MikroTik RouterOS 6.45.x (Stable)

Материал из MikroTik Wiki
Перейти к навигации Перейти к поиску

Подробное описание изменений в MikroTik RouterOS 6.45.x (Stable). Официальный список исправленных ошибок, добавленного функционала и прочих доработок. Дата выхода первого набора изменений – 21 июня 2019, дата выхода последнего набора изменений – 24 октября 2019.

Чек-лист по настройке MikroTik
Проверьте свою конфигурацию по 28-ми пунктам

MikroTik RouterOS 6.45

Дата выхода: 21 июня 2019

Релиз только для внутреннего использования компанией MikroTik.

MikroTik RouterOS 6.45.1

Дата выхода: 27 июня 2019

Важные примечания:

  • Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.
  • Old API authentication method will also no longer work, see documentation for new login procedure: https://wiki.mikrotik.com/wiki/Manual:API#Initial_login


Важные изменения:

  • dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
  • ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
  • security - fixed vulnerabilities CVE-2019-13954, CVE-2019-13955;
  • security - fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479;
  • security - fixed vulnerability CVE-2019-13074;
  • user - removed insecure password storage.


Изменения:

  • bridge - correctly display bridge FastPath status when vlan-filtering or dhcp-snooping is used;
  • bridge - correctly handle bridge host table;
  • bridge - fixed log message when hardware offloading is being enabled;
  • bridge - improved stability when receiving traffic over USB modem with bridge firewall enabled;
  • capsman - fixed CAP system upgrading process for MMIPS;
  • capsman - fixed interface-list usage in access list;
  • ccr - improved packet processing after overloading interface;
  • certificate - added "key-type" field;
  • certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1);
  • certificate - fixed self signed CA certificate handling by SCEP client;
  • certificate - made RAM the default CRL storage location;
  • certificate - removed DSA (D) flag;
  • certificate - removed "set-ca-passphrase" parameter;
  • chr - legacy adapters require "disable-running-check=yes" to be set;
  • cloud - added "replace" parameter for backup "upload-file" command;
  • conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
  • conntrack - significant stability and performance improvements;
  • crs317 - fixed known multicast flooding to the CPU;
  • crs3xx - added ethernet tx-drop counter;
  • crs3xx - correctly display auto-negotiation information for SFP/SFP+ interfaces in 1Gbps rate;
  • crs3xx - fixed auto negotiation when 2-pair twisted cable is used (downshift feature);
  • crs3xx - fixed "tx-drop" counter;
  • crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305;
  • defconf - added "custom-script" field that prints custom configuration installed by Netinstall;
  • defconf - automatically set "installation" parameter for outdoor devices;
  • defconf - changed default configuration type to AP for cAP series devices;
  • defconf - fixed channel width selection for RU locked devices;
  • dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
  • dhcp - do not require lease and binding to have the same configuration for dual-stack queues;
  • dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues;
  • dhcpv4-server - added "client-mac-limit" parameter;
  • dhcpv4-server - added IP conflict logging;
  • dhcpv4-server - added RADIUS accounting support with queue based statistics;
  • dhcpv4-server - added "vendor-class-id" matcher (CLI only);
  • dhcpv4-server - improved stability when performing "check-status" command;
  • dhcpv4-server - replaced "busy" lease status with "conflict" and "declined";
  • dhcpv6-client - added option to disable rapid-commit;
  • dhcpv6-client - fixed status update when leaving "bound" state;
  • dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time";
  • dhcpv6-server - added "address-list" support for bindings;
  • dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters;
  • dhcpv6-server - added RADIUS accounting support with queue based statistics;
  • dhcpv6-server - added "route-distance" parameter;
  • dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server;
  • dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS;
  • discovery - correctly create neighbors from VLAN tagged discovery messages;
  • discovery - fixed CDP packets not including address on slave ports (introduced in v6.44);
  • discovery - improved neighbour's MAC address detection;
  • discovery - limit max neighbour count per interface based on total RAM memory;
  • discovery - show neighbors on actual mesh ports;
  • e-mail - include "message-id" identification field in e-mail header;
  • e-mail - properly release e-mail sending session if the server's domain name can not be resolved;
  • ethernet - added support for 25Gbps and 40Gbps rates;
  • ethernet - fixed running (R) flag not present on x86 interfaces and CHR legacy adapters;
  • ethernet - increased loop warning threshold to 5 packets per second;
  • fetch - added SFTP support;
  • fetch - improved user policy lookup;
  • firewall - fixed fragmented packet processing when only RAW firewall is configured;
  • firewall - process packets by firewall when accepted by RAW with disabled connection tracking;
  • gps - fixed missing minus close to zero coordinates in dd format;
  • gps - make sure "direction" parameter is upper case;
  • gps - strip unnecessary trailing characters from "longtitude" and "latitude" values;
  • gps - use "serial0" as default port on LtAP mini;
  • hotspot - added "interface-mac" variable to HTML pages;
  • hotspot - moved "title" HTML tag after "meta" tags;
  • ike1 - adjusted debug packet logging topics;
  • ike2 - added support for ECDSA certificate authentication (rfc4754);
  • ike2 - added support for IKE SA rekeying for initiator;
  • ike2 - do not send "User-Name" attribute to RADIUS server if not provided;
  • ike2 - improved certificate verification when multiple CA certificates received from responder;
  • ike2 - improved child SA rekeying process;
  • ike2 - improved XAuth identity conversion on upgrade;
  • ike2 - prefer SAN instead of DN from certificate for ID payload;
  • ippool - improved logging for IPv6 Pool when prefix is already in use;
  • ipsec - added dynamic comment field for "active-peers" menu inherited from identity;
  • ipsec - added "ph2-total" counter to "active-peers" menu;
  • ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
  • ipsec - added traffic statistics to "active-peers" menu;
  • ipsec - disallow setting "src-address" and "dst-address" for transport mode policies;
  • ipsec - do not allow adding identity to a dynamic peer;
  • ipsec - fixed policies becoming invalid after changing priority;
  • ipsec - general improvements in policy handling;
  • ipsec - properly drop already established tunnel when address change detected;
  • ipsec - renamed "remote-peers" to "active-peers";
  • ipsec - renamed "rsa-signature" authentication method to "digital-signature";
  • ipsec - replaced policy SA address parameters with peer setting;
  • ipsec - use tunnel name for dynamic IPsec peer name;
  • ipv6 - improved system stability when receiving bogus packets;
  • ltap - renamed SIM slots "up" and "down" to "2" and "3";
  • lte - added initial support for Vodafone R216-Z;
  • lte - added passthrough interface subnet selection;
  • lte - added support for manual operator selection;
  • lte - allow setting empty APN;
  • lte - allow to specify URL for firmware upgrade "firmware-file" parameter;
  • lte - do not show error message for info commands that are not supported;
  • lte - fixed session reactivation on R11e-LTE in UMTS mode;
  • lte - improved firmware upgrade process;
  • lte - improved "info" command query;
  • lte - improved R11e-4G modem operation;
  • lte - renamed firmware upgrade "path" command to "firmware-file" (CLI only);
  • lte - show alphanumeric value for operator info;
  • lte - show correct firmware revision after firmware upgrade;
  • lte - use default APN name "internet" when not provided;
  • lte - use secondary DNS for DNS server configuration;
  • m33g - added support for additional Serial Console port on GPIO headers;
  • ospf - added support for link scope opaque LSAs (Type 9) for OSPFv2;
  • ospf - fixed opaque LSA type checking in OSPFv2;
  • ospf - improved "unknown" LSA handling in OSPFv3;
  • ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066);
  • ppp - added initial support for Quectel BG96;
  • proxy - increased minimal free RAM that can not be used for proxy services;
  • rb3011 - improved system stability when receiving bogus packets;
  • rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);
  • rb921 - improved system stability ("/system routerboard upgrade" required);
  • routerboard - renamed 'sim' menu to 'modem';
  • sfp - fixed S-35LC20D transceiver DDMI readouts after reboot;
  • sms - added USSD message functionality under "/tool sms" (CLI only);
  • sms - allow specifying multiple "allowed-number" values;
  • sms - improved delivery report logging;
  • snmp - added "dot1dStpPortTable" OID;
  • snmp - added OID for neighbor "interface";
  • snmp - added "write-access" column to community print;
  • snmp - allow setting interface "adminStatus";
  • snmp - fixed "send-trap" not working when "trap-generators" does not contain "temp-exception";
  • snmp - fixed "send-trap" with multiple "trap-targets";
  • snmp - improved reliability on SNMP service packet validation;
  • snmp - properly return multicast and broadcast packet counters for IF-MIB OIDs;
  • ssh - accept remote forwarding requests with empty hostnames;
  • ssh - added new "ssh-exec" command for non-interactive command execution;
  • ssh - fixed non-interactive multiple command execution;
  • ssh - improved remote forwarding handling (introduced in v6.44.3);
  • ssh - improved session rekeying process on exchanged data size threshold;
  • ssh - keep host keys when resetting configuration with "keep-users=yes";
  • ssh - use correct user when "output-to-file" parameter is used;
  • sstp - improved stability when received traffic hits tarpit firewall;
  • supout - added IPv6 ND section to supout file;
  • supout - added "kid-control devices" section to supout file;
  • supout - added "pwr-line" section to supout file;
  • supout - changed IPv6 pool section to output detailed print;
  • switch - properly reapply settings after switch chip reset;
  • tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only);
  • tile - improved link fault detection on SFP+ ports;
  • tr069-client - added LTE CQI and IMSI parameter support;
  • tr069-client - fixed potential memory corruption;
  • tr069-client - improved error reporting with incorrect firware upgrade XML file;
  • traceroute - improved stability when sending large ping amounts;
  • traffic-generator - improved stability when stopping traffic generator;
  • tunnel - removed "local-address" requirement when "ipsec-secret" is used;
  • userman - added support for "Delegated-IPv6-Pool" and "DNS-Server-IPv6-Address" (CLI only);
  • w60g - do not show unused "dmg" parameter;
  • w60g - prefer AP with strongest signal when multiple APs with same SSID present;
  • w60g - show running frequency under "monitor" command;
  • winbox - added "System/SwOS" menu for all dual-boot devices;
  • winbox - do not allow setting "dns-lookup-interval" to "0";
  • winbox - show "LCD" menu only on boards that have LCD screen;
  • wireless - fixed frequency duplication in the frequency selection menu;
  • wireless - fixed incorrect IP header for RADIUS accounting packet;
  • wireless - improved 160MHz channel width stability on rb4011;
  • wireless - improved DFS radar detection when using non-ETSI regulated country;
  • wireless - improved installation mode selection for wireless outdoor equipment;
  • wireless - set default SSID and supplicant-identity the same as router's identity;
  • wireless - updated "china" regulatory domain information;
  • wireless - updated "new zealand" regulatory domain information;
  • www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473).

MikroTik RouterOS 6.45.2

Дата выхода: 17 июля 2019

Важные примечания:

  • Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.
  • Old API authentication method will also no longer work, see documentation for new login procedure: https://wiki.mikrotik.com/wiki/Manual:API#Initial_login


Изменения:

  • bonding - fixed bonding running status after reboot when using other bonds as slave interfaces (introduced in v6.45);
  • cloud - properly stop "time-zone-autodetect" after disable;
  • interface - fixed missing PWR-LINE section on PL7411-2nD and PL6411-2nD (introduced v6.44);
  • ipsec - added "connection-mark" parameter for mode-config initiator;
  • ipsec - allow peer argument only for "encrypt" policies (introduced in v6.45);
  • ipsec - fixed peer configuration migration from versions older than v6.43 (introduced in v6.45);
  • ipsec - improved stability for peer initialization (introduced in v6.45);
  • ipsec - show warning for policies with "unknown" peer;
  • ospf - fixed possible busy loop condition when accessing OSPF LSAs;
  • profile - added "internet-detect" process classificator;
  • radius - fixed "User-Password" encoding (introduced in v6.45);
  • ssh - do not enable "none-crypto" if "strong-crypto" is enabled on upgrade (introduced in v6.45);
  • ssh - fixed executed command output printing (introduced in v6.45);
  • supout - fixed supout file generation outside of internal storage with insufficient space;
  • upgrade - fixed "auto-upgrade" to use new style authentication (introduced in v6.45);
  • vlan - fixed "slave" flag for non-running interfaces (introduced in v6.45);
  • wireless - improved 802.11ac stability for all ARM devices with wireless;
  • wireless - improved range selection when distance set to "dynamic".

MikroTik RouterOS 6.45.3

Дата выхода: 29 июля 2019

Важные примечания:

  • Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.
  • Old API authentication method will also no longer work, see documentation for new login procedure: https://wiki.mikrotik.com/wiki/Manual:API#Initial_login


Изменения:

  • certificate - renew certificates via SCEP when 3/4 of lifetime reached;
  • crs317 - fixed multicast packet receiving (introduced in v6.45);
  • hotspot - fixed default profile values not being used (introduced in v6.45);
  • rb4011 - fixed SFP+ interface linking (introduced in v6.45.2);
  • smips - reduced RouterOS main package size (disabled LTE modem, dot1x and SwOS support);
  • supout - fixed SIM slot printing (introduced in v6.45);
  • wireless - improved U-APSD (WMM Power Save) support for 802.11e;

MikroTik RouterOS 6.45.4

Дата выхода: 13 августа 2019

Релиз только для внутреннего использования компанией MikroTik.

MikroTik RouterOS 6.45.5

Дата выхода: 26 августа 2019

Важные примечания:

  • Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.
  • Old API authentication method will also no longer work, see documentation for new login procedure:https://wiki.mikrotik.com/wiki/Manual:API#Initial_login


Изменения:

  • crs328 - adjust fan speed based on SFP and CPU temperature;
  • dhcpv4-server - fixed "Acct-Output-Octets" reporting to RADIUS;
  • health - improved fan control on CRS3xx and CCR1016-12S-1S+r2;
  • ike2 - don't release policy on rekey when child not found;
  • ike2 - fixed ID validation with multiple SAN;
  • ike2 - fixed policy port selection for responder with natted initiator;
  • ike2 - fixed traffic selector address family selection when using IPv6;
  • ike2 - improved rekeying process with Windows initiators;
  • ike2 - properly start all initiators to the same remote address;
  • ipsec - allow inline "passphrase" parameter when importing keys;
  • ipsec - fixed "eap-radius" authentication method (introduced in v6.45);
  • ipsec - fixed minor spelling mistakes in logs;
  • lte - fixed cell information monitoring on R11e-LTE-US (introduced in v6.45.2);
  • lte - fixed LTE interface disappearing on RBSXTLTE3-7;
  • smb - improved stability on x86 and CHR (CVE-2019-16160);
  • snmp - fixed encrypted data sequence (introduced in v6.44.5);
  • ssh - fixed carriage return presence in subsequent sessions;
  • switch - fix port isolation for non-CRS series switch chips;
  • system - accept only valid string for "name" parameter in "disk" menu (CVE-2019-15055);
  • upnp - fixed XML parsing (FG-VD-19-110);
  • watchdog - renamed "no-ping-delay" parameter to "ping-start-after-boot";
  • winbox - added "auto-erase" parameter to "Tools/SMS" menu;
  • winbox - added "https-redirect" parameter to "IP/Hotspot/Profiles menu";
  • winbox - added "revision" parameter to "System/Routerboard" menu;
  • winbox - removed "max-sms" parameter from "Tools/SMS" menu;
  • wireless - fixed basic rate reporting in snooper;

MikroTik RouterOS 6.45.6

Дата выхода: 10 сентября 2019

Важные примечания:

  • Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.
  • Old API authentication method will also no longer work, see documentation for new login procedure: https://wiki.mikrotik.com/wiki/Manual:API#Initial_login


Изменения:

  • capsman - fixed regulatory domain information checking when doing background scan;
  • conntrack - improved system stability when using h323 helper (introduced in v6.45);
  • crs3xx - fixed "egress-rate" property on CRS309-1G-8S+, CRS312-4C+8XG, CRS326-24S+2Q+ devices;
  • qsfp - clear SFP monitoring data on port enable;
  • qsfp - correctly display SFP monitoring data;
  • qsfp - fixed EEPROM checksum validation;
  • qsfp - show more QSFP module diagnostics;
  • wireless - include last frequency when manually setting frequency step in "scan-list";

MikroTik RouterOS 6.45.7

Дата выхода: 24 октября 2019

Важные изменения:

  • lora - added support for LoRaWAN low-power wide-area network technology for MIPSBE, MMIPS and ARM;
  • package - accept only packages with original filenames (CVE-2019-3976);
  • package - improved package signature verification (CVE-2019-3977);
  • security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);

Изменения:

  • capsman - fixed frequency setting requiring multiple frequencies;
  • capsman - fixed newline character missing on some logging messages;
  • conntrack - properly start manually enabled connection tracking;
  • crs312 - fixed combo SFP port toggling (introduced in v6.44.5);
  • crs3xx - correctly display link rate when 10/100/1000BASE-T SFP modules are used in SFP+ interfaces;
  • crs3xx - fixed management access when using switch rule "new-vlan-priority" property;
  • export - fixed "bootp-support" parameter export;
  • ike2 - fixed phase 1 rekeying (introduced in v6.45);
  • led - fixed default LED configuration for RBLHG5nD;
  • lte - fixed modem not receiving IP configuration when roaming (introduced in v6.45);
  • radius - fixed open socket leak when invalid packet is received (introduced in v6.44);
  • sfp - fixed "sfp-rx-power" value for some transceivers;
  • snmp - improved reliability on SNMP service packet validation;
  • system - improved system stability for devices with AR9342 SoC;
  • winbox - show SFP tab for QSFP interfaces;
  • wireless - added "canada2" regulatory domain information;
  • wireless - improved stability when setting fixed primary and secondary channels on RB4011iGS+5HacQ2HnD-IN;
Чек-лист по настройке MikroTik
Проверьте свою конфигурацию по 28-ми пунктам