Εδώ μιλάμε για Mikrotik RouterBoard

[deniSun]

εχουν γραφτει καποια Bugs με αυτην την εκδοση στο forum της mikrotik.προσοχη λοιπον με αυτην την εκδοση.

καλημερα! οπως βλέπω και εγω οντως http://forum.mikrotik.com/viewtopic.php?t=116821
και εφοσον δεν εχουμε ακομα καμια εκδοση current που να μην τρεχει με το προηγουμενο, δεν βλεπω και λογο αλλαγης του ακομα.

Σε όλες τις εκδόσεις υπάρχουν bugs.
Οπότε δεν τρέχει κάτι.
Το δοκιμάζεις και αν σου βγάζει προβλήματα γυρίζεις στο προηγούμενο.

[Nikiforos]

Δεν εχω δει κανενα προβλημα στην 3.7, anyway θα περιμενω λιγο να μην χανω χρονο τσαμπα.
εξαλου μεχρι να βγει η current 6.39 δεν επιβαλλεται η χρηση του, πραγμα που εγινε και με το προηγουμενη και την προηγουμενη current (δεν θυμαμαι ποια ηταν). Οι χρηστες της RC προφανως πρεπει να πανε στο 3.8.

Οπως βλεπουμε παρακατω πολλες αλλαγες σχετικες με το Winbox! την RC την αναφερω ΜΟΝΟ για να δουμε τις αλλαγες σχετικα με τη νεα εκδοση του winbox...
Mikrotik RC version changelog

Κώδικας:

What's new in 6.39rc12 (2017-Jan-12 13:38):

!) quickset - configuration changes are now applied only on "OK" and "Apply" (not on mode change);
!) winbox - minimal required version is v3.8 (because of new quickset);
*) bridge - disallow manual removal of dynamic bridge ports;
*) bridge - fixed access loss to device through bridge if master port had a loop (introduced in v6.38);
*) bridge - fixed rare conflicts between hardware and software STP (introduced in v6.38);
*) certificate - added year cap (invalid-after date will not exceed year 2039);
*) certificate - allow CRL address to be specified as DNS name;
*) certificate - fixed fail on import from CAPs when both key and name already exist;
*) dhcpv6-server - fixed server removal crash if static binding was present;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=21&t=116471);
*) fan - improved RPM monitor on CCR1009;
*) firewall - fixed import of exported configuration that had updated "limit" setting;
*) graphs - fixed graph disappearance after power outage;
*) ike1 - fixed ph1 rekey in setups with mode-cfg;
*) ike2 - auto-negotiate split nets;
*) ike2 - default to tunnel mode in setups without policy;
*) ike2 - fixed initiator TS updating;
*) ike2 - fixed policy setting for /0 selector with different address families;
*) ike2 - fixed split policy active flag;
*) ike2 - fixed xauth add check;
*) ike2 - include identity in peer address info;
*) ike2 - log empty TS payload;
*) ike2 - minor logging update;
*) ike2 - traffic selector improvements;
*) ike2 - use first split net for empty TS;
*) ike2 - use standard retransmission timers for DPD;
*) ike2 - xauth like auth method with user support;
*) ipsec - added ability to kill particular remote-peer;
*) ipv6 - added warning about having interface MTU less than minimal IPv6 packet fragment (1280);
*) leds - added LTE modem access technology trigger;
*) leds - do not update single LED state when it is not changed;
*) license - fixed demo license expiration after installation on x86;
*) logs - work on false CPU/RAM overclocked alarms;
*) mpls - fixed crash on active tunnel loss in MPLS TE setups;
*) ppp - fixed rare kernel failure on PPP client connection;
*) pppoe - make default keepalive 10s for PPPoE clients;
*) profile - classify ethernet driver activity properly in ARM architecture;
*) quickset - various small changes;
*) rb751u - fixed ethernet LEDs (broken since 6.38rc16);
*) tr069-client - added connection request authentication;
*) tr069-client - added parameters for DNS client management support;
*) tr069-client - generate random connection request target path;
*) webfig - allow shorten bytes to k,M,G in firewall "connection-bytes" and "connection-rates";
*) webfig - show properly large BGP AS numbers;
*) winbox - added "add-relay-info" and "relay-info-remote-id" to DHCP relay;
*) winbox - added "group-key-update" to CAPsMAN security settings;
*) winbox - added "make-static" to IPv6 DHCP server bindings;
*) winbox - added "prefix-pool" to DHCPv6 server binding;
*) winbox - added IPsec to radius services;
*) winbox - added upstream flag to IGMP proxy interfaces;
*) winbox - allow shorten bytes to k,M,G in bridge firewall just like in “/ip firewall”;
*) winbox - allow shorten bytes to k,M,G in firewall "connection-bytes" and "connection-rates";
*) winbox - allow to change user password to empty one;
*) winbox - allow to specify "connection-bytes" & "connection-rate" for any protocol in “/ip firewall” rules;
*) winbox - allow to specify "sip-timeout" under ip firewall service-ports;
*) winbox - allow to specify certificate type when exporting it;
*) winbox - allow to specify interfaces that CAPsMAN can use for management;
*) winbox - do not create empty rates.vht-basic/supported-mcs if not specified in CAPsMAN;
*) winbox - do not create time field when copying CAPsMAN access list entry;
*) winbox - do not try to disable dynamic items from firewall tables;
*) winbox - fixed typo in “/system resources pci” list;
*) winbox - hide "nat-traversal" setting in IPsec peer if IKEv2 is selected;
*) winbox - removed "sfp-rate-select" setting from ethernet interface;
*) winbox - show dynamic IPv6 pools properly;
*) winbox - show errors on IPv6 addresses ;
*) winbox - specify metric for “/ip dns cache-used” setting;
*) winbox - updated fan management menu;
*) wireless - added "station-roaming" setting;
*) wireless - fixed rare wireless ac interface lockup;
*) wireless - show comment on "security-profile" if it is set;

[asimako]

Version 6.38.1 Current

Κώδικας:

What's new in 6.38.1 (2017-Jan-13 05:51):

*) bridge - disallow manual removal of dynamic bridge ports;
*) bridge - fixed MAC address learning from switch master-port;
*) bridge - fixed access loss to device through bridge if master port had a loop (introduced in v6.38);
*) certificate - added year cap (invalid-after date will not exceed year 2039);
*) certificate - fixed fail on import from CAPs when both key and name already exist;
*) dhcpv6-client - fixed DHCPv6 rebind on startup;
*) dhcpv6-server - fixed server removal crash if static binding was present;
*) dns - fixed typo in regexp error message;
*) dude - (changes discussed here: viewtopic.php?f=8&t=112599);
*) fan - improved RPM monitor on CCR1009;
*) firewall - nat action "netmap" now requires to-addresses to be specified;
*) health - report fan speed for RB800 and RB1100 when 3-pin fan is being used;
*) ike1 - fixed ph1 rekey in setups with mode-cfg;
*) ike2 - allow empty selectors to reach policy handler;
*) ike2 - auto-negotiate split nets;
*) ike2 - default to tunnel mode in setups without policy;
*) ike2 - fixed error packet from initiator on responder reply;
*) ike2 - fixed initiator TS updating;
*) ike2 - fixed ph1 initial-contact rare desync;
*) ike2 - fixed policy setting for /0 selector with different address families;
*) ike2 - fixed split policy active flag;
*) ike2 - fixed traffic selector prefix calculation;
*) ike2 - fixed xauth add check;
*) ike2 - include identity in peer address info;
*) ike2 - log empty TS payload;
*) ike2 - minor logging update;
*) ike2 - show peer identity of connected peers;
*) ike2 - traffic selector improvements;
*) ike2 - update also local port when peer changes port;
*) ike2 - use first split net for empty TS;
*) ike2 - use standard retransmission timers for DPD;
*) ike2 - xauth like auth method with user support;
*) ipsec - added ability to kill particular remote-peer;
*) ipsec - fixed flush speed and SAs on startup;
*) ipsec - fixed peer port export;
*) ipsec - port is used only for initiators;
*) ipv6 - added warning about having interface MTU less than minimal IPv6 packet fragment (1280);
*) license - fixed demo license expiration after installation on x86;
*) log - improved firewall log messages when NAT has changed only connection ports;
*) logs - work on false CPU/RAM overclocked alarms;
*) mpls - fixed crash on active tunnel loss in MPLS TE setups;
*) ovpn - fixed address acquisition when ovpn-in interface becomes slave;
*) proxy - fixed "max-cache-object-size" export;
*) proxy - speed-up almost empty disk cache clean-up;
*) quickset - various small changes;
*) rb751u - fixed ethernet LEDs (broken since 6.38rc16);
*) ssh - fixed high memory consumption when transferring file over ssh tunnel;
*) webfig - show properly large BGP AS numbers;
*) winbox - added "make-static" to IPv6 DHCP server bindings;
*) winbox - added "prefix-pool" to DHCPv6 server binding;
*) winbox - added IPsec to radius services;
*) winbox - added upstream flag to IGMP proxy interfaces;
*) winbox - allow to specify "connection-bytes" & "connection-rate" for any protocol in “/ip firewall†rules;
*) winbox - allow to specify "sip-timeout" under ip firewall service-ports;
*) winbox - do not create empty rates.vht-basic/supported-mcs if not specified in CAPsMAN;
*) winbox - hide "nat-traversal" setting in IPsec peer if IKEv2 is selected;
*) winbox - show dynamic IPv6 pools properly;
*) winbox - show errors on IPv6 addresses;
*) winbox - specify metric for “/ip dns cache-used†setting;
*) wireless - show comment on "security-profile" if it is set;

- - - Updated - - -

RouterBOARD 941-2nD : Firm 3.33 to 3.36

[deniSun]

RouterBOARD 941-2nD : Firm 3.33 to 3.36

Έτσι μόνο του ή με κάποιο ROS;

[asimako]

Εκανα update στην 6.38.1 πρώτα και μετά μου το έβγαλε. Οχι όμως και στο 951.

[Nikiforos]

Εκανα update στην 6.38.1 πρώτα και μετά μου το έβγαλε. Οχι όμως και στο 951.

καλημερα! χαχαχαχαχ απιστευτο! μελετουσα χτες τις αλλαγες στην RC για την 6.38.1 και πηγε στην current!!!
αρα τωρα θελει αναγκαστικα το winbox 3.8 σωστα?
ναι το FW ειναι αναλογα το μοντελο, μπορει να μην εχει δλδ για ολα, τελικα εκανα στα δικα μου την αναβαθμιση στη νεα current και σε κανενα δεν εβγαλε και αναβαθμιση στο firmware. Eχουμε κολλησει εδω και καιρο στο 3.33.

[airbus]

Version 6.37.4 has been released in bugfix channel.

What's new in 6.37.4 (2017-Jan-13 06:52):
*) bonding - fixed "tx-drop" on VLAN over bonding on x86;
*) certificates - added year cap (invalid-after date will not exceed year 2039);
*) certificates - fixed crash when crl is removed while it is being fetched;
*) certificates - fixed fail on import from CAPs when both key and name already exist;
*) crs - added comment ability in more switch menus;
*) dhcpv6-client - fixed DHCPv6 rebind on startup;
*) dhcpv6-server - fixed server removal crash if static binding was present;
*) dns - fixed typo in regexp error message;
*) dude - (changes here: http://wiki.mikrotik.com/wiki/Manual:Th ... _changelog);
*) export - updated default values to clean up export compact;
*) fan - improved RPM monitor on CCR1009;
*) firewall - do not defragment packets which are marked with "notrack" in raw firewall;
*) firewall - fixed "time" option by recognizing weekday properly (introduced in v6.37.2);
*) firewall - fixed dynamic raw rule behaviour;
*) firewall - fixed rule activation if "time" option is used and no other active rules are present;
*) firewall - nat action "netmap" now requires to-addresses to be specified;
*) health - report fan speed for RB800 and RB1100 when 3-pin fan is being used;
*) hotspot - fixed nat rule port setting in "hs-unauth-to" chain by changing it from "dst-port" to "src-port" on Walled Garden ip "return" rules;
*) ipsec - fixed kernel failure on tile with sha256 when hardware encryption is not being used;
*) ipv6 - added warning about having interface MTU less than minimal IPv6 packet fragment (1280);
*) ipv6 - moved empty IPv6 pool error message to error topic;
*) led - fixed dark mode for cAP 2nD (http://wiki.mikrotik.com/wiki/Manual:Sy ... ds_Setting);
*) license - fixed demo license expiration after installation on x86;
*) log - improved firewall log messages when NAT has changed only connection ports;
*) lte - increased delay when setting sms send mode;
*) metarouter - fixed startup process (introduced in 6.37.2);
*) ppp - fixed packet size calculation when MRRU is set (was 2 bytes bigger than MTU allows);
*) ppp - significantly improved shutdown speed on servers with many active tunnels;
*) ppp - significantly improved tunnel termination process on servers with many active tunnels;
*) profile - added "bfd" and "remote-access" processes;
*) profile - added ability to monitor cpu usage per core;
*) profile - make profile work on mmips devices;
*) profile - properly classify "wireless" processes;
*) proxy - fixed "max-cache-object-size" export;
*) proxy - speed-up almost empty disk cache clean-up;
*) queue - fixed "time" option by recognizing weekday properly (introduced in v6.37.2);
*) quickset - various small changes;
*) rb750Gr3 - fixed ipsec with 3des+md5 to work on this board;
*) rb751u - fixed ethernet LEDs;
*) snmp - always report bonding speed as speed from first bonding slave;
*) snmp - fixed rare crash when incorrectly formatted packet was received;
*) ssh - fixed high memory consumption when transferring file over ssh tunnel;
*) switch - fix BPDU dynamic Host table entry on Atheros Gigabit switch chips;
*) time - updated time zones;
*) traceroute - fixed memory leak;
*) trafficgen - fixed compact export when "header-stack" includes tcp;
*) vlan - allow to add multiple VLANs which name starts with same number and has same length;
*) vrrp - do not show unrelated log warning messages about version mismatch;
*) watchdog - do not send supout file if "auto-send-supout" is disabled;
*) webfig - added extra protection against XSS exploits;
*) webfig - show properly interface last-link-up/down times;
*) webfig - show properly large BGP AS numbers;
*) winbox - added "Complete" flag to arp table;
*) winbox - added "make-static" to IPv6 DHCP server bindings;
*) winbox - added "prefix-pool" to DHCPv6 server binding;
*) winbox - added upstream flag to IGMP proxy interfaces;
*) winbox - allow to enable/disable traffic flow targets;
*) winbox - allow to specify "connection-bytes" & "connection-rate" for any protocol in “/ip firewall†rules;
*) winbox - allow to specify "sip-timeout" under ip firewall service-ports;
*) winbox - do not allow to set "loop-protect-send-interval" to 0s;
*) winbox - do not create empty rates.vht-basic/supported-mcs if not specified in CAPsMAN;
*) winbox - fixed crash when legacy Winbox version was used;
*) winbox - fixed default values for interface "loop-protect-disable-time" and "loop-protect-send-interval";
*) winbox - fixed missing "IPv6/Settings" menu;
*) winbox - fixed typo in "propagate-ttl" setting;
*) winbox - properly show VHT basic and supported rates in CAPsMAN;
*) winbox - show all related HT tab settings in 2GHz-g/n mode;
*) winbox - show dynamic IPv6 pools properly;
*) winbox - show errors on IPv6 addresses;
*) winbox - show proper ipv6 connection timeout;
*) winbox - specify metric for “/ip dns cache-used†setting;
*) wireless - fixed full "spectral-history" header print on AP modes;
*) wireless - fixed upgrade from older wireless packages when AP interface had empty SSID;
*) wireless - show comment on "security-profile" if it is set;

[Nikiforos]

Και για να μην ξεχνιόμαστε...
Winbox 3.8 released!

http://www.mikrotik.com/download
γιατι λεει 3.9 στο download? τι εγινε?

προφανως μετα απο τα πολλα προβληματα βγηκε το επομενο γρηγορα!!!

http://forum.mikrotik.com/viewtopic.php?f=21&t=116947

What's new in v3.9:

*) fixed problem - some item disable did not work;
*) fixed problem - port numbers & related info could not be specified in firewall after tcp protocol was selected;

[deniSun]

Σήμερα... καταιγισμός...
v6.37.4 [bugfix]
v6.38.1 [current]
Winbox 3.9
Έκανα την αναβάθμιση σε 6.37.4 [bugfix πάντα] με το ανάλογο fw.
Είχαμε και αλλαγές στα configuration files:
Στο ipv6 έχουμε προσθήκη νέου πεδίου στα αντίστοιχα limits του icmp.
Οπότε οι εγγραφές διαμορφώνονται σε:

Κώδικας:

add action=accept chain=input comment="Allow input ICMPv6" limit=\
    5/5s,5:packet protocol=icmpv6
add action=accept chain=forward comment="Allow forward ICMPv6" limit=\
    5/5s,5:packet protocol=icmpv6

Αν δεν το διορθώσετε θα πάρει τιμές 50/5s.
Επίσης στο system δεν υπάρχει πλέον η δήλωση:

Κώδικας:

/system routerboard settings
set protected-routerboot=disabled

[nikos201]

Καλημέρα,

Δεν μπορώ να μπώ από εξωτερική IP σε εσωτερική.
Επισυνάπτω φωτό.
Εκδοση V6.38.

[teodor_ch]

Στο νήμα του firewall είναι το σωστό μέρος.
Έχεις στο ip firewall filter accept στο input και forward (ή μόνο σε όποιο χρειάζεσαι) να σου επιτρέπει τις dst-nat connections?
Στο πρώτο tab κάτω κάτω είναι το dst-nat.

Δεν έχω winbox για να μπώ στα γρήγορα να σου δώσω παράδειγμα.

Αυτά τα δύο

ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=input connection-nat-state=dstnat

[nikos201]

Στέλνω το
/ip firewall filter print:

[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""

2 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no
log-prefix=""

3 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

4 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""

5 ;;; echo reply
chain=icmp action=accept protocol=icmp icmp-options=0:0

6 ;;; net unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:0

7 ;;; host unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:1

8 ;;; allow source quench
chain=icmp action=accept protocol=icmp icmp-options=4:0

9 ;;; allow echo request
chain=icmp action=accept protocol=icmp icmp-options=8:0

10 ;;; allow time exceed
chain=icmp action=accept protocol=icmp icmp-options=11:0

11 ;;; allow parameter bad
chain=icmp action=accept protocol=icmp icmp-options=12:0

12 ;;; deny all other types
chain=icmp action=drop

13 ;;; Drop Traceroute
chain=forward action=drop protocol=icmp icmp-options=11:0

14 chain=forward action=drop protocol=icmp icmp-options=3:3

15 ;;; dropping port scanners
chain=forward action=drop src-address-list=port scanners

16 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid

17 chain=forward action=accept connection-state=established

18 ;;; allow related connections
chain=forward action=accept connection-state=related

19 chain=forward action=drop src-address=127.0.0.0/8

20 chain=forward action=drop dst-address=127.0.0.0/8

21 chain=forward action=drop src-address=169.254.0.0/16

22 chain=forward action=drop dst-address=169.254.0.0/16

23 chain=forward action=drop src-address=172.16.0.0/12

24 chain=forward action=drop dst-address=172.16.0.0/12

25 chain=forward action=drop src-address=192.0.0.0/24

26 chain=forward action=drop dst-address=192.0.0.0/24

27 chain=forward action=drop src-address=192.0.2.0/24

28 chain=forward action=drop dst-address=192.0.2.0/24

29 chain=forward action=drop src-address=198.18.0.0/15

30 chain=forward action=drop dst-address=198.18.0.0/15

31 chain=forward action=drop src-address=198.51.100.0/24

32 chain=forward action=drop dst-address=198.51.100.0/24

33 chain=forward action=drop src-address=203.0.113.0/24

34 chain=forward action=drop dst-address=203.0.113.0/24

35 chain=forward action=drop src-address=224.0.0.0/3

36 chain=forward action=drop dst-address=224.0.0.0/3

37 ;;; Make jumps to new chains
chain=forward action=jump jump-target=tcp protocol=tcp

38 chain=forward action=jump jump-target=udp protocol=udp

39 chain=forward action=jump jump-target=icmp protocol=icmp

40 ;;; deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69

41 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=111

42 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=135

43 ;;; deny NBT
chain=tcp action=drop protocol=tcp dst-port=137-139

44 ;;; deny cifs
chain=tcp action=drop protocol=tcp dst-port=445

45 ;;; deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049

46 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=12345-12346

47 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=20034

48 ;;; deny BackOriffice
chain=tcp action=drop protocol=tcp dst-port=3133

49 ;;; deny TFTP
chain=udp action=drop protocol=udp dst-port=69

50 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=111

51 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=135

52 ;;; deny NBT
chain=udp action=drop protocol=udp dst-port=137-139

53 ;;; deny NFS
chain=udp action=drop protocol=udp dst-port=2049

54 ;;; deny BackOriffice
chain=udp action=drop protocol=udp dst-port=3133

55 chain=input action=accept protocol=icmp

56 chain=input action=accept connection-state=established

57 chain=input action=accept connection-state=related

58 chain=input action=drop in-interface=pppoe-out1

59 chain=forward action=accept connection-nat-state=dstnat log=no
log-prefix=""

60 chain=input action=accept connection-nat-state=dstnat log=no


Ευχαριστώ.

[teodor_ch]

Μετέφερε αυτά που έβαλες πιο ψηλά (βάλε τα στην αρχή αφού δε προκαλούν κάποιο πρόβλημα).

Στο φόρουμε να κάνεις export και να τα βάζεις μέσα σε <code> για να είναι πιο ευανάγνωστα

[nikos201]

Ενώ βλέπω κάποια κίνηση πακέτων στο ΝΑΤ, δεν μου ανοίγει την σελίδα.
Μάλλον κάτι συμβαίνει στο FireWall;

Ευχαριστώ.

[teodor_ch]

Ενώ βλέπω κάποια κίνηση πακέτων στο ΝΑΤ, δεν μου ανοίγει την σελίδα.
Μάλλον κάτι συμβαίνει στο FireWall;

Ευχαριστώ.

Μα αυτό στο λέω.
Αφού τα πρόσθεσες ανέβασε τα λίγο πιο πάνω να μήν είναι κάτω απο τα "drop all others".
Τώρα που το ξαναείδα, τον 60 κανόνα βάλε τον πάνω απο τον 58.
Και τον 59 σβήσε τον γιατί τελικά είχες βάλει πιο πάνω περιορισμό οπότε δε χρειάζεται