Mikrotik RouterOS 6.43

Version 6.43 brings a really LARGE number of changes.

Because the previous release, 6.42.7, addressed vulnerabilities in the web server, version 6.43 reworks the internal authentication processes. It also adds BPDU guard functionality for Mikrotik switches, fixes in CHR, IPsec and IKE, major fixes for LTE modems, and a pile of other fixes.

Download it, as always, from the Mikrotik website or via Winbox under system > packages > check for updates. On RouterBOARD devices, do not forget to also upgrade the firmware after upgrading ROS if the package contains a new version.

List of changes

MAJOR CHANGES IN v6.43:
———————-
!) api – changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
!) backup – do not encrypt backup file unless password is provided;
!) btest – requires at least v6.43 Bandwidth Test client when connecting to v6.43 or later version server except when authentication is not required;
!) cloud – added IPv6 support;
!) cloud – added support for licensed CHR instances (including trial);
!) cloud – reworked “/ip cloud ddns-enabled” implementation (suggested to disable service and re-enable after installation process);
!) radius – use MS-CHAPv2 for “login” service authentication;
!) romon – require at least v6.43 RoMON agent when connecting to v6.43 or later RoMON client device;
!) webfig – improved authentication process;
!) winbox – improved authentication process excluding man-in-the-middle possibility;
!) winbox – minimal required version is v3.15;
———————-

Changes in this release:

*) backup – added support for new backup file encryption (AES128-CTR) with signatures (SHA256);
*) backup – generate proper file name when devices identity is longer than 32 symbols;
*) bridge – add dynamic CAP interface to tagged ports if “vlan-mode=use-tag” is enabled;
*) bridge – added an option to manually specify ports that have a multicast router (CLI only);
*) bridge – added a warning when untrusted port receives a DHCP Server message when DHCP Snooping is enabled;
*) bridge – added ingress filtering options to bridge interface;
*) bridge – added initial Q-in-Q support;
*) bridge – added more options to fine-tune IGMP Snooping enabled bridges (CLI only);
*) bridge – added per-port based “tag-stacking” feature;
*) bridge – added support for BPDU Guard;
*) bridge – added support for DHCP Option 82;
*) bridge – added support for DHCP Snooping;
*) bridge – added support for IGMP Snooping fast-leave feature (CLI only);
*) bridge – fixed dynamic VLAN table entries when using ingress filtering;
*) bridge – fixed “ingress-filtering”, “frame-types” and “tag-stacking” value storing;
*) bridge – forward LACPDUs when “protocol-mode=none”;
*) bridge – ignore tagged BPDUs when bridge VLAN filtering is used;
*) bridge – improved packet handling;
*) bridge – improved packet processing when bridge port changes states;
*) bridge – improved performance when bridge VLAN filtering is used without hardware offloading;
*) bridge – renamed option “vlan-protocol” to “ether-type”;
*) capsman – added ability to use chain 3 for “HT TX chains” and “HT RX chains” selections (CLI only);
*) capsman – allow to change “radio-name” (CLI only);
*) capsman – increase timeout for the CAP to CAPsMAN communication;
*) certificate – added “expires-after” parameter;
*) certificate – do not allow to perform “undo” on certificate changes;
*) certificate – fixed RA “server-url” setting;
*) check-installation – improved system integrity checking;
*) chr – added checksum offload support for Hyper-V installations;
*) chr – added large send offload support for Hyper-V installations;
*) chr – added multiqueue support on Xen installations;
*) chr – added support for multiqueue feature on “virtio-net”;
*) chr – added virtual Receive Side Scaling support for Hyper-V installations (might require more RAM assigned than in previous versions);
*) chr – by default enable link state tracking for virtual drivers with “/interface ethernet disable-running-check=no”;
*) chr – do not show IRQ entries from removed devices;
*) chr – fixed interface name assign process when running CHR on Hyper-V;
*) chr – fixed interface name order when “virtio-net” is not being used on KVM installations;
*) chr – fixed MTU changing process when running CHR on Hyper-V;
*) chr – fixed NIC hotplug for “virtio-net”;
*) chr – improved ballooning process;
*) chr – improved boot time for Hyper-V installations;
*) chr – provide part of network interface GUID at the beginning of “bindstr2” value when running CHR on Hyper-V;
*) chr – reduced RAM memory required per interface;
*) cloud – added simultaneous IPv4/IPv6 support;
*) cloud – close local UDP port if no activity;
*) console – added “dont-require-permissions” parameter for scripts;
*) console – added error log message when netwatch tries to execute script with insufficient permissions;
*) console – added error log message when scheduler tries to execute script with insufficient permissions;
*) console – do not show spare parameters on ping command;
*) console – made “once” parameter mandatory when using “as-value” on “monitor” commands;
*) console – removed automatic swapping of “from=” and “to=” in “for” loops;
*) crs317 – fixed Ethernet interface stuck on 100 Mbps speed;
*) crs326/crs328 – fixed packet forwarding when port changes states with IGMP Snooping enabled;
*) crs328 – fixed transmit on sfp-sfpplus1 and sfp-sfpplus2 interfaces;
*) crs3xx – added hardware support for DHCP Snooping and Option 82;
*) crs3xx – added Q-in-Q hardware offloading support;
*) crs3xx – do not report SFP interface as running when interface on opposite side is disabled;
*) crs3xx – fixed ACL rate rules (introduced in v6.41rc27);
*) crs3xx – fixed flow control;
*) crs3xx – fixed SwOS config import;
*) defconf – fixed default configuration for RBSXTsq5nD;
*) defconf – fixed missing bridge ports after configuration reset;
*) dhcp – added dynamic IPv4/IPv6 “dual-stack” simple queue support, based on client’s MAC address;
*) dhcp – reduced resource usage of DHCP services;
*) dhcpv4-client – fixed DHCP client that was stuck on invalid state;
*) dhcpv4-client – fixed double ACK packet handling;
*) dhcpv4-server – added “allow-dual-stack-queue” implementation (CLI only);
*) dhcpv4-server – do not allow override lease “always-broadcast” value based on offer type;
*) dhcpv4-server – improved performance when “rate-limit” and/or “address-list” setting is present;
*) dhcpv6-client – added missing “Server identifier” parameter in release message;
*) dhcpv6-client – fixed “add-default-route” parameter;
*) dhcpv6-client – fixed option handling;
*) dhcpv6-client – improved dynamic IPv6 pool addition process;
*) dhcpv6-server – added additional RADIUS parameters for Prefix delegation, “rate-limit” and “life-time”;
*) dhcpv6-server – added “allow-dual-stack-queue” implementation (CLI only);
*) dhcpv6-server – added initial dynamic simple queue support;
*) dhcpv6-server – do not allow to run DHCPv6 server on slave interface;
*) dhcpv6-server – fixed dynamic simple queue creation for RADIUS bindings;
*) dns – fixed DNS cache service becoming unresponsive when active Hotspot server is present on the router (introduced in 6.42);
*) dude – fixed client auto upgrade (broken since 6.43rc17);
*) ethernet – do not show “combo-state” field if interface is not SFP or copper;
*) ethernet – properly handle Ethernet interface default configuration;
*) export – do not show w60g password on “hide-sensitive” type of export;
*) fetch – added “as-value” output format;
*) fetch – fixed address and DNS verification in certificates;
*) filesystem – fixed NAND memory going into read-only mode (requires “factory-firmware” >= 3.41.1 and “current-firmware” >= 6.43);
*) filesystem – improved software crash handling on devices with FLASH type memory;
*) health – added missing parameters from export;
*) health – fixed voltage measurements for RB493G devices;
*) health – improved speed of health measurement readings;
*) hotspot – allow to properly configure Hotspot directory on external disk for devices that have flash type storage;
*) hotspot – fixed RADIUS CoA & PoD by allowing to accept “NAS-Port-Id”;
*) ike1 – added unsafe configuration warning for main mode with pre-shared-key authentication;
*) ike1 – purge both SAs when timer expires;
*) ike1 – zero out reserved bytes in NAT-OA payload;
*) ike2 – fixed initiator first policy selection;
*) ike2 – fixed rekeyed child deletion during another exchange;
*) ike2 – improved basic exchange logging readability;
*) ike2 – use “/32” netmask by default on initiator if not provided by responder;
*) interface – improved interface “last-link-down-time” and “last-link-up-time” values;
*) interface – improved reliability on dynamic interface handling;
*) ippool – improved used address error message;
*) ipsec – added “responder” parameter for “mode-config” to allow multiple initiator configurations;
*) ipsec – added “src-address-list” parameter for “mode-config” that generates dynamic “src-nat” rule;
*) ipsec – added warning messages for incorrect peer configuration;
*) ipsec – do not allow removal of “proposal” and “mode-config” entries that are in use;
*) ipsec – fixed AES-192-CTR fallback to software AEAD on ARM devices with wireless and RB3011UiAS-RM;
*) ipsec – fixed AES-CTR and AES-GCM key size proposing as initiator;
*) ipsec – fixed “static-dns” value storing;
*) ipsec – improved invalid policy handling when a valid policy is uninstalled;
*) ipsec – improved reliability on generated policy addition when IKEv1 or IKEv2 used;
*) ipsec – improved stability when using IPsec with disabled route cache;
*) ipsec – install all DNS server addresses provided by “mode-config” server;
*) ipsec – separate phase1 proposal configuration from peer menu;
*) ipsec – use monotonic timer for SA lifetime check;
*) kidcontrol – allow to edit discovered devices;
*) l2tp – allow setting “max-mtu” and “max-mru” bigger than 1500;
*) led – improved w60g alignment trigger;
*) leds – fixed LED behaviour when bonding is configured on SFP+ interfaces;
*) log – fixed false log warnings about system status after power on for CRS328-4C-20S-4S+;
*) log – show interface name on OSPF “different MTU” info log messages;
*) lte – added additional D-Link PIDs;
*) lte – added additional ID support for SIM7600 modem;
*) lte – added additional low endpoint SIM7600 PIDs;
*) lte – added eNB ID to info command;
*) lte – added extended LTE signal info for SIM7600 modules;
*) lte – added extended signal information for Quectel LTE EC25 and EP06 modem;
*) lte – added ICCID reading for info command R11e-LTE and R11e-LTE-US;
*) lte – added “registration-status” parameter under “/interface lte info” command;
*) lte – added roaming status reading for info command;
*) lte – added “sector-id” to info command;
*) lte – added support for alternative SIM7600 PID;
*) lte – added support for Novatel USB730LN modem with new ID;
*) lte – added support for Quanta 1k6e modem;
*) lte – allow to execute concurrent internal AT commands;
*) lte – allow to use multiple PLS modems at the same time;
*) lte – do not allow to remove default APN profile;
*) lte – do not allow to send “at-chat” commands for configless modems;
*) lte – expose GPS channel for PLS modems;
*) lte – fixed LTE registration in 2G/3G mode;
*) lte – fixed SIM7600 registration info;
*) lte – fixed SIM7600 series module support with newer device IDs;
*) lte – ignore empty MAC addresses during Passthrough discovery phase;
*) lte – improved modem event processing;
*) lte – improved r11e-LTE and r11e-LTE-US dialling process;
*) lte – improved r11e-LTE configuration exchange process;
*) lte – improved reading of SMS message after entering running state;
*) lte – improved readings of info command results for the SXT LTE;
*) lte – improved stability of USB LTE interface detection process;
*) lte – properly detect interface state when running for IPv6 only connection for R11e-LTE modem;
*) lte – renamed LTE scan tool field “scan-code” to “mcc-mnc”;
*) lte – show UICC in correct format for SXT LTE devices;
*) lte – use “/32” address for the Passthrough feature when R11e-LTE module is used;
*) lte – use alphanumeric operator format in info command;
*) mac-telnet – improved reliability when connecting from RouterOS versions prior 6.43;
*) multicast – allow to add more than one RP per IP address for PIM;
*) ntp – allow to specify link-local address for NTP server;
*) ospf – improved link-local LSA flooding;
*) ospf – improved stability when originating LSAs with OSPFv3;
*) package – renamed “current-version” to “installed-version” under “/system package install”;
*) ppp – added support for additional ID for E3531 modem;
*) ppp – added support for Alfa Network U4G modem;
*) ppp – added support for Telit LM940 modem;
*) ppp – improved modem mode switching;
*) ppp – show comments from “/ppp secrets” menu within “/ppp active” menu when client is connected;
*) quickset – recognize 160 MHz channel as HomeAP mode;
*) rb1100ahx4 – added DES and 3DES hardware acceleration support;
*) romon – fixed RoMON services becoming unavailable after disabled once during active scanning process;
*) romon – properly classify RoMON sessions in log and active users list;
*) routerboard – allow to fill up to half of the RAM memory with files on devices with FLASH storage;
*) routerboard – fixed “protected-routerboot” feature (introduced in v6.42);
*) routerboard – fixed wrongly reported RAM size on ARM devices;
*) routerboot – removed RAM test from TILE devices (routerboot upgrade required);
*) sfp – fixed default advertised link speeds;
*) smb – fixed valid request handling when additional options are used;
*) sms – converted “keep-max-sms” feature to “auto-erase”;
*) sms – do not require “port” and “interface” parameters when sending SMS if already present in configuration;
*) sms – improved reliability on SMS reader;
*) snmp – added CAPsMAN “remote-cap” table;
*) snmp – added EAP identity to CAPsMAN registration table;
*) snmp – added “phy-rate” reading for “station-bridge” mode;
*) snmp – added “temp-exception” trap;
*) snmp – fixed interface speed reporting for predefined rates;
*) snmp – fixed “remote-cap” peer MAC address format;
*) ssh – disconnect all active connections when device gets rebooted or turned off;
*) ssh – strengthen strong-crypto (add aes-128-ctr and disallow hmac sha1 and groups with sha1);
*) supout – added “files” section to supout file;
*) supout – added info log message when supout file is created;
*) supout – added monitored bridge VLAN table to supout file;
*) supout – added “w60g” section to supout file;
*) switch – added CPU Flow Control settings for devices with a Atheros8227, QCA8337, Atheros8327, Atheros7240 or Atheros8316 switch chip;
*) switch – added support for port isolation by switch chip;
*) switch – fixed possible switch chip hangs after initialization on MediaTek and Atheros8327 switch chips;
*) swos – implemented “/system swos” menu that allows to upgrade, reset, save or load configuration and change address for dual-boot CRS devices (CLI only);
*) tile – added DES and 3DES hardware acceleration support;
*) tile – fixed false HW offloading flag for MPLS;
*) tr069-client – allow editing of “provisioning-code” attribute;
*) tr069-client – fixed setting of “DeviceInfo.ProvisioningCode” parameter;
*) tr069-client – use SNI extension for HTTPS;
*) upgrade – fixed RouterOS upgrade process from RouterOS v5 on PowerPC;
*) ups – improved UPS serial parsing stability;
*) usb – fixed modem initialisation on LtAP mini;
*) usb – fixed power-reset for hAP ac^2 devices;
*) user – all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
*) userman – fixed “shared-secret” parameter requiring “sensitive” policy;
*) vrrp – improved reliability on VRRP interface configured as a bridge port when “use-ip-firewall” is enabled;
*) w60g – added ability to specify MCS range (CLI only);
*) w60g – added “beamforming-event” stats counter;
*) w60g – fixed random disconnects;
*) w60g – general stability and performance improvements;
*) watchdog – added “ping-timeout” setting;
*) webfig – do not automatically re-log in after logging out;
*) webfig – fixed occasional authentication failure when logging in;
*) webfig – fixed www service becoming unresponsive;
*) webfig – properly display time interval within Kid Control menu;
*) webfig – properly handle double clicking when logging in or out;
*) webfig – properly show NTP clients “last-adjustment” value;
*) winbox – added bridge Fast Forward statistics counters;
*) winbox – added “poe-fault” LED trigger;
*) winbox – added “tag-stacking” option to “Bridge/Ports”;
*) winbox – allow to specify LTE interface when sending SMS;
*) winbox – fixed arrow key handling within table filter fields;
*) winbox – fixed “bad-blocks” value presence under “System/Resources”;
*) winbox – fixed bridge port MAC learning parameter values;
*) winbox – fixed “IP/IPsec/Peers” section sorting;
*) winbox – fixed “write-sect-since-reboot” value presence under “System/Resources”;
*) winbox – properly close session when uploading multiple files to the device at the same time;
*) winbox – removed duplicate “20/40/80MHz” value from “channel-width” setting options;
*) winbox – renamed “VLAN Protocol” to “EtherType” under bridge interface “VLAN” tab;
*) winbox – show HT MCS tab when “5ghz-n/ac” band is used;
*) winbox – show “Switch” menu on hAP ac^2 devices;
*) winbox – show “System/RouterBOARD/Mode Button” on devices that have such a feature;
*) wireless – accept only valid path for sniffer output file parameter;
*) wireless – added “czech republic 5.8” regulatory domain information;
*) wireless – added “etsi2” regulatory domain information;
*) wireless – added option for RADIUS “called-station-id” format selection;
*) wireless – added option to disable PMKID for WPA2;
*) wireless – do not disconnect clients when WDS master connects with MAC address “00:00:00:00:00:00”;
*) wireless – fixed “/interface wireless sniffer packet print follow” output;
*) wireless – fixed wireless interface lockup after period of inactivity;
*) wireless – improved Nv2 reliability on ARM devices;
*) wireless – improved Nv2 stability for 802.11n interfaces on RB953, hAP ac and wAP ac devices;
*) wireless – require “sniff” policy for wireless sniffer;
*) wireless – updated “czech republic” regulatory domain information;
*) wireless – updated “germany 5.8 ap” and “germany 5.8 fixed p-p” regulatory domain information;
*) x86 – improved Ethernet driver for Davicom DM9x0x;

 

Source: mikrotik.com
