v6.44beta [testing] is released!

Fri Dec 21, 2018 1:22 pm

They push us to not using "czech_republic" settings, if we wants to be comply with our laws rules.

That's not true. Please read this thread carefully. The next Beta release will have indoor/outdoor option, so I guess the next stable release for your production environment will have it too.
Unfortunately the change to regulatory conformance was badly communicated by Mikrotik in the release notes.

What will be more of a concern is the future of Omnitik 5 devices in Europe. The regulators are about to shut them down soon. Let's hope Mikrotik really can prevent this from happening.

The "Outdoor" setting is already in released versions, it's called "installation=outdoor/indoor/any".

human1982 · Fri Dec 21, 2018 1:28 pm

... and second, according to CZ rules I can set 5480MHz ...
Which channel width do you use when trying to set centre frequency to 5480MHz?

5480Ce in Poland too. 5470-5725.

cowgirl · Fri Dec 21, 2018 2:20 pm

6.44beta50 is crashing on my CRS328-24P-4S+. It reboots every few hours. (approx every 4h)

And on myCRS317-1G-16S+ the management IP address is not reachable (over my lacp-bonding link) for a while and then it comes back, while switching is working the whole time and the systems connected to it are reachable. Currently i can not check for reboots on the 317, cause managment is not reachable also mac-telnet from the 328 is not working.....

The 317´s managment just came back now, no unexpected reboots there....

cowgirl · Fri Dec 21, 2018 3:17 pm

CRS328-24P-4S+ crashed again. Only with approx. 2hours gap. Doing a little bit SMB File Copy jobs (50Gbyte)

TheCondor · Sun Dec 30, 2018 12:16 pm

In 6.44beta50 when i create a certificate, both with web GUI or shell command, i set subAltName but it disappear when saved (or signed). On stable i didn't have this problem.

kabal · Sun Dec 30, 2018 11:45 pm

*) ppp - added "at-chat" command;

Does not work with USSD commands.

with at-chat:

/interface ppp-client at-chat 3 input="AT+CUSD=1,AA582C3602,15"
output: AT+CUSD=1,AA582C3602,15
OK

with serial-terminal:

/system serial-terminal port=usb4 channel=2
AT+CUSD=1,AA582C3602,15
OK

+CUSD: 1,"C2303BEC9E83602E980C2D77B340E2B7BB3E07C15C30185AEE7629542A95C2596E87F365
D0FA3D47D3D3F61FF10D8AC16067B91BE40E83E46174DDFD5E83F420F87BCEAE9FDFF93A88F82687E9
EBB73D0D3ACBDF73743A046587E961903D4D06C9CE72B722E6A286D70A",15

TheCondor · Wed Jan 02, 2019 8:16 pm

mutiple mode-config doesn't be as intended with certificate matching.
I've tried to add 2 mode-configs and i want to assign a different ip pool each.
apart the fact that is better to implement an object of type "list" populated with multiple certificate, currently it's impossible to add multiple client certificate matching...
policy matching chould be intended as this, imho:

a group of client certificates that, when matched with a specific mode-config policy, assign an ip pool and a split tunnel.

currently it's impossible to add a group of client certificate, just one cert.
Moreover, and this is what isn't working, the client check just the first mode-config policy and if it's not matched skips the others. It should be a sequential checking trough the all mode-config matching policy...

emils · Mon Jan 07, 2019 2:09 pm

Version 6.44beta54 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta54 (2019-Jan-07 08:27):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes in this release:

*) bridge - count routed FastPath packets between bridge ports under FastPath bridge statistics;
*) bridge - fixed BOOTP packet forwarding when DHCP Snooping is enabled;
*) crs317 - fixed packet forwarding when LACP is used with hw=no;
*) dhcpv6-server - allow to add DHCPv6 server with pool that does not exist;
*) ethernet - fixed VLAN1 forwarding on RB1100AHx4 and RB4011 devices;
*) ipsec - added new "remote-id" peer matcher (CLI only);
*) l2tp - fixed IPsec secret not being updated when "ipsec-secret" is changed under L2TP client configuration;
*) led - fixed PWR-LINE AP Ethernet LED polarity ("/system routerboard upgrade" required);
*) lte - added initial support for multiple APN for R11e-4G (new modem firmware required);
*) lte - fixed DHCP IP acquire (introduced in v6.43.7);
*) netinstall - do not show kernel failure critical messages in the log after fresh install;
*) routerboard - removed "RB" prefix from PWR-LINE AP devices;
*) sniffer - save packet capture in "802.11" type when sniffing on w60g interface in "sniff" mode;
*) snmp - fixed "rsrq" reported precision;
*) usb - improved power-reset error message when no bus specified on CCR1072-8G-1S+;
*) wireless - added new "installation" parameter to specify router's location;
*) wireless - show indoor/outdoor frequency limitations under "/interface wireless info country-info <country>" command;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

doush · Mon Jan 07, 2019 3:26 pm

Are you guys working for a fix for CCR1072 lockups ?

Mon Jan 07, 2019 5:17 pm

doush - Unfortunately we can not tell from description "lockups" to what kind of problem you are referring to. Please contact support@mikrotik,com directly, provide proper problem description (when did problem start to appear, how often do you see this issue, do you have any information what processes might trigger lockup) and supout file from your router/s. At the moment there are no known bugs that would lock up router. Either this is an unknown problem, hardware related issue or it is a configuration related problem. Without debugging we can not tell why is this happening with your router. At the moment of "lockup" can you access router over serial console?

nescafe2002 · Mon Jan 07, 2019 11:10 pm

To anyone experiencing connectivity issues on bridge interface after upgrade to 6.44beta50 like me:
The RB is now sending out MNDP (udp/5678) packets with ip address of bridge and mac address of slave (physical port).
(In 6.44beta40 and before the packets were sent with the bridges mac address as source)
Client devices are now learning incorrect ip/mac combinations and will be unable to communicate with the RB, intermittently (arp is not affected).
This has been reported.

A work-around is to disable neighbor discovery for these interfaces.

(Note that there is a similar problem regarding internet-detect which causes same problem when enabled on slave interfaces)

Another (dirty) work-around is to enable bridge filtering (of any kind) after which RB will accept packets directed to the slave (physical) mac address.

emils · Tue Jan 08, 2019 8:27 am

mutiple mode-config doesn't be as intended with certificate matching.
I've tried to add 2 mode-configs and i want to assign a different ip pool each.
apart the fact that is better to implement an object of type "list" populated with multiple certificate, currently it's impossible to add multiple client certificate matching...
policy matching chould be intended as this, imho:

a group of client certificates that, when matched with a specific mode-config policy, assign an ip pool and a split tunnel.

currently it's impossible to add a group of client certificate, just one cert.
Moreover, and this is what isn't working, the client check just the first mode-config policy and if it's not matched skips the others. It should be a sequential checking trough the all mode-config matching policy...

What exactly have you configured currently? Are you creating multiple IPsec identities and specifying different remote-certificates for each of them? Are these certificates from the same CA chain? That is not quite how we planned it to work. There is a 'remote-id' parameter, which is not in Winbox and is not implemented fully yet. You will be able to match the IPsec identity to a specific peer by this parameter.

doush · Sat Jan 12, 2019 4:39 pm

doush - Unfortunately we can not tell from description "lockups" to what kind of problem you are referring to. Please contact support@mikrotik,com directly, provide proper problem description (when did problem start to appear, how often do you see this issue, do you have any information what processes might trigger lockup) and supout file from your router/s. At the moment there are no known bugs that would lock up router. Either this is an unknown problem, hardware related issue or it is a configuration related problem. Without debugging we can not tell why is this happening with your router. At the moment of "lockup" can you access router over serial console?

Strods;
viewtopic.php?f=3&t=122525&start=50
There are watchdog reboots !
Please see the above thread. We have also contacted support and we have been told to turn off watchdog and check. When we do that, the router hangs and stays in that state.
We cant just stop gbits of traffic just to collect supout files for you over the serial interface. This is what you guys have to do. Issue is easily reproducable.
There are many people in the above thread having the same exact issue.
Ticket#2018091822007067 is also available but as I said we cannot just stop 8gbit/s of traffic for you for hours to collect supout files.
Please do not ignore this issue as it is not a config related problem at all.
At the moment of lockup (when watchdog is turned off) , I havent tried the serial because of panic that it creates when all your traffic stops. Powercycle fixes the problem.
When watchdog is on, it reboots.
Please work with us in this issue.

notToNew · Sat Jan 12, 2019 7:26 pm

When watchdog is on, it reboots.
Please work with us in this issue.

And where is the version specific part of this? As I see it it's nothing new to this beta.... So please stay in the other thread.

doush · Mon Jan 14, 2019 3:52 pm

When watchdog is on, it reboots.
Please work with us in this issue.
And where is the version specific part of this? As I see it it's nothing new to this beta.... So please stay in the other thread.

This problem is still valid with the latest stable build !
And we dont see any work about it in the latest beta versions at all. Should be fair enough to post in this thread and raise awareness.

Mon Jan 14, 2019 9:01 pm

doush Nobody except you complains, which means it's either faulty hardware or a configuration specific issue. A couple of posts ago you said you are not willing to supply support@ with the info they asked you for. Being software developer myself, I can assure you this is a road to nowhere...

null31 · Tue Jan 15, 2019 12:00 am

Dear MikroTik Staff.

*) dhcpv6-server - allow to add DHCPv6 server with pool that does not exist;

Does this fix is related to the ticket #2018122622000391?
I ask because I didn't receive a reply for the ticket.

pe1chl · Tue Jan 15, 2019 3:20 pm

It is probably related to a problem I also reported to them: when you import an export which contains a server and pool
the import fails because the pool appears in the export after the server. Apparently it was not easy to export the pool
definitions before the server definitions (or there would be another unresolved reference) and it was now solved this way.

null31 · Wed Jan 16, 2019 8:42 pm

So isn't related.
The bug I reported is when DHCPv6-PD get the pool name through Radius and create a route with blank next-hop to the CPE. The router receive the link-local addr from cpe, but doesn't add to the prefix that was delegated.
The connection method I tested was plain DHCPv6 (IPoE without op82).

Like the image https://i.imgur.com/Oq08c0U.png

doush · Thu Jan 17, 2019 2:32 pm

doush Nobody except you complains, which means it's either faulty hardware or a configuration specific issue. A couple of posts ago you said you are not willing to supply support@ with the info they asked you for. Being software developer myself, I can assure you this is a road to nowhere...

Did you even read my post ?
Check the below thread and see if I am the only one complaining.
viewtopic.php?f=3&t=122525

We are still desperately waiting for a fix for this issue and ready to try any possible fix in new beta versions.. and NO I cannot just turn off watchdog and wait for the next halt which may happen anytime in the middle of the night to collect support files while all the network is down.

Thu Jan 17, 2019 4:44 pm

"My router reboots" is a very generic problem, all kinds of issues are gathered in that topic.

eworm · Thu Jan 17, 2019 6:30 pm

I am running testing versions on my wAP with R11e-LTE. Recently the lte interface does not reliably connect after boot, I have to reboot the device then. This worked pretty well before, so I am sure this is a regression from beta50 to beta54.

zyzelis · Thu Jan 17, 2019 8:03 pm

"My router reboots" is a very generic problem, all kinds of issues are gathered in that topic.

Normis, are you work for ubnt?

emils · Fri Jan 18, 2019 9:50 am

Version 6.44beta61 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta61 (2019-Jan-17 13:24):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes in this release:

!) ipsec - added new "identity" menu with common peer distinguishers;
*) bridge - fixed BOOTP packet forwarding when DHCP Snooping is enabled;
*) certificate - added support for multiple "Subject Alt. Names";
*) certificate - enabled RC2 cipher to allow P12 certificate decryption;
*) chr - improved system stability when insufficient resources are allocated to the guest;
*) console - updated copyright notice;
*) crs3xx - fixed slow bootup, upgrade and SFP status read (introduced in v6.44beta20);
*) gps - moved "coordinate-format" from "monitor" command to "set" parameter;
*) ike1 - fixed "rsa-key" authentication (introduced in v6.44beta);
*) ipsec - accept only valid path for "export-pub-key" parameter in "key" menu;
*) ipsec - added new "remote-id" peer matcher;
*) ipsec - fixed all policies not getting installed after startup (introduced in v6.43.8);
*) ipsec - moved "profile" menu outside "peer" menu;
*) lcd - made "pin" parameter sensitive;
*) led - fixed default LED configuration for RBSXTsq-60ad;
*) lte - fixed DHCP IP acquire in 3G mode for r11e-lte (introduced in v6.44beta54);
*) lte - fixed reported "rsrq" precision (introduced in v6.43.8);
*) profile - removed obsolete "file-name" parameter;
*) radius - implemented Proxy-State attribute handling in CoA and disconnect requests;
*) rb4011 - improved SFP+ interface linking to 1Gbps;
*) ssh - close active SSH connections before IPsec connections on shutdown;
*) ssh - fixed public key format compatibility with RFC4716;
*) supout - fixed "poe-out" output not showing all interfaces;
*) system - accept only valid path for "log-file" parameter in "port" menu;
*) system - removed obsolete "/driver" command;
*) tr069-client - added "check-certificate" parameter to allow communication without certificates;
*) tr069-client - added support for InformParameter object;
*) tr069-client - fixed certificate verification for certificates with IP address;
*) tr069-client - increased reported "rsrq" precision;
*) vrrp - made "password" parameter sensitive;
*) winbox - added "allow-dual-stack-queue" parameter in "IP/DHCP Server" and "IPv6/DHCP Server" menus;
*) winbox - added "conflict-detection" parameter in "IP/DHCP Server" menu;
*) winbox - added "coordinate-format" parameter in LTE interface settings;
*) winbox - allow specifying interface lists in "CAPsMAN/Access List" menu;
*) winbox - fixed "IPv6/Firewall" "Connection limit" parameter not allowing complete IPv6 prefix lengths;
*) winbox - fixed L2MTU parameter setting on "W60G" type interfaces;
*) winbox - fixed "LCD" menu not shown on RB2011UiAS-2HnD;
*) winbox - moved "Too Long" statistics counter to Ethernet "Rx Stats" tab;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

eworm · Fri Jan 18, 2019 12:16 pm

!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);

[admin@MikroTik] /system backup cloud> print 
-- connecting
Server error: Backend error. Try again later.

Breakage in version or issue with servers?
Edit: Works again, was a server issue.

*) console - updated copyright notice;

The copyright notice still has a link with http-schema. You should really change that to https.

*) ipsec - added new "remote-id" peer matcher;

Thanks, have to play with this...

*) lte - fixed DHCP IP acquire in 3G mode for r11e-lte (introduced in v6.44beta54);

Thanks for fixing!

*) ssh - close active SSH connections before IPsec connections on shutdown;

That change is very welcome. Thanks a lot!

Jotne · Fri Jan 18, 2019 2:26 pm

Please remove OS version from telnet. It is not needed.

I do use telnet to connect to Mikrotik Router using VPN connection.
It does respond by telling both what it is and what version it has before you login.

/system telnet 10.2.0.16
Trying 10.2.0.16...
Connected to 10.2.0.16.
Escape character is '^]'.

MikroTik v6.43.8 (stable)
Login:

Fri Jan 18, 2019 4:24 pm

Jotne, sorry, I do not understand. Where is the problem with the version in Telnet?

Chupaka · Fri Jan 18, 2019 4:29 pm

The problem is it tells you about version number even if you're not logged in

Cha0s · Fri Jan 18, 2019 4:35 pm

Same with the web interface.

patrick7 · Fri Jan 18, 2019 4:52 pm

security by obscurity

pcunite · Sat Jan 19, 2019 1:41 am

Version 6.44beta61 has been released.

rb4011 - improved SFP+ interface linking to 1Gbps;

Does this mean the S-RJ01 is now compatible with the RB4011?

Jotne · Sat Jan 19, 2019 9:53 am

With any communication you should not give away any information before login.
If you look at forum.mikrotik.com it does use phpBB. On older version you could see at the bottom, what version it was.
This was removed due to security and that hacker was target some specific version.

As I did write in my post above, I do not need it, so remove it.
And as @Cha0s write, same for web interface. Remove it.

pe1chl · Sat Jan 19, 2019 11:49 am

Does this mean the S-RJ01 is now compatible with the RB4011?

The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.
Look at the S-RJ01 page. It is only for actively-cooled devices!
Hopefully some time, after yet more advances in technology, it will be possible to produce and SFP+ ethernet adapter that does not dissipate so much power.
Then it could work.

msatter · Sat Jan 19, 2019 1:17 pm

All software/interfaces by Mikrotik mention the software version before login, including the Android app.

Then this must be something Mikrotik wants to communicate up front. So you can think to have RouterOS not share the current version of it and state a null value.

marcbou · Sat Jan 19, 2019 1:42 pm

Hi

Installed 6.44beta61, but it seems there are issues with "/ip ipsec identity my-id" matching for fqdn:, user-fqdn: and even address:ipv4 types. It doesn't seem to work with Remote ID on iOS devices with IKEv2 in pre-shared-key mode.

I was only able to get it to work by specifying the router's static IP as RemoteID on the client iOS device and keeping my-id set to auto (default) in /ip ipsec identity.

my-id=fqdn:domain.com matching does however work if auth-method=rsa-signature with certificate.

It is a road-warrior type setup with the MikroTik router as VPN server on a static IP, and client iOS and MacOS X devices connecting from dynamic IPs.

This is with a RB3011. We have a similar setup with a CCR1009 where it seems the ipsec crashes (hangs) upon access attempts with auth-method=pre-shared-key. Works with sa-signature/certificate.

Also would it be possible to add support for disabling/enabling /ip ipsec identity entries?

The config looks like:

# jan/19/2019 06:31:50 by RouterOS 6.44beta61
#
# model = RouterBOARD 3011UiAS
/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=\
ipsec-modecfg
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1w \
name=proposal_1
/ip ipsec peer
add exchange-mode=ike2 local-address=<routerspublicipv4> name=peer_vpn passive=yes \
profile=proposal_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
lifetime=2d pfs-group=none
/ip ipsec identity
add generate-policy=port-strict mode-config=ipsec-modecfg peer=\
peer_vpn remote-id=user-fqdn:usera@domain.com secret=usera_secret
add generate-policy=port-strict mode-config=ipsec-modecfg peer=\
peer_vpn remote-id=user-fqdn:userb@domain.com secret=userb_secret
/ip ipsec policy
set 0 dst-address=192.168.71.0/24 src-address=0.0.0.0/0
add dst-address=192.168.72.0/24 src-address=0.0.0.0/0 template=yes

Thanks,

Marc

Paternot · Sat Jan 19, 2019 3:50 pm

Does this mean the S-RJ01 is now compatible with the RB4011?
The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.
Look at the S-RJ01 page. It is only for actively-cooled devices!
Hopefully some time, after yet more advances in technology, it will be possible to produce and SFP+ ethernet adapter that does not dissipate so much power.
Then it could work.

The compatibility table disagrees with You:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

They are supported on the CSS/CRS326-24G-2S+ models - and they are passive cooled switches. Also, they run on RB3011, RB2011, RB260 and many others passive cooled devices.

nescafe2002 · Sat Jan 19, 2019 5:19 pm

What's new in 6.44beta61 (2019-Jan-17 13:24):

*) rb4011 - improved SFP+ interface linking to 1Gbps;

I can confirm FS 1000BASE-BX BiDi SFP 1310nm-TX/1490nm-RX 20km DOM Transceiver Module ( https://www.fs.com/products/20184.html ) is working fine together with a 1Gbit FTTH provider, as long as the speed matches (note that winbox hides this setting when autonegotation is on, so you'll have to disable autoneg to change speed or use cli).

/interface ethernet
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=1Gbps # link
set sfp-sfpplus1 auto-negotiation=yes full-duplex=no speed=10Mbps # link (detected/actual rate 1Gpbs FD)
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=100Mpbs # flapping
set sfp-sfpplus1 auto-negotiation=yes full-duplex=yes&no speed=10Gbps # flapping
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes speed=1Gbps # link
set sfp-sfpplus1 auto-negotiation=no full-duplex=no speed=1Gbps # router crash
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes&no speed=10Mbps # link (detected rate 10Mbps, actual rate 1Gpbs)
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes&no speed=100Mbps # flapping
set sfp-sfpplus1 auto-negotiation=no full-duplex=yes speed=10Gbps # no link

pcunite · Sat Jan 19, 2019 5:28 pm

The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.

The compatibility table disagrees with You:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

The S-RJ01 is supported on the CSS/CRS326-24G-2S+ models - and they are passive cooled switches. Also, they run on RB3011, RB2011, RB260 and many others passively cooled devices.

Yeah, I guess its not clear what works unless one consults the compatibility table. So, the S+RJ10 does work, but the S-RJ01 does not? I have not been able to get my S-RJ01 to work with the RB4011 and was hoping it was only a software issue.

Paternot · Sat Jan 19, 2019 8:36 pm

The RB4011 is not an actively-cooled device so it will never be compatible with the S-RJ01.

The compatibility table disagrees with You:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

The S-RJ01 is supported on the CSS/CRS326-24G-2S+ models - and they are passive cooled switches. Also, they run on RB3011, RB2011, RB260 and many others passively cooled devices.

Yeah, I guess its not clear what works unless one consults the compatibility table. So, the S+RJ10 does work, but the S-RJ01 does not? I have not been able to get my S-RJ01 to work with the RB4011 and was hoping it was only a software issue.

Yes, it is weird. I have no idea where this limitation comes from.

Bergante · Mon Jan 21, 2019 11:02 am

security by obscurity

Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.

Bergante · Mon Jan 21, 2019 11:05 am

Version 6.44beta61 has been released.

*) rb4011 - improved SFP+ interface linking to 1Gbps;

This one looks promising and, indeed, there is a clear improvement.

I am testing a rb4011 linked to a HP switch and now it works with autonegotiation on it seems. I am using a pair of Mikrotik 1000BASE-LH transceivers (S-31DLC20D).

That's great because autonegotiation is considered mandatory in GbE and disabling it can lead to unpredictable problems.

So, I hope SFPs will be properly supported in SFP+ cages. Otherwise the only real solution would be to include both types of cages like some manufacturers do.

muetzekoeln · Mon Jan 21, 2019 12:15 pm

Please remove OS version from telnet. It is not needed.

+1

I too plead for data stinginess. Only disclose data when/where needed. This is the same thinking as a default deny-all rule in firewalls.
For me the ROS version is of no value at login prompt. And MT did not explain why they broadcast ROS version in WiFi beacons
(viewtopic.php?p=709410).

At login prompt it makes much more sense to me, to display given system identity name (/System identity). So you can check if you are logging into the intended system (if you have more than one, that is).

Mon Jan 21, 2019 2:46 pm

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.

I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number

skylark · Tue Jan 22, 2019 10:19 am

Version 6.44beta61 has been released.

rb4011 - improved SFP+ interface linking to 1Gbps;

Does this mean the S-RJ01 is now compatible with the RB4011?

Yes, with the latest beta S-RJ01 also should work.

We will update compatibility table when this fix will be included in the stable version.

msatter · Tue Jan 22, 2019 12:44 pm

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number

But it saves the untrusted person the trouble to test which tool to use. Or just see on forehand that none of the available tools is going to work and moves on.

Make it the owners choice/responsability if the it is shown or not.

Bergante · Tue Jan 22, 2019 1:21 pm

Version 6.44beta61 has been released.

rb4011 - improved SFP+ interface linking to 1Gbps;

Does this mean the S-RJ01 is now compatible with the RB4011?
Yes, with the latest beta S-RJ01 also should work.

We will update compatibility table when this fix will be included in the stable version.

The Interface/Ethernet section of the documentation should be updated as well.

The manual says that the speed attribute of an Ethernet interface only takes effect when auto negotiation is disabled.

Actually, at least on a rb4011 running 6.44beta61 speed does work with auto negotiation on. The SFP I have tried,
Mikrotik's single mode ones (S-31DLC20D) work with auto negotiation set to on as long as the speed attribute is set to 1 Gbps.

So it's working as a mode selector for the SFP/SFP+ cage.

Now I wonder, can't you make that automatic? Reading the EEPROM of the SFP the system determines which kind of SFP is it. So it
should be easy to decide wether to configure it for 1 Gbps or 10 Gbps.

pe1chl · Wed Jan 23, 2019 12:52 pm

61 builds in the 6.44 beta and we are still waiting for IPv6 improvements!
Come on guys, it is 2019 now. We really need IPv6 policy routing, IPv6 per-connection queueing, IPv6 firewall features on par with IPv4 (like L7 matching), etc etc etc.

You cannot handle IPv6 as a bolt-on feature to satisfy a small number of demanding users. It has to be part of the mainstream, with all the support that there is for IPv4.

muetzekoeln · Wed Jan 23, 2019 1:15 pm

Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering.

You are right with this statement, but impacts of the latest ROS vulnerability show this ideal is not the real world.

wilsonlmh · Wed Jan 23, 2019 2:03 pm

security by obscurity
Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion.
I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exposed version number

This isn't true for SSH:

telnet 192.168.88.1 22
Trying 192.168.88.1...
Connected to 192.168.88.1.
Escape character is '^]'.
SSH-2.0-ROSSSH

emils · Thu Jan 31, 2019 10:40 am

Installed 6.44beta61, but it seems there are issues with "/ip ipsec identity my-id" matching for fqdn:, user-fqdn: and even address:ipv4 types. It doesn't seem to work with Remote ID on iOS devices with IKEv2 in pre-shared-key mode.

It works for me. Please check the IPsec debug logs and find out what ID_I and ID_R fields are actually received from the client.

10:35:04 ipsec processing payload: ID_I 
10:35:04 ipsec ID_I (RFC822): usera@domain.com 
10:35:04 ipsec processing payload: ID_R 
10:35:04 ipsec ID_R (ADDR4): 10.155.130.204

ID_I is the initiators id (what you specify as Local ID under your iOS). ID_R is the responders id (the Remote ID when looking from iOS). You can enable debug logs with

/system logging add topics=ipsec,!debug

As for the crashing part, it would be necessary to see the supout.rif file from your device. Please generate and send this file to support@mikrotik.com

BG4DRL · Thu Jan 31, 2019 6:08 pm

wap 60G ap udp both up to 850Mbps ! very nice this Beta61

nescafe2002 · Tue Feb 05, 2019 1:07 pm

Since I've spent some time restoring VPN functionality.. here are my 6.44beta61 IKEv2 settings for iOS, macOS and Windows clients.
Windows only seems to work with identity my-id=auto and remote-id=auto.
Afaik you cannot add a secondary peer for Windows default ipsec settings, so you should alter these using powershell.

Certificate generation:

/certificate
add name=my.ca common-name=my.ca key-usage=key-cert-sign,crl-sign
sign my.ca
add name=vpn.server common-name=vpn.server subject-alt-name=DNS:vpn.company.com key-usage=tls-server
sign vpn.server ca=my.ca
add name=vpn.client.ios common-name=vpn.client.ios key-usage=tls-client
sign vpn.client.ios ca=my.ca
add name=vpn.client.macos common-name=vpn.client.macos key-usage=tls-client
sign vpn.client.macos ca=my.ca
add name=vpn.client.windows common-name=vpn.client.windows key-usage=tls-client
sign vpn.client.windows ca=my.ca

(Certificates don't have to be trusted)

Certificate export:

/certificate
export-certificate my.ca
export-certificate vpn.client.ios export-passphrase=1234 type=pkcs12
export-certificate vpn.client.macos export-passphrase=1234 type=pkcs12
export-certificate vpn.client.windows export-passphrase=1234 type=pkcs12

IKEv2 server setup:

/ip ipsec policy group
add name=ike2
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d name=ike2 pfs-group=none
/ip ipsec policy
add comment=ike2 group=ike2 proposal=ike2 template=yes
/ip pool
add name=ike2 ranges=192.168.88.100-192.168.88.150
/ip ipsec mode-config
add address-pool=ike2 name=ike2

Peer setup:

/ip ipsec peer
add comment=ike2 exchange-mode=ike2 name=ike2 passive=yes profile=ike2

Identity setup:

/ip ipsec identity
add auth-method=rsa-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2 my-id=fqdn:vpn.company.com \
    peer=ike2 policy-template-group=ike2 remote-certificate=vpn.client.ios remote-id=fqdn:vpn.client.ios
add auth-method=rsa-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2 my-id=fqdn:vpn.company.com \
    peer=ike2 policy-template-group=ike2 remote-certificate=vpn.client.macos remote-id=fqdn:vpn.client.macos
add auth-method=rsa-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2 \
    peer=ike2 policy-template-group=ike2 remote-certificate=vpn.client.windows

iOS setup:

Type: IKEv2
Server: vpn.company.com
External ID: vpn.company.com
Local ID: vpn.client.ios
User authentication: None
Use certificate: Yes
Certificate: vpn.client.ios

macOS setup:

Type: IKEv2
Server: vpn.company.com
External ID: vpn.company.com
Local ID: vpn.client.macos
User authentication: None
Use certificate: Yes
Certificate: vpn.client.macos

Windows client setup (you need Powershell to set hash/enc/dh/pfs, so I scripted all):

$securePassword = ConvertTo-SecureString -String "1234" -AsPlainText -Force
Import-PfxCertificate -FilePath cert_export_vpn.client.windows.p12 -CertStoreLocation Cert:\LocalMachine\My -Password $securePassword
Import-Certificate -FilePath cert_export_my.ca.crt -CertStoreLocation Cert:\LocalMachine\Root
Add-VpnConnection -Name "Company" -ServerAddress vpn.company.com -TunnelType Ikev2 -AuthenticationMethod MachineCertificate
Set-VpnConnectionIPsecConfiguration -ConnectionName "Company" -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup None -Force

emils · Tue Feb 05, 2019 1:19 pm

The next version will have some more changes for IPsec Identities to make it more clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check the IPsec debug logs and find out what actual ID (IDi) value is sent by the initiator.

I will update the wiki page when we come closer to the actual 6.44 release. Basically "auto" will check (verify) the IDi with clients certificate, so they have to match! "ignore" will not care about the initiators ID.

pe1chl · Tue Feb 05, 2019 3:13 pm

Would it be possible (during the rework of the IPsec code) to also add a phase1 "on up" and "on down" script?
(that receives parameters like the remote-id, remote-IP etc)
This script could then add/delete phase2 settings e.g. a GRE tunnel.

eworm · Tue Feb 05, 2019 4:01 pm

Would it be possible (during the rework of the IPsec code) to also add a phase1 "on up" and "on down" script?
(that receives parameters like the remote-id, remote-IP etc)
This script could then add/delete phase2 settings e.g. a GRE tunnel.

Yes, please! Hooking a script would be much appreciated. Currently I have a script running every 30 seconds to update gre interfaces...

emils · Tue Feb 05, 2019 4:15 pm

Thank you for the feedback. Definitely not in this release, but I will see if we can add it in the near future.

biatche · Sat Feb 09, 2019 2:10 am

Much time spent on ipsec when one could spend time on wireguard and have better VPN.

pe1chl · Sat Feb 09, 2019 11:18 am

Much time spent on ipsec when one could spend time on wireguard and have better VPN.

Wireguard is not a better VPN. It is an immature product with a vocal community around it.
IPsec is widely supported amongst industry standard routers and does not require lame "+1 for Wireguard" 1-time posters.

berzerker · Mon Feb 11, 2019 6:12 am

CRS328-24P-4S+RM: I'm unable to log into the console on 6.44beta61, anyone experiencing a similar issue? Tried with multiple cables. Couple of CRS112s I have on 6.43.8 work fine.

emils · Mon Feb 11, 2019 3:35 pm

Version 6.44beta75 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44beta75 (2019-Feb-08 08:02):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (Radius communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
!) telnet - do not allow to set "tracefile" parameter;
!) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing";
!) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions;
----------------------

Changes in this release:

!) ipsec - added new "identity" menu with common peer distinguishers;
!) winbox - improvements in connection handling to router with open winbox service (CVE-2019–3924);
*) bridge - fixed log message when hardware offloading is being enabled;
*) bridge - fixed packet forwarding with enabled DHCP Snooping and Option 82;
*) bridge - fixed system's identity change when DHCP Snooping is enabled (introduced in v6.44beta61);
*) bridge - improved packet handling when hardware offloading is being disabled;
*) certificate - show digest algorithm used in signature;
*) chr - distribute NIC queue IRQ's evenly across all CPUs;
*) chr - fixed IRQ balancing when using more than 32 CPUs;
*) crs3xx - fixed packet forwarding through SFP+ ports when using 100Mbps link speed;
*) crs3xx - fixed SFP+ linking using 1.25G SFP modules (introduced in v6.44beta39);
*) dhcpv6-server - fixed missing gateway for binding's network if RADIUS authentication was used;
*) dhcpv6-server - show "client-address" parameter for bindings;
*) ethernet - added "tx-rx-1024-max" counter to Ethernet stats;
*) ethernet - fixed packet forwarding when SFP interface is disabled on hEX S;
*) fetch - added option to specify multiple headers under "http-header-field", including content type;
*) fetch - improved stability when using HTTP mode;
*) fetch - removed "http-content-type" parameter;
*) gps - increase precision for dd format;
*) hotspot - added "https-redirect" under server profiles;
*) ike2 - retry RSA signature validation with deduced digest from certificate;
*) ipsec - require write policy for key generation;
*) kidcontrol - use "/128" prefix-length for IPv6 addresses;
*) lldp - fixed missing capabilities fields on some devices;
*) lte - added multiple APN support for R11e-4G;
*) lte - fixed passthrough DHCP address forward when other address is acquired from operator;
*) lte - improved SIM7600 initialization after reset;
*) lte - query "cfun" on initialization;
*) lte - require write policy for at-chat;
*) lte - update firmware version information after R11e-LTE/R11e-4G firmware upgrade;
*) ntp-client - fixed "dst-active" and "gmt-offset" being updated after synchronization with server;
*) ppp - fixed dynamic route creation towards VPN server when "add-default-route" is used;
*) quickset - fixed "country" parameter not properly setting regulatory domain configuration;
*) rb4011 - fixed SFP+ interface full duplex and speed parameter behavior;
*) rb4011 - improved SFP+ interface linking to 1Gbps;
*) sfp - fixed possible reboot loop when inserting SFP modules in CRS328-4C-20S-4S+ (introduced in v6.44beta61);
*) smb - fixed macOS clients not showing share contents;
*) smb - fixed possible buffer overflow;
*) smb - fixed Windows 10 clients not able to establish connection to share;
*) snmp - fixed "rsrq" reported precision;
*) snmp - report ifSpeed 0 for sub-layer interfaces;
*) switch - added comment field to switch ACL rules;
*) tr069-client - added "connection-request-port" parameter (CLI only);
*) usb - improved USB device powering on startup for hAP ac^2 devices;
*) usb - increased default power-reset timeout to 5 seconds;
*) userman - added first and last name fields for signup form;
*) w60g - fixed disconnection issues in PtMP setups;
*) winbox - renamed "Default AP Tx Rate" to "Default AP Tx Limit";
*) winbox - renamed "Default Client Tx Rate" to "Default Client Tx Limit";
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;
*) wireless - improved antenna gain setting for devices with built in antennas;
*) wireless - improved connection stability for new model Apple devices;
*) wireless - improved system stability when scanning for other networks;
*) wireless - show "installation" parameter when printing configuration;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

crau1000 · Tue Feb 12, 2019 11:07 am

Normis,

6.44Beta75 has an issue with GPS lat/longs. The new algorithm is inserting "00" after the decimal point. So originally lat/long would be 33.9686/-117.7432. NOW... from the GPS itself.... it is 33.009686/-117.007432. Ive attached a screen shot..

Screen Shot 2019-02-12 at 12.58.38 AM.png

kmansoft · Wed Feb 13, 2019 10:10 pm

The next version will have some more changes for IPsec Identities to make it more clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check the IPsec debug logs and find out what actual ID (IDi) value is sent by the initiator.

[...]

Separate but related...

I'm using a GRE interface with IPSec using certificate auth.

GRE interface properties has a setting for IPSec Secret.

When using PSK it seems redundant - there already is a PSK setting in peer / identity.

When using key or cert auth it's also redundant and unnecessary - there is no "secret" for key or cert auth. But when the "secret" is removed, the GRE tunnel doesn't get secured by IPSec (even if IPSec setting are left exactly the same), I mean IPSec is not brought up.

I think the idea is for the router to "know" that the GRE interface is supposed to be secured by IPSec - but perhaps there is a better way to set this up in the UI?

[SOLVED]

kmansoft · Wed Feb 13, 2019 10:34 pm

The next version will have some more changes for IPsec Identities to make it more clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check the IPsec debug logs and find out what actual ID (IDi) value is sent by the initiator.

[...]
Separate but related...

I'm using a GRE interface with IPSec using certificate auth.

GRE interface properties has a setting for IPSec Secret.

When using PSK it seems redundant - there already is a PSK setting in peer / identity.

When using key or cert auth it's also redundant and unnecessary - there is no "secret" for key or cert auth. But when the "secret" is removed, the GRE tunnel doesn't get secured by IPSec (even if IPSec setting are left exactly the same), I mean IPSec is not brought up.

I think the idea is for the router to "know" that the GRE interface is supposed to be secured by IPSec - but perhaps there is a better way to set this up in the UI?

And another thing about GRE + IPSec with cert auth. This one really looks like a bug.

When the GRE interface is brought up, it brings up the configured IPSec peer but *also* creates a redundant peer (with names like "peer6", "peer7") and a related item under Identities. Both are not necessary.

Not sure if it's new in 6.44 or was there before.

My "real" Peer is already set up, obviously, and uses IKEv2 and cert auth. The "bogus" peers have "main" as exchange mode and PSK auth but the local IP and remote IP are the same as in the "real" peer.

I really don't think it's in response to server (other side) initiated connections - first the server is set to IKEv2 only, second it uses cert auth (matching my "real" peer in Mikrotik) and not PSK.

Can be reproduced without reboot by disabling and then re-enabling the GRE interface in WebFig.

[SOLVED]

nescafe2002 · Wed Feb 13, 2019 10:55 pm

You can setup an ipsec transport policy with protocol=47 and ensure gre traffic is secured using the firewall ipsec policy matcher:

https://wiki.mikrotik.com/wiki/Manual:I ... ed_traffic

Dynamic peer will disappear as soon as you unset ipsec secret in gre tunnel.

sindy · Wed Feb 13, 2019 11:40 pm

Not sure if it's new in 6.44 or was there before.

kmansoft, It's not a bug, it's a feature, and definitely not version-related.

Either set the ipsec-psk field in gre (ipip, l2tp) tunnel interface settings and the peer and policy will be generated automatically ("dynamically" is the RouterOS name for it), using the default peer profile and proposal. Or define the IPsec peer & policy necesssary to secure the transport packets of your tunnel manually (and use security options as per your choice, not just the IKE(v1) main mode with PSK), and in that case do NOT fill the ipsec-psk field to prevent the dynamic peer&policy from being generated.

kmansoft · Thu Feb 14, 2019 7:56 am

@nescafe2002, @sindy

Went to check IPSec / Policy and there was one for my GRE - but it had a "D" = "dynamic". Aha!

Did this:

- Removed "IPSec Secret" from GRE tunnel interface properties
- Manually added a policy for it

/ip ipsec policy
add comment=myservertunnel dst-address=139.0.0.1/32 protocol=gre src-address=89.0.0.1/32

And now disabling and re-enabling the GRE interface:

- Keeps the IPSec connection running, with SAs and stuff
- Does not create those "peer8" policies

Both "bugs"

solved. Wonderful!

Thank you both for your help!

Who is online