v7.1beta2 [development] is released!

emils · Fri Aug 21, 2020 2:00 pm

RouterOS version 7.1beta2 has been released in public "development" channel!

What's new in 7.1beta2 (2020-Aug-21 12:29):

!) added "bgp-network" output filter flag;
!) added bonding interface support for Layer3 hardware offloading;
!) added IPv6 nexthop support for IPv4 routes;
!) added Layer3 hardware offloading support for CRS309-1G-8S+IN, CRS312-4C+8XG-RM and CRS326-24S+2Q+RM;
!) added WireGuard support;
*) disk - improved external disk read/write speeds;
*) ospf - fixed point to point routes becoming inactive;
*) route - fixed source address selection of outgoing packets;
*) other minor fixes and improvements;

All released RouterOS v7 changelogs are available here:
https://mikrotik.com/download/changelog ... lease-tree

How to report RouterOS v7 bugs:
viewtopic.php?f=1&t=152006

Kindis · Fri Aug 21, 2020 2:07 pm

This level 3 offloading looks very interesting. Do we have any numbers to show what it can mean as this has the potential to put emphasis on the R in CRS :-)

santyx32 · Fri Aug 21, 2020 2:15 pm

Finally Wireguard

mafiosa · Fri Aug 21, 2020 2:36 pm

RouterOS version 7.1beta2 has been released in public "development" channel!

What's new in 7.1beta2 (2020-Aug-21 12:29):

!) added "bgp-network" output filter flag;
!) added bonding interface support for Layer3 hardware offloading;
!) added IPv6 nexthop support for IPv4 routes;
!) added Layer3 hardware offloading support for CRS309-1G-8S+IN, CRS312-4C+8XG-RM, CRS326-24S+2Q+RM and CRS354-48G-4S+2Q+RM;
!) added WireGuard support;
*) disk - improved external disk read/write speeds;
*) ospf - fixed point to point routes becoming inactive;
*) route - fixed source address selection of outgoing packets;
*) other minor fixes and improvements;

All released RouterOS v7 changelogs are available here:
https://mikrotik.com/download/changelog ... lease-tree

How to report RouterOS v7 bugs:
viewtopic.php?f=1&t=152006

Good to see ospf issue to be resolved. Also wireguard is a much awaited feature. Thanks!

leoktv · Fri Aug 21, 2020 2:40 pm

Any update in the v7 Routing Protocol Status?

Paternot · Fri Aug 21, 2020 2:49 pm

This level 3 offloading looks very interesting. Do we have any numbers to show what it can mean as this has the potential to put emphasis on the R in CRS :-)

It does routing at wirespeed, in all ports. There are several constraints, and a limit of 4096 connections, if I'm not wrong. But in some use cases it will be a killing feature.

pe1chl · Fri Aug 21, 2020 2:55 pm

Observations (not really new for this build but maybe off the radar):
- when a static route is disabled, it disappears from the listing entirely, as if it has been deleted. when the window is closed/reopened, it appears again in greyed-out status.
- the BGP functionality still exists only in CLI and not in winbox. I would have hoped (or maybe this is the time to do that!) that all GUI info is derived from a common set of tables that is shared by all the user interfaces, so the work does not have to be done 3 times...
- when I close the Log window and re-open it, winbox completely hangs.

null31 · Fri Aug 21, 2020 3:07 pm

WireGuard implementation was done like MikroTik did to OpenVPN or kept as is in Linux 5.6?
Thank you.

mrshark · Fri Aug 21, 2020 3:09 pm

any hint on how to flash this on a HAP MINI? On previous beta, it said internal storage is not enough to upgrade... it's a brand new model, factory reset... maybe because of beta and so build not optimized yet? Will it ever be a version for low storage devices?

thanks in advance

null31 · Fri Aug 21, 2020 3:13 pm

any hint on how to flash this on a HAP MINI?
thanks in advance

Use NetInstall to flash hAP Mini.

ludvik · Fri Aug 21, 2020 3:14 pm

winbox 3.24 64bit on win7, rb450gx4. Open interfaces, add Virtual ethernet. Winbox closed.

Quasar · Fri Aug 21, 2020 3:26 pm

WireGuard implementation was done like MikroTik did to OpenVPN or kept as is in Linux 5.6?
Thank you.

It's Wireguard v1.0.0 proper (as shipped with v5.6).

Note for whoever wants to give it a spin: you need to use the cli to set the peer endpoint - Winbox doesn't allow you to set the port (it will default to 0).

Cha0s · Fri Aug 21, 2020 3:42 pm

!) added WireGuard support;

Gave it a try on a hEX (RB750Gr3) and it worked out of the box!

The performance was capped at around 100mbit though. Maybe the hEX is not powerful enough.
More tests are warranted :)

mozerd · Fri Aug 21, 2020 3:43 pm

This level 3 offloading looks very interesting. Do we have any numbers to show what it can mean as this has the potential to put emphasis on the R in CRS :-)
It does routing at wirespeed, in all ports. There are several constraints, and a limit of 4096 connections, if I'm not wrong. But in some use cases it will be a killing feature.

@Paternot
I 4 1 do NOT believe that It will do routing at wire-speed ... why I do not believe that .... because for L3 wire-speed requires an ASIC and non of the hardware specs I see have that L3 ASIC in the gear. Yes there will be an improvement in performance but nowhere near wire-speed.

Fri Aug 21, 2020 3:54 pm

@Paternot
I 4 1 do NOT believe that It will do routing at wire-speed ... why I do not believe that .... because for L3 wire-speed requires an ASIC and non of the hardware specs I see have that L3 ASIC in the gear. Yes there will be an improvement in performance but nowhere near wire-speed.

https://i.mt.lv/cdn/product_files/CRS32 ... 200149.png
Are you sure that mention switchip doesn't have that feature?

msatter · Fri Aug 21, 2020 3:55 pm

Just tried this version and had to go back to 6.4x.

Bug [SUP-15464] which is partly fixed in 6.4x is still present in 7.1x (retain correct MTU PPPoE through a SFP on a 4011) restarting the SFP does not help.

Changing the MTU manually on a interface crashes the router (tested it on a 4011 and 750-Gr2) remark, MTU set in the configuration by a 6.4x seems to be honored

In routing I noticed something different on the route for the gateway PPPoE connection, the first was 0.0.0.0/0 but that a label DAv instead of DAS (v from VPN) and I have IKEv2 defined but not all traffic has to go through a tunnel. I assume this "v" indicates that the IKEv2 tunnels are terminated on the PPPoE.

I did upgrade my firmware to 7.1x but to no avail. And I first downgraded to 6.47.2 before upgrading to the 7.1beta2

mbovenka · Fri Aug 21, 2020 4:09 pm

I 4 1 do NOT believe that It will do routing at wire-speed ... why I do not believe that .... because for L3 wire-speed requires an ASIC and non of the hardware specs I see have that L3 ASIC in the gear. Yes there will be an improvement in performance but nowhere near wire-speed.

What do you think the, let's say 98DX8208 chip in the CRS309 is? It's a switching ASIC that has lots of functionality built in, L3 forwarding among them. MT simply didn't implement it up to now.

DarkNate · Fri Aug 21, 2020 4:17 pm

WireGuard Support! Finally! About time!

honzam · Fri Aug 21, 2020 4:32 pm

Any update in wireless?

mozerd · Fri Aug 21, 2020 4:33 pm

https://i.mt.lv/cdn/product_files/CRS32 ... 200149.png
Are you sure that mention switchip doesn't have that feature?

@macgaiver
I am not familiar with that specific switch chip so I am in part writing out of ignorance of that specific chip.

I am familiar with how CISCO does in on their MLS devices. Typically for wire-speed routing in the Cisco Switch world Cisco requires three entities to implement multilayer switching: the switching engine (SE), the route processor (RP), and the MLS protocol. The SE performs the switching function, the RP performs the routing function, and the MLS protocol provides for communication between these two devices. This aside, there is one very simple concept that makes it all possible: the flow. A flow can be defined as a stream of packets from the same source to the same destination using the same application. As an example, a flow could be an HTTP session between a source browser and a target server. In a Cisco MLS network, the initial packet in a session is routed via the RP, but all subsequent packets in that particular session are switched by the SE. The SE maintains a cache about these flows and can determine whether or not a given packet is part of an established session. If so, the SE rewrites the pertinent packet info as if it had been processed by the router and then switches the packet. This process is commonly referred to as “route once, switch many.” It occurs at switch speed, not at the slower router speed.

So in terms of MikroTik and RouterOS I do not see ANY functionality that mimics or deals with wire-speed Routing at the switch level.

reddin · Fri Aug 21, 2020 4:38 pm

Hello!
Just upgraded to v7.1b2 and spotted a few issues:
First and most important is routing marks don't work
The second one is about wireguard. Why I can't specify the port number for peer? Is it intended or a bug as well?

mrshark · Fri Aug 21, 2020 4:55 pm

any hint on how to flash this on a HAP MINI?
thanks in advance
Use NetInstall to flash hAP Mini.

not able to put device in netboot mode in any way tried... short, direct cable from pc eth to eth2, i add this command:
/system routerboard settings set boot-device=try-ethernet-once-then-nand
then unplug power and eth, move eth to eth1 port, replug power, it never appears in netinstall...

left eth cable in eth1, unplug power, keep pressed reset for more than 2 minutes, nothing, never appeared in netinstall...
again, unplugged power, keep pressed reset, replug power, left reset after lights went off, nothing again...

windows firewall disabled, av disabled, ip pc 192.168.88.2/24-->.1, ip netboot 192.168.88.3...

mrshark · Fri Aug 21, 2020 4:57 pm

The second one is about wireguard. Why I can't specify the port number for peer? Is it intended or a bug as well?

in comments above is said to use cli for now, probably winbox is not yet updated to include gui for wireguard

cxcool · Fri Aug 21, 2020 5:03 pm

Wireguard endpoint port need to be fix in winbox .
there is no way to enter IP:port in winbox
CLI OK

reddin · Fri Aug 21, 2020 5:04 pm

The second one is about wireguard. Why I can't specify the port number for peer? Is it intended or a bug as well?
in comments above is said to use cli for now, probably winbox is not yet updated to include gui for wireguard

Yeah, it works via cli, thanks.

Cha0s · Fri Aug 21, 2020 5:14 pm

So in terms of MikroTik and RouterOS I do not see ANY functionality that mimics or deals with wire-speed Routing at the switch level.

L3 offloading happens on the switch chip.
That's why it's called "L3 offloading". They offload the routing functionality from the CPU, to the switch chip, thus achieving wirespeed.

The switch chips used in those RB models (which are ASICs basically) do support L3 routing at wirespeed as per Marvell's datasheet.
The hardware support was already there, but MikroTik just started supporting it on ROS.

null31 · Fri Aug 21, 2020 5:14 pm

not able to put device in netboot mode in any way tried... short, direct cable from pc eth to eth2

@mrshark
You need to use a switch between pc and router. Direct connection is prone to fail, since you have a change on link state.
So, the netinstall "become" slow to detect the router.
Also, typically ether1 is used by netboot, except if is identified another port for that role.

mozerd · Fri Aug 21, 2020 5:23 pm

The switch chips used in those RB models (which are ASICs basically) do support L3 routing at wirespeed as per Marvell's datasheet.
The hardware support was already there, but MikroTik just started supporting it on ROS.

@Cha0s
Do you have a link to the Marvell's datasheet.for the Chjp referred to please?

Cha0s · Fri Aug 21, 2020 5:27 pm

I don't have it at hand, but I remember someone had posted it in the forum a while ago.

mozerd · Fri Aug 21, 2020 5:44 pm

I don't have it at hand, but I remember someone had posted it in the forum a while ago.

OK thanks .... I found the following that looks very interesting and exciting for MikroTik users :-)
Marvell PRESTERA 98DX83xx Family

In reading the specs I do not see L3 wire-speed benefits.

Paternot · Fri Aug 21, 2020 6:02 pm

This level 3 offloading looks very interesting. Do we have any numbers to show what it can mean as this has the potential to put emphasis on the R in CRS :-)
It does routing at wirespeed, in all ports. There are several constraints, and a limit of 4096 connections, if I'm not wrong. But in some use cases it will be a killing feature.
@Paternot
I 4 1 do NOT believe that It will do routing at wire-speed ... why I do not believe that .... because for L3 wire-speed requires an ASIC and non of the hardware specs I see have that L3 ASIC in the gear. Yes there will be an improvement in performance but nowhere near wire-speed.

Well, the switch chipset has the circuitry. If they will implement it all they way is another question. But the hardware is already there.

pe1chl · Fri Aug 21, 2020 6:18 pm

There is no need to question the possibility of doing L3 routing on a switch, there have been competing switches from other companies that do wirespeed routing for a long time.
It must be like 20 years ago when I got my first 3com L3 switch and was amazed at how it could route so fast, for that price, when compared to Cisco routers of the day (3640 etc).
And indeed, it normally works as described: the first packet for a src/dst ip pair is handled by the CPU, then an item is programmed in the switch that forwards the remainder of the traffic.
Just like it is done for L2 switching (where a MAC table is kept in the switch hardware to know where to forward the traffic.

poisons · Fri Aug 21, 2020 6:40 pm

Wireguard support cool thing, but where is an instruction how to use it?

mistry7 · Fri Aug 21, 2020 6:41 pm

Any update in wireless?

Still waiting for something?

eworm · Fri Aug 21, 2020 6:50 pm

Wireguard support cool thing, but where is an instruction how to use it?

Configuring wireguard is pretty straight forward. Just look at the options available.

ksteink · Fri Aug 21, 2020 7:02 pm

Very nice features!!! love them so far and keep going!!

Any time frame to move off development phase and make it ready for production / stable?

mducharme · Fri Aug 21, 2020 7:34 pm

IPv6 BGP is working now! Thanks MikroTik!

mducharme · Fri Aug 21, 2020 7:53 pm

Any time frame to move off development phase and make it ready for production / stable?

They still have to implement MPLS - I think that is the one major feature still missing from the current beta. Otherwise, there are probably many small fixes needed here and there.

Jotne · Fri Aug 21, 2020 8:22 pm

any hint on how to flash this on a HAP MINI? On previous beta, it said internal storage is not enough to upgrade... it's a brand new model, factory

Do a search on this forum and you find many answer. Netinstall is one way. You can also downgrade to an older version that is much smaller, like some 6.44.x version, then upgrade to latest.

IPAsupport · Fri Aug 21, 2020 8:28 pm

Any time frame to move off development phase and make it ready for production / stable?
They still have to implement MPLS - I think that is the one major feature still missing from the current beta. Otherwise, there are probably many small fixes needed here and there.

Totally agree! I will love to see MPLS implemented

metricmoose · Fri Aug 21, 2020 9:08 pm

Wireguard is working well, except for that minor winbox issue with the endpoint port. With how easy it was to setup, I totally get the Wireguard hype now. IPSEC has a frustrating amount of knobs to turn.

Between a couple hAP ac² routers, I was getting about 280 Mbps UDP. When I changed out one of those hAP ac² routers with an older RB951G-2HnD, I was getting about 75 Mbps. That's probably better than I'd get out of IPSEC on the same device!

rooted · Fri Aug 21, 2020 9:35 pm

Wireguard is included in the beta, that's awesome. Thank you to all the devs for the addition, looking forward to setting it up then I get home.

mducharme · Fri Aug 21, 2020 10:30 pm

P.S. One thing I would really like to see in the new RouterOS v7 MPLS implementation is MPLS mangle for QoS purposes - specifically, "mark packet" and "set priority" actions for MPLS. Right now to do MPLS QoS on RouterOS we have to create a bunch of extra bridges and use bridge filters for QoS. A simple MPLS mangle table would allow us to get rid of those extra bridges.

Also, please add "set priority" to the IPv6 Mangle. We have to use bridge filters as a workaround for that too at the moment.

IPAsupport · Fri Aug 21, 2020 11:32 pm

This level 3 offloading looks very interesting. Do we have any numbers to show what it can mean as this has the potential to put emphasis on the R in CRS :-)

Here is the preliminary testing we have done on this version with two CHRs on ProxMox that are each on a different VLAN and the CRS317 routes between the VLANs

This is very quick UDP test - we will do more work using TCP with traffic generator and iperf3

4 to 5 Gbps with UDP and 0 to 3% CPU load

anuser · Fri Aug 21, 2020 11:39 pm

Any update in wireless?
Still waiting for something?

We are waiting for the usual stuff:
1. airtime fairness improvvements (http://blog.cerowrt.org/post/real_results/, https://forum.openwrt.org/t/aql-and-the ... vely/59002)
2. MU-MIMO
3. 802.11 k/v/r
...

anuser · Fri Aug 21, 2020 11:43 pm

There is no need to question the possibility of doing L3 routing on a switch, there have been competing switches from other companies that do wirespeed routing for a long time.

3Com 4800G switch from 2009 is my bread and butter switch: IS-IS, BGP, OSPF, VRF; PIM-SSM all running with full IPv4 and IPv6 support.

santyx32 · Sat Aug 22, 2020 1:23 am

Any update in wireless?
Still waiting for something?
We are waiting for the usual stuff:
1. airtime fairness improvvements (http://blog.cerowrt.org/post/real_results/, https://forum.openwrt.org/t/aql-and-the ... vely/59002)
2. MU-MIMO
3. 802.11 k/v/r
...

For sure we'll get those features on ROS just wait till WiFi 7 gets announced xD

sfrode · Sat Aug 22, 2020 2:27 am

This level 3 offloading looks very interesting. Do we have any numbers to show what it can mean as this has the potential to put emphasis on the R in CRS :-)

I have no problem pushing ~9.3Gbit/s IPv4 in a single thread using iperf3 between two hosts routed on the CRS317 with L3 offloading enabled. IPv6 is, as expected, another story - it gives me ~370Mbit/s.

UpRunTech · Sat Aug 22, 2020 3:35 am

WireGuard implementation was done like MikroTik did to OpenVPN or kept as is in Linux 5.6?
Thank you.

You'd be a fool to reimplement it yourself. Have a look at the Wireguard site and code and see for yourself how carefully it's been developed. Mikrotik would/might have only done some interface changes to make it work the ROS way.

reddin · Sat Aug 22, 2020 3:48 am

Can't add key in wireguard via cli with "=" at the end. But can add it later via edit and can add it via gui.

killersoft · Sat Aug 22, 2020 4:11 am

I still cannot get MACSEC running between devices("Gets to negotiating only").
Any suggestions ?

/interface macsec
add cak=4cb39ed149d0e0dbea5fad4b91e5456f ckn=f98446584e49ad9e2cd99b2aff00adb73e0b4109eb916b8d5bbe208dda274abb \
    disabled=no interface=ether5 name=macsec1 profile=default

[admin@under desk] /interface/macsec> print
Flags: I - inactive, X - disabled, R - running 
 0   name="macsec1" interface=ether5 status="negotiating" cak=4cb39ed149d0e0dbea5fad4b91e5456f 
     ckn=f98446584e49ad9e2cd99b2aff00adb73e0b4109eb916b8d5bbe208dda274abb profile=default 
[admin@under desk] /interface/macsec>

nathan1 · Sat Aug 22, 2020 4:38 am

OpenVPN UDP still broken in this release. :(
For anyone else wondering, 7.0beta5 is the latest version that has OpenVPN UDP working. 7.1beta1 and and 7.1beta2 both have kernel crashes when you attempt to use it.

I reported it to Mikrotik and it has been acknowledged but it seemingly did not make it into this release.

nescafe2002 · Sat Aug 22, 2020 10:11 am

Can't add key in wireguard via cli with "=" at the end. But can add it later via edit and can add it via gui.

Put the key value between quotes, you may find the correct syntax using the export command.

[admin@MikroTik] /interface/wireguard> add private-key="EMjwk8mpDylWKGU0c/z9TR1e5u1D75OUz2jsv3lZu3k="
[admin@MikroTik] /interface/wireguard> peers/
[admin@MikroTik] /interface/wireguard/peers> add allowed-address=10.20.30.40 public-key="ObVREVOUlpRvqPxshivdYGiirVhb/U/dt1T7rQE2WFk=" interface=wireguard1

[admin@MikroTik] /interface/wireguard/peers> export 
# aug/22/2020 09:10:46 by RouterOS 7.1beta2
/interface wireguard peers
add allowed-address=10.20.30.40/32 interface=wireguard1 public-key="ObVREVOUlpRvqPxshivdYGiirVhb/U/dt1T7rQE2WFk="

Chupaka · Sat Aug 22, 2020 1:03 pm

By the way, there's no "export" command under new /routing menus :(

Chupaka · Sat Aug 22, 2020 1:21 pm

I tried to setup point-to-point OSPF via SSTP tunnel, and in /routing/route/print I see duplicated routes without gateway. WAIDW?

Flags: I - INACTIVE, U - UNREACHABLE, A - ACTIVE; c - CONNECT, o - OSPF, d - DHCP, l - LDP-MAPPING
Columns: DST-ADDRESS, GATEWAY, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
      DST-ADDRESS               GATEWAY         DIS  SC  TA  IMMEDIATE-GW   
  Ad  0.0.0.0/0                 10.0.0.1          1  30  10  10.0.0.1%ether1
  Io  10.0.0.0/23                               110  20  10                 
  Ao  10.0.0.0/23               sstp-odesskaya  110  20  10  sstp-odesskaya 
  Ac  10.0.0.0/24               ether1            0  10      ether1         
  Io  10.52.56.0/24                             110  20  10                 
  Ao  10.52.56.0/24             sstp-odesskaya  110  20  10  sstp-odesskaya 
  Io  100.64.0.0                                110  20  10                 
  Ao  100.64.0.0                sstp-odesskaya  110  20  10  sstp-odesskaya 
  Io  100.64.0.1                                110  20  10                 
  Ao  100.64.0.1                sstp-odesskaya  110  20  10  sstp-odesskaya 
  Io  100.64.0.2                                110  20  10                 
  Ao  100.64.0.2                sstp-odesskaya  110  20  10  sstp-odesskaya 
  Io  100.64.0.3                                110  20  10                 
   o  100.64.0.3                sstp-odesskaya  110  20  10  sstp-odesskaya 
  Ac  100.64.0.3                sstp-odesskaya    0  10      sstp-odesskaya 
  Io  100.64.0.4                                110  20  10                 
  Ao  100.64.0.4                sstp-odesskaya  110  20  10  sstp-odesskaya 
  Io  100.64.0.5                                110  20  10                 
  Ao  100.64.0.5                sstp-odesskaya  110  20  10  sstp-odesskaya 
  Io  100.64.0.6                                110  20  10                 
  Io  100.64.1.0/24                             110  20  10                 
  Ao  100.64.1.0/24             sstp-odesskaya  110  20  10  sstp-odesskaya 
  Io  100.64.3.0/24                             110  20  10                 
  Ao  100.64.3.0/24             sstp-odesskaya  110  20  10  sstp-odesskaya 
  Io  100.64.6.0/24                             110  20  10                 
  Ao  100.64.6.0/24             sstp-odesskaya  110  20  10  sstp-odesskaya

The config is the simplest one:

/routing ospf instance
add name=ospf_v2 router-id=100.64.0.7 version=2
/routing ospf area
add area-id=0.0.0.0 instance=ospf_v2 name=backbone_v2
/routing ospf interface
add area=backbone_v2 network=sstp-odesskaya network-type=point-to-point

danbit · Sat Aug 22, 2020 2:12 pm

Is there any examples on how to configure wireguard as client on mikrotik? I'd like to connect my mikrotik router to an existing wireguard server. Also, while setting up the peer endpoint, only IP addresses are allowed? Can't I use a domain name?

Thanks!

pe1chl · Sat Aug 22, 2020 2:13 pm

Wireguard is working well, except for that minor winbox issue with the endpoint port. With how easy it was to setup, I totally get the Wireguard hype now. IPSEC has a frustrating amount of knobs to turn.

When you don't like that, just don't turn the knobs!
It is always easy (at least at first) to create something as a single supplier and focus on a single use-case, and make it look simple. Look at Microsoft Windows.
But as more and more features are added (e.g. multiple different encryption methods, as in IPsec), it becomes more complicated over time.
See how it went with OpenVPN, that was also simple at first but got more complicated on the way, especially because there was little forethought on how to accomodate future flexibility in the initial protocol.
IMHO the same will happen with wireguard.
In IPsec it happened right from the start because lots of options for lots of selections were there all the time. But without that, it would have been even more difficult to introduce stronger encryption and hashing protocols, for example.

Paternot · Sat Aug 22, 2020 3:20 pm

One thing that need to be done is to allow Wireguard to use FQDN instead of just IP addresses. For two reasons, basically:

1) Not everyone have a static IP
2) With IPv6, DNS names will make a huge difference. So much easier to remember and to check the spelling...

Yes, yes, I know. Wireguard doesn't do FQDNs. It doesn't matter: just put the name on the configuration, and do a DNS lookup at connection time. Exactly like we have with IPSEC today.

comet48 · Sat Aug 22, 2020 6:10 pm

So announcement says CRS309-1G-8S+IN, CRS312-4C+8XG-RM, CRS326-24S+2Q+RM and CRS354-48G-4S+2Q+RM for L3 offload but CRS317 mentioned above as working.

I have CRS326-24G-2S+ (arm). Will it take advantage of L3 offloading? If so, what else will?

xvo · Sat Aug 22, 2020 7:27 pm

For CRS317 it was added earlier.

amirali · Sat Aug 22, 2020 8:03 pm

hi
please help about wg config
i setup peer and wg interface but cant get any traffic throw the tunnel

[admin@MikroTik] /interface/wireguard> export
# aug/22/2020 21:33:34 by RouterOS 7.1beta2
# software id = xxxx-xxxx
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = xxxxxxxxxxxxx
/interface wireguard
add listen-port=53 mtu=1420 name=wireguard private-key=\
    "private_key"
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint=185.253.xx.x:53 interface=wireguard \
    preshared-key="preshared key" public-key=\
    "pub_key"

parham · Sat Aug 22, 2020 8:13 pm

RouterOS version 7.1beta2 has been released in public "development" channel!

What's new in 7.1beta2 (2020-Aug-21 12:29):

!) added "bgp-network" output filter flag;
!) added bonding interface support for Layer3 hardware offloading;
!) added IPv6 nexthop support for IPv4 routes;
!) added Layer3 hardware offloading support for CRS309-1G-8S+IN, CRS312-4C+8XG-RM, CRS326-24S+2Q+RM and CRS354-48G-4S+2Q+RM;
!) added WireGuard support;
*) disk - improved external disk read/write speeds;
*) ospf - fixed point to point routes becoming inactive;
*) route - fixed source address selection of outgoing packets;
*) other minor fixes and improvements;

All released RouterOS v7 changelogs are available here:
https://mikrotik.com/download/changelog ... lease-tree

How to report RouterOS v7 bugs:
viewtopic.php?f=1&t=152006

WOW, fantastic job, RouterOS getting better and better, thanks, we just need letsencrypt integrated to RouterOS.

mozerd · Sat Aug 22, 2020 8:42 pm

But as more and more features are added (e.g. multiple different encryption methods, as in IPsec), it becomes more complicated over time.
See how it went with OpenVPN, that was also simple at first but got more complicated on the way, especially because there was little forethought on how to accomodate future flexibility in the initial protocol.
IMHO the same will happen with wireguard.

i absolutely disagree with you @pe1chl
https://www.wireguard.com/#conceptual-overview
“ WireGuard securely encapsulates IP packets over UDP. You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it. All issues of key distribution and pushed configurations are out of scope of WireGuard; these are issues much better left for other layers, lest we end up with the bloat of IKE or OpenVPN. In contrast, it more mimics the model of SSH and Mosh; both parties have each other's public keys, and then they're simply able to begin exchanging packets through the interface.”

floaty · Sat Aug 22, 2020 8:43 pm

L3-offloading is a broad topic ... the prestera-chip also supports "NVGRE, VXLAN-GPE, GENEVE, SPB, and 802.1BR port extender"
... is vxlan-tunneling now also implemented with hardware-flow-support ... or we talking just base L3-forwarding capabilities ( ... for now) ?

FezzFest · Sat Aug 22, 2020 9:03 pm

Both Sierra MC7430 and Quectel EC25 work in MBIM mode in ROS7. Big difference with 6.47.x, as the MC7430 was only supported in PPP mode and the EC25 was supported in PPP and ECM modes. I do notice the amount of information the cards report is different. The MC7430 only reports RSSI, whereas the Quectel cards report RSSI, RSRP, SINR and RSRQ.

EC25AU.PNG

MC7430.PNG

Edit: I noticed the APN doesn't get set up properly on EC25. I can make it work with AT+CGDCONT=1,"IP","apn-name". This was not needed in 6.47.

BrokenLink · Sun Aug 23, 2020 11:46 am

hi
please help about wg config
i setup peer and wg interface but cant get any traffic throw the tunnel

[admin@MikroTik] /interface/wireguard> export
# aug/22/2020 21:33:34 by RouterOS 7.1beta2
# software id = xxxx-xxxx
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = xxxxxxxxxxxxx
/interface wireguard
add listen-port=53 mtu=1420 name=wireguard private-key=\
    "private_key"
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint=185.253.xx.x:53 interface=wireguard \
    preshared-key="preshared key" public-key=\
    "pub_key"

I have the same issue, I think firewall rules are not setup correctly (although I accept traffic on the listening port and forward to/from the interface), it doesn't seem to flow. The tunnel sets up correctly and the client routes to the WG server, but I can't figure out how to correctly set it up so that traffic is routed back correctly. Does anyone have a complete example including firewall rules where how to connect a roaming client to the WG server such that all (internet) traffic is routed through the MikroTik WG system?

pe1chl · Sun Aug 23, 2020 2:38 pm

“ WireGuard securely encapsulates IP packets over UDP. You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it. All issues of key distribution and pushed configurations are out of scope of WireGuard; these are issues much better left for other layers, lest we end up with the bloat of IKE or OpenVPN. In contrast, it more mimics the model of SSH and Mosh; both parties have each other's public keys, and then they're simply able to begin exchanging packets through the interface.”

When you restrict yourself to site-to-site tunnels between equipment running the same software, IPsec is not complicated either. E.g. a GRE/IPsec tunnel using pre-shared keys between two MikroTik routers can be configured with a couple of mouseclicks.
It becomes more complicated when you want more advanced functionality, like auto-config road warrior clients, certificates, etc. Simply declaring that "out of scope" is like burying your head in the sand; that is not going to be sustainable. Like with OpenVPN, the demand for those features will sooner or later lead to additions to wireguard, and by then it (including its new layer of additions) will be as "complicated" as OpenVPN.
Sure, IPsec can be frustrating. But only when dealing with unknown and uncontrollable peers that inconsistently publish their config. Between routers of the same manufacturer that you both control, it isn't a problem.
And with wireguard that is (for now) essentially what you have: the same software at either end.
Once the protocol develops and diverts between implementations, that will no longer be the case.

Znevna · Sun Aug 23, 2020 3:05 pm

So.. little broblem.
I've upgraded from 6.46.6 to 7.1beta2 directly (I know, bad) ...and this happend with my static routes. I made an export before and after the upgrade to see what changed.
I get the missing gateway, but the IP in pref-src? (and only there?) why?
before:

/ip route
add distance=1 dst-address=172.28.248.0/24 gateway=ipip-tunnel-z3 pref-src=\
    192.168.69.1
add distance=1 dst-address=192.168.134.0/24 gateway=ipip-tunnel-z3 pref-src=\
    192.168.69.1
add distance=1 dst-address=192.168.135.0/24 gateway=ipip-tunnel-z3 pref-src=\
    192.168.69.1
add distance=1 dst-address=192.168.136.0/24 gateway=ipip-tunnel-z3 pref-src=\
    192.168.69.1
add distance=1 dst-address=192.168.248.0/24 gateway=ipip-tunnel-z3 pref-src=\
    192.168.69.1

after:

/ip route
add dst-address=172.28.248.0/24 gateway="" pref-src=1.69.168.192
add dst-address=192.168.134.0/24 gateway="" pref-src=1.69.168.192
add dst-address=192.168.135.0/24 gateway="" pref-src=1.69.168.192
add dst-address=192.168.136.0/24 gateway="" pref-src=1.69.168.192
add dst-address=192.168.248.0/24 gateway="" pref-src=1.69.168.192

LE: I do have to read and understand the routing changes from the manual for v7.
For now I can't seem to get the IPIP tunnel to work properly over IKEv2. The other end (running 6.46.6) shows the tunnel coming up and running but nothing on the v7.1b2, and I can't send anything over it.

ujsd · Sun Aug 23, 2020 3:21 pm

Both Sierra MC7430 and Quectel EC25 work great in MBIM mode in ROS7. Big difference with 6.47.x, as the MC7430 was only supported in PPP mode and the EC25 was supported in PPP and ECM modes. I do notice the amount of information the cards report is different. The MC7430 only reports RSSI, whereas the Quectel cards report RSSI, RSRP, SINR and RSRQ.

EC25AU.PNG
MC7430.PNG

I also notice the lte1 interface of the device with the EC25 card sometimes disappears after a reboot.

I like to add and ask others (if they are seeing the same) that I am seeing a similar issue with the LTE modem disappearing after a Router boot or USB Modem unplugging and plugging
The Quectel USB Modem EM12 reports no SIM detected,
I have to go into teh Qucetel EM12 modem and use AT commands to reset the SIM detect

miroslaw · Sun Aug 23, 2020 5:39 pm

Thank you guys for wireguard support, that's what I've been waiting for.
One minor bug I found, can't set comment for wireguard peers (cli & webfig, havent tried winbox).
I'm using hap ac2 RBD52G-5HacD2HnD

rpress · Sun Aug 23, 2020 8:44 pm

Yes, I noticed also comments don't save for wireguard peers at all. Also ipv6 addresses can only be used in CLI.

pe1chl · Sun Aug 23, 2020 8:56 pm

I've upgraded from 6.46.6 to 7.1beta2 directly (I know, bad) ...and this happend with my static routes.

For now I'd assume that conversion from older versions does not work yet (for those features that drastically changed, like routing) and setup everything from scratch.

msatter · Sun Aug 23, 2020 10:50 pm

Request: make it possible to ignore the provided dynamic DNS by the VPN providers, also for WireGuard?

vitalys · Mon Aug 24, 2020 9:20 am

OpenVPN realization in Mikrotik is still useless due to lack of SHA256/SHA512 support (SHA-1 deprecated https://shattered.io/)

When SHA512 will be supported in Mikrotik?

bratislav · Mon Aug 24, 2020 11:57 am

OpenVPN realization in Mikrotik is still useless due to lack of SHA256/SHA512 support (SHA-1 deprecated https://shattered.io/)

When SHA512 will be supported in Mikrotik?

There is a difference between hashing (as SHA1) and encryption (as AES...) and just because someone is able to generate 2 different PDF files that produce same SHA1 hash does not mean he could reversely generate private keys used in VPN ...

Mon Aug 24, 2020 2:25 pm

The wiki page has been updated with the most-recent information regarding L3 HW Offloading:
https://wiki.mikrotik.com/wiki/Manual:C ... Offloading

rpress · Mon Aug 24, 2020 3:48 pm

In IPv6 firewall filter the "reject" action is not working. It causes the whole IPv6 firewall to be bypassed and the counters show bogus numbers. I tried on both "input" and "forward" chains.

npeca75 · Tue Aug 25, 2020 6:26 am

rb 760igs
if i try to make any change on PoE / eth5 router is rebooting with kernek failure message
PoE does not work with "auto", aways say "too low"
in prev v6 release this was worked without problem

tpedko · Tue Aug 25, 2020 9:39 am

model: RB4011iGS+5HacQ2HnD
add

/queue simple
add max-limit=30M/30M name=All_30Mbit queue=pcq-upload-default/pcq-download-default target=192.168.0.0/24

result, boot loop

krisjanisj · Tue Aug 25, 2020 10:09 am

@miroslaw & @rpress - Wireguard peers unable to set a comment has been reported to our developers and fix will be included in next RouterOS release.
@npeca75 & @tpedko - Is it possible for You to send supout.rif files to support@mikrotik.com, referencing this forum thread, so we can troubleshoot this further?

evgenij · Tue Aug 25, 2020 12:28 pm

ROS: 7.1beta2

1) Unable to create GRE6 and IPIPv6 interfaces
CLI and winbox says - failure: adding tunnel failed

2) Unable to set peer Endpoint port in winbox. CLI works

3) Unable to add IPv6 routes using the winbox: routes are deleted immediately after creation or disabling. CLI works

4) IPv4 routes are deleted immediately after disabling (winbox)

msatter · Tue Aug 25, 2020 12:43 pm

ROS: 7.1beta2

2) Unable to set peer Endpoint port in winbox. CLI works

4) IPv4 routes are deleted immediately after disabling (winbox)

Number two was already mentioned in this thread. Number four is cosmetic and on re-entering the route window they are displayed as disabled.

Tue Aug 25, 2020 2:52 pm

So announcement says CRS309-1G-8S+IN, CRS312-4C+8XG-RM, CRS326-24S+2Q+RM and CRS354-48G-4S+2Q+RM for L3 offload but CRS317 mentioned above as working.

I have CRS326-24G-2S+ (arm). Will it take advantage of L3 offloading? If so, what else will?

CRS326-24G-2S+ has an older switch chip, for which L3 offloading is not supported yet. Here is the list of supported devices:
https://help.mikrotik.com/docs/display/ ... heirlimits

elbob2002 · Tue Aug 25, 2020 3:05 pm

Upgraded my RB3011 this morning to 7.1beta 2.

I reset the router before upgrading and only configured it with a WAN connection to upgrade to Beta2.

Upgrade seemed to go okay so I set about configuring it correctly.

First issue was renaming an interface (ether1 renamed to WAN) would result in a reboot as soon as I clicked OK or Apply.

Second issue was a deal breaker and that was all 10 interfaces were limited to 10Mb only. I tried manually setting them to 1Gb full duplex but to no avail.

I reverted back to 6.47.2 so unfortunately I can't generate a supout but just wondering if anyone has seen anything similar? Surely there are other RB3011 users out there that have upgraded?

evgenij · Tue Aug 25, 2020 3:14 pm

Does anyone have problems with GRE/IPIP (v4) tunnels (interfaces don't work)? EoIP works

eworm · Tue Aug 25, 2020 3:21 pm

You have to unset the timeout for GRE interfaces:

/ interface gre unset timeout [ find ]

evgenij · Tue Aug 25, 2020 4:29 pm

You have to unset the timeout for GRE interfaces:
Code: Select all
/ interface gre unset timeout [ find ]

Are you sure about timeout? there is no such option

eworm · Tue Aug 25, 2020 4:49 pm

Ah, stupid me... Of course it's keepalive.

/ interface gre unset keepalive [ find ]

evgenij · Tue Aug 25, 2020 5:01 pm

@eworm Thanks, now it works

Znevna · Tue Aug 25, 2020 5:12 pm

Ah, stupid me... Of course it's keepalive.
Code: Select all
/ interface gre unset keepalive [ find ]

!!!!! this fixed my IPIP tunnel too. lol (unsetting keepalive for ipip that is).
THANKS.

[admin@gw-viper-rds] /interface/ipip> print       
Flags: R - RUNNING
Columns: NAME, MTU, ACTUAL-MTU, LOCAL-ADDRESS, REMOTE-ADDRESS, DSCP
  #     NAME            MTU   ACTU  LOCAL-ADDRESS  REMOTE-ADDRE  DSCP   
  0  R  ipip-tunnel-z3  auto  1402  172.28.252.69  172.28.252.1  inherit

Running! ^^

sinisa · Tue Aug 25, 2020 5:30 pm

Hello!
You have done a very nice work with Wireguard, I honestly did not expect it this year.

My problem with 7.1 is that recursive routes are not working (same problem as here: viewtopic.php?t=165021)

Everything else that I use is working fine (and since now we have Wiregiard, I don't need OpenVPN any more, do I don't care about UDP support)

Best regards...

msatter · Tue Aug 25, 2020 5:35 pm

Upgraded my RB3011 this morning to 7.1beta 2.

I reset the router before upgrading and only configured it with a WAN connection to upgrade to Beta2.

Upgrade seemed to go okay so I set about configuring it correctly.

First issue was renaming an interface (ether1 renamed to WAN) would result in a reboot as soon as I clicked OK or Apply.

Second issue was a deal breaker and that was all 10 interfaces were limited to 10Mb only. I tried manually setting them to 1Gb full duplex but to no avail.

I reverted back to 6.47.2 so unfortunately I can't generate a supout but just wondering if anyone has seen anything similar? Surely there are other RB3011 users out there that have upgraded?

I still consider 7.x as a pre-Beta as it just reboots you touch someting that is untouchable. You only will know it was untouchable because, after the reboot the change was lost.

I went back to a stable Beta within minutes after walking into reboot walls.

Znevna · Tue Aug 25, 2020 6:02 pm

Are the issues with RAW Firewall known?
If you have any rules there (two+) issuing a disable/enable on any of them makes the counters for the existing enabled rules go crazy.
Also I have a rule that keeps counting packets when enabled even though there shouldn't be any matching traffic (the notrack one), setting a log for it doesn't show anything..

/ip/firewall/raw> print stats
Flags: X - DISABLED, I - INVALID
Columns: CHAIN, ACTION, BYTES, PACKETS
  #     CHAIN       ACTION                           BYTES                     PACKETS
  0     prerouting  drop             7 182 164 577 801 072   9 367 141 933 521 187 617
  1  X  prerouting  drop                                 0                           0
  2  X  prerouting  notrack      9 890 406 038 755 190 484  15 743 512 066 554 732 580
  3  X  prerouting  passthrough  3 821 585 153 310 984 802       6 668 097 643 014 512

npeca75 · Tue Aug 25, 2020 6:40 pm

@npeca75 & @tpedko - Is it possible for You to send supout.rif files to support@mikrotik.com, referencing this forum thread, so we can troubleshoot this further?

Ok
supout was sent today
SUP-25925

elbob2002 · Tue Aug 25, 2020 7:43 pm

I still consider 7.x as a pre-Beta as it just reboots you touch someting that is untouchable. You only will know it was untouchable because, after the reboot the change was lost.

I went back to a stable Beta within minutes after walking into reboot walls.

Yeah. I wasn't expecting too much but I found the RB3011 much more unstable than the CHR and two CRS125s I have it running on.

npeca75 · Tue Aug 25, 2020 8:44 pm

Is there a plan for resolving DNS peer names in WireGuard properties?
or we are doomed to script/resolve/set wireguard peer endpoint?

Paternot · Tue Aug 25, 2020 10:17 pm

Is there a plan for resolving DNS peer names in WireGuard properties?
or we are doomed to script/resolve/set wireguard peer endpoint?

Yes, this is a must! Is so easy to do, since almost all the needed code is already there.

danbit · Tue Aug 25, 2020 11:14 pm

Is there a plan for resolving DNS peer names in WireGuard properties?
or we are doomed to script/resolve/set wireguard peer endpoint?
Yes, this is a must! Is so easy to do, since almost all the needed code is already there.

+1 on that request. Using a domain would make things much easier indeed.

Also, I can't seem to find a way to enable logging for wireguard. Is this not yet implemented in this latest beta?

Paternot · Wed Aug 26, 2020 12:16 am

Also, I can't seem to find a way to enable logging for wireguard. Is this not yet implemented in this latest beta?

Yes, it is. Just like the rest:

1) Choose the topic (info, debug, etc)
2) Choose the prefix (wireguard)

romas · Wed Aug 26, 2020 12:32 am

It's good news about wireguard! I updated my RB951G-2HnD and all works well. But might you help me? I have wireguard remote server (172.16.0.1) my mikrotik (172.16.0.3 / 192.168.1.1) and my laptop (192.168.1.2) and I can't understand how to setup vpn to my remote server for my laptop without mark routing?

redskilldough · Wed Aug 26, 2020 3:27 am

Hi,

Let's say I have this in my wireguard configuration file, how would I deploy it in my mikrotik router?
Also, how would I route traffic from client 192.168.0.44 only, through this tunnel?

Any help would be greatly appreciated

Thanks!

[Interface]
PrivateKey = 123456=
Address = 172.16.0.12/32
Address =111:222:aaa/128
DNS = 8.8.8.8
[Peer]
PublicKey = 456789=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = aaa.bbb.com:2255

rplant · Wed Aug 26, 2020 1:22 pm

Minor issue with Wireguard
Mostly seems great, quite impressed with it, I have not used wireguard before.

If I don't set the peer address, so any address can connect, when a peer does connect to it
it seems to set the peer address/port itself in its config :(

I would also like DNS connect
Thanks

eworm · Wed Aug 26, 2020 1:29 pm

This is by design. Peers are identified by their public key, changing the endpoint automatically makes it roam seamlessly.
If the peer changes its address the configuration should update again.

npeca75 · Wed Aug 26, 2020 6:29 pm

hi @krisjanisj

another issue with rb760igs

temperature sensor is missing
no such item in Winbox and also sensor is missing from SNMP

:( pitty

UserFan · Wed Aug 26, 2020 9:20 pm

Please add parent proxy authentication

m0x35 · Thu Aug 27, 2020 12:54 am

Does anyone have some issues with wifi? On my hap ac^2 from time to time wifi clients can't get ip addresses from dhcp. I have tried to reset wifi settings to default, reset router itself, configure wifi via quick setup web page. Nothing works for me. I have downgraded routeros back to the stable version and everything works just fine again. Only strange thing in logs that I saw was something like "disconnected, group exchange timeout".

subway · Thu Aug 27, 2020 6:26 pm

What I tried to find out if the ROS 7 betas can run on anything else than ARM based devices? For example can it work on the CCRs?

Maybe a bit of clarification on the supported hardware would be nice as I cant find anything about that except for a single entry by Normis from 2019 (only ARM for now).

Paternot · Thu Aug 27, 2020 6:37 pm

What I tried to find out if the ROS 7 betas can run on anything else than ARM based devices? For example can it work on the CCRs?

Maybe a bit of clarification on the supported hardware would be nice as I cant find anything about that except for a single entry by Normis from 2019 (only ARM for now).

Here you will find the RoS 7.1beta download link. It shows each supported architecture.
https://mikrotik.com/download

rpress · Thu Aug 27, 2020 9:27 pm

Looks like only one wireguard interface is working at a time, whatever is started first. Only the first shows as "running".

Does anyone have more than one simultaneous wireguard interface working?

mozerd · Thu Aug 27, 2020 10:32 pm

Does anyone have more than one simultaneous wireguard interface working?

I am not running the MikroTik implementation so I have no idea if in its current state of RouterOS 7.1beta2 how may peers can be run .... and yes under ubnt EdgeRouter I have multiple Peers running in client sites.

Following link shows how it should be done ... hope this helps you ... assuming the TiK way does not imped.

https://www.zahradnik.io/wireguard-a-vp ... ge-in-mind
scroll down to Everyone is a peer where the CLI info is shown.

Paternot · Fri Aug 28, 2020 12:21 am

Looks like only one wireguard interface is working at a time, whatever is started first. Only the first shows as "running".

Does anyone have more than one simultaneous wireguard interface working?

I have one little test, with 3 CHRs. I named them after their IP, so we have 115, 116 and 118 machines.

I inserted static routes, sou The left machine should be able to ping the right machine - passing through the center one. Pay attention to the IP addresses on the Wireguard config - You will have to adjust them to your network.

This is NOT a production example. It is just the absolute minimum, in order to test two wireguard interfaces on a single machine. I didn't even set a password to the admin user.

rpress · Fri Aug 28, 2020 12:50 am

Looks like only one wireguard interface is working at a time, whatever is started first. Only the first shows as "running".

Does anyone have more than one simultaneous wireguard interface working?

Thanks both for your input. I have found the problem: using WebFig the listen-port always defaults to 12321. Although I was not using the port, it would conflict with the other interface. Setting one of the listen-port to something else worked fine.

Interestingly using the terminal, the listen-port seems to be randomly generated, thereby not having this issue. But I wonder if this seemingly random port could have it's own problems. With Wireguard is it possible to disable listening altogether? Maybe this would be the best default.

Mannsean · Fri Aug 28, 2020 1:56 am

winbox 3.24 64bit on win7, rb450gx4. Open interfaces, add Virtual ethernet. Winbox closed.

Same issue

kylepharo · Sat Aug 29, 2020 2:18 am

Does anyone have some issues with wifi? On my hap ac^2 from time to time wifi clients can't get ip addresses from dhcp. I have tried to reset wifi settings to default, reset router itself, configure wifi via quick setup web page. Nothing works for me. I have downgraded routeros back to the stable version and everything works just fine again. Only strange thing in logs that I saw was something like "disconnected, group exchange timeout".

I'm having similar problems on my rb4011igs+5hacq2hnd-in. Also did a reset to defaults with minor adjustments (ssid, wpa2 psk etc).
Clients appear to lose DHCP lease, then disconnect completely. Phones (iphones) appears to to experience the problem the most often

Clearing and netinstalling the latest testing 6.48beta27 issues go away, no dhcp loss/disconnections on wifi

romas · Sat Aug 29, 2020 9:47 am

I have a small issue with DNS over HTTPS. It works perfectly in 6.47.2, but now mikrotik can't verify certificate. I tried to re-import it, but nothing helps.

pe1chl · Sat Aug 29, 2020 12:09 pm

I have a small issue with DNS over HTTPS. It works perfectly in 6.47.2, but now mikrotik can't verify certificate. I tried to re-import it, but nothing helps.

Are you sure you have imported the entire chain from the root, and not only the server certificate?

romas · Sat Aug 29, 2020 1:56 pm

I have a small issue with DNS over HTTPS. It works perfectly in 6.47.2, but now mikrotik can't verify certificate. I tried to re-import it, but nothing helps.
Are you sure you have imported the entire chain from the root, and not only the server certificate?

Yes I'm, and it was validated succesfully on stable branch

romas · Sat Aug 29, 2020 2:02 pm

Hi,

Let's say I have this in my wireguard configuration file, how would I deploy it in my mikrotik router?
Also, how would I route traffic from client 192.168.0.44 only, through this tunnel?

Any help would be greatly appreciated

Thanks!
Code: Select all
[Interface]
PrivateKey = 123456=
Address = 172.16.0.12/32
Address =111:222:aaa/128
DNS = 8.8.8.8
[Peer]
PublicKey = 456789=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = aaa.bbb.com:2255

You might be interested this howto : https://rickfreyconsulting.com/wireguard/ , but how to route one client without marking I don't know, unfortunately.

Znevna · Sat Aug 29, 2020 3:00 pm

Tiny (not realy) bug:
I don't know why but my dynamic DNS servers went *poof* from the config. (Which are set by the pppoe client).
No wan disconnect, nothing in the logs. They just went missing.
And I was wondering why the DNS cache is empty...

redskilldough · Sat Aug 29, 2020 3:08 pm

Hi,

Let's say I have this in my wireguard configuration file, how would I deploy it in my mikrotik router?
Also, how would I route traffic from client 192.168.0.44 only, through this tunnel?

Any help would be greatly appreciated

Thanks!
Code: Select all
[Interface]
PrivateKey = 123456=
Address = 172.16.0.12/32
Address =111:222:aaa/128
DNS = 8.8.8.8
[Peer]
PublicKey = 456789=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = aaa.bbb.com:2255
You might be interested this howto : https://rickfreyconsulting.com/wireguard/ , but how to route one client without marking I don't know, unfortunately.

Hi,

Thanks for the reply.

Anyway, I managed to get it to work, this should help those who want to connect to vpn providers that provide wireguard support, eg. I think nordvpn does.

Once you have such a configuration file for the wireguard client in windows, mac, do this, using winbox

1. Go to the wireguard menu, add a new interface

2. Leave the default setting, just add the private key from the interface section of the wireguard config file, in this example, 123456=, click apply

3. Go to the peer tab, add a new peer, use the public key from the peer section of the wireguard config file, in this example,456789=,
Since I want to route all traffic from specific clients to through this interface, put 0.0.0.0/0 in allowed ips

4. Use nslookup, resolve the endpoint, in this case, aaa.bbb.com to its ip address. Put that ip address in the end point.

5. Use the terminal go to /interface/wireguard/peers. if there is only 1 peer, run this, set 0 endpoint=[ip address]:2255

6. Go to IP addresses, set the ip address for the wireguard interface, in this case, 172.16.0.2/32

7. Go to IP firewall NAT, add a masquerade rule, chain srcnat, outgoing interface -> your wireguard interface, action=masquerade

8. Run this command in the terminal, /routing table add name=VPNProvider fib

9. Go to IP firewall mangle, add a mangle rule, use source address for the client whose traffic you want to route through the vpn interface, or use source address list for several clients.
Chain=prerouting, Action=mark routing, new routing mark, choose VPNProvider from the combo box. (This was the tricky part, you cant just type in VPNProvider like in ROS 6, you have to add it to the routing table first, the only can you choose it as a new routing mark)

10. Finally add a new route in the terminal, like this, /ip route add dst-address=0.0.0.0/0 gateway=[your wireguard interface]@main routing-table=VPNProvider

That's it, your specified clients should now be routed through your vpn connection

erkexzcx · Sat Aug 29, 2020 9:32 pm

Does this beta release work great with Winbox? Or is it console-only while it's beta?

Sob · Sat Aug 29, 2020 9:47 pm

Most of it is ok in WinBox. There's problem with Wireguard port mentioned in this thread. Also 'routing-table' parameter is missing from IP->Route.

romas · Sun Aug 30, 2020 11:52 am

10. Finally add a new route in the terminal, like this, /ip route add dst-address=0.0.0.0/0 gateway=[your wireguard interface]@main routing-table=VPNProvider

That's it, your specified clients should now be routed through your vpn connection

Thank you for the tricky way with marking. I did it, pings between server and mikrotik is good, DNS is working on well, but internet on the client is incredibly slow, trying to troubleshoot it

Sun Aug 30, 2020 11:57 am

@romas:

Do you REALLY need to quote such a long post? What for?

Please edit it.

redskilldough · Sun Aug 30, 2020 1:18 pm

Thank you for the tricky way with marking. I did it, pings between server and mikrotik is good, DNS is working on well, but internet on the client is incredibly slow, trying to troubleshoot it

Yes, I noticed that too. I can max out my 500/100 internet connection with ROS 6.47.2, fasttrack enabled, but with ROS 7.1b2, I'm getting only about 100+/100, even with fasttrack enabled (using a mikrotik hex).

I guess it's still in beta and will probably get better later.

Chupaka · Sun Aug 30, 2020 3:53 pm

Could somebody check SOCKS5 with password auth in ROS v7? It's not working for me. SOCKS4 looks good.

NilKad · Wed Sep 02, 2020 3:12 pm

lte1 receives DNS via DHCP (from the modem) with the checkbox off in LTE APN - Use Peer DNS. I can't turn off the use of DNS from the router side.

Mikr_DNS.png

pe1chl · Wed Sep 02, 2020 3:38 pm

You need to turn it off in the DHCP client!

sindy · Wed Sep 02, 2020 4:28 pm

You need to turn it off in the DHCP client!

For some modem types, the DHCP client is dynamically created and cannot be modified (nor prevented from being dynamically generated and created manually), so this advice is not applicable. For the dynamically created DHCP client, the setting in question (plus other ones) is (in theory) inherited from the apn profile.

For yet other modems (R11e-LTE6), there is no DHCP client at all, and nevertheless the IP address is assigned and the default route and other settings from apn profile are used (also in "direct IP" mode, i.e. not PPP/serial).

pe1chl · Wed Sep 02, 2020 4:59 pm

You need to turn it off in the DHCP client!
For some modem types, the DHCP client is dynamically created and cannot be modified (nor prevented from being dynamically generated and created manually), so this advice is not applicable. For the dynamically created DHCP client, the setting in question (plus other ones) is (in theory) inherited from the apn profile.

Ok, but it can be clearly seen above that "Use peer DNS" is OFF in the LTE profile and it is ON in the DHCP client. So that is a bug?

Gnubyte · Wed Sep 02, 2020 5:22 pm

Hi all,
I just installed v7.1beta2 on the CCR2004 I have here in tests. I was looking for better support of 1Gbps+ SFPs interfaces inserted in SFP+ ports, and I found a bug.

*********************************************
Presentation of reproduction conditions
*********************************************

A brand New CCR2004, with an Optical GPON ONU SFP recognized as brand "ODI"
The ONU is fully functionnal under v6.47.2, seems to let change the AUto Negotiation Speed to more than 1000M Full, but allways limited to 1000M.
According to https://www.dslreports.com/forum/r32230 ... 57810S-NIC SGMII linux patches can let SFP sticks run at more that 1000M, so I give a try to v7.1beta2.
I upgraded the fimrware, go to the sfp-sfpplus interface, doble clic, and yes, it's still recognized, but this time eligible speeds are not pre checked. So I check 2.5G Full, and instant reboot.
No way to change the neciable speed. Everytime I try to change it, it reboots. Unfortunately, It seems limited to 1000M.

Capture1.PNG

I give a try with another stick of this kind, and I come back. I do have several sticks of this kind.

When I do exactly the same procedure with another SFP ONU Stick (CarllitoxxPro), it reboots.

It's exactly the same reboot changing the negociated speed of a S+RJ10 Mikrotik Interface

This bug, about SFP speed negociation, seems generic, including with Mikrotik Interfaces.

I can make you more explicit capture CLI, most of all for the first ONU stick of course, If you can let it run 2.5Gbps patching this bug, I would be gracefull.

Hope this helps. Feel free to contact me by email.

lupusx · Wed Sep 02, 2020 7:00 pm

Do beta releases require licence for testing ?

In other words can I install it f.e. on x86 for tests without any additional licence ?

rpress · Wed Sep 02, 2020 7:09 pm

Do beta releases require licence for testing ?

In other words can I install it f.e. on x86 for tests without any additional licence ?

Yes it requires a license. You can get a trial as usual.

And actually, when upgrading from v6 the old license is now invalid. So the license must be transferred to the new v7 install, making it not easy to go back to v6.

redskilldough · Thu Sep 03, 2020 6:31 am

Thank you for the tricky way with marking. I did it, pings between server and mikrotik is good, DNS is working on well, but internet on the client is incredibly slow, trying to troubleshoot it

Hi, disabling fasttrack seems to solve this problem

kylepharo · Thu Sep 03, 2020 8:03 am

A brand New CCR2004, with an Optical GPON ONU SFP recognized as brand "ODI"
The ONU is fully functionnal under v6.47.2, seems to let change the AUto Negotiation Speed to more than 1000M Full, but allways limited to 1000M.
According to https://www.dslreports.com/forum/r32230 ... 57810S-NIC SGMII linux patches can let SFP sticks run at more that 1000M, so I give a try to v7.1beta2.
I upgraded the fimrware, go to the sfp-sfpplus interface, doble clic, and yes, it's still recognized, but this time eligible speeds are not pre checked. So I check 2.5G Full, and instant reboot.
No way to change the neciable speed. Everytime I try to change it, it reboots. Unfortunately, It seems limited to 1000M.

Capture1.PNG

I give a try with another stick of this kind, and I come back. I do have several sticks of this kind.

When I do exactly the same procedure with another SFP ONU Stick (CarllitoxxPro), it reboots.

It's exactly the same reboot changing the negociated speed of a S+RJ10 Mikrotik Interface
This bug, about SFP speed negociation, seems generic, including with Mikrotik Interfaces.

I can make you more explicit capture CLI, most of all for the first ONU stick of course, If you can let it run 2.5Gbps patching this bug, I would be gracefull.

Hope this helps. Feel free to contact me by email.

Have you tried changing the speed/duplex etc via the CLI instead of via the web ui?

I had a similar issue forcing a 10gbit interface to be 1gbit on a CRS 317 running 7.1beta2. Via winbox would cause the router to crash, via CLI worked fine.

bozko · Thu Sep 03, 2020 9:31 am

Hello,

Can someone provide a working example of wireguard setup WITHOUT Endpoint on RouterOS device?

eworm · Thu Sep 03, 2020 9:39 am

Wireguard endpoints are set and updated automatically on handshake.

Gnubyte · Thu Sep 03, 2020 10:23 am

Have you tried changing the speed/duplex etc via the CLI instead of via the web ui?

I had a similar issue forcing a 10gbit interface to be 1gbit on a CRS 317 running 7.1beta2. Via winbox would cause the router to crash, via CLI worked fine.

Thanks for the advice. I try it.

bozko · Thu Sep 03, 2020 10:29 am

Wireguard endpoints are set and updated automatically on handshake.

Huh. Are you sure that both of endpoint can be updated automatically?

Nevertheless, I can't find any example of routeros setup with one of the peers is with endpoint (e.g. "client") and other is without ("server"). May be I'm on wrong path...

eworm · Thu Sep 03, 2020 12:02 pm

Wireguard endpoints are set and updated automatically on handshake.
Huh. Are you sure that both of endpoint can be updated automatically?

Nevertheless, I can't find any example of routeros setup with one of the peers is with endpoint (e.g. "client") and other is without ("server"). May be I'm on wrong path...

No, only one endpoint (at a time). The other side has to initiate the handshake.

But Wireguard does not follow a classic client and server model. It has just peers, so both sides can initiate the handshake.

thadrumr · Thu Sep 03, 2020 4:40 pm

7.1 beta2 no longer boots in i686/32bit mode. This kernel seems to only have 64bit enabled. Is this on purpose? Are 32bit machines finally getting the ax?

rpress · Thu Sep 03, 2020 4:53 pm

Huh. Are you sure that both of endpoint can be updated automatically?

Nevertheless, I can't find any example of routeros setup with one of the peers is with endpoint (e.g. "client") and other is without ("server"). May be I'm on wrong path...

I don't have a single Wireguard interface with one peer as server and one as client. But I do have two Wireguard interfaces, where one is a server (listening) and has two peers. On these, the peer endpoints update automatically as already mentioned. My other Wireguard interface is a client with one peer. The CLI is needed to set the endpoint port for this one.

As I found the hard way the Wireguard interface listens regardless if you want it to or not. I expect that you should have no problem having one Wireguard interface like you want.

rooted · Sat Sep 05, 2020 7:40 pm

Removed due to complaining.

nostromog · Sat Sep 05, 2020 9:17 pm

lte1 receives DNS via DHCP (from the modem) with the checkbox off in LTE APN - Use Peer DNS. I can't turn off the use of DNS from the router side.
Mikr_DNS.png

In my case, even with user-peer-dns off both in lte1 and the dynamic dhcp-client, ip dns is showing it in the "dynamic-servers" and there is no way to get rid of them once installed, no matter what I do.

I'm using a USB cable with an android phone in "USB tethering" mode with a hAP ac^2. Other than this it works like a charm. The /ip/dns/dynamic-servers remain set when I unplug the cable and lte1 disapperars and remains visible only as something like *00008 in some places.

Znevna · Sat Sep 05, 2020 9:59 pm

This gentlemen wrote an in-depth tutorial for MikroTik site to site VPN:

https://rickfreyconsulting.com/wireguar ... n-example/

That's hardly an "in depth tutorial". And don't get me started on the quality of the screenshots, missing accompanied selectable text for whatever goods are or aren't in them, or the discrepancies between the screenshots and the settings export provided. Or the missing proper explanation of allowed address fields with proper examples.
Or how about the MTU? barely mentions something about it but that's it, nothing about setting up proper MTU for the interface.
"in depth", pft.
It's not rocket science to build up a Wireguard tunnel and route something over it.
Do you guys get a cut for traffic generated to his site or out of how many "clients" that guy "gets" thanks to you?:)

evgenij · Sun Sep 06, 2020 12:09 am

Does anyone have a problem with the bridge firewall?

IP firewall is enabled
I can see network traffic between the two interfaces, but not in the bridge statistics and the bridge-firewall is not catching any packets in the forward chain

mozerd · Sun Sep 06, 2020 2:38 am

This gentlemen wrote an in-depth tutorial for MikroTik site to site VPN:

https://rickfreyconsulting.com/wireguar ... n-example/
It's not rocket science to build up a Wireguard tunnel and route something over it.
Do you guys get a cut for traffic generated to his site or out of how many "clients" that guy "gets" thanks to you?:)

@ Znevna ....
IMO Rick Frey provides an excellent tutorial on using WireGuard and MikroTik and I hope that he gets as many clients as he deserves.

Arcticfox · Sun Sep 06, 2020 11:12 am

Nice version, but on CRS326-24S+2Q something goes wrong: Kernel panic on much of reasons.
1. Connected to HP virtual connect via SFP+ - kernel panic
2. Connected to Procurve switch and assigned vlan to port via Copper SFP- kernel panic
3. Connected to cisco n3k-c3064pq kernel panic

And this panic is so deep that console is unreachable after reboot. Only reset to factory defaults helps to move it out.

What I did wrong (else trying beta).

Znevna · Sun Sep 06, 2020 12:08 pm

This gentlemen wrote an in-depth tutorial for MikroTik site to site VPN:

https://rickfreyconsulting.com/wireguar ... n-example/
It's not rocket science to build up a Wireguard tunnel and route something over it.
Do you guys get a cut for traffic generated to his site or out of how many "clients" that guy "gets" thanks to you?:)
@ Znevna ....
IMO Rick Frey provides an excellent tutorial on using WireGuard and MikroTik and I hope that he gets as many clients as he deserves.

Ofc you'd say that, you're in the same business model. I also hope he gets as many clients as he deserves.
"excellent" and "in depth" tutorials should be written on the forum if the intention was to share some knowledge with the users, not on some personal website for personal gain *cough* and drop the link randomly on the forum so that his website would get hits from the curious users. Luckily those two tutorials by him fits neither.
Writing a tutorial on the forum also allows you to get some feedback on your solution from other experienced users and maybe ways to improve your tutorial/solution (see the VLAN articles by pcunite for example).
As a bonus the forum provides support for proper CODE blocks that the users are used to.
As I've said, dropping links to your personal website on this forum and reddit screams only one thing and nothing good about it.

pe1chl · Sun Sep 06, 2020 12:12 pm

...

I fully agree with you, and also I think he is mainly a wireguard fanboi and makes false claims about the alternative methods (especially on RouterOS).
But hey, there are many of them.

huntermic · Sun Sep 06, 2020 12:43 pm

I have an issue here with the 7.1 beta 2 on 3 hAp ac^2 devices. Had te return to the stable branch for wireless to become stable again.
On all devices i had serious stability issues.

pe1chl · Sun Sep 06, 2020 12:45 pm

I have an issue here with the 7.1 beta 2 on 3 hAp ac^2 devices. Had te return to the stable branch for wireless to become stable again.
On all devices i had serious stability issues.

Such a posting would actually be useful when it included relevant details of what you were experiencing.

nostromog · Sun Sep 06, 2020 1:22 pm

I have an issue here with the 7.1 beta 2 on 3 hAp ac^2 devices. Had te return to the stable branch for wireless to become stable again.
On all devices i had serious stability issues.

He told that the same I am seeing: devices get stuck but otherwise connected on both interfaces.
Some time after last disable/enable cycle or reboot, any of the devices stop flowing through the wireless connection. If they are "clever" they migrate to the other, say wlan2. I often find after a few hours that all devices except one are in, say wlan1 and only one is in registration table at wlan2, but not working. disable/enable makes it work again, until it failed
It was not happening in 7.1beta1, it takes a few hours to happen, seems to be related with noise and distance, as it got better to me by:
* increasing the antenna gain in both interfaces (which also made for better signal overall and less warm router, BTW).
* changing a few other wireless settings.
Currently I have:

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode antenna-gain=4 band=2ghz-onlyn channel-width=\
    20/40mhz-Ce country=spain disabled=no frequency=auto installation=indoor mode=ap-bridge ssid=MT \
    wireless-protocol=802.11 wmm-support=enabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode antenna-gain=5 band=5ghz-onlyac basic-rates-a/g=12Mbps \
    channel-width=20/40/80mhz-XXXX country=spain disabled=no frequency=auto installation=indoor mode=ap-bridge rate-set=configured \
    ssid=MT vht-supported-mcs=mcs0-9,mcs0-9,none wireless-protocol=802.11 wmm-support=enabled

and it happens less than with the default settings. Failing devices are mostly android, but also a windows and a linux laptop occassionally. I have set wireless debug in one of the phones and saw a message like NETWORK_UNAVAILABLE DHCP NOT RESPONDING=1 (I'm inventing the message but it was the idea). The router thought that the phone was happily connected, BTW, but it disappeared from registration table when I switched wifi off / on in the phone, only to return to the same when I forced to reconnect. After disable/enable of the wlanN interface everything works again... for a few hours.

huntermic · Sun Sep 06, 2020 1:39 pm

I have an issue here with the 7.1 beta 2 on 3 hAp ac^2 devices. Had te return to the stable branch for wireless to become stable again.
On all devices i had serious stability issues.
Such a posting would actually be useful when it included relevant details of what you were experiencing.

I know and i'm sorry for that but i had to revert to a stable situation because of work i had to do. But still i thought it might be usefull to report.
The issues i had were with wifi.
Clients disconnected frequently and could often not get an ip address.
Sometimes wifi totally stopt functioning until turned of and on again on the hAp ac^2.

rooted · Sun Sep 06, 2020 2:02 pm

I don't know the guy who wrote the tutorial and I'm not a network engineer, seemed in depth enough to help me so I thought it may help others.

Lighten up, I removed the post...

Znevna · Sun Sep 06, 2020 8:20 pm

bug: 7.1beta2, hAP ac2
changing any interface name belonging to the internal switch using WinBox GUI makes the router reboot:

sep/06/2020 20:14:55 system,error,critical router rebooted because some critical program crashed

Doing the same thing from terminal however: /interface/ethernet/print; /interface/ethernet/set X name=ethX; works fine.

LE: another bug(?) same version/hardware.
Leaving CPU Frequency to auto, I can see the frequency going up to 896MHz on high load. Ain't this dangerous?
Shouldn't we have an option to set max freq to the default frequency of the CPU? and not overclock it? As overclocking it can lead to .. well, problems?
Thanks.

subway · Sun Sep 06, 2020 11:13 pm

Bug:

1. After the upgrade (from latest stable), the PPPoE server was completely gone, but just that: the Secrets, Profiles and the rest of the PPP interfaces stayed.
2. After (or since) the upgrade, it is not possible to configure an interface as gateway under IP --> Routes. The only possibility is to set an IP as gateway.

Znevna · Sun Sep 06, 2020 11:19 pm

You can write the interface name manually and it will work even if there's no list from which you could easily select it.
On another note, I can't figure out how to setup load balancing using ECMP. More exactly how to adapt this old tutorial for v7: https://wiki.mikrotik.com/wiki/ECMP_loa ... masquerade

teleport · Tue Sep 08, 2020 12:01 am

have RBG450GX4 with latest stable version. am trying to apply 7.1 beta 2. no matter what approach i take(use webfig/winbox->quickset/winbox->system->packages for upgrade,dropping npk file), i get the 'not enough space for upgrade' in the log after reboot.
here is log line 1 and 2 after reboot:
system,info 'installed system-7.1beta2'
system,error 'not enough space for upgrade'

mine is a plain vanilla install for home use with no additional configurations/packages/customizations.
please let me know

subway · Tue Sep 08, 2020 1:15 pm

You can write the interface name manually and it will work even if there's no list from which you could easily select it.

Thanks! Is this just a bug in the beta that the drop down list is not visible?

After the upgrade the routes that had interfaces as gateway were all in red, and the interfaces were gone.

nostromog · Tue Sep 08, 2020 1:22 pm

. Failing devices are mostly android, but also a windows and a linux laptop occasionally. I have set wireless debug in one of the phones and saw a message like NETWORK_UNAVAILABLE DHCP NOT RESPONDING=1 (I'm inventing the message but it was the idea).

I saw it again. The message was "NETWORK_SELECTION_DISABLED_DHCP_FAILURE=2 " (It was 1 last time I saw it. It recovers with disable/enable in wlan2 , disable/enable wlan1 in the router.

I'm not sure if the problem is due to connection o some other corruption: the wireless logs indicate good association followed by "sending station leaving (3)" about 8 seconds later, as if the station couldn't get dhcp going... but the router does not see any dhcp packet.

casus · Tue Sep 08, 2020 3:10 pm

Wireguard does not connect from Mikrotik behind NAT to a Linux server with a white IP.

eworm · Tue Sep 08, 2020 3:15 pm

Wireguard does not connect from Mikrotik behind NAT to a Linux server with a white IP.

What is a "white IP"?
But Wireguard with Mikrotik behind NAT is not a problem for me.

sindy · Tue Sep 08, 2020 3:25 pm

What is a "white IP"?

"White IP" is used in the post-soviet area instead of "public IP". "Grey" means "private". No idea what's the origin of this.

casus · Tue Sep 08, 2020 3:30 pm

What is a "white IP"?

Without using NAT. Without port forwarding, the interface address is not in the private or gray IP range.
Linux - conditionally server, Mikrotik - peer.

But Wireguard with Mikrotik behind NAT is not a problem for me.

Share a secret )

eworm · Tue Sep 08, 2020 3:48 pm

But Wireguard with Mikrotik behind NAT is not a problem for me.
Share a secret )

I'm sorry, but there's no secret... Just works for me.
Show you configuration export, possibly there's something fishy.

/interface/wireguard/export hide-sensitive

casus · Tue Sep 08, 2020 4:51 pm

follow the instructions from here : https://rickfreyconsulting.com/wireguar ... n-example/
and: https://www.cyberciti.biz/faq/ubuntu-20 ... pn-server/

# model = 960PGS
# serial number = CB540BCF02D3
/interface wireguard
add listen-port=8526 mtu=1420 name=3001
/interface wireguard peers
add allowed-address=192.168.160.0/24 endpoint=XX.181.201.XXX:61830 interface=3001 public-key=\
    "Fp9D00OEAHH9zotl3pw6cMTmwICL/OkZEj7KBo4ZWns="

Tinuva · Wed Sep 09, 2020 9:32 am

Upgraded my RB3011 this morning to 7.1beta 2.

I reset the router before upgrading and only configured it with a WAN connection to upgrade to Beta2.

Upgrade seemed to go okay so I set about configuring it correctly.

First issue was renaming an interface (ether1 renamed to WAN) would result in a reboot as soon as I clicked OK or Apply.

Second issue was a deal breaker and that was all 10 interfaces were limited to 10Mb only. I tried manually setting them to 1Gb full duplex but to no avail.

I reverted back to 6.47.2 so unfortunately I can't generate a supout but just wondering if anyone has seen anything similar? Surely there are other RB3011 users out there that have upgraded?

I have a similar issue like this on my RB750Gr3.

Upgraded to 7.2beta2 from 6.47 without resetting the router before the upgrade. It was then in a reboot loop until I reset it.

Afterwards, all 5 ports would connect at 1Gbps however, after a while, my WAN port ether1 would be stuck on 10Mbps sync, no matter what I do, different cables, different devices, it was stuck.
So moved the WAN port to ether5 and after a week same thing, except now I have both ether1 and ether5 stuck on 10Mbps sync.
I have moved the WAN to ether2 now, but if this keeps on happening, I will have to look at downgrading too :(

Really liked using wireguard, but 1Gbps ports are more important.

edit:
Actually I see this:

[admin@MikroTik] >> /interface/ethernet/export                                                
# sep/09/2020 08:38:45 by RouterOS 7.1beta2
# software id = VQDT-J37Q
#
# model = RouterBOARD 750G r3
# serial number = 8AFF080AF8C6
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full
set [ find default-name=ether5 ] advertise=10M-half,10M-full

Trying unset doesnt work:

/interface ethernet unset [ find default-name=ether1 ] value-name=advertise

What is the correct way to unset this advertise command ?

sindy · Wed Sep 09, 2020 11:06 am

What is the correct way to unset this advertise command ?

/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full

Before issuing the command above, use /interface ethernet export verbose - it will show you that the value of the advertise parameter is set to this list for ether2-ether4; it's just that without the verbose modifier, the export does not show parameters with default values.

Tinuva · Wed Sep 09, 2020 11:18 am

Thank you @sindy that fixed it for me ;)

rplant · Thu Sep 10, 2020 4:18 am

Minor SFTP issue

winscp logging into router (hapac^2)
The top level directories (/flash, /disk1) show as broken links.
I can't click on them and go there.
I can type in /flash into winscp's open directory menu and that works fine.

reddin · Thu Sep 10, 2020 4:53 am

Wireguard does not connect from Mikrotik behind NAT to a Linux server with a white IP.

I've tried to connect like this to a dozen of a servers and everything worked well enough for me.

I've been wondering is it possible to generate keys on mikrotik for wireguard peers?

huntermic · Thu Sep 10, 2020 7:37 am

I would like to install v7.1beta2 on a RB4011 but it complains that it is missing multicast-7.1beta2-arm.npk
At the moment i'm running 6.48beta35 with the multicast package as extra package.
How do i upgrade without loosing the multicast functionality ( i use it for igmp-proxy ) ?

I got an answer from mikrotik: There is no multicast package, it is now part of system package, however IGMP-Proxy is not available in ROSv7 at the moment.

casus · Thu Sep 10, 2020 10:18 am

I've tried to connect like this to a dozen of a servers and everything worked well enough for me.

I've been wondering is it possible to generate keys on mikrotik for wireguard peers?

The Packet Sniffer on Mikrotik itself does not see any attempts to communicate with the server at all, filters by IP or port do not catch any packets in the direction of the server when the Wireguard interface is turned on and off.
Settings are made after Hard Reset, minimal - external interface and wireguard (+ manual IP for Wireguard interface).

rplant · Fri Sep 11, 2020 2:45 am

I've been wondering is it possible to generate keys on mikrotik for wireguard peers?

You can make a second wireguard interface, and copy the private and public key out of it.
Then delete it.

rplant · Fri Sep 11, 2020 2:46 am

Wireguard implementation seems to have gone pretty smoothly.

I don't suppose a backport to V6 is possible :)

rplant · Fri Sep 11, 2020 9:01 am

One issue with wireguard.

Sometimes It doesn't seem to keep its connection mark on output
The input to wg is coming in with a connection mark, but the output sometimes has
no connection mark.

Actually, on further review, its only when the output needs to go via a non default route.
(route marking needed), and also happens with Openvpn (and perhaps others)
sstp (tcp) using the same connection and route marking works correctly.

cihancan · Fri Sep 11, 2020 10:35 pm

Ive asked in the forums before updating to V7. One of the supports said it wont harm your device. I did it and it bricked my device. Thanks and sadly i will need to buy another retarded mikrotik device because its my only option. Plus LDF-5 doesnt work in net install mode my computer doesnt recognize it. Sad...

pe1chl · Fri Sep 11, 2020 11:05 pm

Users claiming netinstall doesn't work normally have made a mistake. It is not wise to try netinstall first on a device that already is in trouble, as when you tried it on a working device you would have found it is usually finicky.
You have to get the feel of it, and of course you have to have all the necessary preconditions present.
When you do it all correctly, it will also work on your dead LDF 5.

nostromog · Sat Sep 12, 2020 3:20 pm

Ive asked in the forums before updating to V7. One of the supports said it wont harm your device. I did it and it bricked my device. Thanks and sadly i will need to buy another retarded mikrotik device because its my only option. Plus LDF-5 doesnt work in net install mode my computer doesnt recognize it. Sad...

Follow the manual until you arrive to configure netbooting. Then ignore what the image days (192.168.88.3) and set instead 192.168.88.1.

Then it will work.

Enviado desde mi Redmi Note 5 mediante Tapatalk

sapphire112 · Sat Sep 12, 2020 11:43 pm

downgrade V7.1 beta2 impossible to downgrade Mikrotik chateau LTE12 stable version 6.47.3 no working Need help

sindy · Sun Sep 13, 2020 4:22 pm

Any change on the wireguard interface changes the mtu to 1420.

[me@chr-7-1] > interface/wireguard/print
 0 name="wg-0" mtu=1500 listen-port=5555 private-key="CE8v6Js/u5gw4qyIvVbY0idQ7fu4dArDK2dwDz4q33c=" public-key="Mrm8SbfGOmEnIUfmWrI+YBRV8fClymdgaceY+EjHqhY="
[me@chr-7-1] > interface/wireguard/set [find name=wg-0] name=wg-1
[me@chr-7-1] > interface/wireguard/print
 0 name="wg-1" mtu=1420 listen-port=5555 private-key="CE8v6Js/u5gw4qyIvVbY0idQ7fu4dArDK2dwDz4q33c=" public-key="Mrm8SbfGOmEnIUfmWrI+YBRV8fClymdgaceY+EjHqhY="

santyx32 · Sun Sep 13, 2020 4:24 pm

downgrade V7.1 beta2 impossible to downgrade Mikrotik chateau LTE12 stable version 6.47.3 no working Need help

The device was launched with 7.X out of the box, you can't go lower than that

sapphire112 · Sun Sep 13, 2020 6:43 pm

downgrade V7.1 beta2 impossible to downgrade Mikrotik chateau LTE12 stable version 6.47.3 no working Need help
The device was launched with 7.X out of the box, you can't go lower than that

thank
to select the external antenna the menu which I must select both div main! ::

Shizumi · Sun Sep 13, 2020 9:44 pm

I have an issue here with the 7.1 beta 2 on 3 hAp ac^2 devices. Had te return to the stable branch for wireless to become stable again.
On all devices i had serious stability issues.
He told that the same I am seeing: devices get stuck but otherwise connected on both interfaces.
Some time after last disable/enable cycle or reboot, any of the devices stop flowing through the wireless connection. If they are "clever" they migrate to the other, say wlan2. I often find after a few hours that all devices except one are in, say wlan1 and only one is in registration table at wlan2, but not working. disable/enable makes it work again, until it failed
It was not happening in 7.1beta1, it takes a few hours to happen, seems to be related with noise and distance, as it got better to me by:
* increasing the antenna gain in both interfaces (which also made for better signal overall and less warm router, BTW).
* changing a few other wireless settings.
Currently I have:
Code: Select all
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode antenna-gain=4 band=2ghz-onlyn channel-width=\
    20/40mhz-Ce country=spain disabled=no frequency=auto installation=indoor mode=ap-bridge ssid=MT \
    wireless-protocol=802.11 wmm-support=enabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode antenna-gain=5 band=5ghz-onlyac basic-rates-a/g=12Mbps \
    channel-width=20/40/80mhz-XXXX country=spain disabled=no frequency=auto installation=indoor mode=ap-bridge rate-set=configured \
    ssid=MT vht-supported-mcs=mcs0-9,mcs0-9,none wireless-protocol=802.11 wmm-support=enabled
and it happens less than with the default settings. Failing devices are mostly android, but also a windows and a linux laptop occassionally. I have set wireless debug in one of the phones and saw a message like NETWORK_UNAVAILABLE DHCP NOT RESPONDING=1 (I'm inventing the message but it was the idea). The router thought that the phone was happily connected, BTW, but it disappeared from registration table when I switched wifi off / on in the phone, only to return to the same when I forced to reconnect. After disable/enable of the wlanN interface everything works again... for a few hours.

Can confirm the DHCP issue on RB4011iGS+5HacQ2HnD-IN, though I've only had it happen with one laptop (AC 9560, Arch Linux: linux 5.8.7.arch1-1 networkmanager 1.26.2-1). I was initially reluctant to blame RouterOS since I do tinker with a lot of experimental stuff (and the network card allegedly sometimes has issues with BT, got a new BT mouse recently, etc.), and all other devices seemed to operate normally, but after finally spending a few hours troubleshooting this I have to assume it's the router. RouterOS log only shows the client connecting and disconnecting. Linux/networkmanager log shows a DHCP timeout, which will (by default) make it disconnect after 45s and try reconnecting again. I noticed a DHCP lease does exist for the MAC address.

It isn't very consistent though, 7.1b2 worked normally at first, then the issue would occasionally kill the connection, but would be successfully reestablished after a few reconnects. It gets worse over time, from 1-2 times per day to every few minutes, until DHCP would fail every single time (no clear indication why). All other devices I checked worked normally at the time. Router restart fixes the issue temporarily.
Everything worked fine with 7.0 (I think b5, pretty sure I didn't test out 7.0b7 onwards with the new kernel).

gzgenm · Mon Sep 14, 2020 12:48 am

Can't make ptp ospf work with mikrotik running 6.47

Chupaka · Mon Sep 14, 2020 10:22 pm

I have ospf working over L2TP and SSTP, but there's some (visual?) weirdness in /ip routes with dynamic routes...

Tue Sep 15, 2020 10:00 am

What kind of weirdness? Known issue is that ospf route can appear twice in routing table.

2be · Tue Sep 15, 2020 10:37 am

Hello guys,

Could you please tell me, how can I set gateway value to the specific interface for incoming BGP filter?

/routing/filter/rule/add action=accept chain=bgp_in set-in-nexthop-direct=gateway1

doesn't seem to work. Perhaps set-in-nexthop-direct isn't implemented yet in ROS 7?

Is there any workaround for this?

Chupaka · Tue Sep 15, 2020 3:56 pm

What kind of weirdness? Known issue is that ospf route can appear twice in routing table.

Exactly: viewtopic.php?p=812440#p812440

Fopwoc · Tue Sep 15, 2020 11:28 pm

my router was hacked on this beta version!

Ip of the malware from Hong Kong

Jotne · Tue Sep 15, 2020 11:31 pm

I guess you have opened the admin (web/winbox/ssh or other) from internet.
Do you use VPN or secure your ruter better.

Chupaka · Wed Sep 16, 2020 12:03 am

my router was hacked on this beta version!

Ip of the malware from Hong Kong

Any details?

4903000 · Thu Sep 17, 2020 4:56 am

Consider IPv6 NAT function please!
In my network enviroment I use 6in4 tunnel to access IPv6 resource ,It's just provide only one IPv6 address,so I need IPv6 NAT(ip6tables) to masquerade private IPv6 address.
Thanks!

spaxton · Thu Sep 17, 2020 10:26 am

Hello,

I didn't install this version but I would like to ask if there will be any FTTH GPON settings parameters in this version..? Means that if I insert a GPON L2 SFP like Huawei HPSP2120, will there be any settings in mikrotik to add like LOID, password, PON serial...?

Best Regards.

xayide · Fri Sep 18, 2020 4:26 pm

Can you get 1Gbps wireguard throughput on any of the mikrotik devices at this time?

Paternot · Fri Sep 18, 2020 7:33 pm

Can you get 1Gbps wireguard throughput on any of the mikrotik devices at this time?

They posted a print with one hAP AC2 doing 700 Mbps. Given the CPU used by the RB4011, with also 4 cores and much higher processing power, I'd say yes.

xayide · Fri Sep 18, 2020 9:18 pm

Thats a dream coming true. Getting away from the monster high frequency Intel Xeon (running openvpn at 700Mbps and now wireguard at 1Gbps, which is no problem) down to a single small router with poe and 1 gbps of protected internet....Just move all servers over to a tiny intel nuc to, if one can do with mikrotik I will not even need dual NIC or 2,5gbps to do full duplex firewalling at 1gbps. This is awesome!

sku · Sat Sep 19, 2020 11:35 am

They posted a print with one hAP AC2 doing 700 Mbps. Given the CPU used by the RB4011, with also 4 cores and much higher processing power, I'd say yes.

I just setup Wireguard on my hAP AC² to replace the IPSEC tunnel I had before and am seeing around ~ 230 Mbit/s with max overclocked CPU on it. Would be nice to squeeze out a little bit more. Here is the CPU load while it's running and I have fasttrack disabled.

Thanks to Mikrotik for Wireguard in the first place it's an amazing addition.

I can also confirm that 2,4 GHZ Wifi is broken and client's don't get dhcp on that one, 5 GHZ seems to work fine.

nostromog · Sun Sep 20, 2020 1:09 pm

I just setup Wireguard on my hAP AC²

(...)

I can also confirm that 2,4 GHZ Wifi is broken and client's don't get dhcp on that one, 5 GHZ seems to work fine.

For me it works... until it stops working. Then I do

/interface/wireless { disable wlan1; enable wlan1}

ant it works again... until it stops working again, in a few hours.