What's new in 6.0rc9 (2013-Feb-08 08:15):

*) ospf - fixed Summary-LSA prefix length check for OSPFv3, was not
accepting valid LSAs;
*) certificates - fix broken certificate handling (bug introduced in rc8) in all related programs;
*) fixed - bgp tcp-md5-key crash on CCR;
*) fixed interfaces list sometimes showing up empty;
*) fixed - ip addrs could be inactive for some types of interfaces which are added as bridge ports and disabled;

Note for Cloud Core Router users: after upgrading, please also upgrade the RouterBOOT with the console command "/system routerboard upgrade"
This is a highly recommended upgrade for all CCR series users. First upload this file, then run command: http://www.mikrotik.com/download/share/ ... 3_04_2.fwf

http://www.mikrotik.com/download

Dear Normis!

The v6.0rc9 tile all packages contain RouterBOOT 3.03 version.
This version of RouterBOOT same in older v6.0rc version...

Thx.

Attila

with 6.0rc9 on RB2011UAS, RB1100AHx2 and RB1200, the command "/ip dns cache-size=2048KiB" still results in an error.

Because of this, I can't deploy it with my automatic provisioning software.


-------

Another note, slightly off topic: this small flaw happens also on TILE platform with 6.0rc7.

[admin@gw1-vpr] > /ip dns set cache-size=2048KiB
value of cache-size contains invalid trailing characters
[admin@gw1-vpr] > /system resource print
uptime: 2w6d18h53m31s
version: 6.0rc7
build-time: Jan/18/2013 13:04:05
free-memory: 3072.7MiB
total-memory: 3964.0MiB
cpu: tilegx
cpu-count: 36
cpu-frequency: 1200MHz
cpu-load: 0%
free-hdd-space: 424.1MiB
total-hdd-space: 512.0MiB
architecture-name: tile
board-name: CCR1036-12G-4S
platform: MikroTik

I will try upgrading to rc9 later (can't reboot now).

"/ip dns set cache-size=2048"

works fine in RC9

RGDS

"/ip dns set cache-size=2048"

Sure, but if you add "KiB" at the end (that it is what "/ip dns export verbose" outputs), the command is not accepted, it's a (small but annoying) bug.

Any chance that 6rd is going to find its way into one of the RouterOS v6 RC builds? at&t and many large ISPs like it are now using 6rd to deploy IPv6. Not having it in RouterOS is a big issue for our clients that use RouterOS on the edge.

In RC9 I have still problem with all interfaces, they not appear in Interfaces and RB got 100% cpu usage, RB 433AH

Upgraded a point to point nstreme link from 6.0rc6 to rc9. One end used RB433 and the other used an Alix board (x86). Both with R52Hn cards. Link is set up using VPLS over a AP to Station link. AES encryption.

The RB433 looks fine with about 2% CPU, but the Alix board jumped up to 80% CPU. Under rc6 cpu load on the Alix board was about 5% with traffic. Sending about 15Mbps. Nothing too complex.

We don't have many Alix systems anymore, but it might be something you want to look at.

RC09 , all ethernet not appear and can not access via winbox

/interface print command not responding

RC09 , all ethernet not appear and can not access via winbox

/interface print command not responding

tried at MAC? Which your RB?

For these problems that I'm afraid to upgrade my RB.

Routerboot is already 3.03.

NAT is not working on CCR with rc9.

NAT is not working on CCR with rc9.

Excuse my ignorance, what most mean by CCR?

NAT is not working on CCR with rc9.

Excuse my ignorance, what most mean by CCR?

CCR = Cloud Core Router

http://routerboard.com/CCR1036-12G-4S

Is it normal, that E-mail password easy to see in .backup file? And Wi-Fi key too?
Is it not protected format?

Is it normal, that E-mail password easy to see in .backup file? And Wi-Fi key too?
Is it not protected format?

I think it's not problem

Is it normal, that E-mail password easy to see in .backup file? And Wi-Fi key too?
Is it not protected format?

"Important! The backup file contains sensitive information, do not store your backup files inside the router's Files directory, instead, download them, and keep them in a secure location. "
Citation from: http://wiki.mikrotik.com/wiki/Manual:Co ... Management

a) hard to notice
b) Applies to RouterOS: 2.9, v3, v4

I have something which most of you might not know...

Read especially part III.
I bet ROS 5.x, 6.x are about the same security level....

http://felinemenace.org/~andrewg/MikroT ... sis_Part1/
http://felinemenace.org/~andrewg/MikroT ... sis_Part2/
http://felinemenace.org/~andrewg/MikroT ... sis_Part3/

still think it`s nothing?

imagine me breaking into your tower somewhere "in the woods" and stealing your microtik

I will gain access to your network and I will also gain access to all your routers because of same password used everywhere.

It will take me 5 minutes to scan your network for unpatched windows and by using some script kiddy tool like metasploit to hack a few customers in few hours, stealing their data.

This is how a WISP can be put out of service in one dark night...

So be warned!

Someone already updated RC9 in some RB450G? everything is normal with no problems?

a) hard to notice
b) Applies to RouterOS: 2.9, v3, v4

I have something which most of you might not know...

Read especially part III.
I bet ROS 5.x, 6.x are about the same security level....

http://felinemenace.org/~andrewg/MikroT ... sis_Part1/
http://felinemenace.org/~andrewg/MikroT ... sis_Part2/
http://felinemenace.org/~andrewg/MikroT ... sis_Part3/

still think it`s nothing?

imagine me breaking into your tower somewhere "in the woods" and stealing your microtik

I will gain access to your network and I will also gain access to all your routers because of same password used everywhere.

It will take me 5 minutes to scan your network for unpatched windows and by using some script kiddy tool like metasploit to hack a few customers in few hours, stealing their data.

This is how a WISP can be put out of service in one dark night...

So be warned!

In security once you have physical access it's game over, Also this requires you to extract the file from the flash of an RB or the HDD of a x86 box (Alot easier on x86)

The winbox entry is interesting but again requires a compromised PC at which point it's just time. It's another attack vector that requires social engineering to exploit and it's much easy to get granny to install bonzai buddy than it is a network engineer with user/pass for main routers.

Bit of a storm in a teacup really.

NAT is not working on CCR with rc9.

Please clarify what is not working, and send a supout.rif file to support. We have CCR routers with NAT and it works fine, maybe there is something specific in your configuration.

RC09 , all ethernet not appear and can not access via winbox

/interface print command not responding

engineertote, please write to support about this. can we get remote SSH access to your device?

First post has been updated with the CCR RouterBOOT upgrade file. http://www.mikrotik.com/download/share/ ... 3_04_2.fwf

after update to rc 9, status of Connections disappeared (marked in red)

Is it normal, that E-mail password easy to see in .backup file? And Wi-Fi key too?
Is it not protected format?

yes, it is normal. do not store the backup file in public location, and do not give it to anybody.

after update to rc 9, status of Connections disappeared (marked in red)

it has been fixed in RC10 (not released yet)

a) hard to notice
b) Applies to RouterOS: 2.9, v3, v4

I have something which most of you might not know...

Read especially part III.
I bet ROS 5.x, 6.x are about the same security level....

http://felinemenace.org/~andrewg/MikroT ... sis_Part1/
http://felinemenace.org/~andrewg/MikroT ... sis_Part2/
http://felinemenace.org/~andrewg/MikroT ... sis_Part3/

still think it`s nothing?

imagine me breaking into your tower somewhere "in the woods" and stealing your microtik

I will gain access to your network and I will also gain access to all your routers because of same password used everywhere.

It will take me 5 minutes to scan your network for unpatched windows and by using some script kiddy tool like metasploit to hack a few customers in few hours, stealing their data.

This is how a WISP can be put out of service in one dark night...

So be warned!

Please clarify how you will break into something, if the backup file is not given to you? If you follow the manual, and store the file "in a secure location", no harm can be done. There is no solution to this, except by using encryption, which would require decryption keys.

Under PPPoE Client, when bonding multilink pppoe links status only reports 1 Active link instead of the correct number.

Also [Ticket#2013012466000127] still unresolved, BGP session hangs in 'open sent' over multilinked pppoe link (2 or more) but works OK (Established BGP session) on single pppoe link. My ISP require I use TCP MD5 key on the BGP session. This is a new bug in v6, v5 worked fine.

No backup needed to compromise. It`s much easier to get access to physical equipment of a WISP. Most of the equipment is protected by nothing.

If I`m a script kiddy I do this:
a) Crack the case on the tower
b) http://manio.skyboo.net/mikrotik/
c) Do harm
d) Tell all my friends how good hacker I am.

No backup needed to compromise. It`s much easier to get access to physical equipment of a WISP. Most of the equipment is protected by nothing.

If I`m a script kiddy I do this:
a) Crack the case on the tower
b) http://manio.skyboo.net/mikrotik/
c) Do harm
d) Tell all my friends how good hacker I am.

Sorry but this is not related to this topic. Your described method requires somebody to keep a backup file on the router, which is against documentation recommendation. Also, breaking the case open, will not help if there is a routerboard inside.

If you follow the manual, and store the file "in a secure location", no harm can be done. There is no solution to this, except by using encryption, which would require decryption keys.

Normis, read the three part article in more depth or give the links to somebody able to understand it. I do not care about the backups as they are "just another security flaw" and the is a much bigger hole in the system.

If you follow the manual, and store the file "in a secure location", no harm can be done. There is no solution to this, except by using encryption, which would require decryption keys.

Normis, read the three part article in more depth or give the links to somebody able to understand it. I do not care about the backups as they are "just another security flaw" and the is a much bigger hole in the system.

This is not a serious security hole. Anybody can break into a bank and steal all the money. This is basically the same. Just put security guard and more locks on the door.

No backup needed to compromise. It`s much easier to get access to physical equipment of a WISP. Most of the equipment is protected by nothing.

If I`m a script kiddy I do this:
a) Crack the case on the tower
b) http://manio.skyboo.net/mikrotik/
c) Do harm
d) Tell all my friends how good hacker I am.

Sorry but this is not related to this topic. Your described method requires somebody to keep a backup file on the router, which is against documentation recommendation. Also, breaking the case open, will not help if there is a routerboard inside.

Oh really??!?!!? Want work if there is a RB inside:

Then what is this:
Hardware needed
- computer (laptop is a good choice for hard conditions)
- RouterBoard (i've tested it on versions: 532, 532A and 411 - but should work on all OpenWrt-supported RouterBoards, Cesco tested it on RB133C)
- serial console cable
- patch-cord


Now you are really panicking!

Please read one post above. Also, please stop posting in unrelated topics. You can email support if you want to continue

a) Crack the case on the tower

In many countries it is being called the crime.

Someone already updated RC9 in some RB450G? everything is normal with no problems?

Someone already updated RC9 in some RB450G? everything is normal with no problems?

On my RB450G upgrade to version 6rc8 and 6rc9 leads to a loss in the channel. Returned to 6rc7

On my RB450G upgrade to version 6rc8 and 6rc9 leads to a loss in the channel. Returned to 6rc7

what do you mean by "loss in the channel", please clarify?

what do you mean by "loss in the channel", please clarify?

I think the problem with the queues - until the limit is reached, all is OK. As soon as someone loads the channel, at other users Internet disappears. I wrote about this in support. Ticket #2013021166000275

This is compounded by low bandwidth of the channel - the queues is always loaded

We use nat rules with address list but it not work.
After reset counter:



after 23 seconds, but there is no anything nated.

We that own CCR should upload tilegx_3_04_2.fwf and then run upgrade command?

zlatkomajstor, Yes! of course, also upgrade RouterOS itself.

Dear Normis!

Multicast routing (PIM-SM) same source (IPTV channel) with different client IP (Set Top Box) not working in CCR1036 (RC6,RC7,RC8,RC9). Same ROS version (RC6,RC7,RC8,RC9) and same configuration (1. RP, 3. Interface) working correctly in RB2011.

Please investigate this problem...


Thx.

Attila

I upgraded the router to version RC9 but the firmware was the same as in RC7 and I didn't read the second line where it said that we should also upload that file and upgrade after that. This is also first time I read about this. I thought that the firmware is built inside the upgrade package as it was always in the past.

dhcp radius autoryzation still offered

How many people have done this on a CCR? I'm stilling running RC7 as it's stable for me.

Also, can you update the boot FW without doing the OS?

How many people have done this on a CCR? I'm stilling running RC7 as it's stable for me.

Also, can you update the boot FW without doing the OS?

Yes, you can. Put the file http://www.mikrotik.com/download/share/ ... 3_04_2.fwf
info files. And then run command
/system routerboard upgrade

After upgrading CCR to rc9, VRRP is not working well.

On a router reboot, I have to disable and enable again VRRP IP to get it working. Downgrading to rc7 works fine.

Dear All,

I've problem also with rc9 on RB433ah with OSFP and MPLS configured, when the router boot and OSFP goes running the RB reboot with kernel failure.

BR

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 6.0rc9 (c) 1999-2013 http://www.mikrotik.com/

[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments

[Tab] Completes the command/word. If the input is ambigous,
a second [Tab] gives possible options

/ Move up to base level
.. Move up one level
/command Use command at the base level
(8 messages not shown)
feb/04/2013 05:12:20 system,error,critical router was rebooted without proper shutdown
feb/04/2013 11:24:13 system,error,critical router was rebooted without proper shutdown
feb/05/2013 06:02:30 system,error,critical router was rebooted without proper shutdown
feb/07/2013 14:54:46 system,error,critical router was rebooted without proper shutdown
feb/08/2013 05:18:48 system,error,critical router was rebooted without proper shutdown
feb/10/2013 09:08:06 system,error,critical router was rebooted without proper shutdown
feb/11/2013 17:44:23 system,error,critical router was rebooted without proper shutdown
feb/12/2013 19:47:02 system,error,critical router was rebooted without proper shutdown

Morning All!

I was very excited when I took at look at the Changelog for rc8 and saw initial Openflow support ... but now Changelog has been updated and that's no longer visible ....

I'd appreciate being involved in any Openflow testing

R

I was very excited when I took at look at the Changelog for rc8 and saw initial Openflow support ... but now Changelog has been updated and that's no longer visible ....

I'd appreciate being involved in any Openflow testing

both rc8 and rc9 downloads contain 'openflow' package which you need to install for OpenFlow support

I am sending graphics of the CPU load on CCR1036 in three cases:

RouterOS v6.0rc7 Conntrack disabled


RouterOS v6.0rc9 Conntrack disabled


RouterOS v6.0rc9 firmware 3.04.2 Conntrack disabled



About 5k users, static routes, BGP and couple of IP based firewall rules.

I think that there is still a lot of work in order to do better load balance on the CPU cores.

I haven't seen any problem with the router except sometimes I don't get readings thru SNMP. I didn't had this problem with other Mikrotik routers and the older RouterOS even if their CPU-s were working at higher load then on the CCR.

both rc8 and rc9 downloads contain 'openflow' package which you need to install for OpenFlow support

Quite right - unwrapped my CCR1036 this morning, installed RC9 and saw the Openflow package

Morning All!

I was very excited when I took at look at the Changelog for rc8 and saw initial Openflow support ... but now Changelog has been updated and that's no longer visible ....

I'd appreciate being involved in any Openflow testing

R

Here is the little information on how to use Openflow on RouterOS.
http://wiki.mikrotik.com/wiki/Manual:OpenFlow

You can contact support to get more details.

Hello all,

I found this problem in RC9: When PPP tunnel was established, two mangle rules (changing MTU) are added. But on the end (not at first position) of existing rules in chain forward. When some rule before them accepts packet, they avoid changing MTU and communication is faulty.
I must manually move change MTU rules before others in forward chain.

I am not 100% sure, but in previous version (RC7 and older) I hadn't problem with this (changing MTU rule was at first postition).
(tested on RB751G)

The change MSS rules are in the "Mangle" table, while the other forward rules go into the "Filter" table.
According to the netfilter metamodel, mangle rules are applied before filter and NAT rules.

You can check this out here:
http://www.shorewall.net/NetfilterOverv ... l#Overview

So the position of change MTU in regard to other rules doesn't actually matter.
Unless there's an implementation fault.

The change MSS rules are in the "Mangle" table, while the other forward rules go into the "Filter" table.
According to the netfilter metamodel, mangle rules are applied before filter and NAT rules.

I means rules in mangle table, in forward chain. I have packet marking rules (due traffic shaping).

But now I look in to other Mikrotiks with older firmwares (5.22) and Change MSS rules are on the end of table too. So this is not new in rc9, I must reorganize rules in mangle.

I need help, I need the firewall mangle functions, global out, and in global, however do not have the RC9?, in version 5.22 has my works normal full cache without them without full cache.

rc10 has been released. please continue discussion in that topic, after you have upgraded. thanks!