer there, but I can use USB U3 programs. I'm already really liking this, and would be glad to assist with your testing
Thanks
-Chris
After updating to 6.44beta9 I can not get output of command execution over SSH, using putty's plink. What I mean:
plink.exe -v -ssh username@hostname -i .\mikrotik-priv.key.ppk -sshlog .\lkjlkj.log ":put 'hello';/quit"
ssh -i "mikrotik.key" admin@192.168.0.254 ":put \"hello\""
Currently the RB3011 IPsec performance is comparable with any of the IPQ4018 routers (like 450Gx4, hAP ac2), it actually shares the same driver, however there are 4 total crypto modules on RB3011 and as of now only 1 is enabled, meaning it has the potential to achieve even higher throughput. Anyway, we will continue to develop this driver, but in the mean time, 400Mbps over the 100Mbps which you were able to achieve with software crypto is a valuable gain in my opinion.
*) rb3011 - implemented multiple engine IPsec hardware acceleration support;
Hello, semester is starting, soon. So I'm asking myself what problems will our users face without this patch? What stability problems exist? It would be great to have this in 6.43.3 as well.
Version 6.44beta14 has been released.
*) wireless - improved stability for 802.11ac;
Any description of improve? Thanks
*) wireless - improved stability for 802.11ac;
+1
Any description of improve? Thanks
*) wireless - improved stability for 802.11ac;
This fix should provide better rate selection at higher rates and at higher load.
Any description of improve? Thanks
*) wireless - improved stability for 802.11ac;
Will this be fixed for the RB922UAGS-5HPacD as well?
*) wireless - improved signal strength at low TX power on LHG 5 ac, LHG 5 ac XL and LDF 5 ac ("/system routerboard upgrade" required);
[admin@MikroTik] > :put ([ /tool fetch https://www.eworm.de/ip/index.shtml output=user as-value ]->"data")
91.16.17.160
[admin@MikroTik] > /file print where name="index.shtml"
# NAME TYPE SIZE CREATION-TIME
0 index.shtml .shtml file 0 oct/10/2018 15:07:50
I've just finished writing something to automate git commit backups
@Cha0s: What I currently use is a little old and messy (php + svn). Long-term plan is to write something nicer and share it here in the forum too, but it might take a while. But bare bones version can be:
for /F "tokens=*" %%A in (hosts.txt) do plink -ssh -i backup.ppk backup@%%A /export | grep "^[^#]" > %%A.rsc
git add *.rsc
git commit -m "automated backup"
File backup.ppk is PuTTY's private key and hosts.txt is text file with list of addresses or hostnames. Grep strips comments, to only record real changes. On router there's backup user (with ssh key):
/user group
add name=backup policy=ssh,read,sensitive,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!api
/user
add group=backup name=backup
And that's it, just run it as often as needed, from scheduler or manually. There's a lot of room for improvements (logging, notifications on failure, ...), but even this is usable as quick'n'dirty solution. Or it could be done in reverse, with routers uploading their config to some central server and a script there could handle the rest. Now if only the export exported everything...
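The comment-stripping step from the post above, as an added example in Python (not the poster's script and not MikroTik code): it drops comment lines the way the grep does, joins backslash-continued export lines so diffs stay stable, and lists parameters that carry secrets, since the backup group has the "sensitive" policy and those values land in the repository. The sample export and the list of secret-bearing parameter names are constructed assumptions.

```python
import re

# Assumption: a non-exhaustive list of export parameters whose values are secrets.
SENSITIVE_KEYS = ("password", "secret", "wpa-pre-shared-key", "wpa2-pre-shared-key")
_SECRET_RE = re.compile(
    r'(?<!\S)(' + "|".join(re.escape(k) for k in SENSITIVE_KEYS)
    + r')=("(?:[^"\\]|\\.)*"|\S+)'
)

# Constructed sample of "/export" output; every value in it is made up.
SAMPLE_EXPORT = r"""# oct/10/2018 15:07:50 by RouterOS 6.43.2
# software id = XXXX-XXXX
#
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key="constructed example key"
/ppp secret
add name=alice password=constructed-pw service=l2tp
/ip firewall filter
add action=accept chain=input comment="allow established" connection-state=\
    established,related
"""


def normalise_export(raw):
    """Return one string per command.

    Empty lines and lines starting with '#' are dropped (the same lines that
    grep "^[^#]" filters out); a line ending in a backslash is joined with
    the next line, whose leading indentation is removed.
    """
    commands, pending = [], None
    for line in raw.splitlines():
        if pending is None:
            if line == "" or line.startswith("#"):
                continue
            current = line
        else:
            current = pending + line.lstrip()
        if current.endswith("\\"):
            pending = current[:-1]  # keep collecting the wrapped command
        else:
            commands.append(current)
            pending = None
    if pending is not None:  # export ended in the middle of a wrapped line
        commands.append(pending)
    return commands


def find_secrets(commands):
    """Return (command_number, menu, parameter) for every secret-bearing parameter."""
    findings, menu = [], ""
    for number, command in enumerate(commands, start=1):
        if command.startswith("/"):
            menu = command  # remember the menu path the next commands belong to
        for match in _SECRET_RE.finditer(command):
            findings.append((number, menu, match.group(1)))
    return findings


def redact(commands):
    """Copy of the commands with secret values replaced, for a shareable diff."""
    return [_SECRET_RE.sub(lambda m: m.group(1) + "=<redacted>", c) for c in commands]


def needs_commit(previous_commands, raw):
    """True only when the configuration itself changed, not just the header date."""
    return normalise_export(raw) != previous_commands


if __name__ == "__main__":
    cmds = normalise_export(SAMPLE_EXPORT)
    for number, menu, key in find_secrets(cmds):
        print(f"command {number} in {menu}: {key} is stored in clear text")
    print("\n".join(redact(cmds)))
```

If the findings list is not empty, the repository holds the same secrets as the routers and needs the same access control.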
I updated to 6.44beta20 and this is still happening.
Hi,
I'm getting the following on my devices after upgrading to beta17.
This eventually leads to the routers management interfaces to be unresponsive. For example you can run /ip route print via ssh and it will just hang forever and won't output anything. Same with winbox if you open interfaces menu or ppp menu the lists are just empty. Also it seems that you can not connect to the wireless network of the device when this happens.
I do have a snmp server that periodically queries the routers. I have tested this on a mAp, hAP ac lite and a rb2011.
I updated to 6.44beta20 and this is still happening.
U3 is a portable execution medium developed some years ago, and pushed by Sandisk.
What are you talking about? What are USB U3 programs? Please stop posting such posts.
Sent from my XT1580 using Tapatalk
I think I'm running into a config bug in 6.44 Beta 20
I've upgraded my testing router and saw the L2TP/IPSec unsafe config notice. So I was playing around with configs to fix that.
Once the L2TP peer is initially added, any attempt to edit the peer config errors out with "Couldn't change IPSec Peer <::/0> - certificate chain is supported only in IKEv2 (6)"
This seems to affect both manually and dynamically added peers.
Any truly valid peer config commits successfully when initially configured, but any attempt to change them results in the same error.
Also, since Mikrotik is warning against L2TP/IPSec PSK, are there any plans to expand the L2TP setup in PPP to be more secure?
Is 008 still the current firmware?
the recent betas [ eg 6.44beta20 ] allow for upgrade of the lte card's firmware in RBwAPR-2nD&R11e-LTE,
after an upgrade on RBwAPR-2nD&R11e-LTE /interface lte info lte1 shows "MikroTik_CP_2.160.000_v008", while RBwAPR-2nD&R11e-LTE-US - MPSS: R11eL_v12.09.171931 APSS: R11eL_v02.14.173531 CUSTAPP
Is 008 still the current firmware?
the recent betas [ eg 6.44beta20 ] allow for upgrade of the lte card's firmware in RBwAPR-2nD&R11e-LTE,
actually i can - that's why i stated my question: do you plan for allowing lte firmware upgrade on the US version?
Change log for this beta clearly states that R11e firmware upgrade is available only for international version of devices .... can't you read?
Sorry, didn't see the question in your previous post.
actually i can - that's why i stated my question: do you plan for allowing lte firmware upgrade on the US version?
Change log for this beta clearly states that R11e firmware upgrade is available only for international version of devices .... can't you read?
Test on the current/stable channel
I was also trying to do that without success.
Sent from my XT1580 using Tapatalk
On the 43rc I was also getting the same errors
I previously had 6.44 b(~6 or 8, can't recall) and it didn't warn about either l2tp/ipsec psk nor ipsec certificates.
I'm fairly certain it's a recent addition to the testing channel only.
Test on the current/stable channel
I was also trying to do that without success.
Sent from my XT1580 using Tapatalk
Thanks for heads up. I think I will eventually end up with this new board, as it seems I've become addicted to Mikrotik tech
I really hope that the new iPhone Xs/XsMax 5GHz AC problem is resolved before the 6.44 production release.
viewtopic.php?f=7&t=139608&sid=c8121250 ... cae5c96b71
Hmm... I respectfully disagree that reading the topic leads to your assumption; however, I am also willing to believe this is an Apple problem.
I really hope that the new iPhone Xs/XsMax 5GHz AC problem is resolved before the 6.44 production release.
viewtopic.php?f=7&t=139608&sid=c8121250 ... cae5c96b71
Reading through the topic you've linked to makes me think it is an iPhone's problem, not Mikrotik's one.
From iOS 12.0.1 release notes:
Reading through the topic you've linked to makes me think it is an iPhone's problem, not Mikrotik's one.
I really hope that the new iPhone Xs/XsMax 5GHz AC problem is resolved before the 6.44 production release.
viewtopic.php?f=7&t=139608&sid=c8121250 ... cae5c96b71
12.0.1 does not resolve what we are seeing. I can confirm it did fix the issue you mentioned above when both 2.4GHz and 5GHz radios are broadcasting the same SSID, and was impacting all environments. The issue I am discussing makes these new iPhones almost totally dysfunctional within the Mikrotik framework using any 5GHz AC 80MHz XXXX channel width. If you configure your radio to 5GHz A/N 40MHz XX, the problem goes away. It's an "AC" issue...different problem than what was fixed in 12.0.1
From iOS 12.0.1 release notes:
Reading through the topic you've linked to makes me think it is an iPhone's problem, not Mikrotik's one.
I really hope that the new iPhone Xs/XsMax 5GHz AC problem is resolved before the 6.44 production release.
viewtopic.php?f=7&t=139608&sid=c8121250 ... cae5c96b71
Resolves an issue that could cause iPhone XS devices to rejoin a Wi-Fi network at 2.4GHz instead of 5GHz
Please do not use the release topic for other things than reporting issues with the release.
But what I cannot ping Mikrotik ipv6 address from LAN, same subnet, same VLAN. Maybe someone have similar issue ?
sorry... I fixed this by using Router/48: from HE instead /64:
Please do not use the release topic for other things than reporting issues with the release.
But what I cannot ping Mikrotik ipv6 address from LAN, same subnet, same VLAN. Maybe someone have similar issue ?
Make a new topic in the General or Beginners section describing your issue and include a /export of your configuration (no screenshots!).
Any Examples?
ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;
/certificate
add common-name=TESTCA name=TESTCA days-valid=3650
sign TESTCA ca-crl-host=192.168.3.124
add common-name=192.168.3.124 subject-alt-name=DNS:192.168.3.124 key-usage=tls-server name=TestVPN days-valid=3600
sign TestVPN ca=TESTCA
add common-name=hunter key-usage=tls-client name=hunter days-valid=3600
sign hunter ca=TESTCA
/ip pool
add name=VPN-Pool ranges=192.168.222.100-192.168.222.150
/ip ipsec mode-config
add address-pool=VPN-Pool address-prefix-length=32 name=RW-cfg split-include=192.168.88.0/24
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-128
/ip ipsec policy group
add name=RoadWarrior
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc name=proposal1 pfs-group=none
/ip ipsec peer
add auth-method=rsa-signature certificate=TestVPN exchange-mode=ike2 generate-policy=port-strict mode-config=RW-cfg passive=yes policy-template-group=RoadWarrior
/ip ipsec policy
add comment=IKEv2 dst-address=192.168.222.0/24 group=RoadWarrior proposal=proposal1 src-address=0.0.0.0/0 template=yes
0 14.46 ether1 192.168.222.146:68 (bootpc) 255.255.255.255:67 (bootps) udp 342 0 no
1 19.212 ether1 192.168.222.146:68 (bootpc) 255.255.255.255:67 (bootps) udp 342 0 no
2 24.21 ether1 192.168.222.146:68 (bootpc) 255.255.255.255:67 (bootps) udp 342 0 no
I'm a bit sleepy so I've mixed them up, that's all. Good you've found out yourself.
I don't really understand what DNS (udp/53) has to do with DHCP (udp/67-68)
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.3.1 192.168.3.122 55
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.3.0 255.255.255.0 On-link 192.168.3.122 311
192.168.3.122 255.255.255.255 On-link 192.168.3.122 311
192.168.3.124 255.255.255.255 On-link 192.168.3.122 56
192.168.3.255 255.255.255.255 On-link 192.168.3.122 311
192.168.222.0 255.255.255.0 On-link 192.168.222.148 46
192.168.222.148 255.255.255.255 On-link 192.168.222.148 301
192.168.222.255 255.255.255.255 On-link 192.168.222.148 301
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.3.122 311
224.0.0.0 240.0.0.0 On-link 192.168.222.148 301
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.3.122 311
255.255.255.255 255.255.255.255 On-link 192.168.222.148 301
===========================================================================
Proposal: choice, to omit not on backup but on restore. So you will have always a full backup and can select on restore if certain values should not be restored.
Because it is whole system backup.
Let's imagine the internals of this restoration process. There's a database table with the list of interfaces, their parameters, their MAC addresses, etc. Now you restore it from backup leaving MAC address fields empty (?). So there's no connection between entries in the table and real interfaces. Configuration is in inconsistent state.
Proposal: choice, to omit not on backup but on restore. So you will have always a full backup and can select on restore if certain values should not be restored.
It will be great to add this feature for PPP tunnels too (SSTP, L2TP). Now I'm using forwarding DHCP Info packets to external DHCP server for DHCP option 249 (and another DHCP options for Windows clients).
*) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;
Then maybe a RSC script that does manual work after a restore. I can Reset MAC on a interface so I get the MAC of the restored to device and not the MAC from the backup.
Let's imagine the internals of this restoration process. There's a database table with the list of interfaces, their parameters, their MAC addresses, etc. Now you restore it from backup leaving MAC address fields empty (?). So there's no connection between entries in the table and real interfaces. Configuration is in inconsistent state.
Proposal: choice, to omit not on backup but on restore. So you will have always a full backup and can select on restore if certain values should not be restored.
Don't think about backup like about an /export file. It's a bit different and more low-level thing.
just got word back from support. They have found the problem with split-include and it will be fixed in next beta..
ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;
After implementing vlan-aware bridges with hw-offload you no longer need 1 bridge per vlan.
I want to see HW Off-load enabled in all bridge interfaces, not just one. Specially knowing that you need 1 Bridge per VLAN having this limitation is a killer as I will limit the traffic throughput without unable to get wired speed only in just 1 VLAN. Really?? Seriously??
But with VLAN-aware bridges you have no hw-offload at all!
After implementing vlan-aware bridges with hw-offload you no longer need 1 bridge per vlan.
The config mentioned above - with multiple bridges - was always purely software, and it was the only way for devices without switch chip.
But with VLAN-aware bridges you have no hw-offload at all!
After implementing vlan-aware bridges with hw-offload you no longer need 1 bridge per vlan.
*) ethernet - fixed linking issues on wAP ac, RB750Gr2 and Metal 52 ac (introduced in v6.43rc52);
That depends. It can be a bug in your client device too. E.g. Ubiquiti access points sometimes lose the default route (or it becomes ineffective) and then you need tricks
Turning on "Proxy-arp" for that ethernet interface appears to fix it or at least make it work for hours instead of minutes, although there is no reason to have proxy-arp.
Yeah I was hoping that proxy arp would have a slightly different processing path, and it appears to work. It's a WinCE end device (that is, no routing, just a single IP address) that appeared to work ok with 6.39 across 15 or so units, so I'll probably revert to that and see if it makes a difference. But I've been trawling the changelogs looking for recent ROS ethernet changes, and this is the first one I've come across.
It can be a bug in your client device too.
Hence why I suspect it's a bug in ROS.
I would not know a legitimate reason why proxy-arp would work and normal arp would not, when the client is correctly configured.
Will devices be able to handle that on its own? Or more important... Will CAPsMAN handle this for connected devices?
Nice catch. It is because of the new IKEv2 feature which works with DHCP. I will update the changelog.
Will devices be able to handle that on its own? Or more important... Will CAPsMAN handle this for connected devices?
Nope. Link to the device from the switch is reported as being up by both the device and the switch, but it's completely unpingable. Device can't connect to a server on the same subnet, server or any other IP on the subnet can't ping the device. ARP pings fail as well. Packet sniffing shows ping packets making it to the port that the device is connected to (according to ROS when I packet sniff on the port, anyway), but nothing from the device, not even normal idle packets (arps, windows networking packets, etc). Zero bytes / packets come from the port when the fault is present.
While the device cannot communicate (I presume to an outside network, not internal to the LAN subnet), is it still possible to ping the device from the router (i.e. from within the same subnet)?
And is it possible to ping the device from outside and wake-up the stalled connection?
The bug affected all devices. Traffic stopped forwarding when you started to change MSTI VLAN mappings, but you could easily fix it by disabling it and re-enabling it.
Hi
regarding the issue:
bridge - fixed packet forwarding when changing MSTI VLAN mappings
could someone from MT please elaborate?
we have been quite unsuccessful integrating crs317 devices in our network using MSTP
the RSTP from other devices arriving on vlans is simply not being replicated to other memberports of the same VLAN (untagged/tagged).
please advise
hk
Agreed
I see some complaining about MS-CHAPv2 support in Winbox. We like the MS-CHAPv2 support for Winbox because it allows us to no longer have to store the passwords unencrypted on the authentication server, so I hope it is retained in some way. We do not wish to go back to regular CHAP in our case.
ABSOLUTELY, security first.
Agreed
I see some complaining about MS-CHAPv2 support in Winbox. We like the MS-CHAPv2 support for Winbox because it allows us to no longer have to store the passwords unencrypted on the authentication server, so I hope it is retained in some way. We do not wish to go back to regular CHAP in our case.
Security first!
MS-CHAPv2 need clear-text / decryptable password or MD4 hash of password on radius server side
I see some complaining about MS-CHAPv2 support in Winbox. We like the MS-CHAPv2 support for Winbox because it allows us to no longer have to store the passwords unencrypted on the authentication server, so I hope it is retained in some way. We do not wish to go back to regular CHAP in our case.
I cannot find that setting...
Version 6.44beta9 has been released.
*) winbox - added 4th chain selection for "HT TX chains" and "HT RX chains" under "CAPsMAN/CAP Interface/Wireless" tab;
I cannot find that setting...
Bettar beta? =)
No new beta?
That was evil... well played!
I cannot find that setting...
No, that is a feature!
4 chains without mu-mimo it's a joke?
I cannot find that setting...
mimo 4x4 using 2 TX and 2 RX chains works much better than mimo 2x2 using same hardware.
No, that is a feature!
4 chains without mu-mimo it's a joke?
I cannot find that setting...
I hate You so much...
You Are not really benefiting without mumimo, and Status today ROS doesn't support MU-Mimo or Wave2 or something else new..
mimo 4x4 using 2 TX and 2 RX chains works much better than mimo 2x2 using same hardware.
No, that is a feature!
4 chains without mu-mimo it's a joke?
I cannot find that setting...
hahahaha
l2tp server ISAKMP-SA deleted problem if dhcp enable solve in 6.44beta28
I can confirm this on LHG60
using a w60G and beta28 I'm not getting any information on the interface page eg
Frequency 64800
Remote MAC
Signal
MCS
PHY Rate
RSSI
TX Sector
TX Sector Info
RX Sector
Distance
All blank, and the quickset page is showing 0 for signal and MCS
Kingsley
I think maybe but just maybe they are ready for the 7v beta
Have MikroTik stopped working at new version of RouterOS ?
Please no new 6.44beta...
New beta build will be released later today. Had to polish some new features before releasing the version.
No iperf??
"/tool speed-test"
[admin@1072_bonding_test_1] > /tool speed-test 192.168.1.2 test-duration=60
;;; results can be limited by cpu, note that traffic generation/termination performance might not be
representative of forwarding performance
status: done
time-remaining: 0s
ping-min-avg-max: 111us / 123us / 2.14ms
jitter-min-avg-max: 0s / 10us / 2.01ms
loss: 0% (0/1200)
tcp-download: 11.6Gbps local-cpu-load:83%
tcp-upload: 12.1Gbps local-cpu-load:89% remote-cpu-load:84%
udp-download: 24.3Gbps local-cpu-load:5% remote-cpu-load:79%
udp-upload: 23.1Gbps local-cpu-load:87% remote-cpu-load:20%
Current implementation allow only include this data into test connection, but waiting for it impacts results, we need to implement data collection as separate connection to get this working, it is in our to-do list.
Why there are no tcp-download "remote-cpu-load"?
I ask myself what issues my cAP ac devices have? Can you please give some more information about it?
*) wireless - improved system stability for all ARM devices with wireless;
The router could have rebooted due to kernel failure in some rare occasions.
I ask myself what issues my cAP ac devices have? Can you please give some more information about it?
*) chr - correctly initialize grant table version 1;
Can you post some screenshots of your peer menu?
I have L2TP/IPSEC connections that are "dial on demand" and those are displayed in IPSEC-Peers as entries that are unreachable. This is true, however after the connection is up they are still seen as unreachable (colour red).
Pre-shared key with XAuth was never really supported in IKEv2. Also IKEv2 rfc does not acknowledge XAuth as an authentication method.
Hi,
What is the idea of that I can't use IKE2 with "pre shared key xauth" ?
When I try to set it up I get the message in attached picture.
Have you checked BTest?
Finally test uses all cores of the routerboard...
This new menu keeps complaining about my IKEv2-PSK configuration. After upgrade, I have 5 entries autogenerated in "/ip ipsec identity", but all of them (except one) show an error:
What's new in 6.44beta39 (2018-Nov-27 12:14):
!) ipsec - added new "identity" menu with common peer distinguishers;
Very strange... Below are logs before and after on remote device (77.70.x.x with ROS 6.43).
Pre-shared key with XAuth was never really supported in IKEv2. Also IKEv2 rfc does not acknowledge XAuth as an authentication method.
Hi,
What is the idea of that I can't use IKE2 with "pre shared key xauth" ?
When I try to set it up I get the message in attached picture.
Before - device (46.23.x.x with ROS 6.44beta28)
After - device (46.23.x.x with ROS 6.44beta39)
Thanks very much for the response.
g22113, that is not a limitation, simply the warning messages are misleading. The limitation should be - one identity per one initiator peer. We will resolve the issue in the next beta.
The same goes for "this peer is unreachable" warnings - they are not working as expected. Also resolved in the next beta.
i use this config in 6.4.34 in all clients, in the new beta no work the peer, the port-override and main-l2tp no work
Isn't the answer two posts above?..
I gave up on btest long time ago, and iperf is not always possible
Have you checked BTest?
Finally test uses all cores of the routerboard...
MT Staff: why create speed-test? You already have BTest - develop it!
What if you try:
i use this config in 6.4.34 in all clients, in the new beta no work the peer, the port-override and main-l2tp no work
Isn't the answer two posts above?..
if upgrade to next version all vpn l2tp/ipsec with this config will they stop working?
.
.
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=SECRETL2TPPASSWORD
add exchange-mode=main generate-policy=port-override passive=yes secret=SECRETL2TPPASSWORD
As stated above, we are aware of the issue and will be fixed in the next beta versions.
L2TP/IPSEC no work, the message are "failed to pre-process ph2 packet"
config
# nov/27/2018 17:36:36 by RouterOS 6.44beta39
#
# model = 951G-2HnD
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=default enabled=yes ipsec-secret=********** use-ipsec=yes
config by default, i have deleted all old config ipsec an created by default
The configuration will automatically convert to the new format on upgrade. If you wish to configure the same configuration on new versions, you have to change the IPsec peer configuration to something like this:
i use this config in 6.4.34 in all clients, in the new beta no work the peer, the port-override and main-l2tp no work
if upgrade to next version all vpn l2tp/ipsec with this config will they stop working?
/interface l2tp-server server
set authentication=mschap2 enabled=yes
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=SECRETL2TPPASSWORD
/ip ipsec peer
add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity
add generate-policy=port-override auth-method=pre-shared-key secret=SECRETL2TPPASSWORD peer=l2tpserver
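The split shown in the reply above, as an added Python sketch (not MikroTik's code and not the converter RouterOS runs on upgrade): it moves the three parameters that the reply places under /ip ipsec identity off the old peer line and rewrites main-l2tp to main, as that one example does. The function names, IDENTITY_KEYS and the numbered names given to additional peers are assumptions made for this illustration.

```python
import shlex

# Parameters that sit under "/ip ipsec identity" in the staff example above.
# Assumption: only these three move; the thread shows no others.
IDENTITY_KEYS = ("generate-policy", "auth-method", "secret")

def parse_add(line):
    """Parse one export line 'add key=value ...' into a dict (order kept)."""
    tokens = shlex.split(line)  # shell-style quoting, close enough for this sketch
    if not tokens or tokens[0] != "add":
        raise ValueError("expected an 'add' line: %r" % line)
    params = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep or not key:
            raise ValueError("not a key=value pair: %r" % tok)
        params[key] = value
    return params

def render(params):
    """Render a dict back into an 'add' line, quoting values with spaces."""
    quote = lambda v: '"%s"' % v if (not v or any(c.isspace() for c in v)) else v
    return "add " + " ".join("%s=%s" % (k, quote(v)) for k, v in params.items())

def split_peer(line):
    """Split an old-style peer line into (peer_params, identity_params)."""
    old = parse_add(line)
    peer = {k: v for k, v in old.items() if k not in IDENTITY_KEYS}
    # The staff example uses exchange-mode=main where the old line had main-l2tp.
    if peer.get("exchange-mode") == "main-l2tp":
        peer["exchange-mode"] = "main"
    identity = {}
    for key in IDENTITY_KEYS:
        if key in old:
            identity[key] = old[key]
        elif key == "auth-method" and "secret" in old:
            identity[key] = "pre-shared-key"  # spelled out, as in the example
    return peer, identity

def convert(old_lines, base="l2tpserver"):
    """Convert old peer lines; peers that end up identical are emitted once."""
    names, peers, identities = {}, [], []
    for line in old_lines:
        peer, identity = split_peer(line)
        key = tuple(sorted(peer.items()))
        if key not in names:
            names[key] = base if not names else "%s%d" % (base, len(names) + 1)
            peers.append(render(dict(peer, name=names[key])))
        ident_line = render(dict(identity, peer=names[key]))
        if ident_line not in identities:
            identities.append(ident_line)
    return ["/ip ipsec peer"] + peers + ["/ip ipsec identity"] + identities

# The two old peer lines quoted in the thread (placeholder secret from the page).
OLD = [
    "add exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=SECRETL2TPPASSWORD",
    "add exchange-mode=main generate-policy=port-override passive=yes secret=SECRETL2TPPASSWORD",
]

if __name__ == "__main__":
    print("\n".join(convert(OLD)))
```

Both old lines collapse into the single peer and identity given in the reply, because they differ only in exchange-mode.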
Unfortunately this serial console output is the result of the problem. Not the output from the moment when packages were lost.
Netinstall fixed the router. Same package files.
Please read carefully through change log:
I gave up on btest long time ago, and iperf is not always possible
Have you checked BTest?
Finally test uses all cores of the routerboard...
MT Staff: why create speed-test? You already have BTest - develop it!
Great job. Now a single Btest can saturate a w60 link
Please read carefully through change log:
*) btest - added multithreading support for both UDP and TCP tests;
Hi!
*) winbox - show "W60G" wireless tab on wAP 60G AP;
Can you please give some more information about this one?
Version 6.44beta40 has been released.
*) capsman - fixed "group-key-update" parameter not using correct units;
tested beta version on CCR1072 ?
Average Joe will not know how to use iperf. I think target audience for this feature is different from iperf users
But it is fun anyway:
Why there are no tcp-download "remote-cpu-load"?
[admin@1072_bonding_test_1] > /tool speed-test 192.168.1.2 test-duration=60
;;; results can be limited by cpu, note that traffic generation/termination performance might not be
representative of forwarding performance
status: done
time-remaining: 0s
ping-min-avg-max: 111us / 123us / 2.14ms
jitter-min-avg-max: 0s / 10us / 2.01ms
loss: 0% (0/1200)
tcp-download: 11.6Gbps local-cpu-load:83%
tcp-upload: 12.1Gbps local-cpu-load:89% remote-cpu-load:84%
udp-download: 24.3Gbps local-cpu-load:5% remote-cpu-load:79%
udp-upload: 23.1Gbps local-cpu-load:87% remote-cpu-load:20%
Only on test CCR, which you can Netinstall any time!
if it is worked without problem, I will install too
exactly, both 1072 are at very critic area, so I will wait
Only on test CCR, which you can Netinstall any time!
if it is worked without problem, I will install too
and bgp multithreading support when?
Dude multithreading support when?
First the hell has to freeze over....
and bgp multithreading support when?
I have the feeling that maybe this will be last beta if not the last is going to a close ending..
First the hell has to freeze over....
and bgp multithreading support when?
viewtopic.php?f=1&t=141920#p699481
Maybe we have some v7 beta to play with on this Christmas
I gave up betting on RouterOS v7 release dates many years ago after incurring significant losses
Me too. I bet Europe MUM
All deployments that are scheduled for deployment are stress-tested here on the table, it just happens to be bonding setup with pair of CCR1072, at that particular moment.
tested beta version on CCR1072 ?
The same situation. In DHCP Server/Lease many ip addresses with router MAC address and other.
You could check the ARP table of the client to see if it has any strange entries (other IP addresses than the router, with the router's MAC address).
If so you need to debug the client.
I would not know a legitimate reason why proxy-arp would work and normal arp would not, when the client is correctly configured.
(correct subnet on the LAN interface and a default route via the router's IP address)
and bgp multithreading support when?
kind of but not exactly
will still be single-threaded
Enigmatic affirmation
kind of but not exactly
will still be single-threaded
Normis being Normis.
Enigmatic affirmation
kind of but not exactly
will still be single-threaded
I had some SFP+ link flapping up to a few times a day before the upgrade to 6.43.7. Since the upgrade I have seen one link flap only. The CRS328 is connected using DAC (FS.com) to my CRS317. I upgraded both switches last Friday.
Do any of the CRS328 fixes have anything to do with the SFP+ link up down issue?
[admin@MikroTik] > :global firmware [ / interface lte firmware-upgrade lte once as-value ];
[admin@Mikrotik] > :put ($firmware->"installed")
MikroTik_CP_2.160.000_v010
[admin@MikroTik] > :put ($firmware->"latest")
MikroTik_CP_2.160.000_v010
[admin@MikroTik] > :if (($firmware->"installed") != ($firmware->"latest")) do={ :put "Versions differ!"; }
Versions differ!
[admin@MikroTik] >
After restoring my settings I can not set the country for my interface:
Updated wAP LTE to version 6.44beta50 and lost the wireless package. :-/
The LTE connection was really weak, though - no idea if that caused the issue.
[admin@MikroTik] /interface wireless> set country=germany wlan1
failure: only regulatory-domain mode allowed for this country
What is this about?.. Why is this marked as important?
!) telnet - do not allow to set "tracefile" parameter;
That works, thanks! Can this be the cause for my trouble with wireless package?
set frequency-mode to regulatory-domain
*) package - use bundled package by default if standalone packages are installed as well;
Ah, right, that could cause the culprit. But I have standalone packages, no bundle.
That works, thanks! Can this be the cause for my trouble with wireless package?
set frequency-mode to regulatory-domain
what set of packages did you have? and what did you use to upgrade?
*) package - use bundled package by default if standalone packages are installed as well;
/ system package upgrade install
The wireless package did no longer show under System/Package, had to copy the npk file manually to recover. Tried to reproduce with a mAP lite that has very similar configuration, but its update succeeds (and regulatory-domain was updated correctly).
What do you mean with lost package? Did you actually lose wireless package under System/Packages menu or wireless interface did not work properly?
I wouldn't call the RB4011 unstable, but I simply cannot connect to it with Intel AC-8260 on 5.0Ghz. There's no problem with cAP AC, though. Both are running the same config pushed by CAPSMAN controller. May I ask what kind of wireless instability is fixed with ARM based devices?
Version 6.44beta50 has been released.
*) wireless - improved system stability for all ARM devices with wireless;
It is not good. Have you been thinking about the fact that not everyone reads changelogs before upgrade?
If you have set EU country under wireless configuration, but you did not use regulatory-domain, then configuration will be changed to fit these requirements. Otherwise you violate the law. So if you are legal, then everything will work just fine after an upgrade
emils - Unfortunately, not possible. When it is happening, I ask my router to generate supout and it sits there not responding. I tried stopping and restarting and I get "Couldn't start - busy (12)". I'll keep trying though.
mducharme, please generate a supout.rif file when the issue is present and send it to support@mikrotik.com
We use official sources for frequencies allowed in each country. Are you sure you are correct on this one? We use information from Qualcomm chip and European Union.
This frequency is not legal in our country. And this problem is due to simple upgrade RouterOS :(
There was some obscure proof of concept that allowed to do strange things, but it only affected you if you gave a user account to the attacker.
What is this about?.. Why is this marked as important?
!) telnet - do not allow to set "tracefile" parameter;
Then we need Option to set Indoor or Outdoor use!
Honzam
We use official sources for frequencies allowed in each country. Are you sure you are correct on this one? We use information from Qualcomm chip and European Union.This frequency is not legal in our country. And this problem is due to simple upgrade RouterOS :(
+1
Which ETSI you are comply with? Because as I know there is a band between 5470MHz to 5725Mhz, this letting me select this variety of frequencies, but if YOU apply on your restrictions, I cannot use 5480MHz, why?
.Then we need Option to set Indoor or Outdoor use!
5180-5320 in Germany is only allowed for Indoor use!
You must manually use an allowed frequency, but you are right, next beta will have "auto" frequency follow the country "indoor/outdoor" rules, you will have a new setting for that.
I set the frequency 5640 - in log say - radar detected on 5640. The AP is automatically tuned to the 5240 frequency.
This frequency is not legal in our country (Czech)
No, there are no files at all in the files menu. I had rebooted and tried again. It is still trying to generate the supout 5 hours later.
Most likely a supout.rif file is already generating in the background. Is there an autosupout.rif file in the Files menu?
Does not respect outdoor / indoor settings for EU countries.
Honzam
We use official sources for frequencies allowed in each country. Are you sure you are correct on this one? We use information from Qualcomm chip and European Union.This frequency is not legal in our country. And this problem is due to simple upgrade RouterOS :(
Did you try Scanlist 5470-5720 ???
Does not respect outdoor / indoor settings for EU countries.
Honzam
We use official sources for frequencies allowed in each country. Are you sure you are correct on this one? We use information from Qualcomm chip and European Union.This frequency is not legal in our country. And this problem is due to simple upgrade RouterOS :(
In Czech Republic is outdoor 5500-5700. Indoor is 5180-5320.
After upgrade (6.44beta50) is AP running (with auto enabled DFS) on channel 5280 which is indoor !!! But selected channel is 5620. Thanks
I know the scan list will solve it. But would you think that this line:
Did you try Scanlist 5470-5720 ???
I experienced the same on my ccr, only chance was to downgrade to latest stable firmware.
No, there are no files at all in the files menu. I had rebooted and tried again. It is still trying to generate the supout 5 hours later.
Most likely a supout.rif file is already generating in the background. Is there an autosupout.rif file in the Files menu?
If I go to the command line and type "/ip ipsec export" it also hangs forever.
First of all, this is a BETA release which should not be used anywhere near production.
means you need to create a scan list before upgrading RouterOS to 6.44? I find it unclear and it cause a number of problems....
The fact that the EU forces Mikrotik to comply with the law is clear to me
The main point is that there is going to be a move from the outdoors to the indoors. Outdoor frequencies 5500-5700 are tuned anywhere from 5180 to 5700. So quietly indoors which is not legally correct. Is it written clearly?
What do you mean by that? With scan list you will only reduce number of frequencies. After an upgrade your list will use all frequencies that are available in your country. From previous version point of view, nothing has been changed related to scan list or indoor/outdoor solutions. Indoor/outdoor selection should be introduced in upcoming beta versions.
Yes, I know. I tested it on non production part of network.
First of all, this is a BETA release which should not be used anywhere near production.
Yes, that's exactly what I was suggesting. Divide it into indoor / outdoor
We have made a new setting for one of the next BETA releases, that will honour the "indoor/outdoor" parameter in the country-info list, and will not move you to an indoor-only frequency, so you will not have to make any custom scan lists.
THIS IS NOT CORRECT! try to read this link and you will have a CLEAR knowledge which is allowed in Czech Republic and which is not ... https://www.ctu.cz/cs/download/oop/rok_ ... 010-12.pdf
Does not respect outdoor / indoor settings for EU countries.
Honzam
We use official sources for frequencies allowed in each country. Are you sure you are correct on this one? We use information from Qualcomm chip and European Union.This frequency is not legal in our country. And this problem is due to simple upgrade RouterOS :(
In Czech Republic is outdoor 5500-5700. Indoor is 5180-5320.
After upgrade (6.44beta50) is AP running (with auto enabled DFS) on channel 5280 which is indoor !!! But selected channel is 5620. Thanks
I know this document. What exactly is wrong?
THIS IS NOT CORRECT! try to read this link and you will have a CLEAR knowledge which is allowed in Czech Republic and which is not .
outdoor is exactly 5470MHz-5725MHz not 5500MHz-5700MHz mentioned by you in older posts .. indoor exactly 5150MHz-5350MHz not 5180MHz-5320MHz mentioned by you.
I know this document. What exactly is wrong?
Yes it is 5470-5725Mhz , but it is commonly referred to as I wrote. (fully channels)
outdoor is exactly 5470MHz-5725MHz not 5500MHz-5700MHz mentioned by you in older posts .. indoor exactly 5150MHz-5350MHz not 5180MHz-5320MHz mentioned by you.
I know this document. What exactly is wrong?
If Mikrotik wants to restrict use of superchannels, they have to follow ETSI/CZ rules at least. They don't. They push us to not using "czech_republic" settings, if we wants to be comply with our laws rules.
Yes it is 5470-5725Mhz , but it is commonly referred to as I wrote. (fully channels)
Which channel width do you use when trying to set centre frequency to 5480MHz?
... and second, according to CZ rules I can set 5480MHz ...