v6.45beta [testing] is released!

emils · Tue Mar 05, 2019 11:55 am

Version 6.45beta6 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta6 (2019-Mar-05 08:51):

Changes in this release:

*) bridge - fixed possible memory leak when using "ingress-filtering=yes" on bridge interface;
*) certificate - added support for ECC (Elliptic Curve Cryptography);
*) certificate - force 3DES encryption for P12 certificate export;
*) crs3xx - correctly display auto-negotiation information for SFP/SFP+ interfaces in 1Gbps rate;
*) crs3xx - fixed auto negotiation when 2-pair twisted cable is used (downshift feature);
*) dhcp - fixed dual stack queue addition;
*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);
*) dhcpv6-server - use MAC address for RADIUS user when "allow-dual-stack-queue=yes";
*) ethernet - added support for 25Gbps and 40Gbps rates;
*) fetch - improved user policy lookup;
*) gps - increase precision for dd format;
*) ipsec - fixed dynamic L2TP peer and identity configuration missing after reboot (introduced in v6.44);
*) ipsec - use "remote-id=ignore" for dynamic L2TP configuration (introduced in v6.44);
*) ipv6 - do not allow setting "preferred-lifetime" longer than "valid-lifetime";
*) lte - added passthrough interface subnet selection;
*) lte - added support for manual operator selection;
*) lte - do not show error message for info commands that are not supported;
*) lte - do not show "session-uptime" if session is not up;
*) lte - improved R11e-4G modem operation;
*) lte - renamed firmware upgrade "path" command to "firmware-file" (CLI only);
*) lte - reset LTE modem only when SIM slot is changed on dual SIM slot devices;
*) lte - show alphanumeric value for operator info;
*) lte - show correct firmware revision after firmware upgrade;
*) lte - use secondary DNS for DNS server configuration;
*) ppp - added initial support for Quectel BG96;
*) rb4011 - fixed ether10 failing to auto negotiate link speed to 1Gbps;
*) sfp - fixed S-35LC20D transceiver DDMI readouts after reboot;
*) sms - improved delivery report logging;
*) snmp - added "dot1dStpPortTable" OID;
*) ssh - use correct user when "output-to-file" parameter is used;
*) switch - fixed possible crash when interface state changes and DHCP Snooping is enabled;
*) tile - improved link fault detection on SFP+ ports;
*) winbox - added "use-local-address" parameter in "IP/Cloud" menus;
*) wireless - fixed incorrect IP header for RADIUS accounting packet;
*) wireless - updated "india" regulatory domain information;
*) wireless - updated "new zealand" regulatory domain information;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

anav · Tue Mar 05, 2019 1:24 pm

*) bridge - fixed possible memory leak when using "ingress-filtering=yes" on bridge interface;

How did this bug manifest itself?? Been using this setup for a while and didnt notice any issues, on the other hand I dont really monitor that closely.

nimbo78 · Tue Mar 05, 2019 2:33 pm

is there any chance to add some internal variables to dhcp-server alert script? like in dhcp-client script.
need to send alerts with mac and ip to messengers and some APIs..

anuser · Tue Mar 05, 2019 2:39 pm

Will a new wireless driver package for 802.11ac be released in 6.45 or is it planned for a later RouterOS version?

paulct · Tue Mar 05, 2019 3:42 pm

*) ethernet - added support for 25Gbps and 40Gbps rates

Cough, MUM, new hardware?
Those new switches? And hopefully some new powerful routers.

Chupaka · Tue Mar 05, 2019 5:05 pm

a new wireless driver package for 802.11ac

What package?..

honzam · Tue Mar 05, 2019 5:38 pm

Will a new wireless driver package for 802.11ac be released in 6.45 or is it planned for a later RouterOS version?

Do you have any specific information about something to happen?

mistry7 · Tue Mar 05, 2019 5:43 pm

Will a new wireless driver package for 802.11ac be released in 6.45 or is it planned for a later RouterOS version?
Do you have any specific information about something to happen?

Normis told that in an another thread, but he did not say it will happen this year

TimurA · Tue Mar 05, 2019 5:48 pm

a new wireless driver package for 802.11ac
What package?..

Maybe waiting MU-MIMO?

jrpaz · Tue Mar 05, 2019 5:54 pm

The new package is in ROS v7 along with every other fix needed.

paoloaga · Tue Mar 05, 2019 6:00 pm

The new package is in ROS v7 along with every other fix needed.

osc86 · Tue Mar 05, 2019 6:38 pm

*) bridge - fixed possible memory leak when using "ingress-filtering=yes" on bridge interface;

How did this bug manifest itself?? Been using this setup for a while and didnt notice any issues, on the other hand I dont really monitor that closely.

I reported this problem to mt support.
It occured on my CCR1009 when vlan-filtering was enabled and frame-types set to admit-only-vlan-tagged.
In 24h it filled up the 2GB RAM ending in a kernel panic / reboot
6.45beta6 seems to have fixed this issue.

anuser · Tue Mar 05, 2019 9:43 pm

Will a new wireless driver package for 802.11ac be released in 6.45 or is it planned for a later RouterOS version?
Do you have any specific information about something to happen?
Normis told that in an another thread, but he did not say it will happen this year

Found it:
viewtopic.php?f=1&t=145047&p=713806&hil ... er#p713800 :

You are right, that MikroTik made wireless driver doesn't have Wave2 support, so new chipset benefits are not there. We are working on a new driver.

For testing purposes a second wireless package would be great.

honzam · Tue Mar 05, 2019 11:27 pm

I hope to hear new information on MUM

buset1974 · Wed Mar 06, 2019 2:41 am

Waiting fix for BGP Withdraw on multihoming PE-CE, mt said must rewrite bgp module, so do it ASAP it's a very important matter.
this issue not exist on other brand router and it's use more than 10 years software.
A lot of mikrotik device running mpls now and a lot of them on production.

thx

lelmus · Wed Mar 06, 2019 3:56 am

6.45beta6 kills SPF+ port in RB4011iGS+5HacQ2HnD-IN.

I'm using the Maxxwave MW-SX+MM-US in the SFP+ port of the RB4011iGS+5HacQ2HnD-IN. With 6.45beta6 the SFP tab under interface its all empty and SFP+ is not functional. Tried a different Maxxwave MW-SX+MM-US and same issue.

Downgraded to 6.44 (Stable) and SFP tab under interface is filled up correctly and Maxxwave MW-SX+MM-US is normally functioning.

Also, 6.45beta6 in CCR1016-12S-1S+ with Maxxwave MW-SX+MM-US in the SFP+ port works fine.

Wed Mar 06, 2019 8:13 am

Will a new wireless driver package for 802.11ac be released in 6.45 or is it planned for a later RouterOS version?
Do you have any specific information about something to happen?

There are .ax Chipsets available for a while now. I guess all WISP vendors do at least some testing in Lab now. So they have to touch wireless package to make them work.

mistry7 · Wed Mar 06, 2019 9:25 am

Don´t cry for next new Hardware, we had to wait over 12 Month for new Arm Chipsets to get running in most cases, most here had buyed 802.11n Hardware until there is no working 802.11ac available from Mikrotik, Wave2 is completely unsupported (most available devices from MT has Wave 2 Chipset).

So don´t cry for something new, cry for something working.

Wed Mar 06, 2019 10:32 am

Don´t cry for next new Hardware, we had to wait over 12 Month for new Arm Chipsets to get running in most cases, most here had buyed 802.11n Hardware until there is no working 802.11ac available from Mikrotik, Wave2 is completely unsupported (most available devices from MT has Wave 2 Chipset).

So don´t cry for something new, cry for something working.

You probably wont see MT to tweak Wifi-HW to an extend where it will be realy good for WISP usage (HW-accelerated TDMA, GPS-Sync ...). With .ac you are more or less limited to what the chipvendor does to get higher performance (plain 802.11 mode with rts/cts). So the only senseful option at the moment is to shop where this tweaking has bin done (anyone still did not manage to realize this?).

With 802.11ax the chipsetvendors have to put a lot of stuff into the chipset which helps WISPs. There is Scheduling, there is OFDMA. MT do not have to implement it. It is just there and it is vendor neutral. This is the way to go as fast as possible.

You try to ride a dead horse ...

mistry7 · Wed Mar 06, 2019 10:59 am

With 802.11ax the chipsetvendors have to put a lot of stuff into the chipset which helps WISPs. There is Scheduling, there is OFDMA. MT do not have to implement it. It is just there and it is vendor neutral. This is the way to go as fast as possible.

You try to ride a dead horse ...

And this features will not work without working driver, and since MT write there own Drivers this features need to implement.
With own Drivers there is nothing out of Box from the chipset.

isacalmeida · Wed Mar 06, 2019 6:53 pm

Hello,

Fix: ppp - fixed dynamic route creation towards VPN server when "add-default-route" is used;

This fix came in version 6.44, but it fixes the bug only for a PPPoE connection with an L2TP tunnel over it. Is it possible to include in this version the adjustment of this bug so that there is no problem of a PPTP tunnel over a PPPoE tunnel?

Thanks

lvader · Wed Mar 06, 2019 7:35 pm

*) ipsec - fixed dynamic L2TP peer and identity configuration missing after reboot (introduced in v6.44);

would be great to get this fix also to stable 6.44. Very annoying.

bdallen · Thu Mar 07, 2019 1:16 pm

I see this in 6.44

*) snmp - added "dot1qPortVlanTable" and "dot1dBasePortTable" OIDs;
*) snmp - changed fan speed value type to Gauge32;
*) snmp - fixed "rsrq" reported precision;
*) snmp - fixed w60g station table;
*) snmp - removed "rx-sector" ("Wl60gRxSector") value;
*) snmp - report bridge ifSpeed as "0";
*) snmp - report ifSpeed 0 for sub-layer interfaces;

Can 6.45 chain have the following?

*) snmp - added BGP4 OIDs

rdelacruz · Thu Mar 07, 2019 5:08 pm

It would be best if Mikrotik can send these accounting data to the RADIUS when using DHCP+RADIUS authentication.

emils · Mon Mar 11, 2019 10:39 am

Version 6.45beta11 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta11 (2019-Mar-08 13:24):

Changes in this release:

*) bridge - fixed log message when hardware offloading is being enabled;
*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);
*) dhcpv6-server - added RADIUS accounting support;
*) e-mail - fixed missing "from" address for sent e-mails (introduced in v6.44);
*) gps - removed unnecessary leading "0" for dd format;
*) ipsec - allow identities with empty XAuth login and password if RADIUS is enabled (introduced in v6.44);
*) lte - fixed LTE interface band setting on RBSXTLTE3-7 (introduced in v6.44);
*) lte - improved "info" command query;
*) rb4011 - fixed SFP linking (introduced in v6.45beta6);
*) sms - allow specifying multiple "allowed-number" values;
*) snmp - properly return multicast and broadcast packet counters for IF-MIB OIDs;
*) wireless - fixed antenna gain setting on RBSXT5nDr2;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Mon Mar 11, 2019 11:02 am

*) e-mail - fixed missing "from" address for sent e-mails (introduced in v6.44);

Emils

I'm interested how did it happen? What someone had been messing for with e-mail part of ROS?

Chupaka · Mon Mar 11, 2019 11:42 am

"All changes are listed in Changelog" (c)

emils · Mon Mar 11, 2019 12:24 pm

Somehow we have lost these change log entries in 6.44beta50 release. I will add them to 6.44 change log. Sorry for the error.

*) e-mail - added support for multiple transactions on single connection;
*) log - accumulate multiple e-mail messages before sending;

buset1974 · Mon Mar 11, 2019 5:32 pm

today i'am experiencing problem with nat on 6.44,i think it has related with new conntrack @ ccr1009
*) conntrack - added new "loose-tcp-tracking" parameter (equivalent to "nf_conntrack_tcp_loose" in netfilter)

sorry if i miss judge the problem, i degrade to 6.43.12 everything went normal.

thx

buset1974 · Mon Mar 11, 2019 6:10 pm

Somehow we have lost these change log entries in 6.44beta50 release. I will add them to 6.44 change log. Sorry for the error.

*) e-mail - added support for multiple transactions on single connection;
*) log - accumulate multiple e-mail messages before sending;

Hi emils, when this bgp problem will be fix ?
[Ticket#2018112922000575]

thx

Tue Mar 12, 2019 5:36 pm

@buset1974 not in v6

mducharme · Wed Mar 13, 2019 9:21 am

*) dhcpv6-server - added RADIUS accounting support;

This is excellent news - does this also work with DHCPv6 servers over PPP (ex. PPPoE)?

nimbo78 · Wed Mar 13, 2019 11:47 am

*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);

plz more info about this. syntax? format? etc

Wed Mar 13, 2019 3:54 pm

check/ip dhcp-server vendor-class-id menu

bbs2web · Wed Mar 13, 2019 8:58 pm

Would be really useful to have if then logic within DHCP.

The following snippet servers no file to Snom VoIP phone, x64 EFI PXE executable to UEFI PXE devices and normal PXE binary to compatibility devices.

From ISC DHCP subnet declaration:

if substring(binary-to-ascii(16, 8, ":", hardware), 0, 9) = "1:0:4:13:" {
# 1: prefix = Ethernet, SNOM phone MAC address prefix (00:04:13)
    filename "";
} elsif option unknown-93 = 00:07 {
#pxe-system-type or arch
    filename "pxe/efi/bootx64.efi";
} else {
    filename "pxe/pxelinux.0";
}

nimbo78 · Wed Mar 13, 2019 10:03 pm

Would be really useful to have if then logic within DHCP.

The following snippet servers no file to Snom VoIP phone, x64 EFI PXE executable to UEFI PXE devices and normal PXE binary to compatibility devices.

From ISC DHCP subnet declaration:
Code: Select all
if substring(binary-to-ascii(16, 8, ":", hardware), 0, 9) = "1:0:4:13:" {
# 1: prefix = Ethernet, SNOM phone MAC address prefix (00:04:13)
    filename "";
} elsif option unknown-93 = 00:07 {
#pxe-system-type or arch
    filename "pxe/efi/bootx64.efi";
} else {
    filename "pxe/pxelinux.0";
}

+++

kmansoft · Thu Mar 14, 2019 2:43 pm

After seeing this

> *) certificate - added support for ECC (Elliptic Curve Cryptography);

in beta changelog, I'm trying to use an ECDSA certificate for IPSec authentication.

Doesn't seem to work:

- Key generation:

openssl ecparam -genkey -name secp384r1

- Certificate generation:

Same as before with RSA keys

- Server config - strongSwan, certificate auth

Loads its private EC key just fine

- Client config - another client also strongSwan to same server

Loads its private EC key just fine, is able to connect to the server

- Client config - Mikrotik AC2

I was able to import the certificates and an EC key (for the client's certificate), the cert gets marked as "KT" (T for trusted). So far so good.

And then trying to establish the connection:

The IKEv2 is negotiated.

At SA creation time apparently the Mikrotik AC2 can't authenticate, and it doesn't send an auth error back to the server (because I see the server keep retrying).

This keeps appearing in the logs:

> can't get private key

So it looks like "system / certificates" is able to match a certificate with its EC key (when both are imported, the cert is marked with "T" for "trusted").

But IPSec is not able to.

-----

Will this be fixed please so that EC certificates can be used for IPSec auth?

And one more thing - it seems that right now EC key support does not include ed25519. Could this be added please?

Thu Mar 14, 2019 2:54 pm

EC certificates can be used only for www services. Ipsec does not support them.

kmansoft · Thu Mar 14, 2019 3:08 pm

EC certificates can be used only for www services. Ipsec does not support them.

OK, any plans to make use for IPSec possible? And for ed25519 curve?

Thu Mar 14, 2019 4:59 pm

IKE2 rfc states the use of RSA.
What would be the client devices that support EC? Why exactly you need this?

Note · Fri Mar 15, 2019 8:58 am

*) bridge - fixed possible memory leak when using "ingress-filtering=yes" on bridge interface;

That is supposed that was fixed on 6.44 stable............

bommi · Fri Mar 15, 2019 2:41 pm

IKE2 rfc states the use of RSA.
What would be the client devices that support EC? Why exactly you need this?

EC key exchanges are much faster than RSA, because the keysize is much smaller.
My usecase are mobile devices on bad mobile connections.

ppptran · Sun Mar 17, 2019 7:37 am

*) rb4011 - fixed SFP linking (introduced in v6.45beta6);

This .

If there's a fix for SFP with 100M fiber link would be greatly appreacited

idlemind · Mon Mar 18, 2019 5:39 am

IKE2 rfc states the use of RSA.
What would be the client devices that support EC? Why exactly you need this?

RFC 4754

https://tools.ietf.org/html/rfc4754

Not finalized but per usual MikroTik is behind almost all other vendors in supporting valid technology.

Of course we still can't ping IPv6 only hosts by name in the CLI, or provide clients with IPv6 addresses over DHCPv6.

emils · Mon Mar 18, 2019 1:29 pm

Version 6.45beta16 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta16 (2019-Mar-18 07:49):

Changes in this release:

*) dhcpv4-server - improved stability when performing "check-status" command;
*) ike2 - do not send "User-Name" attribute to RADIUS server if not provided;
*) ike2 - improved XAuth identity conversion on upgrade;
*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity (CLI only);
*) ipsec - added "ph2-total" counter to "active-peers" menu (CLI only);
*) ipsec - added support for RADIUS accounting;
*) ipsec - added traffic statistics to "active-peers" menu (CLI only);
*) ipsec - do not allow adding identity to a dynamic peer;
*) ipsec - renamed "remote-peers" to "active-peers" (CLI only);
*) lte - use default APN name "internet" when not provided;
*) proxy - increased minimal free RAM that can not be used for proxy services;
*) switch - properly reapply settings after switch chip reset;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Farseer · Mon Mar 18, 2019 2:15 pm

For this patch, could you allow sa-dst-address and sa-src-address in IPSec to accept DDNS names? It's great and all to create scripts and to put it on a scheduler to resolve the ip's and update those fields, but can't it just accept the ddns name/cloud host name instead?

Mon Mar 18, 2019 2:28 pm

In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated.

Farseer · Mon Mar 18, 2019 3:18 pm

In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated.

In the scenario where an ISP doesn't provide a static IP to it's client, instead using Dynamic IP or PPPoE with a dynamic IP. In such cases, a DDNS hostname is always needed to achieve VPN/Online Cameras/RDP. But when it comes to doing an IPSec VPN setup with a Mikrotik router, the hostnames can't be used as you can't enter them into sa-dst-address, thereby forcing you to go make a script and putting that script on a scheduler.

Edit: Non-road warrior basically.

Zoolander06 · Mon Mar 18, 2019 6:06 pm

*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);

Hi,

Is there a documentation somewhere about this new feature ?

Joris

Neilson · Mon Mar 18, 2019 6:26 pm

I installed the latest Beta 6.45Beta16 on an hAP ac lite (Coming from 6.45Beta11).

Reboot to install packages
Reboot to update routerboot
- wlan2 interface disappears
Reboot again
- wlan2 interface appears again

So for other users this may need a further reboot.

Mikrotik may want to run this test themselves to see if reproducible. I can make a supout if needed.

Regards
Alexander

Cha0s · Tue Mar 19, 2019 6:47 pm

In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated.
In the scenario where an ISP doesn't provide a static IP to it's client, instead using Dynamic IP or PPPoE with a dynamic IP. In such cases, a DDNS hostname is always needed to achieve VPN/Online Cameras/RDP. But when it comes to doing an IPSec VPN setup with a Mikrotik router, the hostnames can't be used as you can't enter them into sa-dst-address, thereby forcing you to go make a script and putting that script on a scheduler.

Edit: Non-road warrior basically.

++

Zoolander06 · Wed Mar 20, 2019 4:37 pm

So I gave a try to the new vendor class identifier matcher feature, it works well but it's quite limited : one can only reserve a pool of IPs to a certain type of devices.
It would be nice to be able to send different options to certain devices.
Example : I have Yealink and Cisco IP phones on my network, each one need a different TFTP server name (option 66) to provision, but I can only set one per dhcp server.
With this beta version I can control which IP my phones will have, but I still can't specify a distinct option 66 for each type.

Or am I missing something ?

Thu Mar 21, 2019 2:39 pm

You can specify DHCP option set per DHCP network.

emils · Fri Mar 22, 2019 12:47 pm

Version 6.45beta19 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta19 (2019-Mar-22 07:30):

Changes in this release:

*) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1) (CLI only);
*) certificate - removed DSA (D) flag;
*) ike1 - improved stability for transport mode policies on initiator side;
*) ike2 - added support for ECDSA certificate authentication (rfc4754);
*) ike2 - prefer SAN instead of DN from certificate for ID payload;
*) ipsec - renamed "rsa-signature" authentication method to "digital-signature";
*) smb - fixed possible buffer overflow;
*) sms - added USSD message functionality under "/tool sms" (CLI only);
*) ssh - do not generate host key on configuration export;
*) wireless - improved DFS radar detection when using non-ETSI regulated country;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Mikrotiker · Fri Mar 22, 2019 2:48 pm

after the update to 6.45beta19 the wireless interface can no longer be found.

Model: SXT HG5 ac

Code: Select all

ROS Update, reboot

Wireless interface disappeared



Routerboot update, reboot

Wireless interface disappeared



reboot

Wireless interface disappeared



Log: DefConf gen: Unable to find Wireless interface(s)

I will send you a supout with the reference to this thread.

I did a downgrade to 6.45beta16 and everything is back and running. except the remote unit.

Zoolander06 · Fri Mar 22, 2019 3:56 pm

You can specify DHCP option set per DHCP network.

You're right, but I usually need all my phones to be on the same network.
I think I could make some subnets, maybe it would work, but it would be easier and more logical to set the options in the vendor class identifier matcher, or in the pool.

Thank you for answering me

kitit · Fri Mar 22, 2019 4:25 pm

after the update to 6.45beta19 the wireless interface can no longer be found.

Model: SXT HG5 ac

Code: Select all
ROS Update, reboot Wireless interface disappeared Routerboot update, reboot Wireless interface disappeared reboot Wireless interface disappeared Log: DefConf gen: Unable to find Wireless interface(s)

RouterBOARD 962UiGS-5HacT2HnT

In Log: 15:26:21 script,warning DefConf gen: Unable to find wireless interface(s)

Wireless 5GHz not found in interafaces

ArtursL · Fri Mar 22, 2019 7:21 pm

In RouterOS 6.45beta19 there is a known bug that 5GHz WLAN interface disappears. Affects only specific devices - those that have wireless 5GHz interface-type=Atheros AR9888.
Downgrading back to 6.45beta16 or earlier returns the interface.
Thank you Mikrotiker and kitit for reporting.

honzam · Fri Mar 22, 2019 7:42 pm

In RouterOS 6.45beta19 there is a known bug that 5GHz WLAN interface disappears. Affects only specific devices - those that have wireless 5GHz interface-type=Atheros AR9888.
Downgrading back to 6.45beta16 or earlier returns the interface.
Thank you Mikrotiker and kitit for reporting.

The same problem on AR5008 (711GA-5HnD). Please check it.

dhoulbrooke · Fri Mar 22, 2019 7:46 pm

Hi Arturs,

In RouterOS 6.45beta19 there is a known bug that 5GHz WLAN interface disappears. Affects only specific devices - those that have wireless 5GHz interface-type=Atheros AR9888.

The 5GHz interface disappears on the wAP ac also.

arnis128 · Sat Mar 23, 2019 11:50 am

Hi, all!
I can confirm, that 5ghz band does not work on RouterBOARD M33G with Athereros 5008 pci-e card installed.

Also upgrade of any of my mipsbe (mAP 2n,mAP L-2nD) platform fails, because ipv6 package is broken.
-----------------
Mar/23/2019 10:54:24 system,error broken package system-6.45beta19-mipsbe.npk
Mar/23/2019 10:54:24 system,error can not install ipv6-6.45beta19: system-6.45beta19 is not installed, but is required
Mar/23/2019 10:54:24 system,info router rebooted
-----------------
Arnis

korniza · Sun Mar 24, 2019 5:26 pm

Same here! I'm afraid this update killed my old rb751

msatter · Sun Mar 24, 2019 11:33 pm

Thanks for adding ECDSA certificates!

wispmikrotik · Mon Mar 25, 2019 2:42 pm

Hi, all!
I can confirm, that 5ghz band does not work on RouterBOARD M33G with Athereros 5008 pci-e card installed.

Also upgrade of any of my mipsbe (mAP 2n,mAP L-2nD) platform fails, because ipv6 package is broken.
-----------------
Mar/23/2019 10:54:24 system,error broken package system-6.45beta19-mipsbe.npk
Mar/23/2019 10:54:24 system,error can not install ipv6-6.45beta19: system-6.45beta19 is not installed, but is required
Mar/23/2019 10:54:24 system,info router rebooted
-----------------
Arnis

Hi,

Same problem in a mAP Lite, after restarting and testing again to install the version this is installed correctly. Verified the correct installation.

Greeting

emils · Tue Mar 26, 2019 8:53 am

Version 6.45beta20 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta20 (2019-Mar-25 10:07):

Changes in this release:

*) certificate - made RAM the default CRL storage location;
*) ike1 - adjusted debug packet logging topics;
*) ipsec - fixed freshly created identity not taken in action;
*) lte - allow to specify URL for firmware upgrade "firmware-file" parameter;
*) sms - fixed long message parsing (introduced in v6.45beta19);
*) wireless - fixed 5GHz interface disappearing after upgrade (introduced in v6.45beta19);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

kmansoft · Tue Mar 26, 2019 9:41 pm

Will this be fixed please so that EC certificates can be used for IPSec auth?

Thank you for this in beta 19!

( now support for ed25519 would be great too... hint hint... )

emils · Fri Mar 29, 2019 1:03 pm

Version 6.45beta22 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta22 (2019-Mar-29 08:37):

Changes in this release:

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);
*) certificate - added "key-type" field (CLI only);
*) certificate - fixed SAN being duplicated on status change (introduced in v6.44);
*) dhcpv6-server - added "address-list" support for bindings (CLI only);
*) export - fixed SMS "allowed-number" compact export (introduced in v6.45beta);
*) fetch - added SFTP support;
*) ike2 - prefer SAN instead of DN from certificate for ID payload;
*) ipsec - added support for RADIUS accounting;
*) ipsec - fixed policies becoming invalid after changing priority;
*) snmp - added OID for neighbor "interface";
*) snmp - added "write-access" column to community print;
*) snmp - allow setting interface "adminStatus";
*) ssh - fixed multiline non-interactive command execution;
*) ssh - improved session rekeying process on exchanged data size threshold;
*) supout - added "kid-control devices" section to supout file;
*) userman - updated authorize.net gateway DNS name;
*) w60g - prefer AP with strongest signal when multiple APs with same SSID present;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

eworm · Fri Mar 29, 2019 1:12 pm

*) fetch - added SFTP support;

Yes, can't wait to use this! Is there a way to use it with public key authentication?

ludvik · Fri Mar 29, 2019 1:34 pm

will it be backported to versions 6.40.x and 6.43.x?

Version 6.45beta22 has been released.

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);

maznu · Fri Mar 29, 2019 1:40 pm

will it be backported to versions 6.40.x and 6.43.x?
Version 6.45beta22 has been released.

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);

Sorry, but CVE-2018-19299 is not fixed in 6.45beta22.

marekm · Fri Mar 29, 2019 1:43 pm

What's new in 6.45beta22 (2019-Mar-29 08:37):

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);

*) w60g - prefer AP with strongest signal when multiple APs with same SSID present;

1. ipv6 - thanks for the CVE fixes, hope to see them in stable/long-term soon. Then, with this out of the way, please work on Delegated-IPv6-Prefix for PPPoE so many people can actually deploy IPv6

2. w60g - does it try weaker APs in turn after it fails to connect to the strongest one? Could happen with wrong key, or exceeded limit of stations per AP (1 or 8 depending on license), or denied by MAC ACL (if ever implemented for w60g, as in 2.4/5GHz wifi).

msatter · Fri Mar 29, 2019 1:53 pm

@markim the creator of the CVE states in the post above yours, that the first CVE 19299 was not fixed by this beta.

When Mikrotik is giving more info about this we will know if it is fixed in their eyes.

marekm · Fri Mar 29, 2019 2:30 pm

The two posts were written at about the same time. I guess there will be another beta to test soon...

Fri Mar 29, 2019 2:50 pm

Issues that were reported to Mikrotik have been fixed. Device no longer can be crashed. maznu, if you have any more details, please email support and explain what you meant.

ErfanDL · Fri Mar 29, 2019 4:38 pm

and when release for stable channel ?!

Farseer · Fri Mar 29, 2019 8:04 pm

@emils

Is the scenario sufficient for IPSec sa-dst/src-address hostname name usage?

Chupaka · Fri Mar 29, 2019 11:03 pm

and when release for stable channel ?!

As soon as it’s ready

kiler129 · Sun Mar 31, 2019 6:48 am

Is there any plans to address the 5Ghz interface crash on RB4011?

Sun Mar 31, 2019 11:30 am

There were two IPv6 related issues resolved in this version:
1) IPv6 packet forwarding might get stuck (due to IPv6 route cache processing) that could lead to Watchdog reboot;
2) IPv6 neighbor table processing might get stuck (due to large neighbor table) that could lead to Watchdog reboot.

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.

jrpaz · Sun Mar 31, 2019 3:28 pm

it can not be considered as a bug or vulnerability

That's not what they are saying here viewtopic.php?f=2&t=147048
They are talking about CCR's and CHR's crashing I don't know what more resources people need.

maznu · Sun Mar 31, 2019 3:45 pm

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.

I agree with the technical assessment above: if someone else tries to reach 1 million hosts in your network and you have less than 500Mb of free RAM, then your router will crash.

I believe MikroTik produces five devices which are not vulnerable in the configuration as shipped by MikroTik if those devices are used as transit routers (i.e. with full BGP IPv4 and IPv6 tables loaded).

maznu · Sun Mar 31, 2019 3:48 pm

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.

As a side note, now that MikroTik has publicly released full details about the vulnerability, I hope nobody is going to be worried about what I am presenting on April 9th. The content of the talk will not increase the risk to your networks.

jrpaz · Sun Mar 31, 2019 3:50 pm

It's not on the security blog. I'm assuming it will be there sooner rather than later.

Samot · Sun Mar 31, 2019 5:31 pm

it can not be considered as a bug or vulnerability
That's not what they are saying here viewtopic.php?f=2&t=147048
They are talking about CCR's and CHR's crashing I don't know what more resources people need.

Actually there is at least one person in that thread that confirmed when taking their CHR from 300MB RAM to 3GB RAM the issue goes away. That does sound like a memory resource problem there. Let's just not assume that because they are running CHR they must have all the resources in the world. The youtube videos that were posted about this issue and showing the CHR crashing was a CHR with 256MB RAM. If people are saying their CCR's are crashing over this I would then ask, which model of the CCR? Because if it's the 1009 series, I could see it having an issue since it has 1GB RAM and this issue can eat up over 500MB on its own it could cause the CCR1009's to have issues.

Was anyone able to reproduce this on a CCR's that have 2-4GBRAM? Did this eat them up too?

marlow · Mon Apr 01, 2019 12:37 am

Also, if Mikrotik RouterOS allows the cache to eat up more memory than what is available on the device, then that is a bug. Simply because the device knows what amount of ram it has to begin with. It should not be able to allow the device to allocate more ram than what it has or has available.

Not having that sort of limitation in there in the first place begs to be exploited. Shortsighted development.

/M

kiler129 · Mon Apr 01, 2019 3:56 am

The atmosphere here is becoming slightly toxic...

Like freaking really, how many of you worked with software as a developer? It’s very easy to say when you have very little clue how hard such problems are. I understand the frustration at the end effect, but it seems like MT is doing what they can to mitigate. Even though the device may know it’s memory its growth may not be as easy to predict as you think.

These IPv6 problems aren’t new or present really a huge danger with properly configured environment. If you expect a small router with 64MB of the memory to handle a lot of incoming connections you’re already in trouble with contrack.

marlow · Mon Apr 01, 2019 4:08 am

These IPv6 problems aren’t new or present really a huge danger with properly configured environment. If you expect a small router with 64MB of the memory to handle a lot of incoming connections you’re already in trouble with contrack.

The issue here is, that the memory usage of the cache can't be limited by configuration .. (unless you switch ipv6 off) and that it basically can arbitrarily triggered by an external attacker which results in a DoS scenario as the router even stops forwarding traffic or constantly reboots triggered by watchdog while under attack (as far as I understand).

The other issue is, that Mikrotik has known and acknowledged, that this is an issue since March 2018 and has not done anything about it until now, where they've been told, that the exploit is to be known public.

/M

emils · Mon Apr 01, 2019 9:52 am

Version 6.45beta23 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta23 (2019-Apr-01 05:51):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.45:
----------------------
!) ipv6 - fixed soft lockup when forwarding IPv6 packets;
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table;
----------------------

Changes in this release:

*) ipsec - properly drop already established tunnel when address change detected;
*) ipv6 - adjust IPv6 route cache max size based on total RAM memory;
*) smb - fixed possible buffer overflow;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

nkourtzis · Mon Apr 01, 2019 9:59 am

There were two IPv6 related issues resolved in this version:
1) IPv6 packet forwarding might get stuck (due to IPv6 route cache processing) that could lead to Watchdog reboot;
2) IPv6 neighbor table processing might get stuck (due to large neighbor table) that could lead to Watchdog reboot.

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.

As a matter of fact, silently allowing any data structure to grow beyond the available system resources without any safegard or alternative mechanism in place, is a bug. Even more so, since the default is inappropriate for most of the devices in your product lineup.

-- EDIT: I just saw the new beta changelog. Thank you for fixing for IPv6! Does it also apply to the IPv4 route cache?

rkj · Mon Apr 01, 2019 10:30 am

There were two IPv6 related issues resolved in this version:
1) IPv6 packet forwarding might get stuck (due to IPv6 route cache processing) that could lead to Watchdog reboot;
2) IPv6 neighbor table processing might get stuck (due to large neighbor table) that could lead to Watchdog reboot.

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, route cache grows and can take up to 500 MB. If you have device that does not have such resources, it will reboot itself. If router has, for example, 1 GB of RAM - there is no problem. We will most likely allow to change cache size or will decide its size based on RAM size. However, it can not be considered as a bug or vulnerability. You make router work and then complain that resources are required to do the job. This is not a bug.

Actually, it's. In networking cache-based forwarding has been considered harmful for reasons such as this problem, and replaced by topology-based forwarding. So it at least one the bugs shouldn't even exist. But even topology-based systems require neighbour tables, so this one needs to be managed both in size and in rate, while also managing rate of packets targeted at in progress neighbours.

jprietove · Mon Apr 01, 2019 11:17 am

Version 6.45beta23 has been released.
What's new in 6.45beta23 (2019-Apr-01 05:51):
!) ipv6 - fixed soft lockup when forwarding IPv6 packets;
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table;
----------------------

Congratulations! I have tested this beta and I confirm that with 300 Mb RAM the router's memory doesn't fill. A CHR with 300 Mb of RAM with OSPF-v3 has 237 Mb of free-memory and during the attack it keeps on around 200 Mb.

Hopefully this fix will be in long-term and current branches soon.

maznu · Mon Apr 01, 2019 12:08 pm

Congratulations! I have tested this beta and I confirm that with 300 Mb RAM the router's memory doesn't fill. A CHR with 300 Mb of RAM with OSPF-v3 has 237 Mb of free-memory and during the attack it keeps on around 200 Mb.

Hopefully this fix will be in long-term and current branches soon.

I concur.

I look forward to everyone being able to push this live, given that MikroTik has disclosed the nature of the vulnerability before making the fix available in the "bugfix" and "current" versions of RouterOS.

Jotne · Mon Apr 01, 2019 1:48 pm

Its not that your router will go down if you do not install a fix for IPv6 to your router.

You need IPv6 enabled.
You need some that know you are running IPv6.
You need someone targeting you with an attack.

Erayd · Mon Apr 01, 2019 2:16 pm

You need someone targeting you with an attack.

Or targeting somebody else, but transiting your routers on the way. But you make good points. It's still a serious issue though.

Mon Apr 01, 2019 2:24 pm

Its not that your router will go down if you do not install a fix for IPv6 to your router.

You need IPv6 enabled.
You need some that know you are running IPv6.
You need someone targeting you with an attack.

Quite simple. Do a traceroute to a customer. Identify the BGP-Gateway. Start Attack. Any WISP doing not IPV6 now ?
You will find humans doing this just for fun.

We need the fix in the Long-Term Release ASAP.

Jotne · Mon Apr 01, 2019 3:06 pm

You will find humans doing this just for fun.

That is true.
I installed Cowrie on port 22/23 (SSH and Telnet honeypot). Looking trough the logs 99.99% is automatic scripts that tries to install various stuff automatically, so lots of bots end little fun

80-90% of the SSH conections tries this:
direct-tcp connection request to ya.ru:80 from 0.0.0.0:0
Just to test if they can use SSH as proxy i guess. (99% uses ya.ru as a test server)
Some of the log:

New connection: 5.188.86.165:64944 (10.10.10.50:2222) [session: 42d69d743f2c]
Remote SSH version: 'SSH-2.0-Go'
login attempt [root/admin] succeeded
direct-tcp connection request to ya.ru:80 from 0.0.0.0:0
Connection lost after 0 seconds

New connection: 189.46.216.87:38040 (10.10.10.50:2223) [session: 8a47a991d959]
login attempt [root/1234] succeeded
enable
system
shell
sh
cat /proc/mounts; /bin/busybox LPPBJ
cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox LPPBJ
tftp; wget; /bin/busybox LPPBJ
dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s
/bin/busybox LPPBJ
rm .s; exit
Connection lost after 2 seconds

New connection: 46.48.231.3:43837 (10.10.10.50:2222) [session: ababf7a7cf75]
Remote SSH version: 'SSH-2.0-libssh2_1.8.1'
login attempt [root/root] failed
login attempt [root/admin] succeeded
/ip cloud print
ifconfig
uname -a
cat /proc/cpuinfo
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
echo Hi | cat -n
Connection lost after 33 seconds

New connection: 189.46.216.87:38040 (10.10.10.50:2223) [session: 8a47a991d959]
login attempt [root/1234] succeeded
enable
system
shell
sh
cat /proc/mounts; /bin/busybox LPPBJ
cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox LPPBJ
tftp; wget; /bin/busybox LPPBJ
dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s
/bin/busybox LPPBJ
rm .s; exit
Connection lost after 2 seconds

New connection: 46.48.231.3:43837 (10.10.10.50:2222) [session: ababf7a7cf75]
Remote SSH version: 'SSH-2.0-libssh2_1.8.1'
login attempt [root/root] failed
login attempt [root/admin] succeeded
/ip cloud print
ifconfig
uname -a
cat /proc/cpuinfo
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
echo Hi | cat -n
Connection lost after 33 seconds

emils · Thu Apr 04, 2019 12:31 pm

Version 6.45beta27 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta27 (2019-Apr-03 13:53):

Changes in this release:

*) dhcpv4-server - fixed commenting option for alerts;
*) dhcpv6-server - added "address-list" support for bindings (CLI only);
*) discovery - limit max neighbour count per interface based on total RAM memory;
*) discovery - improved neighbour's MAC address detection;
*) fetch - added SFTP support;
*) ipsec - fixed possible configuration corruption after import;
*) ipv6 - improved IPv6 neighbor table updating process;
*) rb2011 - removed "sfp-led" from "System/LEDs" menu;
*) ssh - added new "ssh-exec" command for non-interactive command execution;
*) ssh - fixed multiline non-interactive command execution;
*) wireless - added support for US FCC UNII-2 and Canada country profiles for LHG-5HPnD-US, RBLHG-5HPnD-XL-US and SXTsq5HPnD-US devices;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

osc86 · Fri Apr 05, 2019 12:27 am

igmp-snooping is killing ipv6 connectivity, by not forwarding neighbor solicitation messages.
FF02:1:XXXX:XXXX isn't listed in MDB table, so no NS messages are exchanged between hosts.
This happens at least since beta22.

davidzodelin · Fri Apr 05, 2019 2:27 am

*) wireless - added support for US FCC UNII-2 and Canada country profiles for LHG-5HPnD-US, RBLHG-5HPnD-XL-US and SXTsq5HPnD-US devices;

Please add support US FCC UNII-2 for RBSXT5nDr2 (SXT Lite 5)

erty · Sat Apr 06, 2019 4:32 pm

RouterOS 6.45beta27
When I set neighbor discovery interface to "!WAN" and then do "export" command I've see in console print:

/ip neighbor discovery-settings
set discover-interface-list=WAN

Without "!" symbol. But if I do "export verbose" it show me

set discover-interface-list=!WAN

It is not good in case of simple copy/paste exported settings

eworm · Mon Apr 08, 2019 1:11 pm

*) fetch - added SFTP support;
Yes, can't wait to use this! Is there a way to use it with public key authentication?

Before we start discussing any advanced features... How does this work at all? Looks like mode=sftp is not a valid syntax for fetch.

Mon Apr 08, 2019 1:15 pm

@eworm with url=sftp://xxx.xx/

emils · Fri Apr 12, 2019 2:25 pm

Version 6.45beta31 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta31 (2019-Apr-12 10:29):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) conntrack - fixed "loose-tcp-tracking" parameter not taken in action (introduced in v6.44);
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcp - do not require lease and binding to have the same configuration for dual-stack queues;
*) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues;
*) dhcpv4-server - added "client-mac-limit" parameter (CLI only);
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters (CLI only);
*) dhcpv6-server - added "route-distance" parameter (CLI only);
*) dhcpv6-server - fixed binding setting update from RADIUS;
*) fetch - added SFTP support;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods (CLI only);
*) ipsec - added traffic statistics to "active-peers" menu (CLI only);
*) ipsec - general improvements in policy handling;
*) ipsec - replaced policy SA address parameters with peer setting;
*) ipsec - use tunnel name for dynamic IPsec peer name;
*) ipv6 - adjusted IPv6 route cache max size;
*) lte - fixed session reactivation on R11e-LTE in UMTS mode;
*) snmp - added "radio-name" (mtxrWlRtabRadioName) OID support;
*) ssh - added "both", "local" and "remote" options for "forwarding-enabled" parameter;
*) tunnel - removed "local-address" requirement when "ipsec-secret" is used;
*) userman - added support for "Delegated-IPv6-Pool";
*) userman - added support for "Delegated-IPv6-Pool" and "DNS-Server-IPv6-Address" (CLI only);
*) wireless - improved wireless country settings for EU countries;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

osc86 · Fri Apr 12, 2019 2:39 pm

----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------
Amazing news! Thanks!

muetzekoeln · Fri Apr 12, 2019 2:53 pm

Version 6.45beta31 has been released.

*) wireless - improved wireless country settings for EU countries;

Please explain!

Fri Apr 12, 2019 2:59 pm

Not all frequency ranges had designation "indoor only" or "outdoor only". One range was incorrectly labeled, this is fixed now. 5250-5330 now is correctly marked as indoor.

tangram · Fri Apr 12, 2019 3:25 pm

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

Holy Jumpin' Jesus !

emils · Fri Apr 12, 2019 3:31 pm

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.

Beone · Fri Apr 12, 2019 4:06 pm

Not all frequency ranges had designation "indoor only" or "outdoor only". One range was incorrectly labeled, this is fixed now. 5250-5330 now is correctly marked as indoor.

is the impact purely cosmetic or also effectively changes frequency list allowed to use depending installation type indoor/outdoor?

what about passive probing indication for unii-1 band?

Paternot · Fri Apr 12, 2019 4:36 pm

Version 6.45beta31 has been released.
*) ipsec - replaced policy SA address parameters with peer setting;

A dream come true!

Version 6.45beta31 has been released.
*) ipsec - general improvements in policy handling;
*) ipsec - use tunnel name for dynamic IPsec peer name;

What, exactly, these two mean?

pcunite · Fri Apr 12, 2019 11:05 pm

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.

Jinaria · Fri Apr 12, 2019 11:47 pm

Version 6.45beta31 has been released.

after upgrading RB3011 from Beta 27 to Beta 31, I was no longer been able to access the device by IP nor mac address via winbox or browser.
There was no error on the device display, dhcp server failed to assign any IP and setting manual ip address did not help either. So I reset the config and restored the backup config file, same issue.
The only solution was: downgrade to Beta 27 and restore the backup.

kmansoft · Sat Apr 13, 2019 12:41 am

An AC2 Lite TC ( RB 952-Ui-5ac2nD ) seems to have trouble with WiFi on beta 31.

- All ether* and wifi* are in a bridge
- wifi2 ( 5 GHz ) is in pseudo bridge mode - connects to upstream AC2
- wifi1 ( 2.4 GHz) is disabled
- ether1 feeds a notebook
- No firewall rules
- It's a basic wireless - to - wired bridge

The device is not able to obtain a DHCP client address - "searching...." which lasts forever. The few times it did work, ping to the upstream was very unstable - some took up to 2 seconds (normal is 1ms) and maybe 2/3 lost.

Did not occur on beta 27. I also updated Routerboard Firmware when updating from 27 to 31.

Reverting back to 6.44.2 "stable" immediately fixed the issue.

PS - looks very similar to the message above from @Jinaria, "after upgrading RB3011 from Beta 27 to Beta 31..."

huntermic · Sat Apr 13, 2019 10:02 am

Version 6.45beta31 has been released.

after upgrading RB3011 from Beta 27 to Beta 31, I was no longer been able to access the device by IP nor mac address via winbox or browser.
There was no error on the device display, dhcp server failed to assign any IP and setting manual ip address did not help either. So I reset the config and restored the backup config file, same issue.
The only solution was: downgrade to Beta 27 and restore the backup.

I had the same issue on a RB4011, plugging pc in another port did the trick.

osc86 · Sat Apr 13, 2019 10:47 am

I hope they'll add an option to remove single SAs in the future.

Jinaria · Sat Apr 13, 2019 12:15 pm

I had the same issue on a RB4011, plugging pc in another port did the trick.

The issue on my RB3011 affects all of the ports, connecting to different port/switch didn't fix the issue for me.

korniza · Sat Apr 13, 2019 2:49 pm

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My winbox is v3.18.
Anyone has same issue?

osc86 · Sat Apr 13, 2019 6:34 pm

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My winbox is v3.18.
Anyone has same issue?

Happens to me, too.

vecernik87 · Sun Apr 14, 2019 5:24 am

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My winbox is v3.18.
Anyone has same issue?
Happens to me, too.

By my experience, sometime, crash of winbox produces autosupout. If you get it, it would be good if you can send it to mikrotik support so they can fix it

korniza · Sun Apr 14, 2019 10:45 pm

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My winbox is v3.18.
Anyone has same issue?
Happens to me, too.
By my experience, sometime, crash of winbox produces autosupout. If you get it, it would be good if you can send it to mikrotik support so they can fix it

I just send the autosupport.rif. thank you for your advice

eworm · Mon Apr 15, 2019 12:04 pm

*) lte - fixed session reactivation on R11e-LTE in UMTS mode;

I think this hit me a lot in the past... Hope this will make its way into next stable release.

mkx · Mon Apr 15, 2019 3:04 pm

I think this hit me a lot in the past... Hope this will make its way into next stable release.

Quite probably ... when 6.45 branch will be the stable branch.

eworm · Mon Apr 15, 2019 3:07 pm

I think this hit me a lot in the past... Hope this will make its way into next stable release.
Quite probably ... when 6.45 branch will be the stable branch.

I hope for 6.44.3.

phin · Mon Apr 15, 2019 9:52 pm

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.

Oh man, that would be awesome!

UserDude · Tue Apr 16, 2019 9:12 am

What's new in 6.45beta31 (2019-Apr-12 10:29):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

So this means wired 802.1x is now supported I guess. Any idea how we can configure this through CLI ?
Also is there a planned GUI support version of it coming soon ?

osc86 · Tue Apr 16, 2019 11:08 am

So this means wired 802.1x is now supported I guess. Any idea how we can configure this through CLI ?
Also is there a planned GUI support version of it coming soon ?

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.

nostromog · Tue Apr 16, 2019 7:06 pm

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration:

/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes

After the upgrade, the CPU was 100%, most of it in ipsec, and / export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C it.

Same problem as before.

The router was sluggish but I could select long-term and downgrade to 6.43.13.

Then the machine went up, but ssh was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I went in, re-ebabled it, rebooted and the following IPsec configuration appeared:

/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes

I copied away the ipsec config, which was broken in any case, and tried an experiment: remove all ipsec config, piece by piece
until /ip ipsec export would produce an empty comment. Then I upgraded to get:
* 6.44.2 (100% CPU, could not get /ip ipsec export working)
* 6.45beta31 (same, 100% CPU, could not get /ip ipsec export working).

Is RouterOS keeping all configs hidden somethere, or where is this 100% CPU spinning coming from?

I settled by returning to long term and reconstructing my ipsec config, changing it to xauth and adding users. It is now working well... I was trying to test ike2,
but instead I'm now stuck in long-term.

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Thanks for any help, things are getting messy in this router. Other routers are having no problems at all with ipsec/6.44/6.54beta. I have a production h AP ac running 6.44, as I'm afraid to update it and get the same behaviour

mkx · Tue Apr 16, 2019 10:19 pm

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Almost certain way would be netinstall directly to desired ROS version. And then import config from textual export.

nostromog · Tue Apr 16, 2019 11:50 pm

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?
Almost certain way would be netinstall directly to desired ROS version. And then import config from textual export.

I'm leaving the place where the machine that failed to upgrade yesterday is in a few hours, not to return in more than one month... I could upgrade/downgrade remotely, but certainly not netinstall.

The place where I'm running 6.44 and I don't dare upgrade is remote also, I might have an opportunity to get there and upgrade with possible netinstall in 2/3 months... Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures... I'll do more experiments in 5 weeks when I return here.

Unreliable upgrades are a big problem, I can't understand how deleting configuration still leds to failure to upgrade

osc86 · Wed Apr 17, 2019 12:52 am

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration:
Code: Select all
/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
After the upgrade, the CPU was 100%, most of it in ipsec, and / export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C it.

Same problem as before. The router was sluggish but I could select long-term and downgrade to 6.43.13.

Then the machine went up, but ssh was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I went in, re-ebabled it, rebooted and the following IPsec configuration appeared:
Code: Select all
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
I copied away the ipsec config, which was broken in any case, and tried an experiment: remove all ipsec config, piece by piece
until /ip ipsec export would produce an empty comment. Then I upgraded to get:
* 6.44.2 (100% CPU, could not get /ip ipsec export working)
* 6.45beta31 (same, 100% CPU, could not get /ip ipsec export working).

Is RouterOS keeping all configs hidden somethere, or where is this 100% CPU spinning coming from?

I settled by returning to long term and reconstructing my ipsec config, changing it to xauth and adding users. It is now working well... I was trying to test ike2,
but instead I'm now stuck in long-term.

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Thanks for any help, things are getting messy in this router. Other routers are having no problems at all with ipsec/6.44/6.54beta. I have a production h AP ac running 6.44, as I'm afraid to update it and get the same behaviour

Looks similar to the problem I had with 6.44. Bad news is, I had to netinstall to get rid of the broken parts, caused by the migration of configuration, when I up/down-graded the firmware.
viewtopic.php?f=21&t=145793&start=150#p719370

ssbaksa · Wed Apr 17, 2019 8:39 am

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.

When dot1x become official, will it be applied to all switches (Router OS based as well as Switch OS)?

estdata · Wed Apr 17, 2019 1:38 pm

Help me adjust the speeds so that the patch goes. I have a 500/500 connection but do not come through the RB2011 router

null31 · Wed Apr 17, 2019 9:18 pm

Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures...

Connect your machine and router to an switch, then run netinstall with Wine as sudo and will work flawlessly.
I didn't had problems with netinstall on 3 mAP and all of them installed ROS on the first try with no fails.

I'm using wine 4.5 with staging patch.

EvgeniyV · Wed Apr 17, 2019 10:29 pm

I'm back to the future. Time bug in Interface - Last link time. See the attached picture.
My time zone GMT +3 , time update by cloud. Routerboard time (clock) is normal.
6.45beta22

mikrotik date bag.png

vikinggeek · Thu Apr 18, 2019 9:47 am

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.

@pcunite - Can you provide a pointer to how to obtain the certificate? Currently, Still need to have the AT&T Modem attached while booting, but thereafter running directly on the fiber via the OSP port (behind a Cienna 5000 series building concentrator)

palii · Thu Apr 18, 2019 11:51 am

The command ssh-exec with rsa key pairs works like a charm shutting down my Synology now. Thanks a million!

nostromog · Thu Apr 18, 2019 12:32 pm

Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures...
Connect your machine and router to an switch, then run netinstall with Wine as sudo and will work flawlessly.

I have no switch, I connected them straight, which gives perfect connection. Not sure if this could interfere with netinstall

I didn't had problems with netinstall on 3 mAP and all of them installed ROS on the first try with no fails.

I'm using wine 4.5 with staging patch.

I could not in a mAP Lite which I have as laboratory in several tries.

I used both wine-stable-3.0-1ubuntu1 and wine-development-3.6-1 on Ubuntu 18.04.2 LTS. I have not used windows in the last 15 years, so I might have made some mistake in either the windows stuff or how linux runs it.

I think the problems were due to being very tricky to handle connect power while hold-pushing the button for some time, with such small button, so close to the USB power, and my hand too big for such small piece.

emils · Thu Apr 18, 2019 1:32 pm

Version 6.45beta34 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta34 (2019-Apr-18 08:59):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcp - do not require lease and binding to have the same configuration for dual-stack queues;
*) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues;
*) dhcpv4-server - replaced "busy" lease status with "conflict" and "declined";
*) dhcpv6-client - fixed status update when leaving "bound" state;
*) dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS;
*) e-mail - include "message-id" identification field in e-mail header;
*) ike1 - fixed rekeying process when NAT is detected (introduced in v6.45beta16);
*) ospf - added support for link scope opaque LSAs (Type 9) for OSPFv2;
*) ospf - improved "unknown" LSA handling in OSPFv3;
*) supout - changed IPv6 pool section to output detailed print;
*) tr069-client - added LTE CQI and IMSI parameter support;
*) tr069-client - fixed potential memory corruption;
*) winbox - fixed crash when opening CAPsMAN menu (introduced in v6.45beta27);
*) wireless - fixed "country-info" printing (introduced in v6.45beta27);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

pcunite · Thu Apr 18, 2019 3:52 pm

dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
I hope I can use this to authenticate to AT&T fiber services directly. I'll need a certificate, but that's obtainable.

@pcunite - Can you provide a pointer to how to obtain the certificate? Currently, Still need to have the AT&T Modem attached while booting, but thereafter running directly on the fiber via the OSP port (behind a Cienna 5000 series building concentrator)

It is discussed here (and elsewhere) based on the findings of this blog.

kmansoft · Thu Apr 18, 2019 11:54 pm

Anyone seeing trouble with IPSec in 6.45beta34?

I received a new RB 4011 today - updated to 6.45beta34 right away - rebuilt my config (copy / pasted snippets from .asc file, piece by piece).

My IPSec tunnels come (GRE, cert auth) come up partially to "SA established" on the server - and then get "deleted" from the RB 4011 side. And it repeats like this, with policy stuck as "no phase 2".

Tried switching from ECDSA to RSA certificates (I have a script) - no difference.

Downgraded to 6.44.2 - after fixing "local address" in polices (required in 6.44, can be left as 0.0.0.0/0 in 6.45) - they got to "established" immediately.

Upgraded to 6.45beta34 again - broken again.

Should I send a support request with supout.rif?

PS - one of my two *idential* tunnels - I mean they use same CA, just different "remote" certs - got to "established" once or twice without my doing anything. But disabling / re-enabling the policy brought the problem back.

PPS - changed SA proposal from aes128-ctr to aes256-gcm and now both policies / peers are working, I can disable / re-enable.

But I had them at aes256-gcm initially! Changed back to aes128-ctr and working again!

Seems like there is something funny going on in 6.45-31 maybe with programming the cpu according to encryption settings (both aes-ctr and aes-gcm are HW accel on this device).

osc86 · Fri Apr 19, 2019 3:56 am

After ugrading from beta31 to beta34, none of the ipsec tunnels work. Reverted back to b31.

pawelkopec88 · Fri Apr 19, 2019 8:38 am

Anyone seeing trouble with IPSec in 6.45beta34?

I received a new RB 4011 today - updated to 6.45beta34 right away - rebuilt my config (copy / pasted snippets from .asc file, piece by piece).

My IPSec tunnels come (GRE, cert auth) come up partially to "SA established" on the server - and then get "deleted" from the RB 4011 side. And it repeats like this, with policy stuck as "no phase 2".

Tried switching from ECDSA to RSA certificates (I have a script) - no difference.

Downgraded to 6.44.2 - after fixing "local address" in polices (required in 6.44, can be left as 0.0.0.0/0 in 6.45) - they got to "established" immediately.

Upgraded to 6.45beta34 again - broken again.

Should I send a support request with supout.rif?

PS - one of my two *idential* tunnels - I mean they use same CA, just different "remote" certs - got to "established" once or twice without my doing anything. But disabling / re-enabling the policy brought the problem back.

PPS - changed SA proposal from aes128-ctr to aes256-gcm and now both policies / peers are working, I can disable / re-enable.

But I had them at aes256-gcm initially! Changed back to aes128-ctr and working again!

Seems like there is something funny going on in 6.45-31 maybe with programming the cpu according to encryption settings (both aes-ctr and aes-gcm are HW accel on this device).

I have same issue. But i have the ipsec static tunnels. GRE tunnel doesnt up. I have CCR1009 6.45beta34, the second site have is CCR1009 on 6.43.1. On IPsec peers I changed from IKE2 to main mode on both side. After that my GRE Tunnel going up.

pawelkopec88 · Fri Apr 19, 2019 8:40 am

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration:
Code: Select all
/ip ipsec peer
  add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
  add generate-policy=port-strict mode-config=RW-cfg my-id=\
    fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
After the upgrade, the CPU was 100%, most of it in ipsec, and / export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C it.

Same problem as before. The router was sluggish but I could select long-term and downgrade to 6.43.13.

Then the machine went up, but ssh was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I went in, re-ebabled it, rebooted and the following IPsec configuration appeared:
Code: Select all
/ip ipsec policy group
  add name=RoadWarrior
/ip pool
  add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
  add address-pool=vpn2 name=RW-cfg split-include=\
    192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
  add exchange-mode=ike2 passive=yes
/ip ipsec policy
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
    template=yes
  add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
    template=yes
  add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
I copied away the ipsec config, which was broken in any case, and tried an experiment: remove all ipsec config, piece by piece
until /ip ipsec export would produce an empty comment. Then I upgraded to get:
* 6.44.2 (100% CPU, could not get /ip ipsec export working)
* 6.45beta31 (same, 100% CPU, could not get /ip ipsec export working).

Is RouterOS keeping all configs hidden somethere, or where is this 100% CPU spinning coming from?

I settled by returning to long term and reconstructing my ipsec config, changing it to xauth and adding users. It is now working well... I was trying to test ike2,
but instead I'm now stuck in long-term.

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?

Thanks for any help, things are getting messy in this router. Other routers are having no problems at all with ipsec/6.44/6.54beta. I have a production h AP ac running 6.44, as I'm afraid to update it and get the same behaviour
Looks similar to the problem I had with 6.44. Bad news is, I had to netinstall to get rid of the broken parts, caused by the migration of configuration, when I up/down-graded the firmware.
viewtopic.php?f=21&t=145793&start=150#p719370

Change main mode frome IKE2 to main for example. Should be work. I think that on the newest beta IKE2 doesn't work

nescafe2002 · Fri Apr 19, 2019 8:43 am

Please create a supout.rif as soon as you realize something is wrong and send it - with description of what you expected versus what happened instead - to support with supout.rif.

This instruction is posted in every release note:

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

kmansoft · Fri Apr 19, 2019 8:55 am

Change main mode frome IKE2 to main for example. Should be work. I think that on the newest beta IKE2 doesn't work

I think changing IPSec settings (I tried crypto) makes it more likely to "estabilsh". But then it breaks again later (when the lifetime expires? happened while I was sleeping).

It's even funny - changing one tunnel's server settings from IKEv2 to v1 fixed both tunnels. Don't think it'll last though.

// RB 4011

kmansoft · Fri Apr 19, 2019 8:58 am

Change main mode frome IKE2 to main for example. Should be work. I think that on the newest beta IKE2 doesn't work
I think changing IPSec settings (I tried crypto) makes it more likely to "estabilsh". But then it breaks again later (when the lifetime expires? happened while I was sleeping).

It's even funny - changing one tunnel's server settings from IKEv2 to v1 fixed both tunnels. Don't think it'll last though.

// RB 4011

Could be related to:

*) ike1 - fixed rekeying process when NAT is detected (introduced in v6.45beta16);

Funny thing, re-keying (when I trigger it from the server using swanctl --rekey) does work. But I'm using IKEv2 and there is no NAT.

Mon Apr 22, 2019 9:05 am

After upgrade of CRS125 it stopped to be visible in a neigherhood and for WinBox.

CharliesTheMan · Mon Apr 22, 2019 6:52 pm

I just had a similar problem. When updating to 6.45beta34 from the previous beta version, I lost IP config, IP address changed to 0.0.0.0 and checking for package updates in winbox brought up a DNS error, "Could not resolve DNS host name" and trying to load web pages brought me the same results. I tried restoring known working config and did not resolve anything. After downgrading back to 6.44.2 everything worked perfect immediately. It's definitely something related to beta34 because on previous 6.45beta (Ibelieve it may have been beta27) everything worked great.

emils · Tue Apr 23, 2019 9:18 am

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.

kmansoft · Tue Apr 23, 2019 11:08 am

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.

emils - just to be clear about the bug's scenario:

My IPSec endpoints (Mikrotik client / strongSwan server) are not behind NATs. But they do use IKEv2 on port 4500.

Thank you.

emils · Tue Apr 23, 2019 11:24 am

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.

kmansoft · Tue Apr 23, 2019 1:37 pm

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.

I sent a bug report with supout on Friday, April 19, 2019 8:49 AM (Moscow time). Don't have the ticket # sorry.

Looks like you already managed - but if you still need something, hopefully you can find it, or you can contact me off forum.

DogHead · Thu Apr 25, 2019 4:49 pm

After upgrade to 6.45rc34 all ports in bridge disappeared. Cannot add them back as the system says they are still in a bridge. Will downgrade bac to rc31 which was working.

emils · Fri Apr 26, 2019 9:04 am

Version 6.45beta37 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta37 (2019-Apr-25 12:20):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
*) bridge - correctly add interface list as bridge port (introduced in v6.45beta34);
*) crs3xx - correctly handle switch reset (introduced in v6.45beta34);
*) ike2 - fixed first child SA generation (introduced in v6.45beta34);
*) ipsec - general improvements in policy handling;
*) lte - allow setting empty APN;
*) supout - added IPv6 ND section to supout file;
*) tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

kmansoft · Fri Apr 26, 2019 10:18 am

Version 6.45beta37 has been released.

*) ike2 - fixed first child SA generation (introduced in v6.45beta34);

Confirming - appears fixed ( RB 4011, AC ^ 2 ).

extremej · Fri Apr 26, 2019 2:50 pm

can you add EAP-MSCHAPv2 to the authentication method list?

branto · Mon Apr 29, 2019 4:19 am

Is there any word on when DHCPv6 Snooping will be available?

emils · Fri May 03, 2019 8:20 am

can you add EAP-MSCHAPv2 to the authentication method list?

Yes, it is coming as well.

msatter · Fri May 03, 2019 12:27 pm

can you add EAP-MSCHAPv2 to the authentication method list?
Yes, it is coming as well.

Does this means that Mikrotik can be removed from the not supported router list at NordVPN and is going to use ike2 to connect?

emils · Fri May 03, 2019 12:42 pm

Hopefully, yes.

emils · Thu May 09, 2019 2:06 pm

Version 6.45beta42 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta42 (2019-May-08 12:44):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) capsman - fixed interface-list usage in access list;
*) cloud - added "replace" parameter for backup "upload-file" command;
*) crs3xx - correctly handle switch reset (introduced in v6.45beta31);
*) defconf - added "custom-script" field that prints custom configuration installed by Netinstall;
*) defconf - automatically set "installation" parameter for outdoor devices;
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcpv4-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters (CLI only);
*) discovery - correctly create neighbors from VLAN tagged discovery messages;
*) discovery - show neighbors on actual mesh ports;
*) ethernet - increased loop warning threshold to 5 packets per second;
*) gps - make sure "direction" parameter is upper case;
*) gps - strip unnecessary trailing characters from "longtitude" and "latitude" values;
*) hotspot - moved "title" HTML tag after "meta" tags;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods (CLI only);
*) rb921 - improved system stability ("/system routerboard upgrade" required);
*) ssh - accept remote forwarding requests with empty hostnames;
*) ssh - improved remote forwarding handling (introduced in v6.44.3);
*) tr069-client - improved error reporting with incorrect firware upgrade XML file;
*) w60g - do not show unused "dmg" parameter;
*) w60g - show running frequency under "monitor" command;
*) winbox - show "LCD" menu only on boards that have LCD screen;
*) wireless - fixed frequency duplication in the frequency selection menu;
*) wireless - improved 160MHz channel width stability on rb4011;
*) wireless - improved installation mode selection for wireless outdoor equipment;
*) wireless - set default SSID and supplicant-identity the same as router's identity;
*) wireless - updated "china" regulatory domain information;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

buset1974 · Thu May 09, 2019 4:04 pm

when will you start to fix the problem with BGP and OSPF?

thx

Chupaka · Thu May 09, 2019 5:01 pm

the problem with BGP and OSPF?

One problem with both protocols? Are you sure?

osc86 · Thu May 09, 2019 5:54 pm

After upgrading from beta31 to beta34-42, all IKEv2 PSK ipsec tunnels don't come up, getting Authentication failed in the logs (yes, psk is the same on both sides, hasn't been changed).
Downgrading to beta31 again resolves the issue.

16:50:20 ipsec notify: AUTHENTICATION_FAILED
16:50:20 ipsec,error got fatal error: AUTHENTICATION_FAILED

emils · Fri May 10, 2019 9:34 am

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?

buset1974 · Fri May 10, 2019 9:59 am

the problem with BGP and OSPF?
One problem with both protocols? Are you sure?

still waiting, hope can fix soon in v6

osc86 · Fri May 10, 2019 5:58 pm

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?

Done. [Ticket#2019051022005463]

Chupaka · Fri May 10, 2019 6:46 pm

the problem with BGP and OSPF?
One problem with both protocols? Are you sure?
still waiting, hope can fix soon in v6

Waiting for what? A miracle?

anuser · Fri May 10, 2019 10:05 pm

Is there an ETA for a bugfix for 5 GHz problem mentioned on viewtopic.php?f=7&t=148263?

Ulypka · Sat May 11, 2019 12:07 am

I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
I started refusing from CCR wherever such an opportunity arises

And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it, which is even more important for you?
maybe another fix LCD?

even dlink's support is better.

mistry7 · Sat May 11, 2019 3:56 pm

which is even more important for you?
maybe another fix LCD?

no, KidControl.......

anthonws · Sat May 11, 2019 6:46 pm

I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
I started refusing from CCR wherever such an opportunity arises

And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it, which is even more important for you?
maybe another fix LCD?

even dlink's support is better.

A proper network admin likes watching graphs and stuff on an LCD

Much more important than stability. Want stability, buy a Nintendo Switch. Nintendo is expert in stability updates! ahahaha

And Kids control in CCR is something very important! How would you control all of your employees?!?

Ahhh.... The joys of visiting this forum

Priceless!

biatche · Sat May 11, 2019 11:18 pm

which is even more important for you?
maybe another fix LCD?

no, KidControl.......

I agree. KidControl needs major improvement, like the full removal of it.

kmansoft · Sun May 12, 2019 8:37 pm

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.

emils · Mon May 13, 2019 2:10 pm

Version 6.45beta45 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta45 (2019-May-13 09:22):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
----------------------

Changes in this release:

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
*) conntrack - significant stability and performance improvements;
*) dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server;
*) firewall - fixed fragmented packet processing when only RAW firewall is configured;
*) gps - fixed missing minus close to zero coordinates in dd format;
*) wireless - improved installation mode selection for wireless outdoor equipment;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

R1CH · Mon May 13, 2019 2:36 pm

conntrack - significant stability and performance improvements;

Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.

rzirzi · Mon May 13, 2019 2:39 pm

conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.

YES, We would like to know what exactly was changed?!

emils · Mon May 13, 2019 3:04 pm

There are no new features added with this conntrack fix as you are comparing to TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.

anuser · Mon May 13, 2019 4:04 pm

There are no new features added with this conntrack fix as you are comparing to TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.

What do you consider as large? How many connections are we talking about? 1000, 10000, 100000, 1000000?

Mon May 13, 2019 4:15 pm

It does not depend on specific number. You can consider large as 10k+

buset1974 · Mon May 13, 2019 5:26 pm

I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
I started refusing from CCR wherever such an opportunity arises

And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it, which is even more important for you?
maybe another fix LCD?

even dlink's support is better.
A proper network admin likes watching graphs and stuff on an LCD Much more important than stability. Want stability, buy a Nintendo Switch. Nintendo is expert in stability updates! ahahaha

And Kids control in CCR is something very important! How would you control all of your employees?!?

Ahhh.... The joys of visiting this forum Priceless!

Mikrotik must be aware that the product they have is not only a CPE, but they also have another advanced product with different purposed than CPE such as CCR, a quick fix on the underlying problem should be a priority without having to wait for version 7 which is never clear.

marcbou · Mon May 13, 2019 9:00 pm

Had CHR 6.45beta42 and now beta45 running under ESXi VM as VPN gateway ipsec IKEv2 EAP username auth (via freeradius 3.0 on Debian Buster) with Let's Encrypt Signed certificate + fullchain.

Works with road warrior iOS, MacOS, and Windows 10 (where due to buggy VPN control panel it was necessary to add using PowerShell Add-VpnConnection -Name “vpn.domain.com" -ServerAddress "vpn.domain.com" -AuthenticationMethod "Eap" -EncryptionLevel "Maximum" -RememberCredential -TunnelType “Ikev2") .

Not working with Android clients (using https://play.google.com/store/apps/deta ... an.android .

Any tips towards getting Android working would be appreciated.

Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hopefully it will get fixed in the betas.

Relevant config portions are:

# may/13/2019 13:29:01 by RouterOS 6.45beta45
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface ipip
add name=ipsec-vpn
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1w name=proposal_1
/ip ipsec peer
add exchange-mode=ike2 name=peer_vpn passive=yes profile=proposal_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,3des lifetime=2d pfs-group=none
/ip pool
add name=vpn-pool ranges=10.11.22.10-10.11.22.190
/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=ipsec-modecfg-nosplit
/system logging action
set 0 memory-lines=5000
/ip address
add address=132.200.10.24/28 interface=ether1 network=132.200.10.16
add address=10.11.22.1/24 interface=ipsec-vpn network=10.11.22.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.0.0/16 list=rfc1918-private
add address=10.0.0.0/8 list=rfc1918-private
add address=172.16.0.0/12 list=rfc1918-private
add address=10.11.22.0/24 list=myvpn
add address=10.0.0.0/8 list=onnet
add address=192.168.0.0/16 list=onnet
add address=172.16.0.0/12 list=onnet
add address=132.200.10.0/24 list=onnet
/ip firewall nat
add action=src-nat chain=srcnat comment="My VPN public IP" dst-address-list=\
!onnet out-interface=ether1 src-address=10.11.22.0/24 \
src-address-list=rfc1918-private to-addresses=132.200.10.24
/ip ipsec identity
add auth-method=eap-radius certificate=\
vpn.domain.com.pem_0,fullchain.pem_0 generate-policy=port-strict \
mode-config=ipsec-modecfg-nosplit peer=peer_vpn
/ip ipsec policy
set 0 dst-address=10.11.22.0/24 src-address=0.0.0.0/0
/ip route
add distance=1 gateway=132.200.10.17
/ip service
set www-ssl certificate=vpn.domain.com.pem_0 disabled=no port=443
/radius
add address=132.200.10.22 secret=\
blahblahblah
add address=132.200.10.17
/system logging
add action=remote topics=!async,!debug,!snmp,!dns
add action=echo disabled=yes topics=l2tp,ipsec,certificate
add disabled=yes topics=ipsec,!packet
/system package update
set channel=testing

ckleea · Tue May 14, 2019 1:10 am

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.

Similar issues encountered in my linux clients. When the network service restarts in linux, no ip address is assigned by routerOS DHCP server

emils · Tue May 14, 2019 7:36 am

Not working with Android clients (using https://play.google.com/store/apps/deta ... an.android .

Any tips towards getting Android working would be appreciated.

Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hopefully it will get fixed in the betas.

It would be better if you opened a new support ticket by sending an e-mail to support@mikrotik.com. Also please enable IPsec debug logs and generate a new supout.rif file each time the issue occurs (for example, an Android client failed to connect) and attach the file to the e-mail.

anuser · Tue May 14, 2019 8:11 am

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
Similar issues encountered in my linux clients. When the network service restarts in linux, no ip address is assigned by routerOS DHCP server

Have you already reported your findings to MikroTik support? (support@mikrotik.com)

mezzovide · Tue May 14, 2019 1:58 pm

*) conntrack - significant stability and performance improvements;

Is this have something to do with multiple IPsec peers sometimes getting stuck after reboot / after public IP changes?
Because i have problems with multiple WAN ipsec peers (same dst peer with different routes) with different local loopback addresses attached, sometimes one of the connection stuck (most probably when public ip changes, i have dynamic public ip. or after a reboot). disabling/enabling peer works, or manually kill connection on the conntrack also works.

msatter · Tue May 14, 2019 9:37 pm

Now mschapv2 is supported I tried to connect with IKEv2 to a VPN provider. This provider does not supply a certificate so I match on FQDN which is *.pointtoserver.com (the "*." needs to be there)

ip ipsec identity

add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 peer=PureIKEv2 remote-id=fqdn:*.pointtoserver.com username=purevpnxxxxxxxxxxx

I get the error in the log that the AUTH NOT MATCH, peer failed to authorize: xx.xx.xx.xx[4500]-xx.xx.xx.xx[4500] spi: xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxx, send notify: AUTHENTICICATION_FAILED

I have tested it in windows 10 and with the same name and password and I can connect through IKEv2.

emils · Wed May 15, 2019 9:45 am

msatter All EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible, that the CA certificate is already in the Trusted Windows Certificate store so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certificate is used on Windows and export it to RouterOS.

Also there is no wildcard support for remote-id fqdn field. I would suggest leaving the remote-id to auto.

mezzovide no, conntrack has nothing to do with it, however we have already fixes for your described issues in previous betas. Did you try the latest beta and can verify the issue is still present?

msatter · Wed May 15, 2019 11:20 am

Thanks Emils. It is PureVPN and using PossitiveSSL (pointoserver.com / ptoserver.com) and that is the root certificate of Comodo which I tried.

I contacted support and they don't provide a certificate to connect as NordVPN is doing. I will a look at the current certificates in the windows store to see if can find the matching one.

Update: the certificate line
OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=PointtoServer.com

Update 2:
Beside the Comodo root cert I just tried the add Trust External CA Root, also to no avail.

Update 3
Found the PossitiveSSL CA 2 cert but that did also not work.

I searched on and it looks to me that in windows the needed certificate is included by Microsoft in its own certificate.

https://crt.sh/?caid=1455

Microsoft Trusted Root programme
https://docs.microsoft.com/en-us/securi ... quirements

mezzovide · Wed May 15, 2019 5:17 pm

mezzovide no, conntrack has nothing to do with it, however we have already fixes for your described issues in previous betas. Did you try the latest beta and can verify the issue is still present?

Sure, I have some spare routers to do experiment with, will upgrade to beta tonight and see if it fixed my issues. Thanks.
Still need that to be fixed in production though, probably next year until 6.45 become long-term

msatter · Wed May 15, 2019 11:26 pm

I am a bit further and I needed two certificates to be in the certificates box.

https://blogger.davidmanouchehri.com/2017/09/

Now I get twice the error that the [b]peer's ID does not match certificate[/b] and the line above that reads in the log: unable to get certificate CRL(3) at depth:0 SubjectName:/OU=domain Control Validated/OU=positiveSSL Multi-Domain/CN=*.pointtoserver.com

When I look in the certificates the CRL line is blank.

emils · Thu May 16, 2019 10:48 am

Try setting the remote-id to ignore.

chubbs596 · Thu May 16, 2019 1:02 pm

Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html

vecernik87 · Thu May 16, 2019 1:28 pm

Since you can't run any sort of binary which could misuse this vulnerability on your RouterOS, this is not really concern.

nostromog · Thu May 16, 2019 2:40 pm

Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html

I think an accurate answer would be that RouterOS running on a x86 is not itself vulnerable, but the vulnerability could be exploited in the unlatched host or another VM to disclose RouterOS information.

Sent from my Redmi Note 5 using Tapatalk

chubbs596 · Thu May 16, 2019 5:57 pm

Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html
I think an accurate answer would be that RouterOS running on a x86 is not itself vulnerable, but the vulnerability could be exploited in the unlatched host or another VM to disclose RouterOS information.

Sent from my Redmi Note 5 using Tapatalk

So only if it is CHR and the VM HOST is not patched could the CHR be expoilted?

vecernik87 · Fri May 17, 2019 8:51 am

If we talk about bare metal, then RouterOS (x86) is vulnerable but there is practically no way to misuse the vulnerability because attacker can't run binary (and if attacker can run binary, it won't matter because your device is already compromised)

If we talk about VM, then RouterOS (CHR) vulnerability depends on its hypervisor which needs to be patched. Patching CHR wouldn't change anything because it does not control, how are processes assigned to cores.

In any case, nothing can be done from mikrotik's side

msatter · Fri May 17, 2019 11:11 am

Try setting the remote-id to ignore.

I tried that and it still complains that it can't get local certificate from configuration and it not a dealbreaker and it goes on till it processes payloads: NOTIFY and then I get the error that the notify is TS_UNACCEPTABLE and the next line it is a got error:TS_UNACCEPTABLE

In Ipsec Policy the Src. Addres stayed on 0.0.0.0/0 to I put in IPsec Peer, my external IP address.

Update: I have started again and I have now mangaged to have an established connection. I have to manually enter the TS_I which is not automatically matched/taken over by RouterOS.

In Ipsec Policy I have to manually add the source address: 10.4.33.22 for that specific IKEv2 connection.

Update: I have it now working and writing this with a IKEv2 connection through PureVPN. I have still to adapt the manually generated Ipsec Policy and it a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several time going round and round the Src. Address match and the tunnel is made.
I can see the success when I get in the log get my IP and the two DNS IP addresses show and the tunnel is connected.

I hope that we also get a client in PPP for this because then we can run script to put the received IP into the NAT to make routing easy.

Update...again: so I finally discovered that I could use "template" to fix the TC_UNEXPECTED error and that works fine. The only problem is that the IP changes regular and that I have to adapt the SRC-NAT IP manually. I am route-marking the packets I want to through the IKEv2 connection (split horizon)

I could try to just put an IP address in or use my DNS to steady the changes.

josep · Sat May 18, 2019 9:25 pm

Very good news about EAP support in IKEv2, please, we need EAP-AKA and EAP-AKA', with this, all Mikrotik routers can be used as basic ePDG, for a non-3GPP Access Networks. Next steps are GTP-U Tunneling support, but with EAP-AKA is good starting.

More info:

https://www.gsma.com/newsroom/wp-conten ... 1-v7.0.pdf
http://www.3gpp.org/ftp//Specs/archive/ ... 02-f10.zip

Tw0kings · Sun May 19, 2019 9:12 pm

Im using BCP over L2TP. With latest beta builds it doesnt work. Didn´t have time to test what exactly doesnt work. Looks like DHCP over BCP, but maybe there is more.
In stable release all is working as it should.