Thanks for including this fix.
*) ipsec - allow multiple peers to the same address with different local-address (introduced in v6.43);
I pointed out the same things.
Thanks for including this fix.
*) ipsec - allow multiple peers to the same address with different local-address (introduced in v6.43);
It works ok now!
This IPsec bug is still not fixed: viewtopic.php?f=2&t=136445
*) led - added "dark-mode" functionality
I noticed the same when updating RBD52G (hAP ac^2) from 6.42.3 to 6.42.5. Issue was reported to support in Ticket#2018062922002154. According to them, "The issue is caused by Graphing and Virtual Wireless interfaces which causes an interface loading delay when the router is booting up."
When updating from 6.43.2 to 6.43.4 one of my hAP ac2 logged this message (similar to message in this post after update to 6.43.4):
oct/19 00:10:46 script,warning DefConf gen: Unable to find wireless interface(s)
However all the configuration seems to be intact and this message is NOT logged on subsequent reboots.
Are you sure this is fixed? I just upgraded and am still having the same problem, at least with L2TP server. The binding is not being created.
*) dhcpv6-server - fixed dynamic binding addition on solicit when IA_PD does not contain prefix (introduced in v6.43);
*) dhcpv6-server - recreate DHCPv6 server binding if it is no longer within prefix pool when rebinding/renewing;
My RB912R-2nD-kit refuses to upgrade. After downloading and rebooting, 6.43.2 is still my OS.
Nothing in the logs.
I'm currently not at the same location to do a netinstall...
in my LDF I can not find the function....
*) led - added "dark-mode" functionality
Sunglasses not needed anymore?
Is not dark-mode function - is a functionality.
in my LDF I can not find the function....
*) led - added "dark-mode" functionality
Sunglasses not needed anymore?
tnx!
Is not dark-mode function - is a functionality.
in my LDF I can not find the function....
*) led - added "dark-mode" functionality
Sunglasses not needed anymore?
On some devices, you can close the LEDs using the command:
all-leds-off
Read here:
https://wiki.mikrotik.com/wiki/Manual:S ... ds_Setting
And here:
viewtopic.php?t=132379#p650277
Error may appear if default script generator is unable to find Ethernet interfaces within 30 seconds after boot. On x86 you shouldn't worry about failure at all, since generated default configuration is the same as fallback config (192.168.88.1 on ether1).
x86 upgrade will take a little bit longer and show following script error in log file, while Mikrotik devices not:
DefConf Gen: Unable to find ethernet interfaces
CCR1009, memory usage higher than normal and keeps increasing slowly when compared to 6.42.7, I am talking about 100MB+ difference, as I had a scheduled reboot so dunno if it is just higher memory usage or a leak.
Thanks for your feedback, I will try to reset it first.
CCR1009, memory usage higher than normal and keeps increasing slowly when compared to 6.42.7, I am talking about 100MB+ difference, as I had a scheduled reboot so dunno if it is just higher memory usage or a leak.
Upgraded our CCR1009s to 6.43.4 yesterday and no issues so far. In our case memory consumption even seems to be much better than before.
Running multiple BGP IXP peering sessions, route filters, vlans, bridges, ip firewall as well as receiving two BGP full feeds for IPv4 and v6.
It has always been like that. Changing comment on any interface brings that interface down and then back up.
When I set comment for PPTP client, it reconnects!
New feature?
Sorry, I didn't know it goes down when I change the comment until this update.
It has always been like that. Changing comment on any interface brings that interface down and then back up.
When I set comment for PPTP client, it reconnects!
New feature?
PS. The next time you post to a release topic please make sure you are reporting a problem that is specific to (was introduced in) this specific release. Thanks.
What do you mean? As far as I remember, VLAN has always had the same MAC address as its parent Ethernet interface.
MAC address leaked from VLAN to main interface (CCR1009, Hex r3), I have 2 bridges with the same MAC, it causes a packet loop due to the leak.
Nevermind - I was mistaken. When troubleshooting the issue with earlier 6.43.x versions I changed the client DHCPv6 interface b/c I wanted to see if the client could get a prefix from the server if not on a PPP interface type (to see if the problem only affected PPP tunnels), and forgot that I had changed the client setting.
mducharme - Can you provide more details about the problem that you have? Preferably over e-mail to support@mikrotik.com? Provide supout file from your DHCPv6 server and more details about the problem - which client was trying to connect and did not receive a prefix, was the exact same configuration working just fine on v6.42.x?
I mean all of the MAC addresses of the VLAN leak.
What do you mean? As far as I remember, VLAN has always had the same MAC address as its parent Ethernet interface.
MAC address leaked from VLAN to main interface (CCR1009, Hex r3), I have 2 bridges with the same MAC, it causes a packet loop due to the leak.
And, as always, you can freely change MAC address of bridge interface via "Admin MAC Address" property.
/queue simple add burst-limit=768k/0 burst-threshold=128k/0 burst-time=2s/0s max-limit=512k/2M name=Simple target=VLAN21,VLAN22,VLAN23,VLAN24
Thank you. I moved some rules and didn't notice that my FastTrack rule ended up above and it was FastTracking this traffic before it got to the forward rules.
So, it was working in previous versions and was broken in 6.43.4, right?
But by your description, it looks like you're using FastTrack. According to the docs, it skips Queues.
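The rule-order mistake described in the post above can be checked offline against an export. This is an added example, not part of the original thread and not MikroTik code: a Python check that reports simple queues whose target interfaces are not accepted in both directions ahead of the FastTrack rule. The sample export is constructed, and the check assumes queue targets are interface names and that the FastTrack rule itself carries no interface restriction.

```python
import re
import shlex

# Constructed sample (not from the thread): VLAN22 accepts sit below FastTrack.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=forward connection-state=established,related in-interface=VLAN21
add action=accept chain=forward connection-state=established,related out-interface=VLAN21
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related in-interface=VLAN22
add action=accept chain=forward connection-state=established,related out-interface=VLAN22
/queue simple
add max-limit=512k/2M name=Simple target=VLAN21,VLAN22
'''

def parse_export(text):
    """Return [(menu, {property: value})] for each 'add' line of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join "\" continuation lines
    menu, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps quoted comments in one token
            rules.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules

def queues_bypassed_by_fasttrack(text):
    """Map simple-queue name -> target interfaces not exempted from FastTrack."""
    rules = [(m, p) for m, p in parse_export(text) if p.get("disabled") != "yes"]
    fwd = [p for m, p in rules
           if m == "/ip firewall filter" and p.get("chain") == "forward"]
    ft = next((i for i, p in enumerate(fwd)
               if p.get("action") == "fasttrack-connection"), None)
    if ft is None:
        return {}  # nothing is fasttracked, queues see all traffic
    # Exempt = established traffic accepted in both directions before FastTrack.
    seen = {"in-interface": set(), "out-interface": set()}
    for p in fwd[:ft]:
        states = p.get("connection-state", "established")
        if p.get("action") == "accept" and "established" in states:
            for key in seen:
                if key in p:
                    seen[key].add(p[key])
    exempt = seen["in-interface"] & seen["out-interface"]
    report = {}
    for m, p in rules:
        if m == "/queue simple":
            hit = [t for t in p.get("target", "").split(",") if t and t not in exempt]
            if hit:
                report[p.get("name", "?")] = hit
    return report
```

On the constructed sample the result is `{"Simple": ["VLAN22"]}`: the VLAN22 accept rules are never reached by established traffic, so that part of the queue target is fasttracked past the queue.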
I believe it's because src-ip is selected in 'main' routing table, and mangle output is after routing decision (where src-ip is being selected) but before routing adjustment (where you can select new routing table but it's too late for changing src-ip).
pref-src in alternative routing table, in combination with output mangle routing do not set the correct output IP
Same here
RB2011 upgraded without problems, no issues so far.
It's not MikroTik problem. All websites I can find show GMT +03:00 for Volgograd today, even Google.
Hi
Europe/Volgograd time zone is incorrect. Should be GMT Offset +04:00 from October 28
This Volgograd change was published in tzdata on 2018-10-18, it will probably take a long time to be updated on the servers.
It's not MikroTik problem. All websites I can find show GMT +03:00 for Volgograd today, even Google.
Hi
Europe/Volgograd time zone is incorrect. Should be GMT Offset +04:00 from October 28
If +04:00 is true, it needs to be fixed in TimeZone Database, not in applications.
https://www.timeserver.ru/cities/ru/volgograd
It's not MikroTik problem. All websites I can find show GMT +03:00 for Volgograd today, even Google.
Hi
Europe/Volgograd time zone is incorrect. Should be GMT Offset +04:00 from October 28
If +04:00 is true, it needs to be fixed in TimeZone Database, not in applications.
+1
hAP ac (962UiGS-5HacT2HnT), upgraded at Oct/17 with 6.43.4 build [Oct/17/2018 06:37:48]
after that get 8 reboots up today, that at boot leaves in LOG:
router was rebooted without proper shutdown by watchdog timer
there are no configuration changes, high loads
current firmware 6.43
what does that mean?
does not work
# nov/10/2018 14:29:33 by RouterOS 6.43.4
# software id = a98y-5s1n
#
# model = RouterBOARD 3011UiAS
/ip firewall filter
add action=accept chain=input comment="ACCEPT WinBox after knock" dst-port=\
8291 in-interface-list=WAN protocol=tcp src-address-list=KNOCK-SUCCESS
add action=jump chain=input comment="Check port knock (__1__)" icmp-options=\
8:0-255 jump-target=knock packet-size=!0-99 protocol=icmp
add action=return chain=knock comment="KNOCK FAILURE return (__2__)" \
src-address-list=KNOCK-FAILURE
add action=add-src-to-address-list address-list=KNOCK-SUCCESS \
address-list-timeout=1h chain=knock comment=\
"KNOCK 3rd - success 10 (__3__)" packet-size=10 src-address-list=\
KNOCK2
add action=return chain=knock comment="KNOCK 3rd - success return (__4__)" \
src-address-list=KNOCK-SUCCESS
add action=add-src-to-address-list address-list=KNOCK-FAILURE \
address-list-timeout=1m chain=knock comment=\
"KNOCK 3rd - failure (__5__)" src-address-list=KNOCK2
add action=return chain=knock comment="KNOCK 3rd - failure return (__6__)" \
src-address-list=KNOCK-FAILURE
add action=add-src-to-address-list address-list=KNOCK2 address-list-timeout=\
1m chain=knock comment="KNOCK 2nd - success 7 (__7__)" packet-size=7 \
src-address-list=KNOCK1
add action=return chain=knock comment="KNOCK 2nd - success return (__8__)" \
src-address-list=KNOCK2
add action=add-src-to-address-list address-list=KNOCK-FAILURE \
address-list-timeout=1m chain=knock comment=\
"KNOCK 2nd - failure (__9__)" src-address-list=KNOCK1
add action=return chain=knock comment="KNOCK 2nd - failure return (__10__)" \
src-address-list=KNOCK-FAILURE
add action=add-src-to-address-list address-list=KNOCK1 address-list-timeout=\
1m chain=knock comment="KNOCK 1st - success 10 (__11__)" packet-size=\
10
add action=return chain=knock comment="KNOCK 1st - success return (__12__)" \
src-address-list=KNOCK1
add action=add-src-to-address-list address-list=KNOCK-FAILURE \
address-list-timeout=1m chain=knock comment=\
"KNOCK 1st - failure (__13__)"
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment=\
"scanners-1 Port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment=\
"scanners-2 NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment="scanners-3 SYN/FIN scan" \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment="scanners-4 SYN/RST scan" \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment=\
"scanners-5 FIN/PSH/URG scan" protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment="scanners-6 ALL/ALL scan" \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment="scanners-7 NMAP NULL scan" \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="scanners-8 dropping port scanners" \
src-address-list=port_scanners
add action=drop chain=forward comment="scanners-9 dropping port scanners" \
src-address-list=port_scanners
add action=drop chain=input comment="Brute Forcers_winbox_black_list - 1" \
dst-port=8291 in-interface-list=WAN protocol=tcp src-address-list=\
black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=8h chain=input comment=\
"Brute Forcers_add_black_list - 2" connection-state=new dst-port=8291 \
in-interface-list=WAN protocol=tcp src-address-list=Winbox_Ssh_stage3
add action=add-src-to-address-list address-list=Winbox_Ssh_stage3 \
address-list-timeout=1m chain=input comment=\
"Brute Forcers_Ssh_stage3 - 3" connection-state=new dst-port=8291 \
in-interface-list=WAN protocol=tcp src-address-list=Winbox_Ssh_stage2
add action=add-src-to-address-list address-list=Winbox_Ssh_stage2 \
address-list-timeout=1m chain=input comment=\
"Brute Forcers_Ssh_stage2 - 4" connection-state=new dst-port=8291 \
in-interface-list=WAN protocol=tcp src-address-list=Winbox_Ssh_stage1
add action=add-src-to-address-list address-list=Winbox_Ssh_stage1 \
address-list-timeout=1m chain=input comment=\
"Brute Forcers_Ssh_stage1 - 5" connection-state=new dst-port=8291 \
in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface-list=\
WAN protocol=udp
add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface-list=\
WAN protocol=tcp
add action=drop chain=input comment="Block hole Windows - 1" dst-port=\
135,137-139,445,593,4444 protocol=tcp
add action=drop chain=forward comment="Block hole Windows - 2" dst-port=\
135,137-139,445,593,4444 protocol=tcp
add action=drop chain=input comment="Block hole Windows - 3" dst-port=\
135,137-139 protocol=udp
add action=drop chain=forward comment="Block hole Windows - 4" dst-port=\
135,137-139 protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=torrent dst-port=50000 \
in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="torrent UDP" dst-port=50000 \
in-interface-list=WAN protocol=udp
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
what does that mean?
does not work
can you ping NTP server? don't you block NTP packets in Firewall Filter?
> routing bgp peer print detail where name=AS_SOMEPEER
Flags: X - disabled, E - established
0 E name="AS_SOMEPEER" instance=default remote-address=x.x.x.x remote-as=12345 tcp-md5-key="xxx"
nexthop-choice=default multihop=no route-reflect=no hold-time=3m ttl=default max-prefix-limit=10
in-filter=ixp-peer-in out-filter=ixp-ixp-peer-out address-families=ip default-originate=never remove-private-as=no
as-override=no passive=no use-bfd=no
> routing filter print where chain=ixp-peer-in
Flags: X - disabled
0 ;;; ---- IXP Peer In ----
chain=ixp-peer-in prefix-length=16-24 address-family=ip invert-match=no action=accept set-bgp-local-pref=300
set-bgp-prepend-path=""
1 chain=ixp-peer-in address-family="" invert-match=no action=reject set-bgp-prepend-path=""
> ip route print detail where received-from=AS_SOMEPEER
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADb dst-address=x.x.x.x/19 gateway=x.x.x.x gateway-status=x.x.x.x reachable via sfp-sfpplus1 distance=20
scope=40 target-scope=10 bgp-as-path="12345" bgp-local-pref=300 bgp-med=0 bgp-origin=igp received-from=AS_SOMEPEER
1 ADb dst-address=x.x.x.x/32 gateway=x.x.x.x gateway-status=x.x.x.x reachable via sfp-sfpplus1 distance=20
scope=40 target-scope=10 bgp-as-path="12345" bgp-origin=igp received-from=AS_SOMEPEER
2 ADb dst-address=x.x.x.x/32 gateway=x.x.x.x gateway-status=x.x.x.x reachable via sfp-sfpplus1 distance=20
scope=40 target-scope=10 bgp-as-path="12345" bgp-origin=igp received-from=AS_SOMEPEER
3 ADb dst-address=x.x.x/22 gateway=x.x.x.x gateway-status=x.x.x.x reachable via sfp-sfpplus1 distance=20
scope=40 target-scope=10 bgp-as-path="12345" bgp-local-pref=300 bgp-origin=igp received-from=AS_SOMEPEER
I think the address-family="" in your reject rule is probably causing it to not match anything.
Why are the /32 routes installed and active? Seems like the prefix-length=16-24 filter attribute is handled incorrectly.
Already contacted MT support two days ago, no reply yet.
Already tried that, no difference. From my perspective a reject rule without any attributes (including address-family) should always reject everything.
I think the address-family="" in your reject rule is probably causing it to not match anything.
address-family="" on the reject rule would only reject routes where address-family = NULL, which should never be true.
Already tried that, no difference. From my perspective a reject rule without any attributes (including address-family) should always reject everything.
If you want it to reject any address family you need !address-family instead of address-family=""
> add chain=test action=reject
> print where chain=test
Flags: X - disabled
0 chain=test invert-match=no action=reject set-bgp-prepend-path=""
When I create a new routing filter rule on my home router (running 6.43.4) it does not have those added for every newly created rule by default. I'm not sure how you are getting those on newly created rules by default, unless you are creating them by copying existing rules.
Additionally invert-match=no (default) and set-bgp-prepend-path="" (default) are also added for every newly created rule by default
@Grvuser: Which version did you upgrade from? There have been several changes recently which affect the way Winbox communicates and it is recommended to use the newest Winbox (currently 3.18) to avoid issues when logging in. Invalid username/password is one of the typical issues which happen on older Winbox versions under some circumstances.
Just updated to this SW release, and I am unable to connect to Groove. It keeps giving me an invalid username and password. Tried resetting a couple of times, but it doesn't seem to reset at all. It connects to the setup network right away. Any help would be appreciated to connect back to Groove.
@tevolo: How many dhcp-servers do you have on each router and how many users per one dhcp-server? If you have any update about this issue, please share it. What are other "many issues"? Is there anything else except dhcp-server issues?
We have experienced many issues with 6.43.4 and losing the DHCP server functionality.