MikroTik RouterOS v6.39 [current] publicado

Se ha publicado la versión v6.39 de la rama current del RouterOS con un gigante lista de cambios y agregados.

Tiene un llamado de atención importante para quienes utilicen únicamente WebFig para administrar el equipo.

Si únicamente se ha usado Webfig en el router a actualizar y nunca se ha usado CLI o Winbox, después de actualizar/reiniciar el router, éste se reseteará a la configuración por defecto.

Para evitar eso hay que conectarse al router vía CLI o Winbox antes de actualizar a la v6.39. Rechazar la configuración por defecto y luego actualizar. Este inconveniente será resuelto en la v6.39.1.

En éste release tenemos algunos cambios significativos como por ejemplo que ya no se tiene soporte a la regla p2p del firewall, en caso de tener alguna regla, ésta se convertirá en invalida.

El algoritmo de fragmentación interna ha sido completamente reescrito (cuando MRRU es usado) y ha sido optimizado para multicore.

El listado completo de cambios es:

WARNING!
This is applicable only for users using Webfig.
If you have only used Webfig on specific router and have never used CLI or Winbox on this device, then after upgrade/reboot device will be reset to default configuration.

Instructions to avoid this:
1) Connect to device through CLI or Winbox before upgrade to 6.39;
2) Reject default configuration;
3) Upgrade device.

The issue will be fixed in 6.39.1.

What's new in 6.39 (2017-Apr-27 10:06):

!) bridge - added "fast-forward" setting and counters (enabled by default only for new bridges) (CLI only);
!) bridge - added support for special and faster case of fastpath called "fast-forward" (available only on bridges with 2 interfaces);
!) bridge - reverted bridge BPDU processing back to pre-v6.38 behaviour; (v6.40 will have another separate VLAN-aware bridge implementation);
!) filesystem - fixed rare situation when filesystem failed to read all configuration on startup;
!) filesystem - fixed rare situation when filesystem went into read-only mode (some configuration might have gotten lost on reboot);
!) firewall - discontinued support for p2p matcher (old rules will become invalid);
!) kernel - fixed UDP checksum handling in rare oveflow situations;
!) l2tp - added fastpath support when MRRU is enabled;
!) ppp - completely rewritten internal fragmentation algorithm (when MRRU is used), optimized for multicore;
!) ppp - implemented internal algorithm for "change-mss", no mangle rules necessary;
!) pppoe - added fastpath support when MRRU and MLPPP are enabled;
!) quickset - configuration changes are now applied only on "OK" and "Apply" (not on mode change);
!) tile - fixed IPSec hardware acceleration out-of-order packet problem, significantly improved performance;
!) winbox - minimal required version is v3.11;
*) address - fixed crash when address is assigned to another bridge port;
*) api - fixed double dynamic flags for "/ip firewall address-list print";
*) capsman - added "extension-channel" XX and XXXX auto matching modes;
*) capsman - added "keepalive-frames" setting;
*) capsman - added "skip-dfs-channels" setting;
*) capsman - added CAP discovery interface list support;
*) capsman - added DFS support;
*) capsman - added EAP identity to registration table;
*) capsman - added ability to specify multiple channels in frequency field;
*) capsman - added save-channel option to speed up frequency selection on CAPsMAN restart;
*) capsman - added support for "background-scan" and channel "reselect-interval";
*) capsman - added support for static virtual interfaces on CAP;
*) capsman - changed channel "width" name to "control-channel-width" and changed default values;
*) capsman - improved CAP status querying;
*) capsman - improved support for communicating frame priority between CAP and CAPsMAN;
*) certificate - SCEP client now supports FQDN URL and port;
*) certificate - allow CRL address to be specified as DNS name;
*) console - fixed "/ip neighbor discovery" export;
*) console - fixed DHCP/PPP add-default-route distance minimal value to 1;
*) console - fixed crash;
*) console - fixed incorrect ":put [/lcd get enabled]" value;
*) ddns - improved "dns-update" authentication validation;
*) defconf - fixed Groove 52 ac band settings;
*) defconf - fixed default configuration generation when wireless package is disabled;
*) dhcp-client - added "script" option which executes script on state changes;
*) dhcpv4 - fixed string option parser;
*) dhcpv4-server - added "lease-hostname" script parameter;
*) dhcpv4-server - by default make server "authoritative";
*) dhcpv4-server - do some lease checks only on enabled object;
*) discovery - fixed LLDP discovery, IPv6 address was not parsed correctly;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=21&t=116471);
*) email - check for errors during SMTP exchange process;
*) ethernet - added "voltage-too-low" status for single port power injector devices;
*) ethernet - fixed "loop-protect" on "master-port";
*) ethernet - fixed rare switch chip hang (could cause port flapping);
*) ethernet - fixed unnecessary power cycle of powered device when changing any poe-out related setting on single port power injector devices;
*) ethernet - renamed "rx-lose" to "rx-loss" in ethernet statistics;
*) ethernet - reversed poe-priority on hEX PoE and OmniTIK 5 PoE to make "poe-priority" consistent to all other RouterOS priorities;
*) fastpath - fixed rare crash on devices with dynamic interfaces;
*) fetch - added "http-data" and "http-method" parameters to allow delete, get, post, put methods (content-type=application/x-www-form-urlencoded by default);
*) fetch - fixed authentication failure;
*) fetch - fixed download issue over HTTPS;
*) gps - added "fix-quality" and "horizontal-dilution" parameters;
*) graphing - fixed graph disappearance after power outage;
*) hotspot - added access to HTTP headers using $(http-header-name);
*) ike1 - fixed ph2 ID logging;
*) ike2 - allow multiple child SA traffic selectors on re-key;
*) ike2 - always replace empty TSi with configured address if it is available;
*) ike2 - check child state before allowing rekey;
*) ike2 - default to /32 peer address mask;
*) ike2 - fixed CTR mode;
*) ike2 - fixed EAP message length;
*) ike2 - fixed ISA handler object removal on SA delete;
*) ike2 - fixed RSA authentication without EAP;
*) ike2 - fixed ctr mode;
*) ike2 - fixed disabled DPD;
*) ike2 - fixed last EAP auth payload type;
*) ike2 - fixed ph2 state when sending notify;
*) ike2 - fixed policy release during SA negotion;
*) ike2 - fixed state when sending delete packet;
*) ike2 - improved logging;
*) ike2 - kill only child SAs which are not re-keyed by remote peer;
*) ike2 - log RADIUS timeout message under error topic;
*) ike2 - remove old SA after rekey;
*) ike2 - send EAP identity as user-name RADIUS attribute;
*) ike2 - update "calling_station_id" RADIUS attribute;
*) ike2 - update peer identity after successful EAP authentication;
*) ippool - return proper error message when trying to create duplicate name;
*) ipsec - added "last-seen" parameter to active connection list;
*) ipsec - allow mixing aead algorithms in proposal;
*) ipsec - better responder flag calculator for console;
*) ipsec - disallow AH+ESP combined policies ;
*) ipsec - do not loose "use-ipsec=yes" parameter after downgrade;
*) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;
*) ipsec - fixed "/ip ipsec policy group export verbose";
*) ipsec - fixed "mode-cfg" verbose export;
*) ipsec - fixed SA authentication flag;
*) ipsec - renamed "hw-authenc" flag to "hw-aead";
*) ipsec - show hardware accelerated authenticated SAs;
*) ipsec - updated tilera classifier for UDP encapsulated ESP;
*) l2tp - added support for multiple L2TP tunnels (not to be confused with sessions) between same endpoints (required in some LNS configurations);
*) l2tp - fixed hidden attribute decryption in forwarded CHAP responses for LNS;
*) l2tp-server - added "caller-id-type" to forward calling station number to RADIUS on authentication;
*) l2tp-server - added "use-ipsec=required" option;
*) l2tp-server - fixed upgrade to keep "use-ipsec=yes" in L2TP server;
*) leds - added LTE modem access technology trigger;
*) leds - changed error message on unsupported board;
*) leds - do not update single LED state when it is not changed;
*) leds - show warning on print when "modem-signal-threshold" is not available;
*) log - added "gps" topic;
*) log - added "tr069" topic;
*) log - added missing "license limit exceeded" log entry;
*) log - added warning when Winbox/Dude sessions were denied;
*) log - do not show changes in packet if NAT has not been used;
*) log - make SNMP logs more compact;
*) lte - added "session-uptime" in info command;
*) lte - added LTE signal level reading for Cinterion modems;
*) lte - added error handling for remote AT execute;
*) lte - added initial support for DWR-910 modem;
*) lte - added initial support for Quectel ec25;
*) lte - added initialization for Cinterion;
*) lte - added log entry for SMS delivery report;
*) lte - added support for Vodafone R216 (Huawei);
*) lte - buffer AT events while info command is active;
*) lte - fixed "/interface lte info X once";
*) lte - fixed IPv6 address prefix on interface
*) lte - fixed network mode selection for me909u, mu609;
*) lte - fixed older standard CEREG parsing;
*) lte - fixed support for Huawai R216;
*) lte - fixed user-command;
*) lte - reset interface stats on "link-down";
*) netinstall - fixed typos;
*) ntp - restart NTP client when it is stuck in error state;
*) ppp - added "bridge-horizon" option under PPP/Profile;
*) ppp - added option to specify "interface-list" in PPP/Profile;
*) ppp - fixed rare kernel failure on PPP client connection;
*) ppp - fixed rare kernel failure when receiving IPv6 address on PPP interface;
*) ppp - include rates, limits and address-lists parameters in RADIUS accounting requests;
*) ppp-client - added support for Datacard 750UL, DWR-730 and K4607-Zr;
*) pppoe - added warning on PPPoE client/server, if it is configured on slave interface;
*) pppoe - set default keepalive 10s for newly created PPPoE clients;
*) quickset - added initial LTE AP mode support;
*) rb1100ahx2 - fixed random counter resets for ether12,13;
*) rb3011 - added partitioning support;
*) smb - fixed different memory leaks and crashes;
*) smb - fixed share path on devices with "/flash" directory;
*) smips - reduced RouterOS main package size;
*) snmp - "No Such Instance" error message is replaced with "No Such Object";
*) snmp - added fan-speed OIDs in "/system health print oid";
*) snmp - added optical table;
*) snmp - fixed rare crash;
*) snmp - improved getall filter;
*) snmp - improved response speed when multiple requests are received within short period of time;
*) snmp - increase "engineBoots" value on reboot;
*) snmp - optimized bridge table processing;
*) tile - added initial support for NVMe SSD disk drives;
*) tile - fixed IPSec crash (introduced in 6.39rc64);
*) tile - optimized hardware encryption;
*) tr069-client - added "Device.Hosts.Host.{i}." support;
*) tr069-client - added "Device.WiFi.NeighboringWiFiDiagnostic." support;
*) tr069-client - added "Ethernet.Interface.{i}.MACAddress" parameter;
*) tr069-client - added DHCP server support;
*) tr069-client - added Upload RPC "2 Vendor Log File" support;
*) tr069-client - added architecture name parameter (X_MIKROTIK_ArchName - vendor specific);
*) tr069-client - added basic stats parameters for some interface types;
*) tr069-client - added basic support for "/ip firewall filters";
*) tr069-client - added connection request authentication;
*) tr069-client - added firewall NAT support using vendor Parameters;
*) tr069-client - added parameters for DNS client management support;
*) tr069-client - added ping diagnostics support;
*) tr069-client - added support for escaped entity references (& < > ' ");
*) tr069-client - added support for managing "/system/identity/" value;
*) tr069-client - added support for memory and CPU load parameters;
*) tr069-client - added support for uploading/downloading factory script;
*) tr069-client - added traceroute diagnostics support;
*) tr069-client - close connection if CPE considers XML as invalid;
*) tr069-client - fixed "AddObjectResponse" "InstanceNumber" value;
*) tr069-client - fixed "Device.ManagementServer." value update;
*) tr069-client - fixed XML special character parsing;
*) tr069-client - fixed crash on =acs-url change special case;
*) tr069-client - fixed special escape characters on XML data send;
*) tr069-client - fixed write for "Device.ManagementServer.URL";
*) tr069-client - general improvements on reducing storage space;
*) tr069-client - generate random connection request target path;
*) tr069-client - hide "Device.PPP.Interface.{i}.Password" value;
*) tr069-client - improved LTE monitoring process;
*) tr069-client - increased performance on GetParameterValues;
*) tr069-client - made any Download RPC overwrite configuration except ".alter";
*) tr069-client - make more Parameters deny active notifications;
*) tr069-client - set CHR license ID as ".SerialNumber" value to avoid "no serial number" error in ACS;
*) traceroute - small fix;
*) tunnels - fixed reboot loop on configurations with IPIP and EoIP tunnels (introduced in 6.39rc68);
*) usb - added support for more CP210X devices;
*) userman - allow "name-for-user" to be empty and not unique;
*) userman - automatically select all newly created users to generate vouchers;
*) userman - fixed rare crash when User Manager requested file does not exist on router;
*) userman - fixed rare web interface crash while using Users section;
*) wAP ac - improved 2.4GHz wireless performance;
*) webfig - added menu bar to quickly select between Webfig, Quickset and Terminal;
*) webfig - allow shorten bytes to k,M,G in firewall "connection-bytes" and "connection-rates";
*) webfig - allow to change global variable contents;
*) webfig - allow to enter frequency ranges in wireless scan list;
*) webfig - allow to select "default-encryption" profile on PPP tunnels;
*) webfig - correctly specify routing filter prefix;
*) webfig - do not allow to reorder items if table is sorted by some column;
*) webfig - fixed bridge property display;
*) webfig - fixed delays on key press in terminal;
*) webfig - fixed tab ordering on Google Chrome;
*) webfig - fixed "last-link-up" & "last-link-down" time information;
*) webfig - improved field layout;
*) webfig - make Terminal window work within Webfig window;
*) webfig - show all available options under "Advanced Mode" for wireless interfaces;
*) webfig - show proper error messages for optional erroneous text fields;
*) winbox - added "Flush" button under unicast-fdb menu;
*) winbox - added "group-key-update" to CAPsMAN security settings;
*) winbox - added "k" and "M" unit support to PPP secret limit-bytes parameters;
*) winbox - added "memory-scroll", "filter-cpu", "filter-ipv6-address", "filter-operation-between-entries" parameters;
*) winbox - added "save-selected" setting under CAPsMAN channels;
*) winbox - added "static-virtual" to wireless CAP;
*) winbox - added GPS menu;
*) winbox - added protected routerboard parameters under routerboard settings menu;
*) winbox - allow shorten bytes to k,M,G in firewall "connection-bytes" and "connection-rates";
*) winbox - allow to change user password to empty one;
*) winbox - allow to not specify certificate in IPSec peer settings;
*) winbox - allow to specify "route-distance" in "dhcp-client" if "special-classless" mode is selected;
*) winbox - allow to specify certificate type when exporting it;
*) winbox - allow to specify interfaces that CAPsMAN can use for management;
*) winbox - allow unhide SNMP passwords;
*) winbox - allowed to specify static-dns as list;
*) winbox - do not allow Packet Sniffer "memory-limit" and "file-limit" lower than 10KiB;
*) winbox - do not create time field when copying CAPsMAN access list entry;
*) winbox - do not show "dpd-max-failures" on IKEv2;
*) winbox - do not show empty LTE fields in Info menu;
*) winbox - do not start Traffic Generator automatically when opening "Quick Start";
*) winbox - do not try to disable dynamic items from firewall tables;
*) winbox - fixed "Montly" typo to "Monthly" in Graphing menu;
*) winbox - fixed CAPsMAN channels frequency (allow to specify a list of them);
*) winbox - fixed IPSec "mode-config" DNS settings;
*) winbox - fixed issue when working IPSec policies were shown as invalid;
*) winbox - fixed misleading error when trying to export certificate;
*) winbox - fixed typo in BGP advertisements menu Aggragator->Aggregator;
*) winbox - hide "wps-mode" & "security-profile" in wireless nv2 mode;
*) winbox - hide health menu on RB450;
*) winbox - improved "/tool torch";
*) winbox - increased maximal number of Winbox sessions 20->100;
*) winbox - properly name CAP Interface on new interface creation;
*) winbox - properly show "dhcp-server" warnings;
*) winbox - properly show IPSec "installed-sa" "enc-algorithm" when it is aes-gcm;
*) winbox - properly show wireless registration table stat counters;
*) winbox - removed "sfp-rate-select" setting from ethernet interface;
*) winbox - removed unnecessary "/system health" menu on "hAP ac lite";
*) winbox - set default "dhcp-client" "default-route-distance" value to 1;
*) winbox - show "A" flag for IPSec policies;
*) winbox - show "H" flag for IPSec installed SAs;
*) winbox - show PoE-OUT current, voltage and power only on devices which can report these values;
*) wireless - added Egypt 5.8 country settings;
*) wireless - added PEAP authentication support for wireless station mode;
*) wireless - apply broadcast bit to DHCP requests when using "station-pseudobridge" mode;
*) wireless - do not allow equal MAC addresses between multiple Virtual APs when same "master-interface" is used;
*) wireless - fixed RBSXT5HacD2nr2 small channel support;
*) wireless - fixed crash while running "spectral-scan";
*) wireless - fixed dynamic wireless interface removal from bridge ports when changing wireless mode;
*) wireless - fixed false positive DFS radar detection caused by iPhone 6s devices;
*) wireless - fixed issue when wireless interfaces might not show up in CAP mode;
*) wireless - fixed occasional crash on interface disabling;
*) wireless - fixed rare crash on nv2 configurations;
*) wireless - fixed rare wireless ac interface lockup;
*) x86 - added support for NVMe SSD disk drives;

Puede ser descargado desde el sitio de MikroTik en la sección descargas o desde el Winbox en System > Packges.