RouterOS – Changelog – 15.12.2015

Hier der aktuelle Changelog des RouterOS – Stand: 15.12.2015

What’s new in 6.33.3 (2015-Dec-03 16:08):

*) ethernet – fixed 10/100Mbps autonegotiation fails on RB922UAGS ether1 (introduced in v6.33.2);

*) upnp – fixed memory leak;

*) ssh – avoid double session cleanup;

*) email – make password field sensitive in console.

What’s new in 6.33.2 (2015-Nov-27 15:00):

*) bridge – fixed power-cycle-ping for bridge ports (was affecting all bridge);

*) ethernet – fixed link resetting on power-cycle-ping value change;

*) ppp – fixed dynamic filter rule adding on some firewall filter configurations;

*) pppoe – improved MTU discovery compatibility with other vendors;

*) pppoe – made MTU discovery more robust;

*) pppoe – fixed compliance to RFC4638 (MTU larger than 1488) again;

*) vrrp – fix arp=reply-only;

*) vrrp – do not warn about version mismatch if VRID does not match;

*) vrrp – allow VRRP to work behind firewall and NAT rules;

*) vrrp – fixed on-backup script;

*) dhcpv4 server – fix kernel crash when restoring lease with queue for non-existent server;

*) dhcpv4-client – support /32 address assignment;

*) ssh – fix key exchange when first kex packet follows.

What’s new in 6.33.1 (2015-Nov-17 09:55):

*) licensing – fix unneeded connection attempts to 169.254.x.x must be CHR only (introduced in 6.33);

*) pppoe – fixed compliance to RFC4638 for MTU larger than 1488 (introduced in 6.33);

*) CRS2xx – fixed occasional switchip resets (broken in 6.33);

*) fastpath – fixed wireless interface fastpath (broken in 6.33);

*) smb – fixed SMB share crash when connection was cancelled;

*) lcd – fixed LCD crash on fast disable/enable;

*) lcd – refresh LCD after display command is executed;

*) vrrp – fix enabling disabled vrrp interface when vrrp program has exited;

*) winbox – do not send any changes on OK button press if nothing has been changed;

*) www – put correct path to Winbox v3.0 for new installations with branding package;

*) webfig – show correctly SFP Tx/Rx;

*) winbox – renamed power-cycle-ping-interval to power-cycle-ping-timeout;

*) hotspot – fixed missing image at login;

*) netinstall – fix branding pack parsing;

*) packages – show version tag when no bundle is installed.

What’s new in 6.33 (2015-Nov-06 12:49):

*) dns – initial fix for situation when dynamic dns servers could disappear;

*) winbox – dropped support for winbox v3.0beta and v3.0rc (use winbox v3.0);

*) dhcpv6 – various improvement and fixes for dhcp-pd client and ippool6;

*) defconf – fixed rare situation where configuration was only partially loaded;

*) net – fix possible never ending loop when bad CDP discovery packet is received;

*) log – make default disk file name to reside in flash dir if it exists;

*) romon – change port list to be not ordered in export;

*) capsman – limit number of simultaneous DTLS handshakes;

*) capsman – fixed memory leak on CAP joining CAPsMAN when ssld is used;

*) winbox – added allow-fast-path to eoip, gre & ipip;

*) winbox – do not show power-cycle properties on non poe ports;

*) l2tp: implemented PPPoE over L2TP in LNS mode, RFC3817;

*) webfig – some of the setting were shifted to the right;

*) packages – allow to reinstall from bundle to separate packages & vice versa;

*) packages – prefer out of bundle packages when both of them are installed;

*) packages – fix a problem of upgrading bundle package to non bundled ones;

*) ipsec – force flow cache validation once in 1h;

*) winbox – make sure that all setting names get shown in full;

*) winbox – added poe power-cycle-ping settings to ethernet interfaces;

*) ppp – handle properly case were ppp client is given same address for local & remote end;

*) winbox – added vlan-mode & vlan-id to virtual-ap interface;

*) winbox – added timeout column to ipv6 address lists;

*) winbox – show SFP Tx/Rx Power properly;

*) winbox – added min-links to bonding interface;

*) winbox – do not show health menu on RB951Ui-2HnD;

*) winbox – added support for Login-Timeout & MAC-Auth-Mode in hotspot;

*) cerm – added option to disable crl download in ‚/certificate settings‘;

*) winbox – make user ssh key import work again;

*) webfig – make „Copy to Access List“ work in CAPsMAN Registration Table;

*) userman – fix report generation problem which could result in some users being skipped from it;

*) winbox – fix to allow cpu-port as mirror-target

*) proxy – error.html parsing enhancement to improve performance

*) CCR1072 – improve ether1 performance under heavy load

*) routerboard – indicate RouterBOOT type in /system routerboard print;

*) mpls – properly use mpls mtu for routes;

*) cerm – fix key description for signed certificates;

*) trafflow – report flow addresses in v1 and v5 without NAT awareness;

*) hotspot – add mac-auth-mode setting for mac-as-passwd option;

*) hotspot – add login-timeout setting to force login for unauth hosts;

*) auto-upgrade – fixed auto upgrade for smipsbe;

*) dns – do not create duplicate entries for same dynamic dns server addresses;

*) ipsec – fix set on multiple policies which could result in adding non existent dynamic policies to the list;

*) email – allow server to be specified as fqdn which is resolved on each send;

*) fastpath – eoip,gre,ipip tunnels support fastpath (new per tunnel setting „allow-fast-path“);

*) ppp, pptp, l2tp, pppoe – fix ppp compression related crashes;

*) cerm – also accept downloaded CRLs in PEM format;

*) userman – added ‚history clear‘ to allow flushing undo history, which may take up significant amount of memory for huge databases with hundreds of users;

*) health – fix voltage for CRS109, CRS112 and CRS210 if powered from external adapter;

*) userman – added phone number support to signup form;

*) ip pool6 – try to acquire the same prefix if info matches recently freed;

*) ipsec – fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator;

*) ipsec – use local-address for phase 1 matching and initiation;

*) route – fixed crash on removing route that was aggregated;

*) ipsec – fix replay window, was accidentally disabled since version 6.30;

*) ssh – allow host key import/export;

*) ssh – use 2048bit RSA host key when strong-crypto enabled;

*) ssh – support RSA keys for user authentication;

*) wlan – improved WMM-PowerSave support in wireless-cm2 package;

*) pptp & l2tp – fixed problem where android client could not connect if both dns names were not provided (was broken since v6.30);

*) auto-upgrade – added ability to select which versions to select when upgrading;

*) quickset – fixed HomeAP mode;

*) lte – improved modem identification to better support multiple identical modems;

*) snmp – fix system scripts table;

*) tunnels – eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;

*) fastpath – active mac-winbox or mac-telnet session no longer suspends fastpath;

*) fastpath – added per interface fastpath counters;

*) fastpath – added trafflow support in basic ipv4 and fasttrack ipv4 fastpath;

*) ppp – added on-up & on-down scripts to ppp profile;

*) winbox – allow to specify dns name in all the tunnels;

*) pppoe – added support for MTU > 1492 on PPPoE;

*) cerm – fix scep server certificate-reply degenerate PKCS#7 signed-data content;

*) ppp-client – added default channels for Alcatel OneTouch L100V;

*) defconf – fix for boards that had bridge with only wlan ports;

*) ovpn: support OpenWRT ovpn clients (or any other with enable-small option enabled);

*) cerm – use certificate file name for imported cert name;

*) fetch – fixed error message when error code 200 was received;

*) cerm – rebuild crl for local ca if crl file does not exist;

*) winbox – make directed broadcasts work for neighbor discovery;

*) upnp: automatically adjust mappings to new external ip change;

*) ppp – added ppp interface to upnp internals/externals if requested;

*) ppp – when adding ipv6 default route use user provided distance;

*) userman – allow to correctly enable CoA on router;

*) cerm – show crl nextupdate time;

*) ppp – added CoA support to PPPoE, PPTP & L2TP (Mikrotik-Recv-Limit, Mikrotik-Xmit-Limit, Mikrotik-Rate-Limit, Ascend-Data-Rate, Ascend-XMit-Rate, Session-Timeout);

*) ppp – added new option under „ppp aaa“ – „use-circuit-id-in-nas-port-id“;

*) userman – refresh active sessions/users view dynamically;

*) package – added version tag and show everywhere alongside of version number;

*) wlan – improved 802.11 protocol single connection TCP performance for ac chipset with cm2 package.

What’s new in 6.32.2 (2015-Sep-17 15:20):

*) cerm – guard template from parallel use

*) mipsle – fixed missing second level menu in CLI;

*) sstp – avoid routing loops on client when adding default route;

*) sstp – fixed problem where sometimes sstp ip addresses were invalid;

*) switch – fixed bogus log messages about excessive broadcasts/multicasts on master-port;

*) tftp – fix request file name reading from packet

*) pptp encryption – better handling for out-of-order packets;

*) ethernet – added support for new ASIX USB Ethernet dongles;

*) CAPsMAN – fix 100% CPU usage when trying to upgrade RouterOS on CAP;

*) upgrade – fixed default configuration export;

*) ppp – fixed ppp interface stuck in not running state;

*) ipsec – fixed kernel failure when packets were not ordered on first call;

*) upnp – randomize action urls to fix „filet-o-firewall“ vulnerability;

*) RB532/RB564 – fixed no link after ethernet disable/enable;

*) romon – fixed default configuration export;

*) tile – fixed occasional deadlock on module unload;

*) mesh – fix router lock-up when interface is added/removed;

*) ipsec – fix sockaddr buf size on id generation for ipv6 address;

*) health – show correct voltage for CRS109,CRS112,CRS210 when powered through PSU and show voltage up to 27V when powered through PoE;

*) email – resolve server address;

*) snmp – show firmware upgrade info;

*) upgrade – report status in check-for-updates.

What’s new in 6.32.1 (2015-Sep-07 13:03):

*) RB911/912 – fixed lock-up;

*) RB493G – fixed reboot loop;

*) firewall – do not lose firewall mangle rules on start-up;

*) defconf – fix default configuration for routers without wireless package.

What’s new in 6.32 (2015-Aug-31 14:47):

*) trafflow – added support for IPv6 targets;

*) switch – fixed port flapping on switch ports of RB750, RB750UP, RB751U-2HnD and RB951-2N (introduced in 6.31)

*) ipsec – added compatibility option skip-peer-id-check;

*) flash – fix kernel failure (exposed by 6.31);

*) bridge firewall – add ipv6 src/dst addr, ip protocol, src/dst port matching to bridge firewall;

*) RB911/RB912 – fix SPI bus lock after fast led blink;

*) ipsec – fix potential memory leak;

*) bridge firewall – vlan matchers support service tag – 0x88a8;

*) ippool6 – try to acquire the same prefix if info matches recently freed;

*) crs switch – allow to unset port learn-limit, new default is unset to allow more than 1023 hosts per port;

*) x86 – fixed 32bit multi-cpu kernel support;

*) chr – add hotspot,btest,traffgen support;

*) revised change that caused reboot by watchdog problems introduced in v6.31;

*) ipsec – use local-address for phase 1 matching and initiation;

*) ipsec – fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator;

*) certificates -fixed bug where crl stopped working after a while;

*) ip accounting – fixed kernel crash;

*) snmp – fix system scripts get;

*) hotspot – ignore PoD remote requests if no HotSpot configured;

*) hotspot – fix kernel failure when www plugin aborts on broken html source;

*) torch – add invert filter for src/dst/src6/dst6 addresses ;

*) bonding – add min_links property for 802.3ad mode;

*) snmp – get vlan speed from master interface;

*) hotspot – fix html-directory path on small flash devices;

*) mipsbe – make system shutdown work again;

*) lcd – fixed parallel port LCD display support on multi-cpu x86;

*) bridge – fixed use-ip-firewall-for-vlan in setups with multiple bridges;

*) ipv6 – fixed DHCP-PD client skips some steps when renewing lease;

*) upnp – fixed protocol port selection for upnp protocol comunications;

*) firewall – fixed limit and dst-limit options.

*) winbox – fixed wireless interface l2mtu (VirtualAP and WDS interface creation in winbox)

*) winbox – fixed multiple firewall rule moving in Winbox 2

*) simple queues – restrict all changes in dynamic simple queues

What’s new in 6.31 (2015-Aug-14 15:42):

*) check-for-update – added ability to select versions channel to check

(bugfix, current, RC or development)

*) demo mode of Cloud Hosted Router (CHR) added

*) chr – added x86_64 image for use in virtual environments

*) chr – added support for VMware SCSI virtual disks

*) chr – added support for VMware vmxnet3 network card

*) chr – added support for HyperV SCSI disks

*) chr – added support for HyperV Ethernet interfaces

*) chr – added support for virtio disks

*) fixed occasional interface resetting on CRS switches

*) fixed ethernet stopping on RB NetMetal / SXTG-5HPacD 10Mbit and 100Mbit links

*) ipsec – fixed crash in when gcm encryption was used

*) ipsec – allow to set peer address as „::/0“

*) ipsec – fixed empty sa-src address on acquire in tun mode

*) ipsec – show proposal info in export ipsec section

*) ipsec – preserve port wildcard when generating policy without port override

*) ipsec – fixed replay window, was accidentally disabled since version 6.30;

*) certificate manager – fixed memory leak

*) ssh – allow host key import/export

*) ssh – use 2048bit RSA host key when strong-crypto enabled

*) ssh – support RSA keys for user authentication

*) conntrack – fixed problem with manual connection removal

*) conntrack – added tcp-max-retrans-timeout and tcp-unacked-timeout

*) wireless – implemented l2mtu update if wireless-cm2 is enabled

*) wireless – improved WMM-PowerSave support in wireless-cm2 package

*) mpls – better multicore support for VPLS ingress/egress

*) ovpn – better multicore support for interface initialization/authentication/creation.

*) mesh – performance improvement

*) pptp & l2tp – fixed problem where android client could not connect if both dns names were not provided (was broken since v6.30)

*) user-manager – fixed username was not shown in /tool user-manager user

*) user-manager – fixed zoom for user-manager homepage when mobile devices used

*) winbox – restrict change dynamic interface fields

*) winbox – also hide passphrase in CAPsMAN with „Hide Password“

*) winbox – restrict reversed ranges in dst-port under firewall

*) quickset – fixed HomeAP mode

*) lcd – added LCD package for all architectures (for serial port LCD modules)

*) lcd – fixed crash (and 100% cpu usage) when interface gets removed from „stats-all“ screen

*) tool fetch – fixed incomplete ftp download

*) tool fetch – don’t trim [t]ftp leading slashes

*) proxy – adjust time according to time-zone settings in proxy cache contents.

*) bridge fastpath – fixed updating bridge FDB on receive (could cause TX traffic flooding on all bridge ports)

*) bonding fastpath – fixed possible crash when bonding master was also a bridge port

*) route – fixed crash on removing route that was aggregated

*) romon – fixed crash on SACKed tx segments

*) lte – improved modem identification to better support multiple identical modems

*) snmp – fixed system scripts table

*) traffic flow – fixed dynamic input/output interface reporting

*) ipv6 dhcp-relay – fixed problem loading configuration

known issue:

*) Dynamic DNS servers can disappear when „allow-remote-requests“ are not enabled

What’s new in 6.30 (2015-Jul-08 09:07):

*) wireless – added WMM power save suport for mobile devices;

*) firewall – sip helper improved, large packets no longer dropped;

*) fixed encryption ‚out of order‘ problem on SMP systems;

*) email – fix sending multiple consecutive emails;

*) fixed router lockup on leap seconds with installed ntp package;

*) ccr – made hardware watchdog work again (was broken since v6.26);

*) console – allow users with ‚policy‘ policy to change script owner;

*) icmp – use receive interface address when responding with icmp errors;

*) ipsec – fail ph2 negitioation when initiator proposed key length

does not match proposal configuration;

*) timezone – updated timezone information to 2015e release;

*) ssh – added option ‚/ip ssh stong-crypto‘

*) wireless – improve ac radio coexistence with other wireless clients, optimized

transmit times to not interfere with other devices;

*) console – values of $“.id“, $“.nextid“ and $“.dead“ are avaliable for

use in ‚print where‘ expressions;

*) console – ‚:execute‘ command now accepts script source in „{}“ braces,

like ‚/system scripts add source=‘ does;

*) console – ‚:execute‘ command now returns internal number of running job,

that can be used to check and stop execution. For example:

:local j [:execute {/interface print follow where [:log info „$name“]}]

:delay 10s

:do { /system script job remove $j } on-error={}

*) console – firewall ‚print‘ commands now show all entries including

dynamic, ‚all‘ argument now has no effect;

*) ipsec – increase replay window to 128;

*) fixed file transfer on devices with large RAM memory;

*) pptp – fixed „encryption got out of sync“ problem;

*) ppp – disable vj tcp header compression;

*) api – reduce api tcp connection keepalive delay to 30 seconds,

will timeout idle connections in about 5 minutes;

*) pptp & l2tp & sstp client: support the case were server issues its tunnel

ip address the same as its public one;

*) removed wireless package from routeros bundle package,

new wireless-fp is left in place and wireless-cm2 added as option;

*) pptp & l2tp client: when adding default route, add special exception route for

a tunnel itself (no need to add it manually anymore);

*) improved connection list: added connection packet/byte counters,

added separate counters for fasttrack, added current rate display,

added flag wheather connection is fasttracked/srcnated/dstnated,

removed 2048 connection entry limit;

*) tunnels – eoip, eoipv6, gre,gre6, ipip, ipipv6, 6to4 tunnels

have new property – ipsec-secret – for easy setup of ipsec

encryption and authentication;

*) firewall – added ipsec-policy matcher to check wheather packet

was/will be ipsec processed or not;

*) possibility to disable route cache – improves DDOS attack

handling performance up to 2x (note that ipv4 fastpath depends on route cache);

*) fasttrack – added dummy firewall rule in filter and mangle tables

to show packets/bytes that get processed in fasttrack and bypass firewall;

*) fastpath – vlan interfaces support fastpath;

*) fastpath – partial support for bonding interfaces (rx only);

*) fastpath – vrrp interfaces support fastpath;

*) fixed memory leak on CCR devices (introduced in 6.28);

*) lte – improved modem identification to better support multiple identical modems;

*) snmp – fix system scripts table;

What’s new in 6.29 (2015-May-27 11:19):

*) ssh server – use custom generated DH primes when possible;

*) ipsec – allow to specify custom IP address for my_id parameter;

*) ovpn server – use subnet topology in ip mode if netmask is provided (makes android & ios

clients work);

*) console – allow ‚-‚ characters in unknown command argument names;

*) snmp – fix rare bug when some OIDs where skipped;

*) ssh – added aes-ctr cipher support;

*) mesh – fixed kernel crash;

*) ipv4 fasttrack fastpath – accelerates connection tracking and nat for marked

connections (more than 5x performance improvement compared to regular slow

path conntrack/nat) – currently limited to TCP/UDP only;

*) added ~fasttrack-connection~ firewall action in filter/mangle tables for marking

connections as fasttrack;

*) added fastpath support for bridge interfaces – packets received and transmitted

on bridge interface can go fastpath (previously only bridge forwarded packets

could go fastpath);

*) packets now can go half-fastpath – if input interface supports fastpath and

packet gets forwarded in fastpath but output interface does not support fastpath

or has interface queue other than only-hw-queue packet gets converted

to slow path only at the dst interface transmit time;

*) trafflow: add natted addrs/ports to ipv4 flow info;

*) tilegx: enable autoneg for sfp ports in netinstall;

*) health – fix voltage on some RB4xx;

*) romon – fix 100% CPU usage;

*) romon – moved under tools menu in console;

*) email – store hostname for consistency;

*) vrrp – do not reset interface when no interesting config changes;

*) fixed async. ppp server;

*) sstp – fixed router lockup.

*) queue tree: some queues would stop working after some configuration changes;

*) fixed CRS226 10G ports could lose link (introduced in 6.28);

*) fixed FREAK vulnerability in SSL & TLS;

*) firewall – fixed sector writes rising starting since 6.28;

*) improved support for new hEX lite;

What’s new in 6.28 (2015-Apr-15 15:18):

*) email – increase server greeting timeout to 60s;

*) lte – ZTE MF823 may loose configuration;

*) userman – update paypal root certificate;

*) timezone – updated timezone information to 2015b release;

*) cm2 – fixed capsman v2 100% CPU and other stability improvements;

*) route – using ldp could cause connected routes with

invalid interface nexthop;

*) added support for SiS 190/191 PCI Ethernet adapter;

*) made metarouter work on boards with 802.11ac support or usb LTE;

*) sstp server – allow ADH only when no certificate set;

*) make fat32 disk formatting support disks bigger than 134GiB;

*) fixed tunnels – could crash when clamp-tcp-mss was enabled;

*) added basic counters for ipv4/bridge fast path, also show status wether fast

path is active at all;

*) trafflow: – fixed crash on disable;

*) pppoe over eoip – fixed crash with large packets;

*) tilegx – fixed memory leak when queue settings are changed;

*) ar9888 – fixed crash when hw reports invalid rate;

*) console – fixed „in“ operator in console;

*) console – make „/system package update print“ work again.

*) tile – rare situation when CCR devices failed to auto-negotiate ethernet link (introduced in v6.25);

*) dhcpv4 client – it is now possible to unset default clientid and hostname options

*) initial RoMon (Router Management Overlay Network) support added.

What’s new in 6.27 (2015-Feb-11 13:24):

*) console – added ‚comment‘ parameter for ‚/system script‘

*) api – return sentences can have property „.section“ that groups values

from commands such as „monitor“, „traceroute“,

„print“ (with non-zero ‚interval‘ value);

*) cloud – add time zone detection feature „/system clock time-zone-autodetect“;

*) cloud – rename „/ip cloud enabled“ to „/ip cloud ddns-enabled“;

*) cloud – make „/ip cloud update-time“ independent from „/ip cloud ddns-enabled“

*) cloud – when setting „/ip cloud ddns-enabled“ to „no“ router will send

message to server to disable DNS name for this routerboard;

*) cloud – „/ip cloud force-update“ command now will work also when

„/ip cloud ddns-enabled = no“. usefull if user wants to disable DDNS;

*) RB4xxGL – improved ethernet throughput (less dropped packets);

*) RouterBOARD – fixed health reporting;

*) check-installation: fixed wrong kernel crc on powerpc boards

*) watchdog: fix software watchdog for x86

*) ssh – check conn state before sending disconnect message;

*) ipsec – fixed crash that happened in specific situation;