RouterOS 6.48 [stable]がリリースされました。

2020-12-24 10:11Blog

はじめに

クリスマスプレゼントのつもりなのかstableチャンネルのRouterOS 6.48がリリースされました。桁上がりなのでボリュームがあります。

更新内容

What's new in 6.48 (2020-Dec-22 11:20):
*) arm - added support for automatic CPU frequency stepping for IPQ4018/IPQ4019 devices;
*) arm - improved system stability;
*) arm - improved watchdog and kernel panic reporting in log after reboots on IPQ4018/IPQ4019 devices;
*) arm64 - improved reboot reason reporting in log;
*) bgp - fixed VPNV4 RD byte order;
*) bonding - added LACP monitoring;
*) branding - fixed LCD logo loading from new style branding package;
*) bridge - added "multicast-router" monitoring value for bridge interface;
*) bridge - added fixes and improvements for IGMP and MLD snooping;
*) bridge - added minor fixes and improvements for IGMP snooping with HW offloading;
*) bridge - added warning message when port is disabled by the BPDU guard;
*) bridge - allow to exclude interfaces from extended ports;
*) bridge - automatically remove extended interfaces when deleting PE device from CB;
*) bridge - correctly filter packets by L2MTU size;
*) bridge - correctly remove dynamic VLAN assignment for bridge ports;
*) bridge - fixed "multicast-router" setting on bridge enable;
*) bridge - fixed MDB entry removal when using bridge port "fast-leave" property;
*) bridge - fixed dynamic VLAN assignment when changing port "frame-type" property (introduced in v6.46);
*) bridge - fixed dynamic VLAN assignment when changing port to tagged VLAN member;
*) bridge - fixed link-local multicast forwarding when IGMP snooping and HW offloading is enabled;
*) bridge - fixed local MAC address removal from host table when deleting bridge interface;
*) bridge - fixed multicast table printing;
*) bridge - improved BPDU guard logging;
*) bridge - increased multicast table size to 4K entries;
*) bridge - show "H" flag for extended bridge ports;
*) bridge - show error when switch do not support controlling bridge or port extension;
*) bridge - use "frame-types=admit-all" by default for extended bridge ports;
*) cap - fixed L2MTU setting from CAPsMAN;
*) certificate - clear challenge password on renew;
*) certificate - fixed CRL URL length limit;
*) certificate - fixed private key verification for CA certificate during signing process;
*) certificate - generate CRL even when CRL URL not specified;
*) certificate - properly flush expired SCEP OTP entries;
*) chr - fixed SSH key import on Azure;
*) chr - fixed VLAN tagged packet transmit on bridge for Hyper-V installations;
*) chr - improved interface loading on startup on XEN;
*) chr - improved system stability when changing flow control settings on e1000;
*) cloud - improved backup generation process;
*) conntrack - automatically reduce connection tracking timeouts when table is full;
*) console - allow "once" parameter for bonding monitoring;
*) crs3xx - added initial Bridge Port Extender support;
*) crs3xx - added initial Controlling Bridge support for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
*) crs3xx - added switch-cpu port VLAN filtering (switch-cpu port is now mapped with bridge interface VLAN membership when vlan-filtering is enabled);
*) crs3xx - correctly filter packets by L2MTU size;
*) crs3xx - fixed "custom-drop-packet" and "not-learned" switch stats for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
*) crs3xx - fixed "mirror-source" property on switch port disable for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices;
*) crs3xx - fixed "storm-rate" traffic limiting for switch-cpu port on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
*) crs3xx - fixed "switch-cpu" VLAN membership on bridge disable;
*) crs3xx - fixed CDP packet forwarding for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices;
*) crs3xx - fixed duplicate host entries when creating static switch hosts;
*) crs3xx - fixed port isolation for "switch-cpu" port for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices;
*) crs3xx - fixed port isolation removal for "switch-cpu" port on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
*) crs3xx - fixed switch "copy-to-cpu" property for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices;
*) crs3xx - fixed switch "not-learned" stats for CRS305, CRS326-24G-2S+, CRS328-24P-4S+, CRS328-4C-20S-4S+, CRS318 devices;
*) crs3xx - improved system stability on CRS354 devices;
*) crs3xx - improved system stability when receiving large frames for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices (introduced in v6.47.5);
*) defconf - fixed default configuration loading on RBcAP-2nD and RBwAP-2nD;
*) defconf - fixed static IP address setting in case default configuration loading fails;
*) defconf - improved CAP interface bridging;
*) defconf - improved default configuration generation on devices with non-default wireless interface names;
*) detnet - fixed malformed dummy DHCP User Class option;
*) detnet - use MAC address from bridge interface instead of slave port;
*) dhcp - fixed DHCP packet forwarding to IPsec policies;
*) dhcpv4-server - improved "client-id" value parsing;
*) dhcpv6 server - added support for "Delegated-IPv6-Prefix" for PPP services;
*) dhcpv6-server - added ability to generate binding on first request;
*) dhcpv6-server - added support for "option18" and "option37" for RADIUS managed clients;
*) dhcpv6-server - allow loose static binding "pool" parameter (introduced in v6.46.8);
*) dhcpv6-server - make sure that calling station ID always contains DUID;
*) discovery - added "lldp-med-net-policy-vlan" property for assigning VLAN ID;
*) discovery - allow choosing which discovery protocol is used;
*) discovery - fixed discovery on mesh ports;
*) discovery - fixed discovery packet sending on newly bridged port with "protocol-mode=none";
*) discovery - fixed discovery when enabled only on master port;
*) discovery - send the same "Chassis ID" on all interfaces for LLDP packets;
*) discovery - use interface MAC address when sending MNDP from slave port;
*) disk - fixed external EXT3 disk mounting on x86 systems;
*) dns - added IPv6 support for DoH;
*) dns - do not use type "A" for static entries with unspecified type;
*) dns - end ongoing queries when changing DoH configuration;
*) dns - fixed listening for DNS queries when only dynamic static entries exist (introduced in v6.47);
*) dot1x - accept priority tagged (VLAN 0) EAP packets on dot1x client;
*) dot1x - fixed reauthentication after server rejects a client into VLAN;
*) dot1x - fixed unicast destination EAP packet receiving when a client is running on a bridge port;
*) dude - fixed configuration menu presence on ARM64 devices;
*) export - fixed RouterBOARD USB "type" parameter export;
*) filesystem - fixed repartition on RB4011 series devices;
*) filesystem - fixed repartition on non-first partition;
*) filesystem - improved long-term filesystem stability and data integrity;
*) gps - fixed "init-channel" release when not used;
*) health - changed PSU state parameter type to read-only;
*) health - removed unused "heater-control" and "heater-threshold" parameters;
*) hotspot - added "vlan-id" parameter support for hosts and HTML pages;
*) hotspot - added support for captive portal advertising using DHCP (RFC7710);
*) hotspot - fixed "html-directory" parameter export;
*) hotspot - improved management service stability when receiving bogus packets;
*) ike1 - fixed "my-id=address" parameter usage together with certificate authentication;
*) ike1 - fixed 'rsa-signature-hybrid' authentication method;
*) ike1 - fixed memory leak on multiple CR payloads;
*) ike1 - fixed policy update with and without mode configuration;
*) ike1 - rekey phase 1 as responder for Windows initiators;
*) ike2 - added "prf-algorithm" support for phase 1;
*) ike2 - added support for IKEv2 Message Fragmentation (RFC7383);
*) ike2 - fixed EAP MSK length validation;
*) ike2 - fixed too small payload parsing;
*) ike2 - improved EAP message integrity checking;
*) ike2 - improved child SA rekeying process;
*) interface - added temperature warning and interface disable on overheat for SFP and SFP+ interfaces (CLI only);
*) interface - fixed pwr-line running state (introduced in v6.45);
*) ipsec - added SHA384 hash algorithm support for phase 1;
*) ipsec - do not kill connection when peer's "name" or "comment" is changed;
*) ipsec - fixed client certificate usage when certificate is renewed with SCEP;
*) ipsec - fixed multiple warning message display for peers;
*) ipsec - inactivate peer's policy on disconnect;
*) ipsec - refresh peer's DNS only when phase 1 is down;
*) kidcontrol - allow creating static device entries without assigned user;
*) led - fixed state persistence after device reboot on NetMetal 5 ac devices;
*) lora - fixed device going into "ERROR" state caused by FSK modulated downlinks;
*) lora - limited output power in RU region for range 868.7 MHz - 869.2 MHz according to regulations;
*) lte - added "age" column and "max-age" parameter to "cell-monitor" (CLI only);
*) lte - added "comment" parameter for APN profiles;
*) lte - added support for Alcatel IK41VE1;
*) lte - fixed "band" value reporting;
*) lte - increased "at+cops" reply timeout to 90 seconds;
*) m33g - added support for "/system gpio" menu (CLI only);
*) metarouter - allow creating RouterOS metarouter instances on devices with 16MB flash storage;
*) metarouter - fixed memory leak when tearing down metarouter instance;
*) ppp - added "bridge-learning" parameter support;
*) ppp - added "ipv6-routes" parameter to "secrets" menu;
*) ppp - added support for "Framed-IPv6-Route" RADIUS attribute;
*) ppp - store "last-caller-id" for PPP secrets;
*) ppp - store "last-disconnect-reason" for PPP secrets;
*) profile - added "lcd" process classificator;
*) profile - improved idle process detection on x86 processors;
*) profile - improved process classification on ARM devices;
*) quickset - added "Port Mapping" to QuickSet;
*) quickset - fixed local IP address setting on master interface;
*) route - improved stability when 6to4 interface is configured with disabled IPv6 package;
*) routerboard - fixed PCIe bus reset during power-on on MMIPS devices ("/system routerboard upgrade" required);
*) routerboard - force power-down on PCIe bus during reboot on LHGR devices ("/system routerboard upgrade" required);
*) script - added error message in the logs if startup script runtime limit was exceeded;
*) snmp - added information from IPsec "active-peers" menu to MIKROTIK-MIB;
*) snmp - added new LTE monitoring OID's to MIKROTIK-MIB;
*) snmp - fixed value types for "dot1dStp";
*) snmp - fixed value types for "dot1qPvid";
*) ssh - fixed returned output saving to file when "output-to-file" parameter is used;
*) ssh - skip interactive authentication when not running in interactive mode;
*) supout - added bonding interface monitor information;
*) supout - improved autosupout.rif file generation process;
*) timezone - updated timezone information from "tzdata2020d" release;
*) tr069-client - added "X_MIKROTIK_MimoRSRP" parameter for LTE RSRP value reporting;
*) tr069-client - added LTE model and revision parameters;
*) tr069-client - added additional wireless registration table parameters;
*) tr069-client - added branding package build time parameter;
*) tr069-client - added wireless "noise-floor" and "overall-tx-ccq" information parameters;
*) tr069-client - allow passing LTE firmware update URL as XML;
*) tr069-client - fixed RouterOS downgrade procedure;
*) tr069-client - fixed TotalBytesReceived parameter value;
*) tr069-client - send correct "ConnectionRequestURL" when using IPv6;
*) traffic-flow - added "sys-init-time" parameter support;
*) traffic-flow - added NAT event logging support for IPFIX;
*) traffic-generator - fixed 32Gbps limitation;
*) user-manager - do not allow creating limitation that crosses midnight;
*) user-manager - updated PayPal's root certificate authorities;
*) webfig - allow hiding QuickSet mode selector;
*) webfig - allow hiding and renaming inline buttons;
*) webfig - fixed default value presence when creating new entries under "IP/Kid Control";
*) webfig - properly stop background processes when switching away from QuickSet tab;
*) winbox - added "src-mac-address" parameter under "IP/DHCP-Server/Leases" menu;
*) winbox - added missing IGMP Snooping settings to "Bridge" menu;
*) winbox - added missing MSTP settings to "Bridge" menu;
*) winbox - added support for LTE Cell Monitor;
*) winbox - allow adding bonding interface with one slave interface;
*) winbox - allow performing "USB Power Reset" on "0" bus on RBM33G;
*) winbox - do not show "network-mode" parameter for LTE interfaces that do not support it;
*) winbox - fixed "IP->Kid Control->Devices" table automatic refreshing;
*) winbox - fixed "interface" and "on-interface" parameter presence under "Bridge/Hosts" menu;
*) winbox - fixed "receive-errors" setting persistence under "Wireless/Wireless Sniffer/Settings" menu;
*) winbox - fixed "tls-version" parameter setting under "IP/Services" menu;
*) winbox - fixed minor typo in "Users" menu;
*) winbox - provide sane default values for bridge "VLAN IDs" parameter;
*) winbox - use health values reported by gauges for "System/Health" menu;
*) wireless - added U-NII-2 support for US and Canada country profiles for mANTBox series devices;
*) wireless - create "connect-list" rule when address specified for "setup-repeater";
*) wireless - do not override MTU and ARP values from CAPsMAN with local forwarding;
*) wireless - improved WPS process stability;
*) wireless - increased "group-key-update" maximum value to 1 day;
*) wireless - updated "indonesia5" regulatory domain information;
*) wireless - updated "no_country_set" regulatory domain information;

コメント

先にも書いたとおりタイミング的にはクリスマスプレゼント何ですかね。

今回の更新内容としてはARMなRotuerboardの動作改善、および最近の製品であるCRS3xx関連の動作改善および機能性修正、RouterOS全体としてはbridgeインターフェースの動作改善が多くを占めます。あと今回からDNS over HTTPS (IPv6)に対応しました。

公式フォーラムを確認する限り現時点では大きな?トラブルはなさそうですが、修正内容として多く上がっているneighbor周りにて正常に動作していない、という書き込みがいくつかあります。

余談ですが

私の環境だけかもしれませんが、RB3011にてROS6.48を適用すると、swtich1側(インターフェースでいうところのether1~5)に接続するとフラッピングする現象に遭遇しています。PC(Intel NIC)の環境なのですが、いまいち発生条件が分かっていません。とりあえず公式には報告済みです。

CRS112についてもこのバージョンからCPU使用率が2%ほど増えました。どのパッケージがその要因になっているのかこれから確認します。

公式サイト