pietroscherer - Does problem go away if you downgrade router to 6.40.5 version and appears once more if you upgrade back to 6.40.6?

pietroscherer - Does problem go away if you downgrade router to 6.40.5 version and appears once more if you upgrade back to 6.40.6?

Hello Strods,

I didn't do this test yet. One of the neighbors that wasn't working, becomes to work after update (6.23 -> 6.41.2). The other one still non working (no update).
I'll test a downgrade on RB1100AHx2 to 6.40.5 to see if it'll work.

* I'll do this in a light time, because it's one of my main routers.

Thank you!

....What's new in 6.40.6 (2018-Feb-20 11:04):.....

....What's new in 6.40.6 (2018-Feb-20 11:04):.....

IMHO it means that Mikrotik reports new things.
All changes you can trace here: https://mikrotik.com/download/changelogs/

Beone - Which fixes exactly are you referring to? Please provide copy of change included in 6.41.x or 6.42rc which you are looking for.

pietroscherer - Glad to hear that you resolved the problem. As far as I understand, you can not tell if problem was caused by this particular release. Is that correct?
jgro, BartoszP - Changelog always shows difference between this version and previous one. Previous before 6.40.6 is "-1" - 6.40.5. This changelog shows difference between 6.40.5 and 6.40.6. For example, if you upgrade from 6.38, then you have to check - all 6.38.x changelogs, 6.39 and 6.39.x changelogs and 6.40 and 6.40.x changelogs.
Beone - There are no silent fixes. If changes are not in changelog, then they are not in the release.

pietroscherer - Glad to hear that you resolved the problem. As far as I understand, you can not tell if problem was caused by this particular release. Is that correct?

What's new in 6.40.6 (2018-Feb-20 11:04):

*) btest - fixed TCP test accuracy when low TX/RX rates are used;
*) certificate - do not use UTF-8 for SCEP challenge password;
*) certificate - fixed PKCS#10 version;
*) chr - generate new system ID on first boot;
*) crs317 - fixed reliability on FAN controller;
*) defconf - fixed DISC Lite5 LED default configuration;
*) dhcpv4-server - fixed framed and classless route received from RADIUS server;
*) disk - fixed disk detach process;
*) dude - fixed e-mail notifications when default port is not used;
*) export - fixed "/system routerboard mode-button" compact export;
*) filesystem - implemented additional system integrity checks on reboots;
*) firewall - limited maximum "address-list-timeout" value to “35w3d13h13m56s”;
*) hotspot - fixed "dst-port" to require valid "protocol" in "walled-garden ip";
*) hotspot - fixed Walled Garden IP functionality when address-list is used;
*) ike1 - fixed crash on XAUTH if user does not exist;
*) ike1 - fixed memory corruption when IPv6 is used;
*) ike1 - improved stability on phase1 rekeying;
*) ike2 - added support for multiple split networks;
*) ike2 - delay rekeyed peer outbound SA installation;
*) ike2 - improve half-open connection handling;
*) ike2 - kill connection when peer changes address;
*) ike2 - use peer configuration address when available on empty TSi;
*) ipsec - fixed incorrect esp proposal key size usage;
*) ipsec - properly update IPsec secret for IPIP/EoIP/GRE dynamic peer;
*) l2tp - improved reliability on packet processing in FastPath;
*) netinstall - improved LTE package description;
*) netinstall - properly generate skins folder when branding package is installed;
*) ovpn - fixed resource leak on systems with high CPU usage;
*) ovpn-server - do not periodically change automatically generated server MAC address;
*) ppp - do not disconnect active PPP connection after "idle-timeout";
*) ppp - do not lose "/ppp profile" script configuration after other profile parameters are edited;
*) ppp - fixed "change-mss" functionality when MSS is not set on forwarded packets;
*) ppp - fixed L2TP and PPTP encryption negotiation process on configuration changes;
*) pppoe-client - properly re-establish MLPPP session when one of the lines stopped transmitting packets;
*) quickset - do not automatically change mode to CPE;
*) quickset - renamed router IP static DNS name to "router.lan";
*) route - fixed DHCP/PPP “add-default-route” “distance” minimal value to 1;
*) route - improved reliability on routing table update;
*) routerboard - properly report warnings under "/system routerboard" menu;
*) scheduler - properly display long scheduler configuration;
*) sfp - improved SFP module compatibility;
*) sms - fixed minor problem for SMS delivery;
*) snmp - added IPv6 addresses support on default "public" community;
*) snmp - fixed bulk requests when non-repeaters are used;
*) snmp - fixed consecutive OID bulk get from the same table;
*) traceroute - fixed "/tool traceroute" results print;
*) traffic-flow - do not count single extra packet per each flow;
*) webfig - added support for proper default policies when adding script or scheduler job;
*) webfig - fixed backup loading from Webfig on RouterBOARD running default configuration;
*) webfig - fixed bridge port sorting order by name;
*) webfig - fixed MAC address ordering;
*) webfig - fixed router getting reset to default configuration;
*) webfig - fixed column ordering;
*) winbox - allow to specify "to-ports" for "action=masquerade";
*) wireless - fixed wireless protocol mode restrictions if lockpack is installed and has limits for it;
*) wireless - removed unused monitor command from CLI;
*) wireless - updated "Australia", "Czech Republic", "UK 5.8 Fixed" and "United Kingdom" regulatory domain information;

What's new in 6.40.5 (2017-Oct-31 13:05):

*) certificate - fixed import of certificates with empty SKID;
*) crs3xx - fixed 100% CPU usage after interface related changes;
*) firewall - do not NAT address to 0.0.0.0 after reboot if to-address is used but not specified;
*) ike1 - fixed crash after downgrade if DH groups 19,20,21 were used for phase1;
*) ike1 - fixed RSA authentication for Windows clients behind NAT;
*) ipsec - fixed lost value for "remote-certificate" parameter after disable/enable;
*) ipv6 - fixed IPv6 addresses constructed from prefix and static address entry;
*) log - properly recognize MikroTik specific RADIUS attributes;
*) lte - do not reset modem when it is not possible to access SMS storage;
*) lte - fixed modem initialization after reboot;
*) lte - fixed PIN option after setting up the band;
*) sms - include time stamps in SMS delivery reports;
*) sms - properly initialize SMS storage;
*) snmp - fixed "/system license" parameters for CHR;
*) winbox - allow shorten bytes to k,M,G in Hotspot user limits;
*) wireless - fixed rate selection process when "rate-set=configured" and NV2 protocol is used;

What's new in 6.40.4 (2017-Oct-02 08:38):

*) address - show warning on IPv6 address when acquire from pool has failed;
*) arp - properly update dynamic ARP entries after interface related changes;
*) crs1xx/2xx - fixed 1 Gbps forced mode for several SFP modules;
*) crs317 - added L2MTU support;
*) crs3xx - improved packet processing in slowpath;
*) defconf - fixed RouterOS default configuration (introduced in v6.40.3);
*) dhcp - fixed downgrade from RouterOS v6.41 or higher;
*) dhcpv6 client - added IAID check in reply;
*) dhcpv6-client - fixed IA check on solicit when "rapid-commit" is enabled;
*) dhcpv6-client - ignore unknown IA;
*) dhcpv6-client - require pool name to be unique;
*) e-mail - auto complete file name on "file" parameter (introduced in v6.40);
*) export - fixed wireless "ssid" and "supplicant-identity" compact export;
*) hotspot - fixed missing "/ip hotspot server profile" if invalid "dns-name" was specified;
*) hotspot - improved user statistics collection process;
*) ike1 - remove PH1 and PH2 when "mode-config" exchange fails;
*) ipsec - kill PH1 on "mode-config" address failure;
*) ipv6 - fixed IPv6 address request from pool;
*) lte - fixed modem initialization after reboot;
*) ntp-client - properly start NTP client after reboot if manual server IP is not configured;
*) rb931-2nd - fixed startup problems (requires additional reboot after upgrade);
*) routerboard - fixed "/system routerboard upgrade" for CRS212-8G-4S;
*) sfp - fixed OPTON module DDM information readings;
*) sfp - fixed temperature readings for various SFP modules;
*) snmp - fixed "/caps-man registration-table" uptime values;
*) snmp - fixed "/system license" parameters for CHR;
*) tile - improved reliability on MPLS package processing;
*) userman - fixed unresponsive RADIUS server (introduced in v6.40.3);
*) vlan - do not allow VLAN MTU to be higher than L2MTU;
*) webfig - improved reliability of login process;
*) wireless - added "etsi1" regulatory domain information;
*) wireless - improved WPA2 key exchange reliability;
*) wireless - updated "norway" regulatory domain information;

What's new in 6.40.3 (2017-Sep-01 07:40):

*) dhcpv6-server - do not release address of static binding from pool after server removal;
*) export - fixed "/system routerboard" export (introduced in 6.40.1);
*) export - fixed export for PoE-OUT related settings;
*) ike1 - fixed initiator ID comparison to NAT-OA;
*) led - fixed "on" and "off" triggers when multiple LEDs are selected;
*) led - fixed RB711UA ether1 LED (introduced in v6.38rc16);
*) lte - do not show USB LTE modem under "/port" menu;
*) lte - fixed ethernet flap when LTE establishes connection;
*) lte - fixed SXT LTE graphs in QuickSet;
*) lte - improved reliability of USB LTE modems;
*) poe-out - fixed router reboot after "poe-out-status" changes;
*) rb1100ahx4 - fixed HW acceleration fragmented packet decryption when fragment is smaller than 64 bytes;
*) rb750gr3 - show warning and do not allow to use "protected-bootloader" feature if "factory-firmware" older than 3.34.4 version;
*) routerboard - added "mode-button" support for RB750Gr3 (CLI only);
*) ssh - do not execute command if it starts with "-" symbol;
*) traffic-flow - fixed reboots when IPv6 address has been set as target address without active IPv6 package;
*) userman - fixed "limitation" and "profile-limitation" update;
*) userman - fixed CoA packet processing after changes in "/tool user-manager router" configuration;
*) webfig - allow to open table entry even if table is not sorted by # (introduced in v6.40);
*) webfig - allow to unset "rate-limit" for DHCP leases;
*) winbox - added possibility to define "comment" for "/routing bgp network" entries;
*) winbox - do not show FAN related information under "/system health" menu for devices which does not have it;
*) winbox - do not show LCD menu for devices which does not have it;
*) winbox - fixed ARP table update after entry changes state to incomplete;
*) wireless - added "russia3" country settings;
*) wireless - added New Zealand regulatory domain information for P2P links;
*) wireless - updated China and New Zealand regulatory domain information;
*) www - fixed unresponsive Web services (introduced in v6.40);

What's new in 6.40.2 (2017-Aug-08 13:13):

*) dhcpv6-client - fixed IA evaluation order;
*) led - fixed "modem-signal" LEDs (introduced in 6.40);
*) pppoe-client - fixed wrong MRU detection over VLAN interfaces;
*) rb2011 - fixed possible LCD blinking along with ethernet LED (introduced in 6.40);
*) sfp - fixed invalid temperature readings when ambient temperature is below 0C;
*) winbox - added certificate settings;
*) winbox - added support for certificate CRL list;
*) winbox - do not show LCD menu for devices which does not have it;
*) winbox - hide "level" and "tunnel" parameters for IPSec policy templates;
*) winbox - hide FAN speed if it is 0RPM;

What's new in 6.40.1 (2017-Aug-03 12:37):

*) bonding - improved reliability on bonding interface removal;
*) chr - fixed false warnings on upgrade reboots;
*) dhcpv6-client - do not run DHCPv6 client when IPv6 package is disabled;
*) export - fixed export for different parameters where numerical range or constant string is expected;
*) firewall - properly remove "address-list" entry after timeout ends;
*) interface - improved interface state change handling when multiple interfaces are affected at the same time;
*) lte - fixed LTE not passing any traffic while in running state;
*) ovpn-client - fixed incorrect netmask usage for pushed routes (introduced in 6.40);
*) pppoe-client - fixed incorrectly formed PADT packet;
*) rb2011 - fixed possible LCD blinking along with ethernet LED (introduced in 6.40);
*) rb922 - restored missing wireless interface on some boards;
*) torch - fixed Torch on PPP tunnels (introduced in 6.40);
*) trafficgen - fixed "lost-ratio" showing incorrect statistics after multiple sequences;
*) winbox - added "none-dynamic" and "none-static" options for "address-list-timeout" parameter under NAT, Mangle and RAW rules;

What's new in v6.40 (2017-Jul-21 08:45):

!) lte - added initial fastpath support (except SXT LTE and Sierra modems);
!) lte - added initial support for passthrough mode for lte modems that supports fastpath;
!) wireless - added Nv2 AP synchronization feature "nv2-modes" and "nv2-sync-secret" option;
*) bonding - fixed 802.3ad mode on RB1100AHx4;
*) btest - fixed crash when packet size has been changed during test;
*) capsman - added "current-registered-clients" and "current-authorized-clients" count for CAP interfaces;
*) capsman - fixed EAP identity reporting in "registration-table";
*) capsman - set minimal "caps-man-names" and "caps-man-certificate-common-names" length to 1 char;
*) certificate - added "crl-use" setting to disable CRL use (CLI only);
*) certificate - update and reload old certificate with new one if SKID matches;
*) chr - fixed MAC address assignment when hot plugging NIC on XenServer;
*) chr - maximal system disk size now limited to 16GB;
*) conntrack - fixed IPv6 connection tracking enable/disable;
*) console - fixed different command auto complete on ;
*) crs212 - fixed Optech sfp-10G-tx module compatibility with SFP ports;
*) defconf - added IPv6 default firewall configuration (IPv6 package must be enabled on reset);
*) defconf - improved IPv4 default firewall configuration;
*) defconf - renamed 192.168.88.1 address static DNS entry from "router" to "router.lan";
*) dhcp - added "debug" logs on MAC address change;
*) dhcpv4-client - added "gateway-address" script parameter;
*) dhcpv4-server - fixed lease renew for DHCP clients that sends renewal with "ciaddr = 0.0.0.0";
*) dhcpv4-server - fixed server state on interface change in Winbox and Webfig;
*) discovery - fixed timeouts for LLDP neighbours;
*) dns - remove all dynamic cache RRs of same type when adding static entry;
*) dude - fixed server crash;
*) email - added support for multiple attachments;
*) ethernet - fixed occasional broken interface order after reset/first boot;
*) ethernet - fixed rare linking problem with forced 10Mbps full-duplex mode;
*) export - added "terse" option;
*) export - added default "init-delay" setting for "/routerboard settings" menu;
*) export - added router model and serial number to configuration export;
*) export - fixed "/interface list" verbose export;
*) export - fixed "/ipv6 route" compact export;
*) export - fixed MPLS "dynamic-label-range" export;
*) export - fixed SNMP "src-address" for compact export;
*) fastpath - improved performance when packets for slowpath are received;
*) fastpath - improved process of removing dynamic interfaces;
*) fasttrack - fixed fasttrack over interfaces with dynamic MAC address;
*) fetch - added "src-address" parameter for HTTP and HTTPS;
*) filesystem - improved error correcting process on tilera and RB1100AHx4 storage;
*) firewall - added "none-dynamic" and "none-static" options for "address-list-timeout" parameter;
*) firewall - fixed bridge "action=log" rules;
*) firewall - fixed cosmetic "inactive" flag when item was disabled;
*) firewall - fixed crash on fasttrack dummy rule manual change attempt;
*) firewall - removed unique address list name limit;
*) hAP ac lite - removed nonexistent "wlan-led";
*) hotspot - added "address-list" support in "walled-garden" IP section;
*) hotspot - require "dns-name" to contain "." symbol under Hotspot Server Profile configuration;
*) ike1 - added log error message if netmask was not provided by "mode-config" server;
*) ike1 - added support for "framed-pool" RADIUS attribute;
*) ike1 - create tunnel policy when no split net provided;
*) ike1 - fixed minor memory leak on peer configuration change;
*) ike1 - kill phase1 instead of rekey if "mode-config" is used;
*) ike1 - removed SAs on DPD;
*) ike1 - send phase1 delete;
*) ike1 - wait for cfg set reply before ph2 creation with xAuth;
*) ike2 - added RADIUS attributes "Framed-Pool", "Framed-Ip-Address", "Framed-Ip-Netmask";
*) ike2 - added pfkey kernel return checks;
*) ike2 - added support for "Mikrotik_Address_List" RADIUS attribute;
*) ike2 - added support for "mode-config" static address;
*) ike2 - by default use "/24" netmask for peer IP address in split net;
*) ike2 - fixed duplicate policy checking with "0.0.0.0/0" policies;
*) ike2 - prefer traffic selector with "mode-config" address;
*) ipsec - added "firewall=add-notrack" peer option (CLI only);
*) ipsec - added information in console XML for "mode-config" menu;
*) ipsec - added support for "key-id" peer identification type;
*) ipsec - allow to specify chain in "firewall" peer option;
*) ipsec - do not deduct "dst-address" from "sa-dst-address" for "/0" policies;
*) ipsec - enabled modp2048 DH group by default;
*) ipsec - fixed connections cleanup on policy or proposal modification;
*) ipsec - optimized logging under IPSec topic;
*) ipsec - removed policy priority;
*) l2tp - fixed handling of pre-authenticated L2TP sessions with CHAP authentication;
*) l2tp-server - added "one-session-per-host" option;
*) log - added "poe-out" topic;
*) log - improved "l2tp" logs;
*) log - optimized "wireless,info" topic logs;
*) log - work on false CPU/RAM overclocked alarms;
*) lte - added "accounting" logs for LTE connections;
*) lte - added info command support for the Jaton LTE modem;
*) lte - added initial support for "NTT DoCoMo" modem;
*) lte - added support for Huawei E3531-6;
*) lte - added support for ZTE TE W120;
*) lte - fixed info command when it is executed at the same time as modem restarts/disconnects;
*) lte - improved SMS delivery report;
*) lte - improved reliability on SXT LTE;
*) metarouter - fixed display of bogus error message on startup;
*) mmips - added support for NVME disks;
*) ovpn - added support for "push-continuation";
*) ovpn - added support for topology subnet for IP mode;
*) ovpn - fixed duplicate default gateway presence when receiving extra routes;
*) ovpn - improved performance when receiving too many options;
*) packages - increased automatic download retry interval to 5 minutes if there is no free disk space;
*) ping - fixed ping getting stuck (after several thousands of ping attempts);
*) ppp - added initial support for ZTE K4203-Z and ME3630-E;
*) ppp - added output values for "info" command for finding the GSM base station's location ("LAC" and "IMSI");
*) ppp - fixed "user-command" output;
*) ppp - fixed non-standart PAP or CHAP packet handling;
*) ppp - improved MLPPP packet forwarding performance;
*) ppp - use interface name instead of IP as default route gateway;
*) proxy - fixed potential crash;
*) proxy - fixed rare program crash after closing client connection;
*) quickset - added "Band" setting to "CPE" and "PTP CPE" modes;
*) quickset - added special firewall exception rules for IPSec;
*) quickset - fixed incorrect VPN address value on arm and tilera;
*) quickset - simplified LTE status monitoring;
*) quickset - use active user name and permissions when applying changes;
*) rb1100ahx4 - fixed startup problems (requires additional reboot after upgrade);
*) rb3011 - fixed packet passthrough on switch2 while booting;
*) rb750gr3 - fixed USB power;
*) routerboard - added "caps-mode" option for "reset-configuration";
*) routerboard - added "caps-mode-script" for default-configuration print;
*) routing - allow to disable "all" interface entry in BFD;
*) safe-mode - fixed session handling when Safe Mode is used on multiple sessions at the same time;
*) sfp - fixed invalid temperature reporting when ambient temperature is less than 0;
*) sms - decode reports in readable format;
*) sniffer - do not skip L2 packets when "all" interface mode was used;
*) snmp - added "ifindex" on interface traps;
*) snmp - added CAPsMAN interface statistics;
*) snmp - added ability to set "src-address";
*) snmp - fixed "/system resource cpu print oid" menu;
*) snmp - fixed crash on interface table get;
*) snmp - fixed wireless interface walk table id ordering;
*) socks - fixed crash while processing many simultaneous sessions;
*) ssl - added Wildcard support for "left-most" DNS label (will allow to use signed Wildcard certificate on VPN servers);
*) supout - fixed IPv6 firewall section;
*) switch - fixed "loop-protect" on CRS SFP/SFP+ ports;
*) switch - fixed multicast forwarding on CRS326;
*) tile - fixed copying large amount of text over serial console;
*) tr069-client - fixed lost HTTP header on authorization;
*) trafficgen - added "lost-ratio" to statistics;
*) ups - show correct "line-voltage" value for usbhid UPS devices;
*) userman - added "/tool user-manager user clear-profiles" command;
*) userman - do not send disconnect request for user when "simultaneous session limit reached";
*) userman - lookup language files also in "/flash" directory;
*) vlan - do not delete existing VLAN interface on "failure: already have such vlan";
*) webfig - fixed wireless "scan-list" parameter not being saved after applying changes;
*) winbox - added "eap-identity" to CAPsMAN registration table;
*) winbox - added "no-dad" setting to IPv6 addresses;
*) winbox - added "reselect-channel" to CAPsMAN interfaces;
*) winbox - added "session-uptime" to LTE interface;
*) winbox - added TR069 support;
*) winbox - do not autoscale graphs outside known maximums;
*) winbox - fixed wireless interface "amsdu-threshold" max limit;
*) winbox - hide LCD menu on CRS112-8G-4S;
*) winbox - make IPSec policies table an order list;
*) winbox - moved LTE info fields to status tab;
*) winbox - show "/interface wireless cap print" warnings;
*) winbox - show "/system health" only on boards that have health monitoring;
*) winbox - show "D" flag under "/interface mesh port" menu;
*) wireless - NAK any methods except MS-CHAPv2 as inner method in PEAP;
*) wireless - added option to change "nv2-downlink-ratio" for nv2 protocol;
*) wireless - added option to set "fixed-downlink" mode for nv2 protocol;
*) wireless - allow VirutalAP on Level0 (24h demo) license;
*) wireless - always use "multicast-helper" when DHCP is being used;
*) wireless - do not skip >2462 channels if interface is WDS slave;
*) wireless - fixed 802.11u wireless request processing;
*) wireless - fixed EAP PEAP success processing;
*) wireless - fixed compatibility with "AR5212" wireless chips;
*) wireless - fixed rare crash on cap disable;
*) wireless - fixed registration table "signal-strength" reporting for chains when using nv2;

so between the 2 bugfix releases this is the actual difference if i understand properly
...

Long, long post ... five seconds of scrolling. Was it necessary?

We use RADIUS to assign additional subnets as static route to the DHCP client. We've seen that this breaks default routes on Mikrotik CPEs, as it forwards the values through and replaces the default route assignment, but other brand CPEs seem to work ok. Does this change fix that issue, or is it something else?

*) wireless - updated "Czech Republic" regulatory domain information;

The non-specific short-range device category covers all kinds of radio devices, regardless of the application or the purpose,
which fulfil the technical conditions as specified for a given frequency band. Typical uses include telemetry,
telecommand, alarms, data transmissions in general and other applications.

Can we get some clarification around this change?
*) dhcpv4-server - fixed framed and classless route received from RADIUS server;

We use RADIUS to assign additional subnets as static route to the DHCP client. We've seen that this breaks default routes on Mikrotik CPEs, as it forwards the values through and replaces the default route assignment, but other brand CPEs seem to work ok. Does this change fix that issue, or is it something else?

Hmm,

problem.
I upgraded my 3 hAP AC from 6.39.3 to 6.40.6 ..
All seemed OK but the office W10 laptop refused to connect to the wifi ...
To bad there is no useable logging, the MT logging just says station leaving and the W10 logging says "unable to connect" ...
I donwgraded to 6.39.3 and now the W10 connects ...

Eddie

Hello,
can I get any info about this? Why was this change made?

*) wireless - updated "Czech Republic" regulatory domain information;

Czech republic has implemented the EU plan and band number 61 in this document is: 5725-5875MHz Non-specific Short-range devices 25mW e.i.r.p.

The non-specific short-range device category covers all kinds of radio devices, regardless of the application or the purpose,
which fulfil the technical conditions as specified for a given frequency band. Typical uses include telemetry,
telecommand, alarms, data transmissions in general and other applications.

http://eur-lex.europa.eu/legal-content/ ... 26&from=EN

The same information also state local documents from Czech telecommunication office.

Hmm,

problem.
Eddie

Please provide support output file to suport@mikrotik.com so we could compare that configuration to see why it would not work in v6.40.6

The issue is that 'other brands' does not follow RFC. RFC3442 clearly states: "If the DHCP server returns both a Classless Static Routes option and a Router option, the DHCP client MUST ignore the Router option."

So, the correct way is to add default route (0.0.0.0/0) to your Option 121. The workaround on the RouterOS side is "/ip dhcp-client set [find] add-default-route=special-classless".

I may put up a new post about this, as the feature of the Mikrotik router assigning static routes towards the client and using the same RADIUS response value to tell the client to route those same subnets back upstream router seems like something you would never want...

I may put up a new post about this, as the feature of the Mikrotik router assigning static routes towards the client and using the same RADIUS response value to tell the client to route those same subnets back upstream router seems like something you would never want...

Huh?.. What feature?..

Muator - I assume that you did upgrade device from version older than 6.38.4 and did not read all the changelogs in the middle. 6.38.4 introduces this fix - "firewall - do not allow to set "time" parameter to 0s for "limit" option". Also this problem is not related to 6.40.6 so please in the future do not report problem in concrete version forum topic if you are not sure that it is caused by it, since you might scare off others who will think that feature is broken. This is whole reason why we make version topics - to find out problems caused by concrete release. Not 6.39.3, not 6.40.5 but exact version - 6.40.6.

From the winbox in the firewall creates a rule with the parameter "time" 0C for "limit". From the terminal is not created.

From the winbox in the firewall creates a rule with the parameter "time" 0C for "limit". From the terminal is not created.

I can't create it from WinBox as well. How do you do that?

WinBox 3.12, RouterOS 6.41.1
limit0.jpg

On version 6.40.6 is created ! Upgrade to 6.40.6 and check if you don't believe.
Checked just now again, in the mangle and firewall, is created with 0.
The output from the console showed above.
The point is that the rules were added after the upgrade to 6.40.6.

On version 6.40.6 is created ! Upgrade to 6.40.6 and check if you don't believe.
Checked just now again, in the mangle and firewall, is created with 0.
The output from the console showed above.
The point is that the rules were added after the upgrade to 6.40.6.

Don't get me wrong, but I downgraded to 6.40.6 and...

limit0-2.jpg

(checked both mangle and filter)

irico - Are you 100% sure that simply another admin or you by mistake or on purpose did not re-configure MAC address. Also - why in your printout "Ethernet" is with capital letter? It is not an export. These commands are edited by the hand.

###[ROUTER UPDATED TODAY]

# mar/19/2018 20:25:20 by RouterOS 6.39.3
# software id = [EDITED]
#
[...]
/interface ethernet
set [ find default-name=ether1 ] comment="Megatro (LACP)" name=e1-Megatro
set [ find default-name=ether2 ] comment="Megatro (LACP)" name=e2-Megatro
set [ find default-name=ether3 ] comment="Telefonica (PPPoE)" name=e3-WAN3
set [ find default-name=ether4 ] comment="SW (LACP)" name=e4-SW
set [ find default-name=ether5 ] comment="SW (LACP)" name=e5-SW
set [ find default-name=ether6 ] comment="SW (LACP)" name=e6-SW
set [ find default-name=ether7 ] comment="SW (LACP)" name=e7-SW
[...]
/interface bonding
add mode=802.3ad name=bonding1-Megatro-WAN1 slaves=e1-Megatro,e2-Megatro \
    transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=bonding2-SW slaves=e4-SW,e5-SW,e6-SW,e7-SW \
    transmit-hash-policy=layer-2-and-3



# mar/19/2018 20:26:24 by RouterOS 6.40.6
# software id = [EDITED]
#
# model = CCR1009-7G-1C-1S+
# serial number = [EDITED]
[...]
/interface ethernet
set [ find default-name=ether1 ] comment="Megatro (LACP)" name=e1-Megatro
set [ find default-name=ether2 ] comment="Megatro (LACP)" mac-address=\
    6C:3B:6B:E4:90:E5 name=e2-Megatro
set [ find default-name=ether3 ] comment="Telefonica (PPPoE)" name=e3-WAN3
set [ find default-name=ether4 ] comment="SW (LACP)" name=e4-SW
set [ find default-name=ether5 ] comment="SW (LACP)" mac-address=\
    6C:3B:6B:E4:90:E8 name=e5-SW
set [ find default-name=ether6 ] comment="SW (LACP)" mac-address=\
    6C:3B:6B:E4:90:E8 name=e6-SW
set [ find default-name=ether7 ] comment="SW (LACP)" mac-address=\
    6C:3B:6B:E4:90:E8 name=e7-SW
[...]
/interface bonding
add mode=802.3ad name=bonding1-Megatro-WAN1 slaves=e1-Megatro,e2-Megatro \
    transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=bonding2-SW slaves=e4-SW,e5-SW,e6-SW,e7-SW \
    transmit-hash-policy=layer-2-and-3



###[ROUTER UPDATED 03/15/2018]

# mar/15/2018 15:10:38 by RouterOS 6.39.3
# software id = [EDITED]
#
[...]
/interface ethernet
set [ find default-name=ether1 ] comment="Telefonica (PPPoE)" name=e1-WAN2
set [ find default-name=ether2 ] name=e2
set [ find default-name=ether3 ] name=e3
set [ find default-name=ether4 ] comment="GSM SIM" name=e4-TELGSM
set [ find default-name=ether5 ] comment="SW (LACP)" name=e5-SW
set [ find default-name=ether6 ] comment="SW (LACP)" name=e6-SW
set [ find default-name=ether7 ] comment="GRN (PPPoE)" disabled=yes name=e7
set [ find default-name=ether8 ] comment=Adamo name=e8-WAN1
[...]
/interface bonding
add comment="SW-LAN_FAB (LACP)" mode=802.3ad name=bonding1-SW-LAN_FAB slaves=\
    e6-SW,e5-SW



# mar/15/2018 15:16:40 by RouterOS 6.40.6
# software id = [EDITED]
#
# model = CCR1009-8G-1S-1S+
# serial number = [EDITED]
[...]
/interface ethernet
set [ find default-name=ether1 ] comment="Telefonica (PPPoE)" name=e1-WAN2
set [ find default-name=ether2 ] name=e2
set [ find default-name=ether3 ] name=e3
set [ find default-name=ether4 ] comment="GSM SIM" name=e4-TELGSM
set [ find default-name=ether5 ] comment="SW (LACP)" name=e5-SW
set [ find default-name=ether6 ] comment="SW (LACP)" mac-address=\
    4C:5E:0C:DF:8D:92 name=e6-SW
set [ find default-name=ether7 ] comment="GRN (PPPoE)" disabled=yes name=e7
set [ find default-name=ether8 ] comment=Adamo name=e8-WAN1
[...]
/interface bonding
add comment="SW-LAN_FAB (LACP)" mode=802.3ad name=bonding1-SW-LAN_FAB slaves=\
    e6-SW,e5-SW