RouterOS – Changelog – 15.12.2015

Hier der aktuelle Changelog des RouterOS – Stand: 15.12.2015


What’s new in 6.33.3 (2015-Dec-03 16:08):
*) ethernet – fixed 10/100Mbps autonegotiation fails on RB922UAGS ether1 (introduced in v6.33.2);
*) upnp – fixed memory leak;
*) ssh – avoid double session cleanup;
*) email – make password field sensitive in console.
What’s new in 6.33.2 (2015-Nov-27 15:00):
*) bridge – fixed power-cycle-ping for bridge ports (was affecting all bridge);
*) ethernet – fixed link resetting on power-cycle-ping value change;
*) ppp – fixed dynamic filter rule adding on some firewall filter configurations;
*) pppoe – improved MTU discovery compatibility with other vendors;
*) pppoe – made MTU discovery more robust;
*) pppoe – fixed compliance to RFC4638 (MTU larger than 1488) again;
*) vrrp – fix arp=reply-only;
*) vrrp – do not warn about version mismatch if VRID does not match;
*) vrrp – allow VRRP to work behind firewall and NAT rules;
*) vrrp – fixed on-backup script;
*) dhcpv4 server – fix kernel crash when restoring lease with queue for non-existent server;
*) dhcpv4-client – support /32 address assignment;
*) ssh – fix key exchange when first kex packet follows.
What’s new in 6.33.1 (2015-Nov-17 09:55):
*) licensing – fix unneeded connection attempts to 169.254.x.x must be CHR only (introduced in 6.33);
*) pppoe – fixed compliance to RFC4638 for MTU larger than 1488 (introduced in 6.33);
*) CRS2xx – fixed occasional switchip resets (broken in 6.33);
*) fastpath – fixed wireless interface fastpath (broken in 6.33);
*) smb – fixed SMB share crash when connection was cancelled;
*) lcd – fixed LCD crash on fast disable/enable;
*) lcd – refresh LCD after display command is executed;
*) vrrp – fix enabling disabled vrrp interface when vrrp program has exited;
*) winbox – do not send any changes on OK button press if nothing has been changed;
*) www – put correct path to Winbox v3.0 for new installations with branding package;
*) webfig – show correctly SFP Tx/Rx;
*) winbox – renamed power-cycle-ping-interval to power-cycle-ping-timeout;
*) hotspot – fixed missing image at login;
*) netinstall – fix branding pack parsing;
*) packages – show version tag when no bundle is installed.
What’s new in 6.33 (2015-Nov-06 12:49):
*) dns – initial fix for situation when dynamic dns servers could disappear;
*) winbox – dropped support for winbox v3.0beta and v3.0rc (use winbox v3.0);
*) dhcpv6 – various improvement and fixes for dhcp-pd client and ippool6;
*) defconf – fixed rare situation where configuration was only partially loaded;
*) net – fix possible never ending loop when bad CDP discovery packet is received;
*) log – make default disk file name to reside in flash dir if it exists;
*) romon – change port list to be not ordered in export;
*) capsman – limit number of simultaneous DTLS handshakes;
*) capsman – fixed memory leak on CAP joining CAPsMAN when ssld is used;
*) winbox – added allow-fast-path to eoip, gre & ipip;
*) winbox – do not show power-cycle properties on non poe ports;
*) l2tp: implemented PPPoE over L2TP in LNS mode, RFC3817;
*) webfig – some of the setting were shifted to the right;
*) packages – allow to reinstall from bundle to separate packages & vice versa;
*) packages – prefer out of bundle packages when both of them are installed;
*) packages – fix a problem of upgrading bundle package to non bundled ones;
*) ipsec – force flow cache validation once in 1h;
*) winbox – make sure that all setting names get shown in full;
*) winbox – added poe power-cycle-ping settings to ethernet interfaces;
*) ppp – handle properly case were ppp client is given same address for local & remote end;
*) winbox – added vlan-mode & vlan-id to virtual-ap interface;
*) winbox – added timeout column to ipv6 address lists;
*) winbox – show SFP Tx/Rx Power properly;
*) winbox – added min-links to bonding interface;
*) winbox – do not show health menu on RB951Ui-2HnD;
*) winbox – added support for Login-Timeout & MAC-Auth-Mode in hotspot;
*) cerm – added option to disable crl download in ‚/certificate settings‘;
*) winbox – make user ssh key import work again;
*) webfig – make „Copy to Access List“ work in CAPsMAN Registration Table;
*) userman – fix report generation problem which could result in some users being skipped from it;
*) winbox – fix to allow cpu-port as mirror-target
*) proxy – error.html parsing enhancement to improve performance
*) CCR1072 – improve ether1 performance under heavy load
*) routerboard – indicate RouterBOOT type in /system routerboard print;
*) mpls – properly use mpls mtu for routes;
*) cerm – fix key description for signed certificates;
*) trafflow – report flow addresses in v1 and v5 without NAT awareness;
*) hotspot – add mac-auth-mode setting for mac-as-passwd option;
*) hotspot – add login-timeout setting to force login for unauth hosts;
*) auto-upgrade – fixed auto upgrade for smipsbe;
*) dns – do not create duplicate entries for same dynamic dns server addresses;
*) ipsec – fix set on multiple policies which could result in adding non existent dynamic policies to the list;
*) email – allow server to be specified as fqdn which is resolved on each send;
*) fastpath – eoip,gre,ipip tunnels support fastpath (new per tunnel setting „allow-fast-path“);
*) ppp, pptp, l2tp, pppoe – fix ppp compression related crashes;
*) cerm – also accept downloaded CRLs in PEM format;
*) userman – added ‚history clear‘ to allow flushing undo history, which may take up significant amount of memory for huge databases with hundreds of users;
*) health – fix voltage for CRS109, CRS112 and CRS210 if powered from external adapter;
*) userman – added phone number support to signup form;
*) ip pool6 – try to acquire the same prefix if info matches recently freed;
*) ipsec – fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator;
*) ipsec – use local-address for phase 1 matching and initiation;
*) route – fixed crash on removing route that was aggregated;
*) ipsec – fix replay window, was accidentally disabled since version 6.30;
*) ssh – allow host key import/export;
*) ssh – use 2048bit RSA host key when strong-crypto enabled;
*) ssh – support RSA keys for user authentication;
*) wlan – improved WMM-PowerSave support in wireless-cm2 package;
*) pptp & l2tp – fixed problem where android client could not connect if both dns names were not provided (was broken since v6.30);
*) auto-upgrade – added ability to select which versions to select when upgrading;
*) quickset – fixed HomeAP mode;
*) lte – improved modem identification to better support multiple identical modems;
*) snmp – fix system scripts table;
*) tunnels – eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;
*) fastpath – active mac-winbox or mac-telnet session no longer suspends fastpath;
*) fastpath – added per interface fastpath counters;
*) fastpath – added trafflow support in basic ipv4 and fasttrack ipv4 fastpath;
*) ppp – added on-up & on-down scripts to ppp profile;
*) winbox – allow to specify dns name in all the tunnels;
*) pppoe – added support for MTU > 1492 on PPPoE;
*) cerm – fix scep server certificate-reply degenerate PKCS#7 signed-data content;
*) ppp-client – added default channels for Alcatel OneTouch L100V;
*) defconf – fix for boards that had bridge with only wlan ports;
*) ovpn: support OpenWRT ovpn clients (or any other with enable-small option enabled);
*) cerm – use certificate file name for imported cert name;
*) fetch – fixed error message when error code 200 was received;
*) cerm – rebuild crl for local ca if crl file does not exist;
*) winbox – make directed broadcasts work for neighbor discovery;
*) upnp: automatically adjust mappings to new external ip change;
*) ppp – added ppp interface to upnp internals/externals if requested;
*) ppp – when adding ipv6 default route use user provided distance;
*) userman – allow to correctly enable CoA on router;
*) cerm – show crl nextupdate time;
*) ppp – added CoA support to PPPoE, PPTP & L2TP (Mikrotik-Recv-Limit, Mikrotik-Xmit-Limit, Mikrotik-Rate-Limit, Ascend-Data-Rate, Ascend-XMit-Rate, Session-Timeout);
*) ppp – added new option under „ppp aaa“ – „use-circuit-id-in-nas-port-id“;
*) userman – refresh active sessions/users view dynamically;
*) package – added version tag and show everywhere alongside of version number;
*) wlan – improved 802.11 protocol single connection TCP performance for ac chipset with cm2 package.
What’s new in 6.32.2 (2015-Sep-17 15:20):
*) cerm – guard template from parallel use
*) mipsle – fixed missing second level menu in CLI;
*) sstp – avoid routing loops on client when adding default route;
*) sstp – fixed problem where sometimes sstp ip addresses were invalid;
*) switch – fixed bogus log messages about excessive broadcasts/multicasts on master-port;
*) tftp – fix request file name reading from packet
*) pptp encryption – better handling for out-of-order packets;
*) ethernet – added support for new ASIX USB Ethernet dongles;
*) CAPsMAN – fix 100% CPU usage when trying to upgrade RouterOS on CAP;
*) upgrade – fixed default configuration export;
*) ppp – fixed ppp interface stuck in not running state;
*) ipsec – fixed kernel failure when packets were not ordered on first call;
*) upnp – randomize action urls to fix „filet-o-firewall“ vulnerability;
*) RB532/RB564 – fixed no link after ethernet disable/enable;
*) romon – fixed default configuration export;
*) tile – fixed occasional deadlock on module unload;
*) mesh – fix router lock-up when interface is added/removed;
*) ipsec – fix sockaddr buf size on id generation for ipv6 address;
*) health – show correct voltage for CRS109,CRS112,CRS210 when powered through PSU and show voltage up to 27V when powered through PoE;
*) email – resolve server address;
*) snmp – show firmware upgrade info;
*) upgrade – report status in check-for-updates.
What’s new in 6.32.1 (2015-Sep-07 13:03):
*) RB911/912 – fixed lock-up;
*) RB493G – fixed reboot loop;
*) firewall – do not lose firewall mangle rules on start-up;
*) defconf – fix default configuration for routers without wireless package.
What’s new in 6.32 (2015-Aug-31 14:47):
*) trafflow – added support for IPv6 targets;
*) switch – fixed port flapping on switch ports of RB750, RB750UP, RB751U-2HnD and RB951-2N (introduced in 6.31)
*) ipsec – added compatibility option skip-peer-id-check;
*) flash – fix kernel failure (exposed by 6.31);
*) bridge firewall – add ipv6 src/dst addr, ip protocol, src/dst port matching to bridge firewall;
*) RB911/RB912 – fix SPI bus lock after fast led blink;
*) ipsec – fix potential memory leak;
*) bridge firewall – vlan matchers support service tag – 0x88a8;
*) ippool6 – try to acquire the same prefix if info matches recently freed;
*) crs switch – allow to unset port learn-limit, new default is unset to allow more than 1023 hosts per port;
*) x86 – fixed 32bit multi-cpu kernel support;
*) chr – add hotspot,btest,traffgen support;
*) revised change that caused reboot by watchdog problems introduced in v6.31;
*) ipsec – use local-address for phase 1 matching and initiation;
*) ipsec – fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator;
*) certificates -fixed bug where crl stopped working after a while;
*) ip accounting – fixed kernel crash;
*) snmp – fix system scripts get;
*) hotspot – ignore PoD remote requests if no HotSpot configured;
*) hotspot – fix kernel failure when www plugin aborts on broken html source;
*) torch – add invert filter for src/dst/src6/dst6 addresses ;
*) bonding – add min_links property for 802.3ad mode;
*) snmp – get vlan speed from master interface;
*) hotspot – fix html-directory path on small flash devices;
*) mipsbe – make system shutdown work again;
*) lcd – fixed parallel port LCD display support on multi-cpu x86;
*) bridge – fixed use-ip-firewall-for-vlan in setups with multiple bridges;
*) ipv6 – fixed DHCP-PD client skips some steps when renewing lease;
*) upnp – fixed protocol port selection for upnp protocol comunications;
*) firewall – fixed limit and dst-limit options.
*) winbox – fixed wireless interface l2mtu (VirtualAP and WDS interface creation in winbox)
*) winbox – fixed multiple firewall rule moving in Winbox 2
*) simple queues – restrict all changes in dynamic simple queues
What’s new in 6.31 (2015-Aug-14 15:42):
*) check-for-update – added ability to select versions channel to check
(bugfix, current, RC or development)
*) demo mode of Cloud Hosted Router (CHR) added
*) chr – added x86_64 image for use in virtual environments
*) chr – added support for VMware SCSI virtual disks
*) chr – added support for VMware vmxnet3 network card
*) chr – added support for HyperV SCSI disks
*) chr – added support for HyperV Ethernet interfaces
*) chr – added support for virtio disks
*) fixed occasional interface resetting on CRS switches
*) fixed ethernet stopping on RB NetMetal / SXTG-5HPacD 10Mbit and 100Mbit links
*) ipsec – fixed crash in when gcm encryption was used
*) ipsec – allow to set peer address as „::/0“
*) ipsec – fixed empty sa-src address on acquire in tun mode
*) ipsec – show proposal info in export ipsec section
*) ipsec – preserve port wildcard when generating policy without port override
*) ipsec – fixed replay window, was accidentally disabled since version 6.30;
*) certificate manager – fixed memory leak
*) ssh – allow host key import/export
*) ssh – use 2048bit RSA host key when strong-crypto enabled
*) ssh – support RSA keys for user authentication
*) conntrack – fixed problem with manual connection removal
*) conntrack – added tcp-max-retrans-timeout and tcp-unacked-timeout
*) wireless – implemented l2mtu update if wireless-cm2 is enabled
*) wireless – improved WMM-PowerSave support in wireless-cm2 package
*) mpls – better multicore support for VPLS ingress/egress
*) ovpn – better multicore support for interface initialization/authentication/creation.
*) mesh – performance improvement
*) pptp & l2tp – fixed problem where android client could not connect if both dns names were not provided (was broken since v6.30)
*) user-manager – fixed username was not shown in /tool user-manager user
*) user-manager – fixed zoom for user-manager homepage when mobile devices used
*) winbox – restrict change dynamic interface fields
*) winbox – also hide passphrase in CAPsMAN with „Hide Password“
*) winbox – restrict reversed ranges in dst-port under firewall
*) quickset – fixed HomeAP mode
*) lcd – added LCD package for all architectures (for serial port LCD modules)
*) lcd – fixed crash (and 100% cpu usage) when interface gets removed from „stats-all“ screen
*) tool fetch – fixed incomplete ftp download
*) tool fetch – don’t trim [t]ftp leading slashes
*) proxy – adjust time according to time-zone settings in proxy cache contents.
*) bridge fastpath – fixed updating bridge FDB on receive (could cause TX traffic flooding on all bridge ports)
*) bonding fastpath – fixed possible crash when bonding master was also a bridge port
*) route – fixed crash on removing route that was aggregated
*) romon – fixed crash on SACKed tx segments
*) lte – improved modem identification to better support multiple identical modems
*) snmp – fixed system scripts table
*) traffic flow – fixed dynamic input/output interface reporting
*) ipv6 dhcp-relay – fixed problem loading configuration
known issue:
*) Dynamic DNS servers can disappear when „allow-remote-requests“ are not enabled
What’s new in 6.30 (2015-Jul-08 09:07):
*) wireless – added WMM power save suport for mobile devices;
*) firewall – sip helper improved, large packets no longer dropped;
*) fixed encryption ‚out of order‘ problem on SMP systems;
*) email – fix sending multiple consecutive emails;
*) fixed router lockup on leap seconds with installed ntp package;
*) ccr – made hardware watchdog work again (was broken since v6.26);
*) console – allow users with ‚policy‘ policy to change script owner;
*) icmp – use receive interface address when responding with icmp errors;
*) ipsec – fail ph2 negitioation when initiator proposed key length
does not match proposal configuration;
*) timezone – updated timezone information to 2015e release;
*) ssh – added option ‚/ip ssh stong-crypto‘
*) wireless – improve ac radio coexistence with other wireless clients, optimized
transmit times to not interfere with other devices;
*) console – values of $“.id“, $“.nextid“ and $“.dead“ are avaliable for
use in ‚print where‘ expressions;
*) console – ‚:execute‘ command now accepts script source in „{}“ braces,
like ‚/system scripts add source=‘ does;
*) console – ‚:execute‘ command now returns internal number of running job,
that can be used to check and stop execution. For example:
:local j [:execute {/interface print follow where [:log info „$name“]}]
:delay 10s
:do { /system script job remove $j } on-error={}
*) console – firewall ‚print‘ commands now show all entries including
dynamic, ‚all‘ argument now has no effect;
*) ipsec – increase replay window to 128;
*) fixed file transfer on devices with large RAM memory;
*) pptp – fixed „encryption got out of sync“ problem;
*) ppp – disable vj tcp header compression;
*) api – reduce api tcp connection keepalive delay to 30 seconds,
will timeout idle connections in about 5 minutes;
*) pptp & l2tp & sstp client: support the case were server issues its tunnel
ip address the same as its public one;
*) removed wireless package from routeros bundle package,
new wireless-fp is left in place and wireless-cm2 added as option;
*) pptp & l2tp client: when adding default route, add special exception route for
a tunnel itself (no need to add it manually anymore);
*) improved connection list: added connection packet/byte counters,
added separate counters for fasttrack, added current rate display,
added flag wheather connection is fasttracked/srcnated/dstnated,
removed 2048 connection entry limit;
*) tunnels – eoip, eoipv6, gre,gre6, ipip, ipipv6, 6to4 tunnels
have new property – ipsec-secret – for easy setup of ipsec
encryption and authentication;
*) firewall – added ipsec-policy matcher to check wheather packet
was/will be ipsec processed or not;
*) possibility to disable route cache – improves DDOS attack
handling performance up to 2x (note that ipv4 fastpath depends on route cache);
*) fasttrack – added dummy firewall rule in filter and mangle tables
to show packets/bytes that get processed in fasttrack and bypass firewall;
*) fastpath – vlan interfaces support fastpath;
*) fastpath – partial support for bonding interfaces (rx only);
*) fastpath – vrrp interfaces support fastpath;
*) fixed memory leak on CCR devices (introduced in 6.28);
*) lte – improved modem identification to better support multiple identical modems;
*) snmp – fix system scripts table;
What’s new in 6.29 (2015-May-27 11:19):
*) ssh server – use custom generated DH primes when possible;
*) ipsec – allow to specify custom IP address for my_id parameter;
*) ovpn server – use subnet topology in ip mode if netmask is provided (makes android & ios
clients work);
*) console – allow ‚-‚ characters in unknown command argument names;
*) snmp – fix rare bug when some OIDs where skipped;
*) ssh – added aes-ctr cipher support;
*) mesh – fixed kernel crash;
*) ipv4 fasttrack fastpath – accelerates connection tracking and nat for marked
connections (more than 5x performance improvement compared to regular slow
path conntrack/nat) – currently limited to TCP/UDP only;
*) added ~fasttrack-connection~ firewall action in filter/mangle tables for marking
connections as fasttrack;
*) added fastpath support for bridge interfaces – packets received and transmitted
on bridge interface can go fastpath (previously only bridge forwarded packets
could go fastpath);
*) packets now can go half-fastpath – if input interface supports fastpath and
packet gets forwarded in fastpath but output interface does not support fastpath
or has interface queue other than only-hw-queue packet gets converted
to slow path only at the dst interface transmit time;
*) trafflow: add natted addrs/ports to ipv4 flow info;
*) tilegx: enable autoneg for sfp ports in netinstall;
*) health – fix voltage on some RB4xx;
*) romon – fix 100% CPU usage;
*) romon – moved under tools menu in console;
*) email – store hostname for consistency;
*) vrrp – do not reset interface when no interesting config changes;
*) fixed async. ppp server;
*) sstp – fixed router lockup.
*) queue tree: some queues would stop working after some configuration changes;
*) fixed CRS226 10G ports could lose link (introduced in 6.28);
*) fixed FREAK vulnerability in SSL & TLS;
*) firewall – fixed sector writes rising starting since 6.28;
*) improved support for new hEX lite;
What’s new in 6.28 (2015-Apr-15 15:18):
*) email – increase server greeting timeout to 60s;
*) lte – ZTE MF823 may loose configuration;
*) userman – update paypal root certificate;
*) timezone – updated timezone information to 2015b release;
*) cm2 – fixed capsman v2 100% CPU and other stability improvements;
*) route – using ldp could cause connected routes with
invalid interface nexthop;
*) added support for SiS 190/191 PCI Ethernet adapter;
*) made metarouter work on boards with 802.11ac support or usb LTE;
*) sstp server – allow ADH only when no certificate set;
*) make fat32 disk formatting support disks bigger than 134GiB;
*) fixed tunnels – could crash when clamp-tcp-mss was enabled;
*) added basic counters for ipv4/bridge fast path, also show status wether fast
path is active at all;
*) trafflow: – fixed crash on disable;
*) pppoe over eoip – fixed crash with large packets;
*) tilegx – fixed memory leak when queue settings are changed;
*) ar9888 – fixed crash when hw reports invalid rate;
*) console – fixed „in“ operator in console;
*) console – make „/system package update print“ work again.
*) tile – rare situation when CCR devices failed to auto-negotiate ethernet link (introduced in v6.25);
*) dhcpv4 client – it is now possible to unset default clientid and hostname options
*) initial RoMon (Router Management Overlay Network) support added.
What’s new in 6.27 (2015-Feb-11 13:24):
*) console – added ‚comment‘ parameter for ‚/system script‘
*) api – return sentences can have property „.section“ that groups values
from commands such as „monitor“, „traceroute“,
„print“ (with non-zero ‚interval‘ value);
*) cloud – add time zone detection feature „/system clock time-zone-autodetect“;
*) cloud – rename „/ip cloud enabled“ to „/ip cloud ddns-enabled“;
*) cloud – make „/ip cloud update-time“ independent from „/ip cloud ddns-enabled“
*) cloud – when setting „/ip cloud ddns-enabled“ to „no“ router will send
message to server to disable DNS name for this routerboard;
*) cloud – „/ip cloud force-update“ command now will work also when
„/ip cloud ddns-enabled = no“. usefull if user wants to disable DDNS;
*) RB4xxGL – improved ethernet throughput (less dropped packets);
*) RouterBOARD – fixed health reporting;
*) check-installation: fixed wrong kernel crc on powerpc boards
*) watchdog: fix software watchdog for x86
*) ssh – check conn state before sending disconnect message;
*) ipsec – fixed crash that happened in specific situation;

Schreibe einen Kommentar