The RouterOS current branch has been updated for the first time in about two months.
With the rc branch having gone as far as rc70, the changes cover a wide range.
Release 6.39 2017-04-28
What's new in 6.39 (2017-Apr-27 10:06):
!) bridge - added "fast-forward" setting and counters (enabled by default only for new bridges) (CLI only);
!) bridge - added support for special and faster case of fastpath called "fast-forward" (available only on bridges with 2 interfaces);
!) bridge - reverted bridge BPDU processing back to pre-v6.38 behaviour; (v6.40 will have another separate VLAN-aware bridge implementation);
!) filesystem - fixed rare situation when filesystem failed to read all configuration on startup;
!) filesystem - fixed rare situation when filesystem went into read-only mode (some configuration might have gotten lost on reboot);
!) firewall - discontinued support for p2p matcher (old rules will become invalid);
!) kernel - fixed UDP checksum handling in rare overflow situations;
!) l2tp - added fastpath support when MRRU is enabled;
!) ppp - completely rewritten internal fragmentation algorithm (when MRRU is used), optimized for multicore;
!) ppp - implemented internal algorithm for "change-mss", no mangle rules necessary;
!) pppoe - added fastpath support when MRRU and MLPPP are enabled;
!) quickset - configuration changes are now applied only on "OK" and "Apply" (not on mode change);
!) tile - fixed IPSec hardware acceleration out-of-order packet problem, significantly improved performance;
!) winbox - minimal required version is v3.11;
*) address - fixed crash when address is assigned to another bridge port;
*) api - fixed double dynamic flags for "/ip firewall address-list print";
*) capsman - added "extension-channel" XX and XXXX auto matching modes;
*) capsman - added "keepalive-frames" setting;
*) capsman - added "skip-dfs-channels" setting;
*) capsman - added CAP discovery interface list support;
*) capsman - added DFS support;
*) capsman - added EAP identity to registration table;
*) capsman - added ability to specify multiple channels in frequency field;
*) capsman - added save-channel option to speed up frequency selection on CAPsMAN restart;
*) capsman - added support for "background-scan" and channel "reselect-interval";
*) capsman - added support for static virtual interfaces on CAP;
*) capsman - changed channel "width" name to "control-channel-width" and changed default values;
*) capsman - improved CAP status querying;
*) capsman - improved support for communicating frame priority between CAP and CAPsMAN;
*) certificate - SCEP client now supports FQDN URL and port;
*) certificate - allow CRL address to be specified as DNS name;
*) console - fixed "/ip neighbor discovery" export;
*) console - fixed DHCP/PPP add-default-route distance minimal value to 1;
*) console - fixed crash;
*) console - fixed incorrect ":put [/lcd get enabled]" value;
*) ddns - improved "dns-update" authentication validation;
*) defconf - fixed Groove 52 ac band settings;
*) defconf - fixed default configuration generation when wireless package is disabled;
*) dhcp-client - added "script" option which executes script on state changes;
*) dhcpv4 - fixed string option parser;
*) dhcpv4-server - added "lease-hostname" script parameter;
*) dhcpv4-server - by default make server authoritative;
*) dhcpv4-server - do some lease checks only on enabled object;
*) discovery - fixed LLDP discovery, IPv6 address was not parsed correctly;
*) dude - (changes discussed here: https://forum.mikrotik.com/viewtopic.php?f=21&t=116471);
*) email - check for errors during SMTP exchange process;
*) ethernet - added "voltage-too-low" status for single port power injector devices;
*) ethernet - fixed "loop-protect" on "master-port";
*) ethernet - fixed rare switch chip hang (could cause port flapping);
*) ethernet - fixed unnecessary power cycle of powered device when changing any poe-out related setting on single port power injector devices;
*) ethernet - renamed "rx-lose" to "rx-loss" in ethernet statistics;
*) ethernet - reversed poe-priority on hEX PoE and OmniTIK 5 PoE to make "poe-priority" consistent to all other RouterOS priorities;
*) fastpath - fixed rare crash on devices with dynamic interfaces;
*) fetch - added "http-data" and "http-method" parameters to allow delete, get, post, put methods (content-type=application/x-www-form-urlencoded by default);
*) fetch - fixed authentication failure;
*) fetch - fixed download issue over HTTPS;
*) gps - added "fix-quality" and "horizontal-dilution" parameters;
*) graphing - fixed graph disappearance after power outage;
*) hotspot - added access to HTTP headers using $(http-header-name);
*) ike1 - fixed ph2 ID logging;
*) ike2 - allow multiple child SA traffic selectors on re-key;
*) ike2 - always replace empty TSi with configured address if it is available;
*) ike2 - check child state before allowing rekey;
*) ike2 - default to /32 peer address mask;
*) ike2 - fixed CTR mode;
*) ike2 - fixed EAP message length;
*) ike2 - fixed ISA handler object removal on SA delete;
*) ike2 - fixed RSA authentication without EAP;
*) ike2 - fixed ctr mode;
*) ike2 - fixed disabled DPD;
*) ike2 - fixed last EAP auth payload type;
*) ike2 - fixed ph2 state when sending notify;
*) ike2 - fixed policy release during SA negotiation;
*) ike2 - fixed state when sending delete packet;
*) ike2 - improved logging;
*) ike2 - kill only child SAs which are not re-keyed by remote peer;
*) ike2 - log RADIUS timeout message under error topic;
*) ike2 - remove old SA after rekey;
*) ike2 - send EAP identity as user-name RADIUS attribute;
*) ike2 - update "calling_station_id" RADIUS attribute;
*) ike2 - update peer identity after successful EAP authentication;
*) ippool - return proper error message when trying to create duplicate name;
*) ipsec - added "last-seen" parameter to active connection list;
*) ipsec - allow mixing aead algorithms in proposal;
*) ipsec - better responder flag calculator for console;
*) ipsec - disallow AH+ESP combined policies;
*) ipsec - do not lose "use-ipsec=yes" parameter after downgrade;
*) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;
*) ipsec - fixed "/ip ipsec policy group export verbose";
*) ipsec - fixed "mode-cfg" verbose export;
*) ipsec - fixed SA authentication flag;
*) ipsec - renamed "hw-authenc" flag to "hw-aead";
*) ipsec - show hardware accelerated authenticated SAs;
*) ipsec - updated tilera classifier for UDP encapsulated ESP;
*) l2tp - added support for multiple L2TP tunnels (not to be confused with sessions) between same endpoints (required in some LNS configurations);
*) l2tp - fixed hidden attribute decryption in forwarded CHAP responses for LNS;
*) l2tp-server - added "caller-id-type" to forward calling station number to RADIUS on authentication;
*) l2tp-server - added "use-ipsec=required" option;
*) l2tp-server - fixed upgrade to keep "use-ipsec=yes" in L2TP server;
*) leds - added LTE modem access technology trigger;
*) leds - changed error message on unsupported board;
*) leds - do not update single LED state when it is not changed;
*) leds - show warning on print when "modem-signal-threshold" is not available;
*) log - added "gps" topic;
*) log - added "tr069" topic;
*) log - added missing "license limit exceeded" log entry;
*) log - added warning when Winbox/Dude sessions were denied;
*) log - do not show changes in packet if NAT has not been used;
*) log - make SNMP logs more compact;
*) lte - added "session-uptime" in info command;
*) lte - added LTE signal level reading for Cinterion modems;
*) lte - added error handling for remote AT execute;
*) lte - added initial support for DWR-910 modem;
*) lte - added initial support for Quectel ec25;
*) lte - added initialization for Cinterion;
*) lte - added log entry for SMS delivery report;
*) lte - added support for Vodafone R216 (Huawei);
*) lte - buffer AT events while info command is active;
*) lte - fixed "/interface lte info X once";
*) lte - fixed IPv6 address prefix on interface;
*) lte - fixed network mode selection for me909u, mu609;
*) lte - fixed older standard CEREG parsing;
*) lte - fixed support for Huawei R216;
*) lte - fixed user-command;
*) lte - reset interface stats on "link-down";
*) netinstall - fixed typos;
*) ntp - restart NTP client when it is stuck in error state;
*) ppp - added "bridge-horizon" option under PPP/Profile;
*) ppp - added option to specify "interface-list" in PPP/Profile;
*) ppp - fixed rare kernel failure on PPP client connection;
*) ppp - fixed rare kernel failure when receiving IPv6 address on PPP interface;
*) ppp - include rates, limits and address-lists parameters in RADIUS accounting requests;
*) ppp-client - added support for Datacard 750UL, DWR-730 and K4607-Zr;
*) pppoe - added warning on PPPoE client/server, if it is configured on slave interface;
*) pppoe - set default keepalive 10s for newly created PPPoE clients;
*) quickset - added initial LTE AP mode support;
*) rb1100ahx2 - fixed random counter resets for ether12,13;
*) rb3011 - added partitioning support;
*) smb - fixed different memory leaks and crashes;
*) smb - fixed share path on devices with "/flash" directory;
*) smips - reduced RouterOS main package size;
*) snmp - "No Such Instance" error message is replaced with "No Such Object";
*) snmp - added fan-speed OIDs in "/system health print oid";
*) snmp - added optical table;
*) snmp - fixed rare crash;
*) snmp - improved getall filter;
*) snmp - improved response speed when multiple requests are received within short period of time;
*) snmp - increase engineBoots value on reboot;
*) snmp - optimized bridge table processing;
*) tile - added initial support for NVMe SSD disk drives;
*) tile - fixed IPSec crash (introduced in 6.39rc64);
*) tile - optimized hardware encryption;
*) tr069-client - added "Device.Hosts.Host.{i}." support;
*) tr069-client - added "Device.WiFi.NeighboringWiFiDiagnostic." support;
*) tr069-client - added "Ethernet.Interface.{i}.MACAddress" parameter;
*) tr069-client - added DHCP server support;
*) tr069-client - added Upload RPC "2 Vendor Log File" support;
*) tr069-client - added architecture name parameter (X_MIKROTIK_ArchName - vendor specific);
*) tr069-client - added basic stats parameters for some interface types;
*) tr069-client - added basic support for "/ip firewall filters";
*) tr069-client - added connection request authentication;
*) tr069-client - added firewall NAT support using vendor Parameters;
*) tr069-client - added parameters for DNS client management support;
*) tr069-client - added ping diagnostics support;
*) tr069-client - added support for escaped entity references (& < > ' ");
*) tr069-client - added support for managing "/system/identity/" value;
*) tr069-client - added support for memory and CPU load parameters;
*) tr069-client - added support for uploading/downloading factory script;
*) tr069-client - added traceroute diagnostics support;
*) tr069-client - close connection if CPE considers XML as invalid;
*) tr069-client - fixed "AddObjectResponse" InstanceNumber value;
*) tr069-client - fixed "Device.ManagementServer." value update;
*) tr069-client - fixed XML special character parsing;
*) tr069-client - fixed crash on =acs-url change special case;
*) tr069-client - fixed special escape characters on XML data send;
*) tr069-client - fixed write for "Device.ManagementServer.URL";
*) tr069-client - general improvements on reducing storage space;
*) tr069-client - generate random connection request target path;
*) tr069-client - hide "Device.PPP.Interface.{i}.Password" value;
*) tr069-client - improved LTE monitoring process;
*) tr069-client - increased performance on GetParameterValues;
*) tr069-client - made any Download RPC overwrite configuration except ".alter";
*) tr069-client - make more Parameters deny active notifications;
*) tr069-client - set CHR license ID as ".SerialNumber" value to avoid "no serial number" error in ACS;
*) traceroute - small fix;
*) tunnels - fixed reboot loop on configurations with IPIP and EoIP tunnels (introduced in 6.39rc68);
*) usb - added support for more CP210X devices;
*) userman - allow "name-for-user" to be empty and not unique;
*) userman - automatically select all newly created users to generate vouchers;
*) userman - fixed rare crash when User Manager requested file does not exist on router;
*) userman - fixed rare web interface crash while using Users section;
*) wAP ac - improved 2.4GHz wireless performance;
*) webfig - added menu bar to quickly select between Webfig, Quickset and Terminal;
*) webfig - allow shorten bytes to k,M,G in firewall "connection-bytes" and "connection-rates";
*) webfig - allow to change global variable contents;
*) webfig - allow to enter frequency ranges in wireless scan list;
*) webfig - allow to select "default-encryption" profile on PPP tunnels;
*) webfig - correctly specify routing filter prefix;
*) webfig - do not allow to reorder items if table is sorted by some column;
*) webfig - fixed bridge property display;
*) webfig - fixed delays on key press in terminal;
*) webfig - fixed tab ordering on Google Chrome;
*) webfig - fixed last-link-up & last-link-down time information;
*) webfig - improved field layout;
*) webfig - make Terminal window work within Webfig window;
*) webfig - show all available options under Advanced Mode for wireless interfaces;
*) webfig - show proper error messages for optional erroneous text fields;
*) winbox - added "Flush" button under unicast-fdb menu;
*) winbox - added "group-key-update" to CAPsMAN security settings;
*) winbox - added "k" and "M" unit support to PPP secret limit-bytes parameters;
*) winbox - added "memory-scroll", "filter-cpu", "filter-ipv6-address", "filter-operation-between-entries" parameters;
*) winbox - added "save-selected" setting under CAPsMAN channels;
*) winbox - added "static-virtual" to wireless CAP;
*) winbox - added GPS menu;
*) winbox - added protected routerboard parameters under routerboard settings menu;
*) winbox - allow shorten bytes to k,M,G in firewall "connection-bytes" and "connection-rates";
*) winbox - allow to change user password to empty one;
*) winbox - allow to not specify certificate in IPSec peer settings;
*) winbox - allow to specify "route-distance" in "dhcp-client" if "special-classless" mode is selected;
*) winbox - allow to specify certificate type when exporting it;
*) winbox - allow to specify interfaces that CAPsMAN can use for management;
*) winbox - allow unhide SNMP passwords;
*) winbox - allowed to specify static-dns as list;
*) winbox - do not allow Packet Sniffer "memory-limit" and "file-limit" lower than 10KiB;
*) winbox - do not create time field when copying CAPsMAN access list entry;
*) winbox - do not show "dpd-max-failures" on IKEv2;
*) winbox - do not show empty LTE fields in Info menu;
*) winbox - do not start Traffic Generator automatically when opening "Quick Start";
*) winbox - do not try to disable dynamic items from firewall tables;
*) winbox - fixed "Montly" typo to "Monthly" in Graphing menu;
*) winbox - fixed CAPsMAN channels frequency (allow to specify a list of them);
*) winbox - fixed IPSec "mode-config" DNS settings;
*) winbox - fixed issue when working IPSec policies were shown as invalid;
*) winbox - fixed misleading error when trying to export certificate;
*) winbox - fixed typo in BGP advertisements menu Aggragator->Aggregator;
*) winbox - hide "wps-mode" & "security-profile" in wireless nv2 mode;
*) winbox - hide health menu on RB450;
*) winbox - improved "/tool torch";
*) winbox - increased maximal number of Winbox sessions 20->100;
*) winbox - properly name CAP Interface on new interface creation;
*) winbox - properly show "dhcp-server" warnings;
*) winbox - properly show IPSec "installed-sa" "enc-algorithm" when it is aes-gcm;
*) winbox - properly show wireless registration table stat counters;
*) winbox - removed "sfp-rate-select" setting from ethernet interface;
*) winbox - removed unnecessary "/system health" menu on "hAP ac lite";
*) winbox - set default "dhcp-client" "default-route-distance" value to 1;
*) winbox - show "A" flag for IPSec policies;
*) winbox - show "H" flag for IPSec installed SAs;
*) winbox - show PoE-OUT current, voltage and power only on devices which can report these values;
*) wireless - added Egypt 5.8 country settings;
*) wireless - added PEAP authentication support for wireless station mode;
*) wireless - apply broadcast bit to DHCP requests when using "station-pseudobridge" mode;
*) wireless - do not allow equal MAC addresses between multiple Virtual APs when same "master-interface" is used;
*) wireless - fixed RBSXT5HacD2nr2 small channel support;
*) wireless - fixed crash while running "spectral-scan";
*) wireless - fixed dynamic wireless interface removal from bridge ports when changing wireless mode;
*) wireless - fixed false positive DFS radar detection caused by iPhone 6s devices;
*) wireless - fixed issue when wireless interfaces might not show up in CAP mode;
*) wireless - fixed occasional crash on interface disabling;
*) wireless - fixed rare crash on nv2 configurations;
*) wireless - fixed rare wireless ac interface lockup;
*) x86 - added support for NVMe SSD disk drives;
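Bridge interfaces now support fast-forward from the moment they are newly created. Alternatively, the setting can be changed from the CLI.
For firewall rules, the p2p matcher has been discontinued. No replacement has been announced, but I think Layer7 rules can probably be used instead (although I expect the CPU cost to be high).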
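Because the changelog says old p2p rules become invalid, it helps to find them in an exported configuration before upgrading. The following Python script is an added example, not part of the original post or MikroTik's tooling. The sample export is constructed, and the layout it assumes (a menu path on its own line, followed by "add" lines wrapped with a trailing backslash) is an assumption about the "/export" text being checked.

```python
import re

# Constructed sample of "/export" text (not taken from a real device).
SAMPLE_EXPORT = r'''# constructed sample export
/ip firewall filter
add action=drop chain=forward comment="block p2p" p2p=all-p2p
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="note: p2p=legacy" disabled=yes \
    p2p=bit-torrent src-address=192.168.88.0/24
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=p2p-traffic \
    passthrough=no
/queue simple
add max-limit=1M/1M name=p2p-limit target=192.168.88.0/24
'''

# key=value, where value is either a quoted string or a bare word.
PARAM = re.compile(r'(?<!\S)([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def logical_lines(text):
    """Undo the export's line wrapping: '\\' + newline + indentation."""
    return re.sub(r'\\\r?\n[ \t]*', '', text).splitlines()


def find_p2p_rules(text):
    """Return (menu, rule_index, p2p_value, disabled, comment) per hit."""
    hits, menu, index = [], None, 0
    for line in logical_lines(text):
        line = line.strip()
        if line.startswith('/'):            # menu path, e.g. /ip firewall filter
            menu, index = line, 0
            continue
        if not line.startswith('add '):     # skip comments, "set" lines, blanks
            continue
        params = {k: v[1:-1] if v.startswith('"') else v
                  for k, v in PARAM.findall(line)}
        # Only the real "p2p" key counts; "p2p" inside a comment or in
        # another parameter's value (new-packet-mark=p2p-traffic) does not.
        if menu and menu.startswith('/ip firewall') and 'p2p' in params:
            hits.append((menu, index, params['p2p'],
                         params.get('disabled') == 'yes',
                         params.get('comment', '')))
        index += 1
    return hits


if __name__ == '__main__':
    for menu, idx, value, disabled, comment in find_p2p_rules(SAMPLE_EXPORT):
        state = 'disabled' if disabled else 'ACTIVE'
        print(f'{menu} rule #{idx}: p2p={value} [{state}] {comment!r}')
```

Rules reported as ACTIVE are the ones whose filtering will silently stop applying once the matcher is gone, so they are the ones to replace or remove before the upgrade.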
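From this version, the minimum required Winbox version is v3.11. I think connecting itself is still possible with an older version, but display and other problems may occur.
For CAPsMAN, which enables remote management of Wi-Fi, the changes include automatic selection modes for extension-channel and the ability to skip DFS channels.
One of the more unusual changes is that the authentication handling of the fetch command has been changed. If you implement DDNS updates with a script or similar, I think you will need to revise it.
IPsec/IKEv2 has also received many fixes. I have not been able to check all of this area myself, so I think thorough testing is needed before applying this version.
Finally, from this version a large amount of implementation work has gone into TR069, a management protocol for network devices. Because there are not many deployments in Japan, I cannot offer anything that would serve as reference material, but I think it will become something interesting for managing Routerboard devices from here on.
The current branch has only just been updated, but at the same time rc2 has already been released on the rc branch. When I tested it, problems appeared, such as DHCPv6 not being received.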