v6.45.1 [stable] is released!

emils · Mon Jul 01, 2019 10:11 am

RouterOS version 6.45.1 has been released in public "stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45.1 (2019-Jun-27 10:23):

Important note!!!
Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.
Old API authentication method will also no longer work, see documentation for new login procedure:
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

MAJOR CHANGES IN v6.45.1:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
!) security - fixed vulnerabilities CVE-2018-1157, CVE-2018-1158;
!) security - fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479;
!) security - fixed vulnerability CVE-2019-13074;
!) user - removed insecure password storage;
----------------------

Changes in this release:

*) bridge - correctly display bridge FastPath status when vlan-filtering or dhcp-snooping is used;
*) bridge - correctly handle bridge host table;
*) bridge - fixed log message when hardware offloading is being enabled;
*) bridge - improved stability when receiving traffic over USB modem with bridge firewall enabled;
*) capsman - fixed CAP system upgrading process for MMIPS;
*) capsman - fixed interface-list usage in access list;
*) ccr - improved packet processing after overloading interface;
*) certificate - added "key-type" field;
*) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1);
*) certificate - fixed self signed CA certificate handling by SCEP client;
*) certificate - made RAM the default CRL storage location;
*) certificate - removed DSA (D) flag;
*) certificate - removed "set-ca-passphrase" parameter;
*) chr - legacy adapters require "disable-running-check=yes" to be set;
*) cloud - added "replace" parameter for backup "upload-file" command;
*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
*) conntrack - significant stability and performance improvements;
*) crs317 - fixed known multicast flooding to the CPU;
*) crs3xx - added ethernet tx-drop counter;
*) crs3xx - correctly display auto-negotiation information for SFP/SFP+ interfaces in 1Gbps rate;
*) crs3xx - fixed auto negotiation when 2-pair twisted cable is used (downshift feature);
*) crs3xx - fixed "tx-drop" counter;
*) crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305;
*) defconf - added "custom-script" field that prints custom configuration installed by Netinstall;
*) defconf - automatically set "installation" parameter for outdoor devices;
*) defconf - changed default configuration type to AP for cAP series devices;
*) defconf - fixed channel width selection for RU locked devices;
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcp - do not require lease and binding to have the same configuration for dual-stack queues;
*) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues;
*) dhcpv4-server - added "client-mac-limit" parameter;
*) dhcpv4-server - added IP conflict logging;
*) dhcpv4-server - added RADIUS accounting support with queue based statistics;
*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);
*) dhcpv4-server - improved stability when performing "check-status" command;
*) dhcpv4-server - replaced "busy" lease status with "conflict" and "declined";
*) dhcpv6-client - added option to disable rapid-commit;
*) dhcpv6-client - fixed status update when leaving "bound" state;
*) dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time";
*) dhcpv6-server - added "address-list" support for bindings;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters;
*) dhcpv6-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "route-distance" parameter;
*) dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server;
*) dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS;
*) discovery - correctly create neighbors from VLAN tagged discovery messages;
*) discovery - fixed CDP packets not including address on slave ports (introduced in v6.44);
*) discovery - improved neighbour's MAC address detection;
*) discovery - limit max neighbour count per interface based on total RAM memory;
*) discovery - show neighbors on actual mesh ports;
*) e-mail - include "message-id" identification field in e-mail header;
*) e-mail - properly release e-mail sending session if the server's domain name can not be resolved;
*) ethernet - added support for 25Gbps and 40Gbps rates;
*) ethernet - fixed running (R) flag not present on x86 interfaces and CHR legacy adapters;
*) ethernet - increased loop warning threshold to 5 packets per second;
*) fetch - added SFTP support;
*) fetch - improved user policy lookup;
*) firewall - fixed fragmented packet processing when only RAW firewall is configured;
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;
*) gps - fixed missing minus close to zero coordinates in dd format;
*) gps - make sure "direction" parameter is upper case;
*) gps - strip unnecessary trailing characters from "longtitude" and "latitude" values;
*) gps - use "serial0" as default port on LtAP mini;
*) hotspot - added "interface-mac" variable to HTML pages;
*) hotspot - moved "title" HTML tag after "meta" tags;
*) ike1 - adjusted debug packet logging topics;
*) ike2 - added support for ECDSA certificate authentication (rfc4754);
*) ike2 - added support for IKE SA rekeying for initiator;
*) ike2 - do not send "User-Name" attribute to RADIUS server if not provided;
*) ike2 - improved certificate verification when multiple CA certificates received from responder;
*) ike2 - improved child SA rekeying process;
*) ike2 - improved XAuth identity conversion on upgrade;
*) ike2 - prefer SAN instead of DN from certificate for ID payload;
*) ippool - improved logging for IPv6 Pool when prefix is already in use;
*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity;
*) ipsec - added "ph2-total" counter to "active-peers" menu;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
*) ipsec - added traffic statistics to "active-peers" menu;
*) ipsec - disallow setting "src-address" and "dst-address" for transport mode policies;
*) ipsec - do not allow adding identity to a dynamic peer;
*) ipsec - fixed policies becoming invalid after changing priority;
*) ipsec - general improvements in policy handling;
*) ipsec - properly drop already established tunnel when address change detected;
*) ipsec - renamed "remote-peers" to "active-peers";
*) ipsec - renamed "rsa-signature" authentication method to "digital-signature";
*) ipsec - replaced policy SA address parameters with peer setting;
*) ipsec - use tunnel name for dynamic IPsec peer name;
*) ipv6 - improved system stability when receiving bogus packets;
*) ltap - renamed SIM slots "up" and "down" to "2" and "3";
*) lte - added initial support for Vodafone R216-Z;
*) lte - added passthrough interface subnet selection;
*) lte - added support for manual operator selection;
*) lte - allow setting empty APN;
*) lte - allow to specify URL for firmware upgrade "firmware-file" parameter;
*) lte - do not show error message for info commands that are not supported;
*) lte - fixed session reactivation on R11e-LTE in UMTS mode;
*) lte - improved firmware upgrade process;
*) lte - improved "info" command query;
*) lte - improved R11e-4G modem operation;
*) lte - renamed firmware upgrade "path" command to "firmware-file" (CLI only);
*) lte - show alphanumeric value for operator info;
*) lte - show correct firmware revision after firmware upgrade;
*) lte - use default APN name "internet" when not provided;
*) lte - use secondary DNS for DNS server configuration;
*) m33g - added support for additional Serial Console port on GPIO headers;
*) ospf - added support for link scope opaque LSAs (Type 9) for OSPFv2;
*) ospf - fixed opaque LSA type checking in OSPFv2;
*) ospf - improved "unknown" LSA handling in OSPFv3;
*) ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066);
*) ppp - added initial support for Quectel BG96;
*) proxy - increased minimal free RAM that can not be used for proxy services;
*) rb3011 - improved system stability when receiving bogus packets;
*) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);
*) rb921 - improved system stability ("/system routerboard upgrade" required);
*) routerboard - renamed 'sim' menu to 'modem';
*) sfp - fixed S-35LC20D transceiver DDMI readouts after reboot;
*) sms - added USSD message functionality under "/tool sms" (CLI only);
*) sms - allow specifying multiple "allowed-number" values;
*) sms - improved delivery report logging;
*) snmp - added "dot1dStpPortTable" OID;
*) snmp - added OID for neighbor "interface";
*) snmp - added "write-access" column to community print;
*) snmp - allow setting interface "adminStatus";
*) snmp - fixed "send-trap" not working when "trap-generators" does not contain "temp-exception";
*) snmp - fixed "send-trap" with multiple "trap-targets";
*) snmp - improved reliability on SNMP service packet validation;
*) snmp - properly return multicast and broadcast packet counters for IF-MIB OIDs;
*) ssh - accept remote forwarding requests with empty hostnames;
*) ssh - added new "ssh-exec" command for non-interactive command execution;
*) ssh - fixed non-interactive multiple command execution;
*) ssh - improved remote forwarding handling (introduced in v6.44.3);
*) ssh - improved session rekeying process on exchanged data size threshold;
*) ssh - keep host keys when resetting configuration with "keep-users=yes";
*) ssh - use correct user when "output-to-file" parameter is used;
*) sstp - improved stability when received traffic hits tarpit firewall;
*) supout - added IPv6 ND section to supout file;
*) supout - added "kid-control devices" section to supout file;
*) supout - added "pwr-line" section to supout file;
*) supout - changed IPv6 pool section to output detailed print;
*) switch - properly reapply settings after switch chip reset;
*) tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only);
*) tile - improved link fault detection on SFP+ ports;
*) tr069-client - added LTE CQI and IMSI parameter support;
*) tr069-client - fixed potential memory corruption;
*) tr069-client - improved error reporting with incorrect firware upgrade XML file;
*) traceroute - improved stability when sending large ping amounts;
*) traffic-generator - improved stability when stopping traffic generator;
*) tunnel - removed "local-address" requirement when "ipsec-secret" is used;
*) userman - added support for "Delegated-IPv6-Pool" and "DNS-Server-IPv6-Address" (CLI only);
*) w60g - do not show unused "dmg" parameter;
*) w60g - prefer AP with strongest signal when multiple APs with same SSID present;
*) w60g - show running frequency under "monitor" command;
*) winbox - added "System/SwOS" menu for all dual-boot devices;
*) winbox - do not allow setting "dns-lookup-interval" to "0";
*) winbox - show "LCD" menu only on boards that have LCD screen;
*) wireless - fixed frequency duplication in the frequency selection menu;
*) wireless - fixed incorrect IP header for RADIUS accounting packet;
*) wireless - improved 160MHz channel width stability on rb4011;
*) wireless - improved DFS radar detection when using non-ETSI regulated country;
*) wireless - improved installation mode selection for wireless outdoor equipment;
*) wireless - set default SSID and supplicant-identity the same as router's identity;
*) wireless - updated "china" regulatory domain information;
*) wireless - updated "new zealand" regulatory domain information;
*) www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473);

What's new in 6.45 (2019-Jun-21 09:00):

(factory only release)

What's new in 6.44.4 (2019-May-09 12:14):

(factory only release)

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this particular RouterOS release.

amt · Mon Jul 01, 2019 10:27 am

many thanks Mikrotik Team...

Kindis · Mon Jul 01, 2019 10:32 am

Wow 9 CVE fixed! Very nice will try this one on the test systems asap!

ErfanDL · Mon Jul 01, 2019 10:59 am

thanks for this Big Update!!! updated RB2011UiAS2HnD and RB951Ui and hAP Lite without any problem.

roe1974 · Mon Jul 01, 2019 11:14 am

found this in change log:

*) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);

how todo "wlan1 configuration reset required" ???

regards, Richard

freemannnn · Mon Jul 01, 2019 11:15 am

- cloud - added "replace" parameter for backup "upload-file" command;

what is the correct syntax to replace file? wiki is not updated yet.
please add backup and restore function in winbox.

Mon Jul 01, 2019 11:24 am

ros1974 - Command is "/interface wireless reset-configuration"
freemannnn - Here is an example "/system backup cloud upload-file action=create-and-upload replace=cloud-XXXXXXXX-XXXXXX password=123"

paulct · Mon Jul 01, 2019 11:32 am

*) ethernet - added support for 25Gbps and 40Gbps rates

soon, mmmm

ludvik · Mon Jul 01, 2019 11:34 am

What bug exactly is solved by: *) ccr - improved packet processing after overloading interface;
thanks

ndbjorne · Mon Jul 01, 2019 11:41 am

!) security - fixed vulnerabilities CVE-2018-1157, CVE-2018-1158;

https://blog.mikrotik.com/security/secu ... nable.html: All of the above issues are fixed in the following RouterOS releases: 6.42.7, 6.40.9, 6.43
Fixed again?

!) security - fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479;
!) security - fixed vulnerability CVE-2019-13074;
!) user - removed insecure password storage;
*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
*) ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066);
*) www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473);

When in the bugfix?

roe1974 · Mon Jul 01, 2019 12:08 pm

@strods
when i perfom a "/interface wireless reset-configuration" then all my wireless settings are gone?

I have same MAC adress on SFP+ and WLAN Interface 5G (QCA9984) ..... the 2.4GHz Interface has another MAC Adress.
The SFP+ Port is disabled, so do i need to do any changes/resets ?

regards, Richard

PS: can i only reset the config from WLAN 5G ?

grusu · Mon Jul 01, 2019 12:30 pm

You can try: /interface wireless reset-configuration wlanX where "wlanX" is your 5 GHz wlan interface.

roe1974 · Mon Jul 01, 2019 12:33 pm

wlanX is then the "name" of the interface ?

eworm · Mon Jul 01, 2019 12:36 pm

I have serve issues with all my IPSec responders. As far as I can tell about half of my IPSec initiator devices do not get addresses from mode-config.
Not sure about the details. Anybody else seen this?

Edit 1:
Initiator devices log:

ipsec,error MikroTik: bad state: 7

Edit 2:
Looking in /ip ipsec active-peers I noticed those missing dynamic-address also miss ph2-total.

roe1974 · Mon Jul 01, 2019 12:58 pm

new change for OVPN:
"ovpn - added "verify-server-certificate" parameter for OVPN client"

how ist he config line for the client ?

regards, Richard

pacman88 · Mon Jul 01, 2019 1:00 pm

does "improved switch chip allocation" fix the port flapping mentioned in this topic viewtopic.php?f=2&t=141633 ?

BR
Alex

Mon Jul 01, 2019 1:00 pm

@roe1974 Simple:
verify-server-certificate=yes

roe1974 · Mon Jul 01, 2019 1:04 pm

that's an config option for the client OVPN config file ??
there is notthing about here of such a config option:

https://openvpn.net/community-resources/how-to/

or is this an option to be set at the OVPN Server on the mikrotik router ?

regards Richard

Mon Jul 01, 2019 1:06 pm

That is an option for RouterOS OVPN clients, for which this exact change apply. It has nothing to do with non-RouterOS OVPN client.

kobuki · Mon Jul 01, 2019 1:36 pm

Will CVE fixes get into the 6.43 LTS version?

nmt1900 · Mon Jul 01, 2019 1:40 pm

Upgrade 6.44.3 -> 6.45.1

ARP in reply-only mode was used and static ARP entries had to be removed and added back to regain L3 access to other Mikrotik devices on the network (static IP addresses and these same static ARP entries).

RB750Gr3

raystream · Mon Jul 01, 2019 2:04 pm

Upgrade 6.44.3 -> 6.45.1

on my hAP ac lite and on RB2011iL all went fine.

but i have a problem with my RB3011.
I can not login anymore with winbox ("wrong username or password").
All other services are disabled so only connection with winbox possible.

Chupaka · Mon Jul 01, 2019 2:06 pm

WinBox version?

Mon Jul 01, 2019 2:06 pm

What winbox version?

raystream · Mon Jul 01, 2019 2:09 pm

actual winbox version 3.18

i connected with that winbox version to start the upgrade and after the upgrade the failure happens

grusu · Mon Jul 01, 2019 2:15 pm

wlanX is then the "name" of the interface ?

Yes. In my case wlan 5GHz interface is called "wlan5":

wlan.PNG

raystream · Mon Jul 01, 2019 2:21 pm

i have found the failure.
connecting with the android app over vpn (i am not at home) is fine.
connecting with winbox from my windows laptop over vpn is fone too.

only winbox running with wine on my macbook shows this failure
and after deleting the cache in winbox it connects again on my macbook

nichky · Mon Jul 01, 2019 2:34 pm

i upgrade my RB433AH after that...i couldn't access with current user and password and with admin????

LetMeRepair · Mon Jul 01, 2019 2:40 pm

Same here, hAP ac² ...upgrade from 6.43.2 to 6.45.1 .. .wrong username/password!!

EDIT: clearing Winbox cache (regular Windows 10 / 1903 ) solved issue. Phewww ... that was close.

proximus · Mon Jul 01, 2019 2:42 pm

i upgrade my RB433AH after that...i couldn't access with current user and password and with admin????

.
My observation is that after a reboot, the first login attempt fails ... subsequent logins are successful. This behavior has been reproducible after every reboot, of the single device I'm testing on (hAP Lite).

nichky · Mon Jul 01, 2019 2:46 pm

it is my remote site!!!!!
any bug make sense....this one...hhhhhh

matiaszon · Mon Jul 01, 2019 2:51 pm

After swtiching from 6.43.16 to 6.54.1 I am not able to use my LTE connection. My main router (RB2011) is getting an IP from BaseBox2 + R11e-LTE (passthorugh, using only Band 3, T-Mobile Poland). Modem shows status connected and everything seems to be OK. However, there is no traffic coming through LTE modem. I have upgraded Routerbord too and it hasn't helped. After coming back to 6.43.16 it works fine again.

Cha0s · Mon Jul 01, 2019 2:55 pm

i upgrade my RB433AH after that...i couldn't access with current user and password and with admin????
.
My observation is that after a reboot, the first login attempt fails ... subsequent logins are successful. This behavior has been reproducible after every reboot, of the single device I'm testing on (hAP Lite).

I confirm this behavior. Tested on over 10 installations so far. All had the exact behavior you described.

Reinis · Mon Jul 01, 2019 3:00 pm

!) security - fixed vulnerabilities CVE-2018-1157, CVE-2018-1158;
Fixed again?

Both CVE's were fixed in the previous versions, but they could be reproduced differently if you had access to the www service and user account with "full" rights. We have removed this possibility as well.

nichky · Mon Jul 01, 2019 3:01 pm

!) security - fixed vulnerabilities CVE-2018-1157, CVE-2018-1158;
Fixed again?
Both CVE's were fixed in the previous versions, but they could be reproduced differently if you had access to the www service and user account with "full" rights. We have removed this possibility as well.

and how can we get access?

toxmost · Mon Jul 01, 2019 3:13 pm

PLEASE HELP!!!

I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
IP address receive via DHCP. ALL WORK GREAT! ---> firmware 6.44.3

If im update firmware to 6.45.1, SFP module have status "link ok", but DHCP address not received, DHCP client all time in status "searching", packet (in module window) TXed, but not RXed.

Help me PLEASE!

Thank you.

Mon Jul 01, 2019 3:15 pm

and how can we get access?

You can't

That is the point of this issue. Only the admin himself could trigger the problem. it's not a serious issue, but we still fixed it.

Stanleyssm · Mon Jul 01, 2019 3:21 pm

Hi Guys

I am having problem to update my device,

it complete and reboot , but when i go to check the currentversion, is still 6.42 and not 6.45

Please Help

nichky · Mon Jul 01, 2019 3:21 pm

and how can we get access?
You can't That is the point of this issue. Only the admin himself could trigger the problem. it's not a serious issue, but we still fixed it.

So we have to replace the router? so fany

Stanleyssm · Mon Jul 01, 2019 3:22 pm

Hy Guys

I try Update , itdomy device downlo and install, then reboot the device...but when i went to check if theCurrent Version of the Update is still 6.42.6. any help

nichky · Mon Jul 01, 2019 3:25 pm

The only access i can get is via SSH. and i downgrade to 6.44.3,nothing happens

SimWhite · Mon Jul 01, 2019 3:35 pm

GRE tunnels won't start anymore between 6.45.1 versions. But 6.44.3 <--> 6.45.1 are working fine.

Mon Jul 01, 2019 3:43 pm

and how can we get access?
You can't That is the point of this issue. Only the admin himself could trigger the problem. it's not a serious issue, but we still fixed it.
So we have to replace the router? so fany

What are you even talking about ? No, you don't have to replace anything. You have no risk here unless you plan to hack your own devices. Please read carefully.

3bs · Mon Jul 01, 2019 3:54 pm

After upgrade map receive "ERROR: wrong username or password" when connect with winbox. But connect with webfig, ssh without errors. Clear winbox cache don't helped.

Mon Jul 01, 2019 4:08 pm

Upgrade Winbox too

3bs · Mon Jul 01, 2019 4:11 pm

winbox version 3.18

eworm · Mon Jul 01, 2019 4:17 pm

GRE tunnels won't start anymore between 6.45.1 versions. But 6.44.3 <--> 6.45.1 are working fine.

Is this just GRE or GRE over IPSec? Possibly an IPSec issue?

SimWhite · Mon Jul 01, 2019 4:25 pm

Is this just GRE or GRE over IPSec? Possibly an IPSec issue?

Both.

Vlad2 · Mon Jul 01, 2019 4:37 pm

After upgrade map receive "ERROR: wrong username or password" when connect with winbox. But connect with webfig, ssh without errors. Clear winbox cache don't helped.

Connect through Winbox again and the second time should already log in normally.
I only have 2 routers so it was, clicked Connect and logged in to the router

3bs · Mon Jul 01, 2019 4:58 pm

Connect through Winbox again and the second time should already log in normally.
I only have 2 routers so it was, clicked Connect and logged in to the router

Tried many times from several machines (win10, winxp), same error. I have more than 15 mikrotik routers, problem only with map2n.

rifkytech · Mon Jul 01, 2019 5:50 pm

After upgrade map receive "ERROR: wrong username or password" when connect with winbox. But connect with webfig, ssh without errors. Clear winbox cache don't helped.

me to, but i have problem on api, i can connect with winbox, but i can't login with API ( wrong password ). why?

nuffrespect · Mon Jul 01, 2019 6:16 pm

GRE tunnels won't start anymore between 6.45.1 versions. But 6.44.3 <--> 6.45.1 are working fine.
Is this just GRE or GRE over IPSec? Possibly an IPSec issue?

The same bug...
IPSec (transport + 47 proto) in established state, phases normal.

GRE tunnels was in down state in 6.45.1 (not running interface)

Downgrade to 6.44.3 - flushed! any settings in Policy

nuffrespect · Mon Jul 01, 2019 6:33 pm

2 Mikrotik Team

Do you confirm some troubles with GRE interfaces + IPSec (transport) ?
What we have to do in that case?

Maybe there is something special with update? For example: We have to update passive sites first to 6.45.1 and after main router to 6.45.1
Or another way?

Thanks!

Chupaka · Mon Jul 01, 2019 6:38 pm

me to, but i have problem on api, i can connect with winbox, but i can't login with API ( wrong password ). why?

Do you use new login style in API?
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

sterod · Mon Jul 01, 2019 6:40 pm

After upgrade map receive "ERROR: wrong username or password" when connect with winbox. But connect with webfig, ssh without errors. Clear winbox cache don't helped.

I'm having the exact same problem with an RB4011iGS+5HacQ2HnD. Using winbox 3.18, cleared cache, made a dozen login attempts, no joy. This configuration has been in place for months and has now stopped working after upgrading the device to 6.45.1

I am trying to connect to this device through an unencrypted L2TP tunnel with address 172.16.1.5. It simply will not connect through winbox. I can only connect through telnet, therefore I know for certain the username and password are still good. I used a computer that is on the same network as the RB4011 and it is able to connect to winbox using the same username and password with no issue, over the wifi. Therefore, it appears that there is a problem authenticating through winbox when traversing a L2TP tunnel.

EDIT: I've tried PPTP, enabled IPsec on the L2TP tunnel, blanked the admin user password, created a new user with admin, all with no change, the same issue persists.

Cha0s · Mon Jul 01, 2019 6:43 pm

2 Mikrotik Team

Do you confirm some troubles with GRE interfaces + IPSec (transport) ?
What we have to do in that case?

Maybe there is something special with update? For example: We have to update passive sites first to 6.45.1 and after main router to 6.45.1
Or another way?

Thanks!

I have IPsec tunnels between 6.45.1 and various 6.4X versions and also all the way back to 5.26.
All IPsec tunnels work without any issues on all versions I have atm.

The only issue I had was that some statically defined policies, lost their peer association after the update. By selecting the correct one, the IPsec sessions established fine.

nuffrespect · Mon Jul 01, 2019 6:58 pm

I have IPsec tunnels between 6.45.1 and various 6.4X versions and also all the way back to 5.26.
All IPsec tunnels work without any issues on all versions I have atm.
The only issue I had was that some statically defined policies, lost their peer association after the update. By selecting the correct one, the IPsec sessions established fine.

Yes, i wrote that IPSec was in normal state. May be if you use pure IPsec - that's OK
But in our organization we use GRE tunnels (interface extIP<->extIP) + IPSec in transport mode 47 protocol (not IPSec SITE2SITE tunnel)
After upgrade remote site to 6.45.1 - router lost some params in Policy. OK. I changed peer's settings. IPSEC state became normal.
BUT GRE interface was in down state, anyway

That's why i decided to made downgrade, until additional info about this.
One brick better, than a lot of bricks, i think.

wpeople · Mon Jul 01, 2019 6:59 pm

OSPF (over openvpn tunnel) caused me 100% cpu load. Downgrading and all OK.

Cha0s · Mon Jul 01, 2019 7:00 pm

My configurations use all types of tunnels.

GRE, IPIP, EoIP. All of them, over IPsec without any problems on my end.

osc86 · Mon Jul 01, 2019 7:03 pm

My configurations use all types of tunnels.

GRE, IPIP, EoIP. All of them, over IPsec without any problems on my end.

same here, no issues.

nuffrespect · Mon Jul 01, 2019 7:05 pm

My configurations use all types of tunnels.

GRE, IPIP, EoIP. All of them, over IPsec without any problems on my end.

Thanks, will try to find out, what's wrong with my situation.

SimWhite · Mon Jul 01, 2019 7:49 pm

I just tried to create GRE-tunnel without IPsec between 6.45.1 versions on external IPs and disabled firewalls. GRE interface gets the "running" state on the one side but on the other side it does not start. When the 6.44.3 on the other side everything is working fine. CHR is used on the side which won't start.

nuffrespect · Mon Jul 01, 2019 8:00 pm

My configurations use all types of tunnels.

GRE, IPIP, EoIP. All of them, over IPsec without any problems on my end.
Thanks, will try to find out, what's wrong with my situation.

Something strange. MAIN router at 6.44.3

Try to update 6.45.1 remote sites
On some remote router (mipsbe w|o wireless) on 6.45.1 i see 47 gre in Connection tracker > Tunnes UP
On another remote router (mipsbe + wireless) - nothing -> no gre in Connection tracker with 6.45.1. > Tunnels DOWN

IPIP - works normal on 6.45.1 on failed router
After downgrade failed remote router to 6.44.3 - GRE works normal.
Now see 47 proto in Connection tracker. Tunnels - UP

eddieb · Mon Jul 01, 2019 8:01 pm

updating to 6.45.1 went smooth ... from 6.44.3 to 6.45.1 with some help from the dude

No problems so far

SimWhite · Mon Jul 01, 2019 8:09 pm

On another remote router (mipsbe + wireless) - nothing -> no gre in Connection tracker with 6.45.1. > Tunnels DOWN

The same on the CHR side.

nuffrespect · Mon Jul 01, 2019 8:12 pm

Try to update 6.45.1 remote sites
On some remote router (mipsbe w|o wireless) on 6.45.1 i see 47 gre in Connection tracker > Tunnes UP

UPDATE:
NOW Checked Connection tracker - Tunnels UP - NO GRE 47 protocol in Connection Tracker!
Downgrade last failed router.

bleblas · Mon Jul 01, 2019 8:27 pm

me to, but i have problem on api, i can connect with winbox, but i can't login with API ( wrong password ). why?
Do you use new login style in API?
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

i have this same problem with API after update to 6.45.1, it's work on 6.44.5 fine.
i update/change login metod before,and i get wrong password

marcperea · Mon Jul 01, 2019 9:00 pm

Hello,
I too am having problems with our software logging in using API. I can SSH and Winbox, but over API we get authentication error - invalid credentials!

w0lt · Mon Jul 01, 2019 9:13 pm

Try to update 6.45.1 remote sites
On some remote router (mipsbe w|o wireless) on 6.45.1 i see 47 gre in Connection tracker > Tunnes UP
UPDATE:
NOW Checked Connection tracker - Tunnels UP - NO GRE 47 protocol in Connection Tracker!
Downgrade last failed router.

My EoIP tunnels (IPSec) won't come up either. I've tried several methods but no joy. Back to 6.44.3 which works just fine.

-tp

dhoulbrooke · Mon Jul 01, 2019 9:15 pm

Hi All,

For those having trouble with EoIP/GRE following the upgrade the below workaround worked for me:

/ip firewall raw add action=notrack chain=prerouting protocol=gre

tesme33 · Mon Jul 01, 2019 9:23 pm

Hi
upgraded crs326 and one hap lite without issues : 6.43.3 --> 6.45.1
one hap lite wont upgrade. I suspect space problem, but there are no files on the system.

[admin@haplite1] > /system resource print 
                   uptime: 11m54s
                  version: 6.44.3 (stable)
               build-time: Apr/23/2019 12:37:03
              free-memory: 7.9MiB
             total-memory: 32.0MiB
                      cpu: MIPS 24Kc V7.4
                cpu-count: 1
            cpu-frequency: 650MHz
                 cpu-load: 3%
           free-hdd-space: 7.5MiB
          total-hdd-space: 16.0MiB
  write-sect-since-reboot: 709
         write-sect-total: 281833
               bad-blocks: 0%
        architecture-name: smips
               board-name: hAP lite
                 platform: MikroTik
[admin@haplite1] > /file print            
 # NAME                    TYPE                         SIZE CREATION-TIME       
 0 96N6-4YZ6.key           .key file                     204 may/26/2019 09:00:16
 1 skins                   directory                         jan/01/1970 02:00:01

anav · Mon Jul 01, 2019 9:27 pm

I am using capAC in AP WISP Mode and for some reason it does not have access to the internet (probably how I setup my vlans). Two questions.
(1) What method can I use to manually upload the package (dont see a selection in packages)?? and
(2) Should I change the capAC mode to home AP from AP Wisp mode??

NM. No need to change modes in 2, drag and drop works for 1 and reboot.

TimurA · Mon Jul 01, 2019 9:32 pm

one hap lite wont upgrade. I suspect space problem.

I confirm. upgrade problem on hap lite.

UMarcus · Mon Jul 01, 2019 9:47 pm

one hap lite wont upgrade. I suspect space problem.
I confirm. upgrade problem on hap lite.

My hap lite upgrade with no issues.

mducharme · Mon Jul 01, 2019 9:56 pm

The API logins were broken in the last beta of 6.45 as well. Is it related to the removal of the old unencrypted password store?

sebastia · Mon Jul 01, 2019 10:00 pm

one hap lite wont upgrade. I suspect space problem, but there are no files on the system.

Try upgrading with specific packages that you actually use. So download the "extra packages" and only put the packages you need on device + reboot.

mserge · Mon Jul 01, 2019 10:20 pm

Hello,

When i updated my LHG 5 HP, then i couldn't access it by winbox, it says wrong user/pass.

Package is what has been updated however firmware is still on 44.3 as i couldn't access it again to complete the upgrade. Any help please?

Thanks!

mkx · Mon Jul 01, 2019 10:23 pm

Hi
upgraded crs326 and one hap lite without issues : 6.43.3 --> 6.45.1
one hap lite wont upgrade. I suspect space problem, but there are no files on the system.

It's the oroblem with free memory. Devices with small flash (less than 64MB) download upgrade packages to RAM ... and for that some 12MB RAM should be free. Free RAM on your hAP lite is quite low ... do you have some large address list?

matiaszon · Mon Jul 01, 2019 10:30 pm

After swtiching from 6.43.16 to 6.54.1 I am not able to use my LTE connection. My main router (RB2011) is getting an IP from BaseBox2 + R11e-LTE (passthorugh, using only Band 3, T-Mobile Poland). Modem shows status connected and everything seems to be OK. However, there is no traffic coming through LTE modem. I have upgraded Routerbord too and it hasn't helped. After coming back to 6.43.16 it works fine again.

nobody can say anything about it?

OndrejHolas · Mon Jul 01, 2019 10:31 pm

It seems that archive all_packages-mmips-6.45.1.zip is truncated on one download server:

https://159.148.147.204/routeros/6.45.1/all_packages-mmips-6.45.1.zip
https://[2a02:610:7501:1000::196]/routeros/6.45.1/all_packages-mmips-6.45.1.zip
Size: 10600448
SHA256: 6c4d219a8e59398c6fe821deec2f12c93bc72adcd1189a02e428a123798414a8 (wrong)

https://[159.148.172.226]/routeros/6.45.1/all_packages-mmips-6.45.1.zip
https://2a02:610:7501:4000::226/routeros/6.45.1/all_packages-mmips-6.45.1.zip
Size: 11811731
SHA256: 2ae2174d31895aeac25afda0a27f22d5394134c0b64bdd34ff10c8a59df83832 (correct)

OH

sebastia · Mon Jul 01, 2019 10:46 pm

After coming back to 6.43.16 it works fine again.

v6.43.16 is using P2P ip configuration for LTE passthrough. 6.45 is using small ip block, back as it was in pre-6.43.
check what ip you get and if you can ping the gateway at least.

zsolt · Mon Jul 01, 2019 10:55 pm

I have hAP lite. I want to upgrade from 6.44.3, but not enough flash. The flash-drive is empty (/file print)
Can I remote-upgrade this device?

/system package update install
channel: stable
installed-version: 6.44.3
latest-version: 6.45.1
status: ERROR: not enough disk space, 7.4MiB is required and only 7.3MiB is free

sebastia · Mon Jul 01, 2019 10:59 pm

2 options:
1. disable unnecessary packages, and upload ONLY the used ones for upgrade (from "extra packages" zip)
2. netinstall...

markos222 · Mon Jul 01, 2019 11:04 pm

someboy could explain me this CVE??

*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160)

This is not fixed in old versions??

thank you

ofer · Mon Jul 01, 2019 11:23 pm

Upgraded HapACx3 6.43.3 -> 6.45.1 - no issues

Thanks!

anav · Mon Jul 01, 2019 11:31 pm

No issues in upgrading two CapAC and one RB450Gx4.

smileymattj · Mon Jul 01, 2019 11:34 pm

When will the [long-term] receive the CVE fixes addressed in v6.45.1?

petrb · Mon Jul 01, 2019 11:37 pm

FAIL, RB4011, DHCPv6 PD from RADIUS failed, in 6.44.3 works fine. Some ip changed .... I use trick with replace input username in freeradius to pair "mac username" and "Calling-Station-Id"

00:29:47 dhcp,error item: radius authentication failed for f09fc24af7e8 ::/64: prefix changed ::/64 -> 2a01:5e0:30:1000::/60

Workaround:
- Linux with Radius

Framed-IP-Address     | =  | 192.168.177.15                    |
Framed-Route          | =  | 213.192.5.17/32 192.168.177.15 1 |
Mikrotik-Rate-Limit   | =  | 5M/5M                             |
Mikrotik-address-list | =  | neplatic                          |
Calling-Station-Id    | =  | F0-9F-C2-4A-F7-E8                 |
Delegated-IPv6-Prefix | =  | 2a01:5e0:30:1000::/60             |

- RB4011 with DHCPv4 and v6

/ip dhcp-server network add address=192.168.177.0/24 dns-server=1.1.1.1 gateway=192.168.177.100
/ipv6 dhcp-server add interface=bridge1 lease-time=10m name=server1 rapid-commit=no use-radius=yes
/radius add address=192.168.43.1 secret=test service=dhcp src-address=10.177.1.1

from radius:

(110) Sent Access-Accept Id 26 from 192.168.43.1:1812 to 10.177.1.1:32839 length 0
(110)   Framed-IP-Address = 192.168.177.15
(110)   Framed-Route = "213.192.5.17/32 192.168.177.15 1"
(110)   Mikrotik-Rate-Limit = "5M/5M"
(110)   Mikrotik-Address-List = "neplatic"
(110)   Calling-Station-Id = "F0-9F-C2-4A-F7-E8"
(110)   Delegated-IPv6-Prefix = 2a01:5e0:30:1000::/60

log in mikrotik:

00:37:41 radius,debug,packet sending Access-Request with id 27 to 192.168.43.1:1812 
00:37:41 radius,debug,packet     Signature = 0x31ba2d3f58e4837ca33071255ad9bb62 
00:37:41 radius,debug,packet     NAS-Port-Type = 15 
00:37:41 radius,debug,packet     NAS-Port = 2199912456 
00:37:41 radius,debug,packet     Calling-Station-Id = 0xf09fc24af7e8 
00:37:41 radius,debug,packet     Called-Station-Id = "server1" 
00:37:41 radius,debug,packet     Delegated-IPv6-Prefix = ::/64 
00:37:41 radius,debug,packet     User-Name = "F0:9F:C2:4A:F7:E8" 
00:37:41 radius,debug,packet     User-Password = 0x00000000 
00:37:41 radius,debug,packet     NAS-Identifier = "RB4011-1" 
00:37:41 radius,debug,packet     NAS-IP-Address = 10.177.1.1 
00:37:41 radius,debug,packet received Access-Accept with id 27 from 192.168.43.1:1812 
00:37:41 radius,debug,packet     Signature = 0x883ffcd554726f9b161fde42cd81e7ad 
00:37:41 radius,debug,packet     Framed-IP-Address = 192.168.177.15 
00:37:41 radius,debug,packet     Framed-Route = "213.192.5.17/32 192.168.177.15 1" 
00:37:41 radius,debug,packet     MT-Rate-Limit = "5M/5M" 
00:37:41 radius,debug,packet     MT-Address-List = "neplatic" 
00:37:41 radius,debug,packet     Calling-Station-Id = "F0-9F-C2-4A-F7-E8" 
00:37:41 radius,debug,packet     Delegated-IPv6-Prefix = 2a01:5e0:30:1000::/60 
00:37:41 radius,debug received reply for 17:22 
00:37:41 dhcp,error item: radius authentication failed for f09fc24af7e8 ::/64: prefix changed ::/64 -> 2a01:5e0:30:1000::/60

complex1 · Mon Jul 01, 2019 11:48 pm

Upgraded RB4011 from 6.44.3 to 6.45.1 - no issues

Thanks!

Panbambaryla · Mon Jul 01, 2019 11:56 pm

Upgraded RB4011 from 6.44.3 to 6.45.1 - no issues

Well, actually there is one - the bridge MAC address has changed so the network discovery on Windows must be done again. In my case the bridge MAC addr is the same as for eth7 interface. Interesting what it depends on...
Best
Bam

nerxu · Tue Jul 02, 2019 12:06 am

ehhhh

lms-notify-sms = DOWN
why - because API has been changed
Now admin says ....: / fuck
say how to fix ?

matiaszon · Tue Jul 02, 2019 12:09 am

After coming back to 6.43.16 it works fine again.
v6.43.16 is using P2P ip configuration for LTE passthrough. 6.45 is using small ip block, back as it was in pre-6.43.
check what ip you get and if you can ping the gateway at least.

What do you exactly mean? What should I check? It is not a public IP. What I get is internal IP from my LTE ISP.

STEVEUK1 · Tue Jul 02, 2019 12:16 am

Has anyone solved these password issues as yet to access the routers ?

We have one remote router which is in a different country. We have a STTP VPN direct to the router which is showing as connected but the username and password are not working - It was working fine before it was upgraded.

It has or at least had a 16 digit random password on it with a custom username.

Tried using the username without a password
Tried the admin account with no password
Tried asking a staff member to reboot it

Still no access and we're not really sure what to try next - Any help much appreciated

adonato · Tue Jul 02, 2019 12:30 am

Hello I have a Router RB 750 and when I tried to update from winbox or donwloading the file from mikrotik
after I rebot, I get this message:

" system,error can not install routeros-mipsbe-6.45.1: it is not made for m
mips, but for mips "

Some know what to do?

Thanks!

snake27 · Tue Jul 02, 2019 12:33 am

Hi All,

For those having trouble with EoIP/GRE following the upgrade the below workaround worked for me:
Code: Select all
/ip firewall raw add action=notrack chain=prerouting protocol=gre

Thanks!

w0lt · Tue Jul 02, 2019 12:41 am

Hi All,

For those having trouble with EoIP/GRE following the upgrade the below workaround worked for me:
Code: Select all
/ip firewall raw add action=notrack chain=prerouting protocol=gre

Good tip !! Got me back up and running with 6.45.1

Thanks !!

jwilkinson6028 · Tue Jul 02, 2019 12:43 am

After updating to 6.45.1 I am no longer able to login using the PEAR2 PHP API. Just get an error for login failure in the log.

sterod · Tue Jul 02, 2019 1:26 am

Has anyone solved these password issues as yet to access the routers ?

We have one remote router which is in a different country. We have a STTP VPN direct to the router which is showing as connected but the username and password are not working - It was working fine before it was upgraded.

It has or at least had a 16 digit random password on it with a custom username.

Tried using the username without a password
Tried the admin account with no password
Tried asking a staff member to reboot it

Still no access and we're not really sure what to try next - Any help much appreciated

I have the same problem, see post #55. I have not found a workaround.

Sent from my Pixel 3 using Tapatalk

STEVEUK1 · Tue Jul 02, 2019 1:39 am

Has anyone solved these password issues as yet to access the routers ?

We have one remote router which is in a different country. We have a STTP VPN direct to the router which is showing as connected but the username and password are not working - It was working fine before it was upgraded.

It has or at least had a 16 digit random password on it with a custom username.

Tried using the username without a password
Tried the admin account with no password
Tried asking a staff member to reboot it

Still no access and we're not really sure what to try next - Any help much appreciated
I have the same problem, see post #55. I have not found a workaround.

Sent from my Pixel 3 using Tapatalk

Thanks for the response.

Good to know it works on the same network at least - we can get access to a local machine to get on it and downgrade again so we have access, giving us some time to do some testing in the office.

If you do manage to work this out please do let me know - i will of course do the same if we can find a solution.

Hyperlight · Tue Jul 02, 2019 2:40 am

I had a problem with all my IPSec tunnels for this upgrade. Something is fishy with how the reflexive NAT firewall rule works on the IPSEC initiator side. I had to write a FW rule to allow traffic back in to the initiator from the responder before my GRE tunnels on these interfaces came back up.

The following is what broke, even though tunnel state is established.

IPSec Initiator -> Reponder : Ping Reponder IP - GRE Tunnel Endoint (Works)
IPSec Reponder-> Initiator : Ping Initiator IP GRE Tunnel Endoint (Fails)

Had to write the following FW rule

Accept - Input - External IP of the Responder

After this rule was put in everything came back online. Can someone look into why this rule is now required?

rifkytech · Tue Jul 02, 2019 3:57 am

me to, but i have problem on api, i can connect with winbox, but i can't login with API ( wrong password ). why?
Do you use new login style in API?
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

yes, i am use it

rifkytech · Tue Jul 02, 2019 3:58 am

me to, but i have problem on api, i can connect with winbox, but i can't login with API ( wrong password ). why?
Do you use new login style in API?
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

I use CHR

elgrandiegote · Tue Jul 02, 2019 4:31 am

CHR --> "ERROR: wrong username or password" when I try to login with WinBox 3.18

it is seen that this version was not very tested....

berzerker · Tue Jul 02, 2019 5:56 am

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;

Since this is "as initiator," can I assume this isn't supported for running as a roadwarrior config?

If so, when is support for that coming, if at all?

lomayani · Tue Jul 02, 2019 7:11 am

this release is crashing ccr having vpls tunnels. Downgrading back to 6.44.3 no issue

Tue Jul 02, 2019 7:53 am

ludvik - On some specific and very rare case Ethernet interface on TILE routers could lock up. Now this problem is resolved;
ndbjorne, kobuki, smileymattj - Bugfix version (long-term) will be released as soon as possible;
eworm, matiaszon, toxmost, Stanleyssm, wpeople, petrb, lomayani - I recommend that you provide supout file to support@mikrotik.com in order to get more information about the problem that you are experiencing;
pacman88 - CRS3xx switches now can better handle traffic passing through the switch if interface speeds are different;
nmt1900 - Can you reproduce this problem once more? Actually. sounds that this was simply a coincidence and the problem was caused by something else besides static ARP entries;
raystream, nichky, LetMeRepair, proximus, Cha0s, 3bs, Vlad2, sterod, mserge, STEVEUK1, elgrandiegote - We can not seem to reproduce the problem with Winbox login. Can you provide more details? From which version did you upgrade your router? Do you, for example, use RADIUS for Winbox authorisation?
SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);
rifkytech, bleblas, marcperea, mducharme, nerxu, jwilkinson6028 - If you cannot login into your router by using API please make sure that you have updated API authentication script (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
anav - Is this problem related to RouterOS v6.45.1 or this is simply a configuration related question?
OndrejHolas - We will resolve this problem as soon as possible;
markos222 - Currently fix is available only in v6.45. Fix will be backported to long-term versions aswell;
adonato - MIPS and MMIPS are two differnet architectures. Is it RB750 or RB750Gr3? Please name precise model.

mkx · Tue Jul 02, 2019 7:57 am

Hello I have a Router RB 750 and when I tried to update from winbox or donwloading the file from mikrotik
after I rebot, I get this message:

" system,error can not install routeros-mipsbe-6.45.1: it is not made for m
mips, but for mips "

Some know what to do?

Which particular RB750 ... the old RB750UP which is MIPSBE, or the new hEX (RB750Gr3) which is MMIPS or some other RB750 which might be MIPS? You can check it by running command /system resource print (it's in the architecture-name field).

Or are you using the built-in way of upgrading (/system package update install)?

3bs · Tue Jul 02, 2019 8:10 am

raystream, nichky, LetMeRepair, proximus, Cha0s, 3bs, Vlad2, sterod, mserge, STEVEUK1, elgrandiegote - We can not seem to reproduce the problem with Winbox login. Can you provide more details? From which version did you upgrade your router? Do you, for example, use RADIUS for Winbox authorisation?

Upgraded from version 6.44.3, no RADIUS, internal authorisation.

SimWhite · Tue Jul 02, 2019 8:12 am

SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);

GRE up and running now on the both sides.

Tue Jul 02, 2019 8:31 am

3bs - Can you please:

1) Try to log into your router by using Winbox;
2) See that authentication fails;
3) Log into your router by another method;
4) Generate supout file;
5) Download file from the router;
6) Send this file to support@mikrotik.com?

Abdock · Tue Jul 02, 2019 8:39 am

Have tried to download few times all_packages-mmips-6.45.1 when extracting it says director is empty.

3bs · Tue Jul 02, 2019 8:59 am

3bs - Can you please:

1) Try to log into your router by using Winbox;
2) See that authentication fails;
3) Log into your router by another method;
4) Generate supout file;
5) Download file from the router;
6) Send this file to support@mikrotik.com?

Sent.

emils · Tue Jul 02, 2019 9:03 am

all_packages-mmips-6.45.1.zip should be working now.

jvparis · Tue Jul 02, 2019 9:13 am

Using a SXTsq 5 ac with v6.45.1 the only installation-type that is available when using frequency-mode-regulatory-domain is "outdoors". Can I no longer legally use this device indoors and profit from the wider frequency spectrum? I already know the workaround using superchannel...

Cetalfio · Tue Jul 02, 2019 9:22 am

In the new version of ROS no problem logging on to a RB750 r2 via ssh and Winbox and also mac-telnet, access is right from the local LAN network. If instead I try on an LHG associated as a wireless station to an AP 921, access is possibile only via ssh. Winbox, telnet and mac-telnet do not work the error is: invalid Login and Password.
Cetalfio

Tue Jul 02, 2019 9:25 am

Everyone who is experiencing Winbox login problems, please:

1) Make sure that you use Winbox 3.18;
2) If you use Winbox 3.18, then close all of the Winbox applications (for example, reboot computer) and try again;
3) Check if you can log into your router over WEB interface (Webfig).

Tue Jul 02, 2019 9:30 am

jvparis - Which country have you selected? What happens, if you try to use this command "/interface wireless set [interface_name] country=[your_country] frequency-mode=regulatroy-domain installation=indoor"? What kind of an error do you get?

SimWhite · Tue Jul 02, 2019 9:36 am

SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);

strods, Could you tell is this a bug or a feature? Will it be fixed in the next updates or we should use such kind of rules started from 6.45.1?

jvparis · Tue Jul 02, 2019 9:37 am

jvparis - Which country have you selected? What happens, if you try to use this command "/interface wireless set [interface_name] country=[your_country] frequency-mode=regulatroy-domain installation=indoor"? What kind of an error do you get?

Hi strods!
country is germany. This is the error:

[admin@sxt-wds] <SAFE> /interface wireless set wlan1 country=germany frequency-mode=regulatory-domain installation=indoor 
failure: allowed installation type is outdoor

FogOfWar · Tue Jul 02, 2019 9:38 am

The login problem is major.
Two LHG-R-s, passwords do not match, even worse, via romon, blank password is accepted although password is set.
Downgraded either to 6.44.3 and 6.44.18 but problem persists. Via romon, password is not accepted, blank password IS accepted.
After logging in, when new terminal is opened, it will fail with wrong password (as it was blank for romon login). correct one is accepted.

Without downgrading, not any password in most interfaces was accepted. Only SSH accepted correct password.
Clear configuration , password change etc. did not change the behaviour.

This password store change needs a rollback ASAP.

petrb · Tue Jul 02, 2019 9:41 am

Hi normis,

please explane last line from log. Radius PD DHCPv6, Access-Accept receive but auth failed? What is that? No bindings in dhcpv6. Works in 6.44.3.

00:37:41 radius,debug,packet sending Access-Request with id 27 to 192.168.43.1:1812 
00:37:41 radius,debug,packet     Signature = 0x31ba2d3f58e4837ca33071255ad9bb62 
00:37:41 radius,debug,packet     NAS-Port-Type = 15 
00:37:41 radius,debug,packet     NAS-Port = 2199912456 
00:37:41 radius,debug,packet     Calling-Station-Id = 0xf09fc24af7e8 
00:37:41 radius,debug,packet     Called-Station-Id = "server1" 
00:37:41 radius,debug,packet     Delegated-IPv6-Prefix = ::/64 
00:37:41 radius,debug,packet     User-Name = "F0:9F:C2:4A:F7:E8" 
00:37:41 radius,debug,packet     User-Password = 0x00000000 
00:37:41 radius,debug,packet     NAS-Identifier = "RB4011-1" 
00:37:41 radius,debug,packet     NAS-IP-Address = 10.177.1.1 
00:37:41 radius,debug,packet received Access-Accept with id 27 from 192.168.43.1:1812 
00:37:41 radius,debug,packet     Signature = 0x883ffcd554726f9b161fde42cd81e7ad 
00:37:41 radius,debug,packet     Framed-IP-Address = 192.168.177.15 
00:37:41 radius,debug,packet     Framed-Route = "213.192.5.17/32 192.168.177.15 1" 
00:37:41 radius,debug,packet     MT-Rate-Limit = "5M/5M" 
00:37:41 radius,debug,packet     MT-Address-List = "neplatic" 
00:37:41 radius,debug,packet     Calling-Station-Id = "F0-9F-C2-4A-F7-E8" 
00:37:41 radius,debug,packet     Delegated-IPv6-Prefix = 2a01:5e0:30:1000::/60 
00:37:41 radius,debug received reply for 17:22 
00:37:41 dhcp,error item: radius authentication failed for f09fc24af7e8 ::/64: prefix changed ::/64 -> 2a01:5e0:30:1000::/60

Anumrak · Tue Jul 02, 2019 9:46 am

Impossile to upgrade hAP lite. Please fix this. All unnecessary features were disabled. It's not working.

nichky · Tue Jul 02, 2019 9:48 am

raystream, nichky, LetMeRepair, proximus, Cha0s, 3bs, Vlad2, sterod, mserge, STEVEUK1, elgrandiegote - We can not seem to reproduce the problem with Winbox login. Can you provide more details? From which version did you upgrade your router? Do you, for example, use RADIUS for Winbox authorisation?
Upgraded from version 6.44.3, no RADIUS, internal authorisation.

Same...Upgraded from version 6.44.3, no RADIUS, internal authorisation.
i upgrade on two devices,on one of them is okay other one no, and i'm not going to upgrade the rest of routers

Xymox · Tue Jul 02, 2019 10:15 am

4011 fail. Sorta. Its remote and started rebooting and being really weird. It would come up and seem fine, but then, go offline again..

For some reason it wont switch back to the partition with 6.44.3 in it. It shows A but when I reboot it does not switch back to it.

Its not up long enough to realy explore what is wrong. I was able to get the config backup off it, so, at least if need be I can setup another and send it out for swap out.

It was set to a higher CPU speed. Which has worked fine for 6 months, going back to the fact CPU speed after the upgrade to 6.45.1 might have fixed it.

Weird issue.

I did upgrade a bunch of CCRs and a few 2011's. No issues.. Just this one 4011..Which was overclocked..

nmt1900 · Tue Jul 02, 2019 10:31 am

It looks like Dude has problems with SNMP access.

snmpwalk to other Mikrotik device causes this to appear in log of target device

10:22:24 snmp,debug unsupported v3 security level 
10:22:24 snmp,debug v3 err: 0 unsupported security
10:22:24 snmp,debug bad packet

and snmpwalk times out. We have LibreNMS set up for monitoring and it works fine as it did before.SNMP is set up as v3 private access.

Dude is updated to 6.45.1. It is hard to say whether Dude is the problem or RouterOS on the device itself...

baragoon · Tue Jul 02, 2019 10:34 am

Openvpn broken on v6.45.1. Downgrading back to 6.44.3 and it works.
On client side logs observing this line repeatedly

openvpn[30190]: write to TUN/TAP : Invalid argument (code=22)

nerxu · Tue Jul 02, 2019 10:37 am

Winbox login problem, please:
winbox 3.18 - tools-clear cache WORK

API login problems, please:
change all script (lms,serwer,PHP...) - are you fu... crazy ? I must change all my programs

90% admins says now : F...

kanitelka · Tue Jul 02, 2019 10:44 am

Hi!
After updating, there was a problem.
I have two incoming channels - main and backup.
VPN (pptp and L2TP)
I can only connect to the backup channel (pptp or l2tp). The port is open on the main channel, the logs are empty
Settings and rules after the update did not change.

bleblas · Tue Jul 02, 2019 10:57 am

Winbox login problem, please:
winbox 3.18 - tools-clear cache WORK

API login problems, please:
change all script (lms,serwer,PHP...) - are you fu... crazy ? I must change all my programs
90% admins says now : F...

the problem is, we don't know what we need to change.

WTC · Tue Jul 02, 2019 11:02 am

hello,

after upgrade to 6.45.1 we were unable to login to CHR instance(We use it as package source) from clients using System -> AutoUpgrade -> Upgrade Package Sources. In log on CHR we had login failure.
On CHR after downgrade to 6.44.3 and restoring config from backup file. It's working. We won't update clients mikrotiks until this issue is addressed.

thnak you

Michael

Vlad2 · Tue Jul 02, 2019 11:04 am

1) (problem with authorization in WinBox after updating to 6.45.1)

And I have the same thing, routers 951, 952, 760. The old RouterBOARD cAP 2n access point and a number of other similar devices.
Radius is not present, settings usual, authorization standard internal, and on a number of devices, after updating - at an input the authorization error was written.
The right to counsel from the team Mikrotik: tried with 3 different computers, all copies of WinBox and closed and opened, two of the 3 computers have to be rebooted. But there is an authorization error (and there is the first time when connecting). Well other users see and read, also the error is present.
Simple decision: 3.19 release WinBox and to upgrade and reset to zero CACHE/cleaned automatically.

2) (problem with not being able to update firmware on RB941)
Hap Lite (RB941) - can't update it, it is to be away, on the disk of the router nothing, no files, no folders. Address-there are no sheets in memory, there is no load on the router. The router was rebooted twice, the error - there is not enough space for updating. I have the feeling(I think) that it is not enough just trivia, 100-150 kilobytes would be removed from the new firmware.
I cannot use NetInstall, the router to be far from me and I consider that the firmware has to be placed on an internal disk of a router and at least still kilobyte 50-90 has to remain. So that am asking team Mikrotik optimize firmware for architecture smips to RB941 can be was renew.
Well, no, so close the model and do not sell it already.

P.S.
People who have RB932 - check, maybe there is a problem with lack of disk space ?
And sorry for bad English

Tue Jul 02, 2019 11:05 am

Everyone who is experiencing problems with Winbox authorization - we will release a new Winbox loader with a fix for this problem as soon as possible. We are very sorry for any inconvenience caused.

llubik · Tue Jul 02, 2019 11:07 am

Hapac2 . . . Don't worry me anymore. What version, it infinitely L2TP_IPSec. It's really nervous. Failed to pre-process ph2 packet.

TimurA · Tue Jul 02, 2019 11:10 am

People who have RB932 - check, maybe there is a problem with lack of disk space ?
And sorry for bad English

hello, no problem on RB932, only RB941

and

that's where the developers were in a hurry? The problem with the 5ghz interface on the RB4011 has not been resolved. falls.

UMarcus · Tue Jul 02, 2019 11:16 am

Upgraded RB4011 from 6.44.3 to 6.45.1 - no issues
Well, actually there is one - the bridge MAC address has changed so the network discovery on Windows must be done again. In my case the bridge MAC addr is the same as for eth7 interface. Interesting what it depends on...
Best
Bam

Here same issue on 3 Devices upgraded from 6.44.3 to 6.45.1.

In my case this cause two major problems :
1. Static DHCP offer of DHCP Server didn't work because of changed MAC -> Login to know IP Address didn't work anymore because get no or a dynamic address from DHCP server
2. The Bridge get the MAC from the WLAN Interface which cause major porblem's in CAPSMAN configuration. There was a lot of 'receive packet from same interface, may loop' messages in the CPASMAN log. The cap client interface's repeatedly connect / disconnect from the CAPSMAN -> WLAN dead

I fix this issue by set the Admin MAC of each bridge manualy.

roe1974 · Tue Jul 02, 2019 11:16 am

@strods

I have same MAC adress on SFP+ and WLAN Interface 5G (QCA9984) ..... the 2.4GHz Interface has another MAC Adress.
The SFP+ Port is disabled, so do i need to do any changes/resets ?

regards, Richard

TimurA · Tue Jul 02, 2019 11:22 am

@strods

I have same MAC adress on SFP+ and WLAN Interface 5G (QCA9984) ..... the 2.4GHz Interface has another MAC Adress.
The SFP+ Port is disabled, so do i need to do any changes/resets ?

regards, Richard

reset wlan interface configuration

/interface wireless reset-configuration wlan1

dash · Tue Jul 02, 2019 11:59 am

System -> Auto Upgrade feature seems to be broken. Working fine with versions prior to 6.45.

I have a remote Router hosting ROS packages. Other mikrotik routers in the same network are scheduled to check if there is new ROS version on the remote (local network) Mikrotik router. With 6.45 this feature is not working anymore. Clients that want to update cant login anymore. On the remote router I see 'login failures' in the logfile each time a client tries to access it.
Already tried creating a new user and adding group 'full' to it, but with no success...

nuffrespect · Tue Jul 02, 2019 12:03 pm

SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);
strods, Could you tell is this a bug or a feature? Will it be fixed in the next updates or we should use such kind of rules started from 6.45.1?

The same question, Mikrotik-Team? Bug | Option | ?

Tue Jul 02, 2019 12:48 pm

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
Since this is "as initiator," can I assume this isn't supported for running as a roadwarrior config?

If so, when is support for that coming, if at all?

Road warrior client is always an initiator, so I do not see the reason why it shouldn't be supported.

Tue Jul 02, 2019 12:54 pm

nuffrespect - Actually bug was the fact that your tunnel did work before. Please see related changelog entry:

"conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160)"

sindy · Tue Jul 02, 2019 1:05 pm

Actually bug was the fact that your tunnel did work before.

I've always thought that the incoming GRE packets get accepted by the chain=input action=accept connection-state=established rule because the corresponding connection gets created by the locally originated GRE packet passing through chain output. What's wrong with this idea?

Tue Jul 02, 2019 1:10 pm

It is wrong if initiator is remote router.

spacex · Tue Jul 02, 2019 1:12 pm

It looks like Dude has problems with SNMP access.

snmpwalk to other Mikrotik device causes this to appear in log of target device
Code: Select all
10:22:24 snmp,debug unsupported v3 security level 
10:22:24 snmp,debug v3 err: 0 unsupported security
10:22:24 snmp,debug bad packet
and snmpwalk times out. We have LibreNMS set up for monitoring and it works fine as it did before.SNMP is set up as v3 private access.

Dude is updated to 6.45.1. It is hard to say whether Dude is the problem or RouterOS on the device itself...

I have that same problem

Anumrak · Tue Jul 02, 2019 2:34 pm

Everyone who is experiencing problems with Winbox authorization - we will release a new Winbox loader with a fix for this problem as soon as possible. We are very sorry for any inconvenience caused.

Hey. What about low capacity of space in hAP lite? Watever I did, it says not enough space. Every time.

serhio · Tue Jul 02, 2019 2:46 pm

RB1100AHx2 - after upgrade from 6.42.6 > 6.45.1, the router is very unstable. Self reboots on irregular intervals happen.

I tried to disable unnecessary packets (like IPv6, MPLS, Wireless or HotSpot) without any meaningful result.

I sent the email to the support team (with attached support.rif), but no response yet.

I'm considering rollback to 6.43.16 LTS. In addition, I will wait with updates on other devices.

In addition, the IPsec rules aren't transferred automatically and all tunnels went down. I needed to fix all of them manually.

pe1chl · Tue Jul 02, 2019 2:56 pm

SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);

I have always had this firewall rule, I presume it is fine as well?

add action=accept chain=input ipsec-policy=in,ipsec protocol=gre

(I have not upgraded yet, running 6.44.3 and this rule as a couple of matches about the same as our number of tunnels)

Chupaka · Tue Jul 02, 2019 3:19 pm

API login problems, please:
change all script (lms,serwer,PHP...) - are you fu... crazy ? I must change all my programs
90% admins says now : F...

If admins don't want to use more secure login - they simply don't upgrade RouterOS versions. If you upgrade RouterOS - what's the problem in upgrading your API library (it should be shared among all your scripts) too?

adonato · Tue Jul 02, 2019 3:23 pm

ludvik - On some specific and very rare case Ethernet interface on TILE routers could lock up. Now this problem is resolved;
ndbjorne, kobuki, smileymattj - Bugfix version (long-term) will be released as soon as possible;
eworm, matiaszon, toxmost, Stanleyssm, wpeople, petrb, lomayani - I recommend that you provide supout file to support@mikrotik.com in order to get more information about the problem that you are experiencing;
pacman88 - CRS3xx switches now can better handle traffic passing through the switch if interface speeds are different;
nmt1900 - Can you reproduce this problem once more? Actually. sounds that this was simply a coincidence and the problem was caused by something else besides static ARP entries;
raystream, nichky, LetMeRepair, proximus, Cha0s, 3bs, Vlad2, sterod, mserge, STEVEUK1, elgrandiegote - We can not seem to reproduce the problem with Winbox login. Can you provide more details? From which version did you upgrade your router? Do you, for example, use RADIUS for Winbox authorisation?
SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);
rifkytech, bleblas, marcperea, mducharme, nerxu, jwilkinson6028 - If you cannot login into your router by using API please make sure that you have updated API authentication script (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
anav - Is this problem related to RouterOS v6.45.1 or this is simply a configuration related question?
OndrejHolas - We will resolve this problem as soon as possible;
markos222 - Currently fix is available only in v6.45. Fix will be backported to long-term versions aswell;
adonato - MIPS and MMIPS are two differnet architectures. Is it RB750 or RB750Gr3? Please name precise model.

Hello I have a RouterBOARD 750G r3

uptime: 14h59m39s
version: 6.44.3 (stable)
build-time: Apr/23/2019 12:37:03
factory-software: 6.36.1
free-memory: 167.8MiB
total-memory: 256.0MiB
cpu: MIPS 1004Kc V2.15
cpu-count: 4
cpu-frequency: 880MHz
cpu-load: 6%
free-hdd-space: 172.0KiB
total-hdd-space: 16.3MiB
write-sect-since-reboot: 146662
write-sect-total: 84183238
bad-blocks: 0%
architecture-name: mmips
board-name: hEX
platform: MikroTik

boquepasha · Tue Jul 02, 2019 3:29 pm

Greetings!

We've observed similar behaviour with a customer of ours who has a RouterBOARD LHG 5nD, but not quite the same. We had mac-telnet access before upgrading routerOS to 6.45.1. After the upgrade, we can no longer log in by mac-telnet login, but we can through any other method, including Winbox. We've tried disabling and enabling the mac-telnet server to no avail. After downgrading to 6.44.3 (and restoring the missing password) we recovered mac-telnet access, as well as any other acces we had. So far we've stopped our upgrade schedule until this problem gets sorted out.

elgrandiegote · Tue Jul 02, 2019 3:35 pm

Hi strods,

i've upgraded several devices from version 6.44.3 (RB3011, RB2011) but the problem is with the CHR, however i can connect via ssh without problem,
I use WinBox 3.18 without RADIUS
regards

ludvik - On some specific and very rare case Ethernet interface on TILE routers could lock up. Now this problem is resolved;
ndbjorne, kobuki, smileymattj - Bugfix version (long-term) will be released as soon as possible;
eworm, matiaszon, toxmost, Stanleyssm, wpeople, petrb, lomayani - I recommend that you provide supout file to support@mikrotik.com in order to get more information about the problem that you are experiencing;
pacman88 - CRS3xx switches now can better handle traffic passing through the switch if interface speeds are different;
nmt1900 - Can you reproduce this problem once more? Actually. sounds that this was simply a coincidence and the problem was caused by something else besides static ARP entries;
raystream, nichky, LetMeRepair, proximus, Cha0s, 3bs, Vlad2, sterod, mserge, STEVEUK1, elgrandiegote - We can not seem to reproduce the problem with Winbox login. Can you provide more details? From which version did you upgrade your router? Do you, for example, use RADIUS for Winbox authorisation?
SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);
rifkytech, bleblas, marcperea, mducharme, nerxu, jwilkinson6028 - If you cannot login into your router by using API please make sure that you have updated API authentication script (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
anav - Is this problem related to RouterOS v6.45.1 or this is simply a configuration related question?
OndrejHolas - We will resolve this problem as soon as possible;
markos222 - Currently fix is available only in v6.45. Fix will be backported to long-term versions aswell;
adonato - MIPS and MMIPS are two differnet architectures. Is it RB750 or RB750Gr3? Please name precise model.

3bs · Tue Jul 02, 2019 3:37 pm

Hey. What about low capacity of space in hAP lite? Watever I did, it says not enough space. Every time.

Try uninstall additional packages, then update. After update install packages.

dakotabcn · Tue Jul 02, 2019 3:48 pm

I have downgraded to 6.44.3 the rb4011 with wifi due fails with L2TP connections
Mi computer connect with any problem, but other users no connect, the log report phase1 negotiation failed
Others router RB3011 have the same issue
All routers have NAT for Inet (the ftth/hfc router is wit NAT) and all computers have win8/10 with nat trasversal
This bug is vert bad, please repair

thx!

lenciso · Tue Jul 02, 2019 4:07 pm

I updated 2 RB2011 and 2 RB951 without problems.

berzerker · Tue Jul 02, 2019 4:08 pm

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
Since this is "as initiator," can I assume this isn't supported for running as a roadwarrior config?

If so, when is support for that coming, if at all?
Road warrior client is always an initiator, so I do not see the reason why it shouldn't be supported.

Well, I'm receiving an error trying to add an identity for IKEv2 w/ EAP-TLS authentication, saying it's only supported as a client.

[admin@RB4011] /ip ipsec identity> add peer=ikev2 auth-method=eap eap-methods=eap-tls remote-certificate=ios-client generate-policy=port-strict
failure: only EAP client supported

Tue Jul 02, 2019 4:11 pm

As far as I understand you are trying to configure server. Server requires RADIUS server with EAP support. Locally on the router it is not supported.

berzerker · Tue Jul 02, 2019 4:19 pm

As far as I understand you are trying to configure server. Server requires RADIUS server with EAP support. Locally on the router it is not supported.

Ok...so that goes back to my original question. Will this be supported without the requirement of RADIUS, locally on ROS?

Gusse · Tue Jul 02, 2019 4:21 pm

RESOLVED: OVPN Server Binding was causing some issues. I deleted the old one instances and made a new one, then it started to work again.

I noticed issues with Android OpenVPN client after upgrade. Before it worked ok, but now I get this. Log full of this TUN write error.

16:08:56.806 -- EVENT: ASSIGN_IP

16:08:56.884 -- Connected via tun

16:08:56.885 -- EVENT: CONNECTED info='xxxx@xxc.xxx:1194 (xxx.xxx.xxx.xxx) via /TCPv4 on tun/10.0.0.84/ gw=[10.0.0.85/]' trans=TO_CONNECTED

16:09:22.049 -- TUN write error: write_some: Invalid argument

16:09:22.054 -- TUN write error: write_some: Invalid argument

enzain · Tue Jul 02, 2019 4:22 pm

Some routers after upgrade not allow login

Username or password incorrect.

Cha0s · Tue Jul 02, 2019 4:38 pm

Everyone who is experiencing problems with Winbox authorization - we will release a new Winbox loader with a fix for this problem as soon as possible. We are very sorry for any inconvenience caused.

While you are at it, will you fix the interfaces last up/down times on winbox that are in the future?

sindy · Tue Jul 02, 2019 4:39 pm

It is wrong if initiator is remote router.

Can you be more verbose? "initiator" is a role of an IPsec peer, but there is no "initiator/responder" or "client/server" role related to GRE, both ends of the tunnel are sending no matter whether the remote end responds or not and no matter whether a corresponding IPsec policy is available or not, and no matter what is the role of the IPsec peer used by that policy. As there are no ports in GRE, and as the ID field is the same for all packets, an IP.A (local) ->IP.B (remote) packet passing the output chain should create a tracked connection, so a received packet IP.B->IP.A should match "connection-state=established" in the input chain.

Tue Jul 02, 2019 4:54 pm

In terms of connection tracking there will be always the one that initiates/creates (call it whatever you like) new connection. If remote device trying to initiate connection it should not be accepted by "establish/related" rule because connection does not exist yet. That is what happened before the fix.

artem1 · Tue Jul 02, 2019 5:05 pm

After upgrade my CHR on intel with aes-ni to 6.45.1 I see flag "Hardware AEAD" is gray (off) (in IPSEC on installed SA tab).
Before upgrade this flag was shown as enabled (black).
Enc: sha1+aes-cbc128

petern · Tue Jul 02, 2019 5:08 pm

Can you be more verbose? "initiator" is a role of an IPsec peer, but there is no "initiator/responder" or "client/server" role related to GRE, both ends of the tunnel are sending no matter whether the remote end responds or not and no matter whether a corresponding IPsec policy is available or not, and no matter what is the role of the IPsec peer used by that policy. As there are no ports in GRE, and as the ID field is the same for all packets, an IP.A (local) ->IP.B (remote) packet passing the output chain should create a tracked connection, so a received packet IP.B->IP.A should match "connection-state=established" in the input chain.

I think you have it the wrong way around. GRE itself may not have initiator/responder terminology, but connection-tracking does. Thus, if the GRE packet first comes from the remote side, you need to explicitly allow it and not rely on established, as it isn't yet an established connection. I've always used an explicit allow rule for this, as that's how it should work.

Anumrak · Tue Jul 02, 2019 5:19 pm

Hey. What about low capacity of space in hAP lite? Watever I did, it says not enough space. Every time.
Try uninstall additional packages, then update. After update install packages.

This is abnormal behavior. I'll wait for a fix for this.

sindy · Tue Jul 02, 2019 5:36 pm

In terms of connection tracking there will be always the one that initiates/creates (call it whatever you like) new connection. If remote device trying to initiate connection it should not be accepted by "establish/related" rule because connection does not exist yet. That is what happened before the fix.

OK, so I assume you are saying that if the GRE packet comes from outside first (and, logically, doesn't match connection-state=established), no outgoing GRE packet will ever be sent because the local side only responds to connection attempts coming from the remote one inside the GRE tunnel, and the GRE packets carrying these connection attempts get dropped.

What about the GRE keepalives then? I've often created GRE tunnels with no actual payload traffic to use them for minutes and they did come up nevertheless, so I've always thought the keepalive packets are what creates the tracked connection.

nmt1900 · Tue Jul 02, 2019 6:34 pm

nmt1900 - Can you reproduce this problem once more? Actually. sounds that this was simply a coincidence and the problem was caused by something else besides static ARP entries

Router has one bridge with 2 addresses/subnets on it without VLANs and ARP in reply-only mode.

Subnet 1 has DHCP with add-arp-for-leases=yes and it is main subnet with client devices in it.
Subnet 2 has only some other devices in it for testing and static ARP entries for these devices in router's ARP list.

This setup worked without problems before, but now there is a problem:
subnet 1 works OK, devices can access each other and public internet and this subnet can be accessed over incoming VPN connection
subnet 2 cannot be accessed from subnet 1 and devices in subnet 2 cannot access router, subnet 1 or public internet. Devices in it cannot be accessed over incoming VPN connection either. Other Mikrotik devices in subnet 2 can only be accessed by MAC telnet or RoMON when problem is present.

Devices from subnet 2 will regain access after their static ARP entries are removed and added back, but after some time problem comes back - just like ARP entries are aged out, but still existing in list.

Everything works OK, when ARP is set to enabled mode.
If ARP is left to reply-only mode and accept rule (subnet 1 and subnet 2 as both source and destination) is added to forward chain, then it looks like this rule also solves the problem. This was not needed before

Long story got shorter - I moved one device with static address and ARP entry from subnet 2 to subnet 1. For some weird reason additional dynamic ARP entry started popping up with old IP address and it did not went away although IP address did not exist at that time. Then I moved this device back to subnet 2 and only the right ARP entry remained. Problem disappeared after that.

buset1974 · Tue Jul 02, 2019 7:09 pm

i'am having "rebooted without proper shutdown by watchdog timer" again after upgrading to 6.45.1 on CCR-1036-8G-2S+ from 6.44.3
It's has ipv4 and ipv6 running on the routers
We have this kind of issues last years and already fixed and it happen again now, please check my tickets #2018060122002189
Please check what changed on 6.45.1 that caused this happen again.

thx

antonina2 · Tue Jul 02, 2019 7:30 pm

Updated the router to the current version.
After the update, we can not work.

LAN computers behind RB951 cannot connect to PPTP servers.
We stopped work. Help.

P.S. Sorry, I know English very bad.

sindy · Tue Jul 02, 2019 7:33 pm

Updated the router to the current version.
After the update, we can not work. LAN computers behind RB951 cannot connect to PPTP servers.
We stopped work. Help.

P.S. Sorry, I know English very bad.

PPTP uses GRE to transport data. If the PPTP connections seem to be up but no data actually pass through them, look earlier in this thread for the firewall rule necessary to allow GRE to work. As the PPTP clients run on the LAN computers, not on the Mikrotik itself, the rule will have to be effective in the forward chain.

antonina2 · Tue Jul 02, 2019 7:38 pm

PPTP uses GRE to transport data. If the PPTP connections seem to be up but no data actually pass through them, look earlier in this thread for the firewall rule necessary to allow GRE to work. As the PPTP clients run on the LAN computers, not on the Mikrotik itself, the rule will have to be effective in the forward chain.

I tried different rules from this branch, nothing helps. Could you give an example of the rule? Thanks.

1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 5    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

 6    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

 7    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 8    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 9    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

10    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

11    ;;; Drop BOGONS List
      chain=input action=drop src-address-list=BOGONS in-interface-list=WAN log=yes log-prefix=""

sindy · Tue Jul 02, 2019 7:40 pm

Could you give an example of the rule?

/ip firewall filter add chain=forward action=accept protocol=gre src-address=ip.address.of.the.PPTP.server

It must be at the right place in the forward chain. If you're not sure, create a dedicated topic and post the export of your configuration there. See my automatic signature for details.

The rule should be placed between rules 8 and 9 in your /ip firewall filter print above.

And more than that:

as we talk about multiple PPTP servers, you probably need to use src-address-list in the rule, which contains addresses of all the servers, not just a single src-address,
as we talk about the forward chain, you need another rule where the same address-list is used as dst-address-list, as the first packet to be tunneled via GRE may come from either direction.

jsadler · Tue Jul 02, 2019 7:47 pm

I also have the Winbox Login Problem that has been mentioned....

I note that this is ***INTERMITTENT*** and so far it seems to only happen on links with higher latency.

I've upgraded approx 20 devices. This may or may not be a coincidence, however I have noted that devices that are nearby to my location are fine (approx 15) and don't have any login issues. Devices which are far away, eg international, or local but via LTE mobile data links (eg high latency) etc seem to have the issue (5 devices)

I've seen the login issue on CHR, LTAP and CRS, so I don't think it matters which hardware variant you are using.

When my login is failing, if I keep clicking connect in Winbox, it will usually connect after 5 to 10 attempts.

Note that the router logs the invalid connection attempt as a login failure for user xyz with the source IP of the winbox client, but other than that nothing else of interest is logged.

Cheers,
Jono.

petrb · Tue Jul 02, 2019 7:53 pm

DHCPv6 PD with RADIUS not work with dhcp6c in linux/ubnt .... work in 6.44.3. Work with DHCPv6 client with mikrotik. Very simple radius configuration:

744d288d0d1e => Mikrotik DHCPv6 client works (can fail when prefix is changed and release action is not invoked)
f09fc24af7e8 => UBNT/Ubuntu tested linux dhcp6c FAIL - works in 6.44.3

dhcp,error item: radius authentication failed for f09fc24af7e8 ::/60: prefix changed ::/60 -> 2a01:5e0:31:1000::/60

select * from radcheck

f09fc24af7e8      | Auth-Type          | := | Accept 
744d288d0d1e      | Auth-Type          | := | Accept

select * from radreply

f09fc24af7e8      | Delegated-IPv6-Prefix | =  | 2a01:5e0:31:1000::/60
744d288d0d1e      | Delegated-IPv6-Prefix | =  | 2a01:5e0:31:2000::/60

EDIT: main difference between dhcp6 client in MK and other is in receive value "ia_pd prefix" in first solication and compare value with radius. MK client not send "ia_pd prefix". Linux send ::/64(::/60 in my exmaple).

cat /etc/dhcp6c.conf

interface ath0 {
	request domain-name-servers;
	send ia-na 1;
	send ia-pd 1;
	script "/usr/bin/dhcp6c-state";
};

id-assoc na 1 {
};

id-assoc pd 1 {
	prefix ::/60 infinity;
	prefix-interface eth0 {
		sla-id 0;
		sla-len 4;
	};
};

nightcom · Tue Jul 02, 2019 8:21 pm

I see some of you have problems, just to make it more clear below is list of units that I upgraded to 6.45.1 without problems

RB3011UiAS-RM
hex RB750Gr3

Upgraded via Winbox 3.18

mserge · Tue Jul 02, 2019 8:41 pm

Everyone who is experiencing problems with Winbox authorization - we will release a new Winbox loader with a fix for this problem as soon as possible. We are very sorry for any inconvenience caused.

Any news about when will the new winbox be available?

kadety · Tue Jul 02, 2019 8:49 pm

Some routers after upgrade not allow login

Username or password incorrect.

I have the same problem. RB951G

Username or password incorrect.

Does anyone have a solution? Please

antonina2 · Tue Jul 02, 2019 9:10 pm

/ip firewall filter add chain=forward action=accept protocol=gre src-address=ip.address.of.the.PPTP.server

It must be at the right place in the forward chain. If you're not sure, create a dedicated topic and post the export of your configuration there. See my automatic signature for details.

The rule should be placed between rules 8 and 9 in your /ip firewall filter print above.

And more than that:
as we talk about multiple PPTP servers, you probably need to use src-address-list in the rule, which contains addresses of all the servers, not just a single src-address,

as we talk about the forward chain, you need another rule where the same address-list is used as dst-address-list, as the first packet to be tunneled via GRE may come from either direction.

For me it does not work.

Experimentally found out.
We have always been disabled service-port

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

Enabling pptp solved the problem.
Now the clients of the local network can connect to the pptp servers in the Internet.

2mrz & strods
This is a bug, or so it is conceived?
Why does this affect forward pptp?

/ip firewall service-port
set pptp disabled=yes

sindy · Tue Jul 02, 2019 9:43 pm

This is a bug, or so it is conceived?

Please do read the previous posts of this topic. @strods has already explained that a bug (with its own CVE) was the previous behaviour, where incoming GRE was allowed to pass through the firewall even without a corresponding permissive rule in place.

Why does this affect forward pptp?
Code: Select all
/ip firewall service-port
set pptp disabled=yes

It didn't come to my mind you could have the helpers disabled as by default they are enabled, so I was expecting a PPTP helper didn't exist at all, so I've suggested those rules above. My fault.

The whole /ip firewall service-port section deals with cases where communication using one protocol controls establishment of connections which use another protocol. So the firewall analyses the information in the control protocol and creates a connection-tracking record marked with connection-state=related in advance, before the first packet of that "controlled" connection arrives. So in the particular case of PPTP, when a PPTP control session between a client and the server gets established inside a TCP session (port 1723 on server side), the PPTP helper in the firewall prepares a tracked GRE connection between the IP addresses of the client and the server, so the rule action=accept chain=forward connection-state=established,related accepts these packets even though no rule explicitly permitting them exists in the forward chain.

/ip firewall connection-print where protocol~"gre" should show you a connection marked with E in the attributes column, which means Expected, which means connection-state=related.

adonato · Tue Jul 02, 2019 10:07 pm

ludvik - On some specific and very rare case Ethernet interface on TILE routers could lock up. Now this problem is resolved;
ndbjorne, kobuki, smileymattj - Bugfix version (long-term) will be released as soon as possible;
eworm, matiaszon, toxmost, Stanleyssm, wpeople, petrb, lomayani - I recommend that you provide supout file to support@mikrotik.com in order to get more information about the problem that you are experiencing;
pacman88 - CRS3xx switches now can better handle traffic passing through the switch if interface speeds are different;
nmt1900 - Can you reproduce this problem once more? Actually. sounds that this was simply a coincidence and the problem was caused by something else besides static ARP entries;
raystream, nichky, LetMeRepair, proximus, Cha0s, 3bs, Vlad2, sterod, mserge, STEVEUK1, elgrandiegote - We can not seem to reproduce the problem with Winbox login. Can you provide more details? From which version did you upgrade your router? Do you, for example, use RADIUS for Winbox authorisation?
SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);
rifkytech, bleblas, marcperea, mducharme, nerxu, jwilkinson6028 - If you cannot login into your router by using API please make sure that you have updated API authentication script (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
anav - Is this problem related to RouterOS v6.45.1 or this is simply a configuration related question?
OndrejHolas - We will resolve this problem as soon as possible;
markos222 - Currently fix is available only in v6.45. Fix will be backported to long-term versions aswell;
adonato - MIPS and MMIPS are two differnet architectures. Is it RB750 or RB750Gr3? Please name precise model.

Hello I have a RouterBOARD 750G r3

uptime: 14h59m39s
version: 6.44.3 (stable)
build-time: Apr/23/2019 12:37:03
factory-software: 6.36.1
free-memory: 167.8MiB
total-memory: 256.0MiB
cpu: MIPS 1004Kc V2.15
cpu-count: 4
cpu-frequency: 880MHz
cpu-load: 6%
free-hdd-space: 172.0KiB
total-hdd-space: 16.3MiB
write-sect-since-reboot: 146662
write-sect-total: 84183238
bad-blocks: 0%
architecture-name: mmips
board-name: hEX
platform: MikroTik

Sorry, bu Does anyone know what to do??

fmoses · Tue Jul 02, 2019 10:14 pm

After upgrading to 6.45.1 PPPOE Profile bandwidth defaults are not creating simple queues. Radius auth is working but if the radius server does not send Mikrotik-Rate for a user ( meaning use the profiles default settings ) it does not. Only users with a defined Mikrotik-Rate get simple queues created... IE for higher bandwidth packages..

gdemtcev · Tue Jul 02, 2019 10:22 pm

RouterOS version 6.45.1 (2019-Jun-27 10:23) has broken RADIUS PAP auth!!!

We have 500+ clients with Mikrotik devices and 27 june in our RADIUS server we see many errors from Mikrotik devices:

Mon Jul 1 11:04:53 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-FA-92-17-09/XX-XX-FA-92-17-0] (from client internet-network port 2152726528 cli XX:XX::FA:92:17:09)
Mon Jul 1 11:12:29 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-80-DC-6F-96/XX-XX-80-DC-6F-9L1\313\033\\ݍ\351\037\231,\205\201҅\236] (from client internet-network port 2152726529 cli XX:XX::80:DC:6F:96)
Mon Jul 1 11:12:40 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-80-DC-6F-96/XX-XX-80-DC-6F-9\006o\377\255\202[\224>\264\351\3103%xe\234] (from client internet-network port 2152726530 cli XX:XX:80:DC:6F:96)
... and man many many logs ...

After update to 6.45.1 all request from Mikrotik to RADIUS have broken last symbol in password (PAP, plain text)

We reproduce this bug in our office on 5+ devices.

How i can open bug report to this error?

ivanfm · Tue Jul 02, 2019 10:56 pm

RouterOS version 6.45.1 (2019-Jun-27 10:23) has broken RADIUS PAP auth!!!

We have 500+ clients with Mikrotik devices and 27 june in our RADIUS server we see many errors from Mikrotik devices:

Mon Jul 1 11:04:53 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-FA-92-17-09/XX-XX-FA-92-17-0] (from client internet-network port 2152726528 cli XX:XX::FA:92:17:09)
Mon Jul 1 11:12:29 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-80-DC-6F-96/XX-XX-80-DC-6F-9L1\313\033\\ݍ\351\037\231,\205\201҅\236] (from client internet-network port 2152726529 cli XX:XX::80:DC:6F:96)
Mon Jul 1 11:12:40 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-80-DC-6F-96/XX-XX-80-DC-6F-9\006o\377\255\202[\224>\264\351\3103%xe\234] (from client internet-network port 2152726530 cli XX:XX:80:DC:6F:96)
... and man many many logs ...

After update to 6.45.1 all request from Mikrotik to RADIUS have broken last symbol in password (PAP, plain text)

We reproduce this bug in our office on 5+ devices.

How i can open bug report to this error?

This reports should be made by e-mail to support@mikrotik.com .

I have already reported it for hotspot ( #2019070222007151 ) and other person also found same problem in wireless authentication : viewtopic.php?f=19&t=149811

I did not receive any response from my ticket .

OndrejHolas · Tue Jul 02, 2019 10:57 pm

CCR1009, 6.44.3 -> 6.45.1. After upgrade, bonding interface didn't go up. I use two levels of bonding: two low level bonding interfaces, each consisting of two ethernets, bundled to LACP LAG; and one upper level bonding interface, consisting of the two LAGs:

/interface bonding
add mode=802.3ad name=lacp1 slaves=ether5,ether6 transmit-hash-policy=layer-3-and-4
add mode=802.3ad name=lacp2 slaves=ether7,ether8 transmit-hash-policy=layer-3-and-4
add down-delay=1s mode=active-backup name=trunk1 primary=lacp1 slaves=lacp1,lacp2 transmit-hash-policy=layer-2-and-3 up-delay=5s

Up to version 6.44.3 this worked reliably. After upgrade to 6.45.1, the low level bondings (lacp1 and lacp2) go up after boot, but the upper level bonding (trunk1) doesn't notice link change from its slaves and remains down. Disconnecting and reconnecting cables, firmware upgrade, warm and cold reboots, nothing helps.

After disabling and re-enabling upper level bonding interface (/int disa trunk1; /int ena trunk1), it starts to work, including functional failover/failback after link state changes of slaves. Nevertheless, this works only until reboot.

Permanent workaround that worked for me:

/system scheduler
add name="trunk1 fix 6.45.1" on-event=":delay 10s;/int disa trunk1;/int ena trunk1" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup

Submitted to support as Ticket#2019070222008098.

Ondrej

sindy · Tue Jul 02, 2019 11:05 pm

Sorry, bu Does anyone know what to do??

adonato - instead of the package for mipsbe you've tried to install, download the package for mmips which is the architecture of your device as reported by /system resource print.

gdemtcev · Tue Jul 02, 2019 11:11 pm

RouterOS version 6.45.1 (2019-Jun-27 10:23) has broken RADIUS PAP auth!!!

We have 500+ clients with Mikrotik devices and 27 june in our RADIUS server we see many errors from Mikrotik devices:

Mon Jul 1 11:04:53 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-FA-92-17-09/XX-XX-FA-92-17-0] (from client internet-network port 2152726528 cli XX:XX::FA:92:17:09)
Mon Jul 1 11:12:29 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-80-DC-6F-96/XX-XX-80-DC-6F-9L1\313\033\\ݍ\351\037\231,\205\201҅\236] (from client internet-network port 2152726529 cli XX:XX::80:DC:6F:96)
Mon Jul 1 11:12:40 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-80-DC-6F-96/XX-XX-80-DC-6F-9\006o\377\255\202[\224>\264\351\3103%xe\234] (from client internet-network port 2152726530 cli XX:XX:80:DC:6F:96)
... and man many many logs ...

After update to 6.45.1 all request from Mikrotik to RADIUS have broken last symbol in password (PAP, plain text)

We reproduce this bug in our office on 5+ devices.

How i can open bug report to this error?
This reports should be made by e-mail to support@mikrotik.com .

I have already reported it for hotspot ( #2019070222007151 ) and other person also found same problem in wireless authentication : viewtopic.php?f=19&t=149811

I did not receive any response from my ticket .

Already send, twice, but not response yet...(

Panbambaryla · Wed Jul 03, 2019 12:59 am

Upgraded RB4011 from 6.44.3 to 6.45.1 - no issues
Well, actually there is one - the bridge MAC address has changed so the network discovery on Windows must be done again. In my case the bridge MAC addr is the same as for eth7 interface. Interesting what it depends on...
Best
Bam

Well, the bridge MAC address changes with RB4011 WiFI reboot so from time to time you will have to change your Windows network from public to private until it cycles all MAC addresses from your eth interfaces. Mikrotik, could you please explain if it is expected behaviour or rather some side effect of the latest firmware?
Best, Bam

Spirch · Wed Jul 03, 2019 4:16 am

wow 4 pages already, i'm happy to always wait a few days before installing things that can bring down my network or make thing difficult.

people still deploy stuff in mass without testing them?

time to wait a little bit longer and see the evolution of this thread

Xymox · Wed Jul 03, 2019 5:07 am

Upgraded RB4011 from 6.44.3 to 6.45.1 - no issues
Well, actually there is one - the bridge MAC address has changed so the network discovery on Windows must be done again. In my case the bridge MAC addr is the same as for eth7 interface. Interesting what it depends on...
Best
Bam
Well, the bridge MAC address changes with RB4011 WiFI reboot so from time to time you will have to change your Windows network from public to private until it cycles all MAC addresses from your eth interfaces. Mikrotik, could you please explain if it is expected behaviour or rather some side effect of the latest firmware?
Best, Bam

I saw some real weirdness with the 4011.. Maybe the above is part of it. Briefly it was rebooting too. The unit has settled down and I am going to try and downgrade it back to 44.3..

Im running 45.1 on my home CCR and so far it seems fine, but, im just doing a home NAT setup, nothing involved at all.

YEA... Remember everybody, use partitions if your device supports them. Makes for a easy switch back. Before upgrading, copy to and save to a partition. THEN upgrade. You then have a fall back. I would like to be able to pick partitions from the LCD on units that have a LCD..

Wed Jul 03, 2019 7:51 am

spacex - We will look into this problem;
Anumrak - Yes, hAP lite and similar routers are designed to run RouterOS bundle package and can be upgraded without any problems, as long as you do not store anything else on your router that might fill up the storage. If there is not enough space on the disk for upgrades - remove files, limit features that use disk and use separate packages instead of RouterOS bundle package;
boquepasha - Which RouterOS version is installed on the router from which you start MAC Telnet session? Is it at least RouterOS version 6.43?
elgrandiegote, enzain, jsadler, kadety - As mentioned in previous posts, we have already resolved this problem and will release Winbox 3.19 with a fix as soon as possible;
dakotabcn, artem1, petrb, fmoses, Xymox - I recommend that you provide supout file to support@mikrotik.com in order to get more information about the problem that you are experiencing;
Gusse - Can you reproduce this problem once more? Actually, sounds that this was simply a coincidence and the problem was caused by something else;
Cha0s - Unfortunately, this problem is not resolved yet;
mserge - I can not tell you precisely when it will be released, but it will happen as soon as possible (hopefully later today);
adonato - You have not replied which router do you have. Provide the output of the command ":put [/system resource get architecture]". It will tell you which architecture packages you must download in order to upgrade your router;
Panbambaryla - That is why you can set static MAC address on the bridge interface. If it is not set, then the bridge will use MAC address of the first interface which is loaded in RouterOS after a reboot;

Everyone - Please note that MikroTik team provide free support for you if you have a software or hardware related problem. Usually, we reply within three business days (sometimes it might take longer). All of the tickets that you have created will be replied to as soon as possible.

Murmaider · Wed Jul 03, 2019 9:34 am

170 updates and changes and not one BGP improvement...

boquepasha · Wed Jul 03, 2019 9:59 am

That might be the problem, strods. The device from where we were trying to mac-telnet our customer had version 6.42.3. We'll upgrade that device and tell you back with our findings.

petrb · Wed Jul 03, 2019 10:33 am

Supout file was sent to the support. Thanks

NetVicious · Wed Jul 03, 2019 10:39 am

Hi!
As I read before on this thread It seems 6.45.1 has some problem with GRE.
I have some Mikrotik RB450G (call they A, B, C, .....) connected to one RB850Gxx2 (call him as master).

"Master" has one PPTP Server binding for each other (A, B, C).

After upgrading all the devices to 6.45.1, A and C cannot connect to "master" within PPTP, but B was working perfectly.

A, B and C had practically the same configuration.

After trying some changes, I did a downgrade on A and C and it's PPP started to work another time without doing any other change.

I did some screenshots of the logs

Log with 6.45.1 (pptp don't connects)

Log with 6.44.3 (pptp connects correctly)

pe1chl · Wed Jul 03, 2019 11:07 am

As I read before on this thread It seems 6.45.1 has some problem with GRE.

When you do make the effort of reading the topic first and seeing others with the same problem, why don't you go that tiny step further and read the replies that they got (also from MikroTik) about the cause of this "problem with GRE" and how you can solve it other dan by downgrading?

pe1chl · Wed Jul 03, 2019 11:10 am

Upgraded RB4011 from 6.44.3 to 6.45.1 - no issues
Well, actually there is one - the bridge MAC address has changed so the network discovery on Windows must be done again. In my case the bridge MAC addr is the same as for eth7 interface. Interesting what it depends on...
Best
Bam
Well, the bridge MAC address changes with RB4011 WiFI reboot so from time to time you will have to change your Windows network from public to private until it cycles all MAC addresses from your eth interfaces. Mikrotik, could you please explain if it is expected behaviour or rather some side effect of the latest firmware?
Best, Bam

As always, when the MAC address of a bridge is important you should not configure it as "auto mac" but rather set its "admin mac address" manually.
You can just copy and paste the address it has now.

NetVicious · Wed Jul 03, 2019 11:30 am

As I read before on this thread It seems 6.45.1 has some problem with GRE.
When you do make the effort of reading the topic first and seeing others with the same problem, why don't you go that tiny step further and read the replies that they got (also from MikroTik) about the cause of this "problem with GRE" and how you can solve it other dan by downgrading?

Sorry. I did the downgrade as a fast attempt to fix the problem because I had users waiting to connect.
I read the thread after the downgrade.
I will try the temporal fix later when users are not working.

Anumrak · Wed Jul 03, 2019 11:39 am

spacex - We will look into this problem;
Anumrak - Yes, hAP lite and similar routers are designed to run RouterOS bundle package and can be upgraded without any problems, as long as you do not store anything else on your router that might fill up the storage. If there is not enough space on the disk for upgrades - remove files, limit features that use disk and use separate packages instead of RouterOS bundle package;
boquepasha - Which RouterOS version is installed on the router from which you start MAC Telnet session? Is it at least RouterOS version 6.43?
elgrandiegote, enzain, jsadler, kadety - As mentioned in previous posts, we have already resolved this problem and will release Winbox 3.19 with a fix as soon as possible;
dakotabcn, artem1, petrb, fmoses, Xymox - I recommend that you provide supout file to support@mikrotik.com in order to get more information about the problem that you are experiencing;
Gusse - Can you reproduce this problem once more? Actually, sounds that this was simply a coincidence and the problem was caused by something else;
Cha0s - Unfortunately, this problem is not resolved yet;
mserge - I can not tell you precisely when it will be released, but it will happen as soon as possible (hopefully later today);
adonato - You have not replied which router do you have. Provide the output of the command ":put [/system resource get architecture]". It will tell you which architecture packages you must download in order to upgrade your router;
Panbambaryla - That is why you can set static MAC address on the bridge interface. If it is not set, then the bridge will use MAC address of the first interface which is loaded in RouterOS after a reboot;

Everyone - Please note that MikroTik team provide free support for you if you have a software or hardware related problem. Usually, we reply within three business days (sometimes it might take longer). All of the tickets that you have created will be replied to as soon as possible.

There are no files on the flash drive. Why I didn't need to remove other packages in previous upgrades?

Wed Jul 03, 2019 11:40 am

I will try the temporal fix later when users are not working.

Temporary? Please read the topic once again, carefully. This version fixes a bug that allowed GRE to work even when your device was configured improperly. So you do not need to apply a temporary fix, but rather permanently fix your configuration.

NetVicious · Wed Jul 03, 2019 12:11 pm

@andriys. Sorry but I don't saw the official strods post answering a lot of posts of this threads with the info about GRE.

I said temporary fix because I have some RB450G with 6.45.1 running perfectly against a RB850Gx2 with 6.45.1 without any new firewall rule about GRE. That's why I though it's a temporary fix.