Community discussions

MikroTik App
 
User avatar
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1658
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

v6.41 [current]

Fri Dec 22, 2017 2:58 pm

RouterOS 6.41 contains new bridge implementation that supports hardware offloading (hw-offload).
This update will convert all interface "master-port" configuration into new bridge configuration, and eliminate "master-port" option as such.
Bridge will handle all Layer2 forwarding and the use of switch-chip (hw-offload) will be automatically turned on based on appropriate conditions.
The rest of RouterOS Switch specific configuration remains untouched in usual menus for now.
Please, note that downgrading to previous RouterOS versions will not restore "master-port" configuration, so use backups to restore configuration on downgrade.


Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.41 (2017-Dec-22 11:55):
!) bridge - implemented software based vlan-aware bridges;
https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
!) switch - "master-port" conversion into a bridge with hardware offload "hw" option;
https://wiki.mikrotik.com/wiki/Manual:S ... Offloading
!) detnet - implemented "/interface detect-internet" feature;
https://wiki.mikrotik.com/wiki/Manual:Detect_internet
!) bridge - general implementation of hw-offload bridge (introduced in v6.40rc36);
!) routerboot - RouterBOOT version numbering system merged with RouterOS;
!) w60g - added Point to Multipoint support;
!) w60g - revised "master" and "slave" interface modes to more familiar "bridge", "ap-bridge", "station-bridge";
!) wireless - new driver with initial support for 160 and 80+80 MHz channel width;
*) arm - minor improvements on CPU load distribution for RB1100 series devices;
*) arp - fixed invalid static ARP entries after reboot on interfaces without IP address;
*) bgp - added 32-bit private ASN support;
*) bridge - added comment support for VLANs;
*) bridge - added initial support for hardware "igmp-snooping" on CRS1xx/2xx;
*) bridge - added support for "/interface list" as a bridge port;
*) bridge - assume "point-to-point=yes" for all Full Duplex Ethernet interfaces when STP is used (as per standard);
*) bridge - automatically turn off "fast-forward" feature if both bridge ports have "H" flag;
*) bridge - changed "Host" and "MDB" table column order;
*) bridge - disable "hw-offload" when "horizon" or "external-fdb" is set;
*) bridge - fixed "fast-forward" counters;
*) bridge - fixed ARP setting (introduced in v6.40rc36);
*) bridge - fixed connectivity issues when there are multiple VLAN interfaces on bridge;
*) bridge - fixed hw-offloaded IGMP Snooping service getting stopped;
*) bridge - fixed multicast forwarding (introduced in v6.40rc36);
*) bridge - implemented dynamic entries for active MST port overrides;
*) bridge - implemented software based "igmp-snooping";
*) bridge - implemented software based MSTP;
*) bridge - removed "frame-types" and "ingress-filtering" for bridge interfaces (introduced in v6.40rc36);
*) bridge - set "igmp-snooping=no" by default on new bridges;
*) bridge - show "admin-mac" only if "auto-mac=no";
*) bridge - show bridge interface local addresses in the host table;
*) btest - improved reliability on Bandwidth Test when device`s RAM is almost full;
*) capsman - added "vlan-mode=no-tag" option;
*) capsman - added possibility to downgrade CAP with Upgrade command from CAPsMAN;
*) capsman - return complete CA chain when issuing new certificate;
*) capsman - use "adaptive-noise-immunity" value from CAP local configuration;
*) certificate - added option to store CRL in RAM (CLI only);
*) certificate - fixed SCEP "get" request URL encoding;
*) certificate - improved CRL update after system startup;
*) certificate - show "Expired" flag when initial CRL fetch fails;
*) certificate - show invalid flag when local CRL file does not exist;
*) chr - added KVM memory balloon support;
*) chr - added suspend support;
*) console - do not stop "/certificate sign" process if console times out in 1 minute;
*) console - removed "/setup";
*) crs317 - added initial support for HW offloaded MPLS forwarding;
*) crs317 - fixed reliability on FAN controller;
*) crs326 - fixed packet processing speed on switch chip if individual port link speed differs;
*) crs326 - improved transmit performance from SFP+ to Ethernet ports;
*) crs3xx - added ingress/egress rate input limits;
*) crs3xx - hide unused switch "vlan-mode", "vlan-header-mode" and "default-vlan-id" options;
*) crs3xx - switch VLAN configuration integrated within bridge VLAN configuration with hw-offload;
*) dhcp - fixed DHCP services failing after reboot when DHCP option was used;
*) dhcp - fixed unresponsive DHCP service caused by inability to read not set RAW options;
*) dhcp - require DHCP option name to be unique;
*) dhcp-client - limit and enforce DHCP client "default-route-distance" minimal value to 1;
*) dhcp-server - added "option-set" argument (CLI only);
*) dhcp-server - added basic RADIUS accounting;
*) dhcpv4-client - add dynamic DHCP client for mobile clients which require it;
*) dhcpv4-client - allow to use DUID for client as identity string as the option 61;
*) dhcpv4-server - added "NETWORK_GATEWAY" option variable;
*) dhcpv4-server - strip trailing "\0" in "hostname" if present;
*) discovery - use "/interface list" instead of interface name under neighbor discovery settings;
*) e-mail - do not show errors when sending e-mail from script;
*) eoip - made L2MTU parameter read-only;
*) ethernet - removed "master-port" parameter;
*) export - fixed interface list export;
*) fetch - accept all HTTP 2xx status codes;
*) filesystem - implemented additional system integrity checks on reboots;
*) firewall - added "tls-host" firewall matcher;
*) health - fixed bogus voltage readings on CCR1009;
*) hotspot - fixed "dst-port" to require valid "protocol" in "walled-garden ip";
*) hotspot - fixed Walled Garden IP functionality when address-list is used;
*) ike1 - DPD retry interval set to 5 seconds;
*) ike1 - disallow peer creation using base mode;
*) ike1 - fixed crash on xauth if user does not exist;
*) ike1 - fixed memory corruption when IPv6 is used;
*) ike1 - improved stability on phase1 rekeying;
*) ike1 - release mismatched PH2 peer IDs;
*) ike1 - use /32 netmask if none provided by mode config;
*) ike2 - added support for multiple split networks;
*) ike2 - check identities on "initial-contact";
*) ike2 - do not allow to configure nat-traversal;
*) ike2 - fixed PH1 lifetime reset on boot;
*) ike2 - fixed initiator DDoS cookie processing;
*) ike2 - fixed responder DDoS cookie first notify type check;
*) ike2 - kill connection when peer changes address;
*) ike2 - use peer configuration address when available on empty TSi;
*) interface - added "/interface reset-counters" command (CLI only);
*) interface - added default "/interface list" "dynamic" which contains dynamic interfaces;
*) interface - added option to join and exclude "/interface list" from one and another;
*) interface - fixed corrupted "/interface list" configuration after upgrade;
*) ippool6 - try to assign desired prefix for client if prefix is not being already used;
*) ipsec - added DH groups 19, 20 and 21 support for phase1 and phase2;
*) ipsec - allow to specify "remote-peer" address as DNS name;
*) ipsec - fixed incorrect esp proposal key size usage;
*) ipsec - fixed policy enable/disable;
*) ipsec - improved hardware accelerated IPSec performance on 750Gr3;
*) ipsec - improved reliability on certificate usage;
*) ipsec - renamed "firewall" argument to "notrack-chain" in peer configuration;
*) ipsec - skip invalid policies for phase2;
*) ipv6 - add dynamic "/ip dns" server address from RA when RA is permitted by configuration;
*) l2tp - improved reliability on packet processing in FastPath;
*) l2tp-server - fixed PPP services becoming unresponsive after changes on L2TP server with IPSec configuration;
*) lcd - fixed "flip-screen=yes" state after reboot;
*) log - added "bridge" topic;
*) log - fixed interface name in log messages;
*) log - optimized "poe-out" logging topic logs;
*) lte - added "/interface lte apn" menu (Passthrough requires reconfiguration);
*) lte - added Passthrough support;
*) lte - added Yota non-configurable modem support;
*) lte - added support for ZTE ME3630 E1C with additional "/port" for GPS usage;
*) lte - automatically add "/ip dhcp-client" configuration on interface;
*) lte - changed default values to "add-default-route=yes", "use-peer-dns=yes" and "default-route-distance=2";
*) lte - fixed Passthrough support;
*) lte - fixed authentication for non LTE modes;
*) lte - fixed error when trying to add APN profile without name;
*) lte - fixed rare crash when initializing LTE modem after reset;
*) lte - fixed user authentication for R11e-LTE when new firmware is used;
*) lte - integrated IP address acquisition without DHCP client for wAP LTE kit-US;
*) lte - limited minimal default route distance to 1;
*) lte - update info command with "location area code" and "physical cell id" values;
*) m11g - improved ethernet performance on high load;
*) mac-server - use "/interface list" instead of interface name under MAC server settings;
*) modem - added initial support for Alcatel IK40 and Olicard 500;
*) neighbor - show neighbors on actual bridge port instead of bridge itself
*) netinstall - fixed missing "/flash/etc" on first bootup;
*) netinstall - fixed missing default configuration prompt on first startup after reset/netinstall;
*) ospf - fixed OSPF v2 and v3 neighbor election;
*) ovpn-server - do not periodically change automatically generated server MAC address;
*) poe - added new "poe-out" status "controller-error";
*) poe - fixed false positive excessive logs in auto-on mode when connected to 100 Mbps device powered from another power source;
*) poe - log PoE status related messages under debug topic;
*) ppp - added initial support for PLE902;
*) ppp - added support for Sierra MC7750, Verizon USB730L;
*) ppp - do not disconnect PPP connection after "idle-timeout" even if traffic is being processed;
*) ppp - fixed "change-mss" functionality when MSS option is missing on forwrded packets;
*) ppp - fixed L2TP and PPTP encryption negotiation process on configuration changes;
*) ppp - fixed situation when part of PPP configuration was reset to default values after reboot;
*) pppoe-client - properly re-establish MLPPP session when one of the lines stopped transmitting packets;
*) pppoe-server - fixed situation when PPPoE servers become invalid on reboot;
*) quickset - added support for "/interface list" in firewall, neighbor discovery, MAC-Telnet and MAC-Winbox;
*) quickset - fixed LTE quickset mode APN field;
*) quickset - fixed situation when Quickset automatically changes mode to CPE;
*) quickset - renamed router IP static DNS name to "router.lan";
*) radius - limited RADIUS timeout maximum value to 3 seconds;
*) route - fixed potential route crash on routing table update;
*) scheduler - properly display long scheduler configuration;
*) sfp - fixed SFP interface power monitor when bad SFP DDMI information is received;
*) sftp - added functionality which imports ".auto.rsc" file or reboots router on ".auto.npk" upload;
*) sms - fixed minor problem for SMS delivery;
*) sms - log decoded USSD responses;
*) snmp - fixed "ifHighSpeed" value of VLAN, VRRP and Bonding interfaces;
*) snmp - fixed bridge host requests on devices with multiple bridge interfaces;
*) snmp - fixed bulk requests when non-repeaters are used;
*) snmp - fixed consecutive OID bulk get from the same table;
*) snmp - show only available OIDs under "/system health print oid";
*) ssh - do not use DH group1 with strong-crypto enabled;
*) ssh - enforced 2048bit DH group on tile and x86 architectures;
*) system - show USB topology for the device info;
*) tile - improved hardware encryption processes;
*) tr069-client - fixed "/interface lte apn" configuration parameters;
*) traceroute - improved "/tool traceroute" results processing;
*) upnp - add "src-address" parameter on NAT rule if it is specified on UPnP request;
*) upnp - deny UPnP request if port is already used by the router;
*) ups - fixed duplicate "failed" UPS logs;
*) userman - allow to generate more than 999 users;
*) w60g - added "put-stations-in-bridge" and "isolate-stations" options to manage connected clients;
*) w60g - connected stations are treated as separate interfaces;
*) webfig - added favicon file;
*) webfig - fixed router getting reset to default configuration;
*) webfig - fixed terminal graphic user interface under Safari browser;
*) winbox - added "W60G station" tab in Wireless menu;
*) winbox - added "notrack-chain" setting to IPSec peers;
*) winbox - added support for "_" symbol in terminal window;
*) winbox - added switch menu on RB1100AHx4;
*) winbox - do not show MetaROUTER stuff on RB1100AHx4;
*) winbox - do not show duplicate "Switch" menus for CRS326;
*) winbox - do not show duplicate "Template" parameters for filter in IPSec policy list;
*) winbox - do not show duplicate filter parameters "Published" in ARP list;
*) winbox - do not show unnecessary tabs from "Switch" menu;
*) winbox - fixed "/certificate sign" process;
*) winbox - fixed bridge port sorting order by interface name;
*) winbox - show warnings under "/system routerboard settings" menu;
*) wireless - added "allow-signal-out-off-range" option for Access List entries;
*) wireless - added "indonesia3" regulatory domain information;
*) wireless - added passive scan option for wireless scan mode;
*) wireless - added support for CHARGEABLE_USER_ID in EAP Accounting;
*) wireless - check APs against connect-list rules starting with strongest signal;
*) wireless - do not show background scan frequencies in the monitor command channel field;
*) wireless - improved reliability on "rx-rate" selection process;
*) wireless - increased the EAP message retransmit count;
*) wireless - log "signal-strength" when successfully connected to AP;
*) wireless - pass interface MAC address in Sniffer TZSP frames;
*) wireless - updated "UK 5.8 Fixed" and "Australia" country data;
*) wireless - updated "united kingdom" regulatory domain information;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
User avatar
macsrwe
Forum Guru
Forum Guru
Posts: 1011
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: v6.41 [current]

Fri Dec 22, 2017 3:10 pm

e-mail - do not show errors when sending e-mail from script;

But still appears in the log, I hope?
 
freemannnn
Forum Veteran
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: v6.41 [current]

Fri Dec 22, 2017 3:11 pm

oh my god. and i was thinking what i am gonna do in christmas (4 days holidays). testing testing testing
nice!
Last edited by freemannnn on Fri Dec 22, 2017 3:21 pm, edited 1 time in total.
 
User avatar
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1658
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.41 [current]

Fri Dec 22, 2017 3:16 pm

macsrwe - Of course. This affects only console so e-mail would work properly in script.
 
dksoft
Member Candidate
Member Candidate
Posts: 153
Joined: Thu Dec 06, 2012 8:56 am
Location: Germany

Re: v6.41 [current]

Fri Dec 22, 2017 4:30 pm

>*) crs326 - fixed packet processing speed on switch chip if individual port link speed differs;
>*) crs326 - improved transmit performance from SFP+ to Ethernet ports;

Sorry, I can not confirm this. Write performance is 105MByte/s, read performance is about 50MByte/s.
It has increased from former versions which was around 20MByte/s. But still far away from full 1GB/s performance.
Flashing back to SwOS 2.3 gives full performance. SwOS 2.4 puts switch in endless reboot loop.
SwOS 2.5 - 2.6 has the same poor performance of about 20MByte/s. SwOS 2.7 is same as RouterOS 6.41.

Tested with Mellanox and Intel NIC.
 
User avatar
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1658
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.41 [current]

Fri Dec 22, 2017 4:36 pm

dksoft - Are you running CRS on SwOS or on RouterOS? If you run RouterOS, are you using device as a switch or you use also router functions, for example, firewall rules?
 
dksoft
Member Candidate
Member Candidate
Posts: 153
Joined: Thu Dec 06, 2012 8:56 am
Location: Germany

Re: v6.41 [current]

Fri Dec 22, 2017 4:38 pm

dksoft - Are you running CRS on SwOS or on RouterOS?
I tried both. RouterOS 6.40 - 6.41, SwOS from 2.3 - 2.7.
Configuration is reset to default after each update. So there are no firewall rules. All ports are switched.
 
th0massin0
Member Candidate
Member Candidate
Posts: 156
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: v6.41 [current]

Fri Dec 22, 2017 4:48 pm

Could somebody tell me how to use vlan in hex v3 properly? By /switch or by /bridge?
 
rajo
newbie
Posts: 45
Joined: Tue Aug 16, 2011 11:12 pm

Re: v6.41 [current]

Fri Dec 22, 2017 6:25 pm

Ran into the following bug with upgrading an RB450 from 6.40.4 to 6.41:

NOTE: It appears I must have had the old configuration of ether2 being master and ether3 to ether5 being slaves
1. I performed the upgrade via the console
2. When the router rebooted, ether1 was stable, but ether2 to ether5 were flapping at least every second.
3. I tried power-cycling and same issue as #2
4. I used my cell phone to login to the router via the Internet and inspected the configuration.
5. I noticed that the upgrade process had converted the master/slave config to bridge config.
6. I couldn't find anything wrong except for the fact that the bridge "protocol-mode" was "none"
7. I changed "protocol-mode" to "rstp"
8. Interfaces stabilized and now everything is working.

You may want to update you migration script so "protocol-mode" IS NOT "none"

Thanks
 
anuser
Long time Member
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.41 [current]

Fri Dec 22, 2017 7:45 pm

This update will convert all interface "master-port" configuration into new bridge configuration, and eliminate "master-port" option as such.
Bridge will handle all Layer2 forwarding and the use of switch-chip (hw-offload) will be automatically turned on based on appropriate conditions.
Hello,
thanks for the update. I use RouterOS for years running CAPSMAN forwarding based wifi controller with dynamic VLAN IDs for one SSID sent by Microsoft NPS. Upgrading that config from 6.40.5 to 6.41 stops traffic for my clients. I don´t know the reason yet. I have to setup another CAPSMAN and test it some time in 2018. But that´s not the question for now.

I would like to know whether I should expect problems when I let my CAPSMAN controller stay at 6.40.5 and upgrade all CAPs to 6.41 (because of the new wireless drivers)?
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.41 [current]

Fri Dec 22, 2017 7:48 pm

Not happy with the conversion...lots of trouble...looking to solve it.

Update:
Despite the promise by support, the bridge was not created and the interfaces (ports) not attached. The DHCP was not moved from previous master to bridge so DHCP. At least it is stable now for a 10 minutes so I can do some more testing and checking.

L2TP+IPSEC with multiple connections is loading up one core and one to 50% and the last two are almost not used.

Update:
It seems to works now as far as I could test it for now and I keep it up and running on 6.41. Thanks for the upgrade and certainly a lot of things are now improved over 6.40.
Last edited by msatter on Fri Dec 22, 2017 8:29 pm, edited 1 time in total.
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: v6.41 [current]

Fri Dec 22, 2017 8:00 pm

Found a first anomaly:
Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.
 
MrYan
Member Candidate
Member Candidate
Posts: 173
Joined: Sat Feb 27, 2010 6:13 pm

Re: v6.41 [current]

Fri Dec 22, 2017 8:08 pm

Upgrade on RB450G went smoothly. Changes to ethernet removing master-port, interface list adding default lists and then neighbour discovery and mac-server to use the lists.
 
sanitycheck
newbie
Posts: 48
Joined: Wed Nov 16, 2011 6:03 am
Location: USA

Re: v6.41 [current]

Fri Dec 22, 2017 8:39 pm

Found a first anomaly:
Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.

I reset the config on a RB952ui-5ac2nd-us to a default setup on bugfix 6.39.3, and then upgraded it to 6.41. I was connected by mac address in Winbox, not IP. After the upgrade the lights were on but I did not see it in the neighbor list in Winbox. I let it set for about an hour just in case it was still upgrading, but it never showed up. I did not try to connect by default ip 192.168.88.1. Power-cycled it instead, and then it showed up on the Winbox list. So I'm not sure if it was down, or just didn't show up on the neighbor list initially.

UPDATE: I repeated those steps on a new unit I had in stock and observed the same thing. I did confirm that the router was still accessible by IP address (default 192.168.88.1 in this case), just not MAC address. I rebooted the system from Winbox and then, like before, it showed up by MAC address in the neighbor list.
Last edited by sanitycheck on Wed Dec 27, 2017 8:09 pm, edited 1 time in total.
 
alexsolovyev
just joined
Posts: 7
Joined: Thu Oct 19, 2017 10:38 pm

Re: v6.41 [current]

Fri Dec 22, 2017 9:53 pm

I wonder if there were any changes between 6.41rc66 and 6.41 release to the multicast package or wireless. I'm watching IPTV over a wireless connection using IGMP Proxy and after the upgrade the image keeps freezing (in about 10 mins after a reboot). No changes to the configuration was made, just the upgrade. Reverting to 6.41rc66 fixes the issue.

Update: it seems to be related to the wireless (checked only 5GHz AC, RouterBOARD 962UiGS-5HacT2HnT) cause it works fine over the ethernet cable. looks like some packets are dropped (Tx is ~7.5 Mbps on bridge and ~5.5 Mbps on wlan).

Update 2: I've found out that the freezes related to a second device connected to the wireless network (iPhone SE). When the phone goes to the sleep mode, IPTV starts freezing. Awakening the phone stops the freezes. Oddly that stated to happen only after upgrade from 6.41rc66 to 6.41
Last edited by alexsolovyev on Sat Dec 23, 2017 11:01 am, edited 2 times in total.
 
blackbox100
newbie
Posts: 48
Joined: Thu Mar 10, 2016 2:20 am

Re: v6.41 [current]

Fri Dec 22, 2017 10:46 pm

still problems with ingress rate limit on crs326, when set to 135m ingress I get around 100m on speedtest.net, on the 200 pieces of crs226 ingress rate works, when set to 135m I get 130m on speedtest.net

but it has improved since 6.40rc66 where when set to 135m I only got around 30m on speedtest.net

funny enough when I try to change the egress or ingress rate limit now on my test crs326 I get this error

"couldn't change switch port <ether18> - vlan mode not supported (6)

so still 6.41 is still buggy, and not ready for use in a normal setup, but hopefully it will soon be ready, because I need to replace 100 x Dlink 48 port switche, with 200 x CRS326 when they are stable and able to work with egress and ingress rate limits and port isolation and port leakage

Have a merry Christmas
 
esaym
just joined
Posts: 8
Joined: Thu Feb 23, 2017 5:44 am

Re: v6.41 [current]

Fri Dec 22, 2017 11:04 pm

For the new bridge implementation, I assume this does not affect the wAP ac access points? Or do they have a hardware switch built in?
 
drbunsen
newbie
Posts: 40
Joined: Fri Apr 29, 2016 7:24 pm

Re: v6.41 [current]

Fri Dec 22, 2017 11:28 pm

 
storp
Frequent Visitor
Frequent Visitor
Posts: 56
Joined: Tue Nov 24, 2015 2:53 pm

Re: v6.41 [current]

Fri Dec 22, 2017 11:55 pm

Upgraded RB2011, hAP, wAP ac, cAP and a RB1100 without issues. But wondering if there is a new way of how I should handle bonding interfaces with vlans? Currently I have two bonding interfaces with two ethernet ports each. On each of the bonds I have severals vlans and the vlans are put on a separate bridge (one bridge per vlan). Is there a new and perhaps smarter way of doing this now?
 
ma678
just joined
Posts: 6
Joined: Tue Aug 29, 2017 7:19 am
Location: Toronto, Canada

Re: v6.41 [current]

Sat Dec 23, 2017 12:21 am

I upgraded my RB750Gr3 from 6.40.5 to 6.41, and now I cannot connect to it via wire or wireless. Did I miss anything here?

Thanks.
 
nightcom
newbie
Posts: 37
Joined: Wed Aug 30, 2017 12:47 am
Location: NL

Re: v6.41 [current]

Sat Dec 23, 2017 1:43 am

RB750Gr3, CRS326 and RB3011 upgraded with no problems (Routerboard firmware also upgraded)
 
skuykend
Member Candidate
Member Candidate
Posts: 274
Joined: Tue Oct 06, 2015 7:28 am

Re: v6.41 [current]

Sat Dec 23, 2017 3:57 am

Upgraded CRS317 to 6.41 from rc61. Seemed to be no problems with its upgrade.

I also have a few RB's and CRS as switches connected to it which I left at 6.40.5.

A little while later my CRS226 @ 6.40.5 stopped responding properly which hasn't happened in years. Traffic wasn't being passed properly and a Winbox connection to it would not show interfaces/etc and would disconnect in a minute or so. Rebooted it before Winbox disconnected me all seems to be fine now.

CRS226 has no bridge configuration, all ports master of Ether1, multiple vlans from the CRS317 handled via switch menu with only one internal management vlan off of ether1.
 
ma678
just joined
Posts: 6
Joined: Tue Aug 29, 2017 7:19 am
Location: Toronto, Canada

Re: v6.41 [current]

Sat Dec 23, 2017 4:48 am

RB750Gr3, CRS326 and RB3011 upgraded with no problems (Routerboard firmware also upgraded)
Were user name or password reverted back to default? I cannot visit via web ui or winbox.

Thanks.
 
biatche
Member Candidate
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.41 [current]

Sat Dec 23, 2017 7:03 am

By upgrading from 6.40.5, will it automatically and intelligently add the correct rules to switch all the switch-related configurations to bridge ones?
 
skuykend
Member Candidate
Member Candidate
Posts: 274
Joined: Tue Oct 06, 2015 7:28 am

Re: v6.41 [current]

Sat Dec 23, 2017 8:42 am

By upgrading from 6.40.5, will it automatically and intelligently add the correct rules to switch all the switch-related configurations to bridge ones?
From what I'm seeing, for most older hardware switch vlan configurations the switch menu and settings are still used. Just the Master-Port changes to bridge setups and the vlan parent interface changes from master-port to the bridge. Sometimes the upgrade has to create a new bridge, sometime it tries to convert old bridges. In my case (overblown for fun home setup) an old bridge on my RB2011 didn't convert cleanly, but most other systems seem to convert fine with hardware acceleration.

My CRS317 which uses the new vlan filtering via bridge menu was already on RC and also upgraded fine.

In total I've updated a CRS317, CRS226, CRS-125-2HnD, RB750GL, CCR1009 (older switch model), a couple WaP AC's and the RB2011.

Only the RB2011 gave me real issues and it seemed to be an invalid configuration issue with a port on the bridge showing "Unknown" bridge. (Was a fairly new configuration so don't know how that happened). Once I restored to previous version, I fixed the issue, upgraded again and everything went well.

I have multiple trunked vlans on most devices and was expecting more issues, so this went surprising well.
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: v6.41 [current]

Sat Dec 23, 2017 8:54 am

How the conversion works when there are two switches in the device and both are in the common bridge? What if there are multiple switch groups within one switch differently bridged with other interfaces?
 
skuykend
Member Candidate
Member Candidate
Posts: 274
Joined: Tue Oct 06, 2015 7:28 am

Re: v6.41 [current]

Sat Dec 23, 2017 9:09 am

How the conversion works when there are two switches in the device and both are in the common bridge? What if there are multiple switch groups within one switch differently bridged with other interfaces?
My RB2011 (I'm using as a switch at the moment) with two switch chips seems to convert and work fine with just one created bridge, all ports show hardware acceleration.

I believe that two groups in the same switch (not counting individually separated ports) will disable hardware acceleration on at least all but one group, forcing all other traffic to flow thru cpu.
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.41 [current]

Sat Dec 23, 2017 11:49 am

How the conversion works when there are two switches in the device and both are in the common bridge? What if there are multiple switch groups within one switch differently bridged with other interfaces?
I have thought of this to and if I may speculate:
The new bridge per say will use hardware offload if possible. Add bridge, add all ports from both switch chips then there would be one of these 3 outcomes.

1. Nothing is hardware assisted software only.
2. Hardware per chip is activated and should be vissible on interface and inter swich chip should be software.
3. Hardware all the way (how that would be possible looking at block design of rb's

Pre 41 with master and slave ports and software bridge, the two master ports made the 2 scenario so why not now....
As per now i recon that 1 is the option and would advocate for a refined implementation towards 2. But if it allready is 2 I lift my hat and say good work MT.
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.41 [current]

Sat Dec 23, 2017 12:53 pm

I Posted this question in the 41RC channel but I did not get an answer:

Now Looking at the released version of 6.41 of RouterOS.

if i set:
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=64

And then look in the switch menu:
The setting is there to and is not reflecting the change. Here there is a change from last rc cli is not outputting the print (winbox does):
[admin@MikroTik] /interface bridge port> /interface ethernet switch port print
Flags: I - invalid 
 #   NAME                 SWITCH                VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID INGRESS-RATE EGRESS-RATE
 0   ether1               switch1                                                           100.0Mbps   250.0Mbps
Winbox switch menu tells me:
Vlanmode=disabled
VlanHeader=leave as is
Default VLAN ID= 0

In RC the cli printed this at print as well but not now.

My questions still are:
Is settings in bridge overriding settings in swith?
Do I need to set both to be sure?
Are there any corner cases where ingres frames with vlan tag would be allowed?
Are there any corner cases when the native untaged vlan would be assumed to be 0 instead of the bridge configured 64
 
nightcom
newbie
Posts: 37
Joined: Wed Aug 30, 2017 12:47 am
Location: NL

Re: v6.41 [current]

Sat Dec 23, 2017 1:03 pm

RB750Gr3, CRS326 and RB3011 upgraded with no problems (Routerboard firmware also upgraded)
Were user name or password reverted back to default? I cannot visit via web ui or winbox.

Thanks.
In my case nothing went to default, just new bridge implemented instead of master-ports. Before upgrade I always reboot unit's (I'm doing it from about a month and I don't have issues at all, before I didn't reboot and sometimes I had issues similar like some people writing on forum,like no IP jus login thru MAC address or i loop etc.), then upgrade to RouterOS I want and after that upgrade Routerboard firmware.
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.41 [current]

Sat Dec 23, 2017 1:14 pm

Upgraded RB2011, hAP, wAP ac, cAP and a RB1100 without issues. But wondering if there is a new way of how I should handle bonding interfaces with vlans? Currently I have two bonding interfaces with two ethernet ports each. On each of the bonds I have severals vlans and the vlans are put on a separate bridge (one bridge per vlan). Is there a new and perhaps smarter way of doing this now?
This is a complex question:
As of now there is NO hardware support for LACP in 6.41 as far as I know. (Bonding without a protocol is bound to give you problem down the road)
That being said bond interface in RouterOS will and have always been software. Using CRS with weak cpu's compared to number of avail interfaces this is a problem.
Using a Router Board ROUTER ie CCR this is less of a problem in this case we often go from l3 to l2 domain and are in cpu anyway, and there are plenty of them in the ccr's.

Looking at your setup The new setup would be One bridge with several Vlan's. Look at the Router Board block diagram how everything is hooked internally to get a picture of what you are trying to do with the hardware if it is att all possible.

Read the text above with an open mind: Software can do in principal anything but depending on the hardware. If it is software the performance is from nothing to something. Depending on what you are trying to do there may be surprises.
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: v6.41 [current]

Sat Dec 23, 2017 2:57 pm

After the conversion on my CCR1009, the DHCP server failed to work if connected to a bridge interface (it worked dough on a single vlan interface). For static IP hosts, everything seemed running normal.
I traced this back to the fact that STP/RSTP was not enabled. After enabling, it worked as expected.
It seems that afterwards, disabling SSTP keeps it running properly.
 
upower3
Member
Member
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: v6.41 [current]

Sat Dec 23, 2017 5:22 pm

It was kind of "wise" to post this version right before holidays, with no support (even in expect of huge problems), with no smooth way of conversion.

Nice done!

(Hope noone set RB to upgrade authomatically?)
 
complex1
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Wed Jan 04, 2017 9:55 pm
Location: NL-NH

Re: v6.41 [current]

Sat Dec 23, 2017 5:36 pm

Just upgrade my RB2011UiAS-2HnD, all went smooth, no issues so far.
 
kivimart
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Thu Oct 10, 2013 3:06 pm

Re: v6.41 [current]

Sat Dec 23, 2017 5:44 pm

No problem here upgraded firmware also.
RB1100ahx2,
ccr1009-8G-1S-1S+, Runs Capsman
RB962UiGS-5HacT2Hnt,
RB750gr3, RB750GL,
RB912UAG-2HPNnD,
CRS12524G-1S.

I love the releases on Friday and big weekends so i can play with the new releases on the weekends and then upgrade customers routers later.

Merry Christmas
 
upower3
Member
Member
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: v6.41 [current]

Sat Dec 23, 2017 5:45 pm

I love the releases on Friday and big weekends so i can play with the new releases on the weekends and then upgrade customers routers later.
Heavily depends on configuration :)
 
Keyko
newbie
Posts: 27
Joined: Sat Dec 23, 2017 6:27 pm

Re: v6.41 [current]

Sat Dec 23, 2017 6:33 pm

Hello!

Updated SXT LTE (3 item) - updated normally, but firmware update 6.41 did not come. There are a couple of other devices out there was an update from 3.41 to 6.41, is this normal?
 
irghost
Member
Member
Posts: 308
Joined: Sun Feb 21, 2016 1:49 pm

Re: v6.41 [current]

Sat Dec 23, 2017 7:42 pm

*) firewall - added "tls-host" firewall matcher;
any documents?
 
User avatar
stmx38
Long time Member
Long time Member
Posts: 650
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: v6.41 [current]

Sat Dec 23, 2017 8:49 pm

Hello!

Home RB951G-2HnD with simple setup was upgraded to 6.41 from 6.40.5.
Bridge1 was created. DHCP server moved to created bridge1. Firmware was upgraded manually to the 6.41 with additional reboot.
All working fine.


Thank you!
 
panosla
just joined
Posts: 22
Joined: Sat Aug 16, 2014 6:47 pm

Re: v6.41 [current]

Sat Dec 23, 2017 9:54 pm

Update to 6.41 bricked my RB750Gr3. In goes into continues boot loop and it is undiscoverable to even perform netinstall. :(
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.41 [current]

Sat Dec 23, 2017 10:39 pm

Mikrotik .. you're kidding me, right ?

How can you release 6.41 ?

The 6.41rc releases are massively unstable.

- CRS317 crash fully on a regular basis with not even access via management console anymore (4 switches, 6 crashes in the last month alone, always on the newest rc release).
- Spanning-tree issues.
- Inconsistant configuration between Atheros and Broadcom based chipset switches.

6.41rc couldn't even be considered beta. How can you make a final release on that basis ?

And yes, I've send bug reports in. Some that have been blatantly ignored, even though they were quite detailed.

/M
 
ma678
just joined
Posts: 6
Joined: Tue Aug 29, 2017 7:19 am
Location: Toronto, Canada

Re: v6.41 [current]

Sat Dec 23, 2017 10:47 pm

False alarm. After powering off/on my router manually, everything works normally.
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.41 [current]

Sat Dec 23, 2017 10:48 pm

Upgraded RB2011, hAP, wAP ac, cAP and a RB1100 without issues. But wondering if there is a new way of how I should handle bonding interfaces with vlans? Currently I have two bonding interfaces with two ethernet ports each. On each of the bonds I have severals vlans and the vlans are put on a separate bridge (one bridge per vlan). Is there a new and perhaps smarter way of doing this now?
......
As of now there is NO hardware support for LACP in 6.41 as far as I know. (Bonding without a protocol is bound to give you problem down the road)

There's is first of all that, which means there's defacto no bonding on the switches. Especially the 300-series (where the RouterOS isn't stable).

And then there's the fact, that we have QinQ (Service-Vlans) on 100 and 200-series switches, but in 300-series it has to be done in software (which isn't stable and the CPU can't handle the traffic).

/M
Last edited by marlow on Sat Dec 23, 2017 10:49 pm, edited 1 time in total.
 
User avatar
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1658
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.41 [current]

Sat Dec 23, 2017 11:03 pm

dksoft, anuser, msatter, alexsolovyev, blackbox100, JimmyNyholm - Please send report to support@mikrotik.com explaining the problem you have and including supout.rif files
rajo - Does the same issue appear if you set bridge mode back to "none"?
panosla - Please note that RouterOS version does not in any way affect Netinstall process. Can you Netinstall any other RouterBOARD just to be sure that configuration is correct and computer is not blocking Netinstall process?
 
mrtester
just joined
Posts: 9
Joined: Sat Dec 23, 2017 11:09 pm

Re: v6.41 [current]

Sat Dec 23, 2017 11:17 pm

Seems funny that you blame Mikrotik for releasing version on Friday like it would be mandatory to upgrade your core routers now.

Ran into some issues after upgrade but that was my mistake. Recommend to read changelog before an upgrade first, got a little bit confused after I upgraded my first router. For me no issues so far. Just that fix for address list timeouts not included in this release yet. When can we expect this Mikrotik?
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.41 [current]

Sat Dec 23, 2017 11:36 pm

Hello!

Updated SXT LTE (3 item) - updated normally, but firmware update 6.41 did not come. There are a couple of other devices out there was an update from 3.41 to 6.41, is this normal?
Mikrotik decided some time during 6.41rc to change the naming scheme for the BIOS updates. So instead of keeping a seperate versioning of the BIOS releases, the BIOS has now the same version number as the RouterOS version under which it was introduced.

Just to make the confusion complete.

/M
 
rajo
newbie
Posts: 45
Joined: Tue Aug 16, 2011 11:12 pm

Re: v6.41 [current]

Sat Dec 23, 2017 11:48 pm

rajo - Does the same issue appear if you set bridge mode back to "none"?
Yes. It flaps, if I set it back to "none." Power-cycling did not help.
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.41 [current]

Sat Dec 23, 2017 11:49 pm

Please send report to support@mikrotik.com explaining the problem you have and including supout.rif files
This is funny !!

Can you please explain, when Mikrotik will amend the CRS3xx releases, so that the supout.rif not gets written to volatile memory, but onto flash instead ?

Because if the switch crashes and you loose all network connectivity, but manage to get access via console (which happens frequently enough). Then generate the supout.rif. Then reboot, to get network connectivity again ... well, the way it's currently your supout.rif then is ... gone.

I've pointed this out in a few tickets during 6.41rc, but it has been ignored so far and that behavior is still present in the 6.41 release.

/M
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.41 [current]

Sun Dec 24, 2017 12:22 am

dksoft, anuser, msatter, alexsolovyev, blackbox100, JimmyNyholm - Please send report to support@mikrotik.com explaining the problem you have and including supout.rif files
rajo - Does the same issue appear if you set bridge mode back to "none"?
panosla - Please note that RouterOS version does not in any way affect Netinstall process. Can you Netinstall any other RouterBOARD just to be sure that configuration is correct and computer is not blocking Netinstall process?
I can bother the support for an answer to my question but I think that is contra productive. If you just answer my question here it will be beneficial for everyone. And the support can then help customers with operational problems instead of my need to understand how it all works now. If we could read about it we would but the information is not there to read.

My Question is formulated out of uncertainty When one window in Winbox tells me A en the other window tells me B and I know this is a new implementation. Are there any corner cases and thus your vision with this new functionality is not clear to us users what settings affect hardware and what settings override other settings and can I guaranty that certain packet is not accepted ingress and that only certain ports are available on egress for that packet. In essens what do I need to configure one or both menus to be safe. I do not have a problem that I'm aware of, but it feels uncertain.

My post from earlier today also noted one change from the RC channel to release channel is that the cli output is omitting the contradicting settings from switch menu but Winbox does not.
I do not think that this version is Release ready out of this uncertainty.

I do recon that the release have great additions to Router Boards without switch chips and for these devices I do not have any questions.

My Questioning comes alone from the fact that i'm running RouterOS on my CRS317-1G-16S+RM's and CRS326-24G-2S+RM's. I bought these to get ONE management sullotion Winbox and CLI of Router OS it fits nice with the CCR's.
Keep up the good work! Thanks and have a Merry Christmas.
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.41 [current]

Sun Dec 24, 2017 12:33 am

Please send report to support@mikrotik.com explaining the problem you have and including supout.rif files
This is funny !!

Can you please explain, when Mikrotik will amend the CRS3xx releases, so that the supout.rif not gets written to volatile memory, but onto flash instead ?

Because if the switch crashes and you loose all network connectivity, but manage to get access via console (which happens frequently enough). Then generate the supout.rif. Then reboot, to get network connectivity again ... well, the way it's currently your supout.rif then is ... gone.

I've pointed this out in a few tickets during 6.41rc, but it has been ignored so far and that behavior is still present in the 6.41 release.

/M
I had this problems too on some of my devices: Alarm led is lit all l2 hardware switching continue but all routeros functions management, serial, routing is stopped until reboot and there is nothing there in the flash but a error in cli saying that kernel panic and unexpected reboot. I will update to this release version and see if the problem comes again.
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.41 [current]

Sun Dec 24, 2017 1:04 am

I had this problems too on some of my devices: Alarm led is lit all l2 hardware switching continue but all routeros functions management, serial, routing is stopped until reboot and there is nothing there in the flash but a error in cli saying that kernel panic and unexpected reboot. I will update to this release version and see if the problem comes again.
I have 10+ CRS317 and 2 CRS326. Of those, I deployed 6 CRS317 in non-critical locations after lab-test.

Of these 6, 4 have crashed in that manner. 2 of them twice. 6.41rc32 all the way up to 6.41rc66. Console provides no output either.

Mikrotik has had no response on that issue.

It's not the only problem I have with the CRS3xx series. Basically, under RouterOS, it's currently a downgrade feature wise from the previous switches. QinQ being a major issue.
Selling a switch, that can't be used as a switch with the current stable version of the firmware is a joke in itself. Probably one of the reason, why they're trying to rush out 6.41. None of the CRS3xx switch-chip features are supported in 6.40.x
This week, I raised an issue with spanning-tree, which went completely unanswered, as they obviously were preparing to release 6.41. The issue is, that it actually degrades previous Mikrotik switches to near unusable in certain mixed environments. In theory, an issue like that would have prevented the release, as such it was ignored.

They are back to trying to fix issues with beta and rc releases, introducing a completely unstable environment. And when customers declare that hardware can't go into production on beta or rc-releases, then they just rename said beta and rc-releases as stable .. be it stable or not.

I'm not far from just wrapping all my CRS3xx series up and either ship them back for a refund OR smash them to bits and send Mikrotik the rubble to Riga.

/M
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: v6.41 [current]

Sun Dec 24, 2017 3:48 am

Upgraded RB2011, hAP, wAP ac, cAP and a RB1100 without issues. But wondering if there is a new way of how I should handle bonding interfaces with vlans? Currently I have two bonding interfaces with two ethernet ports each. On each of the bonds I have severals vlans and the vlans are put on a separate bridge (one bridge per vlan). Is there a new and perhaps smarter way of doing this now?
You can put the VLANs on a single bridge now and configure for each bridge port what VLANs should be allowed/blocked and what VLAN should be untagged and what VLANs should be tagged.
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.41 [current]

Sun Dec 24, 2017 3:52 am

Upgraded RB2011, hAP, wAP ac, cAP and a RB1100 without issues. But wondering if there is a new way of how I should handle bonding interfaces with vlans? Currently I have two bonding interfaces with two ethernet ports each. On each of the bonds I have severals vlans and the vlans are put on a separate bridge (one bridge per vlan). Is there a new and perhaps smarter way of doing this now?
You can put the VLANs on a single bridge now and configure for each bridge port what VLANs should be allowed/blocked and what VLAN should be untagged and what VLANs should be tagged.

The problem is, that it's not quite that easy. To archieve hardware offloading on the older platforms, you still need to configure it the traditional way. It'll be done in software/cpu otherwise.

Hardware offloading using the bridge/vlan setup only works for the Broadcom (and maybe Realtek) chipsets. On the Atheros chipsets, you still have to do the traditional setup in Switch->Vlan also.

/M
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: v6.41 [current]

Sun Dec 24, 2017 4:45 am

The problem is, that it's not quite that easy. To archieve hardware offloading on the older platforms, you still need to configure it the traditional way. It'll be done in software/cpu otherwise.

Hardware offloading using the bridge/vlan setup only works for the Broadcom (and maybe Realtek) chipsets. On the Atheros chipsets, you still have to do the traditional setup in Switch->Vlan also.

/M
He said he was using bonding interfaces, so he doesn't have hardware offloading anyway because of that.

I'm also hoping MikroTik will eventually remove the need for the special "switch" menu on Atheros chips.
 
User avatar
D1M0N
just joined
Posts: 13
Joined: Mon Aug 05, 2013 1:18 am
Location: Ukraine, Rivne
Contact:

Re: v6.41 [current]

Sun Dec 24, 2017 10:53 am

Update RB951G-2HnD from v6.40.5 to v6.41 and update firmware from 3.41 to 6.41 without problem.
In BRIDGE settings ADDED!!! IGMP Snooping !!! and fast forward...
I test it.
THNX MIKROTIK TEAM!
Happy holidays, and Merry Christmas !!!
 
User avatar
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1658
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.41 [current]

Sun Dec 24, 2017 11:02 am

Keyko - This change is mentioed in changelog:
!) routerboot - RouterBOOT version numbering system merged with RouterOS
rajo - In that case definitely send to support two supout files - one generated while mode is none and interfaces are flapping and other when they are not with different settings. Are you sure that they did not flap on old version when mode is set to none? Are you sure that there is no actual loop in your network causing this?
marlow, JimmyNyholm - You can simply generate supout file manually which will be exactly the same thing as autosupout file. Autosupout file is not generated under "/flash" directory on devices with small storage space so storage would not get filled leaving no free memory for other purposes;
marlow - Did you upgrade to 6.41 from rc version? Please note that rc versions are made for testing purposes. Main idea is to create version in a way that 6.40.5 -> 6.41 upgrade works properly.
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.41 [current]

Sun Dec 24, 2017 12:21 pm

dksoft, anuser, msatter, alexsolovyev, blackbox100, JimmyNyholm - Please send report to support@mikrotik.com explaining the problem you have and including supout.rif files
I did that on RC66 and got the reply that those issues would be resolved before final release....it was not and luckily the MAC access worked this time.

I had the feeling then that it would "rushed" out before the end of the year or even sooner and that is why wrote the RC thread "wait till 2018".

I had no problem with my router becoming unresponsive, and have all the files standing by to recover. So I made the plunge and after some manual work I had a working router back.

Other those who have no easy access to their devices I do not envy and hope the won't have stress or worse during Christmas.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Sun Dec 24, 2017 12:41 pm

Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.
For me, neighbor discovery did not work after the upgrade, it had created a new list "discover" containing the interfaces it was active on before upgrade, but the discovery list was empty.
When selecting "all" it worked OK. I set it back to "discover" and rebooted a second time after the upgrade and then the discovery worked OK.
So it is likely something related to the config migration process relative to the reboot. I have done 2 reboots before when upgrading, if only because firmware was upgraded, and in that case it probably works fine.
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.41 [current]

Sun Dec 24, 2017 1:05 pm

marlow, JimmyNyholm - You can simply generate supout file manually which will be exactly the same thing as autosupout file. Autosupout file is not generated under "/flash" directory on devices with small storage space so storage would not get filled leaving no free memory for other purposes;
I'm not talking about autosupout.

I'm talking about manually generated supout files. On the CRS3xx series, these are stored in volatile storage, meaning they're gone after a reboot. And that's very unhelpful, when you need to reboot to get the file off the switch.

/M
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Sun Dec 24, 2017 1:22 pm

Ran into the following bug with upgrading an RB450 from 6.40.4 to 6.41:

NOTE: It appears I must have had the old configuration of ether2 being master and ether3 to ether5 being slaves
1. I performed the upgrade via the console
2. When the router rebooted, ether1 was stable, but ether2 to ether5 were flapping at least every second.
7. I changed "protocol-mode" to "rstp"
8. Interfaces stabilized and now everything is working.

You may want to update you migration script so "protocol-mode" IS NOT "none"
I upgraded my 2011 and watched for this issue but it does not happen here (protocol-mode still is none and everything works OK)
 
User avatar
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1658
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.41 [current]

Sun Dec 24, 2017 2:10 pm

marlow - All you need is correct file name. Instead of "supout.rif" use "flash/supout.rif".

Please keep this topic directly related to 6.41.
 
Valexus
just joined
Posts: 18
Joined: Wed Aug 12, 2015 5:11 pm

Re: v6.41 [current]

Sun Dec 24, 2017 2:20 pm

I upgraded my Test hAP from 6.39.5 to 6.41 and it just works fine! Now i will test the new VLAN aware bridge :D

To all who already upgraded devices in production right before christmas and complain now: This is so stupid!
It's not new that these new versions have issues with existing configurations and there is a Bugfix Channel which works well.
Also if you want better support you should use a different brand with a support contract but then the devices wont be so damn cheap anymore.
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.41 [current]

Sun Dec 24, 2017 3:09 pm

marlow - All you need is correct file name. Instead of "supout.rif" use "flash/supout.rif".

Please keep this topic directly related to 6.41.
This is on topic, as the CRS3xx series only becomes useful in 6.41, if the issues get sorted, that is.

Maybe the default then should be changed for the platforms where "/" is volatile. It's not obvious to the user, until he looses the supout the first time around.

Also, where is the documentation for this, please ? The manual: https://wiki.mikrotik.com/wiki/Manual:S ... utput_File says nothing about, that the default location on some platforms is volatile.

/M
 
User avatar
osc86
Member Candidate
Member Candidate
Posts: 203
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.41 [current]

Sun Dec 24, 2017 4:14 pm

How to correctly add virtual interfaces like eoip tunnels to the bridge?
I tried 2 ways to get this working, without any luck.

1. When I add the tunnel interface as port to the bridge and create vlans on the bridge, the interface never comes up because of constant STP Learning/Discarding. I didn't find a way to disable stp on single ports.
2 If I remove the tunnel interface from the brdige and only add vlan subinterfaces, no traffic is passing through.

There is like no documentation available on how to get this kind of setup working

Edit:
Got it working. Added the vlan of the tunnel as bridge port but set pvid matching vlanid (which doesn't make sense because the traffic coming from / going to this interface should be tagged).
I've noticed an increase of CPU usage by about 5% on my CCR-1009. While it always was at 0-1% in 6.40.5, I now have constant cpu usage of about 6-7% without any traffic on the router. The process causing this is "unclassified" and uses only one cpu.
Last edited by osc86 on Sun Dec 24, 2017 8:04 pm, edited 1 time in total.
 
User avatar
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1658
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.41 [current]

Sun Dec 24, 2017 5:58 pm

Main idea of this topic is to find problems caused in particular release. In this case changes between 6.40.5 and 6.41. If you have problem in 6.41 which was not there in 6.40.5, then please share it on this topic and/or report to support@mikrotik.com. If problem was there already before, then we recommend to create a new forum topic. Unrelated posts confuse other users and discourage from an upgrade.

Supout file generate process has not been changed for years. However, we have updated supout file wiki page and know you can see an example on how to generate supout file on specific folder.
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.41 [current]

Sun Dec 24, 2017 6:06 pm

marlow - All you need is correct file name. Instead of "supout.rif" use "flash/supout.rif".

Please keep this topic directly related to 6.41.
This is on topic, as the CRS3xx series only becomes useful in 6.41, if the issues get sorted, that is.

Maybe the default then should be changed for the platforms where "/" is volatile. It's not obvious to the user, until he looses the supout the first time around.

Also, where is the documentation for this, please ? The manual: https://wiki.mikrotik.com/wiki/Manual:S ... utput_File says nothing about, that the default location on some platforms is volatile.

/M
The default location is also on the 750Gr3 in volatile memory. However you can move it to flash and the file is not that big so that it will fit in the free flash memory.
 
chuky0
newbie
Posts: 26
Joined: Thu Apr 20, 2017 7:49 pm

Re: v6.41 [current]

Sun Dec 24, 2017 7:11 pm

Here's what I got from upgrading, it did not go smoothly. I had to reboot hex several times to get it going. I can't connect to my wapac device at all. Luckicly wifi is still working, I will fix it when I have alot of time to trouble shoot .So far I have trouble shot for hours. rebooting, etc.

ImageCapture by bet-chu, on Flickr
 
Ulypka
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Wed Jan 09, 2013 8:26 am

Re: v6.41 [current]

Sun Dec 24, 2017 10:36 pm

Empty in Upgrade Firmware
Image
 
hapi
Member Candidate
Member Candidate
Posts: 232
Joined: Fri Mar 11, 2011 11:21 am
Location: Czech Republic

Re: v6.41 [current]

Sun Dec 24, 2017 10:48 pm

Image

and several other SXTs.
 
crash9877
just joined
Posts: 6
Joined: Mon Aug 24, 2015 6:20 pm

Re: v6.41 [current]

Sun Dec 24, 2017 11:42 pm

Hi Guyz,

update on my CCR1009-1s-1s+ (older Modell) worked, but i see no bridge. Is this correct?
besides my CRS125-24G-1s worked fine. converted all ports to Bridge.
hAP AC worked although fine.

Regards

crash9877
 
haik01
Member
Member
Posts: 404
Joined: Sat Mar 23, 2013 10:25 am
Location: Netherlands

Re: v6.41 [current]

Mon Dec 25, 2017 12:15 am

Upgraded an "empty" hAP Lite. Upgrade went fine, and after reboot, router was not reachable. Not by MAC not by IP.

I had to reset hardware TWICE, to get it running.

I have 5 different routerboards in production, and I am definitely NOT going to upgrade if these kind of problems can occur. They are all remote sites (some of them 300 km away).
 
User avatar
pietroscherer
Trainer
Trainer
Posts: 170
Joined: Thu Mar 05, 2015 3:05 pm
Location: RS, Brazil
Contact:

Re: v6.41 [current]

Mon Dec 25, 2017 1:11 am

Unable to upgrade using "check for updates" menu, on my hAP-lite. I received a message of no enough space (7,2 MB was necessary and 7,2 was free).
Droping the main package to router worked without problems.

The hAP-lite seems to works fine for now.
 
killersoft
Member Candidate
Member Candidate
Posts: 263
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: v6.41 [current]

Mon Dec 25, 2017 1:39 am

IP Neighbor

Please revert or Alter the NEW functionality of Neighbor discovery.

I use specific Bridges/Interfaces ( A management VLAN segment) that see's all devices, but I also have Client Side Bridges/Vlans/Interfaces. I DO NOT want Clients to SEE Discovery Broadcasts.
Thus I ask you to Revert to previous functionality, or add a Specific interface(s) to allow/dis-allow the discovery broadcasts.

Cheers
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1160
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.41 [current]

Mon Dec 25, 2017 1:48 am

IP Neighbor

Please revert or Alter the NEW functionality of Neighbor discovery.

I use specific Bridges/Interfaces ( A management VLAN segment) that see's all devices, but I also have Client Side Bridges/Vlans/Interfaces. I DO NOT want Clients to SEE Discovery Broadcasts.
Thus I ask you to Revert to previous functionality, or add a Specific interface(s) to allow/dis-allow the discovery broadcasts.

Cheers
This functionality has been moved to interface lists.
By default, after the upgrade a dicover interface list is created with all the interfaces that where enabled for discovery prior to the 6.41 upgrade.
It doesn't always migrate everything properly depending on your configuration, but you can easily edit that interface list and only allow the interfaces you want for neighbor discovery.

Same goes for mac-server (mac winbox & mac-telnet) as well.

It was also mentioned in the changelog
*) discovery - use "/interface list" instead of interface name under neighbor discovery settings;
...
*) mac-server - use "/interface list" instead of interface name under MAC server settings;
 
Frostbyte
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Mon Dec 25, 2017 1:42 am

Re: v6.41 [current]

Mon Dec 25, 2017 1:55 am

I have a question regarding v6.41 and FastPath.

I have 2x hAP AC units.
Each one of them has a CPE, connected on ether1, providing internet access.
Both of the units contain Scripts, Schedulers and Mangle rules to handle Load Balancing and WAN Failover mechanisms.

Since VLANs are used heavily in this setup, all of the interfaces (bar one, which is used for VLAN trunking and communication between the units) are members in Bridges.
FastPath would work flawlessly between interfaces that had master-slave relationships, even though the Firewall was populated with a few rules.

Now that the master-port parameter is gone, I'm forced to use bridges for everything. But if the "Use IP Firewall" option is ON, Bridge Fast Path is deactivated.
If I disable "Use IP Firewall" in Bridge settings, my transfer speed is ~110MB/s, but I can no longer use my Mangle rules for Load Balancing.
If I enable "Use IP Firewall" in Bridge settings, my transfer speed is ~55MB/s, and I can use my Mangle rules for Load Balancing.

Prior v6.41, I could utilize the master-port setting, to achieve the best of both worlds (for some ports) - but now this is impossible.
Does Mikrotik plan to do anything about this?

Also, can you please be more elaborate on the "appropriate conditions" for hw-offload?
Only one of my ports appears to have the "H" flag.
The rest of the ports which are all Bridged with VLANs (access mode) do not appear to utilize hw-offload.
Just for the record, I deleted and re-created those Bridges (with and without involving VLANs) and the "H" flag will still not come up.
 
skuykend
Member Candidate
Member Candidate
Posts: 274
Joined: Tue Oct 06, 2015 7:28 am

Re: v6.41 [current]

Mon Dec 25, 2017 4:30 am

update on my CCR1009-1s-1s+ (older Modell) worked, but i see no bridge. Is this correct?
If you didn't have any of the switch ports set to a Master-port, then this is normal.
 
chuky0
newbie
Posts: 26
Joined: Thu Apr 20, 2017 7:49 pm

Re: v6.41 [current]

Mon Dec 25, 2017 6:19 am

Here's what I got from upgrading, it did not go smoothly. I had to reboot hex several times to get it going. I can't connect to my wapac device at all. Luckicly wifi is still working, I will fix it when I have alot of time to trouble shoot .So far I have trouble shot for hours. rebooting, etc.

ImageCapture by bet-chu, on Flickr
So, ehter1 was still selected in DHCP Client, thats why I didn;t get an IP addy with the update. Logged into hEX to see my v6 wapac address, looged into wapac with v6 address, set DHCP client on bridge and voila.

Stil, no reason why I don't get v6 in ND on my winbox liek in this thread viewtopic.php?f=21&t=118408&p=632361#p632361
 
KBV
Frequent Visitor
Frequent Visitor
Posts: 79
Joined: Mon Nov 10, 2014 7:02 pm

Re: v6.41 [current]

Mon Dec 25, 2017 9:24 am

After upgrading my home RB3011 6.40.5 to 6.41RC/ 6.41.

Then I increased <max-neighbor-entries> to 16384 and the problem disappeared.
But there are only two neighbor devices...
[admin@MikroTik] > /log print
[...]
07:42:02 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:02 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:02 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:04 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:04 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:04 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:04 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:07 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:07 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:07 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries

[admin@MikroTik] > /ip neighbor print
# INTERFACE ADDRESS MAC-ADDRESS IDENTITY VERSION BOARD
0 ether2... 192.168.80.250 00:50:56:AC:6F:C8 MikroTi... 6.41 (s... CHR
1 ether5... 192.168.80.253 4C:5E:0C:53:6B:34 RB951G-... 6.41 (s...RB951G-2HnD

[admin@MikroTik] > /ip settings print
[...]
max-neighbor-entries: 8192

[admin@MikroTik] > /ip neighbor discovery-settings print 
discover-interface-list: discover

[admin@MikroTik] > /interface list member print where list="discover"
Flags: X - disabled, D - dynamic 
 #   LIST                                                                 INTERFACE                                                                
 0   discover                                                             bridge-LAN                                                               
 1   discover                                                             bridge-DMZ  
 
killersoft
Member Candidate
Member Candidate
Posts: 263
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: v6.41 [current]

Mon Dec 25, 2017 10:10 am

Thanks Cha0s. I suspect I have 50+ units to manually fix-up when I go to upgrade in regards to IP Neighbor Discovery
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Mon Dec 25, 2017 11:40 am

After upgrading my home RB3011 6.40.5 to 6.41RC/ 6.41.

Then I increased <max-neighbor-entries> to 16384 and the problem disappeared.
But there are only two neighbor devices...
Isn't max-neighbor-entries about IP ARP table? Check it, not Neighbour Discovery
 
KBV
Frequent Visitor
Frequent Visitor
Posts: 79
Joined: Mon Nov 10, 2014 7:02 pm

Re: v6.41 [current]

Mon Dec 25, 2017 12:07 pm

Isn't max-neighbor-entries about IP ARP table? Check it, not Neighbour Discovery
Now (usually) the ARP table contains 11 entries - 9 LAN and 2 from outside (WAN).
---
[admin@MikroTik] > /ip arp print count-only
11
---
But I can check at the time the problem occurs.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Mon Dec 25, 2017 1:36 pm

Now (usually) the ARP table contains 11 entries - 9 LAN and 2 from outside (WAN).
---
[admin@MikroTik] > /ip arp print count-only
11
---
But I can check at the time the problem occurs.
What is your configuration? How large is your local subnet and is there a default route to some WAN address?
Errors like that can occur when the subnet is large and is being scanned, or when there is no default route and the next hop has "proxy arp" enabled.
In such cases there can be many open ARP requests. (in first case, unresolved ones, and in second case, one for each remote address all with MAC of the next hop)
 
User avatar
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1658
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.41 [current]

Mon Dec 25, 2017 2:41 pm

chuky0 - Can you check if you see router in neighbors when you connect to other router? Main idea is to see if Winbox loader neighbors do not work or problem is also there on RouterOS. If you downgrade router to 6.40.5, then does it appear on neighbors list?
Ulypka, hapi - Sorry for any inconvenience caused. We will fix missing firmware issue in next release.
haik01 - Did you reset with reset button or did you Netinstall device? From which version did you upgrade this device? Reset is always the same so most likely reset process was not properly started on the first attempt.
killersoft - Discovery process does not differ from older versions. In previous versions, you did, for example, set "ether1 discover=yes", but now you simply add interfaces to list on which discovery is enabled.
Frostbyte - Please send supout file to support@mikrotik.com so we can investigate what is going on with you device.
KBV - Most likely device was under some kind of DDoS attack and such problem did suddenly appear. If you can not find a cause of the problem, then generate supout file while you see such warnings in log and send this file to support@mikrotik.com.
 
dancsa
just joined
Posts: 6
Joined: Mon Jul 10, 2017 9:46 pm

Re: v6.41 [current]

Mon Dec 25, 2017 4:16 pm

I can also confirm that unreachable management after upgrade on my home gateway (HEX)

Logged in via winbox using IP address, open therminal

Code: Select all

[admin@MikroTik] /system package update> check-for-updates
channel: current
current-version: 6.40.5
latest-version: 6.41
status: New version is available

[admin@MikroTik] /system package update> download
channel: current
current-version: 6.40.5
latest-version: 6.41
status: Downloaded, please reboot router to upgrade it

[admin@MikroTik] /system package update> /system reboot
After reboot, router works, but I couldn't reach it via IP (winbox, webfig), winbox discovery didn't show it. I didn't bother to get my linux laptop, where it is easier to debug, so i just power cycled the hex, it solved it.
 
KBV
Frequent Visitor
Frequent Visitor
Posts: 79
Joined: Mon Nov 10, 2014 7:02 pm

Re: v6.41 [current]

Mon Dec 25, 2017 4:19 pm

What is your configuration? How large is your local subnet and is there a default route to some WAN address?
Errors like that can occur when the subnet is large and is being scanned, or when there is no default route and the next hop has "proxy arp" enabled.
In such cases there can be many open ARP requests. (in first case, unresolved ones, and in second case, one for each remote address all with MAC of the next hop)
Maybe you are right, but before such an error was not.
I'll have to write a script that checks the log and stores the output of the command <ip arp> on time.

UPD
Or I can create such a <Service check> and <chart> in the Dude... Thanks )
 
Kindis
Member
Member
Posts: 441
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.41 [current]

Mon Dec 25, 2017 7:54 pm

Updated two CHR, a 3011, a 750Gr3, a wAP SC and a 493G. All is fine but I had to restart both 750Gr3 and 3011 several times.
First to get neighborhood to work after firmware and then again a few days after because I noted that FastTrack did not work. Now everything work just fine.
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1160
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.41 [current]

Mon Dec 25, 2017 8:39 pm

Upgraded multiple boards without almost any issues.

RB3011
RB850Gx2
hAP-Lite
mAP-Lite
SEXTANTG
RB433AH
x86

The only issue I had was some IPsec tunnels (manually configured using keys) would keep establish and then disconnect repeatedly.
I couldn't figure out what was causing it. It was happening only on 3 installations (RB850Gx2 and 2 x86). After I used the EoIP IPsec with PSK it worked ok. Didn't have time to troubleshoot further what was the problem in the first place.

Thankfully I didn't encounter any of the more serious issues others have mentioned.
 
panosla
just joined
Posts: 22
Joined: Sat Aug 16, 2014 6:47 pm

Re: v6.41 [current]

Mon Dec 25, 2017 9:21 pm

panosla - Please note that RouterOS version does not in any way affect Netinstall process. Can you Netinstall any other RouterBOARD just to be sure that configuration is correct and computer is not blocking Netinstall process?
Sorry, my bad. I was actually trying to netinstall using ether2 instead of ether1.
Recovered configuration from the export (with changes to fit new bridge implementation) and everything works fine now.
 
haik01
Member
Member
Posts: 404
Joined: Sat Mar 23, 2013 10:25 am
Location: Netherlands

Re: v6.41 [current]

Mon Dec 25, 2017 9:25 pm

Interesting thing:

Updated the following equipment to the latest release 6.41.

I have:

RB2011 as main router
CRS 106-1C-5S (SFP switch)
hAP ac


If I do a neighbour scan from the main router it only finds the CRS and my Cisco AP1142n. It does NOT see the hAP ac.

If I do a neighbour scan from the hAP ac, then I CAN see all the Mikrotik devices (including the Cisco AP).....


Not really bad, but is this a bug? I selected "all interfaces" for discovery.
Last edited by haik01 on Mon Dec 25, 2017 9:37 pm, edited 1 time in total.
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: v6.41 [current]

Mon Dec 25, 2017 9:36 pm

Isn't there any firewall or other setting that prevents visibility of hap?
 
haik01
Member
Member
Posts: 404
Joined: Sat Mar 23, 2013 10:25 am
Location: Netherlands

Re: v6.41 [current]

Mon Dec 25, 2017 9:38 pm

It shouldn't. 5 minutes ago, when the version was 6.39, everything was visible, and worked perfectly. Now after the update.... it does not.


UPDATE: it took some time (more than 5 minutes), but now I see all the equipments.
 
chuky0
newbie
Posts: 26
Joined: Thu Apr 20, 2017 7:49 pm

Re: v6.41 [current]

Tue Dec 26, 2017 12:04 am

chuky0 - Can you check if you see router in neighbors when you connect to other router? Main idea is to see if Winbox loader neighbors do not work or problem is also there on RouterOS. If you downgrade router to 6.40.5, then does it appear on neighbors list?
Thanks for the reply strods, each device can see each other in Neighbor List. Now that I think of it, I started another thread about winbox stopped seeing devices with ipv6 in my Neighbors list when I was on 6.40.5 Maybe this is a winbox bug problem with some kind of Windows 10 update ? I don't want to downgrade to try it out, I'm a little gun shy from the problems I had with this upgrade.

Imagenl by bet-chu, on Flickr
Last edited by chuky0 on Tue Dec 26, 2017 3:43 am, edited 1 time in total.
 
Frostbyte
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Mon Dec 25, 2017 1:42 am

Re: v6.41 [current]

Tue Dec 26, 2017 2:32 am

Frostbyte - Please send supout file to support@mikrotik.com so we can investigate what is going on with you device.
I went ahead and did so, thank you.

It's to my understanding though, that with such a radical change, the whole FastPath mechanism also needs to be reworked.
Right now you have to chose: you'll either have Firewall, or FastPath.. With the master-port setting, we could've had both.
 
User avatar
osc86
Member Candidate
Member Candidate
Posts: 203
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.41 [current]

Tue Dec 26, 2017 5:36 am

Adding or removing vlans in MSTI makes my 1009 unreachable on all interfaces, have to power cycle to regain access.. 100% reproducible
 
KBV
Frequent Visitor
Frequent Visitor
Posts: 79
Joined: Mon Nov 10, 2014 7:02 pm

Re: v6.41 [current]

Tue Dec 26, 2017 9:08 am

Can you explain what it is?
[admin@MikroTik-3011] > /ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters       chain=forward action=passthrough 
 1    chain=output action=drop protocol=icmp out-interface-list=WAN-Zone log=yes log-prefix="" 
 2    chain=input action=drop protocol=icmp in-interface-list=WAN-Zone log=no log-prefix=""

/log print
[...]
13:48:40 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->5.140.18.171, len 199 
13:48:40 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->213.144.15.197, len 151 
13:48:43 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->130.25.184.120, len 159 
13:48:43 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->122.118.192.105, len 157 
13:48:43 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->110.168.174.166, len 154 
13:48:49 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->182.250.46.228, len 162 
13:48:49 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->1.199.255.204, len 118 
13:48:49 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->171.14.115.181, len 160 
13:48:49 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->93.36.189.219, len 118 
13:48:54 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->198.167.140.58, len 148 
13:48:57 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->173.239.236.54, len 157 
13:48:57 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->173.239.236.54, len 157 
This is the log from the router's OUTPUT chain. Where xx.xx.xx.xx is my ip address.
I do not use <Rejection> rules, only DROP.
Maybe Is this the problem with overflow about I wrote above?
Last edited by KBV on Tue Dec 26, 2017 9:29 am, edited 3 times in total.
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1160
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.41 [current]

Tue Dec 26, 2017 9:16 am

These look like replies your router sends to incoming packets to unreachable hosts. The router generates those ICMP packets to inform the sender that the host is unreachable.

https://tools.ietf.org/html/rfc792
ICMP Fields:
   Type
      3
   Code
      0 = net unreachable;
      1 = host unreachable;
      2 = protocol unreachable;
      3 = port unreachable;
      4 = fragmentation needed and DF set;
      5 = source route failed.
 
KBV
Frequent Visitor
Frequent Visitor
Posts: 79
Joined: Mon Nov 10, 2014 7:02 pm

Re: v6.41 [current]

Tue Dec 26, 2017 9:21 am

These look like replies your router sends to incoming packets to unreachable hosts. The router generates those ICMP packets to inform the sender that the host is unreachable.
Yes, I read it.
But I do not use <Rejection> rules.
[admin@MikroTik-3011] > /ip firewall filter print count-only where  action="reject"
0
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: v6.41 [current]

Tue Dec 26, 2017 9:52 am

Maybe your ICMP rule is allowed because it is not denied?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Tue Dec 26, 2017 11:10 am

KBV: please show your full configuration of at least /ip route and /ip firewall
it looks like the ICMP packets have no default route and thus are ARP'ed directly on your WAN interface, just as I suggested above.
maybe you are using some kind of policy routing (marking) that does only work in the forward chain.
 
upower3
Member
Member
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: v6.41 [current]

Tue Dec 26, 2017 3:59 pm

Upgraded RB2011, hAP, wAP ac, cAP and a RB1100 without issues. But wondering if there is a new way of how I should handle bonding interfaces with vlans? Currently I have two bonding interfaces with two ethernet ports each. On each of the bonds I have severals vlans and the vlans are put on a separate bridge (one bridge per vlan). Is there a new and perhaps smarter way of doing this now?
You can put the VLANs on a single bridge now and configure for each bridge port what VLANs should be allowed/blocked and what VLAN should be untagged and what VLANs should be tagged.
It would be nice to have some docs on wiki so we have kind of official howtos. I ask this mainly for I'd like to know the best way (in terms of stability, perfomance, approach, general way of development) from MT's point of view.

Say, if we consider models like 2011, they feature two switch chips (100M and 1G), and connection between them was CPU-only. Before 6.41, when I set up like eth1 as master and eth2-eth5 as slaves and eth6 as another master, eth7-10 as another slaves, I had to connect eth1 and eth 6 to bridge to assign single IP on bridge1. But this way I understand between which ports traffic to be h/w accelerated.

Now (as of new bridge implementation) I can add eth1..eth10 to bridge, turn on "h/w accelerated" checkbox, and it looks like all ports are accelerated. But in reality, traffic will be passed from eth1..eth5 to eth6..eth10 via the same CPU, isn't it? So, interface will mislead me to believe something that's not for real.

This is why I'd really love to see such gotchas in doc on wiki. Please!
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Tue Dec 26, 2017 4:05 pm

It would be nice to have some docs on wiki so we have kind of official howtos.
Here it is: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
Some detail about VLAN and how to convert it: https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
Now (as of new bridge implementation) I can add eth1..eth10 to bridge, turn on "h/w accelerated" checkbox, and it looks like all ports are accelerated. But in reality, traffic will be passed from eth1..eth5 to eth6..eth10 via the same CPU, isn't it? So, interface will mislead me to believe something that's not for real.
As before, you still need to know and understand the block diagram for each router model, as there are other pitfalls like that and there always have been.
 
sup5
Member
Member
Posts: 359
Joined: Sat Jul 10, 2010 12:37 am

Re: v6.41 [current]

Tue Dec 26, 2017 4:09 pm

I think it will be needed to implement pseudo-interfaces in RouterOS.
These pseudo-interfaces will be unremovable and greyed-out interfaces which connect the cpu with the switch-chip.

This way we could:
- monitor the amount of traffic traversing the CPU-port (i.e. to monitor oversubscription of the CPU-port)
- torch the traffic traversing the CPU-port
 
upower3
Member
Member
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: v6.41 [current]

Tue Dec 26, 2017 4:13 pm

I think it will be needed to implement pseudo-interfaces in RouterOS.
These pseudo-interfaces will be unremovable and greyed-out interfaces which connect the cpu with the switch-chip.

This way we could:
- monitor the amount of traffic traversing the CPU-port (i.e. to monitor oversubscription of the CPU-port)
- torch the traffic traversing the CPU-port
Oh, this gonna be great feature! If MT will manage to do that along with visual packet tracer like the one that's there for Cisco ASA...!
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.41 [current]

Tue Dec 26, 2017 4:19 pm

It would be nice to have some docs on wiki so we have kind of official howtos.
Here it is: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
Some detail about VLAN and how to convert it: https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
Now (as of new bridge implementation) I can add eth1..eth10 to bridge, turn on "h/w accelerated" checkbox, and it looks like all ports are accelerated. But in reality, traffic will be passed from eth1..eth5 to eth6..eth10 via the same CPU, isn't it? So, interface will mislead me to believe something that's not for real.
As before, you still need to know and understand the block diagram for each router model, as there are other pitfalls like that and there always have been.


VLan filtering will disable the hardware offloading on older switch chips.

All Vlan-filtering on Atheros chipset based switch-chips (CRS1xx, CRS2xx, 2011, etc.) still has to be configured in the switch menu. Otherwise you end up running fully in CPU.

/M
 
upower3
Member
Member
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: v6.41 [current]

Tue Dec 26, 2017 4:24 pm

It would be nice to have some docs on wiki so we have kind of official howtos.
Here it is: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
Some detail about VLAN and how to convert it: https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
Now (as of new bridge implementation) I can add eth1..eth10 to bridge, turn on "h/w accelerated" checkbox, and it looks like all ports are accelerated. But in reality, traffic will be passed from eth1..eth5 to eth6..eth10 via the same CPU, isn't it? So, interface will mislead me to believe something that's not for real.
As before, you still need to know and understand the block diagram for each router model, as there are other pitfalls like that and there always have been.


VLan filtering will disable the hardware offloading on older switch chips.

All Vlan-filtering on Atheros chipset based switch-chips (CRS1xx, CRS2xx, 2011, etc.) still has to be configured in the switch menu. Otherwise you end up running fully in CPU.

/M
Looks like these recommendations should be listed in newly released manual, so people understand how to use MT devices efficiently. Or we end up with many complaints like "MTs are very slow devices, full of bugs".
 
tesme33
Frequent Visitor
Frequent Visitor
Posts: 67
Joined: Mon May 26, 2014 10:25 pm

Re: v6.41 [current]

Tue Dec 26, 2017 4:26 pm

Hi
6.41 running on hAP Lite, RB2011,RB3011 and CCR1009 (PC) , upgraded from different levels. Sometime multiple reboots required to get the firmware (6.41) also flashed.
As im not using tagging, VLAN or any other fancy features i can only say that WLAN, routing, DHCP, DHCP Server and firewall is working as before. The load also didnt increase.
But on the hAP Lite it is stil somehow the masterport config in use. strange. Probably i need to reset them and start from the beginning.


Yours
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.41 [current]

Tue Dec 26, 2017 4:44 pm

Looks like these recommendations should be listed in newly released manual, so people understand how to use MT devices efficiently. Or we end up with many complaints like "MTs are very slow devices, full of bugs".

Yes they should. And yes, I've pointed that out already. It's not funny to have to pull information out of the support for every glitch you encounter.

The different behavior and configuration of older and newer switch-chips is actually one of the reasons, why I think, that 6.41 wasn't mature for release.

/M
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Tue Dec 26, 2017 6:13 pm

I think it will be needed to implement pseudo-interfaces in RouterOS.
These pseudo-interfaces will be unremovable and greyed-out interfaces which connect the cpu with the switch-chip.

This way we could:
- monitor the amount of traffic traversing the CPU-port (i.e. to monitor oversubscription of the CPU-port)
- torch the traffic traversing the CPU-port
That is the bridge interface itself, isn't it?
At least for bridges where there is only a single connected switch.
 
mszru
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Wed Aug 10, 2016 10:42 am

Re: v6.41 [current]

Tue Dec 26, 2017 6:46 pm

Hi there,

Upgraded hAP ac at home from 6.40.5 to 6.41 with one minor issue - all interfaces in the "discover" list became enabled, however some of them were disabled before. To avoid potential problems with conversion of Master Port configuration, I have added all slave ports to the bridge manually and set Master Port to "none". All other features of RouterOS that I use seem to be working fine (PPTP, SSTP, EoIP tunnels, QueueTrees, Policy Based Routing, etc.)

I also tried to upgrade hAP lite from 6.41rc32 to 6.41, but it failed and I reverted ROS back to 6.41rc32. Here I use new bridge implementation with VLAN-filtering enabled. After the router rebooted on 6.41, it did not reply to every second ping. Winbox disconnected several seconds after establishing connection. Then I reset it twice (using System -> Reset Configuration menu in Winbox and then hardware Reset button), imported configuration file from 6.41rc32, rebooted, but the router was unstable (degrading of transfer speeds, etc.). I will try to upgrade it later more time.
Last edited by mszru on Tue Dec 26, 2017 9:26 pm, edited 1 time in total.
 
sup5
Member
Member
Posts: 359
Joined: Sat Jul 10, 2010 12:37 am

Re: v6.41 [current]

Tue Dec 26, 2017 7:08 pm

I think it will be needed to implement pseudo-interfaces in RouterOS.
These pseudo-interfaces will be unremovable and greyed-out interfaces which connect the cpu with the switch-chip.
[...]
That is the bridge interface itself, isn't it?
At least for bridges where there is only a single connected switch.
I think that the bridge-interface won't be showing correct figures here.
Horizon bridged ports currently are software-bridged, thus any traffic flowing between two horizons of the same bridge will traverse through the CPU-port even though hardware based switching might be technically possible. This traffic won't be counted in the corresponding bridge-interface.

We simply need as much pseudo-interfaces as there are independent links from switch to cpu. These interfaces must be accessible via SNMP just like any other interface for monitoring purposes.
Eg.:
RB3011: four pseudo-interfaces. Each with 1000Mbps bandwidth.
RB1100AHx4: three pseudo-interfaces. Each with 2500Mbps bandwith
This will enable us to monitor oversubscription of individual switch-groups much easier.

Reading the RB3011 & RB1100AHx4 figures of the Ethernet test results easily exhibit, that the CPU has much more capacity than the CPU-ports to the two switch-groups.
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: v6.41 [current]

Tue Dec 26, 2017 8:22 pm

Now (as of new bridge implementation) I can add eth1..eth10 to bridge, turn on "h/w accelerated" checkbox, and it looks like all ports are accelerated. But in reality, traffic will be passed from eth1..eth5 to eth6..eth10 via the same CPU, isn't it? So, interface will mislead me to believe something that's not for real.
The interface doesn't mislead you - if you look at the status tab for each bridge port, it will show you whether hardware offloading is enabled for that port, and, if so, what the port's 'hardware offload group' is. This shows you whether the port is in the hardware offload group 'switch1' or 'switch2' etc. If the hardware offload group for two bridge ports does not match, switching between those two ports is done by software.
Last edited by mducharme on Tue Dec 26, 2017 11:20 pm, edited 1 time in total.
 
haik01
Member
Member
Posts: 404
Joined: Sat Mar 23, 2013 10:25 am
Location: Netherlands

Re: v6.41 [current]

Tue Dec 26, 2017 8:52 pm

Another issue with Routerboard firmware:

In my RB2011 I can see that there is a 6.41 firmware available, and I can install it. After reboot, it works fine.
On another RB2011, the firmware is NOT available. Only 3.41 which is now installed.


The only difference is that my RB2011 is a 2011UAS, and the remote RB2011 (which shows old firmware) is a 2011UiAS.

Is this a normal behaviour?
 
mszru
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Wed Aug 10, 2016 10:42 am

Re: v6.41 [current]

Tue Dec 26, 2017 9:23 pm

The naming style of the new interface lists for MAC Server is kind of weird. I would rather rename "mactel" to "mac-telnet".
 
tekkninja
just joined
Posts: 7
Joined: Thu Oct 26, 2017 6:59 pm

Re: v6.41 [current]

Wed Dec 27, 2017 1:56 am

Updating an AWS instance with an extisting bridge to V6.41 leaves the instance inaccessible. Also Upgrading to V6.41 without a bridge works fine however, creating a bridge after the upgrade with Ether1 with or without HW-Offloading leaves the CHR inaccessible after rebooting.
 
upower3
Member
Member
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: v6.41 [current]

Wed Dec 27, 2017 9:11 am

The interface doesn't mislead you.
Thank you for pointing that, I just forget to check with it.
But as I played with wi-fi routers I noriced I can set 'hw accelerated' checkbox even on wlan (wifi) port in bridge. This is kind of generic approach. I suspect this is due to first version release, and will be changed afterward.
So to say, I'd really like to have a dialog box (maybe even graphical) that'll show up all the groups and links between them at once.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Wed Dec 27, 2017 11:25 am

So to say, I'd really like to have a dialog box (maybe even graphical) that'll show up all the groups and links between them at once.
In winbox you can enable the columns Hw.Offload and Hw.OffloadGroup on the Ports tab of the bridge window and it neatly shows the status in one screen...
 
23q
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Thu Sep 02, 2010 2:54 pm
Location: Ukraine

Re: v6.41 [current]

Wed Dec 27, 2017 2:20 pm

Email tool, multiple attachments bugs??
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.41 [current]

Wed Dec 27, 2017 3:13 pm

What abou 6.39 bugfix? Is it gonna be still bugfix or do you plan make 6.40.5 the new bugfix?
 
rognick
just joined
Posts: 5
Joined: Wed Dec 27, 2017 4:47 pm

Re: v6.41 [current]

Wed Dec 27, 2017 5:18 pm

Hello,
I am on the way to acquiring the RB750Gr3 + wap ac and I am confused if the RB750Gr3 can be configured for IPTV.

Can someone help me to clarify if RB750Gr3 with v6.41 can be configured IPTV and VLAN tagging / untagging?
 
Frostbyte
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Mon Dec 25, 2017 1:42 am

Re: v6.41 [current]

Wed Dec 27, 2017 8:02 pm

Also, can you please be more elaborate on the "appropriate conditions" for hw-offload?
Only one of my ports appears to have the "H" flag.
The rest of the ports which are all Bridged with VLANs (access mode) do not appear to utilize hw-offload.
Just for the record, I deleted and re-created those Bridges (with and without involving VLANs) and the "H" flag will still not come up.
Upon further experimentation, it appears that the hardware-offload will trigger only for the first eligible bridge.

If I disable hw-offload for the ports of bridge0, the "H" flag will move to bridge1's ports.
If I disable hw-offload for the ports of bridge1, the "H" flag will then appear next to the bridge2's ports.. and so on..

Is this intended? Shouldn't hw-offload trigger for all of the eligible bridges and not just one at a given time?
 
andriys
Forum Guru
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.41 [current]

Wed Dec 27, 2017 8:19 pm

Is this intended? Shouldn't hw-offload trigger for all of the eligible bridges and not just one at a given time?
It is likely a hardware limitation. It has never been possible to set more then one port as a master-port on any device with a "small" switch-chip on board.
 
Frostbyte
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Mon Dec 25, 2017 1:42 am

Re: v6.41 [current]

Wed Dec 27, 2017 8:26 pm

Is this intended? Shouldn't hw-offload trigger for all of the eligible bridges and not just one at a given time?
It is likely a hardware limitation. It has never been possible to set more then one port as a master-port on any device with a "small" switch-chip on board.
Uhh, sure.. but having everything in the same Bridge/Master should be a very rare case I reckon. (Unless you're literally using it as an L3 Switch)
Besides, even if you do put them all on the same bridge and try to enable Bridge VLAN Filtering, hw-offload will disable on QCA8337. (according to the documentation)

So, it's a loss-loss.. :(
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.41 [current]

Wed Dec 27, 2017 9:19 pm

Is this intended? Shouldn't hw-offload trigger for all of the eligible bridges and not just one at a given time?
It is likely a hardware limitation. It has never been possible to set more then one port as a master-port on any device with a "small" switch-chip on board.
It was possible on the 100 Mbit/s switch chips (like RB493AH), but not the GBits/s ones that Mikrotik uses.

/M

Sent from my SM-G930F using Tapatalk

 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.41 [current]

Wed Dec 27, 2017 9:43 pm

The problem is that switching "jumps" back&forth between bridges with no possibility to stabilize switch group for some interfaces.
In Master-slave scenario it was possible to assign particular ports to switchng chip for fast transfers. Now you never know when it is hw-offloaded or not.
My tests for 2011:
# dec/27/2017 19:24:10 by RouterOS 6.41
# software id = M14U-3BQP
#
# model = 2011L
# serial number = XXXXXXXXXXXXXXXXXXXXXXXXX
/interface ethernet
set [ find default-name=ether6 ] name=FE6 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether7 ] name=FE7 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether8 ] name=FE8 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether9 ] name=FE9 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether10 ] name=FEA rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether1 ] name=GE1 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] name=GE2 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] name=GE3 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] name=GE4 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] name=GE5 rx-flow-control=auto tx-flow-control=auto
/interface bridge
add fast-forward=no name=BRIDGEFE67 priority=0x8001 protocol-mode=none
add fast-forward=no name=BRIDGEFE89A protocol-mode=none
add admin-mac=D4:CA:6D:33:79:B0 auto-mac=no fast-forward=no igmp-snooping=yes name=BRIDGEGE
/interface bridge port
add bridge=BRIDGEGE interface=GE1
add bridge=BRIDGEGE interface=GE2
add bridge=BRIDGEGE interface=GE3
add bridge=BRIDGEGE interface=GE4
add bridge=BRIDGEGE interface=GE5
add bridge=BRIDGEFE67 interface=FE6
add bridge=BRIDGEFE67 interface=FE7
add bridge=BRIDGEFE89A interface=FE8
add bridge=BRIDGEFE89A interface=FE9
add bridge=BRIDGEFE89A interface=FEA
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=all
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=BRIDGEGE
/ip dns
set allow-remote-requests=yes cache-max-ttl=4h
/ip firewall filter
add action=accept chain=input comment="Accept winbox" dst-port=8291 protocol=tcp
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB2011
/system logging
add prefix=STP: topics=sstp,stp
/system ntp client
set enabled=yes server-dns-names=jp.pool.ntp.org,pl.pool.ntp.org
[admin@RB2011] > 
1. Switch off BRIDGEFE67
2. Switch off BRIDGEFE89A
3. Switch on BRIDGEFE89A back
4. Switch on BRIDGEFE67 back

No guarantee that ports 8,9,A are switched in hardware.
Strange ports information for bridges during hw-offloading changes in steps 1 and 4.
BR_3.PNG
You do not have the required permissions to view the files attached to this post.
 
nightcom
newbie
Posts: 37
Joined: Wed Aug 30, 2017 12:47 am
Location: NL

Re: v6.41 [current]

Wed Dec 27, 2017 10:21 pm

What I notice after update from 6.40.5 to 6.41 is that memory is less stable than it was before. On screen you can see that till Friday device was running on 6.40.5 and after upgrade to 6.41 looks like that now.
I didn't notice any unstable work just this situation with memory and it can be seen only on RB3011
Image
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.41 [current]

Wed Dec 27, 2017 11:42 pm

What I notice after update from 6.40.5 to 6.41 is that memory is less stable than it was before. On screen you can see that till Friday device was running on 6.40.5 and after upgrade to 6.41 looks like that now.
I didn't notice any unstable work just this situation with memory and it can be seen only on RB3011

It's probably just more accurate to measure the memory usage.

/M
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Thu Dec 28, 2017 12:22 am

It could be that some memory used for e.g. the DNS cache is now returned to free when not in use anymore.
From your graph it looks like the flat top of previous usage is about the same as the peaks of the current usage.
On my 2011 there is no such variability, but I do not use its DNS service.
 
WojtusW5
Frequent Visitor
Frequent Visitor
Posts: 94
Joined: Mon Oct 02, 2017 1:25 pm

Re: v6.41 [current]

Thu Dec 28, 2017 7:56 am

Hi,

I have a problem with hw-offload and IGMP Snooping on my CRS109-8G-1S-2HnD I use this function to support IPTV. After selecting a channel on the STB I see in the MDB that the multicast group has been ordered but there is no transmission from it. When I checked the traffic in the torch, I saw that there was no traffic from multicast addresses. However, when I disable hw-offload, leaving IGMP Snooping enabled or vice versa when I leave hw-offload off, disabling IGMP Snooping IPTV works correctly but the documentation says that the CRS series supports both of these options enabled at the same time. Below I am sending the configuration downloaded during the problem. Please help.

[admin@MikroTik] > export
# jan/02/1970 00:56:22 by RouterOS 6.41
# software id = S96Y-XT19
#
# model = CRS109-8G-1S-2HnD
# serial number = 883C0747FDED
/interface bridge
add arp=disabled fast-forward=no igmp-snooping=yes name=bridge1 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether7
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
[admin@MikroTik] >
 
User avatar
zervan
Member
Member
Posts: 329
Joined: Fri Aug 20, 2010 10:43 pm
Location: Slovakia
Contact:

Re: v6.41 [current]

Thu Dec 28, 2017 10:16 am

Is there something changed related to OSPF? I've just upgrade the main router RB1200 and OSPF routes are mostly lost. I've also lost all the VLAN connections :-o I thought it should work after upgrade - at least when I was testing on my home router, OSPF and VLAN were working fine.
Last edited by zervan on Thu Dec 28, 2017 10:40 am, edited 1 time in total.
 
quickes
just joined
Posts: 2
Joined: Thu Dec 28, 2017 9:50 am

Re: v6.41 [current]

Thu Dec 28, 2017 10:17 am

Have bugs with asterisk after update to 6.41 with sip alg.
Sip alg disabled, but dst address changed in ovpn client interface
RESOLVED
Update firmware board and reboot fix this bug
Last edited by quickes on Thu Dec 28, 2017 7:39 pm, edited 1 time in total.
 
Quasar
newbie
Posts: 33
Joined: Sun Oct 05, 2014 1:11 pm

Re: v6.41 [current]

Thu Dec 28, 2017 11:50 am

All Vlan-filtering on Atheros chipset based switch-chips (CRS1xx, CRS2xx, 2011, etc.) still has to be configured in the switch menu. Otherwise you end up running fully in CPU.

/M
And you shouldn't do that either it seems. On RB951G I had a switch chip vlan filter configured with strict checking (mode=secure) on the uplink port.

After upgrading to v6.41 I discovered traffic doesn't flow at all, unless I set mode to anything but secure. It probably conflicts with the new bridge hw offloading code, because if I disable hw offload on the uplink port mode=secure doesn't break things, but frames are duplicated as they leave another bridge port.
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.41 [current]

Thu Dec 28, 2017 6:49 pm

I have a lab with CRS317-1G-16S+ switches in core network as P routers. With L3 Only links routed within the IGP (OSPF). MPLS is enabled and LDP is distributing lables. Only real traffic entering the switch would be mpls not counting ospf that is cpu bound and probably LDP to but the datapath for real traffic should in this case be mpls in and mpls out and if I not reading the release notes as the devil reads the bible this should be possible now....

Question: How do I monitor or Check to se that mpls hardware switching, on otherwise routed L3 interface, is done with the CRS317-1G-16S+ Running this version of RouterOS
 
cheeze
Member Candidate
Member Candidate
Posts: 146
Joined: Tue Jul 31, 2012 7:44 am

Re: v6.41 [current]

Fri Dec 29, 2017 7:48 am

I have a lab with CRS317-1G-16S+ switches in core network as P routers. With L3 Only links routed within the IGP (OSPF). MPLS is enabled and LDP is distributing lables. Only real traffic entering the switch would be mpls not counting ospf that is cpu bound and probably LDP to but the datapath for real traffic should in this case be mpls in and mpls out and if I not reading the release notes as the devil reads the bible this should be possible now....

Question: How do I monitor or Check to se that mpls hardware switching, on otherwise routed L3 interface, is done with the CRS317-1G-16S+ Running this version of RouterOS
Go under MPLS and under Forwarding Table.

You'll notice two counters for the same thing. One is Bytes and Packets, the other is Hw. Bytes and Packets. I believe that's where you'd look.

Also *PLEASE* let me know of your results. I am very interested in seeing this.
 
poizzon
Member Candidate
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: v6.41 [current]

Fri Dec 29, 2017 9:03 am


RouterBOOT booter 3.41

CCR1036-8G-2S+

CPU frequency: 1200 MHz
Memory size: 16384 MiB
NAND size: 1024 MiB

Press any key within 2 seconds to enter setup..
trying bootp protocol............... failed
kernel loading failed

loading kernel... OK
setting up elf image... OK
jumping to kernel code
ERROR: no system package found!
Kernel panic - not syncing: Attempted to kill init!

Starting stack dump of tid 1, pid 1 (init) on cpu 4 at cycle 36896725778
frame 0: 0xfffffff70051f780 dump_stack+0x0/0x20 (sp 0xfffffe41ffdbfc08)
frame 1: 0xfffffff700518718 panic+0x168/0x398 (sp 0xfffffe41ffdbfc08)
frame 2: 0xfffffff700056120 do_exit+0x1c8/0xd48 (sp 0xfffffe41ffdbfcb0)
frame 3: 0xfffffff700056de8 do_group_exit+0xf0/0x1e8 (sp 0xfffffe41ffdbfd78)
frame 4: 0xfffffff700056f00 __wake_up_parent+0x0/0x18 (sp 0xfffffe41ffdbfdb0)
frame 5: 0xfffffff7005204d8 handle_syscall+0x210/0x2d0 (sp 0xfffffe41ffdbfdc0)
<syscall while in user mode>
frame 6: 0x8b778 0x8b778 (sp 0x7fe6fa30)
Stack dump complete
Rebooting in 1 seconds..Resetting chip and restarting.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Fri Dec 29, 2017 9:37 am

poizzon, something went wrong %) Reinstall using NetInstall. For the future, use Partitioning feature, so you reboot into old working image
 
User avatar
zervan
Member
Member
Posts: 329
Joined: Fri Aug 20, 2010 10:43 pm
Location: Slovakia
Contact:

Re: v6.41 [current]

Fri Dec 29, 2017 11:00 am

Is there something changed related to OSPF? I've just upgrade the main router RB1200 and OSPF routes are mostly lost. I've also lost all the VLAN connections :-o I thought it should work after upgrade - at least when I was testing on my home router, OSPF and VLAN were working fine.
The problem with VLAN was because of not ideal upgrade process. Before upgrade there was:
  • ether5 as master switch port;
  • ether1-4 as slave switch ports;
  • VLANs bonded to ether5 as a master;
  • VLANs defined on switch ports;
  • ether5 as a part of bridge-lan.
After upgrade, VLANs left on ether5 which was not master anymore, so they were not working. I had to re-bond VLANs to bridge-lan. I think that upgrade process should do this automatically.

I am still not sure about the problem with OSPF - it started to work when VLANs were fixed, but after reboot of the main router, it was not working. I had to reboot other two routers - neighbours on bridge-lan. Later I had the problem again. I have never experienced such problems before upgrade and I hope it will work fine.
 
upower3
Member
Member
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: v6.41 [current]

Fri Dec 29, 2017 11:05 am

The problem with VLAN was because of not ideal upgrade process. Before upgrade there was:
I definitely suspect the upgrade process and config conversion procedure is something that better be fixed (in a case MT do care for users).
It would be much better to create some kind of web interface where person can copy and paste his/her device config and see converted config (the one that'll be on device after 6.41 upgrade). This would be useful to prove what'll be lost/changed so user will be able to understand the consequences.
 
poizzon
Member Candidate
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: v6.41 [current]

Fri Dec 29, 2017 12:03 pm

I'm trying. But netinstall not working correctly.
In wireshark i see bootp requests, but my netinstall does not respond, didn't show router..
If I use tftpd32 as dhcp server, then in wireshark I see asking for vimlinux file, but netinstall didn't respond to it too.
poizzon, something went wrong %) Reinstall using NetInstall. For the future, use Partitioning feature, so you reboot into old working image
P.s. it seems cable problem was.
 
User avatar
zervan
Member
Member
Posts: 329
Joined: Fri Aug 20, 2010 10:43 pm
Location: Slovakia
Contact:

Re: v6.41 [current]

Fri Dec 29, 2017 2:49 pm

Somebody using CRS112-8G-4S? It is rebooting me each 2 minutes when I turn on IGMP Snooping.
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.41 [current]

Fri Dec 29, 2017 2:51 pm

Go under MPLS and under Forwarding Table.
You'll notice two counters for the same thing. One is Bytes and Packets, the other is Hw. Bytes and Packets. I believe that's where you'd look.
Also *PLEASE* let me know of your results. I am very interested in seeing this.
Here it Goes... YES! It show only L in winbox but CLI says HL.
Winbox shows hardware bytes and hardware packets.

This is beginning to be a very nice game now I think. More testing is Needed though....
 
XaTTa6bl4
just joined
Posts: 18
Joined: Wed Dec 16, 2015 10:53 pm

Re: v6.41 [current]

Fri Dec 29, 2017 3:54 pm

Hello. It seems as a CRITICAL bug in new bridge mode!
I have brand new hAP ac lite, upgraded to 6.41 and resetted to default by /system reset-configuration after it.
[admin@MikroTik] > /system routerboard print   
    routerboard: yes
    board-name: hAP ac lite
    model: RouterBOARD 952Ui-5ac2nD
    serial-number: xxx
    firmware-type: qca9531L
    factory-firmware: 3.36
    current-firmware: 6.41
    upgrade-firmware: 6.41

[admin@MikroTik] > /system resource print 
    uptime: 6m43s
    version: 6.41 (stable)
    build-time: Dec/22/2017 11:55:15
    factory-software: 6.29.1
    free-memory: 42.1MiB
    total-memory: 64.0MiB
    cpu: MIPS 24Kc V7.4
    cpu-count: 1
    cpu-frequency: 650MHz
    cpu-load: 0%
    free-hdd-space: 4.9MiB
    total-hdd-space: 16.0MiB
    write-sect-since-reboot: 73
    write-sect-total: 9834
    bad-blocks: 0%
    architecture-name: mipsbe
    board-name: hAP ac lite
    platform: MikroTik

Then I try to change wan, for example from ether1 to ether3:
/interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                                                  BRIDGE                                                                  HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether2                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 1 I H ;;; defconf
       ether3                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 2 I H ;;; defconf
       ether4                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 3 I H ;;; defconf
       ether5                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 4 I   ;;; defconf
       wlan1                                                                      bridge                                                                  yes    1     0x80         10                 10       none
 5 I   ;;; defconf
       wlan2                                                                      bridge                                                                  yes    1     0x80         10                 10       none

[admin@MikroTik] > /interface bridge port remove [find interface="ether3"]
[admin@MikroTik] > /interface bridge port add bridge=bridge interface=ether1


... it's seems to be OK...
[admin@MikroTik] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                                                  BRIDGE                                                                  HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether2                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 1 I H ;;; defconf
       ether4                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 2 I H ;;; defconf
       ether5                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 3 I   ;;; defconf
       wlan1                                                                      bridge                                                                  yes    1     0x80         10                 10       none
 4 I   ;;; defconf
       wlan2                                                                      bridge                                                                  yes    1     0x80         10                 10       none
 5 I H ether1                                                                     bridge                                                                  yes    1     0x80         10                 10       none

... export is OK too:
[admin@MikroTik] > /interface bridge port export 
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1

Then just reboot:
[admin@MikroTik] > /system reboot 
Reboot, yes? [y/N]: 
y

after reboot ONLY the ether2 in bridge!
[admin@MikroTik] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                                                  BRIDGE                                                                  HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether2                                                                     bridge                                                                  yes    1     0x80         10                 10       none
       
[admin@MikroTik] > /interface bridge port export    
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.41 [current]

Fri Dec 29, 2017 6:25 pm

Hi, anyone any idea why the WebFig of 6.41 behaves different on two identical boards (RouterBOARD 952Ui-5ac2nD)?
At one of them the VLAN Filtering checkbox and the MSTP choice for protocol are present at bridge configuration page, and the VLANs, MSTI etc. tabs are present at the bridge list page as well, where at the other one all this is missing. The related settings can be done in CLI but even that does not make them pop up at WebFig. And a bonus question - which of these two behaviours is the correct one?
Both have been upgraded from 6.40.5.
 
andriys
Forum Guru
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.41 [current]

Fri Dec 29, 2017 7:53 pm

Hi, anyone any idea why the WebFig of 6.41 behaves different on two identical boards (RouterBOARD 952Ui-5ac2nD)?
Very likely a browser cache issue. Have you tried clearing the cache and/or using another browser.
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.41 [current]

Fri Dec 29, 2017 8:19 pm

Bingo, thank you. I haven't given a thought to such possibility as I used the same browser to upgrade both devices at about the same time.
So the bonus answer is that these settings should be available, they are not intentionally hidden.

Yet there is still something rotten about it. In the meantime I've hit another issue, interfaces added from command line in the terminal window of the web interface did not appear in the drop-down lists (for ping, sniffer etc.) on the GUI, and when I've added an IP address to one of them, the interface name was shown as "unknown" in the IP address list on the GUI and when editing the address from there, it was also missing in the drop-down list. Nevertheless these interfaces were shown in GUI's interface list. After clearing the browser cache all this also started behaving normally, an interface added from command line is now visible everyhere in the GUI.

I can imagine that "static" contents of the GUI (menu items, tabs etc.) may have been affected by cached old data, but I don't get how the actual configuration items could be.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: v6.41 [current]

Sat Dec 30, 2017 12:12 am

Re: wireless - log "signal-strength" when successfully connected to AP;

Clients do appear to log the signal strength when they connect to an AP
-however-
NV2 APs do NOT log the the signal strength when a NV2 client connects

It would be nice if NV2 APs could also log the signal strength of connecting NV2 clients

North Idaho Tom Jones
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.41 [current]

Sat Dec 30, 2017 10:29 pm

This time the new bridge implementation again did not work for me and I am back to 6.40.5 after a week using 6.41. I got a substantial speed loss when using the bridge implementation.

L2TP/IPSEC on 6.41 down/up 55/46 and on 6.40.5 it is 75/69 Mbps
Normal connection on 6.41 500/171 and on 6.40.5 it is 500/650 Mbps and that is a loss of almost 500Mbps, so fastracking is clearly not working on upload and I don't know why. Connection tracking is showing an F for fasttracking.

Hoping that Bridge will match the speed of Master/Slave and I will have a new run at it when it is more mature.

update: I noticed running with the bridge the dail-on-demand pppoe was never going to sleep and I had to force an time-out to have change state to "waiting for pakets". Back on 6.40.5 it sleeps again till needed. The pppoe connection was no part of the bridge.
Last edited by msatter on Mon Jan 01, 2018 1:40 am, edited 1 time in total.
 
zycom
just joined
Posts: 1
Joined: Mon Jan 01, 2018 12:39 am

Re: v6.41 [current]

Mon Jan 01, 2018 12:50 am

I have a cc upgraded to 6.41 some how in the process I have deleted the dude folder in the files list can anyone tell me how to add this back? the dude npk file is there but the main folder is missing so it will not work or enable

thanks!!!
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: v6.41 [current]

Mon Jan 01, 2018 7:52 am

I have a cc upgraded to 6.41 some how in the process I have deleted the dude folder in the files list can anyone tell me how to add this back? the dude npk file is there but the main folder is missing so it will not work or enable

thanks!!!
Have you tried to remove "The Dude" completely, restarting and then adding it back again?
 
User avatar
soonwai
Member Candidate
Member Candidate
Posts: 188
Joined: Mon Feb 06, 2012 10:50 pm
Location: Kuala Lumpur

Re: v6.41 [current]

Mon Jan 01, 2018 4:45 pm

Hello,
I am on the way to acquiring the RB750Gr3 + wap ac and I am confused if the RB750Gr3 can be configured for IPTV.

Can someone help me to clarify if RB750Gr3 with v6.41 can be configured IPTV and VLAN tagging / untagging?
Yes, it certainly can. Here's an example configuration for an ISP which uses VLAN 500 for Internet and VLAN 600 for IPTV.
https://wiki.mikrotik.com/wiki/Mikrotik ... ee/soonwai
 
Temorizador
just joined
Posts: 16
Joined: Fri Aug 25, 2017 6:25 am

Re: v6.41 [current]

Mon Jan 01, 2018 5:55 pm

hi people , i've updated the rb2011iN , rb951g ,a haplite and 2 x cap2nd , everything works fine except that in the 951g I need fasttrack and I had to go back (downgrade) to the 6.40.5 only in the rborder ,since I have 300 Mb fiber and without the fastrack so, I got it just 200
I guess they'll fix that soon, until then we'll have to use the 6.40.5 to fastracker the connection :-)

Greetings from Barcelona
_______________________________________________________________________________________
Hola gente , he actulizado un rb2011 ,rb051g un haplite y 2 cap2nd , todo va bien , excepto que en el rb951g necesito fasttrack y he tenido que dongradear a 6.40.5 solo en el router de borde ,ya que tengo 300 megas de fibra y sin el fasttack solo me entraban 200 apenas.
Supongo que fixearan esto pronto, hasta entonces pues usare la 6.40.5 para fastrackear la conexccion en el router de borde :-).

Saludos desde Barcelona
 
Kindis
Member
Member
Posts: 441
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.41 [current]

Mon Jan 01, 2018 6:14 pm

everything works fine except that in the 951g I need fasttrack and I had to go back (downgrade) to the 6.40.5 only in the rborder ,since I have 300 Mb fiber and without the fastrack so, I got it just 200
I guess they'll fix that soon, until then we'll have to use the 6.40.5 to fastracker the connection :-)
FastTrack on both my 750Gr3 and 3011 was not working at upgrade. Upgraded firmware (router boot) to latest and restarted. Still did not work but after yet another restart without any change to ROS or firmware everything started working again. Did you try to upgrade firmware after you went to 6.41 and also restart a third time?
 
Temorizador
just joined
Posts: 16
Joined: Fri Aug 25, 2017 6:25 am

Re: v6.41 [current]

Mon Jan 01, 2018 6:30 pm

everything works fine except that in the 951g I need fasttrack and I had to go back (downgrade) to the 6.40.5 only in the rborder ,since I have 300 Mb fiber and without the fastrack so, I got it just 200
I guess they'll fix that soon, until then we'll have to use the 6.40.5 to fastracker the connection :-)
FastTrack on both my 750Gr3 and 3011 was not working at upgrade. Upgraded firmware (router boot) to latest and restarted. Still did not work but after yet another restart without any change to ROS or firmware everything started working again. Did you try to upgrade firmware after you went to 6.41 and also restart a third time?

No, i dont reset the mikrotik once it has been upgraded,if is this u question . but i delete fastrack from filter rules and rebbor the rb , went create a nuew rule to activate fasttrtack, not work although he told me the packages and the bytes... so I went back to 6.40.5.
But if you confirm that if you reset and configure to hand the configuration, the fastrack work ,I can test it :-)

someone has tried it and it has worked ? it's going well all for you ?
-------------------------------------------------------------------------------
No , no resetee el mikrotik una vez upgradeado , pero si que elimine fastrack de filter rules y reinicie . Luego volvi ha crear la regla de fasttrtack pero seria sin funcionar aunque me augmentaba los paquetes y bytes ...asi que volvi a la 6.40.5.
Pero si me confirmas que si se resetea y se configura a mano desde cero toda la configuracion luego el fastrack funciona, puedo provar :-)

alguien lo ha provado y le ha funcionado , te va todo bien compi ?

___________________________________________________________________________
 
bbs2web
Member Candidate
Member Candidate
Posts: 234
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: v6.41 [current]

Mon Jan 01, 2018 6:50 pm

RouterOS 6.41 does not honor received MSS value in TCP SYN packet. We are subsequently unable to connect to our routers through a VPN connection from our offices.
pe03 --- MPLS --- br01 --- ccr1 --- Linux system running PPTP
Traffic capture on pe03 shows TCP SYN packet arriving with TCP options where MSS is set as 1312 bytes. Replies aren't visible on this router as they are MPLS switched to br01. Reviewing a packet capture on interface facing 'customer' on br01 or upstream interface on ccr1 shows pe03 sending back an ACK with MSS incorrectly set as 1460 bytes.

First packet (SYN) sending correct MSS of 1312 bytes:
Image

Reply acknowledgement from pe03 showing incorrect MSS of 1460 bytes having been set:
Image
 
Kindis
Member
Member
Posts: 441
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.41 [current]

Mon Jan 01, 2018 8:08 pm

everything works fine except that in the 951g I need fasttrack and I had to go back (downgrade) to the 6.40.5 only in the rborder ,since I have 300 Mb fiber and without the fastrack so, I got it just 200
I guess they'll fix that soon, until then we'll have to use the 6.40.5 to fastracker the connection :-)
FastTrack on both my 750Gr3 and 3011 was not working at upgrade. Upgraded firmware (router boot) to latest and restarted. Still did not work but after yet another restart without any change to ROS or firmware everything started working again. Did you try to upgrade firmware after you went to 6.41 and also restart a third time?

No, i dont reset the mikrotik once it has been upgraded,if is this u question . but i delete fastrack from filter rules and rebbor the rb , went create a nuew rule to activate fasttrtack, not work although he told me the packages and the bytes... so I went back to 6.40.5.
But if you confirm that if you reset and configure to hand the configuration, the fastrack work ,I can test it :-)

someone has tried it and it has worked ? it's going well all for you ?
-------------------------------------------------------------------------------
No , no resetee el mikrotik una vez upgradeado , pero si que elimine fastrack de filter rules y reinicie . Luego volvi ha crear la regla de fasttrtack pero seria sin funcionar aunque me augmentaba los paquetes y bytes ...asi que volvi a la 6.40.5.
Pero si me confirmas que si se resetea y se configura a mano desde cero toda la configuracion luego el fastrack funciona, puedo provar :-)

alguien lo ha provado y le ha funcionado , te va todo bien compi ?

___________________________________________________________________________
No I did not reset. After upgrade to 6.41 I upgraded routerboot to latest firmware (also 6.41). Both upgrades includes a reboot. After about a day I noticed that FastTrack did not work on both my 750 and 3011. Did a simple reboot and everything started working again. Nothing more that that solved my issue.
 
andriys
Forum Guru
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.41 [current]

Mon Jan 01, 2018 11:23 pm

Traffic capture on pe03 shows TCP SYN packet arriving with TCP options where MSS is set as 1312 bytes. Replies aren't visible on this router as they are MPLS switched to br01. Reviewing a packet capture on interface facing 'customer' on br01 or upstream interface on ccr1 shows pe03 sending back an ACK with MSS incorrectly set as 1460 bytes.
That's normal and is in accordance with the existing standards. MSS is NOT negotiated, but rather each side of the connection just informs the other side of the connection (by using the MSS TCP option) about the maximum segment size it is able to receive. For each TCP connection different MSS values may be used in each direction of data flow. There's no requirement for the MSS value set by the initiator to be "reflected" by the responder; thus MSS clamping, if required, should be applied in each direction of data flow independently.
 
estdata
Member Candidate
Member Candidate
Posts: 100
Joined: Mon Feb 20, 2012 9:05 pm
Contact:

Re: v6.41 [current]

Tue Jan 02, 2018 12:11 am

I think that version 6.41 mess of the inside of the
I installed a and came out of that system-routerboard > under notice

Warning: the default and the cpu Frenquency
 
Temorizador
just joined
Posts: 16
Joined: Fri Aug 25, 2017 6:25 am

Re: v6.41 [current]

Tue Jan 02, 2018 1:06 am

everything works fine except that in the 951g I need fasttrack and I had to go back (downgrade) to the 6.40.5 only in the rborder ,since I have 300 Mb fiber and without the fastrack so, I got it just 200
I guess they'll fix that soon, until then we'll have to use the 6.40.5 to fastracker the connection :-)
FastTrack on both my 750Gr3 and 3011 was not working at upgrade. Upgraded firmware (router boot) to latest and restarted. Still did not work but after yet another restart without any change to ROS or firmware everything started working again. Did you try to upgrade firmware after you went to 6.41 and also restart a third time?

No, i dont reset the mikrotik once it has been upgraded,if is this u question . but i delete fastrack from filter rules and rebbor the rb , went create a nuew rule to activate fasttrtack, not work although he told me the packages and the bytes... so I went back to 6.40.5.
But if you confirm that if you reset and configure to hand the configuration, the fastrack work ,I can test it :-)

someone has tried it and it has worked ? it's going well all for you ?
-------------------------------------------------------------------------------
No , no resetee el mikrotik una vez upgradeado , pero si que elimine fastrack de filter rules y reinicie . Luego volvi ha crear la regla de fasttrtack pero seria sin funcionar aunque me augmentaba los paquetes y bytes ...asi que volvi a la 6.40.5.
Pero si me confirmas que si se resetea y se configura a mano desde cero toda la configuracion luego el fastrack funciona, puedo provar :-)

alguien lo ha provado y le ha funcionado , te va todo bien compi ?

___________________________________________________________________________
No I did not reset. After upgrade to 6.41 I upgraded routerboot to latest firmware (also 6.41). Both upgrades includes a reboot. After about a day I noticed that FastTrack did not work on both my 750 and 3011. Did a simple reboot and everything started working again. Nothing more that that solved my issue.
Ok ty i dotn undestand to start :-) ,sorry my english , tomorrow to morning i will upgrade try again and i will try as you said, ty for explanation :-) ,

____________________________________________________

Ok gracias, no entendí al principio :-), lo siento por mi ingles , mañana por la mañana upgradeare de nuevo u provare como mehas dicho, gracias por la explicacion :-)
 
Kindis
Member
Member
Posts: 441
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.41 [current]

Tue Jan 02, 2018 1:15 am

everything works fine except that in the 951g I need fasttrack and I had to go back (downgrade) to the 6.40.5 only in the rborder ,since I have 300 Mb fiber and without the fastrack so, I got it just 200
I guess they'll fix that soon, until then we'll have to use the 6.40.5 to fastracker the connection :-)
FastTrack on both my 750Gr3 and 3011 was not working at upgrade. Upgraded firmware (router boot) to latest and restarted. Still did not work but after yet another restart without any change to ROS or firmware everything started working again. Did you try to upgrade firmware after you went to 6.41 and also restart a third time?

No, i dont reset the mikrotik once it has been upgraded,if is this u question . but i delete fastrack from filter rules and rebbor the rb , went create a nuew rule to activate fasttrtack, not work although he told me the packages and the bytes... so I went back to 6.40.5.
But if you confirm that if you reset and configure to hand the configuration, the fastrack work ,I can test it :-)

someone has tried it and it has worked ? it's going well all for you ?
-------------------------------------------------------------------------------
No , no resetee el mikrotik una vez upgradeado , pero si que elimine fastrack de filter rules y reinicie . Luego volvi ha crear la regla de fasttrtack pero seria sin funcionar aunque me augmentaba los paquetes y bytes ...asi que volvi a la 6.40.5.
Pero si me confirmas que si se resetea y se configura a mano desde cero toda la configuracion luego el fastrack funciona, puedo provar :-)

alguien lo ha provado y le ha funcionado , te va todo bien compi ?

___________________________________________________________________________
No I did not reset. After upgrade to 6.41 I upgraded routerboot to latest firmware (also 6.41). Both upgrades includes a reboot. After about a day I noticed that FastTrack did not work on both my 750 and 3011. Did a simple reboot and everything started working again. Nothing more that that solved my issue.
Ok ty i dotn undestand to start :-) ,sorry my english , tomorrow to morning i will upgrade try again and i will try as you said, ty for explanation :-) ,

____________________________________________________

Ok gracias, no entendí al principio :-), lo siento por mi ingles , mañana por la mañana upgradeare de nuevo u provare como mehas dicho, gracias por la explicacion :-)
Good luck. Just remember to upgrade routerboot firmware too after ROS upgrade (system > Router board). After you press upgrade you restart. After this I had to restart again to get FastTrack working.
 
moep
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Mon Jul 02, 2012 2:12 pm

Re: v6.41 [current] IKEv2 vs IKEv1 Problem

Tue Jan 02, 2018 2:22 pm

Hello,

I run multiple IPSec Tunnels from two central sites to remote sites. Inside of the IPSec-tunnel is a IPIP-tunnel to do OSPF via multiple paths.
With v6.41 I tried to switch over the peers to a new IKEv2 enabled peer.

On the main site, I copied the 0.0.0.0/0 peer and changed the exchange mode to IKEv2 and left the rest as it was.
On the remote sites, I switched the existing peer to IKEv2.

All tunnels came up and seemed to be running, but after expiry of the SA (after ~30 Minutes, as configured), the IPIP tunnel experienced a disconnect, which was never there with IKEv1.
This disonnect lasts about 10 seconds. After that, the IPIP-tunnel came back online and OSPF found a neighbor. All this repeats every 30 Minutes for every remote site.
When I change back the exchange-mode to IKEv1, everything works like a charm. No disconnects after 30 Minutes whatsoever.

Is this a (known) bug or do I have to change something at peer or policy level for IKEv2?
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.41 [current]

Tue Jan 02, 2018 4:41 pm

RFC 7296 leaves no space for the behaviour you describe:
SAs should be rekeyed proactively, i.e., the new SA should be established before the old one expires and becomes unusable. Enough time should elapse between the time the new SA is established and the old one becomes unusable so that traffic can be switched over to the new SA.
So to me such behaviour is a clear bug and you should report it to support@mikrotik.com. Maybe, to help narrow the search, before sending the report you should watch the SA list between the 28th and 30th minute to see whether the new SA has already been negotiated - normally (i.e. when IKEv1 is used), a new (pair of) SA is generated 5 minutes before the old one's expiration.
 
User avatar
BlackVS
Member Candidate
Member Candidate
Posts: 175
Joined: Mon Feb 04, 2013 7:00 pm
Contact:

Re: v6.41 [current]

Tue Jan 02, 2018 6:48 pm

Found a first anomaly:
Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.
The same. After disabling-enabling all "discover" list items started to work...
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: v6.41 [current]

Tue Jan 02, 2018 11:03 pm

Found a first anomaly:
Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.
The same. After disabling-enabling all "discover" list items started to work...
A second reboot after the upgrade also fixes this.
 
estdata
Member Candidate
Member Candidate
Posts: 100
Joined: Mon Feb 20, 2012 9:05 pm
Contact:

Re: v6.41 [current]

Tue Jan 02, 2018 11:37 pm

What is problems . I upgrading my routerboard RB2011UAS wireless model. version 6.7 -> 6.41

Please , tell me , What is problems ?`

<img src="https://www.upload.ee/image/7838585/routerboard.png" border="0" alt="routerboard.png" />
https://www.upload.ee/image/7838585/routerboard.png
 
kmok1
newbie
Posts: 43
Joined: Wed Nov 28, 2012 6:49 pm
Location: Windsor ON Canada
Contact:

Re: v6.41 [current]

Tue Jan 02, 2018 11:55 pm

Hello,

I am unsure this has been posted. V6.41 on MIPS-BE devices so far.

1) Reboot upgraded device.
2) Second line in log states ""bridge1" mac address changed to XX" where XX seens to be a randomized MAC address.
3) In / interface bridge print, it shows the bridge's mac address as the first active mac address in the group of ports.

Is this a bug?

Also, in the older devices like RB Groove 5Hn, / system routerboard print shows blank for "upgrade-firmware" while hEX POE shows 6.41.
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.41 [current] IKEv2 vs IKEv1 Problem

Wed Jan 03, 2018 12:05 am


All tunnels came up and seemed to be running, but after expiry of the SA (after ~30 Minutes, as configured), the IPIP tunnel experienced a disconnect, which was never there with IKEv1.
This disonnect lasts about 10 seconds. After that, the IPIP-tunnel came back online and OSPF found a neighbor. All this repeats every 30 Minutes for every remote site.
...
Is this a (known) bug or do I have to change something at peer or policy level for IKEv2?
I've just tested a similar, not identical, setup where an IKEv2 established SA has been replaced by a new one while a single RTP flow was running through it. Instead of your IP-IP tunnel, I am using a "lan-to-lan" (subnet-subnet) IPsec policy. I could see the old and new SA to exist in parallel for a short period of time, yet the RTP flow was completely missing at the output of the IPsec tunnel between sequence numbers 53955 and 54045, i.e. for 90 20-ms packets which is 1800 ms. Bad enough alone, but if the IP-IP tunnel needs some time to re-establish after a failure, it could explain your 10 seconds outage.

Reporting that to support myself.
 
User avatar
ziegenberg
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna
Contact:

Re: v6.41 [current]

Wed Jan 03, 2018 12:11 am

Hello estdata!
What is problems . I upgrading my routerboard RB2011UAS wireless model. version 6.7 -> 6.41

Please , tell me , What is problems ?`

Image
The first message says, that you should reboot your routerboard, so the firmware update can be completed. You should reboot and then we can see, if the other messages are still there.

greetings, Daniel
 
estdata
Member Candidate
Member Candidate
Posts: 100
Joined: Mon Feb 20, 2012 9:05 pm
Contact:

Re: v6.41 [current]

Wed Jan 03, 2018 12:28 am

Hello estdata!
What is problems . I upgrading my routerboard RB2011UAS wireless model. version 6.7 -> 6.41

Please , tell me , What is problems ?`

Image
The first message says, that you should reboot your routerboard, so the firmware update can be completed. You should reboot and then we can see, if the other messages are still there.

greetings, Daniel
Yes, I've done the upgrade and restart have done several times in the
 
xrobau
just joined
Posts: 9
Joined: Wed Jan 03, 2018 4:18 am

Bug in 6.41

Wed Jan 03, 2018 4:24 am

I've noticed two things, but one of them may be actually hardware related.

The first is that ONE of my interfaces is refusing to link at 1gb. Even though it's set to advertise everything, it's not advertising 1gb:

Image

In my efforts to see what the problem is, 'Cable Test' now no longer works. It just says 'Cable OK', and that's it.

Hardware is a RouterBOARD 962UiGS-5HacT2HnT, with upgraded Routerboard Firmware

Image
 
User avatar
zervan
Member
Member
Posts: 329
Joined: Fri Aug 20, 2010 10:43 pm
Location: Slovakia
Contact:

Re: v6.41 [current]

Wed Jan 03, 2018 9:16 am

What is problems . I upgrading my routerboard RB2011UAS wireless model. version 6.7 -> 6.41

Please , tell me , What is problems ?
Set frequency to 600 MHz, uncheck "Protected Routerboot", reboot.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Wed Jan 03, 2018 11:35 am

Re: wireless - log "signal-strength" when successfully connected to AP;

Clients do appear to log the signal strength when they connect to an AP
-however-
NV2 APs do NOT log the the signal strength when a NV2 client connects

It would be nice if NV2 APs could also log the signal strength of connecting NV2 clients
The same thing with CAPsMAN - please add signal strength to its messages also
 
Nuubo
just joined
Posts: 6
Joined: Wed Jan 03, 2018 12:38 pm

Re: v6.41 [current]

Wed Jan 03, 2018 12:44 pm

After upgrading smoothly SSTP VPN is working fine but there is no route to internal LAN.

Until this upgrade everything was running OK, is there any issue or extra configuration to be done with SSTP interface?
 
User avatar
emils
Forum Veteran
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.41 [current] IKEv2 vs IKEv1 Problem

Wed Jan 03, 2018 1:23 pm

Hello,

I run multiple IPSec Tunnels from two central sites to remote sites. Inside of the IPSec-tunnel is a IPIP-tunnel to do OSPF via multiple paths.
With v6.41 I tried to switch over the peers to a new IKEv2 enabled peer.

On the main site, I copied the 0.0.0.0/0 peer and changed the exchange mode to IKEv2 and left the rest as it was.
On the remote sites, I switched the existing peer to IKEv2.

All tunnels came up and seemed to be running, but after expiry of the SA (after ~30 Minutes, as configured), the IPIP tunnel experienced a disconnect, which was never there with IKEv1.
This disonnect lasts about 10 seconds. After that, the IPIP-tunnel came back online and OSPF found a neighbor. All this repeats every 30 Minutes for every remote site.
When I change back the exchange-mode to IKEv1, everything works like a charm. No disconnects after 30 Minutes whatsoever.

Is this a (known) bug or do I have to change something at peer or policy level for IKEv2?
I am unable to reproduce such issue. Could you please send supout.rif files from both main and remote sites to support@mikrotik.com?
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.41 [current]

Wed Jan 03, 2018 2:39 pm

Emils,

just so that several support people don't have to deal with same or similar issue, please check Ticket#2018010322000212.

Pavel
 
Nuubo
just joined
Posts: 6
Joined: Wed Jan 03, 2018 12:38 pm

Re: v6.41 [current]

Wed Jan 03, 2018 4:23 pm

After several tests I found the issue:

VPN fails if VPN network is configured in the same subnet as LAN bridge. I could add VPN profile to bridge but it didn´t work so finally I decided to delete bridge and I did the same configuration I had before bridge (LAN port independent and same subnet as VPN). VPN is working again.

I consider this is a bug, I checked VPN profile configuration and I didn´t find anything that can avoid the VPN function when you connect to the same subnet as internal bridge for several ports.

By the way, why not keeping switch masterport and slave interfaces option as previous RouterOS releases?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7186
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.41 [current]

Wed Jan 03, 2018 4:34 pm

It is a known problem that proxy-arp on bridge do not work after upgrade, You have to set it manually again after upgrade. This problem should be already solved in v6.42rc
 
Nuubo
just joined
Posts: 6
Joined: Wed Jan 03, 2018 12:38 pm

Re: v6.41 [current]

Wed Jan 03, 2018 5:22 pm

Thanks for your answer.
I tried to reconfigure proxy-arp also but it didn´t work even after reboot. I will wait for 6.42 (for the remaining Mikrotik we have)
 
105547111
Member Candidate
Member Candidate
Posts: 135
Joined: Fri Jun 22, 2012 9:46 pm

Re: v6.41 [current]

Wed Jan 03, 2018 8:08 pm

It is a known problem that proxy-arp on bridge do not work after upgrade, You have to set it manually again after upgrade. This problem should be already solved in v6.42rc
Shoudn't this also be included in an upcoming 6.41.1 also?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Wed Jan 03, 2018 10:31 pm

Shoudn't this also be included in an upcoming 6.41.1 also?
It will be, of course
 
105547111
Member Candidate
Member Candidate
Posts: 135
Joined: Fri Jun 22, 2012 9:46 pm

Re: v6.41 [current]

Wed Jan 03, 2018 11:45 pm

I just found in my only 751G doesn't contain a new bootloader version its blank....
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.41 [current]

Thu Jan 04, 2018 12:09 am

I just found in my only 751G doesn't contain a new bootloader version its blank....
viewtopic.php?f=21&t=128915&start=50#p633665

Will be fixed in 6.41.1
*) routerboot - fixed missing upgrade firmware for "ar7240" devices;
 
RLithgo
newbie
Posts: 30
Joined: Mon Dec 12, 2016 12:21 am

Re: v6.41 [current]

Thu Jan 04, 2018 1:56 am

I am currently running 6.38 and don't have any issues. I am a little concerned over the 6.41 upgrade.
Has anyone else gone from 6.38 (or earlier) to 6.41 and if so, was it smooth sailing?
 
5nik
Member Candidate
Member Candidate
Posts: 107
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: v6.41 [current]

Thu Jan 04, 2018 1:59 am

Hello, after upgrade 6.40.5 -> 6.41 on hAP ac IPIP6 tunel interfaces not running. Reset configuration doesn't help.
 
bbs2web
Member Candidate
Member Candidate
Posts: 234
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: v6.41 [current]

Thu Jan 04, 2018 6:34 am

You're right, the actual issue appears to be that RouterOS does not appear to process or honor ICMP 'fragmentation needed' messages. The following capture is on a MPLS speaking 6.41 RouterOS device where MPLS switched packets are not captured and subsequently only shows incoming packets which use Penultimate Hop Popping (PHP):

Image

The above is to validate that ICMP messages arrive correctly at 41.79.22.34. Herewith a packet capture on the MPLS ingress point, showing 41.79.22.34 continuing to send packets with a payload of 1312 bytes after it receives ICMP 'fragmentation needed' messages which indicate that the maximum MTU is 1348 bytes (-40 bytes = 1308 payload):

Image
Traffic capture on pe03 shows TCP SYN packet arriving with TCP options where MSS is set as 1312 bytes. Replies aren't visible on this router as they are MPLS switched to br01. Reviewing a packet capture on interface facing 'customer' on br01 or upstream interface on ccr1 shows pe03 sending back an ACK with MSS incorrectly set as 1460 bytes.
That's normal and is in accordance with the existing standards. MSS is NOT negotiated, but rather each side of the connection just informs the other side of the connection (by using the MSS TCP option) about the maximum segment size it is able to receive. For each TCP connection different MSS values may be used in each direction of data flow. There's no requirement for the MSS value set by the initiator to be "reflected" by the responder; thus MSS clamping, if required, should be applied in each direction of data flow independently.
 
jardap
just joined
Posts: 2
Joined: Thu Jan 04, 2018 10:50 am

Re: v6.41 [current]

Thu Jan 04, 2018 11:07 am

Hello, I've got another issue. After upgrade from v6.40.5 to v6.41 my DUDE server (running on RB1100Dx4) reporting cpu,disk and memory services down on all MK devices. Pls anybody can help me?
Thnx
Jarda

Flag,Time,Message
,Jan/01 22:15:06,syslog: Service disk on CHO51VKAP2 - 172.27.220.251 is now down (down)
,Jan/01 22:15:06,Service disk on CHO51VKAP2 - 172.27.220.251 is now down (down)
,Jan/01 22:15:07,syslog: Service memory on CHO51VKAP2 - 172.27.220.251 is now down (down)
,Jan/01 22:15:07,Service memory on CHO51VKAP2 - 172.27.220.251 is now down (down)
,Jan/01 22:15:23,syslog: Service cpu on CHO51VKAP2 - 172.27.220.251 is now down (down)
,Jan/01 22:15:23,Service cpu on CHO51VKAP2 - 172.27.220.251 is now down (down)
,Jan/01 22:16:37,syslog: Service disk on 172.27.220.253 is now up ()
,Jan/01 22:16:37,Service disk on 172.27.220.253 is now up ()
,Jan/01 22:16:37,syslog: Service disk on MK router - 172.27.220.4 is now down (down)
,Jan/01 22:16:37,Service disk on MK router - 172.27.220.4 is now down (down)
,Jan/01 22:16:40,syslog: Service disk on 172.27.220.254 is now up ()
,Jan/01 22:16:40,Service disk on 172.27.220.254 is now up ()
,Jan/01 22:16:42,syslog: Service memory on CHO51VKAP1 - 172.27.220.250 is now down (down)
,Jan/01 22:16:42,Service memory on CHO51VKAP1 - 172.27.220.250 is now down (down)
,Jan/01 22:16:50,syslog: Service memory on 172.27.220.253 is now up ()
,Jan/01 22:16:50,Service memory on 172.27.220.253 is now up ()
,Jan/01 22:19:07,syslog: Service cpu on 172.27.220.254 is now down (down)
,Jan/01 22:19:07,Service cpu on 172.27.220.254 is now down (down)
,Jan/01 22:19:10,syslog: Service disk on 172.27.220.254 is now down (down)
,Jan/01 22:19:10,Service disk on 172.27.220.254 is now down (down)
,Jan/01 22:19:50,syslog: Service memory on 172.27.220.253 is now down (down)
,Jan/01 22:19:50,Service memory on 172.27.220.253 is now down (down)
 
User avatar
BlackVS
Member Candidate
Member Candidate
Posts: 175
Joined: Mon Feb 04, 2013 7:00 pm
Contact:

Re: v6.41 [current]

Thu Jan 04, 2018 11:15 am

Probably known problem with discovery - do any from listed below:
Found a first anomaly:
Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.
The same. After disabling-enabling all "discover" list items started to work...
A second reboot after the upgrade also fixes this.
Or check firewall rules - may be migrating wasn't smooth and packets blocked by default rules...
 
User avatar
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1658
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.41 [current]

Thu Jan 04, 2018 11:31 am

In order to keep this 6.41 version topic as clean as possible, please before posting a question or problem report, check 6.42rc version changelog. In most cases problems are already resolved:

Note that rc version topic first post is a changelog of first rc version released. Later updates are posted further into topic:
viewtopic.php?f=21&t=129034
viewtopic.php?f=21&t=129034#p634998
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Thu Jan 04, 2018 11:48 am

You're right, the actual issue appears to be that RouterOS does not appear to process or honor ICMP 'fragmentation needed' messages.
That would be correct, it is not the task of the router to act upon these messages, it is the responsibility of the end system to do so. It should only process those messages when they refer to traffic originated from the router itself.
Of course the router must forward the ICMP messages to the correct end system, this is often a problem with tunneling protocols and with too many "Gibson paranoia" firewalls inbetween.
 
raymondr15
Member Candidate
Member Candidate
Posts: 119
Joined: Fri Sep 05, 2014 1:11 am
Location: East London, South Africa
Contact:

Re: v6.41 [current]

Thu Jan 04, 2018 2:07 pm

Hi,

I noticed after upgrading to v6.41 that ether3 & ether5 were showing the exact same TX throughput all the time, I checked bridge settings and played around to see if there was a configuration issue from the upgrade, a saw that ether3's "auto isolate" was disabled, I reenabled it and as soon as I did, I lost all access from any port on the bridge interface, only discovery was working, couldn't even login via winbox mac. After rebooting the router, everything came back up fine??

Whats this about? Bug?
 
rognick
just joined
Posts: 5
Joined: Wed Dec 27, 2017 4:47 pm

Re: v6.41 [current]

Thu Jan 04, 2018 11:48 pm

Hello,
I am on the way to acquiring the RB750Gr3 + wap ac and I am confused if the RB750Gr3 can be configured for IPTV.

Can someone help me to clarify if RB750Gr3 with v6.41 can be configured IPTV and VLAN tagging / untagging?
Yes, it certainly can. Here's an example configuration for an ISP which uses VLAN 500 for Internet and VLAN 600 for IPTV.
https://wiki.mikrotik.com/wiki/Mikrotik ... ee/soonwai

Hey soonwai! So thanks to you, I was able to config my RB750Gr3 :)

I checked and vlan-filtering = yes
at momet everything is ok.
I do not know if it was supposed to work on both bridge to do vlan-filtering

There is a difference between the above example and the new tagging / untagging settings
https://wiki.mikrotik.com/wiki/Manual:I ... s_Ports.29

Thanks!
 
jardap
just joined
Posts: 2
Joined: Thu Jan 04, 2018 10:50 am

Re: v6.41 [current]

Fri Jan 05, 2018 12:15 am

Unfortunately this problem is not mentioned at 6.42rc topic and 6.42rc5 did not resolve my problem. Dude is still getting information about cpu,memory and disk overloading.
In order to keep this 6.41 version topic as clean as possible, please before posting a question or problem report, check 6.42rc version changelog. In most cases problems are already resolved:
 
User avatar
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1658
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.41 [current]

Fri Jan 05, 2018 12:41 am

jardap - have you reported this to support@mikrotik.com with problem description and supout files?
 
pcjc
just joined
Posts: 22
Joined: Wed Aug 02, 2017 4:29 pm

Re: v6.41 [current]

Fri Jan 05, 2018 11:44 am

Just in the process of downgrading back to 6.40.5....

On the RB2011 it doesn't appear possible to create a working bridge (hw offload) config as efficient as the previous software revision, where we could use switch hardware offload on both the 1000M ports and 100M ports - then bridge those switches together with the SFP port.
The additional complexity is that I had a vlan trunk port on the 1000M switch (Business + Guest vlan wifi) - as well as the other untagged (business) ports. The initial 6.41 configuration I had appeared to be working, but with NO hardware offload, and things traversing the 1000M switch (e.g. ping) appeared to get 3x extra duplicate packets received.
 
kor3k
just joined
Posts: 9
Joined: Mon Dec 21, 2015 7:11 pm

Re: v6.41 [current]

Fri Jan 05, 2018 1:04 pm

hello,

have a problem with this release.

we have two CRS-326 connected together through 4 ether ports, both have same configuration:

4 connecting ether ports are bound into a bonding
that bonding is part of a bridge

before upgrade (6.40.5), everything worked fine.
but after upgrade to 6.41, both CRSs start throw "bridge port received packet with own address as source address" error and both freeze up (because of packet storm).

what is wrong? how can i fix it?

kor3k
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.41 [current]

Fri Jan 05, 2018 3:25 pm

https://wiki.mikrotik.com/wiki/Manual:I ... P_Snooping

Reading Wiki and reading Questions here on the Forum. As there is no version setting for IGMP snooping I assume it's on IGMPv2? or is it IGMPv3? It can't be IGMPv1 still?

As you se the Confusion is obvious and there is a ton of other stuff to think about when talking multicast that is not obvious at first.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.41 [current]

Fri Jan 05, 2018 6:01 pm

..."bridge port received packet with own address as source address"
You have two routes/interfaces for packets received by this bridge.
I have noticed something similar configuring CAPSMAN with CAP's device WiFi interface assigned staticaly to "locally-forwarded" CAP's bridge in CAP device and virtually created in CAPSMAN and included in CAPSMAN's bridge.
 
kor3k
just joined
Posts: 9
Joined: Mon Dec 21, 2015 7:11 pm

Re: v6.41 [current]

Fri Jan 05, 2018 6:52 pm

..."bridge port received packet with own address as source address"
You have two routes/interfaces for packets received by this bridge.
I have noticed something similar configuring CAPSMAN with CAP's device WiFi interface assigned staticaly to "locally-forwarded" CAP's bridge in CAP device and virtually created in CAPSMAN and included in CAPSMAN's bridge.
thanks for pointing this out.

actually, we are using capsman in our network.
and i think in the same setup as you describe.

each CAP's wlan is "locally-forwarded" into CAP's bridge, but each wlan also has 2 VirtualAPs, which are "capsman-forwarded" into CAPSMAN's bridge.
and these two CRS-326 with bonding are in the middle of the network (backbone switches), but they are not caps managers.
the whole network is bridged.

how did you solve the issue? do you know why this is happening? seems like a bug to me.
 
bbs2web
Member Candidate
Member Candidate
Posts: 234
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: v6.41 [current]

Fri Jan 05, 2018 10:28 pm

Seeing that I am connecting to this router, it would subsequently confirm that RouterOS does not honour ICMP fragmentation needed messages.

ie: I connect via Winbox or SSH (port 2200), initial packets go back and forth until a payload exceeds the remote VPN MTU. ICMP 'fragmentation needed' message is received by RouterOS, which contains maximum MTU, so RouterOS should fragment at that boundary, instead of continuing with original MSS received during TCP establishment...
You're right, the actual issue appears to be that RouterOS does not appear to process or honor ICMP 'fragmentation needed' messages.
That would be correct, it is not the task of the router to act upon these messages, it is the responsibility of the end system to do so. It should only process those messages when they refer to traffic originated from the router itself.
Of course the router must forward the ICMP messages to the correct end system, this is often a problem with tunneling protocols and with too many "Gibson paranoia" firewalls inbetween.
 
YeOldeSwitcheroo
just joined
Posts: 1
Joined: Fri Jan 05, 2018 9:53 pm

Re: v6.41 [current]

Sat Jan 06, 2018 12:53 am

Could you please disable HW offloading when bridge filter rules are added?

The problem is that they're incompatible with each other (at least it seems that way). I just bought a hEX, set it to bridge mode (which enables HW offloading for all those ports, because the hEX board supports it) and then added a filter that drops UDP packets to port 67 & 68 (DHCP).

The counters for the filter increase, but they have zero effect. All those packets are still forwarded, regardless of chain. Disabling HW offloading and leaving only rules for the forward chain has the desired effect.
 
skuykend
Member Candidate
Member Candidate
Posts: 274
Joined: Tue Oct 06, 2015 7:28 am

Re: v6.41 [current]

Sat Jan 06, 2018 2:07 am

Just in the process of downgrading back to 6.40.5....

On the RB2011 it doesn't appear possible to create a working bridge (hw offload) config as efficient as the previous software revision, where we could use switch hardware offload on both the 1000M ports and 100M ports - then bridge those switches together with the SFP port.
The additional complexity is that I had a vlan trunk port on the 1000M switch (Business + Guest vlan wifi) - as well as the other untagged (business) ports. The initial 6.41 configuration I had appeared to be working, but with NO hardware offload, and things traversing the 1000M switch (e.g. ping) appeared to get 3x extra duplicate packets received.
I'm using all ports on my RB2011 as a switch with vlans (tagged and untagged) and am getting HW offloading and not seeing any duplicate packets. I posted my config in this thread: viewtopic.php?f=2&t=129057&p=634278#p634278
 
linux25
just joined
Posts: 5
Joined: Sat Apr 29, 2017 4:09 pm

Re: v6.41 [current]

Sat Jan 06, 2018 4:13 am

This is for mikrotik, you disappointed me with your product and updates, i have problems with flapping eth, your updates worse my problem, is not for my cable connection, your product sucks, i don't buy ever again your product.
I tell you friends, don't go in roads with mikrotik. Good luck.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.41 [current]

Sun Jan 07, 2018 9:58 pm

....how did you solve the issue? do you know why this is happening? seems like a bug to me.
If you configure "Local forwarding" in CAP then you HAVE TO remove WiFi interfaces from bridge you are dynamically assigning them to.
As you see on pictures all WLAN interfaces are "D" = dynamically added.
You also have to not assign them to any bridge on CAPSMAN as the traffic is already sent to local bridge so assigning WIFI interface in CAPSMAN sends the second packet to bridge on CAPSMAN and then you have two same packets in the LAN.
BR_LFD.PNG
You do not have the required permissions to view the files attached to this post.
 
kor3k
just joined
Posts: 9
Joined: Mon Dec 21, 2015 7:11 pm

Re: v6.41 [current]

Mon Jan 08, 2018 12:00 am

BartoszP, thank you. but i have found out today that capsman is not the cause of the problem.
we have all wlans and virtualAPs as dynamic bridge ports on capsman and all caps.

i have two CRS-326 connected through ether2-3.
on both i reset config and disable all interfaces except for ether1-3, then create a bonding on ether2-3 and a bridge.

bonding1
- ether2
- ether3

bridge1
- bonding1
- ether1

this starts throwing "bridge port received packet with own address as source address" error on the one with the root bridge.
when i remove the bonding from the bridge on either side, it stops.

we are using bondings on different models too (RB2011,CRS125,CCR1036) and they are working fine, only CRS-326 have these symptoms.
 
pcjc
just joined
Posts: 22
Joined: Wed Aug 02, 2017 4:29 pm

Re: v6.41 [current]

Mon Jan 08, 2018 2:02 am

I'm using all ports on my RB2011 as a switch with vlans (tagged and untagged) and am getting HW offloading and not seeing any duplicate packets. I posted my config in this thread: viewtopic.php?f=2&t=129057&p=634278#p634278
[/quote]

My 6.41 configuration (before I downgraded) looked fairly similar to yours, and was (almost) what the upgrade gave me when migrating 6.40.5 -> 6.41 (had to make a few tweaks for things which weren't well converted). If I get a chance to try again, I'll see if I can reproduce the problem on 6.41 again.
One thing I tried (but could not do), was to create a bridge for each switch chip (with auto hardware off-load), and then create a bridge to join those hardware groups and the SFP interface. This didn't work, since the Mikrotik software won't allow adding the "child" bridges (e.g. HW offload to the switch chip CPU ports) into the "parent" bridge). I'm not sure I prefer the new method of configuring switches / bridges. As a HW guy, I'm quite happy with being aware of the underlying hardware configuration with the switch chips etc.. (although the "master port" terminology not that helpful - since really it is the switch cpu port interface being bridged by the software).
 
F1le
newbie
Posts: 29
Joined: Tue Nov 21, 2017 1:35 am

Re: v6.41 [current]

Mon Jan 08, 2018 3:03 am

First thing which happened after upgrade to 6.41 from 6.40.5 was all the time SFP connection drop. I have to go to the router unplug it and plug it again. Running on :

RB962UIGS 5HACT2HNT HAP AC

During 4h after upgrade it happened twice till now. On 6.40.5 it was running rock solid on SFP.
 
User avatar
frank333
Member
Member
Posts: 333
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: v6.41 [current]

Mon Jan 08, 2018 8:54 pm

Simple queues do not work, or the way in which they are written has changed.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Tue Jan 09, 2018 10:43 am

Simple queues do not work, or the way in which they are written has changed.
Changed compared to what?
 
User avatar
frank333
Member
Member
Posts: 333
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: v6.41 [current]

Tue Jan 09, 2018 12:14 pm

Hi, Chupaka, compared to the previous version 6.40.5.
I also have problems with PPPoE Client, every time the ISP changes ip I have to use the backup file, because the only reboot leaves the connection active but not working.
All I have to do is to downgrade to 6.40.5.
 
scampbell
Trainer
Trainer
Posts: 487
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ
Contact:

Re: v6.41 [current]

Tue Jan 09, 2018 9:19 pm

I have upgraded a CRS125, wAP AC and RB751U all to 6.41 on the same network.

All devices upgraded OK and are working but only two devices showed the new 6.41 Routerboard F/W. The RB751U interestingly shows a blank where you would expect to see the new F/W (6.41). Is this a limtitation of the older hardware or a bug I wonder ?

(Tried rebooting the RB751U and no change either under Winbox or CLI).
RoS6.41-rb751U.PNG
You do not have the required permissions to view the files attached to this post.
 
mszru
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Wed Aug 10, 2016 10:42 am

Re: v6.41 [current]

Tue Jan 09, 2018 10:05 pm

The RB751U interestingly shows a blank where you would expect to see the new F/W (6.41). Is this a limtitation of the older hardware or a bug I wonder ?

It was reported earlier in this topic and already fixed in 6.42rc.
 
tkgit
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Sun Dec 23, 2012 8:32 am
Location: Dunedin, NZ
Contact:

Re: v6.41 [current]

Wed Jan 10, 2018 7:01 am

Limited troughput between RB951G & RB751u2HnD,
I use cat5e cable and as seen in the pict it's 100Mbps FD link,
Image
Image
I tried to connect my laptop to RB951(connected to ONT-UFB) then did BW speed test and the result is same
http://pic.nperf.com/r/224638898-QnI4M7V4.png
eventhough when I tried direct connect from ONT-UFB to my laptop the result is
http://pic.nperf.com/r/224477017-k6qrDvc7.png

any comment? what should I do/
 
User avatar
kometchtech
Member Candidate
Member Candidate
Posts: 194
Joined: Sat Jun 15, 2013 4:25 am
Location: Japan
Contact:

Re: v6.41 [current]

Wed Jan 10, 2018 7:28 am

Limited troughput between RB951G & RB751u2HnD,
I use cat5e cable and as seen in the pict it's 100Mbps FD link,
Image
Image
I tried to connect my laptop to RB951(connected to ONT-UFB) then did BW speed test and the result is same
http://pic.nperf.com/r/224638898-QnI4M7V4.png
eventhough when I tried direct connect from ONT-UFB to my laptop the result is
http://pic.nperf.com/r/224477017-k6qrDvc7.png

any comment? what should I do/
It seems that the CPU usage rate of RB751u2HnD is 100%, but are you using functions such as FW?
If that is the case, I think that it is better to use the profile etc. to see which function is used.
 
tkgit
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Sun Dec 23, 2012 8:32 am
Location: Dunedin, NZ
Contact:

Re: v6.41 [current]

Wed Jan 10, 2018 7:39 am

Limited troughput between RB951G & RB751u2HnD,
I use cat5e cable and as seen in the pict it's 100Mbps FD link,
Image
Image
I tried to connect my laptop to RB951(connected to ONT-UFB) then did BW speed test and the result is same
http://pic.nperf.com/r/224638898-QnI4M7V4.png
eventhough when I tried direct connect from ONT-UFB to my laptop the result is
http://pic.nperf.com/r/224477017-k6qrDvc7.png

any comment? what should I do/
It seems that the CPU usage rate of RB751u2HnD is 100%, but are you using functions such as FW?
If that is the case, I think that it is better to use the profile etc. to see which function is used.
tried again
Image
 
maxpower
newbie
Posts: 29
Joined: Fri Dec 05, 2014 4:45 pm

Re: v6.41 [current]

Wed Jan 10, 2018 12:32 pm

Previously there were 2 possible ways to implement VLAN functionality:
1) Via the switch chip VLAN functionality which was 100% hardware (switch > vlan)
2) Via the CPU functionality which was 100% software (create multiple bridges for each VLAN (untagged ports), and one bridge for tagged ports)

Solution 1 was not very useful if device have 2 separate switch chips.

What changed now with hardware offload?
 
User avatar
Steveocee
Forum Guru
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: v6.41 [current]

Wed Jan 10, 2018 1:35 pm

Just want to say good job on the HW offload functions. I managed to get this onto my "old" RB750 which sits on my desk at work and the offload makes a huge difference from 1 interface to another so hopefully this amazing performance increase scales up to far larger switches. CPU usage was also down from 98% to 2-3% whilst running tests.

Imagehwoffloadtest by Steve Carter, on Flickr
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1768
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: v6.41 [current]

Wed Jan 10, 2018 2:05 pm

Just want to say good job on the HW offload functions. I managed to get this onto my "old" RB750 which sits on my desk at work and the offload makes a huge difference from 1 interface to another so hopefully this amazing performance increase scales up to far larger switches. CPU usage was also down from 98% to 2-3% whilst running tests.
Yes, sometimes good features simply needs to be forced upon you,
This functionality was there for 7+ years, simply instead of bridge you needed to use "master-port" option in interface settings.
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: v6.41 [current]

Wed Jan 10, 2018 4:23 pm

Even though I believe this is good for most of the users, I do not understand well why I should loose the straightforward way of organising switches and bridges as I want. But I am also preparing to give a try...
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Wed Jan 10, 2018 4:37 pm

Even though I believe this is good for most of the users, I do not understand well why I should loose the straightforward way of organising switches and bridges as I want.
The reason it was done (I think) is to allow standards like RSTP and IGMP snooping to work in both bridge and switch.
And it should also make things a little bit clearer.
However, I agree that everything that was previously done (and allowed) in switch configuration should be migrated to bridge in such a way that the original switch menu can be completely deleted.
As it is now, it is confusing. I have VLAN configuration on my switches and it has to be migrated to bridge without losing hardware acceleration. As of now this does not work, so switch config remains necessary.
 
User avatar
Steveocee
Forum Guru
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: v6.41 [current]

Wed Jan 10, 2018 7:04 pm

Just want to say good job on the HW offload functions. I managed to get this onto my "old" RB750 which sits on my desk at work and the offload makes a huge difference from 1 interface to another so hopefully this amazing performance increase scales up to far larger switches. CPU usage was also down from 98% to 2-3% whilst running tests.
Yes, sometimes good features simply needs to be forced upon you,
This functionality was there for 7+ years, simply instead of bridge you needed to use "master-port" option in interface settings.
It is a clean, easy to use implementation of something that was although working, clunky. The option to "add all" to bridge is also brilliant, a real step forwards in user friendliness.
 
thobias
newbie
Posts: 26
Joined: Thu Nov 30, 2017 8:45 pm

Re: v6.41 [current]

Thu Jan 11, 2018 1:04 pm

*) ipsec - allow to specify "remote-peer" address as DNS name;
How can I use this to set up a site to site vpn tunnel with dynamic ip in one end?
I can't seem to set DNS-name as SA-address in ipsec->policy.
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.41 [current]

Thu Jan 11, 2018 1:36 pm

You cannot set a dns name as sa-dst-address in a manually configured IPsec policy. The feature can be used with mode-config peers, i.e. the "vpn clients" which generate policy dynamically based on the information received from the peer. It is possible to associate an address pool of more than a single address to a user name, so when this user establishes an IPsec connection, it gets the whole subnet via mode-config, and it generates the policy dynamically, based on this subnet. In this case, the generated policy sets the current IP address of the peer as sa-dst-address.
 
Dalo
just joined
Posts: 5
Joined: Thu Jan 11, 2018 11:14 pm

Re: v6.41 [current]

Thu Jan 11, 2018 11:32 pm

I have updated the following boards to 6.41 RB750GR3, RB960PGS, RB3011 and CRS112-8G. All of them were successfully provisioned to this new version with no issues. Specially for the CRS112 I noticed a huge improvement in the throughput speed as a simple switch (no IP.Firewall), with 6.40.5 I usually got +-400Mbps, once the update to 6.41 now the clients can reach +-850Mbps as a bridge, hw offload, IGMP Snooping and Fast Forward. Certainly for my application, this update is working brilliant.
 
AlexanderMartynenko
just joined
Posts: 1
Joined: Fri Jan 12, 2018 9:38 am

Re: v6.41 [current]

Fri Jan 12, 2018 9:41 am

Hi Guys,
After update to 6.41 Router OS I have a problem with EoIP tunnel. On PH2 State it shows - no phase 2 - status.
Is any ideas how to fix it?
 
MartinT
newbie
Posts: 26
Joined: Wed Jul 22, 2009 1:28 am
Location: CZ

Re: v6.41 [current]

Fri Jan 12, 2018 2:16 pm

*) ospf - fixed OSPF v2 and v3 neighbor election;

Could anybody from Mikrotik explain more this fix ? From which version it is broken and which network-type are afected ? Thanks.
 
akliouev
just joined
Posts: 16
Joined: Wed Dec 25, 2013 9:24 am

Re: v6.41 [current]

Fri Jan 12, 2018 4:28 pm

It appears that running both a L2TP and an OVPN server is impossible on a HAP ac
When enabling OVPN established L2TP sessions are getting kicked out and new sessions are failing to establish. It looks like enabling OVPN just shuts down or filters out L2TP trafic
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.41 [current]

Fri Jan 12, 2018 6:24 pm

Can someone explain why eoip interface has a l2mtu setting of 65535 in this version and not changeble.

If I do bridging it is this value that is the max l2 recieved right? and it sould after adding headers fragment if outgoing interface after routelookup has a smaller ip mtu?
 
marceloru
newbie
Posts: 48
Joined: Tue Jul 08, 2008 12:00 am
Location: Argentina

Re: v6.41 [current] (PPPOE PROBLEM)

Mon Jan 15, 2018 5:48 am

I was with version 6.39.3 in a ccr 1036 working as PPPOE server, all correct, I update to version 6.41 and I have problems with access to some ftp sites, among them ftp://200.47.24.13/, I return to the version 6.39.3 again and the problem disappears.-

version 6.40.5 also have problems MTU and packets bigger than 1400 bytes lost a lot, 6.39.9 work ok
Last edited by marceloru on Thu Jan 18, 2018 1:03 am, edited 1 time in total.
 
wuyizhao
just joined
Posts: 2
Joined: Mon Jan 15, 2018 9:22 am

Re: v6.41 [current]

Mon Jan 15, 2018 9:32 am

HAP AC Lite upgrade 6.41 cannot be started.
Usr lights are always bright.
How to fix it?
 
kamillo
Member Candidate
Member Candidate
Posts: 162
Joined: Tue Jul 15, 2014 5:44 pm

Re: v6.41 [current]

Mon Jan 15, 2018 10:58 am

You can try Netinstall to reinstall RouterOS:

https://wiki.mikrotik.com/wiki/Manual:Netinstall
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.41 [current]

Tue Jan 16, 2018 11:03 pm

Previously there were 2 possible ways to implement VLAN functionality:
1) Via the switch chip VLAN functionality which was 100% hardware (switch > vlan)
2) Via the CPU functionality which was 100% software (create multiple bridges for each VLAN (untagged ports), and one bridge for tagged ports)

Solution 1 was not very useful if device have 2 separate switch chips?
Then there's the third possibility, which was a hybrid one: use switch chip VLAN functionality for ethernet ports and CPU functionality for adding other interfaces (e.g. WLAN with VLAN tags such as virtual AP) or other switch chips. And you don't have to create multiple bridges, one is enough.

My observation is that CPU bridge is VLAN-transparent. If you want to do something specific to a particular VLAN, you have to create a VLAN virtual interface and then do whatever needs to be done using that particular VLAN virtual interface. E.g. if you want to route between two different VLANs, you create two VLAN virtual devices, one for each VLAN. They both belong to "the" bridge. Then you bind different IP addresses to each VLAN virtual device and then you can do the routing between the two interfaces.
However, if you want to switch traffic between e.g. WLAN with VLAN id 42 and ethernet with VLAN id 42, you don't need to do anything apart from having WLAN interface and "switch CPU" port belong to same (CPU) bridge.

I don't have any RB with more than one switch chip, but I guess this is the optimum way of spanning all of the ethernet ports: let switch chip deal with traffic between ports belonging to the same switch chip and have single bridge, spanning all "switch cpu" ports. From switch chip point of view, this CPU bridge appears to be normal ethernet port connecting it to some virtual switch (implemented in SW). One just needs to be careful about VLAN setup of these ports. Bridging without (many) rules should not bog down CPU too much, at least that's what MikroTik wants to show with test results - I'm just not sure how the "brigding - fast path" results compare to switch chip performance on the same hardware.

It would be good to know if anything changed in 6.41 with regard to switch/bridge functionality.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Wed Jan 17, 2018 12:33 pm

My observation is that CPU bridge is VLAN-transparent. If you want to do something specific to a particular VLAN, you have to create a VLAN virtual interface and then do whatever needs to be done using that particular VLAN virtual interface. E.g. if you want to route between two different VLANs, you create two VLAN virtual devices, one for each VLAN. They both belong to "the" bridge. Then you bind different IP addresses to each VLAN virtual device and then you can do the routing between the two interfaces.
However, if you want to switch traffic between e.g. WLAN with VLAN id 42 and ethernet with VLAN id 42, you don't need to do anything apart from having WLAN interface and "switch CPU" port belong to same (CPU) bridge.
The disadvantage of that method is that it allows VLAN communication of any VLAN id between those ports. You cannot easily forward one VLAN and disallow another.
When some security is desired, it is better to explicitly bridge the wanted VLAN subinterfaces.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Wed Jan 17, 2018 12:59 pm

The disadvantage of that method is that it allows VLAN communication of any VLAN id between those ports. You cannot easily forward one VLAN and disallow another.
When some security is desired, it is better to explicitly bridge the wanted VLAN subinterfaces.
Huh?..
/interface bridge
add name=bridge1 vlan-filtering=yes
add name=bridge2 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge2 interface=ether2

/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge2 tagged=ether2 vlan-ids=10
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.41 [current]

Wed Jan 17, 2018 1:40 pm

@Chupaka,
my experience shows that for the last part,
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=10
add bridge=bridge2 tagged=ether2,bridge2 vlan-ids=10
is necessary. Without the bridge itself being listed as a tagged member of the VLAN, some things did not work for me, so I looked at the manual page and example #3 was showing this (unlike the other two). I was not the only one to bump into this, but I have no explanation why this is necessary. And if it is necessary only in particular cases, why.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Wed Jan 17, 2018 2:00 pm

I have similar (bad) experience with the new bridge and VLAN tagging. The first attempt to convert my initial multi-bridge setup to a single bridge with VLAN tags failed.
I reverted to my pre-6.41 configuration (separate bridge for each VLAN and switch configured for the VLANs and tagged/untagged ports) and have to try again some time.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Wed Jan 17, 2018 2:05 pm

@sindy, yep, if you need those VLANs locally. It was just a short example of possible way :)
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.41 [current]

Wed Jan 17, 2018 2:18 pm

if you need those VLANs locally
Can you elaborate? It sounds as if the VLAN wouldn't reach the CPU if the bridge itself is not stated among member interfaces, but in such case, if you have a dual-switch machine and you assign ports from both switches to the same bridge, wouldn't you have to do the same even if you don't need to access the VLAN locally, just want it to flow between ports of different switches?

The second point is what the difference in CPU load is whether you list the bridge itself among VLAN members or not. If it is none or negligible if you do list it but don't actually access the VLAN locally, why this setting has been put to configuration at all?
 
Lansman
just joined
Posts: 20
Joined: Tue Jul 15, 2014 11:22 am

Re: v6.41 [current]

Wed Jan 17, 2018 2:47 pm

I have the same experience. After the upgrade, no connection via ethernet or wifi works. Wifi is off. Winbox cannot show it. I asked another RB on the LAN which properly upgraded to show its neighbours, and the dead RB is listed with a MAC address of 00:00:00:00:00:00. The dead device is up in the air, been operating for a few years, and properly installed to protect it from rain and weather. It will not be fun to replace. It will not be fun to hit a reset button. Any ideas will be appreciated.

I upgraded my RB750Gr3 from 6.40.5 to 6.41, and now I cannot connect to it via wire or wireless. Did I miss anything here?

Thanks.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Wed Jan 17, 2018 4:10 pm

Can you elaborate? It sounds as if the VLAN wouldn't reach the CPU if the bridge itself is not stated among member interfaces, but in such case, if you have a dual-switch machine and you assign ports from both switches to the same bridge, wouldn't you have to do the same even if you don't need to access the VLAN locally, just want it to flow between ports of different switches?
I just wanted to point that if you don't need to send packets to the router itself, you may use something like this for isolating two VLANs with the same VlanID:
/interface bridge
add name=bridge1 vlan-filtering=yes
add name=bridge2 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge2 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge2 interface=ether4

/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether3 vlan-ids=10
add bridge=bridge2 tagged=ether2,ether4 vlan-ids=10
As for adding ports from different switches (where software switching is needed) - I think, the router itself should decide and automatically add bridge to the list (or kind of that), because user don't have to know exact hardware implementation, so he shouldn't guess why something is not working.

P.S. I haven't tested anything above, just my thoughts :)
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.41 [current]

Wed Jan 17, 2018 11:31 pm

The disadvantage of that method is that it allows VLAN communication of any VLAN id between those ports. You cannot easily forward one VLAN and disallow another.
When some security is desired, it is better to explicitly bridge the wanted VLAN subinterfaces.
Switch chip sees all VLANs employed by member ethernet ports and switch administrator has to configure VLANs per port properly. It doesn't matter if some additional VLAN comes from another switch via bridge (=switch cpu port).
In addition to that, traditionaly you had to define which VLANs do pass through switch cpu port and you can restrict some VLANs from "escaping" out of a particular switch chip if so desired.

I'm not sure if this part is different in 6.41 or not, my VLAN-infested RBs are still on 6.40.5.
 
User avatar
vipnet
newbie
Posts: 26
Joined: Sat Jul 20, 2013 9:27 pm
Location: Brazil

Re: v6.41 [current]

Thu Jan 18, 2018 3:09 am

pppoe client dont open after update.
 
ISPIE001
just joined
Posts: 5
Joined: Thu Jan 18, 2018 12:00 pm

Re: v6.41 [current]

Thu Jan 18, 2018 12:04 pm

We are seeing a strange problem with 6.41 in the fact that it prevents one particular HTTPS website from being accessable. This is the case if either 6.41 is running on the PPP server/router or indeed if 6.41 is running on the client's Mikrotik router.
The website in question is https://safeseas.ie/ssi/login.jsp and we have replicated the problem on many iterations of 6.41 across multiple sites. In each case rolling back fixes the issue.
Feedback would be welcome
 
AKuntsevich
just joined
Posts: 3
Joined: Tue Aug 08, 2017 5:34 pm

Re: v6.41 [current]

Thu Jan 18, 2018 2:01 pm

We are seeing a strange problem with 6.41 in the fact that it prevents one particular HTTPS website from being accessable. This is the case if either 6.41 is running on the PPP server/router or indeed if 6.41 is running on the client's Mikrotik router.
The website in question is https://safeseas.ie/ssi/login.jsp and we have replicated the problem on many iterations of 6.41 across multiple sites. In each case rolling back fixes the issue.
Feedback would be welcome
Same problem with http://fl.yantarenergosbyt.ru/
On 6.39.3 all good, on 6.41 and newer - cant open site.
I see this problem if MT set like pppoe-client. If internet from dhcp-client - site available.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Thu Jan 18, 2018 2:39 pm

Huh... Sounds like
*) ppp - fixed "change-mss" functionality when MSS option is missing on forwrded packets;
 
fredcom
just joined
Posts: 9
Joined: Thu Jan 18, 2018 7:55 pm

Re: v6.41 [current]

Thu Jan 18, 2018 8:15 pm

Hi guys,

is there a way to change the values for these settings? *) lte - changed default values to "add-default-route=yes", "use-peer-dns=yes" and "default-route-distance=2";
Basically, I want to change the DNS servers, but first I need to disable using peer DNS, if I understand correctly. And Winbox won't let me, saying "couldn't change DHCP Client <lte1> - cannot change dynamic entry (6)"

I'm using RBM11G and Huawei ME909s-120.

Thanks.
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.41 [current]

Thu Jan 18, 2018 8:21 pm

Well, it is just the default value of use-peer-dns what has been changed, so just specify use-peer-dns=no when creating the interface and you should be good?
 
fredcom
just joined
Posts: 9
Joined: Thu Jan 18, 2018 7:55 pm

Re: v6.41 [current]

Thu Jan 18, 2018 9:05 pm

Well, it is just the default value of use-peer-dns what has been changed, so just specify use-peer-dns=no when creating the interface and you should be good?
The problem is that it seems it's impossible to delete and then create lte interface from Interface list window. But you've actually set me on the correct path - there is a new button on the LTE tab, where you can setup LTE APNs - this is where the Use Peer DNS can be unchecked.

Thanks.
 
User avatar
bobr
just joined
Posts: 21
Joined: Fri Feb 13, 2015 4:27 pm

Re: v6.41 [current]

Fri Jan 19, 2018 10:19 am

Hello to all!
I need help with clarifying some things about new bridge behaviour and switch and switch VLANs and all the around stuff.
First of all - explain to me please, how does bridge interface PVID and bridge ports PVID and switch ports PVID and the VLAN ID of the VLAN interfaces added in interface table( I call them "L3 VLANs" ) correlating with each other and when I should use bridge interface PVID and should I at all?

Then I need help with creating of access ports using switch VLANs and new bridge behaviour, when I want to use the switch functions for VLANs instead of creating them on a bridge and to use no bridge VLAN filtering. What I want? While playing a lab experiments I've decide to create a simple schema: make RB 750 to able to rule a management VLAN and a few over-the-network VLANs.

VLANs:
110 - management. Need to be accessible via ether5 locally
200 - vlan which just need to go through as tagged to...e.g. - ether3
300 - vlan which need to to go through as tagged to...e.g. - ether3 and be accessible via ether4(ether4 as access port for this vlan)

ehter2 - uplink port
ehter5 - local mangement port
192.168.110.211/24 - IP address for this RB 750 in a management network(on a management vlan interface).
Other IPs on interfaces are just dummy.

Pretty simple, hugh? But I can't get further than make able to work the management vlan via uplink port. I can't even get ehter5 local management port working as access port to be able to log into my RB 750 from a laptop connected to it(suppose, laptop has a 192.168.110.220/24 IP without any gateways configured on it's ehternet interface).
Here is my simple config.
# RB 750
/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none vlan-filtering=no pvid=1 protocol-mode=none

/interface ethernet
set [ find default-name=ether2 ] name=ether2-uplink

/interface vlan
add interface=bridge1 name=vlan110 vlan-id=110

/interface bridge port
add bridge=bridge1 interface=ether2-uplink hw=yes pvid=1
add bridge=bridge1 interface=ether3 hw=yes pvid=1
add bridge=bridge1 interface=ether4 hw=yes pvid=1
add bridge=bridge1 interface=ether5 hw=yes pvid=1

/ip neighbor discovery-settings
set discover-interface-list=all

/interface ethernet switch port
# ether5 port
set 3 default-vlan-id=110 vlan-header=always-strip vlan-mode=check
# switch1-cpu port
set 4 default-vlan-id=1 vlan-mode=check

/interface ethernet switch vlan
add ports=ether2-uplink,ether5,switch1-cpu switch=switch1 vlan-id=110

/ip address
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
add address=192.168.1.88/24 interface=ether4 network=192.168.1.0
add address=192.168.110.211/24 interface=vlan110 network=192.168.110.0

/ip route
add distance=1 gateway=192.168.110.254

/system clock
set time-zone-name=Europe/Kiev
I'll appreciate much if someone can explain to me all that stuff...
 
dsiecinski
just joined
Posts: 20
Joined: Fri Jan 27, 2017 6:16 pm
Location: Poland

Re: v6.41 [current]

Fri Jan 19, 2018 10:25 am

I just want raport after upgrade issues

Upgraded RB3011 from 6.35 to 6.41

after upgrade my scheduler scripts not working

and when I copy script from scheduler to terminal and paste it ... very interesting thing happened
because if run it in terminal allways at firs time I got error "no such item (4)"

it looks like this:

[dsiecinski@Mikrotik] > /interface pptp-client enable pptp-out1
no such item (4)
[dsiecinski@Mikrotik] > /interface pptp-client enable pptp-out1
[dsiecinski@Mikrotik] >

fun is that commands is not difrerent :)
but work allways after second trie
 
User avatar
bobr
just joined
Posts: 21
Joined: Fri Feb 13, 2015 4:27 pm

Re: v6.41 [current]

Fri Jan 19, 2018 11:18 am

dsiecinski, I think you need to report it to Mikrotik directly...
 
User avatar
vipnet
newbie
Posts: 26
Joined: Sat Jul 20, 2013 9:27 pm
Location: Brazil

Re: v6.41 [current]

Fri Jan 19, 2018 3:55 pm

We are seeing a strange problem with 6.41 in the fact that it prevents one particular HTTPS website from being accessable. This is the case if either 6.41 is running on the PPP server/router or indeed if 6.41 is running on the client's Mikrotik router.
The website in question is https://safeseas.ie/ssi/login.jsp and we have replicated the problem on many iterations of 6.41 across multiple sites. In each case rolling back fixes the issue.
Feedback would be welcome
Same problem with http://fl.yantarenergosbyt.ru/
On 6.39.3 all good, on 6.41 and newer - cant open site.
I see this problem if MT set like pppoe-client. If internet from dhcp-client - site available.
We have same problems with PPP server/router with http://fl.yantarenergosbyt.ru/ and https://www.verbojuridico.com.br/default.aspx

please team MK new relese
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Fri Jan 19, 2018 3:57 pm

The problem is already fixed in 6.42rc.

The workaround is to add TCP MSS rule to your firewall rules
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.41 [current]

Fri Jan 19, 2018 4:32 pm

The workaround is to add TCP MSS rule to your firewall rules
Would you care to paste appropriate command to implement that workaround here? Thank you!
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Fri Jan 19, 2018 4:35 pm

 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.41 [current]

Fri Jan 19, 2018 5:07 pm

I'll appreciate much if someone can explain to me all that stuff...
As I already wrote, my VLAN-infested RBs are still on 6.40.5, so things might have changed. However, my setup is something like this:
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 vlan-mode=secure
set 2 default-vlan-id=42 vlan-header=add-if-missing vlan-mode=secure
set 3 vlan-mode=secure
set 4 default-vlan-id=2 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-header=add-if-missing vlan-mode=fallback

/interface ethernet switch vlan
# .. I guess this is the old style of defining which ethernet port is member of which VLAN

add independent-learning=no ports=switch1-cpu,ether1,ether2,ether3,ether4 switch=switch1 vlan-id=42
add independent-learning=no ports=ether1,ether2,ether5,ether4 switch=switch1 vlan-id=3999
add independent-learning=no ports=switch1-cpu,ether1,ether2 switch=switch1 vlan-id=41
add independent-learning=no ports=switch1-cpu,ether1,ether2 switch=switch1 vlan-id=40
add independent-learning=no ports=switch1-cpu,ether1,ether2,ether5,ether4 switch=switch1 vlan-id=2
N.b. port 0 is switch CPU interface. Only some ports have PVID set. I have other VLAN-capable switches that serve most access ethernet ports.
/interface vlan
add interface=bridge name=vlan-2 vlan-id=2
add interface=bridge name=vlan-40 vlan-id=40
add interface=bridge name=vlan-41 vlan-id=41
add interface=bridge name=vlan-42 vlan-id=42

/interface bridge port
add bridge=bridge interface=ether1
You can see that VLAN 3999 does not enter the router's bridge, it's dealt with completely by switch chip.
/ip address
add address=192.168.42.1/23 interface=vlan-42 network=192.168.42.0
add address=192.168.41.1/24 interface=vlan-41 network=192.168.41.0
add address=192.168.40.1/24 interface=vlan-40 network=192.168.40.0
add address=192.168.1.240/24 interface=vlan-2 network=192.168.1.0
The router has 4 different addresses, one per VLAN where routing is needed and none where it's not (VLAN 3999).

The bridge itself acts like a passive wire in my case, it passes packets between the member interfaces (vlan-* interfaces, switch-cpu and two wifi interfaces I didn't show in config). It's up to configuration of individual interfaces to drop any VLANs not interesting and tag packets without VLAN tags (PVID).

It's up to IP filter rules to restrict access to ROS itself, so management access is not restricted on per-port basis, but rather on IP address basis (or any other filter ROS offers, which incidentally includes inbound port as well).

One might say that this kind of bridge setup is not entirely safe. My answer is that probably the very same administrator is configuring all aspects of a given router and it doesn't matter at what particular point/interface (s)he limits inappropriate traffic to enter/leave the routerboard device.

@bobr: in your case, the problem of no management access is probably due to the fact that management computer, connecting to eth5, does not use VLAN-tagged packets and consequently gets tagged with VLAN ID 1 (PVID setting). You either need to configure your management computer to use VLANs or configure eth5 with PVID=110 (and make sure also that VLAN segement gets routed/NATed to internet if so desired).
 
User avatar
vipnet
newbie
Posts: 26
Joined: Sat Jul 20, 2013 9:27 pm
Location: Brazil

Re: v6.41 [current]

Fri Jan 19, 2018 6:21 pm

The problem is already fixed in 6.42rc.

The workaround is to add TCP MSS rule to your firewall rules
adding tcp mss to my firewall doesn't work router os 6.41
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.41 [current]

Fri Jan 19, 2018 9:08 pm

The problem is already fixed in 6.42rc.

The workaround is to add TCP MSS rule to your firewall rules
adding tcp mss to my firewall doesn't work router os 6.41
Neither works for me. Did anybody succeed to fix this with a firewall rule?
 
armarsh
just joined
Posts: 1
Joined: Fri Jan 19, 2018 9:20 pm

Re: v6.41 [current]

Fri Jan 19, 2018 9:37 pm

i have a problem with my router. When i upgrade from 6.40 to 6.41 i cant login in to routerboard, it said cannot connect to 20561 port
 
Clauu
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Mar 21, 2014 8:27 pm
Location: RO

Re: v6.41 [current]

Fri Jan 19, 2018 11:13 pm

Hello, same problem with some sites not accesible on all devices with 6.41.. changed tcp mss without any luck so.. please advice.
L.E: So as a quick fix, edit the ppp profile and modify 'Change TCP MSS' from default/yes to no. This should fix the issue.
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.41 [current]

Sat Jan 20, 2018 2:04 pm

The problem is already fixed in 6.42rc.

The workaround is to add TCP MSS rule to your firewall rules
Witch will disable fastpath on your router yes!?
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.41 [current]

Sat Jan 20, 2018 2:21 pm

Which will disable fastpath on your router, yes!?
It won't. TCP MSS has to be adjusted only in the first two packets of each session, and the fasttracking rule only applies on the following ones anyway (TCP state established is reached after the SYN,ACK has been processed).
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.41 [current]

Sat Jan 20, 2018 2:30 pm

Which will disable fastpath on your router, yes!?
It won't. TCP MSS has to be adjusted only in the first two packets of each session, and the fasttracking rule only applies on the following ones anyway (TCP state established is reached after the SYN,ACK has been processed).
I wasn't talking about fast track this is for firewall state tracking but more optimisted.
FastPath is NO FIREWALL enabled forward only as fast as you can with as little cpu resources that you can. This is SPEED

IF I only use the device for routing I would like fastpath to stay active. That was my objection as to do mangle rules.
IF I use firewall then surly to get any performance fasttrack would be good but this is orders of magnitude slower then fastpath.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Sat Jan 20, 2018 2:50 pm

Witch will disable fastpath on your router yes!?
If it's critical for you - just stay with 6.40 or earlier :)
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: v6.41 [current]

Sat Jan 20, 2018 3:14 pm

If it's critical for you - just stay with 6.40 or earlier :)
:wink: Am doing just that, was just stating the obvious. :D
 
gosha
Member Candidate
Member Candidate
Posts: 154
Joined: Mon Jul 19, 2004 3:14 pm
Location: Tallinn, Estonia

Re: v6.41 [current]

Sat Jan 20, 2018 4:16 pm

After upgrading smoothly SSTP VPN is working fine but there is no route to internal LAN.

Until this upgrade everything was running OK, is there any issue or extra configuration to be done with SSTP interface?
I have the same problem but not only SSTP affected, PPtP is not working too. Even more strange that if remote ip is from another network, it will work...
 
Clauu
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Mar 21, 2014 8:27 pm
Location: RO

Re: v6.41 [current]

Sat Jan 20, 2018 8:06 pm

Hello, same problem with some sites not accesible on all devices with 6.41.. changed tcp mss without any luck so.. please advice.
L.E: So as a quick fix, edit the ppp profile and modify 'Change TCP MSS' from default/yes to no. This should fix the issue.
As an update, seems that changing that it will break another sites.. so isn't a viable solution.
Without upgrading to rc6.42, any other ideas please?
 
gosha
Member Candidate
Member Candidate
Posts: 154
Joined: Mon Jul 19, 2004 3:14 pm
Location: Tallinn, Estonia

Re: v6.41 [current]

Sat Jan 20, 2018 9:03 pm

Can I downgrade in case if firmware was upgraded to 6.41? Which previous version to choose?
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: v6.41 [current]

Sun Jan 21, 2018 2:41 pm

Yes. Easily by downgrade when device works. More difficultly when it does not work using netinstall. You can choose whatever version you want just it cannot be lower than original version from manufacturing.
 
User avatar
bobr
just joined
Posts: 21
Joined: Fri Feb 13, 2015 4:27 pm

Re: v6.41 [current]

Sun Jan 21, 2018 2:49 pm

@mkx:
my VLAN-infested RBs are still on 6.40.5, so things might have changed
do you have a vlan filtering ability and hw-offload in your bridge configurations? 'cause if no - yep, things are changed and, if my memory serves me, in 6.40.5 brigde had no vlan filtering ability yet and master-port functionality is still present there.
with master-port the things were pretty clear. but now, without master-port the configs are slight different. I even say - much different. so, all my questions are related exactly to those changes. for someone to explain to me, how did new functionality changed the behaviour of all those vlans stuff.

in your case, the problem of no management access is probably due to the fact that management computer, connecting to eth5, does not use VLAN-tagged packets and consequently gets tagged with VLAN ID 1 (PVID setting). You either need to configure your management computer to use VLANs or configure eth5 with PVID=110 (and make sure also that VLAN segement gets routed/NATed to internet if so desired).
I think, you should re-read my post more precisely:
/interface ethernet switch port
# ether5 port
set 3 default-vlan-id=110 vlan-header=always-strip vlan-mode=check
# switch1-cpu port
set 4 default-vlan-id=1 vlan-mode=check
or did I do something wrong?

anyway - thanks - you're the only one person here who tried to help! ::beers::
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.41 [current]

Sun Jan 21, 2018 5:36 pm

you're the only one person here who tried to help!
Maybe because it is new for everybody so no one feels competent enough yet to advise in this high-profile topic? This was at least my reason to wait for someone more competent to answer.
Also, in my opinion such a question would deserve its own topic due to the size of the answer.

So if you want my personal understanding, which may differ from the real implementation, here you go:
The bridge concept of 6.41 was declared as a way towards uniting bridge and switch configuration in one. So the first thing to do if you start from scratch is not to do any /interface ethernet switch setings at all as they are likely in conflict with those done the new way.

Creation of a bridge interface creates both the bridge in software (as in the old way, including the ability to attach an IP configuration directly to it) and a group of swicth ports (which is empty at the beginning untill you assign some ports to it).

So the first step is to create the bridge (with any flavour of STP switched off for now and with vlan-filtering switched off as well):
/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none vlan-filtering=no pvid=1
If you eventually assign an IP configuration to this bridge1, it will be using VLAN ID 1 because pvid is set to 1.

Next, you assign the member ports of that bridge, both those at the switch and those at the CPU including eventual virtual ones (like L2 tunnels). I'm not sure whether hw=yes won't cause a conflict and the manual says it is enabled automatically if possible, so let's not specify any value:
/interface bridge port
add bridge=bridge1 interface=ether2-uplink pvid=1
add bridge=bridge1 interface=ether3 pvid=1
add bridge=bridge1 interface=ether4 pvid=300
add bridge=bridge1 interface=ether5 pvid=110
Those Ethernet ports which are going to become access ports must have the corresponding PVID set.

As you want to create an IP interface to be accessed via VLAN ID 110, you have to create a corresponding virtual interface as a member of that bridge:
/interface vlan
add interface=bridge1 name=vlan110 vlan-id=110

Of course, let's assign the IP configuration to it as well:
/ip address
add address=192.168.110.211/24 interface=vlan110 network=192.168.110.0

And now - what you had to do in switch configuration before has to be done in bridge configuration now. Note that several VLAN IDs may be grouped at each line and bear in mind that all VLANs in the same group must have the same topology across the whole network if you want MSTP to work. I assume that the configuration below only becomes necessary and relevant once you change the vlan-filtering to yes, i.e. that already the steps above should cause everything you wanted to work except the vlan-filtering, but I may be wrong:
/interface bridge vlan
add bridge=bridge1 vlan-ids=110 tagged=bridge1,ether2-uplink untagged=ether5
add bridge=bridge1 vlan-ids=200 tagged=ether2-uplink,ether3
add bridge=bridge1 vlan-ids=300 tagged=ether2-uplink,ether3 untagged=ether4
Note that for VLAN ID 110, the bridge itself is indicated as a tagged member port of itself. This seems to be necessary to allow frames to be forwarded between the virtual interfaces (bridge and vlan) and the physical interfaces, in another words, between the CPU and the switch. This is the most confusing point for me. I don't know understand why it is not done automatically.

Also note that the vlan110 virtual interface does not need to be indicated as a member here.

With the settings above done, you can activate vlan-filtering at the bridge:
/interface bridge set bridge1 vlan-filtering=yes
After doing that, packets with VLAN IDs other than those for which a given interface is a member of the bridge will not be forwarded to/from that interface.
 
nmt1900
Frequent Visitor
Frequent Visitor
Posts: 85
Joined: Wed Feb 01, 2017 12:36 am

Re: v6.41 [current]

Sun Jan 21, 2018 10:45 pm

I have similar (bad) experience with the new bridge and VLAN tagging. The first attempt to convert my initial multi-bridge setup to a single bridge with VLAN tags failed.
I reverted to my pre-6.41 configuration (separate bridge for each VLAN and switch configured for the VLANs and tagged/untagged ports) and have to try again some time.
Same thing here.

Had everything working with VLAN filtering on test setup (CRS326), but when I tried to apply new single bridge setup (same as test setup) in production environment, nothing worked - no matter whether it was done by modifying old multibridge configuration or setup fresh after reset.

Worst anomaly was bridge losing ports after reboot - interestingly enough not all were lost. When I fired up test setup at the office again - same one which was working (!) - then surprise, surprise, bridge had only few of attached ports left over there too.

Maybe it's better to wait for 6.42 - CRS326 seems to be capable of adequate performance for our current needs even in multibridge setup...
 
Clauu
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Mar 21, 2014 8:27 pm
Location: RO

Re: v6.41 [current]

Sun Jan 21, 2018 11:52 pm

Until release of 6.42'stable', has anybody any solution to this?
Hello, same problem with some sites not accesible on all devices with 6.41.. changed tcp mss(iptables firewall) without any luck so.. please advice.
We are seeing a strange problem with 6.41 in the fact that it prevents one particular HTTPS website from being accessable. This is the case if either 6.41 is running on the PPP server/router or indeed if 6.41 is running on the client's Mikrotik router.
The website in question is https://safeseas.ie/ssi/login.jsp and we have replicated the problem on many iterations of 6.41 across multiple sites. In each case rolling back fixes the issue.
Feedback would be welcome
Same problem with http://fl.yantarenergosbyt.ru/
On 6.39.3 all good, on 6.41 and newer - cant open site.
I see this problem if MT set like pppoe-client. If internet from dhcp-client - site available.
We have same problems with PPP server/router with http://fl.yantarenergosbyt.ru/ and https://www.verbojuridico.com.br/default.aspx

please team MK new relese
 
AKuntsevich
just joined
Posts: 3
Joined: Tue Aug 08, 2017 5:34 pm

Re: v6.41 [current]

Mon Jan 22, 2018 9:51 am

The problem is already fixed in 6.42rc.

The workaround is to add TCP MSS rule to your firewall rules
Yes, now fixed in rc11.
Before tested on rc9 - problem still here.
 
Clauu
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Mar 21, 2014 8:27 pm
Location: RO

Re: v6.41 [current]

Mon Jan 22, 2018 10:17 am

I understand that in rc it is fixed, but i(we) need a solution without installing the rc version. Adding a firewall rule didn't change anything.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7186
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.41 [current]

Mon Jan 22, 2018 11:39 am

If mangle rule did not fix the problem then either your rule is incorrect or it is not TCP MSS problem.
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.41 [current]

Mon Jan 22, 2018 12:52 pm

Looks like this works for me:
/ppp profile
set [ find default ] change-tcp-mss=no
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=all-ppp protocol=tcp tcp-flags=syn
Then reconnect your ppp connection try to access the affected sites.
Can anybody confirm?
 
Clauu
Member Candidate
Member Candidate
Posts: 217
Joined: Fri Mar 21, 2014 8:27 pm
Location: RO

Re: v6.41 [current]

Mon Jan 22, 2018 9:42 pm

Seems fine your suggestion, thanks!
 
Lansman
just joined
Posts: 20
Joined: Tue Jul 15, 2014 11:22 am

Re: v6.41 [current] What I did

Tue Jan 23, 2018 12:10 pm

I have the same experience. After the upgrade, no connection via ethernet or wifi works. Wifi is off. Winbox cannot show it. I asked another RB on the LAN which properly upgraded to show its neighbours, and the dead RB is listed with a MAC address of 00:00:00:00:00:00. The dead device is up in the air, been operating for a few years, and properly installed to protect it from rain and weather. It will not be fun to replace. It will not be fun to hit a reset button. Any ideas will be appreciated.

I upgraded my RB750Gr3 from 6.40.5 to 6.41, and now I cannot connect to it via wire or wireless. Did I miss anything here?

Thanks.
......................................
******* UPDATE**********
.....................................

I placed this laptop at ground level. I climbed to the RB Metal 2SHPn. I dismounted it and cut off the shielded ethernet connector. I brought the Metal inside. If you remember, nothing could see the Metal. It had no MAC address, and wifi was off after upgrade. I knew I must use Netinstall, but you must watch your laptop when setting up Netinstall. You must see that you are loading the new OS. I had to try many times, but finally I saw the Metal in Netinstall. I told it to go install the new OS and keep the old config. It did. All the old user settings were kept. Then I had to go back up with the Metal, and tighten the Metal back on the old mast. Then put a new connector on the shielded cat 5 cable. I did that after renewing the fusing electrical tape over the N connector and antenna. I still must put better water protection over that connector. The antenna is a nice OMNI, about 4 dBd gain.

This is a lot of work for an automatic upgrade. Be warned. Mikrotik does not automatically fully check automatic upgrades to be sure it will work. After an upgrade, you may have lost all connection to your Router Board until you can get at the reset button and have a nearby computer to do a Netinstall.
 
inversistemas
just joined
Posts: 4
Joined: Tue Jan 23, 2018 4:38 am

Re: v6.41 [current]

Tue Jan 23, 2018 6:02 pm

Since my RB3011 was upgraded from 6.40 to 6.41 my bridges aren't working as usual, and I still don't understand well enought about "hw-offload" and "switch chip", I just feel that "master-ports" was working fine.

> My setup is:
interface type vlan / name: vlan20-4 / vlan ID: 20 / interface: ethernet4
interface type vlan / name: vlan20-3 / vlan ID: 20 / interface: ethernet3

interface type bridge / name: bridge20 / STP protocol: RSTP / VLAN filtering disabled

bridge port / bridge name:bridge20 / interface name: vlan20-4 / Hardware offload: checked / Edge: auto / ingress filtering: unchecked / Frame: admit all
bridge port / bridge name:bridge20 / interface name: vlan20-3 / Hardware offload: checked / Edge: auto / ingress filtering: unchecked / Frame: admit all

but, with this, my bridge is not working...

any help? any idea?
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: v6.41 [current]

Tue Jan 23, 2018 6:14 pm

but, with this, my bridge is not working...
Please read this post and if it does not help, create a new topic and place here a link to it, I'll try to guide you.
 
UMarcus
Frequent Visitor
Frequent Visitor
Posts: 95
Joined: Wed Jan 21, 2015 10:11 am
Location: Europe

Re: v6.41 [current]

Tue Jan 23, 2018 6:15 pm

Hello,
i had update all my Devices (CRS124, HAP and HAP Lite) to 6.41.

Now I get errors like 'port received packet with own address as source address' and a packet storm. Network is down.

The configuration is 3x HAP and 2 HAP lite as CAP and the CRS124 as CAPSMAN and 5 VLAN Networks.

This only happens if both HAP lite connected !
If i remove one of them the network is running without issues. If i reconnect the second HAP Lite it takes a short time than i get this packet storm.

I already reset the HAP Lite and reconfigure it but without luck.

Any ideas how to investigate and fix that or is it a bug in the new 6.41 ?

Thanks
regards
Marcus
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v6.41 [current]

Tue Jan 23, 2018 6:32 pm

Now I get errors like 'port received packet with own address as source address' and a packet storm. Network is down.
I have seen this once, but could not reproduce since. No idea what happened and why.
 
User avatar
macsrwe
Forum Guru
Forum Guru
Posts: 1011
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: v6.41 [current]

Tue Jan 23, 2018 8:34 pm

Can you please explain, when Mikrotik will amend the CRS3xx releases, so that the supout.rif not gets written to volatile memory, but onto flash instead ?
When you type the command to take the supout, begin the file name with flash/.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.41 [current]

Wed Jan 24, 2018 3:25 pm

Could we expect that 6.40.5 will become "bugfix" or 6.40.6 with fixes from 6.41?

6.40.5 is the last with "old-known-bridge-implementation" technology and not all want to upgrade to "new-better-but-not-too-familiarized" one.
 
User avatar
bajodel
Long time Member
Long time Member
Posts: 552
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v6.41 [current]

Wed Jan 24, 2018 9:25 pm

Could we expect that 6.40.5 will become "bugfix" or 6.40.6 with fixes from 6.41?
6.40.5 is the last with "old-known-bridge-implementation" technology and not all want to upgrade to "new-better-but-not-too-familiarized" one.
+1 .. absolutely, and keep 6.40.x on bugfix for long time
 
User avatar
karlisi
Member
Member
Posts: 469
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: v6.41 [current]

Thu Jan 25, 2018 8:35 am

Could we expect that 6.40.5 will become "bugfix" or 6.40.6 with fixes from 6.41?

6.40.5 is the last with "old-known-bridge-implementation" technology and not all want to upgrade to "new-better-but-not-too-familiarized" one.
+1001
 
User avatar
bobr
just joined
Posts: 21
Joined: Fri Feb 13, 2015 4:27 pm

Re: v6.41 [current]

Thu Jan 25, 2018 9:05 am

Could we expect that 6.40.5 will become "bugfix" or 6.40.6 with fixes from 6.41?
6.40.5 is the last with "old-known-bridge-implementation" technology and not all want to upgrade to "new-better-but-not-too-familiarized" one.
+1 .. absolutely, and keep 6.40.x on bugfix for long time
+1001
Quite agree. Or make all that stuff with new bridge-to-L2 behaviour and features more transparent and understandable. 'Cause before 6.41 you made master port and then went to Switch in winbox and did all the stuff for L2, including VLANs, there. And now the things are not as clear.
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: v6.41 [current] (problem - clients lost DHCP default route after upgrade)

Fri Jan 26, 2018 3:41 am

Re: v6.41 [current] (problem - clients lost DHCP default route after upgrade)

Is anybody else experiencing this issue ?

When I upgrade wireless remote Mikrotik DHCP clients, I experience problems after the remote client reboots.


The most important issue I am seeing is that the remote clients no longer have a DHCP default-route.
FYI - The wlan is software bridged to WAN & The WAN is a DHCP client -and- the WAN IP addresses are part of my Live-Internet-IPs

Example:
I upgraded a remote client from 6.40.5
Here is part of the export (prior to the upgrade - still on 6.40.5)
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=WAN


After the remote client is upgraded to 6.41
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN


As you can see , the default-route-distance=0 is now missing.

Below is larger portion of the export prior to upgrading:
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-server network
add address=192.168.56.0/24 gateway=192.168.56.1
/ip dns
set max-udp-packet-size=512 servers=66.35.8.72,66.35.8.73
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-path=web-proxy1 max-cache-size=none parent-proxy=0.0.0.0
/ip route
add distance=1 pref-src=192.168.56.111 type=blackhole
add distance=1 pref-src=192.168.56.119 type=blackhole
add distance=1 pref-src=192.168.56.118 type=blackhole
add distance=1 pref-src=192.168.56.120 type=blackhole
add distance=1 pref-src=192.168.56.106 type=blackhole
add distance=1 pref-src=192.168.56.114 type=blackhole
add distance=1 pref-src=192.168.56.115 type=blackhole
add distance=1 pref-src=192.168.56.100 type=blackhole
add distance=1 pref-src=192.168.56.101 type=blackhole
add distance=1 pref-src=192.168.56.102 type=blackhole
add distance=1 pref-src=192.168.56.103 type=blackhole
add distance=1 pref-src=192.168.56.104 type=blackhole
add distance=1 pref-src=192.168.56.105 type=blackhole
add distance=1 pref-src=192.168.56.117 type=blackhole
add distance=1 pref-src=192.168.56.107 type=blackhole
add distance=1 pref-src=192.168.56.109 type=blackhole
add distance=1 pref-src=192.168.56.108 type=blackhole
add distance=1 pref-src=192.168.56.110 type=blackhole
add distance=1 pref-src=192.168.56.113 type=blackhole
add distance=1 pref-src=192.168.56.112 type=blackhole
add distance=1 pref-src=192.168.56.116 type=blackhole
add distance=1 dst-address=10.0.0.0/8 gateway=192.168.56.3
add distance=1 dst-address=10.0.0.0/8 type=blackhole
add distance=1 dst-address=172.16.0.0/12 gateway=192.168.56.3
add distance=1 dst-address=172.16.0.0/12 type=blackhole
add distance=1 dst-address=192.168.0.0/16 gateway=192.168.56.3
add distance=1 dst-address=192.168.0.0/16 type=blackhole
/ip route rule
add action=drop interface=WAN src-address=192.168.0.0/16
add action=drop interface=WAN src-address=10.0.0.0/8
add action=drop interface=WAN src-address=172.16.0.0/12
add action=drop dst-address=10.0.0.0/8 interface=WAN
add action=drop dst-address=172.16.0.0/12 interface=WAN

-and now for some additional export information after the firmware upgrade:
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-server network
add address=192.168.56.0/24 gateway=192.168.56.1
/ip dns
set max-udp-packet-size=512 servers=66.35.8.72,66.35.8.73
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-path=web-proxy1 max-cache-size=none parent-proxy=0.0.0.0
/ip route
add distance=1 pref-src=192.168.56.111 type=blackhole
add distance=1 pref-src=192.168.56.119 type=blackhole
add distance=1 pref-src=192.168.56.118 type=blackhole
add distance=1 pref-src=192.168.56.120 type=blackhole
add distance=1 pref-src=192.168.56.106 type=blackhole
add distance=1 pref-src=192.168.56.114 type=blackhole
add distance=1 pref-src=192.168.56.115 type=blackhole
add distance=1 pref-src=192.168.56.100 type=blackhole
add distance=1 pref-src=192.168.56.101 type=blackhole
add distance=1 pref-src=192.168.56.102 type=blackhole
add distance=1 pref-src=192.168.56.103 type=blackhole
add distance=1 pref-src=192.168.56.104 type=blackhole
add distance=1 pref-src=192.168.56.105 type=blackhole
add distance=1 pref-src=192.168.56.117 type=blackhole
add distance=1 pref-src=192.168.56.107 type=blackhole
add distance=1 pref-src=192.168.56.109 type=blackhole
add distance=1 pref-src=192.168.56.108 type=blackhole
add distance=1 pref-src=192.168.56.110 type=blackhole
add distance=1 pref-src=192.168.56.113 type=blackhole
add distance=1 pref-src=192.168.56.112 type=blackhole
add distance=1 pref-src=192.168.56.116 type=blackhole
add distance=1 dst-address=10.0.0.0/8 gateway=192.168.56.3
add distance=1 dst-address=10.0.0.0/8 type=blackhole
add distance=1 dst-address=172.16.0.0/12 gateway=192.168.56.3
add distance=1 dst-address=172.16.0.0/12 type=blackhole
add distance=1 dst-address=192.168.0.0/16 gateway=192.168.56.3
add distance=1 dst-address=192.168.0.0/16 type=blackhole
/ip route rule
add action=drop interface=WAN src-address=192.168.0.0/16
add action=drop interface=WAN src-address=10.0.0.0/8
add action=drop interface=WAN src-address=172.16.0.0/12
add action=drop dst-address=10.0.0.0/8 interface=WAN
add action=drop dst-address=172.16.0.0/12 interface=WAN

North Idaho Tom Jones
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Fri Jan 26, 2018 8:16 am

Nope, working okay for me. "default-route-distance=" is missing because its default value changed to 1, I think, and 0 is changed to 1 automagically
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Fri Jan 26, 2018 11:30 am

distance can only be 0 for "directly connected" routes (the automatically generated routes that correspond to the address/net of an interface), all other routes including your default route have a distance of at least 1. So distance=0 is invalid.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Fri Jan 26, 2018 1:35 pm

distance can only be 0 for "directly connected" routes (the automatically generated routes that correspond to the address/net of an interface), all other routes including your default route have a distance of at least 1. So distance=0 is invalid.
It's invalid from 6.41, but earlier it was working :)
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Fri Jan 26, 2018 5:12 pm

It's invalid from 6.41, but earlier it was working :)
What do you mean with "working"? In 6.40.5 I cannot add a static route with distance=0.
You mean a DHCP client with default-route-distance=0 was adding a route with distance=0?
That must have been a bug that has been fixed...

What problem does that cause? Remember subnet size always has higher precedence than distance,
so for a route to 0.0.0.0/0 the distance really doesn't matter relative to those blackhole routes, those will
still be used even when the default route has distance=1 or distance=2 or higher!

Distance setting for the default route is just there to have the possibility of having several internet interfaces
with different default route distance so it is know which one has preference. distance=0 is not required for that.
 
kfaessen
just joined
Posts: 3
Joined: Sun Jul 02, 2017 9:57 pm

Re: v6.41 [current]

Fri Jan 26, 2018 6:21 pm

Does anyone know how to get the certificates working in 6.41? It worked in all the previous versions but the https service tells me now that it's Invalid and I assumed that it's caused by the changes in the certificates.

I have a wildcard certificate at comodo and I have imported all the linked root certificates. The CRL's are also downloaded automatically of all the certificates, so that seems fine to me. However the https service still complains invalid (without telling what is invalid)

Edit: I have figured it out, it appeared that port 443 is blocked by something else, when I changed the port to 8443 it worked. Now I need to figure out what is blocking port 443.

Related configuration (I have changed my domain name in the text, it's obvious not test.com)
[admin@MikroTik] > /certificate print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #       NAME                                    COMMON-NAME               SUBJECT-ALT-NAME                   FINGERPRINT
 0 K L T wildcard.test.com                       *.test.com                DNS:*.test.com                     09133...
 1     T AddTrustExternalCARoot                  AddTrust External CA      Root                               687fa...
 2   L T COMODORSAAddTrustCA                     COMODO RSA                Certification Authority            4f32d...
 3   L T COMODORSADomainValidationSecureServerCA COMODO RSA                Domain Validation Secure Server CA 02ab5...

[admin@MikroTik] > /ip service print detail
Flags: X - disabled, I - invalid
 0 XI name="telnet"  port=23   address=""
 1 XI name="ftp"     port=21   address=""
 2    name="www"     port=80   address=192.168.1.0/24
 3    name="ssh"     port=22   address=""
 4 I  name="www-ssl" port=443  address=192.168.1.0/24 certificate=wildcard.test.com
 5 XI name="api"     port=8728 address=""
 6    name="winbox"  port=8291 address=""
 7    name="api-ssl" port=8729 address="" certificate=*C
 
SDFadfasdfadsf
just joined
Posts: 23
Joined: Sun Feb 07, 2016 2:21 am

Re: v6.41 [current]

Sat Jan 27, 2018 7:17 pm

log overwriting broke? It looks like after mem log is full, new logs are all "item add", "item removed" garbage. These logs should have been firewall drop actions.
 
User avatar
genesispro
Member
Member
Posts: 304
Joined: Fri Mar 14, 2014 12:33 pm

Re: v6.41 [current]

Sat Jan 27, 2018 8:21 pm

I think I found a minor winbox bug @6.41
It allows me to add the same interface list to a bridge port multiple times
 
Biker111
newbie
Posts: 37
Joined: Thu Aug 11, 2016 1:21 am
Location: Denmark

Deleted ...

Sun Jan 28, 2018 5:12 am

Deleted ...
Last edited by Biker111 on Sun Jan 28, 2018 11:25 am, edited 1 time in total.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Sun Jan 28, 2018 9:04 am

You mean a DHCP client with default-route-distance=0 was adding a route with distance=0?
That must have been a bug that has been fixed...
Yep, that's exactly what happened. And that change could introduce some other bug, for example :)
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Sun Jan 28, 2018 12:22 pm

You mean a DHCP client with default-route-distance=0 was adding a route with distance=0?
That must have been a bug that has been fixed...
Yep, that's exactly what happened. And that change could introduce some other bug, for example :)
What is that "other bug"? I still don't get why you would want to have a default route with distance=0
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Sun Jan 28, 2018 1:12 pm

I found a limitation in the configuration for ip neighbor using interface-list instead of explicit settings...

In the old 6.40.5 situation on a CCR1009 I had this setting:

/ip neighbor discovery
set ether2 discover=no
set ether7 discover=no
set ether8 discover=no
/ip neighbor discovery settings
set default-for-dynamic=yes

When updating to 6.41 RouterOS has created an interface list "discover" and added all static interfaces
except the ones named above to it, and set /ip neighbor discovery-settings set discover-interface-list=disover

This of course did not work until another reboot. But that is a known bug.
However, now there is no way to include the set default-for-dynamic=yes setting which handles discovery
on the dynamically created (incoming L2TP/IPsec) interfaces!)
I tried adding "dynamic" for the "include" setting of the interface list "discover" but that does not do it.
(even did another reboot after that change).
Neiighbor discovery no longer works for my dynamic interfaces unless I enable it on "all" which of course enables
it on the 3 abovementioned interfaces as well.
 
User avatar
macsrwe
Forum Guru
Forum Guru
Posts: 1011
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: v6.41 [current]

Sun Jan 28, 2018 5:38 pm

You mean a DHCP client with default-route-distance=0 was adding a route with distance=0?
That must have been a bug that has been fixed...
Yep, that's exactly what happened. And that change could introduce some other bug, for example :)
What is that "other bug"? I still don't get why you would want to have a default route with distance=0
For example, I had an initialization script for a class of routers that was initially generated two years ago from an export of a working hand configuration. The export process created a DHCP client with default-route-distance=0 specified (something I would not have specified by hand, but was present in the export). I went to use it yesterday, and it failed to import, because MikroTik made this fix. So, bug.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.41 [current]

Sun Jan 28, 2018 7:59 pm

it failed to import, because MikroTik made this fix. So, bug.
It should probably just ignore the distance=0 in the input and use the default distance=1
However, this is always a tough decision: should it silently ignore invalid parameters that were valid in the past, potentially confusing users, or should
it issue error messages.
My solution would be:
- in normal command mode it should issue error messages
- in import mode it should ignore those parameters even when error messages occur

This is a generic gripe I have about import (and running of script after reset-configuration): it should be able to continue processing when minor errors occur.
This is just a special case of that.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v6.41 [current]

Mon Jan 29, 2018 12:23 pm

What is that "other bug"? I still don't get why you would want to have a default route with distance=0
Well, the "other bug" I thought of was "the remote clients no longer have a DHCP default-route" %)

Who is online

Users browsing this forum: No registered users and 9 guests