RouterOS 6.38 [current] has been released
Important note!!! To avoid STP/RSTP compatibility issues with older RouterOS versions upgrade RouterOS on all routers in Layer2 networks with VLAN and STP/RSTP configurations.

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set xauth-use-radius=yes";
!) ipsec - added IKEv2 support;
!) ipsec - added IKEv2 EAP RADIUS passthrough authentication for responder;
!) ipsec - added support for unique policy generation;
!) ipsec - removed IKEv1 ah+esp support;
!) snmp - added basic get and walk functionality "/tool snmp-[get|walk]";
!) switch - added hardware STP functionality for CRS devices and small Atheros switch chips (http://wiki.mikrotik.com/wiki/Manual:CR ... e_Protocol);
!) tr069-client - initial implementation (as separate package) (cli only);
!) winbox - Winbox 3.7 is the minimum version that can connect to RouterOS;
*) arp - added "local-proxy-arp" feature;
*) bonding - added "forced-mac-address" option;
*) bonding - fixed "tx-drop" on VLAN over bonding on x86;
*) bridge - fixed rare crash on bridge port removal;
*) bridge - fixed VLAN BPDU rx and tx when connected to non-RouterOS device with STP functionality;
*) bridge - require admin-mac to be specified if auto-mac is disabled;
*) bridge - show bridge port name in port monitor;
*) capsman - added "group-key-update" parameter;
*) capsman - added possibility to change arp, mtu, l2mtu values in datapath configuration;
*) capsman - fixed CAP upgrade when separate wireless package is used (introduced in 6.37);
*) capsman - use correct source address in reply to unicast discovery requests;
*) ccr - added AHCI driver for Samsung XP941 128GB AHCI M.2;
*) certificates - added support for PKCS#12 export;
*) certificates - allow import multiple certs with the same key;
*) certificates - fixed crash when crl is removed while it is being fetched;
*) certificates - fixed trust chain update on local certificate revocation in programs using ssl;
*) certificates - if no name provided create certificate name automatically from certificate fields;
*) console - fixed multi argument value unset;
*) crs - added comment ability in more switch menus;
*) crs - fixed rare kernel failure on switch reset (for example, reboot);
*) dhcp - fixed DNS server assignment to client if dynamic server exists and is from another IP family;
*) dhcp - fixed issue when dhcp-client was still possible on interfaces with "slave" flag and using slave interface MAC address;
*) dhcp - show dhcp server as invalid and log an error when interface becomes a slave;
*) dhcp-server - fixed when wizard was unable to create pool >dhcp_pool99;
*) discovery - added LLDP support;
*) discovery - removed 6to4 tunnels from "/ip neighbor discovery menu";
*) dns - added "max-concurrent-queries" and "max-concurrent-tcp-sessions" settings;
*) dude - (changes discussed here: viewtopic.php?f=8&t=112599);
*) ethernet - added "k" and "M" unit support to Ethernet Bandwidth setting;
*) ethernet - fixed "tx-fcs-error" on SFP+ interfaces when loop-protect is enabled;
*) export - do not show interface comment in "/ip neighbor discovery" menu;
*) export - updated default values to clean up export compact;
*) fastpath - fixed rare crash;
*) fastpath - fixed x86 bridge fast-path status shown as active even if it is manually disabled;
*) file - fixed file manager crash when file transfer gets cancelled;
*) firewall - added "creation-time" to address list entries;
*) firewall - added sctp/dccp/udp-lite support for "src-port", "dst-port", "port" and "to-ports" firewall options;
*) firewall - do not defragment packets which are marked with "notrack" in raw firewall;
*) firewall - fixed "time" option by recognizing weekday properly (introduced in v6.37.2);
*) firewall - fixed dynamic raw rule behaviour;
*) firewall - fixed rule activation if "time" option is used and no other active rules are present;
*) firewall - increased max size of connection tracking table to 1048576;
*) firewall - new faster "connection-limit" option implementation;
*) firewall - significantly improved large firewall rule set import performance;
*) graphing - fixed queue graphs showing up in web interface if aggregate name size >57840 symbols;
*) health - show power consumption on devices which has voltage and current monitor;
*) hotspot - fixed nat rule port setting in "hs-unauth-to" chain by changing it from "dst-port" to "src-port" on Walled Garden ip "return" rules;
*) interface - changed loopback interface mtu to 1500;
*) interface - do not treat multiple zeros as single zero on name comparison;
*) interface - show link stats in "/interface print stats-detail" output;
*) ipsec - added ability to specify static IP address at "send-dns" option;
*) ipsec - added ph2 accounting for each policy "/ip ipsec policy ph2-count";
*) ipsec - allow to specify explicit split dns address;
*) ipsec - changed logging topic from error to debug when empty pfkey messages are received;
*) ipsec - do not auto-negotiate more SAs than needed;
*) ipsec - ensure generated policy refers to valid proposal;
*) ipsec - fixed camellia crypto algorithm module loading;
*) ipsec - fixed IPv6 remote prefix;
*) ipsec - fixed kernel failure on tile with sha256 when hardware encryption is not being used;
*) ipsec - fixed peer configuration my-id IPv4 address endianness;
*) ipsec - fixed ph2 auto-negotiation by checking policies in correct order;
*) ipsec - load ipv6 related modules only when ipv6 package is enabled;
*) ipsec - make generated policies always as unique;
*) ipsec - non passive peers will also establish SAs from policy without waiting for the first packet;
*) ipsec - optimized logging under ipsec topic;
*) ipsec - show active flag when policy has active SA;
*) ipsec - show SA "enc-key-size";
*) ipsec - split "mode-config" and "send-dns" arguments;
*) ipv6 - added "no-dad" setting to ipv6 addresses;
*) ipv6 - fixed "accept-router-advertisements" behaviour;
*) ipv6 - moved empty IPv6 pool error message to error topic;
*) lcd - improved performance, causes less cpu load;
*) led - fixed dark mode for cAP 2nD (http://wiki.mikrotik.com/wiki/Manual:Sy ... ds_Setting);
*) log - fixed "System rebooted because of kernel failure" message to show after 1st crash reboot;
*) lte - added support for more Vodafone K4201-Z, Novatel USB620L, PANTECH UML295 and ZTE MF90 modems;
*) lte - allow to execute concurrent info commands;
*) lte - fixed dwm-222, Pantech UML296 support;
*) lte - fixed init delay after power reset;
*) lte - increased delay when setting sms send mode;
*) lte - return info data when all the fields are populated;
*) metarouter - fixed startup process (introduced in 6.37.2);
*) mmips - fixed traffic accounting in "/interface" menu;
*) ospf - fixed route crash caused by memory corruption when there are multiple active interfaces;
*) ppp - fixed packet size calculation when MRRU is set (was 2 bytes bigger than MTU allows);
*) ppp - significantly improved shutdown speed on servers with many active tunnels;
*) ppp - significantly improved tunnel termination process on servers with many active tunnels;
*) profile - added "bfd" and "remote-access" processes;
*) profile - added ability to monitor cpu usage per core;
*) profile - make profile work on mmips devices;
*) profile - properly classify "wireless" processes;
*) queue - fixed "time" option by recognizing weekday properly (introduced in v6.37.2);
*) radius - added IPSec service (cli only);
*) rb750Gr3 - fixed ipsec with 3des+md5 to work on this board;
*) rb850Gx2 - fixed pcb temperature monitor if temperature was above 60C;
*) resolver - ignore cache entries if specific server is used;
*) routerboot - show log message if router CPU/RAM is overclocked;
*) script - increment run count value when script is executed from snmp;
*) snmp - always report bonding speed as speed from first bonding slave;
*) snmp - fixed rare crash when incorrectly formatted packet was received;
*) snmp - provide sinr in lte table;
*) ssh - added routing-table setting (cli only);
*) ssh - fixed lost "/ip ssh" settings on upgrade from version older than 5.15;
*) system - reboot device on critical program crash;
*) tile - fixed kernel failure when IPv6 ICMP packet is sent through PPP interface;
*) time - updated time zones;
*) traceroute - fixed memory leak;
*) traffic-flow - fixed flow sequence counter and length;
*) trafficgen - fixed compact export when "header-stack" includes tcp;
*) trafficgen - fixed crash when IPv6 traffic is processed;
*) trafficgen - fixed potential crash when very big frame is generated;
*) trafficgen - improved fastpath support;
*) tunnel - fixed transmit packets occasionally not going through fastpath;
*) tunnel - properly export keepalive value;
*) usb - fixed kernel failure when Nexus 6P device is removed;
*) users - added minimal required permission set for full user group;
*) users - added TikApp policy;
*) vlan - allow to add multiple VLANs which name starts with same number and has same length;
*) vrrp - do not show unrelated log warning messages about version mismatch;
*) watchdog - do not send supout file if "auto-send-supout" is disabled;
*) webfig - added extra protection against XSS exploits;
*) webfig - show ipv6 addresses correctly;
*) webfig - show properly interface last-link-up/down times;
*) winbox - added "Complete" flag to arp table;
*) winbox - added "untracked" option to firewall "connection-state" setting;
*) winbox - added Dude icon to Dude menu;
*) winbox - allow to enable/disable traffic flow targets;
*) winbox - allow to run profile from "/system resources" menu;
*) winbox - allow to specify interface for leds with "interface-speed" trigger;
*) winbox - do not allow to set "loop-protect-send-interval" to 0s;
*) winbox - do not show hotspot user profile incoming and outgoing filters and marks as set if there is no value specified;
*) winbox - fixed crash when legacy Winbox version was used;
*) winbox - fixed default values for interface "loop-protect-disable-time" and "loop-protect-send-interval";
*) winbox - fixed missing "IPv6/Settings" menu;
*) winbox - fixed typo in "propagate-ttl" setting;
*) winbox - make cert signing include provided ca-crl-host;
*) winbox - moved ipsec peer "exchange-mode" to General tab;
*) winbox - properly show VHT basic and supported rates in CAPsMAN;
*) winbox - removed spare values from loop-protect menu;
*) winbox - show all related HT tab settings in 2GHz-g/n mode;
*) winbox - show primary and secondary ntp addresses as 0.0.0.0 if none are set;
*) winbox - show proper ipv6 connection timeout;
*) wireless - added API command to report country-list (/interface/wireless/info/country-list);
*) wireless - added CRL checking for eap-tls;
*) wireless - fixed action frame handling for WDS nodes;
*) wireless - fixed custom channel extension-channel appearance in console;
*) wireless - fixed full "spectral-history" header print on AP modes;
*) wireless - fixed rare kernel failure when connecting to nv2 access point with legacy rate select;
*) wireless - fixed upgrade from older wireless packages when AP interface had empty SSID;
*) wireless - take in account channel width when returning supported channels;
*) wireless - use VLAN ID 0 in RADIUS message to disable VLAN tagging;

If you experience version related issues, then please send supout file from your router to [email protected]. File must be generated while router is not working as suspected or after crash.
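First, as an important update: to avoid STP/RSTP compatibility issues with older RouterOS versions, upgrade RouterOS on all routers in L2 networks that use VLAN and STP/RSTP configurations.
- In addition, as a new feature starting with RouterOS 6.38, IPsec now supports IKEv1/v2.
- "max-concurrent-queries" and "max-concurrent-tcp-sessions" have been added to DNS, allowing finer-grained control.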