6.33 version released!

Fri Nov 06, 2015 2:02 pm

6.32.3 has been moved to bugfix channel.

What's new in 6.33 (2015-Nov-06 12:49):

*) dns - initial fix for situation when dynamic dns servers could disappear;
*) winbox - dropped support for winbox v3.0beta and v3.0rc (use winbox v3.0);
*) dhcpv6 - various improvement and fixes for dhcp-pd client and ippool6;
*) defconf - fixed rare situation where configuration was only partially loaded;
*) net - fix possible never ending loop when bad CDP discovery packet is received;
*) log - make default disk file name to reside in flash dir if it exists;
*) romon - change port list to be not ordered in export;
*) capsman - limit number of simultaneous DTLS handshakes;
*) capsman - fixed memory leak on CAP joining CAPsMAN when ssld is used;
*) winbox - added allow-fast-path to eoip, gre & ipip;
*) winbox - do not show power-cycle properties on non poe ports;
*) l2tp: implemented PPPoE over L2TP in LNS mode, RFC3817;
*) webfig - some of the setting were shifted to the right;
*) packages - allow to reinstall from bundle to separate packages & vice versa;
*) packages - prefer out of bundle packages when both of them are installed;
*) packages - fix a problem of upgrading bundle package to non bundled ones;
*) ipsec - force flow cache validation once in 1h;
*) winbox - make sure that all setting names get shown in full;
*) winbox - added poe power-cycle-ping settings to ethernet interfaces;
*) ppp - handle properly case were ppp client is given same address for local & remote end;
*) winbox - added vlan-mode & vlan-id to virtual-ap interface;
*) winbox - added timeout column to ipv6 address lists;
*) winbox - show SFP Tx/Rx Power properly;
*) winbox - added min-links to bonding interface;
*) winbox - do not show health menu on RB951Ui-2HnD;
*) winbox - added support for Login-Timeout & MAC-Auth-Mode in hotspot;
*) cerm - added option to disable crl download in '/certificate settings';
*) winbox - make user ssh key import work again;
*) webfig - make "Copy to Access List" work in CAPsMAN Registration Table;
*) userman - fix report generation problem which could result in some users being skipped from it;
*) winbox - fix to allow cpu-port as mirror-target
*) proxy - error.html parsing enhancement to improve performance
*) CCR1072 - improve ether1 performance under heavy load
*) routerboard - indicate RouterBOOT type in /system routerboard print;
*) mpls - properly use mpls mtu for routes;
*) cerm - fix key description for signed certificates;
*) trafflow - report flow addresses in v1 and v5 without NAT awareness;
*) hotspot - add mac-auth-mode setting for mac-as-passwd option;
*) hotspot - add login-timeout setting to force login for unauth hosts;
*) auto-upgrade - fixed auto upgrade for smipsbe;
*) dns - do not create duplicate entries for same dynamic dns server addresses;
*) ipsec - fix set on multiple policies which could result in adding non existent dynamic policies to the list;
*) email - allow server to be specified as fqdn which is resolved on each send;
*) fastpath - eoip,gre,ipip tunnels support fastpath (new per tunnel setting "allow-fast-path");
*) ppp, pptp, l2tp, pppoe - fix ppp compression related crashes;
*) cerm - also accept downloaded CRLs in PEM format;
*) userman - added 'history clear' to allow flushing undo history, which may take up significant amount of memory for huge databases with hundreds of users;
*) health - fix voltage for CRS109, CRS112 and CRS210 if powered from external adapter;
*) userman - added phone number support to signup form;
*) ip pool6 - try to acquire the same prefix if info matches recently freed;
*) ipsec - fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator;
*) ipsec - use local-address for phase 1 matching and initiation;
*) route - fixed crash on removing route that was aggregated;
*) ipsec - fix replay window, was accidentally disabled since version 6.30;
*) ssh - allow host key import/export;
*) ssh - use 2048bit RSA host key when strong-crypto enabled;
*) ssh - support RSA keys for user authentication;
*) wlan - improved WMM-PowerSave support in wireless-cm2 package;
*) pptp & l2tp - fixed problem where android client could not connect if both dns names were not provided (was broken since v6.30);
*) auto-upgrade - added ability to select which versions to select when upgrading;
*) quickset - fixed HomeAP mode;
*) lte - improved modem identification to better support multiple identical modems;
*) snmp - fix system scripts table;
*) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;
*) fastpath - active mac-winbox or mac-telnet session no longer suspends fastpath;
*) fastpath - added per interface fastpath counters;
*) fastpath - added trafflow support in basic ipv4 and fasttrack ipv4 fastpath;
*) ppp - added on-up & on-down scripts to ppp profile;
*) winbox - allow to specify dns name in all the tunnels;
*) pppoe - added support for MTU > 1492 on PPPoE;
*) cerm - fix scep server certificate-reply degenerate PKCS#7 signed-data content;
*) ppp-client - added default channels for Alcatel OneTouch L100V;
*) defconf - fix for boards that had bridge with only wlan ports;
*) ovpn: support OpenWRT ovpn clients (or any other with enable-small option enabled);
*) cerm - use certificate file name for imported cert name;
*) fetch - fixed error message when error code 200 was received;
*) cerm - rebuild crl for local ca if crl file does not exist;
*) winbox - make directed broadcasts work for neighbor discovery;
*) upnp: automatically adjust mappings to new external ip change;
*) ppp - added ppp interface to upnp internals/externals if requested;
*) ppp - when adding ipv6 default route use user provided distance;
*) userman - allow to correctly enable CoA on router;
*) cerm - show crl nextupdate time;
*) ppp - added CoA support to PPPoE, PPTP & L2TP (Mikrotik-Recv-Limit, Mikrotik-Xmit-Limit, Mikrotik-Rate-Limit, Ascend-Data-Rate, Ascend-XMit-Rate, Session-Timeout);
*) ppp - added new option under "ppp aaa" - "use-circuit-id-in-nas-port-id";
*) userman - refresh active sessions/users view dynamically;
*) package - added version tag and show everywhere alongside of version number;
*) wlan - improved 802.11 protocol single connection TCP performance for ac chipset with cm2 package.

freemannnn · Fri Nov 06, 2015 3:46 pm

"hotspot - add mac-auth-mode setting for mac-as-passwd option"
so what exactly does this? why is different from ip binding?

ddejager · Fri Nov 06, 2015 3:58 pm

I am running 6.33rc14 on a RB711GA-5HnD. I try to to winbox autoupdate on the "Current" channel. I'm told that the latest version is 6.33 as expected. I click on either download or download & install. In either case nothing gets downloaded and the message at the bottom of the winbox "check for updates" window says: "New version is available". Why does it not download and update?

The same thing happens on an STX HG5 radio.

In either case if I manually download and then copy to the files folder on the device and reboot the upgrade takes place.

Fri Nov 06, 2015 3:58 pm

"hotspot - add mac-auth-mode setting for mac-as-passwd option"
so what exactly does this?

It allows to use mac address both as user-name and password. Old one allowed it be used just as user-name. In some situations it might make things easier for various devices to login if mac login is enabled.

/ip hotspot profile set mac-auth-mode=                
MacAuthMode ::= mac-as-username | mac-as-username-and-password

Fri Nov 06, 2015 3:59 pm

I am running 6.33rc14 on a RB711GA-5HnD. I try to to winbox autoupdate on the "Current" channel. I'm told that the latest version is 6.33 as expected. I click on either download or download & install. In either case nothing gets downloaded and the message at the bottom of the winbox "check for updates" window says: "New version is available". Why does it not download and update?

Did it try to reboot? Reboot manually and see the LOG

freemannnn · Fri Nov 06, 2015 4:02 pm

so if i understand, if you have a hotspot you can tell a friend to login with his device (laptop,phone,tablet) mac address.

1. of course he needs to find mac address by going to device settings. right?
2. its an easy way for hotspot so you dont have to add usernames and passwords each time you want to give away a free access account. right?

Fri Nov 06, 2015 4:06 pm

@freemannnn

You still need to add that mac-address as user in your hotspot or radius, before that persons phone can get authenticated with system. but essentially, yes. This might be useful for all kind of mobile POS systems and things like that in environment where all devices are behind a hotspot server.

ddejager · Fri Nov 06, 2015 4:07 pm

I am running 6.33rc14 on a RB711GA-5HnD. I try to to winbox autoupdate on the "Current" channel. I'm told that the latest version is 6.33 as expected. I click on either download or download & install. In either case nothing gets downloaded and the message at the bottom of the winbox "check for updates" window says: "New version is available". Why does it not download and update?
Did it try to reboot? Reboot manually and see the LOG

It did not try to reboot. Nothing was in the log. I updated my original post to indicate that I could (and did) manually download and manually upgraded successfully.

CrazyMonkey · Fri Nov 06, 2015 4:31 pm

*) l2tp: implemented PPPoE over L2TP in LNS mode, RFC3817;

Thank you !!!

ganewbie · Fri Nov 06, 2015 5:47 pm

*) l2tp: implemented PPPoE over L2TP in LNS mode, RFC3817;
Thanks a million

Vaxter · Fri Nov 06, 2015 5:51 pm

WinBox is missing from build.
Ther is an 404 when clicked on winbox link in web interface.

StubArea51 · Fri Nov 06, 2015 6:19 pm

Upgraded our CCR1072 to 6.33 and got an interesting error when trying to login

Looks like WInBox 3.0 is not a release candidate anymore

Was able to get in after downloading Winbox 3.0.

Fri Nov 06, 2015 6:21 pm

Looks like WInBox 3.0 is not a release candidate anymore Was able to get in after downloading Winbox 3.0.

That's actually mentioned in ChangeLog...

freemannnn · Fri Nov 06, 2015 6:39 pm

hotspot - add login-timeout setting to force login for unauth hosts

and what is this doing exactly...

msport · Fri Nov 06, 2015 8:39 pm

hotspot - add login-timeout setting to force login for unauth hosts

and what is this doing exactly...

I would want to know that as well! Probably it is not what i need but still it would be interesting to have new features explained. Manual is not updated with info as far as i can see.

--

M

freemannnn · Fri Nov 06, 2015 10:10 pm

I found out, Add login-timeout is the timeout a device stays in hosts tab list . After that time it is deleted.

Balmungmp5 · Fri Nov 06, 2015 10:12 pm

*) quickset - fixed HomeAP mode;

What was broken?

UpRunTech · Fri Nov 06, 2015 11:32 pm

Given the single stream TCP/IP speed up is in wireless-cm2, if we are not using Capsman v1 should we all start using wireless-cm2 instead of wireless-fp by default?

gius64 · Fri Nov 06, 2015 11:57 pm

Given the single stream TCP/IP speed up is in wireless-cm2, if we are not using Capsman v1 should we all start using wireless-cm2 instead of wireless-fp by default?

Speaking about that, if I would make my users to use wireless-cm2 on their CPEs, is this package mature enough also on point to multipoint?
The last time I changed my users wireless package was from "wireless" to "wireless-fp", but 6.30 did this automatically, so I simply upgraded all users to 6.30.
Are there any improvement to nv2 point to multipoint on wireless-cm2?

msport · Sat Nov 07, 2015 12:01 am

I found out, Add login-timeout is the timeout a device stays in hosts tab list . After that time it is deleted.

Thanks!

Really dont see the benefit, but then again, not used to the hotspot yet, but getting there.

--
M

Sat Nov 07, 2015 12:56 am

@msport, freemannnn

Regarding "login-timeout" for hotspot. In some situations there was a problem that automatic login or redirect to hotspot portal didn't occur for some reason. Mostly by host being to long in host table and/or user account could being added to hotspot/radius after it was already in host table. Usually people were solving this problem by script that deletes these host entries after a while or manually.

For more neat approach we added this timer. Which by default is disabled, so if desired then needs to enabled by setting it to interval value that best fits your setup.

ckleea · Sat Nov 07, 2015 1:08 am

My KVM image does not start. When click enable and start, it just briefly indicates start and then stopped.

timoid · Sat Nov 07, 2015 1:41 am

the final 6.33 still has the IPv6 addresses going missing bug... should I open a support case?

Sat Nov 07, 2015 2:05 am

the final 6.33 still has the IPv6 addresses going missing bug... should I open a support case?

Yes, definitely.

ckleea · Sat Nov 07, 2015 2:37 am

My KVM image does not start. When click enable and start, it just briefly indicates start and then stopped.

An update: openwrt x86 images work as before but debian i386 images does not. Logging shows kvm error. VNC does not allow me to connect.

nje431 · Sat Nov 07, 2015 2:54 am

*) ipsec - use local-address for phase 1 matching and initiation;

Please elaborate. And does this apply to EoIP ipsec?

andersonlich · Sat Nov 07, 2015 9:16 am

*) l2tp: implemented PPPoE over L2TP in LNS mode, RFC3817;

example configuration please.

andersonlich · Sat Nov 07, 2015 11:23 am

*) pppoe - added support for MTU > 1492 on PPPoE;
example please ?
as far as i know, default when create profile pppoe-server should be 1480, so we can put in 1492 ?

omidkosari · Sat Nov 07, 2015 11:29 am

*) ppp - added new option under "ppp aaa" - "use-circuit-id-in-nas-port-id";

Is it what i requested many years ago ??? http://forum.mikrotik.com/viewtopic.php?f=2&t=42698 "PPPoE option 82"

pe1chl · Sat Nov 07, 2015 11:31 am

"hotspot - add mac-auth-mode setting for mac-as-passwd option"
so what exactly does this?
It allows to use mac address both as user-name and password. Old one allowed it be used just as user-name.

Please add the possibility of using an arbitrary username and password.
(entered in a text field when configuring)

lishniy · Sat Nov 07, 2015 11:35 am

DNS fully broken for me.
/ip dns> print
action timed out - try again, if error continues contact MikroTik support and send a supout file (13)
/ip dns> set servers=8.8.8.8
action timed out - try again, if error continues contact MikroTik support and send a supout file (13)

MartijnVdS · Sat Nov 07, 2015 12:53 pm

DNS fully broken for me.
/ip dns> print
action timed out - try again, if error continues contact MikroTik support and send a supout file (13)
/ip dns> set servers=8.8.8.8
action timed out - try again, if error continues contact MikroTik support and send a supout file (13)

Have you contacted MikroTik support and sent them a supout file?

Ulypka · Sat Nov 07, 2015 2:48 pm

Where is "fastpath - added per interface fastpath counters"?
I haven't found it.

jebz · Sun Nov 08, 2015 10:48 am

Torrent?
Going by past Torrent URLs this should work -
http://www.mikrotik.com/download/router ... 33.torrent
But it responds "Broken", past versions have torrented with this URL pattern.

aboiles · Sun Nov 08, 2015 3:28 pm

try https://www.mikrotik.com/download/route ... 33.torrent
but so far no seeders

drusha · Sun Nov 08, 2015 7:39 pm

My KVM image does not start. When click enable and start, it just briefly indicates start and then stopped.

I confirm this KVM behavior with i386 Debian image on x86

ckleea · Mon Nov 09, 2015 12:28 am

My KVM image does not start. When click enable and start, it just briefly indicates start and then stopped.
I confirm this KVM behavior with i386 Debian image on x86

The same still appears in the 6.34 release candidate. After downgrade back to 6.32.3, it is back to normal

bjornr · Mon Nov 09, 2015 12:58 am

After upgrading I see a lot of unsolicited HTTP requests towards 169.254.169.254:80 from all devices, on most of which no scripts or scheduled jobs are running. The request is rather persistent until the device receives some kind of answer, and happens (at least) after reboots.

This is the HTTP request:
GET /latest/meta-data/public-keys/0/openssh-key HTTP/1.1
Host: 169.254.169.254

Could anyone explain what my devices are suddenly asking for? Is this behaviour hinted at somewhere in the changelog?

bjornr · Mon Nov 09, 2015 1:29 am

[quote="bjornr"]After upgrading I see a lot of unsolicited HTTP requests towards 169.254.169.254:80 from all devices, on most of which no scripts or scheduled jobs are running. The request is rather persistent until the device receives some kind of answer, and happens (at least) after reboots.

This is the HTTP request:
GET /latest/meta-data/public-keys/0/openssh-key HTTP/1.1
Host: 169.254.169.254

Could anyone explain what my devices are suddenly asking for? Is this behaviour hinted at somewhere in the changelog?[/quote]

An update to the above: Below is what RouterOS 6.33 asks for. Seems to be remnants of some testing setup, with funny side effects when released to the public :-)

x.x.x.x - - [09/Nov/2015:00:12:04 +0100] "GET /latest/meta-data/public-keys/0/openssh-key HTTP/1.1" 200 604 "-" "-"
x.x.x.x - - [09/Nov/2015:00:12:05 +0100] "GET /latest/meta-data/hostname HTTP/1.1" 200 230 "-" "-"

Just for fun, I supplied the requested files. Something™ in the boot process sets the hostname from the second request:

[admin@those-are-my-juniper-bushes\n] >

I can't seem to find that the key has been installed anywhere, and since it does not seem to be applied to the "admin" account (the only preconfigured account) I'm anxious to find out what it really does.

kemerovo · Mon Nov 09, 2015 5:29 am

when will support igmp snooping ?

janisk · Mon Nov 09, 2015 8:35 am

bjornr and ckleea would be nice if you sent support output files to the support. Create the file after your attempt to start your image file.

Also, while at it, check if you have kernel and initrd files supplied for the configuration.

bjornr · Mon Nov 09, 2015 8:54 am

bjornr and ckleea would be nice if you sent support output files to the support. Create the file after your attempt to start your image file.

Also, while at it, check if you have kernel and initrd files supplied for the configuration.

I just submitted the supout from one of the devices. Please note that I'm seeing this on regular units (RB-SXTs, RB75x, RB95x, etc), not a CHR image. This behaviour is not limited to the device from which I gathered the supout, it's common for all units that were updated to 6.33.

bronx · Mon Nov 09, 2015 1:22 pm

*) l2tp: implemented PPPoE over L2TP in LNS mode, RFC3817;

example configuration please.

+1

chg123 · Mon Nov 09, 2015 3:49 pm

Is the 404 on http://{routerip}/winbox/winbox.exe a bug or a feature?

Together with the incompatibility of the v3 betas of Winbox this really sucks.

Mon Nov 09, 2015 3:56 pm

chg123 - Have you used Branding maker to modify this router? Winbox is not saved on router any more. It is on our server and you should be directed to http://www.mikrotik.com/download/winbox.exe

qwwwizx · Mon Nov 09, 2015 5:49 pm

*) trafflow - report flow addresses in v1 and v5 without NAT awareness;
*) fastpath - added trafflow support in basic ipv4 and fasttrack ipv4 fastpath;

solved my issues with NAT and Trafficflow

Mon Nov 09, 2015 6:24 pm

chg123 - Have you used Branding maker to modify this router? Winbox is not saved on router any more. It is on our server and you should be directed to http://www.mikrotik.com/download/winbox.exe

Not so good idea. It is preventing to download compatible winbox from ros device when no access to Internet from any reason. It is big step back.

Cha0s · Mon Nov 09, 2015 6:39 pm

I agree with jarda.

pe1chl · Mon Nov 09, 2015 6:48 pm

It is preventing to download compatible winbox from ros device when no access to Internet from any reason. It is big step back.

winbox.exe went from 125KB to 1620KB so I can understand that.
not so easy to understand why it increased so much in size...

NetflashTechnical · Mon Nov 09, 2015 7:58 pm

Ok, LNS Support! Does that include LAC support? It'd be nice to aggregate all our line edge routers to central powerhouse routers for PPPoE, and ideally if we can do separate domains it would let us set up a reseller network through our infrastructure!

Aarriaga · Mon Nov 09, 2015 8:27 pm

*) l2tp: implemented PPPoE over L2TP in LNS mode, RFC3817;

example configuration please.
+1

+1
It's a good idea.

bardelot · Mon Nov 09, 2015 10:05 pm

In 6.33 my configured IPSec RoadWarrior tunnel stopped working. It will still connect and the client is able to reach the router but no systems behind it (multiple subnets including the same as the router). Interestingly everything is working when I enable packet sniffing or torch on the interface.

Anyone else affected by the same issue or able to explain it?

Mon Nov 09, 2015 10:11 pm

In 6.33 my configured IPSec RoadWarrior tunnel stopped working... Interestingly everything is working when I enable packet sniffing or torch on the interface.

Make sure your inner-tunnel IPsec traffic is exempt from Fasttrack.

rioven · Mon Nov 09, 2015 10:15 pm

This is my config (simple queue)

[admin@MikroTik] /queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
0 name="queue1" dst=Streamyx parent=none packet-marks="" priority=8/8
queue=synchronous-default/synchronous-default limit-at=0/0
max-limit=405k/4M burst-limit=425k/0 burst-threshold=384k/0
burst-time=10s/0s

1 name="QoS1" parent=queue1 packet-marks=QoS1 priority=1/1
queue=default-small/default-small limit-at=0/0 max-limit=0/0
burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s

2 name="QoS7" parent=queue1 packet-marks=QoS7 priority=7/7
queue=default-small/default-small limit-at=0/0 max-limit=0/0
burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s

3 name="QoS8" parent=queue1 packet-marks=QoS8 priority=8/8
queue=default-small/default-small limit-at=0/0 max-limit=0/0
burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s

this is sample of /ip firewall mangle

6 ;;; QoS1
chain=prerouting action=mark-packet new-packet-mark=QoS1 passthrough=no
protocol=icmp in-interface=Streamyx log=no log-prefix=""

7 chain=postrouting action=mark-packet new-packet-mark=QoS1 passthrough=no
protocol=icmp out-interface=Streamyx log=no log-prefix=""

8 chain=prerouting action=mark-packet new-packet-mark=QoS1 passthrough=no
protocol=udp in-interface=Streamyx src-port=53,88 log=no log-prefix=""

9 chain=postrouting action=mark-packet new-packet-mark=QoS1 passthrough=no
protocol=udp out-interface=Streamyx dst-port=53,88 log=no log-prefix=""

10 chain=prerouting action=mark-packet new-packet-mark=QoS1 passthrough=no
protocol=tcp in-interface=Streamyx src-port=53,80,443 log=no
log-prefix=""

11 chain=postrouting action=mark-packet new-packet-mark=QoS1 passthrough=no
protocol=tcp out-interface=Streamyx dst-port=53,80,443 log=no
log-prefix=""

It was working on previous version 6.32.3
(edit..add more info)

bardelot · Mon Nov 09, 2015 10:35 pm

In 6.33 my configured IPSec RoadWarrior tunnel stopped working... Interestingly everything is working when I enable packet sniffing or torch on the interface.
Make sure your inner-tunnel IPsec traffic is exempt from Fasttrack.

Indeed, thanks. Removing the FastTrack rules solved the issue. Will have to find a solution how to properly exempt the IPSec traffic from these rules now.

Mon Nov 09, 2015 10:39 pm

winbox.exe went from 125KB to 1620KB so I can understand that.
not so easy to understand why it increased so much in size...

I guess they changes the core of WinBox architechture. WinBox used to download (and cache) a set of DLLs from the router on connect, one DLL per RouterOS package (i.e. system, wireless, security, etc.). Those DLLs is what actually implements UI for a particular package. WinBox 3 does not appear to be doing that any longer. Mikrotik devs, I guess, moved all the logic into the WinBox itself. That means they also introduced a new way for WinBox and the router to communicate which configuration options are available in the RouterOS version you are connected to at the moment. The main advantage of this approach is it will allow (sooner or later) Mikrotik guys to make WinBox truly portable without the need in Wine or similar crutches.

Mon Nov 09, 2015 10:42 pm

Will have to find a solution how to properly exempt the IPSec traffic from these rules now.

You can use a recently introduced 'ipsec-policy' firewall rule matcher. It should easily solve your task, provided you do not NAT your inner-tunnel traffic.

bardelot · Mon Nov 09, 2015 10:56 pm

Will have to find a solution how to properly exempt the IPSec traffic from these rules now.
You can use a recently introduced 'ipsec-policy' firewall rule matcher. It should easily solve your task, provided you do not NAT your inner-tunnel traffic.

I was trying to add a simple FastTrack rule for the related / established connections in the forward chain for inbound as well as outbound traffic.

With the IPSec policy matcher I don't see an option to solve it that easily as it will be either inbound or outbound. E.g. when I restrict the firewall rule to in,none it will still capture the out,ipsec traffic right? Or is there an option to apply a rule to non-ipsec traffic only regardless of the direction?

Edit:
I acutally solved it by marking the connections for both in,ipsec and out,ipsec policies which allows me to apply the FastTrack rule to non ipsec marked connections only.

agnostic · Tue Nov 10, 2015 12:17 am

hello after upgrade to ros 6.33 on rb951 and rb750 not available to work with smb anymore...just try to navigate through files and folders and connection gets dropped with no messages on log...cannot even read a file...downgraded again to 6.32.3 and fixed it

chg123 · Tue Nov 10, 2015 1:05 am

chg123 - Have you used Branding maker to modify this router? Winbox is not saved on router any more. It is on our server and you should be directed to http://www.mikrotik.com/download/winbox.exe

Nope, I did not apply any branding maker. The Winbox link on the routers site still goes to the dead local winbox.exe link.

Really sad.

chg123 · Tue Nov 10, 2015 1:07 am

winbox.exe went from 125KB to 1620KB so I can understand that.
not so easy to understand why it increased so much in size...
I guess they changes the core of WinBox architechture. WinBox used to download (and cache) a set of DLLs from the router on connect, one DLL per RouterOS package (i.e. system, wireless, security, etc.). Those DLLs is what actually implements UI for a particular package. WinBox 3 does not appear to be doing that any longer. Mikrotik devs, I guess, moved all the logic into the WinBox itself. That means they also introduced a new way for WinBox and the router to communicate which configuration options are available in the RouterOS version you are connected to at the moment. The main advantage of this approach is it will allow (sooner or later) Mikrotik guys to make WinBox truly portable without the need in Wine or similar crutches.

If there is a chance for a really portable winbox please launch a natively looking mac version soon!

Xyl · Tue Nov 10, 2015 1:45 am

*) pppoe - added support for MTU > 1492 on PPPoE;

What has changed regarding MTU sizes on PPPoE interfaces?

I have been using 6.30.2 on a RB2011UAS-2HnD-IN and was able to use an MTU of 1500 bytes when connecting to my ISP's PPPoE server.
After upgrading to 6.33 I am no longer able to connect with an MTU of 1500 bytes. RouterOS keeps reverting back to 1480 bytes after connecting.
1488 was the max MTU I was able to set without it reverting back to 1480.

I have downgraded back to 6.30.2 for now where an MTU of 1500 bytes still seems to be working for me.
I'm not sure if I'm doing something wrong or if this is a bug. I have not yet been able to test out the versions between 6.30.2 and 6.33.

gius64 · Tue Nov 10, 2015 3:51 am

*) pppoe - added support for MTU > 1492 on PPPoE;
What has changed regarding MTU sizes on PPPoE interfaces?

I have been using 6.30.2 on a RB2011UAS-2HnD-IN and was able to use an MTU of 1500 bytes when connecting to my ISP's PPPoE server.
After upgrading to 6.33 I am no longer able to connect with an MTU of 1500 bytes. RouterOS keeps reverting back to 1480 bytes after connecting.
1488 was the max MTU I was able to set without it reverting back to 1480.

I have downgraded back to 6.30.2 for now where an MTU of 1500 bytes still seems to be working for me.
I'm not sure if I'm doing something wrong or if this is a bug. I have not yet been able to test out the versions between 6.30.2 and 6.33.

Same problem here.
I opened a ticket to support!
If you can do the same, maybe they can look at the issue with more situations!

Tue Nov 10, 2015 8:37 am

Everyone who is noticing unusual traffic on your router - we have managed to reproduce this issue and we will fix it as soon as possible. The router is checking the ssh key for amazon cloud installation environments, a feature coming later.

As a temporary workaround you can use this solution:
/ip route add distance=1 dst-address=169.254.0.0/16 type=blackhole

Tue Nov 10, 2015 8:48 am

chg123 - Have you used Branding maker to modify this router? Winbox is not saved on router any more. It is on our server and you should be directed to http://www.mikrotik.com/download/winbox.exe
Nope, I did not apply any branding maker. The Winbox link on the routers site still goes to the dead local winbox.exe link.

Really sad.

Please post a screenshot of the problem. Which Winbox link specifically is not working

Tue Nov 10, 2015 8:50 am

jarda - Winbox is too large to store it on router. Since there are flash directories on routers for a while now and HDD space is limited we decided to store Winbox on our download site. Any way Winbox is portable tool and even if you do not have internet access and you want to use router, then there is always Webfig, CLI and you can carry Winbox on your USB drive.

chg123 - Can you please write to support and send supout file from your router and also make a screen shot from the place where you try to download Winbox?

karina · Tue Nov 10, 2015 10:48 am

Netmetal 5 No SNMP since upgrade. anybody else having same issue before I report this?

Tue Nov 10, 2015 11:12 am

karina - Please be more precise. Are you using snmpget? If yes, then which values are you not being able to get? What error do you receive?

ckleea · Tue Nov 10, 2015 11:27 am

bjornr and ckleea would be nice if you sent support output files to the support. Create the file after your attempt to start your image file.

Also, while at it, check if you have kernel and initrd files supplied for the configuration.

I use Debian Wheezy and Jessie to install the KVM. After successful installation, I take out the reference to the netinstall iso image, then I can boot into the debian directly without the need of kernel or initrd files in the setting. It is different from that of the image prepared from openwrt x86.

pe1chl · Tue Nov 10, 2015 11:35 am

I have been using 6.30.2 on a RB2011UAS-2HnD-IN and was able to use an MTU of 1500 bytes when connecting to my ISP's PPPoE server.
After upgrading to 6.33 I am no longer able to connect with an MTU of 1500 bytes. RouterOS keeps reverting back to 1480 bytes after connecting.
1488 was the max MTU I was able to set without it reverting back to 1480.

Hmm that is not good... I will have to stick with 6.32.3 until this is fixed!
I note that with that version MTU 1500 on a PPPoE link is working fine, but the router does not seem to do the RFC4638 negoitiation that is mandatory for a larger MTU than 1492.
Maybe in 6.33 the support for RFC4638 was added, although it is not mentioned in the release note?

This can mean two things: either the RFC4638 support is broken and thus the router falls back to a lower MTU, or your ISP does not support RFC4638 and there is no longer a way to still override the MTU as before.

The limit of 1488 is strange, it should be 1492 for PPPoE connections over a 1500 byte medium.
Is your PPPoE link running over plain ethernet or on top of a VLAN? What modem do you use?

juanvi · Tue Nov 10, 2015 2:44 pm

+1

chg123 - Have you used Branding maker to modify this router? Winbox is not saved on router any more. It is on our server and you should be directed to http://www.mikrotik.com/download/winbox.exe
Not so good idea. It is preventing to download compatible winbox from ros device when no access to Internet from any reason. It is big step back.

Tue Nov 10, 2015 2:48 pm

+1
chg123 - Have you used Branding maker to modify this router? Winbox is not saved on router any more. It is on our server and you should be directed to http://www.mikrotik.com/download/winbox.exe
Not so good idea. It is preventing to download compatible winbox from ros device when no access to Internet from any reason. It is big step back.

This frees up a lot of space in the router, and ensures you always get newest Winbox. When you have no access to internet, you still have Webfig, which is 1:1 in layout and features.

Cha0s · Tue Nov 10, 2015 2:54 pm

Yeap. It frees a whole 1.5 mbyte of data! HUGE savings!

We can now use our routers as fileservers with so many data free!

juanvi · Tue Nov 10, 2015 3:07 pm

You are right but I used to dowload winbox from router because winbox works better than webfig. It's hard for me to understand how much can cost 1MB in year 2015... IMHO... There you will be getting very far maximizing profits/cutting costs?

Respectfully, juanvi

This frees up a lot of space in the router, and ensures you always get newest Winbox. When you have no access to internet, you still have Webfig, which is 1:1 in layout and features.

Xyl · Tue Nov 10, 2015 3:15 pm

Is your PPPoE link running over plain ethernet or on top of a VLAN? What modem do you use?

Uplink runs from the RouterBOARD to a TP-Link SG3210 switch which then goes out over a VLAN to an ethernet to fiber media converter to my ISP.
An MTU of 1500 seems to be working fine when using 6.30.2, confirmed by pinging various hosts over the internet with a data length of 1472 bytes and fragmentation disabled and checking via a packet capture done on the RB2011. I was also able to confirm that pinging with a data length of 1472 bytes is no longer working on 6.33.
I will try to get and post packet captures of what happens on 6.30.2 and on 6.33 when connecting to the PPPoE server using various MTU sizes.
At first glance it seems that the ISP's PPPoE server first tries to acknowledge an MTU of 1500 by itself. So the ISP side supports and defaults to an MTU of 1500.

Tue Nov 10, 2015 3:18 pm

Yeap. It frees a whole 1.5 mbyte of data! HUGE savings!
We can now use our routers as fileservers with so many data free!

some SPI based products have 16 and 8MB of storage, so yes, that is a lot.

war3boy · Tue Nov 10, 2015 4:10 pm

I have a weird issue that , my CPU keep spam up to 50% and then it will start over.
Even router in IDLE mode it is still spamming up to 50%.

Anyone facing this issue before? I have no clue what is happening on this.

CPU.PNG

Tue Nov 10, 2015 4:45 pm

I have a weird issue that , my CPU keep spam up to 50% and then it will start over.
Even router in IDLE mode it is still spamming up to 50%.

Anyone facing this issue before? I have no clue what is happening on this.
CPU.PNG

Open "Tool -> Profile" and see what is causing it.

slarocque · Tue Nov 10, 2015 5:03 pm

Hi folks. Is there somewhere that indicates if a new version of RouterOS (such as 6.33) is a "security" update? that is, how urgent is it to upgrade production machines from 6.32? I imagine there is some indicator somewhere I am overlooking on the wiki or release notes or email notifications that says this.

Thanks,
Steve

Tue Nov 10, 2015 5:07 pm

Rule of thumb: If it is not broken, then do not fix it.

If your network is working why do you want to change/fix it ?

slarocque · Tue Nov 10, 2015 5:10 pm

Rule of thumb: If it is not broken, then do not fix it.

If your network is working why do you want to change/fix it ?

Thanks for your reply. The trouble is that I don't know about a security vulnerability (that is, if it is "broken"). I have a working system and would rather not update it unless it addresses a security vulnerability. Hence the request.

Tue Nov 10, 2015 5:16 pm

It is changelog: http://www.mikrotik.com/download
What's new in 6.33 (2015-Nov-06 12:49):

*) dns - initial fix for situation when dynamic dns servers could disappear;
*) winbox - dropped support for winbox v3.0beta and v3.0rc (use winbox v3.0);
*) dhcpv6 - various improvement and fixes for dhcp-pd client and ippool6;
*) defconf - fixed rare situation where configuration was only partially loaded;
*) net - fix possible never ending loop when bad CDP discovery packet is received;
*) log - make default disk file name to reside in flash dir if it exists;
*) romon - change port list to be not ordered in export;
*) capsman - limit number of simultaneous DTLS handshakes;
*) capsman - fixed memory leak on CAP joining CAPsMAN when ssld is used;
*) winbox - added allow-fast-path to eoip, gre & ipip;
*) winbox - do not show power-cycle properties on non poe ports;
*) l2tp: implemented PPPoE over L2TP in LNS mode, RFC3817;
*) webfig - some of the setting were shifted to the right;
*) packages - allow to reinstall from bundle to separate packages & vice versa;
*) packages - prefer out of bundle packages when both of them are installed;
*) packages - fix a problem of upgrading bundle package to non bundled ones;
*) ipsec - force flow cache validation once in 1h;
*) winbox - make sure that all setting names get shown in full;
*) winbox - added poe power-cycle-ping settings to ethernet interfaces;
*) ppp - handle properly case were ppp client is given same address for local & remote end;
*) winbox - added vlan-mode & vlan-id to virtual-ap interface;
*) winbox - added timeout column to ipv6 address lists;
*) winbox - show SFP Tx/Rx Power properly;
*) winbox - added min-links to bonding interface;
*) winbox - do not show health menu on RB951Ui-2HnD;
*) winbox - added support for Login-Timeout & MAC-Auth-Mode in hotspot;
*) cerm - added option to disable crl download in '/certificate settings';
*) winbox - make user ssh key import work again;
*) webfig - make "Copy to Access List" work in CAPsMAN Registration Table;
*) userman - fix report generation problem which could result in some users being skipped from it;
*) winbox - fix to allow cpu-port as mirror-target
*) proxy - error.html parsing enhancement to improve performance
*) CCR1072 - improve ether1 performance under heavy load
*) routerboard - indicate RouterBOOT type in /system routerboard print;
*) mpls - properly use mpls mtu for routes;
*) cerm - fix key description for signed certificates;
*) trafflow - report flow addresses in v1 and v5 without NAT awareness;
*) hotspot - add mac-auth-mode setting for mac-as-passwd option;
*) hotspot - add login-timeout setting to force login for unauth hosts;
*) auto-upgrade - fixed auto upgrade for smipsbe;
*) dns - do not create duplicate entries for same dynamic dns server addresses;
*) ipsec - fix set on multiple policies which could result in adding non existent dynamic policies to the list;
*) email - allow server to be specified as fqdn which is resolved on each send;
*) fastpath - eoip,gre,ipip tunnels support fastpath (new per tunnel setting "allow-fast-path");
*) ppp, pptp, l2tp, pppoe - fix ppp compression related crashes;
*) cerm - also accept downloaded CRLs in PEM format;
*) userman - added 'history clear' to allow flushing undo history, which may take up significant amount of memory for huge databases with hundreds of users;
*) health - fix voltage for CRS109, CRS112 and CRS210 if powered from external adapter;
*) userman - added phone number support to signup form;
*) ip pool6 - try to acquire the same prefix if info matches recently freed;
*) ipsec - fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator;
*) ipsec - use local-address for phase 1 matching and initiation;
*) route - fixed crash on removing route that was aggregated;
*) ipsec - fix replay window, was accidentally disabled since version 6.30;
*) ssh - allow host key import/export;
*) ssh - use 2048bit RSA host key when strong-crypto enabled;
*) ssh - support RSA keys for user authentication;
*) wlan - improved WMM-PowerSave support in wireless-cm2 package;
*) pptp & l2tp - fixed problem where android client could not connect if both dns names were not provided (was broken since v6.30);
*) auto-upgrade - added ability to select which versions to select when upgrading;
*) quickset - fixed HomeAP mode;
*) lte - improved modem identification to better support multiple identical modems;
*) snmp - fix system scripts table;
*) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;
*) fastpath - active mac-winbox or mac-telnet session no longer suspends fastpath;
*) fastpath - added per interface fastpath counters;
*) fastpath - added trafflow support in basic ipv4 and fasttrack ipv4 fastpath;
*) ppp - added on-up & on-down scripts to ppp profile;
*) winbox - allow to specify dns name in all the tunnels;
*) pppoe - added support for MTU > 1492 on PPPoE;
*) cerm - fix scep server certificate-reply degenerate PKCS#7 signed-data content;
*) ppp-client - added default channels for Alcatel OneTouch L100V;
*) defconf - fix for boards that had bridge with only wlan ports;
*) ovpn: support OpenWRT ovpn clients (or any other with enable-small option enabled);
*) cerm - use certificate file name for imported cert name;
*) fetch - fixed error message when error code 200 was received;
*) cerm - rebuild crl for local ca if crl file does not exist;
*) winbox - make directed broadcasts work for neighbor discovery;
*) upnp: automatically adjust mappings to new external ip change;
*) ppp - added ppp interface to upnp internals/externals if requested;
*) ppp - when adding ipv6 default route use user provided distance;
*) userman - allow to correctly enable CoA on router;
*) cerm - show crl nextupdate time;
*) ppp - added CoA support to PPPoE, PPTP & L2TP (Mikrotik-Recv-Limit, Mikrotik-Xmit-Limit, Mikrotik-Rate-Limit, Ascend-Data-Rate, Ascend-XMit-Rate, Session-Timeout);
*) ppp - added new option under "ppp aaa" - "use-circuit-id-in-nas-port-id";
*) userman - refresh active sessions/users view dynamically;
*) package - added version tag and show everywhere alongside of version number;
*) wlan - improved 802.11 protocol single connection TCP performance for ac chipset with cm2 package.

slarocque · Tue Nov 10, 2015 5:22 pm

Thanks. I didn't see anything in there that sounds to me like an important security hole is patched, so I will leave things at 6.32 for now.

Cheers,
Steve

rac · Tue Nov 10, 2015 5:41 pm

The Dude is loosing interest in RouterOS devices. The package information was lost before in the device list (tab RouterOS) - now also the RouterOS version is gone. This view was a great help for updates.
Are there such changes in some API or is it gone by mistake?

Xyl · Tue Nov 10, 2015 7:21 pm

Same problem here.
I opened a ticket to support!
If you can do the same, maybe they can look at the issue with more situations!

I opened a ticket and included supout.rif and packet capture files for both 6.30.2 and 6.33.

This can mean two things: either the RFC4638 support is broken and thus the router falls back to a lower MTU, or your ISP does not support RFC4638 and there is no longer a way to still override the MTU as before.

My ISP does have support for RFC4638 and reports a max payload of 1500 bytes.
Excerpt from packet capture under RouterOS 6.33 (also by comparing packet captures between 6.30.2 and 6.33 I was able to confirm that RFC4638 has been added in 6.33, as the PPP-Max-Payload tag is missing on 6.30.2):

No.     Time           Source                Destination           Protocol Length Info
     15 3.054014       Routerbo_xx:xx:xx     Broadcast             PPPoED   42     Active Discovery Initiation (PADI)

Frame 15: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
Ethernet II, Src: Routerbo_xx:xx:xx (d4:ca:6d:xx:xx:xx), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 6
PPP-over-Ethernet Discovery
    0001 .... = Version: 1
    .... 0001 = Type: 1
    Code: Active Discovery Initiation (PADI) (0x09)
    Session ID: 0x0000
    Payload Length: 18
    PPPoE Tags
        Host-Uniq: 00dc0001
        PPP-Max-Payload: 05dc

No.     Time           Source                Destination           Protocol Length Info
     16 3.057052       HuaweiTe_xx:xx:xx     Routerbo_xx:xx:xx     PPPoED   65     Active Discovery Offer (PADO) AC-Name='195.xxx.xxx.xxx'

Frame 16: 65 bytes on wire (520 bits), 65 bytes captured (520 bits)
Ethernet II, Src: HuaweiTe_xx:xx:xx (e0:97:96:xx:xx:xx), Dst: Routerbo_xx:xx:xx (d4:ca:6d:xx:xx:xx)
802.1Q Virtual LAN, PRI: 7, CFI: 0, ID: 6
PPP-over-Ethernet Discovery
    0001 .... = Version: 1
    .... 0001 = Type: 1
    Code: Active Discovery Offer (PADO) (0x07)
    Session ID: 0x0000
    Payload Length: 41
    PPPoE Tags
        Host-Uniq: 00dc0001
        PPP-Max-Payload: 05dc
        AC-Name: 195.xxx.xxx.xxx

Tue Nov 10, 2015 11:34 pm

jarda - Winbox is too large to store it on router. Since there are flash directories on routers for a while now and HDD space is limited we decided to store Winbox on our download site. Any way Winbox is portable tool and even if you do not have internet access and you want to use router, then there is always Webfig, CLI and you can carry Winbox on your USB drive.

I can understand that. I also have the winbox on my computer for such reason. But I liked the possibility to grab the winbox directly from any ros device (excluding smips due to low disk space). There is no need to spare 1,5MB on devices having 64MB or more flash.

Why not to have winbox as separate package, preinstalled by default in devices that has enough space for it and without it on low space devices?

Tue Nov 10, 2015 11:36 pm

The Dude is loosing interest in RouterOS devices. The package information was lost before in the device list (tab RouterOS) - now also the RouterOS version is gone. This view was a great help for updates.
Are there such changes in some API or is it gone by mistake?

I do not see this behaviour on my laboratory devices. It looks correctly like with previous versions.

kemerovo · Wed Nov 11, 2015 3:35 am

to my messages and no one answers , it's sad((

shinobi · Wed Nov 11, 2015 7:16 am

chg123 - Have you used Branding maker to modify this router? Winbox is not saved on router any more. It is on our server and you should be directed to http://www.mikrotik.com/download/winbox.exe
Nope, I did not apply any branding maker. The Winbox link on the routers site still goes to the dead local winbox.exe link.

Really sad.
Please post a screenshot of the problem. Which Winbox link specifically is not working

on my CCR the link is correct, but on x86 and mipsbe the link refer to router itself:

winbox link.jpg

Genkun · Wed Nov 11, 2015 7:33 am

winbox.exe went from 125KB to 1620KB so I can understand that.
not so easy to understand why it increased so much in size...
I guess they changes the core of WinBox architechture. WinBox used to download (and cache) a set of DLLs from the router on connect, one DLL per RouterOS package (i.e. system, wireless, security, etc.). Those DLLs is what actually implements UI for a particular package. WinBox 3 does not appear to be doing that any longer. Mikrotik devs, I guess, moved all the logic into the WinBox itself. That means they also introduced a new way for WinBox and the router to communicate which configuration options are available in the RouterOS version you are connected to at the moment. The main advantage of this approach is it will allow (sooner or later) Mikrotik guys to make WinBox truly portable without the need in Wine or similar crutches.

If there is a chance for a really portable winbox please launch a natively looking mac version soon!

No

Wed Nov 11, 2015 8:49 am

shinobi - Can you test with another browser or clear cache? At this point it seems that cache might be causing this issue.

rac · Wed Nov 11, 2015 11:34 am

The Dude is loosing interest in RouterOS devices. The package information was lost before in the device list (tab RouterOS) - now also the RouterOS version is gone. This view was a great help for updates.
Are there such changes in some API or is it gone by mistake?
I do not see this behaviour on my laboratory devices. It looks correctly like with previous versions.

In my screenshot the "white labeled versions" have been updated to 6.33 and the last column lost it's content I think about half a year ago.

Dude.jpg

war3boy · Wed Nov 11, 2015 12:16 pm

I have a weird issue that , my CPU keep spam up to 50% and then it will start over.
Even router in IDLE mode it is still spamming up to 50%.

Anyone facing this issue before? I have no clue what is happening on this.
CPU.PNG
Open "Tool -> Profile" and see what is causing it.

It is management that causing it.

CaptureProfile.PNG

snoozer · Wed Nov 11, 2015 12:36 pm

Hi,

I have updated a CCR1036-12G-4S from 6.32.3 to 6.33 this morning at 06:00 ish and just now (4h later) the router rebooted for no apparent reason.

remote syslog shows only:
Nov 11 10:09:28 [IP-Addrsss] system,error,critical router was rebooted without proper shutdown

Have other people have experience sudden reboots ? I can rule out a power issue.

Regards
Jan

shinobi · Wed Nov 11, 2015 2:02 pm

shinobi - Can you test with another browser or clear cache? At this point it seems that cache might be causing this issue.

indeed before posting here, i did that. in IE, Firefox and also google chrome. sure it's not cached.

Wed Nov 11, 2015 2:31 pm

The Dude is loosing interest in RouterOS devices. The package information was lost before in the device list (tab RouterOS) - now also the RouterOS version is gone. This view was a great help for updates.
Are there such changes in some API or is it gone by mistake?
I do not see this behaviour on my laboratory devices. It looks correctly like with previous versions.
In my screenshot the "white labeled versions" have been updated to 6.33 and the last column lost it's content I think about half a year ago.

As I said, not a problem in my case:

Dude-devices-6.33.jpg

Maybe some other problem you have than general problem of v 6.33...

Wed Nov 11, 2015 2:41 pm

We plan to make a new Dude release this year, it should fix this, and many other bugs that have been gathered over the last years. Please post about RouterOS v6.33 and make new Dude posts in a separate thread.

Chupaka · Wed Nov 11, 2015 2:43 pm

indeed before posting here, i did that. in IE, Firefox and also google chrome. sure it's not cached.

checked my x86 installation - the link points to mikrotik.com...

We plan to make a new Dude release this year

yahooo!!!

Wed Nov 11, 2015 3:03 pm

shinobi - Please send supout file to support@mikrotik.com

napismizpravu · Wed Nov 11, 2015 4:12 pm

RB433UAH (power 24V 2A) 6.33 ; 6.34rc3

After several versions reappeared error USB Flash disk.

doush · Wed Nov 11, 2015 4:27 pm

We plan to make a new Dude release this year, it should fix this, and many other bugs that have been gathered over the last years. Please post about RouterOS v6.33 and make new Dude posts in a separate thread.

Man ...
Best news. Thanks a lot.

Kraken2k · Wed Nov 11, 2015 5:19 pm

Updated 3 days ago... I really hoped that route cache overflow issue will be solved by this update but... no

the issue was reported more than 4 years ago, not just once and repeatedly with no fix, workaround or even finding the source of this issue.

If you put it together: there is a "feature" called ip route cache, which cannot be printed (so you don't know what is inside), cannot be flushed without router reboot and just constantly grows, despite the fact you turned it off in the ip settings. The only thing you can do is just sit back and watch it growing until its max value (you can't change that one either) is reached and your device stops all IPv4 traffic and force you to restart it every three or four days at least. Pretty frustrating after all those months if you ask me.

Reported by myself to MT support 3 months ago... Ticket number #2015081766000633 but they were unable to help or identify the cause if this issue. Seriously, I ran out of ideas.

Wed Nov 11, 2015 5:52 pm

We plan to make a new Dude release this year...

This year? Does it mean year 2015 as usually counted on this planet - after the born of Jesus Christ?

Holy Jesus! Lets go to pray for Dude!

pe1chl · Wed Nov 11, 2015 8:08 pm

My ISP does have support for RFC4638 and reports a max payload of 1500 bytes.

So it looks like its implementation is broken in the router

Let's see what the result of the ticket is. For now I will not update...

changeip · Wed Nov 11, 2015 11:08 pm

This frees up a lot of space in the router, and ensures you always get newest Winbox. When you have no access to internet, you still have Webfig, which is 1:1 in layout and features.

So how do you move firewall / other rules in webfig? There is no re-ordering capability as far as I can tell so I have to keep using winbox.

Chupaka · Wed Nov 11, 2015 11:23 pm

So how do you move firewall / other rules in webfig? There is no re-ordering capability as far as I can tell so I have to keep using winbox.

well, I drag it - and it moves

just like in WinBox...

105547111 · Thu Nov 12, 2015 2:32 am

We plan to make a new Dude release this year, it should fix this, and many other bugs that have been gathered over the last years. Please post about RouterOS v6.33 and make new Dude posts in a separate thread.

New Dude - ah

kemerovo · Thu Nov 12, 2015 3:34 am

We plan to make a new Dude release this year, it should fix this, and many other bugs that have been gathered over the last years. Please post about RouterOS v6.33 and make new Dude posts in a separate thread.

I hope in the new release will be finalized multicast and IGMP, I'm tired to use routers from other manufacturers for normal viewing of IPTV wi-fi, 'cause when I start viewing HD IPTV via wi-fi picture fray and computers from the local network do not meet , and in the log File, pops up a message that the loop can be as soon as I switch off all IPTV continues to operate normally , I ask you to correct this problem please:

Thu Nov 12, 2015 8:48 am

*) l2tp: implemented PPPoE over L2TP in LNS mode, RFC3817;

example configuration please.

As far as my testing goes (I'm not an expert in this all LNS/LAC stuff), configuration looks straight forward
There are new menu:

/ppp l2tp-secret

You need to specify IP address of remote end where L2TP will be created to.

pppoe packet Pre-Authorization feature is not supported atm, but is coming soon

WDS · Thu Nov 12, 2015 9:16 am

on my CCR the link is correct, but on x86 and mipsbe the link refer to router itself:
winbox link.jpg

I have the same situation on my RB951G-2HnD. The link points to the local winbox storage on the router and is actually dead (404). Tried different browsers, for sure this is not cache issue.

But on another device mAP 2n the link works and points to mikrotik website download location.

And yes, I fully support Jarda on the proposal to make a separate package with winbox so it could be installed on a router as an optional module for those who need it I'm one of them, actually.

Thu Nov 12, 2015 10:10 am

pe1chl - It is already fixed in 6.34rc:
http://forum.mikrotik.com/viewtopic.php ... 05#p507126
http://www.mikrotik.com/download

okoun · Thu Nov 12, 2015 10:12 am

Hello, it is not working on the latest version 6.33 radius requirement Coa. I do not know if I have something of a special turned on routerboard except incoming. Routerboard after sending this command:

echo "User-Name=test" | /usr/bin/radclient -d /etc/freeradius/ -r 2 -x 10.55.1.54:3799 coa "mikrotik-rate-limit=10M/10M 20M/30M 950k/9500k 2000/20000" "secret"

just writes bad request the counter icoming.

Thu Nov 12, 2015 10:49 am

when I start viewing HD IPTV via wi-fi picture fray and computers from the local network do not meet

Try enabling multicast helper in your wireless interface settings. Please note that 'default' means 'disabled' currently.

Thu Nov 12, 2015 10:53 am

Routerboard after sending this command:
Code: Select all
echo "User-Name=test" | /usr/bin/radclient -d /etc/freeradius/ -r 2 -x 10.55.1.54:3799 coa "mikrotik-rate-limit=10M/10M 20M/30M 950k/9500k 2000/20000" "secret"
just writes bad request the counter icoming.

You probably need to supply RADIUS attributes (like 'Acct-Session-Id') to identify a particular user session, not just the user itself. Haven't tried it myself, just guessing.

Thu Nov 12, 2015 2:38 pm

shinobi - We managed to reproduce your problem with Winbox link. It is now reported to our developers. It should be fixed in next version. Thank you!

pe1chl · Thu Nov 12, 2015 7:21 pm

pe1chl - It is already fixed in 6.34rc:
http://forum.mikrotik.com/viewtopic.php ... 05#p507126
http://www.mikrotik.com/download

It was also an item for user Xyl.
Will the fix be in 6.34 only or will there be a 6.33.x version that fixes it too?
(so I know to skip 6.33 if not)

barmaley · Fri Nov 13, 2015 6:24 am

updated yesterday

ntp server disappeared in 6.33

[...@MikroTik] > /system ntp
client export

no announcement in a change log

Fri Nov 13, 2015 7:00 am

pe1chl - Of course, it will be included in next bug-fix version as it is a fix for a bug not a new feature.

Fri Nov 13, 2015 10:26 am

updated yesterday

ntp server disappeared in 6.33

[...@MikroTik] > /system ntp
client export

no announcement in a change log

did you include the NTP server package when you updated? is it enabled?

chg123 · Fri Nov 13, 2015 11:02 am

chg123 - Have you used Branding maker to modify this router? Winbox is not saved on router any more. It is on our server and you should be directed to http://www.mikrotik.com/download/winbox.exe
Nope, I did not apply any branding maker. The Winbox link on the routers site still goes to the dead local winbox.exe link.

Really sad.
Please post a screenshot of the problem. Which Winbox link specifically is not working

Here's the Screenshot. What you cannot see is my mouse pointer hovering over the winbox icon. On the left bottom you see the URL behing this icon which is http://{routerip}/winbox/winbox.exe
[attachment=0]winboxlink.PNG[/attachment

I would like to suggest that the router hosted winbox.exe is an OPTION. Alle the folks with small memory size routers can save space and on all bigger devices winbox can be added as a package or in any other convenient way.

Webbox definitely IS A GREAT alternative. But once you get into trouble with IP addresses and need mac based communication or just want to "inspect" the available devices webbox comes to its end. Also the terminal of webbox does not run as rock solid as the one inside winbox.

I would REALLY appreciate a native Mac version of Webbox.]

Fri Nov 13, 2015 11:14 am

Looks like you will need to Netinstall the device to replace some old/incorrect HTML file with the new one that links to correct winbox

bondkbc · Fri Nov 13, 2015 12:31 pm

Hi, I have problem with queues and download limit when its updated to v6.33. I'll upload you a picture to see. When I disable a fasttrack its start to working. It's a big problem for me becouse I have a lot of RB with that version.

problem.jpg

Fri Nov 13, 2015 1:28 pm

bondkbc - That is whole point of FastTrack. If connection is "fasttracked" then it will not be checked by other firewall rules and queues.

zojka · Fri Nov 13, 2015 4:06 pm

Problem with connection via PPTP in 6.33 for x86, correct login and password but got error 619 or 628.
It's looks like the same problem as 6.31 fixed in 6.32

I downgraded to 6.32.2 and works fine

Abdock · Fri Nov 13, 2015 7:42 pm

I am using Radius manager API dynamic speed, and it was working till 6.30.2 and then when i upgraded in between it broke today i was trying to troubleshoot and finally decided to downgrade and it started working again, whats changed in 6.30.2 > anybody else noticed this ?

thanks,

Chupaka · Sat Nov 14, 2015 12:46 am

Probably, it's changing dynamic queues' parameters, and now dynamic queues are read-only. You should switch to newly-added CoA

rextended · Sat Nov 14, 2015 12:55 pm

updated yesterday

ntp server disappeared in 6.33

[...@MikroTik] > /system ntp
client export

no announcement in a change log
did you include the NTP server package when you updated? is it enabled?

NTP package are missing from smips only.
The user not specify what routerboard try to use.

I have try to access branding maker page to fix the html link on my branded pages, from
/winbox/winbox.exe (for non-smips)
or
http://mt.lv/winbox (for smips)

to

http://www.mikrotik.com/download/winbox.exe

I can successfully login and I see some of my device,
but on branding maker page i do not see any item,
and when I click on log out this message appear:

"Access Denied! (email address of user 0 is banned)"

This error appear also if I simply log in and log out on www.mikrotik.com account page.

The branding page are down because you are working on it?

Thanks.

oyermolenko · Sat Nov 14, 2015 3:34 pm

Hi, All,

Mikrotik RB750Gr2, upgraded to 6.33

still observed this strange issue:

working through LAN interface !
1. from "quick set":
1.1 change mode from dhcp to static
1.2 enter correct IP/mask/gateway/dns (for example, 8.8.8.

!!!
2. apply configuration.

there is no internet access.

investigation: observing "unreachable" status on default route

3. enter any diff dns server (for example, 8.8.4.4) and apply configuration again.
And ... what do you think ? ... default route became reachable ...

strange ...
To sum up:
- wan mode change can be completed only from LAN and in two steps ...

tensink · Sun Nov 15, 2015 6:30 pm

My CRS125-24G-1S-2HnD (mipsbe) is currently running RouterOS v6.30.1. When I try to use the "Check For Upgrades" option it returns "Could not resolve address upgrade.mikrotik.com". The DNS servers are configured to 8.8.8.8 and 8.8.8.4. What should I do to solve this?

cdemers · Sun Nov 15, 2015 11:42 pm

Check your gateway settings, can you do a traceroute?

Sent from my Nexus 5 using Tapatalk

Mon Nov 16, 2015 1:19 am

Probably router asks DNS server from interface which is not NATed or masquaraded properly and DNS's responses are "lost in space".

Neilson · Mon Nov 16, 2015 8:47 am

My CRS125-24G-1S-2HnD (mipsbe) is currently running RouterOS v6.30.1. When I try to use the "Check For Upgrades" option it returns "Could not resolve address upgrade.mikrotik.com". The DNS servers are configured to 8.8.8.8 and 8.8.8.4. What should I do to solve this?

Just a note (don't think this will help with your issue of not finding the server) but the second server should be 8.8.4.4 (2 8's and 2 4's). Hopefully this may help with DNS stability.

Regards
Alexander

saaremaa · Mon Nov 16, 2015 11:42 am

Hello, it is not working on the latest version 6.33 radius requirement Coa. I do not know if I have something of a special turned on routerboard except incoming. Routerboard after sending this command:
Code: Select all
echo "User-Name=test" | /usr/bin/radclient -d /etc/freeradius/ -r 2 -x 10.55.1.54:3799 coa "mikrotik-rate-limit=10M/10M 20M/30M 950k/9500k 2000/20000" "secret"
just writes bad request the counter icoming.

I send commands from the server to the NAS mikrotik

echo "User-Name=pppoeuser-1, NAS-IP-Address=123.17.8.34,Mikrotik-Rate-Limit = '1M 1536k 768k 8 8 1M'," | radclient -r 2 123.17.8.34:3799 coa  drowssap

And I get answers

Received response ID 198, code 44, length = 45
        NAS-Identifier = "KGD-123-17-8-34"
        NAS-IP-Address = 123.17.8.34

In simple queue automatically appears constraint pppoe user-1. Everything is working. Check the command syntax, available port radius and password

karwos · Tue Nov 17, 2015 1:05 am

Dear support,

FIRST of ...

SFP DDM has gone in this (or some of previous) version.
I could read DDM data normally from my SFP modules (AscentOptics OEM, branded and popular in Poland like OPTON, OPTEC, etc) from other devices, like :

Transceiver type: SFP or SFP+
Transceiver: 1000BASE-LX
Length: 3 Km [ Single Mode ]
550 m (OM1) / 550 m (OM2) / 0 m (OM3) [ Multi Mode ]
Speed: 1250 Mb/s
Wavelength: 1310 nm
Connector Type: SC
Vendor name: OEM
Vendor part number: AOPB-3524S-R03
Vendor revision: A0
Vendor serial number: S1235041040266
Product date: 141022
DDM Temperature: 36.5352 C (Warn :-128.0000 / -128.0000) DEFAULT
(Alarm:-128.0000 / -128.0000) DEFAULT
DDM Vcc: 3.3384 V (Warn : 0.0000 / 0.0000) DEFAULT
(Alarm: 0.0000 / 0.0000) DEFAULT
DDM TX bias: 12.8860 mA (Warn : 0.0000 / 0.0000) DEFAULT
(Alarm: 0.0000 / 0.0000) DEFAULT
DDM TX power: -10.0130 dBm (Warn : -40.0000 / -40.0000) DEFAULT
(Alarm: -40.0000 / -40.0000) DEFAULT
DDM RX power: -13.0364 dBm (Warn : -15.0000 / -8.0000) ADMIN
(Alarm: -19.0000 / -6.0000) ADMIN
DDM power state: TX ON RX ON

I'm attaching memory map for my modules - maybe you can add support for them. (should be quite easy)

AscentOptics.png

SECOND of ...

Can you consider in next release, loading operator logo (in format like PNG) and showing it off during slideshow on LCD ? It's could be quite usefull for some configurations.

Best Regards

marcin21 · Tue Nov 17, 2015 6:06 pm

Dear Mikrotik staff!
I use PPPoE for client authorization since 2003. As I succesfully migrated from our linux based pppoe concentrators to mikrotik few years later I started to rely on routeros.
I devoloped way to work on queues to achieve desired effect. because I couldn't go with radius parameters since mikrotik didn't support them I did a workaround.
few years of optimizing solution and now my work is being smashed to dev/null because You disable possiblity of editinig queues? option is disabled and forces me to do work opposite way I did for last few years. My scripts doesn't work anymore and had to downgrade from 6.33 to 6.30.4. Is there an option to use old way accesiible queues or do I have to stick to 6.30.4 forever?

Kindis · Tue Nov 17, 2015 11:09 pm

My CRS125-24G-1S-2HnD (mipsbe) is currently running RouterOS v6.30.1. When I try to use the "Check For Upgrades" option it returns "Could not resolve address upgrade.mikrotik.com". The DNS servers are configured to 8.8.8.8 and 8.8.8.4. What should I do to solve this?

I get the same error and the reason I get it is because I have a drop rule for all traffic in input chain last in my firewall. If I disable this rule check for updates work.

barmaley · Wed Nov 18, 2015 8:22 pm

did you include the NTP server package when you updated? is it enabled?

updated packages from separate download file, no luck.

CRS125-24G-1S
Current firmware: 3.24
Architecture name :Mipsbe
Version:6.33 (stable)

/system package print
Flags: X - disabled
# NAME VERSION SCHEDULED
0 routeros-mipsbe 6.33
1 system 6.33
2 X wireless-cm2 6.33
3 X ipv6 6.33
4 X wireless-fp 6.33
5 hotspot 6.33
6 dhcp 6.33
7 mpls 6.33
8 routing 6.33
9 ppp 6.33
10 security 6.33
11 advanced-tools 6.33

Pea · Wed Nov 18, 2015 9:33 pm

The mipsbe v6.33 and ntp package works fine.
Did you try to upload separate ntp-6.33-mipsbe.npk and reboot?
If yes, what was the log report?

whitbread · Wed Nov 18, 2015 9:52 pm

Strange behaviour here - action timed out:

When changing interfaces the following appears after a long while:

2015-11 Mikrotik Winbox Error Could not change interface.JPG

Same issue in the console:

2015-11 Mikrotik Console Error Could not change interface.JPG

Supout.rif already provided to Support.

Thu Nov 19, 2015 10:03 am

v6.33.1 is released, please use this version for current!
http://forum.mikrotik.com/viewtopic.php?f=1&t=102335

Who is online