Mikrotik RouterOS 6.29 released

The FastTrack improvements are the headline change for those of you pushing a lot of NAT and connection-tracked traffic; the FREAK fix in SSL/TLS and the custom SSH DH primes are good reasons to upgrade even if you are not.

What’s new in 6.29 (2015-May-27 11:19):

*) ssh server – use custom generated DH primes when possible;
*) ipsec – allow to specify custom IP address for my_id parameter;
*) ovpn server – use subnet topology in ip mode if netmask is provided (makes android & ios clients work);
*) console – allow ‘-‘ characters in unknown command argument names;
*) snmp – fix rare bug when some OIDs were skipped;
*) ssh – added aes-ctr cipher support;
*) mesh – fixed kernel crash;
*) ipv4 fasttrack fastpath – accelerates connection tracking and nat for marked connections (more than 5x performance improvement compared to regular slow path conntrack/nat) – currently limited to TCP/UDP only;
*) added "fasttrack-connection" firewall action in filter/mangle tables for marking connections as fasttrack;
*) added fastpath support for bridge interfaces – packets received and transmitted on bridge interface can go fastpath (previously only bridge forwarded packets could go fastpath);
*) packets now can go half-fastpath – if input interface supports fastpath and packet gets forwarded in fastpath but output interface does not support fastpath or has interface queue other than only-hw-queue, packet gets converted to slow path only at the dst interface transmit time;
*) trafflow: add natted addrs/ports to ipv4 flow info;
*) queue tree: some queues would stop working after some configuration changes;
*) tilegx: enable autoneg for sfp ports in netinstall;
*) health – fix voltage on some RB4xx;
*) romon – fix 100% CPU usage;
*) romon – moved under tools menu in console;
*) email – store hostname for consistency;
*) vrrp – do not reset interface when no interesting config changes;
*) fixed async. ppp server;
*) sstp – fixed router lockup;
*) fixed CRS226 10G ports could lose link (introduced in 6.28);
*) fixed FREAK vulnerability in SSL & TLS;
*) improved support for new hEX lite;

What is airMAX Priority?

From UBNT:

airMAX Priority is a setting which can be changed on station devices in an airMAX network. This option can be found on the airMAX logo tab.

It defines the number of time slots (or amount of airtime) assigned to each client. By default the AP gives all active clients the same amount of time. However, if the clients are configured with different priorities, the AP will give clients more or less time, depending on the priority. For the best performance, an airMAX network whose clients have the best signals should receive the higher priorities, while clients with poorer signals should have less/no priority.

Note: airMAX Priority only functions when multiple clients have it enabled.

airMAX Priority options include:

– High: 4 time slots (4:1 ratio)
– Medium: 3 time slots (3:1 ratio)
– Low: 2 time slots (2:1 ratio)
– None: 1 time slot (default setting for clients; 1:1 ratio)

Clients with a higher priority have access to more of the AP’s airtime, providing higher possible throughput and lower latency when sharing with other active clients.

For example, if there are 3 clients, 1 set to None, 1 set to Medium, and 1 set to High, the None client will get 1 time slot, the Medium client will get 3 time slots, and the High client will get 4 time slots.

Protecting your Mikrotik from DNS Amplification

There are several reasons to run your Mikrotik as a caching DNS server. Queries from clients are answered a little faster, which makes the overall user experience feel snappier, and it lets you switch upstream DNS servers quickly in the event of an outage, attack, etc. The flip side is that a caching resolver which answers anyone on the Internet can be used as a reflector in DNS amplification attacks: an attacker sends small queries with the victim's spoofed source address and your router delivers the much larger responses to the victim.

There are two main avenues to think about when protecting the Mikrotik's DNS service from abuse.

The first is incoming port 53 requests to the router itself. Only your customers should be able to query the Mikrotik. In a simple scenario we have this:

[Figure: basic topology]

ether1 is our upstream ISP connection; customers are on the other ports. To drop all port 53 requests arriving from the outside world, we match on the WAN interface in the input chain:

/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop

This still allows the Mikrotik to send its own upstream DNS queries: those go out from an ephemeral (non-reserved) source port, so the replies come back to that port rather than to destination port 53 and the input rules never match them. The rules simply stop the router from answering port 53 requests that arrive on the external interface. Input-chain rules are evaluated in order, so make sure these drops sit above any broad accept rule for ether1, or they will never get a chance to match; you can confirm outside queries are actually being dropped by watching the packet counters with /ip firewall filter print stats.
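To check from the outside that the drop rules are doing their job, here is an added example (my own, not part of the original post and not a MikroTik tool): a small Python probe that sends a recursive query to the router's WAN address, the same packet an attacker would spoof, and reports whether the router answered, whether it recursed, and how much larger the response was than the query. The target address 203.0.113.1, the query name example.com and the sample packets used to exercise the parser offline are all assumptions constructed for this example.

```python
"""Open-resolver probe for a caching DNS server (added example, not from the original post).

Sends a recursive query to the router's WAN address the way an attacker's spoofed
packet would and reports whether the router answers, whether it recursed, and how
much larger the response is than the query (the amplification factor). Sample
packets are constructed inline so classify() can be exercised offline.
"""
import socket
import struct
import sys

RCODE_NOERROR, RCODE_REFUSED = 0, 5


def build_query(name, qid=0x1234, qtype=1):
    """Minimal DNS query: QR=0, RD=1 (recursion requested), one question of type A."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(data, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Pull out the header fields a resolver check needs and count answer records."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                # skip the question section
        off = _skip_name(data, off) + 4
    for _ in range(an):                # walk the answers so a truncated packet raises
        off = _skip_name(data, off)
        _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
    return {"id": qid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an, "size": len(data)}


def classify(query, response):
    """Turn a query/response pair into a verdict plus the response/query size ratio."""
    if response is None:
        return {"verdict": "no response", "amplification": 0.0, "answers": 0}
    info = parse_response(response)
    info["amplification"] = len(response) / len(query)
    qid = struct.unpack("!H", query[:2])[0]
    if info["id"] != qid or not info["qr"]:
        info["verdict"] = "unrelated packet"
    elif info["rcode"] == RCODE_REFUSED:
        info["verdict"] = "refused"
    elif info["ra"] and info["rcode"] == RCODE_NOERROR and info["answers"] > 0:
        info["verdict"] = "open resolver"
    else:
        info["verdict"] = "answered without recursion"
    return info


def probe(host, name="example.com", port=53, timeout=2.0):
    """Send one UDP query from this host to the router's WAN address and classify the reply."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (host, port))
        data, _addr = sock.recvfrom(4096)
    except socket.timeout:
        data = None                    # the input-chain drop rule produces exactly this
    finally:
        sock.close()
    return classify(query, data)


# Constructed sample packets (not captured traffic) so the logic runs offline.
SAMPLE_QUERY = build_query("example.com")
# Recursive answer: flags 0x8180 = QR|RD|RA, one A record whose name is a pointer to offset 12.
SAMPLE_OPEN_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                        + SAMPLE_QUERY[12:]
                        + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                        + bytes([192, 0, 2, 10]))
# REFUSED with no answers: what a resolver that rejects outside clients typically returns.
SAMPLE_REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + SAMPLE_QUERY[12:]

if __name__ == "__main__":
    # Usage: python dns_probe.py <router WAN IP>   (run from OUTSIDE the customer network)
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"   # placeholder WAN IP
    result = probe(target)
    print(f"{target}: {result['verdict']} (response/query size x{result['amplification']:.2f})")
```

Run it from a host outside the customer network: "no response" means the input rule dropped the query, "refused" means the router answered but would not recurse, and "open resolver" means it is still reflecting. The size ratio from a plain A lookup understates what an attacker gets, since real amplification attacks ask for types with large answers (ANY, DNSKEY, big TXT records), which is why the WAN side should drop these queries outright.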

In a later post we will talk about what to do if you have multiple WAN interfaces or multiple exit paths on your router (say, running OSPF), since each external interface needs the same treatment.

Upgrading ePMP GPS Firmware

Beginning with System Release 2.0, users can upgrade the firmware of the on-board GPS chip present on the Connectorized Radio with Sync.

To upgrade the on-board GPS chip on a Connectorized Radio with Sync:

1. Navigate to Monitor => GPS to check the GPS Firmware Version currently present on the radio.

2. If the GPS Firmware Version displays AXN_1.51_2801, navigate to Tools => Software Upgrade.

3. Under the GPS Firmware upgrade section, select the same package used to upgrade the device's firmware, e.g. ePMP-GPS_Synced-v2.4.2.tar.gz.

4. Click Upgrade.

5. The upgrade can take up to 3 minutes. Once it is done, the radio's UI prompts for a reboot and the Reboot button is highlighted.

6. Click the Reboot button in the top right corner of the UI.

7. Once the radio has completed its reboot, return to Monitor => GPS and check that the GPS firmware version has changed.