Mikrotik 6.47.1 released

Lots of things here. Some noteable things

What’s new in 6.47.1 (2020-Jul-08 12:34):

*) crs3xx – fixed HW offloading for netPower 15FR and netPower 16P devices (introduced in v6.47);
*) crs3xx – fixed increased CPU temperature for CRS354-48G-4S+2Q+ device (introduced in v6.47);
*) crs3xx – improved Ethernet port group traffic forwarding for CRS354 devices;
*) dhcpv6-server – disallow changing binding’s “prefix-pool”;
*) dhcpv6-server – improved stability when changing server for static bindings;
*) dns – do not allow setting “forward-to” same as “name” or “regex”;
*) dns – do not allow setting zero value IP addresses for “A” and “AAAA” records;
*) dns – do not use DoH for local queries when a server is specified;
*) ftp – fixed possible buffer overflow;
*) ike2 – fixed initiator child SA init without policy;
*) ike2 – fixed policy reference for pending acquire;
*) ike2 – retry RSA signature validation with deduced digest from certificate;
*) ipsec – do not update peer endpoints for generated policy entries (introduced in v6.47);
*) lora – added “spoof-gps” parameter for fake GPS coordinate sending;
*) lora – fixed JSON statistics inaccuracies;
*) lte – added support for MTS 8810FT;
*) lte – fixed modem initialization when multiple modems are used simultaneously;
*) lte – fixed PDP authentication configuration for SIM7600;
*) metarouter – fixed image importing (introduced in v6.46);
*) ospf – improved route tag processing for OSPFv3;
*) ppp – allow specifying pool name for “remote-ipv6-prefix-pool” parameter;
*) profile – fixed “unclassified” load reporting on PowerPC devices (introduced in v6.47);
*) qsfp – fixed auto-negotiation status;
*) qsfp – ignore FEC mode when set to fec91, only fec74 mode is supported (introduced in v6.47);
*) switch – fixed MAC address learning on switch-cpu port for Atheros8316, Atheros8227 and Atheros7240 switch chips;

Full change log at https://mikrotik.com/download

CCR1016 BGP route pull down

This morning I had a Mikrotik CCR1016 where I had to change the router ID, which caused all the sessions to reset. The following is a screenshot of the time it took to re-learn all of the peers. Obviously, the smaller prefixes were learned pretty quickly. It took about 10 minutes to learn two full IPv4 route tables and about 5 minutes to learn the IPv6 routing tables.

This is why I always get full routes plus a default from the upstream when it warrants full routes. This way I can have slow convergence time like this and still have traffic flowing.

OpenVPN, rooter project, and Mikrotik

Over the past couple of weeks, I have been fighting with getting an LTE device running The Rooter Project to establish an OpenVPN connection with a Mikrotik router. Apparently, OPENVPN is the only option when it comes to VPNs on The Rooter Project. For the purpose of this article, I am going to refer to the software as “the rooter”. This is just to denote the device running The Rooter Project software. In my case, this is a GL.iNET GL-X750 LTE device.

There are two parts to this setup. The OpenVPN setup on the Mikrotik and the setup on the rooter.

Mikrotik Setup

The Mikrotik setup is pretty straight forward. There are some great tutorials out there for a more in-depth setup. The RouterOS version I used for this setup is 6.47.

Creating Certificates
You will need to create 3 certificates on the Mikrotik.
1. cert_export_ca-certificate.crt
2.cert_export_client-certificate.crt
3.cert_export_client-certificate.key

/certificate
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client

Signing Certificates
Once you have created the above certificates you will need to sign them with the following

/certificate
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

Exporting Certificates
Run the following commands to add a passphrase to your key certificate and export them to files

/certificate
export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase=j2sw123com

This will give you three files: cert_export_ca-certificate.crtcert_export_client-certificate.crt, and cert_export_client-certificate.key. Download these out of “files” from the Mikrotik to the same computer you have access to the rooter on. I like to rename them to ca.crtclient.crt, and client.key so I can keep track of what is what.



Rooter Client Setup

Caveats
I could not find out how to make the operating system read a config file I would edit by hand. Even after a reboot, the config file would not be read. I am not sure if there is a command to read it into the running-config. If someone knows, let me know and that will make this process much easier.

client
dev tun
proto tcp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3

In my rooter, the config is in /var/etc. I would cat this occasionally to make sure I did not have any extra options turned on. Since I could not make my edits the file stick, I would make the below changes in the GUI and verify they matched up to my above file.

If your OpenVPN is using a username and password create a file named passowrd.txt and put the username on the first line and the password on the second.

You will need that file along with the three files you generate on the Mikrotik above.

Log in to the router and create you an open VPN instance. In my case, I named it Nexstream because this is who I was working for on this project. You can name it anything you want.

Click on edit and you will be brought to the following screens. Fill them out as shown.

When you get to the bottom this is where you upload your password.text and your cert and key files. If you see anything missing go to the bottom and select the field and click add.

Make sure to hit save and apply before proceeding. Click on “switch to advanced configuration”. Match up your configuration with the following screenshots, which match up with the above config file. You are just basically making the proper checkboxes to match the plain text config I posted above. Again, if anyone knows how to get OpenVPN. on the rooter to read the config in let me know.

Once you have the GUI part done and the certs uploaded to the rooter you will need to deal with the keyphrase via the command line. Simply SSH to the rooter. The below code is a generic code for changing the client.key to not ask for a passphrase anymore.

cd /etc/luci-uploads/
openssl.exe rsa -in client.key -out client.key
Enter pass phrase for client.key: j2sw123com
writing RSA key

Couple of things to note about the process.
1. Your location may vary. You must either be inside the directory with your keys or provide the path to the keys in the OpenSSL command

2.when I uploaded the keys it changed them to cbid.openvpn.FRIENDLYNAME.key.

what my actual code looked like to change the passphrase

cd /etc/luci-uploads/
openssl.exe rsa -in cbid.openvpn.vpnout.key -out cbid.openvpn.vpnout.key
Enter pass phrase for client.key: j2sw123com
writing RSA key

If everything goes well you will be rewarded with the following screen on your OpenVPN main page. If, for some reason, it does not start the system log is actually pretty informative on what is going on.

Mikrotik Routeros 7.0beta7

What’s new in 7.0beta7 (2020-Jun-3 16:31):

!) added Layer3 hardware offloading support for CRS317-1G-16S+RM more info here: https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#L3_Hardware_Offloading
!) enabled BGP support with multicore peer processing (CLI only);
!) enabled RPKI support (CLI only);
!) ported features and fixes introduced in v6.47;
!) routing updates, complete status report: https://help.mikrotik.com/docs/display/ROS/v7+Routing+Protocol+Status
!) system kernel has been updated to version 5.6.3;
*) other minor fixes and improvements;

Mikrotik BGP firewall rules for security

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon
Already a qualifying Patreon member? Refresh to access this content.

Simple Mikrotik DNS cache flush script

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon
Already a qualifying Patreon member? Refresh to access this content.

Mikrotik 6.45.9 Noteables

What’s new in 6.45.9 (2020-Apr-30 10:25):
https://www.mikrotik.com/download

*) chr – added support for file system quiescing;
*) chr – enabled support for VMBus protocol version 4.1;
*) chr – improved system stability when running CHR on Hyper-V;
*) crs3xx – fixed frame forwarding after disabling/enabling bridge hardware offloading for CRS354-48G-4S+2Q+ device;
*) crs3xx – fixed interface statistics for CRS354-48G-4S+2Q+ and CRS354-48P-4S+2Q+ devices;
*) crs3xx – fixed switch rule “dst-port” parameter for IPv6 traffic on CRS305-1G-4S+, CRS326-24G-2S+, CRS328-24P-4S+, CRS328-4C-20S-4S+, netPower 15FR devices;
*) crs3xx – improved SFP+ DAC cable initialization for CRS326-24S+2Q+ device;
*) defconf – added welcome note with common first steps for new users;
*) discovery – do not send CDP and LLDP packets on interfaces that does not have MAC address;
*) ipsec – improved system stability when handling fragmented packets;
*) lte – added “phy-cellid” value support for LTE-US;
*) lte – fixed IP type selection from APN on RBSXTLTE3-7;
*) lte – improved system stability when performing firmware update on R11e-LTE6;
*) ssh – added support for RSA keys with SHA256 hash (RFC8332);
*) system – correctly handle Generic Receive Offloading (GRO) for MPLS traffic;
*) system – improved system stability when forwarding traffic from switch chip to CPU (introduced in v6.43);
*) system – improved system stability when receiving/sending TCP traffic on multicore devices;

Some Mikrotik SXT photos and first thoughts.

I have been wanting to do some photos and thoughts on the Mikrotik SXTR-LTEs and other Mikrotik LTE products. I recently fired one up using dual sims. One is from Tmobile and one is from At&T.  Verizon is pretty nonexistent in my area. I am about 2.5 miles away from a Tmobile tower and about a mile from a fiber-fed AT&T monopole.

As you notice in the following photo I am pretty buried in trees.

My view of the tower. Notice the high-tech holder.

Some initial notes.  Setup of LTE is a very easy process as far as the mikrotik is concerned.  I literally had to put in some information in the APN and that was it as far as LTE goes.  I did set up standard Mikrotik stuff (DHCP server, security, etc.).

Adding the second sim card can be a huge pain due to the location of the sim card slot.  Luckily I had some tweezers that were angled to be able to slide the card in the slot.  These were part of a dental kit I picked up off Amazon for releasing stuck SFPs and the like.

Look for a more in-depth series on Mikrotik LTE coming soon.