v6.41 [current]

Fri Dec 22, 2017 2:58 pm

RouterOS 6.41 contains new bridge implementation that supports hardware offloading (hw-offload).
This update will convert all interface "master-port" configuration into new bridge configuration, and eliminate "master-port" option as such.
Bridge will handle all Layer2 forwarding and the use of switch-chip (hw-offload) will be automatically turned on based on appropriate conditions.
The rest of RouterOS Switch specific configuration remains untouched in usual menus for now.
Please, note that downgrading to previous RouterOS versions will not restore "master-port" configuration, so use backups to restore configuration on downgrade.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.41 (2017-Dec-22 11:55):
!) bridge - implemented software based vlan-aware bridges;
https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
!) switch - "master-port" conversion into a bridge with hardware offload "hw" option;
https://wiki.mikrotik.com/wiki/Manual:S ... Offloading
!) detnet - implemented "/interface detect-internet" feature;
https://wiki.mikrotik.com/wiki/Manual:Detect_internet
!) bridge - general implementation of hw-offload bridge (introduced in v6.40rc36);
!) routerboot - RouterBOOT version numbering system merged with RouterOS;
!) w60g - added Point to Multipoint support;
!) w60g - revised "master" and "slave" interface modes to more familiar "bridge", "ap-bridge", "station-bridge";
!) wireless - new driver with initial support for 160 and 80+80 MHz channel width;
*) arm - minor improvements on CPU load distribution for RB1100 series devices;
*) arp - fixed invalid static ARP entries after reboot on interfaces without IP address;
*) bgp - added 32-bit private ASN support;
*) bridge - added comment support for VLANs;
*) bridge - added initial support for hardware "igmp-snooping" on CRS1xx/2xx;
*) bridge - added support for "/interface list" as a bridge port;
*) bridge - assume "point-to-point=yes" for all Full Duplex Ethernet interfaces when STP is used (as per standard);
*) bridge - automatically turn off "fast-forward" feature if both bridge ports have "H" flag;
*) bridge - changed "Host" and "MDB" table column order;
*) bridge - disable "hw-offload" when "horizon" or "external-fdb" is set;
*) bridge - fixed "fast-forward" counters;
*) bridge - fixed ARP setting (introduced in v6.40rc36);
*) bridge - fixed connectivity issues when there are multiple VLAN interfaces on bridge;
*) bridge - fixed hw-offloaded IGMP Snooping service getting stopped;
*) bridge - fixed multicast forwarding (introduced in v6.40rc36);
*) bridge - implemented dynamic entries for active MST port overrides;
*) bridge - implemented software based "igmp-snooping";
*) bridge - implemented software based MSTP;
*) bridge - removed "frame-types" and "ingress-filtering" for bridge interfaces (introduced in v6.40rc36);
*) bridge - set "igmp-snooping=no" by default on new bridges;
*) bridge - show "admin-mac" only if "auto-mac=no";
*) bridge - show bridge interface local addresses in the host table;
*) btest - improved reliability on Bandwidth Test when device`s RAM is almost full;
*) capsman - added "vlan-mode=no-tag" option;
*) capsman - added possibility to downgrade CAP with Upgrade command from CAPsMAN;
*) capsman - return complete CA chain when issuing new certificate;
*) capsman - use "adaptive-noise-immunity" value from CAP local configuration;
*) certificate - added option to store CRL in RAM (CLI only);
*) certificate - fixed SCEP "get" request URL encoding;
*) certificate - improved CRL update after system startup;
*) certificate - show "Expired" flag when initial CRL fetch fails;
*) certificate - show invalid flag when local CRL file does not exist;
*) chr - added KVM memory balloon support;
*) chr - added suspend support;
*) console - do not stop "/certificate sign" process if console times out in 1 minute;
*) console - removed "/setup";
*) crs317 - added initial support for HW offloaded MPLS forwarding;
*) crs317 - fixed reliability on FAN controller;
*) crs326 - fixed packet processing speed on switch chip if individual port link speed differs;
*) crs326 - improved transmit performance from SFP+ to Ethernet ports;
*) crs3xx - added ingress/egress rate input limits;
*) crs3xx - hide unused switch "vlan-mode", "vlan-header-mode" and "default-vlan-id" options;
*) crs3xx - switch VLAN configuration integrated within bridge VLAN configuration with hw-offload;
*) dhcp - fixed DHCP services failing after reboot when DHCP option was used;
*) dhcp - fixed unresponsive DHCP service caused by inability to read not set RAW options;
*) dhcp - require DHCP option name to be unique;
*) dhcp-client - limit and enforce DHCP client "default-route-distance" minimal value to 1;
*) dhcp-server - added "option-set" argument (CLI only);
*) dhcp-server - added basic RADIUS accounting;
*) dhcpv4-client - add dynamic DHCP client for mobile clients which require it;
*) dhcpv4-client - allow to use DUID for client as identity string as the option 61;
*) dhcpv4-server - added "NETWORK_GATEWAY" option variable;
*) dhcpv4-server - strip trailing "\0" in "hostname" if present;
*) discovery - use "/interface list" instead of interface name under neighbor discovery settings;
*) e-mail - do not show errors when sending e-mail from script;
*) eoip - made L2MTU parameter read-only;
*) ethernet - removed "master-port" parameter;
*) export - fixed interface list export;
*) fetch - accept all HTTP 2xx status codes;
*) filesystem - implemented additional system integrity checks on reboots;
*) firewall - added "tls-host" firewall matcher;
*) health - fixed bogus voltage readings on CCR1009;
*) hotspot - fixed "dst-port" to require valid "protocol" in "walled-garden ip";
*) hotspot - fixed Walled Garden IP functionality when address-list is used;
*) ike1 - DPD retry interval set to 5 seconds;
*) ike1 - disallow peer creation using base mode;
*) ike1 - fixed crash on xauth if user does not exist;
*) ike1 - fixed memory corruption when IPv6 is used;
*) ike1 - improved stability on phase1 rekeying;
*) ike1 - release mismatched PH2 peer IDs;
*) ike1 - use /32 netmask if none provided by mode config;
*) ike2 - added support for multiple split networks;
*) ike2 - check identities on "initial-contact";
*) ike2 - do not allow to configure nat-traversal;
*) ike2 - fixed PH1 lifetime reset on boot;
*) ike2 - fixed initiator DDoS cookie processing;
*) ike2 - fixed responder DDoS cookie first notify type check;
*) ike2 - kill connection when peer changes address;
*) ike2 - use peer configuration address when available on empty TSi;
*) interface - added "/interface reset-counters" command (CLI only);
*) interface - added default "/interface list" "dynamic" which contains dynamic interfaces;
*) interface - added option to join and exclude "/interface list" from one and another;
*) interface - fixed corrupted "/interface list" configuration after upgrade;
*) ippool6 - try to assign desired prefix for client if prefix is not being already used;
*) ipsec - added DH groups 19, 20 and 21 support for phase1 and phase2;
*) ipsec - allow to specify "remote-peer" address as DNS name;
*) ipsec - fixed incorrect esp proposal key size usage;
*) ipsec - fixed policy enable/disable;
*) ipsec - improved hardware accelerated IPSec performance on 750Gr3;
*) ipsec - improved reliability on certificate usage;
*) ipsec - renamed "firewall" argument to "notrack-chain" in peer configuration;
*) ipsec - skip invalid policies for phase2;
*) ipv6 - add dynamic "/ip dns" server address from RA when RA is permitted by configuration;
*) l2tp - improved reliability on packet processing in FastPath;
*) l2tp-server - fixed PPP services becoming unresponsive after changes on L2TP server with IPSec configuration;
*) lcd - fixed "flip-screen=yes" state after reboot;
*) log - added "bridge" topic;
*) log - fixed interface name in log messages;
*) log - optimized "poe-out" logging topic logs;
*) lte - added "/interface lte apn" menu (Passthrough requires reconfiguration);
*) lte - added Passthrough support;
*) lte - added Yota non-configurable modem support;
*) lte - added support for ZTE ME3630 E1C with additional "/port" for GPS usage;
*) lte - automatically add "/ip dhcp-client" configuration on interface;
*) lte - changed default values to "add-default-route=yes", "use-peer-dns=yes" and "default-route-distance=2";
*) lte - fixed Passthrough support;
*) lte - fixed authentication for non LTE modes;
*) lte - fixed error when trying to add APN profile without name;
*) lte - fixed rare crash when initializing LTE modem after reset;
*) lte - fixed user authentication for R11e-LTE when new firmware is used;
*) lte - integrated IP address acquisition without DHCP client for wAP LTE kit-US;
*) lte - limited minimal default route distance to 1;
*) lte - update info command with "location area code" and "physical cell id" values;
*) m11g - improved ethernet performance on high load;
*) mac-server - use "/interface list" instead of interface name under MAC server settings;
*) modem - added initial support for Alcatel IK40 and Olicard 500;
*) neighbor - show neighbors on actual bridge port instead of bridge itself
*) netinstall - fixed missing "/flash/etc" on first bootup;
*) netinstall - fixed missing default configuration prompt on first startup after reset/netinstall;
*) ospf - fixed OSPF v2 and v3 neighbor election;
*) ovpn-server - do not periodically change automatically generated server MAC address;
*) poe - added new "poe-out" status "controller-error";
*) poe - fixed false positive excessive logs in auto-on mode when connected to 100 Mbps device powered from another power source;
*) poe - log PoE status related messages under debug topic;
*) ppp - added initial support for PLE902;
*) ppp - added support for Sierra MC7750, Verizon USB730L;
*) ppp - do not disconnect PPP connection after "idle-timeout" even if traffic is being processed;
*) ppp - fixed "change-mss" functionality when MSS option is missing on forwrded packets;
*) ppp - fixed L2TP and PPTP encryption negotiation process on configuration changes;
*) ppp - fixed situation when part of PPP configuration was reset to default values after reboot;
*) pppoe-client - properly re-establish MLPPP session when one of the lines stopped transmitting packets;
*) pppoe-server - fixed situation when PPPoE servers become invalid on reboot;
*) quickset - added support for "/interface list" in firewall, neighbor discovery, MAC-Telnet and MAC-Winbox;
*) quickset - fixed LTE quickset mode APN field;
*) quickset - fixed situation when Quickset automatically changes mode to CPE;
*) quickset - renamed router IP static DNS name to "router.lan";
*) radius - limited RADIUS timeout maximum value to 3 seconds;
*) route - fixed potential route crash on routing table update;
*) scheduler - properly display long scheduler configuration;
*) sfp - fixed SFP interface power monitor when bad SFP DDMI information is received;
*) sftp - added functionality which imports ".auto.rsc" file or reboots router on ".auto.npk" upload;
*) sms - fixed minor problem for SMS delivery;
*) sms - log decoded USSD responses;
*) snmp - fixed "ifHighSpeed" value of VLAN, VRRP and Bonding interfaces;
*) snmp - fixed bridge host requests on devices with multiple bridge interfaces;
*) snmp - fixed bulk requests when non-repeaters are used;
*) snmp - fixed consecutive OID bulk get from the same table;
*) snmp - show only available OIDs under "/system health print oid";
*) ssh - do not use DH group1 with strong-crypto enabled;
*) ssh - enforced 2048bit DH group on tile and x86 architectures;
*) system - show USB topology for the device info;
*) tile - improved hardware encryption processes;
*) tr069-client - fixed "/interface lte apn" configuration parameters;
*) traceroute - improved "/tool traceroute" results processing;
*) upnp - add "src-address" parameter on NAT rule if it is specified on UPnP request;
*) upnp - deny UPnP request if port is already used by the router;
*) ups - fixed duplicate "failed" UPS logs;
*) userman - allow to generate more than 999 users;
*) w60g - added "put-stations-in-bridge" and "isolate-stations" options to manage connected clients;
*) w60g - connected stations are treated as separate interfaces;
*) webfig - added favicon file;
*) webfig - fixed router getting reset to default configuration;
*) webfig - fixed terminal graphic user interface under Safari browser;
*) winbox - added "W60G station" tab in Wireless menu;
*) winbox - added "notrack-chain" setting to IPSec peers;
*) winbox - added support for "_" symbol in terminal window;
*) winbox - added switch menu on RB1100AHx4;
*) winbox - do not show MetaROUTER stuff on RB1100AHx4;
*) winbox - do not show duplicate "Switch" menus for CRS326;
*) winbox - do not show duplicate "Template" parameters for filter in IPSec policy list;
*) winbox - do not show duplicate filter parameters "Published" in ARP list;
*) winbox - do not show unnecessary tabs from "Switch" menu;
*) winbox - fixed "/certificate sign" process;
*) winbox - fixed bridge port sorting order by interface name;
*) winbox - show warnings under "/system routerboard settings" menu;
*) wireless - added "allow-signal-out-off-range" option for Access List entries;
*) wireless - added "indonesia3" regulatory domain information;
*) wireless - added passive scan option for wireless scan mode;
*) wireless - added support for CHARGEABLE_USER_ID in EAP Accounting;
*) wireless - check APs against connect-list rules starting with strongest signal;
*) wireless - do not show background scan frequencies in the monitor command channel field;
*) wireless - improved reliability on "rx-rate" selection process;
*) wireless - increased the EAP message retransmit count;
*) wireless - log "signal-strength" when successfully connected to AP;
*) wireless - pass interface MAC address in Sniffer TZSP frames;
*) wireless - updated "UK 5.8 Fixed" and "Australia" country data;
*) wireless - updated "united kingdom" regulatory domain information;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

macsrwe · Fri Dec 22, 2017 3:10 pm

e-mail - do not show errors when sending e-mail from script;

But still appears in the log, I hope?

freemannnn · Fri Dec 22, 2017 3:11 pm

oh my god. and i was thinking what i am gonna do in christmas (4 days holidays). testing testing testing
nice!

Fri Dec 22, 2017 3:16 pm

macsrwe - Of course. This affects only console so e-mail would work properly in script.

dksoft · Fri Dec 22, 2017 4:30 pm

>*) crs326 - fixed packet processing speed on switch chip if individual port link speed differs;
>*) crs326 - improved transmit performance from SFP+ to Ethernet ports;

Sorry, I can not confirm this. Write performance is 105MByte/s, read performance is about 50MByte/s.
It has increased from former versions which was around 20MByte/s. But still far away from full 1GB/s performance.
Flashing back to SwOS 2.3 gives full performance. SwOS 2.4 puts switch in endless reboot loop.
SwOS 2.5 - 2.6 has the same poor performance of about 20MByte/s. SwOS 2.7 is same as RouterOS 6.41.

Tested with Mellanox and Intel NIC.

Fri Dec 22, 2017 4:36 pm

dksoft - Are you running CRS on SwOS or on RouterOS? If you run RouterOS, are you using device as a switch or you use also router functions, for example, firewall rules?

dksoft · Fri Dec 22, 2017 4:38 pm

dksoft - Are you running CRS on SwOS or on RouterOS?

I tried both. RouterOS 6.40 - 6.41, SwOS from 2.3 - 2.7.
Configuration is reset to default after each update. So there are no firewall rules. All ports are switched.

th0massin0 · Fri Dec 22, 2017 4:48 pm

Could somebody tell me how to use vlan in hex v3 properly? By /switch or by /bridge?

rajo · Fri Dec 22, 2017 6:25 pm

Ran into the following bug with upgrading an RB450 from 6.40.4 to 6.41:

NOTE: It appears I must have had the old configuration of ether2 being master and ether3 to ether5 being slaves
1. I performed the upgrade via the console
2. When the router rebooted, ether1 was stable, but ether2 to ether5 were flapping at least every second.
3. I tried power-cycling and same issue as #2
4. I used my cell phone to login to the router via the Internet and inspected the configuration.
5. I noticed that the upgrade process had converted the master/slave config to bridge config.
6. I couldn't find anything wrong except for the fact that the bridge "protocol-mode" was "none"
7. I changed "protocol-mode" to "rstp"
8. Interfaces stabilized and now everything is working.

You may want to update you migration script so "protocol-mode" IS NOT "none"

Thanks

anuser · Fri Dec 22, 2017 7:45 pm

This update will convert all interface "master-port" configuration into new bridge configuration, and eliminate "master-port" option as such.
Bridge will handle all Layer2 forwarding and the use of switch-chip (hw-offload) will be automatically turned on based on appropriate conditions.

Hello,
thanks for the update. I use RouterOS for years running CAPSMAN forwarding based wifi controller with dynamic VLAN IDs for one SSID sent by Microsoft NPS. Upgrading that config from 6.40.5 to 6.41 stops traffic for my clients. I don´t know the reason yet. I have to setup another CAPSMAN and test it some time in 2018. But that´s not the question for now.

I would like to know whether I should expect problems when I let my CAPSMAN controller stay at 6.40.5 and upgrade all CAPs to 6.41 (because of the new wireless drivers)?

msatter · Fri Dec 22, 2017 7:48 pm

Not happy with the conversion...lots of trouble...looking to solve it.

Update:
Despite the promise by support, the bridge was not created and the interfaces (ports) not attached. The DHCP was not moved from previous master to bridge so DHCP. At least it is stable now for a 10 minutes so I can do some more testing and checking.

L2TP+IPSEC with multiple connections is loading up one core and one to 50% and the last two are almost not used.

Update:
It seems to works now as far as I could test it for now and I keep it up and running on 6.41. Thanks for the upgrade and certainly a lot of things are now improved over 6.40.

docmarius · Fri Dec 22, 2017 8:00 pm

Found a first anomaly:
Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.

MrYan · Fri Dec 22, 2017 8:08 pm

Upgrade on RB450G went smoothly. Changes to ethernet removing master-port, interface list adding default lists and then neighbour discovery and mac-server to use the lists.

sanitycheck · Fri Dec 22, 2017 8:39 pm

Found a first anomaly:
Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.

I reset the config on a RB952ui-5ac2nd-us to a default setup on bugfix 6.39.3, and then upgraded it to 6.41. I was connected by mac address in Winbox, not IP. After the upgrade the lights were on but I did not see it in the neighbor list in Winbox. I let it set for about an hour just in case it was still upgrading, but it never showed up. I did not try to connect by default ip 192.168.88.1. Power-cycled it instead, and then it showed up on the Winbox list. So I'm not sure if it was down, or just didn't show up on the neighbor list initially.

UPDATE: I repeated those steps on a new unit I had in stock and observed the same thing. I did confirm that the router was still accessible by IP address (default 192.168.88.1 in this case), just not MAC address. I rebooted the system from Winbox and then, like before, it showed up by MAC address in the neighbor list.

alexsolovyev · Fri Dec 22, 2017 9:53 pm

I wonder if there were any changes between 6.41rc66 and 6.41 release to the multicast package or wireless. I'm watching IPTV over a wireless connection using IGMP Proxy and after the upgrade the image keeps freezing (in about 10 mins after a reboot). No changes to the configuration was made, just the upgrade. Reverting to 6.41rc66 fixes the issue.

Update: it seems to be related to the wireless (checked only 5GHz AC, RouterBOARD 962UiGS-5HacT2HnT) cause it works fine over the ethernet cable. looks like some packets are dropped (Tx is ~7.5 Mbps on bridge and ~5.5 Mbps on wlan).

Update 2: I've found out that the freezes related to a second device connected to the wireless network (iPhone SE). When the phone goes to the sleep mode, IPTV starts freezing. Awakening the phone stops the freezes. Oddly that stated to happen only after upgrade from 6.41rc66 to 6.41

blackbox100 · Fri Dec 22, 2017 10:46 pm

still problems with ingress rate limit on crs326, when set to 135m ingress I get around 100m on speedtest.net, on the 200 pieces of crs226 ingress rate works, when set to 135m I get 130m on speedtest.net

but it has improved since 6.40rc66 where when set to 135m I only got around 30m on speedtest.net

funny enough when I try to change the egress or ingress rate limit now on my test crs326 I get this error

"couldn't change switch port <ether18> - vlan mode not supported (6)

so still 6.41 is still buggy, and not ready for use in a normal setup, but hopefully it will soon be ready, because I need to replace 100 x Dlink 48 port switche, with 200 x CRS326 when they are stable and able to work with egress and ingress rate limits and port isolation and port leakage

Have a merry Christmas

esaym · Fri Dec 22, 2017 11:04 pm

For the new bridge implementation, I assume this does not affect the wAP ac access points? Or do they have a hardware switch built in?

drbunsen · Fri Dec 22, 2017 11:28 pm

No, there is no switch: https://i.mt.lv/routerboard/files/RBwAP ... 162504.png

storp · Fri Dec 22, 2017 11:55 pm

Upgraded RB2011, hAP, wAP ac, cAP and a RB1100 without issues. But wondering if there is a new way of how I should handle bonding interfaces with vlans? Currently I have two bonding interfaces with two ethernet ports each. On each of the bonds I have severals vlans and the vlans are put on a separate bridge (one bridge per vlan). Is there a new and perhaps smarter way of doing this now?

ma678 · Sat Dec 23, 2017 12:21 am

I upgraded my RB750Gr3 from 6.40.5 to 6.41, and now I cannot connect to it via wire or wireless. Did I miss anything here?

Thanks.

nightcom · Sat Dec 23, 2017 1:43 am

RB750Gr3, CRS326 and RB3011 upgraded with no problems (Routerboard firmware also upgraded)

skuykend · Sat Dec 23, 2017 3:57 am

Upgraded CRS317 to 6.41 from rc61. Seemed to be no problems with its upgrade.

I also have a few RB's and CRS as switches connected to it which I left at 6.40.5.

A little while later my CRS226 @ 6.40.5 stopped responding properly which hasn't happened in years. Traffic wasn't being passed properly and a Winbox connection to it would not show interfaces/etc and would disconnect in a minute or so. Rebooted it before Winbox disconnected me all seems to be fine now.

CRS226 has no bridge configuration, all ports master of Ether1, multiple vlans from the CRS317 handled via switch menu with only one internal management vlan off of ether1.

ma678 · Sat Dec 23, 2017 4:48 am

RB750Gr3, CRS326 and RB3011 upgraded with no problems (Routerboard firmware also upgraded)

Were user name or password reverted back to default? I cannot visit via web ui or winbox.

Thanks.

biatche · Sat Dec 23, 2017 7:03 am

By upgrading from 6.40.5, will it automatically and intelligently add the correct rules to switch all the switch-related configurations to bridge ones?

skuykend · Sat Dec 23, 2017 8:42 am

By upgrading from 6.40.5, will it automatically and intelligently add the correct rules to switch all the switch-related configurations to bridge ones?

From what I'm seeing, for most older hardware switch vlan configurations the switch menu and settings are still used. Just the Master-Port changes to bridge setups and the vlan parent interface changes from master-port to the bridge. Sometimes the upgrade has to create a new bridge, sometime it tries to convert old bridges. In my case (overblown for fun home setup) an old bridge on my RB2011 didn't convert cleanly, but most other systems seem to convert fine with hardware acceleration.

My CRS317 which uses the new vlan filtering via bridge menu was already on RC and also upgraded fine.

In total I've updated a CRS317, CRS226, CRS-125-2HnD, RB750GL, CCR1009 (older switch model), a couple WaP AC's and the RB2011.

Only the RB2011 gave me real issues and it seemed to be an invalid configuration issue with a port on the bridge showing "Unknown" bridge. (Was a fairly new configuration so don't know how that happened). Once I restored to previous version, I fixed the issue, upgraded again and everything went well.

I have multiple trunked vlans on most devices and was expecting more issues, so this went surprising well.

Sat Dec 23, 2017 8:54 am

How the conversion works when there are two switches in the device and both are in the common bridge? What if there are multiple switch groups within one switch differently bridged with other interfaces?

skuykend · Sat Dec 23, 2017 9:09 am

How the conversion works when there are two switches in the device and both are in the common bridge? What if there are multiple switch groups within one switch differently bridged with other interfaces?

My RB2011 (I'm using as a switch at the moment) with two switch chips seems to convert and work fine with just one created bridge, all ports show hardware acceleration.

I believe that two groups in the same switch (not counting individually separated ports) will disable hardware acceleration on at least all but one group, forcing all other traffic to flow thru cpu.

JimmyNyholm · Sat Dec 23, 2017 11:49 am

How the conversion works when there are two switches in the device and both are in the common bridge? What if there are multiple switch groups within one switch differently bridged with other interfaces?

I have thought of this to and if I may speculate:
The new bridge per say will use hardware offload if possible. Add bridge, add all ports from both switch chips then there would be one of these 3 outcomes.

1. Nothing is hardware assisted software only.
2. Hardware per chip is activated and should be vissible on interface and inter swich chip should be software.
3. Hardware all the way (how that would be possible looking at block design of rb's

Pre 41 with master and slave ports and software bridge, the two master ports made the 2 scenario so why not now....
As per now i recon that 1 is the option and would advocate for a refined implementation towards 2. But if it allready is 2 I lift my hat and say good work MT.

JimmyNyholm · Sat Dec 23, 2017 12:53 pm

I Posted this question in the 41RC channel but I did not get an answer:

Now Looking at the released version of 6.41 of RouterOS.

if i set:

/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=64

And then look in the switch menu:
The setting is there to and is not reflecting the change. Here there is a change from last rc cli is not outputting the print (winbox does):

[admin@MikroTik] /interface bridge port> /interface ethernet switch port print
Flags: I - invalid 
 #   NAME                 SWITCH                VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID INGRESS-RATE EGRESS-RATE
 0   ether1               switch1                                                           100.0Mbps   250.0Mbps

Winbox switch menu tells me:
Vlanmode=disabled
VlanHeader=leave as is
Default VLAN ID= 0

In RC the cli printed this at print as well but not now.

My questions still are:
Is settings in bridge overriding settings in swith?
Do I need to set both to be sure?
Are there any corner cases where ingres frames with vlan tag would be allowed?
Are there any corner cases when the native untaged vlan would be assumed to be 0 instead of the bridge configured 64

nightcom · Sat Dec 23, 2017 1:03 pm

RB750Gr3, CRS326 and RB3011 upgraded with no problems (Routerboard firmware also upgraded)
Were user name or password reverted back to default? I cannot visit via web ui or winbox.

Thanks.

In my case nothing went to default, just new bridge implemented instead of master-ports. Before upgrade I always reboot unit's (I'm doing it from about a month and I don't have issues at all, before I didn't reboot and sometimes I had issues similar like some people writing on forum,like no IP jus login thru MAC address or i loop etc.), then upgrade to RouterOS I want and after that upgrade Routerboard firmware.

JimmyNyholm · Sat Dec 23, 2017 1:14 pm

Upgraded RB2011, hAP, wAP ac, cAP and a RB1100 without issues. But wondering if there is a new way of how I should handle bonding interfaces with vlans? Currently I have two bonding interfaces with two ethernet ports each. On each of the bonds I have severals vlans and the vlans are put on a separate bridge (one bridge per vlan). Is there a new and perhaps smarter way of doing this now?

This is a complex question:
As of now there is NO hardware support for LACP in 6.41 as far as I know. (Bonding without a protocol is bound to give you problem down the road)
That being said bond interface in RouterOS will and have always been software. Using CRS with weak cpu's compared to number of avail interfaces this is a problem.
Using a Router Board ROUTER ie CCR this is less of a problem in this case we often go from l3 to l2 domain and are in cpu anyway, and there are plenty of them in the ccr's.

Looking at your setup The new setup would be One bridge with several Vlan's. Look at the Router Board block diagram how everything is hooked internally to get a picture of what you are trying to do with the hardware if it is att all possible.

Read the text above with an open mind: Software can do in principal anything but depending on the hardware. If it is software the performance is from nothing to something. Depending on what you are trying to do there may be surprises.

docmarius · Sat Dec 23, 2017 2:57 pm

After the conversion on my CCR1009, the DHCP server failed to work if connected to a bridge interface (it worked dough on a single vlan interface). For static IP hosts, everything seemed running normal.
I traced this back to the fact that STP/RSTP was not enabled. After enabling, it worked as expected.
It seems that afterwards, disabling SSTP keeps it running properly.

upower3 · Sat Dec 23, 2017 5:22 pm

It was kind of "wise" to post this version right before holidays, with no support (even in expect of huge problems), with no smooth way of conversion.

Nice done!

(Hope noone set RB to upgrade authomatically?)

complex1 · Sat Dec 23, 2017 5:36 pm

Just upgrade my RB2011UiAS-2HnD, all went smooth, no issues so far.

kivimart · Sat Dec 23, 2017 5:44 pm

No problem here upgraded firmware also.
RB1100ahx2,
ccr1009-8G-1S-1S+, Runs Capsman
RB962UiGS-5HacT2Hnt,
RB750gr3, RB750GL,
RB912UAG-2HPNnD,
CRS12524G-1S.

I love the releases on Friday and big weekends so i can play with the new releases on the weekends and then upgrade customers routers later.

Merry Christmas

upower3 · Sat Dec 23, 2017 5:45 pm

I love the releases on Friday and big weekends so i can play with the new releases on the weekends and then upgrade customers routers later.

Heavily depends on configuration

Keyko · Sat Dec 23, 2017 6:33 pm

Hello!

Updated SXT LTE (3 item) - updated normally, but firmware update 6.41 did not come. There are a couple of other devices out there was an update from 3.41 to 6.41, is this normal?

irghost · Sat Dec 23, 2017 7:42 pm

*) firewall - added "tls-host" firewall matcher;

any documents?

stmx38 · Sat Dec 23, 2017 8:49 pm

Hello!

Home RB951G-2HnD with simple setup was upgraded to 6.41 from 6.40.5.
Bridge1 was created. DHCP server moved to created bridge1. Firmware was upgraded manually to the 6.41 with additional reboot.
All working fine.

Thank you!

panosla · Sat Dec 23, 2017 9:54 pm

Update to 6.41 bricked my RB750Gr3. In goes into continues boot loop and it is undiscoverable to even perform netinstall.

marlow · Sat Dec 23, 2017 10:39 pm

Mikrotik .. you're kidding me, right ?

How can you release 6.41 ?

The 6.41rc releases are massively unstable.

- CRS317 crash fully on a regular basis with not even access via management console anymore (4 switches, 6 crashes in the last month alone, always on the newest rc release).
- Spanning-tree issues.
- Inconsistant configuration between Atheros and Broadcom based chipset switches.

6.41rc couldn't even be considered beta. How can you make a final release on that basis ?

And yes, I've send bug reports in. Some that have been blatantly ignored, even though they were quite detailed.

/M

ma678 · Sat Dec 23, 2017 10:47 pm

False alarm. After powering off/on my router manually, everything works normally.

marlow · Sat Dec 23, 2017 10:48 pm

Upgraded RB2011, hAP, wAP ac, cAP and a RB1100 without issues. But wondering if there is a new way of how I should handle bonding interfaces with vlans? Currently I have two bonding interfaces with two ethernet ports each. On each of the bonds I have severals vlans and the vlans are put on a separate bridge (one bridge per vlan). Is there a new and perhaps smarter way of doing this now?
......
As of now there is NO hardware support for LACP in 6.41 as far as I know. (Bonding without a protocol is bound to give you problem down the road)

There's is first of all that, which means there's defacto no bonding on the switches. Especially the 300-series (where the RouterOS isn't stable).

And then there's the fact, that we have QinQ (Service-Vlans) on 100 and 200-series switches, but in 300-series it has to be done in software (which isn't stable and the CPU can't handle the traffic).

/M

Sat Dec 23, 2017 11:03 pm

dksoft, anuser, msatter, alexsolovyev, blackbox100, JimmyNyholm - Please send report to support@mikrotik.com explaining the problem you have and including supout.rif files
rajo - Does the same issue appear if you set bridge mode back to "none"?
panosla - Please note that RouterOS version does not in any way affect Netinstall process. Can you Netinstall any other RouterBOARD just to be sure that configuration is correct and computer is not blocking Netinstall process?

mrtester · Sat Dec 23, 2017 11:17 pm

Seems funny that you blame Mikrotik for releasing version on Friday like it would be mandatory to upgrade your core routers now.

Ran into some issues after upgrade but that was my mistake. Recommend to read changelog before an upgrade first, got a little bit confused after I upgraded my first router. For me no issues so far. Just that fix for address list timeouts not included in this release yet. When can we expect this Mikrotik?

marlow · Sat Dec 23, 2017 11:36 pm

Hello!

Updated SXT LTE (3 item) - updated normally, but firmware update 6.41 did not come. There are a couple of other devices out there was an update from 3.41 to 6.41, is this normal?

Mikrotik decided some time during 6.41rc to change the naming scheme for the BIOS updates. So instead of keeping a seperate versioning of the BIOS releases, the BIOS has now the same version number as the RouterOS version under which it was introduced.

Just to make the confusion complete.

/M

rajo · Sat Dec 23, 2017 11:48 pm

rajo - Does the same issue appear if you set bridge mode back to "none"?

Yes. It flaps, if I set it back to "none." Power-cycling did not help.

marlow · Sat Dec 23, 2017 11:49 pm

Please send report to support@mikrotik.com explaining the problem you have and including supout.rif files

This is funny !!

Can you please explain, when Mikrotik will amend the CRS3xx releases, so that the supout.rif not gets written to volatile memory, but onto flash instead ?

Because if the switch crashes and you loose all network connectivity, but manage to get access via console (which happens frequently enough). Then generate the supout.rif. Then reboot, to get network connectivity again ... well, the way it's currently your supout.rif then is ... gone.

I've pointed this out in a few tickets during 6.41rc, but it has been ignored so far and that behavior is still present in the 6.41 release.

/M

JimmyNyholm · Sun Dec 24, 2017 12:22 am

dksoft, anuser, msatter, alexsolovyev, blackbox100, JimmyNyholm - Please send report to support@mikrotik.com explaining the problem you have and including supout.rif files
rajo - Does the same issue appear if you set bridge mode back to "none"?
panosla - Please note that RouterOS version does not in any way affect Netinstall process. Can you Netinstall any other RouterBOARD just to be sure that configuration is correct and computer is not blocking Netinstall process?

I can bother the support for an answer to my question but I think that is contra productive. If you just answer my question here it will be beneficial for everyone. And the support can then help customers with operational problems instead of my need to understand how it all works now. If we could read about it we would but the information is not there to read.

My Question is formulated out of uncertainty When one window in Winbox tells me A en the other window tells me B and I know this is a new implementation. Are there any corner cases and thus your vision with this new functionality is not clear to us users what settings affect hardware and what settings override other settings and can I guaranty that certain packet is not accepted ingress and that only certain ports are available on egress for that packet. In essens what do I need to configure one or both menus to be safe. I do not have a problem that I'm aware of, but it feels uncertain.

My post from earlier today also noted one change from the RC channel to release channel is that the cli output is omitting the contradicting settings from switch menu but Winbox does not.
I do not think that this version is Release ready out of this uncertainty.

I do recon that the release have great additions to Router Boards without switch chips and for these devices I do not have any questions.

My Questioning comes alone from the fact that i'm running RouterOS on my CRS317-1G-16S+RM's and CRS326-24G-2S+RM's. I bought these to get ONE management sullotion Winbox and CLI of Router OS it fits nice with the CCR's.
Keep up the good work! Thanks and have a Merry Christmas.

JimmyNyholm · Sun Dec 24, 2017 12:33 am

Please send report to support@mikrotik.com explaining the problem you have and including supout.rif files
This is funny !!

Can you please explain, when Mikrotik will amend the CRS3xx releases, so that the supout.rif not gets written to volatile memory, but onto flash instead ?

Because if the switch crashes and you loose all network connectivity, but manage to get access via console (which happens frequently enough). Then generate the supout.rif. Then reboot, to get network connectivity again ... well, the way it's currently your supout.rif then is ... gone.

I've pointed this out in a few tickets during 6.41rc, but it has been ignored so far and that behavior is still present in the 6.41 release.

/M

I had this problems too on some of my devices: Alarm led is lit all l2 hardware switching continue but all routeros functions management, serial, routing is stopped until reboot and there is nothing there in the flash but a error in cli saying that kernel panic and unexpected reboot. I will update to this release version and see if the problem comes again.

marlow · Sun Dec 24, 2017 1:04 am

I had this problems too on some of my devices: Alarm led is lit all l2 hardware switching continue but all routeros functions management, serial, routing is stopped until reboot and there is nothing there in the flash but a error in cli saying that kernel panic and unexpected reboot. I will update to this release version and see if the problem comes again.

I have 10+ CRS317 and 2 CRS326. Of those, I deployed 6 CRS317 in non-critical locations after lab-test.

Of these 6, 4 have crashed in that manner. 2 of them twice. 6.41rc32 all the way up to 6.41rc66. Console provides no output either.

Mikrotik has had no response on that issue.

It's not the only problem I have with the CRS3xx series. Basically, under RouterOS, it's currently a downgrade feature wise from the previous switches. QinQ being a major issue.
Selling a switch, that can't be used as a switch with the current stable version of the firmware is a joke in itself. Probably one of the reason, why they're trying to rush out 6.41. None of the CRS3xx switch-chip features are supported in 6.40.x
This week, I raised an issue with spanning-tree, which went completely unanswered, as they obviously were preparing to release 6.41. The issue is, that it actually degrades previous Mikrotik switches to near unusable in certain mixed environments. In theory, an issue like that would have prevented the release, as such it was ignored.

They are back to trying to fix issues with beta and rc releases, introducing a completely unstable environment. And when customers declare that hardware can't go into production on beta or rc-releases, then they just rename said beta and rc-releases as stable .. be it stable or not.

I'm not far from just wrapping all my CRS3xx series up and either ship them back for a refund OR smash them to bits and send Mikrotik the rubble to Riga.

/M

mducharme · Sun Dec 24, 2017 3:48 am

Upgraded RB2011, hAP, wAP ac, cAP and a RB1100 without issues. But wondering if there is a new way of how I should handle bonding interfaces with vlans? Currently I have two bonding interfaces with two ethernet ports each. On each of the bonds I have severals vlans and the vlans are put on a separate bridge (one bridge per vlan). Is there a new and perhaps smarter way of doing this now?

You can put the VLANs on a single bridge now and configure for each bridge port what VLANs should be allowed/blocked and what VLAN should be untagged and what VLANs should be tagged.

marlow · Sun Dec 24, 2017 3:52 am

Upgraded RB2011, hAP, wAP ac, cAP and a RB1100 without issues. But wondering if there is a new way of how I should handle bonding interfaces with vlans? Currently I have two bonding interfaces with two ethernet ports each. On each of the bonds I have severals vlans and the vlans are put on a separate bridge (one bridge per vlan). Is there a new and perhaps smarter way of doing this now?
You can put the VLANs on a single bridge now and configure for each bridge port what VLANs should be allowed/blocked and what VLAN should be untagged and what VLANs should be tagged.

The problem is, that it's not quite that easy. To archieve hardware offloading on the older platforms, you still need to configure it the traditional way. It'll be done in software/cpu otherwise.

Hardware offloading using the bridge/vlan setup only works for the Broadcom (and maybe Realtek) chipsets. On the Atheros chipsets, you still have to do the traditional setup in Switch->Vlan also.

/M

mducharme · Sun Dec 24, 2017 4:45 am

The problem is, that it's not quite that easy. To archieve hardware offloading on the older platforms, you still need to configure it the traditional way. It'll be done in software/cpu otherwise.

Hardware offloading using the bridge/vlan setup only works for the Broadcom (and maybe Realtek) chipsets. On the Atheros chipsets, you still have to do the traditional setup in Switch->Vlan also.

/M

He said he was using bonding interfaces, so he doesn't have hardware offloading anyway because of that.

I'm also hoping MikroTik will eventually remove the need for the special "switch" menu on Atheros chips.

D1M0N · Sun Dec 24, 2017 10:53 am

Update RB951G-2HnD from v6.40.5 to v6.41 and update firmware from 3.41 to 6.41 without problem.
In BRIDGE settings ADDED!!! IGMP Snooping !!! and fast forward...
I test it.
THNX MIKROTIK TEAM!
Happy holidays, and Merry Christmas !!!

Sun Dec 24, 2017 11:02 am

Keyko - This change is mentioed in changelog:
!) routerboot - RouterBOOT version numbering system merged with RouterOS
rajo - In that case definitely send to support two supout files - one generated while mode is none and interfaces are flapping and other when they are not with different settings. Are you sure that they did not flap on old version when mode is set to none? Are you sure that there is no actual loop in your network causing this?
marlow, JimmyNyholm - You can simply generate supout file manually which will be exactly the same thing as autosupout file. Autosupout file is not generated under "/flash" directory on devices with small storage space so storage would not get filled leaving no free memory for other purposes;
marlow - Did you upgrade to 6.41 from rc version? Please note that rc versions are made for testing purposes. Main idea is to create version in a way that 6.40.5 -> 6.41 upgrade works properly.

msatter · Sun Dec 24, 2017 12:21 pm

dksoft, anuser, msatter, alexsolovyev, blackbox100, JimmyNyholm - Please send report to support@mikrotik.com explaining the problem you have and including supout.rif files

I did that on RC66 and got the reply that those issues would be resolved before final release....it was not and luckily the MAC access worked this time.

I had the feeling then that it would "rushed" out before the end of the year or even sooner and that is why wrote the RC thread "wait till 2018".

I had no problem with my router becoming unresponsive, and have all the files standing by to recover. So I made the plunge and after some manual work I had a working router back.

Other those who have no easy access to their devices I do not envy and hope the won't have stress or worse during Christmas.

pe1chl · Sun Dec 24, 2017 12:41 pm

Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.

For me, neighbor discovery did not work after the upgrade, it had created a new list "discover" containing the interfaces it was active on before upgrade, but the discovery list was empty.
When selecting "all" it worked OK. I set it back to "discover" and rebooted a second time after the upgrade and then the discovery worked OK.
So it is likely something related to the config migration process relative to the reboot. I have done 2 reboots before when upgrading, if only because firmware was upgraded, and in that case it probably works fine.

marlow · Sun Dec 24, 2017 1:05 pm

marlow, JimmyNyholm - You can simply generate supout file manually which will be exactly the same thing as autosupout file. Autosupout file is not generated under "/flash" directory on devices with small storage space so storage would not get filled leaving no free memory for other purposes;

I'm not talking about autosupout.

I'm talking about manually generated supout files. On the CRS3xx series, these are stored in volatile storage, meaning they're gone after a reboot. And that's very unhelpful, when you need to reboot to get the file off the switch.

/M

pe1chl · Sun Dec 24, 2017 1:22 pm

Ran into the following bug with upgrading an RB450 from 6.40.4 to 6.41:

NOTE: It appears I must have had the old configuration of ether2 being master and ether3 to ether5 being slaves
1. I performed the upgrade via the console
2. When the router rebooted, ether1 was stable, but ether2 to ether5 were flapping at least every second.
7. I changed "protocol-mode" to "rstp"
8. Interfaces stabilized and now everything is working.

You may want to update you migration script so "protocol-mode" IS NOT "none"

I upgraded my 2011 and watched for this issue but it does not happen here (protocol-mode still is none and everything works OK)

Sun Dec 24, 2017 2:10 pm

marlow - All you need is correct file name. Instead of "supout.rif" use "flash/supout.rif".

Please keep this topic directly related to 6.41.

Valexus · Sun Dec 24, 2017 2:20 pm

I upgraded my Test hAP from 6.39.5 to 6.41 and it just works fine! Now i will test the new VLAN aware bridge

To all who already upgraded devices in production right before christmas and complain now: This is so stupid!
It's not new that these new versions have issues with existing configurations and there is a Bugfix Channel which works well.
Also if you want better support you should use a different brand with a support contract but then the devices wont be so damn cheap anymore.

marlow · Sun Dec 24, 2017 3:09 pm

marlow - All you need is correct file name. Instead of "supout.rif" use "flash/supout.rif".

Please keep this topic directly related to 6.41.

This is on topic, as the CRS3xx series only becomes useful in 6.41, if the issues get sorted, that is.

Maybe the default then should be changed for the platforms where "/" is volatile. It's not obvious to the user, until he looses the supout the first time around.

Also, where is the documentation for this, please ? The manual: https://wiki.mikrotik.com/wiki/Manual:S ... utput_File says nothing about, that the default location on some platforms is volatile.

/M

osc86 · Sun Dec 24, 2017 4:14 pm

How to correctly add virtual interfaces like eoip tunnels to the bridge?
I tried 2 ways to get this working, without any luck.

1. When I add the tunnel interface as port to the bridge and create vlans on the bridge, the interface never comes up because of constant STP Learning/Discarding. I didn't find a way to disable stp on single ports.
2 If I remove the tunnel interface from the brdige and only add vlan subinterfaces, no traffic is passing through.

There is like no documentation available on how to get this kind of setup working

Edit:
Got it working. Added the vlan of the tunnel as bridge port but set pvid matching vlanid (which doesn't make sense because the traffic coming from / going to this interface should be tagged).
I've noticed an increase of CPU usage by about 5% on my CCR-1009. While it always was at 0-1% in 6.40.5, I now have constant cpu usage of about 6-7% without any traffic on the router. The process causing this is "unclassified" and uses only one cpu.

Sun Dec 24, 2017 5:58 pm

Main idea of this topic is to find problems caused in particular release. In this case changes between 6.40.5 and 6.41. If you have problem in 6.41 which was not there in 6.40.5, then please share it on this topic and/or report to support@mikrotik.com. If problem was there already before, then we recommend to create a new forum topic. Unrelated posts confuse other users and discourage from an upgrade.

Supout file generate process has not been changed for years. However, we have updated supout file wiki page and know you can see an example on how to generate supout file on specific folder.

msatter · Sun Dec 24, 2017 6:06 pm

marlow - All you need is correct file name. Instead of "supout.rif" use "flash/supout.rif".

Please keep this topic directly related to 6.41.
This is on topic, as the CRS3xx series only becomes useful in 6.41, if the issues get sorted, that is.

Maybe the default then should be changed for the platforms where "/" is volatile. It's not obvious to the user, until he looses the supout the first time around.

Also, where is the documentation for this, please ? The manual: https://wiki.mikrotik.com/wiki/Manual:S ... utput_File says nothing about, that the default location on some platforms is volatile.

/M

The default location is also on the 750Gr3 in volatile memory. However you can move it to flash and the file is not that big so that it will fit in the free flash memory.

chuky0 · Sun Dec 24, 2017 7:11 pm

Here's what I got from upgrading, it did not go smoothly. I had to reboot hex several times to get it going. I can't connect to my wapac device at all. Luckicly wifi is still working, I will fix it when I have alot of time to trouble shoot .So far I have trouble shot for hours. rebooting, etc.

Capture by bet-chu, on Flickr

Ulypka · Sun Dec 24, 2017 10:36 pm

Empty in Upgrade Firmware

hapi · Sun Dec 24, 2017 10:48 pm

and several other SXTs.

crash9877 · Sun Dec 24, 2017 11:42 pm

Hi Guyz,

update on my CCR1009-1s-1s+ (older Modell) worked, but i see no bridge. Is this correct?
besides my CRS125-24G-1s worked fine. converted all ports to Bridge.
hAP AC worked although fine.

Regards

crash9877

haik01 · Mon Dec 25, 2017 12:15 am

Upgraded an "empty" hAP Lite. Upgrade went fine, and after reboot, router was not reachable. Not by MAC not by IP.

I had to reset hardware TWICE, to get it running.

I have 5 different routerboards in production, and I am definitely NOT going to upgrade if these kind of problems can occur. They are all remote sites (some of them 300 km away).

pietroscherer · Mon Dec 25, 2017 1:11 am

Unable to upgrade using "check for updates" menu, on my hAP-lite. I received a message of no enough space (7,2 MB was necessary and 7,2 was free).
Droping the main package to router worked without problems.

The hAP-lite seems to works fine for now.

killersoft · Mon Dec 25, 2017 1:39 am

IP Neighbor

Please revert or Alter the NEW functionality of Neighbor discovery.

I use specific Bridges/Interfaces ( A management VLAN segment) that see's all devices, but I also have Client Side Bridges/Vlans/Interfaces. I DO NOT want Clients to SEE Discovery Broadcasts.
Thus I ask you to Revert to previous functionality, or add a Specific interface(s) to allow/dis-allow the discovery broadcasts.

Cheers

Cha0s · Mon Dec 25, 2017 1:48 am

IP Neighbor

Please revert or Alter the NEW functionality of Neighbor discovery.

I use specific Bridges/Interfaces ( A management VLAN segment) that see's all devices, but I also have Client Side Bridges/Vlans/Interfaces. I DO NOT want Clients to SEE Discovery Broadcasts.
Thus I ask you to Revert to previous functionality, or add a Specific interface(s) to allow/dis-allow the discovery broadcasts.

Cheers

This functionality has been moved to interface lists.
By default, after the upgrade a dicover interface list is created with all the interfaces that where enabled for discovery prior to the 6.41 upgrade.
It doesn't always migrate everything properly depending on your configuration, but you can easily edit that interface list and only allow the interfaces you want for neighbor discovery.

Same goes for mac-server (mac winbox & mac-telnet) as well.

It was also mentioned in the changelog

*) discovery - use "/interface list" instead of interface name under neighbor discovery settings;
...
*) mac-server - use "/interface list" instead of interface name under MAC server settings;

Frostbyte · Mon Dec 25, 2017 1:55 am

I have a question regarding v6.41 and FastPath.

I have 2x hAP AC units.
Each one of them has a CPE, connected on ether1, providing internet access.
Both of the units contain Scripts, Schedulers and Mangle rules to handle Load Balancing and WAN Failover mechanisms.

Since VLANs are used heavily in this setup, all of the interfaces (bar one, which is used for VLAN trunking and communication between the units) are members in Bridges.
FastPath would work flawlessly between interfaces that had master-slave relationships, even though the Firewall was populated with a few rules.

Now that the master-port parameter is gone, I'm forced to use bridges for everything. But if the "Use IP Firewall" option is ON, Bridge Fast Path is deactivated.
If I disable "Use IP Firewall" in Bridge settings, my transfer speed is ~110MB/s, but I can no longer use my Mangle rules for Load Balancing.
If I enable "Use IP Firewall" in Bridge settings, my transfer speed is ~55MB/s, and I can use my Mangle rules for Load Balancing.

Prior v6.41, I could utilize the master-port setting, to achieve the best of both worlds (for some ports) - but now this is impossible.
Does Mikrotik plan to do anything about this?

Also, can you please be more elaborate on the "appropriate conditions" for hw-offload?
Only one of my ports appears to have the "H" flag.
The rest of the ports which are all Bridged with VLANs (access mode) do not appear to utilize hw-offload.
Just for the record, I deleted and re-created those Bridges (with and without involving VLANs) and the "H" flag will still not come up.

skuykend · Mon Dec 25, 2017 4:30 am

update on my CCR1009-1s-1s+ (older Modell) worked, but i see no bridge. Is this correct?

If you didn't have any of the switch ports set to a Master-port, then this is normal.

chuky0 · Mon Dec 25, 2017 6:19 am

Here's what I got from upgrading, it did not go smoothly. I had to reboot hex several times to get it going. I can't connect to my wapac device at all. Luckicly wifi is still working, I will fix it when I have alot of time to trouble shoot .So far I have trouble shot for hours. rebooting, etc.

Capture by bet-chu, on Flickr

So, ehter1 was still selected in DHCP Client, thats why I didn;t get an IP addy with the update. Logged into hEX to see my v6 wapac address, looged into wapac with v6 address, set DHCP client on bridge and voila.

Stil, no reason why I don't get v6 in ND on my winbox liek in this thread viewtopic.php?f=21&t=118408&p=632361#p632361

KBV · Mon Dec 25, 2017 9:24 am

After upgrading my home RB3011 6.40.5 to 6.41RC/ 6.41.

Then I increased <max-neighbor-entries> to 16384 and the problem disappeared.
But there are only two neighbor devices...

[admin@MikroTik] > /log print
[...]
07:42:02 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:02 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:02 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:04 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:04 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:04 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:04 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:07 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:07 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries
07:42:07 warning ipv4 neighbor table overflow, please consider increasing max-neighbor-entries

[admin@MikroTik] > /ip neighbor print
# INTERFACE ADDRESS MAC-ADDRESS IDENTITY VERSION BOARD
0 ether2... 192.168.80.250 00:50:56:AC:6F:C8 MikroTi... 6.41 (s... CHR
1 ether5... 192.168.80.253 4C:5E:0C:53:6B:34 RB951G-... 6.41 (s...RB951G-2HnD

[admin@MikroTik] > /ip settings print
[...]
max-neighbor-entries: 8192

[admin@MikroTik] > /ip neighbor discovery-settings print 
discover-interface-list: discover

[admin@MikroTik] > /interface list member print where list="discover"
Flags: X - disabled, D - dynamic 
 #   LIST                                                                 INTERFACE                                                                
 0   discover                                                             bridge-LAN                                                               
 1   discover                                                             bridge-DMZ

killersoft · Mon Dec 25, 2017 10:10 am

Thanks Cha0s. I suspect I have 50+ units to manually fix-up when I go to upgrade in regards to IP Neighbor Discovery

Chupaka · Mon Dec 25, 2017 11:40 am

After upgrading my home RB3011 6.40.5 to 6.41RC/ 6.41.

Then I increased <max-neighbor-entries> to 16384 and the problem disappeared.
But there are only two neighbor devices...

Isn't max-neighbor-entries about IP ARP table? Check it, not Neighbour Discovery

KBV · Mon Dec 25, 2017 12:07 pm

Isn't max-neighbor-entries about IP ARP table? Check it, not Neighbour Discovery

Now (usually) the ARP table contains 11 entries - 9 LAN and 2 from outside (WAN).
---
[admin@MikroTik] > /ip arp print count-only
11
---
But I can check at the time the problem occurs.

pe1chl · Mon Dec 25, 2017 1:36 pm

Now (usually) the ARP table contains 11 entries - 9 LAN and 2 from outside (WAN).
---
[admin@MikroTik] > /ip arp print count-only
11
---
But I can check at the time the problem occurs.

What is your configuration? How large is your local subnet and is there a default route to some WAN address?
Errors like that can occur when the subnet is large and is being scanned, or when there is no default route and the next hop has "proxy arp" enabled.
In such cases there can be many open ARP requests. (in first case, unresolved ones, and in second case, one for each remote address all with MAC of the next hop)

Mon Dec 25, 2017 2:41 pm

chuky0 - Can you check if you see router in neighbors when you connect to other router? Main idea is to see if Winbox loader neighbors do not work or problem is also there on RouterOS. If you downgrade router to 6.40.5, then does it appear on neighbors list?
Ulypka, hapi - Sorry for any inconvenience caused. We will fix missing firmware issue in next release.
haik01 - Did you reset with reset button or did you Netinstall device? From which version did you upgrade this device? Reset is always the same so most likely reset process was not properly started on the first attempt.
killersoft - Discovery process does not differ from older versions. In previous versions, you did, for example, set "ether1 discover=yes", but now you simply add interfaces to list on which discovery is enabled.
Frostbyte - Please send supout file to support@mikrotik.com so we can investigate what is going on with you device.
KBV - Most likely device was under some kind of DDoS attack and such problem did suddenly appear. If you can not find a cause of the problem, then generate supout file while you see such warnings in log and send this file to support@mikrotik.com.

dancsa · Mon Dec 25, 2017 4:16 pm

I can also confirm that unreachable management after upgrade on my home gateway (HEX)

Logged in via winbox using IP address, open therminal

Code: Select all


[admin@MikroTik] /system package update> check-for-updates 

          channel: current

  current-version: 6.40.5

   latest-version: 6.41

           status: New version is available



[admin@MikroTik] /system package update> download 

          channel: current

  current-version: 6.40.5

   latest-version: 6.41

           status: Downloaded, please reboot router to upgrade it



[admin@MikroTik] /system package update> /system reboot

After reboot, router works, but I couldn't reach it via IP (winbox, webfig), winbox discovery didn't show it. I didn't bother to get my linux laptop, where it is easier to debug, so i just power cycled the hex, it solved it.

KBV · Mon Dec 25, 2017 4:19 pm

What is your configuration? How large is your local subnet and is there a default route to some WAN address?
Errors like that can occur when the subnet is large and is being scanned, or when there is no default route and the next hop has "proxy arp" enabled.
In such cases there can be many open ARP requests. (in first case, unresolved ones, and in second case, one for each remote address all with MAC of the next hop)

Maybe you are right, but before such an error was not.
I'll have to write a script that checks the log and stores the output of the command <ip arp> on time.

UPD
Or I can create such a <Service check> and <chart> in the Dude... Thanks )

Kindis · Mon Dec 25, 2017 7:54 pm

Updated two CHR, a 3011, a 750Gr3, a wAP SC and a 493G. All is fine but I had to restart both 750Gr3 and 3011 several times.
First to get neighborhood to work after firmware and then again a few days after because I noted that FastTrack did not work. Now everything work just fine.

Cha0s · Mon Dec 25, 2017 8:39 pm

Upgraded multiple boards without almost any issues.

RB3011
RB850Gx2
hAP-Lite
mAP-Lite
SEXTANTG
RB433AH
x86

The only issue I had was some IPsec tunnels (manually configured using keys) would keep establish and then disconnect repeatedly.
I couldn't figure out what was causing it. It was happening only on 3 installations (RB850Gx2 and 2 x86). After I used the EoIP IPsec with PSK it worked ok. Didn't have time to troubleshoot further what was the problem in the first place.

Thankfully I didn't encounter any of the more serious issues others have mentioned.

panosla · Mon Dec 25, 2017 9:21 pm

panosla - Please note that RouterOS version does not in any way affect Netinstall process. Can you Netinstall any other RouterBOARD just to be sure that configuration is correct and computer is not blocking Netinstall process?

Sorry, my bad. I was actually trying to netinstall using ether2 instead of ether1.
Recovered configuration from the export (with changes to fit new bridge implementation) and everything works fine now.

haik01 · Mon Dec 25, 2017 9:25 pm

Interesting thing:

Updated the following equipment to the latest release 6.41.

I have:

RB2011 as main router
CRS 106-1C-5S (SFP switch)
hAP ac

If I do a neighbour scan from the main router it only finds the CRS and my Cisco AP1142n. It does NOT see the hAP ac.

If I do a neighbour scan from the hAP ac, then I CAN see all the Mikrotik devices (including the Cisco AP).....

Not really bad, but is this a bug? I selected "all interfaces" for discovery.

Mon Dec 25, 2017 9:36 pm

Isn't there any firewall or other setting that prevents visibility of hap?

haik01 · Mon Dec 25, 2017 9:38 pm

It shouldn't. 5 minutes ago, when the version was 6.39, everything was visible, and worked perfectly. Now after the update.... it does not.

UPDATE: it took some time (more than 5 minutes), but now I see all the equipments.

chuky0 · Tue Dec 26, 2017 12:04 am

chuky0 - Can you check if you see router in neighbors when you connect to other router? Main idea is to see if Winbox loader neighbors do not work or problem is also there on RouterOS. If you downgrade router to 6.40.5, then does it appear on neighbors list?

Thanks for the reply strods, each device can see each other in Neighbor List. Now that I think of it, I started another thread about winbox stopped seeing devices with ipv6 in my Neighbors list when I was on 6.40.5 Maybe this is a winbox bug problem with some kind of Windows 10 update ? I don't want to downgrade to try it out, I'm a little gun shy from the problems I had with this upgrade.

nl by bet-chu, on Flickr

Frostbyte · Tue Dec 26, 2017 2:32 am

Frostbyte - Please send supout file to support@mikrotik.com so we can investigate what is going on with you device.

I went ahead and did so, thank you.

It's to my understanding though, that with such a radical change, the whole FastPath mechanism also needs to be reworked.
Right now you have to chose: you'll either have Firewall, or FastPath.. With the master-port setting, we could've had both.

osc86 · Tue Dec 26, 2017 5:36 am

Adding or removing vlans in MSTI makes my 1009 unreachable on all interfaces, have to power cycle to regain access.. 100% reproducible

KBV · Tue Dec 26, 2017 9:08 am

Can you explain what it is?

[admin@MikroTik-3011] > /ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters       chain=forward action=passthrough 
 1    chain=output action=drop protocol=icmp out-interface-list=WAN-Zone log=yes log-prefix="" 
 2    chain=input action=drop protocol=icmp in-interface-list=WAN-Zone log=no log-prefix=""

/log print
[...]
13:48:40 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->5.140.18.171, len 199 
13:48:40 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->213.144.15.197, len 151 
13:48:43 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->130.25.184.120, len 159 
13:48:43 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->122.118.192.105, len 157 
13:48:43 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->110.168.174.166, len 154 
13:48:49 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->182.250.46.228, len 162 
13:48:49 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->1.199.255.204, len 118 
13:48:49 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->171.14.115.181, len 160 
13:48:49 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->93.36.189.219, len 118 
13:48:54 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->198.167.140.58, len 148 
13:48:57 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->173.239.236.54, len 157 
13:48:57 firewall,info output: in:(unknown 0) out:ether9-WAN, proto ICMP (type 3, code 1), xx.xx.xx.xx->173.239.236.54, len 157

This is the log from the router's OUTPUT chain. Where xx.xx.xx.xx is my ip address.
I do not use <Rejection> rules, only DROP.
Maybe Is this the problem with overflow about I wrote above?

Cha0s · Tue Dec 26, 2017 9:16 am

These look like replies your router sends to incoming packets to unreachable hosts. The router generates those ICMP packets to inform the sender that the host is unreachable.

https://tools.ietf.org/html/rfc792

ICMP Fields:
   Type
      3
   Code
      0 = net unreachable;
      1 = host unreachable;
      2 = protocol unreachable;
      3 = port unreachable;
      4 = fragmentation needed and DF set;
      5 = source route failed.

KBV · Tue Dec 26, 2017 9:21 am

These look like replies your router sends to incoming packets to unreachable hosts. The router generates those ICMP packets to inform the sender that the host is unreachable.

Yes, I read it.
But I do not use <Rejection> rules.

[admin@MikroTik-3011] > /ip firewall filter print count-only where  action="reject"
0

Anumrak · Tue Dec 26, 2017 9:52 am

Maybe your ICMP rule is allowed because it is not denied?

pe1chl · Tue Dec 26, 2017 11:10 am

KBV: please show your full configuration of at least /ip route and /ip firewall
it looks like the ICMP packets have no default route and thus are ARP'ed directly on your WAN interface, just as I suggested above.
maybe you are using some kind of policy routing (marking) that does only work in the forward chain.

upower3 · Tue Dec 26, 2017 3:59 pm

Upgraded RB2011, hAP, wAP ac, cAP and a RB1100 without issues. But wondering if there is a new way of how I should handle bonding interfaces with vlans? Currently I have two bonding interfaces with two ethernet ports each. On each of the bonds I have severals vlans and the vlans are put on a separate bridge (one bridge per vlan). Is there a new and perhaps smarter way of doing this now?
You can put the VLANs on a single bridge now and configure for each bridge port what VLANs should be allowed/blocked and what VLAN should be untagged and what VLANs should be tagged.

It would be nice to have some docs on wiki so we have kind of official howtos. I ask this mainly for I'd like to know the best way (in terms of stability, perfomance, approach, general way of development) from MT's point of view.

Say, if we consider models like 2011, they feature two switch chips (100M and 1G), and connection between them was CPU-only. Before 6.41, when I set up like eth1 as master and eth2-eth5 as slaves and eth6 as another master, eth7-10 as another slaves, I had to connect eth1 and eth 6 to bridge to assign single IP on bridge1. But this way I understand between which ports traffic to be h/w accelerated.

Now (as of new bridge implementation) I can add eth1..eth10 to bridge, turn on "h/w accelerated" checkbox, and it looks like all ports are accelerated. But in reality, traffic will be passed from eth1..eth5 to eth6..eth10 via the same CPU, isn't it? So, interface will mislead me to believe something that's not for real.

This is why I'd really love to see such gotchas in doc on wiki. Please!

pe1chl · Tue Dec 26, 2017 4:05 pm

It would be nice to have some docs on wiki so we have kind of official howtos.

Here it is: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
Some detail about VLAN and how to convert it: https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering

Now (as of new bridge implementation) I can add eth1..eth10 to bridge, turn on "h/w accelerated" checkbox, and it looks like all ports are accelerated. But in reality, traffic will be passed from eth1..eth5 to eth6..eth10 via the same CPU, isn't it? So, interface will mislead me to believe something that's not for real.

As before, you still need to know and understand the block diagram for each router model, as there are other pitfalls like that and there always have been.

sup5 · Tue Dec 26, 2017 4:09 pm

I think it will be needed to implement pseudo-interfaces in RouterOS.
These pseudo-interfaces will be unremovable and greyed-out interfaces which connect the cpu with the switch-chip.

This way we could:
- monitor the amount of traffic traversing the CPU-port (i.e. to monitor oversubscription of the CPU-port)
- torch the traffic traversing the CPU-port

upower3 · Tue Dec 26, 2017 4:13 pm

I think it will be needed to implement pseudo-interfaces in RouterOS.
These pseudo-interfaces will be unremovable and greyed-out interfaces which connect the cpu with the switch-chip.

This way we could:
- monitor the amount of traffic traversing the CPU-port (i.e. to monitor oversubscription of the CPU-port)
- torch the traffic traversing the CPU-port

Oh, this gonna be great feature! If MT will manage to do that along with visual packet tracer like the one that's there for Cisco ASA...!

marlow · Tue Dec 26, 2017 4:19 pm

It would be nice to have some docs on wiki so we have kind of official howtos.
Here it is: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
Some detail about VLAN and how to convert it: https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
Now (as of new bridge implementation) I can add eth1..eth10 to bridge, turn on "h/w accelerated" checkbox, and it looks like all ports are accelerated. But in reality, traffic will be passed from eth1..eth5 to eth6..eth10 via the same CPU, isn't it? So, interface will mislead me to believe something that's not for real.
As before, you still need to know and understand the block diagram for each router model, as there are other pitfalls like that and there always have been.

VLan filtering will disable the hardware offloading on older switch chips.

All Vlan-filtering on Atheros chipset based switch-chips (CRS1xx, CRS2xx, 2011, etc.) still has to be configured in the switch menu. Otherwise you end up running fully in CPU.

/M

upower3 · Tue Dec 26, 2017 4:24 pm

It would be nice to have some docs on wiki so we have kind of official howtos.
Here it is: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
Some detail about VLAN and how to convert it: https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
Now (as of new bridge implementation) I can add eth1..eth10 to bridge, turn on "h/w accelerated" checkbox, and it looks like all ports are accelerated. But in reality, traffic will be passed from eth1..eth5 to eth6..eth10 via the same CPU, isn't it? So, interface will mislead me to believe something that's not for real.
As before, you still need to know and understand the block diagram for each router model, as there are other pitfalls like that and there always have been.

VLan filtering will disable the hardware offloading on older switch chips.

All Vlan-filtering on Atheros chipset based switch-chips (CRS1xx, CRS2xx, 2011, etc.) still has to be configured in the switch menu. Otherwise you end up running fully in CPU.

/M

Looks like these recommendations should be listed in newly released manual, so people understand how to use MT devices efficiently. Or we end up with many complaints like "MTs are very slow devices, full of bugs".

tesme33 · Tue Dec 26, 2017 4:26 pm

Hi
6.41 running on hAP Lite, RB2011,RB3011 and CCR1009 (PC) , upgraded from different levels. Sometime multiple reboots required to get the firmware (6.41) also flashed.
As im not using tagging, VLAN or any other fancy features i can only say that WLAN, routing, DHCP, DHCP Server and firewall is working as before. The load also didnt increase.
But on the hAP Lite it is stil somehow the masterport config in use. strange. Probably i need to reset them and start from the beginning.

Yours

marlow · Tue Dec 26, 2017 4:44 pm

Looks like these recommendations should be listed in newly released manual, so people understand how to use MT devices efficiently. Or we end up with many complaints like "MTs are very slow devices, full of bugs".

Yes they should. And yes, I've pointed that out already. It's not funny to have to pull information out of the support for every glitch you encounter.

The different behavior and configuration of older and newer switch-chips is actually one of the reasons, why I think, that 6.41 wasn't mature for release.

/M

pe1chl · Tue Dec 26, 2017 6:13 pm

I think it will be needed to implement pseudo-interfaces in RouterOS.
These pseudo-interfaces will be unremovable and greyed-out interfaces which connect the cpu with the switch-chip.

This way we could:
- monitor the amount of traffic traversing the CPU-port (i.e. to monitor oversubscription of the CPU-port)
- torch the traffic traversing the CPU-port

That is the bridge interface itself, isn't it?
At least for bridges where there is only a single connected switch.

mszru · Tue Dec 26, 2017 6:46 pm

Hi there,

Upgraded hAP ac at home from 6.40.5 to 6.41 with one minor issue - all interfaces in the "discover" list became enabled, however some of them were disabled before. To avoid potential problems with conversion of Master Port configuration, I have added all slave ports to the bridge manually and set Master Port to "none". All other features of RouterOS that I use seem to be working fine (PPTP, SSTP, EoIP tunnels, QueueTrees, Policy Based Routing, etc.)

I also tried to upgrade hAP lite from 6.41rc32 to 6.41, but it failed and I reverted ROS back to 6.41rc32. Here I use new bridge implementation with VLAN-filtering enabled. After the router rebooted on 6.41, it did not reply to every second ping. Winbox disconnected several seconds after establishing connection. Then I reset it twice (using System -> Reset Configuration menu in Winbox and then hardware Reset button), imported configuration file from 6.41rc32, rebooted, but the router was unstable (degrading of transfer speeds, etc.). I will try to upgrade it later more time.

sup5 · Tue Dec 26, 2017 7:08 pm

I think it will be needed to implement pseudo-interfaces in RouterOS.
These pseudo-interfaces will be unremovable and greyed-out interfaces which connect the cpu with the switch-chip.
[...]
That is the bridge interface itself, isn't it?
At least for bridges where there is only a single connected switch.

I think that the bridge-interface won't be showing correct figures here.
Horizon bridged ports currently are software-bridged, thus any traffic flowing between two horizons of the same bridge will traverse through the CPU-port even though hardware based switching might be technically possible. This traffic won't be counted in the corresponding bridge-interface.

We simply need as much pseudo-interfaces as there are independent links from switch to cpu. These interfaces must be accessible via SNMP just like any other interface for monitoring purposes.
Eg.:
RB3011: four pseudo-interfaces. Each with 1000Mbps bandwidth.
RB1100AHx4: three pseudo-interfaces. Each with 2500Mbps bandwith
This will enable us to monitor oversubscription of individual switch-groups much easier.

Reading the RB3011 & RB1100AHx4 figures of the Ethernet test results easily exhibit, that the CPU has much more capacity than the CPU-ports to the two switch-groups.

mducharme · Tue Dec 26, 2017 8:22 pm

Now (as of new bridge implementation) I can add eth1..eth10 to bridge, turn on "h/w accelerated" checkbox, and it looks like all ports are accelerated. But in reality, traffic will be passed from eth1..eth5 to eth6..eth10 via the same CPU, isn't it? So, interface will mislead me to believe something that's not for real.

The interface doesn't mislead you - if you look at the status tab for each bridge port, it will show you whether hardware offloading is enabled for that port, and, if so, what the port's 'hardware offload group' is. This shows you whether the port is in the hardware offload group 'switch1' or 'switch2' etc. If the hardware offload group for two bridge ports does not match, switching between those two ports is done by software.

haik01 · Tue Dec 26, 2017 8:52 pm

Another issue with Routerboard firmware:

In my RB2011 I can see that there is a 6.41 firmware available, and I can install it. After reboot, it works fine.
On another RB2011, the firmware is NOT available. Only 3.41 which is now installed.

The only difference is that my RB2011 is a 2011UAS, and the remote RB2011 (which shows old firmware) is a 2011UiAS.

Is this a normal behaviour?

mszru · Tue Dec 26, 2017 9:23 pm

The naming style of the new interface lists for MAC Server is kind of weird. I would rather rename "mactel" to "mac-telnet".

tekkninja · Wed Dec 27, 2017 1:56 am

Updating an AWS instance with an extisting bridge to V6.41 leaves the instance inaccessible. Also Upgrading to V6.41 without a bridge works fine however, creating a bridge after the upgrade with Ether1 with or without HW-Offloading leaves the CHR inaccessible after rebooting.

upower3 · Wed Dec 27, 2017 9:11 am

The interface doesn't mislead you.

Thank you for pointing that, I just forget to check with it.
But as I played with wi-fi routers I noriced I can set 'hw accelerated' checkbox even on wlan (wifi) port in bridge. This is kind of generic approach. I suspect this is due to first version release, and will be changed afterward.
So to say, I'd really like to have a dialog box (maybe even graphical) that'll show up all the groups and links between them at once.

pe1chl · Wed Dec 27, 2017 11:25 am

So to say, I'd really like to have a dialog box (maybe even graphical) that'll show up all the groups and links between them at once.

In winbox you can enable the columns Hw.Offload and Hw.OffloadGroup on the Ports tab of the bridge window and it neatly shows the status in one screen...

23q · Wed Dec 27, 2017 2:20 pm

Email tool, multiple attachments bugs??

Wed Dec 27, 2017 3:13 pm

What abou 6.39 bugfix? Is it gonna be still bugfix or do you plan make 6.40.5 the new bugfix?

rognick · Wed Dec 27, 2017 5:18 pm

Hello,
I am on the way to acquiring the RB750Gr3 + wap ac and I am confused if the RB750Gr3 can be configured for IPTV.

Can someone help me to clarify if RB750Gr3 with v6.41 can be configured IPTV and VLAN tagging / untagging?

Frostbyte · Wed Dec 27, 2017 8:02 pm

Also, can you please be more elaborate on the "appropriate conditions" for hw-offload?
Only one of my ports appears to have the "H" flag.
The rest of the ports which are all Bridged with VLANs (access mode) do not appear to utilize hw-offload.
Just for the record, I deleted and re-created those Bridges (with and without involving VLANs) and the "H" flag will still not come up.

Upon further experimentation, it appears that the hardware-offload will trigger only for the first eligible bridge.

If I disable hw-offload for the ports of bridge0, the "H" flag will move to bridge1's ports.
If I disable hw-offload for the ports of bridge1, the "H" flag will then appear next to the bridge2's ports.. and so on..

Is this intended? Shouldn't hw-offload trigger for all of the eligible bridges and not just one at a given time?

Wed Dec 27, 2017 8:19 pm

Is this intended? Shouldn't hw-offload trigger for all of the eligible bridges and not just one at a given time?

It is likely a hardware limitation. It has never been possible to set more then one port as a master-port on any device with a "small" switch-chip on board.

Frostbyte · Wed Dec 27, 2017 8:26 pm

Is this intended? Shouldn't hw-offload trigger for all of the eligible bridges and not just one at a given time?
It is likely a hardware limitation. It has never been possible to set more then one port as a master-port on any device with a "small" switch-chip on board.

Uhh, sure.. but having everything in the same Bridge/Master should be a very rare case I reckon. (Unless you're literally using it as an L3 Switch)
Besides, even if you do put them all on the same bridge and try to enable Bridge VLAN Filtering, hw-offload will disable on QCA8337. (according to the documentation)

So, it's a loss-loss..

marlow · Wed Dec 27, 2017 9:19 pm

Is this intended? Shouldn't hw-offload trigger for all of the eligible bridges and not just one at a given time?
It is likely a hardware limitation. It has never been possible to set more then one port as a master-port on any device with a "small" switch-chip on board.

It was possible on the 100 Mbit/s switch chips (like RB493AH), but not the GBits/s ones that Mikrotik uses.

/M

Sent from my SM-G930F using Tapatalk

Wed Dec 27, 2017 9:43 pm

The problem is that switching "jumps" back&forth between bridges with no possibility to stabilize switch group for some interfaces.
In Master-slave scenario it was possible to assign particular ports to switchng chip for fast transfers. Now you never know when it is hw-offloaded or not.
My tests for 2011:

# dec/27/2017 19:24:10 by RouterOS 6.41
# software id = M14U-3BQP
#
# model = 2011L
# serial number = XXXXXXXXXXXXXXXXXXXXXXXXX
/interface ethernet
set [ find default-name=ether6 ] name=FE6 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether7 ] name=FE7 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether8 ] name=FE8 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether9 ] name=FE9 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether10 ] name=FEA rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether1 ] name=GE1 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] name=GE2 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] name=GE3 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] name=GE4 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] name=GE5 rx-flow-control=auto tx-flow-control=auto
/interface bridge
add fast-forward=no name=BRIDGEFE67 priority=0x8001 protocol-mode=none
add fast-forward=no name=BRIDGEFE89A protocol-mode=none
add admin-mac=D4:CA:6D:33:79:B0 auto-mac=no fast-forward=no igmp-snooping=yes name=BRIDGEGE
/interface bridge port
add bridge=BRIDGEGE interface=GE1
add bridge=BRIDGEGE interface=GE2
add bridge=BRIDGEGE interface=GE3
add bridge=BRIDGEGE interface=GE4
add bridge=BRIDGEGE interface=GE5
add bridge=BRIDGEFE67 interface=FE6
add bridge=BRIDGEFE67 interface=FE7
add bridge=BRIDGEFE89A interface=FE8
add bridge=BRIDGEFE89A interface=FE9
add bridge=BRIDGEFE89A interface=FEA
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=all
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=BRIDGEGE
/ip dns
set allow-remote-requests=yes cache-max-ttl=4h
/ip firewall filter
add action=accept chain=input comment="Accept winbox" dst-port=8291 protocol=tcp
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB2011
/system logging
add prefix=STP: topics=sstp,stp
/system ntp client
set enabled=yes server-dns-names=jp.pool.ntp.org,pl.pool.ntp.org
[admin@RB2011] >

1. Switch off BRIDGEFE67
2. Switch off BRIDGEFE89A
3. Switch on BRIDGEFE89A back
4. Switch on BRIDGEFE67 back

No guarantee that ports 8,9,A are switched in hardware.
Strange ports information for bridges during hw-offloading changes in steps 1 and 4.

BR_3.PNG

nightcom · Wed Dec 27, 2017 10:21 pm

What I notice after update from 6.40.5 to 6.41 is that memory is less stable than it was before. On screen you can see that till Friday device was running on 6.40.5 and after upgrade to 6.41 looks like that now.
I didn't notice any unstable work just this situation with memory and it can be seen only on RB3011

marlow · Wed Dec 27, 2017 11:42 pm

What I notice after update from 6.40.5 to 6.41 is that memory is less stable than it was before. On screen you can see that till Friday device was running on 6.40.5 and after upgrade to 6.41 looks like that now.
I didn't notice any unstable work just this situation with memory and it can be seen only on RB3011

It's probably just more accurate to measure the memory usage.

/M

pe1chl · Thu Dec 28, 2017 12:22 am

It could be that some memory used for e.g. the DNS cache is now returned to free when not in use anymore.
From your graph it looks like the flat top of previous usage is about the same as the peaks of the current usage.
On my 2011 there is no such variability, but I do not use its DNS service.

WojtusW5 · Thu Dec 28, 2017 7:56 am

Hi,

I have a problem with hw-offload and IGMP Snooping on my CRS109-8G-1S-2HnD I use this function to support IPTV. After selecting a channel on the STB I see in the MDB that the multicast group has been ordered but there is no transmission from it. When I checked the traffic in the torch, I saw that there was no traffic from multicast addresses. However, when I disable hw-offload, leaving IGMP Snooping enabled or vice versa when I leave hw-offload off, disabling IGMP Snooping IPTV works correctly but the documentation says that the CRS series supports both of these options enabled at the same time. Below I am sending the configuration downloaded during the problem. Please help.

[admin@MikroTik] > export
# jan/02/1970 00:56:22 by RouterOS 6.41
# software id = S96Y-XT19
#
# model = CRS109-8G-1S-2HnD
# serial number = 883C0747FDED
/interface bridge
add arp=disabled fast-forward=no igmp-snooping=yes name=bridge1 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether7
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
[admin@MikroTik] >

zervan · Thu Dec 28, 2017 10:16 am

Is there something changed related to OSPF? I've just upgrade the main router RB1200 and OSPF routes are mostly lost. I've also lost all the VLAN connections

I thought it should work after upgrade - at least when I was testing on my home router, OSPF and VLAN were working fine.

quickes · Thu Dec 28, 2017 10:17 am

Have bugs with asterisk after update to 6.41 with sip alg.
Sip alg disabled, but dst address changed in ovpn client interface
RESOLVED
Update firmware board and reboot fix this bug

Quasar · Thu Dec 28, 2017 11:50 am

All Vlan-filtering on Atheros chipset based switch-chips (CRS1xx, CRS2xx, 2011, etc.) still has to be configured in the switch menu. Otherwise you end up running fully in CPU.

/M

And you shouldn't do that either it seems. On RB951G I had a switch chip vlan filter configured with strict checking (mode=secure) on the uplink port.

After upgrading to v6.41 I discovered traffic doesn't flow at all, unless I set mode to anything but secure. It probably conflicts with the new bridge hw offloading code, because if I disable hw offload on the uplink port mode=secure doesn't break things, but frames are duplicated as they leave another bridge port.

JimmyNyholm · Thu Dec 28, 2017 6:49 pm

I have a lab with CRS317-1G-16S+ switches in core network as P routers. With L3 Only links routed within the IGP (OSPF). MPLS is enabled and LDP is distributing lables. Only real traffic entering the switch would be mpls not counting ospf that is cpu bound and probably LDP to but the datapath for real traffic should in this case be mpls in and mpls out and if I not reading the release notes as the devil reads the bible this should be possible now....

Question: How do I monitor or Check to se that mpls hardware switching, on otherwise routed L3 interface, is done with the CRS317-1G-16S+ Running this version of RouterOS

cheeze · Fri Dec 29, 2017 7:48 am

I have a lab with CRS317-1G-16S+ switches in core network as P routers. With L3 Only links routed within the IGP (OSPF). MPLS is enabled and LDP is distributing lables. Only real traffic entering the switch would be mpls not counting ospf that is cpu bound and probably LDP to but the datapath for real traffic should in this case be mpls in and mpls out and if I not reading the release notes as the devil reads the bible this should be possible now....

Question: How do I monitor or Check to se that mpls hardware switching, on otherwise routed L3 interface, is done with the CRS317-1G-16S+ Running this version of RouterOS

Go under MPLS and under Forwarding Table.

You'll notice two counters for the same thing. One is Bytes and Packets, the other is Hw. Bytes and Packets. I believe that's where you'd look.

Also *PLEASE* let me know of your results. I am very interested in seeing this.

poizzon · Fri Dec 29, 2017 9:03 am

RouterBOOT booter 3.41

CCR1036-8G-2S+

CPU frequency: 1200 MHz
Memory size: 16384 MiB
NAND size: 1024 MiB

Press any key within 2 seconds to enter setup..
trying bootp protocol............... failed
kernel loading failed

loading kernel... OK
setting up elf image... OK
jumping to kernel code
ERROR: no system package found!
Kernel panic - not syncing: Attempted to kill init!

Starting stack dump of tid 1, pid 1 (init) on cpu 4 at cycle 36896725778
frame 0: 0xfffffff70051f780 dump_stack+0x0/0x20 (sp 0xfffffe41ffdbfc08)
frame 1: 0xfffffff700518718 panic+0x168/0x398 (sp 0xfffffe41ffdbfc08)
frame 2: 0xfffffff700056120 do_exit+0x1c8/0xd48 (sp 0xfffffe41ffdbfcb0)
frame 3: 0xfffffff700056de8 do_group_exit+0xf0/0x1e8 (sp 0xfffffe41ffdbfd78)
frame 4: 0xfffffff700056f00 __wake_up_parent+0x0/0x18 (sp 0xfffffe41ffdbfdb0)
frame 5: 0xfffffff7005204d8 handle_syscall+0x210/0x2d0 (sp 0xfffffe41ffdbfdc0)
<syscall while in user mode>
frame 6: 0x8b778 0x8b778 (sp 0x7fe6fa30)
Stack dump complete
Rebooting in 1 seconds..Resetting chip and restarting.

Chupaka · Fri Dec 29, 2017 9:37 am

poizzon, something went wrong %) Reinstall using NetInstall. For the future, use Partitioning feature, so you reboot into old working image

zervan · Fri Dec 29, 2017 11:00 am

Is there something changed related to OSPF? I've just upgrade the main router RB1200 and OSPF routes are mostly lost. I've also lost all the VLAN connections I thought it should work after upgrade - at least when I was testing on my home router, OSPF and VLAN were working fine.

The problem with VLAN was because of not ideal upgrade process. Before upgrade there was:

ether5 as master switch port;
ether1-4 as slave switch ports;
VLANs bonded to ether5 as a master;
VLANs defined on switch ports;
ether5 as a part of bridge-lan.

After upgrade, VLANs left on ether5 which was not master anymore, so they were not working. I had to re-bond VLANs to bridge-lan. I think that upgrade process should do this automatically.

I am still not sure about the problem with OSPF - it started to work when VLANs were fixed, but after reboot of the main router, it was not working. I had to reboot other two routers - neighbours on bridge-lan. Later I had the problem again. I have never experienced such problems before upgrade and I hope it will work fine.

upower3 · Fri Dec 29, 2017 11:05 am

The problem with VLAN was because of not ideal upgrade process. Before upgrade there was:

I definitely suspect the upgrade process and config conversion procedure is something that better be fixed (in a case MT do care for users).
It would be much better to create some kind of web interface where person can copy and paste his/her device config and see converted config (the one that'll be on device after 6.41 upgrade). This would be useful to prove what'll be lost/changed so user will be able to understand the consequences.

poizzon · Fri Dec 29, 2017 12:03 pm

I'm trying. But netinstall not working correctly.
In wireshark i see bootp requests, but my netinstall does not respond, didn't show router..
If I use tftpd32 as dhcp server, then in wireshark I see asking for vimlinux file, but netinstall didn't respond to it too.

poizzon, something went wrong %) Reinstall using NetInstall. For the future, use Partitioning feature, so you reboot into old working image

P.s. it seems cable problem was.

zervan · Fri Dec 29, 2017 2:49 pm

Somebody using CRS112-8G-4S? It is rebooting me each 2 minutes when I turn on IGMP Snooping.

JimmyNyholm · Fri Dec 29, 2017 2:51 pm

Go under MPLS and under Forwarding Table.
You'll notice two counters for the same thing. One is Bytes and Packets, the other is Hw. Bytes and Packets. I believe that's where you'd look.
Also *PLEASE* let me know of your results. I am very interested in seeing this.

Here it Goes... YES! It show only L in winbox but CLI says HL.
Winbox shows hardware bytes and hardware packets.

This is beginning to be a very nice game now I think. More testing is Needed though....

XaTTa6bl4 · Fri Dec 29, 2017 3:54 pm

Hello. It seems as a CRITICAL bug in new bridge mode!
I have brand new hAP ac lite, upgraded to 6.41 and resetted to default by /system reset-configuration after it.

[admin@MikroTik] > /system routerboard print   
    routerboard: yes
    board-name: hAP ac lite
    model: RouterBOARD 952Ui-5ac2nD
    serial-number: xxx
    firmware-type: qca9531L
    factory-firmware: 3.36
    current-firmware: 6.41
    upgrade-firmware: 6.41

[admin@MikroTik] > /system resource print 
    uptime: 6m43s
    version: 6.41 (stable)
    build-time: Dec/22/2017 11:55:15
    factory-software: 6.29.1
    free-memory: 42.1MiB
    total-memory: 64.0MiB
    cpu: MIPS 24Kc V7.4
    cpu-count: 1
    cpu-frequency: 650MHz
    cpu-load: 0%
    free-hdd-space: 4.9MiB
    total-hdd-space: 16.0MiB
    write-sect-since-reboot: 73
    write-sect-total: 9834
    bad-blocks: 0%
    architecture-name: mipsbe
    board-name: hAP ac lite
    platform: MikroTik

Then I try to change wan, for example from ether1 to ether3:

/interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                                                  BRIDGE                                                                  HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether2                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 1 I H ;;; defconf
       ether3                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 2 I H ;;; defconf
       ether4                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 3 I H ;;; defconf
       ether5                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 4 I   ;;; defconf
       wlan1                                                                      bridge                                                                  yes    1     0x80         10                 10       none
 5 I   ;;; defconf
       wlan2                                                                      bridge                                                                  yes    1     0x80         10                 10       none

[admin@MikroTik] > /interface bridge port remove [find interface="ether3"]
[admin@MikroTik] > /interface bridge port add bridge=bridge interface=ether1

... it's seems to be OK...

[admin@MikroTik] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                                                  BRIDGE                                                                  HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether2                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 1 I H ;;; defconf
       ether4                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 2 I H ;;; defconf
       ether5                                                                     bridge                                                                  yes    1     0x80         10                 10       none
 3 I   ;;; defconf
       wlan1                                                                      bridge                                                                  yes    1     0x80         10                 10       none
 4 I   ;;; defconf
       wlan2                                                                      bridge                                                                  yes    1     0x80         10                 10       none
 5 I H ether1                                                                     bridge                                                                  yes    1     0x80         10                 10       none

... export is OK too:

[admin@MikroTik] > /interface bridge port export 
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1

Then just reboot:

[admin@MikroTik] > /system reboot 
Reboot, yes? [y/N]: 
y

after reboot ONLY the ether2 in bridge!

[admin@MikroTik] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                                                  BRIDGE                                                                  HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether2                                                                     bridge                                                                  yes    1     0x80         10                 10       none
       
[admin@MikroTik] > /interface bridge port export    
/interface bridge port
add bridge=bridge comment=defconf interface=ether2

sindy · Fri Dec 29, 2017 6:25 pm

Hi, anyone any idea why the WebFig of 6.41 behaves different on two identical boards (RouterBOARD 952Ui-5ac2nD)?
At one of them the VLAN Filtering checkbox and the MSTP choice for protocol are present at bridge configuration page, and the VLANs, MSTI etc. tabs are present at the bridge list page as well, where at the other one all this is missing. The related settings can be done in CLI but even that does not make them pop up at WebFig. And a bonus question - which of these two behaviours is the correct one?
Both have been upgraded from 6.40.5.

Fri Dec 29, 2017 7:53 pm

Hi, anyone any idea why the WebFig of 6.41 behaves different on two identical boards (RouterBOARD 952Ui-5ac2nD)?

Very likely a browser cache issue. Have you tried clearing the cache and/or using another browser.

sindy · Fri Dec 29, 2017 8:19 pm

Bingo, thank you. I haven't given a thought to such possibility as I used the same browser to upgrade both devices at about the same time.
So the bonus answer is that these settings should be available, they are not intentionally hidden.

Yet there is still something rotten about it. In the meantime I've hit another issue, interfaces added from command line in the terminal window of the web interface did not appear in the drop-down lists (for ping, sniffer etc.) on the GUI, and when I've added an IP address to one of them, the interface name was shown as "unknown" in the IP address list on the GUI and when editing the address from there, it was also missing in the drop-down list. Nevertheless these interfaces were shown in GUI's interface list. After clearing the browser cache all this also started behaving normally, an interface added from command line is now visible everyhere in the GUI.

I can imagine that "static" contents of the GUI (menu items, tabs etc.) may have been affected by cached old data, but I don't get how the actual configuration items could be.

Sat Dec 30, 2017 12:12 am

Re: wireless - log "signal-strength" when successfully connected to AP;

Clients do appear to log the signal strength when they connect to an AP
-however-
NV2 APs do NOT log the the signal strength when a NV2 client connects

It would be nice if NV2 APs could also log the signal strength of connecting NV2 clients

North Idaho Tom Jones

msatter · Sat Dec 30, 2017 10:29 pm

This time the new bridge implementation again did not work for me and I am back to 6.40.5 after a week using 6.41. I got a substantial speed loss when using the bridge implementation.

L2TP/IPSEC on 6.41 down/up 55/46 and on 6.40.5 it is 75/69 Mbps
Normal connection on 6.41 500/171 and on 6.40.5 it is 500/650 Mbps and that is a loss of almost 500Mbps, so fastracking is clearly not working on upload and I don't know why. Connection tracking is showing an F for fasttracking.

Hoping that Bridge will match the speed of Master/Slave and I will have a new run at it when it is more mature.

update: I noticed running with the bridge the dail-on-demand pppoe was never going to sleep and I had to force an time-out to have change state to "waiting for pakets". Back on 6.40.5 it sleeps again till needed. The pppoe connection was no part of the bridge.

zycom · Mon Jan 01, 2018 12:50 am

I have a cc upgraded to 6.41 some how in the process I have deleted the dude folder in the files list can anyone tell me how to add this back? the dude npk file is there but the main folder is missing so it will not work or enable

thanks!!!

CZFan · Mon Jan 01, 2018 7:52 am

I have a cc upgraded to 6.41 some how in the process I have deleted the dude folder in the files list can anyone tell me how to add this back? the dude npk file is there but the main folder is missing so it will not work or enable

thanks!!!

Have you tried to remove "The Dude" completely, restarting and then adding it back again?

soonwai · Mon Jan 01, 2018 4:45 pm

Hello,
I am on the way to acquiring the RB750Gr3 + wap ac and I am confused if the RB750Gr3 can be configured for IPTV.

Can someone help me to clarify if RB750Gr3 with v6.41 can be configured IPTV and VLAN tagging / untagging?

Yes, it certainly can. Here's an example configuration for an ISP which uses VLAN 500 for Internet and VLAN 600 for IPTV.
https://wiki.mikrotik.com/wiki/Mikrotik ... ee/soonwai

Temorizador · Mon Jan 01, 2018 5:55 pm

hi people , i've updated the rb2011iN , rb951g ,a haplite and 2 x cap2nd , everything works fine except that in the 951g I need fasttrack and I had to go back (downgrade) to the 6.40.5 only in the rborder ,since I have 300 Mb fiber and without the fastrack so, I got it just 200
I guess they'll fix that soon, until then we'll have to use the 6.40.5 to fastracker the connection

Greetings from Barcelona
_______________________________________________________________________________________
Hola gente , he actulizado un rb2011 ,rb051g un haplite y 2 cap2nd , todo va bien , excepto que en el rb951g necesito fasttrack y he tenido que dongradear a 6.40.5 solo en el router de borde ,ya que tengo 300 megas de fibra y sin el fasttack solo me entraban 200 apenas.
Supongo que fixearan esto pronto, hasta entonces pues usare la 6.40.5 para fastrackear la conexccion en el router de borde

.

Saludos desde Barcelona

Kindis · Mon Jan 01, 2018 6:14 pm

everything works fine except that in the 951g I need fasttrack and I had to go back (downgrade) to the 6.40.5 only in the rborder ,since I have 300 Mb fiber and without the fastrack so, I got it just 200
I guess they'll fix that soon, until then we'll have to use the 6.40.5 to fastracker the connection

FastTrack on both my 750Gr3 and 3011 was not working at upgrade. Upgraded firmware (router boot) to latest and restarted. Still did not work but after yet another restart without any change to ROS or firmware everything started working again. Did you try to upgrade firmware after you went to 6.41 and also restart a third time?

Temorizador · Mon Jan 01, 2018 6:30 pm

everything works fine except that in the 951g I need fasttrack and I had to go back (downgrade) to the 6.40.5 only in the rborder ,since I have 300 Mb fiber and without the fastrack so, I got it just 200
I guess they'll fix that soon, until then we'll have to use the 6.40.5 to fastracker the connection
FastTrack on both my 750Gr3 and 3011 was not working at upgrade. Upgraded firmware (router boot) to latest and restarted. Still did not work but after yet another restart without any change to ROS or firmware everything started working again. Did you try to upgrade firmware after you went to 6.41 and also restart a third time?

No, i dont reset the mikrotik once it has been upgraded,if is this u question . but i delete fastrack from filter rules and rebbor the rb , went create a nuew rule to activate fasttrtack, not work although he told me the packages and the bytes... so I went back to 6.40.5.
But if you confirm that if you reset and configure to hand the configuration, the fastrack work ,I can test it

someone has tried it and it has worked ? it's going well all for you ?
-------------------------------------------------------------------------------
No , no resetee el mikrotik una vez upgradeado , pero si que elimine fastrack de filter rules y reinicie . Luego volvi ha crear la regla de fasttrtack pero seria sin funcionar aunque me augmentaba los paquetes y bytes ...asi que volvi a la 6.40.5.
Pero si me confirmas que si se resetea y se configura a mano desde cero toda la configuracion luego el fastrack funciona, puedo provar

alguien lo ha provado y le ha funcionado , te va todo bien compi ?

___________________________________________________________________________

bbs2web · Mon Jan 01, 2018 6:50 pm

RouterOS 6.41 does not honor received MSS value in TCP SYN packet. We are subsequently unable to connect to our routers through a VPN connection from our offices.

pe03 --- MPLS --- br01 --- ccr1 --- Linux system running PPTP

Traffic capture on pe03 shows TCP SYN packet arriving with TCP options where MSS is set as 1312 bytes. Replies aren't visible on this router as they are MPLS switched to br01. Reviewing a packet capture on interface facing 'customer' on br01 or upstream interface on ccr1 shows pe03 sending back an ACK with MSS incorrectly set as 1460 bytes.

First packet (SYN) sending correct MSS of 1312 bytes:

Reply acknowledgement from pe03 showing incorrect MSS of 1460 bytes having been set:

Kindis · Mon Jan 01, 2018 8:08 pm

everything works fine except that in the 951g I need fasttrack and I had to go back (downgrade) to the 6.40.5 only in the rborder ,since I have 300 Mb fiber and without the fastrack so, I got it just 200
I guess they'll fix that soon, until then we'll have to use the 6.40.5 to fastracker the connection
FastTrack on both my 750Gr3 and 3011 was not working at upgrade. Upgraded firmware (router boot) to latest and restarted. Still did not work but after yet another restart without any change to ROS or firmware everything started working again. Did you try to upgrade firmware after you went to 6.41 and also restart a third time?

No, i dont reset the mikrotik once it has been upgraded,if is this u question . but i delete fastrack from filter rules and rebbor the rb , went create a nuew rule to activate fasttrtack, not work although he told me the packages and the bytes... so I went back to 6.40.5.
But if you confirm that if you reset and configure to hand the configuration, the fastrack work ,I can test it

someone has tried it and it has worked ? it's going well all for you ?
-------------------------------------------------------------------------------
No , no resetee el mikrotik una vez upgradeado , pero si que elimine fastrack de filter rules y reinicie . Luego volvi ha crear la regla de fasttrtack pero seria sin funcionar aunque me augmentaba los paquetes y bytes ...asi que volvi a la 6.40.5.
Pero si me confirmas que si se resetea y se configura a mano desde cero toda la configuracion luego el fastrack funciona, puedo provar

alguien lo ha provado y le ha funcionado , te va todo bien compi ?

___________________________________________________________________________

No I did not reset. After upgrade to 6.41 I upgraded routerboot to latest firmware (also 6.41). Both upgrades includes a reboot. After about a day I noticed that FastTrack did not work on both my 750 and 3011. Did a simple reboot and everything started working again. Nothing more that that solved my issue.

Mon Jan 01, 2018 11:23 pm

Traffic capture on pe03 shows TCP SYN packet arriving with TCP options where MSS is set as 1312 bytes. Replies aren't visible on this router as they are MPLS switched to br01. Reviewing a packet capture on interface facing 'customer' on br01 or upstream interface on ccr1 shows pe03 sending back an ACK with MSS incorrectly set as 1460 bytes.

That's normal and is in accordance with the existing standards. MSS is NOT negotiated, but rather each side of the connection just informs the other side of the connection (by using the MSS TCP option) about the maximum segment size it is able to receive. For each TCP connection different MSS values may be used in each direction of data flow. There's no requirement for the MSS value set by the initiator to be "reflected" by the responder; thus MSS clamping, if required, should be applied in each direction of data flow independently.

estdata · Tue Jan 02, 2018 12:11 am

I think that version 6.41 mess of the inside of the
I installed a and came out of that system-routerboard > under notice

Warning: the default and the cpu Frenquency

Temorizador · Tue Jan 02, 2018 1:06 am

everything works fine except that in the 951g I need fasttrack and I had to go back (downgrade) to the 6.40.5 only in the rborder ,since I have 300 Mb fiber and without the fastrack so, I got it just 200
I guess they'll fix that soon, until then we'll have to use the 6.40.5 to fastracker the connection
FastTrack on both my 750Gr3 and 3011 was not working at upgrade. Upgraded firmware (router boot) to latest and restarted. Still did not work but after yet another restart without any change to ROS or firmware everything started working again. Did you try to upgrade firmware after you went to 6.41 and also restart a third time?

No, i dont reset the mikrotik once it has been upgraded,if is this u question . but i delete fastrack from filter rules and rebbor the rb , went create a nuew rule to activate fasttrtack, not work although he told me the packages and the bytes... so I went back to 6.40.5.
But if you confirm that if you reset and configure to hand the configuration, the fastrack work ,I can test it

someone has tried it and it has worked ? it's going well all for you ?
-------------------------------------------------------------------------------
No , no resetee el mikrotik una vez upgradeado , pero si que elimine fastrack de filter rules y reinicie . Luego volvi ha crear la regla de fasttrtack pero seria sin funcionar aunque me augmentaba los paquetes y bytes ...asi que volvi a la 6.40.5.
Pero si me confirmas que si se resetea y se configura a mano desde cero toda la configuracion luego el fastrack funciona, puedo provar

alguien lo ha provado y le ha funcionado , te va todo bien compi ?

___________________________________________________________________________
No I did not reset. After upgrade to 6.41 I upgraded routerboot to latest firmware (also 6.41). Both upgrades includes a reboot. After about a day I noticed that FastTrack did not work on both my 750 and 3011. Did a simple reboot and everything started working again. Nothing more that that solved my issue.

Ok ty i dotn undestand to start

,sorry my english , tomorrow to morning i will upgrade try again and i will try as you said, ty for explanation

,

____________________________________________________

Ok gracias, no entendí al principio

, lo siento por mi ingles , mañana por la mañana upgradeare de nuevo u provare como mehas dicho, gracias por la explicacion

Kindis · Tue Jan 02, 2018 1:15 am

everything works fine except that in the 951g I need fasttrack and I had to go back (downgrade) to the 6.40.5 only in the rborder ,since I have 300 Mb fiber and without the fastrack so, I got it just 200
I guess they'll fix that soon, until then we'll have to use the 6.40.5 to fastracker the connection
FastTrack on both my 750Gr3 and 3011 was not working at upgrade. Upgraded firmware (router boot) to latest and restarted. Still did not work but after yet another restart without any change to ROS or firmware everything started working again. Did you try to upgrade firmware after you went to 6.41 and also restart a third time?

No, i dont reset the mikrotik once it has been upgraded,if is this u question . but i delete fastrack from filter rules and rebbor the rb , went create a nuew rule to activate fasttrtack, not work although he told me the packages and the bytes... so I went back to 6.40.5.
But if you confirm that if you reset and configure to hand the configuration, the fastrack work ,I can test it

someone has tried it and it has worked ? it's going well all for you ?
-------------------------------------------------------------------------------
No , no resetee el mikrotik una vez upgradeado , pero si que elimine fastrack de filter rules y reinicie . Luego volvi ha crear la regla de fasttrtack pero seria sin funcionar aunque me augmentaba los paquetes y bytes ...asi que volvi a la 6.40.5.
Pero si me confirmas que si se resetea y se configura a mano desde cero toda la configuracion luego el fastrack funciona, puedo provar

alguien lo ha provado y le ha funcionado , te va todo bien compi ?

___________________________________________________________________________
No I did not reset. After upgrade to 6.41 I upgraded routerboot to latest firmware (also 6.41). Both upgrades includes a reboot. After about a day I noticed that FastTrack did not work on both my 750 and 3011. Did a simple reboot and everything started working again. Nothing more that that solved my issue.
Ok ty i dotn undestand to start ,sorry my english , tomorrow to morning i will upgrade try again and i will try as you said, ty for explanation ,

____________________________________________________

Ok gracias, no entendí al principio , lo siento por mi ingles , mañana por la mañana upgradeare de nuevo u provare como mehas dicho, gracias por la explicacion

Good luck. Just remember to upgrade routerboot firmware too after ROS upgrade (system > Router board). After you press upgrade you restart. After this I had to restart again to get FastTrack working.

moep · Tue Jan 02, 2018 2:22 pm

Hello,

I run multiple IPSec Tunnels from two central sites to remote sites. Inside of the IPSec-tunnel is a IPIP-tunnel to do OSPF via multiple paths.
With v6.41 I tried to switch over the peers to a new IKEv2 enabled peer.

On the main site, I copied the 0.0.0.0/0 peer and changed the exchange mode to IKEv2 and left the rest as it was.
On the remote sites, I switched the existing peer to IKEv2.

All tunnels came up and seemed to be running, but after expiry of the SA (after ~30 Minutes, as configured), the IPIP tunnel experienced a disconnect, which was never there with IKEv1.
This disonnect lasts about 10 seconds. After that, the IPIP-tunnel came back online and OSPF found a neighbor. All this repeats every 30 Minutes for every remote site.
When I change back the exchange-mode to IKEv1, everything works like a charm. No disconnects after 30 Minutes whatsoever.

Is this a (known) bug or do I have to change something at peer or policy level for IKEv2?

sindy · Tue Jan 02, 2018 4:41 pm

RFC 7296 leaves no space for the behaviour you describe:

SAs should be rekeyed proactively, i.e., the new SA should be established before the old one expires and becomes unusable. Enough time should elapse between the time the new SA is established and the old one becomes unusable so that traffic can be switched over to the new SA.

So to me such behaviour is a clear bug and you should report it to support@mikrotik.com. Maybe, to help narrow the search, before sending the report you should watch the SA list between the 28th and 30th minute to see whether the new SA has already been negotiated - normally (i.e. when IKEv1 is used), a new (pair of) SA is generated 5 minutes before the old one's expiration.

BlackVS · Tue Jan 02, 2018 6:48 pm

Found a first anomaly:
Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.

The same. After disabling-enabling all "discover" list items started to work...

mducharme · Tue Jan 02, 2018 11:03 pm

Found a first anomaly:
Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.
The same. After disabling-enabling all "discover" list items started to work...

A second reboot after the upgrade also fixes this.

estdata · Tue Jan 02, 2018 11:37 pm

What is problems . I upgrading my routerboard RB2011UAS wireless model. version 6.7 -> 6.41

Please , tell me , What is problems ?`

<img src="https://www.upload.ee/image/7838585/routerboard.png" border="0" alt="routerboard.png" />
https://www.upload.ee/image/7838585/routerboard.png

kmok1 · Tue Jan 02, 2018 11:55 pm

Hello,

I am unsure this has been posted. V6.41 on MIPS-BE devices so far.

1) Reboot upgraded device.
2) Second line in log states ""bridge1" mac address changed to XX" where XX seens to be a randomized MAC address.
3) In / interface bridge print, it shows the bridge's mac address as the first active mac address in the group of ports.

Is this a bug?

Also, in the older devices like RB Groove 5Hn, / system routerboard print shows blank for "upgrade-firmware" while hEX POE shows 6.41.

sindy · Wed Jan 03, 2018 12:05 am

All tunnels came up and seemed to be running, but after expiry of the SA (after ~30 Minutes, as configured), the IPIP tunnel experienced a disconnect, which was never there with IKEv1.
This disonnect lasts about 10 seconds. After that, the IPIP-tunnel came back online and OSPF found a neighbor. All this repeats every 30 Minutes for every remote site.
...
Is this a (known) bug or do I have to change something at peer or policy level for IKEv2?

I've just tested a similar, not identical, setup where an IKEv2 established SA has been replaced by a new one while a single RTP flow was running through it. Instead of your IP-IP tunnel, I am using a "lan-to-lan" (subnet-subnet) IPsec policy. I could see the old and new SA to exist in parallel for a short period of time, yet the RTP flow was completely missing at the output of the IPsec tunnel between sequence numbers 53955 and 54045, i.e. for 90 20-ms packets which is 1800 ms. Bad enough alone, but if the IP-IP tunnel needs some time to re-establish after a failure, it could explain your 10 seconds outage.

Reporting that to support myself.

ziegenberg · Wed Jan 03, 2018 12:11 am

Hello estdata!

What is problems . I upgrading my routerboard RB2011UAS wireless model. version 6.7 -> 6.41

Please , tell me , What is problems ?`

The first message says, that you should reboot your routerboard, so the firmware update can be completed. You should reboot and then we can see, if the other messages are still there.

greetings, Daniel

estdata · Wed Jan 03, 2018 12:28 am

Hello estdata!

What is problems . I upgrading my routerboard RB2011UAS wireless model. version 6.7 -> 6.41

Please , tell me , What is problems ?`

The first message says, that you should reboot your routerboard, so the firmware update can be completed. You should reboot and then we can see, if the other messages are still there.

greetings, Daniel

Yes, I've done the upgrade and restart have done several times in the

xrobau · Wed Jan 03, 2018 4:24 am

I've noticed two things, but one of them may be actually hardware related.

The first is that ONE of my interfaces is refusing to link at 1gb. Even though it's set to advertise everything, it's not advertising 1gb:

In my efforts to see what the problem is, 'Cable Test' now no longer works. It just says 'Cable OK', and that's it.

Hardware is a RouterBOARD 962UiGS-5HacT2HnT, with upgraded Routerboard Firmware

zervan · Wed Jan 03, 2018 9:16 am

What is problems . I upgrading my routerboard RB2011UAS wireless model. version 6.7 -> 6.41

Please , tell me , What is problems ?

Set frequency to 600 MHz, uncheck "Protected Routerboot", reboot.

Chupaka · Wed Jan 03, 2018 11:35 am

Re: wireless - log "signal-strength" when successfully connected to AP;

Clients do appear to log the signal strength when they connect to an AP
-however-
NV2 APs do NOT log the the signal strength when a NV2 client connects

It would be nice if NV2 APs could also log the signal strength of connecting NV2 clients

The same thing with CAPsMAN - please add signal strength to its messages also

Nuubo · Wed Jan 03, 2018 12:44 pm

After upgrading smoothly SSTP VPN is working fine but there is no route to internal LAN.

Until this upgrade everything was running OK, is there any issue or extra configuration to be done with SSTP interface?

emils · Wed Jan 03, 2018 1:23 pm

Hello,

I run multiple IPSec Tunnels from two central sites to remote sites. Inside of the IPSec-tunnel is a IPIP-tunnel to do OSPF via multiple paths.
With v6.41 I tried to switch over the peers to a new IKEv2 enabled peer.

On the main site, I copied the 0.0.0.0/0 peer and changed the exchange mode to IKEv2 and left the rest as it was.
On the remote sites, I switched the existing peer to IKEv2.

All tunnels came up and seemed to be running, but after expiry of the SA (after ~30 Minutes, as configured), the IPIP tunnel experienced a disconnect, which was never there with IKEv1.
This disonnect lasts about 10 seconds. After that, the IPIP-tunnel came back online and OSPF found a neighbor. All this repeats every 30 Minutes for every remote site.
When I change back the exchange-mode to IKEv1, everything works like a charm. No disconnects after 30 Minutes whatsoever.

Is this a (known) bug or do I have to change something at peer or policy level for IKEv2?

I am unable to reproduce such issue. Could you please send supout.rif files from both main and remote sites to support@mikrotik.com?

sindy · Wed Jan 03, 2018 2:39 pm

Emils,

just so that several support people don't have to deal with same or similar issue, please check Ticket#2018010322000212.

Pavel

Nuubo · Wed Jan 03, 2018 4:23 pm

After several tests I found the issue:

VPN fails if VPN network is configured in the same subnet as LAN bridge. I could add VPN profile to bridge but it didn´t work so finally I decided to delete bridge and I did the same configuration I had before bridge (LAN port independent and same subnet as VPN). VPN is working again.

I consider this is a bug, I checked VPN profile configuration and I didn´t find anything that can avoid the VPN function when you connect to the same subnet as internal bridge for several ports.

By the way, why not keeping switch masterport and slave interfaces option as previous RouterOS releases?

Wed Jan 03, 2018 4:34 pm

It is a known problem that proxy-arp on bridge do not work after upgrade, You have to set it manually again after upgrade. This problem should be already solved in v6.42rc

Nuubo · Wed Jan 03, 2018 5:22 pm

Thanks for your answer.
I tried to reconfigure proxy-arp also but it didn´t work even after reboot. I will wait for 6.42 (for the remaining Mikrotik we have)

105547111 · Wed Jan 03, 2018 8:08 pm

It is a known problem that proxy-arp on bridge do not work after upgrade, You have to set it manually again after upgrade. This problem should be already solved in v6.42rc

Shoudn't this also be included in an upcoming 6.41.1 also?

Chupaka · Wed Jan 03, 2018 10:31 pm

Shoudn't this also be included in an upcoming 6.41.1 also?

It will be, of course

105547111 · Wed Jan 03, 2018 11:45 pm

I just found in my only 751G doesn't contain a new bootloader version its blank....

msatter · Thu Jan 04, 2018 12:09 am

I just found in my only 751G doesn't contain a new bootloader version its blank....

viewtopic.php?f=21&t=128915&start=50#p633665

Will be fixed in 6.41.1
*) routerboot - fixed missing upgrade firmware for "ar7240" devices;

RLithgo · Thu Jan 04, 2018 1:56 am

I am currently running 6.38 and don't have any issues. I am a little concerned over the 6.41 upgrade.
Has anyone else gone from 6.38 (or earlier) to 6.41 and if so, was it smooth sailing?

5nik · Thu Jan 04, 2018 1:59 am

Hello, after upgrade 6.40.5 -> 6.41 on hAP ac IPIP6 tunel interfaces not running. Reset configuration doesn't help.

bbs2web · Thu Jan 04, 2018 6:34 am

You're right, the actual issue appears to be that RouterOS does not appear to process or honor ICMP 'fragmentation needed' messages. The following capture is on a MPLS speaking 6.41 RouterOS device where MPLS switched packets are not captured and subsequently only shows incoming packets which use Penultimate Hop Popping (PHP):

The above is to validate that ICMP messages arrive correctly at 41.79.22.34. Herewith a packet capture on the MPLS ingress point, showing 41.79.22.34 continuing to send packets with a payload of 1312 bytes after it receives ICMP 'fragmentation needed' messages which indicate that the maximum MTU is 1348 bytes (-40 bytes = 1308 payload):

Traffic capture on pe03 shows TCP SYN packet arriving with TCP options where MSS is set as 1312 bytes. Replies aren't visible on this router as they are MPLS switched to br01. Reviewing a packet capture on interface facing 'customer' on br01 or upstream interface on ccr1 shows pe03 sending back an ACK with MSS incorrectly set as 1460 bytes.
That's normal and is in accordance with the existing standards. MSS is NOT negotiated, but rather each side of the connection just informs the other side of the connection (by using the MSS TCP option) about the maximum segment size it is able to receive. For each TCP connection different MSS values may be used in each direction of data flow. There's no requirement for the MSS value set by the initiator to be "reflected" by the responder; thus MSS clamping, if required, should be applied in each direction of data flow independently.

jardap · Thu Jan 04, 2018 11:07 am

Hello, I've got another issue. After upgrade from v6.40.5 to v6.41 my DUDE server (running on RB1100Dx4) reporting cpu,disk and memory services down on all MK devices. Pls anybody can help me?
Thnx
Jarda

Flag,Time,Message
,Jan/01 22:15:06,syslog: Service disk on CHO51VKAP2 - 172.27.220.251 is now down (down)
,Jan/01 22:15:06,Service disk on CHO51VKAP2 - 172.27.220.251 is now down (down)
,Jan/01 22:15:07,syslog: Service memory on CHO51VKAP2 - 172.27.220.251 is now down (down)
,Jan/01 22:15:07,Service memory on CHO51VKAP2 - 172.27.220.251 is now down (down)
,Jan/01 22:15:23,syslog: Service cpu on CHO51VKAP2 - 172.27.220.251 is now down (down)
,Jan/01 22:15:23,Service cpu on CHO51VKAP2 - 172.27.220.251 is now down (down)
,Jan/01 22:16:37,syslog: Service disk on 172.27.220.253 is now up ()
,Jan/01 22:16:37,Service disk on 172.27.220.253 is now up ()
,Jan/01 22:16:37,syslog: Service disk on MK router - 172.27.220.4 is now down (down)
,Jan/01 22:16:37,Service disk on MK router - 172.27.220.4 is now down (down)
,Jan/01 22:16:40,syslog: Service disk on 172.27.220.254 is now up ()
,Jan/01 22:16:40,Service disk on 172.27.220.254 is now up ()
,Jan/01 22:16:42,syslog: Service memory on CHO51VKAP1 - 172.27.220.250 is now down (down)
,Jan/01 22:16:42,Service memory on CHO51VKAP1 - 172.27.220.250 is now down (down)
,Jan/01 22:16:50,syslog: Service memory on 172.27.220.253 is now up ()
,Jan/01 22:16:50,Service memory on 172.27.220.253 is now up ()
,Jan/01 22:19:07,syslog: Service cpu on 172.27.220.254 is now down (down)
,Jan/01 22:19:07,Service cpu on 172.27.220.254 is now down (down)
,Jan/01 22:19:10,syslog: Service disk on 172.27.220.254 is now down (down)
,Jan/01 22:19:10,Service disk on 172.27.220.254 is now down (down)
,Jan/01 22:19:50,syslog: Service memory on 172.27.220.253 is now down (down)
,Jan/01 22:19:50,Service memory on 172.27.220.253 is now down (down)

BlackVS · Thu Jan 04, 2018 11:15 am

Probably known problem with discovery - do any from listed below:

Found a first anomaly:
Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.
The same. After disabling-enabling all "discover" list items started to work...
A second reboot after the upgrade also fixes this.

Or check firewall rules - may be migrating wasn't smooth and packets blocked by default rules...

Thu Jan 04, 2018 11:31 am

In order to keep this 6.41 version topic as clean as possible, please before posting a question or problem report, check 6.42rc version changelog. In most cases problems are already resolved:

Note that rc version topic first post is a changelog of first rc version released. Later updates are posted further into topic:
viewtopic.php?f=21&t=129034
viewtopic.php?f=21&t=129034#p634998

pe1chl · Thu Jan 04, 2018 11:48 am

You're right, the actual issue appears to be that RouterOS does not appear to process or honor ICMP 'fragmentation needed' messages.

That would be correct, it is not the task of the router to act upon these messages, it is the responsibility of the end system to do so. It should only process those messages when they refer to traffic originated from the router itself.
Of course the router must forward the ICMP messages to the correct end system, this is often a problem with tunneling protocols and with too many "Gibson paranoia" firewalls inbetween.

raymondr15 · Thu Jan 04, 2018 2:07 pm

Hi,

I noticed after upgrading to v6.41 that ether3 & ether5 were showing the exact same TX throughput all the time, I checked bridge settings and played around to see if there was a configuration issue from the upgrade, a saw that ether3's "auto isolate" was disabled, I reenabled it and as soon as I did, I lost all access from any port on the bridge interface, only discovery was working, couldn't even login via winbox mac. After rebooting the router, everything came back up fine??

Whats this about? Bug?

rognick · Thu Jan 04, 2018 11:48 pm

Hello,
I am on the way to acquiring the RB750Gr3 + wap ac and I am confused if the RB750Gr3 can be configured for IPTV.

Can someone help me to clarify if RB750Gr3 with v6.41 can be configured IPTV and VLAN tagging / untagging?
Yes, it certainly can. Here's an example configuration for an ISP which uses VLAN 500 for Internet and VLAN 600 for IPTV.
https://wiki.mikrotik.com/wiki/Mikrotik ... ee/soonwai

Hey soonwai! So thanks to you, I was able to config my RB750Gr3

I checked and vlan-filtering = yes
at momet everything is ok.
I do not know if it was supposed to work on both bridge to do vlan-filtering

There is a difference between the above example and the new tagging / untagging settings
https://wiki.mikrotik.com/wiki/Manual:I ... s_Ports.29

Thanks!

jardap · Fri Jan 05, 2018 12:15 am

Unfortunately this problem is not mentioned at 6.42rc topic and 6.42rc5 did not resolve my problem. Dude is still getting information about cpu,memory and disk overloading.

In order to keep this 6.41 version topic as clean as possible, please before posting a question or problem report, check 6.42rc version changelog. In most cases problems are already resolved:

Fri Jan 05, 2018 12:41 am

jardap - have you reported this to support@mikrotik.com with problem description and supout files?

pcjc · Fri Jan 05, 2018 11:44 am

Just in the process of downgrading back to 6.40.5....

On the RB2011 it doesn't appear possible to create a working bridge (hw offload) config as efficient as the previous software revision, where we could use switch hardware offload on both the 1000M ports and 100M ports - then bridge those switches together with the SFP port.
The additional complexity is that I had a vlan trunk port on the 1000M switch (Business + Guest vlan wifi) - as well as the other untagged (business) ports. The initial 6.41 configuration I had appeared to be working, but with NO hardware offload, and things traversing the 1000M switch (e.g. ping) appeared to get 3x extra duplicate packets received.

kor3k · Fri Jan 05, 2018 1:04 pm

hello,

have a problem with this release.

we have two CRS-326 connected together through 4 ether ports, both have same configuration:

4 connecting ether ports are bound into a bonding
that bonding is part of a bridge

before upgrade (6.40.5), everything worked fine.
but after upgrade to 6.41, both CRSs start throw "bridge port received packet with own address as source address" error and both freeze up (because of packet storm).

what is wrong? how can i fix it?

kor3k

JimmyNyholm · Fri Jan 05, 2018 3:25 pm

https://wiki.mikrotik.com/wiki/Manual:I ... P_Snooping

Reading Wiki and reading Questions here on the Forum. As there is no version setting for IGMP snooping I assume it's on IGMPv2? or is it IGMPv3? It can't be IGMPv1 still?

As you se the Confusion is obvious and there is a ton of other stuff to think about when talking multicast that is not obvious at first.

Fri Jan 05, 2018 6:01 pm

..."bridge port received packet with own address as source address"

You have two routes/interfaces for packets received by this bridge.
I have noticed something similar configuring CAPSMAN with CAP's device WiFi interface assigned staticaly to "locally-forwarded" CAP's bridge in CAP device and virtually created in CAPSMAN and included in CAPSMAN's bridge.

kor3k · Fri Jan 05, 2018 6:52 pm

..."bridge port received packet with own address as source address"
You have two routes/interfaces for packets received by this bridge.
I have noticed something similar configuring CAPSMAN with CAP's device WiFi interface assigned staticaly to "locally-forwarded" CAP's bridge in CAP device and virtually created in CAPSMAN and included in CAPSMAN's bridge.

thanks for pointing this out.

actually, we are using capsman in our network.
and i think in the same setup as you describe.

each CAP's wlan is "locally-forwarded" into CAP's bridge, but each wlan also has 2 VirtualAPs, which are "capsman-forwarded" into CAPSMAN's bridge.
and these two CRS-326 with bonding are in the middle of the network (backbone switches), but they are not caps managers.
the whole network is bridged.

how did you solve the issue? do you know why this is happening? seems like a bug to me.

bbs2web · Fri Jan 05, 2018 10:28 pm

Seeing that I am connecting to this router, it would subsequently confirm that RouterOS does not honour ICMP fragmentation needed messages.

ie: I connect via Winbox or SSH (port 2200), initial packets go back and forth until a payload exceeds the remote VPN MTU. ICMP 'fragmentation needed' message is received by RouterOS, which contains maximum MTU, so RouterOS should fragment at that boundary, instead of continuing with original MSS received during TCP establishment...

You're right, the actual issue appears to be that RouterOS does not appear to process or honor ICMP 'fragmentation needed' messages.
That would be correct, it is not the task of the router to act upon these messages, it is the responsibility of the end system to do so. It should only process those messages when they refer to traffic originated from the router itself.
Of course the router must forward the ICMP messages to the correct end system, this is often a problem with tunneling protocols and with too many "Gibson paranoia" firewalls inbetween.

YeOldeSwitcheroo · Sat Jan 06, 2018 12:53 am

Could you please disable HW offloading when bridge filter rules are added?

The problem is that they're incompatible with each other (at least it seems that way). I just bought a hEX, set it to bridge mode (which enables HW offloading for all those ports, because the hEX board supports it) and then added a filter that drops UDP packets to port 67 & 68 (DHCP).

The counters for the filter increase, but they have zero effect. All those packets are still forwarded, regardless of chain. Disabling HW offloading and leaving only rules for the forward chain has the desired effect.

skuykend · Sat Jan 06, 2018 2:07 am

Just in the process of downgrading back to 6.40.5....

On the RB2011 it doesn't appear possible to create a working bridge (hw offload) config as efficient as the previous software revision, where we could use switch hardware offload on both the 1000M ports and 100M ports - then bridge those switches together with the SFP port.
The additional complexity is that I had a vlan trunk port on the 1000M switch (Business + Guest vlan wifi) - as well as the other untagged (business) ports. The initial 6.41 configuration I had appeared to be working, but with NO hardware offload, and things traversing the 1000M switch (e.g. ping) appeared to get 3x extra duplicate packets received.

I'm using all ports on my RB2011 as a switch with vlans (tagged and untagged) and am getting HW offloading and not seeing any duplicate packets. I posted my config in this thread: viewtopic.php?f=2&t=129057&p=634278#p634278

linux25 · Sat Jan 06, 2018 4:13 am

This is for mikrotik, you disappointed me with your product and updates, i have problems with flapping eth, your updates worse my problem, is not for my cable connection, your product sucks, i don't buy ever again your product.
I tell you friends, don't go in roads with mikrotik. Good luck.