Mikrotik Releases 6.42

From Mikrotik

We have released new RouterOS versions in current channel.

To upgrade, click “Check for updates” at “System/Package” in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

What’s new in 6.42 (2018-Apr-13 11:03):

!) tile – improved system performance and stability (“/system routerboard upgrade” required);
!) w60g – increased distance for wAP 60G to 200+ meters;
*) bridge – added host aging timer for CRS3xx and Atheros hw-bridges;
*) bridge – added per-port forwarding options for broadcasts, unknown-multicasts and unknown-unicasts;
*) bridge – added per-port learning options;
*) bridge – added support for static hosts;
*) bridge – fixed “master-port” configuration conversion from pre-v6.41 RouterOS versions;
*) bridge – fixed bridge port interface parameter under “/interface bridge host print detail”;
*) bridge – fixed false MAC address learning on hAP ac^2 and cAP ac devices;
*) bridge – fixed incorrect “fast-forward” enabling when ports were switched;
*) bridge – fixed MAC learning for VRRP interfaces on bridge;
*) bridge – fixed reliability on software bridges when used on devices without switch chip;
*) bridge – hide options for disabled bridge features in CLI;
*) bridge – show “hw” flags only on Ethernet interfaces and interface lists;
*) capsman – added “allow-signal-out-of-range” option for Access List entries;
*) capsman – added support for “interface-list” in Access List and Datapath entries;
*) capsman – improved CAPsMAN responsiveness with large amount of CAP interfaces;
*) capsman – log “signal-strength” when successfully connected to AP;
*) certificate – added PKCS#10 version check;
*) certificate – dropped DES support and added AES instead for SCEP;
*) certificate – dropped MD5 support and require SHA1 as minimum for SCEP;
*) certificate – fixed incorrect SCEP URL after an upgrade;
*) chr – added “open-vm-tools” on VMware installations;
*) chr – added “qemu-guest-agent” and “virtio-scsi” driver on KVM installations;
*) chr – added “xe-daemon” on Xen installations;
*) chr – added support for Amazon Elastic Network Adapter (ENA) driver;
*) chr – added support for booting from NVMe disks;
*) chr – added support for Hyper-V ballooning, guest quiescing, host-guest file transfer, integration services and static IP injection;
*) chr – added support for NIC hot-plug on VMware and Xen installations;
*) chr – fixed additional disk detaching on Xen installations;
*) chr – fixed interface matching by name on VMware installations;
*) chr – fixed interface naming order when adding more than 4 interfaces on VMware installations;
*) chr – fixed suspend on Xen installations;
*) chr – make additional disks visible under “/disk” on Xen installations;
*) chr – make Virtio disks visible under “/disk” on KVM installations;
*) chr – run startup scripts on the first boot on AWS and Google Cloud installations;
*) console – fixed “idpr-cmtp” protocol by changing its value from 39 to 38;
*) console – improved console stability after it has not been used for a long time;
*) crs1xx/2xx – added BPDU value for “ingress-vlan-translation” menu “protocol” option;
*) crs212 – fixed Ethernet boot when connected to boot server through CRS326 device;
*) crs326 – fixed known multicast flooding to the CPU;
*) crs3xx – added switch port “storm-rate” limiting options;
*) crs3xx – added “hw-offload” support for 802.3ad and “balance-xor” bonding;
*) detnet – fixed “detect-internet” feature unavailability if router had too long identity (introduced in v6.41);
*) dhcp – improved DHCP service reliability when it is configured on bridge interface;
*) dhcp – reduced resource usage of DHCP services;
*) dhcpv4-server – added “dns-none” option to “/ip dhcp-server network dns”;
*) dhcpv6 – make sure that time is set before restoring bindings;
*) dhcpv6-client – added info exchange support;
*) dhcpv6-client – added possibility to specify options;
*) dhcpv6-client – added support for options 15 and 16;
*) dhcpv6-client – implement confirm after reboot;
*) dhcpv6-server – added DHCPv4 style user options;
*) dns – do not generate “Undo” messages on changes to dynamic servers;
*) email – set maximum number of sessions to 100;
*) fetch – added “http-content-type” option to allow setting MIME type of the data in free text form;
*) fetch – added “output” option for all modes in order to return result to file, variable or ignore it;
*) fetch – increased maximum number of sessions to 100;
*) filesystem – implemented additional system storage maintenance checks on ARM CPU based devices;
*) flashfig – properly apply configuration provided by Flashfig;
*) gps – improved NMEA sentence handling;
*) health – added log warning when switching between redundant power supplies;
*) health – fixed empty measurements on CRS328-24P-4S+RM;
*) hotspot – improved HTTPS matching in Walled Garden rules;
*) ike1 – display error message when peer requests “mode-config” when it is not configured;
*) ike1 – do not accept “mode-config” reply more than once;
*) ike1 – fixed wildcard policy lookup on responder;
*) ike2 – fixed framed IP address received from RADIUS server;
*) interface – improved interface configuration responsiveness;
*) ippool – added ability to specify comment;
*) ippool6 – added pool name to “no more addresses left” error message;
*) ipsec – fixed AES-CTR and AES-GCM support on RB1200;
*) ipsec – improved single tunnel hardware acceleration performance on MMIPS devices;
*) ipsec – properly detect interface for “mode-config” client IP address assignment;
*) ipv6 – fixed IPv6 behaviour when bridge port leaves bridge;
*) ipv6 – update IPv6 DNS from RA only when it is changed;
*) kidcontrol – initial work on “/ip kid-control” feature;
*) led – added “Dark Mode” support for wAP 60G;
*) led – added w60g alignment trigger;
*) led – fixed unused “link-act-led” LED trigger on RBLHG 2nD, RBLHG 2nD-XL and RBSXTsq 2nD;
*) led – removed unused “link-act-led” trigger for devices which do not use it;
*) lte – added initial support for Quectel LTE EP06-E;
*) lte – added initial support for SIM7600 LTE modem interface;
*) lte – added support for the user and password authentication for wAP-LTE-kit-US (R11e-LTE-US);
*) lte – do not add DHCP client on LTE modems that don’t use DHCP;
*) lte – fixed DHCP client adding for MF823 modem;
*) lte – fixed LTE band setting for SXT LTE;
*) mac-ping – fixed duplicate responses;
*) modem – added initial support for AC340U;
*) netinstall – fixed MMIPS RouterOS package description;
*) netinstall – sign Netinstall executable with an Extended Validation Code Signing Certificate;
*) netwatch – limit to read, write, test and reboot policies for Netwatch script execution;
*) poe – do not show “poe-out-current” on devices which can not determine it;
*) poe – hide PoE related properties on interfaces that do not provide power output;
*) ppp – added initial support for NETGEAR AC340U and ZyXEL WAH1604;
*) ppp – allow to override remote user PPP profile via “Mikrotik-Group”;
*) quickset – fixed NAT if PPPoE client is used for Internet access;
*) quickset – properly detect IP address when one of the bridge modes is used;
*) quickset – properly detect LTE interface on startup;
*) quickset – show “G” flag for guest users;
*) quickset – use “/24” subnet for local network by default;
*) r11e-lte – improved LTE connection initialization process;
*) rb1100ahx4 – improved reliability on hardware encryption;
*) routerboard – added RouterBOOT “auto-upgrade” after RouterOS upgrade (extra reboot required);
*) routerboard – properly detect hAP ac^2 RAM size;
*) sniffer – fixed “/tool sniffer packet” results listed in incorrect order;
*) snmp – added “/caps-man interface print oid”;
*) snmp – added “/interface w60g print oid”;
*) snmp – added “board-name” OID;
*) snmp – improved request processing performance for wireless and CAP interfaces;
*) ssh – fixed SSH service becoming unavailable;
*) ssh – generate SSH keys only on the first connect attempt instead of the first boot;
*) ssh – improved key import error messages;
*) ssh – remove imported public SSH keys when their owner user is removed;
*) switch – hide “ingress-rate” and “egress-rate” for non-CRS3xx switches;
*) tile – added “aes-ctr” hardware acceleration support;
*) tr069-client – added “DownloadDiagnostics” and “UploadDiagnostics”;
*) tr069-client – correctly return “TransferComplete” after vendor configuration file transfer;
*) tr069-client – fixed “/tool fetch” commands executed with “.alter” script;
*) tr069-client – fixed HTTPS authentication process;
*) traffic-flow – fixed IPv6 destination address value when IPFIX protocol is used;
*) upgrade – improved RouterOS upgrade process and restrict upgrade from RouterOS older than v5.16;
*) ups – improved communication between router and UPS;
*) ups – improved disconnect message handling between RouterOS and UPS;
*) userman – added support for ARM and MMIPS platform;
*) w60g – added “tx-power” setting (CLI only);
*) w60g – added RSSI information (CLI only);
*) w60g – added TX sector alignment information (CLI only);
*) watchdog – retry to send “autosupout.rif” file to an e-mail if initial delivery failed up to 3 times within 20 second interval;
*) winbox – added “antenna” setting under GPS settings for MIPS platform devices;
*) winbox – added “crl-store” setting to certificate settings;
*) winbox – added “insert-queue-before” to DHCP server;
*) winbox – added “use-dn” setting in OSPF instance General menu;
*) winbox – added 160 MHz “channel-width” to wireless settings;
*) winbox – added DHCPv6 client info request type and updated statuses;
*) winbox – added missing protocol numbers to IPv4 and IPv6 firewall;
*) winbox – added possibility to delete SMS from inbox;
*) winbox – allow to comment new object without committing it;
*) winbox – allow to open bridge host entry;
*) winbox – fixed name for “out-bridge-list” parameter under bridge firewall rules;
*) winbox – fixed typo from “UPtime” to “Uptime”;
*) winbox – fixed Winbox closing when viewing graph which does not contain any data;
*) winbox – improved stability when using trackpad scrolling in large lists;
*) winbox – made UDP local and remote TX size parameters optional in Bandwidth Test tool;
*) winbox – moved “ageing-time” setting from STP to General tab;
*) winbox – moved OSPF instance “routing-table” setting in OSPF instance General menu;
*) winbox – removed “VLAN” section from “Switch” menu for CRS3xx devices;
*) winbox – show Bridge Port PVID column by default;
*) winbox – show CQI in LTE info;
*) winbox – show dual SIM options only for RouterBOARDs which have two SIM slots;
*) winbox – show only master CAP interfaces under CAPsMAN wireless scan tool;
*) winbox – use proper graph name for HDD graphs;
*) wireless – added “realm-raw” setting for “/interface wireless interworking-profiles” (CLI only);
*) wireless – added initial support for “nstreme-plus”;
*) wireless – added support for “band=5ghz-n/ac”;
*) wireless – added support for “interface-list” for Access List entries;
*) wireless – added support for legacy AR9485 chipset;
*) wireless – enable all chains by default on devices without external antennas after configuration reset;
*) wireless – fixed “wds-slave” channel selection when single frequency is specified;
*) wireless – fixed incompatibility with macOS clients;
*) wireless – fixed long “scan-list” entries not working for ARM based wireless interfaces;
*) wireless – fixed nv2 protocol on ARM platform SXTsq devices;
*) wireless – fixed RB911-5HnD low transmit power issue;
*) wireless – fixed RTS/CTS option for the ARM based wireless devices;
*) wireless – fixed wsAP wrong 5 GHz interface MAC address;
*) wireless – improved compatibility with specific wireless AC standard clients;
*) wireless – improved Nv2 PtMP performance;
*) wireless – improved packet processing on ARM platform devices;
*) wireless – improved wireless performance on hAP ac^2 devices while USB is being used;
*) wireless – improved wireless scan functionality;

LetsEncrypt and Mikrotik

Recently there has been some activity on integrating Let’s Encrypt with Mikrotik. While Mikrotik does not directly support Let’s Encrypt yet, you can make it work with this setup:

https://github.com/gitpel/letsencrypt-routeros

From the GitHub Page:

How it works:

  • A dedicated Linux host renews and pushes certificates to RouterOS / Mikrotik
  • After CertBot renews your certificates:
  • The script connects to RouterOS / Mikrotik using a DSA key (without password or user input)
  • Deletes previous certificate files
  • Deletes the previous certificate
  • Uploads two new files: certificate and key
  • Imports certificate and key
  • Changes SSTP server settings to use the new certificate
  • Deletes certificate and key files from RouterOS / Mikrotik storage

While not perfect, it is a start.
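The sequence above, as an added shell script that is not the gitpel project’s code: it copies certbot’s leaf certificate and key to the router over key-based SSH, imports them, points the SSTP server at the new certificate and removes the PEM files from router storage. The router address, the dedicated “certpush” user, its key path and the domain are hypothetical values; the RouterOS-side commands are built in one function so the exact sequence can be reviewed before anything runs.

```shell
#!/bin/sh
# Added example (not the gitpel/letsencrypt-routeros script): push a renewed
# Let's Encrypt certificate to RouterOS, import it and clean up afterwards.
# Hypothetical values: router address, dedicated "certpush" user, key, domain.
ROUTER="${ROUTER:-192.0.2.1}"
ROUTER_USER="${ROUTER_USER:-certpush}"
KEY="${KEY:-$HOME/.ssh/routeros_certpush}"
DOMAIN="${DOMAIN:-vpn.example.com}"
LIVE="/etc/letsencrypt/live/$DOMAIN"

# RouterOS command sequence, one command per line. $1 is the base name used
# for the uploaded files and matched against the certificate name on the
# router (RouterOS names an imported "le.cer" along the lines of "le.cer_0").
ros_replace_cert() {
  n="$1"
  printf '%s\n' \
    "/certificate remove [find name~\"^$n\"]" \
    "/certificate import file-name=$n.cer passphrase=\"\"" \
    "/certificate import file-name=$n.key passphrase=\"\"" \
    "/interface sstp-server server set certificate=[/certificate get [find name~\"^$n\"] name]" \
    "/file remove [find name=\"$n.cer\"]" \
    "/file remove [find name=\"$n.key\"]"
}

# Upload the leaf certificate (cert.pem, so a single certificate entry is
# created) and the key, then run the sequence one command per SSH exec.
# BatchMode makes ssh/scp fail instead of prompting, so a cron run cannot hang.
push_cert() {
  n="$1"
  SSH="ssh -i $KEY -o BatchMode=yes -o StrictHostKeyChecking=yes"   # split on purpose
  scp -i "$KEY" -o BatchMode=yes "$LIVE/cert.pem"    "$ROUTER_USER@$ROUTER:$n.cer" || return 1
  scp -i "$KEY" -o BatchMode=yes "$LIVE/privkey.pem" "$ROUTER_USER@$ROUTER:$n.key" || return 1
  ros_replace_cert "$n" | while IFS= read -r cmd; do
    $SSH "$ROUTER_USER@$ROUTER" "$cmd" || exit 1   # stop at the first failed command
  done
}

# Only act when invoked as "script.sh push [name]", so sourcing it has no side effects.
if [ "${1:-}" = "push" ]; then
  push_cert "${2:-le}"
fi
```

Give the job its own router user whose group carries only the policies it needs (ssh to log in, ftp for scp, read and write for the certificate and SSTP changes) and import its public key with /user ssh-keys import, so the renewal host never holds an admin credential.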

It’s days like this…

Today a major vulnerability was released to the public by a well-known vendor. All of our consulting customers have been notified of this critical update. Those whose networks we manage already have a mitigation plan in place and a course of action.

If you are not a regular customer, ask us how. For as little as $50 a month you can be notified of critical updates for your infrastructure. With all of the information out there, having a customized notification service for your ISP means you can spend more time making money instead of worrying about your network. Contact us today for details on this service.

Mikrotik changes their firmware version numbering

While troubleshooting an issue this morning I went to upgrade the RouterBOARD firmware on a CCR after bringing it up to 6.42. The upgrade-firmware version now appears to match the RouterOS version.

/system routerboard print
routerboard: yes
model: CCR1016-12S-1S+
firmware-type: tilegx
factory-firmware: 3.22
current-firmware: 3.41
upgrade-firmware: 6.42

Now, if Mikrotik would just provide release notes for the RouterBOARD firmware in a handy place.

Helpful Tool: WiFi Texas WS-PoE-Tester

The WS-PoE-Tester reports voltage and current for PoE systems. It works with 802.3af, 802.3at and passive PoE.

Dual displays show the voltage and current on each set of power pairs (Mode A and Mode B) used in PoE. In 802.3at both power pairs should be active, and both will be displayed.

The tester is protected against reversed power, with a warning LED that lights if reversed power is applied. Dual inputs allow use with straight or crossover Ethernet connections (568A or 568B).

In addition, a power supply brick can be tested using the 2.1mm DC power connectors. This allows DC power supplies for laptops, printers or any other application to be tested.

Available at:
https://www.ispsupplies.com/Voltage-and-Current-tester-for-PoE

MTIN announces updated Indianapolis bandwidth pricing

MTIN would like to announce updated bandwidth pricing for connectivity at the following locations in Indianapolis, Indiana:
733 West Henry Street
401 North Shadeland
701 West Henry*
731 West Henry*

Single Carrier Bandwidth
as low as $.17 per meg

Blended BGP
Multi-carrier blend + CDNS + IX routes
As low as $.25 per meg

-Commit Levels as low as 50 megs
-95th percentile billing available
-Cross-connects as low as $50 per month
-Bandwidth options include Cogent, Hurricane Electric, MidWest-IX, and many others

*extended cross-connect fees may apply to these locations

IPv6 Firewall rules for Mikrotik

Some basic IPv6 firewall rules for Mikrotik. Replace in-interface=ether1-wan in the rules with the name of your WAN-facing interface.

/ipv6 firewall filter
add chain=input protocol=icmpv6 comment="ICMPv6 is needed for neighbor discovery, RA and PMTUD"
add chain=input connection-state=established,related comment="replies to connections the router started"
add chain=input dst-port=546 in-interface=ether1-wan protocol=udp src-port=547 comment="DHCPv6 replies from the upstream server"
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-wan comment="drop all other new connections from WAN to the router"
add chain=forward protocol=icmpv6
add chain=forward connection-state=established,related
add chain=forward connection-state=new in-interface=!ether1-wan comment="allow connections originated from the LAN side"
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=ether1-wan comment="drop unsolicited inbound connections to LAN hosts"

Mikrotik and two unique subnets across an IPsec tunnel

Recently we had an issue with an IPsec tunnel on Mikrotik passing multiple subnets across a tunnel with multiple policies. Packet forwarding and encryption only worked for one destination (the first matched IPsec policy); the other subnet, covered by the second policy, did not work. In our case we had two subnets, 192.168.115.0/24 and 192.168.116.0/24, going across the tunnel. We could reach things on 116, but not 115. The following blog post was the fix for our issue.

Mikrotik IPSec VPNs with multiple destination Networks/Policies and SA(s) management.

Once the IPsec policy “level” was set to “unique”, everything worked.