MikroTik RouterOS 6.38.x (Stable)

Материал из MikroTik Wiki
Перейти к навигации Перейти к поиску

Подробное описание изменений в MikroTik RouterOS 6.38.x (Stable). Официальный список исправленных ошибок, добавленного функционала и прочих доработок. Дата выхода первого набора изменений – 30 декабря 2016, дата выхода последнего набора изменений – 9 марта 2017.

Чек-лист по настройке MikroTik
Проверьте свою конфигурацию по 28-ми пунктам

MikroTik RouterOS 6.38

Дата выхода: 30 декабря 2016

Важные примечания:

  • RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE 802.1Q-2014 by sending and processing BPDU packets without VLAN tag.
  • To avoid STP/RSTP compatibility issues with older RouterOS versions, upgrade RouterOS to v6.38 on all routers in Layer2 networks with VLAN and STP/RSTP configurations.
  • The recommended procedure is to start by upgrading the remotest routers and gradually do it to the Root Bridge device.
  • If after upgrade you experience loss of connectivity, then disabling STP/RSTP on RouterOS bridge interface will restore connectivity so you can complete upgrade process on your network.


Важные изменения:

  • ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set xauth-use-radius=yes";
  • ipsec - added IKEv2 support;
  • ipsec - added IKEv2 EAP RADIUS passthrough authentication for responder;
  • ipsec - added support for unique policy generation;
  • ipsec - removed IKEv1 ah+esp support;
  • snmp - added basic get and walk functionality "/tool snmp-[get|walk]";
  • switch - added hardware STP functionality for CRS devices and small Atheros switch chips (http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Spanning_Tree_Protocol);
  • tr069-client - initial implementation (as separate package) (cli only);
  • winbox - Winbox 3.7 is the minimum version that can connect to RouterOS.


Изменения:

  • arp - added "local-proxy-arp" feature;
  • bonding - added "forced-mac-address" option;
  • bonding - fixed "tx-drop" on VLAN over bonding on x86;
  • bridge - fixed rare crash on bridge port removal;
  • bridge - fixed VLAN BPDU rx and tx when connected to non-RouterOS device with STP functionality;
  • bridge - require admin-mac to be specified if auto-mac is disabled;
  • bridge - show bridge port name in port monitor;
  • capsman - added "group-key-update" parameter;
  • capsman - added possibility to change arp, mtu, l2mtu values in datapath configuration;
  • capsman - fixed CAP upgrade when separate wireless package is used (introduced in 6.37);
  • capsman - use correct source address in reply to unicast discovery requests;
  • ccr - added AHCI driver for Samsung XP941 128GB AHCI M.2;
  • certificates - added support for PKCS#12 export;
  • certificates - allow import multiple certs with the same key;
  • certificates - fixed crash when crl is removed while it is being fetched;
  • certificates - fixed trust chain update on local certificate revocation in programs using ssl;
  • certificates - if no name provided create certificate name automatically from certificate fields;
  • console - fixed multi argument value unset;
  • crs - added comment ability in more switch menus;
  • crs - fixed rare kernel failure on switch reset (for example, reboot);
  • dhcp - fixed DNS server assignment to client if dynamic server exists and is from another IP family;
  • dhcp - fixed issue when dhcp-client was still possible on interfaces with "slave" flag and using slave interface MAC address;
  • dhcp - show dhcp server as invalid and log an error when interface becomes a slave;
  • dhcp-server - fixed when wizard was unable to create pool >dhcp_pool99;
  • discovery - added LLDP support;
  • discovery - removed 6to4 tunnels from "/ip neighbor discovery menu";
  • dns - added "max-concurrent-queries" and "max-concurrent-tcp-sessions" settings;
  • dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
  • ethernet - added "k" and "M" unit support to Ethernet Bandwidth setting;
  • ethernet - fixed "tx-fcs-error" on SFP+ interfaces when loop-protect is enabled;
  • export - do not show interface comment in "/ip neighbor discovery" menu;
  • export - updated default values to clean up export compact;
  • fastpath - fixed rare crash;
  • fastpath - fixed x86 bridge fast-path status shown as active even if it is manually disabled;
  • file - fixed file manager crash when file transfer gets cancelled;
  • firewall - added "creation-time" to address list entries;
  • firewall - added sctp/dccp/udp-lite support for "src-port", "dst-port", "port" and "to-ports" firewall options;
  • firewall - do not defragment packets which are marked with "notrack" in raw firewall;
  • firewall - fixed "time" option by recognizing weekday properly (introduced in v6.37.2);
  • firewall - fixed dynamic raw rule behaviour;
  • firewall - fixed rule activation if "time" option is used and no other active rules are present;
  • firewall - increased max size of connection tracking table to 1048576;
  • firewall - new faster "connection-limit" option implementation;
  • firewall - significantly improved large firewall rule set import performance;
  • graphing - fixed queue graphs showing up in web interface if aggregate name size >57840 symbols;
  • health - show power consumption on devices which has voltage and current monitor;
  • hotspot - fixed nat rule port setting in "hs-unauth-to" chain by changing it from "dst-port" to "src-port" on Walled Garden ip "return" rules;
  • interface - changed loopback interface mtu to 1500;
  • interface - do not treat multiple zeros as single zero on name comparison;
  • interface - show link stats in "/interface print stats-detail" output;
  • ipsec - added ability to specify static IP address at "send-dns" option;
  • ipsec - added ph2 accounting for each policy "/ip ipsec policy ph2-count";
  • ipsec - allow to specify explicit split dns address;
  • ipsec - changed logging topic from error to debug when empty pfkey messages are received;
  • ipsec - do not auto-negotiate more SAs than needed;
  • ipsec - ensure generated policy refers to valid proposal;
  • ipsec - fixed camellia crypto algorithm module loading;
  • ipsec - fixed IPv6 remote prefix;
  • ipsec - fixed kernel failure on tile with sha256 when hardware encryption is not being used;
  • ipsec - fixed peer configuration my-id IPv4 address endianness;
  • ipsec - fixed ph2 auto-negotiation by checking policies in correct order;
  • ipsec - load ipv6 related modules only when ipv6 package is enabled;
  • ipsec - make generated policies always as unique;
  • ipsec - non passive peers will also establish SAs from policy without waiting for the first packet;
  • ipsec - optimized logging under ipsec topic;
  • ipsec - show active flag when policy has active SA;
  • ipsec - show SA "enc-key-size";
  • ipsec - split "mode-config" and "send-dns" arguments;
  • ipv6 - added "no-dad" setting to ipv6 addresses;
  • ipv6 - fixed "accept-router-advertisements" behaviour;
  • ipv6 - moved empty IPv6 pool error message to error topic;
  • lcd - improved performance, causes less cpu load;
  • led - fixed dark mode for cAP 2nD (http://wiki.mikrotik.com/wiki/Manual:System/LEDS#Leds_Setting);
  • log - fixed "System rebooted because of kernel failure" message to show after 1st crash reboot;
  • lte - added support for more Vodafone K4201-Z, Novatel USB620L, PANTECH UML295 and ZTE MF90 modems;
  • lte - allow to execute concurrent info commands;
  • lte - fixed dwm-222, Pantech UML296 support;
  • lte - fixed init delay after power reset;
  • lte - increased delay when setting sms send mode;
  • lte - return info data when all the fields are populated;
  • metarouter - fixed startup process (introduced in 6.37.2);
  • mmips - fixed traffic accounting in "/interface" menu;
  • ospf - fixed route crash caused by memory corruption when there are multiple active interfaces;
  • ppp - fixed packet size calculation when MRRU is set (was 2 bytes bigger than MTU allows);
  • ppp - significantly improved shutdown speed on servers with many active tunnels;
  • ppp - significantly improved tunnel termination process on servers with many active tunnels;
  • profile - added "bfd" and "remote-access" processes;
  • profile - added ability to monitor cpu usage per core;
  • profile - make profile work on mmips devices;
  • profile - properly classify "wireless" processes;
  • queue - fixed "time" option by recognizing weekday properly (introduced in v6.37.2);
  • radius - added IPSec service (cli only);
  • rb750Gr3 - fixed ipsec with 3des+md5 to work on this board;
  • rb850Gx2 - fixed pcb temperature monitor if temperature was above 60C;
  • resolver - ignore cache entries if specific server is used;
  • routerboot - show log message if router CPU/RAM is overclocked;
  • script - increment run count value when script is executed from snmp;
  • snmp - always report bonding speed as speed from first bonding slave;
  • snmp - fixed rare crash when incorrectly formatted packet was received;
  • snmp - provide sinr in lte table;
  • ssh - added routing-table setting (cli only);
  • ssh - fixed lost "/ip ssh" settings on upgrade from version older than 5.15;
  • system - reboot device on critical program crash;
  • tile - fixed kernel failure when when IPv6 ICMP packet is sent through PPP interface;
  • time - updated time zones;
  • traceroute - fixed memory leak;
  • traffic-flow - fixed flow sequence counter and length;
  • trafficgen - fixed compact export when "header-stack" includes tcp;
  • trafficgen - fixed crash when IPv6 traffic is processed;
  • trafficgen - fixed potential crash when very big frame is generated;
  • trafficgen - improved fastpath support;
  • tunnel - fixed transmit packets occasionally not going through fastpath;
  • tunnel - properly export keepalive value;
  • usb - fixed kernel failure when Nexus 6P device is removed;
  • users - added minimal required permission set for full user group;
  • users - added TikApp policy;
  • vlan - allow to add multiple VLANs which name starts with same number and has same length;
  • vrrp - do not show unrelated log warning messages about version mismatch;
  • watchdog - do not send supout file if "auto-send-supout" is disabled;
  • webfig - added extra protection against XSS exploits;
  • webfig - show ipv6 addresses correctly;
  • webfig - show properly interface last-link-up/down times;
  • winbox - added "Complete" flag to arp table;
  • winbox - added "untracked" option to firewall "connection-state" setting;
  • winbox - added Dude icon to Dude menu;
  • winbox - allow to enable/disable traffic flow targets;
  • winbox - allow to run profile from "/system resources" menu;
  • winbox - allow to specify interface for leds with "interface-speed" trigger;
  • winbox - do not allow to set "loop-protect-send-interval" to 0s;
  • winbox - do not show hotspot user profile incoming and outgoing filters and marks as set if there is no value specified;
  • winbox - fixed crash when legacy Winbox version was used;
  • winbox - fixed default values for interface "loop-protect-disable-time" and "loop-protect-send-interval";
  • winbox - fixed missing "IPv6/Settings" menu;
  • winbox - fixed typo in "propagate-ttl" setting;
  • winbox - make cert signing include provided ca-crl-host;
  • winbox - moved ipsec peer "exchange-mode" to General tab;
  • winbox - properly show VHT basic and supported rates in CAPsMAN;
  • winbox - removed spare values from loop-protect menu;
  • winbox - show all related HT tab settings in 2GHz-g/n mode;
  • winbox - show primary and secondary ntp addresses as 0.0.0.0 if none are set;
  • winbox - show proper ipv6 connection timeout;
  • wireless - added API command to report country-list (/interface/wireless/info/country-list);
  • wireless - added CRL checking for eap-tls;
  • wireless - fixed action frame handling for WDS nodes;
  • wireless - fixed custom channel extension-channel appearance in console;
  • wireless - fixed full "spectral-history" header print on AP modes;
  • wireless - fixed rare kernel failure when connecting to nv2 access point with legacy rate select;
  • wireless - fixed upgrade from older wireless packages when AP interface had empty SSID;
  • wireless - take in account channel width when returning supported channels;
  • wireless - use VLAN ID 0 in RADIUS message to disable VLAN tagging.

MikroTik RouterOS 6.38.1

Дата выхода: 13 января 2017

Изменения:

  • bridge - disallow manual removal of dynamic bridge ports;
  • bridge - fixed MAC address learning from switch master-port;
  • bridge - fixed access loss to device through bridge if master port had a loop (introduced in v6.38);
  • certificate - added year cap (invalid-after date will not exceed year 2039);
  • certificate - fixed fail on import from CAPs when both key and name already exist;
  • dhcpv6-client - fixed DHCPv6 rebind on startup;
  • dhcpv6-server - fixed server removal crash if static binding was present;
  • dns - fixed typo in regexp error message;
  • dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=21&t=116356);
  • fan - improved RPM monitor on CCR1009;
  • firewall - nat action "netmap" now requires to-addresses to be specified;
  • health - report fan speed for RB800 and RB1100 when 3-pin fan is being used;
  • ike1 - fixed ph1 rekey in setups with mode-cfg;
  • ike2 - allow empty selectors to reach policy handler;
  • ike2 - auto-negotiate split nets;
  • ike2 - default to tunnel mode in setups without policy;
  • ike2 - fixed error packet from initiator on responder reply;
  • ike2 - fixed initiator TS updating;
  • ike2 - fixed ph1 initial-contact rare desync;
  • ike2 - fixed policy setting for /0 selector with different address families;
  • ike2 - fixed split policy active flag;
  • ike2 - fixed traffic selector prefix calculation;
  • ike2 - fixed xauth add check;
  • ike2 - include identity in peer address info;
  • ike2 - log empty TS payload;
  • ike2 - minor logging update;
  • ike2 - show peer identity of connected peers;
  • ike2 - traffic selector improvements;
  • ike2 - update also local port when peer changes port;
  • ike2 - use first split net for empty TS;
  • ike2 - use standard retransmission timers for DPD;
  • ike2 - xauth like auth method with user support;
  • ipsec - added ability to kill particular remote-peer;
  • ipsec - fixed flush speed and SAs on startup;
  • ipsec - fixed peer port export;
  • ipsec - port is used only for initiators;
  • ipv6 - added warning about having interface MTU less than minimal IPv6 packet fragment (1280);
  • license - fixed demo license expiration after installation on x86;
  • log - improved firewall log messages when NAT has changed only connection ports;
  • logs - work on false CPU/RAM overclocked alarms;
  • mpls - fixed crash on active tunnel loss in MPLS TE setups;
  • ovpn - fixed address acquisition when ovpn-in interface becomes slave;
  • proxy - fixed "max-cache-object-size" export;
  • proxy - speed-up almost empty disk cache clean-up;
  • quickset - various small changes;
  • rb751u - fixed ethernet LEDs (broken since 6.38rc16);
  • ssh - fixed high memory consumption when transferring file over ssh tunnel;
  • webfig - show properly large BGP AS numbers;
  • winbox - added "make-static" to IPv6 DHCP server bindings;
  • winbox - added "prefix-pool" to DHCPv6 server binding;
  • winbox - added IPsec to radius services;
  • winbox - added upstream flag to IGMP proxy interfaces;
  • winbox - allow to specify "connection-bytes" & "connection-rate" for any protocol in “/ip firewall” rules;
  • winbox - allow to specify "sip-timeout" under ip firewall service-ports;
  • winbox - do not create empty rates.vht-basic/supported-mcs if not specified in CAPsMAN;
  • winbox - hide "nat-traversal" setting in IPsec peer if IKEv2 is selected;
  • winbox - show dynamic IPv6 pools properly;
  • winbox - show errors on IPv6 addresses;
  • winbox - specify metric for “/ip dns cache-used” setting;
  • wireless - show comment on "security-profile" if it is set.

MikroTik RouterOS 6.38.2

Дата выхода: 17 января 2017

Релиз только для внутреннего использования компанией MikroTik.

MikroTik RouterOS 6.38.3

Дата выхода: 7 февраля 2017

Изменения:

  • bridge - do not add dynamic hardware STP ports if “master-port” is not capable of hardware STP;
  • bridge - fixed rare crash when hardware STP capable interface gets new “master-port” which already is in bridge;
  • bridge - fixed rare situation when port flapping occurs on bridge ports;
  • bridge - fixed STP/RSTP packet receive on all types of bridge ports;
  • bridge - minor improvements in performance when "master-port" is bridge port;
  • capsman - fixed SGI (Short Guard Interval) support;
  • dhcp - do not listen on IPv4/IPv6 client to IPv6 MLD packets;
  • dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=21&t=116356);
  • firewall - added "fasttrack" dummy rule to "/ip firewall raw" table;
  • firewall - do not show IPv4 “fastpath” as active if “route-cache” is disabled;
  • firewall - fixed import of exported configuration that had updated "limit" setting;
  • graphing - fixed graphing crash when high amount of traffic is processed;
  • hotspot - fixed rare kernel crash on multicore systems;
  • ike1 - fixed responder xauth trailing null;
  • leds - fixed defaults for RBSXT5HacD2nr2;
  • mmips - improved general stability;
  • rb3011 - fixed noise from buzzer after silent boot;
  • switch - fixed crash when trying to configure second master port on the same chipset (RB3011, RB2011, CCR1009-8G-1S+);
  • usb - added missing USB ethernet drivers to arm & tile architecture;
  • winbox - added "add-relay-info" and "relay-info-remote-id" to DHCP relay;
  • winbox - added H flag to "/ip arp" ;
  • winbox - added missing "use-fan2" and "active-fan2" to "/system health";
  • winbox - allow shorten bytes to k,M,G in bridge firewall just like in “/ip firewall”;
  • winbox - do not hide 00:00:00:00:00:00 MAC address in unpublished ARPs;
  • winbox - fixed matching "connection-state=untracked" connections;
  • winbox - fixed typo in “/system resources pci” list;
  • winbox - make "power-cycle-after" show correct value;
  • winbox - updated fan management menu;
  • wireless - added "station-roaming" setting;
  • wireless - update Thailand country frequency settings.

MikroTik RouterOS 6.38.4

Дата выхода: 8 марта 2017

Изменения:

  • chr - fixed problem when transmit speed was reduced by interface queues;
  • dhcpv6-server - require "address-pool" to be specified;
  • export - do not show "read-only" IRQ entries;
  • filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading;
  • firewall - do not allow to set "time" parameter to 0s for "limit" option;
  • hotspot - fixed redirect to URL where escape characters are used (requires newly generated HTML files);
  • hotspot - show Host table commentaries also in Active tab and vice versa;
  • ike1 - fixed “xauth” Radius login;
  • ike2 - also kill IKEv2 connections on proposal change;
  • ike2 - always limit empty remote selector;
  • ike2 - fixed proposal change crash;
  • ike2 - fixed responder subsequent new child creation when PFS is used;
  • ike2 - fixed responder TS updating on wild match;
  • ipsec - deducted policy SA src/dst address from src/dst address;
  • ipsec - do not require "sa-dst-address" if "action=none" or "action=discard";
  • ipsec - fixed SA address check in policy lookup;
  • ipsec - hide SA address for transport policies;
  • ipsec - keep policy in kernel even with bad proposal;
  • ipsec - kill ph2 on policy removal;
  • ipsec - updated/fixed Radius attributes;
  • irq - properly detect all IRQ entries;
  • l2tp-client - fixed IPSec policy generation after reboot;
  • l2tp-client - require working IPSec encryption if "use-ipsec=yes";
  • lcd - show fan2 speed only if it is available;
  • profile - classify ethernet driver activity properly in ARM architecture;
  • snmp - added SSID to CAPsMAN registration table;
  • snmp - fixed "/tool snmp-get" crash on session timeout;
  • snmp - fixed CAPsMAN registration table OID print;
  • snmp - fixed situation when SNMP could not read "/system health" values after reboot;
  • userman - allow access to User Manager users page only through "/user" URL;
  • userman - show warning when no users are selected for CSV file generation;
  • winbox - do not hide "power-cycle-after" option;
  • winbox - hide advertise tab in Hotspot user profile configuration if "transparent-proxy" is not enabled;
  • winbox - make "power-cycle-interval" not to depend on "power-cycle-ping-enabled" in PoE settings;
  • winbox - properly show BGP communities in routing filters table filter;
  • wireless - fixed scan tool stuck in background;
  • wireless - improved compatibility with Intel 2200BG wireless card.

MikroTik RouterOS 6.38.5

Дата выхода: 9 марта 2017

Важные изменения:

  • www - fixed http server vulnerability.
Чек-лист по настройке MikroTik
Проверьте свою конфигурацию по 28-ми пунктам