A record of updating MikroTik RouterOS: 6.43.12 → 6.44
Checking the update contents
This updates MikroTik RouterOS from 6.43.12 to 6.44 using Winbox.
The changes can be checked here:
MikroTik Routers and Wireless – Software
https://mikrotik.com/download/changelogs
What's new in 6.44 (2019-Feb-25 14:11):

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (RADIUS communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
----------------------

Changes in this release:

*) bgp - properly update keepalive time after peer restart;
*) bridge - added option to monitor fast-forward status;
*) bridge - count routed FastPath packets between bridge ports under FastPath bridge statistics;
*) bridge - disable fast-forward when using SlowPath features;
*) bridge - fixed BOOTP packet forwarding when DHCP Snooping is enabled;
*) bridge - fixed DHCP Option 82 parsing when using DHCP Snooping;
*) bridge - fixed log message when hardware offloading is being enabled;
*) bridge - fixed packet forwarding when changing MSTI VLAN mappings;
*) bridge - fixed packet forwarding with enabled DHCP Snooping and Option 82;
*) bridge - fixed possible memory leak when using MSTP;
*) bridge - fixed system's identity change when DHCP Snooping is enabled (introduced in v6.43);
*) bridge - improved packet handling when hardware offloading is being disabled;
*) bridge - improved packet processing when bridge port changes states;
*) btest - added multithreading support for both UDP and TCP tests;
*) btest - added warning message when CPU load exceeds 90% (CLI only);
*) capsman - always accept connections from loopback address;
*) certificate - added support for multiple "Subject Alt. Names";
*) certificate - enabled RC2 cipher to allow P12 certificate decryption;
*) certificate - fixed certificate signing by SCEP client if multiple CA certificates are provided;
*) certificate - show digest algorithm used in signature;
*) chr - assign interface names based on underlying PCI device order on KVM;
*) chr - distribute NIC queue IRQ's evenly across all CPUs;
*) chr - fixed IRQ balancing when using more than 32 CPUs;
*) chr - improved system stability when insufficient resources are allocated to the guest;
*) cloud - added "ddns-update-interval" parameter;
*) cloud - do not reuse old UDP socket if routing changes are detected;
*) cloud - ignore "force-update" command if DDNS is disabled;
*) cloud - improved DDNS service disabling;
*) cloud - made address updating faster when new public address detected;
*) conntrack - added new "loose-tcp-tracking" parameter (equivalent to "nf_conntrack_tcp_loose" in netfilter);
*) console - renamed IP protocol 41 to "ipv6-encap";
*) console - updated copyright notice;
*) crs317 - fixed packet forwarding when LACP is used with hw=no;
*) crs3xx - fixed packet forwarding through SFP+ ports when using 100Mbps link speed;
*) crs3xx - improved fan control stability;
*) defconf - fixed configuration not generating properly on upgrade;
*) defconf - fixed default configuration loading on RB4011iGS+5HacQ2HnD-IN;
*) defconf - fixed IPv6 link-local address range in firewall rules;
*) dhcp - added "allow-dual-stack-queue" setting for IPv4/IPv6 DHCP servers to control dynamic lease/binding behaviour;
*) dhcp - properly load DHCP configuration if options are configured;
*) dhcpv4-server - added "parent-queue" parameter (CLI only);
*) dhcpv4-server - added "User-Name" attribute to RADIUS accounting messages;
*) dhcpv4-server - fixed service becoming unresponsive after interface leaves and enters the same bridge;
*) dhcpv4-server - use ARP for conflict detection;
*) dhcpv6-client - use default route distance also for unreachable route added by DHCPv6 client;
*) dhcpv6-server - allow to add DHCPv6 server with pool that does not exist;
*) dhcpv6-server - fixed missing gateway for binding's network if RADIUS authentication was used;
*) dhcpv6-server - improved DHCPv6 server stability when using "print" command;
*) dhcpv6-server - show "client-address" parameter for bindings;
*) discovery - detect proper slave interface on bounded interfaces;
*) discovery - fixed malformed neighbor information for routers that has incomplete IPv6 configuration;
*) discovery - send master port in "interface-name" parameter;
*) discovery - show neighbors on actual bridge port instead of bridge itself for LLDP;
*) e-mail - added info log message when e-mail is sent successfully;
*) ethernet - added "tx-rx-1024-max" counter to Ethernet stats;
*) ethernet - fixed IPv4 and IPv6 packet forwarding on IPQ4018 devices;
*) ethernet - fixed linking issues on wAP ac, RB750Gr2 and Metal 52 ac (introduced in v6.43rc52);
*) ethernet - fixed packet forwarding when SFP interface is disabled on hEX S;
*) ethernet - fixed VLAN1 forwarding on RB1100AHx4 and RB4011 devices;
*) ethernet - improved per core ethernet traffic classificator on mmips devices;
*) export - fixed "silent-boot" compact export;
*) fetch - added "http-header-field" parameter;
*) fetch - added option to specify multiple headers under "http-header-field", including content type;
*) fetch - fixed "without-paging" option;
*) fetch - improved file downloading to slow memory;
*) fetch - improved stability when using HTTP mode;
*) fetch - removed "http-content-type" parameter;
*) gps - increase precision for dd format;
*) gps - moved "coordinate-format" from "monitor" command to "set" parameter;
*) health - improved fan control stability on CRS328-24P-4S+RM;
*) hotspot - added "https-redirect" under server profiles;
*) hotspot - added per-user NAT rule generation based on "incoming-filter" and "outgoing-filter" parameters;
*) ike1 - do not allow using RSA-key and RSA-signature authentication methods simultaneously on single peer;
*) ike1 - fixed memory leak;
*) ike2 - added option to specify certificate chain;
*) ike2 - added peer identity validation for RSA auth (disabled after upgrade);
*) ike2 - allow to match responder peer by "my-id=fqdn" field;
*) ike2 - fixed local address lookup when initiating new connection;
*) ike2 - improved subsequent phase 2 initialization when no childs exist;
*) ike2 - properly handle certificates with empty "Subject";
*) ike2 - retry RSA signature validation with deduced digest from certificate;
*) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;
*) ike2 - show weak pre-shared-key warning;
*) interface - added "pwr-line" interface support (more information will follow in next newsletter);
*) ipsec - added account log message when user is successfully authenticated;
*) ipsec - added basic pre-shared-key strength checks;
*) ipsec - added new "remote-id" peer matcher;
*) ipsec - allow to specify single address instead of IP pool under "mode-config";
*) ipsec - fixed active connection killing when changing peer configuration;
*) ipsec - fixed all policies not getting installed after startup (introduced in v6.43.8);
*) ipsec - fixed stability issues after changing peer configuration (introduced in v6.43);
*) ipsec - hide empty prefixes on "peer" menu;
*) ipsec - improved invalid policy handling when a valid policy is uninstalled;
*) ipsec - made dynamic "src-nat" rule more specific;
*) ipsec - made peers autosort themselves based on reachability status;
*) ipsec - moved "profile" menu outside "peer" menu;
*) ipsec - properly detect AES-NI extension as hardware AEAD;
*) ipsec - removed limitation that allowed only single "auth-method" with the same "exchange-mode" as responder;
*) ipsec - require write policy for key generation;
*) kidcontrol - added IPv6 support;
*) kidcontrol - added "reset-counters" command for "device" menu (CLI only);
*) kidcontrol - added statistics web interface for kids (http://router.lan/kid-control);
*) kidcontrol - added "tur-fri", "tur-mon", "tur-sat", "tur-sun", "tur-thu", "tur-tue", "tur-wed" parameters;
*) kidcontrol - dynamically discover devices from DNS activity;
*) kidcontrol - fixed validation checks for time intervals;
*) kidcontrol - properly detect time zone changes;
*) kidcontrol - use "/128" prefix-length for IPv6 addresses;
*) l2tp - fixed IPsec secret not being updated when "ipsec-secret" is changed under L2TP client configuration;
*) lcd - made "pin" parameter sensitive;
*) led - fixed default LED configuration for RBSXTsq-60ad;
*) led - fixed default LED configuration for wAP 60G AP devices;
*) led - fixed PWR-LINE AP Ethernet LED polarity ("/system routerboard upgrade" required);
*) lldp - fixed missing capabilities fields on some devices;
*) lte - added additional ID support for Novatel USB730L modem;
*) lte - added "cell-monitor" command for R11e-LTE international modem (CLI only);
*) lte - added "ecno" field for "info" command;
*) lte - added "firmware-upgrade" command for R11e-LTE international modems (CLI only);
*) lte - added initial support for multiple APN for R11e-4G (new modem firmware required);
*) lte - added initial support for Telit LN940;
*) lte - added multiple APN support for R11e-4G;
*) lte - added option to lock the LTE operator;
*) lte - added support for JioFi JMR1040 modem;
*) lte - fixed connection issue when LTE modem was de-registered from network for more than 1 minute;
*) lte - fixed DHCP IP acquire (introduced in v6.43.7);
*) lte - fixed DHCP relay packet forwarding when in passthrough mode;
*) lte - fixed IPv6 activation for R11e-LTE-US modems;
*) lte - fixed Jaton/SQN modems preventing router from booting properly;
*) lte - fixed LTE interface not working properly after reboot on RBSXTLTE3-7;
*) lte - fixed missing running (R) flag for Jaton LTE modems;
*) lte - fixed passthrough DHCP address forward when other address is acquired from operator;
*) lte - fixed reported "rsrq" precision (introduced in v6.43.8);
*) lte - improved compatibility for Alt38xx modems;
*) lte - improved SIM7600 initialization after reset;
*) lte - improved SimCom 7100e support;
*) lte - query "cfun" on initialization;
*) lte - require write policy for at-chat;
*) lte - update firmware version information after R11e-LTE/R11e-4G firmware upgrade;
*) netinstall - do not show kernel failure critical messages in the log after fresh install;
*) ntp-client - fixed "dst-active" and "gmt-offset" being updated after synchronization with server;
*) port - improved "remote-serial" TCP performance in RAW mode;
*) ppp - added "at-chat" command;
*) ppp - fixed dynamic route creation towards VPN server when "add-default-route" is used;
*) profiler - classify kernel crypto processing as "encrypting";
*) profile - removed obsolete "file-name" parameter;
*) proxy - removed port list size limit;
*) radius - implemented Proxy-State attribute handling in CoA and disconnect requests;
*) rb3011 - implemented multiple engine IPsec hardware acceleration support;
*) rb4011 - fixed SFP+ interface full duplex and speed parameter behavior;
*) rb4011 - improved SFP+ interface linking to 1Gbps;
*) rbm33g - improved stability when used with some USB devices;
*) romon - improved reliability when processing RoMON packets on CHR;
*) routerboard - removed "RB" prefix from PWR-LINE AP devices;
*) routerboard - require at least 10 second interval between "reformat-hold-button" and "max-reformat-hold-button";
*) smb - added commenting option for SMB users (CLI only);
*) smb - fixed macOS clients not showing share contents;
*) smb - fixed Windows 10 clients not able to establish connection to share;
*) sniffer - save packet capture in "802.11" type when sniffing on w60g interface in "sniff" mode;
*) snmp - added "dot1qPortVlanTable" and "dot1dBasePortTable" OIDs;
*) snmp - changed fan speed value type to Gauge32;
*) snmp - fixed "rsrq" reported precision;
*) snmp - fixed w60g station table;
*) snmp - removed "rx-sector" ("Wl60gRxSector") value;
*) snmp - report bridge ifSpeed as "0";
*) snmp - report ifSpeed 0 for sub-layer interfaces;
*) ssh - added "allow-none-crypto" parameter to disable "none" encryption usage (CLI only);
*) ssh - added error log message when key exchange fails;
*) ssh - close active SSH connections before IPsec connections on shutdown;
*) ssh - fixed public key format compatibility with RFC4716;
*) supout - fixed "poe-out" output not showing all interfaces;
*) supout - fixed Profile output on single core devices;
*) switch - added comment field to switch ACL rules;
*) switch - fixed ACL rules on IPQ4018 devices;
*) system - accept only valid path for "log-file" parameter in "port" menu;
*) system - removed obsolete "/driver" command;
*) tr069-client - added "check-certificate" parameter to allow communication without certificates;
*) tr069-client - added "connection-request-port" parameter (CLI only);
*) tr069-client - added support for InformParameter object;
*) tr069-client - fixed certificate verification for certificates with IP address;
*) tr069-client - fixed HTTP cookie getting duplicated with the same key;
*) tr069-client - increased reported "rsrq" precision;
*) traceroute - improved stability when sending large ping amounts;
*) traffic-flow - reduced minimal value of "active-flow-timeout" parameter to 1s;
*) tunnel - properly clear dynamic IPsec configuration when removing/disabling EoIP with DNS as "remote-address";
*) upgrade - made security package depend on DHCP package;
*) usb - improved power-reset error message when no bus specified on CCR1072-8G-1S+;
*) usb - improved USB device powering on startup for hAP ac^2 devices;
*) usb - increased default power-reset timeout to 5 seconds;
*) userman - added first and last name fields for signup form;
*) userman - show redirect location in error messages;
*) user - require "write" permissions for LTE firmware update;
*) vrrp - made "password" parameter sensitive;
*) w60g - added "10s-average-rssi" parameter to align mode (CLI only);
*) w60g - added align mode "/interface w60g align" (CLI only);
*) w60g - fixed scan in bridge mode;
*) w60g - improved PtMP performance;
*) w60g - improved reconnection detection;
*) w60g - improved "tx-packet-error-rate" reading;
*) w60g - renamed disconnection message when license level did not allow more connected clients;
*) w60g - renamed "frequency-list" to "scan-list";
*) watchdog - allow specifying DNS name for "send-smtp-server" parameter;
*) webfig - improved file handling;
*) winbox - added 4th chain selection for "HT TX chains" and "HT RX chains" under "CAPsMAN/CAP Interface/Wireless" tab;
*) winbox - added "allow-dual-stack-queue" parameter in "IP/DHCP Server" and "IPv6/DHCP Server" menus;
*) winbox - added "challenge-password" field when signing certificate with SCEP;
*) winbox - added "conflict-detection" parameter in "IP/DHCP Server" menu;
*) winbox - added "coordinate-format" parameter in LTE interface settings;
*) winbox - added "radio-name" setting to "CAPsMAN/CAP Interface/General" tab;
*) winbox - added "secondary-channel" setting to "CAPsMAN/CAP Interface/Channel" tab;
*) winbox - added src/dst address and in/out interface list columns to default firewall menu view;
*) winbox - added support for dynamic devices in "IP/Kid Control/Devices" tab;
*) winbox - allow setting "network-mode" to "auto" under LTE interface settings;
*) winbox - allow specifying interface lists in "CAPsMAN/Access List" menu;
*) winbox - fixed "IPv6/Firewall" "Connection limit" parameter not allowing complete IPv6 prefix lengths;
*) winbox - fixed L2MTU parameter setting on "W60G" type interfaces;
*) winbox - fixed "LCD" menu not shown on RB2011UiAS-2HnD;
*) winbox - fixed missing w60g interface status values;
*) winbox - improved file handling;
*) winbox - moved "Too Long" statistics counter to Ethernet "Rx Stats" tab;
*) winbox - organized wireless parameters between simple and advanced modes;
*) winbox - renamed "Default AP Tx Rate" to "Default AP Tx Limit";
*) winbox - renamed "Default Client Tx Rate" to "Default Client Tx Limit";
*) winbox - show "R" flag under "IPv6/DHCP Server/Bindings" tab;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;
*) winbox - show "W60G" wireless tab on wAP 60G AP;
*) wireless - added new "installation" parameter to specify router's location;
*) wireless - improved AR5212 response to incoming ACK frames;
*) wireless - improved connection stability for new model Apple devices;
*) wireless - improved NV2 performance for all ARM devices;
*) wireless - improved signal strength at low TX power on LHG 5 ac, LHG 5 ac XL and LDF 5 ac ("/system routerboard upgrade" required);
*) wireless - improved system stability for all ARM devices with wireless;
*) wireless - improved system stability for all devices with 802.11ac wireless;
*) wireless - improved system stability when scanning for other networks;
*) wireless - removed G/N support for 2484MHz in "japan" regulatory domain;
*) wireless - report last seen IP address in RADIUS accounting messages;
*) wireless - show "installation" parameter when printing configuration;
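This is a major update with quite a lot of changes, but reading through the items, most of them are stability improvements and bug fixes. The functionality does not appear to have changed much, so my impression is that the update can be applied with relatively little worry.
As noted at the top of the changelog, if you use main-l2tp mode with IPsec, you will need to correct the configuration after the update and then run communication tests and check the settings.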
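A pre-upgrade check for the point above, as an added example that is not part of the original post: it scans the text of a RouterOS `/export` for settings that the quoted 6.44 changelog lists as removed or renamed, so they can be reviewed after the update. The export menu paths used for matching (for instance `/ip ipsec user` for the "users" menu) and the sample export are assumptions constructed for illustration.

```python
import re

# (menu prefix or None = any menu, pattern, what the 6.44 changelog says)
# Menu paths are assumptions about how these items appear in an export.
CHECKS = [
    ("/ip ipsec peer", r"\bexchange-mode=main-l2tp\b",
     'ipsec "main-l2tp" exchange-mode removed (same as "main")'),
    ("/ip ipsec user", r"(^|\s)add\s",
     'ipsec "users" menu removed; XAuth users move to "identity"'),
    (None, r"\bhttp-content-type=",
     'fetch "http-content-type" removed; see "http-header-field"'),
    ("/interface w60g", r"\bfrequency-list=",
     'w60g "frequency-list" renamed to "scan-list"'),
]

# Constructed sample export (addresses, names and secrets are placeholders).
SAMPLE = r"""# constructed sample, not from a real router
/ip ipsec peer
add address=198.51.100.7/32 exchange-mode=main-l2tp \
    secret=EXAMPLE
add address=203.0.113.9/32 exchange-mode=ike2
/ip ipsec user
add name=vpnuser password=EXAMPLE
/system script
add name=notify source="/tool fetch url=\"https://example.invalid/hook\" http-content-type=\"application/json\""
"""

def logical_lines(text):
    """Yield (first_line_no, line), joining lines wrapped with a trailing backslash."""
    parts, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        piece = raw.strip()
        if piece.endswith("\\"):
            parts.append(piece[:-1])
            continue
        yield start, "".join(parts) + piece
        parts, start = [], None
    if parts:
        yield start, "".join(parts)

def audit_export(text):
    """Return [(line_no, menu, note)] for settings that 6.44 removes or renames."""
    findings, menu = [], ""
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # export sections start with the menu path
        for prefix, pattern, note in CHECKS:
            if (prefix is None or menu.startswith(prefix)) and re.search(pattern, line):
                findings.append((no, menu, note))
    return findings

if __name__ == "__main__":
    for no, menu, note in audit_export(SAMPLE):
        print(f"line {no} [{menu}]: {note}")
```

Run it against the export saved with the pre-update backup; an empty result means none of the listed items were found in that file.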
At this time Winbox itself was still at 3.18.
The time required was about 5 minutes.
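Update procedure
After taking a backup beforehand, run the update with the following steps.
Updating RouterOS
Open the Package List under System→Packages and select "Check For Updates" at the top left.
Confirm that an update from 6.43.12 to 6.44 is shown, then press "Download&Install".
When it completes successfully, the reboot starts automatically.
After the reboot, confirm in the Package List that Version is 6.44.
Updating the firmware
Open System→Routerboard to update the firmware.
Confirm that Upgrade Firmware is 6.44, then select the "Upgrade" button.
After the confirmation dialog, the following message is displayed once the update completes:
"Firmware upgraded successfully. please reboot for changes to take effect!"
As instructed, reboot from System→Reboot.
After the reboot, confirm under System→Routerboard that Current Firmware is 6.44.
Finally, take a backup of the router in its fully updated state, and you are done.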