What's new in 6.49.13 (2024-Feb-05 15:39): *) defconf - fixed firewall rule for IPv6 UDP traceroute; What's new in 6.49.12 (2024-Jan-22 15:04): *) console - updated copyright notice; *) routerboard - added "reset-button" support for RBwAPR-2nD device; *) tftp - improved invalid request processing; *) timezone - updated timezone information from "tzdata2023d" release; What's new in 6.49.11 (2023-Dec-08 16:37): *) console - display "End-User License Agreement" prompt after configuration reset; *) defconf - use "WISP Bridge" default configuration mode for RBGrooveGA-52HPacn device; *) poe-out - improved "auto-on" mode for devices with single PoE-out port; *) pppoe-server - fixed connection count limit per license level; *) wireless - fixed "wlan1" default name for RBSXTsqG-5acD and RBLDFG-5acD; What's new in 6.49.9 (2023-May-30 14:46): (factory only release) What's new in 6.49.7 (2022-Oct-11 17:37): *) branding - fixed execution of "autorun.scr" file when installing branding package (introduced in v6.47); *) routerboot - prevent enabling "protected-routerboot" on unsupported factory firmware versions; *) routerboot - properly reset system configuration when protected bootloader is enabled and reset button used; *) system - improved handling of user policies; *) wireless - fixed disconnection of connected client while running background scan on wAP ac and wAP R ac devices; *) wireless - fixed missing wireless interface on some RB921GS-5HPacD devices; What's new in 6.49.6 (2022-Apr-07 17:53): *) led - fixed wireless signal strength led on Cube Lite60; *) routerboot - fixed packet receiving in etherboot on Wireless Wire nRAY; *) winbox - added missing "3GGP RAW" parameter under "Interface/Wireless/Interworking Profile" menu; *) wireless - fixed GUD version in 3gpp information; What's new in 6.49.5 (2022-Mar-14 13:31): *) defconf - fixed invalid default password setting after configuration reset (introduced in v6.49.4); *) sfp - improved SFP module detection on CRS106 and CRS112; What's new in 6.49.4 (2022-Feb-25 09:33): *) capsman - improved stability when running background scan on CAP; *) lora - fixed "antenna-gain" parameter unit; *) ssl - disabled RC4 and 3DES ciphers for "www-ssl", "www-api" and OVPN services; *) traffic-flow - do not handle NAT events when "nat-events" is disabled; *) wireless - added "3gpp-info" parameter to interworking configuration; *) wireless - added EAP-AKA to interworking's realm configuration; *) wireless - correctly preserve WMM priority when receiving packets; *) wireless - updated "philippines" regulatory domain information; New RouterOS 6.49.3 (Dec/22/2021 13:49:22): *) bridge - improved system stability when initialising bridge interface *) console - updated copyright notice; *) defconf - fixed secondary-frequency configuration; *) ethernet - improved system stability when receiving large packets on devices with 88F3720 CPU (nRAY, LHGG); *) led - fixed default LED configuration for CubeG-5ac60ad; *) netinstall - fixed x86 installation process; *) socks - fixed SOCKS5 support; *) upgrade - improved 404 error handling when checking for new versions; *) winbox - show "System/Health" only on boards that have health monitoring; *) wireless - added U-NII-2 support for US and Canada country profiles for OmniTik 5, Metal 52 ac, and GrooveA 52 devices; *) x86 - fixed downgrade from RouterOS v7.1.2 and above; What's new in 6.49.2 (2021-Dec-03 14:53): *) device-mode - improved flagged router configuration detection; What's new in 6.49.1 (2021-Nov-17 10:06): MAJOR CHANGES IN v6.49.1: ---------------------- !) device-mode - added feature locking mechanism; ---------------------- Changes in this release: *) certificate - improved stability when sending bogus SCEP message; *) conntrack - limit total connection tracking table size based on installed RAM size; *) crs3xx - fixed interface linking for some optical QSFP+ modules on CRS354 devices; *) dhcpv6-server - fixed DUID generation with timestamp; *) health - improved temperature reporting; *) led - added "dark-mode" functionality control with Mode button for cAP XL ac; *) leds - fixed LTE LED default mapping for LHGG; *) lte - improved RSSI reporting on R11e-LTE6; *) routerboot - enabling "protected-routerboot" feature requires a press of a button; *) snmp - fixed IPsec-SA byte and packet counter reporting; *) sstp - fixed client stuck in "nonce matching" state; *) system - improved system stability if device is upgraded from RouterOS and/or RouterBOOT v6.41.4 or older; *) traffic-flow - added systematic count-based packet sampling support; *) upgrade - added new "upgrade" channel for upgrades between major versions; *) winbox - added "Modbus" menu support; *) wireless - added U-NII-2 support for US and Canada country profiles for cAP ac XL and QRT 5 ac; *) wireless - fixed frequency range information on IPQ4019; What's new in 6.49 (2021-Oct-06 11:55): *) branding - fixed LCD logo loading from branding package when installed via Netinstall; *) branding - properly clean up old branding files before installing a new one; *) bridge - added IGMP and MLD querier monitoring; *) bridge - added IGMP snooping log when multicast table gets full; *) bridge - fixed external flag in the host table for wireless clients; *) bridge - improved controller bridge stability when adding RouterOS v7 port extender; *) bridge - improved port extender stability when creating bond interfaces on excluded ports; *) bridge - improved stability when quickly adding and removing bridge interface; *) certificate - improved stability when removing dynamic CRL entries; *) chr - fixed OS provisioning on Azure; *) chr - improved stability when changing "flow-control" settings on interfaces with e1000 drivers; *) conntrack - increased total connection tracking table size based on installed RAM size; *) console - require "write+ftp" permissions for executing script to file; *) console - require "write+ftp" permissions for printing to file; *) crs3xx - correctly filter packets by L2MTU on 1Gbps Ethernet interfaces for CRS354 devices; *) crs3xx - fixed LEDs for QSFP+ interface on CRS326-24S+2Q+ device; *) crs3xx - fixed SFP and SFP+ link rate reporting (introduced in v6.48beta11); *) crs3xx - fixed bridge controller and extender packet forwarding for CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - fixed default MAC address calculation on management Ethernet for CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - fixed interface flow control; *) crs3xx - improved QSFP+ linking and mode changing for CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - improved packet transmit on SFP+ interfaces; *) crs3xx - improved switch resource allocation for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices; *) defconf - apply default configuration from branding package when performing reset with button; *) defconf - removed overlapping IPv6 firewall rules; *) defconf - use router as DNS server for DHCP hosts; *) dhcp-server - fixed DHCP Option decimal value parsing; *) dhcpv4-server - reset dynamic "bcast" flag when receiving offer from DHCP relay; *) dhcpv4-server - reset lease's dynamic "bcast" flag on packets from relay; *) dhcpv6-server - check if pool name has changed from RADIUS on renew; *) dhcpv6-server - improved dynamic server entry update; *) discovery - do not send discovery packets on interfaces that are blocked by STP (introduced in v6.48); *) dns - fixed memory leak caused by large DNS replies; *) firewall - fixed "ingress-priority" matcher; *) firewall - fixed GRE protocol packets considered invalid when PPTP helper is disabled; *) gps - improved interface monitoring; *) health - added "phy-temperature" sensor monitoring for CRS312 device; *) health - improved temperature readings on hEX S; *) health - improved temperature reporting; *) ike2 - added support for ASN.1 DN "my-id" value setting for initiators; *) ike2 - check if TS is still valid after obtaining SPI; *) ike2 - fixed initiator packet retransmit with DDOS cookie; *) ipsec - fixed memory leak when processing DHCP packets; *) ipsec - improved SA update by SPI; *) ipsec - improved system stability on CHR; *) ipsec - improved system stability on MMIPS devices; *) kid-control - improved IPv6 firewall rule generation; *) led - added LTE LED support for LHGGR; *) leds - fixed LTE LED default mapping for wAP R ac LTE kit; *) lora - added additional predefined network servers; *) lora - added channel plan "il-917" for Israel; *) lora - fixed "PULL_DATA" token generation; *) m33g - improved support for "/system gpio" menu ("/system routerboard upgrade" required); *) m33g - removed 12..16 pins from "/system gpio" menu; *) mipsbe - improved booting speed on non-NAND devices ("/system routerboard upgrade" required); *) mpls - allow to disable FastPath (CLI only); *) mqtt - added server name indication; *) netinstall - fixed lock file persistence after reinstall; *) netinstall - improved bootp packet handling on Linux netinstall-cli version when multiple NIC's are present; *) netinstall - require Netinstall version to be the same or newer as "factory-software"; *) ntp - use correct IPv6 multicast group for SNTP client; *) package - always allow to uninstall package even if there is no free disk space left; *) poe - update PoE firmware only on devices that supports it; *) ppp - improved stability when receiving bogus response on modem channel; *) qsfp - improved system stability when setting unsupported link rates; *) quickset - use 5GHz interface's country for "Home AP Dual" configuration; *) routerboard - fixed "reformat-hold-button-max" validation for values below 10s; *) sfp - added "sfp-rate-select" setting; *) sfp - fixed GPON module linking (introduced in v6.47); *) sfp - improved 25Gbps optical module stability and linking; *) sfp - improved SFP, SFP+, SFP28 and QSFP+ interface stability for CRS3xx and CCR2004 devices; *) sfp - improved link stability for 10G, 25G and 40G modules on CRS309, CRS312, CRS326-24S+2Q+ CRS354 and CCR2004 devices; *) sfp28 - changed FEC auto mode to disabled; *) snmp - added "engine-id" OID support; *) snmp - fixed "ipNetToMediaType" OID for incomplete entries; *) ssh - fixed "undo" functionality; *) supout - added controller bridge section; *) supout - print detailed list of active user sessions; *) switch - fixed (R/M)STP port blocking right before switching them in HW bridge (fixes possible packet loop when changing bridge settings); *) switch - improved packet transmit between CPU and 98PX1012 for CCR2004-1G-12S+2XS device; *) swos - fixed "static-ip-address" parameter; *) tr069-client - added "X_MIKROTIK_LinkDowns" parameter for interface "link-downs" value reporting; *) tr069-client - added support for Ethernet link speed reporting; *) tr069-client - added support for interface comment reporting and editing; *) tr069-client - added support for supout file upload; *) tr069-client - fixed traceroute diagnostics time values; *) tr069-client - improved XML with new-lines for readable output; *) tr069-client - improved stability for download/upload diagnostics; *) upgrade - fixed free space checking on flash type memories when installing new packages; *) ups - added battery info for APC Back-UPS BX750MI; *) user - added "expired" user status with suggestion to change password (WinBox v3.29 required); *) user - fixed active user session purging on disconnect; *) user - show "expired password" prompt for users with blank password; *) w60g - general stability and performance improvements; *) w60g - limit power output when using region EU to match EN302567 on nRAY; *) w60g - use EU region by default; *) webfig - added support for logo image from branding package; *) webfig - do not show value units twice; *) webfig - fixed "Wireless/CAP" menu opening; *) webfig - fixed interface sorting by name; *) webfig - show only "Close" button under "Wireless/Wireless Sniffer/Sniffed Packets" menu; *) winbox - added "dhcp" option to "multicast-helper" setting; *) winbox - added "fec-mode" parameter under "Interface/Ethernet" menu; *) winbox - added "interface-speed-100G" LED type to "System/LEDs" menu; *) winbox - added "name" and "file-name" parameter when importing and exporting certificates; *) winbox - added "sfp-shutdown-temperature" setting to SFP interfaces; *) winbox - added SSH settings under "IP/SSH" menu; *) winbox - added TFTP settings under "IP/TFTP/Settings" menu; *) winbox - allow setting MCS (24-31) to 4x4 Wireless interfaces; *) winbox - do not allow to add/remove W60G interfaces; *) winbox - do not allow to set empty "init-string" field under "System/GPS" menu; *) winbox - do not show "GPS antenna" selection for devices without selection support; *) winbox - fixed "Secondary Frequency" parameter setting under "CAPsMAN/Channel" menu; *) winbox - fixed DNS "cache-size" parameter setting; *) winbox - fixed health reporting on RB960, hEX, hEX S and hAP ac3 devices; *) winbox - fixed order of weekdays under "IP/Firewall" menu; *) winbox - fixed support for "Delegated-IPv6-Prefix" for PPP services; *) winbox - match "MAC Protocol-Num" predefined values under "Bridge/Filters" menu; *) winbox - minimal required version is v3.30; *) winbox - properly show "CRL Signature" field under "System/Certificate" menu; *) winbox - separated CCQ Tx and Rx values in their own unique columns; *) winbox - show "System/Health/Settings" only on boards that have configurable values; *) winbox - show "current-channel" column by default for CAP interfaces; *) winbox - show IPv6 address in separate field under "IP/Cloud" menu; *) wireless - added U-NII-2 support for US and Canada country profiles for hAP ac lite; *) wireless - added override for multicast-to-unicast translation of DHCP traffic; *) wireless - do not remove channels >2462 MHz from "scanlist" if scanning for fixed channel; *) wireless - do not send packet back to station-bridge it was received from; *) wireless - fixed minor typo in debug logging messages; *) wireless - improve WMM priority assignment for packets with internal priority greater than 7; *) wireless - improve regulatory compliance with DFS requirements; *) wireless - improve signaling of QCA9984 interface capabilities when using 160/80+80MHz channel width; *) wireless - improved system stability when sending packets through interface after L2MTU is increased; *) wireless - log client signal strength on disconnect; *) wireless - renamed "secondary-channel" to "secondary-frequency"; *) wireless - updated "israel" regulatory domain information; *) wireless - updated "united kingdom" regulatory domain information; What's new in 6.48.4 (2021-Aug-18 06:43): *) branding - fixed missing branding skins if "skins" folder does not exist; *) bridge - added MAC and IP source addresses information for DHCP snooping log; *) bridge - fixed "vlan-encap" setting for filter and NAT rules; *) bridge - improved system stability when using IGMP snooping and changing bridge MAC address; *) capsman - use Bits instead of Bytes for "ap-tx-limit" and "client-tx-limit" parameters; *) crs3xx - fixed unknown multicast flood to CPU when IGMP snooping is used; *) crs3xx - improved system stability when increasing interface L2MTU for CRS318 devices; *) defconf - fixed default configuration loading on LHG R; *) defconf - fixed minor typo in configuration description; *) dhcpv6-server - fixed false missing IPv6 Pool warning for dynamic bindings; *) dns - fixed CNAME query when target record is not in cache; *) dns - fixed cache memory leak when resolving CNAME domains; *) health - fixed voltage monitor on BaseBox5 devices; *) health - improved temperature reporting; *) ike2 - added "MS-CHAP-Domain" attribute to RADIUS requests; *) leds - fixed "/system leds" menu on RBLHG-2nD; *) lora - added additional predefined network servers; *) lte - added support for Sharp 809SH; *) routerboard - fixed "reset-button" on hAP ac; *) system - improved stability when receiving bogus packets; *) telnet - fixed "routing-table" parameter usage; *) w60g - improved stability in low temperature environments; *) webfig - do not show "units" twice in multi list entries; *) winbox - added "Cloud Backup" options under "Files" menu; *) winbox - added "interworking-profile" parameter under "Wireless" menu; *) winbox - added support for PTP; *) winbox - do not show "Functionality" field for LTE interface if it is not provided; *) winbox - fixed "Switch" menu on RBwAPG; *) winbox - fixed "vid" parameter under "Bridge/Hosts" menu; *) winbox - show "System/Health" only on boards that have health monitoring; *) wireless - added U-NII-2 support for US and Canada country profiles for hAP ac^3; *) wireless - added U-NII-2 support for US and Canada country profiles for hap ac, hAP ac^3 LTE6, Audience and Audience LTE6; *) wireless - updated "israel" regulatory domain information; What's new in 6.48.3 (2021-May-25 06:09): MAJOR CHANGES IN v6.48.3: ---------------------- !) wireless - fixed all affecting 'FragAttacks' vulnerabilities (CVE-2020-24587, CVE-2020-24588, CVE-2020-26144, CVE-2020-26146, CVE-2020-26147); ---------------------- *) branding - added option to upload custom files (newly generated branding package required); *) console - do not clear environment values if any global variable is set; *) crs3xx - fixed Ethernet LEDs after reboot for CRS354 devices; *) crs3xx - fixed VLAN priority removal for CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - fixed port-isolation on bonding interfaces for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - improved LACP linking between CRS3xx series switches; *) crs3xx - improved system stability when receiving large frames on CPU for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices; *) defconf - fixed default configuration loading on RBOmniTikPG-5HacD; *) dot1x - fixed "reject-vlan-id" for MAC authentication (introduced in v6.48); *) dot1x - fixed MAC authentication fallback (introduced in v6.48); *) ipsec - fixed SA address parameter exporting; *) lte - fixed "earfcn" to band translation for "cell-monitor"; *) package - added new "iot" package with Bluetooth (KNOT only) and MQTT publisher support; *) rb4011 - fixed SFP+ port MTU setting after link state change; *) rb4011 - improved SFP+ port stability after boot-up; *) route - improved stability when connected route is modified; *) sfp - improved cable length monitoring as defined per SFF-8472 and SFF-8636; *) ssh - return proper error code from executed command; *) system - improved resource allocation (improves several service stability e.g. HTTPS, PPPoE, VPN); *) tile - fixed bridge performance degradation (introduced in v6.47); *) webfig - fixed "PortMapping" button (introduced in v6.48.2); *) winbox - fixed health reporting on RB960, hEX and hEX S devices; *) winbox - show "System/Health" only on boards that have health monitoring; *) wireless - fixed issue with multicast traffic delivery to client devices using power-save; *) wireless - improved iOS compatibility with HotSpot 2.0 networks; *) www - added "X-Frame-Options" header information to disallow website embedding in other pages; What's new in 6.48.2 (2021-Apr-09 10:17): *) bonding - improved system stability when disabling/enabling bonding ports; *) bridge - improved bridge stability when host changes port (introduced in v6.47); *) console - require "write+ftp" permissions for exporting configuration to file; *) console - updated copyright notice; *) crs3xx - added "/system swos" menu for CRS354 devices, should only be used after SwOS 2.13 release; *) crs3xx - fixed interface LEDs for QSFP+ and SFP+ interfaces on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - fixed packet transmit in 5Gbps link rate for CRS312 device; *) crs3xx - improved 1Gbps Ethernet port group traffic forwarding for CRS354 devices; *) dhcp - fixed link state checking for DHCP client; *) ethernet - fixed cable-test for some devices (e.g. RB2011, RB951G-2HnD); *) ethernet - improved system stability when receiving large VLAN tagged packets on IPQ4018/IPQ4019 devices; *) fastpath - fixed IP packet receive on bridge and bonding interfaces when destination MAC address match with slave port MAC; *) health - fixed voltage monitor on BaseBox5 devices; *) ike2 - added "MS-CHAP-Domain" attribute to RADIUS requests; *) ike2 - fixed DH group negotiation with EAP; *) ike2 - fixed EAP MSK length validation (introduced in v6.48); *) ike2 - fixed initial traffic selector's protocol and port in transport mode; *) ipv6 - improved system stability when parsing IPv6 options; *) lora - added additional predefined network servers; *) lora - added option to hide CRC error messages in monitor; *) lora - improved downlink transmission; *) ospf - fixed type-7 LSA translation to type-5; *) ovpn - fixed route cache entry leak when establishing a new session; *) poe - do not perform PoE firmware upgrade procedure on RB960 and OmniTik devices without PoE out; *) ppp - do not fail "at-chat" command when issued on disabled PPP interface; *) ptp - improved management service stability when receiving bogus packets; *) quickset - prefer 5GHz interface for WiFi scan in CPE mode; *) rb3011 - improved system stability when changing RouterBOARD settings (introduced in v6.48); *) snmp - fixed SNMP trap agent address; *) supout - fixed "topic" column presence in "Log" section; *) switch - improved resource allocation on 98PX1012 switch chip for CCR2004-1G-12S+2XS device; *) switch - improved system stability with 98PX1012 switch chip for CCR2004-1G-12S+2XS device; *) telnet - do not send options if connecting to non standard port; *) telnet - fixed server when run on non standard port; *) tr069-client - improved management service stability when receiving bogus packets; *) upgrade - fixed upgrade procedure on 16MB devices; *) upgrade - improved "long-term" upgrade procedure on SMIPS devices; *) user - fixed "skin" configuration for user groups (introduced in v6.48); *) webfig - allow to specify "prefix" parameter under "IPv6/ND/Prefixes" menu; *) webfig - do not corrupt settings when starting "Wireless Sniffer"; *) webfig - do not move top right menu in opposite direction when scrolling horizontally; *) webfig - do not show newly created SMB shares as invalid; *) webfig - fixed new interface addition; *) webfig - show "Interfaces" menu by default after logging in; *) webfig - show "network-mode" for LTE modems that support it; *) winbox - added "Channel" parameter under "System/Console" menu; *) winbox - do not show empty "CPU Frequency" parameter under "System/Resources" menu; *) winbox - fixed "reachable-time" value unit under "IPv6/ND" menu; *) winbox - fixed QCA-8511 switch chip type reporting under "Switch/Settings" menu; *) winbox - fixed duplicate "Trusted" setting under "Interface/Bridge/Ports" menu; *) winbox - hide "Allow Roaming" parameter on LTE modems that do not support it; *) winbox - increased "target" field limit to 128 under "Queues" menu; *) winbox - renamed IP protocol 41 to "ipv6-encap"; *) winbox - show "LCD" only on boards that have LCD; *) winbox - show "System/Health" only on boards that have health monitoring; *) winbox - show "activity" column by default under "IP/Kid Control/Devices" menu; What's new in 6.48.1 (2021-Feb-03 10:54): *) crs312 - fixed missing SwOS firmware on revision 2 devices; *) crs3xx - fixed packet duplication when multiple bonding interfaces are created for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - fixed port-isolation on ether37-ether48 ports for CRS354 device; *) crs3xx - improved load balancing on bonding interfaces for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - improved system stability when bonding and IGMP snooping is used (introduced in v6.48); *) hotspot - fixed "idle-timeout" usage with RADIUS authentication; *) hotspot - fixed special character parsing in "target" variable (CVE-2021-3014); *) ike2 - fixed phase 2 rekeying with enabled PFS (introduced in v6.48); *) ike2 - improved stability when invalid certificate is configured (introduced in v6.48); *) ike2 - properly register packet time after expensive CPU operations; *) interface - fixed pwr-line interface linking (introduced in v6.48); *) ipsec - improved stability when processing IPv6 packets larger than interface MTU; *) led - fixed default LED configuration for RB911-5HnD; *) package - do not include multiple The Dude packages in HDD installer; *) snmp - fixed "send-trap" functionality (introduced in v6.48); *) switch - fixed interface toggling for devices with multiple QCA8337, Atheros8327 or RTL8367 switch chips (introduced in v6.48); *) winbox - fixed enable/disable button presence for "Bridge/Hosts" menu; *) wireless - renamed "macedonia" regulatory domain information to "north macedonia"; What's new in 6.48 (2020-Dec-22 11:20): *) arm - added support for automatic CPU frequency stepping for IPQ4018/IPQ4019 devices; *) arm - improved system stability; *) arm - improved watchdog and kernel panic reporting in log after reboots on IPQ4018/IPQ4019 devices; *) arm64 - improved reboot reason reporting in log; *) bgp - fixed VPNV4 RD byte order; *) bonding - added LACP monitoring; *) branding - fixed LCD logo loading from new style branding package; *) bridge - added "multicast-router" monitoring value for bridge interface; *) bridge - added fixes and improvements for IGMP and MLD snooping; *) bridge - added minor fixes and improvements for IGMP snooping with HW offloading; *) bridge - added warning message when port is disabled by the BPDU guard; *) bridge - allow to exclude interfaces from extended ports; *) bridge - automatically remove extended interfaces when deleting PE device from CB; *) bridge - correctly filter packets by L2MTU size; *) bridge - correctly remove dynamic VLAN assignment for bridge ports; *) bridge - fixed "multicast-router" setting on bridge enable; *) bridge - fixed MDB entry removal when using bridge port "fast-leave" property; *) bridge - fixed dynamic VLAN assignment when changing port "frame-type" property (introduced in v6.46); *) bridge - fixed dynamic VLAN assignment when changing port to tagged VLAN member; *) bridge - fixed link-local multicast forwarding when IGMP snooping and HW offloading is enabled; *) bridge - fixed local MAC address removal from host table when deleting bridge interface; *) bridge - fixed multicast table printing; *) bridge - improved BPDU guard logging; *) bridge - increased multicast table size to 4K entries; *) bridge - show "H" flag for extended bridge ports; *) bridge - show error when switch do not support controlling bridge or port extension; *) bridge - use "frame-types=admit-all" by default for extended bridge ports; *) cap - fixed L2MTU setting from CAPsMAN; *) certificate - clear challenge password on renew; *) certificate - fixed CRL URL length limit; *) certificate - fixed private key verification for CA certificate during signing process; *) certificate - generate CRL even when CRL URL not specified; *) certificate - properly flush expired SCEP OTP entries; *) chr - fixed SSH key import on Azure; *) chr - fixed VLAN tagged packet transmit on bridge for Hyper-V installations; *) chr - improved interface loading on startup on XEN; *) chr - improved system stability when changing flow control settings on e1000; *) cloud - improved backup generation process; *) conntrack - automatically reduce connection tracking timeouts when table is full; *) console - allow "once" parameter for bonding monitoring; *) crs3xx - added initial Bridge Port Extender support; *) crs3xx - added initial Controlling Bridge support for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - added switch-cpu port VLAN filtering (switch-cpu port is now mapped with bridge interface VLAN membership when vlan-filtering is enabled); *) crs3xx - correctly filter packets by L2MTU size; *) crs3xx - fixed "custom-drop-packet" and "not-learned" switch stats for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - fixed "mirror-source" property on switch port disable for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices; *) crs3xx - fixed "storm-rate" traffic limiting for switch-cpu port on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - fixed "switch-cpu" VLAN membership on bridge disable; *) crs3xx - fixed CDP packet forwarding for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices; *) crs3xx - fixed duplicate host entries when creating static switch hosts; *) crs3xx - fixed port isolation for "switch-cpu" port for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices; *) crs3xx - fixed port isolation removal for "switch-cpu" port on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - fixed switch "copy-to-cpu" property for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices; *) crs3xx - fixed switch "not-learned" stats for CRS305, CRS326-24G-2S+, CRS328-24P-4S+, CRS328-4C-20S-4S+, CRS318 devices; *) crs3xx - improved system stability on CRS354 devices; *) crs3xx - improved system stability when receiving large frames for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices (introduced in v6.47.5); *) defconf - fixed default configuration loading on RBcAP-2nD and RBwAP-2nD; *) defconf - fixed static IP address setting in case default configuration loading fails; *) defconf - improved CAP interface bridging; *) defconf - improved default configuration generation on devices with non-default wireless interface names; *) detnet - fixed malformed dummy DHCP User Class option; *) detnet - use MAC address from bridge interface instead of slave port; *) dhcp - fixed DHCP packet forwarding to IPsec policies; *) dhcpv4-server - improved "client-id" value parsing; *) dhcpv6 server - added support for "Delegated-IPv6-Prefix" for PPP services; *) dhcpv6-server - added ability to generate binding on first request; *) dhcpv6-server - added support for "option18" and "option37" for RADIUS managed clients; *) dhcpv6-server - allow loose static binding "pool" parameter (introduced in v6.46.8); *) dhcpv6-server - make sure that calling station ID always contains DUID; *) discovery - added "lldp-med-net-policy-vlan" property for assigning VLAN ID; *) discovery - allow choosing which discovery protocol is used; *) discovery - fixed discovery on mesh ports; *) discovery - fixed discovery packet sending on newly bridged port with "protocol-mode=none"; *) discovery - fixed discovery when enabled only on master port; *) discovery - send the same "Chassis ID" on all interfaces for LLDP packets; *) discovery - use interface MAC address when sending MNDP from slave port; *) disk - fixed external EXT3 disk mounting on x86 systems; *) dns - added IPv6 support for DoH; *) dns - do not use type "A" for static entries with unspecified type; *) dns - end ongoing queries when changing DoH configuration; *) dns - fixed listening for DNS queries when only dynamic static entries exist (introduced in v6.47); *) dot1x - accept priority tagged (VLAN 0) EAP packets on dot1x client; *) dot1x - fixed reauthentication after server rejects a client into VLAN; *) dot1x - fixed unicast destination EAP packet receiving when a client is running on a bridge port; *) dude - fixed configuration menu presence on ARM64 devices; *) export - fixed RouterBOARD USB "type" parameter export; *) filesystem - fixed repartition on RB4011 series devices; *) filesystem - fixed repartition on non-first partition; *) filesystem - improved long-term filesystem stability and data integrity; *) gps - fixed "init-channel" release when not used; *) health - changed PSU state parameter type to read-only; *) health - removed unused "heater-control" and "heater-threshold" parameters; *) hotspot - added "vlan-id" parameter support for hosts and HTML pages; *) hotspot - added support for captive portal advertising using DHCP (RFC7710); *) hotspot - fixed "html-directory" parameter export; *) hotspot - improved management service stability when receiving bogus packets; *) ike1 - fixed "my-id=address" parameter usage together with certificate authentication; *) ike1 - fixed 'rsa-signature-hybrid' authentication method; *) ike1 - fixed memory leak on multiple CR payloads; *) ike1 - fixed policy update with and without mode configuration; *) ike1 - rekey phase 1 as responder for Windows initiators; *) ike2 - added "prf-algorithm" support for phase 1; *) ike2 - added support for IKEv2 Message Fragmentation (RFC7383); *) ike2 - fixed EAP MSK length validation; *) ike2 - fixed too small payload parsing; *) ike2 - improved EAP message integrity checking; *) ike2 - improved child SA rekeying process; *) interface - added temperature warning and interface disable on overheat for SFP and SFP+ interfaces (CLI only); *) interface - fixed pwr-line running state (introduced in v6.45); *) ipsec - added SHA384 hash algorithm support for phase 1; *) ipsec - do not kill connection when peer's "name" or "comment" is changed; *) ipsec - fixed client certificate usage when certificate is renewed with SCEP; *) ipsec - fixed multiple warning message display for peers; *) ipsec - inactivate peer's policy on disconnect; *) ipsec - refresh peer's DNS only when phase 1 is down; *) kidcontrol - allow creating static device entries without assigned user; *) led - fixed state persistence after device reboot on NetMetal 5 ac devices; *) lora - fixed device going into "ERROR" state caused by FSK modulated downlinks; *) lora - limited output power in RU region for range 868.7 MHz - 869.2 MHz according to regulations; *) lte - added "age" column and "max-age" parameter to "cell-monitor" (CLI only); *) lte - added "comment" parameter for APN profiles; *) lte - added support for Alcatel IK41VE1; *) lte - fixed "band" value reporting; *) lte - increased "at+cops" reply timeout to 90 seconds; *) m33g - added support for "/system gpio" menu (CLI only); *) metarouter - allow creating RouterOS metarouter instances on devices with 16MB flash storage; *) metarouter - fixed memory leak when tearing down metarouter instance; *) ppp - added "bridge-learning" parameter support; *) ppp - added "ipv6-routes" parameter to "secrets" menu; *) ppp - added support for "Framed-IPv6-Route" RADIUS attribute; *) ppp - store "last-caller-id" for PPP secrets; *) ppp - store "last-disconnect-reason" for PPP secrets; *) profile - added "lcd" process classificator; *) profile - improved idle process detection on x86 processors; *) profile - improved process classification on ARM devices; *) quickset - added "Port Mapping" to QuickSet; *) quickset - fixed local IP address setting on master interface; *) route - improved stability when 6to4 interface is configured with disabled IPv6 package; *) routerboard - fixed PCIe bus reset during power-on on MMIPS devices ("/system routerboard upgrade" required); *) routerboard - force power-down on PCIe bus during reboot on LHGR devices ("/system routerboard upgrade" required); *) script - added error message in the logs if startup script runtime limit was exceeded; *) snmp - added information from IPsec "active-peers" menu to MIKROTIK-MIB; *) snmp - added new LTE monitoring OID's to MIKROTIK-MIB; *) snmp - fixed value types for "dot1dStp"; *) snmp - fixed value types for "dot1qPvid"; *) ssh - fixed returned output saving to file when "output-to-file" parameter is used; *) ssh - skip interactive authentication when not running in interactive mode; *) supout - added bonding interface monitor information; *) supout - improved autosupout.rif file generation process; *) timezone - updated timezone information from "tzdata2020d" release; *) tr069-client - added "X_MIKROTIK_MimoRSRP" parameter for LTE RSRP value reporting; *) tr069-client - added LTE model and revision parameters; *) tr069-client - added additional wireless registration table parameters; *) tr069-client - added branding package build time parameter; *) tr069-client - added wireless "noise-floor" and "overall-tx-ccq" information parameters; *) tr069-client - allow passing LTE firmware update URL as XML; *) tr069-client - fixed RouterOS downgrade procedure; *) tr069-client - fixed TotalBytesReceived parameter value; *) tr069-client - send correct "ConnectionRequestURL" when using IPv6; *) traffic-flow - added "sys-init-time" parameter support; *) traffic-flow - added NAT event logging support for IPFIX; *) traffic-generator - fixed 32Gbps limitation; *) user-manager - do not allow creating limitation that crosses midnight; *) user-manager - updated PayPal's root certificate authorities; *) webfig - allow hiding QuickSet mode selector; *) webfig - allow hiding and renaming inline buttons; *) webfig - fixed default value presence when creating new entries under "IP/Kid Control"; *) webfig - properly stop background processes when switching away from QuickSet tab; *) winbox - added "src-mac-address" parameter under "IP/DHCP-Server/Leases" menu; *) winbox - added missing IGMP Snooping settings to "Bridge" menu; *) winbox - added missing MSTP settings to "Bridge" menu; *) winbox - added support for LTE Cell Monitor; *) winbox - allow adding bonding interface with one slave interface; *) winbox - allow performing "USB Power Reset" on "0" bus on RBM33G; *) winbox - do not show "network-mode" parameter for LTE interfaces that do not support it; *) winbox - fixed "IP->Kid Control->Devices" table automatic refreshing; *) winbox - fixed "interface" and "on-interface" parameter presence under "Bridge/Hosts" menu; *) winbox - fixed "receive-errors" setting persistence under "Wireless/Wireless Sniffer/Settings" menu; *) winbox - fixed "tls-version" parameter setting under "IP/Services" menu; *) winbox - fixed minor typo in "Users" menu; *) winbox - provide sane default values for bridge "VLAN IDs" parameter; *) winbox - use health values reported by gauges for "System/Health" menu; *) wireless - added U-NII-2 support for US and Canada country profiles for mANTBox series devices; *) wireless - create "connect-list" rule when address specified for "setup-repeater"; *) wireless - do not override MTU and ARP values from CAPsMAN with local forwarding; *) wireless - improved WPS process stability; *) wireless - increased "group-key-update" maximum value to 1 day; *) wireless - updated "indonesia5" regulatory domain information; *) wireless - updated "no_country_set" regulatory domain information; What's new in 6.47.8 (2020-Nov-25 10:10): *) arm - improved system stability; *) bgp - treat route target with AS 65535 as two byte AS; *) branding - fixed imported skin presence; *) bridge - fixed BPDU guard port disable/enable on HW offloaded interfaces; *) disk - improved disk management service stability when receiving bogus packets; *) dns - improved stability with large table of static records; *) ike1 - allow using "my-id" parameter with XAuth; *) leds - fixed LED type setting; *) metarouter - fixed directory entry reporting; *) profile - fixed process classification on x86 systems (introduced in v6.47); *) quickset - fixed wireless client "uptime" counter in "Home Mesh" mode; *) sstp - fixed "idle-timeout" on TILE and CHR devices; *) system - replace "3" in superscript to "^3" on RBD53GR devices; *) upgrade - do not try installing packages if download was not completed; *) winbox - added "operator" parameter under "Interface/LTE" menu; *) winbox - added "reformat-hold-button-max" parameter under "System/RouterBOARD/Settings" menu; *) winbox - added "tls-mode" parameter under "CAPsMAN/Security Cfg." menu; *) winbox - added "tx-rx-1024-max" counter under "Interface/Overall-Stats" for CRS3xx devices; *) winbox - do not allow MAC address changes on LTE interfaces; *) winbox - show "System/Health" only on boards that have health monitoring; *) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature; *) winbox - show "usb-bus" option on all boards that have it; *) winbox - show "usb-type" option on all boards that have it; *) winbox - sort IPv6 firewall "chain" parameter entries alphabetically; *) wireless - added support for U-NII-2 US and Canada country profiles for mANTBox series devices; What's new in 6.47.7 (2020-Oct-27 13:27): *) crs3xx - improved system stability on CRS354 devices; *) defconf - improved default configuration generation on devices without wireless package installed; *) poe - fixed automatic PoE firmware upgrade procedure; *) poe - improved PoE-out status detection; *) wireless - updated "kazakhstan" regulatory domain information; What's new in 6.47.6 (2020-Oct-21 10:41): *) cap - fixed L2MTU path discovery; *) crs3xx - fixed hardware offloaded LACP bonding on Ethernet interfaces for CRS354 devices; *) crs3xx - fixed switch rules for CRS309 and CRS317 devices (introduced in v6.47.3); *) defconf - fixed default configuration loading on RBmAP-2nD; *) dhcpv4-client - fixed DHCP offer packet parsing with overload option present; *) dhcpv6-server - properly save bindings when executing "make-static" command; *) fetch - improved SSL handshake processing; *) ike1 - allow using "my-id" parameter with XAuth; *) leds - fixed LED type setting; *) lora - expose "joinEui" un "devEui" values in the log; *) lte - fixed multiple APN passthrough on R11e-4G; *) lte - improved EARFCN reporting in 3G and LTE modes on Sierra modems; *) lte - limit allowed APN count to 3 on R11e-LTE; *) mpls - fixed duplicate "LabelRelease" message sending; *) ospf - optimized LSA printing for smaller message sizes; *) radius - added "Service-Type" attribute to Access-Request for IPv4 and IPv6 DHCP servers; *) smips - reduced RouterOS main package size; *) switch - fixed Ethernet padding for small packets; *) user - improved WinBox and The Dude authenticated session handling; *) vrrp - made "password" parameter sensitive; *) w60g - general stability and performance improvements; *) wireless - added support for US FCC UNII-2 and Canada country profiles for NetMetal series devices; *) wireless - fixed incorrect wireless capability information in association response frames; What's new in 6.47.5 (2020-Oct-08 06:48): (factory only release) What's new in 6.47.4 (2020-Sep-16 11:32): *) bridge - fixed STP alternate and backup port states for devices with switch chip (introduced in v6.47); *) crs3xx - fixed IGMP snooping for CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - fixed switch port "egress-rate" removal for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices; *) fetch - fixed "src-address" usage for SFTP; *) filesystem - improved long-term filesystem stability and data integrity; *) hotspot - ignore packets from host while MAC authentication is in progress; *) kidcontrol - fixed "time-unlimited-rate" to engage in correct time; *) smb - fixed possible memory leak (CVE-2020-11881); *) sms - fixed SMS sending when both "interface" and "smsc" parameters are specified; *) snmp - fixed "/tool snmp-get" functionality (introduced in v 6.46beta43); *) user-manager - updated PayPal's root certificate authorities; *) wireless - added support for U-NII-2 for wAP ac; *) wireless - updated "canada" regulatory domain information; *) wireless - updated "united states" regulatory domain information; What's new in 6.47.3 (2020-Sep-01 05:24): *) bridge - fixed host table update on SNMP query; *) crs3xx - fixed hardware offloaded bonding on Ethernet interfaces for CRS354 devices; *) crs3xx - fixed hardware offloaded MPLS forwarding when using bonding interfaces; *) crs3xx - fixed switch ACL rules for CRS312, CRS326-24S+2Q+ and CRS354 devices; *) crs3xx - improved Ethernet port group traffic forwarding for CRS354 devices; *) crs3xx - improved system stability when using hardware offloaded MPLS; *) dns - fixed multiple TXT string replies; *) dns - hide default static entry "type" from export; *) dot1x - fixed duplicate EAP request packets for server; *) dot1x - fixed EAP packet version numbering; *) ike2 - fixed local side NAT detection; *) lte - fixed multiple passthrough APN default route installation; *) lte - fixed RSCP value reporting; *) lte - validate interface existence on initiation; *) ospf - fixed disappearing NSSA default route; *) ospf - fixed processing of "unknown" LSA type; *) poe - fixed "power-cycle" functionality on RB960GSP; *) routerboot - fixed etherboot FCS errors with 100Mbps rate for CRS305, CRS309 and CRS317 devices ("/system routerboard upgrade" required); *) webfig - fixed negative value usage in "spoof-gps" parameter (introduced in v6.47.1); *) wireless - allow setting "tx-power" up to 40; *) wireless - fixed potential wireless driver issue related to CVE-2020-3702; What's new in 6.47.2 (2020-Aug-13 06:39): *) arm - improved stability when forcing 25G speed on unsupported interface; *) crs3xx - fixed QSFP+ interface LEDs when using break-out cable for CRS326-24S+2Q+; *) crs3xx - fixed QSFP+ interface linking after reboot for CRS326-24S+2Q+ (introduced in v6.47); *) discovery - use "static" interface list by default instead of "!dynamic"; *) fetch - show status "uploaded" instead of "downloaded" when uploading a file; *) hotspot - do not verify Hotspot interface status when detecting if HTTP/HTTPS login method is allowed; *) interface - added new builtin "static" interface list; *) l2tp - fixed multiple tunnel establishment from the same remote IP address (introduced in v6.47); *) lora - fixed "spoof-gps" parameter padding (introduced in v6.47.1); *) lte - fixed dynamic DHCP client creation when editing APN profile; *) ospf - fixed case when changing one distribution metric changed metrics for other distribution options; *) ppp - fixed PPP interface editing for the first time after reboot or after 20 seconds; *) qsfp - fixed break-out cable linking after reboot (introduced in v6.47); *) routerboot - fixed memory test on CCR2004-1G-12S+2XS ("/system routerboard upgrade" required); *) sfp - stabilized CRS212 SFP port functionality and improved monitoring of optical modules; *) sftp - fixed "flash" directory access (introduced in v6.46); *) smb - fixed file path validation (introduced in v6.46); *) smb - fixed possible memory leak; *) smb - fixed SMB server (introduced in v6.47); *) smb - limit active session count to 5 per connection; *) snmp - fixed "current" value reporting on CCR series devices; *) snmp - fixed "fan-speed" value reporting on CCR series devices; *) wireless - added support for U-NII-2 for cAP ac; *) wireless - updated "indonesia5" regulatory domain information; *) www - improved WWW service stability when receiving bogus packets; What's new in 6.47.1 (2020-Jul-08 12:34): *) crs3xx - fixed HW offloading for netPower 15FR and netPower 16P devices (introduced in v6.47); *) crs3xx - fixed increased CPU temperature for CRS354-48G-4S+2Q+ device (introduced in v6.47); *) crs3xx - improved Ethernet port group traffic forwarding for CRS354 devices; *) defconf - fixed default configuration generation on devices without "wireless" package installed; *) defconf - fixed default configuration loading on RBmAPL-2nD; *) defconf - improved default configuration generation on devices with changed wireless interface names; *) dhcpv6-server - disallow changing binding's "prefix-pool"; *) dhcpv6-server - improved stability when changing server for static bindings; *) dns - do not allow setting "forward-to" same as "name" or "regex"; *) dns - do not allow setting zero value IP addresses for "A" and "AAAA" records; *) dns - do not use DoH for local queries when a server is specified; *) export - fixed HotSpot "address-per-mac" parameter export; *) filesystem - fixed increased "sector writes" reporting (introduced in v6.47); *) ftp - fixed possible buffer overflow; *) ike2 - fixed initiator child SA init without policy; *) ike2 - fixed policy reference for pending acquire; *) ike2 - retry RSA signature validation with deduced digest from certificate; *) ipsec - do not update peer endpoints for generated policy entries (introduced in v6.47); *) lora - added "spoof-gps" parameter for fake GPS coordinate sending; *) lora - fixed JSON statistics inaccuracies; *) lte - added support for MTS 8810FT; *) lte - fixed modem initialization when multiple modems are used simultaneously; *) lte - fixed PDP authentication configuration for SIM7600; *) metarouter - fixed image importing (introduced in v6.46); *) ospf - improved route tag processing for OSPFv3; *) ppp - allow specifying pool name for "remote-ipv6-prefix-pool" parameter; *) profile - fixed "unclassified" load reporting on PowerPC devices (introduced in v6.47); *) qsfp - fixed auto-negotiation status; *) qsfp - ignore FEC mode when set to fec91, only fec74 mode is supported (introduced in v6.47); *) routerboard - fixed "mode-button" support on SMIPS devices (introduced in v6.47); *) routerboard - fixed "reset-button" menu presence on all devices; *) supout - added "LoRa" section to supout file; *) switch - fixed MAC address learning on switch-cpu port for Atheros8316, Atheros8227 and Atheros7240 switch chips; *) w60g - added "mdmg-fix" parameter for RBwAP60Gx3 (CLI only); *) winbox - fixed flag displaying under "IP/DNS/Static" table; *) winbox - fixed minor typo in "BGP/Peer" menu; *) winbox - hide irrelevant switch port parameters; *) wireless - changed "station-roaming" default setting from "enabled" to "disabled"; *) wireless - updated "bangladesh" regulatory domain information; *) wireless - updated "egypt" regulatory domain information; What's new in 6.47 (2020-Jun-02 07:38): Important note!!! - The Dude server must be updated to monitor v6.46.4 and v6.47beta30+ RouterOS type devices. - The Dude client must be manually upgraded after upgrading The Dude server. - The Dude requires "winbox" policy instead of "dude" to monitor v6.46.4 and v6.47beta30+ RouterOS type devices. - Make sure LTE APN Profile name does not match any of the DHCP server's names if LTE passthrough is used. MAJOR CHANGES IN v6.47: ---------------------- !) dns - added client side support for DNS over HTTPS (DoH) (RFC8484); !) socks - added support for SOCKS5 (RFC 1928); !) user - enable "winbox" policy for groups with "dude" policy automatically on upgrade; ---------------------- Changes in this release: *) api - added ECDHE cipher support for "api-ssl" service; *) bonding - improved slave interface MAC address handling; *) bonding - prefer primary slave MAC address for bonding interface; *) branding - do not ask to confirm configuration applied from branding package; *) branding - fixed identity setting from branding package; *) branding - improved branding package installation process when another branding package is already installed; *) bridge - added logging debug message when a host MAC address is learned on a different bridge port; *) bridge - added warning message when a bridge port gets dynamically added to VLAN range; *) bridge - correctly remove disabled MSTI; *) bridge - improved hardware offloading enabling/disabling; *) certificate - added "skid" and "akid" values for detailed print; *) certificate - allow dynamic CRL removal; *) certificate - disabled CRL usage by default; *) certificate - do not use SSL for first CRL update; *) chr - added support for file system quiescing; *) chr - added support for hardware watchdog on ESXI; *) chr - enabled support for VMBus protocol version 4.1; *) chr - improved system stability when running CHR on Hyper-V; *) crs3xx - correctly remove switch rules on CRS317-1G-16S+ and CRS309-1G-8S+ devices; *) crs3xx - fixed "ingress-rate" property on CRS309-1G-8S+, CRS312-4C+8XG, CRS326-24S+2Q+ devices; *) crs3xx - fixed hardware offloaded bonding on Ethernet interfaces for CRS354 devices; *) crs3xx - improved 10G interface initialization on CRS312 devices; *) crs3xx - improved switch host table updating; *) crs3xx - show correct switch model for netPower 15FR device; *) defconf - fixed default configuration initialization if power loss occurred during the process; *) dhcpv4 - added end option (255) validation for both server and client; *) dhcpv4-client - improved stability when changing client while still receiving advertisements; *) dhcpv4-server - disallow zero lease-time setting; *) dhcpv6-client - improved error logging when when renewed address differs; *) dhcpv6-server - do not require "server" parameter for bindings; *) dhcpv6-server - fixed MAC address retrieving from DUID when timestamp is present; *) discovery - do not send discovery packets on inactive bonding slave interfaces; *) discovery - do not send discovery packets on interfaces that are blocked by STP; *) disk - improved disk management service stability when receiving bogus packets; *) disk - improved recently created file survival after reboots; *) dns - added support for exclusive dynamic DNS server usage from IPsec; *) dns - added support for forwarding DNS queries of static entries to specific server; *) dns - added support for multiple type static entries; *) dot1x - added "radius-mac-format" parameter; *) dot1x - added hex value support for RADIUS switch rules; *) dot1x - added range "dst-port" support for RADIUS switch rules; *) dot1x - added support for lower case "mac-auth" RADIUS formats; *) dot1x - fixed "reject-vlan-id" value range; *) dot1x - fixed dynamically created switch rule removal when client disconnects; *) dot1x - fixed port blocking when interface changes state from disabled to enabled; *) dot1x - improved Dot1X service stability when receiving bogus packets; *) dot1x - improved debug logging output to "dot1x" topic; *) dot1x - improved value validation for dynamically created switch rules; *) email - added support for multiple "to" recipients; *) ethernet - fixed interface stopping responding after blink command execution on CCR2004-1G-12S+2XS; *) fetch - fixed "User-Agent" usage if provided by "http-header-field"; *) graphing - improved graphing service stability when receiving bogus packets; *) health - added "gauges" submenu with SNMP OID reporting; *) health - improved stability for system health monitor on CCR2004-1G-12S+2XS; *) hotspot - updated splash page design ('/ip hotspot reset-html' required); *) ike1 - added error message when specifying "my-id" for XAuth identity; *) ike1 - added support for "UNITY_DEF_DOMAIN" and "UNITY_SPLITDNS_NAME" payload attributes; *) ike1 - do not try to keep phase 2 when purging phase 1; *) ike1 - improved policy lookup with specific protocol; *) ike1 - improved stability when performing policy lookup on non-existant peer; *) ike2 - added support for "INTERNAL_DNS_DOMAIN" payload attribute; *) ike2 - added support for RADIUS Disconnect-Request message handling; *) ike2 - added support for RFC8598; *) ike2 - allow initiator address change before authentication; *) ike2 - fixed authentication handling when initiator disconnects before RADIUS response; *) interface - improved system stability when receiving bogus packets; *) interface - increased loopback interface MTU to 65536; *) ipsec - added "split-dns" parameter support for mode configuration; *) ipsec - added "use-responder-dns" parameter support; *) ipsec - allow specifying two peers for a single policy for failover; *) ipsec - control CRL validation with global "use-crl" setting; *) ipsec - do full certificate validation for identities with explicit certificate; *) ipsec - fixed minor spelling mistake in logs; *) ipsec - improved IPsec service stability when receiving bogus packets; *) ipsec - place dynamically created IPsec policies by L2TP client at the begining of the table; *) kidcontrol - ignore IPv6 multicast MAC addresses; *) l2tp - added "src-address" parameter for L2TP client; *) l2tp - added "use-peer-dns" parameter for L2TP client; *) l2tp - improved dynamically created IPsec configuration updating; *) l2tp - use L2TP interface when adding dynamic IPsec peer; *) lcd - fixed LCD service becoming unavailable on devices without LCD screen; *) lcd - improved general system stability when LCD is not present; *) led - fixed minor typo in LED warning message; *) log - added logging entry when changing user's password; *) log - added tunnel endpoint address to establishment and disconnect logging entries; *) log - made startup script failures log as critical errors; *) lte - added support for Huawei K5161 modem; *) lte - added support for NEOWAY N720; *) lte - added support for multiple passthrough APN configuration; *) lte - do not allow running "scan" on R11e-4G; *) lte - fixed "allow-roaming" setting when using LTE network mode on R11e-LTE; *) lte - fixed "band" parameter persistence after disable/enable; *) lte - fixed "ecno" and "rscp" value reporting on R11e-LTE6; *) lte - fixed VLAN interface passthrough support; *) lte - fixed multiple APN reactivation after deactivation by operator; *) lte - improved stability during firmware upgrade; *) lte - made "mac-address" parameter read-only; *) lte - show "phy-cellid" value only in LTE mode; *) netinstall - removed "Flashfig" from Netinstall; *) netinstall - removed "Make Floppy" from Netinstall; *) netinstall - signed netinstall.exe with Digital Signature; *) netwatch - improved Netwatch service stability when invalid configuration values are passed; *) ovpn - added "use-peer-dns" parameter for OVPN client; *) port - removed serial console port on hEX S; *) ppp - added "Acct-Session-Id" attribute to "Access-Request" messages; *) ppp - added support for ZTE MF90; *) ppp - fixed minor typo when running "info" command; *) ppp - removed "comment", "set" and "edit" commands from "PPP->Active" menu; *) pptp - added "use-peer-dns" parameter for PPTP client; *) profile - added support for CCR2004-1G-12S+2XS; *) proxy - increased minimal free RAM that can not be used for proxy services; *) qsfp - added support for FEC mode (fec74), with the FEC mode disabled by default; *) quickset - do not show "SINR" field in Quick Set when there is no data; *) quickset - fixed invalid configuration applying when performing changes during LTE modem initialization process; *) quickset - removed "EARFCN" field from Quick Set; *) quickset - removed "LTE band" setting from Quick Set; *) quickset - show "Antenna Gain" setting on devices without built-in antennas; *) quickset - use "station-wds" mode when connecting to AP with RouterOS flag; *) route - improved system stability after reboot with large amount of VLAN interfaces with PPPoE servers attached; *) routerboard - added "hold-time" parameter to mode-button menu; *) routerboard - added "reset-button" menu - custom command execution with reset button; *) routing - improved IGMP-Proxy service stability when receiving bogus packets; *) routing - improved routing service stability when receiving bogus packets; *) sfp28 - added support for FEC modes (fec74 and fec91), with fec91 mode already enabled by default; *) sniffer - allow setting port for "streaming-server"; *) snmp - added "dot1qTpFdbTable" OID reporting for Q-BRIDGE-MIB; *) snmp - changed "upsEstimatedMinutesRemaining" reported value from seconds to minutes; *) snmp - fixed "dot1dBasePort" index offset for BRIDGE-MIB; *) snmp - improved OID policy checking and error reporting on "set" command; *) snmp - improved stability when polling MAC address related OID; *) ssh - improved SSH service stability when receiving bogus packets; *) supout - added "dot1x" section to supout files; *) supout - improved UPS information reporting; *) switch - correctly display switch statistics when all switch ports are disabled on RTL8367 switch chip; *) switch - correctly enable and disable CPU Flow Control on RB3011UiAS; *) switch - made "auto" the default value for "vlan-id" parameter when creating a new static host entry; *) system - correctly handle Generic Receive Offloading (GRO) for MPLS traffic; *) system - improved driver loading speed on startup; *) tr069-client - added LTE firmware update functionality support; *) tr069-client - added additional LTE information parameters; *) tr069-client - added additional wireless registration table parameters; *) tr069-client - added interface type parameter support; *) tr069-client - added multiple simultaneous session support for diagnostics test; *) tr069-client - added total connection tracking entries parameter; *) tr069-client - removed warning log message when not using HTTPS; *) traffic-flow - added "postDestinationMacAddress" parameter support for IPFIX and NetFlow v9; *) upgrade - fixed space handling in package file names; *) ups - added battery info for APC SmartUPS 2200; *) ups - improved compatibility with APC Smart UPS 1000 and 1500; *) user - improved user management service stability when receiving bogus packets; *) w60g - fixed link status logging; *) w60g - improved rate selection in low traffic conditions; *) w60g - use "arp" and "mtu" parameters from master interface when creating a new station; *) webfig - fixed 5 GHz wireless interface "frequency" parameter value list on Audience; *) webfig - fixed WinBox download link; *) webfig - fixed skin usage from branding package; *) webfig - updated icon design; *) winbox - added "Rate" parameter for switch ACL rules; *) winbox - added "auth-info" parameter under "Dot1X->Active" menu; *) winbox - added "auth-types", "comment", "mac-auth-mode" and "reject-vlan-id" parameters for Dot1X server; *) winbox - added "auto-erase" option to "Tool/SMS" menu; *) winbox - added "bus" parameter for "USB Power Reset" command on NetMetal ac^2; *) winbox - added "bus" parameter for "USB Power Reset" command on RBM33G; *) winbox - added "comment" parameter and "dynamic" flag support under "Switch->Rule" table; *) winbox - added "comment" parameter for Dot1X client; *) winbox - added "region" parameter for W60G interfaces; *) winbox - added "skip-dfs-channels" parameter to wireless interface menu; *) winbox - added comment support for "Switch->VLAN" menu; *) winbox - added enable and disable buttons for "MPLS->MPLS Interface" table; *) winbox - added support for inline bar graphs for LTE signal values; *) winbox - aligned all "IP->Traffic Flow->IPFIX" check boxes in single line (WinBox v3.22 required); *) winbox - allow setting "Primary" parameter for "balance-tlb" bonding interfaces; *) winbox - allow to specify any Ethernet like interface under "Tool/WoL" menu; *) winbox - do not allow to enter empty strings in "caps-man-names" and "common-name" parameters; *) winbox - fixed "BGP Origin" value display under "IPv6->Routes" menu; *) winbox - fixed "Data Rate" checkbox alignment (WinBox v3.22 required); *) winbox - fixed "Tx/Rx Signal Strength" value presence for 4 chain interfaces; *) winbox - fixed WDS usage when connecting to RouterOS access point using QuickSet; *) winbox - fixed bonding type interface support for "Switch->Host" table; *) winbox - fixed dates and times in interface link up/down properties (WinBox v3.24 required); *) winbox - fixed wireless interface "HT" tab setting presence when "band=5ghz-n/ac"; *) winbox - fixed wireless sniffer parameter setting; *) winbox - limit number of simultaneous WinBox sessions to 5 for users without "write" permission; *) winbox - made "yes" the default value for "Inject Summary LSAs" parameter when creating a new NSSA or STUB area; *) winbox - removed duplicate "join-eui", "dev-eui", "counter", "chain", "size" and "payload" parameters under "LoRa/Traffic"; *) winbox - renamed "Routerboard" to "RouterBOARD" under "System/RouterBOARD" menu; *) winbox - show "Hardware Offload" parameter for bonding interfaces; *) winbox - updated icon design; *) wireless - added "russia 6ghz" regulatory domain information; *) wireless - enabled unicast flood for DHCP traffic on ARM architecture access points; *) wireless - fixed Nstreme wireless protocol performance decrease; *) wireless - improved management service stability when receiving bogus packets; *) wireless - updated "egypt" regulatory domain information; *) wireless - updated "russia4" regulatory domain information; *) www - added "tls-version" parameter in "IP->Services" menu; What's new in 6.46.6 (2020-Apr-27 10:32): Important note!!! - The Dude server must be updated to monitor v6.46.4+ and v6.47beta30+ RouterOS type devices. - The Dude client must be manually upgraded after upgrading The Dude server. - The Dude requires "winbox" policy instead of "dude" to monitor v6.46.4+ and v6.47beta30+ RouterOS type devices. Changes in this release: *) crs3xx - fixed switch rule "dst-port" parameter for IPv6 traffic on CRS305-1G-4S+, CRS326-24G-2S+, CRS328-24P-4S+, CRS328-4C-20S-4S+, netPower 15FR devices; *) defconf - fixed default IP address assigning on non-paired 60 GHz devices; *) lora - added "altitude", "latitude" and "longitude" to stat json if GPS is available; *) lte - fixed "band" value setting when configuration is reset on R11e-4G; *) snmp - fixed "ifSpeed" reporting for tunnel interfaces; *) snmp - fixed multiple LTE interface OID reporting; *) ssh - fixed SHA256 user authentication algorithm checking (introduced in v6.46.4); *) winbox - fixed memory leak (introduced in v6.46.4); *) winbox - increased limit of multi-entry fields to 100; *) wireless - improved 5GHz interface stability on RB4011iGS+5HacQ2HnD and Audience; *) wireless - improved system stability on hAP ac^2; *) wireless - updated "south africa" regulatory domain information; What's new in 6.46.5 (2020-Apr-07 08:28): Important note!!! - The Dude server must be updated to monitor v6.46.4+ and v6.47beta30+ RouterOS type devices. - The Dude client must be manually upgraded after upgrading The Dude server. - The Dude requires "winbox" policy instead of "dude" to monitor v6.46.4+ and v6.47beta30+ RouterOS type devices. MAJOR CHANGES IN v6.46.5: ---------------------- !) user - enable "winbox" policy for groups with "dude" policy; ---------------------- Changes in this release: *) capsman - fixed "certificate" parameter updating on CAP; *) console - prevent incorrect type interfaces appearing in command hints; *) crs3xx - fixed interface statistics for CRS354-48G-4S+2Q+ and CRS354-48P-4S+2Q+ devices; *) crs3xx - fixed traffic forwarding after disabling/enabling bridge hardware offloading for CRS354-48G-4S+2Q+ and CRS354-48P-4S+2Q+ devices; *) crs3xx - improved SFP+ DAC cable initialization for CRS326-24S+2Q+ device; *) discovery - do not send CDP and LLDP packets on interfaces that does not have MAC address; *) dude - fixed connection to other RouterOS type devices through The Dude agents (introduced in v6.46.4); *) ike1 - rekey phase 1 rekeying as responder for Windows initiators; *) ipsec - improved system stability when handling fragmented packets; *) led - added "dark-mode" functionality for CRS105-5S-FB; *) lora - added IPv6 support for LoRa packet forwarder; *) lora - added UTC timestamp for RX events in "rxpk" json; *) lora - added value limits for "freq-off" parameter; *) lora - properly update source address for packets when routing table is changed; *) lte - fixed IP type selection from APN on RBSXTLTE3-7; *) sniffer - fixed minor typo in "host" menu; *) supout - added "gps" section to supout files; *) supout - improved PoE-out information reporting; *) system - improved kernel panic reporting in logs after reboot; *) system - improved system stability when forwarding traffic from switch chip to CPU (introduced in v6.43); *) traceroute - improved stability when invalid packet is received; *) traffic-generator - improved statistics reporting; *) w60g - improved stability after multiple disconnections; *) winbox - added "Options" parameter support for DHCPv6 client and server; *) winbox - added 160Mhz extension channel support for CAPsMAN; *) winbox - added support for "Tools->WoL" menu; *) winbox - allow setting "20/40/80/160Mhz-eeeeeeCe" channel under "Channel Width" parameter; *) winbox - do not show "Revision" parameter under "System/RouterBOARD" menu on devices that have only one revision; *) winbox - fixed "ARP" parameter inheritance from "CAPs Configuration" configuration; *) winbox - fixed "Bands" parameter display for LTE interfaces; *) winbox - fixed "DSCP" parameter value setting; *) winbox - fixed "Frequency" and "Secondary Frequency" parameter inheritance from "CAPs Channel" configuration; *) winbox - fixed "Passthr. MAC Address" parameter display "LTE APNs" menu; *) winbox - fixed "Switch" menu on CRS354-48P-4S+2Q+; *) winbox - fixed "dst-port" unsetting in "IP->Hotspot->Walled Garden" menu; *) winbox - fixed automatic "IPv6->Firewall->Address List" table update; *) winbox - made "none" the default value for "Security Profile" parameter when creating a new "Wirelees->Connect list" entry; *) winbox - properly show "Hw. Offload Group" value for each interface under "Bridge->Ports" menu; *) winbox - renamed "Memory used" to "HDD used" for HDD type under "Tools->Graphing->Resource Graphs"; *) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature; *) wireless - added "U-NII-2" support for hAP ac2 and RBwAPGR series devices; *) wireless - added "skip-dfs-channels" parameter; *) wireless - fixed default "antenna-gain" setting on SXT 2 and LtAP series devices; *) wireless - updated "bangladesh" regulatory domain information; *) wireless - updated "indonesia4" regulatory domain information; What's new in 6.46.4 (2020-Feb-21 11:26): Important note!!! - The Dude server must be updated to monitor 6.46.4 and v6.47beta30+ RouterOS type devices. - The Dude client must be manually upgraded after upgrading The Dude server. - To get RouterOS data from the devices, The Dude now requires RouterOS to be 6.46.4 or v6.47beta30+. Changes in this release: *) arm - improved watchdog and kernel panic reporting in log after reboots on RB3011 and IPQ4018/IPQ4019 devices ("/system routerboard upgrade" required); *) branding - allow forcing configuration script as default configuration (new branding packet required); *) branding - fixed "company-url" and "router-default-name" survival after system upgrade; *) branding - fixed WEB HTML page survival after system upgrade; *) certificate - fixed certificate verification when flushing CRL's; *) chr - fixed graceful shutdown execution on Hyper-V (introduced in v6.46); *) console - fixed script with "dont-require-permissions=yes" execution without sufficient permissions; *) crs3xx - fixed frame forwarding after disabling/enabling bridge hardware offloading for CRS354-48G-4S+2Q+ device; *) defconf - added welcome note with common first steps for new users; *) dude - updated The Dude to use new style authentication method; *) health - fixed maximum SFP temperature reading under '/system health' menu; *) ike2 - fixed DHCP Inform package handling when received on PPPoE interface; *) lte - added interface name prefix for logging events; *) lte - added "phy-cellid" value support for R11e-LTE-US; *) lte - do not allow using empty APN Profile names; *) lte - improved all APN session activation after disconnect on R11e-LTE; *) lte - use APN from network when blank APN used on R11e-4G; *) snmp - fixed "routeros-version" value returning from registration table; *) snmp - fixed UPS battery voltage value scaling; *) ssh - added support for RSA keys with SHA256 hash (RFC8332); *) system - improved system stability when receiving/sending TCP traffic on multicore devices; *) telnet - improved telnet compatibility with other client implementations; *) user-manager - fixed signup enabling (introduced in v6.46); *) webfig - added default configuration confirmation window to WebFig; *) webfig - do not show WebFig menu when opening 'Check For Updates' in Quick Set; *) winbox - completely removed old style authentication method; *) winbox - fixed "invalid" flag presence under "System/Certificates/CRL" menu; *) wireless - improved compatibility for "ETSI" wireless country profile; What's new in 6.46.3 (2020-Jan-28 10:46): *) hotspot - fixed redirect to log in page (introduced in v6.45); *) lora - added "ru-864-mid" channel plan; *) lora - improved immediate packet delivery; *) lte - added GPS port support for Quectel EP06 modem; *) lte - added "psc" (Primary Scrambling Code) parameter for "cell-monitor" function on R11e-LTE6 and R11e-LTE; *) lte - do not show invalid "phy-cellid" when it is not yet received on "R11e-LTE"; *) lte - do not show unrelated info parameters after network mode failover; *) port - fixed multiple identical USB serial device detection (introduced in v6.46); *) ppp - fixed connection establishment when receiving "0.0.0.0" DNS; *) snmp - fixed "ifOperStatus" reporting for combo ports; *) winbox - removed duplicate "counter", "chain", "size" and "payload" parameters under "LoRa/Traffic"; What's new in 6.46.2 (2020-Jan-14 07:17): *) chr - improved stability when changing ARP modes on e1000 type adapters; *) console - prevent "flash" directory from being removed (introduced in v6.46); *) console - updated copyright notice; *) crs305 - disable optical SFP/SFP+ module Tx power after disabling SFP+ interface; *) defconf - fixed "caps-mode" not initialized properly after resetting; *) defconf - fixed default configuration loading on RBwAPG-60adkit (introduced in v6.46); *) lora - fixed packet sending when using "antenna-gain" higher than 5dB; *) lte - fixed "cell-monitor" on R11e-LTE in 3G mode; *) lte - fixed "earfcn" reporting on R11e-LTE6 in UMTS and GSM modes; *) lte - report only valid info parameters on R11e-LTE6; *) ppp - fixed minor typo in "ppp-client" monitor; *) qsfp - do not report bogus monitoring readouts on modules without DDMI support; *) qsfp - improved module monitoring readouts for DAC and break-out cables; *) routerboard - added "mode-button" support for RBcAP2nD; *) security - fixed vulnerability for routers with default password (limited to Wireless Wire), admin could login on startup with empty password before default configuration script was fully loaded; *) system - fixed "*.auto.rsc" file execution (introduced in v6.46); *) system - fixed "check-installation" on PowerPC devices (introduced in v6.46); *) traffic-generator - improved memory handling on CHR; *) webfig - allow skin designing without "ftp" and "sensitive" policies; *) webfig - fixed "skins" saving to "flash" directory if it exists (introduced in v6.46); *) winbox - automatically refresh "Packets" table when new packets are captured by "Tools/Packet Sniffer"; *) winbox - fixed "Default Route Distance" default value when creating new LTE APN; *) winbox - removed duplicate "join-eui" and "dev-eui" parameters under "Lora/Traffic"; What's new in 6.46.1 (2019-Dec-13 12:44): *) capsman - fixed CAP upgrading (introduced in v6.46); *) console - fixed "clear-history" restoring historic actions after power cycle; *) console - removed "edit" and "set" actions from "System/History" menu; *) defconf - fixed default configuration loading after fresh install (introduced in v6.46); *) dhcpv6-server - use lease time from RADIUS; *) dude - fixed image and font file accessing (introduced in v6.46); *) gps - only adjust system time after GPS signal is established; *) health - fixed health reporting on OmniTIK 5 PoE ac; *) ipsec - improved system stability when processing decrypted packet on unregistered interface; *) l2tp - improved system stability when disconnecting many clients at once; *) log - fixed "disk-file-name" parameter validation (introduced in v6.46); *) lora - added support for MIPSBE, PPC, TILE and x86 architectures; *) lora - improved confirmed downlink forwarding; *) lte - do not reset modem when setting the same SIM slot on LtAP; *) lte - show SIM error when no card is present; *) ppp - fixed session establishment with high amount of tunnels (introduced in v6.46); *) ppp - prioritize "remote-ipv6-prefix-pool" from PPP secret over PPP profile; *) qsfp - do not show "sfp-wavelength" for cables that do not support it; *) snmp - fixed health related OID polling (introduced in v6.46); *) supout - fixed autosupout.rif file generation (introduced in v6.46); *) system - fixed "*.auto.rsc" file execution (introduced in v6.46); *) user-manager - fixed "db-path" parameter validation (introduced in v6.46); *) webfig - fixed skin folder presence (introduced in v6.46); *) winbox - fixed "allowed-number" parameter setting invalid value in "Tool/SMS" menu; *) winbox - show "LCD" menu only on boards that have LCD screen; *) wireless - added "russia4" regulatory domain information; *) wireless - improved compatibility by adding default installation mode and gain for devices with integrated antennas; *) wireless - improved compatibility for Switzerland wireless country profile to improve compliance with ETSI regulations; What's new in 6.46 (2019-Dec-02 11:16): MAJOR CHANGES IN v6.46: ---------------------- !) lora - added support for LoRaWAN low-power wide-area network technology for MIPSBE, MMIPS and ARM; !) package - accept only packages with original filenames (CVE-2019-3976); !) package - improved package signature verification (CVE-2019-3977); !) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979); ---------------------- Changes in this release: *) backup - fixed automatic backup file generation when configuration reset by button; *) backup - store automatically created backup file in "flash" directory; *) bonding - correctly remove HW offloaded bonding with ARP monitoring; *) bonding - properly handle MAC addresses when bonding WLAN interfaces; *) bridge - disable/enable bridge port when setting bpdu-guard; *) bridge - do not add bridge as untagged VLAN member when frame-types=admit-only-vlan-tagged; *) bridge - do not add dynamically VLAN entry when changing "pvid" property for non-vlan aware bridge; *) bridge - include whole VLAN-id in DHCP Option 82 message; *) btest - removed duplicate "duration" parameter; *) capsman - fixed background scan showing incorrect regulatory domain mismatch error (CAP upgrade required); *) capsman - fixed channel auto reselection; *) capsman - fixed MAC address detection for "common-name" parameter in certificate requests; *) capsman - improved DFS channel switching when radar detected; *) capsman - improved radar detection algorithm; *) ccr - improved general system stability; *) certificate - added progress bar when creating certificate request; *) certificate - added support for certificate request signing with EC keys; *) certificate - allow specifying "file-name" parameter for export (CLI only); *) certificate - allow specifying "name" parameter for import (CLI only); *) certificate - improved CRL updating process; *) certificate - removed "key-size" parameter for "create-certificate-request" command; *) chr - added support for Azure guest agent; *) console - added bitwise operator support for "ip6" data type; *) console - fixed "address" column width when printing DHCPv4 leases; *) console - fixed IP conversion to "num" data type; *) console - fixed "tobool" conversion; *) console - properly detect IPv6 address as "ip6" data type; *) crs1xx/2xx - allow to set trunk port as mirroring target; *) crs3xx - correctly handle L2MTU change; *) crs3xx - do not send pause frames when ethernet "tx-flow-control" is disabled on CRS326/CRS328/CRS305 devices; *) crs3xx - improved interface initialization; *) crs3xx - improved switch-chip resource allocation on CRS317-1G-16S+, CRS309-1G-8S+, CRS312-4C+8XG, CRS326-24S+2Q+ devices; *) crs3xx - improved system stability on CRS309-1G-8S+, CRS312-4C+8XG, CRS326-24S+2Q+ devices; *) crs3xx - remove previously set mirror-source property before changing it; *) defconf - fixed default configuration loading on RBmAPL-2nD (introduced in v6.45); *) defconf - require "policy" permission to print default configuration; *) dhcpv4-client - allow empty "dhcp-options" parameter when adding new client; *) dhcpv4-client - fixed "dhcp-options" parameter setting when adding new client; *) dhcpv4-server - improved stability when RADIUS Interim update is sent; *) dhcpv6-client - fixed timeout when doing rebind; *) dhcpv6-client - properly update bind time when unused prefix received from the server; *) dhcpv6-client - properly update IPv6 address on rebind; *) dhcpv6-server - fixed logged error message when using "address-pool=static-only"; *) dhcpv6-server - ignore prefix-hint from client's DHCPDISCOVER if static prefix received from RADIUS; *) dhcpv6-server - include "User-Name" parameter in accounting requests; *) dhcpv6-server - made "calling-station-id" contain MAC address if DUID contains it; *) dot1x - added "reject-vlan-id" server parameter (CLI only); *) dot1x - added support for dynamic switch rules from RADIUS; *) dot1x - added support for "mac-auth" authentication type (CLI only); *) ethernet - automatically detect interface when using IP address for power-cycle-ping; *) ethernet - do not enable interface after reboot that is already disabled; *) ethernet - send requests only from ethernet interface when using MAC address for power-cycle-ping; *) export - always export "ssid" value for w60g interfaces; *) fetch - do not allocate extra 500KiB on SMIPS; *) fetch - improved stability when processing large output data; *) gps - use "serial1" as default port on RBLtAP-2HnD; *) hotspot - fixed non-local NAT redirection to port TCP/64873; *) hotspot - fixed RADIUS CoA "address-list" update; *) ike1 - fixed minor spelling mistake in logs; *) ike2 - improved CHILD SA rekey process with Apple iOS 13; *) ike2 - improved stability when retransmitting first packet as responder; *) ipsec - added "error" topic for identity check failure logging messages; *) ipsec - fixed DNS resolving when domain has only AAAA entries; *) ipsec - fixed policy "sa-src-address" detection from "local-address" (introduced in v6.45); *) ipv6 - changed "advertise-dns" default value to "yes"; *) led - fixed default LED configuration for RBLHG-2nD and RBLHG-5HPnD; *) log - increased log message length limit to 1024 characters; *) lte - added support for D402 modem; *) lte - added support for LM960A18; *) lte - added support for Telit LM960 and LE910C1 modems; *) lte - do not allow setting 3G and GSM modes on LTE only modems; *) lte - fixed band setting on R11e-4G; *) lte - fixed network registration on R11e-LTE-US; *) lte - fixed Sierra WP7601 driver loading; *) lte - fix "operator" names not being displayed properly; *) lte - improved modem initialization; *) lte - show "primary-band" only for LTE modems; *) lte - use /128 prefix for IPv6 address on LTE interface; *) lte - use interface from RA when "ipv6-interface=none" and IPv6 enabled; *) ppp - added 3GPP IoT "access-technology" definitions; *) ppp - added support for Sierra WP7601; *) ppp - disable DTR send when using at-chat; *) quickset - added "LTE AP Dual" mode support; *) quickset - added "LTE APN" dropdown support; *) quickset - fixed "LTE Band" checkbox display; *) route - fixed area range summary route installation in VRF; *) routerboard - fixed default CPU frequency on RB750r2 ("/system routerboard upgrade" required); *) routerboard - fixed USB configuration export on RBLtAP-2HnD; *) routerboard - hide "memory-frequency" parameter for RBLtAP-2HnD; *) sniffer - allow filtering by packet size; *) snmp - added "disabled" and "comment" parameters for communities; *) snmp - added option to monitor "link-downs" parameter using MIKROTIK-MIB; *) snmp - fixed "dot1dBasePort" index offset for BRIDGE-MIB; *) snmp - fixed "ifLastChange" OID reporting for IF-MIB; *) snmp - fixed "radio-name" (mtxrWlRtabRadioName) OID support; *) snmp - improved interface status reporting for IfOperStatus OID; *) snmp - improved LLDP interface returned index and type; *) snmp - return only interfaces with MAC addresses for LLDP; *) snmp - use "src-address" also for traps; *) ssh - fixed output printing when "command" parameter used; *) supout - include information from all LTE interfaces; *) supout - removed "file" option from "/system sup-output" command; *) switch - added "comment" property for switch vlan menu (CLI only); *) switch - correctly update dynamic switch rule when dhcp-snooping is enabled; *) switch - ignore "default-vlan-id" property after switch reset on RTL8367 switch chip; *) switch - show "external" flag for bridge hosts on MT7621, RTL8367 switch chips; *) timezone - updated time zone database to version 2019c; *) tr069-client - added CellDiagnostics parameter support; *) tr069-client - added LTE band and cellular technology selection parameters; *) tr069-client - added LTE RSCP, ECNO and ICCID parameter support; *) tr069-client - added multiple LTE monitoring parameters; *) tr069-client - reconnect to ACS when "ConnectionRequestURL" is updated; *) upgrade - improved auto package updating using "check-for-updates"; *) ups - improved compatibility with APC UPS's; *) usb - general USB modem stability improvements; *) userman - updated Authorize.Net to use SHA512 hashing; *) w60g - added "region" setting to limit allowed frequencies (CLI only); *) w60g - do not reset link when changing comment on station; *) w60g - fixed "monitor" command on disabled interfaces; *) w60g - move stations to new bridge when "put-in-bridge" parameter is changed; *) webfig - fixed link to Winbox download; *) winbox - added "ip-address" and stats columns in "IP/Kid-Control/Devices" menu; *) winbox - added "public-address-ipv6" parameter to "IP/Cloud" menu; *) winbox - added "reset-counters" button to "IP/Kid Control/Devices" menu; *) winbox - added "tx-info-field" parameter to "Wireless/W60G" menu; *) winbox - added "Vendor Classes" tab in "IP/DHCP Server" menu; *) winbox - added wireless alignment LED types to "System/LEDs" menu; *) winbox - fixed allowed range for bridge filter "new-priority" parameter; *) winbox - fixed "CAPs Scanner" stopping; *) winbox - fixed "cluster-id" parameter setting in "Routing/BGP/Instances" menu; *) winbox - fixed file locking when uploading multiple files at once; *) winbox - fixed firewall limit parameter support for rates more than 4G; *) winbox - fixed invalid flag presence in "IP/SMB/Shares" menu; *) winbox - fixed "Routing" menu icon presence when there is no routing package installed; *) winbox - improved stability when transfering multiple files between multiple windows; *) winbox - properly show timestamp in file "Creation Time" field; *) winbox - removed "Set CA Passphrase" button from "Certificate" menu; *) winbox - renamed "Queue Limit" to "Queue Size" for "pcq-upload-default" and "pcq-download-default" parameters; *) winbox - replaced "kb" with "KiB" in "Tools/Packet Sniffer" menu; *) winbox - show "Switch" menu on RBwAPGR-5HacD2HnD; *) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature; *) wireless - added 4 chain MCS support for 802.11n wireless protocol (CLI only); *) wireless - added "ETSI" regulatory domain information; *) wireless - added "indonesia4" regulatory domain information; *) wireless - added "push-button-5s" value for "wps-mode" parameter; *) wireless - added U-NII-2 support forRBSXTsqG-5acD, RBLHGG-5acD-XL, RBLHGG-5acD, RBLDFG-5acD, RBDiscG-5acD; *) wireless - allow using "canada2" regulatory domain on US lock devices; *) wireless - fixed 802.11n rate selection when managed by CAPsMAN; *) wireless - fixed RX chain selection; *) wireless - fixed sensor MAC address reporting in TZSP header; *) wireless - improved 802.11ac stability for all ARM devices with wireless; *) wireless - improved IPQ4019, QCA9984, QCA9888 wireless interface stability; *) wireless - updated "ukraine" regulatory domain information; *) wireless - updated "united-states" regulatory domain information; What's new in 6.45.7 (2019-Oct-24 08:44): MAJOR CHANGES IN v6.45.7: ---------------------- !) lora - added support for LoRaWAN low-power wide-area network technology for MIPSBE, MMIPS and ARM; !) package - accept only packages with original filenames (CVE-2019-3976); !) package - improved package signature verification (CVE-2019-3977); !) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979); ---------------------- Changes in this release: *) capsman - fixed frequency setting requiring multiple frequencies; *) capsman - fixed newline character missing on some logging messages; *) conntrack - properly start manually enabled connection tracking; *) crs312 - fixed combo SFP port toggling (introduced in v6.44.5); *) crs3xx - correctly display link rate when 10/100/1000BASE-T SFP modules are used in SFP+ interfaces; *) crs3xx - fixed management access when using switch rule "new-vlan-priority" property; *) export - fixed "bootp-support" parameter export; *) ike2 - fixed phase 1 rekeying (introduced in v6.45); *) led - fixed default LED configuration for RBLHG5nD; *) lte - fixed modem not receiving IP configuration when roaming (introduced in v6.45); *) radius - fixed open socket leak when invalid packet is received (introduced in v6.44); *) sfp - fixed "sfp-rx-power" value for some transceivers; *) snmp - improved reliability on SNMP service packet validation; *) system - improved system stability for devices with AR9342 SoC; *) winbox - show SFP tab for QSFP interfaces; *) wireless - added "canada2" regulatory domain information; *) wireless - improved stability when setting fixed primary and secondary channels on RB4011iGS+5HacQ2HnD-IN; What's new in 6.45.6 (2019-Sep-10 09:06): Important note!!! Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading. Old API authentication method will also no longer work, see documentation for new login procedure: https://wiki.mikrotik.com/wiki/Manual:API#Initial_login *) capsman - fixed regulatory domain information checking when doing background scan; *) conntrack - improved system stability when using h323 helper (introduced in v6.45); *) crs3xx - fixed "egress-rate" property on CRS309-1G-8S+, CRS312-4C+8XG, CRS326-24S+2Q+ devices; *) qsfp - clear SFP monitoring data on port enable; *) qsfp - correctly display SFP monitoring data; *) qsfp - fixed EEPROM checksum validation; *) qsfp - show more QSFP module diagnostics; *) wireless - include last frequency when manually setting frequency step in "scan-list"; What's new in 6.45.5 (2019-Aug-26 10:56): Important note!!! Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading. Old API authentication method will also no longer work, see documentation for new login procedure: https://wiki.mikrotik.com/wiki/Manual:API#Initial_login *) crs328 - adjust fan speed based on SFP and CPU temperature; *) dhcpv4-server - fixed "Acct-Output-Octets" reporting to RADIUS; *) health - improved fan control on CRS3xx and CCR1016-12S-1S+r2; *) ike2 - don't release policy on rekey when child not found; *) ike2 - fixed ID validation with multiple SAN; *) ike2 - fixed policy port selection for responder with natted initiator; *) ike2 - fixed traffic selector address family selection when using IPv6; *) ike2 - improved rekeying process with Windows initiators; *) ike2 - properly start all initiators to the same remote address; *) ipsec - allow inline "passphrase" parameter when importing keys; *) ipsec - fixed "eap-radius" authentication method (introduced in v6.45); *) ipsec - fixed minor spelling mistakes in logs; *) lte - fixed cell information monitoring on R11e-LTE-US (introduced in v6.45.2); *) lte - fixed LTE interface disappearing on RBSXTLTE3-7; *) smb - improved stability on x86 and CHR (CVE-2019-16160); *) snmp - fixed encrypted data sequence (introduced in v6.44.5); *) ssh - fixed carriage return presence in subsequent sessions; *) switch - fix port isolation for non-CRS series switch chips; *) system - accept only valid string for "name" parameter in "disk" menu (CVE-2019-15055); *) upnp - fixed XML parsing (FG-VD-19-110); *) watchdog - renamed "no-ping-delay" parameter to "ping-start-after-boot"; *) winbox - added "auto-erase" parameter to "Tools/SMS" menu; *) winbox - added "https-redirect" parameter to "IP/Hotspot/Profiles menu"; *) winbox - added "revision" parameter to "System/Routerboard" menu; *) winbox - removed "max-sms" parameter from "Tools/SMS" menu; *) wireless - fixed basic rate reporting in snooper; What's new in 6.45.4 (2019-Aug-13 09:04): (factory only release) What's new in 6.45.3 (2019-Jul-29 12:11): Important note!!! Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading. Old API authentication method will also no longer work, see documentation for new login procedure: https://wiki.mikrotik.com/wiki/Manual:API#Initial_login *) certificate - renew certificates via SCEP when 3/4 of lifetime reached; *) crs317 - fixed multicast packet receiving (introduced in v6.45); *) hotspot - fixed default profile values not being used (introduced in v6.45); *) rb4011 - fixed SFP+ interface linking (introduced in v6.45.2); *) smips - reduced RouterOS main package size (disabled LTE modem, dot1x and SwOS support); *) supout - fixed SIM slot printing (introduced in v6.45); *) wireless - improved U-APSD (WMM Power Save) support for 802.11e; What's new in 6.45.2 (2019-Jul-17 10:04): Important note!!! Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading. Old API authentication method will also no longer work, see documentation for new login procedure: https://wiki.mikrotik.com/wiki/Manual:API#Initial_login *) bonding - fixed bonding running status after reboot when using other bonds as slave interfaces (introduced in v6.45); *) cloud - properly stop "time-zone-autodetect" after disable; *) interface - fixed missing PWR-LINE section on PL7411-2nD and PL6411-2nD (introduced v6.44); *) ipsec - added "connection-mark" parameter for mode-config initiator; *) ipsec - allow peer argument only for "encrypt" policies (introduced in v6.45); *) ipsec - fixed peer configuration migration from versions older than v6.43 (introduced in v6.45); *) ipsec - improved stability for peer initialization (introduced in v6.45); *) ipsec - show warning for policies with "unknown" peer; *) ospf - fixed possible busy loop condition when accessing OSPF LSAs; *) profile - added "internet-detect" process classificator; *) radius - fixed "User-Password" encoding (introduced in v6.45); *) ssh - do not enable "none-crypto" if "strong-crypto" is enabled on upgrade (introduced in v6.45); *) ssh - fixed executed command output printing (introduced in v6.45); *) supout - fixed supout file generation outside of internal storage with insufficient space; *) upgrade - fixed "auto-upgrade" to use new style authentication (introduced in v6.45); *) vlan - fixed "slave" flag for non-running interfaces (introduced in v6.45); *) wireless - improved 802.11ac stability for all ARM devices with wireless; *) wireless - improved range selection when distance set to "dynamic"; What's new in 6.45.1 (2019-Jun-27 10:23): Important note!!! Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading. Old API authentication method will also no longer work, see documentation for new login procedure: https://wiki.mikrotik.com/wiki/Manual:API#Initial_login MAJOR CHANGES IN v6.45.1: ---------------------- !) dot1x - added support for IEEE 802.1X Port-Based Network Access Control; !) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator; !) security - fixed vulnerabilities CVE-2019-13954, CVE-2019-13955; !) security - fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479; !) security - fixed vulnerability CVE-2019-13074; !) user - removed insecure password storage; ---------------------- Changes in this release: *) bridge - correctly display bridge FastPath status when vlan-filtering or dhcp-snooping is used; *) bridge - correctly handle bridge host table; *) bridge - fixed log message when hardware offloading is being enabled; *) bridge - improved stability when receiving traffic over USB modem with bridge firewall enabled; *) capsman - fixed CAP system upgrading process for MMIPS; *) capsman - fixed interface-list usage in access list; *) ccr - improved packet processing after overloading interface; *) certificate - added "key-type" field; *) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1); *) certificate - fixed self signed CA certificate handling by SCEP client; *) certificate - made RAM the default CRL storage location; *) certificate - removed DSA (D) flag; *) certificate - removed "set-ca-passphrase" parameter; *) chr - legacy adapters require "disable-running-check=yes" to be set; *) cloud - added "replace" parameter for backup "upload-file" command; *) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160); *) conntrack - significant stability and performance improvements; *) crs317 - fixed known multicast flooding to the CPU; *) crs3xx - added ethernet tx-drop counter; *) crs3xx - correctly display auto-negotiation information for SFP/SFP+ interfaces in 1Gbps rate; *) crs3xx - fixed auto negotiation when 2-pair twisted cable is used (downshift feature); *) crs3xx - fixed "tx-drop" counter; *) crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305; *) defconf - added "custom-script" field that prints custom configuration installed by Netinstall; *) defconf - automatically set "installation" parameter for outdoor devices; *) defconf - changed default configuration type to AP for cAP series devices; *) defconf - fixed channel width selection for RU locked devices; *) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration; *) dhcp - do not require lease and binding to have the same configuration for dual-stack queues; *) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues; *) dhcpv4-server - added "client-mac-limit" parameter; *) dhcpv4-server - added IP conflict logging; *) dhcpv4-server - added RADIUS accounting support with queue based statistics; *) dhcpv4-server - added "vendor-class-id" matcher (CLI only); *) dhcpv4-server - improved stability when performing "check-status" command; *) dhcpv4-server - replaced "busy" lease status with "conflict" and "declined"; *) dhcpv6-client - added option to disable rapid-commit; *) dhcpv6-client - fixed status update when leaving "bound" state; *) dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time"; *) dhcpv6-server - added "address-list" support for bindings; *) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters; *) dhcpv6-server - added RADIUS accounting support with queue based statistics; *) dhcpv6-server - added "route-distance" parameter; *) dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server; *) dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS; *) discovery - correctly create neighbors from VLAN tagged discovery messages; *) discovery - fixed CDP packets not including address on slave ports (introduced in v6.44); *) discovery - improved neighbour's MAC address detection; *) discovery - limit max neighbour count per interface based on total RAM memory; *) discovery - show neighbors on actual mesh ports; *) e-mail - include "message-id" identification field in e-mail header; *) e-mail - properly release e-mail sending session if the server's domain name can not be resolved; *) ethernet - added support for 25Gbps and 40Gbps rates; *) ethernet - fixed running (R) flag not present on x86 interfaces and CHR legacy adapters; *) ethernet - increased loop warning threshold to 5 packets per second; *) fetch - added SFTP support; *) fetch - improved user policy lookup; *) firewall - fixed fragmented packet processing when only RAW firewall is configured; *) firewall - process packets by firewall when accepted by RAW with disabled connection tracking; *) gps - fixed missing minus close to zero coordinates in dd format; *) gps - make sure "direction" parameter is upper case; *) gps - strip unnecessary trailing characters from "longtitude" and "latitude" values; *) gps - use "serial0" as default port on LtAP mini; *) hotspot - added "interface-mac" variable to HTML pages; *) hotspot - moved "title" HTML tag after "meta" tags; *) ike1 - adjusted debug packet logging topics; *) ike2 - added support for ECDSA certificate authentication (rfc4754); *) ike2 - added support for IKE SA rekeying for initiator; *) ike2 - do not send "User-Name" attribute to RADIUS server if not provided; *) ike2 - improved certificate verification when multiple CA certificates received from responder; *) ike2 - improved child SA rekeying process; *) ike2 - improved XAuth identity conversion on upgrade; *) ike2 - prefer SAN instead of DN from certificate for ID payload; *) ippool - improved logging for IPv6 Pool when prefix is already in use; *) ipsec - added dynamic comment field for "active-peers" menu inherited from identity; *) ipsec - added "ph2-total" counter to "active-peers" menu; *) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods; *) ipsec - added traffic statistics to "active-peers" menu; *) ipsec - disallow setting "src-address" and "dst-address" for transport mode policies; *) ipsec - do not allow adding identity to a dynamic peer; *) ipsec - fixed policies becoming invalid after changing priority; *) ipsec - general improvements in policy handling; *) ipsec - properly drop already established tunnel when address change detected; *) ipsec - renamed "remote-peers" to "active-peers"; *) ipsec - renamed "rsa-signature" authentication method to "digital-signature"; *) ipsec - replaced policy SA address parameters with peer setting; *) ipsec - use tunnel name for dynamic IPsec peer name; *) ipv6 - improved system stability when receiving bogus packets; *) ltap - renamed SIM slots "up" and "down" to "2" and "3"; *) lte - added initial support for Vodafone R216-Z; *) lte - added passthrough interface subnet selection; *) lte - added support for manual operator selection; *) lte - allow setting empty APN; *) lte - allow to specify URL for firmware upgrade "firmware-file" parameter; *) lte - do not show error message for info commands that are not supported; *) lte - fixed session reactivation on R11e-LTE in UMTS mode; *) lte - improved firmware upgrade process; *) lte - improved "info" command query; *) lte - improved R11e-4G modem operation; *) lte - renamed firmware upgrade "path" command to "firmware-file" (CLI only); *) lte - show alphanumeric value for operator info; *) lte - show correct firmware revision after firmware upgrade; *) lte - use default APN name "internet" when not provided; *) lte - use secondary DNS for DNS server configuration; *) m33g - added support for additional Serial Console port on GPIO headers; *) ospf - added support for link scope opaque LSAs (Type 9) for OSPFv2; *) ospf - fixed opaque LSA type checking in OSPFv2; *) ospf - improved "unknown" LSA handling in OSPFv3; *) ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066); *) ppp - added initial support for Quectel BG96; *) proxy - increased minimal free RAM that can not be used for proxy services; *) rb3011 - improved system stability when receiving bogus packets; *) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required); *) rb921 - improved system stability ("/system routerboard upgrade" required); *) routerboard - renamed 'sim' menu to 'modem'; *) sfp - fixed S-35LC20D transceiver DDMI readouts after reboot; *) sms - added USSD message functionality under "/tool sms" (CLI only); *) sms - allow specifying multiple "allowed-number" values; *) sms - improved delivery report logging; *) snmp - added "dot1dStpPortTable" OID; *) snmp - added OID for neighbor "interface"; *) snmp - added "write-access" column to community print; *) snmp - allow setting interface "adminStatus"; *) snmp - fixed "send-trap" not working when "trap-generators" does not contain "temp-exception"; *) snmp - fixed "send-trap" with multiple "trap-targets"; *) snmp - improved reliability on SNMP service packet validation; *) snmp - properly return multicast and broadcast packet counters for IF-MIB OIDs; *) ssh - accept remote forwarding requests with empty hostnames; *) ssh - added new "ssh-exec" command for non-interactive command execution; *) ssh - fixed non-interactive multiple command execution; *) ssh - improved remote forwarding handling (introduced in v6.44.3); *) ssh - improved session rekeying process on exchanged data size threshold; *) ssh - keep host keys when resetting configuration with "keep-users=yes"; *) ssh - use correct user when "output-to-file" parameter is used; *) sstp - improved stability when received traffic hits tarpit firewall; *) supout - added IPv6 ND section to supout file; *) supout - added "kid-control devices" section to supout file; *) supout - added "pwr-line" section to supout file; *) supout - changed IPv6 pool section to output detailed print; *) switch - properly reapply settings after switch chip reset; *) tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only); *) tile - improved link fault detection on SFP+ ports; *) tr069-client - added LTE CQI and IMSI parameter support; *) tr069-client - fixed potential memory corruption; *) tr069-client - improved error reporting with incorrect firware upgrade XML file; *) traceroute - improved stability when sending large ping amounts; *) traffic-generator - improved stability when stopping traffic generator; *) tunnel - removed "local-address" requirement when "ipsec-secret" is used; *) userman - added support for "Delegated-IPv6-Pool" and "DNS-Server-IPv6-Address" (CLI only); *) w60g - do not show unused "dmg" parameter; *) w60g - prefer AP with strongest signal when multiple APs with same SSID present; *) w60g - show running frequency under "monitor" command; *) winbox - added "System/SwOS" menu for all dual-boot devices; *) winbox - do not allow setting "dns-lookup-interval" to "0"; *) winbox - show "LCD" menu only on boards that have LCD screen; *) wireless - fixed frequency duplication in the frequency selection menu; *) wireless - fixed incorrect IP header for RADIUS accounting packet; *) wireless - improved 160MHz channel width stability on rb4011; *) wireless - improved DFS radar detection when using non-ETSI regulated country; *) wireless - improved installation mode selection for wireless outdoor equipment; *) wireless - set default SSID and supplicant-identity the same as router's identity; *) wireless - updated "china" regulatory domain information; *) wireless - updated "new zealand" regulatory domain information; *) www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473); What's new in 6.45 (2019-Jun-21 09:00): (factory only release) What's new in 6.44.4 (2019-May-09 12:14): (factory only release) What's new in 6.44.3 (2019-Apr-23 12:37): *) certificate - fixed SAN being duplicated on status change (introduced in v6.44); *) conntrack - fixed "loose-tcp-tracking" parameter not taken in action (introduced in v6.44); *) dhcpv4-server - fixed commenting option for alerts; *) dhcpv6-server - fixed binding setting update from RADIUS; *) ike1 - improved stability for transport mode policies on initiator side; *) ipsec - fixed freshly created identity not taken in action (introduced in v6.44); *) ipsec - fixed possible configuration corruption after import (introduced in v6.44); *) ipv6 - adjusted IPv6 route cache max size; *) ipv6 - improved IPv6 neighbor table updating process; *) lte - reset LTE modem only when SIM slot is changed on dual SIM slot devices; *) rb2011 - removed "sfp-led" from "System/LEDs" menu; *) smb - fixed possible buffer overflow; *) snmp - added "radio-name" (mtxrWlRtabRadioName) OID support; *) ssh - added "both", "local" and "remote" options for "forwarding-enabled" parameter; *) ssh - do not generate host key on configuration export; *) ssh - fixed multiline non-interactive command execution; *) switch - fixed possible crash when interface state changes and DHCP Snooping is enabled; *) userman - updated authorize.net gateway DNS name; *) wireless - added support for US FCC UNII-2 and Canada country profiles for LHG-5HPnD-US, RBLHG-5HPnD-XL-US and SXTsq5HPnD-US devices; *) wireless - improved wireless country settings for EU countries; What's new in 6.44.2 (2019-Apr-01 12:47): MAJOR CHANGES IN v6.44.2: ---------------------- !) ipv6 - fixed soft lockup when forwarding IPv6 packets; !) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table; ---------------------- Changes in this release: *) ipv6 - adjust IPv6 route cache max size based on total RAM memory; What's new in 6.44.1 (2019-Mar-13 08:38): Changes in this release: *) bridge - fixed possible memory leak when using "ingress-filtering=yes" on bridge interface; *) certificate - force 3DES encryption for P12 certificate export; *) dhcp - fixed dual stack queue addition; *) dhcpv6-server - use MAC address for RADIUS user when "allow-dual-stack-queue=yes"; *) e-mail - fixed missing "from" address for sent e-mails (introduced in v6.44); *) gps - increase precision for dd format; *) gps - removed unnecessary leading "0" for dd format; *) ipsec - allow identities with empty XAuth login and password if RADIUS is enabled (introduced in v6.44); *) ipsec - fixed dynamic L2TP peer and identity configuration missing after reboot (introduced in v6.44); *) ipsec - use "remote-id=ignore" for dynamic L2TP configuration (introduced in v6.44); *) ipv6 - do not allow setting "preferred-lifetime" longer than "valid-lifetime"; *) lte - do not show "session-uptime" if session is not up; *) lte - fixed LTE interface band setting on RBSXTLTE3-7 (introduced in v6.44); *) rb4011 - fixed ether10 failing to auto negotiate link speed to 1Gbps; *) winbox - added "use-local-address" parameter in "IP/Cloud" menu; *) wireless - fixed antenna gain setting on RBSXT5nDr2; What's new in 6.44 (2019-Feb-25 14:11): MAJOR CHANGES IN v6.44: ---------------------- !) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only); !) ipsec - added new "identity" menu with common peer distinguishers; !) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode; !) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu; !) radius - initial implementation of RadSec (RADIUS communication over TLS); !) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only); ---------------------- Changes in this release: *) bgp - properly update keepalive time after peer restart; *) bridge - added option to monitor fast-forward status; *) bridge - count routed FastPath packets between bridge ports under FastPath bridge statistics; *) bridge - disable fast-forward when using SlowPath features; *) bridge - fixed BOOTP packet forwarding when DHCP Snooping is enabled; *) bridge - fixed DHCP Option 82 parsing when using DHCP Snooping; *) bridge - fixed log message when hardware offloading is being enabled; *) bridge - fixed packet forwarding when changing MSTI VLAN mappings; *) bridge - fixed packet forwarding with enabled DHCP Snooping and Option 82; *) bridge - fixed possible memory leak when using MSTP; *) bridge - fixed system's identity change when DHCP Snooping is enabled (introduced in v6.43); *) bridge - improved packet handling when hardware offloading is being disabled; *) bridge - improved packet processing when bridge port changes states; *) btest - added multithreading support for both UDP and TCP tests; *) btest - added warning message when CPU load exceeds 90% (CLI only); *) capsman - always accept connections from loopback address; *) certificate - added support for multiple "Subject Alt. Names"; *) certificate - enabled RC2 cipher to allow P12 certificate decryption; *) certificate - fixed certificate signing by SCEP client if multiple CA certificates are provided; *) certificate - show digest algorithm used in signature; *) chr - assign interface names based on underlying PCI device order on KVM; *) chr - distribute NIC queue IRQ's evenly across all CPUs; *) chr - fixed IRQ balancing when using more than 32 CPUs; *) chr - improved system stability when insufficient resources are allocated to the guest; *) cloud - added "ddns-update-interval" parameter; *) cloud - do not reuse old UDP socket if routing changes are detected; *) cloud - ignore "force-update" command if DDNS is disabled; *) cloud - improved DDNS service disabling; *) cloud - made address updating faster when new public address detected; *) conntrack - added new "loose-tcp-tracking" parameter (equivalent to "nf_conntrack_tcp_loose" in netfilter); *) console - renamed IP protocol 41 to "ipv6-encap"; *) console - updated copyright notice; *) crs317 - fixed packet forwarding when LACP is used with hw=no; *) crs3xx - fixed packet forwarding through SFP+ ports when using 100Mbps link speed; *) crs3xx - improved fan control stability; *) defconf - fixed configuration not generating properly on upgrade; *) defconf - fixed default configuration loading on RB4011iGS+5HacQ2HnD-IN; *) defconf - fixed IPv6 link-local address range in firewall rules; *) dhcp - added "allow-dual-stack-queue" setting for IPv4/IPv6 DHCP servers to control dynamic lease/binding behaviour; *) dhcp - properly load DHCP configuration if options are configured; *) dhcpv4-server - added "parent-queue" parameter (CLI only); *) dhcpv4-server - added "User-Name" attribute to RADIUS accounting messages; *) dhcpv4-server - fixed service becoming unresponsive after interface leaves and enters the same bridge; *) dhcpv4-server - use ARP for conflict detection; *) dhcpv6-client - use default route distance also for unreachable route added by DHCPv6 client; *) dhcpv6-server - allow to add DHCPv6 server with pool that does not exist; *) dhcpv6-server - fixed missing gateway for binding's network if RADIUS authentication was used; *) dhcpv6-server - improved DHCPv6 server stability when using "print" command; *) dhcpv6-server - show "client-address" parameter for bindings; *) discovery - detect proper slave interface on bounded interfaces; *) discovery - fixed malformed neighbor information for routers that has incomplete IPv6 configuration; *) discovery - send master port in "interface-name" parameter; *) discovery - show neighbors on actual bridge port instead of bridge itself for LLDP; *) e-mail - added info log message when e-mail is sent successfully; *) e-mail - added support for multiple transactions on single connection; *) ethernet - added "tx-rx-1024-max" counter to Ethernet stats; *) ethernet - fixed IPv4 and IPv6 packet forwarding on IPQ4018 devices; *) ethernet - fixed linking issues on wAP ac, RB750Gr2 and Metal 52 ac (introduced in v6.43rc52); *) ethernet - fixed packet forwarding when SFP interface is disabled on hEX S; *) ethernet - fixed VLAN1 forwarding on RB1100AHx4 and RB4011 devices; *) ethernet - improved per core ethernet traffic classificator on mmips devices; *) export - fixed "silent-boot" compact export; *) fetch - added "http-header-field" parameter; *) fetch - added option to specify multiple headers under "http-header-field", including content type; *) fetch - fixed "without-paging" option; *) fetch - improved file downloading to slow memory; *) fetch - improved stability when using HTTP mode; *) fetch - removed "http-content-type" parameter; *) gps - increase precision for dd format; *) gps - moved "coordinate-format" from "monitor" command to "set" parameter; *) health - improved fan control stability on CRS328-24P-4S+RM; *) hotspot - added "https-redirect" under server profiles; *) hotspot - added per-user NAT rule generation based on "incoming-filter" and "outgoing-filter" parameters; *) ike1 - do not allow using RSA-key and RSA-signature authentication methods simultaneously on single peer; *) ike1 - fixed memory leak; *) ike2 - added option to specify certificate chain; *) ike2 - added peer identity validation for RSA auth (disabled after upgrade); *) ike2 - allow to match responder peer by "my-id=fqdn" field; *) ike2 - fixed local address lookup when initiating new connection; *) ike2 - improved subsequent phase 2 initialization when no childs exist; *) ike2 - properly handle certificates with empty "Subject"; *) ike2 - retry RSA signature validation with deduced digest from certificate; *) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received; *) ike2 - show weak pre-shared-key warning; *) interface - added "pwr-line" interface support (more information will follow in next newsletter); *) ipsec - added account log message when user is successfully authenticated; *) ipsec - added basic pre-shared-key strength checks; *) ipsec - added new "remote-id" peer matcher; *) ipsec - allow to specify single address instead of IP pool under "mode-config"; *) ipsec - fixed active connection killing when changing peer configuration; *) ipsec - fixed all policies not getting installed after startup (introduced in v6.43.8); *) ipsec - fixed stability issues after changing peer configuration (introduced in v6.43); *) ipsec - hide empty prefixes on "peer" menu; *) ipsec - improved invalid policy handling when a valid policy is uninstalled; *) ipsec - made dynamic "src-nat" rule more specific; *) ipsec - made peers autosort themselves based on reachability status; *) ipsec - moved "profile" menu outside "peer" menu; *) ipsec - properly detect AES-NI extension as hardware AEAD; *) ipsec - removed limitation that allowed only single "auth-method" with the same "exchange-mode" as responder; *) ipsec - require write policy for key generation; *) kidcontrol - added IPv6 support; *) kidcontrol - added "reset-counters" command for "device" menu (CLI only); *) kidcontrol - added statistics web interface for kids (http://router.lan/kid-control); *) kidcontrol - added "tur-fri", "tur-mon", "tur-sat", "tur-sun", "tur-thu", "tur-tue", "tur-wed" parameters; *) kidcontrol - dynamically discover devices from DNS activity; *) kidcontrol - fixed validation checks for time intervals; *) kidcontrol - properly detect time zone changes; *) kidcontrol - use "/128" prefix-length for IPv6 addresses; *) l2tp - fixed IPsec secret not being updated when "ipsec-secret" is changed under L2TP client configuration; *) lcd - made "pin" parameter sensitive; *) led - fixed default LED configuration for RBSXTsq-60ad; *) led - fixed default LED configuration for wAP 60G AP devices; *) led - fixed PWR-LINE AP Ethernet LED polarity ("/system routerboard upgrade" required); *) lldp - fixed missing capabilities fields on some devices; *) log - accumulate multiple e-mail messages before sending; *) lte - added additional ID support for Novatel USB730L modem; *) lte - added "cell-monitor" command for R11e-LTE international modem (CLI only); *) lte - added "ecno" field for "info" command; *) lte - added "firmware-upgrade" command for R11e-LTE international modems (CLI only); *) lte - added initial support for multiple APN for R11e-4G (new modem firmware required); *) lte - added initial support for Telit LN940; *) lte - added multiple APN support for R11e-4G; *) lte - added option to lock the LTE operator; *) lte - added support for JioFi JMR1040 modem; *) lte - fixed connection issue when LTE modem was de-registered from network for more than 1 minute; *) lte - fixed DHCP IP acquire (introduced in v6.43.7); *) lte - fixed DHCP relay packet forwarding when in passthrough mode; *) lte - fixed IPv6 activation for R11e-LTE-US modems; *) lte - fixed Jaton/SQN modems preventing router from booting properly; *) lte - fixed LTE interface not working properly after reboot on RBSXTLTE3-7; *) lte - fixed missing running (R) flag for Jaton LTE modems; *) lte - fixed passthrough DHCP address forward when other address is acquired from operator; *) lte - fixed reported "rsrq" precision (introduced in v6.43.8); *) lte - improved compatibility for Alt38xx modems; *) lte - improved SIM7600 initialization after reset; *) lte - improved SimCom 7100e support; *) lte - query "cfun" on initialization; *) lte - require write policy for at-chat; *) lte - update firmware version information after R11e-LTE/R11e-4G firmware upgrade; *) netinstall - do not show kernel failure critical messages in the log after fresh install; *) ntp-client - fixed "dst-active" and "gmt-offset" being updated after synchronization with server; *) port - improved "remote-serial" TCP performance in RAW mode; *) ppp - added "at-chat" command; *) ppp - fixed dynamic route creation towards VPN server when "add-default-route" is used; *) profiler - classify kernel crypto processing as "encrypting"; *) profile - removed obsolete "file-name" parameter; *) proxy - removed port list size limit; *) radius - implemented Proxy-State attribute handling in CoA and disconnect requests; *) rb3011 - implemented multiple engine IPsec hardware acceleration support; *) rb4011 - fixed SFP+ interface full duplex and speed parameter behavior; *) rb4011 - improved SFP+ interface linking to 1Gbps; *) rbm33g - improved stability when used with some USB devices; *) romon - improved reliability when processing RoMON packets on CHR; *) routerboard - removed "RB" prefix from PWR-LINE AP devices; *) routerboard - require at least 10 second interval between "reformat-hold-button" and "max-reformat-hold-button"; *) smb - added commenting option for SMB users (CLI only); *) smb - fixed macOS clients not showing share contents; *) smb - fixed Windows 10 clients not able to establish connection to share; *) sniffer - save packet capture in "802.11" type when sniffing on w60g interface in "sniff" mode; *) snmp - added "dot1qPortVlanTable" and "dot1dBasePortTable" OIDs; *) snmp - changed fan speed value type to Gauge32; *) snmp - fixed "rsrq" reported precision; *) snmp - fixed w60g station table; *) snmp - removed "rx-sector" ("Wl60gRxSector") value; *) snmp - report bridge ifSpeed as "0"; *) snmp - report ifSpeed 0 for sub-layer interfaces; *) ssh - added "allow-none-crypto" parameter to disable "none" encryption usage (CLI only); *) ssh - added error log message when key exchange fails; *) ssh - close active SSH connections before IPsec connections on shutdown; *) ssh - fixed public key format compatibility with RFC4716; *) supout - fixed "poe-out" output not showing all interfaces; *) supout - fixed Profile output on single core devices; *) switch - added comment field to switch ACL rules; *) switch - fixed ACL rules on IPQ4018 devices; *) system - accept only valid path for "log-file" parameter in "port" menu; *) system - removed obsolete "/driver" command; *) tr069-client - added "check-certificate" parameter to allow communication without certificates; *) tr069-client - added "connection-request-port" parameter (CLI only); *) tr069-client - added support for InformParameter object; *) tr069-client - fixed certificate verification for certificates with IP address; *) tr069-client - fixed HTTP cookie getting duplicated with the same key; *) tr069-client - increased reported "rsrq" precision; *) traceroute - improved stability when sending large ping amounts; *) traffic-flow - reduced minimal value of "active-flow-timeout" parameter to 1s; *) tunnel - properly clear dynamic IPsec configuration when removing/disabling EoIP with DNS as "remote-address"; *) upgrade - made security package depend on DHCP package; *) usb - improved power-reset error message when no bus specified on CCR1072-8G-1S+; *) usb - improved USB device powering on startup for hAP ac^2 devices; *) usb - increased default power-reset timeout to 5 seconds; *) userman - added first and last name fields for signup form; *) userman - show redirect location in error messages; *) user - require "write" permissions for LTE firmware update; *) vrrp - made "password" parameter sensitive; *) w60g - added "10s-average-rssi" parameter to align mode (CLI only); *) w60g - added align mode "/interface w60g align" (CLI only); *) w60g - fixed scan in bridge mode; *) w60g - improved PtMP performance; *) w60g - improved reconnection detection; *) w60g - improved "tx-packet-error-rate" reading; *) w60g - renamed disconnection message when license level did not allow more connected clients; *) w60g - renamed "frequency-list" to "scan-list"; *) watchdog - allow specifying DNS name for "send-smtp-server" parameter; *) webfig - improved file handling; *) winbox - added 4th chain selection for "HT TX chains" and "HT RX chains" under "CAPsMAN/CAP Interface/Wireless" tab; *) winbox - added "allow-dual-stack-queue" parameter in "IP/DHCP Server" and "IPv6/DHCP Server" menus; *) winbox - added "challenge-password" field when signing certificate with SCEP; *) winbox - added "conflict-detection" parameter in "IP/DHCP Server" menu; *) winbox - added "coordinate-format" parameter in LTE interface settings; *) winbox - added "radio-name" setting to "CAPsMAN/CAP Interface/General" tab; *) winbox - added "secondary-channel" setting to "CAPsMAN/CAP Interface/Channel" tab; *) winbox - added src/dst address and in/out interface list columns to default firewall menu view; *) winbox - added support for dynamic devices in "IP/Kid Control/Devices" tab; *) winbox - allow setting "network-mode" to "auto" under LTE interface settings; *) winbox - allow specifying interface lists in "CAPsMAN/Access List" menu; *) winbox - fixed "IPv6/Firewall" "Connection limit" parameter not allowing complete IPv6 prefix lengths; *) winbox - fixed L2MTU parameter setting on "W60G" type interfaces; *) winbox - fixed "LCD" menu not shown on RB2011UiAS-2HnD; *) winbox - fixed missing w60g interface status values; *) winbox - improved file handling; *) winbox - moved "Too Long" statistics counter to Ethernet "Rx Stats" tab; *) winbox - organized wireless parameters between simple and advanced modes; *) winbox - renamed "Default AP Tx Rate" to "Default AP Tx Limit"; *) winbox - renamed "Default Client Tx Rate" to "Default Client Tx Limit"; *) winbox - show "R" flag under "IPv6/DHCP Server/Bindings" tab; *) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature; *) winbox - show "W60G" wireless tab on wAP 60G AP; *) wireless - added new "installation" parameter to specify router's location; *) wireless - improved AR5212 response to incoming ACK frames; *) wireless - improved connection stability for new model Apple devices; *) wireless - improved NV2 performance for all ARM devices; *) wireless - improved signal strength at low TX power on LHG 5 ac, LHG 5 ac XL and LDF 5 ac ("/system routerboard upgrade" required); *) wireless - improved system stability for all ARM devices with wireless; *) wireless - improved system stability for all devices with 802.11ac wireless; *) wireless - improved system stability when scanning for other networks; *) wireless - removed G/N support for 2484MHz in "japan" regulatory domain; *) wireless - report last seen IP address in RADIUS accounting messages; *) wireless - show "installation" parameter when printing configuration; What's new in 6.43.12 (2019-Feb-08 11:46): MAJOR CHANGES IN v6.43.12: ---------------------- !) winbox - improvements in connection handling to router with open winbox service (CVE-2019–3924); ---------------------- What's new in 6.43.11 (2019-Feb-04 12:24): *) ipsec - accept only valid path for "export-pub-key" parameter in "key" menu; *) quickset - fixed "country" parameter not properly setting regulatory domain configuration; *) smb - fixed possible buffer overflow; *) w60g - fixed disconnection issues in PtMP setups; *) wireless - improved antenna gain setting for devices with built in antennas; *) wireless - show indoor/outdoor frequency limitations under "/interface wireless info country-info" command; What's new in 6.43.10 (2019-Jan-24 07:09): (factory only release) What's new in 6.43.9 (2019-Jan-10 07:11): (factory only release) What's new in 6.43.8 (2018-Dec-21 07:10): MAJOR CHANGES IN v6.43.8: ---------------------- !) telnet - do not allow to set "tracefile" parameter; ---------------------- Changes in this release: *) bridge - fixed IPv6 link-local address generation when auto-mac=yes; *) capsman - fixed "group-key-update" parameter not using correct units; *) crs3xx - improved data transmission between 10G and 1G ports; *) console - properly remove system note after configuration reset; *) dhcpv4-server - fixed dynamic lease reuse after expiration; *) dhcpv6-server - properly handle DHCP requests that include prefix hint; *) ethernet - fixed VLAN1 forwarding on RB1100AHx4 and RB4011 devices; *) gps - added "coordinate-format" parameter; *) led - fixed default LED configuration for RBMetalG-52SHPacn; *) led - fixed PWR-LINE AP ethernet led polarity ("/system routerboard upgrade" required); *) lte - disallow setting LTE interface as passthrough target; *) lte - fixed DHCP IP acquire (introduced in v6.43.7); *) lte - fixed passthrough functionality when interface is removed; *) lte - increased reported "rsrq" precision; *) lte - reset USB when non-default slot is used; *) package - use bundled package by default if standalone packages are installed as well; *) resource - fixed "total-memory" reporting on ARM devices; *) snmp - added "tx-ccq" ("mtxrWlStatTxCCQ") and "rx-ccq" ("mtxrWlStatRxCCQ") values; *) switch - fixed MAC learning when disabling interfaces on devices with Atheros8327 and QCA8337 switch chips; *) system - fixed situation when all configuration was not properly loaded on bootup; *) timezone - fixed "Europe/Dublin" time zone; *) upgrade - automatically uninstall standalone package if already installed in bundle; *) webfig - do not show bogus VHT field in wireless interface advanced mode; *) winbox - added "allow-roaming" parameter in "Interface/LTE" menu; *) winbox - allow to change VHT rates when 5ghz-n/ac band is used; *) winbox - renamed "Radius" to "RADIUS"; *) winbox - show "Switch" menu on RB4011iGS+5HacQ2HnD and RB4011iGS+; *) wireless - added new "installation" parameter to specify router's location; *) wireless - improved stability for 802.11ac; *) wireless - improvements in wireless frequency selection; What's new in 6.43.7 (2018-Nov-30 09:01): MAJOR CHANGES IN v6.43.7: ---------------------- !) upgrade - release channels renamed - "bugfix" to "long-term", "current" to "stable" and "release candidate" to "testing"; !) upgrade - "testing" release channel now can contain "beta" together with "release-candidate" versions; ---------------------- Changes in this release: *) bridge - properly disable dynamic CAP interfaces; *) certificate - fixed "expires-after" parameter calculation; *) certificate - fixed time zone adjustment for SCEP requests; *) certificate - properly flush old CRLs when changing store location; *) chr - fixed possible memory allocation failure when using multiple CPUs or interfaces on Xen installations; *) crs328 - fixed SFP ports not reporting auto-negotiation status; *) crs328 - improved link status update on disabled SFP and SFP+ interfaces; *) defconf - automatically accept default configuration if reset done by holding button; *) defconf - fixed default configuration loading on RB4011iGS+5HacQ2HnD-IN; *) discovery - fixed malformed neighbor information for routers that has incomplete IPv6 configuration; *) discovery - fixed neighbor discovery for PPP interfaces; *) discovery - properly use System ID for "software-id" value on CHR; *) export - fixed "silent-boot" compact export; *) health - fixed bad voltage readings on RB493G; *) interface - improved system stability when including/excluding a list to itself; *) ipsec - fixed hw-aead (H) flag presence under Installed SAs on startup; *) ipsec - improved stability when uninstalling multiple SAs at once; *) ipsec - properly handle peer profiles on downgrade; *) ipsec - properly update warnings under peer menu; *) kidcontrol - do not allow users with "read" policy to pause and resume kids; *) log - properly handle long echo messages; *) lte - added support for more ZTE MF90 modems; *) ospf - improved stability while handling type-5 LSAs; *) routerboard - renamed SIM slots to "a" and "b" on SXT LTE kit; *) routerboard - show "boot-os" and "force-backup-booter" options only on devices that have such feature; *) snmp - do not initialise interface traps on bootup if they are not enabled; *) timezone - updated timezone information from tzdata2018g release; *) traffic-flow - fixed post NAT port reporting; *) traffic-flow - fixed "src-mac-address" and added "post-src-mac-address" fields; *) tunnel - made "ipsec-secret" parameter sensitive; *) usb - fixed power-reset for hAP ac^2 devices; *) user - speed up first time login process after upgrade from version older than v6.43; *) winbox - allow to specify SIM slot on LtAP mini; *) winbox - enabled "fast-forward" by default when adding new bridge; *) winbox - fixed neighbor discovery for IPv6 neighbors; *) winbox - show "System/Health" only on boards that have health monitoring; What's new in 6.43.6 (2018-Nov-07 10:40): (factory only release) What's new in 6.43.5 (2018-Oct-25 12:37): (factory only release) What's new in 6.43.4 (2018-Oct-17 06:37): Changes in this release: *) bridge - do not learn untagged frames when filtering only tagged packets; *) bridge - fixed possible memory leak when VLAN filtering is used; *) bridge - improved packet handling when hardware offloading is being disabled; *) bridge - properly forward unicast DHCP messages when using DHCP Snooping with hardware offloading; *) crs328 - improved link status update on disabled SFP+ interface when using DAC; *) crs3xx - fixed possible memory leak when disabling bridge interface; *) crs3xx - properly read "eeprom" data after different module inserted in disabled interface; *) dhcpv4-server - use client MAC address for dual stack queue when "client-id" is not received; *) dhcpv6-server - fixed dynamic binding addition on solicit when IA_PD does not contain prefix (introduced in v6.43); *) dhcpv6-server - recreate DHCPv6 server binding if it is no longer within prefix pool when rebinding/renewing; *) ipsec - allow multiple peers to the same address with different local-address (introduced in v6.43); *) led - added "dark-mode" functionality for LHG and LDF series devices; *) led - added "dark-mode" functionality for wsAP ac lite, RB951Ui-2nD, hAP and hAP ac lite devices; *) led - fixed default LED configuration for SXT LTE kit devices; *) led - fixed power LED turning on after reboot when "dark-mode" is used; *) ntp - fixed possible NTP server stuck in "started" state; *) romon - improved packet processing when MTU in path is lower than 1500; *) routerboard - show "boot-os" option only on devices that have such feature; *) traffic-flow - fixed post NAT port reporting; *) w60g - added "frequency-list" setting; *) w60g - added interface stats; *) w60g - fixed interface LED status update on connection; *) w60g - general stability and performance improvements; *) w60g - improved stability for short distance links; *) w60g - renamed "mcs" to "tx-mcs" and "phy-rate" to "tx-phy-rate"; What's new in 6.43.3 (2018-Oct-05 13:12): (factory only release) What's new in 6.43.2 (2018-Sep-18 12:12): Changes in this release: *) routerboot - fixed RouterOS booting on devices with particular NAND memory (introduced in v6.43); What's new in 6.43.1 (2018-Sep-17 06:53): Changes in this release: *) crs317 - fixed packet forwarding on bonded interfaces without hardware offloading; *) defconf - properly clear global variables when generating default configuration after RouterOS upgrade; *) dhcpv6-client - log only failed pool additions; *) hotspot - properly update dynamic "walled-garden" entries when changing "dst-host"; *) ike2 - fixed rare authentication and encryption key mismatches after rekey with PFS enabled; *) lte - fixed LTE interface not working properly after reboot on RBSXTLTE3-7; *) rb3011 - added IPsec hardware acceleration support; *) routerboard - fixed memory tester reporting false errors on IPQ4018 devices ("/system routerboard upgrade" required); *) sniffer - made "connection", "host", "packet" and "protocol" sections read-only; *) switch - fixed port mirroring on devices that do not support CPU Flow Control; *) upnp - improved UPnP service stability when handling HTTP requests; *) webfig - allow to change user name when creating a new system user (introduced in v6.43); *) webfig - fixed time interval settings not applied properly under "IP/Kid Control/Kids" menu; *) winbox - added "allow-dual-stack-queue" setting to "IP/DHCP Server/Leases" menu; *) winbox - added "allow-dual-stack-queue" setting to "IPv6/DHCPv6 Server/Bindings" menu; *) winbox - fixed corrupt user database after specifying allowed address range (introduced in v6.43); *) winbox - make bridge port "untrusted" by default when creating new port; *) winbox - show "IP/Cloud" menu on CHR; *) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature; *) wireless - removed "czech republic 5.8" regulatory domain information as it overlaps with "ETSI 5.7-5.8"; What's new in 6.43 (2018-Sep-06 12:44): MAJOR CHANGES IN v6.43: ---------------------- !) api - changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login); !) backup - do not encrypt backup file unless password is provided; !) btest - requires at least v6.43 Bandwidth Test client when connecting to v6.43 or later version server except when authentication is not required; !) cloud - added IPv6 support; !) cloud - added support for licensed CHR instances (including trial); !) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process); !) radius - use MS-CHAPv2 for "login" service authentication; !) romon - require at least v6.43 RoMON agent when connecting to v6.43 or later RoMON client device; !) webfig - improved authentication process; !) winbox - improved authentication process excluding man-in-the-middle possibility; !) winbox - minimal required version is v3.15; ---------------------- Changes in this release: *) backup - added support for new backup file encryption (AES128-CTR) with signatures (SHA256); *) backup - generate proper file name when devices identity is longer than 32 symbols; *) bridge - add dynamic CAP interface to tagged ports if "vlan-mode=use-tag" is enabled; *) bridge - added an option to manually specify ports that have a multicast router (CLI only); *) bridge - added a warning when untrusted port receives a DHCP Server message when DCHP Snooping is enabled; *) bridge - added ingress filtering options to bridge interface; *) bridge - added initial Q-in-Q support; *) bridge - added more options to fine-tune IGMP Snooping enabled bridges (CLI only); *) bridge - added per-port based "tag-stacking" feature; *) bridge - added support for BPDU Guard; *) bridge - added support for DHCP Option 82; *) bridge - added support for DHCP Snooping; *) bridge - added support for IGMP Snooping fast-leave feature (CLI only); *) bridge - fixed dynamic VLAN table entries when using ingress filtering; *) bridge - fixed "ingress-filtering", "frame-types" and "tag-stacking" value storing; *) bridge - forward LACPDUs when "protocol-mode=none"; *) bridge - ignore tagged BPDUs when bridge VLAN filtering is used; *) bridge - improved packet handling; *) bridge - improved packet processing when bridge port changes states; *) bridge - improved performance when bridge VLAN filtering is used without hardware offloading; *) bridge - renamed option "vlan-protocol" to "ether-type"; *) capsman - added ability to use chain 3 for "HT TX chains" and "HT RX chains" selections (CLI only); *) capsman - allow to change "radio-name" (CLI only); *) capsman - increase timeout for the CAP to CAPsMAN communication; *) certificate - added "expires-after" parameter; *) certificate - do not allow to perform "undo" on certificate changes; *) certificate - fixed RA "server-url" setting; *) check-installation - improved system integrity checking; *) chr - added checksum offload support for Hyper-V installations; *) chr - added large send offload support for Hyper-V installations; *) chr - added multiqueue support on Xen installations; *) chr - added support for multiqueue feature on "virtio-net"; *) chr - added virtual Receive Side Scaling support for Hyper-V installations (might require more RAM assigned than in previous versions); *) chr - by default enable link state tracking for virtual drivers with "/interface ethernet disable-running-check=no"; *) chr - do not show IRQ entries from removed devices; *) chr - fixed interface name assign process when running CHR on Hyper-V; *) chr - fixed interface name order when "virtio-net is not being used on KVM installations; *) chr - fixed MTU changing process when running CHR on Hyper-V; *) chr - fixed NIC hotplug for "virtio-net"; *) chr - improved balooning process; *) chr - improved boot time for Hyper-V installations; *) chr - provide part of network interface GUID at the beginning of "bindstr2" value when running CHR on Hyper-V; *) chr - reduced RAM memory required per interface; *) cloud - added simultaneous IPv4/IPv6 support; *) cloud - close local UDP port if no activity; *) console - added "dont-require-permissions" parameter for scripts; *) console - added error log message when netwatch tries to execute script with insufficient permissions; *) console - added error log message when scheduler tries to execute script with insufficient permissions; *) console - do not show spare parameters on ping command; *) console - made "once" parameter mandatory when using "as-value" on "monitor" commands; *) console - removed automatic swapping of "from=" and "to=" in "for" loops; *) crs317 - fixed Ethernet inteface stuck on 100 Mbps speed; *) crs326/crs328 - fixed packet forwarding when port changes states with IGMP Snooping enabled; *) crs328 - fixed transmit on sfp-sfpplus1 and sfp-sfpplus2 interfaces; *) crs3xx - added hardware support for DHCP Snooping and Option 82; *) crs3xx - added Q-in-Q hardware offloading support; *) crs3xx - do not report SFP interface as running when interface on opposite side is disabled; *) crs3xx - fixed ACL rate rules (introduced in v6.41rc27); *) crs3xx - fixed flow control; *) crs3xx - fixed SwOS config import; *) defconf - fixed default configuration for RBSXTsq5nD; *) defconf - fixed missing bridge ports after configuration reset; *) dhcp - added dynamic IPv4/IPv6 "dual-stack" simple queue support, based on client's MAC address; *) dhcp - reduced resource usage of DHCP services; *) dhcpv4-client - fixed DHCP client that was stuck on invalid state; *) dhcpv4-client - fixed double ACK packet handling; *) dhcpv4-server - added "allow-dual-stack-queue" implementation (CLI only); *) dhcpv4-server - do not allow override lease "always-broadcast" value based on offer type; *) dhcpv4-server - improved performance when "rate-limit" and/or "address-list" setting is present; *) dhcpv6-client - added missing "Server identifier" parameter in release message; *) dhcpv6-client - fixed "add-default-route" parameter; *) dhcpv6-client - fixed option handling; *) dhcpv6-client - improved dynamic IPv6 pool addition process; *) dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time"; *) dhcpv6-server - added "allow-dual-stack-queue" implementation (CLI only); *) dhcpv6-server - added initial dynamic simple queue support; *) dhcpv6-server - do not allow to run DHCPv6 server on slave interface; *) dhcpv6-server - fixed dynamic simple queue creation for RADIUS bindings; *) dns - fixed DNS cache service becoming unresponsive when active Hotspot server is present on the router (introduced in 6.42); *) dude - fixed client auto upgrade (broken since 6.43rc17); *) ethernet - do not show "combo-state" field if interface is not SFP or copper; *) ethernet - properly handle Ethernet interface default configuration; *) export - do not show w60g password on "hide-sensitive" type of export; *) fetch - added "as-value" output format; *) fetch - fixed address and DNS verification in certificates; *) filesystem - fixed NAND memory going into read-only mode (requires "factory-firmware" >= 3.41.1 and "current-firmware" >= 6.43); *) filesystem - improved software crash handling on devices with FLASH type memory; *) health - added missing parameters from export; *) health - fixed voltage measurements for RB493G devices; *) health - improved speed of health measurement readings; *) hotspot - allow to properly configure Hotspot directory on external disk for devices that have flash type storage; *) hotspot - fixed RADIUS CoA & PoD by allowing to accept "NAS-Port-Id"; *) ike1 - added unsafe configuration warning for main mode with pre-shared-key authentication; *) ike1 - purge both SAs when timer expires; *) ike1 - zero out reserved bytes in NAT-OA payload; *) ike2 - fixed initiator first policy selection; *) ike2 - fixed rekeyed child deletion during another exchange; *) ike2 - improved basic exchange logging readability; *) ike2 - use "/32" netmask by default on initiator if not provided by responder; *) interface - improved interface "last-link-down-time" and "last-link-up-time" values; *) interface - improved reliability on dynamic interface handling; *) ippool - improved used address error message; *) ipsec - added "responder" parameter for "mode-config" to allow multiple initiator configurations; *) ipsec - added "src-address-list" parameter for "mode-config" that generates dynamic "src-nat" rule; *) ipsec - added warning messages for incorrect peer configuration; *) ipsec - do not allow removal of "proposal" and "mode-config" entries that are in use; *) ipsec - fixed AES-192-CTR fallback to software AEAD on ARM devices with wireless and RB3011UiAS-RM; *) ipsec - fixed AES-CTR and AES-GCM key size proposing as initiator; *) ipsec - fixed "static-dns" value storing; *) ipsec - improved invalid policy handling when a valid policy is uninstalled; *) ipsec - improved reliability on generated policy addition when IKEv1 or IKEv2 used; *) ipsec - improved stability when using IPsec with disabled route cache; *) ipsec - install all DNS server addresses provided by "mode-config" server; *) ipsec - separate phase1 proposal configuration from peer menu; *) ipsec - separate phase1 proposal configuration from peer menu; *) ipsec - use monotonic timer for SA lifetime check; *) kidcontrol - allow to edit discovered devices; *) l2tp - allow setting "max-mtu" and "max-mru" bigger than 1500; *) led - improved w60g alignment trigger; *) leds - fixed LED behaviour when bonding is configured on SFP+ interfaces; *) log - fixed false log warnings about system status after power on for CRS328-4C-20S-4S+; *) log - show interface name on OSPF "different MTU" info log messages; *) lte - added additional D-Link PIDs; *) lte - added additional ID support for SIM7600 modem; *) lte - added additional low endpoint SIM7600 PIDs; *) lte - added eNB ID to info command; *) lte - added extended LTE signal info for SIM7600 modules; *) lte - added extended signal information for Quectel LTE EC25 and EP06 modem; *) lte - added ICCID reading for info command R11e-LTE and R11e-LTE-US; *) lte - added "registration-status" parameter under "/interface lte info" command; *) lte - added roaming status reading for info command; *) lte - added "sector-id" to info command; *) lte - added support for alternative SIM7600 PID; *) lte - added support for Novatel USB730LN modem with new ID; *) lte - added support for Quanta 1k6e modem; *) lte - allow to execute concurrent internal AT commands; *) lte - allow to use multiple PLS modems at the same time; *) lte - do not allow to remove default APN profile; *) lte - do not allow to send "at-chat" commands for configless modems; *) lte - expose GPS channel for PLS modems; *) lte - fixed LTE registration in 2G/3G mode; *) lte - fixed SIM7600 registration info; *) lte - fixed SIM7600 series module support with newer device IDs; *) lte - ignore empty MAC addresses during Passthrough discovery phase; *) lte - improved modem event processing; *) lte - improved r11e-LTE and r11e-LTE-US dialling process; *) lte - improved r11e-LTE configuration exchange process; *) lte - improved reading of SMS message after entering running state; *) lte - improved readings of info command results for the SXT LTE; *) lte - improved stability of USB LTE interface detection process; *) lte - properly detect interface state when running for IPv6 only connection for R11e-LTE modem; *) lte - renamed LTE scan tool field "scan-code" to "mcc-mnc"; *) lte - show UICC in correct format for SXT LTE devices; *) lte - use "/32" address for the Passthrough feature when R11e-LTE module is used; *) lte - use alphanumeric operator format in info command; *) mac-telnet - improved reliability when connecting from RouterOS versions prior 6.43; *) multicast - allow to add more than one RP per IP address for PIM; *) ntp - allow to specify link-local address for NTP server; *) ospf - improved link-local LSA flooding; *) ospf - improved stability when originating LSAs with OSPFv3; *) package - renamed "current-version" to "installed-version" under "/system package install"; *) ppp - added support for additional ID for E3531 modem; *) ppp - added support for Alfa Network U4G modem; *) ppp - added support for Telit LM940 modem; *) ppp - improved modem mode switching; *) ppp - show comments from "/ppp secrets" menu within "/ppp active" menu when client is connected; *) quickset - recognize 160 MHz channel as HomeAP mode; *) rb1100ahx4 - added DES and 3DES hardware acceleration support; *) romon - fixed RoMON services becoming unavailable after disabled once during active scanning process; *) romon - properly classify RoMON sessions in log and active users list; *) routerboard - allow to fill up to half of the RAM memory with files on devices with FLASH storage; *) routerboard - fixed "protected-routerboot" feature (introduced in v6.42); *) routerboard - fixed wrongly reported RAM size on ARM devices; *) routerboot - removed RAM test from TILE devices (routerboot upgrade required); *) sfp - fixed default advertised link speeds; *) smb - fixed valid request handling when additional options are used; *) sms - converted "keep-max-sms" feature to "auto-erase"; *) sms - do not require "port" and "interface" parameters when sending SMS if already present in configuration; *) sms - improved reliability on SMS reader; *) snmp - added CAPsMAN "remote-cap" table; *) snmp - added EAP identity to CAPsMAN registration table; *) snmp - added "phy-rate" reading for "station-bridge" mode; *) snmp - added "temp-exception" trap; *) snmp - fixed interface speed reporting for predefined rates; *) snmp - fixed "remote-cap" peer MAC address format; *) ssh - disconnect all active connections when device gets rebooted or turned off; *) ssh - strengthen strong-crypto (add aes-128-ctr and disallow hmac sha1 and groups with sha1); *) supout - added "files" section to supout file; *) supout - added info log message when supout file is created; *) supout - added monitored bridge VLAN table to supout file; *) supout - added "w60g" section to supout file; *) switch - added CPU Flow Control settings for devices with a Atheros8227, QCA8337, Atheros8327, Atheros7240 or Atheros8316 switch chip; *) switch - added support for port isolation by switch chip; *) switch - fixed possible switch chip hangs after initialization on MediaTek and Atheros8327 switch chips; *) swos - implemented "/system swos" menu that allows to upgrade, reset, save or load configuration and change address for dual-boot CRS devices (CLI only); *) tile - added DES and 3DES hardware acceleration support; *) tile - fixed false HW offloading flag for MPLS; *) tr069-client - allow editing of "provisioning-code" attribute; *) tr069-client - fixed setting of "DeviceInfo.ProvisioningCode" parameter; *) tr069-client - use SNI extension for HTTPS; *) upgrade - fixed RouterOS upgrade process from RouterOS v5 on PowerPC; *) ups - improved UPS serial parsing stability; *) usb - fixed modem initialisation on LtAP mini; *) usb - fixed power-reset for hAP ac^2 devices; *) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades); *) userman - fixed "shared-secret" parameter requiring "sensitive" policy; *) vrrp - improved reliability on VRRP interface configured as a bridge port when "use-ip-firewall" is enabled; *) w60g - added "beamforming-event" stats counter; *) w60g - fixed random disconnects; *) w60g - general stability and performance improvements; *) watchdog - added "ping-timeout" setting; *) webfig - do not automatically re-log in after logging out; *) webfig - fixed occasional authentication failure when logging in; *) webfig - fixed www service becoming unresponsive; *) webfig - properly display time interval within Kid Control menu; *) webfig - properly handle double clicking when logging in or out; *) webfig - properly show NTP clients "last-adjustment" value; *) winbox - added bridge Fast Forward statistics counters; *) winbox - added "poe-fault" LED trigger; *) winbox - added "tag-stacking" option to "Bridge/Ports"; *) winbox - allow to specify LTE interface when sending SMS; *) winbox - fixed arrow key handling within table filter fields; *) winbox - fixed "bad-blocks" value presence under "System/Resources"; *) winbox - fixed bridge port MAC learning parameter values; *) winbox - fixed "IP/IPsec/Peers" section sorting; *) winbox - fixed "write-sect-since-reboot" value presence under "System/Resources"; *) winbox - properly close session when uploading multiple files to the device at the same time; *) winbox - removed duplicate "20/40/80MHz" value from "channel-width" setting options; *) winbox - renamed "VLAN Protocol" to "EtherType" under bridge interface "VLAN" tab; *) winbox - show HT MCS tab when "5ghz-n/ac" band is used; *) winbox - show "Switch" menu on hAP ac^2 devices; *) winbox - show "System/RouterBOARD/Mode Button" on devices that has such feature; *) wireless - accept only valid path for sniffer output file parameter; *) wireless - accept only valid path for sniffer output file parameter; *) wireless - added "czech republic 5.8" regulatory domain information; *) wireless - added "etsi2" regulatory domain information; *) wireless - added option for RADIUS "called-station-id" format selection; *) wireless - added option to disable PMKID for WPA2; *) wireless - do not disconnect clients when WDS master connects with MAC address "00:00:00:00:00:00"; *) wireless - fixed "/interface wireless sniffer packet print follow" output; *) wireless - fixed wireless interface lockup after period of inactivity; *) wireless - improved Nv2 reliability on ARM devices; *) wireless - improved Nv2 stability for 802.11n interfaces on RB953, hAP ac and wAP ac devices; *) wireless - require "sniff" policy for wireless sniffer; *) wireless - updated "czech republic" regulatory domain information; *) wireless - updated "germany 5.8 ap" and "germany 5.8 fixed p-p" regulatory domain information; *) x86 - improved Ethernet driver for Davicom DM9x0x; What's new in 6.42.7 (2018-Aug-17 09:48): MAJOR CHANGES IN v6.42.7: ---------------------- !) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159; ---------------------- *) bridge - improved bridge port state changing process; *) crs326/crs328 - fixed untagged packet forwarding through tagged ports when pvid=1; *) crs3xx - added command that forces fan detection on fan-equipped devices; *) crs3xx - fixed port disable on CRS326 and CRS328 devices; *) crs3xx - fixed tagged packet forwarding without VLAN filtering (introduced in 6.42.6); *) crs3xx - fixed VLAN filtering when there is no tagged interface specified; *) dhcpv4-relay - fixed false invalid flag presence; *) dhcpv6-client - allow to set "default-route-distance"; *) dhcpv6 - improved reliability on IPv6 DHCP services; *) dhcpv6-server - properly update interface for dynamic DHCPv6 servers; *) ethernet - improved large packet handling on ARM devices with wireless; *) ethernet - removed obsolete slave flag from "/interface vlan" menu; *) ipsec - fixed "sa-src-address" deduction from "src-address" in tunnel mode; *) ipsec - improved invalid policy handling when a valid policy is uninstalled; *) ldp - properly load LDP configuration; *) led - fixed default LED configuration for RBLHGG-5acD-XL devices; *) lte - added signal readings under "/interface lte scan" for 3G and GSM modes; *) lte - fixed memory leak on USB disconnect; *) lte - fixed SMS send feature when not in LTE network; *) package - do not allow to install out of bundle package if it already exists within bundle; *) ppp - fixed interface enabling after a while if none of them where active; *) sfp - hide "sfp-wavelength" parameter for RJ45 transceivers; *) tr069-client - fixed unresponsive tr069 service when blackhole route is present; *) upgrade - fixed RouterOS upgrade process from RouterOS v5; *) userman - fixed compatibility with PayPal TLS 1.2; *) vrrp - fixed VRRP packet processing on VirtualBox and VMWare hypervisors; *) w60g - added distance measurement feature; *) w60g - fixed random disconnects; *) w60g - general stability and performance improvements; *) w60g - improved MCS rate detection process; *) w60g - improved MTU change handling; *) w60g - properly close connection with station on disconnect; *) w60g - stop doing distance measurements after first successful measurement; *) winbox - added "secondary-channel" setting to wireless interface if 80 MHz mode is selected; *) winbox - fixed "sfp-connector-type" value presence under "Interface/Ethernet"; *) winbox - fixed warning presence for "IP/IPsec/Peers" menu; *) winbox - properly display all flags for bridge host entries; *) winbox - show "System/RouterBOARD/Mode Button" on devices that has such feature; *) wireless - added option to disable PMKID for WPA2; *) wireless - fixed memory leak when performing wireless scan on ARM; *) wireless - fixed packet processing after removing wireless interface from CAP settings; *) wireless - updated "united-states" regulatory domain information; What's new in 6.42.6 (2018-Jul-06 11:56): *) bridge - improved packets processing when bridge port changes states; *) crs3xx - fixed bonding slave failover when packets are sent out of the bridge interface; *) crs3xx - fixed LACP member failover; *) crs3xx - improved link state detection when one side has disabled interface; *) defconf - fixed bridge default configuration for SOHO devices with more than 9 Ethernet interfaces; *) package - free up used storage space consumed by old RouterOS upgrades; *) snmp - fixed w60g "phy-rate" readings; *) supout - added "ip-cloud" section to supout file; *) w60g - fixed random disconnects; *) w60g - general stability and performance improvements; *) winbox - added 64,8 GHz frequency to w60g interface frequency settings; *) winbox - show "sector-writes" on devices that have such counters; What's new in 6.42.5 (2018-Jun-26 12:12): *) api - properly classify API sessions in log; *) chr - enabled promiscuous mode (requires to be enabled on host as well) when running CHR on Hyper-V; *) kidcontrol - added dynamic accept firewall rules to allow bandwidth limit when FastTrack is enabled; *) led - fixed LED default configuration for LtAP mini; *) snmp - added "rssi" and "tx-sector-info" value support for w60g type interfaces; *) snmp - added station "distance", "phy-rate", "rssi" value support for w60g type interfaces; *) ssh - allow to use "diffie-hellman-group1-sha1" on TILE and x86 devices with "strong-crypto" disabled; *) w60g - added 4th 802.11ad channel (CLI only); *) w60g - added distance measurement; *) w60g - do not reset interface after adding comment; *) w60g - general stability and performance improvements; *) w60g - improved maximum achievable distance; *) w60g - properly report center status under "tx-sector-info"; *) winbox - show "sector-writes" on ARM devices that have such counters; *) winbox - show "System/Health" only on devices that have health monitoring; What's new in 6.42.4 (2018-Jun-15 14:14): *) bridge - allow to make changes for bridge port when it is interface list; *) bridge - fixed FastPath for bridge master interfaces (introduced in v6.42); *) certificate - fixed "add-scep" template existence check when signing certificate; *) chr - fixed adding MSTI entries; *) chr - fixed boot on hosts older than Windows Server 2012 when running CHR on Hyper-V; *) chr - fixed various network hang scenarios when running CHR on Hyper-V; *) console - fixed script permissions if script is executed by other RouterOS service; *) dhcpv4-server - fixed DHCP server that was stuck on invalid state; *) health - changed "PSU-Voltage" to "PSU-State" for CRS328-4C-20S-4S+; *) health - fixed incorrect PSU index for CRS328-4C-20S-4S+; *) ipsec - improved reliability on IPsec hardware encryption for RB1100Dx4; *) kidcontrol - fixed dynamically created firewall rules order; *) led - added "dark-mode" functionality for hEX S and SXTsq 5 ac devices; *) led - fixed CCR1016-12S-1S+ LED behaviour after Netinstall (introduced in v6.41rc58); *) led - use routers uptime as a starting point when turning off LEDs if option was not enabled on boot; *) ppp - fixed "hunged up" grammar to "hung up" within PPP log messages; *) quickset - added missing wireless "channel-width" settings; *) quickset - added support for "5ghz-a/n" band when CPE mode is used; *) snmp - added remote CAP count OID for CAPsMAN; *) snmp - fixed readings for CAPsMAN slave interfaces; *) supout - added "partitions" section to supout file; *) usb - properly detect USB 3.0 flash on RBM33G when jumper is removed; *) userman - improved unique username generation process when adding batch of users; *) w60g - improved RAM memoy allocation processes; *) winbox - added missing "dscp" and "clamp-tcp-mss" settings to IPv6 tunnels; *) winbox - allow to specify full URL in SCEP certificate signing process; *) winbox - by default specify keepalive timeout value for tunnel type interfaces; *) winbox - show "scep-url" for certificates; *) winbox - show "System/Health" only on boards that have health monitoring; *) winbox - show firmware upgrade message at the bottom of "System/RouterBOARD" menu; *) wireless - enable all chains by default on devices without external antennas after configuration reset; *) wireless - improved Nv2 reliability on ARM devices; What's new in 6.42.3 (2018-May-24 09:20): *) lte - fixed automatic LTE band selection for R11e-LTE; *) wireless - improved client "channel-width" detection; *) wireless - improved Nv2 PtMP performance; *) wireless - increased stability on hAP ac^2 and cAP ac with legacy data rates; What's new in 6.42.2 (2018-May-17 09:20): *) bridge - do not allow to add same interface list to bridge more than once; *) bridge - fixed LLDP packet receiving; *) bridge - fixed processing of fragmented packets when hardware offloading is enabled; *) console - fixed type "on" and "wireless-status" LED trigger value setting (introduced in v6.42.1); *) crs317 - fixed link flapping when inserted S+RJ10 module without any cable; *) defconf - fixed wAP LTE kit default configuration; *) dhcpv4 - prevent sending out ICMP port unreachable packets; *) dhcpv4-client - fixed DHCP client stuck in renewing state; *) dhcpv6-relay - fixed missing configuration after reboot; *) filesystem - fixed NAND memory going into read-only mode; *) hotspot - fixed user authentication when queue from old session is not removed yet; *) interface - fixed "built-in=no" parameter for manually created interface lists; *) interface - fixed "dynamic" built-in interface list behaviour; *) interface - fixed interface list which include disabled member; *) interface - fixed interface list which include/exclude another list; *) interface - fixed interface configuration responsiveness; *) ipsec - fixed policies becoming invalid if added after a disabled policy; *) ipsec - improved reliability on IPsec hardware encryption for ARM devices except RB1100Dx4; *) led - added "dark-mode" functionality for hAP ac and hAP ac^2 devices; *) lte - improved LTE communication process on MMIPS platform devices; *) quickset - fixed dual radio mode detection process; *) routerboard - properly represent board name for hAP ac^2; *) tile - fixed Ethernet interfaces becoming unresponsive; *) winbox - allow to specify "any" as wireless "access-list" interface; *) winbox - fixed "/ip dhcp-server network set dns-none" parameter; *) wireless - enable all chains by default on devices without external antennas after configuration reset; *) wireless - fixed packet processing when "static-algo-0=40bit-wep" is being used (introduced in v6.42); *) wireless - fixed usage of allowed signal strength values received from RADIUS; *) wireless - improved wireless throughput on hAP ac^2 and cAP ac; *) x86 - fixed reboot caused by MAC Winbox connection; What's new in 6.42.1 (2018-Apr-23 10:46): !) winbox - fixed vulnerability that allowed to gain access to an unsecured router; *) bridge - fixed hardware offloading for MMIPS and PPC devices; *) bridge - fixed LLDP packet receiving; *) crs3xx - fixed failing connections through bonding in bridge; *) ike2 - use "policy-template-group" parameter when picking proposal as initiator; *) led - added "dark-mode" functionality for hAP ac and hAP ac^2 devices; *) led - improved w60g alignment trigger; *) lte - allow to send "at-chat" command over disabled LTE interface; *) routerboard - fixed "mode-button" support on hAP lite r2 devices; *) w60g - allow to manually set "tx-sector" value; *) w60g - fixed incorrect RSSI readings; *) w60g - show phy rate on "/interface w60g monitor" (CLI only); *) winbox - fixed bridge port MAC learning parameter values; *) winbox - show "Switch" menu on cAP ac devices; *) winbox - show correct "Switch" menus on CRS328-24P-4S+; *) wireless - improved compatibility with BCM chipset devices; What's new in 6.42 (2018-Apr-13 11:03): !) tile - improved system performance and stability ("/system routerboard upgrade" required); !) w60g - increased distance for wAP 60G to 200+ meters; *) bridge - added host aging timer for CRS3xx and Atheros hw-bridges; *) bridge - added per-port forwarding options for broadcasts, unknown-multicasts and unknown-unicasts; *) bridge - added per-port learning options; *) bridge - added support for static hosts; *) bridge - fixed "master-port" configuration conversion from pre-v6.41 RouterOS versions; *) bridge - fixed bridge port interface parameter under "/interface bridge host print detail"; *) bridge - fixed false MAC address learning on hAP ac^2 and cAP ac devices; *) bridge - fixed incorrect "fast-forward" enabling when ports were switched; *) bridge - fixed MAC learning for VRRP interfaces on bridge; *) bridge - fixed reliability on software bridges when used on devices without switch chip; *) bridge - hide options for disabled bridge features in CLI; *) bridge - show "hw" flags only on Ethernet interfaces and interface lists; *) capsman - added "allow-signal-out-of-range" option for Access List entries; *) capsman - added support for "interface-list" in Access List and Datapath entries; *) capsman - improved CAPsMAN responsiveness with large amount of CAP interfaces; *) capsman - log "signal-strength" when successfully connected to AP; *) certificate - added PKCS#10 version check; *) certificate - dropped DES support and added AES instead for SCEP; *) certificate - dropped MD5 support and require SHA1 as minimum for SCEP; *) certificate - fixed incorrect SCEP URL after an upgrade; *) chr - added "open-vm-tools" on VMware installations; *) chr - added "qemu-guest-agent" and "virtio-scsi" driver on KVM installations; *) chr - added "xe-daemon" on Xen installations; *) chr - added support for Amazon Elastic Network Adapter (ENA) driver; *) chr - added support for booting from NVMe disks; *) chr - added support for Hyper-V ballooning, guest quiescing, host-guest file transfer, integration services and static IP injection; *) chr - added support for NIC hot-plug on VMware and Xen installations; *) chr - fixed additional disk detaching on Xen installations; *) chr - fixed interface matching by name on VMware installations; *) chr - fixed interface naming order when adding more than 4 interfaces on VMware installations; *) chr - fixed suspend on Xen installations; *) chr - make additional disks visible under "/disk" on Xen installations; *) chr - make Virtio disks visible under "/disk" on KVM installations; *) chr - run startup scripts on the first boot on AWS and Google Cloud installations; *) console - fixed "idpr-cmtp" protocol by changing its value from 39 to 38; *) console - improved console stability after it has not been used for a long time; *) crs1xx/2xx - added BPDU value for "ingress-vlan-translation" menu "protocol" option; *) crs212 - fixed Ethernet boot when connected to boot server through CRS326 device; *) crs326 - fixed known multicast flooding to the CPU; *) crs3xx - added switch port "storm-rate" limiting options; *) crs3xx - added “hw-offload” support for 802.3ad and “balance-xor” bonding; *) detnet - fixed "detect-internet" feature unavailability if router had too long identity (introduced in v6.41); *) dhcp - improved DHCP service reliability when it is configured on bridge interface; *) dhcp - reduced resource usage of DHCP services; *) dhcpv4-server - added "dns-none" option to "/ip dhcp-server network dns"; *) dhcpv6 - make sure that time is set before restoring bindings; *) dhcpv6-client - added info exchange support; *) dhcpv6-client - added possibility to specify options; *) dhcpv6-client - added support for options 15 and 16; *) dhcpv6-client - implement confirm after reboot; *) dhcpv6-server - added DHCPv4 style user options; *) dns - do not generate "Undo" messages on changes to dynamic servers; *) email - set maximum number of sessions to 100; *) fetch - added "http-content-type" option to allow setting MIME type of the data in free text form; *) fetch - added "output" option for all modes in order to return result to file, variable or ignore it; *) fetch - increased maximum number of sessions to 100; *) filesystem - implemented additional system storage maintenance checks on ARM CPU based devices; *) flashfig - properly apply configuration provided by Flashfig; *) gps - improved NMEA sentence handling; *) health - added log warning when switching between redundant power supplies; *) health - fixed empty measurements on CRS328-24P-4S+RM; *) hotspot - improved HTTPS matching in Walled Garden rules; *) ike1 - display error message when peer requests "mode-config" when it is not configured; *) ike1 - do not accept "mode-config" reply more than once; *) ike1 - fixed wildcard policy lookup on responder; *) ike2 - fixed framed IP address received from RADIUS server; *) interface - improved interface configuration responsiveness; *) ippool - added ability to specify comment; *) ippool6 - added pool name to "no more addresses left" error message; *) ipsec - fixed AES-CTR and AES-GCM support on RB1200; *) ipsec - improved single tunnel hardware acceleration performance on MMIPS devices; *) ipsec - properly detect interface for "mode-config" client IP address assignment; *) ipv6 - fixed IPv6 behaviour when bridge port leaves bridge; *) ipv6 - update IPv6 DNS from RA only when it is changed; *) kidcontrol - initial work on "/ip kid-control" feature; *) led - added "Dark Mode" support for wAP 60G; *) led - added w60g alignment trigger; *) led - fixed unused "link-act-led" LED trigger on RBLHG 2nD, RBLHG 2nD-XL and RBSXTsq 2nD; *) led - removed unused "link-act-led" trigger for devices which does not use it; *) lte - added initial support for Quectel LTE EP06-E; *) lte - added initial support for SIM7600 LTE modem interface; *) lte - added support for the user and password authentication for wAP-LTE-kit-US (R11e-LTE-US); *) lte - do not add DHCP client on LTE modems that doesn't use DHCP; *) lte - fixed DHCP client adding for MF823 modem; *) lte - fixed LTE band setting for SXT LTE; *) mac-ping - fixed duplicate responses; *) modem - added initial support for AC340U; *) netinstall - fixed MMIPS RouterOS package description; *) netinstall - sign Netinstall executable with an Extended Validation Code Signing Certificate; *) netwatch - limit to read, write, test and reboot policies for Netwatch script execution; *) poe - do not show "poe-out-current" on devices which can not determine it; *) poe - hide PoE related properties on interfaces that does not provide power output; *) ppp - added initial support for NETGEAR AC340U and ZyXEL WAH1604; *) ppp - allow to override remote user PPP profile via "Mikrotik-Group"; *) quickset - fixed NAT if PPPoE client is used for Internet access; *) quickset - properly detect IP address when one of the bridge modes is used; *) quickset - properly detect LTE interface on startup; *) quickset - show "G" flag for guest users; *) quickset - use "/24" subnet for local network by default; *) r11e-lte - improved LTE connection initialization process; *) rb1100ahx4 - improved reliability on hardware encryption; *) routerboard - added RouterBOOT "auto-upgrade" after RouterOS upgrade (extra reboot required); *) routerboard - properly detect hAP ac^2 RAM size; *) sniffer - fixed "/tool sniffer packet" results listed in incorrect order; *) snmp - added "/caps-man interface print oid"; *) snmp - added "/interface w60g print oid"; *) snmp - added "board-name" OID; *) snmp - improved request processing performance for wireless and CAP interfaces; *) ssh - fixed SSH service becoming unavailable; *) ssh - generate SSH keys only on the first connect attempt instead of the first boot; *) ssh - improved key import error messages; *) ssh - remove imported public SSH keys when their owner user is removed; *) switch - hide "ingress-rate" and "egress-rate" for non-CRS3xx switches; *) tile - added "aes-ctr" hardware acceleration support; *) tr069-client - added "DownloadDiagnostics" and "UploadDiagnostics"; *) tr069-client - correctly return “TransferComplete” after vendor configuration file transfer; *) tr069-client - fixed "/tool fetch" commands executed with ".alter" script; *) tr069-client - fixed HTTPS authentication process; *) traffic-flow - fixed IPv6 destination address value when IPFIX protocol is used; *) upgrade - improved RouterOS upgrade process and restrict upgrade from RouterOS older than v5.16; *) ups - improved communication between router and UPS; *) ups - improved disconnect message handling between RouterOS and UPS; *) userman - added support for ARM and MMIPS platform; *) w60g - added "tx-power" setting (CLI only); *) w60g - added RSSI information (CLI only); *) w60g - added TX sector alignment information (CLI only); *) watchdog - retry to send "autosupout.rif" file to an e-mail if initial delivery failed up to 3 times within 20 second interval; *) winbox - added "antenna" setting under GPS settings for MIPS platform devices; *) winbox - added "crl-store" setting to certificate settings; *) winbox - added "insert-queue-before" to DHCP server; *) winbox - added "use-dn" setting in OSPF instance General menu; *) winbox - added 160 MHz "channel-width" to wireless settings; *) winbox - added DHCPv6 client info request type and updated statuses; *) winbox - added missing protocol numbers to IPv4 and IPv6 firewall; *) winbox - added possibility to delete SMS from inbox; *) winbox - allow to comment new object without committing it; *) winbox - allow to open bridge host entry; *) winbox - fixed name for "out-bridge-list" parameter under bridge firewall rules; *) winbox - fixed typo from "UPtime" to "Uptime"; *) winbox - fixed Winbox closing when viewing graph which does not contain any data; *) winbox - improved stability when using trackpad scrolling in large lists; *) winbox - made UDP local and remote TX size parameters optional in Bandwidth Test tool; *) winbox - moved "ageing-time" setting from STP to General tab; *) winbox - moved OSPF instance "routing-table" setting in OSPF instance General menu; *) winbox - removed “VLAN” section from “Switch” menu for CRS3xx devices; *) winbox - show Bridge Port PVID column by default; *) winbox - show CQI in LTE info; *) winbox - show dual SIM options only for RouterBOARDS which does have two SIM slots; *) winbox - show only master CAP interfaces under CAPsMAN wireless scan tool; *) winbox - use proper graph name for HDD graphs; *) wireless - added "realm-raw" setting for "/interface wireless interworking-profiles" (CLI only); *) wireless - added initial support for "nstreme-plus"; *) wireless - added support for "band=5ghz-n/ac"; *) wireless - added support for "interface-list" for Access List entries; *) wireless - added support for legacy AR9485 chipset; *) wireless - enable all chains by default on devices without external antennas after configuration reset; *) wireless - fixed "wds-slave" channel selection when single frequency is specified; *) wireless - fixed incompatibility with macOS clients; *) wireless - fixed long "scan-list" entries not working for ARM based wireless interfaces; *) wireless - fixed nv2 protocol on ARM platform SXTsq devices; *) wireless - fixed RB911-5HnD low transmit power issue; *) wireless - fixed RTS/CTS option for the ARM based wireless devices; *) wireless - fixed wsAP wrong 5 GHz interface MAC address; *) wireless - improved compatibility with specific wireless AC standard clients; *) wireless - improved Nv2 PtMP performance; *) wireless - improved packet processing on ARM platform devices; *) wireless - improved wireless performance on hAP ac^2 devices while USB is being used; *) wireless - improved wireless scan functionality; What's new in 6.41.4 (2018-Apr-05 12:23): !) tile - improved overall system performance and stability ("/system routerboard upgrade" required); *) led - fixed unused "link-act-led" LED trigger on RBLHG 2nD, RBLHG 2nD-XL and RBSXTsq 2nD; *) led - removed unused "link-act-led" trigger for devices which does not use it; *) netinstall - sign Netinstall executable with an Extended Validation Code Signing Certificate; *) poe - do not show "poe-out-current" on devices which can not determine it; *) poe - hide PoE related properties on interfaces which does not provide power output; *) winbox - made UDP local and remote TX size parameters optional in Bandwidth Test tool; *) winbox - show dual SIM options only for RouterBOARDs which does have two SIM slots; *) winbox - use proper graph name for HDD graphs; *) wireless - enable all chains by default on devices without external antennas after configuration reset; What's new in 6.41.3 (2018-Mar-08 11:55): !) smb - fixed buffer overflow vulnerability, everyone using this feature is urged to upgrade; !) tile - improved overall system performance and stability ("/system routerboard upgrade" required); *) chr - automatically generate new system ID on first startup; *) console - do not allow variables that start with digit to be referenced without "$" sign; *) defconf - fixed DISC Lite5 LED default configuration; *) export - fixed "/system routerboard mode-button" compact export; *) filesystem - improved error correction process on RB1100AHx4 storage; *) firewall - fixed "tls-host" firewall feature (introduced in v6.41); *) gps - added GPS port support for Quectel EC25-E modem when used in LTE mode; *) lte - fixed r11-LTE-US interface initialization process after reboot; *) romon - make "secret" field sensitive in console; *) snmp - fixed w60g SSID value; *) tile - fixed bogus voltage readings; *) tr069-client - fixed TR069 service becoming unavailable when related service package is not available; *) usb - improved packet processing over USB modems; *) winbox - fixed "/tool e-mail send" attachment behavior; *) winbox - fixed maximal ID for Traffic Generator stream; *) winbox - removed "Enable" and "Disable" buttons from IPsec "mode-config" list; *) winbox - show "D" flag under "/ip dhcp-client" menu; *) wireless - removed unused "/interface wireless registration-table monitor" command; What's new in 6.41.2 (2018-Feb-06 12:29): *) bridge - fixed ARP settings on bridge interfaces (introduced v6.41); *) discovery - fixed discovery interface list change; *) disk - fixed disk related processes becoming unresponsive after unplugging used disk; *) filesystem - fixed situations when "/flash" directory lost files after upgrade; *) ppp - do not lose "/ppp profile" script configuration after other profile parameters are edited; *) routerboard - properly report warnings under "/system routerboard" menu; *) snmp - added w60g support; *) w60g - fixed "/interface w60g reset-configuration"; *) webfig - fixed backup loading from Webfig on RouterBOARD running default configuration; *) winbox - changed default bridge port PVID value to 1; *) wireless - fixed wireless protocol mode restrictions if lockpack is installed and has limits for it; What's new in 6.41.1 (2018-Jan-30 10:26): *) bridge - fixed "mst-override" export; *) bridge - fixed allowed MSTI priority values; *) bridge - fixed ARP option changing on bridge (introduced v6.41); *) bridge - fixed hw-offload disabling for Mediatek and Realtek switches when STP/RSTP configured; *) bridge - fixed hw-offload disabling when adding a port with "horizon" set; *) bridge - fixed IGMP Snooping after disabling/enabling bridge; *) bridge - fixed interface list moving in "/interface bridge port" menu; *) bridge - fixed repetitive port "priority" set; *) bridge - fixed situation when packet could be sent with local MAC as dst-mac; *) bridge - fixed VLAN filtering when "use-ip-firewall" is enabled (introduced in v6.41); *) bridge - properly update "actual-mtu" after MTU value changes (introduced v6.41); *) btest - fixed TCP test accuracy when low TX/RX rates are used; *) certificate - do not use utf8 for SCEP challenge password; *) certificate - fixed PKCS#10 version; *) crs317 - improved transmit performance between 10G and 1G ports; *) crs326 - fixed possible packet leaking from CPU to switch ports; *) crs3xx - hide deprecated VLAN related settings in "/interface ethernet switch port" menu; *) detnet - additional work on "detect-internet" implementation; *) dhcpv4-server - fixed framed and classless route received from RADIUS server; *) discovery - fixed discovery related settings conversation during upgrade from pre-v6.41 discovery implementation (introduced v6.41); *) dude - fixed e-mail notifications when default port is not used; *) firewall - fixed "tls-host" firewall feature (introduced v6.41); *) firewall - limited maximum "address-list-timeout" value to 35w3d13h13m56s; *) ike1 - fixed "aes-ctr" and "aes-gcm" encryption algorithms (introduced v6.41); *) ike2 - delay rekeyed peer outbound SA installation; *) ike2 - improve half-open connection handling; *) ipsec - properly update IPsec secret for IPIP/EoIP/GRE dynamic peer; *) log - properly report bridge interface MAC address changes; *) netinstall - improved LTE package description; *) netinstall - properly generate skins folder when branding package is installed; *) ovpn - fixed resource leak on systems with high CPU usage; *) ppp - changed default value of "route-distance" to 1; *) ppp - fixed change-mss functionality in some specific traffic (introduced in v6.41); *) radius - added warning if PPP authentication over RADIUS is enabled; *) radius - increase allowed RADIUS server timeout to 60s; *) rb1100ahx4 - fixed reset button responsiveness when regular firmware is used; *) rb433/rb450 - fixed port flapping on bridged Ethernet interfaces if hw-offload is enabled (introduced in v6.41); *) routerboot - fixed missing upgrade firmware for "ar7240" devices; *) sfp - improved SFP module compatibility; *) snmp - allow also IPv6 on default public community; *) tile - fixed USB device speed detection after reboot; *) traffic-flow - do not count single extra packet per each flow; *) webfig - added support for proper default policies when adding script or scheduler job; *) webfig - fixed bridge port sorting order by name; *) webfig - fixed MAC address ordering; *) webfig - fixed wireless snooper address, SSID and other column ordering; *) winbox - added "dhcp-option-set" to DHCP server; *) winbox - allow to specify "to-ports" for "action=masquerade"; *) winbox - do not show "hw" option on non-Ethernet interfaces; *) winbox - do not show VLAN related settings in switch port menu on CRS3xx boards; *) wireless - updated "Czech Republic" country 5.8 GHz frequency range; What's new in 6.41 (2017-Dec-22 11:55): Important note!!! Backup before upgrade! RouterOS (v6.40rc36-rc40 and) v6.41rc1+ contains new bridge implementation that supports hardware offloading (hw-offload). This update will convert all interface "master-port" configuration into new bridge configuration, and eliminate "master-port" option as such. Bridge will handle all Layer2 forwarding and the use of switch-chip (hw-offload) will be automatically turned on based on appropriate conditions. The rest of RouterOS Switch specific configuration remains untouched in usual menus for now. Please, note that downgrading to previous RouterOS versions will not restore "master-port" configuration, so use backups to restore configuration on downgrade. !) bridge - implemented software based vlan-aware bridges; https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering !) switch - "master-port" conversion into a bridge with hardware offload "hw" option; https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Bridge_Hardware_Offloading !) detnet - implemented "/interface detect-internet" feature; https://wiki.mikrotik.com/wiki/Manual:Detect_internet !) bridge - general implementation of hw-offload bridge (introduced in v6.40rc36); !) routerboot - RouterBOOT version numbering system merged with RouterOS; !) w60g - added Point to Multipoint support; !) w60g - revised "master" and "slave" interface modes to more familiar "bridge", "ap-bridge", "station-bridge"; !) wireless - new driver with initial support for 160 and 80+80 MHz channel width; *) arm - minor improvements on CPU load distribution for RB1100 series devices; *) arp - fixed invalid static ARP entries after reboot on interfaces without IP address; *) bgp - added 32-bit private ASN support; *) bridge - added comment support for VLANs; *) bridge - added initial support for hardware "igmp-snooping" on CRS1xx/2xx; *) bridge - added support for "/interface list" as a bridge port; *) bridge - assume "point-to-point=yes" for all Full Duplex Ethernet interfaces when STP is used (as per standard); *) bridge - automatically turn off "fast-forward" feature if both bridge ports have "H" flag; *) bridge - changed "Host" and "MDB" table column order; *) bridge - disable "hw-offload" when "horizon" or "external-fdb" is set; *) bridge - fixed "fast-forward" counters; *) bridge - fixed ARP setting (introduced in v6.40rc36); *) bridge - fixed connectivity issues when there are multiple VLAN interfaces on bridge; *) bridge - fixed hw-offloaded IGMP Snooping service getting stopped; *) bridge - fixed multicast forwarding (introduced in v6.40rc36); *) bridge - implemented dynamic entries for active MST port overrides; *) bridge - implemented software based "igmp-snooping"; *) bridge - implemented software based MSTP; *) bridge - removed "frame-types" and "ingress-filtering" for bridge interfaces (introduced in v6.40rc36); *) bridge - set "igmp-snooping=no" by default on new bridges; *) bridge - show "admin-mac" only if "auto-mac=no"; *) bridge - show bridge interface local addresses in the host table; *) btest - improved reliability on Bandwidth Test when device`s RAM is almost full; *) capsman - added "vlan-mode=no-tag" option; *) capsman - added possibility to downgrade CAP with Upgrade command from CAPsMAN; *) capsman - return complete CA chain when issuing new certificate; *) capsman - use "adaptive-noise-immunity" value from CAP local configuration; *) certificate - added option to store CRL in RAM (CLI only); *) certificate - fixed SCEP "get" request URL encoding; *) certificate - improved CRL update after system startup; *) certificate - show "Expired" flag when initial CRL fetch fails; *) certificate - show invalid flag when local CRL file does not exist; *) chr - added KVM memory balloon support; *) chr - added suspend support; *) console - do not stop "/certificate sign" process if console times out in 1 minute; *) console - removed "/setup"; *) crs317 - added initial support for HW offloaded MPLS forwarding; *) crs317 - fixed reliability on FAN controller; *) crs326 - fixed packet processing speed on switch chip if individual port link speed differs; *) crs326 - improved transmit performance from SFP+ to Ethernet ports; *) crs3xx - added ingress/egress rate input limits; *) crs3xx - hide unused switch "vlan-mode", "vlan-header-mode" and "default-vlan-id" options; *) crs3xx - switch VLAN configuration integrated within bridge VLAN configuration with hw-offload; *) dhcp - fixed DHCP services failing after reboot when DHCP option was used; *) dhcp - fixed unresponsive DHCP service caused by inability to read not set RAW options; *) dhcp - require DHCP option name to be unique; *) dhcp-client - limit and enforce DHCP client "default-route-distance" minimal value to 1; *) dhcp-server - added "option-set" argument (CLI only); *) dhcp-server - added basic RADIUS accounting; *) dhcpv4-client - add dynamic DHCP client for mobile clients which require it; *) dhcpv4-client - allow to use DUID for client as identity string as the option 61; *) dhcpv4-server - added "NETWORK_GATEWAY" option variable; *) dhcpv4-server - strip trailing "\0" in "hostname" if present; *) discovery - use "/interface list" instead of interface name under neighbor discovery settings; *) e-mail - do not show errors when sending e-mail from script; *) eoip - made L2MTU parameter read-only; *) ethernet - removed "master-port" parameter; *) export - fixed interface list export; *) fetch - accept all HTTP 2xx status codes; *) filesystem - implemented additional system integrity checks on reboots; *) firewall - added "tls-host" firewall matcher; *) health - fixed bogus voltage readings on CCR1009; *) hotspot - fixed "dst-port" to require valid "protocol" in "walled-garden ip"; *) hotspot - fixed Walled Garden IP functionality when address-list is used; *) ike1 - DPD retry interval set to 5 seconds; *) ike1 - disallow peer creation using base mode; *) ike1 - fixed crash on xauth if user does not exist; *) ike1 - fixed memory corruption when IPv6 is used; *) ike1 - improved stability on phase1 rekeying; *) ike1 - release mismatched PH2 peer IDs; *) ike1 - use /32 netmask if none provided by mode config; *) ike2 - added support for multiple split networks; *) ike2 - check identities on "initial-contact"; *) ike2 - do not allow to configure nat-traversal; *) ike2 - fixed PH1 lifetime reset on boot; *) ike2 - fixed initiator DDoS cookie processing; *) ike2 - fixed responder DDoS cookie first notify type check; *) ike2 - kill connection when peer changes address; *) ike2 - use peer configuration address when available on empty TSi; *) interface - added "/interface reset-counters" command (CLI only); *) interface - added default "/interface list" "dynamic" which contains dynamic interfaces; *) interface - added option to join and exclude "/interface list" from one and another; *) interface - fixed corrupted "/interface list" configuration after upgrade; *) ippool6 - try to assign desired prefix for client if prefix is not being already used; *) ipsec - added DH groups 19, 20 and 21 support for phase1 and phase2; *) ipsec - allow to specify "remote-peer" address as DNS name; *) ipsec - fixed incorrect esp proposal key size usage; *) ipsec - fixed policy enable/disable; *) ipsec - improved hardware accelerated IPSec performance on 750Gr3; *) ipsec - improved reliability on certificate usage; *) ipsec - renamed "firewall" argument to "notrack-chain" in peer configuration; *) ipsec - skip invalid policies for phase2; *) ipv6 - add dynamic "/ip dns" server address from RA when RA is permitted by configuration; *) l2tp - improved reliability on packet processing in FastPath; *) l2tp-server - fixed PPP services becoming unresponsive after changes on L2TP server with IPSec configuration; *) lcd - fixed "flip-screen=yes" state after reboot; *) log - added "bridge" topic; *) log - fixed interface name in log messages; *) log - optimized "poe-out" logging topic logs; *) lte - added "/interface lte apn" menu (Passthrough requires reconfiguration); *) lte - added Passthrough support; *) lte - added Yota non-configurable modem support; *) lte - added support for ZTE ME3630 E1C with additional "/port" for GPS usage; *) lte - automatically add "/ip dhcp-client" configuration on interface; *) lte - changed default values to "add-default-route=yes", "use-peer-dns=yes" and "default-route-distance=2"; *) lte - fixed Passthrough support; *) lte - fixed authentication for non LTE modes; *) lte - fixed error when trying to add APN profile without name; *) lte - fixed rare crash when initializing LTE modem after reset; *) lte - fixed user authentication for R11e-LTE when new firmware is used; *) lte - integrated IP address acquisition without DHCP client for wAP LTE kit-US; *) lte - limited minimal default route distance to 1; *) lte - update info command with "location area code" and "physical cell id" values; *) m11g - improved ethernet performance on high load; *) mac-server - use "/interface list" instead of interface name under MAC server settings; *) modem - added initial support for Alcatel IK40 and Olicard 500; *) neighbor - show neighbors on actual bridge port instead of bridge itself *) netinstall - fixed missing "/flash/etc" on first bootup; *) netinstall - fixed missing default configuration prompt on first startup after reset/netinstall; *) ospf - fixed OSPF v2 and v3 neighbor election; *) ovpn-server - do not periodically change automatically generated server MAC address; *) poe - added new "poe-out" status "controller-error"; *) poe - fixed false positive excessive logs in auto-on mode when connected to 100 Mbps device powered from another power source; *) poe - log PoE status related messages under debug topic; *) ppp - added initial support for PLE902; *) ppp - added support for Sierra MC7750, Verizon USB730L; *) ppp - do not disconnect PPP connection after "idle-timeout" even if traffic is being processed; *) ppp - fixed "change-mss" functionality when MSS option is missing on forwrded packets; *) ppp - fixed L2TP and PPTP encryption negotiation process on configuration changes; *) ppp - fixed situation when part of PPP configuration was reset to default values after reboot; *) pppoe-client - properly re-establish MLPPP session when one of the lines stopped transmitting packets; *) pppoe-server - fixed situation when PPPoE servers become invalid on reboot; *) quickset - added support for "/interface list" in firewall, neighbor discovery, MAC-Telnet and MAC-Winbox; *) quickset - fixed LTE quickset mode APN field; *) quickset - fixed situation when Quickset automatically changes mode to CPE; *) quickset - renamed router IP static DNS name to "router.lan"; *) radius - limited RADIUS timeout maximum value to 3 seconds; *) route - fixed potential route crash on routing table update; *) scheduler - properly display long scheduler configuration; *) sfp - fixed SFP interface power monitor when bad SFP DDMI information is received; *) sftp - added functionality which imports ".auto.rsc" file or reboots router on ".auto.npk" upload; *) sms - fixed minor problem for SMS delivery; *) sms - log decoded USSD responses; *) snmp - fixed "ifHighSpeed" value of VLAN, VRRP and Bonding interfaces; *) snmp - fixed bridge host requests on devices with multiple bridge interfaces; *) snmp - fixed bulk requests when non-repeaters are used; *) snmp - fixed consecutive OID bulk get from the same table; *) snmp - show only available OIDs under "/system health print oid"; *) ssh - do not use DH group1 with strong-crypto enabled; *) ssh - enforced 2048bit DH group on tile and x86 architectures; *) system - show USB topology for the device info; *) tile - improved hardware encryption processes; *) tr069-client - fixed "/interface lte apn" configuration parameters; *) traceroute - improved "/tool traceroute" results processing; *) upnp - add "src-address" parameter on NAT rule if it is specified on UPnP request; *) upnp - deny UPnP request if port is already used by the router; *) ups - fixed duplicate "failed" UPS logs; *) userman - allow to generate more than 999 users; *) w60g - added "put-stations-in-bridge" and "isolate-stations" options to manage connected clients; *) w60g - connected stations are treated as separate interfaces; *) webfig - added favicon file; *) webfig - fixed router getting reset to default configuration; *) webfig - fixed terminal graphic user interface under Safari browser; *) winbox - added "W60G station" tab in Wireless menu; *) winbox - added "notrack-chain" setting to IPSec peers; *) winbox - added support for "_" symbol in terminal window; *) winbox - added switch menu on RB1100AHx4; *) winbox - do not show MetaROUTER stuff on RB1100AHx4; *) winbox - do not show duplicate "Switch" menus for CRS326; *) winbox - do not show duplicate "Template" parameters for filter in IPSec policy list; *) winbox - do not show duplicate filter parameters "Published" in ARP list; *) winbox - do not show unnecessary tabs from "Switch" menu; *) winbox - fixed "/certificate sign" process; *) winbox - fixed bridge port sorting order by interface name; *) winbox - show warnings under "/system routerboard settings" menu; *) wireless - added "allow-signal-out-off-range" option for Access List entries; *) wireless - added "indonesia3" regulatory domain information; *) wireless - added passive scan option for wireless scan mode; *) wireless - added support for CHARGEABLE_USER_ID in EAP Accounting; *) wireless - check APs against connect-list rules starting with strongest signal; *) wireless - do not show background scan frequencies in the monitor command channel field; *) wireless - improved reliability on "rx-rate" selection process; *) wireless - increased the EAP message retransmit count; *) wireless - log "signal-strength" when successfully connected to AP; *) wireless - pass interface MAC address in Sniffer TZSP frames; *) wireless - updated "UK 5.8 Fixed" and "Australia" country data; *) wireless - updated "united kingdom" regulatory domain information; What's new in 6.40.5 (2017-Oct-31 13:05): *) certificate - fixed import of certificates with empty SKID; *) crs3xx - fixed 100% CPU usage after interface related changes; *) firewall - do not NAT address to 0.0.0.0 after reboot if to-address is used but not specified; *) ike1 - fixed crash after downgrade if DH groups 19,20,21 were used for phase1; *) ike1 - fixed RSA authentication for Windows clients behind NAT; *) ipsec - fixed lost value for "remote-certificate" parameter after disable/enable; *) ipv6 - fixed IPv6 addresses constructed from prefix and static address entry; *) log - properly recognize MikroTik specific RADIUS attributes; *) lte - do not reset modem when it is not possible to access SMS storage; *) lte - fixed modem initialization after reboot; *) lte - fixed PIN option after setting up the band; *) sms - include time stamps in SMS delivery reports; *) sms - properly initialize SMS storage; *) snmp - fixed "/system license" parameters for CHR; *) winbox - allow shorten bytes to k,M,G in Hotspot user limits; *) wireless - fixed rate selection process when "rate-set=configured" and NV2 protocol is used; What's new in 6.40.4 (2017-Oct-02 08:38): *) address - show warning on IPv6 address when acquire from pool has failed; *) arp - properly update dynamic ARP entries after interface related changes; *) crs1xx/2xx - fixed 1 Gbps forced mode for several SFP modules; *) crs317 - added L2MTU support; *) crs3xx - improved packet processing in slowpath; *) defconf - fixed RouterOS default configuration (introduced in v6.40.3); *) dhcp - fixed downgrade from RouterOS v6.41 or higher; *) dhcpv6 client - added IAID check in reply; *) dhcpv6-client - fixed IA check on solicit when "rapid-commit" is enabled; *) dhcpv6-client - ignore unknown IA; *) dhcpv6-client - require pool name to be unique; *) e-mail - auto complete file name on "file" parameter (introduced in v6.40); *) export - fixed wireless "ssid" and "supplicant-identity" compact export; *) hotspot - fixed missing "/ip hotspot server profile" if invalid "dns-name" was specified; *) hotspot - improved user statistics collection process; *) ike1 - remove PH1 and PH2 when "mode-config" exchange fails; *) ipsec - kill PH1 on "mode-config" address failure; *) ipv6 - fixed IPv6 address request from pool; *) lte - fixed modem initialization after reboot; *) ntp-client - properly start NTP client after reboot if manual server IP is not configured; *) rb931-2nd - fixed startup problems (requires additional reboot after upgrade); *) routerboard - fixed "/system routerboard upgrade" for CRS212-8G-4S; *) sfp - fixed OPTON module DDM information readings; *) sfp - fixed temperature readings for various SFP modules; *) snmp - fixed "/caps-man registration-table" uptime values; *) snmp - fixed "/system license" parameters for CHR; *) tile - improved reliability on MPLS package processing; *) userman - fixed unresponsive RADIUS server (introduced in v6.40.3); *) vlan - do not allow VLAN MTU to be higher than L2MTU; *) webfig - improved reliability of login process; *) wireless - added "etsi1" regulatory domain information; *) wireless - improved WPA2 key exchange reliability; *) wireless - updated "norway" regulatory domain information; What's new in 6.40.3 (2017-Sep-01 07:40): *) dhcpv6-server - do not release address of static binding from pool after server removal; *) export - fixed "/system routerboard" export (introduced in 6.40.1); *) export - fixed export for PoE-OUT related settings; *) ike1 - fixed initiator ID comparison to NAT-OA; *) led - fixed "on" and "off" triggers when multiple LEDs are selected; *) led - fixed RB711UA ether1 LED (introduced in v6.38rc16); *) lte - do not show USB LTE modem under "/port" menu; *) lte - fixed ethernet flap when LTE establishes connection; *) lte - fixed SXT LTE graphs in QuickSet; *) lte - improved reliability of USB LTE modems; *) poe-out - fixed router reboot after "poe-out-status" changes; *) rb1100ahx4 - fixed HW acceleration fragmented packet decryption when fragment is smaller than 64 bytes; *) rb750gr3 - show warning and do not allow to use "protected-bootloader" feature if "factory-firmware" older than 3.34.4 version; *) routerboard - added "mode-button" support for RB750Gr3 (CLI only); *) ssh - do not execute command if it starts with "-" symbol; *) traffic-flow - fixed reboots when IPv6 address has been set as target address without active IPv6 package; *) userman - fixed "limitation" and "profile-limitation" update; *) userman - fixed CoA packet processing after changes in "/tool user-manager router" configuration; *) webfig - allow to open table entry even if table is not sorted by # (introduced in v6.40); *) webfig - allow to unset "rate-limit" for DHCP leases; *) winbox - added possibility to define "comment" for "/routing bgp network" entries; *) winbox - do not show FAN related information under "/system health" menu for devices which does not have it; *) winbox - do not show LCD menu for devices which does not have it; *) winbox - fixed ARP table update after entry changes state to incomplete; *) wireless - added "russia3" country settings; *) wireless - added New Zealand regulatory domain information for P2P links; *) wireless - updated China and New Zealand regulatory domain information; *) www - fixed unresponsive Web services (introduced in v6.40); What's new in 6.40.2 (2017-Aug-08 13:13): *) dhcpv6-client - fixed IA evaluation order; *) led - fixed "modem-signal" LEDs (introduced in 6.40); *) pppoe-client - fixed wrong MRU detection over VLAN interfaces; *) rb2011 - fixed possible LCD blinking along with ethernet LED (introduced in 6.40); *) sfp - fixed invalid temperature readings when ambient temperature is below 0C; *) winbox - added certificate settings; *) winbox - added support for certificate CRL list; *) winbox - do not show LCD menu for devices which does not have it; *) winbox - hide "level" and "tunnel" parameters for IPSec policy templates; *) winbox - hide FAN speed if it is 0RPM; What's new in 6.40.1 (2017-Aug-03 12:37): *) bonding - improved reliability on bonding interface removal; *) chr - fixed false warnings on upgrade reboots; *) dhcpv6-client - do not run DHCPv6 client when IPv6 package is disabled; *) export - fixed export for different parameters where numerical range or constant string is expected; *) firewall - properly remove "address-list" entry after timeout ends; *) interface - improved interface state change handling when multiple interfaces are affected at the same time; *) lte - fixed LTE not passing any traffic while in running state; *) ovpn-client - fixed incorrect netmask usage for pushed routes (introduced in 6.40); *) pppoe-client - fixed incorrectly formed PADT packet; *) rb2011 - fixed possible LCD blinking along with ethernet LED (introduced in 6.40); *) rb922 - restored missing wireless interface on some boards; *) torch - fixed Torch on PPP tunnels (introduced in 6.40); *) trafficgen - fixed "lost-ratio" showing incorrect statistics after multiple sequences; *) winbox - added "none-dynamic" and "none-static" options for "address-list-timeout" parameter under NAT, Mangle and RAW rules; What's new in v6.40 (2017-Jul-21 08:45): !) lte - added initial fastpath support (except SXT LTE and Sierra modems); !) lte - added initial support for passthrough mode for lte modems that supports fastpath; !) wireless - added Nv2 AP synchronization feature "nv2-modes" and "nv2-sync-secret" option; *) bonding - fixed 802.3ad mode on RB1100AHx4; *) btest - fixed crash when packet size has been changed during test; *) capsman - added "current-registered-clients" and "current-authorized-clients" count for CAP interfaces; *) capsman - fixed EAP identity reporting in "registration-table"; *) capsman - set minimal "caps-man-names" and "caps-man-certificate-common-names" length to 1 char; *) certificate - added "crl-use" setting to disable CRL use (CLI only); *) certificate - update and reload old certificate with new one if SKID matches; *) chr - fixed MAC address assignment when hot plugging NIC on XenServer; *) chr - maximal system disk size now limited to 16GB; *) conntrack - fixed IPv6 connection tracking enable/disable; *) console - fixed different command auto complete on ; *) crs212 - fixed Optech sfp-10G-tx module compatibility with SFP ports; *) defconf - added IPv6 default firewall configuration (IPv6 package must be enabled on reset); *) defconf - improved IPv4 default firewall configuration; *) defconf - renamed 192.168.88.1 address static DNS entry from "router" to "router.lan"; *) dhcp - added "debug" logs on MAC address change; *) dhcpv4-client - added "gateway-address" script parameter; *) dhcpv4-server - fixed lease renew for DHCP clients that sends renewal with "ciaddr = 0.0.0.0"; *) dhcpv4-server - fixed server state on interface change in Winbox and Webfig; *) discovery - fixed timeouts for LLDP neighbours; *) dns - remove all dynamic cache RRs of same type when adding static entry; *) dude - fixed server crash; *) email - added support for multiple attachments; *) ethernet - fixed occasional broken interface order after reset/first boot; *) ethernet - fixed rare linking problem with forced 10Mbps full-duplex mode; *) export - added "terse" option; *) export - added default "init-delay" setting for "/routerboard settings" menu; *) export - added router model and serial number to configuration export; *) export - fixed "/interface list" verbose export; *) export - fixed "/ipv6 route" compact export; *) export - fixed MPLS "dynamic-label-range" export; *) export - fixed SNMP "src-address" for compact export; *) fastpath - improved performance when packets for slowpath are received; *) fastpath - improved process of removing dynamic interfaces; *) fasttrack - fixed fasttrack over interfaces with dynamic MAC address; *) fetch - added "src-address" parameter for HTTP and HTTPS; *) filesystem - improved error correcting process on tilera and RB1100AHx4 storage; *) firewall - added "none-dynamic" and "none-static" options for "address-list-timeout" parameter; *) firewall - fixed bridge "action=log" rules; *) firewall - fixed cosmetic "inactive" flag when item was disabled; *) firewall - fixed crash on fasttrack dummy rule manual change attempt; *) firewall - removed unique address list name limit; *) hAP ac lite - removed nonexistent "wlan-led"; *) hotspot - added "address-list" support in "walled-garden" IP section; *) hotspot - require "dns-name" to contain "." symbol under Hotspot Server Profile configuration; *) ike1 - added log error message if netmask was not provided by "mode-config" server; *) ike1 - added support for "framed-pool" RADIUS attribute; *) ike1 - create tunnel policy when no split net provided; *) ike1 - fixed minor memory leak on peer configuration change; *) ike1 - kill phase1 instead of rekey if "mode-config" is used; *) ike1 - removed SAs on DPD; *) ike1 - send phase1 delete; *) ike1 - wait for cfg set reply before ph2 creation with xAuth; *) ike2 - added RADIUS attributes "Framed-Pool", "Framed-Ip-Address", "Framed-Ip-Netmask"; *) ike2 - added pfkey kernel return checks; *) ike2 - added support for "Mikrotik_Address_List" RADIUS attribute; *) ike2 - added support for "mode-config" static address; *) ike2 - by default use "/24" netmask for peer IP address in split net; *) ike2 - fixed duplicate policy checking with "0.0.0.0/0" policies; *) ike2 - prefer traffic selector with "mode-config" address; *) ipsec - added "firewall=add-notrack" peer option (CLI only); *) ipsec - added information in console XML for "mode-config" menu; *) ipsec - added support for "key-id" peer identification type; *) ipsec - allow to specify chain in "firewall" peer option; *) ipsec - do not deduct "dst-address" from "sa-dst-address" for "/0" policies; *) ipsec - enabled modp2048 DH group by default; *) ipsec - fixed connections cleanup on policy or proposal modification; *) ipsec - optimized logging under IPSec topic; *) ipsec - removed policy priority; *) l2tp - fixed handling of pre-authenticated L2TP sessions with CHAP authentication; *) l2tp-server - added "one-session-per-host" option; *) log - added "poe-out" topic; *) log - improved "l2tp" logs; *) log - optimized "wireless,info" topic logs; *) log - work on false CPU/RAM overclocked alarms; *) lte - added "accounting" logs for LTE connections; *) lte - added info command support for the Jaton LTE modem; *) lte - added initial support for "NTT DoCoMo" modem; *) lte - added support for Huawei E3531-6; *) lte - added support for ZTE TE W120; *) lte - fixed info command when it is executed at the same time as modem restarts/disconnects; *) lte - improved SMS delivery report; *) lte - improved reliability on SXT LTE; *) metarouter - fixed display of bogus error message on startup; *) mmips - added support for NVME disks; *) ovpn - added support for "push-continuation"; *) ovpn - added support for topology subnet for IP mode; *) ovpn - fixed duplicate default gateway presence when receiving extra routes; *) ovpn - improved performance when receiving too many options; *) packages - increased automatic download retry interval to 5 minutes if there is no free disk space; *) ping - fixed ping getting stuck (after several thousands of ping attempts); *) ppp - added initial support for ZTE K4203-Z and ME3630-E; *) ppp - added output values for "info" command for finding the GSM base station's location ("LAC" and "IMSI"); *) ppp - fixed "user-command" output; *) ppp - fixed non-standart PAP or CHAP packet handling; *) ppp - improved MLPPP packet forwarding performance; *) ppp - use interface name instead of IP as default route gateway; *) proxy - fixed potential crash; *) proxy - fixed rare program crash after closing client connection; *) quickset - added "Band" setting to "CPE" and "PTP CPE" modes; *) quickset - added special firewall exception rules for IPSec; *) quickset - fixed incorrect VPN address value on arm and tilera; *) quickset - simplified LTE status monitoring; *) quickset - use active user name and permissions when applying changes; *) rb1100ahx4 - fixed startup problems (requires additional reboot after upgrade); *) rb3011 - fixed packet passthrough on switch2 while booting; *) rb750gr3 - fixed USB power; *) routerboard - added "caps-mode" option for "reset-configuration"; *) routerboard - added "caps-mode-script" for default-configuration print; *) routing - allow to disable "all" interface entry in BFD; *) safe-mode - fixed session handling when Safe Mode is used on multiple sessions at the same time; *) sfp - fixed invalid temperature reporting when ambient temperature is less than 0; *) sms - decode reports in readable format; *) sniffer - do not skip L2 packets when "all" interface mode was used; *) snmp - added "ifindex" on interface traps; *) snmp - added CAPsMAN interface statistics; *) snmp - added ability to set "src-address"; *) snmp - fixed "/system resource cpu print oid" menu; *) snmp - fixed crash on interface table get; *) snmp - fixed wireless interface walk table id ordering; *) socks - fixed crash while processing many simultaneous sessions; *) ssl - added Wildcard support for "left-most" DNS label (will allow to use signed Wildcard certificate on VPN servers); *) supout - fixed IPv6 firewall section; *) switch - fixed "loop-protect" on CRS SFP/SFP+ ports; *) switch - fixed multicast forwarding on CRS326; *) tile - fixed copying large amount of text over serial console; *) tr069-client - fixed lost HTTP header on authorization; *) trafficgen - added "lost-ratio" to statistics; *) ups - show correct "line-voltage" value for usbhid UPS devices; *) userman - added "/tool user-manager user clear-profiles" command; *) userman - do not send disconnect request for user when "simultaneous session limit reached"; *) userman - lookup language files also in "/flash" directory; *) vlan - do not delete existing VLAN interface on "failure: already have such vlan"; *) webfig - fixed wireless "scan-list" parameter not being saved after applying changes; *) winbox - added "eap-identity" to CAPsMAN registration table; *) winbox - added "no-dad" setting to IPv6 addresses; *) winbox - added "reselect-channel" to CAPsMAN interfaces; *) winbox - added "session-uptime" to LTE interface; *) winbox - added TR069 support; *) winbox - do not autoscale graphs outside known maximums; *) winbox - fixed wireless interface "amsdu-threshold" max limit; *) winbox - hide LCD menu on CRS112-8G-4S; *) winbox - make IPSec policies table an order list; *) winbox - moved LTE info fields to status tab; *) winbox - show "/interface wireless cap print" warnings; *) winbox - show "/system health" only on boards that have health monitoring; *) winbox - show "D" flag under "/interface mesh port" menu; *) wireless - NAK any methods except MS-CHAPv2 as inner method in PEAP; *) wireless - added option to change "nv2-downlink-ratio" for nv2 protocol; *) wireless - added option to set "fixed-downlink" mode for nv2 protocol; *) wireless - allow VirutalAP on Level0 (24h demo) license; *) wireless - always use "multicast-helper" when DHCP is being used; *) wireless - do not skip >2462 channels if interface is WDS slave; *) wireless - fixed 802.11u wireless request processing; *) wireless - fixed EAP PEAP success processing; *) wireless - fixed compatibility with "AR5212" wireless chips; *) wireless - fixed rare crash on cap disable; *) wireless - fixed registration table "signal-strength" reporting for chains when using nv2; What's new in 6.39.2 (2017-Jun-6 08:01): *) 6to4 - fixed wrong IPv6 "link-local" address generation; *) arp - fixed "make-static"; *) bonding - do not add bonding interface if "could not set MTU" error is received; *) bridge - fixed connectivity between bridges when "fast-forward" feature is enabled; *) conntrack - load IPv6 connection tracking independently from IPv4; *) console - fixed "No such file or directory" warnings on upgrade reboots; *) export - removed spare "caller-id-type" value from compact export; *) fetch - fixed "user" and "password" argument parsing from URL for FTP; *) firewall - fixed "address-list" entry "creation-time" adjustment to timezone; *) firewall - do not allow to set "rate" value to 0 for "limit" parameter; *) firewall - fixed "address-list" entry changing from IP to DNS and vice versa; *) gps - removed duplicate logs; *) ike1 - fixed crash on xauth message; *) ike1 - removed xauth login length limitation; *) ike2 - fixed rare kernel failure on address acquire; *) ike2 - fixed situation when traffic selector prefix was parsed incorrectly; *) ipsec - fixed generated policy priority; *) ipsec - fixed peer "my-id" address reset; *) ipsec - renamed "remote-dynamic-address" to "dynamic-address"; *) ipv6 - fixed address becoming invalid when interface was removed from bridge/mesh; *) led - fixed turning off LED when interface is lost; *) lte - improved info channel background polling; *) lte - improved relialibility on SXT LTE; *) lte - replaced "user-command" with "at-chat" command; *) ppp - fixed "change-mss" functionality (introduced in 6.39); *) ppp - fixed MLPPP over multiple channels/interfaces (introduced in v6.39); *) ppp - send correct IP address in RADIUS "accounting-stop" messages (introduced in 6.39); *) pppoe - fixed warning on PPPoE server, when changing interface to non-slave interface; *) pppoe-client - removed false warning from client interface if it starts running on non-slave interface; *) pppoe-server - fixed "one-session-per-host" issue where 2 simultaneous sessions were possible from the same host; *) queue - fixed queuing when at least one child queue has "default-small" and other/s is/are different (introduced in 6.35); *) quickset - fixed LTE "signal-strength" graphs; *) sniffer - fixed VLAN tags when sniffing all interfaces; *) snmp - fixed limited walk; *) switch - fixed disabling of MAC learning on CRS1xx/CRS2xx; *) tile - fixed EoIP keepalive when tunnel is made over VLAN interface; *) tile - fixed rare encryption kernel failure when small packets are processed; *) traffic-flow - fixed IPFIX IPv6 data reporting; *) winbox - do not allow to open multiple same sub-menus at the same time; *) winbox - fixed firewall port selection with Winbox v2; *) winbox - fixed LTE info button; *) winbox - removed spare values from "loop-protect" setting for EoIPv6 tunnels; *) wireless - reduced load on CPU for high speed wireless links; What's new in 6.39.1 (2017-Apr-27 10:06): *) defconf - discard default configuration startup query with RouterOS upgrade; *) defconf - discard default configuration startup query with configuration change from Webfig; *) smb - fixed external drive folder sharing when "/flash" folder existed; *) smb - fixed invalid default share after reboot when "/flash" folder existed; *) upnp - fixed firewall nat rule update when external IP address changes; *) dns - made loading thousands of static entries faster; What's new in 6.39 (2017-Apr-27 10:06): !) bridge - added "fast-forward" setting and counters (enabled by default only for new bridges) (CLI only); !) bridge - added support for special and faster case of fastpath called "fast-forward" (available only on bridges with 2 interfaces); !) bridge - reverted bridge BPDU processing back to pre-v6.38 behaviour; (v6.40 will have another separate VLAN-aware bridge implementation); !) filesystem - fixed rare situation when filesystem failed to read all configuration on startup; !) filesystem - fixed rare situation when filesystem went into read-only mode (some configuration might have gotten lost on reboot); !) firewall - discontinued support for p2p matcher (old rules will become invalid); !) kernel - fixed UDP checksum handling in rare oveflow situations; !) l2tp - added fastpath support when MRRU is enabled; !) ppp - completely rewritten internal fragmentation algorithm (when MRRU is used), optimized for multicore; !) ppp - implemented internal algorithm for "change-mss", no mangle rules necessary; !) pppoe - added fastpath support when MRRU and MLPPP are enabled; !) quickset - configuration changes are now applied only on "OK" and "Apply" (not on mode change); !) tile - fixed IPSec hardware acceleration out-of-order packet problem, significantly improved performance; !) winbox - minimal required version is v3.11; *) address - fixed crash when address is assigned to another bridge port; *) api - fixed double dynamic flags for "/ip firewall address-list print"; *) capsman - added "extension-channel" XX and XXXX auto matching modes; *) capsman - added "keepalive-frames" setting; *) capsman - added "skip-dfs-channels" setting; *) capsman - added CAP discovery interface list support; *) capsman - added DFS support; *) capsman - added EAP identity to registration table; *) capsman - added ability to specify multiple channels in frequency field; *) capsman - added save-channel option to speed up frequency selection on CAPsMAN restart; *) capsman - added support for "background-scan" and channel "reselect-interval"; *) capsman - added support for static virtual interfaces on CAP; *) capsman - changed channel "width" name to "control-channel-width" and changed default values; *) capsman - improved CAP status querying; *) capsman - improved support for communicating frame priority between CAP and CAPsMAN; *) certificate - SCEP client now supports FQDN URL and port; *) certificate - allow CRL address to be specified as DNS name; *) console - fixed "/ip neighbor discovery" export; *) console - fixed DHCP/PPP add-default-route distance minimal value to 1; *) console - fixed crash; *) console - fixed incorrect ":put [/lcd get enabled]" value; *) ddns - improved "dns-update" authentication validation; *) defconf - fixed Groove 52 ac band settings; *) defconf - fixed default configuration generation when wireless package is disabled; *) dhcp-client - added "script" option which executes script on state changes; *) dhcpv4 - fixed string option parser; *) dhcpv4-server - added "lease-hostname" script parameter; *) dhcpv4-server - by default make server “authoritative”; *) dhcpv4-server - do some lease checks only on enabled object; *) discovery - fixed LLDP discovery, IPv6 address was not parsed correctly; *) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=21&t=116471); *) email - check for errors during SMTP exchange process; *) ethernet - added "voltage-too-low" status for single port power injector devices; *) ethernet - fixed "loop-protect" on "master-port"; *) ethernet - fixed rare switch chip hang (could cause port flapping); *) ethernet - fixed unnecessary power cycle of powered device when changing any poe-out related setting on single port power injector devices; *) ethernet - renamed "rx-lose" to "rx-loss" in ethernet statistics; *) ethernet - reversed poe-priority on hEX PoE and OmniTIK 5 PoE to make "poe-priority" consistent to all other RouterOS priorities; *) fastpath - fixed rare crash on devices with dynamic interfaces; *) fetch - added "http-data" and "http-method" parameters to allow delete, get, post, put methods (content-type=application/x-www-form-urlencoded by default); *) fetch - fixed authentication failure; *) fetch - fixed download issue over HTTPS; *) gps - added "fix-quality" and "horizontal-dilution" parameters; *) graphing - fixed graph disappearance after power outage; *) hotspot - added access to HTTP headers using $(http-header-name); *) ike1 - fixed ph2 ID logging; *) ike2 - allow multiple child SA traffic selectors on re-key; *) ike2 - always replace empty TSi with configured address if it is available; *) ike2 - check child state before allowing rekey; *) ike2 - default to /32 peer address mask; *) ike2 - fixed CTR mode; *) ike2 - fixed EAP message length; *) ike2 - fixed ISA handler object removal on SA delete; *) ike2 - fixed RSA authentication without EAP; *) ike2 - fixed ctr mode; *) ike2 - fixed disabled DPD; *) ike2 - fixed last EAP auth payload type; *) ike2 - fixed ph2 state when sending notify; *) ike2 - fixed policy release during SA negotion; *) ike2 - fixed state when sending delete packet; *) ike2 - improved logging; *) ike2 - kill only child SAs which are not re-keyed by remote peer; *) ike2 - log RADIUS timeout message under error topic; *) ike2 - remove old SA after rekey; *) ike2 - send EAP identity as user-name RADIUS attribute; *) ike2 - update "calling_station_id" RADIUS attribute; *) ike2 - update peer identity after successful EAP authentication; *) ippool - return proper error message when trying to create duplicate name; *) ipsec - added "last-seen" parameter to active connection list; *) ipsec - allow mixing aead algorithms in proposal; *) ipsec - better responder flag calculator for console; *) ipsec - disallow AH+ESP combined policies ; *) ipsec - do not loose "use-ipsec=yes" parameter after downgrade; *) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes; *) ipsec - fixed "/ip ipsec policy group export verbose"; *) ipsec - fixed "mode-cfg" verbose export; *) ipsec - fixed SA authentication flag; *) ipsec - renamed "hw-authenc" flag to "hw-aead"; *) ipsec - show hardware accelerated authenticated SAs; *) ipsec - updated tilera classifier for UDP encapsulated ESP; *) l2tp - added support for multiple L2TP tunnels (not to be confused with sessions) between same endpoints (required in some LNS configurations); *) l2tp - fixed hidden attribute decryption in forwarded CHAP responses for LNS; *) l2tp-server - added "caller-id-type" to forward calling station number to RADIUS on authentication; *) l2tp-server - added "use-ipsec=required" option; *) l2tp-server - fixed upgrade to keep "use-ipsec=yes" in L2TP server; *) leds - added LTE modem access technology trigger; *) leds - changed error message on unsupported board; *) leds - do not update single LED state when it is not changed; *) leds - show warning on print when "modem-signal-threshold" is not available; *) log - added "gps" topic; *) log - added "tr069" topic; *) log - added missing "license limit exceeded" log entry; *) log - added warning when Winbox/Dude sessions were denied; *) log - do not show changes in packet if NAT has not been used; *) log - make SNMP logs more compact; *) lte - added "session-uptime" in info command; *) lte - added LTE signal level reading for Cinterion modems; *) lte - added error handling for remote AT execute; *) lte - added initial support for DWR-910 modem; *) lte - added initial support for Quectel ec25; *) lte - added initialization for Cinterion; *) lte - added log entry for SMS delivery report; *) lte - added support for Vodafone R216 (Huawei); *) lte - buffer AT events while info command is active; *) lte - fixed "/interface lte info X once"; *) lte - fixed IPv6 address prefix on interface *) lte - fixed network mode selection for me909u, mu609; *) lte - fixed older standard CEREG parsing; *) lte - fixed support for Huawai R216; *) lte - fixed user-command; *) lte - reset interface stats on "link-down"; *) netinstall - fixed typos; *) ntp - restart NTP client when it is stuck in error state; *) ppp - added "bridge-horizon" option under PPP/Profile; *) ppp - added option to specify "interface-list" in PPP/Profile; *) ppp - fixed rare kernel failure on PPP client connection; *) ppp - fixed rare kernel failure when receiving IPv6 address on PPP interface; *) ppp - include rates, limits and address-lists parameters in RADIUS accounting requests; *) ppp-client - added support for Datacard 750UL, DWR-730 and K4607-Zr; *) pppoe - added warning on PPPoE client/server, if it is configured on slave interface; *) pppoe - set default keepalive 10s for newly created PPPoE clients; *) quickset - added initial LTE AP mode support; *) rb1100ahx2 - fixed random counter resets for ether12,13; *) rb3011 - added partitioning support; *) smb - fixed different memory leaks and crashes; *) smb - fixed share path on devices with "/flash" directory; *) smips - reduced RouterOS main package size; *) snmp - "No Such Instance" error message is replaced with "No Such Object"; *) snmp - added fan-speed OIDs in "/system health print oid"; *) snmp - added optical table; *) snmp - fixed rare crash; *) snmp - improved getall filter; *) snmp - improved response speed when multiple requests are received within short period of time; *) snmp - increase "engineBoots" value on reboot; *) snmp - optimized bridge table processing; *) tile - added initial support for NVMe SSD disk drives; *) tile - fixed IPSec crash (introduced in 6.39rc64); *) tile - optimized hardware encryption; *) tr069-client - added "Device.Hosts.Host.{i}." support; *) tr069-client - added "Device.WiFi.NeighboringWiFiDiagnostic." support; *) tr069-client - added "Ethernet.Interface.{i}.MACAddress" parameter; *) tr069-client - added DHCP server support; *) tr069-client - added Upload RPC "2 Vendor Log File" support; *) tr069-client - added architecture name parameter (X_MIKROTIK_ArchName - vendor specific); *) tr069-client - added basic stats parameters for some interface types; *) tr069-client - added basic support for "/ip firewall filters"; *) tr069-client - added connection request authentication; *) tr069-client - added firewall NAT support using vendor Parameters; *) tr069-client - added parameters for DNS client management support; *) tr069-client - added ping diagnostics support; *) tr069-client - added support for escaped entity references (& < > ' "); *) tr069-client - added support for managing "/system/identity/" value; *) tr069-client - added support for memory and CPU load parameters; *) tr069-client - added support for uploading/downloading factory script; *) tr069-client - added traceroute diagnostics support; *) tr069-client - close connection if CPE considers XML as invalid; *) tr069-client - fixed "AddObjectResponse" "InstanceNumber" value; *) tr069-client - fixed "Device.ManagementServer." value update; *) tr069-client - fixed XML special character parsing; *) tr069-client - fixed crash on =acs-url change special case; *) tr069-client - fixed special escape characters on XML data send; *) tr069-client - fixed write for "Device.ManagementServer.URL"; *) tr069-client - general improvements on reducing storage space; *) tr069-client - generate random connection request target path; *) tr069-client - hide "Device.PPP.Interface.{i}.Password" value; *) tr069-client - improved LTE monitoring process; *) tr069-client - increased performance on GetParameterValues; *) tr069-client - made any Download RPC overwrite configuration except ".alter"; *) tr069-client - make more Parameters deny active notifications; *) tr069-client - set CHR license ID as ".SerialNumber" value to avoid "no serial number" error in ACS; *) traceroute - small fix; *) tunnels - fixed reboot loop on configurations with IPIP and EoIP tunnels (introduced in 6.39rc68); *) usb - added support for more CP210X devices; *) userman - allow "name-for-user" to be empty and not unique; *) userman - automatically select all newly created users to generate vouchers; *) userman - fixed rare crash when User Manager requested file does not exist on router; *) userman - fixed rare web interface crash while using Users section; *) wAP ac - improved 2.4GHz wireless performance; *) webfig - added menu bar to quickly select between Webfig, Quickset and Terminal; *) webfig - allow shorten bytes to k,M,G in firewall "connection-bytes" and "connection-rates"; *) webfig - allow to change global variable contents; *) webfig - allow to enter frequency ranges in wireless scan list; *) webfig - allow to select "default-encryption" profile on PPP tunnels; *) webfig - correctly specify routing filter prefix; *) webfig - do not allow to reorder items if table is sorted by some column; *) webfig - fixed bridge property display; *) webfig - fixed delays on key press in terminal; *) webfig - fixed tab ordering on Google Chrome; *) webfig - fixed “last-link-up” & “last-link-down” time information; *) webfig - improved field layout; *) webfig - make Terminal window work within Webfig window; *) webfig - show all available options under “Advanced Mode” for wireless interfaces; *) webfig - show proper error messages for optional erroneous text fields; *) winbox - added "Flush" button under unicast-fdb menu; *) winbox - added "group-key-update" to CAPsMAN security settings; *) winbox - added "k" and "M" unit support to PPP secret limit-bytes parameters; *) winbox - added "memory-scroll", "filter-cpu", "filter-ipv6-address", "filter-operation-between-entries" parameters; *) winbox - added "save-selected" setting under CAPsMAN channels; *) winbox - added "static-virtual" to wireless CAP; *) winbox - added GPS menu; *) winbox - added protected routerboard parameters under routerboard settings menu; *) winbox - allow shorten bytes to k,M,G in firewall "connection-bytes" and "connection-rates"; *) winbox - allow to change user password to empty one; *) winbox - allow to not specify certificate in IPSec peer settings; *) winbox - allow to specify "route-distance" in "dhcp-client" if "special-classless" mode is selected; *) winbox - allow to specify certificate type when exporting it; *) winbox - allow to specify interfaces that CAPsMAN can use for management; *) winbox - allow unhide SNMP passwords; *) winbox - allowed to specify static-dns as list; *) winbox - do not allow Packet Sniffer "memory-limit" and "file-limit" lower than 10KiB; *) winbox - do not create time field when copying CAPsMAN access list entry; *) winbox - do not show "dpd-max-failures" on IKEv2; *) winbox - do not show empty LTE fields in Info menu; *) winbox - do not start Traffic Generator automatically when opening "Quick Start"; *) winbox - do not try to disable dynamic items from firewall tables; *) winbox - fixed "Montly" typo to "Monthly" in Graphing menu; *) winbox - fixed CAPsMAN channels frequency (allow to specify a list of them); *) winbox - fixed IPSec "mode-config" DNS settings; *) winbox - fixed issue when working IPSec policies were shown as invalid; *) winbox - fixed misleading error when trying to export certificate; *) winbox - fixed typo in BGP advertisements menu Aggragator->Aggregator; *) winbox - hide "wps-mode" & "security-profile" in wireless nv2 mode; *) winbox - hide health menu on RB450; *) winbox - improved "/tool torch"; *) winbox - increased maximal number of Winbox sessions 20->100; *) winbox - properly name CAP Interface on new interface creation; *) winbox - properly show "dhcp-server" warnings; *) winbox - properly show IPSec "installed-sa" "enc-algorithm" when it is aes-gcm; *) winbox - properly show wireless registration table stat counters; *) winbox - removed "sfp-rate-select" setting from ethernet interface; *) winbox - removed unnecessary "/system health" menu on "hAP ac lite"; *) winbox - set default "dhcp-client" "default-route-distance" value to 1; *) winbox - show "A" flag for IPSec policies; *) winbox - show "H" flag for IPSec installed SAs; *) winbox - show PoE-OUT current, voltage and power only on devices which can report these values; *) wireless - added Egypt 5.8 country settings; *) wireless - added PEAP authentication support for wireless station mode; *) wireless - apply broadcast bit to DHCP requests when using "station-pseudobridge" mode; *) wireless - do not allow equal MAC addresses between multiple Virtual APs when same "master-interface" is used; *) wireless - fixed RBSXT5HacD2nr2 small channel support; *) wireless - fixed crash while running "spectral-scan"; *) wireless - fixed dynamic wireless interface removal from bridge ports when changing wireless mode; *) wireless - fixed false positive DFS radar detection caused by iPhone 6s devices; *) wireless - fixed issue when wireless interfaces might not show up in CAP mode; *) wireless - fixed occasional crash on interface disabling; *) wireless - fixed rare crash on nv2 configurations; *) wireless - fixed rare wireless ac interface lockup; *) x86 - added support for NVMe SSD disk drives; What's new in 6.38.5 (2017-Mar-09 11:32): !) www - fixed http server vulnerability; What's new in 6.38.4 (2017-Mar-08 09:26): *) chr - fixed problem when transmit speed was reduced by interface queues; *) dhcpv6-server - require "address-pool" to be specified; *) export - do not show "read-only" IRQ entries; *) filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading; *) firewall - do not allow to set "time" parameter to 0s for "limit" option; *) hotspot - fixed redirect to URL where escape characters are used (requires newly generated HTML files); *) hotspot - show Host table commentaries also in Active tab and vice versa; *) ike1 - fixed “xauth” Radius login; *) ike2 - also kill IKEv2 connections on proposal change; *) ike2 - always limit empty remote selector; *) ike2 - fixed proposal change crash; *) ike2 - fixed responder subsequent new child creation when PFS is used; *) ike2 - fixed responder TS updating on wild match; *) ipsec - deducted policy SA src/dst address from src/dst address; *) ipsec - do not require "sa-dst-address" if "action=none" or "action=discard"; *) ipsec - fixed SA address check in policy lookup; *) ipsec - hide SA address for transport policies; *) ipsec - keep policy in kernel even with bad proposal; *) ipsec - kill ph2 on policy removal; *) ipsec - updated/fixed Radius attributes; *) irq - properly detect all IRQ entries; *) l2tp-client - fixed IPSec policy generation after reboot; *) l2tp-client - require working IPSec encryption if "use-ipsec=yes"; *) lcd - show fan2 speed only if it is available; *) profile - classify ethernet driver activity properly in ARM architecture; *) snmp - added SSID to CAPsMAN registration table; *) snmp - fixed "/tool snmp-get" crash on session timeout; *) snmp - fixed CAPsMAN registration table OID print; *) snmp - fixed situation when SNMP could not read "/system health" values after reboot; *) userman - allow access to User Manager users page only through "/user" URL; *) userman - show warning when no users are selected for CSV file generation; *) winbox - do not hide "power-cycle-after" option; *) winbox - hide advertise tab in Hotspot user profile configuration if "transparent-proxy" is not enabled; *) winbox - make "power-cycle-interval" not to depend on "power-cycle-ping-enabled" in PoE settings; *) winbox - properly show BGP communities in routing filters table filter; *) wireless - fixed scan tool stuck in background; *) wireless - improved compatibility with Intel 2200BG wireless card; What's new in 6.38.3 (2017-Feb-07 09:52): *) bridge - do not add dynamic hardware STP ports if “master-port” is not capable of hardware STP; *) bridge - fixed rare crash when hardware STP capable interface gets new “master-port” which already is in bridge; *) bridge - fixed rare situation when port flapping occurs on bridge ports; *) bridge - fixed STP/RSTP packet receive on all types of bridge ports; *) bridge - minor improvements in performance when "master-port" is bridge port; *) capsman - fixed SGI (Short Guard Interval) support; *) dhcp - do not listen on IPv4/IPv6 client to IPv6 MLD packets; *) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=21&t=116356); *) firewall - added "fasttrack" dummy rule to "/ip firewall raw" table; *) firewall - do not show IPv4 “fastpath” as active if “route-cache” is disabled; *) firewall - fixed import of exported configuration that had updated "limit" setting; *) graphing - fixed graphing crash when high amount of traffic is processed; *) hotspot - fixed rare kernel crash on multicore systems; *) ike1 - fixed responder xauth trailing null; *) leds - fixed defaults for RBSXT5HacD2nr2; *) mmips - improved general stability; *) rb3011 - fixed noise from buzzer after silent boot; *) switch - fixed crash when trying to configure second master port on the same chipset (RB3011, RB2011, CCR1009-8G-1S+); *) usb - added missing USB ethernet drivers to arm & tile architecture; *) winbox - added "add-relay-info" and "relay-info-remote-id" to DHCP relay; *) winbox - added H flag to "/ip arp" ; *) winbox - added missing "use-fan2" and "active-fan2" to "/system health"; *) winbox - allow shorten bytes to k,M,G in bridge firewall just like in “/ip firewall”; *) winbox - do not hide 00:00:00:00:00:00 MAC address in unpublished ARPs; *) winbox - fixed matching "connection-state=untracked" connections; *) winbox - fixed typo in “/system resources pci” list; *) winbox - make "power-cycle-after" show correct value; *) winbox - updated fan management menu; *) wireless - added "station-roaming" setting; *) wireless - update Thailand country frequency settings; What's new in 6.38.2 (2017-Jan-17 08:45): *) factory only release; What's new in 6.38.1 (2017-Jan-13 05:51): *) bridge - disallow manual removal of dynamic bridge ports; *) bridge - fixed MAC address learning from switch master-port; *) bridge - fixed access loss to device through bridge if master port had a loop (introduced in v6.38); *) certificate - added year cap (invalid-after date will not exceed year 2039); *) certificate - fixed fail on import from CAPs when both key and name already exist; *) dhcpv6-client - fixed DHCPv6 rebind on startup; *) dhcpv6-server - fixed server removal crash if static binding was present; *) dns - fixed typo in regexp error message; *) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=21&t=116356); *) fan - improved RPM monitor on CCR1009; *) firewall - nat action "netmap" now requires to-addresses to be specified; *) health - report fan speed for RB800 and RB1100 when 3-pin fan is being used; *) ike1 - fixed ph1 rekey in setups with mode-cfg; *) ike2 - allow empty selectors to reach policy handler; *) ike2 - auto-negotiate split nets; *) ike2 - default to tunnel mode in setups without policy; *) ike2 - fixed error packet from initiator on responder reply; *) ike2 - fixed initiator TS updating; *) ike2 - fixed ph1 initial-contact rare desync; *) ike2 - fixed policy setting for /0 selector with different address families; *) ike2 - fixed split policy active flag; *) ike2 - fixed traffic selector prefix calculation; *) ike2 - fixed xauth add check; *) ike2 - include identity in peer address info; *) ike2 - log empty TS payload; *) ike2 - minor logging update; *) ike2 - show peer identity of connected peers; *) ike2 - traffic selector improvements; *) ike2 - update also local port when peer changes port; *) ike2 - use first split net for empty TS; *) ike2 - use standard retransmission timers for DPD; *) ike2 - xauth like auth method with user support; *) ipsec - added ability to kill particular remote-peer; *) ipsec - fixed flush speed and SAs on startup; *) ipsec - fixed peer port export; *) ipsec - port is used only for initiators; *) ipv6 - added warning about having interface MTU less than minimal IPv6 packet fragment (1280); *) license - fixed demo license expiration after installation on x86; *) log - improved firewall log messages when NAT has changed only connection ports; *) logs - work on false CPU/RAM overclocked alarms; *) mpls - fixed crash on active tunnel loss in MPLS TE setups; *) ovpn - fixed address acquisition when ovpn-in interface becomes slave; *) proxy - fixed "max-cache-object-size" export; *) proxy - speed-up almost empty disk cache clean-up; *) quickset - various small changes; *) rb751u - fixed ethernet LEDs (broken since 6.38rc16); *) ssh - fixed high memory consumption when transferring file over ssh tunnel; *) webfig - show properly large BGP AS numbers; *) winbox - added "make-static" to IPv6 DHCP server bindings; *) winbox - added "prefix-pool" to DHCPv6 server binding; *) winbox - added IPsec to radius services; *) winbox - added upstream flag to IGMP proxy interfaces; *) winbox - allow to specify "connection-bytes" & "connection-rate" for any protocol in “/ip firewall” rules; *) winbox - allow to specify "sip-timeout" under ip firewall service-ports; *) winbox - do not create empty rates.vht-basic/supported-mcs if not specified in CAPsMAN; *) winbox - hide "nat-traversal" setting in IPsec peer if IKEv2 is selected; *) winbox - show dynamic IPv6 pools properly; *) winbox - show errors on IPv6 addresses; *) winbox - specify metric for “/ip dns cache-used” setting; *) wireless - show comment on "security-profile" if it is set; What's new in 6.38 (2016-Dec-30 11:33): Important note!!! RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE 802.1Q-2014 by sending and processing BPDU packets without VLAN tag. To avoid STP/RSTP compatibility issues with older RouterOS versions, upgrade RouterOS to v6.38 on all routers in Layer2 networks with VLAN and STP/RSTP configurations. The recommended procedure is to start by upgrading the remotest routers and gradually do it to the Root Bridge device. If after upgrade you experience loss of connectivity, then disabling STP/RSTP on RouterOS bridge interface will restore connectivity so you can complete upgrade process on your network. !) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set xauth-use-radius=yes"; !) ipsec - added IKEv2 support; !) ipsec - added IKEv2 EAP RADIUS passthrough authentication for responder; !) ipsec - added support for unique policy generation; !) ipsec - removed IKEv1 ah+esp support; !) snmp - added basic get and walk functionality "/tool snmp-[get|walk]"; !) switch - added hardware STP functionality for CRS devices and small Atheros switch chips (http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Spanning_Tree_Protocol); !) tr069-client - initial implementation (as separate package) (cli only); !) winbox - Winbox 3.7 is the minimum version that can connect to RouterOS; *) arp - added "local-proxy-arp" feature; *) bonding - added "forced-mac-address" option; *) bonding - fixed "tx-drop" on VLAN over bonding on x86; *) bridge - fixed rare crash on bridge port removal; *) bridge - fixed VLAN BPDU rx and tx when connected to non-RouterOS device with STP functionality; *) bridge - require admin-mac to be specified if auto-mac is disabled; *) bridge - show bridge port name in port monitor; *) capsman - added "group-key-update" parameter; *) capsman - added possibility to change arp, mtu, l2mtu values in datapath configuration; *) capsman - fixed CAP upgrade when separate wireless package is used (introduced in 6.37); *) capsman - use correct source address in reply to unicast discovery requests; *) ccr - added AHCI driver for Samsung XP941 128GB AHCI M.2; *) certificates - added support for PKCS#12 export; *) certificates - allow import multiple certs with the same key; *) certificates - fixed crash when crl is removed while it is being fetched; *) certificates - fixed trust chain update on local certificate revocation in programs using ssl; *) certificates - if no name provided create certificate name automatically from certificate fields; *) console - fixed multi argument value unset; *) crs - added comment ability in more switch menus; *) crs - fixed rare kernel failure on switch reset (for example, reboot); *) dhcp - fixed DNS server assignment to client if dynamic server exists and is from another IP family; *) dhcp - fixed issue when dhcp-client was still possible on interfaces with "slave" flag and using slave interface MAC address; *) dhcp - show dhcp server as invalid and log an error when interface becomes a slave; *) dhcp-server - fixed when wizard was unable to create pool >dhcp_pool99; *) discovery - added LLDP support; *) discovery - removed 6to4 tunnels from "/ip neighbor discovery menu"; *) dns - added "max-concurrent-queries" and "max-concurrent-tcp-sessions" settings; *) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599); *) ethernet - added "k" and "M" unit support to Ethernet Bandwidth setting; *) ethernet - fixed "tx-fcs-error" on SFP+ interfaces when loop-protect is enabled; *) export - do not show interface comment in "/ip neighbor discovery" menu; *) export - updated default values to clean up export compact; *) fastpath - fixed rare crash; *) fastpath - fixed x86 bridge fast-path status shown as active even if it is manually disabled; *) file - fixed file manager crash when file transfer gets cancelled; *) firewall - added "creation-time" to address list entries; *) firewall - added sctp/dccp/udp-lite support for "src-port", "dst-port", "port" and "to-ports" firewall options; *) firewall - do not defragment packets which are marked with "notrack" in raw firewall; *) firewall - fixed "time" option by recognizing weekday properly (introduced in v6.37.2); *) firewall - fixed dynamic raw rule behaviour; *) firewall - fixed rule activation if "time" option is used and no other active rules are present; *) firewall - increased max size of connection tracking table to 1048576; *) firewall - new faster "connection-limit" option implementation; *) firewall - significantly improved large firewall rule set import performance; *) graphing - fixed queue graphs showing up in web interface if aggregate name size >57840 symbols; *) health - show power consumption on devices which has voltage and current monitor; *) hotspot - fixed nat rule port setting in "hs-unauth-to" chain by changing it from "dst-port" to "src-port" on Walled Garden ip "return" rules; *) interface - changed loopback interface mtu to 1500; *) interface - do not treat multiple zeros as single zero on name comparison; *) interface - show link stats in "/interface print stats-detail" output; *) ipsec - added ability to specify static IP address at "send-dns" option; *) ipsec - added ph2 accounting for each policy "/ip ipsec policy ph2-count"; *) ipsec - allow to specify explicit split dns address; *) ipsec - changed logging topic from error to debug when empty pfkey messages are received; *) ipsec - do not auto-negotiate more SAs than needed; *) ipsec - ensure generated policy refers to valid proposal; *) ipsec - fixed camellia crypto algorithm module loading; *) ipsec - fixed IPv6 remote prefix; *) ipsec - fixed kernel failure on tile with sha256 when hardware encryption is not being used; *) ipsec - fixed peer configuration my-id IPv4 address endianness; *) ipsec - fixed ph2 auto-negotiation by checking policies in correct order; *) ipsec - load ipv6 related modules only when ipv6 package is enabled; *) ipsec - make generated policies always as unique; *) ipsec - non passive peers will also establish SAs from policy without waiting for the first packet; *) ipsec - optimized logging under ipsec topic; *) ipsec - show active flag when policy has active SA; *) ipsec - show SA "enc-key-size"; *) ipsec - split "mode-config" and "send-dns" arguments; *) ipv6 - added "no-dad" setting to ipv6 addresses; *) ipv6 - fixed "accept-router-advertisements" behaviour; *) ipv6 - moved empty IPv6 pool error message to error topic; *) lcd - improved performance, causes less cpu load; *) led - fixed dark mode for cAP 2nD (http://wiki.mikrotik.com/wiki/Manual:System/LEDS#Leds_Setting); *) log - fixed "System rebooted because of kernel failure" message to show after 1st crash reboot; *) lte - added support for more Vodafone K4201-Z, Novatel USB620L, PANTECH UML295 and ZTE MF90 modems; *) lte - allow to execute concurrent info commands; *) lte - fixed dwm-222, Pantech UML296 support; *) lte - fixed init delay after power reset; *) lte - increased delay when setting sms send mode; *) lte - return info data when all the fields are populated; *) metarouter - fixed startup process (introduced in 6.37.2); *) mmips - fixed traffic accounting in "/interface" menu; *) ospf - fixed route crash caused by memory corruption when there are multiple active interfaces; *) ppp - fixed packet size calculation when MRRU is set (was 2 bytes bigger than MTU allows); *) ppp - significantly improved shutdown speed on servers with many active tunnels; *) ppp - significantly improved tunnel termination process on servers with many active tunnels; *) profile - added "bfd" and "remote-access" processes; *) profile - added ability to monitor cpu usage per core; *) profile - make profile work on mmips devices; *) profile - properly classify "wireless" processes; *) queue - fixed "time" option by recognizing weekday properly (introduced in v6.37.2); *) radius - added IPSec service (cli only); *) rb750Gr3 - fixed ipsec with 3des+md5 to work on this board; *) rb850Gx2 - fixed pcb temperature monitor if temperature was above 60C; *) resolver - ignore cache entries if specific server is used; *) routerboot - show log message if router CPU/RAM is overclocked; *) script - increment run count value when script is executed from snmp; *) snmp - always report bonding speed as speed from first bonding slave; *) snmp - fixed rare crash when incorrectly formatted packet was received; *) snmp - provide sinr in lte table; *) ssh - added routing-table setting (cli only); *) ssh - fixed lost "/ip ssh" settings on upgrade from version older than 5.15; *) system - reboot device on critical program crash; *) tile - fixed kernel failure when when IPv6 ICMP packet is sent through PPP interface; *) time - updated time zones; *) traceroute - fixed memory leak; *) traffic-flow - fixed flow sequence counter and length; *) trafficgen - fixed compact export when "header-stack" includes tcp; *) trafficgen - fixed crash when IPv6 traffic is processed; *) trafficgen - fixed potential crash when very big frame is generated; *) trafficgen - improved fastpath support; *) tunnel - fixed transmit packets occasionally not going through fastpath; *) tunnel - properly export keepalive value; *) usb - fixed kernel failure when Nexus 6P device is removed; *) users - added minimal required permission set for full user group; *) users - added TikApp policy; *) vlan - allow to add multiple VLANs which name starts with same number and has same length; *) vrrp - do not show unrelated log warning messages about version mismatch; *) watchdog - do not send supout file if "auto-send-supout" is disabled; *) webfig - added extra protection against XSS exploits; *) webfig - show ipv6 addresses correctly; *) webfig - show properly interface last-link-up/down times; *) winbox - added "Complete" flag to arp table; *) winbox - added "untracked" option to firewall "connection-state" setting; *) winbox - added Dude icon to Dude menu; *) winbox - allow to enable/disable traffic flow targets; *) winbox - allow to run profile from "/system resources" menu; *) winbox - allow to specify interface for leds with "interface-speed" trigger; *) winbox - do not allow to set "loop-protect-send-interval" to 0s; *) winbox - do not show hotspot user profile incoming and outgoing filters and marks as set if there is no value specified; *) winbox - fixed crash when legacy Winbox version was used; *) winbox - fixed default values for interface "loop-protect-disable-time" and "loop-protect-send-interval"; *) winbox - fixed missing "IPv6/Settings" menu; *) winbox - fixed typo in "propagate-ttl" setting; *) winbox - make cert signing include provided ca-crl-host; *) winbox - moved ipsec peer "exchange-mode" to General tab; *) winbox - properly show VHT basic and supported rates in CAPsMAN; *) winbox - removed spare values from loop-protect menu; *) winbox - show all related HT tab settings in 2GHz-g/n mode; *) winbox - show primary and secondary ntp addresses as 0.0.0.0 if none are set; *) winbox - show proper ipv6 connection timeout; *) wireless - added API command to report country-list (/interface/wireless/info/country-list); *) wireless - added CRL checking for eap-tls; *) wireless - fixed action frame handling for WDS nodes; *) wireless - fixed custom channel extension-channel appearance in console; *) wireless - fixed full "spectral-history" header print on AP modes; *) wireless - fixed rare kernel failure when connecting to nv2 access point with legacy rate select; *) wireless - fixed upgrade from older wireless packages when AP interface had empty SSID; *) wireless - take in account channel width when returning supported channels; *) wireless - use VLAN ID 0 in RADIUS message to disable VLAN tagging; What's new in 6.37.3 (2016-Nov-28 11:11): *) bgp - do not match all prefixes tagged with community 0:0 by routing filters; *) bridge - fixed filter Ingress Priority option (broken in 6.36rc8); *) chr - fixed crash on "/interface print" (introduced in 6.36.4); *) chr - fixed crash on "/system reboot" and "/system shutdown"; *) crs226 - fixed sfp-sfpplus1 link re-negotiation (broken in 6.37rc28/v6.37.1); *) disk - fixed issue when disk was renamed after reboot on devices with flash disks; *) dns - do not resolve incorrect addresses after changes made in static dns entries; *) dns - improved static dns entry add speed when regexp is being used; *) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112598); *) firewall - fixed filter rule "limit" parameter by making it visible again; *) firewall - fixed interface slave state recognition (broken in 6.37.2); *) firewall - fixed timeout option on address lists with domain name; *) log - ignore email topic if action is email; *) mipsbe - improved memory allocation on devices with nand when file transfer and tcp traffic processing is on progress; *) route - fixed memory leak when route cache is disabled; *) tile - fixed rare kernel failure when IPv6 neighbor discovery packet is received; *) traceroute - fixed crash when too many sessions are active; *) tunnel - allow to force mtu value when actual-mtu is already the same; *) winbox - recognize properly tcp in traffic-generator packet-template header type; *) winbox - show HT MCS tab if 2GHz-G/N band is used; What's new in 6.37.2 (2016-Nov-08 13:15): Important note!!! Dude client auto-upgrade to this version will not work. Use http://www.mikrotik.com/download for 6.37.2 client download/install. It will be fixed in soon to be released v6.37.3 Changes since 6.37.1: !) ethernet - optimized packet processing on low load when irq re-balance is not necessary; !) fastpath - let one packet per second through slow path to properly update connection timeouts; !) queues - significantly improved hashing algorithm in dynamic simple queue setups (fixes CPU load spikes on queue removal); *) arm - improved watchdog reliability; *) bonding - fixed 802.3ad load balancing over routed VLANs with fastpath enabled; *) bonding - fixed mac address selection after upgrade; *) crs - fixed port mirroring halt after L2MTU change; *) dhcp - do not allow to create dhcp-server on slave interface; *) ethernet - fixed interface speed reporting for x86 in log after reboot or if "disable-running-check=yes"; *) ethernet - fixed potential loopprotect crash; *) export - fixed "/interface ethernet switch export" on some boards; *) export - fixed CRS switch egress-vlan-tag export; *) fastpath - fixed kernel failure when fastpath traffic goes into loop; *) fastpath - improved connection tracking timeout updates; *) firewall - do not allow to increase/decrease ttl and hop-limit by 0; *) firewall - fixed "connection-state" value disappearance in rules that were created before v6.22; *) firewall - fixed compact export (introduced in 6.37rc14); *) firewall - improved "time" option (ranges like 22h-10h now are acceptable); *) hotspot - fixed nat rule dst-port by making it visible again for Walled Garden ip return rules; *) ipsec - changed logging topic from error to debug for ph2 transform mismatch messages; *) ipv6 - increased default max-neighbor-entries value to 8192, same as ipv4; *) mmips - improved watchdog reliability; *) package - show minimal supported RouterOS version under "/system resource" menu if it is specified; *) queue - fixed rare crash on statistic gathering in "/queue tree"; *) queue - improved "time" option (ranges like 22h-10h are now usable); *) rb2011 - fixed crash on l2mtu changes; *) sms - fixed crash after modem has failed to start; *) ssl - fixed potential memory leak ( when using dude for example); *) torch - fixed aggregate statistics appearance; *) traffic-flow - fixed dst-port reporting if connection is not maintained by connection tracking; *) userman - fixed memory leak on user limitation calculations; *) winbox - added led settings menu; *) winbox - fixed missing switch menu for mmips devices; What's new in 6.37.1 (2016-Sep-30 10:28): !) package - fixed wireless package status after upgrade to 6.37 (extra reboot after upgrade is necessary); !) ssl - fixed peer address/dns verification from certificate (affects sstp, fetch, capsman); !) winbox - now Winbox 3.6 is the minimum version that can connect to RouterOS; *) console - fixed typo in web-proxy (passthru to passhtrough); *) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599); *) export - do not show mac-address in export when it is not necessary; *) firewall - fixed dynamic dummy firewall rules appearance in raw tables; *) hotspot - fixed nat rule dst-port by making it visible again; *) led - fixed default led settings for wAP2nDr2; *) snmp - do not allow to execute script if user does not have write permission; *) tile - do not reboot device after watchdog disable/enable; *) userman - always re-fetch table data when switching between different menus; *) userman - fixed timezone adjustment in reports; *) webfig - fixed channel selection in check-for-update menu in Firefox; *) winbox - added loop-protect settings; *) winbox - added passthrough state to web-proxy; *) winbox - allow to unset http-proxy field for sstp client; *) winbox - do not show health menu on RB951-2n; *) winbox - fixed typo in dhcpv6 relay (DCHP to DHCP); *) winbox - show address expiration time in dhcp client list; *) wireless - show DFS flag in country-info command output; What's new in 6.37 (2016-Sep-23 08:20): --- IMPORTANT! WIRELESS PACKAGE CHANGES: There will be only one "wireless" package starting from RouterOS v6.37. --- IMPORTANT! DFS CHANGES: DFS configuration in RouterOS has been redesigned, now device looks at specified country settings (/interface wireless info country-info), and applies corresponding DFS mode for each frequency range automatically, making dfs-mode setting unnecessary. Please, check that your frequencies work with corresponding DFS settings before upgrade. !) console - dfs-mode setting does not exist any more and all scripts with such setting will not be executed; !) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=110424); !) dude - from now on dude will use winbox port and it will be changed automatically both in client loader and agent configuration; !) ethernet - added new loop-protect feature for ethernet, vlan, eoip, eoipv6 interfaces, http://wiki.mikrotik.com/wiki/Manual:Loop_Protect ; !) wireless - "wireless" package included in bundle "routeros" package; !) wireless - "wireless-cm2" discontinued; !) wireless - "wireless-rep" renamed to "wireless"; !) wireless - DFS option is removed, corresponding DFS mode for each frequency range applies automatically; *) capsman - fixed kernel crash on cap while changing client-to-client forwarding; *) capsman - report radio-name in registration table; *) certificate - do not allow to remove certificate template while signing certificate; *) console - hotspot setup show wrong certificate name; *) defconf - fixed default configuration restore if virtual wireless interface were present; *) defconf - fixed default configuration when wireless package is used; *) defconf - using caps button now forces all wireless interfaces in caps mode; *) dhcpv6 - improved interface status tracking; *) dhcpv6 - reworked DHCP-PD server interface and route management; *) dhcpv6 - update DUID when system-id changes (solves problem when cloned VM retains the same DUID); *) dns - fixed crash when using regexp static dns entries; *) ethernet - added support for LAN9514 ethernet dongle; *) ethernet - allow to force mtu value when actual-mtu is already the same; *) ethernet - fixed loop-protect on bridged ports; *) ethernet - fixed never ending loop in CDP packet processing; *) ethernet - fixed rare kernel failure on non-switch ethernet reset; *) ethernet - rb44ge now have disabled-running-check=no by default; *) firewall - added additional matchers for firewall raw rules; *) firewall - fixed time based rules on time/timezone changes (again); *) gps - always check NMEA checksum if available; *) health - do not show psu and fan information for passive cooling devices; *) hotspot - show comments from user menu also in active menu; *) ipsec - fixed crash with enabled fragmentation; *) ipsec - fixed dynamic policy not deleted on disconnect for nat-t peers; *) ipsec - fixed fragmentation use negotiation; *) ipsec - fixed kernel crash when sha512 was used; *) ipv6 - fixed RA and RS processing on new interfaces after many interfaces have lost link during prolonged operation; *) ipv6 - improved system responsiveness when ipv6 routes are frequently modified; *) ipv6 - show multiple neighbors with the same address; *) kvm - fix add/remove of disabled interfaces; *) kvm - fixed guest crashing when using mtu bigger than 1504; *) l2tp - fixed kernel failure when fastpath handles l2tp packets; *) leds - added option to disable all leds on RBcAP2n; *) lte - added ability to send/receive sms using '/tool sms'; *) lte - added dlink dwm-157 D, dwm-222 support; *) lte - added huawei me909s variant; *) lte - added initial deregistration only for bandrich modems; *) lte - added logging for usb config switching; *) lte - added Pantech UML295, Vodafone K4201-Z, ZTE MF823/MF831 support; *) lte - added rndis for ZTE MF8xx; *) lte - added support for more dlink dwm-222 configurations; *) lte - added switch for Huawei K5160; *) lte - added zte K5008-Z back; *) lte - adjusted usb config for dlink dwm-157 D; *) lte - fixed at chat condition storage; *) lte - fixed band setting for sxt lte; *) lte - fixed band unsetting; *) lte - fixed default channels for dlink dwm-157; *) lte - fixed ip activation when CREG (circuit switched) state remains in not registered state; *) lte - fixed setting correct lte band for sxt lte; *) lte - process initial state change to deregistred, when lockup occurs; *) lte - reset if sms storage set fails; *) mpls - fixed memory leak; *) mpls - fixed vpls throughput issues caused by out-of-order packets; *) ntp - fixed ntp server when local-clock used (like usb gps module); *) partitions - added ability to add comments; *) ppp - use default-route-distance when adding ipv6 default route; *) ppp,lte - pin is now converted to string argument; *) pppoe - fixed disconnects by idle timeout when fastpath is used; *) quickset - added 2GHz-g/n band support; *) quickset - fixed guest reporting in "home ap dual" mode; *) quickset - fixed wireless frequency fields in "home ap dual" mode; *) rb3011 - fixed rare occasions when router would hang while loading kernel; *) routing - improved kernel performance in setups with large routing tables; *) sfp - enabled eeprom printout in /interface ethernet monitor; *) sfp - fixed initial eeprom reading on CCR1036-8G-2S+ and CCR1072-1G-8S+; *) sfp - removed "sfp-rate-select" as command was not relevant to currently supported hardware; *) sms - moved incorrectly logged message from async to gsm topic; *) sms - report error when unsupported modem is being used; *) snmp - added script table which executes script and returns it's output on get request; *) snmp - require write permitions for script run table access; *) snmp - skip forbidden oids on getnext completion; *) sstp - allow to specify proxy by dns name; *) sstp - now supports TLS_ECDHE algorithms; *) supout - fixed bug that could cause enormous size supout.rif files; *) supout - improved crash report generation for tile architecture; *) switch - added comment field for CRS switch VLANs; *) traffic-flow - allow ipv6 src address to be optional; *) traffic-flow - fixed IPFIX packet timestamp; *) traffic-flow - fixed IPFIX wrong flow sequence; *) trafficgen - add per stream packet count setting; *) trafficgen - show out-of-order packet counters in stats printouts; *) tunnel - fixed communication via tunnel to router itself if fastpath was active; *) tunnel - fixed ipv6 link-local address adding for gre; *) tunnel - increased minimal MRRU to 1500 for PPP interfaces; *) tunnel - ipv6 link-local address is now generated from tunnel local-address; *) usb - added support for SMSC95XX USB Ethernet dongle on mipsbe; *) usermanager - fixed rare crash on paypal payment; *) users - fixed script policy checking against user policies when running scripts; *) webfig - do not crash if radius server does not give out encryption keys; *) webfig - fixed certificate signing; *) winbox - added auto refresh for BFD neighbors; *) winbox - added comment field support for switch vlan menu; *) winbox - added default-authentication parameter for wireless station modes; *) winbox - added src-address field for traffic-flow target; *) winbox - adjust on-event field dynamically depending on window size; *) winbox - adjusted allowed values for http-proxy field; *) winbox - disabled MRRU by default for PPP interfaces; *) winbox - display actual-mtu for tunnels in interfaces window; *) winbox - fixed disconnect when no windows were opened for a while in unsecure mode; *) winbox - fixed multiline read only fields not displaying new line characters; *) winbox - fixed raw firewall showing jump targets from filter chains; *) winbox - hide ethernet flow control settings for interfaces which does not support them; *) winbox - removed health menu from devices that do not support it; *) winbox - removed L2MTU field for PPP interfaces; *) winbox - removed L2MTU field from PPP server binding settings; *) winbox - removed unset button for L2MTU field; *) winbox - show firmware-type in routerboard window; *) wireless - display DFS flag in country info; *) wireless - improved driver support for RB953, hAP ac, wAP ac; *) wireless - send deauth to data frames in scan mode. *) wireless - updated brazil country settings; What's new in 6.36.3 (2016-Sep-05 08:09): *) arp - fixed crash that caused Ethernet frames to go out via wrong interface; *) fastpath - fixed kernel crash on interface disable/remove; *) fetch - fixed bug with incomplete files in https mode; *) ipsec - don't log authtype mismatch as critical; *) ipsec - fixed xauth parameter printing in terminal; *) pppoe - fixed kernel crash caused by dial-on-demand when used with fastpath; *) pppoe - fixed master interface l2mtu check, could result in assumption that master interface can handle 14 byte bigger packet than it actually can (broken in 6.36); *) simple queues - fixed issue which caused additional/unnecessary CPU load; *) vlan - do not allow to add new vlan interface with mtu higher than l2mtu; *) tile - fixed rare kernel crash when usb device is being attached; What's new in 6.36.2 (2016-Aug-22 12:54): *) arm - show cpu frequency under resources menu; *) capsman - fixed upgrade policy; *) ccr/crs - fixed SFP+ interface ddmi info reporting function. Info is now refreshed on regular intervals; *) conntrack - fixed ipv6 timeout display; *) conntrack - fixed removing icmpv6 connections; *) dns - avoid unnecessary dynamic server address saving in storage; *) dns - allow to set query-server-timeout and query-total-timeout only greater than 0s; *) dns - fixed lockup when dynamic dns server address 0.0.0.0 was received; *) export - updated default values in /system routerboard settings menu; *) partitions - fixed crash on repartition when there is not enough free space; *) sstp - fixed disconnects on transmit for multicore systems; *) switch - fixed configuration reload on CRS switches; *) winbox - make queue tree default queue type default-small; What's new in 6.36.1 (2016-Aug-05 09:39): *) address-list - allow DNS names with "_" symbol; *) address-list - check for duplicates when domain name is used in address field; *) bridge - fixed kernel failure when set-priority action was used in bridge firewall; *) dns - avoid unnecessary static entry saving in storage; *) email - increased time which email tool can spend while sending message; *) export - removed unnecessary "log-prefix" on firewall export; *) firewall - fixed time based rules on time/timezone changes; *) log - logs loaded from disk after reboot didn't have correct topics; *) lte - fixed access technology update; *) ovpn - add special exception route for tunnel itself when using add-default-route; *) ping - fixed freezing on "not running" interfaces; *) resource - fixed free-memory reporting after disk eject; *) snmp - fixed packet corruption when multiple trap-targets were used; *) tile - fixed rare kernel crash when fastpath is being active; *) traffic-flow - fixed kernel failure when traffic-flow target uses small mtu; *) upnp - fixed nat rule dst-port by making it visible again; *) upnp - updated to make it work with more UPnP implementations (for example, latest Skype); *) vrrp - fixed transition to backup state when ipv6 mode and equal priorities are used; *) webfig - allowed user password changing (broken in v6.36); *) x86 - fixed crash when igmp-proxy interface becomes "not running" while passing traffic; What's new in 6.36 (2016-Jul-20 14:09): *) arm - added Dude server support; *) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=110428); *) dude - server package is now made smaller. client side content upgrade is now removed from it and is downloaded straight from our cloud. So workstations on which client is used will require access to wan. Alternatively upgrade must be done by reinstalling the client on each new release; *) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-interface-list matcher in firewall and use as a filter in traffic-flow; *) firewall - added pre-connection tracking filter - "raw" table, that allow to protect connection-tracking from unnecessary traffic; *) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list); *) wireless - wireless-fp is discontinued, it needs to be uninstalled/disabled before upgrade; *) address - allow multiple equal ip addresses to be added if neither or only one is enabled; *) address-list - make "dynamic=yes" as read-only option; *) arm - fixed kernel failure on low memory; *) arp - added arp-timeout option per interface; *) bonding - fixed 802.3ad load balancing mode over tunnels ; *) bonding - fixed bonding primary slave assignment for ovpn interfaces after startup; *) bonding - fixed crash on RoMON traffic transmit; *) bonding - implemented l2mtu value == smallest slave interfaces l2mtu; *) capsman - fixed crash when running over ovpn; *) certificate - added automatic scep renewal delay after startup to avoid all requests accessing CA at the same time; *) certificate - cancel pending renew when certificate becomes valid after date change; *) certificate - display issuer and subject on check failure; *) certificate - do not exit after card-verify; *) certificate - force scep renewal on system clock updates; *) chr - fixed CHR seeing its own system disk mounted as additional data disk; *) clock - fixed time keeping for SXT ac, 911L, cAP, mAP lite, wAP; *) clock - save current time to configuration once per day even if there are no time zone adjustments pending; *) cloud - fixed export order; *) console - fixed get false function; *) console - show message time in echo log messages; *) defconf - changed channel extension to 20/40/80mhz for all ac boards; *) dhcp-pd - correct server listing for commands; *) dhcp-server - fixed radius framed route addition after reboot on client renew; *) dhcpv6-client - fixed ia lifetime validation when it is set by dhcpv6 client; *) dhcpv6-relay - set packet link-address only when it is manually configured; *) dhcpv6-server - fixed binding last-seen update; *) disk - added support for Plextor PX-G128M6e(A) SSD on CCR1072; *) email - fixed send from winbox; *) email - removed subject and body length limit; *) ethernet - fixed incorrect ether1 link speed after reboot on rb4xx series routers; *) ethernet - fixed memory leak when setting interface without changing configuration; *) fastpath - fixed kernel failure when fastpath handles packet with multicast dst-address; *) fetch - support tls host name extension; *) firewall - added udplite, dccp, sctp connection tracking helpers; *) firewall - do not show disabled=no in export; *) firewall - fixed spelling in built-in firewall commentary; *) gps - fixed longitude seconds part; *) health - fixed broken factory voltage calibration data for some hAP ac boards; *) health - fixed incorrect voltage after reboot on RB2011UAS; *) icmp - fixed kernel failure when icmp packet could not be processed on high load; *) ippool6 - fixed crash on acquire when prefix length is equal with pool prefix length; *) ipsec - add dead ph2 detection exception for windows msgid noncompliance with rfc; *) ipsec - added dead ph2 reply detection; *) ipsec - don't register temporary ph2 on dead list; *) ipsec - fix initiator modecfg dynamic dns; *) ipsec - fixed AH with SHA2; *) ipsec - fixed checks before accessing ph1 nat options; *) ipsec - fixed mode-config export; *) ipsec - fixed route cache overflow when using ipsec with route cache disabled; *) ipsec - fixed windows msgid check on x86 devices; *) ipsec - show remote peer address in error messages when possible; *) ipsec - store udp encapsulation type in proposal; *) kernel - fixed possible kernel deadlock when Sierra USB mode is being used; *) l2tp - fixed crash when rebooting or disabling l2tp while there are still active connections; *) lcd - reduced lowest backlight-timeout value from 5m to 30s; *) license - do not expire demo license right after fresh installation of x86; *) log - added whole scep certificate chain print; *) log - increase excessive multicast/broadcast warning threshold every time it is logged; *) log - make logging process less aggressive on startup; *) lte - added allow-roaming option for Huawei MU709, ME909s devices; *) lte - added cinterion pls8 support; *) lte - added support for Huawei E3531; *) lte - added support for ZTE ZM8620; *) lte - added use-peer-dns option (will work only combined with add-default-route); *) lte - changed driver loading for class 2 usb rndis devices; *) lte - display message in lte,error log if no response received; *) lte - display message in lte,error log when PIN is required; *) lte - fix crash on SXT LTE while resetting card while at high traffic; *) lte - fixed access technology logging; *) lte - fixed connection for Huawei without cell info; *) lte - fixed modem init when pin request present; *) lte - fixed modem network configuration version checks; *) lte - fixed network-mode support after downgrade; *) lte - Huawei MU609 must use latest firmware to work correctly; *) lte - improved multiple same model modems identification; *) lte - show uicc for Huawei modems; *) lte - use only creg result codes as network status indications; *) mesh - fixed crash when connection references a mesh network but it is not available any more; *) modem - added support for Alcatel OneTouch X600; *) modem - added support for Quectel EC21 and EC25; *) modem - added support for SpeedUP SU-900U modem; *) nand - improved nand refresh feature to enhance stored data integrity; *) ovpn - enable perfect forwarding secrecy support by default; *) ovpn - fixed compatibility with OpenVPN 2.3.11; *) pppoe - allow to set MTU and MRU higher than 1500 for PPPoE; *) pppoe - do not allow to send out bigger packets than l2mtu if mrru is provided; *) proxy - limit max ram usage to 80% for tile and x86 devices; *) queue - reset queue type on interfaces which default queue type changes to no-queue after upgrade; *) rb2011 - fixed ether6-ether10 flapping when two ports from both switch chips are in the same bridge; *) rb3011 - fixed port flapping on ether6-ether10; *) rb3011 - fixed reset button functionality; *) rb3011 - fixed usb driver load; *) rb3011 - fixed usb storage mounting; *) rb3011 - improved performance on high cpu usage; *) route - added suppport for more than 8 bits of options; *) route - fixed ospf by handling ipv6 encoded prefixes with stray bits; *) sniffer - fixed ipv6 address matching; *) snmp - fixed get function for snmp>=v2 when oid does not exist; *) snmp - fixed interface stats branch from MikroTik MIB; *) snmp - report current access technology and cell id for lte modems; *) snmp - report ram memory as ram instead of other; *) ssh - add rsa host key size parameter; *) ssh-keygen - add rsa key size parameter; *) ssl - do not exit while there still are active sessions; *) ssl - fixed memory leak on ssl connect/disconnect (fetch, ovpn, etc.); *) sstp - fixed dns name support in connect-to field if http-proxy is specified; *) supout - erase panic data properly on Netinstall; *) switch - fixed switch compact export; *) timezone - updated timezone information from tzdata2016e release; *) traffic-flow - added ipfix support (RFC5101 and RFC5102); *) tunnel - added option to auto detect tunnel local-address; *) tunnel - fixed rare crash by specifying minimal header length immediately at tunnel initialization; *) upnp - fixed nat rule dst-port by making it visible again; *) usb - I-tec U3GLAN3HUB usb hub/ethernet dongle now shows up correctly as ethernet interface; *) usb - implement possibility to recognize usb hubs/ethernet-dongles (if usb hubs/ethernet-dongles are not recognized with this version - send supout.rif file); *) userman - fixed crash on database upload; *) userman - use ipnpb.paypal.com for payment verification; *) wap-ac - fixed performance problems with 2.4GHz wireless (additional reboot after upgrade required); *) webfig - do not allow to press OK or Apply if current configuration values are not loaded yet; *) webfig - reduced refresh time for wireless registration table to 1 second; *) winbox - added 2ghz-g/n band for wireless-rep; *) winbox - added icons to bridge filter actions similar to ip firewall; *) winbox - added support for ipv6 dhcp relay; *) winbox - allow to reorder hotspot walled-garden & walled-garden-ip rules; *) winbox - do not allow to specify vlan-mode=no-tag in capsman datapath config; *) winbox - do not show filter for combined fields like bgp-vpn4 RD; *) winbox - do not show mode setting for WDS interfaces; *) winbox - fixed crash on disconnect in secure mode; *) winbox - fixed crash when using ctrl+d; *) winbox - fixed safe mode; *) winbox - improve filtering on list fields; *) winbox - report correctly dude users in active users list; *) winbox - set default sa-learning value to "yes" for CRS Ingress VLAN Translation rules; *) winbox - show action column as first in bridge firewall; *) winbox - show error when telnet is not allowed because of permissions; *) wireless - fixed multiple wireless packages enabled at the same time after upgrade; *) wireless-rep - added initial API support for snooper; *) wireless-rep - fixed crash on nv2 reconnect; *) wireless-rep - fixed scan-list unset; *) wireless-rep - treat missing SSID element as hidden SSID; What's new in 6.35.4 (2016-Jun-09 12:02): *) address-list - make "dynamic=yes" as read-only option; *) bonding - fixed 802.3ad load balancing mode over tunnels ; *) bonding - fixed bonding primary slave assignment for ovpn interfaces after startup; *) bonding - fixed crash on RoMON traffic transmit; *) dhcpv6 client - fixed ia lifetime validation when it is set by dhcpv6 client; *) disk - added support for Plextor PX-G128M6e(A) SSD on CCR1072; *) ethernet - fixed memory leak when setting interface without changing configuration; *) firewall - do not show disabled=no in export; *) health - fixed broken factory voltage calibration data for some hAP ac boards; *) health - fixed incorrect voltage after reboot on RB2011UAS; *) ipsec - fixed mode-config export; *) ipsec - fixed route cache overflow when using ipsec with route cache disabled; *) lte - use only creg result codes as network status indications; *) ovpn - enable perfect forwarding secrecy support by default; *) rb3011 - fixed port flapping on ether6-ether10; *) rb3011 - fixed reset button functionality; *) rb3011 - improved performance on high cpu usage; What's new in 6.35.3 (2016-Jun-01 7:55): (factory only release) What's new in 6.35.2 (2016-May-02 10:09): *) discovery - fixed identity discovery (introduced in 6.35.1); *) firewall - fixed policy routing configurations (introduced in 6.35rc38); *) log - fixed time zone adjustment (introduced in 6.35.1); *) queue - fixed interface queue type for ovpn tunnels; *) snmp - fixed snmp timeout (introduced in 6.35.1); *) vrrp - fixed missing vrrp interfaces after upgrade (introduced in 6.35.1). What's new in 6.35.1 (2016-Apr-25 09:29): *) bonding - do not corrupt bonding statistics on configuration changes; *) bonding - fixed crash when vlan parent mtu is higher than bonding mtu; *) ethernet - do not allow mtu to be higher than l2mtu and l2mtu to be higher than max-l2mtu (reduce automatically on upgrade if it was wrong before); *) log - fixed reboot log messages; *) lte - do not allow to set multiple modes when it is not supported; *) lte - fixed address acquisition on Huaweii LTE interfaces; *) winbox - show voltage in Health only if there actually is voltage monitor; *) wireless - fixed issue when CAPsMAN could lock CAPs interface; What's new in 6.35 (2016-Apr-14 12:55): *) arp - apply Linux Kernel patch to stop RouterOS from randomly exhibiting misplaced ARPs; *) mipsbe - (excluding RB4xx and CRS series) fixed rare ethernet tx buffer corruption; *) nand - implemented once a week nand refresh to improve stored data integrity (will increase sector writes); *) pppoe-client - implemented fastpath support; *) l2tp - implemented l2tp and lns fastpath/fasttrack support; *) queue - added bucket-size setting to queues (derived from max-limit); *) tile - fixed rare situation when some cores decide not to take part in packet processing till next reboot; *) tunnels - fixed performance slowdown on any other tunnel disable/enable; *) winbox - increased minimal required winbox version to 3.4; *) wireless - added new package "wireless-rep"; *) wireless - improved 1-chain 802.11ac station compatibility with other vendor multi-chain APs; *) address-list - fixed crash in low memory situations; *) bonding - fixed crash when creating vlans on bonding interface; *) capsman - added 802.11g/n band; *) capsman - fixed capsman extension channel names; *) certificate - revoked certificates not showing as (R)evoked; *) certificate - allow manual crl url addition; *) chr - added support for VLAN on Hyper-V; *) chr - fixed Hyper-V booting from SCSI; *) chr - fixed Hyper-V on windows 8/10 reboot loop; *) chr - fixed bridge firewall; *) chr - fixed kernel crash when virtual ethernet was not connected to anything in Hyper-V; *) chr - implemented automatic storage increase on disk image size increase; *) chr - implemented kernel crash saving to autosupout.rif (will utilize additional 24Mb of RAM); *) chr - make shutdown request from hyper-v work (might fix other hypervisor as well); *) chr - no more installation on first boot; *) chr - try to renew expired license once a hour instead of 100h; *) cloud - don't write minor status changes to storage; *) console - fixed print follow in "/ip dns cache" menu; *) console - show RouterOS Version in /interface wireless scan; *) console - sort completions/hints in natural order; *) console - update copyright notice; *) defconf - fixed default configuration for SXT LTE; *) dhcpv6-client - fixed wrong error message; *) dhcpv6-client - fix ia expiration and lifetime validation; *) dhcpv6-server - acquire binding on renew if it does not exist; *) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=104395); *) dude - fixed dude login logging, no more shows as winbox login; *) email - fixed send cmd server addr override; *) ethernet - add option to see S-GPON-ONU module, GPON side SN in "/int eth mon sfp#"; *) ethernet - do not allow to set self as master port; *) export - bonding did not show up in global export; *) export - exclude default values from export in "/interface l2tp-server server" menu; *) export - fixed export when ipv6 address was taken from pool; *) export - fixed rare situations when not whole config was exported; *) export - updated defaults for compact export; *) fastpath - fixed crash when packet arrives on disabled interface; *) fastpath - fixed show rx-bits-per-second on all VLAN interfaces; *) fastpath - improved vlan fastpath; *) fasttrack - fixed timer updating in connections table for fasttrack connections; *) fetch - decrease connection idle timeout; *) firewall - added experimental "action=route" in mangle prerouting - that forces packets to specific gateway by ignoring routing decisions (CLI only); *) health - always report fan speed (even if it is 0); *) health - swap fan2 and fan3 on CCR1072; *) hotspot - clean-up all dead entries at once; *) hotspot - fixed possible deadlock; *) hotspot - improved html page resistance against attacks; *) hotspot - make video tag work properly on hotspot login.html page *) ip - rename max-arp-entries to less confusing max-neighbor-entries; *) ippool6 - fixed potential crash; *) ipsec - always re-key ph1 because it was possible that ph1 without DPD would expire; *) ipsec - better flush on proposal change; *) ipsec - fixed crash on policy update; *) ipsec - fixed fast ph2 SA addition; *) ipsec - fixed larval SA refresh for display; *) ipsec - fixed multiple consecutive dynamic policy flush; *) l2tp & pppoe - fixed user traffic accounting when fastpath was used; *) l2tp - introduced per tunnel allow-fast-path option; *) l2tp - added support for Hidden AVP, it is needed for proxy authentication; *) l2tp - added support for max-sessions; *) l2tp - added support for proxy authentication when receiving forwarded PPPoE sessions; *) l2tp - fixed small memory leak on reconnects; *) lcd - fixed branding packet logo drawing on startup; *) led - fixed crash on assigned interface removal; *) led - turn on fault led on CCR1072 if CPU too hot; *) leds - fixed AP-CAP led blinking after successful association to CAPsMAN; *) lte - added ipv6 support for SXT LTE; *) lte - changed AT command processing; *) lte - changed AT parsing because supported Huawei modems use unsolicited events instead of polling; *) lte - fixed bandlux modem dialing; *) lte - fixed crash on early initialization; *) lte - improve situation when SXT modem never finds operator; *) lte - replaced signal-strength with rssi in info command; *) lte - support Alt38XX modem; *) lte - support for zte mf820s2; *) lte - supported modems now use unsolicited events for network monitoring; *) lte - use timer for modem info; *) map lite - added hardware WPS button support; *) mpls - do not reset VPLS on TE tunnel re-optimize; *) ntp - fixed ntp client hangs in reached state; *) ospf - fixed crash when getting neighbor router-id in NBMA area; *) ppp - fixed ppp interface reconnect when uPnP was used; *) ppp - close connection if peer wants to re-authenticate; *) ppp - fixed memory leak high number of pppoe clients to the same server; *) ppp - fixed ppp crash if lcp packets were lost and authentication got delayed; *) ppp - fixed some clients can not connect due to LCP restart; *) pppoe - added rfc4679 support; *) pppoe - fixed crash when removing pppoe service; *) pppoe-server - added pado-delay option; *) profiler - classify certificate signing; *) proxy - fixed ftp request url decode; *) queue - improve "/queue interface" menu; *) quickset - fixed invalid date adjusted the signal threshold for the signal chart and refresh rate; *) quickset - fixed situations when hidden password was passed as ******* from winbox nd webfig; *) radius - warn radius client if incorrect secret is being used; *) rb3011 - fixed sfp compatibility with CCR when using direct attached cables; *) rb3011 - fixed time keeping; *) rb3011 - make ether6-ether10 work if SFP module is present on bootup; *) romon-ssh - fixed active addresses for romon user; *) route - do not show duplicate gateway on connected route; *) route - fixed filter by routing table; *) routing - fixed rare kernel failure on different dynamic routing configurations; *) routing - fixed routing-marks were not erased from memory when they are not being used; *) services - do not show ssh entry under ip services if security package is disabled; *) snmp - don't group oids for bulk get with maxreps > 1 ; *) snmp - fixed cpu load reporting to 1min average and change oid to 1.3.6.1.4.1.2021.11.10.0; *) snmp - fixed dhcpv4 lease hwaddr format according to mib; *) snmp - fixed getbulk result ordering with multiple request OIDs; *) ssh - simplify login process; *) ssl - optimized certificate update; *) system - log time changes; *) tile - corrected max-l2mtu; *) tile - fixed fastpath related memory leak; *) tile - fixed performance regression on switch chip (introduced in 6.33rc18); *) tile-crypto - fixed minor memory leak; *) tool fetch - fixed https cleanup on user stop while handshaking; *) trafficgen - fixed console arguments; *) trafficgen - fixed crash when unexpected stream reappears; *) trafflow - fixed potential deadlock; *) ups - fixed entering hibernate mode when below battery capacity limit; *) users - added separate RoMoN policy; *) webfig - fixed firewall rule sorting did not work in other chains except all; *) webfig - show single item groups as optional values; *) webfig - sort numeric columns numerically even if they contain some text; *) winbox - added "pw-type" to "/interface vpls bgp-vpls" menu; *) winbox - added "use-control-word" and "pw-mtu" to "/interface vpls cisco-bgp-vpls" menu; *) winbox - added /interface wireless setup-repeater; *) winbox - added all the rates settings to the capsman; *) winbox - added flip-screen option to lcd settings; *) winbox - added init-delay option to routerboard settings; *) winbox - added ipv6 firewall missing log option; *) winbox - added missing eap-ttls-mschamv2 method to wireless security profile; *) winbox - added mtu=auto support to eoipv6 tunnel; *) winbox - added sfp-mac for GPON interfaces; *) winbox - added support for new settings from wireless-rep package; *) winbox - added support for route action in mangle rules; *) winbox - allow to set additional-network-modes; *) winbox - allow to set multiple dh-groups; *) winbox - disable autostart for wireless scan,snooper,align etc. on open; *) winbox - do not show "enable-jumper-reset" setting on devices without serial port; *) winbox - do not show real-tx-power column in current-tx-power by default; *) winbox - fixed unset options in /routing ospf interface menu; *) winbox - hotspot default-trial user shows profile as "unknown" in Winbox; *) winbox - improved winbox connection loss detection, fixes winbox safe mode; *) winbox - limit ospf key to 16 symbols; *) winbox - make additional-network-mode optional for lte interface; *) winbox - make build with latest lte changes; *) winbox - make mrru disabled and set mtu+mru to auto by default on new servers; *) winbox - show "usb-power-reset" option on all boards that have it; *) wireless - fixed crash on nstreme-dual interface stats update; *) wireless-rep - added 802.11g/n only band; *) wireless-rep - added STEP feature for the scan-list; *) wireless-rep - added WPS client support; *) wireless-rep - added support for saving wireless scan results to file; *) wireless-rep - added support for wireless background scan for 802.11 protocol; *) wireless-rep - added support for wireless repeater mode for 802.11 protocol; *) wireless-rep - added support for wireless scan rounds setting; *) wireless-rep - adjust roaming scan times; *) wireless-rep - allow to connect to AP after scan; *) wireless-rep - do not allow empty ssid for AP modes; *) wireless-rep - fixed crash on non-HT clients; *) wireless-rep - fixed latency issues with Intel wireless clients; *) wireless-rep - fixed nv2 protocol; *) wireless-rep - fixed qos frame-priority when nv2 protocol used in station-wds mode; *) wireless-rep - fixed signal leds; *) wireless-rep - fixed speed issue when connected with Intel 802.11ac; *) wireless-rep - initial support for station roaming for station mode in 802.11 protocol; *) wireless-rep - request interface name for setup-repeater; *) wireless-rep - use full identity where possible; *) wireless-rep,capsman - added more configuration settings; *) wireless-rep,capsman - added rate config support. What's new in 6.34.4 (2016-Mar-24 13:13): *) bonding - fixed crash on bonding slave release; *) bonding - fixed mac-address disappearance after reboot in specific setups; *) chr - fixed reboots with license and queues; *) console - allow unknown scan-list names on wireless configuration to fix import; *) ethernet - fixed Netmetal, QRT, DynaDish, SXT ac linking at 10/100Mbps (introduced in 6.34.x); *) fastpath - fixed rare kernel failure; *) ipsec - take into account ip protocol in kernel policy matcher; *) mac-winbox - try to aggregate packets & resend all pending packets on timeout; *) ppp - do not crash when received multiple CBCP packets; *) ppp - fixed crash when ppp interface gets disconnected and user gets authenticated at the same time (most probable with slow RADIUS server); *) quickset - fixed wan interface selection on devices with SFP interfaces; *) quickset - use 5GHz interface instead of 2GHz interface on SXT Lite5 ac; *) rb3011 - fixed high cpu load breaks ethernet stats; *) rb3011 - fixed link down messages; *) romon - fixed romon discovery after romon ID change; *) timezone - fixed reboot by watchdog when selecting timezones from the end of list; *) userman - fixed www crash; *) winbox - allow to show revoked & authority flags at the same time; *) winbox - correctly recognise if there is need to report fan information under system health; *) winbox - do not use area v2 names instead of ospf v3 area names; *) winbox - make mac-winbox work with RB850. What's new in 6.34.3 (2016-Mar-09 10:03): *) ccr1072 - fix traffic halting when sfp+ 1-4 or 5-8 where all disabled; *) chr - fixed crash when layer7 firewall option used; *) fetch - fixed TTFP download; *) gre - fixed memory leak; *) lcd - fixed security screen did not show ip addresses on ccr; *) netinstall - fixed link negotiation for different sfp modules; *) ppp - fixed ppp crash; *) queue-tree - improved nested queue limit calculation; *) ssh - fixed crash on failed scp read; *) winbox - allow to set multiple dh-groups; *) winbox - do not show fan statuses in passive cooling CCR1009; *) winbox - fixed typo in "echo reply"; *) winbox - fixed unset options in /routing ospf interface menu; What's new in 6.34.2 (2016-Feb-18 06:31): *) dude - updated to the latest Release Candidate revision (v6.35rc11); *) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=104395); *) chr - fixed high rate limitation; *) dhcpv6 client - fix pd hint with empty address; *) ipsec - fix console peer aes enc algorithm display; *) l2tp - ipsec peer & policy sometimes was not removed after l2tp interface disable; *) log - try not to loose disk messages and warn if lost any; *) lte - fix allowed bands for RBSXTLTE3-7; *) pptp - fixed kernel crash when receiving fragmented packet with fragmented header; *) proxy - store error.html on flash if it is available; *) ssh - fixed connection stalling; *) ssh - make export verbose work; *) switch - make "sa-learning=yes" by default when adding Ingress VLAN Translation rules; *) tile - fixed possible kernel failure with disabled watchdog timer caused by DDoS attack; *) ups - fix waiting for AC power restore in hibernate mode; *) winbox - added factory-firmware field to system/routerboard; *) winbox - fixed email address saving; *) winbox - fixed multi value field display (i.e. web proxy ports); *) winbox - fixed incomplete ARP entries are not refreshed; *) www - fixed www crash. What's new in 6.34.1 (2016-Feb-02 14:08): *) interface - fixed stats that were 8x smaller; *) traffic-monitor - fixed stats that were 8x smaller; *) smips - properly detect smips boards for winbox & webfig. What's new in 6.34 (2016-Jan-29 10:25): *) mipsle - architecture support dropped (last fully supported version 6.32.x); *) dude - The reports of my death have been greatly exaggerated; *) dude - dude RouterOS package added for tile and x86 (CHR) architecture; *) dude - package included by default to all CHR images; *) dude - initial work on dude integration into RouterOS; *) bgp vpls - fixed initialization after reboot; *) mpls - forwarding of VRF over TE tunnel stopped working after BGP peer reset; *) ipsec - improved TCP performance on CCRs; *) btest - significantly increased TCP bandwidth test performance; *) winbox - fixed possible busy-loop on v2.x with latest 6.34RC versions; *) cerm - allow to sign certificates from imported CAs created with RouterOS; *) ldp - fix MPLS PDU max length; *) net - improve 64bit interface stats support; *) routerboard - print factory-firmware version in routerboard menu; *) snmp - add oid from ucd mib for total cpu load OID 1.3.6.1.4.1.2021.11.52.0; *) winbox - add extra items automatically to multi-line fields if at least one of them is required; *) winbox - implemented full ipv6 dhcp client; *) winbox - update blocked flag if user changed blocked field in dhcp server lease; *) mac-telnet - fixed backspace when typing login username; *) sstp - allow ECDHE when pfs enabled; *) lte - fixed info command for Cinterion EHS5-E modem; *) fast-path - fixed kernel crash on on/off; *) licensing - fixed that some old 7 symbol keys could not be upgraded; *) ssh - fixed possible kernel crash; *) console - fixed crash on creating variable with "?" in it; *) chr - fix SSH key import on AWS; *) crs212 - fix 1Gbps ether1 linking problem; *) timezone - use backward timezone aliases; *) lte - support serial port for DellWireless 5570; *) lte - improved dhcp handling on interfaces that doesn't support it; *) ipsec - allow my-id address specification in main mode; *) dhcpv6 client - fix remove when client reappears on restart; *) default config - fix hAP lite with one wireless; *) firewall - added inversion support for "limit" option; *) firewall - added bit rate matching for "limit" option; *) firewall - improved performance for "limit" option; *) dhcpv6-client - fix ia lifetime check; *) ipsec - prioritize proposals; *) ipsec - support multiple DH groups for phase 1; *) netinstall - fix apply default config; *) tile - make sure that SFP rj45 modules that use forced 1G FD settings work correctly after system reboot; *) wireless - added WPS buttons support on hAP and hAP ac lite; *) upnp - added comment for dynamic dst-nat rules to inform what host/program required it; *) webfig - recognize properly CHR; *) chr - license fix for AWS and similar solutions; *) arm - fix usb modem modules on ARM; *) dhcpv6-client - fixed stopped state; *) netinstall - sort packages by name; *) firewall - do not allow to add new rule before built-in (reverted); *) winbox - include FP in fast-path column names; *) ipsec - fix phase2 hmac-sha-256-128 truncation len from 96 to 128 This will break compatibility with all previous versions and any other currently compatible software using sha256 hmac for phase2; *) ssh, ftp - make read, write user group policy aware; *) tunnel - fix keep-alive (introduced in 6.34rc); *) cerm - show last crl update time; *) quicket - support CAP mode on all existing wireless packages; *) wlan - add united states3 country; *) fast-path - fix locking issue which could lead to reboot loop (introduced in 6.34rc20); *) userman4 - try loading signup files from db path first; *) sstp - allow to limit tls version to v1.2 only; *) chr - make tool profile work on 64bit x86; *) dhcpv6-server - added binding server=all option; *) hotspot - added html-directory-override & recognize default hotspot user; *) hotspot - fixed export of default trial user; *) hotspot - fixed memory leak on https requests; *) winbox - allow to specify amsdu-limit & amsdu-threshold on 11n wifi cards; *) winbox - added multicast-buffering & keepalive-frames settings to wireless interfaces; *) CHR - implemented trial support for different CHR speed tiers; *) dhcpv6-client - fix add route/address; *) usb - enable ch341 serial module; *) lte - make sure that both LTE miniPCI-e cards are recognized; *) winbox - show Common-Name of certificates in certificate list; *) winbox - added units to PCQ queue fields; *) net - do not break connection when interface is added to bridge; *) hotspot - show cookie add/remove events in hotspot,debug log; *) hotspot - allow static entries with the same mac on multiple hotspot servers; *) hotspot - do not remove mac-cookie in case of radius timeout; *) hotspot - added byte limits option for default-trial users; *) ipsec - make sure that dynamic policy always has dynamic flag; *) CAPsMAN - use CAP name in log when remote-cap is deleted (wireless-cm2); *) hotspot - fixed login by mac-cookie when roaming among hotspot servers; *) hotspot - add html-directory-override for read-only directory on usb flash; *) hotspot - add uptime, byte and packet counter variables to logout script; *) net - fix statistics counters jumping up to 4G; *) firewall - SIP helper update for newer Cisco phones; *) usermanager - fixed usermanager web page crash; *) ipsec - fixed active SAs flushing; *) hotspot - added option to login user manually from cli; *) hotspot - fixed trial-uptime parsing from CLI to Winbox/Webfig; *) lte - added support for multiple E3372 on the same device; *) modem - added wpd-600n ppp support; *) console - fixed incorrect disabled firewall rule matching to "invalid flag"; *) dns - fix for situation when dynamic dns servers could disappear; *) sfp - fix 10g ports in 1g mode (introduced in 6.34rc1); *) CCR1072 - added support for S-RJ01 SFP modules; *) trafficgen - fixed issue that traffic-generator could not be started twice without reboot; *) dhcpv6-server - replace delay option with preference option. -- *) winbox - show properly route-distinguisher for bgp vpn4; *) winbox - show dhcp server name in dhcp leases; *) ppp - make CoA work correctly with address-lists; *) winbox - fixed tab names to correspond to console; *) winbox - show only actual switch-cpu ports in switch setting combobox; *) winbox/webfig - fixed version column ordering in ip neighbors list; *) webfig - fixed switch port "default vlan id" has missing "auto" value; *) webfig - fixed firewall connection-bytes option; *) ipsec - fixed kernel failure after underlying tunnel has been disabled/enabled; *) romon - allow to see device identity if it is longer than 31 character; *) fastpath - show fp counters in /interface monitor aggregate; *) bridge firewall - fix chain check (broken since 6.33.2); *) bridge firewall - fixed crash when jump rule points to disabled custom chain; *) smb - fix crash when changing user which has open session; *) address-list - properly remove unused address-lists from drop-downs; *) fetch - fixed closure after 30 seconds; *) capsman - fix radius accounting stop message; *) log - reopen log file if deleted; *) packing - fix tcp/udp checksums when simple packing is used; *) tile - fix ipsec freeze after SA updates; *) upnp - fixed missing in-interface option for dynamic dst-nat rules; *) tunnel - fix complaining about loop after ~248 days; *) vrrp - make sure that VRRP gets state on bootup; *) ppp - fixed rare kernel crash (introduced in v6.33); *) ppp - do not allow empty name ppp secrets; *) ssh - fix active user accounting. What's new in 6.33.5 (2015-Dec-28 09:13): *) mipsle - architecture support dropped (last fully supported version 6.32.3); *) wireless - regular “wireless” package is now retired and replaced by "wireless-fp" and "wireless-cm2"; *) arp - show incomplete ARP entries; *) btest - fix potential crash after btest release; *) btest - improve UDP tx rate precision; *) crypto - fixed kernel failure in talitos HW encryption; *) dhcpv6-client - fix DNS address assignement; *) dhcpv6-client - set correct parameters when rapid commit is used *) e-mail - do not reset server address after changing configuration; *) fastpath - fixed possible kernel failure on multi core systems; *) fetch - added 30 second connection time-out; *) hotspot - added missing favicon.ico in hotspot html pages; *) kernel - general improvement for core process scheduling; *) led - add WLAN led to RB951Ui *) log - log link up/down events only when link actually has changed its state; *) lte - improve support Sierra Wireless 320U; *) lte - speed up first time connection to LTE network on SXT LTE; *) net - apply slave config only if master config has been changed; *) net - do not show L2MTU in VLAN compact export; *) netwatch - make work with ping time-out more precise; *) ppp - make PPP active print radius & !radius conditions work; *) romon - do not accept multicast id; *) romon - fixed crash on RoMON if fast-path was active; *) smb - show correct interface name in SMB debug logs; *) ssh - fix session clean-up; *) sshd - resolved shared secret mismatch issue; *) tile - fixed kernel failure on HW encryption; *) webfig - didn't show zero values in CRS ingress/egress VLAN translation rules; *) winbox - added + & - to IGMP proxy MFC; *) winbox - added LCD menu for RB3011; *) winbox - allow to specify traffic-monitor threshold in k & M units + specify that those are bits; *) winbox - show fast-path per interface counters. What's new in 6.33.3 (2015-Dec-03 16:08): *) ethernet - fixed 10/100Mbps auto-negotiation fails on RB922UAGS ether1 (introduced in v6.33.2); *) upnp - fixed memory leak; *) ssh - avoid double session clean-up; *) email - make password field sensitive in console. What's new in 6.33.2 (2015-Nov-27 15:00): *) bridge - fixed power-cycle-ping for bridge ports (was affecting all bridge); *) ethernet - fixed link resetting on power-cycle-ping value change; *) ppp - fixed dynamic filter rule adding on some firewall filter configurations; *) pppoe - improved MTU discovery compatibility with other vendors; *) pppoe - made MTU discovery more robust; *) pppoe - fixed compliance to RFC4638 (MTU larger than 1488) again; *) vrrp - fix arp=reply-only; *) vrrp - do not warn about version mismatch if VRID does not match; *) vrrp - allow VRRP to work behind firewall and NAT rules; *) vrrp - fixed on-backup script; *) dhcpv4 server - fix kernel crash when restoring lease with queue for non-existent server; *) dhcpv4-client - support /32 address assignment; *) ssh - fix key exchange when first kex packet follows. What's new in 6.33.1 (2015-Nov-17 09:55): *) licensing - fix unneeded connection attempts to 169.254.x.x must be CHR only (introduced in 6.33); *) pppoe - fixed compliance to RFC4638 for MTU larger than 1488 (introduced in 6.33); *) CRS2xx - fixed occasional switchip resets (broken in 6.33); *) fastpath - fixed wireless interface fastpath (broken in 6.33); *) smb - fixed SMB share crash when connection was cancelled; *) lcd - fixed LCD crash on fast disable/enable; *) lcd - refresh LCD after display command is executed; *) vrrp - fix enabling disabled vrrp interface when vrrp program has exited; *) winbox - do not send any changes on OK button press if nothing has been changed; *) www - put correct path to Winbox v3.0 for new installations with branding package; *) webfig - show correctly SFP Tx/Rx; *) winbox - renamed power-cycle-ping-interval to power-cycle-ping-timeout; *) hotspot - fixed missing image at login; *) netinstall - fix branding pack parsing; *) packages - show version tag when no bundle is installed. What's new in 6.33 (2015-Nov-06 12:49): *) dns - initial fix for situation when dynamic dns servers could disappear; *) winbox - dropped support for winbox v3.0beta and v3.0rc (use winbox v3.0); *) dhcpv6 - various improvement and fixes for dhcp-pd client and ippool6; *) defconf - fixed rare situation where configuration was only partially loaded; *) net - fix possible never ending loop when bad CDP discovery packet is received; *) log - make default disk file name to reside in flash dir if it exists; *) romon - change port list to be not ordered in export; *) capsman - limit number of simultaneous DTLS handshakes; *) capsman - fixed memory leak on CAP joining CAPsMAN when ssld is used; *) winbox - added allow-fast-path to eoip, gre & ipip; *) winbox - do not show power-cycle properties on non poe ports; *) l2tp: implemented PPPoE over L2TP in LNS mode, RFC3817; *) webfig - some of the setting were shifted to the right; *) packages - allow to reinstall from bundle to separate packages & vice versa; *) packages - prefer out of bundle packages when both of them are installed; *) packages - fix a problem of upgrading bundle package to non bundled ones; *) ipsec - force flow cache validation once in 1h; *) winbox - make sure that all setting names get shown in full; *) winbox - added poe power-cycle-ping settings to ethernet interfaces; *) ppp - handle properly case were ppp client is given same address for local & remote end; *) winbox - added vlan-mode & vlan-id to virtual-ap interface; *) winbox - added timeout column to ipv6 address lists; *) winbox - show SFP Tx/Rx Power properly; *) winbox - added min-links to bonding interface; *) winbox - do not show health menu on RB951Ui-2HnD; *) winbox - added support for Login-Timeout & MAC-Auth-Mode in hotspot; *) cerm - added option to disable crl download in '/certificate settings'; *) winbox - make user ssh key import work again; *) webfig - make "Copy to Access List" work in CAPsMAN Registration Table; *) userman - fix report generation problem which could result in some users being skipped from it; *) winbox - fix to allow cpu-port as mirror-target *) proxy - error.html parsing enhancement to improve performance *) CCR1072 - improve ether1 performance under heavy load *) routerboard - indicate RouterBOOT type in /system routerboard print; *) mpls - properly use mpls mtu for routes; *) cerm - fix key description for signed certificates; *) trafflow - report flow addresses in v1 and v5 without NAT awareness; *) hotspot - add mac-auth-mode setting for mac-as-passwd option; *) hotspot - add login-timeout setting to force login for unauth hosts; *) auto-upgrade - fixed auto upgrade for smipsbe; *) dns - do not create duplicate entries for same dynamic dns server addresses; *) ipsec - fix set on multiple policies which could result in adding non existent dynamic policies to the list; *) email - allow server to be specified as fqdn which is resolved on each send; *) fastpath - eoip,gre,ipip tunnels support fastpath (new per tunnel setting "allow-fast-path"); *) ppp, pptp, l2tp, pppoe - fix ppp compression related crashes; *) cerm - also accept downloaded CRLs in PEM format; *) userman - added 'history clear' to allow flushing undo history, which may take up significant amount of memory for huge databases with hundreds of users; *) health - fix voltage for CRS109, CRS112 and CRS210 if powered from external adapter; *) userman - added phone number support to signup form; *) ip pool6 - try to acquire the same prefix if info matches recently freed; *) ipsec - fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator; *) ipsec - use local-address for phase 1 matching and initiation; *) route - fixed crash on removing route that was aggregated; *) ipsec - fix replay window, was accidentally disabled since version 6.30; *) ssh - allow host key import/export; *) ssh - use 2048bit RSA host key when strong-crypto enabled; *) ssh - support RSA keys for user authentication; *) wlan - improved WMM-PowerSave support in wireless-cm2 package; *) pptp & l2tp - fixed problem where android client could not connect if both dns names were not provided (was broken since v6.30); *) auto-upgrade - added ability to select which versions to select when upgrading; *) quickset - fixed HomeAP mode; *) lte - improved modem identification to better support multiple identical modems; *) snmp - fix system scripts table; *) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address; *) fastpath - active mac-winbox or mac-telnet session no longer suspends fastpath; *) fastpath - added per interface fastpath counters; *) fastpath - added trafflow support in basic ipv4 and fasttrack ipv4 fastpath; *) ppp - added on-up & on-down scripts to ppp profile; *) winbox - allow to specify dns name in all the tunnels; *) pppoe - added support for MTU > 1492 on PPPoE; *) cerm - fix scep server certificate-reply degenerate PKCS#7 signed-data content; *) ppp-client - added default channels for Alcatel OneTouch L100V; *) defconf - fix for boards that had bridge with only wlan ports; *) ovpn: support OpenWRT ovpn clients (or any other with enable-small option enabled); *) cerm - use certificate file name for imported cert name; *) fetch - fixed error message when error code 200 was received; *) cerm - rebuild crl for local ca if crl file does not exist; *) winbox - make directed broadcasts work for neighbor discovery; *) upnp: automatically adjust mappings to new external ip change; *) ppp - added ppp interface to upnp internals/externals if requested; *) ppp - when adding ipv6 default route use user provided distance; *) userman - allow to correctly enable CoA on router; *) cerm - show crl nextupdate time; *) ppp - added CoA support to PPPoE, PPTP & L2TP (Mikrotik-Recv-Limit, Mikrotik-Xmit-Limit, Mikrotik-Rate-Limit, Ascend-Data-Rate, Ascend-XMit-Rate, Session-Timeout); *) ppp - added new option under "ppp aaa" - "use-circuit-id-in-nas-port-id"; *) userman - refresh active sessions/users view dynamically; *) package - added version tag and show everywhere alongside of version number; *) wlan - improved 802.11 protocol single connection TCP performance for ac chipset with cm2 package. What's new in 6.32.2 (2015-Sep-17 15:20): *) cerm - guard template from parallel use *) mipsle - fixed missing second level menu in CLI; *) sstp - avoid routing loops on client when adding default route; *) sstp - fixed problem where sometimes sstp ip addresses were invalid; *) switch - fixed bogus log messages about excessive broadcasts/multicasts on master-port; *) tftp - fix request file name reading from packet *) pptp encryption - better handling for out-of-order packets; *) ethernet - added support for new ASIX USB Ethernet dongles; *) CAPsMAN - fix 100% CPU usage when trying to upgrade RouterOS on CAP; *) upgrade - fixed default configuration export; *) ppp - fixed ppp interface stuck in not running state; *) ipsec - fixed kernel failure when packets were not ordered on first call; *) upnp - randomize action urls to fix "filet-o-firewall" vulnerability; *) RB532/RB564 - fixed no link after ethernet disable/enable; *) romon - fixed default configuration export; *) tile - fixed occasional deadlock on module unload; *) mesh - fix router lock-up when interface is added/removed; *) ipsec - fix sockaddr buf size on id generation for ipv6 address; *) health - show correct voltage for CRS109,CRS112,CRS210 when powered through PSU and show voltage up to 27V when powered through PoE; *) email - resolve server address; *) snmp - show firmware upgrade info; *) upgrade - report status in check-for-updates. What's new in 6.32.1 (2015-Sep-07 13:03): *) RB911/912 - fixed lock-up; *) RB493G - fixed reboot loop; *) firewall - do not lose firewall mangle rules on start-up; *) defconf - fix default configuration for routers without wireless package. What's new in 6.32 (2015-Aug-31 14:47): *) trafflow - added support for IPv6 targets; *) switch - fixed port flapping on switch ports of RB750, RB750UP, RB751U-2HnD and RB951-2N (introduced in 6.31) *) ipsec - added compatibility option skip-peer-id-check; *) flash - fix kernel failure (exposed by 6.31); *) bridge firewall - add ipv6 src/dst addr, ip protocol, src/dst port matching to bridge firewall; *) RB911/RB912 - fix SPI bus lock after fast led blink; *) ipsec - fix potential memory leak; *) bridge firewall - vlan matchers support service tag - 0x88a8; *) ippool6 - try to acquire the same prefix if info matches recently freed; *) crs switch - allow to unset port learn-limit, new default is unset to allow more than 1023 hosts per port; *) x86 - fixed 32bit multi-cpu kernel support; *) chr - add hotspot,btest,traffgen support; *) revised change that caused reboot by watchdog problems introduced in v6.31; *) ipsec - use local-address for phase 1 matching and initiation; *) ipsec - fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator; *) certificates -fixed bug where crl stopped working after a while; *) ip accounting - fixed kernel crash; *) snmp - fix system scripts get; *) hotspot - ignore PoD remote requests if no HotSpot configured; *) hotspot - fix kernel failure when www plugin aborts on broken html source; *) torch - add invert filter for src/dst/src6/dst6 addresses ; *) bonding - add min_links property for 802.3ad mode; *) snmp - get vlan speed from master interface; *) hotspot - fix html-directory path on small flash devices; *) mipsbe - make system shutdown work again; *) lcd - fixed parallel port LCD display support on multi-cpu x86; *) bridge - fixed use-ip-firewall-for-vlan in setups with multiple bridges; *) ipv6 - fixed DHCP-PD client skips some steps when renewing lease; *) upnp - fixed protocol port selection for upnp protocol comunications; *) firewall - fixed limit and dst-limit options. *) winbox - fixed wireless interface l2mtu (VirtualAP and WDS interface creation in winbox) *) winbox - fixed multiple firewall rule moving in Winbox 2 *) simple queues - restrict all changes in dynamic simple queues What's new in 6.30 (2015-Jul-08 09:07): *) wireless - added WMM power save suport for mobile devices; *) firewall - sip helper improved, large packets no longer dropped; *) fixed encryption 'out of order' problem on SMP systems; *) email - fix sending multiple consecutive emails; *) fixed router lockup on leap seconds with installed ntp package; *) ccr - made hardware watchdog work again (was broken since v6.26); *) console - allow users with 'policy' policy to change script owner; *) icmp - use receive interface address when responding with icmp errors; *) ipsec - fail ph2 negitioation when initiator proposed key length does not match proposal configuration; *) timezone - updated timezone information to 2015e release; *) ssh - added option '/ip ssh stong-crypto' *) wireless - improve ac radio coexistence with other wireless clients, optimized transmit times to not interfere with other devices; *) console - values of $".id", $".nextid" and $".dead" are avaliable for use in 'print where' expressions; *) console - ':execute' command now accepts script source in "{}" braces, like '/system scripts add source=' does; *) console - ':execute' command now returns internal number of running job, that can be used to check and stop execution. For example: :local j [:execute {/interface print follow where [:log info "$name"]}] :delay 10s :do { /system script job remove $j } on-error={} *) console - firewall 'print' commands now show all entries including dynamic, 'all' argument now has no effect; *) ipsec - increase replay window to 128; *) fixed file transfer on devices with large RAM memory; *) pptp - fixed "encryption got out of sync" problem; *) ppp - disable vj tcp header compression; *) api - reduce api tcp connection keepalive delay to 30 seconds, will timeout idle connections in about 5 minutes; *) pptp & l2tp & sstp client: support the case were server issues its tunnel ip address the same as its public one; *) removed wireless package from routeros bundle package, new wireless-fp is left in place and wireless-cm2 added as option; *) pptp & l2tp client: when adding default route, add special exception route for a tunnel itself (no need to add it manually anymore); *) improved connection list: added connection packet/byte counters, added separate counters for fasttrack, added current rate display, added flag wheather connection is fasttracked/srcnated/dstnated, removed 2048 connection entry limit; *) tunnels - eoip, eoipv6, gre,gre6, ipip, ipipv6, 6to4 tunnels have new property - ipsec-secret - for easy setup of ipsec encryption and authentication; *) firewall - added ipsec-policy matcher to check wheather packet was/will be ipsec processed or not; *) possibility to disable route cache - improves DDOS attack handling performance up to 2x (note that ipv4 fastpath depends on route cache); *) fasttrack - added dummy firewall rule in filter and mangle tables to show packets/bytes that get processed in fasttrack and bypass firewall; *) fastpath - vlan interfaces support fastpath; *) fastpath - partial support for bonding interfaces (rx only); *) fastpath - vrrp interfaces support fastpath; *) fixed memory leak on CCR devices (introduced in 6.28); *) lte - improved modem identification to better support multiple identical modems; *) snmp - fix system scripts table; What's new in 6.29 (2015-May-27 11:19): *) ssh server - use custom generated DH primes when possible; *) ipsec - allow to specify custom IP address for my_id parameter; *) ovpn server - use subnet topology in ip mode if netmask is provided (makes android & ios clients work); *) console - allow '-' characters in unknown command argument names; *) snmp - fix rare bug when some OIDs where skipped; *) ssh - added aes-ctr cipher support; *) mesh - fixed kernel crash; *) ipv4 fasttrack fastpath - accelerates connection tracking and nat for marked connections (more than 5x performance improvement compared to regular slow path conntrack/nat) - currently limited to TCP/UDP only; *) added ~fasttrack-connection~ firewall action in filter/mangle tables for marking connections as fasttrack; *) added fastpath support for bridge interfaces - packets received and transmitted on bridge interface can go fastpath (previously only bridge forwarded packets could go fastpath); *) packets now can go half-fastpath - if input interface supports fastpath and packet gets forwarded in fastpath but output interface does not support fastpath or has interface queue other than only-hw-queue packet gets converted to slow path only at the dst interface transmit time; *) trafflow: add natted addrs/ports to ipv4 flow info; *) tilegx: enable autoneg for sfp ports in netinstall; *) health - fix voltage on some RB4xx; *) romon - fix 100% CPU usage; *) romon - moved under tools menu in console; *) email - store hostname for consistency; *) vrrp - do not reset interface when no interesting config changes; *) fixed async. ppp server; *) sstp - fixed router lockup. *) queue tree: some queues would stop working after some configuration changes; *) fixed CRS226 10G ports could lose link (introduced in 6.28); *) fixed FREAK vulnerability in SSL & TLS; *) firewall - fixed sector writes rising starting since 6.28; *) improved support for new hEX lite; What's new in 6.28 (2015-Apr-15 15:18): *) email - increase server greeting timeout to 60s; *) lte - ZTE MF823 may loose configuration; *) userman - update paypal root certificate; *) timezone - updated timezone information to 2015b release; *) cm2 - fixed capsman v2 100% CPU and other stability improvements; *) route - using ldp could cause connected routes with invalid interface nexthop; *) added support for SiS 190/191 PCI Ethernet adapter; *) made metarouter work on boards with 802.11ac support or usb LTE; *) sstp server - allow ADH only when no certificate set; *) make fat32 disk formatting support disks bigger than 134GiB; *) fixed tunnels - could crash when clamp-tcp-mss was enabled; *) added basic counters for ipv4/bridge fast path, also show status wether fast path is active at all; *) trafflow: - fixed crash on disable; *) pppoe over eoip - fixed crash with large packets; *) tilegx - fixed memory leak when queue settings are changed; *) ar9888 - fixed crash when hw reports invalid rate; *) console - fixed "in" operator in console; *) console - make "/system package update print" work again. *) tile - rare situation when CCR devices failed to auto-negotiate ethernet link (introduced in v6.25); *) dhcpv4 client - it is now possible to unset default clientid and hostname options *) initial RoMon (Router Management Overlay Network) support added. What's new in 6.27 (2015-Feb-11 13:24): *) console - added 'comment' parameter for '/system script' *) api - return sentences can have property ".section" that groups values from commands such as "monitor", "traceroute", "print" (with non-zero 'interval' value); *) cloud - add time zone detection feature "/system clock time-zone-autodetect"; *) cloud - rename "/ip cloud enabled" to "/ip cloud ddns-enabled"; *) cloud - make "/ip cloud update-time" independent from "/ip cloud ddns-enabled" *) cloud - when setting "/ip cloud ddns-enabled" to "no" router will send message to server to disable DNS name for this routerboard; *) cloud - "/ip cloud force-update" command now will work also when "/ip cloud ddns-enabled = no". usefull if user wants to disable DDNS; *) RB4xxGL - improved ethernet throughput (less dropped packets); *) RouterBOARD - fixed health reporting; *) check-installation: fixed wrong kernel crc on powerpc boards *) watchdog: fix software watchdog for x86 *) ssh - check conn state before sending disconnect message; *) ipsec - fixed crash that happened in specific situation;