v6.42.7 [current] is released!

emils · Mon Aug 20, 2018 9:54 am

RouterOS version 6.42.7 has been released in public "current" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.42.7 (2018-Aug-17 09:48):

MAJOR CHANGES IN v6.42.7:
----------------------
!) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;
----------------------

*) bridge - improved bridge port state changing process;
*) crs326/crs328 - fixed untagged packet forwarding through tagged ports when pvid=1;
*) crs3xx - added command that forces fan detection on fan-equipped devices;
*) crs3xx - fixed port disable on CRS326 and CRS328 devices;
*) crs3xx - fixed tagged packet forwarding without VLAN filtering (introduced in 6.42.6);
*) crs3xx - fixed VLAN filtering when there is no tagged interface specified;
*) dhcpv4-relay - fixed false invalid flag presence;
*) dhcpv6-client - allow to set "default-route-distance";
*) dhcpv6 - improved reliability on IPv6 DHCP services;
*) dhcpv6-server - properly update interface for dynamic DHCPv6 servers;
*) ethernet - improved large packet handling on ARM devices with wireless;
*) ethernet - removed obsolete slave flag from "/interface vlan" menu;
*) ipsec - fixed "sa-src-address" deduction from "src-address" in tunnel mode;
*) ipsec - improved invalid policy handling when a valid policy is uninstalled;
*) ldp - properly load LDP configuration;
*) led - fixed default LED configuration for RBLHGG-5acD-XL devices;
*) lte - added signal readings under "/interface lte scan" for 3G and GSM modes;
*) lte - fixed memory leak on USB disconnect;
*) lte - fixed SMS send feature when not in LTE network;
*) package - do not allow to install out of bundle package if it already exists within bundle;
*) ppp - fixed interface enabling after a while if none of them where active;
*) sfp - hide "sfp-wavelength" parameter for RJ45 transceivers;
*) tr069-client - fixed unresponsive tr069 service when blackhole route is present;
*) upgrade - fixed RouterOS upgrade process from RouterOS v5;
*) userman - fixed compatibility with PayPal TLS 1.2;
*) vrrp - fixed VRRP packet processing on VirtualBox and VMWare hypervisors;
*) w60g - added distance measurement feature;
*) w60g - fixed random disconnects;
*) w60g - general stability and performance improvements;
*) w60g - improved MCS rate detection process;
*) w60g - improved MTU change handling;
*) w60g - properly close connection with station on disconnect;
*) w60g - stop doing distance measurements after first successful measurement;
*) winbox - added "secondary-channel" setting to wireless interface if 80 MHz mode is selected;
*) winbox - fixed "sfp-connector-type" value presence under "Interface/Ethernet";
*) winbox - fixed warning presence for "IP/IPsec/Peers" menu;
*) winbox - properly display all flags for bridge host entries;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that has such feature;
*) wireless - added option to disable PMKID for WPA2;
*) wireless - fixed memory leak when performing wireless scan on ARM;
*) wireless - fixed packet processing after removing wireless interface from CAP settings;
*) wireless - updated "united-states" regulatory domain information;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this concrete RouterOS release.

If you router has a storage issue (not enough space due to RouterOS, not by other files stored on the device), use package from this link:
https://www.mikrotik.com/download/share/fix_space.npk
- upload package to your router;
- run /system reboot

Other affected installations will be fixed automatically, if there is enough space left for an upgrade by this fix:
"package - free up used storage space consumed by old RouterOS upgrades"

markmcn · Mon Aug 20, 2018 11:15 am

*) ipsec - fixed "sa-src-address" deduction from "src-address" in tunnel mode;

Can you please share what was the issue and what is the fixed behaviour?
I am using alot of IPSec in 6.42.6 and having no issues, I'm just wondering what has changed before I alter a working environment
Thanks for the great work

emils · Mon Aug 20, 2018 11:41 am

When adding (or importing) a new IPsec policy it automatically used src-address to calculate sa-src-address if it was not specified in tunnel mode, which is not correct. E.g.

/ip ipsec policy add dst-address=192.168.1.0/24 sa-dst-address=10.155.107.5 sa-src-address=0.0.0.0 src-address=10.155.107.6 tunnel=yes

Created:

 1     src-address=10.155.107.6/32 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.155.107.6 sa-dst-address=10.155.107.5 proposal=default ph2-count=0

bratislav · Mon Aug 20, 2018 12:21 pm

Seems that new workaround option:

*) wireless - added option to disable PMKID for WPA2;

Does not prevent users to connect and so far everything works well for us ...

markmcn · Mon Aug 20, 2018 12:32 pm

Hi Emils,
Thanks for the responce, Am I correct in saying the corrected behaviour is that if the sa-src-address=0.0.0.0 is used, It will now take the ip address of the outbound interface(Interface with the route to the ipsec peer/sa-dst-address)
Thanks
Mark

When adding (or importing) a new IPsec policy it automatically used src-address to calculate sa-src-address if it was not specified in tunnel mode, which is not correct. E.g.
Code: Select all
/ip ipsec policy add dst-address=192.168.1.0/24 sa-dst-address=10.155.107.5 sa-src-address=0.0.0.0 src-address=10.155.107.6 tunnel=yes
Created:
Code: Select all
 1     src-address=10.155.107.6/32 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.155.107.6 sa-dst-address=10.155.107.5 proposal=default ph2-count=0

emils · Mon Aug 20, 2018 1:35 pm

Yes, that is correct.

UpRunTech · Mon Aug 20, 2018 1:54 pm

upgraded RB751-2HnD and RB2011UiAS-2HnD no dramas. I'll be interested in removing the PMKID and see what happens.

edit: removed PMKID and still here so who needs PMKID anyway?

R1CH · Mon Aug 20, 2018 1:57 pm

Upgraded 5 x wAP AC, no issues so far.

Kindis · Mon Aug 20, 2018 2:07 pm

Upgraded two 3011, one 493G, two CHR and two wAP AC. No issues what so ever. Also disabled PMKID for WPA2 and have no issues so far.

Fusionyx · Mon Aug 20, 2018 2:32 pm

Hi updated a CRS328-24p-4S+ (Arm) from v6.42.6 -> v6.42.7 and all the weird problems are gone for us so far.

We can disable interfaces again without other interface being effected aswell and trunk interfaces toward other switches keep working after the update and reboot.

Thansk for fixing this!

Fusionyx

notToNew · Mon Aug 20, 2018 2:42 pm

*) wireless - added option to disable PMKID for WPA2;

What is the Capsman-part of this?

EDIT: Sorry, just had to relaoad the config to see it!

Joe

rushlife · Mon Aug 20, 2018 3:14 pm

upgraded almost 300MK devices today and so far without problem

already done on types :
crs 328 poe
crs 317
crs 125
crs 226
ccr 1009
ccr 1016
ccr 1032
metal 52SHPacn
metal 2SHPn
rb 2011
rb 3011
mAP lite

In late night I must also done upgrade on main-rt CCR1072, I supposing no problem also

MonkeyDan · Mon Aug 20, 2018 4:58 pm

Does this really fix multipoint Wireless Wire disconnects? I’m reluctant to try as rc56 still had issues.

Jotne · Mon Aug 20, 2018 6:11 pm

@MonkeyDan

*) wireless - added option to disable PMKID for WPA2;
*) wireless - fixed memory leak when performing wireless scan on ARM;
*) wireless - fixed packet processing after removing wireless interface from CAP settings; 
*) wireless - updated "united-states" regulatory domain information;

This wireless problem has been fixed. If your problem is listed there, it should be ok

Njumaen · Mon Aug 20, 2018 7:52 pm

*) wireless - added option to disable PMKID for WPA2;

Even in CAPsMAN! \o/

Great Job!

Ralf.

CZFan · Mon Aug 20, 2018 8:11 pm

upgraded almost 300MK devices today and so far without problem
...

Wow, you are brave

rushlife · Mon Aug 20, 2018 8:43 pm

upgraded almost 300MK devices today and so far without problem
...

Wow, you are brave

or stupid..

no, really, I have lack of bad experiences...

MonkeyDan · Mon Aug 20, 2018 8:50 pm

That's for WiFi. WiGig changes are under w60, which yes, they said they were fixed, but I've seen plenty of current and rc releases where that wasn't the case.
I decided to gave 6.42.7 a go on a 2 station multipoint setup, and while the links flapped for 10 minutes, they've been stable ever since. Hopefully it stays this way for a very long time

@MonkeyDan

*) wireless - added option to disable PMKID for WPA2;
*) wireless - fixed memory leak when performing wireless scan on ARM;
*) wireless - fixed packet processing after removing wireless interface from CAP settings; 
*) wireless - updated "united-states" regulatory domain information;

This wireless problem has been fixed. If your problem is listed there, it should be ok

eddieb · Mon Aug 20, 2018 9:07 pm

Upgraded without problems ..

CRS125
CHR + Dude
RB750
RB951
RB962 (9x)
RB1100
RB2011 (2 IPSEC tunnels)

pe1chl · Mon Aug 20, 2018 9:32 pm

upgraded almost 300MK devices today and so far without problem
...
Wow, you are brave

Just wanted to comment the same.... upgrading 300 devices on the day of release, wow!
He deserves the prize for most valuable beta tester!

pe1chl · Mon Aug 20, 2018 9:35 pm

upgraded almost 300MK devices today and so far without problem
...
Wow, you are brave
or stupid..

no, really, I have lack of bad experiences...

I once painted myself in the corner by upgrading 2 CCR1009 routers before noticing that further upgrades were impossible due to reduced diskspace, and now I am a little more careful because it took a lot of convincing on the forum before a fix package was released that would solve the problem without doing netinstall... and even that I installed too quickly on one of them. (getting rescued only by the fallback to second partition)

dadoremix · Mon Aug 20, 2018 10:54 pm

upgraded almost 300MK devices today and so far without problem

already done on types :
crs 328 poe
crs 317
crs 125
crs 226
ccr 1009
ccr 1016
ccr 1032
metal 52SHPacn
metal 2SHPn
rb 2011
rb 3011
mAP lite

In late night I must also done upgrade on main-rt CCR1072, I supposing no problem also

How did you upgrade 300 devices?
Script / tool? Or manual 1 by 1 ?

mkx · Mon Aug 20, 2018 11:15 pm

How did you upgrade 300 devices?
Script / tool? Or manual 1 by 1 ?

I'm guessing Dude and/or CapsMan.

Tue Aug 21, 2018 8:37 am

Could we expect 6.40.9 ?

bjornr · Tue Aug 21, 2018 8:43 am

After upgrading to 6.42.7, my CRS328-24P-4S+ logs increased CPU temperature from SNMP readouts. The attached graph shows a significant change in CPU temperature after upgrading (at around 23:00). The switch's CPU load (also from SNMP) has not increased.

Were there any changes to the SNMP output for this unit, not mentioned in the changelog? It could look like the temperature of the board was previously listed as CPU temperature.

CRS328-24P-4S+-after-upgrade.png

John39 · Tue Aug 21, 2018 11:14 am

After the update, cloud stopped working for me. Ip address is updated in cloud, and if ping is done, the answer comes from the old address. If you install RC, the problem immediately goes away. I had to switch to the script.

rushlife · Tue Aug 21, 2018 11:27 am

How did you upgrade 300 devices?
Script / tool? Or manual 1 by 1 ?

Hi, I have linux (ubuntu server) with bash script ( which I made myself ) to upgrade all of it.

ofer · Tue Aug 21, 2018 11:31 am

Upgraded 3 x HAP AC, no issues so far.
Update: I disabled PMKID on the units, no issues as well.

Thanks!

John39 · Tue Aug 21, 2018 11:40 am

Forgot to specify the model hap ac2.
The time between updating the cloud and checking ping was about 1 hour.

markmcn · Tue Aug 21, 2018 12:03 pm

I upgraded a RB1100 AH4 last night, It mostly went ok,
The only issue was on reboot none of the ipsec tunnel came back, when I checked IPSec packets weren't even leaving as claimed to be trying to establish!! A second reboot and all the tunnels came up.
The take away being if you depend on IPSec to access the device maybe have a backup plan in this case

Njumaen · Tue Aug 21, 2018 12:37 pm

*) crs3xx - fixed tagged packet forwarding without VLAN filtering (introduced in 6.42.6);

This really drove me crazy on my CRS328-24P-4S+

Thanks for fixing!

CZFan · Tue Aug 21, 2018 1:41 pm

After upgrading to 6.42.7, my CRS328-24P-4S+ logs increased CPU temperature from SNMP readouts. The attached graph shows a significant change in CPU temperature after upgrading (at around 23:00). The switch's CPU load (also from SNMP) has not increased.

Were there any changes to the SNMP output for this unit, not mentioned in the changelog? It could look like the temperature of the board was previously listed as CPU temperature.

CRS328-24P-4S+-after-upgrade.png

CRS326-24G-2S+ also seems to be running high temp's, cant say what it was before as it is a new installation done last night, has 6.42.7 installed last night
This is in an air conditioned server room

CRS326-24G-2S+ Temp.JPG

rushlife · Tue Aug 21, 2018 2:50 pm

I will take a look on this too.

edit : no change imho

Paternot · Tue Aug 21, 2018 5:01 pm

Upgraded one RB750Gr3 and three hAP ac lite. All working: IPsec and OpenVpn (server, RB750Gr3), BGP (small table, internal), PPPoE and wireless (802.11ac/n).

bjornr · Tue Aug 21, 2018 5:29 pm

After upgrading to 6.42.7, my CRS328-24P-4S+ logs increased CPU temperature from SNMP readouts. [...]

Tried downgrading to 6.42.6, and CPU temperature is shown as 8-10 degrees lower than with 6.42.7 - both in System -> Health and with SNMP.

6.42.7 before downgrade:

6.42.7.before.png

Downgraded to 6.42.6:

6.42.6.png

Back to 6.42.7 after upgrading again:

6.42.7.after.png

juliokato · Tue Aug 21, 2018 7:27 pm

Why did 2 fans appear in the last print?

bjornr · Tue Aug 21, 2018 7:55 pm

Why did 2 fans appear in the last print?

For some reason, fan speed is only shown in "System Health" when the fans are running. So during the last screenshot the fans were running, but in the other two the fans were off.

A curious side effect of this is that (at least with Linux and Wine) the "System Health" window will grow bigger when the two fan speeds are shown, and go back to a smaller window when the fans don't run - so the window will not only change size multiple times, but also change its position in Winbox. After some time, I will usually find the "System Health" window in the upper left corner of Winbox :-)

anav · Tue Aug 21, 2018 9:56 pm

upgraded almost 300MK devices today and so far without problem
...

Wow, you are brave

The irony!!
I just want to point that you have now truly earned your nick as CZFAN.

(seeing as rushlife is from CZech land).

CZFan · Wed Aug 22, 2018 12:09 am

Anav, welcome back, been a while since I last saw a post from you.

FYI, my nick name is based on a well known product from Czech Republic

upnort · Wed Aug 22, 2018 6:36 am

Hi, I have linux (ubuntu server) with bash script ( which I made myself ) to upgrade all of it.

Linux user here. Please, please share the script!

rushlife · Wed Aug 22, 2018 9:17 am

enjoy

Kraken2k · Wed Aug 22, 2018 11:16 am

Upgraded RB2011, no issues so far.

FYI, my nick name is based on a well known product from Czech Republic

Yeah... your avatar is pretty self-explaining.

Jotne · Wed Aug 22, 2018 2:37 pm

Found a smal bug that should be fixed.

In GUI name "Tools" is used.
In CLI it is used "tool"

Using same name helps to navigate when using both interface CLI and GUI

Other strange thing.
In GUI Bridge has its own main menu.
In CLI its under Interface/Bridge
Why these differences?`

Wed Aug 22, 2018 2:49 pm

There are some GUI differences for ease of use. It is not v6.42.7 specific.

pe1chl · Wed Aug 22, 2018 2:51 pm

Is there any indication of the attack surface of "vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159"?
What kind of installations would be directly at risk and require quick updates?
(e.g. admin service ports open on internet, certain types of VPN service open on internet, any configuration with internet connection, etc)

k3dt · Wed Aug 22, 2018 2:53 pm

Can you provide some more informations about fixed vulnerabilities? eg. how critical are? thanks

Jotne · Wed Aug 22, 2018 3:29 pm

There are some GUI differences for ease of use. It is not v6.42.7 specific.

Posted in wrong thread, should be in the Winbox thread.
PS it does not make it simpler to not have equal name and stricture.

soomanyquestions · Wed Aug 22, 2018 4:39 pm

Is there any indication of the attack surface of "vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159"?
What kind of installations would be directly at risk and require quick updates?
(e.g. admin service ports open on internet, certain types of VPN service open on internet, any configuration with internet connection, etc)

This would be really nice to know!

emils · Wed Aug 22, 2018 4:44 pm

We will publish official blog post soon with more detailed information about the fixed vulnerabilities.

R1CH · Wed Aug 22, 2018 6:39 pm

Were these security fixes stealthily added to the v6.42.7 patch notes? I don't recall seeing them there before and I didn't update since it didn't look like a necessary update. It's very bad that details aren't available even though the fixed version is published. It doesn't take much effort to compare the 6.42.6 vs 6.42.7 binaries and figure out where the exploits were and start attacking them. Hopefully this is just a fix of long standing security bugs like lack of certificate validation in numerous places.

CsXen · Wed Aug 22, 2018 6:42 pm

Upgraded RB951Ui, no issues so far.

Best regards: CsXen

R1CH · Wed Aug 22, 2018 6:49 pm

I can confirm that the security fixes were added to the notes after the 6.42.7 thread was already posted! Why was this?

upnort · Wed Aug 22, 2018 7:27 pm

@rushlife: Thank you for the scripts!

anav · Wed Aug 22, 2018 7:30 pm

Anav, welcome back, been a while since I last saw a post from you.

FYI, my nick name is based on a well known product from Czech Republic

Well after realizing I was more dangerous then helpful I decided to lay low for awhile.
Now I will post if I have some certainty and quality of input (thus crickets chirping from me) or have a healthy dose of humour/sarcasm to inject.
I must say I am screaming through so many TV series these days its all a blur. (Right now its the "Shooter" and "Justified")

Wed Aug 22, 2018 8:45 pm

!) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;

6.42.6 is vulnerable to this?

rahuljj · Wed Aug 22, 2018 9:26 pm

Upgraded RB3011. Ipsec tunnels broken
RB750Gr3,. Ipsec tunnels broken ,

Reverted back to 42.6 , all ipsec tunnels back working well ,

pe1chl · Wed Aug 22, 2018 9:55 pm

Upgraded RB3011. Ipsec tunnels broken
RB750Gr3,. Ipsec tunnels broken ,

Updated seveal routers, amongst them some RB750Gr3, no such problem noticed.

sindy · Wed Aug 22, 2018 10:08 pm

Exchange mode and policy type (tunnel/transport) may both make a difference.

bmann · Wed Aug 22, 2018 11:01 pm

@R1CH: Yes, it was not here. Probably they needed to wait for 6.40.9 to ne released too. The the information was added to both.
I do not see problem to release more information later. Maybe it is about to give people some time to upgrade before releasing details.

@chechito: Are you serious with your question ????

pe1chl · Wed Aug 22, 2018 11:21 pm

I do not see problem to release more information later. Maybe it is about to give people some time to upgrade before releasing details.

Well, the problem I have is that I now need to update many routers because they may be vulnerable and taken over tomorrow, and then
when further details emerge it may be that we are not using the vulnerable feature or have the proper firewalling.
So I would have appreaciated some summary of attack surface as I requested above. It would save me a night of overtime.

bmann · Thu Aug 23, 2018 12:27 am

Right, it is legitimate request. In my case this does not impact me, but with bigger amount of devices it is problematic and risky.
If it is serious then better to say 'upgrade', details will follow later or release the details immediately.

bjornr · Thu Aug 23, 2018 9:08 am

This seems to be it: https://blog.mikrotik.com/security/secu ... nable.html

pe1chl · Thu Aug 23, 2018 9:14 am

ARGHH!!! THAT IS WHAT I MEAN:
"issues in RouterOS web server. The issues only affect authenticated users"

They should have put that in the #@%$^^$@# release notes!! A frantic night of updating all for NOTHING.

picom · Thu Aug 23, 2018 9:47 am

If someone wants a script (looking for vulnerable versions) and makes auto updates, I invite you to email.

Here is shown how it works: https://www.youtube.com/channel/UCOIjoi ... IgPlPgFYUQ

Thu Aug 23, 2018 10:51 am

Well you guys did want a security blog and more awareness. Now you complain that the issues are not serious enough

We will try to find a balance.

Thu Aug 23, 2018 11:03 am

I can confirm that the security fixes were added to the notes after the 6.42.7 thread was already posted! Why was this?

Think logically,
1) release versions in all channels with the fixes
2) wait for initial customer feedback to be double sure that version doesn't contain unexpected surprizes and is stable, in case quick fix release needed
3) release information about security issues

i personally don't see anything wrong there.

Thu Aug 23, 2018 11:09 am

I can confirm that the security fixes were added to the notes after the 6.42.7 thread was already posted! Why was this?

No, this is because CVE entries were only made after the fixes were released.
Tenable allows vendors to fix issues and release the fixed versions, before they advertise discovered issues.
We could not add non-existing CVE numbers into the changelog.

emils · Thu Aug 23, 2018 11:11 am

Upgraded RB3011. Ipsec tunnels broken
RB750Gr3,. Ipsec tunnels broken ,

Reverted back to 42.6 , all ipsec tunnels back working well ,

Please send the supout.rif file from 6.42.7 to support@mikrotik.com

pe1chl · Thu Aug 23, 2018 11:13 am

Well you guys did want a security blog and more awareness. Now you complain that the issues are not serious enough We will try to find a balance.

I hope you understand that when you post a new version AND update the bugfix version at the same time, mentioning 4 security issues that have no description, the users get a bit nervous and assume that an update is urgently required.
I asked for the attack surface, you could have replied "issues in the webserver exploitable by authenticated users" and I would have known that it is not urgent for me to update, and I could have waited until more details became known.
But as the issue was completely unknown and it could well have been in ISAKMP, SSTP, PPP or whatever, I decided to work overtime to update everything.

So indeed it would be welcome when it was a little more clear what is going on.

petern · Thu Aug 23, 2018 11:16 am

Well you guys did want a security blog and more awareness. Now you complain that the issues are not serious enough We will try to find a balance.

The issue is you need to provide a little more information please. Adding the CVSS score would be useful, along with information about mitigations (firewall rules!) that, in this case, are most likely already in place.

Listing CVEs without any other information leads to speculation about a possible remote vulnerability leading to compromised devices, and therefore excess panic as admins update without knowing what they're updating.

pe1chl · Thu Aug 23, 2018 11:18 am

Tenable allows vendors to fix issues and release the fixed versions, before they advertise discovered issues.
We could not add non-existing CVE numbers into the changelog.

I think the normally preferred procedure is to create CVE numbers and keep them nondescript until fixes are released.
And as the CVE entries are currently in that state, and were created in December 2017, I would assume this is how it went.
It looks like a lack of communication from Tenable, they should have told you what CVE numbers they had created for the issue.

Thu Aug 23, 2018 11:30 am

Yes, we only got them yesterday. I assume they have reserved a huge block of blank CVE numbers, because these issues were not discovered in december, but more recently.

Cha0s · Thu Aug 23, 2018 12:07 pm

I can confirm that the security fixes were added to the notes after the 6.42.7 thread was already posted! Why was this?

This is bad. I check for updates every day on this forum. The day this release was posted, I read the full changelog and there was nothing of concern to update all my routers immediately.

AFTER the fact they edit the release notes to include a security fix. And then they complain that users don't read the changelogs or update their routers.

This is absurd! I don't care when they found out about it. Which doesn't make sense. Normis claims they only found about it yesterday, but had already released a patch on Augusth the 17th?
They should have made it crystal clear that there is a security patch on this release or release a new .8 version just to mention this security fix (even if it was already on .7).

I DID my due diligence and checked the changelog the same day it got released. What am I supposed to do now? Check everyday if they EDIT the damn changelogs?
If I didn't - by accident - check this thread today, I wouldn't have known that there's a security fix.

Once again, Mikrotik cannot handle simple stuff the way the rest of the industry handles it.
And it shows once again that each update may contain more changes than what the changelog says.
I say this because they always categorically refuse that there are more changes than what the changelog says. Which is obviously NOT true.

On the one hand, it's good that there's a lot of attention on Mikrotik security (we get real fixes and not useless features). But on the other hand, Mikrotik cannot seem to handle the spotlight. Not one bit.

Thu Aug 23, 2018 12:09 pm

What are you talking about? I did say no such thing. The fix was released August 20, only the Blog entry and CVE entries were not yet populated with detailed information. That is all.

Cha0s · Thu Aug 23, 2018 12:11 pm

August 20?

So 6.42.7 does NOT contain a fix? Because the build time is Aug/17/2018 09:48:44.

Thu Aug 23, 2018 12:13 pm

Build time is not the same as release time.
I don't understand your point. Also, I suggest you read the blog post. There is barely one person here who could be affected by these specific "issues".

Cha0s · Thu Aug 23, 2018 12:16 pm

Sigh.... I give up.

Thu Aug 23, 2018 12:42 pm

The company that discovered the issue HAD NOT PUBLISHED IT at that point, so there is no difference if you update yesterday or tomorrow. Nobody knows about the issue and can't exploit it, it is very specific. They ask that we do not mention it in our release notes until they publish it themselves.

Actually in the RC release chain, it was fixed a few weeks ago already, but we were not allowed to disclose this information. This is common practice in these situations.

mkx · Thu Aug 23, 2018 2:53 pm

I believe @normis when he's saying Tenable denied Mikrotik to advertise details (including CVE numbers). However I have hard time to believe Mikrotik could not vaguely mention the fixes.

Right now, change log contains line

!) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;

but I believe initially could contain a line like this:

!) security - fixed vulnerabilities in WebFig service where already authenticated user could cause service to crash

More details are not needed, but most administrators would be able to assess if they need to upgrade their devices or not.

Personally, these vulnerabilities affect half of my devices ... and until word about fixed vulnerabilities came around, I upgraded 3/4 of my devices, but not all affected. Sigh.

lymas · Thu Aug 23, 2018 5:27 pm

Hi Normis,

Thank you for all information.
Just one more question:

In the blog says "CVE-2018-1159: www memory corruption, if connections are initiated and not properly cleaned up then a heap corruption occurs in www."

In this CVE decription it does not say anything about being authenticated.
Do I have to be authenticated to exploit failure CVE-2018-1159?

Regards,

Lyma

Thu Aug 23, 2018 5:53 pm

This must be the best version in years, as this topic only complains are about changelogs one entry....

Back on topic - solid version most of network spokes upgraded, core routers will be on the weekend.

mszru · Thu Aug 23, 2018 6:25 pm

This version fixed the weird problem with Xiaomi Redmi 3S phones that could not get IPs from DHCP server running on hEX.

Thank you, MikroTik team!

rvilanov · Thu Aug 23, 2018 6:51 pm

Dhcp error still persists as offering lease withour success on CCR1009. After many errors the dhcp stops to answer for a while.

R1CH · Thu Aug 23, 2018 8:05 pm

Bricked a wAP AC by installing this from 6.36 / 6.37 (wasn't paying close attention to the old version). Rebooted and ethernet is constantly cycling link / no-link, no netinstall, no backup loader. RMA time it seems.

Be careful if upgrading from older versions!

lenciso · Thu Aug 23, 2018 10:33 pm

Hi,

I got this after of update

Webserver Crashed
Telnet service crashed.

complex1 · Thu Aug 23, 2018 11:44 pm

Just upgraded my RB2011 from 6.40.8 [bugfix] to 6.42.7 [current] and encounter no issues at all.
Keep up the good work guys.

Kerbia · Fri Aug 24, 2018 4:20 am

Webserver Crashed
Telnet service crashed.

I confirm this.

Raumaster · Fri Aug 24, 2018 6:51 am

Dhcp error still persists as offering lease withour success on CCR1009. After many errors the dhcp stops to answer for a while.

In our network we have one RB 3011 that works as a Load Balance and in this routerboard we have one DHCP server on one interface and it stoped working as well after applying 6.42.7. It was installed on top of 6.40.8. Downgraded it to 6.40.8 and then updated it to 6.40.9 and everything is working fine again.

knizamm · Fri Aug 24, 2018 7:16 am

Webserver Crashed
Telnet service crashed.
I confirm this.

I can confirm this also.

notToNew · Fri Aug 24, 2018 8:46 am

In our network we have one RB 3011 that works as a Load Balance and in this routerboard we have one DHCP server on one interface and it stoped working as well after applying 6.42.7. It was installed on top of 6.40.8. Downgraded it to 6.40.8 and then updated it to 6.40.9 and everything is working fine again.

Same here.... Ntp Server stopped aswell. Stayinger at 6.40.9 dir awhile

nescafe2002 · Fri Aug 24, 2018 10:00 am

@lenciso, Kerbia, knizamm, notToNew:

Please follow the steps mentioned in the change log to let MikroTik fix this issue asap:

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

mkx · Fri Aug 24, 2018 10:15 am

Please follow the steps mentioned in the change log to let MikroTik fix this issue asap:

I've seen crashed www service on my ARM-based device as well. Already sent supout.rif to support a few days ago. I'm waiting for any response (other thant automated response text). During crash, that service consumes 100% of CPU which is not a huge problem on my hAP ac2 with 4 CPU cores.

I'm not sure if www service crashes also on MIPSBE devices as it seems to happen only when service is in use and I've yet to use WebFig on MIPSBE devices. I'll try to avoid that as 100% CPU usage on single-core device could cause all other functions (such as routing) performance drop to nothing.

hknet · Fri Aug 24, 2018 10:23 am

Well you guys did want a security blog and more awareness. Now you complain that the issues are not serious enough We will try to find a balance.
I hope you understand that when you post a new version AND update the bugfix version at the same time, mentioning 4 security issues that have no description, the users get a bit nervous and assume that an update is urgently required.
I asked for the attack surface, you could have replied "issues in the webserver exploitable by authenticated users" and I would have known that it is not urgent for me to update, and I could have waited until more details became known.
But as the issue was completely unknown and it could well have been in ISAKMP, SSTP, PPP or whatever, I decided to work overtime to update everything.

So indeed it would be welcome when it was a little more clear what is going on.

I stand with pe1chl

vecernik87 · Fri Aug 24, 2018 11:15 am

Well you guys did want a security blog and more awareness. Now you complain that the issues are not serious enough We will try to find a balance.

Normis, don't let them annoy you. This is great progress! And I really love that we finally got CVE numbers!

rushlife · Fri Aug 24, 2018 1:32 pm

@rushlife: Thank you for the scripts!

noproblemo

diode · Fri Aug 24, 2018 4:36 pm

lhg 60 have a fixed rssi now, its not changing anymore. that's ok for already mounted aligned links, but it will make mounting new links more complicated. its obviously only measured once shortly after connecting.

the fluktuations are 6.42.6, the line is 6.42.7. the single movement was a reconnect. link ist 1514 m distance, but same thing with shorter links

Unbenannt.PNG

pe1chl · Fri Aug 24, 2018 9:15 pm

It looks like the default routerboot boot mode has changed from "nand if fail then ethernet" to "try-ethernet-once-then-nand".
This wasn't mentioned in the release note. However, I think it is a good idea, I already set difficult-to-access devices that way.
Advantage: you can netinstall a device by powercycling it while connected to a computer with running netinstall, without having to fiddle with the button.
(which can be very tricky when the device is mounted on a tower)

td32 · Fri Aug 24, 2018 9:51 pm

It looks like the default routerboot boot mode has changed from "nand if fail then ethernet" to "try-ethernet-once-then-nand".
This wasn't mentioned in the release note. However, I think it is a good idea, I already set difficult-to-access devices that way.
Advantage: you can netinstall a device by powercycling it while connected to a computer with running netinstall, without having to fiddle with the button.
(which can be very tricky when the device is mounted on a tower)

Finally, thats good to know

nidhish · Fri Aug 24, 2018 10:19 pm

I am trying to reset a 532a router board back to factory so I can access it. They recomended using netinstall so I am. However every time I try I am getting an error. bind tftp general failed: Only one usage of each socket address ( protocol/network address/port) is normally permitted (10048). Please advise what I can do to resolve this error

pe1chl · Fri Aug 24, 2018 10:31 pm

1. please don't put questions not related to a specific release into the release topic
2. make sure you use a simple computer without lots of other programs on it, and make sure you are administrator.

mahmoud3dmax · Fri Aug 24, 2018 10:41 pm

how fix this please help me !

mahmoud3dmax · Fri Aug 24, 2018 10:46 pm

RouterOS version 6.42.7 has been released in public "current" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.42.7 (2018-Aug-17 09:48):

MAJOR CHANGES IN v6.42.7:
----------------------
!) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;
----------------------

*) bridge - improved bridge port state changing process;
*) crs326/crs328 - fixed untagged packet forwarding through tagged ports when pvid=1;
*) crs3xx - added command that forces fan detection on fan-equipped devices;
*) crs3xx - fixed port disable on CRS326 and CRS328 devices;
*) crs3xx - fixed tagged packet forwarding without VLAN filtering (introduced in 6.42.6);
*) crs3xx - fixed VLAN filtering when there is no tagged interface specified;
*) dhcpv4-relay - fixed false invalid flag presence;
*) dhcpv6-client - allow to set "default-route-distance";
*) dhcpv6 - improved reliability on IPv6 DHCP services;
*) dhcpv6-server - properly update interface for dynamic DHCPv6 servers;
*) ethernet - improved large packet handling on ARM devices with wireless;
*) ethernet - removed obsolete slave flag from "/interface vlan" menu;
*) ipsec - fixed "sa-src-address" deduction from "src-address" in tunnel mode;
*) ipsec - improved invalid policy handling when a valid policy is uninstalled;
*) ldp - properly load LDP configuration;
*) led - fixed default LED configuration for RBLHGG-5acD-XL devices;
*) lte - added signal readings under "/interface lte scan" for 3G and GSM modes;
*) lte - fixed memory leak on USB disconnect;
*) lte - fixed SMS send feature when not in LTE network;
*) package - do not allow to install out of bundle package if it already exists within bundle;
*) ppp - fixed interface enabling after a while if none of them where active;
*) sfp - hide "sfp-wavelength" parameter for RJ45 transceivers;
*) tr069-client - fixed unresponsive tr069 service when blackhole route is present;
*) upgrade - fixed RouterOS upgrade process from RouterOS v5;
*) userman - fixed compatibility with PayPal TLS 1.2;
*) vrrp - fixed VRRP packet processing on VirtualBox and VMWare hypervisors;
*) w60g - added distance measurement feature;
*) w60g - fixed random disconnects;
*) w60g - general stability and performance improvements;
*) w60g - improved MCS rate detection process;
*) w60g - improved MTU change handling;
*) w60g - properly close connection with station on disconnect;
*) w60g - stop doing distance measurements after first successful measurement;
*) winbox - added "secondary-channel" setting to wireless interface if 80 MHz mode is selected;
*) winbox - fixed "sfp-connector-type" value presence under "Interface/Ethernet";
*) winbox - fixed warning presence for "IP/IPsec/Peers" menu;
*) winbox - properly display all flags for bridge host entries;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that has such feature;
*) wireless - added option to disable PMKID for WPA2;
*) wireless - fixed memory leak when performing wireless scan on ARM;
*) wireless - fixed packet processing after removing wireless interface from CAP settings;
*) wireless - updated "united-states" regulatory domain information;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this concrete RouterOS release.

If you router has a storage issue (not enough space due to RouterOS, not by other files stored on the device), use package from this link:
https://www.mikrotik.com/download/share/fix_space.npk
- upload package to your router;
- run /system reboot

Other affected installations will be fixed automatically, if there is enough space left for an upgrade by this fix:
"package - free up used storage space consumed by old RouterOS upgrades"

how fix this please help me !

razavim · Fri Aug 24, 2018 11:36 pm

Just upgraded my 2011 and Hap AC Lite and (X86) all were so far so good.

Pea · Fri Aug 24, 2018 11:38 pm

how fix this please help me !

1. Please don't put questions not related to a specific release into the release topic
2. You are killing your router by Sector Writes, maybe logging on disc? Check your config, stop it!

3. You can try netinstall, helped me to recover bad blocks, just give it a try

Cha0s · Sat Aug 25, 2018 1:59 pm

I noticed that interface "last link up/down times" are in the future.

interface up-down wrong time.png

modrus · Sat Aug 25, 2018 2:41 pm

Hello,

I have a big problem for me. I wanted to update RouterOS to v 6.42.7 but without success. Now I have disable Wireless module and my AP's are broken because my CAPsMAN is off.
If I want to enable a Wireless module nothing will hapend after restart

Can you help me?

Thank's

Update.png

xvo · Sat Aug 25, 2018 2:57 pm

Hello,

I have a big problem for me. I wanted to update RouterOS to v 6.42.7 but without success. Now I have disable Wireless module and my AP's are broken because my CAPsMAN is off.
If I want to enable a Wireless module nothing will hapend after restart

Can you help me?

Thank's

Update.png

That's the reason:

*) package - do not allow to install out of bundle package if it already exists within bundle;

Try removing the duplicate package.

modrus · Sat Aug 25, 2018 3:09 pm

Yes, I tried it as first. But after restart is still Wireless package on it

xvo · Sat Aug 25, 2018 3:38 pm

Yes, I tried it as first. But after restart is still Wireless package on it

Looks like netinstall is the only solution:
viewtopic.php?f=1&t=133352&p=655190

CsXen · Sat Aug 25, 2018 6:11 pm

I am trying to reset a 532a router board back to factory so I can access it. They recomended using netinstall so I am. However every time I try I am getting an error. bind tftp general failed: Please advise what I can do to resolve this error

Try it with a very old netinstall, which has been released before EOL declared on MIPSLE branch, about at version 5.26.

Best regards: CsXen

(sorry for offtopic)

modrus · Sat Aug 25, 2018 11:03 pm

Yes, I tried it as first. But after restart is still Wireless package on it
Looks like netinstall is the only solution:
viewtopic.php?f=1&t=133352&p=655190

Thank you @xvo. I used Netinstall and now is my RB1100AH ready

djerodrigues · Sun Aug 26, 2018 4:46 am

Hello!

Upgraded my "wAP LTE kit" (RBwAPR-2nD&R11e-LTE) from v6.42.6, and the LTE stopped working!
The interface is up, and the "Status" information seems to be ok like before, however no traffic nor acquiring external IP address.
Downgraded to v6.42.6 and everything is working fine again!

Best Regards

lenciso · Sun Aug 26, 2018 5:34 am

I just updated another router mikrotik RB3011 to version 6.42.7 and at the moment of login with an account that uses a template with webfig the web service drops and the CPU rises

https://www.youtube.com/watch?v=CXJ-n0YrHhs

I sent the file supout.rif a few days ago with the same problem in an RB1100 router

Zavi · Sun Aug 26, 2018 11:53 am

I noticed that interface "last link up/down times" are in the future.

I have the same problem, noticed on 6.42.6 version. Seems to be only Winbox problem, in console and WebFig it's correct.

linktime.png

Kerbia · Mon Aug 27, 2018 4:31 am

I have port flapping issues on hap ac². Anyone else?

giannici · Mon Aug 27, 2018 12:06 pm

Webserver Crashed
Telnet service crashed.
I confirm this.
I can confirm this also.

Webserver crashed to us too!

manbot · Mon Aug 27, 2018 12:30 pm

I have completely out of Internet connectivity (lte1 status running, but greyed) on wAP LTE kit.
The same issue is on 6.43rc64

Downgrading to 6.40.9 is solution for this.

nostromog · Mon Aug 27, 2018 2:24 pm

I upgraded during the weekend 1 hap ac (from 6.42.6) and 1 751G-2HnD (from 6.42.5 firmware 6.42.4, as I had forgotten one reboot). No problem in any of both.

In both I changed to "disable-pmkid=yes". No problem with wifi has been reported (and I warned the people in advance).

Mon Aug 27, 2018 4:38 pm

We have found out that sometimes the R11e-LTE modems fail to get an IP address in 3G mode using RouterOS v6.42.7 - we will fix this problem in the next RC and then push that change to the Current release.

xicu · Mon Aug 27, 2018 5:51 pm

We have found out that sometimes the R11e-LTE modems fail to get an IP address in 3G mode using RouterOS v6.42.7 - we will fix this problem in the next RC and then push that change to the Current release.

Thanks Uldis I wait because we find the same problem when I've upgraded from 6.42.3 to 6.42.7,

eworm · Mon Aug 27, 2018 5:54 pm

We have found out that sometimes the R11e-LTE modems fail to get an IP address in 3G mode using RouterOS v6.42.7 - we will fix this problem in the next RC and then push that change to the Current release.
Thanks Uldis I wait because we find the same problem when I've upgraded from 6.42.3 to 6.42.7,

That's great news! It happens seldom, but I saw this myself several times. As I had no clue how to reproduce I did not yet mail the support.

mahmoud3dmax · Mon Aug 27, 2018 10:46 pm

how fix this please help me !

Pea · Tue Aug 28, 2018 1:38 am

Just start reading!

[time=1535139686 user_id=118648]
how fix this please help me !
1. Please don't put questions not related to a specific release into the release topic, make new topic!
2. You are killing your router by Sector Writes, maybe logging on disc? Check your config, stop it!

texmeshtexas · Tue Aug 28, 2018 10:03 pm

6.42.7 BGP problem

we have 6.42.7 updated this morning.
I'm noticing that our BGP blackhole peer with our upstream is not sending withdrawal from the network list like it used to.

anyone else have issues with this?

105547111 · Wed Aug 29, 2018 12:58 am

We have found out that sometimes the R11e-LTE modems fail to get an IP address in 3G mode using RouterOS v6.42.7 - we will fix this problem in the next RC and then push that change to the Current release.

I found same issue on ccr1016-12G, very intermittent..

105547111 · Wed Aug 29, 2018 1:02 am

6.42.7 BGP problem

we have 6.42.7 updated this morning.
I'm noticing that our BGP blackhole peer with our upstream is not sending withdrawal from the network list like it used to.

anyone else have issues with this?

Not for me .My BGP blackholes in both ipv4 and ipv6 are sending out withdrawals and ends are receiving withdrawals.

dg1kwa · Wed Aug 29, 2018 3:44 pm

RB3011 upgrade and IPSEC brocken

emils · Wed Aug 29, 2018 3:49 pm

We are aware of a specific IPsec issue caused by the new improved policy handling in 6.42.7. A fix is already available in the latest release candidate version and will be included in the next current version as well. Very sorry for inconvenience.

dg1kwa · Wed Aug 29, 2018 4:04 pm

We are aware of a specific IPsec issue caused by the new improved policy handling in 6.42.7. A fix is already available in the latest release candidate version and will be included in the next current version as well. Very sorry for inconvenience.

Thank you for information, but I not understand why this not tested before a release published!?

sindy · Wed Aug 29, 2018 4:29 pm

I'd assume that the reason is that it only happens in a specific scenario which has not been encountered during the tests.

cthil · Wed Aug 29, 2018 5:36 pm

HTTP interface (with SSL) is also broken on RB3011. After rebooting, the interface dies again after a few minutes. Sometimes it causes high CPU load.

kayu · Thu Aug 30, 2018 6:48 am

Upgrade v6.40.x to v6.42.7 and can't login into system (via ssh, winbox). But CHR work done. Why unmanaged?

Thu Aug 30, 2018 9:06 am

Have you tried to use WinBox with MAC connection?

kayu · Thu Aug 30, 2018 9:45 am

Have you tried to use WinBox with MAC connection?

Yes, get ERROR: wrong username or password.

notToNew · Thu Aug 30, 2018 10:05 am

Just type in again the password, don't use the saves password.

kayu · Thu Aug 30, 2018 10:09 am

Just type in again the password, don't use the saves password.

No saves password, only type.

ssbaksa · Fri Aug 31, 2018 9:06 am

Upgrade v6.40.x to v6.42.7 and can't login into system (via ssh, winbox). But CHR work done. Why unmanaged?

Just curious. Which version of Winbox do you use?
I have used older version with new firmware once and something like that happened to me.
SSH is always disabled on my routers so I didn't even try that.

Br
Sasa

ivan98 · Tue Sep 04, 2018 5:11 am

I've a home setup with CCR1009 router, CRS125-24G switch and access points HAP AC 962UiGS & RB951G. Running CAPsMAN with controller at the CCR.

All devices on 6.42 firmware until I upgrade them to 6.42.7, at around 4pm 02 Sep. No other config change were made.

From my grafana graph, you can clearly see the transition before and after 4pm 02 Sep - my Apple devices' RX/TX rates seems capped around 300Mbps, while my sole Xiaomi phone seems not affected at below 500Mbps.

mikrotik1.png

XeviMB · Tue Sep 04, 2018 12:41 pm

Hello,

The same thing happens to Kayu. Since I upgraded to v6.42.7 I can not access the routers, it indicates an incorrect username or password ...

I think the problem is for the admin user ... in some routers I only had this user configured and now I can not enter

Mikrotik any solution?

Thanks in advance

zyzelis · Tue Sep 04, 2018 1:08 pm

Hello,

The same thing happens to Kayu. Since I upgraded to v6.42.7 I can not access the routers, it indicates an incorrect username or password ...

I think the problem is for the admin user ... in some routers I only had this user configured and now I can not enter

Mikrotik any solution?

Thanks in advance

Upgrade your winbox to latest

XeviMB · Tue Sep 04, 2018 4:13 pm

I have updated the wimbox to the latest version and it still fails

Thanks

MDE · Tue Sep 04, 2018 5:19 pm

I have updated the wimbox to the latest version and it still fails

Thanks

Have you cleared the cache?

Sent from my VTR-L29 using Tapatalk

sindy · Tue Sep 04, 2018 5:37 pm

He's got problems even to log in using ssh so it doesn't seem to be a Winbox-related issue.

@kayu, @XeviMB, it takes time for the ssh to generate a new key on the very first login attempt, and maybe a new one is generated after upgrade, so if you have tried to log in using ssh only once, try again now after some time has elapsed. But it is just a wild guess.

jenechka · Wed Sep 05, 2018 5:59 am

Hi, everybody
the firmware itself was updated to 6.42.7
the services included api and DNS registered 8.8.8.8 instead of provider ...
I got busted? or someone had a similar

XeviMB · Wed Sep 05, 2018 5:26 pm

He's got problems even to log in using ssh so it doesn't seem to be a Winbox-related issue.

@kayu, @XeviMB, it takes time for the ssh to generate a new key on the very first login attempt, and maybe a new one is generated after upgrade, so if you have tried to log in using ssh only once, try again now after some time has elapsed. But it is just a wild guess.

I can not enter by ssh...

It only happens to me in those routers that I have updated to v 6.42.7 and only have the admin user created

Mikrotik??

Swordforthelord · Fri Sep 07, 2018 5:19 pm

I have port flapping issues on hap ac². Anyone else?

I have an RB750Gr3 in the field running 6.42.7 and ports 1 and 3 keep going up and down.

Jotne · Fri Sep 07, 2018 11:32 pm

Did you have problem with other version than 6.42.7
Can you try a clean install and see if port goes up/down?

rjj · Sat Sep 08, 2018 12:50 am

Hi guys,

I´ve tried remote upgrade into controlled environment (via package menu) on Ccr1009-8g-1s-1s+ from V6.28 to V6.42.7 and lost connectivity so something went bad.
The screen upgrade showed image dowloaded and it was rebooting after that nothing more and I can´t reconnect over VPN.
I´ll going to check on-site. Please any ideas?

Tks

pe1chl · Sat Sep 08, 2018 12:52 am

I´ve tried remote upgrade into controlled environment (via package menu) on Ccr1009-8g-1s-1s+ from V6.28 to V6.42.7 and lost connectivity so something went bad.
The screen upgrade showed image dowloaded and it was rebooting after that something more.
I´ll going to check on-site. Please any ideas?

You have made a too-big version upgrade, you should have installed some intermediate versions.

rjj · Sat Sep 08, 2018 1:01 am

I´ve tried remote upgrade into controlled environment (via package menu) on Ccr1009-8g-1s-1s+ from V6.28 to V6.42.7 and lost connectivity so something went bad.
The screen upgrade showed image dowloaded and it was rebooting after that something more.
I´ll going to check on-site. Please any ideas?
You have made a too-big version upgrade, you should have installed some intermediate versions.

Thank you for your fast replay! I´ve checked RN and the community and see nothing related minimum version that is because I proceed. The best I found is here below.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

The system should reboot back to previous version? Also, what I can do there --> Reboot? Reinstall version? Reset the entire box?
What should be the GOLD steps in order to recovery as fast we can and upgrade this in safe mode?
Should I upgrade the mother-board too? Before or after de system upgrade?

pe1chl · Sat Sep 08, 2018 1:35 am

By now the only thing you likely can do is netinstall and reconfigure.
You COULD have repartitioned the device into 2 partitions and copy the old version so you could revert back
But that is too late now.

rjj · Sat Sep 08, 2018 2:19 am

By now the only thing you likely can do is netinstall and reconfigure.
You COULD have repartitioned the device into 2 partitions and copy the old version so you could revert back
But that is too late now.

Tks for your support here!
To be honest here I´m frustrated due I never saw a software upgrade crash the entire system it doesn´t make any sense nowadays.
Also, netinstall as unique option who requests a entire new deploymment...it´s frustrating... Of course I´m going to use config backups but it should never damage and crash the ENTIRE system like this.
I was looking for some other paths before appeal for something radical. Netconfig is limitted due it´s mandatory Windows PC and we use only Macbooks so another issue here.
I would recommend someone update ASAP the RN/upgrade notes informing minimumm supported versions upgrades.
Please, do you know what´s the minimum supported version in order to go to v6.42.7?
Also please who knows about mother-board upgrade X system upgrade? Any docs?
Thanks for your attention I really appreciate!

ac6529 · Sat Sep 08, 2018 1:17 pm

Netconfig is limitted due it´s mandatory Windows PC and we use only Macbooks so another issue here.

If it's any help, I have succeeded doing a couple of netinstalls using Windows running in a virtual machine on a Mac.
So basically you could take a trial of VMware, install W10 in it as a trial, recover your router and then get rid of the hypervisor and windows without spending a dime.

rjj · Sat Sep 08, 2018 2:18 pm

Netconfig is limitted due it´s mandatory Windows PC and we use only Macbooks so another issue here.
If it's any help, I have succeeded doing a couple of netinstalls using Windows running in a virtual machine on a Mac.
So basically you could take a trial of VMware, install W10 in it as a trial, recover your router and then get rid of the hypervisor and windows without spending a dime.

Yes, make sense thank you for your contribution. The vendor should take care about this and create easily paths to do things. In this case I need to install Virtual environment + install entire OS just to be compliance to a limited netconfig..it doesn´t make any sense nowadays. Someone from the vendor (engineeer and product managers) must be reviewing that.
All of this is because there is a poor docs/new releases infos missing minimum or tested software version upgrade and also there is SPOF during upgrading process where the entire systems CRASH. Many others vendors roll-back automatically to previous version and at least give a console warning message please upgrade to x before that. It´s basic!
Anyway, thanks for your hint here!

pe1chl · Sat Sep 08, 2018 5:46 pm

Many others vendors roll-back automatically to previous version and at least give a console warning message please upgrade to x before that. It´s basic!

As I already wrote, you could have had that! But on MikroTik it is a user-decision to yield half of the fash capacity to have version rollback.
See this: https://wiki.mikrotik.com/wiki/Manual:Partitions

In short: click on partition, select repartition, set number of partitions to 2.
The router will reboot and now instead of 128MB you will have 64MB of flash.
Go back to partition, select a partition and then "copy to", select the other partition.
Now you do your upgrade. When the router fails to boot, it will try boot from the other partition and you are back
in your old version, which you can copy again to try something else.

Apparently most users do not know that, and it is becoming less interesting as all new low-end routers do not have enough flash space to do this.
However, for your CCR it still was and is an option. I use it on the two CCRs I manage and it already has saved me.

Jotne · Sun Sep 09, 2018 8:14 am

@rjj

If you does not like it the way MikroTik do it, you can always go for another vendor like Cisco.
But it would be at a much higher cost.

rjj · Sun Sep 09, 2018 1:51 pm

Many others vendors roll-back automatically to previous version and at least give a console warning message please upgrade to x before that. It´s basic!
As I already wrote, you could have had that! But on MikroTik it is a user-decision to yield half of the fash capacity to have version rollback.
See this: https://wiki.mikrotik.com/wiki/Manual:Partitions

In short: click on partition, select repartition, set number of partitions to 2.
The router will reboot and now instead of 128MB you will have 64MB of flash.
Go back to partition, select a partition and then "copy to", select the other partition.
Now you do your upgrade. When the router fails to boot, it will try boot from the other partition and you are back
in your old version, which you can copy again to try something else.

Apparently most users do not know that, and it is becoming less interesting as all new low-end routers do not have enough flash space to do this.
However, for your CCR it still was and is an option. I use it on the two CCRs I manage and it already has saved me.

Thanks for the tip and the link. It was crystal clear on your previous post even it's manually and limited to specific systems so I'm going to start and use when it's possible. From my point of view I highly recommend the vendor implement for all systems by default in order to avoid upgrades issues, downtimes, field hours and the most import eliminate the SPoF. It never should be a user decision in my opinion. Nowadays even 8 ports basic switchs support 2 images (primary-secondary) automatically managed. I really appreciate your time and tips! Tomorrow I'll be on-site fixing the issue.

rjj · Sun Sep 09, 2018 1:58 pm

@rjj

If you does not like it the way MikroTik do it, you can always go for another vendor like Cisco.
But it would be at a much higher cost.

I know my options so you don't need waste time to tell the obvious.
This is a serious reflection about troubleshooting, architecture and documentations.

K1w1user · Mon Sep 10, 2018 8:49 am

I just upgraded a new RB3011 from 6.40 to 6.42.7 and now find I can no longer ssh or winbox over a pptp link.

Confirmed by testing, then upgrading a second RB2011 from an older 6.3x to 6.42.7.

Torch shows inbound traffic but no outbound response.

Is this a new "security" measure?

Mark.

emils · Mon Sep 10, 2018 9:53 am

New version 6.43 has been released in current RouterOS channel:

viewtopic.php?f=21&t=138995