v6.36rc [release candidate] is released, wireless-fp package is discontinued!

Tue Apr 19, 2016 3:29 pm

Note: wireless-fp package is discontinued in this version. It needs to be uninstalled/disabled before upgrade. Use wireless-rep or wireless-cm2 instead.

What's new in 6.36rc3 (2016-Apr-19 11:33):

*) bonding - do not corrupt bonding statistics on configuration changes;
*) bonding - fixed crash when vlan parent mtu is higher than bonding mtu;
*) ethernet - do not allow mtu to be higher than l2mtu and l2mtu to be higher than max-l2mtu (reduce automatically on upgrade if it was wrong before);
*) firewall - added udplite, dccp, sctp connection tracking helpers;
*) switch - fixed switch compact export;
*) traffic-flow - added ipfix support (RFC5101 and RFC5102);
*) wireless - wireless-fp is discontinued, it needs to be uninstalled/disabled before upgrade;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

gius64 · Tue Apr 19, 2016 3:53 pm

PLEASE make wireless-fp auto replaced by wireless-cm2. Otherwise it will be a pain to upgrade all CPEs in the network to 6.36

And... Could you please release a changelog for wireless-fp -> wireless-cm2?

kometchtech · Tue Apr 19, 2016 4:27 pm

have the USB disk is not detected by the RB3011.

[Ticket#2016041966000617]

Tue Apr 19, 2016 4:33 pm

PLEASE make wireless-fp auto replaced by wireless-cm2. Otherwise it will be a pain to upgrade all CPEs in the network to 6.36
And... Could you please release a changelog for wireless-fp -> wireless-cm2?

You can install cm2 before update. Then switch the packages and update afterwards. I agree that automatic wireless packages switch during the update would be much more convenient.

gius64 · Tue Apr 19, 2016 4:43 pm

PLEASE make wireless-fp auto replaced by wireless-cm2. Otherwise it will be a pain to upgrade all CPEs in the network to 6.36
And... Could you please release a changelog for wireless-fp -> wireless-cm2?
You can install cm2 before update. Then switch the packages and update afterwards. I agree that automatic wireless packages switch during the update would be much more convenient.

Sure, but you have to manually (or automatically in batch) change package.
It's not so simple and you have to schedule both wireless package change and RouterOS upgrade.

Tue Apr 19, 2016 4:44 pm

Could you please release a changelog for wireless-fp -> wireless-cm2?

As far as I'm aware the only major difference between the two is the supported version of CAPsMAN. Otherwise they should be functionally equivalent. If you happen to used CAPsMAN v1, there are upgrade instruction on the wiki.

Tue Apr 19, 2016 4:47 pm

you have to schedule both wireless package change and RouterOS upgrade.

That's true, but you don't have to do that at the same time- start doing the former now already, if you feel like.

Having said that, automatic upgrade from old wireless or wireless-fp to wireless-cm2 would be much appreciated, of course.

doneware · Tue Apr 19, 2016 6:25 pm

Could you please release a changelog for wireless-fp -> wireless-cm2?
As far as I'm aware the only major difference between the two is the supported version of CAPsMAN. Otherwise they should be functionally equivalent. If you happen to used CAPsMAN v1, there are upgrade instruction on the wiki.

yes, but doing auto-upgrade with manually added packages (e.g. not the bundled in main package) will fail as wireless-fp-x.xx-arch.npk will not be on the distribution site.

anuser · Tue Apr 19, 2016 10:36 pm

I´d like to request a feature for wireless-rep package:

- Is it possible to show the username (beside the MAC address) for all connected clients within CAPSMAN window?
(It would be helpful to see on which access point a client is connected when users calling support and complains about connectivity issues they have...)

105547111 · Wed Apr 20, 2016 12:10 am

Can on 6.36 final release a forced changeover from wireless-fp to wireless-cm2?

whyfly · Wed Apr 20, 2016 5:46 am

I´d like to request a feature for wireless-rep package:

- Is it possible to show the username (beside the MAC address) for all connected clients within CAPSMAN window?
(It would be helpful to see on which access point a client is connected when users calling support and complains about connectivity issues they have...)

+1

I have a few more requests:
Is it possible to show CCQ for each connected client? Or dropped / retransmitted frames percentage?
Is it possible to perform background scan for each remote radio?
(It would be helpful to see connection quality statistics as well as channel usage statistics within CAPSMAN window)

anuser · Wed Apr 20, 2016 9:35 am

Let´s summarize the feature requests for wireless-rep:

Is it possible to show CCQ for each connected client? Or dropped / retransmitted frames percentage?
Is it possible to perform background scan for each remote radio?
(It would be helpful to see connection quality statistics as well as channel usage statistics within CAPSMAN window)

show the username (beside the MAC address) for all connected clients within CAPSMAN window?
)

+ vendor OUI auto naming
+ custom names for CAP devices
+ centralized ressource monitoring / statistics ([CPU, RAM, amount of connected clients for each CAP device], total amount of connected devices, frequency band usage, "rogue devices" using the same frequency band or the same SSID per CAP device,...)

Wed Apr 20, 2016 10:10 am

+ custom names for CAP devices

What do you mean? Is '/system identity' on a CAP device not what you need?

nkourtzis · Wed Apr 20, 2016 12:17 pm

Let´s summarize the feature requests for wireless-rep:
Is it possible to show CCQ for each connected client? Or dropped / retransmitted frames percentage?
Is it possible to perform background scan for each remote radio?
(It would be helpful to see connection quality statistics as well as channel usage statistics within CAPSMAN window)

show the username (beside the MAC address) for all connected clients within CAPSMAN window?
)
+ vendor OUI auto naming
+ custom names for CAP devices
+ centralized ressource monitoring / statistics ([CPU, RAM, amount of connected clients for each CAP device], total amount of connected devices, frequency band usage, "rogue devices" using the same frequency band or the same SSID per CAP device,...)

My post with CAPsMAN feature requests in the 6.35rc thread:

Requests for CAPsMAN bug fixes and new features, based on my experience with the current RC version:

1. {Nice to have} Add "CCQ", P Throughput" and "Signal to Noise", "Encryption" and "Group Encryption" and "WMM Enabled" fields to CAPsMAN Registration Table.

2. {Feature} Add "Frequency Mode", "WMM Support", "Multicast Buffering", "Keepalive frames", "Adaptive Noise Immunity" and "AMPDU Priorities" to CAPsMAN Config Settings.

3. {BUG} Make "Multicast Helper=full" in CAPsMAN slave interfaces work (now the interfaces stay in default setting).

4. {BUG} Make "Country=no_country_set" work on CAPsMAN 5GHz 802.11ac interfaces (it works on 2.4GHz, but on 5GHz ones it results in "no supported band" error message, regardless of the band and frequency settings).

5. {Feature} Add a scan/freq usage feature in CAPsMAN, with an aption to run in the background. Right now, if one wants to scan, they have to detach the physical interface from the Manager, do the scan and re-attach it. [In the future, use this info to auto-adjust CAP channels and power levels.]

6. {Annoying} Stop CAPsMAN from creating virtual interfaces on CAPs with name "wlanXXX" where XXX is a number which is incremented every time the interface is disabled and re-enabled.

7. {Nice to have} Let the user rename the virtual interfaces on the CAPs, like he/she can do with physical interfaces.

nkourtzis · Wed Apr 20, 2016 12:22 pm

Also: Since upgrading from 6.35rc48 to 6.35, my hAP acting as CAPsMAN loses the association with some of the CAPs after a few hours (<1 day), even though the CAPs are accessible from the hAP. The CAPs that have dissassociated stop publishing any wlans. A reboot of the problematic CAPs fixes the problem: they appear again in the "Remote CAP" table. This has happened three times within two days, while had never happened before. I don't know whether this is of any relevance, but free disk space on the hAP is low, to about 1.4MB, even though there are no files taking up any significant space. Sometimes I even get error messages from User Manager because of low space.

All devices are running on 6.35 stable.

I am publishing this here because it has to be worked on in this version.

Wed Apr 20, 2016 2:10 pm

nkourtzis, this problem is reproduced and fixed. We hope we will be able to release a fixed version today.

honzam · Wed Apr 20, 2016 3:08 pm

Can on 6.36 final release a forced changeover from wireless-fp to wireless-cm2?

+1

jondavy · Wed Apr 20, 2016 4:31 pm

please add into the CapsMan Registration Table fields:
CCQ, RadioName, Distance,
and the option to scan for free frequencies for each cap
and also the Channel Width 10mhz

I use CapsMan to have a centralized management of all my sectors and customers with SXT of my Wisp
so the request of the CCQ and RadioName
and in some sector still in use migrated 10mhz

nkourtzis · Wed Apr 20, 2016 4:44 pm

nkourtzis, this problem is reproduced and fixed. We hope we will be able to release a fixed version today.

Good news, but...

When was this bug introduced and how did it make it into the "stable" version? It is not a rare bug. Possibly you should start remaining to the last RC, the one which can ACTUALLY be named Release Candidate, for a few days without making any further additions, just bug fixing, before releasing it as stable. Even from rc48 and rc49 to the stable, there were additions which could introduce new bugs.

Wed Apr 20, 2016 5:13 pm

When was this bug introduced and how did it make it into the "stable" version?

What you call "stable" is called "bugfix only" by Mikrotik guys. And it is version 6.32.4 at the moment. Please read release branch descriptions at the top of official download page. CAPsMAN is rock solid in 6.32.4 with wireless-cm2 for me.

Wed Apr 20, 2016 5:33 pm

please add CCQ for clients on registration table of caps manager

Wed Apr 20, 2016 5:35 pm

MikroTik RouterOS v6.36rc4 is released.

What's new in 6.36rc4 (2016-Apr-20 12:46):

*) arp - added arp-timeout option per interface;
*) log - fixed reboot log messages;
*) traffic-flow - added ipfix support (RFC5101 and RFC5102);
*) tunnel - added option to auto detect tunnel local-address;
*) wireless - fixed issue when CAPsMAN could lock CAPs interface;
*) wireless-rep - fixed scan-list unset;
http://www.mikrotik.com/download

Thu Apr 21, 2016 2:13 am

*) traffic-flow - added ipfix support (RFC5101 and RFC5102);

Hi Sergejs,

It is great to see IPFIX being added to RouterOS

Does the added IPFIX feature have the Layer2 features of IPFIX ? e.g. can it export flows for traffic traversing a bridge ?

GreySer · Thu Apr 21, 2016 9:40 am

MikroTik RouterOS v6.36rc4 is released.
*) tunnel - added option to auto detect tunnel local-address;

How it can be used? I have not found in winbox anywhere.

Thu Apr 21, 2016 12:35 pm

We will adjust Winbox in future rc releases.

GreySer · Thu Apr 21, 2016 1:00 pm

We will adjust Winbox in future rc releases.

ОК.
In the terminal mode it is still also unavailable?

janisk · Thu Apr 21, 2016 1:04 pm

it would be something like this example for tunnelbroker 6to4:

/interface 6to4 add local-address=0.0.0.0 remote-address=192.168.88.1

GreySer · Thu Apr 21, 2016 1:15 pm

it would be something like this example for tunnelbroker 6to4:
Code: Select all
/interface 6to4 add local-address=0.0.0.0 remote-address=192.168.88.1

Work with 6to4, but not with gre or ipip existing tunnels.

docmarius · Thu Apr 21, 2016 2:49 pm

it would be something like this example for tunnelbroker 6to4:
Code: Select all
/interface 6to4 add local-address=0.0.0.0 remote-address=192.168.88.1

Any hope to get IPIP point to multipoint tunnel interfaces like in GNU/Linux?

/interface ipip add local-address=11.22.33.44 remote-address=0.0.0.0 name="ipip1"

With destination address selected by routes, something like:

/ip route add dst-address=10.0.1.0/24 gateway=1.2.3.4%ipip1
/ip route add dst-address=10.0.2.0/24 gateway=2.3.4.5%ipip1

where the gateway actually encodes the peer IP and the interface for that specific subnet.

The kernel IPIP module supports this out of the box, which is probably also true for the kernel you use in ROS:

/ip tunnel add ipip1 mode ipip local 11.22.33.44
/ip route add 10.0.1.0/24 via 1.2.3.4 dev ipip1
/ip route add 10.0.2.0/24 via 2.3.4.5 dev ipip1

Siona · Thu Apr 21, 2016 3:07 pm

Is it possible to implement NDIS support for LTE - USB modems in upcoming releases?

nadeu · Thu Apr 21, 2016 5:20 pm

Poor performance between 2 CCR 1072...

Bandwith test with direct 10G connected, from one CCR to another, DIRECT CABLE, no switches no nothing.

Same configuration on both:
L2MTU: 9216
MTU: 9000

[admin@ICMAN02] > /tool bandwidth-test protocol=tcp address=10.1.2.7 user=admin password=somepassword
status: running
duration: 11s
rx-current: 484.9Mbps
rx-10-second-average: 690.3Mbps
rx-total-average: 700.7Mbps
random-data: no
direction: receive

[admin@ICMAN02] > /tool bandwidth-test protocol=tcp address=10.1.2.7 user=admin password=somepassword direction=transmit
status: running
duration: 9s
tx-current: 622.0Mbps
tx-10-second-average: 785.6Mbps
tx-total-average: 785.6Mbps
random-data: no
direction: transmit

Both supout.rif are uploaded to my Mikrotik account, login is nadeu

Regards

mrz · Thu Apr 21, 2016 5:27 pm

Are you aware that BW test runs on single core? And single core is not capable of generating TCP traffic much more than that?

PtDragon · Thu Apr 21, 2016 10:56 pm

wireless - wireless-fp is discontinued, it needs to be uninstalled/disabled before upgrade;

Can you please tell exactly what should i use instead of it to still have fastpath enabled(as on CCR without it fastpath support was disabled)?
Or fastpath support migrated fully to main module now?

MartijnVdS · Thu Apr 21, 2016 11:01 pm

wireless - wireless-fp is discontinued, it needs to be uninstalled/disabled before upgrade;
Can you please tell exactly what should i use instead of it to still have fastpath enabled(as on CCR without it fastpath support was disabled)?
Or fastpath support migrated fully to main module now?

Both replacement modules (wireless-cm2 and wireless-rep) support fastpath.

As far as I understand, -cm2 and -rep contain everything that was in -fp and then some.

Fri Apr 22, 2016 8:09 am

Can you please tell exactly what should i use instead of it to still have fastpath enabled(as on CCR without it fastpath support was disabled)?

The only wireless package that does not support fastpath was old/regular "wireless", which was first removed from the bundle package lust July, then completely discontinued last December. All three "wireless-fp", "wireless-cm2" and "wireless-rep" do support fastpath. The major difference is -fp supports CAPsMAN v1 while -cm2 and -rep support CAPsMAN v2, and v1 is not compatible with v2 so you have to plan the migration in case you use CAPsMAN.

Fri Apr 22, 2016 10:17 am

Version 6.36rc5 has been released.

Changes since previous version:
*) arp - added arp-timeout option per interface;
*) log - fixed reboot log messages;
*) lte - do not allow to set multiple modes when it is not supported;
*) lte - fixed address acquisition on Huaweii LTE interfaces;
*) ntp - fixed time keeping on SXT ac, RB911L, cAP and wAP
*) traffic-flow - added ipfix support (RFC5101 and RFC5102);
*) winbox - show voltage in Health only if there actually is voltage monitor;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

dev246 · Fri Apr 22, 2016 11:16 am

Hi.

Is any chance to improve TCP performance on single session over IPSEC on IPIP/GRE tunnel in this version?
Now is max 40-80 Mbps per session regardless of device model (tested on CCR 1009 and CCR 1036).

Fri Apr 22, 2016 11:36 am

Hi.

Is any chance to improve TCP performance on single session over IPSEC on IPIP/GRE tunnel in this version?
Now is max 40-80 Mbps per session regardless of device model (tested on CCR 1009 and CCR 1036).

What encryption are you running?

We see close to 600mbit/s over EoIP/IPSEC with AES256-AES256-CBC on a CCR1036

Fri Apr 22, 2016 11:39 am

Why is LTE package not available for ARM architecture?

wombat · Fri Apr 22, 2016 12:09 pm

After upgrade the latest RC, RB 2011UiAS-2HnD

Fri Apr 22, 2016 12:15 pm

dev246 - Is any of CPU cores loaded 100%? Not total CPU load but load per CPU core.
wombat - This is 6.36rc topic. Upgrade to 6.36rc version where issue is fixed.

wombat · Fri Apr 22, 2016 12:22 pm

Hi,

on RB2011 is 6.36 RC it is only view from put above unit for see problems. On RB2011 with 6.36 i can't login at the moment only netinstall is way ..

kivimart · Fri Apr 22, 2016 1:59 pm

Hi.

Is any chance to improve TCP performance on single session over IPSEC on IPIP/GRE tunnel in this version?
Now is max 40-80 Mbps per session regardless of device model (tested on CCR 1009 and CCR 1036).
What encryption are you running?

We see close to 600mbit/s over EoIP/IPSEC with AES256-AES256-CBC on a CCR1036

Could you share that config?

Skickat från min Nexus 6P via Tapatalk

kometchtech · Fri Apr 22, 2016 3:13 pm

Routerboard mipsbe system raise the bootloop.

ROS6.36rc5

Beone · Fri Apr 22, 2016 3:20 pm

reboot loop as well on ccr1009 for v6.36rc5

Shak7 · Fri Apr 22, 2016 5:16 pm

reboot loop for me too on RB2011 for v6.36r5. Reverted to 6.35 using Netinstall to revive.
Again, wow... won't say more.

w0lt · Fri Apr 22, 2016 5:45 pm

Several RB751's and a 951G have locked up... WTF guys... Please, quit putting out software that locks up our units.

nadeu · Fri Apr 22, 2016 5:52 pm

Several RB751's and a 951G have locked up... WTF guys... Please, quit putting out software that locks up our units.

I don't know if Mikrotik hired a monkey to direct the development team, but going from bad to worse. Where is the stability of the branch 5? MikroTik is provoking nightmares to their "carrier users".

acung · Fri Apr 22, 2016 5:54 pm

v6.36r5 cause reboot loop on mAP2n, netinstall to v6.35

Fri Apr 22, 2016 5:54 pm

Calling mikrotik staff to be monkeys is not appropriate. Why are you installing rc versions? Keep the bugfix branch installed and don't touch working things.
If you would like to help mikrotik to fine tune the rc, you have to expect that the device will be frozen so netinstall will be the only solution. If you are not prepared for it, don't do it.
Making netinstall is question of 2 minutes...

paoloaga · Fri Apr 22, 2016 6:02 pm

RC software is for testing purposes, do not complain if your unit doesn't boot after upgrade. If you want to be useful, try to describe your problem to mikrotik's staff, so they can find and fix the bug that caused it.

w0lt · Fri Apr 22, 2016 6:16 pm

RC software is for testing purposes, do not complain if your unit doesn't boot after upgrade. If you want to be useful, try to describe your problem to mikrotik's staff, so they can find and fix the bug that caused it.

I have every right to complain if the software locks up my router !!

paoloaga · Fri Apr 22, 2016 7:15 pm

I have every right to complain if the software locks up my router !!

You have never been a programmer. Test software is far from perfect. Complex software can easily include deadly bugs. If you don't want your device to lock up, don't use RC, there are other two branches that suit you better.

w0lt · Fri Apr 22, 2016 11:19 pm

Thank you for your comments, but I must say..You do not know who I am, or what I am able to do. The one thing I am though is a customer, and so I EXPECT certain things.

If you don't want your device to lock up, don't use RC, there are other two branches that suit you better.

Are you speaking for Mikrotik as an authority of what will, and what won't lock up? Or should I just roll the dice?

If I ran a company like Mikrotik, I wouldn't want people to think that my product might include "deadly bugs".

Again, I thank you for your constructive(?) comments.

Nissarin · Sat Apr 23, 2016 1:57 am

Are you speaking for Mikrotik as an authority of what will, and what won't lock up? Or should I just roll the dice?
If I ran a company like Mikrotik, I wouldn't want people to think that my product might include "deadly bugs".

MT might not be rock solid and probably never will, not only it's extremely complicated system but also it's constantly evolving. That being said if you randomly upload RC version on your production system you can't really have right to complain, it says right at the top of the download page - "(...) Release candidate for testing the absolute latest builds in test environments".

Do you want to hear something constructive - use bugfix version in the future.

orangetek · Sat Apr 23, 2016 6:14 pm

@w0lt and nadeu,

Do you know what an RC is? It's a "Release Candidate" and its purpose is to be tested so that the developers know what doesn't work beyond the numerous configurations they have tried themselves. They cannot possibly try every config combination before they release a version and if they did, there would be no bugs and no RC. If you are installing these versions on a live production network then you guy's are the monkeys and i feel sorry for your customers.

Sun Apr 24, 2016 1:14 am

Thank you for your comments, but I must say..You do not know who I am, or what I am able to do.

The only thing we know about you is your bad behaviour.

The one thing I am though is a customer, and so I EXPECT certain things.

You should expect that official software releases work as they should. If not, you have right to complain.

Are you speaking for Mikrotik as an authority of what will, and what won't lock up? Or should I just roll the dice?

You can even roll two dices at once.

If I ran a company like Mikrotik, I wouldn't want people to think that my product might include "deadly bugs".

Who stops you to run your own software company ? Show us how to release software with no errors ? Each time.

Again, I thank you for your constructive(?) comments.

Thank you for your constructive complaints.

P.S.

Do you really blindly upgrade your working infrastructure to RC versions without any lab tests ?

ufm · Sun Apr 24, 2016 3:34 am

RC software is for testing purposes, do not complain if your unit doesn't boot after upgrade. If you want to be useful, try to describe your problem to mikrotik's staff, so they can find and fix the bug that caused it.

For example:
In forum branch about 6.35 verison MikroTik Support time to time says - "...issues are already fixed in 6.36rc"
My question about 6.35.1 with bugfixes - silent ignore.

Sun Apr 24, 2016 7:31 am

In rc are some errors fixed but new unknown errors are usually added. Therefore it is not expected to be stable.

Sun Apr 24, 2016 11:38 am

6.36rc5 kernel panics on boot on CCR 1036 even after a fresh netinstall

Sun Apr 24, 2016 7:48 pm

Each and every release we have to remind two things.

First of all, rc versions are nightly builds and are not completely tested. It means that each version can and must be tested only on devices which you are willing to Netinstall, if it will be necessary. Basically - just for testing.

Secondary, if you want to complain about specific things, then please create specific topic for that. This is 6.36rc version topic which is created for actual software related discussions to help MikroTik staff and our clients to get rid of problems within specific version - 6.36.

Support staff is actually very open minded and is open for suggestions. Send your requests, suggestions and complaints to support team, if problem is related to software in any way. Otherwise, please create separate topics and do not hijack topic within which people are actually tying to help each other.

As for rc version itself - we are not seeing reboot loops with this version in general. It must/should be related to configuration. Please send supout files and/or serial output to support@mikrotik.com so we can research this particular issue.

JimmyNyholm · Mon Apr 25, 2016 2:21 am

OK So I'm an idiot. Not Reading and just upgrading. What happens if I didn't disable the package?
I have one mAPLite upgraded and now it just boot loops. How do I apply a firmware reset on the unit?

Mon Apr 25, 2016 7:57 am

If you are talking about not disabling wireless package, then you can not upgrade until you have removed it. From which version did you upgrade? As we were telling in previous topics about other versions, there was a problem with upgrade but it is not an issue of 6.36rc. It was a problem with old version on which actually upgrade is performed.

Try to Netinstall device to this same rc version to see if problem was caused by old version or this new one:
http://wiki.mikrotik.com/wiki/Manual:Netinstall

Mon Apr 25, 2016 9:39 am

Reboot loop with 6.36rc5 version will be fixed within 6.36rc6 version. We will release it later today.

JimmyNyholm · Mon Apr 25, 2016 10:13 am

If you are talking about not disabling wireless package, then you can not upgrade until you have removed it. From which version did you upgrade? As we were telling in previous topics about other versions, there was a problem with upgrade but it is not an issue of 6.36rc. It was a problem with old version on which actually upgrade is performed.

Try to Netinstall device to this same rc version to see if problem was caused by old version or this new one:
http://wiki.mikrotik.com/wiki/Manual:Netinstall

Great Thanks. I will back down to 6.35, disable package and w8 for the new rc to come out. I'm eager to se what have been done with automatic tunnel ip selection..... May solve some of our pressing needs.

Mon Apr 25, 2016 10:58 am

Version 6.36rc6 has been released.

Changes since previous version:
*) ipsec - fix initiator modecfg dynamic dns;
*) nand - improved nand refresh feature to enhance stored data integrity;
*) route - fixed ospf by handling ipv6 encoded prefixes with stray bits;
*) watchdog - fixed reboot loop on startup (introduced in 6.36rc5);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Mon Apr 25, 2016 11:08 am

Nand refreshing was already implemented recently, am I right?
Oh. On kernel partition... Ok, I thought it was general refresh over all nand module.

emils · Mon Apr 25, 2016 12:32 pm

*) route - fixed ospf by handling ipv6 encoded prefixes with stray bits;

Looks like OSPF is not working properly with rc6 because of this fix. Please use with caution. This change will hopefully fix problems when two OSPFv3 neighbors are stuck in Exchange/ExStart states.

NetworkPro · Mon Apr 25, 2016 3:58 pm

I revived the CCR1072 by NetInstall with preserve configuration.

However now there is a problem with LCD: it is white and does not display anything.

6.36rc6

raffav · Mon Apr 25, 2016 6:05 pm

ATTENTION ON CHR

ON CHR under proxmox
after upgrade 6.36rc5 to rc6 cant ping, telnet, winbox
using hypervisor console can access it
but freeze if i try to use the ping tool
ip address print get no output
ip arp print get no output
need to ctrl +c to get back
since I don’t have connectivity to the chr I can’t export the supout file

w0lt · Mon Apr 25, 2016 6:33 pm

If you have a Routerboard that has the memory allocation to add an additional partition, then before you install any further RC firmware I would accomplish the following procedure.

1. Ensure you have ROS 6.35 (Stable) on Partition-0, if not upgrade or downgrade to it.
2. Select "Partition" off the left hand side menu, and "Add" an additional partition. This will cause the router to reboot, that's ok.
3. Once rebooted, select "Partition" off the menu, then select Partition-0, after that, copy Partition-0 to Partition-1. Once that's done, Save the Partition-0 "Config" to Partition-1
4. When this is done, you can upgrade to the latest RC firmware, and if it locks up, it should fallback to the Partition-1 firmware.

At the very lease, you can recover your box. Hope this might help, it has helped me.

-tp

alexjhart · Mon Apr 25, 2016 9:08 pm

Hi.

Is any chance to improve TCP performance on single session over IPSEC on IPIP/GRE tunnel in this version?
Now is max 40-80 Mbps per session regardless of device model (tested on CCR 1009 and CCR 1036).
What encryption are you running?

We see close to 600mbit/s over EoIP/IPSEC with AES256-AES256-CBC on a CCR1036

I have a long open ticket with Mikrotik on this issue. I'm guessing you are using an application that is sensitive to packet loss and/or you have latency above a few milliseconds.

The problem is the hardware encryption driver (on CCR that means aes-*-cbc encryption) encrypts/sends packets out of order. This results in the client seeing packet loss, duplicate acks, out of order packets, etc, which cause performance issues with TCP (some benchmarking/real world traffic shows about 50% of packets are retransmits and duplicate acks). How much depends on a variety of things (like application, tcp window, latency, etc). Because of this, I actually use software encryption (aes-256-ctr) instead because I see about 10x faster single-threaded transfers. Here are some example numbers:

Software/single stream: 75Mbps
Software/multiple stream: 150Mbps (single cpu core maxed)
Hardware/single stream: ~7.5Mbps
Hardware/multiple stream: >500Mbps
Note: Same tests performed. Only difference is toggling (default in /ip ipsec proposal) between CBC (hardware) and CTR (software). Also, you often have to flush installed SAs after changing this on both sides to get the session to actually switch over.

This is unfortunate because the software driver is virtually error-free and performs better on single stream, but means you are cpu bound and can't take advantage of the hardware's builtin decryption capabilities that give you far better multiple stream data rates. If they can fix the hardware driver, we should be able to get the best of both worlds.

This is the last thing I heard when checking up on April 5, 2016:

Hello,

There is no fix yet. When we will fix it, changes will be in the changelog.

Regards,
Maris B.

So I just keep waiting to see it in the changelog. I would welcome others inviting them to make this a higher priority though.

Update on May 20:

We are working on the fix.

nkourtzis · Tue Apr 26, 2016 12:26 pm

Several RB751's and a 951G have locked up... WTF guys... Please, quit putting out software that locks up our units.
I don't know if Mikrotik hired a monkey to direct the development team, but going from bad to worse. Where is the stability of the branch 5? MikroTik is provoking nightmares to their "carrier users".

Why don't you move to another brand then? Many less features, many less bugs. Or many features, less bugs, 10 times the price. Slow release cycle and no access to beta software. You have a choice. I anyone told you you can have it all, they lied to you my friend.

nadeu · Tue Apr 26, 2016 1:21 pm

Several RB751's and a 951G have locked up... WTF guys... Please, quit putting out software that locks up our units.
I don't know if Mikrotik hired a monkey to direct the development team, but going from bad to worse. Where is the stability of the branch 5? MikroTik is provoking nightmares to their "carrier users".

Why don't you move to another brand then? Many less features, many less bugs. Or many features, less bugs, 10 times the price. Slow release cycle and no access to beta software. You have a choice. I anyone told you you can have it all, they lied to you my friend.

We upgraded to RC because MikroTik support indicates, we are following with MikroTik support team.
Did not mean it literally was a joke from the monkeys. We have over 30 CloudCores in production, and more than 200 radiolinks, we trust MikroTik and bet on them, all we ask is more feedback.

leonset · Tue Apr 26, 2016 5:39 pm

Note: wireless-fp package is discontinued in this version. It needs to be uninstalled/disabled before upgrade. Use wireless-rep or wireless-cm2 instead.

The upgrade process of the latests RC and the final version must upgrade automatically wireless-fp to the most reliable alternative wireless package, as it did when plain wireless got replaced by wireless-fp somewhere around v6.30. I understand that this is are initial RC releases and for testing purposes manually uninstalling a package its ok, but this is something that Mikrotik should address before final release to avoid some nightmares their fellow Wisp's...

Wed Apr 27, 2016 1:03 am

I don't remember any wireless package that was swapped automatically. But it should be.

dev246 · Wed Apr 27, 2016 5:43 pm

Hi.

nz_monkey wrote:
dev246 wrote:
Hi.

Is any chance to improve TCP performance on single session over IPSEC on IPIP/GRE tunnel in this version?
Now is max 40-80 Mbps per session regardless of device model (tested on CCR 1009 and CCR 1036).

What encryption are you running?

We see close to 600mbit/s over EoIP/IPSEC with AES256-AES256-CBC on a CCR1036

I using default settings and encryption - aes-128-cbc (I use property "IPsec Secret" in IPIP tunnel).
And I also get around 600mbit/s or even 800 mbit/s on IPIP /IPSEC but for >18 simultaneous connections, on single connection I got only 40-80 mbit/s

strods wotre:
dev246 - Is any of CPU cores loaded 100%? Not total CPU load but load per CPU core.

Per cor CPU does not exceed 1-5%, this same with total CPU

alexjhart wotre:
nz_monkey wrote:

dev246 wrote:
Hi.

Is any chance to improve TCP performance on single session over IPSEC on IPIP/GRE tunnel in this version?
Now is max 40-80 Mbps per session regardless of device model (tested on CCR 1009 and CCR 1036).

What encryption are you running?

We see close to 600mbit/s over EoIP/IPSEC with AES256-AES256-CBC on a CCR1036

I have a long open ticket with Mikrotik on this issue. I'm guessing you are using an application that is sensitive to packet loss and/or you have latency above a few milliseconds.

This isn't sensitive application issue and is fully replicable. Application that i'm using is simply iperf with parm "-P" for setting number of parallel connections (result as this same when i using filezilla for FTP traffic , or simple windows file sharing for SMB traffic)
When I use 1 connection i got ~50Mbit/s , using 2 connections ~118Mbit/s, 4 connections ~231Mbit/s, so is strictly related whit number of parallel TCP session. This situation looks like one session could be handled only by one processor (without seeing it on CPU graph). CCR 1009 have 9 cores (with HT would give as 18 cores), connection bandwidth grow until they reach 18 parallel sessions (looks like 2 session per Core, or 1 session per core with HT).

All test was made in lab environment between 2 mikrotik without any other devices.
I have separate threat describing this tests and lab environment http://forum.mikrotik.com/viewtopic.php?f=2&t=106857 but still without answer.

jwisch · Thu Apr 28, 2016 1:07 am

Each and every release we have to remind two things.

First of all, rc versions are nightly builds and are not completely tested. It means that each version can and must be tested only on devices which you are willing to Netinstall, if it will be necessary. Basically - just for testing.

Secondary, if you want to complain about specific things, then please create specific topic for that. This is 6.36rc version topic which is created for actual software related discussions to help MikroTik staff and our clients to get rid of problems within specific version - 6.36.

Support staff is actually very open minded and is open for suggestions. Send your requests, suggestions and complaints to support team, if problem is related to software in any way. Otherwise, please create separate topics and do not hijack topic within which people are actually tying to help each other.

As for rc version itself - we are not seeing reboot loops with this version in general. It must/should be related to configuration. Please send supout files and/or serial output to support@mikrotik.com so we can research this particular issue.

So on one hand, I have some sympathy for you, with regard to the criticism you are receiving. I agree that in general practice, you should only install RC software (most of the time) on a production system if a) you absolutely need the features in the RC, and b) you have a reasonably good history with the developer that gives you confidence in the stability of their RC releases. As an example, I wouldn't have any problem putting a pfSense RC release in a production environment if, say, it was the only version that would support the NIC I was using, because PFS has a history of releasing betas that are stable enough for production, and RCs that are more stable than other companies' "release" versions.

At the same time, if what you have stated above is correct, I think some of the criticism in the thread is also fair, at least to the extent that you are using "release candidate" in a very different way than most of (at least the English speaking) world. What you have described is often labeled a "snapshot" or "nightly" release. Users downloading a snapshot or nightly have the expectation that things are going to be broken, and that there may be serious regressions between builds. It is absolutely a "caveat emptor" process, where you know you shouldn't flash the build unless you feel comfortable doing low level recovery. On the other hand, a "release candidate" often implies a level of stability that is better than a "beta" release. In other words, when most people see "RC" they have the expectation that as long as no major problems are found, this version is going to be the "final" release - in fact, that the final project might have the same build number, just with the RC dropped.

If you plan on using the structure you outlined above (i.e. builds released with limited or no testing), I would suggest changing the branch name from "release candidate" to "snapshot" or "nightly" to reduce confusion, and bring the terminology more inline with what is used more broadly in the industry.

florentrivoire · Thu Apr 28, 2016 11:59 am

If you plan on using the structure you outlined above (i.e. builds released with limited or no testing), I would suggest changing the branch name from "release candidate" to "snapshot" or "nightly" to reduce confusion, and bring the terminology more inline with what is used more broadly in the industry.

Agree !
The releases that are currently named "RC" should be called "snapshot" or "alpha" or "beta".
Because, between a RC1 and RCx, there should not be anymore new feature or change of behaviour, but only some final bugfix that have not been seen before. If Mikrotik continue to add new feature, new patchs (i'm not talking about bugfixes) between releases, we are still in the development phase, so : snapshot/alpha/beta, but not RC.

NB: just one difference with jwisch : I think "nightly" is not the right term, because the builds currently named "RC" are not automatically build and publish every night, but when developers estimate it's ok, so they are "better" (more consistent, so a little more reliable) than "nightly".

Thu Apr 28, 2016 12:25 pm

Version 6.36rc8 has been released.

*) chr - fixed stalling services (introduced in 6.36rc6);
*) dhcp-server - fixed radius framed route addition after reboot on client renew;
*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-zone matcher in firewall (CLI only);
*) firewall - added raw table to be able to disable connection tracking on selected packets or drop packets before connection tracking (CLI only);
*) lte - added cinterion pls8 support;
*) lte - improved multiple same model modems identification;
*) route - fixed ospf-v3 crash (introduced in 6.36rc6);
*) traffic-flow - added ipfix support (RFC5101 and RFC5102);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Thu Apr 28, 2016 2:12 pm

*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-zone matcher in firewall (CLI only)
Since 6.36rc8 version there is a possibility to create list of interfaces. It works similar as address-list in firewall. Under "/interface list" you can add multiple interfaces and group under list with a common name. Now this list/zone will be available in firewall. In firewall there are new matchers called in-zone and out-zone implemented. Basically, it is the same thing as in-interface and out-interface, but now by using "/interface list" you can select multiple interfaces on one firewall rule.

*) firewall - added raw table to be able to disable connection tracking on selected packets or drop packets before connection tracking (CLI only)
Since 6.36rc8 it is possible to configure firewall rules in a raw table ("/ip firewall raw", "/ipv6 firewall raw"). These rules have two possible chains - prerouting and output which happens before connection tracking in packet flow.

There is action called "notrack". It means that you can select on which packets you want to use connection tracking. It is also possible to drop packets already before connection tracking.

These rules do not have firewall rule matchers that would depend on connection tracking like "connection-state".

Packets which match rules with action "notrack" also are not being fragmented. In past as soon as you loaded connection tracking packets were fragmented. Now even if connection tracking is on "notrack" packets are not being defragmented.

Now in regular firewall, there is new possible connection-state value called "untracked".

Basically, this raw firewall should be used to protect your devices against DDoS attacks.

Thu Apr 28, 2016 2:21 pm

*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-zone matcher in firewall (CLI only);

OMG ... no more doubled/tripled rules for each interface ... OMG

Ulypka · Thu Apr 28, 2016 2:23 pm

strods
This is amazing
Thanks you

CyberTod · Thu Apr 28, 2016 3:10 pm

Very good firewall additions

Thu Apr 28, 2016 3:13 pm

*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-zone matcher in firewall (CLI only)

Change of the year!

Will this make it's way in to WinBox eventually ?

Thu Apr 28, 2016 3:15 pm

Under "/interface list" you can add multiple interfaces and group under list with a common name. Now this list/zone will be available in firewall. In firewall there are new matchers called in-zone and out-zone implemented. Basically, it is the same thing as in-interface and out-interface, but now by using "/interface list" you can select multiple interfaces on one firewall rule.

Can I add a single interface into multiple zones?

Thu Apr 28, 2016 3:28 pm

Yes, you can add interface in multiple lists. Of course these both are new features and might contain bugs at the beginning but for now they work for us.

Of course, in future we will implement them in Winbox, but we decided better to start with CLI than just delay whole process and wait for Winbox implementation right away.

Thu Apr 28, 2016 3:48 pm

*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-zone matcher in firewall (CLI only)

OK I have had a play with it, and it appears to work as advertised

very nice.

My feedback is:

- Calling it an "interface list" in one part of RouterOS, and a "zone" in another is confusing. Make it either a "zone" or an "interface list" not both.
- Using "in-zone" and "out-zone" is not consistent with the rest of the firewall rule config on RouterOS. It should be "src-zone" and "dst-zone" or "src-interface-list" and "dst-interface-list"

florentrivoire · Thu Apr 28, 2016 3:52 pm

My feedback is:

- Calling it an "interface list" in one part of RouterOS, and a "zone" in another is confusing. Make it either a "zone" or an "interface list" not both.
- Using "in-zone" and "out-zone" is not consistent with the rest of the firewall rule config on RouterOS. It should be "src-zone" and "dst-zone" or "src-interface-list" and "dst-interface-list"

Before reading this message from nz_monkey, I was going to say the exact same thing :
=> please, try to use the same word to describe the same concept (consistency is really important to simplify the configuration)

But, this feature sounds great

Thanks (in advance) Mikrotik !!

diorges · Thu Apr 28, 2016 4:19 pm

*) route - fixed ospf by handling ipv6 encoded prefixes with stray bits;
Looks like OSPF is not working properly with rc6 because of this fix. Please use with caution. This change will hopefully fix problems when two OSPFv3 neighbors are stuck in Exchange/ExStart states.

OSPFv3 still not working with other "system".

09:18:50 route,ospf,info OSPFv3 neighbor 138.97.60.1: state change from Exchange to 2-Way 
09:18:56 route,ospf,info Database Description packet has different options field 
09:18:56 route,ospf,info     received=11001000  (V6|E|R) 
09:18:56 route,ospf,info     mine=11001000  (V6|E|R) 
09:18:56 route,ospf,info OSPFv3 neighbor 138.97.60.1: state change from Exchange to 2-Way 
09:19:01 route,ospf,info OSPFv3 neighbor 138.97.60.1: state change from ExStart to Down

I'm trying to run ospfv3 with an EdgeRouter, is there a way to mikrotik ignore the AF packet?

I really need this working!

Thu Apr 28, 2016 4:33 pm

*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-zone matcher in firewall (CLI only)
OK I have had a play with it, and it appears to work as advertised very nice.

My feedback is:

- Calling it an "interface list" in one part of RouterOS, and a "zone" in another is confusing. Make it either a "zone" or an "interface list" not both.
- Using "in-zone" and "out-zone" is not consistent with the rest of the firewall rule config on RouterOS. It should be "src-zone" and "dst-zone" or "src-interface-list" and "dst-interface-list"

I vote for interface list naming convention. Should be in and out as the interfaces are also called in and out. Src and dst is about the addresses in the packet not about interfaces of the router.
Please don't implement new word zone. It is not necessary.

Thu Apr 28, 2016 4:51 pm

Or "interface group" but "interface list" is consistent with the rest of ROS.

Zorro · Thu Apr 28, 2016 5:50 pm

as for "interfaces list" addition - how about adding "ports list" aswell then for similar purposes ?
ie to make bit more streamlined/shortened, transparet and fast config

Nissarin · Thu Apr 28, 2016 6:11 pm

TLDR:
Perhaps it would be more consistent to rename the list to zones and move it under firewall prefix, i.e. /ip firewall zones.

Long story:
The name 'list' is not that bad but the command 'interface list' suggest something different than it should really do in this case (like list of all interface but I might be nitpicking here), 'interface group' is better but on the other hand it might suggest some kind of physical grouping (bonding) rather than abstract classification.
The name 'zone' is quite fitting when you think about implementing firewall - most of you might be familiar with term DMZ, in fact if you type the term in search engine you will get quite a few hits, not only in terms of some abstractions (internet/local/administration/etc zones) but also some real technologies - see http://packetlife.net/blog/2012/jan/30/ ... d-firewall (looks familiar, eh ?). So since at the end of the day it all has to do with the firewall just keep it all there.

alexjhart · Thu Apr 28, 2016 6:16 pm

I'm guessing they put in under /interfaces because they plan on being able to use that list/group/zone in other areas outside of firewall, like queues. I agree naming should be consistent. Also, regardless of context/naming issues and not being available in winbox yet, I am happy to see this new feature. Long desired feature

irghost · Thu Apr 28, 2016 6:37 pm

Version 6.36rc8 has been released.

*) chr - fixed stalling services (introduced in 6.36rc6);
*) dhcp-server - fixed radius framed route addition after reboot on client renew;
*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-zone matcher in firewall (CLI only);
*) firewall - added raw table to be able to disable connection tracking on selected packets or drop packets before connection tracking (CLI only);
*) lte - added cinterion pls8 support;
*) lte - improved multiple same model modems identification;
*) route - fixed ospf-v3 crash (introduced in 6.36rc6);
*) traffic-flow - added ipfix support (RFC5101 and RFC5102);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Does route marking problem fixed?(bug in 6.35.1 and 6.36rc6)

JanezFord · Thu Apr 28, 2016 10:47 pm

*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-zone matcher in firewall (CLI only);

This is great! ...

I hope we get "mac address lists" implemented some day ...

JF

Thu Apr 28, 2016 11:05 pm

Spoiler alert - alexjhart was correct. This new feature for now is available in firewall only, but will be available also in other places. That is why it is available under "/interface list" not "/ip firewall interfaces-list".

As for naming - we will discuss and decide which name we should use for firewall matcher.

LynxChaus · Thu Apr 28, 2016 11:26 pm

Dear mikrotik developers, add export by SNMP system resource parameters: "write-sect-since-reboot,write-sect-total,bad-blocks,architecture-name,board-name" and all of "/int ethernet monitor" data too.

mrtester · Fri Apr 29, 2016 12:11 am

Awesome. I was just telling to my clients how to create configuration with multiple interfaces and on the next day such improvements. Thank you guys! Great to hear about cinterion lte update. I had few of these modems in my stock. Now I can use them

Wazza · Fri Apr 29, 2016 9:25 am

Spoiler alert - alexjhart was correct. This new feature for now is available in firewall only, but will be available also in other places. That is why it is available under "/interface list" not "/ip firewall interfaces-list".

As for naming - we will discuss and decide which name we should use for firewall matcher.

Please tell me we're going to extend that!!!
Something like "/ip address-list" which can then be used for other service controls:- /ip services, /snmp community, /ip dns, etc.

That would mean we could use address-lists anywhere, consistently!!!

That would be awesome!

Fri Apr 29, 2016 9:32 am

After your requests we have renamed matchers in firewall by replacing zone with interface-list.

5nik · Fri Apr 29, 2016 9:58 am

*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-zone matcher in firewall (CLI only);

Why new matcher? It is not posibble to integrate into In-Interface and Out-Interface? Address list should be too integrate into Src-Address and Dst-Address.
Is it plan to dynamic adding VPN interfaces (like pptp, l2tp etc.) to interface list (like with adress lists)?
Please add posibility to add leased IP adress to adress list in DHCP client and allow using them (adress lists) in To-Adresses in Firewall NAT (Action).

Fri Apr 29, 2016 10:40 am

Why new matcher? It is not posibble to integrate into In-Interface and Out-Interface?

Because of greater flexibility ? I can bet that in short time someone finds a "case" when it will be useful.

Fri Apr 29, 2016 11:54 am

After your requests we have renamed matchers in firewall by replacing zone with interface-list.

Thank you for the sanity

Fri Apr 29, 2016 12:26 pm

Version 6.36rc9 has been released.

Changes since previous version:

*) arm - added Dude server support;
*) arm - fixed kernel failure on low memory;
*) discovery - fixed identity discovery (introduced in 6.36rc5 and 6.35.1);
*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-zone matcher in firewall (CLI only);
*) log - fixed time zone adjustment (introduced in 6.36rc5 and 6.35.1);
*) lte - added cinterion pls8 support;
*) snmp - fixed snmp timeout (introduced in 6.36rc5 and 6.35.1);
*) ssl - fixed memory leak on ssl connect/disconnect (fetch, ovpn, etc.);
*) trafficflow - allow to filter with interface lists;
*) vrrp - fixed missing vrrp interfaces after upgrade (introduced in 6.36rc5 and 6.35.1);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

kometchtech · Fri Apr 29, 2016 2:16 pm

Version 6.36rc9 has been released.

Changes since previous version:

*) arm - added Dude server support;
*) arm - fixed kernel failure on low memory;
*) discovery - fixed identity discovery (introduced in 6.36rc5 and 6.35.1);
*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-zone matcher in firewall (CLI only);
*) log - fixed time zone adjustment (introduced in 6.36rc5 and 6.35.1);
*) lte - added cinterion pls8 support;
*) snmp - fixed snmp timeout (introduced in 6.36rc5 and 6.35.1);
*) ssl - fixed memory leak on ssl connect/disconnect (fetch, ovpn, etc.);
*) trafficflow - allow to filter with interface lists;
*) vrrp - fixed missing vrrp interfaces after upgrade (introduced in 6.36rc5 and 6.35.1);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Issues in RB3011 (unrecognized disk) cannot mount USB flash drive supported?

[Ticket#2016041966000617]

Sob · Fri Apr 29, 2016 2:47 pm

Why new matcher? It is not posibble to integrate into In-Interface and Out-Interface?
Because of greater flexibility ? I can bet that in short time someone finds a "case" when it will be useful.

IMHO those two fields are basically exclusive, you need one (in-interface=<interface name>) or the other (in-interface-list=<list name>), I can't think about any use for both at the same time (feel free to correct me). To me it looks like unnecessary exposing of low level stuff and I think common in-interface=<interface or list name> would work fine.

Fri Apr 29, 2016 3:05 pm

Version 6.36rc10 has been released.

Changes since previous version:
*) firewall - added raw table to be able to disable connection tracking on selected packets or drop packets before connection tracking and packet defragmentation (CLI only);
*) firewall - fixed policy routing configurations (introduced in 6.35rc38);
*) queue - fixed interface queue type for ovpn tunnels;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Fri Apr 29, 2016 3:53 pm

IMHO those two fields are basically exclusive, you need one (in-interface=<interface name>) or the other (in-interface-list=<list name>

Quick example:
Deny traffic to 8291 port for all "in-interface-list=<list name>" except the management "in-interface=<interface name>" and the traffic comes from particular "src-address=x.x.x.x"

Sob · Fri Apr 29, 2016 4:06 pm

Ok, you're right. It sure does look now, like I didn't give it much thought. Sorry.

docmarius · Fri Apr 29, 2016 4:42 pm

Keeping them separated would be consistent with the address list implementation style.
Even if in-interface=<interface or list name> would be more to my liking and easier to see in prints and winbox tables. And the same goes for address lists, which are already there.
The presented use case would result in 2 rules, an exception and the regular list evaluation, with not much fuss.

Fri Apr 29, 2016 5:22 pm

Hope that port-list and protocol-list are coming soon as well.

docmarius · Fri Apr 29, 2016 5:25 pm

Don't we have a kind of port list? You can put multiple ports and ranges in the port fields. They are not named lists, but still a list.

abis · Fri Apr 29, 2016 9:53 pm

*) arm - added Dude server support;

Pffff, no words for that!

Love you!

Zorro · Fri Apr 29, 2016 11:18 pm

i was not tested eariler snapshots, but rc10 seems had broken "export" command so managing config not really possible.
update: my mistake its worked, just differently than in ancient versions. sorry for misleading.

andlommy · Sat Apr 30, 2016 1:55 am

Since v 6.35.1 there is a bug that causes mikrotik to fail routing based on routing marks.

For example i have a mangle rule that sets routing mark on connections to certain IPs to go via different interface.

This stopped worked since 6.35.1.
Worst part is that if i start packet sniffer on the affected device, all starts to work normally
Downgrading to 6.35 resolves the problem
6.36 rc 10 that claims to resolve problem does not resolve the problem

Beone · Sat Apr 30, 2016 3:54 am

please add cli command something like force-yes=enabled

/system routerboard upgrade force-yes=enabled
/system package upgrade force-yes=enabled
/system package downgrade force-yes=enabled
/system reboot force-yes=enabled

Currently, when using SSH cli scripts, this hangs as the y/N input wait is not catched by most auto-cli scripts...

doush · Sun May 01, 2016 12:35 am

An example to ip firewall raw would be good to see especially for a dDOS case.
Anything to share ?

mrtester · Sun May 01, 2016 5:22 pm

Beone - Just use -:execute script="/system reboot"

jondavy · Tue May 03, 2016 5:15 am

/lcd export import not work properly

Tue May 03, 2016 7:58 am

jondavy - Please provide an example of export which you are not being able to import afterwards

notToNew · Tue May 03, 2016 9:43 am

jondavy - Please provide an example of export which you are not being able to import afterwards

I have one as well

#line 1407 + 1408
set cpu-frequency=650MHz init-delay=0s memory-frequency=300MHz \
expected end of command (line 1 column 26)

Tue May 03, 2016 10:23 am

notToNew - This is not LCD configuration but try to delete init-delay configuration and import afterwards. Does device on which you test import support init-delay and actually has firmware version with init-delay support?

grusu · Tue May 03, 2016 10:57 am

notToNew - This is not LCD configuration but try to delete init-delay configuration and import afterwards. Does device on which you test import support init-delay and actually has firmware version with init-delay support?

Starting with which firmware version supports init-delay?
RouterBOOT_changelog is at version 3.31 and seems not include all changes in every log version:

http://wiki.mikrotik.com/wiki/RouterBOOT_changelog

notToNew · Tue May 03, 2016 11:25 am

notToNew - This is not LCD configuration but try to delete init-delay configuration and import afterwards. Does device on which you test import support init-delay and actually has firmware version with init-delay support?

Sorry, I should have added that it's not LCD.

The Test-router is a simple

RouterBOARD 952Ui-5ac2nD

with Firmware 3.33.
I see no init-delay support.

I just removed the complete line as I don't need it, but it actually brakes
the import every time. As I understand, this should not be exported by "export compact".

Edit: Sorry, I was wrong!!
executing this in terminal does work, so i don't know whats going wrong with import/export.

/system routerboard settings> set cpu-frequency=650MHz init-delay=0s memory-frequency=300MHz protected-routerboot=disabled

The lines created by "export compact" are these:

/system routerboard settings
set cpu-frequency=650MHz init-delay=0s memory-frequency=300MHz \
    protected-routerboot=disabled

witch is thowing this error as mentioned above:

expected end of command (line 1 column 26)

prawira · Wed May 04, 2016 7:21 am

do not forget for the broken snmp at /system health voltage at 6.35.1 and the not working 'safe mode' under winbox

tq

P

Thu May 05, 2016 12:41 pm

Version 6.36rc11 has been released.

Changes since previous version:
*) bonding - fixed crash on RoMON traffic transmit;
*) bonding - implemented l2mtu value == smallest slave interfaces l2mtu;
*) dude - (changes discussed here: forum.mikrotik.com/viewtopic.php?f=8&t=108083 );
*) ipsec - added dead ph2 reply detection;
*) ipsec - fixed AH with SHA2;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Cha0s · Thu May 05, 2016 1:15 pm

*) traffic-flow - added ipfix support (RFC5101 and RFC5102);

Has anyone tried IPFIX over NetFlow?

I wonder if the issue described here is fixed using IPFIX
http://forum.mikrotik.com/viewtopic.php ... hilit=flow
https://serverfault.com/questions/73920 ... unter-wrap

Thu May 05, 2016 2:54 pm

*) bonding - implemented l2mtu value == smallest slave interfaces l2mtu;

Thank you to the support staff and developers who worked to fix this!

mrtester · Fri May 06, 2016 8:40 am

Thank you guys. Did not know that my crash was caused by RoMON over bonding

. Now it is not rebooting any more after upgrade to 6.36rc11.

Test471 · Fri May 06, 2016 8:13 pm

MikroTik RouterOS v6.36rc4 is released.

*) tunnel - added option to auto detect tunnel local-address;

How exactly this works?

jondavy · Fri May 06, 2016 11:36 pm

MikroTik RouterOS v6.36rc4 is released.

*) tunnel - added option to auto detect tunnel local-address;
How exactly this works?

you not need add local address to an tunnel only the remote address

Test471 · Sat May 07, 2016 10:37 am

I have EoIP/IpSEC and it says I must fill local address.

Now I solved this problem by writing script which is checking every 15 secs if local address changed and makes update but with this new update I dont see any way of going without it.

tamilmaran · Sat May 07, 2016 9:41 pm

why wireless FP is discontinued..?
any specific reason

soyelpulpo · Sun May 08, 2016 6:04 pm

Let´s summarize the feature requests for wireless-rep:
Is it possible to show CCQ for each connected client? Or dropped / retransmitted frames percentage?
Is it possible to perform background scan for each remote radio?
(It would be helpful to see connection quality statistics as well as channel usage statistics within CAPSMAN window)

show the username (beside the MAC address) for all connected clients within CAPSMAN window?
)
+ vendor OUI auto naming
+ custom names for CAP devices
+ centralized ressource monitoring / statistics ([CPU, RAM, amount of connected clients for each CAP device], total amount of connected devices, frequency band usage, "rogue devices" using the same frequency band or the same SSID per CAP device,...)

My post with CAPsMAN feature requests in the 6.35rc thread:

Requests for CAPsMAN bug fixes and new features, based on my experience with the current RC version:

1. {Nice to have} Add "CCQ", P Throughput" and "Signal to Noise", "Encryption" and "Group Encryption" and "WMM Enabled" fields to CAPsMAN Registration Table.

2. {Feature} Add "Frequency Mode", "WMM Support", "Multicast Buffering", "Keepalive frames", "Adaptive Noise Immunity" and "AMPDU Priorities" to CAPsMAN Config Settings.

3. {BUG} Make "Multicast Helper=full" in CAPsMAN slave interfaces work (now the interfaces stay in default setting).

4. {BUG} Make "Country=no_country_set" work on CAPsMAN 5GHz 802.11ac interfaces (it works on 2.4GHz, but on 5GHz ones it results in "no supported band" error message, regardless of the band and frequency settings).

5. {Feature} Add a scan/freq usage feature in CAPsMAN, with an aption to run in the background. Right now, if one wants to scan, they have to detach the physical interface from the Manager, do the scan and re-attach it. [In the future, use this info to auto-adjust CAP channels and power levels.]

6. {Annoying} Stop CAPsMAN from creating virtual interfaces on CAPs with name "wlanXXX" where XXX is a number which is incremented every time the interface is disabled and re-enabled.

7. {Nice to have} Let the user rename the virtual interfaces on the CAPs, like he/she can do with physical interfaces.

6 should be like: cap_abcdef. Where abcdef are the last digits of the cap WiFi mac address.

pe1chl · Sun May 08, 2016 8:37 pm

why wireless FP is discontinued..?
any specific reason

I can understand that having 3 different wireless packages is not desirable.

Mon May 09, 2016 3:38 pm

cm2 has many improvements and works much better than FP

autostoper76 · Mon May 09, 2016 5:01 pm

The Dude client for ARM , missing

Mon May 09, 2016 5:14 pm

The Dude client for ARM , missing

1) dude server nt client
2) separate package can be downloaded here:
http://download2.mikrotik.com/routeros/ ... 11-arm.npk

jondavy · Mon May 09, 2016 5:16 pm

Please add CCQ to CapsMAN

brwainer · Mon May 09, 2016 6:58 pm

Let´s summarize the feature requests for wireless-rep:

+ vendor OUI auto naming
+ custom names for CAP devices
+ centralized ressource monitoring / statistics ([CPU, RAM, amount of connected clients for each CAP device], total amount of connected devices, frequency band usage, "rogue devices" using the same frequency band or the same SSID per CAP device,...)

My post with CAPsMAN feature requests in the 6.35rc thread:

Requests for CAPsMAN bug fixes and new features, based on my experience with the current RC version:

1. {Nice to have} Add "CCQ", P Throughput" and "Signal to Noise", "Encryption" and "Group Encryption" and "WMM Enabled" fields to CAPsMAN Registration Table.

2. {Feature} Add "Frequency Mode", "WMM Support", "Multicast Buffering", "Keepalive frames", "Adaptive Noise Immunity" and "AMPDU Priorities" to CAPsMAN Config Settings.

3. {BUG} Make "Multicast Helper=full" in CAPsMAN slave interfaces work (now the interfaces stay in default setting).

4. {BUG} Make "Country=no_country_set" work on CAPsMAN 5GHz 802.11ac interfaces (it works on 2.4GHz, but on 5GHz ones it results in "no supported band" error message, regardless of the band and frequency settings).

5. {Feature} Add a scan/freq usage feature in CAPsMAN, with an aption to run in the background. Right now, if one wants to scan, they have to detach the physical interface from the Manager, do the scan and re-attach it. [In the future, use this info to auto-adjust CAP channels and power levels.]

6. {Annoying} Stop CAPsMAN from creating virtual interfaces on CAPs with name "wlanXXX" where XXX is a number which is incremented every time the interface is disabled and re-enabled.

7. {Nice to have} Let the user rename the virtual interfaces on the CAPs, like he/she can do with physical interfaces.
6 should be like: cap_abcdef. Where abcdef are the last digits of the cap WiFi mac address.

Once again, I second request #6, and was promised about two months ago by support that they would try to work on implementing it if it didn't conflict with anything else. I figured I would wait until the 3 month mark to follow up on their progress. I like the idea to tie the name of the interface to the wifi MAC - that would be even more helpful than just a static number.

jondavy · Mon May 09, 2016 8:32 pm

jondavy - Please provide an example of export which you are not being able to import afterwards

/interface bridge
add name=LAN
add name=WAN1
add name=WAN2
add name=WAN3

/lcd
set backlight-timeout=never default-screen=stat-slideshow read-only-mode=yes

/lcd interface
set sfp-sfpplus1 disabled=yes
set sfp1 disabled=yes
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
add interface=LAN
add interface=WAN1 timeout=5s
add interface=WAN2 timeout=5s
add interface=WAN3 timeout=5s

notToNew · Tue May 10, 2016 8:52 pm

is it possible when using wireless-rep and wlan1 is currently NOT connected, that i can use wlan1-subdevice in AP-mode?
Currently, the virtual subdevice in the repeater-config is always automatically disabled, when wlan1 doesnt get a connection.
This makes the repeater-mode somehow useless for me. Do I miss anything?
I cann't even connect wireless to the Mikrotik-Device to change the config of wlan1 or change the security-profile. If I have to change
it, i do need a cable.

autostoper76 · Wed May 11, 2016 12:34 am

The Dude client for ARM , missing
1) dude server nt client
2) separate package can be downloaded here:
http://download2.mikrotik.com/routeros/ ... 11-arm.npk

ok, Dude windows client, please link
dude client for windows

docmarius · Wed May 11, 2016 7:11 am

RC11 on hAp (951Ui-2nD, FW 3.33) shows USB port invalid.
Reverting to 6.35.2 fixes the port issue.

Wed May 11, 2016 11:19 am

docmarius - Please send supout file to support@mikrotik.com. Generate file while port is inactive. We can not reproduce such issue. If something is connected then it is active, if we disconnect USB, then it becomes inactive. Connect back and active again.

Wed May 11, 2016 12:10 pm

Version 6.36rc12 has been released.

Changes since previous version:

*) capsman - fixed crash when running over ovpn;
*) dhcp-pd - correct server listing for commands;
*) dude - (changes discussed here: forum.mikrotik.com/viewtopic.php?f=8&t=108083 );
*) fastpath - fixed kernel failure when fastpath handles packet with multicast dst-address;
*) ipsec - don't register temporary ph2 on dead list;
*) ipsec - fixed mode-config export;
*) ipsec - fixed route cache overflow when using ipsec with route cache disabled;
*) sniffer - fixed ipv6 address matching;
*) ssh - add rsa host key size parameter;
*) ssh-keygen - add rsa key size parameter;
*) usb - I-tec U3GLAN3HUB usb hub/ethernet dongle now shows up correctly as ethernet interface;
*) usb - implement possibility to recognize usb hubs/ethernet-dongles;
(if usb hubs/ethernet-dongles shows up as LTE interface with this version - send supout.rif file)
*) wireless-rep - added initial API support for snooper.

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

m94646602 · Wed May 11, 2016 2:56 pm

Still no band steering and CCQ in CAPsMAN

If want to use it in a commercial environment, 2.4 and 5G in a same SSID is a basic requirement !!!!

In our China market, we often lost to other competitors, because there is no BAND STEERING. Our customers say Without this feature it is only a "HOME AP"

MT, can provide some way(script, access-list.......) to temporarily solve the Band Steering problem? Thanks a lot.

cisco : band select
Ruckus : holding the transmit beacon
aruba :http://www.arubanetworks.com/techdocs/A ... eering.htm
EnGenius : Band Steering
ASUS : SmartConnect
zyxel : client steering
d-link : http://www.dlink.com/uk/en/technology/band-steering
ubnt : https://community.ubnt.com/t5/UniFi-Wir ... -p/1429904
tp-link : http://www.tp-link.com/res/down/doc/Aur ... asheet.pdf

jondavy · Wed May 11, 2016 4:32 pm

Still no band steering and CCQ in CAPsMAN
If want to use it in a commercial environment, 2.4 and 5G in a same SSID is a basic requirement !!!!

really I'm just not using it and installing the companies that attend for lack of decent monitoring
CCQ is an essential basic thing

docmarius · Wed May 11, 2016 7:23 pm

docmarius - Please send supout file to support@mikrotik.com. Generate file while port is inactive. We can not reproduce such issue. If something is connected then it is active, if we disconnect USB, then it becomes inactive. Connect back and active again.

Done Ticket#2016051166000808.

5nik · Thu May 12, 2016 9:39 am

Version 6.36rc12 has been released.

...
*) usb - implement possibility to recognize usb hubs/ethernet-dongles;
(if usb hubs/ethernet-dongles shows up as LTE interface with this version - send supout.rif file)
...

Is it possible add support for ASIX USB3 Ethernet?
Chip: AX88179
VID: 0x0b95
PID: 0x1790

diorges · Mon May 16, 2016 8:15 pm

When OSPFv3 will be fixed? Still cant use it with different manufacter!

anuser · Mon May 16, 2016 10:12 pm

When OSPFv3 will be fixed? Still cant use it with different manufacter!

OSPFv3 is running fine with H3C/Comware 5 (HP A series switches) here.

diorges · Tue May 17, 2016 7:02 pm

When OSPFv3 will be fixed? Still cant use it with different manufacter!
OSPFv3 is running fine with H3C/Comware 5 (HP A series switches) here.

I trying to run this with an EdgeRouter Pro.

Wed May 18, 2016 11:49 am

MikroTik RouterOS 6.36rc13 version has been released!

What's new in 6.36rc13 (2016-May-17 12:20):

*) dude - (changes discussed here: forum.mikrotik.com/viewtopic.php?f=8&t=108083 );
*) dhcpv6 client - fixed ia lifetime validation when it is set by dhcpv6 client;
*) health - fixed incorrect voltage after reboot on RB2011UAS;
*) health - fixed broken factory voltage calibration data for some hAP ac boards;
*) log - added whole scep certificate chain print;
*) lte - fix crash on SXT LTE while resetting card while at high traffic;
*) lte - added allow-roaming option for Huawei MU709, ME909s, ME909u devices;
*) lte - changed driver loading for class 2 usb rndis devices;
*) userman - use ipnpb.paypal.com for payment verification;
http://www.mikrotik.com/download

patrick7 · Wed May 18, 2016 3:32 pm

Is there a possibility to log PSU failures on CCR in future versions?

Zorro · Thu May 19, 2016 2:08 am

Is there a possibility to log PSU failures on CCR in future versions?

and what the problem with that today ?
you just need: bump "UPS" part of logging to more verbose/obvious levels than non-existent/disabled default to say "disk", "echo" or "remote" variations of. and then use that logged infor for relevant purposes.

patrick7 · Thu May 19, 2016 11:45 am

Are you sure, UPS will log PSU failures? (on CCR with redundant PSU).

gze100 · Fri May 20, 2016 1:41 am

Since v 6.35.1 there is a bug that causes mikrotik to fail routing based on routing marks.

For example i have a mangle rule that sets routing mark on connections to certain IPs to go via different interface.

This stopped worked since 6.35.1.
Worst part is that if i start packet sniffer on the affected device, all starts to work normally
Downgrading to 6.35 resolves the problem
6.36 rc 10 that claims to resolve problem does not resolve the problem

+1

Nekromans · Fri May 20, 2016 12:03 pm

Hello! Add in the possibility CAPsMAN - Access List to add one client for several interfaces Cap. Thank you!
В мене дві мережі - корпоративна - фізичний інтерфейс і гостьова - віртуальний інтерфейс. Підключено 8 AP. Доступ до корпоративної мережі зробив через прив'язку до фізичного адреса клієнта. І потрібно прописувати

caps-man access-list add mac-address=01:01:01:01:01:01 action=accept interface=IT-1
caps-man access-list add mac-address=01:01:01:01:01:01 action=accept interface=IT-2
caps-man access-list add mac-address=01:01:01:01:01:01 action=accept interface=IT-3
caps-man access-list add mac-address=01:01:01:01:01:01 action=accept interface=IT-4
....
and so 8 times for each client

Fri May 20, 2016 12:08 pm

Hello! Add in the possibility CAPsMAN - Access List to add one client for several interfaces Cap. Thank you!

You want to have multiple drop-down options for the access list interface, so you could select multiple cap interfaces?

Nekromans · Fri May 20, 2016 12:17 pm

Yes!

Or the possibility of combining a group of several interfaces

Zorro · Fri May 20, 2016 8:54 pm

Are you sure, UPS will log PSU failures? (on CCR with redundant PSU).

and why it shouldn't ?

patrick7 · Fri May 20, 2016 11:53 pm

Because PSU has nothing to do with UPS?

Zorro · Mon May 23, 2016 11:51 am

Because PSU has nothing to do with UPS?

screenshot above given "just as reference", explanation how to create additionl(to deafult/pre-created by ROS deployment itself)logging rules/policies.
but you may be right, i cannot reproduce PSU failures in logs ("Critical", "Warning" and "system" are checked)

NathanA · Mon May 23, 2016 10:47 pm

*) arm - added Dude server support;

Very interesting! Is there a reason that you have not done a PPC build of The Dude? There are PPC RouterBoards that outclass the RB3011.

-- Nathan

Tue May 24, 2016 11:02 am

Version 6.36rc16 has been released.

Changes since previous version:
*) dude - (changes discussed here: forum.mikrotik.com/viewtopic.php?f=8&t=108083 );
*) address - allow multiple euqla ip addresses to be added if neither or only one is enabled;
*) bonding - fixed 802.3ad load balancing mode over tunnels ;
*) certificate - display issuer and subject on check failure;
*) cloud - fixed export order;
*) dhcpv6-server - fixed binding last-seen update;
*) e-mail - removed subject and body length limit;
*) ethernet - fixed memory leak when setting interface without changing configuration;
*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-interface-list matcher in firewall;
*) firewall - added pre-connection tracking filter - "raw" table, that allow to protect connection-tracking from unnecessary traffic;
*) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);
*) ipsec - fixed checks before accessing ph1 nat options;
*) ipsec - store udp encapsulation type in proposal;
*) ovpn - enable perfect forwarding secrecy support by default;
*) ovpn - fixed compatibility with OpenVPN 2.3.11;
*) rb3011 - fixed port flapping on ether6-ether10;
*) snmp - fixed get function for snmp>=v2 when oid does not exist;
*) winbox - report correctly dude users in active users list;
*) wireless-rep - treat missing SSID element as hidden SSID;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

notToNew · Tue May 24, 2016 11:19 am

Version 6.36rc16 has been released.
*) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);

Nice!!!

grusu · Tue May 24, 2016 11:30 am

Version 6.36rc16 has been released.
*) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);
Nice!!!

How often is updated?

hedele · Tue May 24, 2016 11:52 am

*) firewall - added pre-connection tracking filter - "raw" table, that allow to protect connection-tracking from unnecessary traffic;

So which is faster in terms of throughput - fasttrack or no tracking at all?

alexjhart · Tue May 24, 2016 11:54 am

Version 6.36rc16 has been released.
*) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);
Nice!!!

How often is updated?

My question exactly

juliobrito · Tue May 24, 2016 5:09 pm

Regards,

Please, remember that all Mikrotik users need the implementation of PEAP-MSCHAPv2 Wireless Station Mode. We have more that 7 years waiting for it option.

Tue May 24, 2016 6:03 pm

I am afraid that not all users need it. Please, be so kind and ask just for yourself and don't take others as your hostages.

Tue May 24, 2016 6:07 pm

Nice!!!

How often is updated?
My question exactly

That's what I would like to know as well.

grusu · Tue May 24, 2016 7:47 pm

How often is updated?
My question exactly
That's what I would like to know as well.

I will try to answer the question myself: I think the address is resolved at boot and when DNS TTL reaches 0 and is renew in cache.

alexjhart · Tue May 24, 2016 8:39 pm

My question exactly
That's what I would like to know as well.
I will try to answer the question myself: I think the address is resolved at boot and when DNS TTL reaches 0 and is renew in cache.

Test it yourself? That's crazy talk!

Actually, good idea. We just tested as well and found the same results. We also noticed that domains with multiple A records add multiple entries, which is welcomed. Even follows CNAMEs.

Good job so far Mikrotik.

Feature request: put the timeout remaining calculated from TTL in the timeout column

Thanks @tomaskir for testing with me

Wed May 25, 2016 12:58 am

Thank you grusu. You managed to answer before us and answer is completely correct.

grusu · Wed May 25, 2016 7:25 am

Thank you grusu. You managed to answer before us and answer is completely correct.

Until now I have used a script to resolve the dynamic IP address from where I manage routers. Now it is much easier.
Thank you!

Wed May 25, 2016 1:17 pm

Regarding:

*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-interface-list matcher in firewall;

This works in Firewall/Filter but when you select a valid Interface-List for "In. Interface List" or "Out. Interface List" on a Firewall/NAT or Firewall/Mangle policy, it resets to "unknown" a few seconds after clicking OK/Apply.

bajodel · Wed May 25, 2016 1:52 pm

Version 6.36rc16 has been released.

..[CUT]..

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

On two RB3011 upgraded to 6.36rc16 I've lost USB/Disk (present in system/resources/usb ..but not in system/disk).

Someone can confirm ?

Wed May 25, 2016 2:28 pm

nz_monkey - what type of interfaces do you add there?
bajodel - please generate supout file on device and send it to support@mikrotik.com

bajodel · Wed May 25, 2016 3:28 pm

..[cut].. bajodel - please generate supout file on device and send it to support@mikrotik.com

OK ..to give more help I've netinstalled one of the RB3011 with 6.36rc16.

Problem persist, so supout sent to support@mikrotik.com with screenshot and details.

>> [Ticket#2016052566000541]

Thank you..

Zorro · Thu May 26, 2016 6:59 am

frankly ROS also need suuport of EAPoL rather than just EAP/PEAP over Wifi or other 802.1x flavors/portions.

5nik · Thu May 26, 2016 10:31 am

*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-interface-list matcher in firewall;

Why structure of "/interface list" menu is different from "/address list" in WinBox? Why they haven't same logic?
Please add posibilities for auto adding dynamic (ppp) interfaces to selected interface list when they connect (start running).
Please add same logic for IP addresses (address lists) when dhcp client leases IP.

Thu May 26, 2016 10:37 am

nz_monkey - what type of interfaces do you add there?
bajodel - please generate supout file on device and send it to support@mikrotik.com

Hi Strods

Just vlan sub interfaces. Nothing complicated.

My testing was on a RB2011

Thu May 26, 2016 10:41 am

Why structure of "/interface list" menu is different from "/address list" in WinBox? Why they haven't same logic?.

I wondered exactly the same thing!

Workflow inconsistency = Bad

JimmyNyholm · Thu May 26, 2016 4:20 pm

Nice!!!

How often is updated?
My question exactly

The Only viable sullution should be the TTL and Refresh values specified on each individual record but then again a confirmation on that one would be very much apprechiated as the wiki seldom states new features until very much later.

Cha0s · Thu May 26, 2016 4:23 pm

The Only viable sullution should be the TTL and Refresh values specified on each individual record but then again a confirmation on that one would be very much apprechiated as the wiki seldom states new features until very much later.

It has been confirmed already. Check a few posts above.

alexjhart · Thu May 26, 2016 6:27 pm

Why structure of "/interface list" menu is different from "/address list" in WinBox? Why they haven't same logic?.
I wondered exactly the same thing!

Workflow inconsistency = Bad

We talked about this earlier in the thread. They are planning more for this than the current firewall use. Ideally, they consolidate all in the future to use the same logic, but one came long ago and has had less intended scope than the new one.

Fri May 27, 2016 7:48 am

As we have explained already earlier in this post and others have told - interface list is not a firewall feature. It is already supported not only in firewall but also on traffic flow.

Fri May 27, 2016 11:06 am

Version 6.36rc19 has been released.

Changes since previous version:
*) dude - (changes discussed here: forum.mikrotik.com/viewtopic.php?f=8&t=108083 );
*) certificate - added automatic scep renewal delay after startup to avoid all requests accessing CA at the same time;
*) certificate - cancel pending renew when certificate becomes valid after date change;
*) certificate - force scep renewal on system clock updates;
*) clock - save current time to configuration once per day even if there are no time zone adjustments pending;
*) console - show message time in echo log messages;
*) defconf - changed channel extension to 20/40/80mhz for all ac boards;
*) fetch - support tls host name extension;
*) kernel - fixed possible kernel deadlock when Sierra USB mode is being used;
*) rb3011 - improved performance on high cpu usage;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Fri May 27, 2016 11:53 am

As we have explained already earlier in this post and others have told - interface list is not a firewall feature. It is already supported not only in firewall but also on traffic flow.

Hi Strods, Alex

I think my comment has been mis-understood.

What I was saying is that the workflow of the new feature is NOT in line with other "similar" features. e.g.

To add an interface to a new list
1. Click on Interface-List tab
2. Click on "Lists" in tab control pane (new dialogue will appear)
3. In "Interface Lists" dialogue box, click on +
4. Enter List Name
5. Click OK
6. Return to "Interface-List" tab
7. Click on + (yet another dialogue box appears)
8. in "New Interface List Member" tab, select a list, and select a interface.
9. Click OK

To add an address to a new list:
1. Click on Address-List tab
2. Click +
3. Enter List name
4. Enter IP address
5. Click OK

The "flow" taken to add a new "Interface-List" is much longer, and is different from other similar features in RouterOS.

In my opinion, the new feature should be changed to match the existing features. Or the existing features workflow should be updated to match the new features.

Im not saying "Combine Interface-Lists and Address-Lists" I am saying, make the workflow's consistent!

Please don't make this a repeat of the RoMON / Mac-Server / IP Neighbor workflow mess

mrz · Fri May 27, 2016 12:28 pm

Workflow is consistent to other interface related features. For example you first add bridge,mesh and only then add ports. The same is with list, you first add list and then interfaces to the list.

Fri May 27, 2016 12:34 pm

But there is "Bridge" tab where the bridges are added and the "Ports" tab where ports are added to bridges.
There is no "Bridge" button on "Ports" tab.

nkourtzis · Fri May 27, 2016 3:39 pm

Will you please consider fixing the bug where if a wireless interface is set to 2GHz-G/N then all subsequent config changes to this interface done in winbox fail with the message "not supported" and so all config has to be done using the CLI? Changing the interface to any other mode fixes it.

andersonlich · Sun May 29, 2016 1:22 pm

How often is updated?
My question exactly
That's what I would like to know as well.

Can we set from 5 sec to 5 min
?

Cha0s · Sun May 29, 2016 10:46 pm

Hello,

I just gave IPFIX a try on version 6.36rc19 on a RB2011UAS and it seems that it exports the flows with 'random' timestamps in the year 1970.
The time on the RB2011 is correct (double checked).

Timestamp: Jul  5, 1970 11:05:20.000000000 GTB Daylight Time
Timestamp: Jul  5, 1970 11:38:40.000000000 GTB Daylight Time
Timestamp: Jul  5, 1970 12:12:00.000000000 GTB Daylight Time

Those netflow packets where exported to wireshark by mikrotik every 2 seconds.

The full capture:

No.     Time           Source                Destination           Protocol Length Info
 383778 748.591451000  10.10.153.218         10.26.35.34           CFLOW    542    IPFIX partial flow (500/5 bytes)

Frame 383778: 542 bytes on wire (4336 bits), 542 bytes captured (4336 bits) on interface 0
Ethernet II, Src: Routerbo_XX:XX:XX (XX:XX:XX:XX:XX:XX), Dst: YY:YY:YY:YY:YY:YY (YY:YY:YY:YY:YY:YY)
Internet Protocol Version 4, Src: 10.10.153.218 (10.10.153.218), Dst: 10.26.35.34 (10.26.35.34)
User Datagram Protocol, Src Port: 2055 (2055), Dst Port: 2055 (2055)
Cisco NetFlow/IPFIX
    Version: 10
    Length: 5
    Timestamp: Jul  5, 1970 11:05:20.000000000 GTB Daylight Time
        ExportTime: 16013120
    FlowSequence: 384
    Observation Domain Id: 0
    Set 1
        FlowSet Id: (Data) (258)
        FlowSet Length: 484
        Flow 1
            IPVersion: 04
            [Duration: 0.000000000 seconds]
                StartTime: 16010.600000000 seconds
                EndTime: 16010.600000000 seconds
            Packets: 3
            Octets: 192
            SrcPort: 2000
            DstPort: 39216
            InputInt: 4
            OutputInt: 0
            Protocol: 6
            IP ToS: 0x00
            TCP Flags: 0x18
            Destination Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            Post Source Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            SrcAddr: 10.10.153.217 (10.10.153.217)
            DstAddr: 10.10.153.218 (10.10.153.218)
            NextHop: 10.10.153.218 (10.10.153.218)
            SrcMask: 0
            DstMask: 0
            IP TTL: 64
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 64
            UDP Length: 0
            TCP Sequence Number: 1439408172
            TCP Acknowledgement Number: 786858282
            TCP Windows Size: 905
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.217 (10.10.153.217)
            Post NAT Destination IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 2
            IPVersion: 04
            [Duration: 0.000000000 seconds]
                StartTime: 16011.120000000 seconds
                EndTime: 16011.120000000 seconds
            Packets: 2
            Octets: 1056
            SrcPort: 2055
            DstPort: 2055
            InputInt: 0
            OutputInt: 4
            Protocol: 17
            IP ToS: 0x00
            TCP Flags: 0x00
            Destination Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Post Source Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            SrcAddr: 10.10.153.218 (10.10.153.218)
            DstAddr: 10.26.35.34 (10.26.35.34)
            NextHop: 10.10.153.217 (10.10.153.217)
            SrcMask: 0
            DstMask: 0
            IP TTL: 255
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 528
            UDP Length: 508
            TCP Sequence Number: 0
            TCP Acknowledgement Number: 0
            TCP Windows Size: 0
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAT Destination IPv4 Address: 10.26.35.34 (10.26.35.34)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 3
            IPVersion: 04
            [Duration: 0.000000000 seconds]
                StartTime: 16011.120000000 seconds
                EndTime: 16011.120000000 seconds
            Packets: 2
            Octets: 800
            SrcPort: 2055
            DstPort: 2055
            InputInt: 0
            OutputInt: 4
            Protocol: 17
            IP ToS: 0x00
            TCP Flags: 0x00
            Destination Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Post Source Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            SrcAddr: 10.10.153.218 (10.10.153.218)
            DstAddr: 10.69.110.21 (10.69.110.21)
            NextHop: 10.10.153.217 (10.10.153.217)
            SrcMask: 0
            DstMask: 0
            IP TTL: 255
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 400
            UDP Length: 380
            TCP Sequence Number: 0
            TCP Acknowledgement Number: 0
            TCP Windows Size: 0
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAT Destination IPv4 Address: 10.69.110.21 (10.69.110.21)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 4
            IPVersion: 04
            [Duration: 0.000000000 seconds]
                StartTime: 16012.000000000 seconds
                EndTime: 16012.000000000 seconds
            Packets: 3
            Octets: 194
            SrcPort: 33353
            DstPort: 179
            InputInt: 0
            OutputInt: 4
            Protocol: 6
            IP ToS: 0xc0
            TCP Flags: 0x18
            Destination Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Post Source Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            SrcAddr: 10.10.153.218 (10.10.153.218)
            DstAddr: 10.10.153.217 (10.10.153.217)
            NextHop: 10.10.153.217 (10.10.153.217)
            SrcMask: 0
            DstMask: 0
            IP TTL: 64
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 71
            UDP Length: 0
            TCP Sequence Number: 131047850
            TCP Acknowledgement Number: 1912585720
            TCP Windows Size: 1016
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAT Destination IPv4 Address: 10.10.153.217 (10.10.153.217)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 5
            IPVersion: 04
            [Duration: 0.000000000 seconds]
                StartTime: 16012.000000000 seconds
                EndTime: 16012.000000000 seconds
            Packets: 3
            Octets: 175
            SrcPort: 179
            DstPort: 33353
            InputInt: 4
            OutputInt: 0
            Protocol: 6
            IP ToS: 0xc0
            TCP Flags: 0x10
            Destination Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            Post Source Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            SrcAddr: 10.10.153.217 (10.10.153.217)
            DstAddr: 10.10.153.218 (10.10.153.218)
            NextHop: 10.10.153.218 (10.10.153.218)
            SrcMask: 0
            DstMask: 0
            IP TTL: 64
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 52
            UDP Length: 0
            TCP Sequence Number: 1912585720
            TCP Acknowledgement Number: 131047869
            TCP Windows Size: 1082
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.217 (10.10.153.217)
            Post NAT Destination IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0

No.     Time           Source                Destination           Protocol Length Info
 384733 750.593356000  10.10.153.218         10.26.35.34           CFLOW    638    IPFIX partial flow (596/6 bytes)

Frame 384733: 638 bytes on wire (5104 bits), 638 bytes captured (5104 bits) on interface 0
Ethernet II, Src: Routerbo_XX:XX:XX (XX:XX:XX:XX:XX:XX), Dst: YY:YY:YY:YY:YY:YY (YY:YY:YY:YY:YY:YY)
Internet Protocol Version 4, Src: 10.10.153.218 (10.10.153.218), Dst: 10.26.35.34 (10.26.35.34)
User Datagram Protocol, Src Port: 2055 (2055), Dst Port: 2055 (2055)
Cisco NetFlow/IPFIX
    Version: 10
    Length: 6
    Timestamp: Jul  5, 1970 11:38:40.000000000 GTB Daylight Time
        ExportTime: 16015120
    FlowSequence: 385
    Observation Domain Id: 0
    Set 1
        FlowSet Id: (Data) (258)
        FlowSet Length: 580
        Flow 1
            IPVersion: 04
            [Duration: 1.820000000 seconds]
                StartTime: 16011.220000000 seconds
                EndTime: 16013.040000000 seconds
            Packets: 3
            Octets: 288
            SrcPort: 0
            DstPort: 0
            InputInt: 4
            OutputInt: 0
            Protocol: 1
            IP ToS: 0x00
            TCP Flags: 0x00
            Destination Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            Post Source Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            SrcAddr: 10.69.110.16 (10.69.110.16)
            DstAddr: 10.10.153.218 (10.10.153.218)
            NextHop: 10.10.153.218 (10.10.153.218)
            SrcMask: 0
            DstMask: 0
            IP TTL: 63
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 96
            UDP Length: 0
            TCP Sequence Number: 0
            TCP Acknowledgement Number: 0
            TCP Windows Size: 0
            IGMP Type: 0
            IPv4 ICMP Type: 8
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.69.110.16 (10.69.110.16)
            Post NAT Destination IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 2
            IPVersion: 04
            [Duration: 1.820000000 seconds]
                StartTime: 16011.220000000 seconds
                EndTime: 16013.040000000 seconds
            Packets: 3
            Octets: 288
            SrcPort: 0
            DstPort: 0
            InputInt: 0
            OutputInt: 4
            Protocol: 1
            IP ToS: 0x00
            TCP Flags: 0x00
            Destination Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Post Source Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            SrcAddr: 10.10.153.218 (10.10.153.218)
            DstAddr: 10.69.110.16 (10.69.110.16)
            NextHop: 10.10.153.217 (10.10.153.217)
            SrcMask: 0
            DstMask: 0
            IP TTL: 64
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 96
            UDP Length: 0
            TCP Sequence Number: 0
            TCP Acknowledgement Number: 0
            TCP Windows Size: 0
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAT Destination IPv4 Address: 10.69.110.16 (10.69.110.16)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 3
            IPVersion: 04
            [Duration: 0.000000000 seconds]
                StartTime: 16013.120000000 seconds
                EndTime: 16013.120000000 seconds
            Packets: 2
            Octets: 1056
            SrcPort: 2055
            DstPort: 2055
            InputInt: 0
            OutputInt: 4
            Protocol: 17
            IP ToS: 0x00
            TCP Flags: 0x00
            Destination Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Post Source Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            SrcAddr: 10.10.153.218 (10.10.153.218)
            DstAddr: 10.26.35.34 (10.26.35.34)
            NextHop: 10.10.153.217 (10.10.153.217)
            SrcMask: 0
            DstMask: 0
            IP TTL: 255
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 528
            UDP Length: 508
            TCP Sequence Number: 0
            TCP Acknowledgement Number: 0
            TCP Windows Size: 0
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAT Destination IPv4 Address: 10.26.35.34 (10.26.35.34)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 4
            IPVersion: 04
            [Duration: 0.000000000 seconds]
                StartTime: 16013.120000000 seconds
                EndTime: 16013.120000000 seconds
            Packets: 2
            Octets: 800
            SrcPort: 2055
            DstPort: 2055
            InputInt: 0
            OutputInt: 4
            Protocol: 17
            IP ToS: 0x00
            TCP Flags: 0x00
            Destination Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Post Source Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            SrcAddr: 10.10.153.218 (10.10.153.218)
            DstAddr: 10.69.110.21 (10.69.110.21)
            NextHop: 10.10.153.217 (10.10.153.217)
            SrcMask: 0
            DstMask: 0
            IP TTL: 255
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 400
            UDP Length: 380
            TCP Sequence Number: 0
            TCP Acknowledgement Number: 0
            TCP Windows Size: 0
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAT Destination IPv4 Address: 10.69.110.21 (10.69.110.21)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 5
            IPVersion: 04
            [Duration: 1.010000000 seconds]
                StartTime: 16012.600000000 seconds
                EndTime: 16013.610000000 seconds
            Packets: 4
            Octets: 256
            SrcPort: 2000
            DstPort: 39216
            InputInt: 4
            OutputInt: 0
            Protocol: 6
            IP ToS: 0x00
            TCP Flags: 0x18
            Destination Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            Post Source Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            SrcAddr: 10.10.153.217 (10.10.153.217)
            DstAddr: 10.10.153.218 (10.10.153.218)
            NextHop: 10.10.153.218 (10.10.153.218)
            SrcMask: 0
            DstMask: 0
            IP TTL: 64
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 64
            UDP Length: 0
            TCP Sequence Number: 1439408196
            TCP Acknowledgement Number: 786858306
            TCP Windows Size: 905
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.217 (10.10.153.217)
            Post NAT Destination IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 6
            IPVersion: 04
            [Duration: 2.030000000 seconds]
                StartTime: 16011.580000000 seconds
                EndTime: 16013.610000000 seconds
            Packets: 9
            Octets: 528
            SrcPort: 39216
            DstPort: 2000
            InputInt: 0
            OutputInt: 4
            Protocol: 6
            IP ToS: 0x00
            TCP Flags: 0x18
            Destination Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Post Source Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            SrcAddr: 10.10.153.218 (10.10.153.218)
            DstAddr: 10.10.153.217 (10.10.153.217)
            NextHop: 10.10.153.217 (10.10.153.217)
            SrcMask: 0
            DstMask: 0
            IP TTL: 64
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 64
            UDP Length: 0
            TCP Sequence Number: 786858282
            TCP Acknowledgement Number: 1439408184
            TCP Windows Size: 913
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAT Destination IPv4 Address: 10.10.153.217 (10.10.153.217)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0

No.     Time           Source                Destination           Protocol Length Info
 385861 752.592360000  10.10.153.218         10.26.35.34           CFLOW    830    IPFIX partial flow (788/8 bytes)

Frame 385861: 830 bytes on wire (6640 bits), 830 bytes captured (6640 bits) on interface 0
Ethernet II, Src: Routerbo_XX:XX:XX (XX:XX:XX:XX:XX:XX), Dst: YY:YY:YY:YY:YY:YY (YY:YY:YY:YY:YY:YY)
Internet Protocol Version 4, Src: 10.10.153.218 (10.10.153.218), Dst: 10.26.35.34 (10.26.35.34)
User Datagram Protocol, Src Port: 2055 (2055), Dst Port: 2055 (2055)
Cisco NetFlow/IPFIX
    Version: 10
    Length: 8
    Timestamp: Jul  5, 1970 12:12:00.000000000 GTB Daylight Time
        ExportTime: 16017120
    FlowSequence: 386
    Observation Domain Id: 0
    Set 1
        FlowSet Id: (Data) (258)
        FlowSet Length: 772
        Flow 1
            IPVersion: 04
            [Duration: 0.000000000 seconds]
                StartTime: 16014.870000000 seconds
                EndTime: 16014.870000000 seconds
            Packets: 2
            Octets: 192
            SrcPort: 0
            DstPort: 0
            InputInt: 4
            OutputInt: 0
            Protocol: 1
            IP ToS: 0x00
            TCP Flags: 0x00
            Destination Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            Post Source Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            SrcAddr: 10.69.110.16 (10.69.110.16)
            DstAddr: 10.10.153.218 (10.10.153.218)
            NextHop: 10.10.153.218 (10.10.153.218)
            SrcMask: 0
            DstMask: 0
            IP TTL: 63
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 96
            UDP Length: 0
            TCP Sequence Number: 0
            TCP Acknowledgement Number: 0
            TCP Windows Size: 0
            IGMP Type: 0
            IPv4 ICMP Type: 8
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.69.110.16 (10.69.110.16)
            Post NAT Destination IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 2
            IPVersion: 04
            [Duration: 0.000000000 seconds]
                StartTime: 16014.870000000 seconds
                EndTime: 16014.870000000 seconds
            Packets: 2
            Octets: 192
            SrcPort: 0
            DstPort: 0
            InputInt: 0
            OutputInt: 4
            Protocol: 1
            IP ToS: 0x00
            TCP Flags: 0x00
            Destination Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Post Source Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            SrcAddr: 10.10.153.218 (10.10.153.218)
            DstAddr: 10.69.110.16 (10.69.110.16)
            NextHop: 10.10.153.217 (10.10.153.217)
            SrcMask: 0
            DstMask: 0
            IP TTL: 64
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 96
            UDP Length: 0
            TCP Sequence Number: 0
            TCP Acknowledgement Number: 0
            TCP Windows Size: 0
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAT Destination IPv4 Address: 10.69.110.16 (10.69.110.16)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 3
            IPVersion: 04
            [Duration: 27.660000000 seconds]
                StartTime: 15987.450000000 seconds
                EndTime: 16015.110000000 seconds
            Packets: 411
            Octets: 32667
            SrcPort: 65470
            DstPort: 8291
            InputInt: 4
            OutputInt: 0
            Protocol: 6
            IP ToS: 0x00
            TCP Flags: 0x18
            Destination Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            Post Source Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            SrcAddr: 10.26.35.34 (10.26.35.34)
            DstAddr: 10.10.153.218 (10.10.153.218)
            NextHop: 10.10.153.218 (10.10.153.218)
            SrcMask: 0
            DstMask: 0
            IP TTL: 61
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 523
            UDP Length: 0
            TCP Sequence Number: 537131081
            TCP Acknowledgement Number: 3081807626
            TCP Windows Size: 65184
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.26.35.34 (10.26.35.34)
            Post NAT Destination IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 4
            IPVersion: 04
            [Duration: 0.000000000 seconds]
                StartTime: 16015.120000000 seconds
                EndTime: 16015.120000000 seconds
            Packets: 2
            Octets: 1248
            SrcPort: 2055
            DstPort: 2055
            InputInt: 0
            OutputInt: 4
            Protocol: 17
            IP ToS: 0x00
            TCP Flags: 0x00
            Destination Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Post Source Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            SrcAddr: 10.10.153.218 (10.10.153.218)
            DstAddr: 10.26.35.34 (10.26.35.34)
            NextHop: 10.10.153.217 (10.10.153.217)
            SrcMask: 0
            DstMask: 0
            IP TTL: 255
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 624
            UDP Length: 604
            TCP Sequence Number: 0
            TCP Acknowledgement Number: 0
            TCP Windows Size: 0
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAT Destination IPv4 Address: 10.26.35.34 (10.26.35.34)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 5
            IPVersion: 04
            [Duration: 0.000000000 seconds]
                StartTime: 16015.120000000 seconds
                EndTime: 16015.120000000 seconds
            Packets: 2
            Octets: 936
            SrcPort: 2055
            DstPort: 2055
            InputInt: 0
            OutputInt: 4
            Protocol: 17
            IP ToS: 0x00
            TCP Flags: 0x00
            Destination Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Post Source Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            SrcAddr: 10.10.153.218 (10.10.153.218)
            DstAddr: 10.69.110.21 (10.69.110.21)
            NextHop: 10.10.153.217 (10.10.153.217)
            SrcMask: 0
            DstMask: 0
            IP TTL: 255
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 468
            UDP Length: 448
            TCP Sequence Number: 0
            TCP Acknowledgement Number: 0
            TCP Windows Size: 0
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAT Destination IPv4 Address: 10.69.110.21 (10.69.110.21)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 6
            IPVersion: 04
            [Duration: 0.000000000 seconds]
                StartTime: 16015.600000000 seconds
                EndTime: 16015.600000000 seconds
            Packets: 3
            Octets: 192
            SrcPort: 2000
            DstPort: 39216
            InputInt: 4
            OutputInt: 0
            Protocol: 6
            IP ToS: 0x00
            TCP Flags: 0x18
            Destination Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            Post Source Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            SrcAddr: 10.10.153.217 (10.10.153.217)
            DstAddr: 10.10.153.218 (10.10.153.218)
            NextHop: 10.10.153.218 (10.10.153.218)
            SrcMask: 0
            DstMask: 0
            IP TTL: 64
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 64
            UDP Length: 0
            TCP Sequence Number: 1439408232
            TCP Acknowledgement Number: 786858342
            TCP Windows Size: 905
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.217 (10.10.153.217)
            Post NAT Destination IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 7
            IPVersion: 04
            [Duration: 8.370000000 seconds]
                StartTime: 16007.320000000 seconds
                EndTime: 16015.690000000 seconds
            Packets: 50
            Octets: 3700
            SrcPort: 42989
            DstPort: 161
            InputInt: 4
            OutputInt: 0
            Protocol: 17
            IP ToS: 0x00
            TCP Flags: 0x00
            Destination Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            Post Source Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            SrcAddr: 10.69.110.15 (10.69.110.15)
            DstAddr: 10.10.153.218 (10.10.153.218)
            NextHop: 10.10.153.218 (10.10.153.218)
            SrcMask: 0
            DstMask: 0
            IP TTL: 63
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 74
            UDP Length: 54
            TCP Sequence Number: 0
            TCP Acknowledgement Number: 0
            TCP Windows Size: 0
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.69.110.15 (10.69.110.15)
            Post NAT Destination IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0
        Flow 8
            IPVersion: 04
            [Duration: 6.340000000 seconds]
                StartTime: 16009.350000000 seconds
                EndTime: 16015.690000000 seconds
            Packets: 48
            Octets: 3600
            SrcPort: 161
            DstPort: 42989
            InputInt: 0
            OutputInt: 4
            Protocol: 17
            IP ToS: 0x00
            TCP Flags: 0x00
            Destination Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Post Source Mac Address: Routerbo_ZZ:ZZ:ZZ (ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
            SrcAddr: 10.10.153.218 (10.10.153.218)
            DstAddr: 10.69.110.15 (10.69.110.15)
            NextHop: 10.10.153.217 (10.10.153.217)
            SrcMask: 0
            DstMask: 0
            IP TTL: 64
            IsMulticast: 0
            IP Header Length: 5
            IP Total Length: 75
            UDP Length: 55
            TCP Sequence Number: 0
            TCP Acknowledgement Number: 0
            TCP Windows Size: 0
            IGMP Type: 0
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: 10.10.153.218 (10.10.153.218)
            Post NAT Destination IPv4 Address: 10.69.110.15 (10.69.110.15)
            Post NAPT Source Transport Port: 0
            Post NAPT Destination Transport Port: 0

Reverting back to NetFlow v9 the timestamp fields contain the right date/time.

Those bad timestamps cause software like nfacct/pmacct to insert bad data to the database.
Also it discards many flows due to bad sequence number (although checking the capture the sequence numbers seem ok. Maybe nfacct consults the timestamp along with the sequence number to detect if a received flow is valid)

Here's my traffic flow configuration:

> /ip traffic-flow export verbose
# may/29/2016 22:35:09 by RouterOS 6.36rc19
# software id = 
#
/ip traffic-flow
set active-flow-timeout=1m cache-entries=32k enabled=yes inactive-flow-timeout=1s interfaces=ether3-ibgp
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes \
    icmp-type=yes igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes \
    last-forwarded=yes nat-dst-address=yes nat-dst-port=yes nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes \
    protocol=yes src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes \
    tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip traffic-flow target
add disabled=no dst-address=10.69.110.21 port=2055 src-address=0.0.0.0 v9-template-refresh=20 v9-template-timeout=1m version=9
add disabled=no dst-address=10.26.35.34 port=2055 src-address=0.0.0.0 v9-template-refresh=20 v9-template-timeout=1m version=ipfix

[Ticket#2016052966000463]

docmarius · Sun May 29, 2016 11:43 pm

Ticket#2016051166000808 is solved (tnx).
USB port with GPS and GPS is working (again) since rc16.

NTP server with GPS is still broken and remains in INIT state (since 6.35, works on 6.34.2).

Mon May 30, 2016 1:43 pm

Version 6.36rc20 has been released.

Changes since previous version:
*) dude - (changes discussed here: forum.mikrotik.com/viewtopic.php?f=8&t=108083 );
*) ippool6 - fixed crash on acquire when prefix length is equal with pool prefix length;
*) rb3011 - improved performance on high cpu usage;
*) snmp - report ram memory as ram instead of other;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.