v6.38rc [release candidate] is released

Fri Sep 30, 2016 11:19 am

What's new in 6.38rc7 (2016-Sep-30 07:33):

!) ssl - fixed peer address/dns verification from certificate (affects sstp, fetch, capsman);
!) switch - added hardware stp functionality for CRS devices (http://wiki.mikrotik.com/wiki/Manual:CR ... e_Protocol);
!) winbox - now Winbox 3.6 is the minimum version that can connect to RouterOS;
*) arp - added local-proxy-arp feature;
*) capsman - added possibility to change arp, mtu, l2mtu values in datapath configuration (CLI only);
*) console - fixed typo in web-proxy (passthru to passhtrough);
*) discovery - added LLDP support;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) export - do not show mac-address in export when it is not necessary;
*) firewall - added creation-time to address list entries;
*) firewall - fixed dynamic dummy firewall rules appearance in raw tables;
*) hotspot - fixed nat rule dst-port by making it visible again;
*) interface - do not treat multiple zeros as single zero on name comparison;
*) interface - show link stats in "/interface print stats-detail" output;
*) ipsec - allow to specify explicit split dns address;
*) ipsec - changed logging topic from error to debug when empty pfkey messages are received;
*) led - fixed default led settings for wAP2nDr2;
*) lte - fixed init delay after power reset;
*) mobile - added support for more Vodafone K4201-Z and ZTE MF90 modems;
*) package - fixed wireless package status after upgrade to 6.37;
*) rb850Gx2 - fixed pcb temperature monitor if temperature was above 60C;
*) snmp - do not allow to execute script if user does not have write permission;
*) tile - do not reboot device after watchdog disable/enable;
*) usb - fixed kernel failure when Nexus 6P device is removed;
*) userman - always re-fetch table data when switching between different menus;
*) userman - fixed timezone adjustment in reports;
*) users - added TikApp policy;
*) winbox - added loop-protect settings;
*) winbox - added passthrough state to web-proxy;
*) winbox - allow to unset http-proxy field on sstp client;
*) winbox - do not show health menu on RB951-2n;
*) winbox - do not show hotspot user profile incoming and outgoing filters and marks as set if there is no value specified;
*) winbox - fixed typo in dhcpv6 relay (DCHP to DHCP);
*) winbox - show address expiration time in dhcp client list;
*) winbox - show primary and secondary ntp addresses as 0.0.0.0 if none are set;
*) wireless - added api command to report country-list (/interface/wireless/info/country-list);
*) wireless - fixed rare kernel failure when connecting to nv2 access point with legacy rate select;
*) wireless - show DFS flag in country-info command output;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Fri Sep 30, 2016 11:23 am

OMG .... *) discovery - added LLDP support;

It's time for the party

pe1chl · Fri Sep 30, 2016 12:23 pm

It is not yet available via the "check for updates" button when selecting release candidate.
Will try again later.

patrick7 · Fri Sep 30, 2016 12:25 pm

STP... Great! What about other products with switching chip?

Fri Sep 30, 2016 12:30 pm

!) switch - added hardware stp functionality for CRS devices
*) arp - added local-proxy-arp feature;
*) discovery - added LLDP support;

PARTY, PARTY, PARTY !!!

Thanks Mikrotik

paulct · Fri Sep 30, 2016 12:45 pm

A very nonchalant post.....not!! Great updates!!!

tomaskir · Fri Sep 30, 2016 12:56 pm

Where can I configure LLDP, I cant find anything related to it in "/ip neighbor" or anywhere else.

MartijnVdS · Fri Sep 30, 2016 1:03 pm

Where can I configure LLDP, I cant find anything related to it in "/ip neighbor" or anywhere else.

It seems like LLDP is enabled automatically when neighbour discovery is enabled for an interface.

tomaskir · Fri Sep 30, 2016 1:12 pm

Our switch sees the MikroTik in its LLDP table now, just no way to configure it on RouterOS yet I guess.
And no way to see LLDP peer table in Router OS yet.

And of course LLDP data it not in SNMP either...

MartijnVdS · Fri Sep 30, 2016 1:20 pm

Our switch sees the MikroTik in its LLDP table now, just no way to configure it on RouterOS yet I guess.
And no way to see LLDP peer table in Router OS yet.

I see my LLDP peers in the "/ip neighbour show" table on RouterOS. They don't have any info other than mac-address and IP (Mikrotik devices show software-id, version, etc.)

patrick7 · Fri Sep 30, 2016 1:25 pm

Still missing in my opinion: rp_filter per interface. Should be a small thing to implement.

tomaskir · Fri Sep 30, 2016 1:31 pm

I see my LLDP peers in the "/ip neighbour show" table on RouterOS. They don't have any info other than mac-address and IP (Mikrotik devices show software-id, version, etc.)

Neither of the 2 switches connected to my test MikroTik show up over LLDP in its "/ip neighbor print detail".

kamillo · Fri Sep 30, 2016 1:33 pm

Great news with STP on CRS. What I would like to see is hardware support for LACP on CRS, any chance/ time scale for that?

athurdent · Fri Sep 30, 2016 1:50 pm

Any chance we'll see increased wireless speeds with AC WLAN equipment like the wAP/hAP? 400-420 Mbit max with a MacBookPro seems about 100-300 Mbit slower than the competition...

rjickity · Fri Sep 30, 2016 1:51 pm

STP and LLDP, look out !

Chupaka · Fri Sep 30, 2016 2:30 pm

*) arp - added local-proxy-arp feature;

when it will be in the manual?

need at least a short description...

pe1chl · Fri Sep 30, 2016 2:31 pm

Our switch sees the MikroTik in its LLDP table now, just no way to configure it on RouterOS yet I guess.
And no way to see LLDP peer table in Router OS yet.

And of course LLDP data it not in SNMP either...

Apparently only outgoing LLDP for now?

pe1chl · Fri Sep 30, 2016 2:32 pm

*) arp - added local-proxy-arp feature;
when it will be in the manual? need at least a short description...

local proxy-arp normally means: router will reply to ARP for hosts it can directly reach, not for hosts it can route to.

Chupaka · Fri Sep 30, 2016 2:45 pm

local proxy-arp normally means: router will reply to ARP for hosts it can directly reach, not for hosts it can route to.

in other words, it will search only interface/connected (by the way, which of two exactly? tech guys, we need your knowledge!) routes in routing table, not all routes? thanks

Fri Sep 30, 2016 3:19 pm

If after upgrade you still see another (unnecessary) wireless package under System/Package menu, then do not worry It will disappear after next reboot of device.

pe1chl · Fri Sep 30, 2016 3:19 pm

I think it is useful in the case where you have the router operating as a VPN server and your VPN clients are in the same subnet as your LAN.
Ethernet interface with local-proxy-arp will reply to ARP requests for VPN users directly connected to the router and with address in the same LAN segment as the ethernet interface.
In earlier releases you could use proxy-arp but it would make the router reply to ALL addresses it knows the route to.
This can lead to nasty problems when it is not detected. (devices without default gateway "just work" but get a very big ARP table)

raffav · Fri Sep 30, 2016 3:40 pm

Via system package cant upgrade to 38rc since get msg "no dude.npk"

alexjhart · Fri Sep 30, 2016 7:13 pm

*) snmp - do not allow to execute script if user does not have write permission;

I'm glad my ticket was addressed quickly to resolve executing scripts with read-only access.

What about adding the ability to chose which scripts are given SNMP access?

alexjhart · Fri Sep 30, 2016 7:14 pm

Also, great work on getting STP for CRS and LLDP out the door!

pe1chl · Fri Sep 30, 2016 7:50 pm

Updated an existing x86 installation I use for testing (running under VMware ESXi).

IPv6 is completely broken! All addresses are gone and replaced by ::/0 or ::/64 in addresses, routes and firewall.
Re-entering them appears to work but broken again after reboot.

Fri Sep 30, 2016 8:59 pm

If after upgrade you still see another (unnecessary) wireless package under System/Package menu, then do not worry It will disappear after next reboot of device.

Would you please provide some additional information about this.

I am asking because on some upgraded I have done from 6.36 (with 6.36 wireless-rep) upgrades to 6.37 , I have been experiencing problems where the Wireless section in Winbox disappears and under packages, I see two wireless packages where one is a much older package (6.20 or something). The only fix I found was to downgrade from 6.37 to 6.36 and then restore a backup to get it working again. This is reproducible on the problem Mikrotiks when I upgrade again to 6.37.

Another question - re the reboot to make the other wireless package disappear is - what about remote clients. Is there a way to do an upgrade and have them auto-reboot if there are two wireless packages where one if older package - then have it re-load the backup config so that the remote client Mikrotik comes back on-line ?

North Idaho Tom Jones

Fri Sep 30, 2016 9:11 pm

Local proxy arp.... Interesting.

W/o any knowledge, my guess is this:
Essentially, this would be a proxy ARP which answers for the exact inverse conditions of regular proxy arp - i.e. ONLY reply if the requested IP address is located on the same interface where the ARP request was received.

Am I right?

If so, this seems to me as the missing piece of the pie for being the hub of a NBMA topology.

e.g. You have a network with client isolation / split horizon bridge. This blocks direct client-to-client at the MAC layer. Thus clients are unable to broadcast each other or ARP spoof each other, rogue DHCP / rogue RA, etc. Normally this would make client-to-client communication impossible. If the Mikrotik answers ARP for client-to-client, then it will allow client-to-client communications at layer 3 by forcing all traffic to first get forwarded up to the router, where you can apply the usual firewall rules and not need to sacrifice fastpath by bridging with filters enabled on the bridge.....

Very great feature!

Fri Sep 30, 2016 11:23 pm

Local proxy arp.... Interesting.

W/o any knowledge, my guess is this:
Essentially, this would be a proxy ARP which answers for the exact inverse conditions of regular proxy arp - i.e. ONLY reply if the requested IP address is located on the same interface where the ARP request was received.

Am I right?

You are spot on !

This is a feature I have been requesting for the last few years. Our primary application is when using a Mikrotik as an IPoE BNG. We have hundreds of vlans in a single bridge, with a DHCP server running on the bridge. We can only present 2 MAC addresses to each vlan, and dont want clients to be able to talk directly to each other. By using local-proxy-arp in combination with split horizon we can achieve this goal.

TLDR; local-proxy-arp replies to all ARP requests on the bridge with it's own MAC address, but only for IP's within the subnet on that bridge.

This is the first cut of this feature by Mikrotik, and I suspect it may need further minor tweaking from the devs, specifically some DHCP client devices that upon receiving a lease send out an ARP request to verify it is not in use, and if they receive one they decline the lease. From initial testing "local-proxy-arp" replies to all ARP requests with it's own MAC, so there may need to be a "reply-only local-proxy-arp" mode.

Sat Oct 01, 2016 2:56 am

If after upgrade you still see another (unnecessary) wireless package under System/Package menu, then do not worry It will disappear after next reboot of device.
Would you please provide some additional information about this.

I am asking because on some upgraded I have done from 6.36 (with 6.36 wireless-rep) upgrades to 6.37 , I have been experiencing problems where the Wireless section in Winbox disappears and under packages, I see two wireless packages where one is a much older package (6.20 or something). The only fix I found was to downgrade from 6.37 to 6.36 and then restore a backup to get it working again. This is reproducible on the problem Mikrotiks when I upgrade again to 6.37.

Another question - re the reboot to make the other wireless package disappear is - what about remote clients. Is there a way to do an upgrade and have them auto-reboot if there are two wireless packages where one if older package - then have it re-load the backup config so that the remote client Mikrotik comes back on-line ?

North Idaho Tom Jones

EDIT - Update - Good News
Working with a problem Mikrotik that every time lost the wireless interface when upgrading from 6.36 to 6.37 which resulted in two different versions of the wireless package (one was new at 6.37 and the old was 6.20 (where ever the 6.20 came from I have noo idea). Both wireless packages were disabled and the only recovery was to downgrade to 6.36 then restore the last backup configuration.

What worked was upgrading from 6.36 to 6.38rc7
The wireless link came back
However - there was still the older disabled wireless 6.20 package
I did another reboot - when it came back then everything looked good - there was no longer a second older wireless package.

North Idaho Tom Jones

Sat Oct 01, 2016 8:57 am

... it may need further minor tweaking from the devs, specifically some DHCP client devices that upon receiving a lease send out an ARP request to verify it is not in use, and if they receive one they decline the lease. From initial testing "local-proxy-arp" replies to all ARP requests with it's own MAC, so there may need to be a "reply-only local-proxy-arp" mode.

Even gratuitous ARPs?

I was thinking the solution to this would be a no-brainer: never respond to gratuitous arps.

Upon reflection, though, there is a wrinkle: what if there IS an address conflict? The gratuitous ARP should be replied to in that case.
It wouldn't matter whether this reply uses the router's MAC or the real MAC as the src. I can see both arguments: using the real MAC is useful in troubleshooting if the conflicting host can report the other MAC in the error message -vs- using the real MAC is a breach of host isolation and allows information about the neighboring hosts to leak through the isolation....

As to how to decide when to respond to gratuitous ARPs....
Maybe if a gratuitous ARP is received and there already exists such an entry in the router's ARP cache with a different MAC address, the router should unicast an ARP request to the existing MAC (if unicast ARP does not violate RFC), and if no reply is given, then ignore the gratuitous arp, and if a reply comes back, then proxy-reply to the gratuitous arp-er so it can detect the conflict.
Even this isn't perfect because the original owner of the IP may have timed out of the router's ARP cache and simply been idle since that timeout.... in which case a conflict would arise anyway.

If unicast ARP is counter-RFC (and some hosts may simply ignore unicast ARP frames), then it would be impossible to simply broadcast a new gratuitous ARP in proxy, because the original host would receive this proxied gratuitous ARP broadcast, and conclude there is a conflict.

Anyone curious about what gratuitous arp means:
http://www.taos.com/2014/07/16/understa ... tous-arps/

I learned that these are also commonly used to force ARP table updates in clustering scenarios where the cluster wasn't using a virtual MAC address. That makes a lot of sense, and I've long-since noticed that Cisco will immediately update its ARP cache whenever an IP packet arrives with a src-mac that is different than the one cached.

horza · Sun Oct 02, 2016 6:23 pm

Is the loop protect dropdown in 6.38rc7 supposed to have these options?
I see it on mipsbe and x86, in both winbox and web, on all interface types that support loop protect.

https://dl.horza.org/routeros/winbox-eo ... rotect.jpg

Mon Oct 03, 2016 1:35 am

This is the first cut of this feature by Mikrotik, and I suspect it may need further minor tweaking from the devs, specifically some DHCP client devices that upon receiving a lease send out an ARP request to verify it is not in use, and if they receive one they decline the lease. From initial testing "local-proxy-arp" replies to all ARP requests with it's own MAC, so there may need to be a "reply-only local-proxy-arp" mode.

I have just tested this, and can confirm that some further minor tweaking is required by Mikrotik developers.

While the new "local-proxy-arp" feature solves the issue with DHCP clients declining leases, the Mikrotik still rewrites ARP queries even if there is no entry in the Mikrotik's ARP table. This will allow for IP hi-jacking on the bridge.

A "reply-only local-proxy-arp" feature is needed that combines reply-only with local-proxy-arp. This will solve the issues with DHCP clients detecting a duplicate IP and declining the lease, and will also prevent IP hi-jacking on the bridge.

Mon Oct 03, 2016 5:44 pm

A "reply-only local-proxy-arp" feature is needed that combines reply-only with local-proxy-arp. This will solve the issues with DHCP clients detecting a duplicate IP and declining the lease, and will also prevent IP hi-jacking on the bridge.

Sounds pretty solid to me.

Mon Oct 03, 2016 6:07 pm

Small off-topic: isn't it time to protect port 53 DDOS for WAN interface in the default rule set ?

fredericmoulins · Mon Oct 03, 2016 6:50 pm

A "reply-only local-proxy-arp" feature is needed that combines reply-only with local-proxy-arp. This will solve the issues with DHCP clients detecting a duplicate IP and declining the lease, and will also prevent IP hi-jacking on the bridge.

Hi,

I think a "-reply-only" alternative for every case, "proxy-arp-reply-only", and now "local-proxy-arp-reply-only", would be useful to be used with the dhcp-server "add-arp" option.

zyzelis · Mon Oct 03, 2016 7:24 pm

Small off-topic: isn't it time to protect port 53 DDOS for WAN interface in the default rule set ?

Why offtopic? it should be "must-have" feature ASAP.

+1 for this suggestion

Mon Oct 03, 2016 8:56 pm

OT was from ARP discussion.

Zorro · Tue Oct 04, 2016 1:45 am

OMG .... *) discovery - added LLDP support;

It's time for the party

yeah, imagine thos people, whining/shouting/complain/asking about LLDP for months here

*imagines them all happier now /random picture of celebration. eg disco, drinks, girlfriends, etc/*
i guess then RouterOS become closer to version 7.0 a bit ;=)

Small off-topic: isn't it time to protect port 53 DDOS for WAN interface in the default rule set ?

isn't easier just setup "whitelist" for incoming DNS traffic sources ?
unless you use hungreds of random DNS services in your work and/or tend to accept DNS traffic "from strangers" (which isn't good idea for other "essential" services as well, btw).
and generally its working better than moving local, querying DNS client/server on router to "high", "un-priveleged" ports from 53, partly because its not solved problem completely, partly because disallow you from efficiently firewall things. so dnsmasq and bind defaults changed in last 2 years for such pruposes in ways, i critized - just dead/end, not working well "by design".

"reply-only" configuration for ARP or "IP guard" as used in CISCO or Lucent (Juniper and VyOS differ in slang/terms

only circumvert Portion of ARP exploitation, not completely eleminating problem. but its neftty trick if you good with plenty of manual work(or scripting. with or without say API usage, Dude, SNMP or other mean).
however for wireless its more useful because 802.1x partial support by ROS atleast for WiFi. which is essential area to continue work/efforts toward, IMHO(both in Wireless and Copper/Fiber interfaces, btw).

Tue Oct 04, 2016 10:49 am

What's new in 6.38rc8 (2016-Oct-04 06:22):

Changes since 6.38rc7:

*) capsman - added possibility to change arp, mtu, l2mtu values in datapath configuration;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ipsec - changed logging topic from error to debug for ph2 transform mismatch messages;
*) lte - improved dwm-222 support;
*) torch - fixed aggregate statistics appearance;
*) trafficgen - fixed crash when IPv6 traffic is processed;
*) userman - fixed memory leak on user limitation calculations;
*) winbox - removed spare values from loop-protect menu;
*) wireless - fixed custom channel extension-channel appearance in console;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

pe1chl · Tue Oct 04, 2016 11:07 pm

ERROR: missing dude-6.38rc8.npk

ryz · Tue Oct 04, 2016 11:35 pm

The same ERROR: missing dude-6.38rc8.npk

and no packages for 6.37.1 :/

szalkerous · Wed Oct 05, 2016 2:46 am

The same ERROR: missing dude-6.38rc8.npk

and no packages for 6.37.1 :/

Yup all my devices are dead in the water in terms of updates:

ERROR: missing dude-6.37.1-tile.npk (on Current/Stable channel)
ERROR: missing dude-6.38rc8-tile.npk (on Release Candidate channel)

Wed Oct 05, 2016 4:25 pm

What's new in 6.38rc9 (2016-Oct-05 10:23):

Changes since 6.38rc8:
!) switch - added hardware stp functionality for CRS devices and small Atheros switch chips (http://wiki.mikrotik.com/wiki/Manual:CR ... e_Protocol);
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ethernet - fixed interface speed reporting for x86 in log after reboot or if "disable-running-check=yes";
*) package – show minimal supported RouterOS version under “/system resource” menu if it is specified (CLI only);
*) sms – fixed crash after modem has failed to start;
*) traffic-flow - fixed dst-port reporting if connection is not maintained by connection tracking;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

pe1chl · Wed Oct 05, 2016 4:52 pm

IPv6 still completely broken... won't accept and keep IPv6 addresses anywhere.

Chupaka · Wed Oct 05, 2016 6:06 pm

*) ethernet - fixed interface speed reporting for x86 in log after reboot or if "disable-running-check=yes";

I'd rather say, removed, not fixed:

17:51:27 interface,info ether3 link up 
17:51:27 interface,info ether6 link up 
17:51:27 interface,info ether7 link up

No more speed info

patrick7 · Wed Oct 05, 2016 8:30 pm

STP, good work!

Thu Oct 06, 2016 10:11 am

Chupaka - After setting "disable-running-check=yes" links go up and do not report any status changes. If "disable-running-check=no", then links report status changes

Thu Oct 06, 2016 3:49 pm

What's new in 6.38rc10 (2016-Oct-06 11:28):

Changes since 6.38rc9:
*) bridge - fixed LLDP packet receive over bridge interfaces;
*) dhcp - do not show slave interfaces in dhcp server interface menu at server setup;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) led - fixed dark mode for cAP2nD (http://wiki.mikrotik.com/wiki/Manual:Sy ... ds_Setting);
*) lte - increased delay when setting sms send mode;

w0lt · Thu Oct 06, 2016 3:56 pm

I have a wAP 2nD r2 and every time I upgrade the ROS any backup file I have made gets blitzed !! What gives?
I have tried upgrading, and downgrading..same thing no backup files after doing it.

-tp

raffav · Thu Oct 06, 2016 4:01 pm

Hello
can any one test to access a CHR running 38 RC with Winbox and se if can login in, ?
my winbox wont open, it donwload de plugin and after that close it
on terminal on log i see User Login via winbox and instantly after User logout via winbox

Thu Oct 06, 2016 4:01 pm

I have a wAP 2nD r2 and every time I upgrade the ROS any backup file I have made gets blitzed !! What gives?
I have tried upgrading, and downgrading..same thing no backup files after doing it.

-tp

Make sure backup file is stored in flash not RAM drive.

Shak7 · Thu Oct 06, 2016 4:29 pm

Hello
can any one test to access a CHR running 38 RC with Winbox and se if can login in, ?
my winbox wont open, it donwload de plugin and after that close it
on terminal on log i see User Login via winbox and instantly after User logout via winbox

Same thing here with RB3011.... Can't access Winbox. Webfig works.

Thu Oct 06, 2016 4:45 pm

I have a wAP 2nD r2 and every time I upgrade the ROS any backup file I have made gets blitzed !! What gives?

Where do you store you backups?
You seem to be using a small-flash device, so anything stored outside of the /flash folder is in fact stored in RAM and does not survive reboot.
This is documented here.

pe1chl · Thu Oct 06, 2016 5:02 pm

I have a wAP 2nD r2 and every time I upgrade the ROS any backup file I have made gets blitzed !! What gives?

You should always download your backups and store them off-device! Otherwise, what use are they?

Thu Oct 06, 2016 5:21 pm

http://wiki.mikrotik.com/wiki/Manual:System/File

"Warning: If device has a directory named "flash" in its file list, then files which you want to be kept after system reboot/power cycle must be stored within it. As anything outside of it is kept within a RAM disk and will be lost upon reboot. Note: this does not include .npk upgrade files as they will be applied by upgrade process before system discards the RAM drive content. "

kez · Thu Oct 06, 2016 5:25 pm

Hello support!
We are having a lot of problems here with Mikrotik Queues X Windows 10 Updates. When a customer have one PC downloading Windows 10 updates, his queue is 100% used, most of the time is impossible to do anything else, even open an web page.
So, I was reading about it and I could see the "fq_codel" is the best way to minimize this problem.
Windows 10 updates are now downloaded from servers using FAST TCP - https://en.wikipedia.org/wiki/FAST_TCP

More info about fq_codel
http://snapon.lab.bufferbloat.net/~d/Pr ... jan-28.pdf
http://forum.mikrotik.com/viewtopic.php?f=1&t=89221
http://forum.mikrotik.com/viewtopic.php?f=2&t=63594

few years ago, normis said this...

thanks for the suggestion, we are looking into it for v7. currently you can use SFQ, which is also very good

http://forum.mikrotik.com/viewtopic.php ... 21#p464269

Are there any news???
Thanks!

roswitina · Fri Oct 07, 2016 2:46 pm

Can't login with winbox to RouterOS v6.38RC10 x86 (VM in Proxmox). Logon with RouterOS v6.38RC7 x86 works.
Console Login from Proxmox works. Login with Browser (Port 80) works also.

Rosi

pe1chl · Fri Oct 07, 2016 3:15 pm

6.38rc10 IPv6 still broken...
Nobody using IPv6 here?
Or is this problem limited to x86 architecture and maybe dependent on specific config?
(I don't assume that, we use very simple config with static address)

csalcedo · Fri Oct 07, 2016 4:59 pm

Yup cant winbox to CHR in VMWARE 6.38RC10

notToNew · Fri Oct 07, 2016 5:47 pm

Feature-request: Just like the new Interface-List, i'd need a Time-object with date/time.

Having this i can set the time-object to tomorrow 06:00 and all FW-rules which are conigured with this object are "enabled" until the time runs off.

I have a big firewall and so i need to enable quiet a few rules to allow external tests. I'm always at risk to forget disabling such a rule after the work is done.

Sob · Fri Oct 07, 2016 11:43 pm

6.38rc10 IPv6 still broken...
Nobody using IPv6 here?

I have one CHR with 6.38rc10 for testing and IPv6 addresses stick just fine. So it must depend on something.

pe1chl · Sat Oct 08, 2016 11:20 am

My IPv6 config is trivial:

/ipv6 address
add address=2001:xxx:xxxx:xx::195 advertise=no interface=ether2
/ipv6 firewall filter
add action=drop chain=forward
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=icmpv6
add action=accept chain=input src-address=2001:yyy:yyyy::/64
add action=drop chain=input
/ipv6 route
add distance=1 gateway=2001:xxx:xxxx:xx::1

This was working fine until 6.37 then I upgraded it to the first v6.38rc and all IPv6 addresses are gone.
(interface address, that address in the firewall, and default route)
They now show like ::/0

nescafe2002 · Sat Oct 08, 2016 2:21 pm

"If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash."

pe1chl · Sat Oct 08, 2016 4:12 pm

Yes it looks like I need to do that. It looked more like a bug that they could easily reproduce without such details...

Sun Oct 09, 2016 12:27 pm

LLDP party is quite skimpy

DGSLLDP.PNG

Tue Oct 11, 2016 2:56 pm

What's new in 6.38rc12 (2016-Oct-11 10:35):

Changes since 6.38rc10:
!) winbox - now Winbox 3.7 is the minimum version that can connect to RouterOS;
*) crs - fixed rare kernel failure on switch reset (for example, reboot);
*) dhcp - do not allow to create dhcp-server on slave interface;
*) dhcp - show dhcp server as invalid and log an error when interface becomes a slave;
*) dns - improved static dns entry add speed when regexp is being used;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ethernet - optimized packet processing on low load when irq re-balance is not necessary;
*) export - do not show interface comment in "/ip neighbor discovery" menu;
*) firewall - do not allow to increase/decrease ttl and hop-limit by 0;
*) firewall - increased max size of connection tracking table to 1048576;
*) health - show power consumption on devices which has voltage and current monitor;
*) hotspot - fixed nat rule dst-port by making it visible again for Walled Garden ip return rules;
*) lte - allow to execute concurrent info commands;
*) lte - return info data when all the fields are populated;
*) routerboot - show log message if router CPU/RAM is overclocked;
*) script - increment run count value when script is executed via snmp;
*) snmp - provide sinr in lte table;
*) trafficgen - improved fastpath support;
*) tunnel - properly export keepalive value;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

kometchtech · Tue Oct 11, 2016 3:27 pm

>*) ethernet - optimized packet processing on low load when irq re-balance is not necessary;

This is how much effect can be expected?
How much throughput can be expected?

athurdent · Tue Oct 11, 2016 3:42 pm

Upgraded my wAP ac and I am getting warnings about CPU and memory being overclocked. I have never tinkered with any overclock settings, the CPU is running at 720 MHz.

Chupaka · Tue Oct 11, 2016 5:33 pm

*) firewall - increased max size of connection tracking table to 1048576;

Guys, please comment this in the light of this:

This number in "max-entries" will increase only when needed. <...> It will increase when you will hit the limit for some period of time. It will use 16GB, there is no scam

So, there IS a limit?..

Tue Oct 11, 2016 7:50 pm

athurdent - Do not worry. Feature is not fully optimized. We will work on it in further rc releases. If you have not overclocked device manually, then do not worry about this message
Chupaka - You can see the limit in IP/Firewall/Connections menu. At the bottom of the table there is Max Entries value.

Siona · Tue Oct 11, 2016 7:57 pm

What's new in 6.38rc12 (2016-Oct-11 10:35):

*) health - show power consumption on devices which has voltage and current monitor;
.

Could you be more specific?

npero · Tue Oct 11, 2016 8:02 pm

What's new in 6.38rc12 (2016-Oct-11 10:35):

*) health - show power consumption on devices which has voltage and current monitor;
.
Could you be more specific?

I thing in devices where have voltage and current sensor they just do P=U * I

Siona · Tue Oct 11, 2016 8:10 pm

That's true, but where can I find list of this devices.

Kevo · Tue Oct 11, 2016 10:17 pm

Chupaka - You can see the limit in IP/Firewall/Connections menu. At the bottom of the table there is Max Entries value.

I tried to check this on our main router and I gave up trying to get to the end of the table. (Which brings up a problem with Webfig. There should be a paging mechanism or a scrolling window with some sort of lazy loading mechanism on the screens with potentially massive tables.) The top of the table said something like 94k connections, and I'm pretty sure we've had more than that because our bandwidth usage was only about 1Gbps at the time when I checked. I know we've been up to 1.8Gbps on that router before. Are we going to run into some kind of connection limit that will prevent us from utilizing more of our bandwidth. Do we need to split up our routing because of this? This is on the CCR1072 btw.

Kindis · Tue Oct 11, 2016 11:47 pm

Chupaka - You can see the limit in IP/Firewall/Connections menu. At the bottom of the table there is Max Entries value.
I tried to check this on our main router and I gave up trying to get to the end of the table. (Which brings up a problem with Webfig. There should be a paging mechanism or a scrolling window with some sort of lazy loading mechanism on the screens with potentially massive tables.) The top of the table said something like 94k connections, and I'm pretty sure we've had more than that because our bandwidth usage was only about 1Gbps at the time when I checked. I know we've been up to 1.8Gbps on that router before. Are we going to run into some kind of connection limit that will prevent us from utilizing more of our bandwidth. Do we need to split up our routing because of this? This is on the CCR1072 btw.

I check on my router and you do not see this in Webfig. Tested with Winbox and I can see that the value on 6.36.3 is 524288 for me.
So check with Winbox. No scrolling needed

Edit: Or use SSH
[admin@MikroTik] /ip firewall connection tracking> print
enabled: auto
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
tcp-established-timeout: 1d
tcp-fin-wait-timeout: 10s
tcp-close-wait-timeout: 10s
tcp-last-ack-timeout: 10s
tcp-time-wait-timeout: 10s
tcp-close-timeout: 10s
tcp-max-retrans-timeout: 5m
tcp-unacked-timeout: 5m
udp-timeout: 10s
udp-stream-timeout: 3m
icmp-timeout: 10s
generic-timeout: 10m
max-entries: 524288
total-entries: 94

Kevo · Wed Oct 12, 2016 1:18 am

Chupaka - You can see the limit in IP/Firewall/Connections menu. At the bottom of the table there is Max Entries value.
I tried to check this on our main router and I gave up trying to get to the end of the table. (Which brings up a problem with Webfig. There should be a paging mechanism or a scrolling window with some sort of lazy loading mechanism on the screens with potentially massive tables.) The top of the table said something like 94k connections, and I'm pretty sure we've had more than that because our bandwidth usage was only about 1Gbps at the time when I checked. I know we've been up to 1.8Gbps on that router before. Are we going to run into some kind of connection limit that will prevent us from utilizing more of our bandwidth. Do we need to split up our routing because of this? This is on the CCR1072 btw.
I check on my router and you do not see this in Webfig. Tested with Winbox and I can see that the value on 6.36.3 is 524288 for me.
So check with Winbox. No scrolling needed

I also have the same value. I was also able to see that the report number in the list of shown connections exceeds the value reported. We had over 104K connections listed but the value showed more like 90K. Maybe there is a delay in the display that prevents the displayed number from matching the actual value. In any case, we only have 2 ports in use right now on this router at roughly 20% capacity, so I could easily see us exceeding this value if we were to ever add a couple more connections which we hope to do. I guess we'll wait and see what happens with this version.

Chupaka · Wed Oct 12, 2016 2:25 am

Chupaka - You can see the limit in IP/Firewall/Connections menu. At the bottom of the table there is Max Entries value.

then please check the whole topic
Normis said the limit will auto-extend, but here we see it's hardcoded. where's the truth?

Wed Oct 12, 2016 10:36 am

Chupaka. This has changed in the latest versions. In the RC (this topic) there is a specific value which you can see.

djdrastic · Wed Oct 12, 2016 11:19 am

Just wanted to say . Big ups for the LLDP neighbor support guys.
Now if we can get MED and the like working as well

Lakis · Wed Oct 12, 2016 2:25 pm

What's new in 6.38rc12 (2016-Oct-11 10:35):

Changes since 6.38rc10:
*) health - show power consumption on devices which has voltage and current monitor;

Nice future will be if you can add in system health total consumption on PoE devices - sum of all Ethernet (PoE out Power)

Chupaka · Wed Oct 12, 2016 2:53 pm

Chupaka. This has changed in the latest versions. In the RC (this topic) there is a specific value which you can see.

What about 'big-table.npk' which will extend conntrack table for those who need it big, for the price of performance?

Wed Oct 12, 2016 6:00 pm

Feature-request: Just like the new Interface-List, i'd need a Time-object with date/time.

Having this i can set the time-object to tomorrow 06:00 and all FW-rules which are conigured with this object are "enabled" until the time runs off.

I have a big firewall and so i need to enable quiet a few rules to allow external tests. I'm always at risk to forget disabling such a rule after the work is done.

Another way to do this would be to add a single "whitelist" rule based on the IP address(es) of the test source. Place this rule early in the chain and put a time of day component on this one rule.
I'm not sure what all rules you're disabling, but if it's a set of filters, then this solution would work. If you're doing something more complex, you could make a custom rule chain for "test mode" and place just one time-of-day based rule which jumps into that chain during those times.

notToNew · Wed Oct 12, 2016 6:13 pm

@ZeroByte Thanks for your suggestion.

hm, I have >90 vlans and several external maintenance-contracts.
so if p.ex. the external "voip"-company needs access to the server, they automatically also need internet-access and access to the svn-server (which are normally denied)
to backup the config.
so i have to enable 7-8 firewall rules just for them. in other firewall distros i just use such a time-object for this, named "maintenance-voip" and enable it for the next 4 hours.
So I cannot forget to disable the rules when the maintenance is finnished, they are automatically disabled.

using chains is a mess whith all those vlans and several hundred rules.

Wed Oct 12, 2016 6:27 pm

Well, address list can be your friend here.

You could have a rule that says this:
chain=forward src-address-list=maintenance_sources dst-address-list=maintenance_hosts action=accept
(whitelist by IP - allow all ports)

Then schedule a script which injects the source/destination IPs into the appropriate lists at whatever times you've agreed on.
When the script injects the IPs into the lists, just include a 2hr timeout value.
e.g.:
/ip firewall address-list add list=maintenance_sources address=192.0.2.21 timeout=7200
/ip firewall address-list add list=maintenance_hosts address=10.20.30.40 timeout=7200

These entries would automatically remove themselves after 7200 seconds...
Just an idea.

Thu Oct 13, 2016 9:20 am

What's new in 6.38rc14 (2016-Oct-13 04:52):

Changes since 6.38rc12:
!) fastpath - let one packet per second through slow path to properly update connection timeouts;
*) console - fixed "/interface ethernet switch export" on some boards;
*) discovery - removed 6to4 tunnels from /ip neighbor discovery menu;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ethernet - fixed potential loopprotect crash;
*) firewall - new faster "connection-limit" option implementation;
*) lte - added support for PANTECH UML295;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

pe1chl · Thu Oct 13, 2016 11:04 am

!) fastpath - let one packet per second through slow path to properly update connection timeouts;

Does that also fix the problem that idle TCP sessions sometimes tick in tcp-unacked state
instead of tcp-established? http://forum.mikrotik.com/viewtopic.php?f=2&t=109608

Thu Oct 13, 2016 3:28 pm

Yes, it should. If that is not working as suspected, then please try without FastTrack. If behavior with and without FastTrack differs, then write to support@mikrotik.com. Send two supout files - one with and one without FastTrack.

Chupaka · Thu Oct 13, 2016 3:42 pm

Looks like something is broken in firewall export:

add action=drop chain=output !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content !dscp dst-address=5.6.8.5 !dst-address-list !dst-address-type \
    !dst-limit !dst-port !fragment !hotspot icmp-options=3:0-255 !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !p2p !packet-mark !packet-size !per-connection-classifier !port !priority protocol=icmp !psd !random !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl

everything is okay in versions upto 6.37.1

pe1chl · Thu Oct 13, 2016 3:43 pm

Yes, it should. If that is not working as suspected, then please try without FastTrack. If behavior with and without FastTrack differs, then write to support@mikrotik.com. Send two supout files - one with and one without FastTrack.

Ok, I'll see if I can reproduce the problem on a router that I can update to the RC.

hdmn · Fri Oct 14, 2016 12:32 am

I have identified a problem since v6.38rc (at least rc10 / up to rc14) on a range of different devices (CCR, CRS, hAP, CHR).

When you add a firewall rule where you put a source or destination address and the 4th byte is >127, src/dst field is being rewritten to *.0.0.0.
For example:

1.1.1.1 OK
1.1.1.254 -> 1.0.0.0
128.128.128.128 -> 128.0.0.0
254.254.254.127 OK
254.254.254.128 -> 254.0.0.0

Also, CIDR notation is broken:

192.168.0.0/23 -> 192.168.0.0-192.0.0.0
192.168.0.0/25 OK
192.168.1.0/24 -> 192.168.1.0-192.0.0.0
192.168.1.0/255.255.255.0 ->192.168.1.0/24 -> 192.168.1.0-192.0.0.0
254.254.254.0/24 -> 254.254.254.0-254.0.0.0

As mentioned above, this is reproducible on virtually all current rc-versions and does not happen on v6.37.1.

PS: As i am relatively new to the MikroTik-world and was not able to locate a bug tracker or the like, I thought this would be a good place to post this kind of information. If I missed the appropriate spot, please push me there…

raffav · Fri Oct 14, 2016 12:46 am

I have identified a problem since v6.38rc (at least rc10 / up to rc14) on a range of different devices (CCR, CRS, hAP, CHR).

When you add a firewall rule where you put a source or destination address and the 4th byte is >127, src/dst field is being rewritten to *.0.0.0.
For example:
1.1.1.1 OK
1.1.1.254 -> 1.0.0.0
128.128.128.128 -> 128.0.0.0
254.254.254.127 OK
254.254.254.128 -> 254.0.0.0
Also, CIDR notation is broken:
192.168.0.0/23 -> 192.168.0.0-192.0.0.0
192.168.0.0/25 OK
192.168.1.0/24 -> 192.168.1.0-192.0.0.0
192.168.1.0/255.255.255.0 ->192.168.1.0/24 -> 192.168.1.0-192.0.0.0
254.254.254.0/24 -> 254.254.254.0-254.0.0.0
As mentioned above, this is reproducible on virtually all current rc-versions and does not happen on v6.37.1.

PS: As i am relatively new to the MikroTik-world and was not able to locate a bug tracker or the like, I thought this would be a good place to post this kind of information. If I missed the appropriate spot, please push me there…

Send a mail and a support file to mk support mail
And describe the bug.

Enviado do Moto X Force

drees · Fri Oct 14, 2016 10:24 am

Yes, it should. If that is not working as suspected, then please try without FastTrack. If behavior with and without FastTrack differs, then write to support@mikrotik.com. Send two supout files - one with and one without FastTrack.

FastTrack works better in the latest rc in that an idle SSH connection doesn't completely timeout, but an idle SSH connection (sending keep alives every minute) still has it's Timeout drop to 5 minutes, decline to 4 minutes before popping back up to 5 minutes. I'll send the supout files to support.

pe1chl · Fri Oct 14, 2016 12:13 pm

I have identified a problem since v6.38rc (at least rc10 / up to rc14) on a range of different devices (CCR, CRS, hAP, CHR).
When you add a firewall rule where you put a source or destination address and the 4th byte is >127, src/dst field is being rewritten to *.0.0.0.

That is an interesting observation! it could be related to the trouble I have with IPv6, where also the addresses are truncated to zeroes.
Unfortunately there is no followup yet on the support ticket I have filed for that.

Fri Oct 14, 2016 2:24 pm

What's new in 6.38rc15 (2016-Oct-14 09:11):

Changes since 6.38rc14:
*) dhcp - fixed dhcp-client crash (introduced in 6.37rc14);
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) firewall - fixed compact export (introduced in 6.37rc14);
*) rb2011 - fixed crash on l2mtu changes;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

lelmus · Fri Oct 14, 2016 5:48 pm

What's with the false critical messages in 6.38rc15 on my 922UAGS-5HPacD?

Critical cpu overclocked
Critical memory overclocked

docmarius · Fri Oct 14, 2016 6:38 pm

Same issue. CPU is at 720 MHz (factory default):

18:29:59 system,info verified routeros-mipsbe-6.38rc15.npk 
18:30:03 system,info installed routeros-mipsbe-6.38rc15 
18:30:03 system,info router rebooted 
18:30:09 interface,info ether1 link up (speed 1G, full duplex) 
...
18:30:18 system,info,critical cpu overclocked 
18:30:18 system,info,critical memory overclocked
...

[admin@YO2LOJ-Metal] /system routerboard> print
                ;;; Warning: cpu overclocked
                ;;; Warning: memory overclocked
       routerboard: yes
             model: 922UAGS-5HPacD
     serial-number: 6210055ADBAF
     firmware-type: qca9550
  factory-firmware: 3.22
  current-firmware: 3.34
  upgrade-firmware: 3.34

gyropilot · Fri Oct 14, 2016 7:46 pm

What's with the false critical messages in 6.38rc15 on my 922UAGS-5HPacD?

Critical cpu overclocked
Critical memory overclocked

I'm also getting the "cpu overclocked" error after boot on my RB952 hAP ac lite running 6.38rc14, but not the "memory overclocked" error.

John

raffav · Fri Oct 14, 2016 10:06 pm

... Do not worry. Feature is not fully optimized. We will work on it in further rc releases. If you have not overclocked device manually, then do not worry about this message

hdmn · Fri Oct 14, 2016 10:10 pm

v6.38rc: Firewall rule parsing broken in v6.38rc15, too

--------------------------------------------------------------------------------------------------------------------------------------------

hAP lite classic / Warning: cpu overclocked

[admin@hAP] > /system routerboard print
                ;;; Warning: cpu overclocked
       routerboard: yes
             model: RouterBOARD 941-2nD
     serial-number: 5B3204AB2B42
     firmware-type: qca9531L
  factory-firmware: 3.22
  current-firmware: 3.33
  upgrade-firmware: 3.33
  
[admin@hAP] > /system routerboard settings print 
                    ;;; Warning: cpu overclocked
           boot-device: nand-if-fail-then-ethernet
         cpu-frequency: 650MHz
         boot-protocol: bootp
   force-backup-booter: no
           silent-boot: no
  protected-routerboot: disabled
  
  [admin@hAP] > /system resource print
                   uptime: 4h1m36s
                  version: 6.38rc15 (testing)
               build-time: Oct/14/2016 09:11:04
              free-memory: 6.4MiB
             total-memory: 32.0MiB
                      cpu: MIPS 24Kc V7.4
                cpu-count: 1
            cpu-frequency: 650MHz
                 cpu-load: 3%
           free-hdd-space: 7.0MiB
          total-hdd-space: 16.0MiB
  write-sect-since-reboot: 5132
         write-sect-total: 565859
               bad-blocks: 0%
        architecture-name: smips
               board-name: hAP lite
                 platform: MikroTik

raffav · Fri Oct 14, 2016 11:40 pm

v6.38rc: Firewall rule parsing broken in v6.38rc15, too

[/code]

on my crs i cant reproduce this bug

[Vaselli@CRS] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=output action=accept src-address=1.1.1.254 dst-address=254.254.254.128 log=no
log-prefix=""

1 chain=forward action=accept src-address=192.168.0.0/23 log=no log-prefix=""
[Vaselli@CRS] > ip firewall filter export
# oct/14/2016 17:39:18 by RouterOS 6.38rc15
# software id = K711-PKMH
#
/ip firewall filter
add action=accept chain=output dst-address=254.254.254.128 src-address=1.1.1.254
add action=accept chain=forward src-address=192.168.0.0/23
[Vaselli@CRS] > system resource print
uptime: 6h32m52s
version: 6.38rc15 (testing)
build-time: Oct/14/2016 09:11:04
free-memory: 102.8MiB
total-memory: 128.0MiB
cpu: MIPS 74Kc V4.12
cpu-count: 1
cpu-frequency: 600MHz
cpu-load: 5%
free-hdd-space: 47.6MiB
total-hdd-space: 64.0MiB
write-sect-since-reboot: 545
write-sect-total: 198197
bad-blocks: 0%
architecture-name: mipsbe
board-name: CRS125-24G-1S-2HnD
platform: MikroTik
[Vaselli@CRS] >

hdmn · Fri Oct 14, 2016 11:48 pm

on my crs i cant reproduce this bug

probably a webfig-only bug? did you add it via winbox or shell?

patrick7 · Fri Oct 14, 2016 11:50 pm

Maybe it's only in webfig or winbox?

raffav · Fri Oct 14, 2016 11:52 pm

on my crs i cant reproduce this bug
probably a webfig-only bug? did you add it via winbox or shell?

winbox
will try over webfig and post back here, just a minute

EDIT
Via WEBFIG has the BUG

hdmn · Fri Oct 14, 2016 11:56 pm

on my crs i cant reproduce this bug
probably a webfig-only bug? did you add it via winbox or shell?
winbox
will try over webfig and post back here, just a minute

Tik-App (Android) works fine. So this seems to concern webfig only...

Zorro · Sat Oct 15, 2016 8:57 pm

conntrack limit defaults usually not concern even on border devices.
exceptions are CCR endpoints in installations/solutions where expected lot of PPS and/or DDoS attemps of many kind. or say rb850gx2, RB1200 users for example or other "border"/edge devices.
(rb3011 and below aren't fill that role much despite distracting price

contrary usually defaults may be quite over-estimated, especially in soho devices.
not surprised to had conntrack table defaults set in irrelevant to memory size in say ASUS, Zuxel or Alpha, Buffalo, ZTE -made SOHO devices and alikes, but having "default" conntrack table in say ERL(or DFL,DSR by Alpha with similar impact) firmware(taken directly from vyatta without changes)result to resources exhausting eventually and hang in result(sometimes in work, sometmies after re-boot), since (especially in long uptime and with serious traffic) it eventually wouldn't let devices breathe themselves. so for most of them - usually safe/sane was actually reduceing numbers 8x times or 4x atleast and do help a LOT.
thats where ROS shine because low footprint of it, lack/absence of irrelevant (for networking)portions of linux stack/distribution, both in terms of speed, resource consumption and attack surface reduction.
my point is: thats quite helpful/meaningful change. especially if you are run ISP company or mid-big sized company networker.
before that - you absolytely have no control of conntrack table in ROS(except timeouts values), sometimes desperately looking at 8Gb or 16Gb RAM installed on say CCR, with completely exhausted tables. now it fixes that for real world use/tweaking.

p.s. for SOHO devices i highly suggest - go opposite way and slightly decrease all numbers(including hash table) seriously in their config for stability.

ivicask · Mon Oct 17, 2016 3:51 pm

Hello support!
We are having a lot of problems here with Mikrotik Queues X Windows 10 Updates. When a customer have one PC downloading Windows 10 updates, his queue is 100% used, most of the time is impossible to do anything else, even open an web page.
So, I was reading about it and I could see the "fq_codel" is the best way to minimize this problem.
Windows 10 updates are now downloaded from servers using FAST TCP - https://en.wikipedia.org/wiki/FAST_TCP

More info about fq_codel
http://snapon.lab.bufferbloat.net/~d/Pr ... jan-28.pdf
http://forum.mikrotik.com/viewtopic.php?f=1&t=89221
http://forum.mikrotik.com/viewtopic.php?f=2&t=63594

few years ago, normis said this...
thanks for the suggestion, we are looking into it for v7. currently you can use SFQ, which is also very good
http://forum.mikrotik.com/viewtopic.php ... 21#p464269

Are there any news???
Thanks!

I had the same problem long time ago, i solved it when separated HTTP traffic into "browsing" and "downloads", so first 5mb are marked as regular web browsing and have higher priority in tree queue, and all above 5MB goes into this downloads queue which is than limited down and has lower priority.
Every day i have alot of computers downloading updates and other stuff and i can browse internet without any delays.And all that works with PCQ.

bajodel · Wed Oct 19, 2016 9:39 am

On RB951G with 6.38rc15 (using winbox 3.7) if you set wlan1 band to 2 Ghz-G/N the HT MCS tab disappears. It came back if you set band to bgn or only-n (not tested other combinations)

JorgeAmaral · Wed Oct 19, 2016 3:06 pm

Is it possible to setup port based vlan on CRS with hw RSTP?

I tried the scenario on the wiki ( http://wiki.mikrotik.com/wiki/Manual:CR ... AN_Routing ) and added each masterport vlan to different bridges and was expecting it to behave like "per vlan spanning tree" but... nothing happens.

notToNew · Thu Oct 20, 2016 12:37 pm

Intel(R) PRO/Wireless 3945ABG -cardsa can only connect in B/G-mode.
When AP is in B/G/N-mode, no connection is possible.

Borizo · Thu Oct 20, 2016 6:50 pm

I see one of developers had a chance to look DNS code portion:

Changes since 6.38rc10:
*) dns - improved static dns entry add speed when regexp is being used;

Is there any chance to add two small features please?
[Feature][DNS] Allow 0.0.0.0 as address for DNS records
[Feature][DNS] Apply the regexp entry after plain entries
They should not be consume much time and seems rather natural.

bryans2k · Sat Oct 22, 2016 9:36 am

I've been seeing weird DNS failures on the CCR DNS server. It doesn't seem to follow the DNS server priority when you have 4 DNS servers in the DNS Settings list and query from multiple subnets. For example my CCR has 3 ip's 10.0.0.9,10.1.0.2,10.1.1.2 on 3 different interfaces. If I query dns on 10.1.0.2 from 10.0.0.x it fails on the first DNS server in the list then succeed's on the second even though the first DNS server is fine. If I query dns on 10.0.0.9 from 10.0.0.x it works without a problem. If I reduce the DNS servers to just 2 in the DNS Settings list then it also works without a problem.

Wed Oct 26, 2016 12:48 pm

What's new in 6.38rc19 (2016-Oct-24 11:19):

Changes since 6.38rc15:
!) snmp - added basic get and walk functionality "/tool snmp-[get|walk]";
*) chr - fixed "/interface print";
*) chr - fixed reboot;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) fastpath - fixed kernel failure when fastpath traffic goes into loop;
*) fastpath - fixed rare crash;
*) interface - changed loopback interface mtu to 1500;
*) ipsec - added ability to specify static IP address at send-dns option (CLI only);
*) ipsec - send xauth password without trailing null;
*) led - fixed cAP 2nD stuck in dark mode all the time;
*) lte - fixed Pantech UML296 support;
*) package - show minimal supported RouterOS version under "/system resource" menu if it is specified;
*) profiler - added ability to monitor cpu usage per core;
*) resolver - ignore cache entries if specific server is used;
*) ssh - fixed lost "/ip ssh" settings on upgrade from version older than 5.15;
*) trafficgen - fixed potential crash when very big frame is generated;
*) vlan - allow to add multiple vlans which name starts with same number and has same length;
*) vlan - fixed CRS switch egress-vlan-tag export;
*) winbox - added led settings menu;
*) winbox - allow to run profiler from "/system resources" menu;
*) winbox - fixed missing switch menu for mmips devices;
*) winbox - properly show VHT basic and supported rates in CAPsMAN;
*) wireless - added CRL checking for eap-tls;
*) wireless - take in account channel width when returning supported channels;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Kindis · Wed Oct 26, 2016 12:56 pm

What's new in 6.38rc19 (2016-Oct-24 11:19):

Changes since 6.38rc15:
*) chr - fixed "/interface print";
*) chr - fixed reboot;

Looks promising. Will test my CHR when I have access to it.

paulct · Wed Oct 26, 2016 2:24 pm

*) profiler - added ability to monitor cpu usage per core;

Nice

Gennadiy51 · Wed Oct 26, 2016 4:41 pm

I have two hAP lite. On both routers after update from v6.37.1 to v6.38rc19 and after each reboot I am see in Log "system, info, critical --- CPU overclocked", but in system, resources all O.K.

[Guess_Who-2@MikroTik] /log> print
15:29:59 system,info installed dhcp-6.38rc19
15:29:59 system,info installed security-6.38rc19
15:29:59 system,info installed wireless@-6.38rc19
15:30:01 system,info router rebooted
15:30:02 system,info,critical cpu overclocked
15:30:08 interface,info ether1-WAN link up (speed 100M, full duplex)
15:30:12 pppoe,ppp,info Arax_Internet: initializing...
15:30:12 pppoe,ppp,info Arax_Internet: connecting...

[Guess_Who-2@MikroTik] > system resource print
uptime: 1h57m25s
version: 6.38rc19 (testing)
build-time: Oct/24/2016 11:19:32
free-memory: 7.4MiB
total-memory: 32.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 650MHz
cpu-load: 3%
free-hdd-space: 7.6MiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 180
write-sect-total: 77897
bad-blocks: 0%
architecture-name: smips
board-name: hAP lite
platform: MikroTik

At v6.37.1 in Log no such message.

Kindis · Wed Oct 26, 2016 4:41 pm

What's new in 6.38rc19 (2016-Oct-24 11:19):

Changes since 6.38rc15:
*) chr - fixed "/interface print";
*) chr - fixed reboot;
Looks promising. Will test my CHR when I have access to it.

Nope this does not solve my issues with my CHR. Still dies when updated. My guess this is related to me using syntecic networkcards insted of legacy.

Wed Oct 26, 2016 6:04 pm

I have two hAP lite. On both routers after update from v6.37.1 to v6.38rc19 and after each reboot I am see in Log "system, info, critical --- CPU overclocked", but in system, resources all O.K.

[Guess_Who-2@MikroTik] /log> print
15:29:59 system,info installed dhcp-6.38rc19
15:29:59 system,info installed security-6.38rc19
15:29:59 system,info installed wireless@-6.38rc19
15:30:01 system,info router rebooted
15:30:02 system,info,critical cpu overclocked
15:30:08 interface,info ether1-WAN link up (speed 100M, full duplex)
15:30:12 pppoe,ppp,info Arax_Internet: initializing...
15:30:12 pppoe,ppp,info Arax_Internet: connecting...

[Guess_Who-2@MikroTik] > system resource print
uptime: 1h57m25s
version: 6.38rc19 (testing)
build-time: Oct/24/2016 11:19:32
free-memory: 7.4MiB
total-memory: 32.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 650MHz
cpu-load: 3%
free-hdd-space: 7.6MiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 180
write-sect-total: 77897
bad-blocks: 0%
architecture-name: smips
board-name: hAP lite
platform: MikroTik

At v6.37.1 in Log no such message.

Do not worry about this warning, this is for us to track down wrong default CPU and memory frequencies.

drees · Wed Oct 26, 2016 6:11 pm

The 2nd to last line before rebooting after upgrading from rc15 was:

system, error, critical System rebooted because of kernel failure

Everything seems fine post reboot. Is that normal? RB951G

Thu Nov 03, 2016 4:56 pm

Version 6.38rc24 has been released.

Changes since previous rc:

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
!) tr069-client - initial implementation (as separate package);
*) arm - improved watchdog reliability;
*) bonding - added "forced-mac-address" option (cli only);
*) bonding - fixed 802.3ad load balancing over routed VLANs with fastpath enabled;
*) bonding - fixed mac address selection after upgrade;
*) bridge - fixed rare crash on bridge port removal;
*) certificates - fixed trust chain update on local certificate revocation in programs using ssl;
*) crs - added comment ability in more switch menus;
*) crs - fixed port mirroring halt after L2MTU change;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) fastpath - improved connection tracking timeout updates;
*) firewall - fixed "connection-state" value disappearance in rules that were created before v6.22;
*) firewall - improved "time" option (ranges like 22h-10h now are acceptable);
*) ipsec - added ph2 accounting for each policy "/ip ipsec policy ph2-count" (cli only);
*) ipsec - non passive peers will also establish SAs from policy without waiting for the first packet;
*) ipv6 - increased default max-neighbor-entries value to 8192, same as ipv4;
*) log - fixed "System rebooted because of kernel failure" message to show after 1st crash reboot;
*) mmips - fixed traffic accounting in "/interface" menu;
*) mmips - improved watchdog reliability;
*) profiler - added ability to monitor cpu usage per core;
*) ssl - fixed potential memory leak ( when using dude for example);
*) queue - fixed rare crash on statistic gathering in "/queue tree";
*) queue - improved "time" option (ranges like 22h-10h are now usable);
*) wireless - added CRL checking for eap-tls;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

nescafe2002 · Thu Nov 03, 2016 5:31 pm

Updated RB750Gr3 to 6.38rc24.

My policies with sa-src-address=0.0.0.0 are failing.

ipsec, error x.x.x.x parsing packet failed, possible cause: wrong password

After setting correct WAN address as sa-src-address, remote connections are up again:

/ip ipsec policy> set [f] sa-src-address=x.x.x.x

Thu Nov 03, 2016 6:04 pm

what is your setup? tunnel or transport mode?

problem confirmed in tunnel mode. Thanks.

Thu Nov 03, 2016 6:43 pm

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);

Yay! I can't believe I will be able to throw a couple of good-old-but-no-longer-supported ASA5505 boxes away soon!
Just need to wait until the version gets stable.

cutedrummerboy · Thu Nov 03, 2016 8:15 pm

aha, tr069 client. lots of room for experiments.

Kindis · Thu Nov 03, 2016 8:45 pm

Any expected date when problems with CHR on Hyper-V will be fixed? No hurry from my side as 6.36.3 is super stable but would like to know if there is any planned eta on that?
[Ticket#2016100322001305]

cutedrummerboy · Thu Nov 03, 2016 8:46 pm

after installing tr069 client how to work with it??

cutedrummerboy · Fri Nov 04, 2016 6:47 am

nevermind, I found it. currently it is only console based implementation.

ditonet · Fri Nov 04, 2016 11:02 am

Hi,
Download link for Dude server 6.38rc24 for CHR is broken

Regards,

janisk · Fri Nov 04, 2016 1:59 pm

dude links for rc24 are fixed. Also, that is the same package made fo x86.

pe1chl · Fri Nov 04, 2016 9:09 pm

Updated CHR install from rc19 to rc24, on reboot it logs:

system error critical open /dev/panics failed

huntah · Sat Nov 05, 2016 11:06 am

strods wrote:
!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);

Does this mean multiple L2TP/IPSEC users behind same Public IP?

Sat Nov 05, 2016 11:17 am

Does this mean multiple L2TP/IPSEC users behind same Public IP?

In theory yes..

Hopefully some examples appear on the wiki soon.

Sat Nov 05, 2016 11:43 am

!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
Does this mean multiple L2TP/IPSEC users behind same Public IP?

Yes.

Hopefully some examples appear on the wiki soon.

I don't think extra examples are needed. It should just work, provided NAT-T is enabled in the ipsec peer configuration.

pe1chl · Sat Nov 05, 2016 12:35 pm

I don't think extra examples are needed. It should just work, provided NAT-T is enabled in the ipsec peer configuration.

I hope it can handle double-NAT... in the current version I even need to relax the policy generation (from port-strict to port-override)
or else it is not able to handle certain clients that are behind two levels of NAT. And that is unfortunately quite common, e.g.
a MikroTik router with Huawei E3372 stick (which has its built-in NAT) on a mobile provider that uses carrier-grade NAT.
In this setup the policy is wrongly generated, the port number does not always correctly match on the different levels.

Hopefully someone can report on this, I have seen other people reporting the same problem and fixing it the same way.
(not using the auto-generated peer definition by setting the "ipsec secret" on the L2TP server, but manual IPsec peer
definition with relaxed port matching)

danxx26 · Sun Nov 06, 2016 3:40 am

Today I attempted to upgrade to 6.38rc24 and things did not go well. After reboot I noticed my wireless was gone. I was able to get inside the RB2011 with Winbox and noticed there are is no wireless menu. The interfaces tab confirms no wireless interfaces. I went into the package menu and noticed that the only package is the main 6.38rc24 all other packages are gone and the main package says "disabled". I attempted to download the "extra" packages and copied them over with winbox and reboot. Still no wireless & in packages the ones I uploaded do not show. I see them in files but that's it. Any help would be greatly appreciated.

Thank you

Daniel

Sun Nov 06, 2016 11:02 am

Which version have you upgraded from ?

Chupaka · Sun Nov 06, 2016 10:36 pm

And what's in Log after reboot with package uploaded?

Mon Nov 07, 2016 11:45 am

Version 6.38rc25 has been released.

Changes since previous version:
!) queues - significantly improved hashing algorithm in dynamic simple queue setups (fixes CPU load spikes on queue removal);
!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
*) discovery - added LLDP support;
*) routerboot - show log message if router CPU/RAM is overclocked;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Mon Nov 07, 2016 12:19 pm

Version highlight - this release includes significant fix for large scale tunnel implementations (and any other implementations which uses dynamic simple queues).
It was observed that tunnel disconnect process causes a CPU spike. In some cases for significant amount of time, during this spike, throughput of device decreases, latency increases and in worst case scenario causes other tunnels to disconnect, resulting in avalanche like effect.
Problem was narrowed down to queue removal process, which causes hash table update for whole simple queue set. To fix this we adjusted the way hashing algorithm works.
Please, test this, so that we can add it to next current and/or bugfix versions as soon as possible.

raffav · Mon Nov 07, 2016 12:45 pm

Version 6.38rc has been released.

Changes since previous version:
!) queues - significantly improved hashing algorithm in dynamic simple queue setups (fixes CPU load spikes on queue removal);
!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
*) discovery - added LLDP support;
*) routerboot - show log message if router CPU/RAM is overclocked;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

@strods
maybe you forgout to put the new RC version on the change log ?,
*) ipsec - added ph2 accounting for each policy "/ip ipsec policy ph2-count" (cli only); cant find where it that

Mon Nov 07, 2016 1:04 pm

Post includes only changes since previous rc version release. Full changelog:
http://www.mikrotik.com/download

raffav · Mon Nov 07, 2016 1:13 pm

@strods
that i know
i was talking about this

Version 6.38rcXXhas been released.

but never mind, it not important , was only a observation

alexjhart · Mon Nov 07, 2016 6:32 pm

*) discovery - added LLDP support;

I thought LLDP was already added?

efaden · Tue Nov 08, 2016 2:23 am

MikroTik....

!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);

How do we use this?

Chupaka · Tue Nov 08, 2016 2:34 am

How do we use this?

http://forum.mikrotik.com/viewtopic.php ... 52#p566652

efaden · Tue Nov 08, 2016 2:48 am

Thanks

Tue Nov 08, 2016 8:24 am

*) discovery - added LLDP support;
I thought LLDP was already added?

AFAIK this is RC changelog, there is no point to add new line for every fix/update for features that was introduced in this RC, when released in current it will still be just one changelog entry about feature introduction. So those entries that have fixes/updates, just pops up again in RC, i have noticed this since the new era of changlogs, for me it makes sense.

alexjhart · Tue Nov 08, 2016 8:29 am

*) discovery - added LLDP support;
I thought LLDP was already added?
AFAIK this is RC changelog, there is no point to add new line for every fix/update for features that was introduced in this RC, when released in current it will still be just one changelog entry about feature introduction. So those entries that have fixes/updates, just pops up again in RC, i have noticed this since the new era of changlogs, for me it makes sense.

I can understand summarizing in final release notes, but nice in rc changelog to know if fixes or updates were made relating to that line item, right?

Tue Nov 08, 2016 9:07 am

I can understand summarizing in final release notes, but nice in rc changelog to know if fixes or updates were made relating to that line item, right?

Changelog line is moved to latest RC, so there are fixes or updates

. One can argue, that it would be nice to know what exactly are those changes, but i think it is one step too far, just knowing that something is changed is enough for me.

markom · Tue Nov 08, 2016 3:38 pm

snmp - added basic get and walk functionality "/tool snmp-[get|walk]";

desired bold command part is missing.
tool snmp-walk community=public address=10.10.10.10 file=device.txt
I would like to see option to put in file snmpwalk command.

alexjhart · Tue Nov 08, 2016 7:02 pm

I upgraded from rc7 to rc24 on x86. My road warrior L2TP IPsec VPN stopped working (both OS X and Android clients). I upgraded to rc25, still didn't work. Downgraded back to rc7 works again.

rc24/25:
08:46:31 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[10584]
08:46:31 ipsec,debug searching for policy
08:46:31 ipsec,debug can't match selector to any template, skipping: 2.2.2.2:1701 ipproto:17 <=> 1.1.1.1:10584 ipproto:17
08:46:31 ipsec,debug failed to proposal from policy
08:46:31 ipsec,debug failed to get proposal for responder.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.

rc7:
08:49:48 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[23165]
08:49:48 ipsec,debug no policy found, try to generate the policy : 172.31.99.154/32[51455] 2.2.2.2/32[1701] proto=udp dir=in port_override=0
08:49:48 ipsec,debug Adjusting my encmode UDP-Transport->Transport
08:49:48 ipsec,debug Adjusting peer's encmode UDP-Transport(4)->Transport(2)
08:49:48 ipsec,debug pfkey GETSPI succeeded: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:48 ipsec,debug sent phase2 packet 2.2.2.2[4500]<=>1.1.1.1[23165] de330e033113ec3d:14443609588c73ae:0000b502
08:49:49 ipsec IPsec-SA established: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:49 ipsec IPsec-SA established: ESP/Transport 2.2.2.2[4500]->1.1.1.1[23165] spi=215287899(0xcd5085b)

Tue Nov 08, 2016 7:10 pm

Send supout to support from rc25

alexjhart · Tue Nov 08, 2016 7:25 pm

Send supout to support from rc25

Sent

alexjhart · Tue Nov 08, 2016 8:18 pm

I upgraded from rc7 to rc24 on x86. My road warrior L2TP IPsec VPN stopped working (both OS X and Android clients). I upgraded to rc25, still didn't work. Downgraded back to rc7 works again.

rc24/25:
08:46:31 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[10584]
08:46:31 ipsec,debug searching for policy
08:46:31 ipsec,debug can't match selector to any template, skipping: 2.2.2.2:1701 ipproto:17 <=> 1.1.1.1:10584 ipproto:17
08:46:31 ipsec,debug failed to proposal from policy
08:46:31 ipsec,debug failed to get proposal for responder.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.

rc7:
08:49:48 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[23165]
08:49:48 ipsec,debug no policy found, try to generate the policy : 172.31.99.154/32[51455] 2.2.2.2/32[1701] proto=udp dir=in port_override=0
08:49:48 ipsec,debug Adjusting my encmode UDP-Transport->Transport
08:49:48 ipsec,debug Adjusting peer's encmode UDP-Transport(4)->Transport(2)
08:49:48 ipsec,debug pfkey GETSPI succeeded: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:48 ipsec,debug sent phase2 packet 2.2.2.2[4500]<=>1.1.1.1[23165] de330e033113ec3d:14443609588c73ae:0000b502
08:49:49 ipsec IPsec-SA established: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:49 ipsec IPsec-SA established: ESP/Transport 2.2.2.2[4500]->1.1.1.1[23165] spi=215287899(0xcd5085b)

This also affects point to point VPN with 2 Mikrotiks.

Support says this should be fixed in next rc. Thanks Maris

raffav · Tue Nov 08, 2016 9:26 pm

Hi, had to go back to RC19, for some reason internet navigation was getting problematic , and webpage not loaded very well,
this happens only on office, maybe RC 24-25 changes something that my network didn't worked as supposed to work.
i couldn't reproduce this behavior at home, our in a lab.

Zorro · Wed Nov 09, 2016 1:39 pm

*) discovery - added LLDP support;
I thought LLDP was already added?

LLDP itself, yes.
but not in neighboorhood/discovery.
eg, its now implemented ~ completely, basically.
i guess folks that cried about LLDP necessity - become bit happier now(party time, huh ?

.

boldsuck · Wed Nov 09, 2016 9:39 pm

This was working fine until 6.37 then I upgraded it to the first v6.38rc and all IPv6 addresses are gone.
(interface address, that address in the firewall, and default route)
They now show like ::/0

Same here:
RouterOS v6.38rc25 (testing) on RB2011UAS (mips)

ISSUES:
IPv6 addresses are not shown correctly (only ::/0, ::, or blank in DHCP_Client).
It's a webfig-only bug here. In Tik App and CLI IPv6 addresses are shown correctly.
IPv6 is normaly working.

pe1chl · Wed Nov 09, 2016 10:47 pm

The issue has been confirmed by MikroTik and will be fixed. It only occurs in WebFig so you can still configure and check using commandline.
The reason why my IPv6 was down was because of a configuration error.
I put a static address on an ethernet interface but forgot the /64 mask. In previous versions the default was /64 and now it is /128.
This was the real reason why my IPv6 was down. However, I was misled during debugging because of the display problem in WebFig.

Fri Nov 11, 2016 4:10 pm

Version 6.38rc29 has been released.

Changes since 6.38rc25:

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
!) tr069-client - initial implementation (as separate package);
*) bridge - fixed filter Ingress Priority option (broken in v6.38rc16);
*) ccr - added AHCI driver for Samsung XP941 128GB AHCI M.2;
*) crs226 - fixed sfp-sfpplus1 link re-negotiation (broken in 6.37rc28/v6.37.1);
*) certificates - allow import multiple certs with the same key;
*) certificates - if no name provided create certificate name automatically from certificate fields;
*) dhcp - fixed issue when dhcp-client was still possible on interfaces with "slave" flag and using slave interface MAC address;
*) discovery - added LLDP support;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ethernet - added "k" and "M" unit support to Ethernet Bandwidth setting;
*) firewall - new faster "connection-limit" option implementation;
*) ipsec - don't generate unnecessary ah+esp policies;
*) ipsec - fixed generated policy lookup with ah+esp proposal;
*) traffic-flow - fixed flow sequence counter and length;
*) webfig - fixed smaller than /24 ip address configuration (broken in v6.38rc3);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

irico · Fri Nov 11, 2016 7:32 pm

When update from 6.38rc25 to 6.38rc29, ipsec peer exchange mode changes from ike2 to unknown

With 6.38rc29, IKEv2 only works with sha1 or md5 proposal auth algorithm. I have not been able to use "sha256" or "sha512"

benoga · Fri Nov 11, 2016 8:00 pm

I have the same Problem. L2TP from Android can't connect with Auth. Algorithmus sha265 to the Mikrotik 6.38rc29.

craigreilly · Sat Nov 12, 2016 12:03 am

How do I go about setting up L2TP with ipSEC now that we can have multiple peers behind same NAT.
√ I see it is via CLI only. I really need to get this going since Apple dropped support for PPTP.

efaden · Sat Nov 12, 2016 3:19 pm

Having a weird issue on my CRS. Running > rc10 seems to crash randomly and just stop passing all traffic (including responding to anything itself) requiring a reboot. I sent supouts. I think it is somewhere in IPSec. I wind up with 100s of SAs that keep expiring.... for a single ipsec tunnel....

-Eric

cgaspar · Sat Nov 12, 2016 3:36 pm

Hello, I've updated The Dude to 6.38rc29 version and the e-mail notification is not working. Any changes with the variables at all?

{ Body: Service [Probe.Name] on [Device.Name] is now [Service.Status] ([Service.ProblemDescription]) }

ThomasLevering · Mon Nov 14, 2016 8:53 am

with 6.38rc29 L2TP/IPsec is not working. Windows7/Windows10/iPhone/Mac
with 6.37.1 only one connection per IP
RB750Gr3

6.37.1 QuickSet src-address was Wrong
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" \
src-address=0.89.168.192-255.89.168.192

huntermic · Mon Nov 14, 2016 10:04 am

Same issue here, since last two RC's my L2TP/IPSEC is dead

Mon Nov 14, 2016 3:58 pm

Version 6.38rc30 has been released.

Changes since previous version:
*) dns - do not resolve incorrect addresses after changes made in static dns entries;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) firewall - fixed timeout option on address lists with domain name;
*) system - reboot device on critical program crash;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

ErfanDL · Mon Nov 14, 2016 4:25 pm

Version 6.38rc30 has been released.

Changes since previous version:
*) dns - do not resolve incorrect addresses after changes made in static dns entries;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) firewall - fixed timeout option on address lists with domain name;
*) system - reboot device on critical program crash;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Hi strods
please add 3G modem D-Link DWM 157 H/W Ver D1 in new routeros release candidate

last night I send an email to support@mikrotik.com with supout.rif file attachment for support D-Link DWM 157 H/W Ver D1 but there is no answer

Mon Nov 14, 2016 4:52 pm

ErfanDL - We usually reply within 3 working days. Did it work in 6.37 version? If it did not, then please do not write such posts in rc related topics. Write to support - that is the correct and fastest way.

ErfanDL · Mon Nov 14, 2016 6:09 pm

ErfanDL - We usually reply within 3 working days. Did it work in 6.37 version? If it did not, then please do not write such posts in rc related topics. Write to support - that is the correct and fastest way.

thanks for reply.
yes I test it in 6.37 - 6.37.1 and latest RC 6.38 but did not worked.

thanks

Rushmore · Mon Nov 14, 2016 11:53 pm

6.38rc30 broke synthetic NIC on chr under Hyper-V... again! Hangs on /interface print, then after prints: info failed: std failure: timeout (13)

Kindis · Tue Nov 15, 2016 8:17 am

6.38rc30 broke synthetic NIC on chr under Hyper-V... again! Hangs on /interface print, then after prints: info failed: std failure: timeout (13)

I have had this issue since 6.37 release. This affects Hyper-V running 2012 R2 och older Hyper-V versions.
Windows 10 (not tested but i guess server 2016 also) work with same configuration. Wating for MT to verify that they can reproduce the error as they only tested on Windows 10.

Rushmore · Tue Nov 15, 2016 9:18 am

I have had this issue since 6.37 release. This affects Hyper-V running 2012 R2 och older Hyper-V versions.

6.38rc29 works fine in my environment except live migration issue and auto-negotiation failure. 6.38rc30 hangs again, as before.

Kindis · Tue Nov 15, 2016 1:54 pm

I have had this issue since 6.37 release. This affects Hyper-V running 2012 R2 och older Hyper-V versions.
6.38rc29 works fine in my environment except live migration issue and auto-negotiation failure. 6.38rc30 hangs again, as before.

My guess is you only use syntetic Network adapters? Strage as I have this issues even if I download a brand new VHDX ans start with that. If I remove the Network adapters and replace with Legacy Network Adapters this works.
I have tested rc29 but could not get that to boot either. Are you using 2012 R2?
What brand of network adapters are you using?

Kindis · Tue Nov 15, 2016 2:12 pm

I have had this issue since 6.37 release. This affects Hyper-V running 2012 R2 och older Hyper-V versions.
6.38rc29 works fine in my environment except live migration issue and auto-negotiation failure. 6.38rc30 hangs again, as before.

Downloaded a new VHDX built on rc29. Built a new machine and tried to start it. Started but maintains the same issue as all other build for me.

Rushmore · Tue Nov 15, 2016 2:28 pm

Kindis
I did update via /system/packages from 6.36.3.

Kindis · Tue Nov 15, 2016 3:03 pm

Kindis
I did update via /system/packages from 6.36.3.

Have done this with several rc releases but got tiered of upgrading my router. Thats why I'm testing new VHDX files from now on.
Tested to update a new 6.36.3 to rc30. Same issue.
Good thing is that 6.36.3 is running very well

Rushmore · Tue Nov 15, 2016 3:35 pm

Kindis
I'm using Hyper-V checkpoints for testing RC builds.
Shutdown CHR --> create checkpoint --> turn on CHR --> update to fresh build.
If something went wrong, just apply checkpoint and delete whole checkpoint tree. Got stable version again

Kindis · Tue Nov 15, 2016 4:22 pm

Kindis
I'm using Hyper-V checkpoints for testing RC builds.
Shutdown CHR --> create checkpoint --> turn on CHR --> update to fresh build.
If something went wrong, just apply checkpoint and delete whole checkpoint tree. Got stable version again

I do the same but without turning it off. As the checkpoint covers the memory the recovery back is instant. NTP client updates the clock within a few seconds 
As this is my main router and firewall at home I have a very strong SLA during none office hours

. The family using all types of streaming and me messing with the router does not make them happy 
Testing rc build with new VHDX file do not affect the uptime. Works very well also as I can experiment a lot more.
Otherwise checkpoint builds are the best thing since sliced bread for the router. Don’t have to worry about rollback at all + I export the router via script every night and send it to the NAS. So I have an exported copy backup. Not just the config but the entire router. 

Tue Nov 15, 2016 4:39 pm

6.38rc31 has been released.

Changes since previous version:
!) ipsec - added IKEv2 EAP RADIUS passthrough authentication for responder (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
*) bgp - do not match all prefixes tagged with community 0:0 by routing filters;
*) certificate - fixed crash when crl is removed while it is being fetched;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) log - ignore email topic if action is email;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

JavierTF · Tue Nov 15, 2016 6:02 pm

Hello

I know this has already been suggested in some other topic, but I think this is a best place to do it.

   1) It would be interesting if you could add to CAPSMAN the option to set a frequency range in the 'channels' section instead of setting a single frequency, so that automatic channel selection could be enabled but limited only to that range

   This would help in high-density CAP's environments, where it would not be necessary to set the channel for each CAP manually if you want to limit it's range.

  2) Why in CAPs of 5Ghz with transmission power fixed to 30 dbm and automatic channel selection enabled, CAPSMAN always selects the lowest channel, limiting the transmit power of the CAP to 17dbm? The right way would be that if the power has been fixed, automatic channel selection will automatically limit the range of channels to be used to those that support that power (or at least prioritize these when selecting the channel to use)

Thanks a lot

huntermic · Wed Nov 16, 2016 11:16 am

Please fix the L2TP/IPSEC functionality before the final release

strzinek · Wed Nov 16, 2016 1:49 pm

Having problem with SMB on 6.38 rc versions (tried on rc29,30,31) on CHR x86 under VMWare vSphere when using linux client. I have second disc mounted on /disk1.
My ROS smb configuration:

/ip smb
set allow-guests=no comment="SMB share" domain=work enabled=yes \
    interfaces=ether1
/ip smb shares
set [ find default=yes ] disabled=yes
add directory=/disk1 max-sessions=6 name="backup\$"
/ip smb users
add name=backuper password=password

How to reproduce:
1. Connect from windows machine (tested with Win 8.1 and 10), enter username and password - connection succeeds and I am able to see and copy files with Windows explorer.
2. Connect from another machine with linux (tested on CentOS 5 and 7 both with cifs mount), connection time-outs and also existing connection on first machine gets lost. On linux mount command fails with message "mount error 112 = Host is down" when run first and then "mount error 111 = Connection refused"

Log on ROS says nothing. When I use only windows clients, it works ok.

alexjhart · Wed Nov 16, 2016 8:02 pm

Please fix the L2TP/IPSEC functionality before the final release

I agree it needs to be fixed before final release. Make sure to send support supout. I am still working through some issues with them that were introduced in this rc. Works in rc7, but hasn't in rc25-31 (haven't tested rc8-24).

biatche · Thu Nov 17, 2016 5:09 am

would ikev2 be considered stable by the time we reach 6.38 final?

Thu Nov 17, 2016 9:40 am

would ikev2 be considered stable by the time we reach 6.38 final?

ikev2 will be considered stable when RouterOS 6.38 or higher is in the "bugfix" release chain.

nescafe2002 · Thu Nov 17, 2016 3:08 pm

Updated RB750Gr3 to 6.38rc24.

My ipsec tunnels with sa-src-address=0.0.0.0 are failing.
ipsec, error x.x.x.x parsing packet failed, possible cause: wrong password

After setting correct WAN address as sa-src-address, remote connections are up again:
/ip ipsec policy> set [f] sa-src-address=x.x.x.x

After upgrade to 6.38rc31, this also applies to the peers.
Error: parsing packet failed, possible cause: wrong password

Problematic config (tunnel down):

/ip ipsec peer
add address=222.222.222.222/32 enc-algorithm=aes-128 exchange-mode=aggressive local-address=:: my-id=fqdn:router.home.local nat-traversal=no

Better config (tunnel up):

/ip ipsec peer
add address=222.222.222.222/32 enc-algorithm=aes-128 exchange-mode=aggressive local-address=111.111.111.111 my-id=fqdn:router.home.local nat-traversal=no

Edit:
Unsetting the local-address seems to be working as well.. But I don't know how to achieve that from cli (only in winbox).

Edit2:
Unsetting works for a limited period. local-address is reset to :: after a while.

msatter · Mon Nov 21, 2016 9:35 am

I can't get my Layer 7 filters working again on 6.38rc (on the latest version and before). Can someone check if their Layer 7 filters are still working.

I am have a hEX RB750Gr3 as router.

Update: found the problem and I thought the connection state would be NEW and that was not the case....my head banged a few times on the keyboard in that time.

Update 2: I had in /ip settings "Allow Fast Path disabled to be sure all packages went through. After enabling it again the Layer 7 stopped working.

Luckily is the RB750Gr3 fast enough to work without Fast Path and break a sweat.

ThomasLevering · Mon Nov 21, 2016 12:53 pm

6.38rc29 RB750Gr3
Disable/Enable PPPoE Connection crashed my config. -> No Interfaces in Winbox/CLI

I had to Restore from the Backup

cgabriel · Mon Nov 21, 2016 1:37 pm

I had problems with auto generated certificates with CAPsMAN and local radio.
I simply prepared a board (wAP ac) with CAPsMAN and also enabling local radio for CAPsMAN.
There are some log errors related to issued certificate, which remains unsigned (?). It work shortly on the current session, but after a router restart the client is rejected.
Reverted to 6.37.1 and it works as expected; there is still a certificate error (failed to import CAP CA), I interpret this as normal because the generated certificate is already there...

Gabriel

noyo · Mon Nov 21, 2016 7:10 pm

What's new in 6.37.2 ? Changelog is empty.

alexjhart · Mon Nov 21, 2016 7:13 pm

What's new in 6.37.2 ? Changelog is empty.

From download page:

What's new in 6.37.2 (2016-Nov-08 13:15):

Important note!!!
Dude doesn't work in this version, it will be fixed in soon to be released v6.37.3

Changes since 6.37.1:

!) ethernet - optimized packet processing on low load when irq re-balance is not necessary;
!) fastpath - let one packet per second through slow path to properly update connection timeouts;
!) queues - significantly improved hashing algorithm in dynamic simple queue setups (fixes CPU load spikes on queue removal);
*) arm - improved watchdog reliability;
*) bonding - fixed 802.3ad load balancing over routed VLANs with fastpath enabled;
*) bonding - fixed mac address selection after upgrade;
*) crs - fixed port mirroring halt after L2MTU change;
*) dhcp - do not allow to create dhcp-server on slave interface;
*) ethernet - fixed interface speed reporting for x86 in log after reboot or if "disable-running-check=yes";
*) ethernet - fixed potential loopprotect crash;
*) export - fixed "/interface ethernet switch export" on some boards;
*) export - fixed CRS switch egress-vlan-tag export;
*) fastpath - fixed kernel failure when fastpath traffic goes into loop;
*) fastpath - improved connection tracking timeout updates;
*) firewall - do not allow to increase/decrease ttl and hop-limit by 0;
*) firewall - fixed "connection-state" value disappearance in rules that were created before v6.22;
*) firewall - fixed compact export (introduced in 6.37rc14);
*) firewall - improved "time" option (ranges like 22h-10h now are acceptable);
*) hotspot - fixed nat rule dst-port by making it visible again for Walled Garden ip return rules;
*) ipsec - changed logging topic from error to debug for ph2 transform mismatch messages;
*) ipv6 - increased default max-neighbor-entries value to 8192, same as ipv4;
*) mmips - improved watchdog reliability;
*) package - show minimal supported RouterOS version under "/system resource" menu if it is specified;
*) queue - fixed rare crash on statistic gathering in "/queue tree";
*) queue - improved "time" option (ranges like 22h-10h are now usable);
*) rb2011 - fixed crash on l2mtu changes;
*) sms - fixed crash after modem has failed to start;
*) ssl - fixed potential memory leak ( when using dude for example);
*) torch - fixed aggregate statistics appearance;
*) traffic-flow - fixed dst-port reporting if connection is not maintained by connection tracking;
*) userman - fixed memory leak on user limitation calculations;
*) winbox - added led settings menu;
*) winbox - fixed missing switch menu for mmips devices;

noyo · Mon Nov 21, 2016 7:17 pm

What's new in 6.37.2 ? Changelog is empty.
From download page:

What's new in 6.37.2 (2016-Nov-08 13:15):

Important note!!!
Dude doesn't work in this version, it will be fixed in soon to be released v6.37.3

I saw it.
For me, it do not say anything.

ErfanDL · Mon Nov 21, 2016 7:19 pm

6.37.2 just releasing for make dude bugy?

Please post 6.37.2 changelogs

Sent from my C6833 using Tapatalk

alexjhart · Mon Nov 21, 2016 7:25 pm

6.37.2 just releasing for make dude bugy?

I think it was released early to fix important issues. Hopefully 6.38rc either isn't affected or will also have another release soon

linkwave · Mon Nov 21, 2016 7:31 pm

It seems that is now supported the new cpu architecture MMIPS, fo the (future?) RB750Gr3.

The MMIPS package wasn't present with the 6.37.1 version.

pe1chl · Mon Nov 21, 2016 8:38 pm

It seems that is now supported the new cpu architecture MMIPS, fo the (future?) RB750Gr3.

The MMIPS package wasn't present with the 6.37.1 version.

My (current) RB750Gr3 is running 6.37.1 (MMIPS).
It came with an earlier version, I am not sure exactly which but it was in the 6.36 series.
Anyway, this thread is not for discussing 6.37 versions.

celeritynetworks · Tue Nov 22, 2016 2:07 am

Email notifiers are broken (for us) in 6.38rc30 and 31. RouterOS log shows:

"Nov/21/2016 16:56:34 system,e-mail,error Error sending e-mail <Service [Probe.Name] on [Device.Name] is now [Service.Status]>: error connecting to server"

When I send a test email from within Winbox in RouterOS, it works successfully, but not from within the Dude (either via Dude client or via Dude/Notifications menu).

I even changed the notification entry to remove the variables and just have words - same error.

Chupaka · Tue Nov 22, 2016 1:47 pm

6.37.2 just releasing for make dude bugy?
Please post 6.37.2 changelogs

Changes since 6.37.1:

this means, 'Changes in 6.37.2 compared to 6.37.1'

ErfanDL · Tue Nov 22, 2016 2:05 pm

6.37.2 just releasing for make dude bugy?
Please post 6.37.2 changelogs

Changes since 6.37.1:
this means, 'Changes in 6.37.2 compared to 6.37.1'

So 6.37.2 is real version of 6.37.1

Chupaka · Tue Nov 22, 2016 2:14 pm

this means, 'Changes in 6.37.2 compared to 6.37.1'
So 6.37.2 is real version of 6.37.1

no, this means what I said, but not 'Changes since 6.37' or 'Changes since 6.36.4' or 'Changes since 6.38rcXX' or some other version