v6.36 [current] is released!

Thu Jul 21, 2016 10:39 am

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

*) arm - added Dude server support;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=110428);
*) dude - server package is now made smaller. client side content upgrade is now removed from it and is downloaded straight from our cloud. So workstations on which client is used will require access to wan. Alternatively upgrade must be done by reinstalling the client on each new release;
*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-interface-list matcher in firewall and use as a filter in traffic-flow;
*) firewall - added pre-connection tracking filter - "raw" table, that allow to protect connection-tracking from unnecessary traffic;
*) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);
*) wireless - wireless-fp is discontinued, it needs to be uninstalled/disabled before upgrade;
*) address - allow multiple equal ip addresses to be added if neither or only one is enabled;
*) address-list - make "dynamic=yes" as read-only option;
*) arm - fixed kernel failure on low memory;
*) arp - added arp-timeout option per interface;
*) bonding - fixed 802.3ad load balancing mode over tunnels ;
*) bonding - fixed bonding primary slave assignment for ovpn interfaces after startup;
*) bonding - fixed crash on RoMON traffic transmit;
*) bonding - implemented l2mtu value == smallest slave interfaces l2mtu;
*) capsman - fixed crash when running over ovpn;
*) certificate - added automatic scep renewal delay after startup to avoid all requests accessing CA at the same time;
*) certificate - cancel pending renew when certificate becomes valid after date change;
*) certificate - display issuer and subject on check failure;
*) certificate - do not exit after card-verify;
*) certificate - force scep renewal on system clock updates;
*) chr - fixed CHR seeing its own system disk mounted as additional data disk;
*) clock - fixed time keeping for SXT ac, 911L, cAP, mAP lite, wAP;
*) clock - save current time to configuration once per day even if there are no time zone adjustments pending;
*) cloud - fixed export order;
*) console - fixed get false function;
*) console - show message time in echo log messages;
*) defconf - changed channel extension to 20/40/80mhz for all ac boards;
*) dhcp-pd - correct server listing for commands;
*) dhcp-server - fixed radius framed route addition after reboot on client renew;
*) dhcpv6-client - fixed ia lifetime validation when it is set by dhcpv6 client;
*) dhcpv6-relay - set packet link-address only when it is manually configured;
*) dhcpv6-server - fixed binding last-seen update;
*) disk - added support for Plextor PX-G128M6e(A) SSD on CCR1072;
*) email - fixed send from winbox;
*) email - removed subject and body length limit;
*) ethernet - fixed incorrect ether1 link speed after reboot on rb4xx series routers;
*) ethernet - fixed memory leak when setting interface without changing configuration;
*) fastpath - fixed kernel failure when fastpath handles packet with multicast dst-address;
*) fetch - support tls host name extension;
*) firewall - added udplite, dccp, sctp connection tracking helpers;
*) firewall - do not show disabled=no in export;
*) firewall - fixed spelling in built-in firewall commentary;
*) gps - fixed longitude seconds part;
*) health - fixed broken factory voltage calibration data for some hAP ac boards;
*) health - fixed incorrect voltage after reboot on RB2011UAS;
*) icmp - fixed kernel failure when icmp packet could not be processed on high load;
*) ippool6 - fixed crash on acquire when prefix length is equal with pool prefix length;
*) ipsec - add dead ph2 detection exception for windows msgid noncompliance with rfc;
*) ipsec - added dead ph2 reply detection;
*) ipsec - don't register temporary ph2 on dead list;
*) ipsec - fix initiator modecfg dynamic dns;
*) ipsec - fixed AH with SHA2;
*) ipsec - fixed checks before accessing ph1 nat options;
*) ipsec - fixed mode-config export;
*) ipsec - fixed route cache overflow when using ipsec with route cache disabled;
*) ipsec - fixed windows msgid check on x86 devices;
*) ipsec - show remote peer address in error messages when possible;
*) ipsec - store udp encapsulation type in proposal;
*) kernel - fixed possible kernel deadlock when Sierra USB mode is being used;
*) l2tp - fixed crash when rebooting or disabling l2tp while there are still active connections;
*) lcd - reduced lowest backlight-timeout value from 5m to 30s;
*) license - do not expire demo license right after fresh installation of x86;
*) log - added whole scep certificate chain print;
*) log - increase excessive multicast/broadcast warning threshold every time it is logged;
*) log - make logging process less aggressive on startup;
*) lte - added allow-roaming option for Huawei MU709, ME909s devices;
*) lte - added cinterion pls8 support;
*) lte - added support for Huawei E3531;
*) lte - added support for ZTE ZM8620;
*) lte - added use-peer-dns option (will work only combined with add-default-route);
*) lte - changed driver loading for class 2 usb rndis devices;
*) lte - display message in lte,error log if no response received;
*) lte - display message in lte,error log when PIN is required;
*) lte - fix crash on SXT LTE while resetting card while at high traffic;
*) lte - fixed access technology logging;
*) lte - fixed connection for Huawei without cell info;
*) lte - fixed modem init when pin request present;
*) lte - fixed modem network configuration version checks;
*) lte - fixed network-mode support after downgrade;
*) lte - Huawei MU609 must use latest firmware to work correctly;
*) lte - improved multiple same model modems identification;
*) lte - show uicc for Huawei modems;
*) lte - use only creg result codes as network status indications;
*) mesh - fixed crash when connection references a mesh network but it is not available any more;
*) modem - added support for Alcatel OneTouch X600;
*) modem - added support for Quectel EC21 and EC25;
*) modem - added support for SpeedUP SU-900U modem;
*) nand - improved nand refresh feature to enhance stored data integrity;
*) ovpn - enable perfect forwarding secrecy support by default;
*) ovpn - fixed compatibility with OpenVPN 2.3.11;
*) pppoe - allow to set MTU and MRU higher than 1500 for PPPoE;
*) pppoe - do not allow to send out bigger packets than l2mtu if mrru is provided;
*) proxy - limit max ram usage to 80% for tile and x86 devices;
*) queue - reset queue type on interfaces which default queue type changes to no-queue after upgrade;
*) rb2011 - fixed ether6-ether10 flapping when two ports from both switch chips are in the same bridge;
*) rb3011 - fixed port flapping on ether6-ether10;
*) rb3011 - fixed reset button functionality;
*) rb3011 - fixed usb driver load;
*) rb3011 - fixed usb storage mounting;
*) rb3011 - improved performance on high cpu usage;
*) route - added suppport for more than 8 bits of options;
*) route - fixed ospf by handling ipv6 encoded prefixes with stray bits;
*) sniffer - fixed ipv6 address matching;
*) snmp - fixed get function for snmp>=v2 when oid does not exist;
*) snmp - fixed interface stats branch from MikroTik MIB;
*) snmp - report current access technology and cell id for lte modems;
*) snmp - report ram memory as ram instead of other;
*) ssh - add rsa host key size parameter;
*) ssh-keygen - add rsa key size parameter;
*) ssl - do not exit while there still are active sessions;
*) ssl - fixed memory leak on ssl connect/disconnect (fetch, ovpn, etc.);
*) sstp - fixed dns name support in connect-to field if http-proxy is specified;
*) supout - erase panic data properly on Netinstall;
*) switch - fixed switch compact export;
*) timezone - updated timezone information from tzdata2016e release;
*) traffic-flow - added ipfix support (RFC5101 and RFC5102);
*) tunnel - added option to auto detect tunnel local-address;
*) tunnel - fixed rare crash by specifying minimal header length immediately at tunnel initialization;
*) upnp - fixed nat rule dst-port by making it visible again;
*) usb - I-tec U3GLAN3HUB usb hub/ethernet dongle now shows up correctly as ethernet interface;
*) usb - implement possibility to recognize usb hubs/ethernet-dongles (if usb hubs/ethernet-dongles are not recognized with this version - send supout.rif file);
*) userman - fixed crash on database upload;
*) userman - use ipnpb.paypal.com for payment verification;
*) wap-ac - fixed performance problems with 2.4GHz wireless (additional reboot after upgrade required);
*) webfig - do not allow to press OK or Apply if current configuration values are not loaded yet;
*) webfig - reduced refresh time for wireless registration table to 1 second;
*) winbox - added 2ghz-g/n band for wireless-rep;
*) winbox - added icons to bridge filter actions similar to ip firewall;
*) winbox - added support for ipv6 dhcp relay;
*) winbox - allow to reorder hotspot walled-garden & walled-garden-ip rules;
*) winbox - do not allow to specify vlan-mode=no-tag in capsman datapath config;
*) winbox - do not show filter for combined fields like bgp-vpn4 RD;
*) winbox - do not show mode setting for WDS interfaces;
*) winbox - fixed crash on disconnect in secure mode;
*) winbox - fixed crash when using ctrl+d;
*) winbox - fixed safe mode;
*) winbox - improve filtering on list fields;
*) winbox - report correctly dude users in active users list;
*) winbox - set default sa-learning value to "yes" for CRS Ingress VLAN Translation rules;
*) winbox - show action column as first in bridge firewall;
*) winbox - show error when telnet is not allowed because of permissions;
*) wireless - fixed multiple wireless packages enabled at the same time after upgrade;
*) wireless-rep - added initial API support for snooper;
*) wireless-rep - fixed crash on nv2 reconnect;
*) wireless-rep - fixed scan-list unset;
*) wireless-rep - treat missing SSID element as hidden SSID;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

paulct · Thu Jul 21, 2016 11:00 am

Wowsers! Now that is a list

Well done and thanks!

patrick7 · Thu Jul 21, 2016 11:20 am

hAP AC looks fine after upgrade.

Thu Jul 21, 2016 11:30 am

Thank you to Mikrotik support and developers for all the hard work that has gone in to 6.36

This release fixes a number of bugs we were experiencing and is a solid step towards RouterOS v7

patrick7 · Thu Jul 21, 2016 11:38 am

I get the following message at startup:

09:58:10 script,warning DefConf: Unable to find wireless interface(s)

Zorro · Thu Jul 21, 2016 11:39 am

thats FANTASTIC !!
*went to make some tea to celebrate that*

dadaniel · Thu Jul 21, 2016 1:43 pm

I noticed that export compact now generates

log-prefix=""

at every firewall line.

And

/ip upnp export

does only generate /ip upnp interfaces output. set enabled=yes/no is missing!

Thu Jul 21, 2016 2:24 pm

dadaniel - Firewall rules export issue will be fixed within 6.37rc version but UPnP settings are shown in export on my router. Please send supout file to support@mikrotik.com. We will investigate it and see what is wrong.

patrick7 · Thu Jul 21, 2016 2:26 pm

Why will this problem not be fixed in the stable release? Problems in "stable" should be fixed in stable, not in new beta/rc's.

Thu Jul 21, 2016 2:36 pm

We will not rebuild 6.36 version which is already released. First issues are fixed in rc version and then fixes are combined with 6.36 version. To give more precise answer - fix will be included in 6.37rc, 6.36.x and future versions newer that 6.37.

patrick7 · Thu Jul 21, 2016 2:49 pm

Yes, I don't ask you to rebuild the version, but to include it also in 6.36.X

Paternot · Thu Jul 21, 2016 3:00 pm

Amazing! A ton of bugfixes, and multiple interfaces on firewall rules!

Now I just have to wait the first wave of early adopters...

mirolm · Thu Jul 21, 2016 3:08 pm

After upgrade to 6.36 wireless-fp got removed as expected, but wireless-rep is missing. I got only wireless-cm2 atm.

Where i can get wireless-rep from and is it backward compatible with older wireless packages?

freemannnn · Thu Jul 21, 2016 3:15 pm

*) firewall - added "/interface list" menu which allows to create list of interfaces which can be used as in/out-interface-list matcher in firewall and use as a filter in traffic-flow;

this list can be made by terminal only?
winbox?

update...
i found the tab interface list in interface. thank u!

notToNew · Thu Jul 21, 2016 3:21 pm

Upgraded my little test-enviroment(HAP-AC lite) from 6.36rc40 to 6.36, but device does not go online.
As it has no COM-Port, I have no idea what's going on. 6.36rc40 rebootet without problems.
Maybe some firewall rules regarding the new lists got mixed up again?!?

Edit: If I get no other advice, I will do a Netinstall and try to restore a backup

dadaniel · Thu Jul 21, 2016 3:37 pm

dadaniel - Firewall rules export issue will be fixed within 6.37rc version but UPnP settings are shown in export on my router. Please send supout file to support@mikrotik.com. We will investigate it and see what is wrong.

I found out that "set enabled=yes" is exported, but "set enabled=no" is missing, although it should be there as I'm not using export compact

Thu Jul 21, 2016 4:02 pm

Router works, VPNs connect but ....

941.PNG

Thu Jul 21, 2016 4:14 pm

as I'm not using export compact

export is compact by default since early 6.0 RCs.

notToNew · Thu Jul 21, 2016 5:15 pm

can anyone tell me that how to use RAW tab in firewall.

See the new http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6.
RAW is before Connection-Tracking, and so it allows to bypass it for max-performance.

dadaniel · Thu Jul 21, 2016 5:27 pm

I noticed another thing after upgrade:

my first filter rule

add action=drop chain=forward connection-state=invalid

got changed to connection-state="" (also in Winbox checkbox is disabled now)

SimWhite · Thu Jul 21, 2016 5:44 pm

Please explain how domain name to address-lists works? Does it resolve it just once while address list created or on every query?

105547111 · Thu Jul 21, 2016 5:44 pm

Thanks support 11 routers upgraded - no issues (1 X CCR1016, 2 X CRS125, 2 X SXT5AC, 1 X RB751G and 5 X RB951G)

Cha0s · Thu Jul 21, 2016 6:01 pm

Please explain how domain name to address-lists works? Does it resolve it just once while address list created or on every query?

It uses the domain's TTL,

anuser · Thu Jul 21, 2016 7:24 pm

CAPSMAN + wireless rep: Auto channel doesn´t work. Clients get disconnected too often. After setting static frequencies, connections are fine.
(I have 3+ WAP ac access point in 1 room, so they can see themselves)

notToNew · Thu Jul 21, 2016 7:50 pm

Regarding my upgrade-issue (6.36rc40 to 6.36): A startupscript generating backupfiles local AND on a USB-Stick did not run anymore.
Netinstall with downgrade worked, but I lost 2 DHCP-Static lease-entries and 1 address-list entry using the new dns-feature.

Strange. The device was in a bootloop. Is it possible that the filesystem went full while the upgrade was running?!?
I currently have only 300kb free space although there is only 1 backupfile on the partition. I used to have more free space before doing the netinstall.

Thu Jul 21, 2016 9:31 pm

I can't wait to start using the interface lists feature - this is an excellent addition to ROS because now it's easy to make a true zone-based policy configuration that is independent of physical interface names - just add/remove interfaces from the policy!

Although, I have to say that the interface to it in Winbox still feels a touch clunky compared to the address lists / custom chains, because simply typing a name into a field in a rule is sufficient to create a new chain / address list, but currently one must click the button and open the lists window and actually create the interface list first.

Oh well, not griping - just giving some feedback.
6.36 is quite a major revision - great job, Mikrotik!

Cha0s · Thu Jul 21, 2016 10:00 pm

I can't wait to start using the interface lists feature - this is an excellent addition to ROS because now it's easy to make a true zone-based policy configuration that is independent of physical interface names - just add/remove interfaces from the policy!

I've already been using this feature for just that! It has simplified my configuration immensely!
It's really a great addition to RouterOS

Although, I have to say that the interface to it in Winbox still feels a touch clunky compared to the address lists / custom chains, because simply typing a name into a field in a rule is sufficient to create a new chain / address list, but currently one must click the button and open the lists window and actually create the interface list first.

++

proximus · Thu Jul 21, 2016 10:07 pm

Please explain how domain name to address-lists works? Does it resolve it just once while address list created or on every query?

Ouchy! Just to see what would happen, I read in a 390 entry domain block list (sourced from https://ransomwaretracker.abuse.ch/down ... _DOMBL.txt ). Hit 85% CPU on a RB2011 and wasn't getting very good IP address resolution. I suspect this wasn't the intended use of the feature, but it was worth a try. Sticking with the IP address block lists for now.

Fri Jul 22, 2016 1:25 am

Although, I have to say that the interface to it in Winbox still feels a touch clunky compared to the address lists / custom chains, because simply typing a name into a field in a rule is sufficient to create a new chain / address list, but currently one must click the button and open the lists window and actually create the interface list first.

I agree, the workflow is inconsistent with similar features in RouterOS, and feels "clunky".

I understand address-list and interface-list are different, but there is no reason for the workflow to be different!

elgrandiegote · Fri Jul 22, 2016 2:49 am

The ssl process goes to 100% when I have a profile openvpn server connected with one or more clients

IntrusDave · Fri Jul 22, 2016 6:35 am

The ssl process goes to 100% when I have a profile openvpn server connected with one or more clients

Which router? I have a CCR1016 with 42 OpenVPN clients and my CPU load is less than 2%.

Fri Jul 22, 2016 6:41 am

Although, I have to say that the interface to it in Winbox still feels a touch clunky compared to the address lists / custom chains, because simply typing a name into a field in a rule is sufficient to create a new chain / address list, but currently one must click the button and open the lists window and actually create the interface list first.
I agree, the workflow is inconsistent with similar features in RouterOS, and feels "clunky".

I understand address-list and interface-list are different, but there is no reason for the workflow to be different!

I second this too. Very weird and unusual behaviour. Similar to bridge configuration, but it could be maybe simplified too. And one other thing. I am missing bridge configuration from the interfaces main window. I would like to double click on the bridge in interface window and be able to add /remove interfaces to it directly. Sure, filter rules are common for all bridges , but they can be moved from bridge to firewall and separate bridge main menu could be removed...

Just for considering...

Fri Jul 22, 2016 7:12 am

BartoszP - Please send supout file to support. Our hAP lite devices does have information in routerboard menu. This must be something specific.

Test471 · Fri Jul 22, 2016 9:48 am

I installed 6.36 and now I have a problem with EoIP/IPSec.

The thing is that if I change local address on EoIP interface (manually or via script) it does not update IPSec policy but leaves the old address. This was working before 6.36.

I tried to delete EoIP and create new one but problem is still there. It only puts to IPSec policy what was in local address for the first time. It is not updating.

cutedrummerboy · Fri Jul 22, 2016 10:02 am

after upgrading my igmp proxy is not working. i cannot see any rx or tx packets.

bratislav · Fri Jul 22, 2016 10:27 am

After upgrade to 6.36 wireless-fp got removed as expected, but wireless-rep is missing. I got only wireless-cm2 atm.

Where i can get wireless-rep from and is it backward compatible with older wireless packages?

You can find it in Extra packages zip archive, it is backward compatible but you should disable wireless-cm2 package before installation ...
This actually happened to me too, during installation disabled wireless-fp is uninstalled but new wireless-rep is not installed, it is a bit inconvenient and it seems like a installation bug to me ...

Fri Jul 22, 2016 10:36 am

Installing rep disables cm2 automatically.

notToNew · Fri Jul 22, 2016 10:38 am

Wer can I read what "Insert Queue before" does in Winbox in DHCP-Server/Leases?
I cann't find it in
http://wiki.mikrotik.com/wiki/Manual:IP ... ver#Leases
and I cann't even find it in terminal.
Excuse me if I'm just blind...

demonster · Fri Jul 22, 2016 11:26 am

After update from 6.35.4 prerouting mangle not working.

/ ip firewall mangle chain=prerouting action=mark-routing new-routing-mark=second_provider src-address-list=second_conn_list

I downgrade to 6.35.6 - prerouting working.

ChrisVanMeer · Fri Jul 22, 2016 11:30 am

hAP AC looks fine after upgrade.

Did you experience slow ethernet connection prior to upgrading?
If yes, do you notice improvement after this upgrade with ethernet speeds?

calandri · Fri Jul 22, 2016 12:00 pm

Unfortunately in this update are not present the support UDP on OVPN tunnels

Does anyone know when it will be implemented?
Thanks

Fri Jul 22, 2016 12:01 pm

Unfortunately in this update are not present the support UDP on OVPN tunnels

Does anyone know when it will be implemented?
Thanks

RouterOS 7, as it was promised in the other topics about this.

SimWhite · Fri Jul 22, 2016 1:10 pm

I can't wait to start using the interface lists feature - this is an excellent addition to ROS because now it's easy to make a true zone-based policy configuration that is independent of physical interface names - just add/remove interfaces from the policy!

Could you explain what are you talking about?

Chalky · Fri Jul 22, 2016 1:11 pm

Well that's just completely killed my CHR

Loading system with initrd
ERROR: no system package found!
Kernel panic - not syncing : Attempted to kill init!
Rebooting in 1 seconds...

Bye bye Dude installation...

mandrade · Fri Jul 22, 2016 1:41 pm

After update from 6.35.4 prerouting mangle not working.
Code: Select all
/ ip firewall mangle chain=prerouting action=mark-routing new-routing-mark=second_provider src-address-list=second_conn_list
I downgrade to 6.35.6 - prerouting working.

Same problem Here.....

Fri Jul 22, 2016 2:56 pm

madnrade - Please send supout file to support. If you do not use address list specified on rule does it work then?

zilf · Fri Jul 22, 2016 4:16 pm

Hap lite - everything is working.

elgrandiegote · Fri Jul 22, 2016 4:16 pm

The ssl process goes to 100% when I have a profile openvpn server connected with one or more clients
Which router? I have a CCR1016 with 42 OpenVPN clients and my CPU load is less than 2%.

I have no lucky to have a ccr, I tried it in several RB2011, and using the ssl process cpu goes to 100%, downgrade to 6.35.4 and it works perfect

michaelcarno · Fri Jul 22, 2016 4:18 pm

After update from 6.35.4 prerouting mangle not working.
Code: Select all
/ ip firewall mangle chain=prerouting action=mark-routing new-routing-mark=second_provider src-address-list=second_conn_list
I downgrade to 6.35.6 - prerouting working.
Same problem Here.....

Same, mangle doesnt work as it work with 6.35.6. Tested on CC1016-12G.

Fri Jul 22, 2016 4:28 pm

I can't wait to start using the interface lists feature - this is an excellent addition to ROS because now it's easy to make a true zone-based policy configuration that is independent of physical interface names - just add/remove interfaces from the policy!
Could you explain what are you talking about?

You can define policies using interface-lists as your keys on policy:
in-interface-list=WAN potocol=udp dport=53 action=drop
In the past, if you had 3 WAN interfaces, you had to repeat the above rule two more times, once for each interface. It gets even more complicated if your logic requires a NOT (!) operator:
in-interace-list=!LAN action=drop --> drop anything NOT on the LAN group of interfaces
whereas these two rules:
in-interface=!ether4 action=drop
in-interface=!wlan1 action=drop
This drops ALL packets, LAN or otherwise because if it's on wlan1, rule 1 will drop it, and if it's on ether4, rule 2 will drop it. If it's on any other interface, rule 1 will drop that too.
Putting ether4 and wlan1 into a group (LAN) and using the single rule above makes logic simpler and firewall rule chains shorter (thus faster).

Fraction · Fri Jul 22, 2016 5:38 pm

Winbox Secure Mode doesn't work with Windows 10.

Secure mode -box is checked and lock icon appears after login, but if I capture the traffic with Wireshark, the connection is not encrypted at all..

rajo · Fri Jul 22, 2016 6:58 pm

The interface list matcher needs some serious performance optimization. I converted my firewall filters, mangle and NAT rules to using interface lists and performance tanked up to 50 %.

If I disable my simple queues, I'm able to regain the lost performance; however, that's not a solution. I've now reverted to my prior configurations.

mandrade · Sat Jul 23, 2016 12:01 am

madnrade - Please send supout file to support. If you do not use address list specified on rule does it work then?

This simple rule works fine on 6.35.4, but not work on 6.36 :

/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=!Sem_Proxy dst-port=80 new-routing-mark=PROXY protocol=tcp
/ip route add check-gateway=ping distance=1 gateway=x.x.x.x routing-mark=PROXY

I will send a supout to support

MAYAKNET · Sat Jul 23, 2016 7:07 am

RU:
Доброго времени суток
У меня на X86 после обновления потерялся интерфейс, на котором был подключен модуль SFP+
На рисунке он должен быть - sfpplus009
EN:
Hello
At me on X86 after up-dating the interface on which the SFP+ module was connected was lost
In a figure it shall be - sfpplus009

Test471 · Sat Jul 23, 2016 11:13 am

I installed 6.36 and now I have a problem with EoIP/IPSec.

The thing is that if I change local address on EoIP interface (manually or via script) it does not update IPSec policy but leaves the old address. This was working before 6.36.

I tried to delete EoIP and create new one but problem is still there. It only puts to IPSec policy what was in local address for the first time. It is not updating.

I've tried everything possible and the only thing for IPSec policy to be updated is reboot. It is not helping even to disable/enable EoIP interface...

docmarius · Sat Jul 23, 2016 12:16 pm

NTP server still doesn't work in a GPS + NTP server only configuration:
ROS 6.36 Failure (refid INIT, Stratum 16):

ROS 6.32.4 OK (refid LOCAL, Stratum 4):

markmcn · Sun Jul 24, 2016 10:44 pm

Any one seeing issues with Winbox disconnecting after a few minutes?
I've been running Winbox 3.4 under Wine on linux without issue. I upgraded one router to 6.36 and now it just randomly disconnects after a few minutes.
I've tried from a workstation and laptop both of which have no issues with winbox prior to the upgrade.

andrei · Mon Jul 25, 2016 9:02 am

One interface issue: System->resources is not refreshing in the web page.

paoloaga · Mon Jul 25, 2016 11:09 am

I upgraded some devices on my production network. Everything seems good except for one minor glitch: I have some SSH sessions always open (for days). After some hours, randomly, some SSH sessions through firewalls are dropped (not all). I suppose it might be related to the conntrack, but I still didn't figure out how to reproduce/document it. Reverting back to 6.35.4 solves the issue.

ATROX · Mon Jul 25, 2016 11:16 am

After updating to version 6.36 router reboots endlessly
CCR1036-12G-4S
Now version 6.35rc21

Ansy · Mon Jul 25, 2016 11:22 am

Mobile Tik-App for Android began to crash immediately after login to 6.36 upgraded devices.
6.35.4 worked OK.
Many routers -- RB750UP, RB951U, RB2011, HAP lite.
Please check, confirm and fix something. Thanks in advance.

kristaps · Mon Jul 25, 2016 2:47 pm

Mobile Tik-App for Android began to crash immediately after login to 6.36 upgraded devices.
6.35.4 worked OK.
Many routers -- RB750UP, RB951U, RB2011, HAP lite.
Please check, confirm and fix something. Thanks in advance.

Hello, What phone are you using?
Are you able connect to demo.mt.lv and demo2.mt.lv ?
We cannot replicate your issue locally with Tik-app and 6.36 version on multiple phones.

After updating to version 6.36 router reboots endlessly
CCR1036-12G-4S
Now version 6.35rc21

Please provide more detailed info,

Send us email support@mikrotik.com

patrick7 · Mon Jul 25, 2016 5:29 pm

Also found a difference to 6.35:

Firewall rules which existed before upgrading:

1 ;;; Allow Customers
chain=forward action=accept connection-state=invalid,new in-interface-list=customer out-interface-list=transit log=no log-prefix=""

If I delete it and re add it again:

1 ;;; Allow Customers
chain=forward action=accept connection-state=invalid,new in-interface-list=customer out-interface-list=transit

Paternot · Mon Jul 25, 2016 5:36 pm

Also found a difference to 6.35:

Firewall rules which existed before upgrading:
1    ;;; Allow Customers
      chain=forward action=accept connection-state=invalid,new in-interface-list=customer out-interface-list=transit log=no log-prefix=""
If I delete it and re add it again:

1    ;;; Allow Customers
      chain=forward action=accept connection-state=invalid,new in-interface-list=customer out-interface-list=transit

Just an optimization, isn't it? Looks like it is assuming that rules without the "log=yes" are disabled. Is it right? Does this rule stays disabled, if You restore this new export?

EDIT:
I mean, the log of the rule is disabled, not the rule.

Mon Jul 25, 2016 5:40 pm

If log parameter is not set to yes, then rule will not log.

patrick7 · Mon Jul 25, 2016 5:53 pm

Yes, but since the upgrade, this will not be shown with "print" for new rules. Also it's not possible to unset log/log-prefix...

105547111 · Mon Jul 25, 2016 6:40 pm

I've discovered a ND / IPv6 issue. We have several IPv6 routes, but on our CCR have only 1 set to advertise on the bridge that hands out radvd broadcasts to the inside network.

Now I'm finding two addresses are being advertised despite only the main one is ticked with advertise....

Verified as its random what IPv6 address you get, between the two.

Used some centos servers downstream and they verify the CCR is now advertising both addresses despite only 1 should be..

[Ticket#2016072266000061]

Percanta · Mon Jul 25, 2016 8:04 pm

madnrade - Please send supout file to support. If you do not use address list specified on rule does it work then?
This simple rule works fine on 6.35.4, but not work on 6.36 :
Code: Select all
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=!Sem_Proxy dst-port=80 new-routing-mark=PROXY protocol=tcp
/ip route add check-gateway=ping distance=1 gateway=x.x.x.x routing-mark=PROXY
I will send a supout to support

Same problem here

colin · Tue Jul 26, 2016 4:58 am

The changelog of: *) upnp - fixed nat rule dst-port by making it visible again;

It seems that the dst-port still unvisible.

wolfktl · Tue Jul 26, 2016 9:11 am

Good afternoon.

I wanted to specify.

correction: l2tp - fixed crash when rebooting or disabling l2tp while there are still active connections;
It to treat L2-SERVER?

Who means this correction?

Ansy · Tue Jul 26, 2016 10:46 am

Mobile Tik-App for Android began to crash immediately after login to 6.36 upgraded devices.
6.35.4 worked OK.
Many routers -- RB750UP, RB951U, RB2011, HAP lite.
Please check, confirm and fix something. Thanks in advance.
Hello, What phone are you using?
Are you able connect to demo.mt.lv and demo2.mt.lv ?
We cannot replicate your issue locally with Tik-app and 6.36 version on multiple phones.

Phone is Philips W6500.
Both of demo.mt.lv and demo2.mt.lv crashes Tik-App too, after login as "admin"/"".
Don't crash and says "invalid user or password" with any than empty pass.

I was testing it just during upgrade process -- every updated to 6.36 device began to crash Tik-App, but 6.35.4 still not.

h17 · Tue Jul 26, 2016 11:16 am

After updating to version 6.36 router reboots endlessly
CCR1036-12G-4S

I'm experiencing probably the same thing. Can't verify ATM (I'm at work now), but I've lost access via all uplinks.
The one I can look at from ISP side shows port flapping every few seconds. Looks like reboot loop.
Also CCR1036-12G-4S. I'll send supout file to support if I'll be able to get it.

P.S.
This happened after a few days, not immediately after upgrade.

Ugh! My power supply inside CCR has died (poor electrolytic capacitor + exploded MOSFET).
So I cannot confirm any issue with 3.36 on CCR yet.

ScottReed · Tue Jul 26, 2016 1:59 pm

Pantech UML295 LTE modem support appears to be broken in 6.36 on RouterOS x86.

Downgraded back to 6.35.2.

Tue Jul 26, 2016 5:11 pm

madnrade - Please send supout file to support. If you do not use address list specified on rule does it work then?
This simple rule works fine on 6.35.4, but not work on 6.36 :
Code: Select all
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=!Sem_Proxy dst-port=80 new-routing-mark=PROXY protocol=tcp
/ip route add check-gateway=ping distance=1 gateway=x.x.x.x routing-mark=PROXY
I will send a supout to support
Same problem here

If you have fasttrack enabled, then make sure you are accepting traffic that is marked before fasttrack rule, or disable fasttrack.

mandrade · Tue Jul 26, 2016 8:29 pm

madnrade - Please send supout file to support. If you do not use address list specified on rule does it work then?
This simple rule works fine on 6.35.4, but not work on 6.36 :
Code: Select all
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=!Sem_Proxy dst-port=80 new-routing-mark=PROXY protocol=tcp
/ip route add check-gateway=ping distance=1 gateway=x.x.x.x routing-mark=PROXY
I will send a supout to support
Same problem here
If you have fasttrack enabled, then make sure you are accepting traffic that is marked before fasttrack rule, or disable fasttrack.

FastTrack disabled and all works fine. Waiting final fix on 6.36.1

kristaps · Tue Jul 26, 2016 10:49 pm

Pantech UML295 LTE modem support appears to be broken in 6.36 on RouterOS x86.

Downgraded back to 6.35.2.

Yes There is issue with all simple CDC_Ether and RNDIS modems who uses web config in 6.36 we need to add exact ID for support.
One client have already sent us Pantech UML295 LTE supout.rif file it will be added back in 6.37rc7 and 6.36.1

ScottReed · Tue Jul 26, 2016 10:51 pm

Pantech UML295 LTE modem support appears to be broken in 6.36 on RouterOS x86.

Downgraded back to 6.35.2.
Yes There is issue with all simple CDC_Ether and RNDIS modems who uses web config in 6.36 we need to add exact ID for support.
One client have already sent us Pantech UML295 LTE supout.rif file it will be added back in 6.37rc7 and 6.36.1

@kristaps
Thank you for the prompt reply.

Wed Jul 27, 2016 7:43 am

mandrade - This is not a bug. That is how FastTrack works. Please read this manual:
http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack

FastTrack main purpose is to accept some kind of traffic without limiting it and without checking it against Firewall rules, etc. If you need to do something else with traffic without just only passing it through router, then you must either disable FastTrack or make an exceptions in Firewall before FastTrack or in FastTrack rule itself.

kyob · Wed Jul 27, 2016 8:14 am

After upgrade my bonding stop working on x86. Issue was strange only icmp was ok and other protocols has no communication. Even winbox couldnt discovery on ipv4 and ipv6. Downgrade to 6.4 fix problem. Logs was clear on both sides pc with ros and switch L2.

vosgessystemes · Wed Jul 27, 2016 11:19 am

Any one seeing issues with Winbox disconnecting after a few minutes?
I've been running Winbox 3.4 under Wine on linux without issue. I upgraded one router to 6.36 and now it just randomly disconnects after a few minutes.
I've tried from a workstation and laptop both of which have no issues with winbox prior to the upgrade.

Exactly the same issue here

Very randomly disconnections only on router upgraded to 6.36
@mikrotikTeam any idea ? Bugfix under dev ?

xavierbt · Wed Jul 27, 2016 11:29 am

Seems that mark routing is failing since 6.36 and only traffic from main wan is working.
If you disable fasttrack rule all works fine.
Same configuration works fine with 6.35.x

xootraoox · Wed Jul 27, 2016 11:35 am

For "firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);".

Please add support for regex domain.

Tnx.

Wed Jul 27, 2016 11:39 am

mark routing is not going to work properly on any version if fasttrack is enabled. The reason why it worked in previous versions is that you were using some feature which could disabled fasttrack. For example, if you routed to pppoe interface, older version did not support fastpath over pppoe so feature was disabled.

Cha0s · Wed Jul 27, 2016 1:11 pm

For "firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);".

Please add support for regex domain.

Tnx.

While it would be welcome, I don't think it's possible.

Say you add *\.domain\.com
How would it know which subdomains to resolve to addresses and add to the list? There could be millions of combinations for '*'.
This is not how domains on address lists work. They are being resolved as they are being added to the list.

xavierbt · Wed Jul 27, 2016 1:55 pm

mark routing is not going to work properly on any version if fasttrack is enabled. The reason why it worked in previous versions is that you were using some feature which could disabled fasttrack. For example, if you routed to pppoe interface, older version did not support fastpath over pppoe so feature was disabled.

But 6.35.4 support pppoe fastpath too.

Wed Jul 27, 2016 1:57 pm

mark routing is not going to work properly on any version if fasttrack is enabled. The reason why it worked in previous versions is that you were using some feature which could disabled fasttrack. For example, if you routed to pppoe interface, older version did not support fastpath over pppoe so feature was disabled.
But 6.35.4 support pppoe fastpath too.

It was just an example.

mandrade · Wed Jul 27, 2016 3:38 pm

mandrade - This is not a bug. That is how FastTrack works. Please read this manual:
http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack

FastTrack main purpose is to accept some kind of traffic without limiting it and without checking it against Firewall rules, etc. If you need to do something else with traffic without just only passing it through router, then you must either disable FastTrack or make an exceptions in Firewall before FastTrack or in FastTrack rule itself.

Ok, i understood, but why it works on previous version and stop on current??? bug fix of a benefic bug ?
BR

hansolo · Wed Jul 27, 2016 5:01 pm

RB951G-2HnD and ZTE MF823 lte-interface disappeared after upgrade to 6.36

downgrade to 6.35.4 lte-interface appears and everything starts to work. What's wrong with the version 6.36?

kristaps · Wed Jul 27, 2016 5:28 pm

@hansolo

Yes, There is issue with all simple CDC_Ether and RNDIS modems who uses web config in 6.36 we need to add exact ID for support.

Please send supout.rif form 6.36 and from 6.35.4 to support@mikrotik.com

xootraoox · Wed Jul 27, 2016 9:23 pm

For "firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);".

Please add support for regex domain.

Tnx.
While it would be welcome, I don't think it's possible.

Say you add *\.domain\.com
How would it know which subdomains to resolve to addresses and add to the list? There could be millions of combinations for '*'.
This is not how domains on address lists work. They are being resolved as they are being added to the list.

Equal to L7 rules, for Facebook example.

*\.facebook\.*

To resolve facebook.com, m.facebook.com and all other variant.

Cha0s · Wed Jul 27, 2016 9:44 pm

Equal to L7 rules, for Facebook example.

*\.facebook\.*

To resolve facebook.com, m.facebook.com and all other variant.

Address lists with domain names are based on resolving their A or CNAME records by using the DNS protocol.
Once a domain is added to an address-list it is resolved by routeros and the resolved IP(s) is added to the same address-list as a dynamic entry with timeout value the TTL returned by the DNS protocol.
When the timeout (TTL) expires, routeros will re-resolve the domains again and if the IP is changed it will replace it in the address-list.
The firewall rules that use those address-lists only take into account the entries with IP addresses. Not the ones with domains.

So given that the domain address-list entries use the DNS protocol to work what you are saying doesn't make sense. You cannot do a wildcard DNS request. How would routeros determine which subdomains are available under *\.facebook\.com or under even worse *\.facebook\.* ? How would it know which TLDs to try?! That's not how DNS works.

I can't think of a way to do what you say without iptables opening each packet to match what you want. What L7 rules already do essentially.

jms1 · Wed Jul 27, 2016 11:15 pm

I can see how to use "/interface list add" to create a list, but how do I control which interfaces are part of the list? http://wiki.mikrotik.com/wiki/Manual:Interface/List is pretty much useless at the moment.

patrick7 · Wed Jul 27, 2016 11:48 pm

Example:

[admin@cr1.fra1] > /int list exp
# jul/27/2016 22:48:23 by RouterOS 6.36
# software id = XXX-XXXX
#
/interface list
add name=customer
add name=transit
add name=vpn
/interface list member
add interface=ether7 list=transit
add interface=ether8 list=transit
add interface=sfpplus1 list=transit
add interface=sit1 list=customer
add interface=gre1 list=vpn
add interface=gre2 list=vpn

You can use the lists in /ip firewall filter

Wed Jul 27, 2016 11:49 pm

I can see how to use "/interface list add" to create a list, but how do I control which interfaces are part of the list? http://wiki.mikrotik.com/wiki/Manual:Interface/List is pretty much useless at the moment.

Step by step:

Untitled.png

xootraoox · Thu Jul 28, 2016 2:54 am

Equal to L7 rules, for Facebook example.

*\.facebook\.*

To resolve facebook.com, m.facebook.com and all other variant.
Address lists with domain names are based on resolving their A or CNAME records by using the DNS protocol.
Once a domain is added to an address-list it is resolved by routeros and the resolved IP(s) is added to the same address-list as a dynamic entry with timeout value the TTL returned by the DNS protocol.
When the timeout (TTL) expires, routeros will re-resolve the domains again and if the IP is changed it will replace it in the address-list.
The firewall rules that use those address-lists only take into account the entries with IP addresses. Not the ones with domains.

So given that the domain address-list entries use the DNS protocol to work what you are saying doesn't make sense. You cannot do a wildcard DNS request. How would routeros determine which subdomains are available under *\.facebook\.com or under even worse *\.facebook\.* ? How would it know which TLDs to try?! That's not how DNS works.

I can't think of a way to do what you say without iptables opening each packet to match what you want. What L7 rules already do essentially.

Hi Cha0s,
I think you are mistaken, the list is dynamic but without expiry (based on TTL), actually I'm using scripts for walk over dns cache and find the entries that match with ".facebook.", this is no regex but work.

In the address list "facebook.com" or "m.facebook.com" is valid, in this case two rules is required... I think anyway is more efficient than the scripts but was just Ideally one rule to follow just a list.
In this image the entries no have timeouts, I tested and the timeout is manually.

Cha0s · Thu Jul 28, 2016 3:43 am

You are right about the timeout value. I didn't remember that detail correctly.

The rest of what I mention about the TTL and how domains are resolved are also confirmed by strods' reply here: http://forum.mikrotik.com/viewtopic.php ... 12#p539412

jms1 · Thu Jul 28, 2016 8:52 pm

Example:
[admin@cr1.fra1] > /int list exp
...
/interface list member
...
You can use the lists in /ip firewall filter

I totally missed the fact that /interface list member existed. Thanks for pointing this out.

marcin21 · Thu Jul 28, 2016 10:52 pm

*) rb2011 - fixed ether6-ether10 flapping when two ports from both switch chips are in the same bridge;

does this mean that when I had eth1 and eth6 both in bridge1 and eth2-eth5, eth6-eth10 switched respectively to their master ports I could have portflapping on 6-10?
When this bug was introduced?

DWE · Fri Jul 29, 2016 9:23 am

RU
Доброе время суток ребята. Помогите пожалуйста проблемы с прошивкой!
У меня MIKROTIK SXT LTE когда стояла прошивка v6.35.2 всё отлично работало,
за исключением когда начинал идти большой трафик через интерфейс LTE, он падал и всё так зависало, настроил watch dog, стал перезагружается mikrotik за сутки раз 5-15,но интерфейс поднимался и всё работало.

Обновился до прошивки v6.36(в ней как я понимаю LTE исправлено, и в момент когда начинает идти большой трафик через интерфейс LTE такой проблемы нету)
Но следующая проблема работает только BAND 3 (10MHz),а мне нужна ширина канала BAND 7(20Mhz) у нас операторы поддерживают в основном только её.
Пробовал менять настройки ставил отдельно галочку BAND 7 появляется надпись PLMN search in progress очень долго весит и через минут 10 поднимается подключение к LTE, захожу в статистику а там пишет BAND 3 (10MHZ) подключается к какой то очень дальней вышке с слабым сигналом.
Также пробовал ставить галки сразу две Band 3 и Band 7 такая же ситуация, и снимать эти галки Mikrotik упорно поднимает подключение и стабильно всё время к этой дальней вышке в диапазоне BAND 3.
При этом доступен диапазон BAND 7 с хорошим и мощным сигналом, но он не подключается к нему!
Всё это я пробовал после обновления до прошивки v6.36,не сбрасывая настройки по умолчанию, а так же пробывал сбросить настройки на по умолчанию и настраивал заново,
не какой разницы, работает только BAND 3!!!!!

Помогите ребята очень нужен интернет уже дней 5 мучаюсь!

Так же откатывался назад на прошивку v6.35.2,не работает так же BAND 7,но после того как сбросишь настройки по умолчанию,
и настроишь всё заново и выберешь в настройках BAND 7, PLMN search in progress происходит очень быстро, поднимается интерфейс LTE и всё начинает работать,
в статистике стоит BAND 7 (20MHz).........

Спасите ребята........

EN

Good time of day guys. Please help a problem with the firmware!
I MIKROTIK SXT LTE when standing firmware v6.35.2 everything works fine,
except when I started to go a lot of traffic through the LTE interface, he fell down and everything is so hangs, set up watch dog, has become restarts mikrotik 5-15 times per day, but the interface is up and it worked.

Updated to v6.36 firmware (in it as I understand LTE fixed, and at the moment when it begins to go a lot of traffic through the LTE interface is no problem)
But the next problem is only BAND 3 (10MHz), and I need the bandwidth BAND 7 (20Mhz) operators support we basically just her.
Tried to change the settings set separately BAND 7 checkmark appears PLMN search in progress inscription very long and weighs
10 minutes climbs to connect to LTE, I go into statistics and then writes BAND 3 (10MHZ) is connected to a very distant tower with a weak signal.
Also I tried to put daw just two Band 3 and Band 7 the same situation, and take the jackdaws Mikrotik persistently raises the
connection and stable at all times to the distant tower BAND 3.
Pri in this range available BAND 7 range with good and strong signal, but it can not connect to it!
All this I have tried after updating to v6.36 firmware without resetting the default settings, as well as probyval reset to default and set up again,
not a difference is only 3 BAND !!!!!

Help. Really need the Internet already 5 days I suffer!

Just rolled back to v6.35.2 firmware does not work so well BAND 7, but after reset the default settings,
and set up all over again, and you will choose in the settings BAND 7, PLMN search in progress is very rapid, rising LTE interface and everything starts to work,
Statistics should BAND 7 (20MHz) .........

Please me HELP........

ndbjorne · Fri Jul 29, 2016 12:42 pm

*) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);

Great!

Next could be...

- a way to force address-list name resolution without having to disable+enable address-list with something like
Code: Select all
```
/ip firewall refresh-fqdn
```
- a way of setting domain name TTL in firewall
Code: Select all
```
/ip firewall fqdn-ttl=600
```
without need to schedule previous
- use of fqdn name in
Code: Select all
```
/ip firewall nat to-address=www.mikrotik.com
```
which would make configurations easier to maintain.

Wouldn't this be great?

/ip {
 dns static {
  add address=192.168.0.1 name=my.server.ip
 }
 firewall {
  set fqdn-ttl=600
  address-list {
   add list=TestDomain address=example.com
   add list=TestDomain address=www.example.com
  }
  nat {
   add chain=dstnat dst-address-list=TestDomain protocol=tcp dst-port=80,443 action=dst-nat to-address=my.server.ip
  }
 }
}

Thank you

Cha0s · Fri Jul 29, 2016 12:49 pm

I also noticed that when you add a domain and it's resolved ok but afterwards the record is deleted from the dns server, routeros does not remove the resolved IP from the address list until a disable/enable or a reboot.

docmarius · Fri Jul 29, 2016 1:18 pm

routeros does not remove the resolved IP from the address list until a disable/enable or a reboot.

AFAIK it will stay there until the DNS record's TTL is reached. Actually not a bug, just a DNS server configuration change side effect.
The same will happen if your DNS data is cached in other places.
Basically it is a breach of contract by your DNS server. The initial published info states e.g. "Name X has this IP and will not change for 10 days, take my word for that, I am authoritative". Afterwards the server single sided changes its mind.
Enable/disable or rebooting is the brainwashing needed to forget the initial promise.
Networking is not like politics.

Cha0s · Fri Jul 29, 2016 1:31 pm

routeros does not remove the resolved IP from the address list until a disable/enable or a reboot.
AFAIK it will stay there until the DNS record's TTL is reached. Actually not a bug, just a DNS server configuration change side effect.
The same will happen if your DNS data is cached in other places.
Basically it is a breach of contract on behalf of your DNS server. The initial published info states e.g. "Name X has this IP and will not change for 10 days, take my word for that, I am authoritative". Afterwards the server single sided changes its mind...

I am talking about a deleted AND expired record. It never leaves the address list even after the TTL expires.
Just to clarify, I am talking about a record that was resolving ok but at sometime it got deleted from the DNS server so it now returns NXDOMAIN.
ROS does not honor NXDOMAIN reply AFTER it was already resolvable and added in the address list.

docmarius · Fri Jul 29, 2016 1:33 pm

I am talking about a deleted AND expired record. It never leaves the address list even after the TTL expires.
Just to clarify, I am talking about a record that was resolving ok but at sometime it got deleted from the DNS server so it now returns NXDOMAIN.
ROS does not honor NXDOMAIN reply AFTER it was already resolvable and added in the address list.

That was missing in the initial description. Now that's probably a little itsy bitsy bug.

Cha0s · Fri Jul 29, 2016 1:41 pm

That was missing in the initial description. Now that's probably a little itsy bitsy bug.

Yeap, seems that way.

Checking the DNS cache I confirm that ROS does try to lookup the domain and does see the change (NXDOMAIN, or 'unknown' in routeros dns cache terms) but the address list is not updated and the previously resolved IP is not removed until disable/enable or reboot.

docmarius · Fri Jul 29, 2016 2:00 pm

Checking the DNS cache I confirm that ROS does try to lookup the domain and does see the change (NXDOMAIN, or 'unknown' in routeros dns cache terms) but the address list is not updated and the previously resolved IP is not removed until disable/enable or reboot.

On the other hand, this behavior has its benefits. Let's say that for some reason, your DNS server is down. A lookup will give NXDOMAIN, which will invalidate an initial working setup.
And I think it is more likely to get a DNS server failure compared to a disappearing DNS name.

Cha0s · Fri Jul 29, 2016 2:21 pm

On the other hand, this behavior has its benefits. Let's say that for some reason, your DNS server is down. A lookup will give NXDOMAIN, which will invalidate an initial working setup.
And I think it is mode likely to get a DNS failure compared to a disappearing DNS name.

You get NXDOMAIN reply when the DNS server replies back that what you asked for is Non Existent.
You can't get a reply from a server that is down, let alone an NXDOMAIN one

If the authoritative DNS server is down, then the Caching dns server should reply with 'SERVFAIL' not NXDOMAIN.
If the caching dns server is down, obviously you don't get any reply at all.

So, NXDOMAIN should be honored if encountered after being resolved before, as it is honored if encountered when adding a domain to the address list or during a reboot.

Keeping things simple and straightforward will help everyone in the long run.

Having a clear implementation of this (ie honor the dns protocol since that is being used for this feature to work), will make things easier when troubleshooting. Knowing that it uses the TTLs and that it will remove entries appropriately you don't need to worry about custom scripts for doing that or any other 'hacks'.

In case a DNS server is actually down and ROS doesn't get a reply after a TTL is expired, then this could be something that the user has control over.
Maybe an extra option when adding domain address-lists that allows you to either keep the resolved IPs even if the DNS server is down (after being resolved the first time of course) or remove them once the DNS server stops replying. This should cover both cases where someone needs to either keep or discard those IPs from the address list.

wolfktl · Fri Jul 29, 2016 2:28 pm

After update from 6.35.4 prerouting mangle not working.
Code: Select all
/ ip firewall mangle chain=prerouting action=mark-routing new-routing-mark=second_provider src-address-list=second_conn_list
I downgrade to 6.35.6 - prerouting working.

Where to download 6.35.6 ?

docmarius · Fri Jul 29, 2016 2:36 pm

You get NXDOMAIN reply when the DNS server replies back that what you asked for is Non Existent.
You can't get a reply from a server that is down, let alone an NXDOMAIN one
If the authoritative DNS server is down, then the Caching dns server should reply with 'SERVFAIL' not NXDOMAIN.
If the caching dns server is down, obviously you don't get any reply at all.

So, NXDOMAIN should be honored if encountered after being resolved before, as it is honored if encountered when adding a domain to the address list or during a reboot.

Tnx for clarifying that.

notToNew · Fri Jul 29, 2016 5:11 pm

Where to download 6.35.6 ?

I'm pretty shure 6.35.4 was the lastes in '35 Builds. Here is a link, just change the hardware if needed.
here the link for 6.35.4
http://download2.mikrotik.com/routeros/ ... 6.35.4.zip
6.34.6 would be
http://download2.mikrotik.com/routeros/ ... 6.34.6.zip

jayakons · Fri Jul 29, 2016 7:03 pm

i need update firmware SXTG-‐5HpacD-‐SA, how firmware downlad, i sorry my english, i am novate thanks

patrick7 · Fri Jul 29, 2016 7:14 pm

/system routerboard upgrade

Do you mean this?

santong7 · Fri Jul 29, 2016 10:29 pm

Mobile Tik-App for Android began to crash immediately after login to 6.36 upgraded devices.
6.35.4 worked OK.
Many routers -- RB750UP, RB951U, RB2011, HAP lite.
Please check, confirm and fix something. Thanks in advance.
Hello, What phone are you using?
Are you able connect to demo.mt.lv and demo2.mt.lv ?
We cannot replicate your issue locally with Tik-app and 6.36 version on multiple phones.

After updating to version 6.36 router reboots endlessly
CCR1036-12G-4S
Now version 6.35rc21

Please provide more detailed info,

Send us email support@mikrotik.com

The following is from my post on Tik-App alpha Google+.
I had the same issue after upgrading to the new version of Tik-App, I cannot connect with secure mode to updated Ros routers 6.36 or older. I uninstalled the Tik-App and reinstalled on my device and still no connect. Also I tried to connect to demo2.mt.lv but still the same. The Tik-app is stuck on the moving circle downloading plugins. I do not know if my mobile device Samsung Galaxy S6, after latest android update (OTA same version update, not total version upgrade) has created this issue
For secure mode with the new 6.36 there is a workaround I discovered. I connected to demo2.mt.lv with unsecure mode then Tik-App downloaded the plugins and get connected. After disconnection from the demo, I turned on the secure mode and it connects to everywhere now with secure mode but only to routers with the same plugins of the demo2.mt.lv, older ros routers cannot be connected. Also, if you want to risk to connect without security to routers with older ros (else you can do it from the lan side), uncheck secure mode connect let it download plugins, then disconnect, check again secure mode and it works.

Maggiore81 · Sat Jul 30, 2016 1:25 am

RB3011 flaps port 6-7-8 for 3 seconds.
not resolved in 6.36

darkprocess · Sat Jul 30, 2016 2:29 am

I've no such issue with mine rb3011. May hw issue

DWE · Sat Jul 30, 2016 2:36 am

RU
Доброе время суток ребята. Помогите пожалуйста проблемы с прошивкой!
У меня MIKROTIK SXT LTE когда стояла прошивка v6.35.2 всё отлично работало,
за исключением когда начинал идти большой трафик через интерфейс LTE, он падал и всё так зависало, настроил watch dog, стал перезагружается mikrotik за сутки раз 5-15,но интерфейс поднимался и всё работало.

Обновился до прошивки v6.36(в ней как я понимаю LTE исправлено, и в момент когда начинает идти большой трафик через интерфейс LTE такой проблемы нету)
Но следующая проблема работает только BAND 3 (10MHz),а мне нужна ширина канала BAND 7(20Mhz) у нас операторы поддерживают в основном только её.
Пробовал менять настройки ставил отдельно галочку BAND 7 появляется надпись PLMN search in progress очень долго весит и через минут 10 поднимается подключение к LTE, захожу в статистику а там пишет BAND 3 (10MHZ) подключается к какой то очень дальней вышке с слабым сигналом.
Также пробовал ставить галки сразу две Band 3 и Band 7 такая же ситуация, и снимать эти галки Mikrotik упорно поднимает подключение и стабильно всё время к этой дальней вышке в диапазоне BAND 3.
При этом доступен диапазон BAND 7 с хорошим и мощным сигналом, но он не подключается к нему!
Всё это я пробовал после обновления до прошивки v6.36,не сбрасывая настройки по умолчанию, а так же пробывал сбросить настройки на по умолчанию и настраивал заново,
не какой разницы, работает только BAND 3!!!!!

Помогите ребята очень нужен интернет уже дней 5 мучаюсь!

Так же откатывался назад на прошивку v6.35.2,не работает так же BAND 7,но после того как сбросишь настройки по умолчанию,
и настроишь всё заново и выберешь в настройках BAND 7, PLMN search in progress происходит очень быстро, поднимается интерфейс LTE и всё начинает работать,
в статистике стоит BAND 7 (20MHz).........

Спасите ребята........

EN

Good time of day guys. Please help a problem with the firmware!
I MIKROTIK SXT LTE when standing firmware v6.35.2 everything works fine,
except when I started to go a lot of traffic through the LTE interface, he fell down and everything is so hangs, set up watch dog, has become restarts mikrotik 5-15 times per day, but the interface is up and it worked.

Updated to v6.36 firmware (in it as I understand LTE fixed, and at the moment when it begins to go a lot of traffic through the LTE interface is no problem)
But the next problem is only BAND 3 (10MHz), and I need the bandwidth BAND 7 (20Mhz) operators support we basically just her.
Tried to change the settings set separately BAND 7 checkmark appears PLMN search in progress inscription very long and weighs
10 minutes climbs to connect to LTE, I go into statistics and then writes BAND 3 (10MHZ) is connected to a very distant tower with a weak signal.
Also I tried to put daw just two Band 3 and Band 7 the same situation, and take the jackdaws Mikrotik persistently raises the
connection and stable at all times to the distant tower BAND 3.
Pri in this range available BAND 7 range with good and strong signal, but it can not connect to it!
All this I have tried after updating to v6.36 firmware without resetting the default settings, as well as probyval reset to default and set up again,
not a difference is only 3 BAND !!!!!

Help. Really need the Internet already 5 days I suffer!

Just rolled back to v6.35.2 firmware does not work so well BAND 7, but after reset the default settings,
and set up all over again, and you will choose in the settings BAND 7, PLMN search in progress is very rapid, rising LTE interface and everything starts to work,
Statistics should BAND 7 (20MHz) .........

Please me HELP........

Прошивка обновилась до 6.37rc10,проблема так же осталась. Исправьте пожалуйста....

Не работает BAND 7(20MHZ)

Firmware updated to 6.37rc10, the problem remains the same . Please correct....

It does not work BAND 7 (20MHZ)

popowsergei · Sat Jul 30, 2016 10:43 am

igmp proxy is not running on x86. the packet counter is not moving at all.

Balmungmp5 · Sun Jul 31, 2016 3:10 am

Thank you for the multicast fix. This was causing nightmares for me since my ISP's switch doesn't do IGMP snooping and is bombarding my WAN interfaces with multicast traffic.

MTusewk · Sun Jul 31, 2016 12:02 pm

I have also experienced random disconnections of WinBox after upgrading to this release.

Cha0s · Sun Jul 31, 2016 4:22 pm

Today I upgraded dozens of Mikrotik installations ranging from versions 6.9 to 6.35.4

All went well without any problems.

List of Device Models I upgraded:
RB2011UAS
RB2011UiAS
RB3011UiAS
RB850Gx2
RB1200
RB433AH
RB750G
RB951G
RB951-2n
mAP-Lite (mAP L-2nD)
hAP-Lite (941-2nD)
SEXTANTG (911G-5HPnD)
Groove A-52HPn
SXT-5HPnD
x86

Great job Mikrotik! Thanks

Fraction · Sun Jul 31, 2016 5:07 pm

Watchdog has rebooted my RB2011UAS twice during last week:
..
Jul/26/2016 13:36:19 system,error,critical router was rebooted without proper shutdown by watchdog timer
..
Jul/30/2016 11:26:31 system,error,critical router was rebooted without proper shutdown by watchdog timer
..

-No watch addresses defined.
-"Automatic Supout"-option is checked, but no supout files showed up in Files.
-"Auto Send" is checked and correct SMTP settings defined, but mail never came.

It may be related to version upgrade (which I did Jul/22/2016 if remember correctly) or then something else, but I can't remember this behavior happening ever before.

Abdock · Sun Jul 31, 2016 9:48 pm

traffic engineering mpls, does not work well, 34.4 was working well, with this one it stops at some point till the routers are rebooted.

mramos · Mon Aug 01, 2016 3:34 am

Hi ...

On 3011 POE on port 10 works but no readings of voltage, current, power both in winbox or terminal;

regards

DWE · Tue Aug 02, 2016 2:23 am

RU
Доброе время суток ребята. Помогите пожалуйста проблемы с прошивкой!
У меня MIKROTIK SXT LTE когда стояла прошивка v6.35.2 всё отлично работало,
за исключением когда начинал идти большой трафик через интерфейс LTE, он падал и всё так зависало, настроил watch dog, стал перезагружается mikrotik за сутки раз 5-15,но интерфейс поднимался и всё работало.

Обновился до прошивки v6.36(в ней как я понимаю LTE исправлено, и в момент когда начинает идти большой трафик через интерфейс LTE такой проблемы нету)
Но следующая проблема работает только BAND 3 (10MHz),а мне нужна ширина канала BAND 7(20Mhz) у нас операторы поддерживают в основном только её.
Пробовал менять настройки ставил отдельно галочку BAND 7 появляется надпись PLMN search in progress очень долго весит и через минут 10 поднимается подключение к LTE, захожу в статистику а там пишет BAND 3 (10MHZ) подключается к какой то очень дальней вышке с слабым сигналом.
Также пробовал ставить галки сразу две Band 3 и Band 7 такая же ситуация, и снимать эти галки Mikrotik упорно поднимает подключение и стабильно всё время к этой дальней вышке в диапазоне BAND 3.
При этом доступен диапазон BAND 7 с хорошим и мощным сигналом, но он не подключается к нему!
Всё это я пробовал после обновления до прошивки v6.36,не сбрасывая настройки по умолчанию, а так же пробывал сбросить настройки на по умолчанию и настраивал заново,
не какой разницы, работает только BAND 3!!!!!

Помогите ребята очень нужен интернет уже дней 5 мучаюсь!

Так же откатывался назад на прошивку v6.35.2,не работает так же BAND 7,но после того как сбросишь настройки по умолчанию,
и настроишь всё заново и выберешь в настройках BAND 7, PLMN search in progress происходит очень быстро, поднимается интерфейс LTE и всё начинает работать,
в статистике стоит BAND 7 (20MHz).........

Спасите ребята........

EN

Good time of day guys. Please help a problem with the firmware!
I MIKROTIK SXT LTE when standing firmware v6.35.2 everything works fine,
except when I started to go a lot of traffic through the LTE interface, he fell down and everything is so hangs, set up watch dog, has become restarts mikrotik 5-15 times per day, but the interface is up and it worked.

Updated to v6.36 firmware (in it as I understand LTE fixed, and at the moment when it begins to go a lot of traffic through the LTE interface is no problem)
But the next problem is only BAND 3 (10MHz), and I need the bandwidth BAND 7 (20Mhz) operators support we basically just her.
Tried to change the settings set separately BAND 7 checkmark appears PLMN search in progress inscription very long and weighs
10 minutes climbs to connect to LTE, I go into statistics and then writes BAND 3 (10MHZ) is connected to a very distant tower with a weak signal.
Also I tried to put daw just two Band 3 and Band 7 the same situation, and take the jackdaws Mikrotik persistently raises the
connection and stable at all times to the distant tower BAND 3.
Pri in this range available BAND 7 range with good and strong signal, but it can not connect to it!
All this I have tried after updating to v6.36 firmware without resetting the default settings, as well as probyval reset to default and set up again,
not a difference is only 3 BAND !!!!!

Help. Really need the Internet already 5 days I suffer!

Just rolled back to v6.35.2 firmware does not work so well BAND 7, but after reset the default settings,
and set up all over again, and you will choose in the settings BAND 7, PLMN search in progress is very rapid, rising LTE interface and everything starts to work,
Statistics should BAND 7 (20MHz) .........

Please me HELP........
Прошивка обновилась до 6.37rc10,проблема так же осталась. Исправьте пожалуйста.... Не работает BAND 7(20MHZ)

Firmware updated to 6.37rc10, the problem remains the same . Please correct.... It does not work BAND 7 (20MHZ)

Обновился на прошивку 6.37rc11,тоже самое не работает BAND7 (20MHZ),настройки сбрасывал и настроил роутер заново!

( Changes since 6.37rc11:
*) lte - fixed band setting for sxt lte???????????????????????????????????????????;)

Updated to firmware 6.37rc11, the same does not work BAND7 (20MHZ), settings are reset and re-configure the router!
HELPPPPP HELLPPPPPPPPP, please.....

mramos · Tue Aug 02, 2016 5:12 pm

Hi ...

From time to time ETH1 (auto neg on) which is connected to a RB1100 (1Gb auto neg off) exhibit this behavior:

Nothing on log, neither on disconnection counter.The only fields that switch up and down are TX/RX Rate & TX/RX Packet Rate. FP TX/RX keep stable and this issue is not observed at the 1100 side (ROS 5.26). First time I rebooted 3011 to stop it. Second time stopped by itself (like the pix shows).

EDITED: The same behavior was observed using WebFig. And - a couple of hours ago - I realized that that this occur at other used ports as well, not all at the same time, e.g. PUBLIC is at Switch 1 and Locals (3 ports used) at the Switch 2. No packet losses on ping.

EDITED 2: other tests => while this drops on measured TX/RX was occurring I started a speed test from another MT device to one of the affected ports (udp and tcp) and NO drops was observed at the test graphic. Still the same behavior: TX/RX drops at WinBox / old Dude graphics and NO drops at FP counters.

BTW this was observed few days ago while I run version 6.37rcX for some hours before "downgrade" to 6.36 for production purposes.

Chupaka · Tue Aug 02, 2016 5:52 pm

what version of WinBox? have you checked another version?

mramos · Tue Aug 02, 2016 5:56 pm

Hi ...

Tried both eg the built in on 5.26 and the 3.4 downloaded from mt.

kristaps · Tue Aug 02, 2016 6:16 pm

Updated to firmware 6.37rc11, the same does not work BAND7 (20MHZ), settings are reset and re-configure the router!
HELPPP HELLP, please.....

Please send supout.rif to support@mikrotik.com

Ansy · Wed Aug 03, 2016 9:44 am

Mobile Tik-App for Android began to crash immediately after login to 6.36 upgraded devices.
6.35.4 worked OK.
Many routers -- RB750UP, RB951U, RB2011, HAP lite.
Please check, confirm and fix something. Thanks in advance.
Hello, What phone are you using?
Are you able connect to demo.mt.lv and demo2.mt.lv ?
We cannot replicate your issue locally with Tik-app and 6.36 version on multiple phones.

After updating to version 6.36 router reboots endlessly
CCR1036-12G-4S
Now version 6.35rc21

Please provide more detailed info,

Send us email support@mikrotik.com
The following is from my post on Tik-App alpha Google+.
I had the same issue after upgrading to the new version of Tik-App, I cannot connect with secure mode to updated Ros routers 6.36 or older. I uninstalled the Tik-App and reinstalled on my device and still no connect. Also I tried to connect to demo2.mt.lv but still the same. The Tik-app is stuck on the moving circle downloading plugins. I do not know if my mobile device Samsung Galaxy S6, after latest android update (OTA same version update, not total version upgrade) has created this issue
For secure mode with the new 6.36 there is a workaround I discovered. I connected to demo2.mt.lv with unsecure mode then Tik-App downloaded the plugins and get connected. After disconnection from the demo, I turned on the secure mode and it connects to everywhere now with secure mode but only to routers with the same plugins of the demo2.mt.lv, older ros routers cannot be connected. Also, if you want to risk to connect without security to routers with older ros (else you can do it from the lan side), uncheck secure mode connect let it download plugins, then disconnect, check again secure mode and it works.

Yesterday update for Tik-App has fixed the issue!
I can manage all my 6.36 devices again.
Thanx MT!

mramos · Wed Aug 03, 2016 2:37 pm

Hi there ...

I had disabled Fast Path at IP settings ... why FP counters still showing almost the same traffic as TX/RX ?? Is this a 6.36 issue?

Regards;

Wed Aug 03, 2016 3:37 pm

Hi there ...

I had disabled Fast Path at IP settings ... why FP counters still showing almost the same traffic as TX/RX ?? Is this a 6.36 issue?

Regards;

Ip settings only disables routing fastpath, there are still bridging fastpath and interface fastpath.
If i'm not mistaken, in interface driver supports fastpath all RX traffic will be in fastpath counters.

mramos · Wed Aug 03, 2016 3:59 pm

Hi there ...

I had disabled Fast Path at IP settings ... why FP counters still showing almost the same traffic as TX/RX ?? Is this a 6.36 issue?

Regards;
Ip settings only disables routing fastpath, there are still bridging fastpath and interface fastpath.
If i'm not mistaken, in interface driver supports fastpath all RX traffic will be in fastpath counters.

Ok, I had disabled at IP Settings and Bridge Settings as well (not care abt bridging I had one loopback to OSPF only). And at firewall conntrak=yes (I read somewhere that fasttrack look at some fw rules and other settings to se if its the case to be on or off so I set it to always on.

Anyway if those FP counter "issue" it's not an issue I'll revert back all this settings from manual/off to auto. Simple queues are working ok and there is some fw rules that tells FP not to play with

Still TX / RX counter glitches btw. And few moments ago all ports of switch 2 flipped

Regards

колбаскин · Wed Aug 03, 2016 4:20 pm

Как на счёт снижения скорости в l2tp + ipsec?
Уже много постов на эту тему, а вы не чините.
Человек писал вам на почту и на форуме тема, будет решение или нет?
http://forum.mikrotik.com/viewtopic.php ... ad#p550101

Wed Aug 03, 2016 4:23 pm

Как на счёт снижения скорости в l2tp + ipsec?
Уже много постов на эту тему, а вы не чините.
Человек писал вам на почту и на форуме тема, будет решение или нет?
http://forum.mikrotik.com/viewtopic.php ... ad#p550101

What is your ticket number? I don't think we have a report in support emails.

колбаскин · Wed Aug 03, 2016 4:39 pm

What is your ticket number? I don't think we have a report in support emails.

Не думаю что это поможет, но держите 2016073166000213
Обратите внимание на ссылку форума что я дал выше.
Там тесты скорости при идентичных настройках на разных прошивках.
Такое не только у этого человека.

easyspot · Wed Aug 03, 2016 5:53 pm

Adding port to bridge disconnect winbox with mac login. Not happened in ROS 6.32.4 n below.
Example: after reset configuration with no-default, connect winbox using mac address at ether1, open terminal, paste:
interface bridge add name=bridge1
interface bridge port add bridge=bridge1 interface=ether1
interface bridge port add bridge=bridge1 interface=ether2
interface bridge port add bridge=bridge1 interface=ether3
interface bridge port add bridge=bridge1 interface=ether4
interface bridge port add bridge=bridge1 interface=ether5
interface bridge port add bridge=bridge1 interface=wlan1

At line: interface bridge port add bridge=bridge1 interface=ether1 ==> winbox suddenly disconnected.
Need reconnect to continue script.
Only happened in 6.33.5 and above
6.33.3, 6.32.4, and below are good.
Hardware affected: crs125-24g-1s-2hnd-in, rb2011uias-2hnd-in, rb951g-2hnd, rb951ui-2hnd, rb941-2n, rb952ui-5ac2nd, rbsxt-2ndr2, rbgroovea-52hpn, rbmetal2shpn, rb450g
Please fix it. It's really freakin annoying to have winbox disconnected.
You guys might said: please use master switch instead of bridge.
I am using bridge firewall to limit/block every single port so no master switch for me..

Wed Aug 03, 2016 8:27 pm

Next could be...
- a way to force address-list name resolution without having to disable+enable address-list with something like

This doesn't make sense for most cases. If the server that the Mikrotik is using for DNS resolution is not authoritative for the FQDN in question, then the FQDN will stay cached until TTL expires anyway. If you flush your address list before that time, then you're just going to get the same cached answer from the Mikrotik's DNS server.

If the Mikrotik's DNS host happens to be authoritative for the FQDN in question, THEN you could have the case where the Mikrotik might be wrong for up to TTL seconds.
Have you tried just disabling / enabling that one entry in the address list?

alexjhart · Thu Aug 04, 2016 1:23 am

Any one seeing issues with Winbox disconnecting after a few minutes?
I've been running Winbox 3.4 under Wine on linux without issue. I upgraded one router to 6.36 and now it just randomly disconnects after a few minutes.
I've tried from a workstation and laptop both of which have no issues with winbox prior to the upgrade.
Exactly the same issue here
Very randomly disconnections only on router upgraded to 6.36
@mikrotikTeam any idea ? Bugfix under dev ?

I'm seeing this too on Windows 10. Doesn't seem to affect CCR running 6.34.2, but affects same model on 6.36 when using Winbox 3.4. I have observed this on two different computers with both CCR and 951. I added debug logging, but didn't get anything. However, standard logging says user logged out from winbox. I also noticed that wireshark shows normal back and forth including tcp keepalives, then suddenly the router sends computer fin-ack when winbox returns to login saying the router has been disconnected. This is with ethernet connection to the router and other winbox beyond this router stay up and running (all suggesting it isn't a network problem). So pretty sure this is something to do with the 6.36 release.

derr12 · Fri Aug 05, 2016 8:51 pm

Just a heads up guys. Paypal payments via usermanager are broken in 6.36 on x86. IPN responses time out on 6.36.
Also, you cant downgrade from 6.36 in the traditional method. you have to select and older version (via bugfix) in winbox.
It never attempts to install packages during bootup.

big0bum · Fri Aug 05, 2016 10:32 pm

Hello,

I have a problem with version 6.36.
I upgraded today to it from the latest version (6.35.4) and I can't see my Android phone via USB tethering anymore. It was showing up as LTE and worked with no problem.
The phone shows up in System>Resources>USB, but there is no interface to add/configure in LTE.
How can I debug?

Should I downgrade? How can I downgrade safely?

MartijnVdS · Fri Aug 05, 2016 11:23 pm

Hello,

I have a problem with version 6.36.
I upgraded today to it from the latest version (6.35.4) and I can't see my Android phone via USB tethering anymore. It was showing up as LTE and worked with no problem.
The phone shows up in System>Resources>USB, but there is no interface to add/configure in LTE.
How can I debug?

Should I downgrade? How can I downgrade safely?

Some versions of Android "reset" the USB setting from time to time. Make sure USB tethering is still enabled.

timoid · Sat Aug 06, 2016 5:19 am

CHR - btest tcp will only send at 88-96bytes/second. UDP appears fine. Full P10 license installed and activated.

big0bum · Sat Aug 06, 2016 5:14 pm

Some versions of Android "reset" the USB setting from time to time. Make sure USB tethering is still enabled.

Hello,
It's not "reset". I downgraded to 6.35.4 and it works fine. This happened after 6.36 upgrade.

Any ideas? I tested again (donwgrade/upgrade) and it's the same. The LTE connnection dissaprears.

UsernameMT · Mon Aug 08, 2016 4:18 pm

http://forum.mikrotik.com/viewtopic.php ... 01#p548501
http://forum.mikrotik.com/viewtopic.php ... 57#p549357

AlexDi · Mon Aug 08, 2016 8:32 pm

новые прошивки сильно режут скорость, у меня все что выше 6.32.2 режет скорость, пример ниже

6.32.2

6.36

kristaps · Wed Aug 10, 2016 5:54 pm

Hello @AlexDi
What router are you using ?
Upgrade to 6.36 then,
please export your config to rsc file.
http://wiki.mikrotik.com/wiki/Manual:Co ... figuration
Save that file.
Reset to no configuration and import your rsc file and re-test. Speeds should improve. Because we have made lot of changes between 6.36 and 6.32.2

patrick7 · Wed Aug 10, 2016 7:57 pm

Could you please write in english? Not everyone is russian.

AlexDi · Thu Aug 11, 2016 12:47 am

@kristaps
my router rb951g-2hnd
6.36 not good works

UsernameMT · Thu Aug 11, 2016 6:50 am

...

ради чистоты эксперимента, сделай резет для конфига
http://wiki.mikrotik.com/wiki/Manual:Co ... tion_Reset
и произведи сам основные настройки ручками (NAT, DHCP etc...)
сам я никогда не использовал дефолтную настройку девайса, сказать, что они там крутят - не могу

пиши по английски, иначе ответа от форумчан не сможешь получить

.
Edited by moderator.
It is the last warning.
Please DO use English not Russian. I am sure that many of us could read and answer in Russian but we use English here.
P.S.
I do not need translator to understand your posts so I know what you are writing and how "funny" you are.

AlexDi · Thu Aug 11, 2016 12:07 pm

@UsernameMT
after reset and manual tuning was better, but still 6.32.2 works faster on 50-70 mbps

kristaps · Thu Aug 11, 2016 1:03 pm

@AlexDi Plese send two supout.rif from both version to support@mikrotik.com

UsernameMT · Thu Aug 11, 2016 1:04 pm

@UsernameMT
after reset and manual tuning was better, but still 6.32.2 works faster on 50-70 mbps

show the result of this (enter in Terminal):

system routerboard settings print

on 6.32.2
and on 6.36

Best regards.

AlexDi · Thu Aug 11, 2016 1:21 pm

@UsernameMT
6.32.2

[admin@MikroTik] > system routerboard settings print
          boot-device: nand-if-fail-then-ethernet
        cpu-frequency: 600MHz
        boot-protocol: bootp
  force-backup-booter: no
          silent-boot: no

6.36

[admin@MikroTik] > system routerboard settings print
           init-delay: 0s
          boot-device: nand-if-fail-then-ethernet
        cpu-frequency: 600MHz
        boot-protocol: bootp
  force-backup-booter: no
          silent-boot: no

UsernameMT · Thu Aug 11, 2016 1:27 pm

...

then
http://forum.mikrotik.com/viewtopic.php ... 50#p551988

PS: http://wiki.mikrotik.com/wiki/Manual:Su ... utput_File

steen · Fri Aug 12, 2016 9:25 am

Hello Folks!

After upgrading to RoS v6.36 from RoS v6.35.x and v6.35 we experience kernel crash and device reboots.
Affected devices are RB433, RB411, RB711G-5HnD, RB SXT-5D, CRS125-24G-1S, RB333, CCR1016-12G, CCR1009-8G1S+, RB2011, RB750.

Kernel crash has been observed one time or two times so far on the affected devices.

Mikrotik recommended us to reinstall using net install which was possible on only RB333 devices since all others are located in such way it is impossible to perform without visiting many locations. The net install seemed not to work, the device rebooted two days after anyway.

SiB · Fri Aug 12, 2016 10:14 pm

I receive e-mail with critical logs, login into terminal and see:

(24 messages not shown)
aug/12/2016 12:05:33 system,error,critical Out of memory condition was detected
aug/12/2016 12:05:33 system,error,critical router was rebooted without proper shutdown
aug/12/2016 12:15:42 system,error,critical System rebooted because of kernel failure
/12/2016 12:15:42 system,error,critical Out of memory condition was detected
ug/12/2016 12:15:42 system,error,critical router was rebooted without proper shu
aug/12/2016 12:21:29 system,error,critical Out of memory condition was detected
aug/12/2016 12:21:29 system,error,critical router was rebooted without proper shutdown

and many error about sending e-mail's.
system,e-mail,error Error sending e-mail <system,e-mail,error r sending e-mail <system,e-mail,error Erro>: something is missing>: something is missing
system,e-mail,error failed>: DNS resolve failed>: DNS resolve >: something is missing
...

v6.36 is not stable to upgrade my networks!. Still will be at v6.32.2 as the best from v6.
The worst ever was 6.5-6.18 if you use ipsec/l2tp tunels.

Yes, I send auto-support.info to support@mikrotik.com and I am sure that I receive std msg "...netinstall...current version..." .

kapulan · Sat Aug 13, 2016 11:41 am

Hi Guys !

The pppoe fastpatch Tx side not working with RB1100AHx2. Routeros6.36. But the Rx side working perfect !
I attach the image the problem.

Regards
Christian

lotnybartek · Sat Aug 13, 2016 6:10 pm

RB2011 on 6.36 wifi clients gets randomly disconnected - all of them with log: mac address@wlan1 or wlan2 or wlan3: disconnected, received deauth: unspecified (1). After couple of seconds they get connected to the AP again. Nothing like this happened in previous versions.

Sat Aug 13, 2016 7:00 pm

I am observing significantly higher cpu utilisation by management process in higher throughput in 2011. It won't pass more than about 60mbits while the vast of majority is fasttracked. 50 percent or more of management utilisation was not common in previous versions. Reported to support.

Byhalia14 · Sun Aug 14, 2016 1:35 am

I am running RB850GX2 and RB1100AHX2 routers. I updated all routers from
ppc OS 6.35.4 to the current OS 6.36. I have one of each router types
noted above on different service areas having an interface port drop all
routes through that interface and stay down for 15-20 minutes before
coming back online on its own.

(I am using example IP's below!)

Logging reported:

Removed Route
state=ACTIVE
dst-prefix=10.10.10.0/24
attributes
protocol=OSPF
scope 20

Added candidate route
dst-prefix=10.10.10.0/24
attributes
protocol=OSPF
scope=20

This is example, but it drops all routes tied to that interface. All
other routers to date are working normal on 6.36, but these other 2
routers would drop the interface routes randomly every 1-2 days. I
downgraded these 2 routers back to 6.35.4 and the issue on these routers
disappeared...so far!

Any ideas why?

estdata · Sun Aug 14, 2016 4:21 pm

Whether someone is using or has used the IGMP Proxy (multicast)?
Which version is the best, can someone says that, so do not lag

MoDest · Mon Aug 15, 2016 12:29 pm

When can we expect an update 6.36.1? I don't want update to unstable 6.37rc, but I need bugfixes from there.

UsernameMT · Mon Aug 15, 2016 1:31 pm

When can we expect an update 6.36.1? I don't want update to unstable 6.37rc, but I need bugfixes from there.

+1

PS: i'm waiting working firmware is already more than a month

chimetex2002 · Mon Aug 15, 2016 2:11 pm

Hello there,

I upgraded to v6.36 yesterday on my RB 1100Ahx2 but then I started experiencing issues immediately:

• The WAN link suddenly became terribly slow and there was activity recorded under the Tx and Rx sections on the link but not more than 10 users were logged in via the hotspot(please see attached).
• I also tried to generate the supout file(for version 6.36) yesterday for review by your team but it was simply stuck at 5% for over 30 mins on three different tries. I had no option but to downgrade to v6.32.1 and this downgrade restored everything back to normal anyway.

The supout file(for version 6.32.1) was generated this morning. Please advice what I can do about this as I plan to upgrade to the latest version due to new features like adding URL to address list.

I look to your helpful reply.

Chimetex

eworm · Mon Aug 15, 2016 10:37 pm

When can we expect an update 6.36.1? I don't want update to unstable 6.37rc, but I need bugfixes from there.

Wondering the same... The demo systems (http://demo.mt.lv and http://demo2.mt.lv) are running with 6.36.1 since last week already.

narapon · Wed Aug 17, 2016 10:32 am

Having issues with this build too, mangle New Routing Mark rules does not work with TCP packets

Downgraded back to 6.35.4 for now

eworm · Wed Aug 17, 2016 11:02 pm

Having issues with this build too, mangle New Routing Mark rules does not work with TCP packets

Downgraded back to 6.35.4 for now

Possibly an issue with fastpath?

saaremaa · Thu Aug 18, 2016 4:30 pm

After removal of the MPLS TE tunnel with RSVP Messages RSVP anyway transmitted between routers. MPLS TE reserves rate for the tunnel that we have already removed. These messages can be found in the dump traffic.

saaremaa · Thu Aug 18, 2016 4:49 pm

mpls-6.36-ppc.npk

After removal of the MPLS TE tunnel with RSVP Messages RSVP anyway transmitted between routers. MPLS TE reserves rate for the tunnel that we have already removed. These messages can be found in the dump traffic.

genesispro · Thu Aug 18, 2016 5:30 pm

I had about 5 devices most of them 2011UiAS-2HnD and one CRS125-24G-1S out of 300 devices that I monitor that where malfunctioning on upgrade to 6.36.
Not all menus would show data and even terminal wouldn't work.
All I managed to do was to paste a file to the files and do a downgrade. I used 6.35.4 that I had and luckily it worked fine in all except 1 device that is on a boot loop and I cannot flash it not even with netinstall

Thu Aug 18, 2016 5:33 pm

I had about 5 devices most of them 2011UiAS-2HnD and one CRS125-24G-1S out of 300 devices that I monitor that where malfunctioning on upgrade to 6.36.
Not all menus would show data and even terminal wouldn't work.
All I managed to do was to paste a file to the files and do a downgrade. I used 6.35.4 that I had and luckily it worked fine in all except 1 device that is on a boot loop and I cannot flash it not even with netinstall

are you using latest winbox 3.x ?? do you have any supout.rif files from 6.36 from problematic boards? send it to support@mikrotik.com. Also check 6.37rc changelog maybe there are something fixed that might be in your config.

nastitek · Fri Aug 19, 2016 3:01 pm

Hi,

Using HAP AC Lite with 6.36
- unable to access device via winbox after device is working for some time. need to reset via telnet to reboot and connect with winbox 3.4
- noted that cpu utilization is always at 100%

Did not able to experience this issues with v6.32

Anyone have an idea where this problem comes from?

Thank you.

Fri Aug 19, 2016 3:07 pm

Hi,

Using HAP AC Lite with 6.36
- unable to access device via winbox after device is working for some time. need to reset via telnet to reboot and connect with winbox 3.4
- noted that cpu utilization is always at 100%

Did not able to experience this issues with v6.32

Anyone have an idea where this problem comes from?

Thank you.

After you access with telnet, run command "/tool profile" to see what eats CPU

narapon · Fri Aug 19, 2016 3:56 pm

Having issues with this build too, mangle New Routing Mark rules does not work with TCP packets

Downgraded back to 6.35.4 for now
Possibly an issue with fastpath?

Using fasttrack on 6.35.4 with no issues though, same config breaks mangle on WAN 2

nastitek · Sat Aug 20, 2016 6:08 am

Hi,

Using HAP AC Lite with 6.36
- unable to access device via winbox after device is working for some time. need to reset via telnet to reboot and connect with winbox 3.4
- noted that cpu utilization is always at 100%

Did not able to experience this issues with v6.32

Anyone have an idea where this problem comes from?

Thank you.
After you access with telnet, run command "/tool profile" to see what eats CPU

============ Pls. see image result from the profile service==================
https://drive.google.com/open?id=0B2eq6 ... m9wUlZ2MlU

Many thanks.

moep · Sun Aug 21, 2016 2:08 pm

Seems that mark routing is failing since 6.36 and only traffic from main wan is working.
If you disable fasttrack rule all works fine.
Same configuration works fine with 6.35.x

I am having a similar problem with 6.36 on CCR.
Previous Version was 6.35.2.

I had a fasttrack rule for WAN1 (PPPoE-Client, 50Mbps) and another rule for WAN2 (DHCP, 200Mbps) in place, everything worked fine.
With 6.36 the traffic from WAN2 is not getting through (seems to be one sided, as is see traffic going out in torch), traffic from WAN1 works normally.
When I disable Fasttrack for WAN2 everything seems to work finde again.
As is want to keep CPU utilisation as low as possible, fasttrack would be great to function (again).

Best Regards

---update---
6.36 also break IPSec von WAN1 until I also disable Fasttrack for WAN1
---/update---

PetrolHead · Mon Aug 22, 2016 8:43 am

Hello,

I would like to report an issue in 6.36 (also tried 6.37rc19) version. It's regarding using ZTE modems in RNDIS mode.
The issue: LTE1 is not displayed in Interfaces.
Modems: ZTE 823D, ZTE825(830FT)
RouterBoard tried: 751Ui, 951Ui (not hAP), RB2011UAS.

Under 6.35.2 everything works perfectly on all the above devices. ZTE is shown in USB devices, LTE is available in Interfaces.
However, under 6.36 ZTE is shown in USB devices, but no LTE1 is shown in Interfaces in all 3 routers.

I'm ready to perform any tests you could request, just please be so kind to help to troubleshoot and fix the issue since 823/825 is a very popular model in Russia and I'm pretty sure many people have been suffering from this issue already.

Thanks in advance.

//Addition

Under 6.35.4 951Ui router doesn't show LTE1 either.
Guys, this issue is critical, I bought a new 951Ui (not hAP) with 6.35.4 and cannot downgrade because of hw limitation (the RB says not possible to downgrade). As a result I cannot even use 825 modem, because I cannot downgrade the RB.
Please help to fix the issue in the latest RC.

//Addition 1

Checked again, 6.35.4 works okay with both ZTE 823d and 825. As soon as I upgrade to 6.36, LTE is gone.

genesispro · Mon Aug 22, 2016 10:01 am

I had about 5 devices most of them 2011UiAS-2HnD and one CRS125-24G-1S out of 300 devices that I monitor that where malfunctioning on upgrade to 6.36.
Not all menus would show data and even terminal wouldn't work.
All I managed to do was to paste a file to the files and do a downgrade. I used 6.35.4 that I had and luckily it worked fine in all except 1 device that is on a boot loop and I cannot flash it not even with netinstall
are you using latest winbox 3.x ?? do you have any supout.rif files from 6.36 from problematic boards? send it to support@mikrotik.com. Also check 6.37rc changelog maybe there are something fixed that might be in your config.

Yes I am using latest winbox... and I just had it on Friday again with a 2011UiAS-2HnD. I could connect on winbox but many menus didn't have any data. I could upload a file to downgrade or upgrade to a Realese Candidate but on reboot no down/upgrade was made and the file was not in place any more. I could reset to defaults also from the LCD... it would reset(it went to .88.1) but still same problem. When I was trying to send any command on cli I would get error prompting me to supout which I tried but as far as I remember it failed. I did a check installation and at about 80% it would fail saying a package was broken with a linux path (I didn't get a screenshot of the broken file). I managed to flash it to 6.35.4 and it would respond but after some settings it would respond slowly. Then I upgraded to the latest RC 6.37rc20 and since Friday it looks like it is working. Any ideas? I am close to 10 devices that this has happened after upgrading to 6.36

Hotz1 · Tue Aug 23, 2016 7:49 am

Not sure if this has been reported. Suppose you are running an older version of ROS with wireless-fp enabled, and you want to upgrade to 6.36. You might think it would be efficient to disable the wireless-fp package, enable the wireless-cm2 package, upload the new ROS image, and reboot once to make the transition. DON'T DO IT!

If you try switch to -cm2 and upgrade ROS in the same reboot, when the device comes back up it will have lost all wireless configuration! You MUST reboot after changing wireless packages, then reboot a second time after uploading ROS, to preserve wireless settings.

This happened to me on an RB435G and several RB912UAG-2HnD.

Tue Aug 23, 2016 8:24 am

Seems that mark routing is failing since 6.36 and only traffic from main wan is working.
If you disable fasttrack rule all works fine.
Same configuration works fine with 6.35.x
I am having a similar problem with 6.36 on CCR.
Previous Version was 6.35.2.

I had a fasttrack rule for WAN1 (PPPoE-Client, 50Mbps) and another rule for WAN2 (DHCP, 200Mbps) in place, everything worked fine.
With 6.36 the traffic from WAN2 is not getting through (seems to be one sided, as is see traffic going out in torch), traffic from WAN1 works normally.
When I disable Fasttrack for WAN2 everything seems to work finde again.
As is want to keep CPU utilisation as low as possible, fasttrack would be great to function (again).

Best Regards

---update---
6.36 also break IPSec von WAN1 until I also disable Fasttrack for WAN1
---/update---

Isn't ipsec mentioned in fasttrack documentation as bypassed when fasttrack is on?

genesispro · Tue Aug 23, 2016 1:14 pm

Not sure if this has been reported. Suppose you are running an older version of ROS with wireless-fp enabled, and you want to upgrade to 6.36. You might think it would be efficient to disable the wireless-fp package, enable the wireless-cm2 package, upload the new ROS image, and reboot once to make the transition. DON'T DO IT!

If you try switch to -cm2 and upgrade ROS in the same reboot, when the device comes back up it will have lost all wireless configuration! You MUST reboot after changing wireless packages, then reboot a second time after uploading ROS, to preserve wireless settings.

This happened to me on an RB435G and several RB912UAG-2HnD.

All of my routers where on cm2 package already for months

easyspot · Tue Aug 23, 2016 7:43 pm

Demo is already 6.36.2 while in downloads still 6.36.

jrpaz · Wed Aug 24, 2016 12:56 am

I just ran into an issue with an RB2011 running 6.36 where it lost power, and the PPPoE client would not load the default route upon reboot. I would have to manually select the add default route off and then on to restore the route. The PPPoE server is a CCR1036 running 6.36 also.

Thanks

Wed Aug 24, 2016 1:36 pm

Version 6.36.2 has been released:
http://forum.mikrotik.com/viewtopic.php?f=21&t=111450