MAJOR CHANGES IN v6.43:
----------------------
!) api - changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
!) backup - do not encrypt backup file unless password is provided;
!) btest - requires at least v6.43 Bandwidth Test client when connecting to v6.43 or later version server except when authentication is not required;
!) cloud - added IPv6 support;
!) cloud - added support for licensed CHR instances (including trial);
!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);
!) radius - use MS-CHAPv2 for "login" service authentication;
!) romon - require at least v6.43 RoMON agent when connecting to v6.43 or later RoMON client device;
!) webfig - improved authentication process;
!) winbox - improved authentication process excluding man-in-the-middle possibility;
!) winbox - minimal required version is v3.15;
----------------------
Changes in this release:
backup - added support for new backup file encryption (AES128-CTR) with signatures (SHA256); backup - generate proper file name when devices identity is longer than 32 symbols; bridge - add dynamic CAP interface to tagged ports if "vlan-mode=use-tag" is enabled; bridge - added an option to manually specify ports that have a multicast router (CLI only); bridge - added a warning when untrusted port receives a DHCP Server message when DCHP Snooping is enabled; bridge - added ingress filtering options to bridge interface; bridge - added initial Q-in-Q support; bridge - added more options to fine-tune IGMP Snooping enabled bridges (CLI only); bridge - added per-port based "tag-stacking" feature; bridge - added support for BPDU Guard; bridge - added support for DHCP Option 82; bridge - added support for DHCP Snooping; bridge - added support for IGMP Snooping fast-leave feature (CLI only); bridge - fixed dynamic VLAN table entries when using ingress filtering; bridge - fixed "ingress-filtering", "frame-types" and "tag-stacking" value storing; bridge - forward LACPDUs when "protocol-mode=none"; bridge - ignore tagged BPDUs when bridge VLAN filtering is used; bridge - improved packet handling; bridge - improved packet processing when bridge port changes states; bridge - improved performance when bridge VLAN filtering is used without hardware offloading; bridge - renamed option "vlan-protocol" to "ether-type"; capsman - added ability to use chain 3 for "HT TX chains" and "HT RX chains" selections (CLI only); capsman - allow to change "radio-name" (CLI only); capsman - increase timeout for the CAP to CAPsMAN communication; certificate - added "expires-after" parameter; certificate - do not allow to perform "undo" on certificate changes; certificate - fixed RA "server-url" setting; check-installation - improved system integrity checking; chr - added checksum offload support for Hyper-V installations; chr - added large send offload support for Hyper-V installations; chr - added multiqueue support on Xen installations; chr - added support for multiqueue feature on "virtio-net"; chr - added virtual Receive Side Scaling support for Hyper-V installations (might require more RAM assigned than in previous versions); chr - by default enable link state tracking for virtual drivers with "/interface ethernet disable-running-check=no"; chr - do not show IRQ entries from removed devices; chr - fixed interface name assign process when running CHR on Hyper-V; chr - fixed interface name order when "virtio-net is not being used on KVM installations; chr - fixed MTU changing process when running CHR on Hyper-V; chr - fixed NIC hotplug for "virtio-net"; chr - improved balooning process; chr - improved boot time for Hyper-V installations; chr - provide part of network interface GUID at the beginning of "bindstr2" value when running CHR on Hyper-V; chr - reduced RAM memory required per interface; cloud - added simultaneous IPv4/IPv6 support; cloud - close local UDP port if no activity; console - added "dont-require-permissions" parameter for scripts; console - added error log message when netwatch tries to execute script with insufficient permissions; console - added error log message when scheduler tries to execute script with insufficient permissions; console - do not show spare parameters on ping command; console - made "once" parameter mandatory when using "as-value" on "monitor" commands; console - removed automatic swapping of "from=" and "to=" in "for" loops; crs317 - fixed Ethernet inteface stuck on 100 Mbps speed; crs326/crs328 - fixed packet forwarding when port changes states with IGMP Snooping enabled; crs328 - fixed transmit on sfp-sfpplus1 and sfp-sfpplus2 interfaces; crs3xx - added hardware support for DHCP Snooping and Option 82; crs3xx - added Q-in-Q hardware offloading support; crs3xx - do not report SFP interface as running when interface on opposite side is disabled; crs3xx - fixed ACL rate rules (introduced in v6.41rc27); crs3xx - fixed flow control; crs3xx - fixed SwOS config import; defconf - fixed default configuration for RBSXTsq5nD; defconf - fixed missing bridge ports after configuration reset; dhcp - added dynamic IPv4/IPv6 "dual-stack" simple queue support, based on client's MAC address; dhcp - reduced resource usage of DHCP services; dhcpv4-client - fixed DHCP client that was stuck on invalid state; dhcpv4-client - fixed double ACK packet handling; dhcpv4-server - added "allow-dual-stack-queue" implementation (CLI only); dhcpv4-server - do not allow override lease "always-broadcast" value based on offer type; dhcpv4-server - improved performance when "rate-limit" and/or "address-list" setting is present; dhcpv6-client - added missing "Server identifier" parameter in release message; dhcpv6-client - fixed "add-default-route" parameter; dhcpv6-client - fixed option handling; dhcpv6-client - improved dynamic IPv6 pool addition process; dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time"; dhcpv6-server - added "allow-dual-stack-queue" implementation (CLI only); dhcpv6-server - added initial dynamic simple queue support; dhcpv6-server - do not allow to run DHCPv6 server on slave interface; dhcpv6-server - fixed dynamic simple queue creation for RADIUS bindings; dns - fixed DNS cache service becoming unresponsive when active Hotspot server is present on the router (introduced in 6.42); dude - fixed client auto upgrade (broken since 6.43rc17); ethernet - do not show "combo-state" field if interface is not SFP or copper; ethernet - properly handle Ethernet interface default configuration; export - do not show w60g password on "hide-sensitive" type of export; fetch - added "as-value" output format; fetch - fixed address and DNS verification in certificates; filesystem - fixed NAND memory going into read-only mode (requires "factory-firmware" >= 3.41.1 and "current-firmware" >= 6.43); filesystem - improved software crash handling on devices with FLASH type memory; health - added missing parameters from export; health - fixed voltage measurements for RB493G devices; health - improved speed of health measurement readings; hotspot - allow to properly configure Hotspot directory on external disk for devices that have flash type storage; hotspot - fixed RADIUS CoA & PoD by allowing to accept "NAS-Port-Id"; ike1 - added unsafe configuration warning for main mode with pre-shared-key authentication; ike1 - purge both SAs when timer expires; ike1 - zero out reserved bytes in NAT-OA payload; ike2 - fixed initiator first policy selection; ike2 - fixed rekeyed child deletion during another exchange; ike2 - improved basic exchange logging readability; ike2 - use "/32" netmask by default on initiator if not provided by responder; interface - improved interface "last-link-down-time" and "last-link-up-time" values; interface - improved reliability on dynamic interface handling; ippool - improved used address error message; ipsec - added "responder" parameter for "mode-config" to allow multiple initiator configurations; ipsec - added "src-address-list" parameter for "mode-config" that generates dynamic "src-nat" rule; ipsec - added warning messages for incorrect peer configuration; ipsec - do not allow removal of "proposal" and "mode-config" entries that are in use; ipsec - fixed AES-192-CTR fallback to software AEAD on ARM devices with wireless and RB3011UiAS-RM; ipsec - fixed AES-CTR and AES-GCM key size proposing as initiator; ipsec - fixed "static-dns" value storing; ipsec - improved invalid policy handling when a valid policy is uninstalled; ipsec - improved reliability on generated policy addition when IKEv1 or IKEv2 used; ipsec - improved stability when using IPsec with disabled route cache; ipsec - install all DNS server addresses provided by "mode-config" server; ipsec - separate phase1 proposal configuration from peer menu; ipsec - separate phase1 proposal configuration from peer menu; ipsec - use monotonic timer for SA lifetime check; kidcontrol - allow to edit discovered devices; l2tp - allow setting "max-mtu" and "max-mru" bigger than 1500; led - improved w60g alignment trigger; leds - fixed LED behaviour when bonding is configured on SFP+ interfaces; log - fixed false log warnings about system status after power on for CRS328-4C-20S-4S+; log - show interface name on OSPF "different MTU" info log messages; lte - added additional D-Link PIDs; lte - added additional ID support for SIM7600 modem; lte - added additional low endpoint SIM7600 PIDs; lte - added eNB ID to info command; lte - added extended LTE signal info for SIM7600 modules; lte - added extended signal information for Quectel LTE EC25 and EP06 modem; lte - added ICCID reading for info command R11e-LTE and R11e-LTE-US; lte - added "registration-status" parameter under "/interface lte info" command; lte - added roaming status reading for info command; lte - added "sector-id" to info command; lte - added support for alternative SIM7600 PID; lte - added support for Novatel USB730LN modem with new ID; lte - added support for Quanta 1k6e modem; lte - allow to execute concurrent internal AT commands; lte - allow to use multiple PLS modems at the same time; lte - do not allow to remove default APN profile; lte - do not allow to send "at-chat" commands for configless modems; lte - expose GPS channel for PLS modems; lte - fixed LTE registration in 2G/3G mode; lte - fixed SIM7600 registration info; lte - fixed SIM7600 series module support with newer device IDs; lte - ignore empty MAC addresses during Passthrough discovery phase; lte - improved modem event processing; lte - improved r11e-LTE and r11e-LTE-US dialling process; lte - improved r11e-LTE configuration exchange process; lte - improved reading of SMS message after entering running state; lte - improved readings of info command results for the SXT LTE; lte - improved stability of USB LTE interface detection process; lte - properly detect interface state when running for IPv6 only connection for R11e-LTE modem; lte - renamed LTE scan tool field "scan-code" to "mcc-mnc"; lte - show UICC in correct format for SXT LTE devices; lte - use "/32" address for the Passthrough feature when R11e-LTE module is used; lte - use alphanumeric operator format in info command; mac-telnet - improved reliability when connecting from RouterOS versions prior 6.43; multicast - allow to add more than one RP per IP address for PIM; ntp - allow to specify link-local address for NTP server; ospf - improved link-local LSA flooding; ospf - improved stability when originating LSAs with OSPFv3; package - renamed "current-version" to "installed-version" under "/system package install"; ppp - added support for additional ID for E3531 modem; ppp - added support for Alfa Network U4G modem; ppp - added support for Telit LM940 modem; ppp - improved modem mode switching; ppp - show comments from "/ppp secrets" menu within "/ppp active" menu when client is connected; quickset - recognize 160 MHz channel as HomeAP mode; rb1100ahx4 - added DES and 3DES hardware acceleration support; romon - fixed RoMON services becoming unavailable after disabled once during active scanning process; romon - properly classify RoMON sessions in log and active users list; routerboard - allow to fill up to half of the RAM memory with files on devices with FLASH storage; routerboard - fixed "protected-routerboot" feature (introduced in v6.42); routerboard - fixed wrongly reported RAM size on ARM devices; routerboot - removed RAM test from TILE devices (routerboot upgrade required); sfp - fixed default advertised link speeds; smb - fixed valid request handling when additional options are used; sms - converted "keep-max-sms" feature to "auto-erase"; sms - do not require "port" and "interface" parameters when sending SMS if already present in configuration; sms - improved reliability on SMS reader; snmp - added CAPsMAN "remote-cap" table; snmp - added EAP identity to CAPsMAN registration table; snmp - added "phy-rate" reading for "station-bridge" mode; snmp - added "temp-exception" trap; snmp - fixed interface speed reporting for predefined rates; snmp - fixed "remote-cap" peer MAC address format; ssh - disconnect all active connections when device gets rebooted or turned off; ssh - strengthen strong-crypto (add aes-128-ctr and disallow hmac sha1 and groups with sha1); supout - added "files" section to supout file; supout - added info log message when supout file is created; supout - added monitored bridge VLAN table to supout file; supout - added "w60g" section to supout file; switch - added CPU Flow Control settings for devices with a Atheros8227, QCA8337, Atheros8327, Atheros7240 or Atheros8316 switch chip; switch - added support for port isolation by switch chip; switch - fixed possible switch chip hangs after initialization on MediaTek and Atheros8327 switch chips; swos - implemented "/system swos" menu that allows to upgrade, reset, save or load configuration and change address for dual-boot CRS devices (CLI only); tile - added DES and 3DES hardware acceleration support; tile - fixed false HW offloading flag for MPLS; tr069-client - allow editing of "provisioning-code" attribute; tr069-client - fixed setting of "DeviceInfo.ProvisioningCode" parameter; tr069-client - use SNI extension for HTTPS; upgrade - fixed RouterOS upgrade process from RouterOS v5 on PowerPC; ups - improved UPS serial parsing stability; usb - fixed modem initialisation on LtAP mini; usb - fixed power-reset for hAP ac^2 devices; user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades); userman - fixed "shared-secret" parameter requiring "sensitive" policy; vrrp - improved reliability on VRRP interface configured as a bridge port when "use-ip-firewall" is enabled; w60g - added ability to specify MCS range (CLI only); w60g - added "beamforming-event" stats counter; w60g - fixed random disconnects; w60g - general stability and performance improvements; watchdog - added "ping-timeout" setting; webfig - do not automatically re-log in after logging out; webfig - fixed occasional authentication failure when logging in; webfig - fixed www service becoming unresponsive; webfig - properly display time interval within Kid Control menu; webfig - properly handle double clicking when logging in or out; webfig - properly show NTP clients "last-adjustment" value; winbox - added bridge Fast Forward statistics counters; winbox - added "poe-fault" LED trigger; winbox - added "tag-stacking" option to "Bridge/Ports"; winbox - allow to specify LTE interface when sending SMS; winbox - fixed arrow key handling within table filter fields; winbox - fixed "bad-blocks" value presence under "System/Resources"; winbox - fixed bridge port MAC learning parameter values; winbox - fixed "IP/IPsec/Peers" section sorting; winbox - fixed "write-sect-since-reboot" value presence under "System/Resources"; winbox - properly close session when uploading multiple files to the device at the same time; winbox - removed duplicate "20/40/80MHz" value from "channel-width" setting options; winbox - renamed "VLAN Protocol" to "EtherType" under bridge interface "VLAN" tab; winbox - show HT MCS tab when "5ghz-n/ac" band is used; winbox - show "Switch" menu on hAP ac^2 devices; winbox - show "System/RouterBOARD/Mode Button" on devices that has such feature; wireless - accept only valid path for sniffer output file parameter; wireless - accept only valid path for sniffer output file parameter; wireless - added "czech republic 5.8" regulatory domain information; wireless - added "etsi2" regulatory domain information; wireless - added option for RADIUS "called-station-id" format selection; wireless - added option to disable PMKID for WPA2; wireless - do not disconnect clients when WDS master connects with MAC address "00:00:00:00:00:00"; wireless - fixed "/interface wireless sniffer packet print follow" output; wireless - fixed wireless interface lockup after period of inactivity; wireless - improved Nv2 reliability on ARM devices; wireless - improved Nv2 stability for 802.11n interfaces on RB953, hAP ac and wAP ac devices; wireless - require "sniff" policy for wireless sniffer; wireless - updated "czech republic" regulatory domain information; wireless - updated "germany 5.8 ap" and "germany 5.8 fixed p-p" regulatory domain information; x86 - improved Ethernet driver for Davicom DM9x0x;