So make sure you're allowing GRE before dropping invalid connections.*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
You are right, the problem is in GRE state matching, but why EoIP tunnels is in invalid connection state now?Isn't EoIP using GRE?
So make sure you're allowing GRE before dropping invalid connections.*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
It is enough to lay out the full list of changes v6.44.5 relative to 6.43.16 long-termkarlisi, it is hard to judge about proper and improper ways for changelogs syntax. However, we will try to improve it for the next versions, thank you for the report.
Try using Mozilla Firefox to download a netinstall 6.44.5The [netinstall-6.44.5.zip] seems corrupted, please confirm ..thanks
https://download.mikrotik.com/routeros/6.44.5/netinstall-6.44.5.zip
confirmFile from 159.148.147.204 is corrupted.
https://159.148.172.226/routeros/6.44.5 ... 6.44.5.zip seems ok.
Your image is corruptedconfirmFile from 159.148.147.204 is corrupted.
https://159.148.172.226/routeros/6.44.5 ... 6.44.5.zip seems ok.
correctedYour image is corrupted
Now it's encrypted in cyrilliccorrectedYour image is corrupted
Exactly!It is enough to lay out the full list of changes v6.44.5 relative to 6.43.16 long-term
EoIP is based on GRE RFC 1701You are right, the problem is in GRE state matching, but why EoIP tunnels is in invalid connection state now?Isn't EoIP using GRE?
So make sure you're allowing GRE before dropping invalid connections.*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
How did you download these packages: manually, fetch or another method? Can you reproduce it or it happened once?More download issues to add to above : Dude and x86 server packages are also 0 bytes.
People fly into space.How do you guys propose we make such a changelog? This is the long term branch, where releases are very rare, and the jumps are very big.
Imagine there could be 15 fixes, new bugs, fixes again, then the feature could be already removed, then a new one added, removed again, and then a new feature made and fixed.
Listing fixes for non existing feature would be useless.
You are not posting the full list of changes.I don't fly into space, though
there is a feeling that the gentlemen are changing wheels on the go. In the future, this method may tear off your hands.You are not posting the full list of changes.I don't fly into space, though
Are you serious? OK, I'll explain. List only changes from last long-term release. List fixes to features which exist in latest long-term release. Skip fetaures and fixes added and then removed in between. And, yes, it takes some time. You know, there's a big secret - on every long-term release we, your customers, are reading all changelogs in all branches, consolidate them, in fact, we are doing your job.How do you guys propose we make such a changelog? This is the long term branch, where releases are very rare, and the jumps are very big.
Imagine there could be 15 fixes, new bugs, fixes again, then the feature could be already removed, then a new one added, removed again, and then a new feature made and fixed.
Listing fixes for non existing feature would be useless.
Yup, we have had the same problem spread across our network affecting EoIP PPTP tunnels. As above we have disabled the drop input invalid rule as a work around.EoIP is based on GRE RFC 1701You are right, the problem is in GRE state matching, but why EoIP tunnels is in invalid connection state now?Isn't EoIP using GRE?
So make sure you're allowing GRE before dropping invalid connections.*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
Let's cool down on the changelog topic.
IMHO this is just another matter of communication. Just add a note to the changelog: A new stable release moved to long-term. For full changelog see changes up to version 6.44.3.
At least this is a first step and clarifies what changes can be expected in changelog.
It's about this sentence? For long-term channel there are no other intermediate releases, only long-term. Similarly as for stable channel there is no beta releases. Changelogs should be written accordingly. IMHO.Every changelog must contain all changes and fixes from previous same channel release, not from previous release by number.
Well, that info can be useful also: you know what parts of OS were officially touched, so you can pay more attention into testing them Just my 2c.Imagine there could be 15 fixes, new bugs, fixes again, then the feature could be already removed, then a new one added, removed again, and then a new feature made and fixed.
Listing fixes for non existing feature would be useless.
You have set strong-crypto=yes? I think it depends on that setting.I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.
Yes, it's just a small bugfix release then.Can I migrate my router from 6.44 Stable to Long term without worrying about configuration?
Yes strong-crypto=yes was already set.You have set strong-crypto=yes? I think it depends on that setting.I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.
So i also can go from 6.44.3 (stable) to 6.44.5 (LT) without any major changes/problems ?Yes, it's just a small bugfix release then.Can I migrate my router from 6.44 Stable to Long term without worrying about configuration?
You can review the changes for 6.44.4 and 6.44.5 to determine if any of them will affect you?So i also can go from 6.44.3 (stable) to 6.44.5 (LT) without any major changes/problems ?
Yes, i know, but RouterOS knows my EoIP settings and for him these appropriate GRE packets MUST NOT be in invalid state. Please fix that.EoIP is based on GRE RFC 1701You are right, the problem is in GRE state matching, but why EoIP tunnels is in invalid connection state now?Isn't EoIP using GRE?
So make sure you're allowing GRE before dropping invalid connections.*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
Was it "Upgrading on the edge" by Aerosmith?
Jump from 6.40 directly to 6.45 .... you are brave man. Have you read changelogs in the 6.41?
Can't you connect via ssh but using administrative user name?
I connect to manage routers with ssh using an rsa ssh key. SSH stong-crypto is set to yes. I upgraded a remote test router from 6.43.16 long-term to 6.44.5 long-term.
It allows me to make a connection using Putty as usual, the connection terminal window displays correctly. But when I try to manage the router through ssh port tunnel (redirect) to winbox or telnet it disconnects the ssh session with this error:
Strange packet received: type 82
The firmware was not upgraded to 6.44.5 because I could never reconnect to do it (user with ssh permissions is limited to just ssh, so management has to be through a redirected winbox or telnet unless there is a way to change users inside the ssh console window).
My Winbox is 3.19. If there is a change in the changelog that explains this problem I don't see it.
Realistically though, the introduction then removal of a feature in "stable" prior to moving to "long-term" is unlikely to occur often. It's supposed to be "stable".How do you guys propose we make such a changelog? This is the long term branch, where releases are very rare, and the jumps are very big.
Imagine there could be 15 fixes, new bugs, fixes again, then the feature could be already removed, then a new one added, removed again, and then a new feature made and fixed.
Listing fixes for non existing feature would be useless.
This exactly what long-term branch is:I wish the "long-term" channel would only have releases with bugfixes and security fixes, not a bunch of new features and underlying changes that need to be tested before I can apply the update to fix a security vulnerability. IMO, "long-term" channel should stay in 6.43.x branch and just receive fixes for at least 1 year, preferably more.
So why was 6.44 pushed to long-term if all we needed were a few Linux kernel fixes? I remember "long-term" channel going from 6.42 to 6.43 not long ago.This exactly what long-term branch is:I wish the "long-term" channel would only have releases with bugfixes and security fixes, not a bunch of new features and underlying changes that need to be tested before I can apply the update to fix a security vulnerability. IMO, "long-term" channel should stay in 6.43.x branch and just receive fixes for at least 1 year, preferably more.
https://wiki.mikrotik.com/wiki/Manual:U ... _numbering
Cause previous version became stable enough?So why was 6.44 pushed to long-term if all we needed were a few Linux kernel fixes? I remember "long-term" channel going from 6.42 to 6.43 not long ago.This exactly what long-term branch is:I wish the "long-term" channel would only have releases with bugfixes and security fixes, not a bunch of new features and underlying changes that need to be tested before I can apply the update to fix a security vulnerability. IMO, "long-term" channel should stay in 6.43.x branch and just receive fixes for at least 1 year, preferably more.
https://wiki.mikrotik.com/wiki/Manual:U ... _numbering
Upgrading to 6.44.5 (and possibly prior 6.44.x releases) does bonkers things to the SSH settings, in particular:
If strong-crypto=yes then allow-none-crypto=no is added - AFAIK this is fixed in the latest beta.
Pertinent to your situation forwarding-enabled=remote is added - IIRC this has been mentioned in previous threads that forwarding-enabled=both, or at least forwarding-enabled=local, would be a better choice on upgrade.
FYI we have tested this on our devices - DHCP relay is working fine for us on 6.44.5.I got problem with dhcp-relay , after upgrade my client cannot get address.
Now I downgrade to version 6.43.16 it work fine.
Does the beginning of /log print show anything after reboot with the new package downloaded? Typical reasons are .npk for a wrong architecture or a mythical malware preventing upgrade to protect itself.I can't update 6.43.16 to 6.44.5. Don't know why.
It's show me after reboot. Sent from my Redmi Note 5 using TapatalkDoes the beginning of /log print show anything after reboot with the new package downloaded? Typical reasons are .npk for a wrong architecture or a mythical malware preventing upgrade to protect itself.I can't update 6.43.16 to 6.44.5. Don't know why.
Thanks sir, it's working. Best wishes for you.So the router tells you that it cannot install an enabled package (security) because it requires another package (dhcp) to work. It's not a nonsense - since 6.44, IKEv2 (from the security package) responder responds to DHCPINFORM messages from Windows clients which explains the dependency. So enable the dhcp package before upgrade and you should be good.
We saw something similar on a CCR1036 when upgrading from v6.43.12 to v6.44.5. What is strange is that we upgraded another CCR1036 from v6.43.12 to v6.44.5 before that which has very similar config (BGP, MPLS, EoIP) but saw no issues. Could only log into the device via mac-telnet and when checking routing table we saw it populate and then completely disappear. Had to factory reset, downgrade to v6.43.12 then restore from backup file.44.5 caused Mipse and CCR's to port flap.. I'm not sure why, but when we go to 44.3 it stops..
Going to 445 or above, including the latest BETA crashed an entire leg of our network. Ports were flapping that had nothing plugged in to them, and some where BH's were and it would just flap OSPF constantly to the point I couldn't change settings or keep a winbox open.. Going to 44.3 fixed this issue.
It was very bad.
I was able to downgrade back to 44.3 and the problem went away. But, some other routers didn't seem to act the same way as the two that were totally freaking out either. I even went so far as to try the latest Beta to see if it stopped and it acted the exact same. Ports that weren't even part of OSPF were flapping like mad. Then other ports that were part of OSPF and BH's were flapping also. Which of course screwed up an entire leg of our network. It was very very bad.. 44.3 instantly fixed that issue. SOMETHING IS BROKEN PAST 44.3. I don't know what it is, but it is for sure.We saw something similar on a CCR1036 when upgrading from v6.43.12 to v6.44.5. What is strange is that we upgraded another CCR1036 from v6.43.12 to v6.44.5 before that which has very similar config (BGP, MPLS, EoIP) but saw no issues. Could only log into the device via mac-telnet and when checking routing table we saw it populate and then completely disappear. Had to factory reset, downgrade to v6.43.12 then restore from backup file.44.5 caused Mipse and CCR's to port flap.. I'm not sure why, but when we go to 44.3 it stops..
Going to 445 or above, including the latest BETA crashed an entire leg of our network. Ports were flapping that had nothing plugged in to them, and some where BH's were and it would just flap OSPF constantly to the point I couldn't change settings or keep a winbox open.. Going to 44.3 fixed this issue.
It was very bad.
Oh it's okay. I already found the solution.I got error "TLS Failed" on Mikrotik OVPN client when enabling the verify-server-certificate. Can tell me what is the reason? When disabled, my Mikrotik OVPN client can connect without problem. I have been reading the mikrotik wiki on https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN but nothing mention on the "verify-server-certificate", it has not been update is not it?
Updated some CCRs with OSPF and BGP and do not see this problem. Must be specific to your config/installation.I was able to downgrade back to 44.3 and the problem went away. But, some other routers didn't seem to act the same way as the two that were totally freaking out either. I even went so far as to try the latest Beta to see if it stopped and it acted the exact same. Ports that weren't even part of OSPF were flapping like mad. Then other ports that were part of OSPF and BH's were flapping also. Which of course screwed up an entire leg of our network. It was very very bad.. 44.3 instantly fixed that issue. SOMETHING IS BROKEN PAST 44.3. I don't know what it is, but it is for sure.We saw something similar on a CCR1036 when upgrading from v6.43.12 to v6.44.5. What is strange is that we upgraded another CCR1036 from v6.43.12 to v6.44.5 before that which has very similar config (BGP, MPLS, EoIP) but saw no issues. Could only log into the device via mac-telnet and when checking routing table we saw it populate and then completely disappear. Had to factory reset, downgrade to v6.43.12 then restore from backup file.44.5 caused Mipse and CCR's to port flap.. I'm not sure why, but when we go to 44.3 it stops..
Going to 445 or above, including the latest BETA crashed an entire leg of our network. Ports were flapping that had nothing plugged in to them, and some where BH's were and it would just flap OSPF constantly to the point I couldn't change settings or keep a winbox open.. Going to 44.3 fixed this issue.
It was very bad.
Yeah, that's a lot of help..Updated some CCRs with OSPF and BGP and do not see this problem. Must be specific to your config/installation.I was able to downgrade back to 44.3 and the problem went away. But, some other routers didn't seem to act the same way as the two that were totally freaking out either. I even went so far as to try the latest Beta to see if it stopped and it acted the exact same. Ports that weren't even part of OSPF were flapping like mad. Then other ports that were part of OSPF and BH's were flapping also. Which of course screwed up an entire leg of our network. It was very very bad.. 44.3 instantly fixed that issue. SOMETHING IS BROKEN PAST 44.3. I don't know what it is, but it is for sure.We saw something similar on a CCR1036 when upgrading from v6.43.12 to v6.44.5. What is strange is that we upgraded another CCR1036 from v6.43.12 to v6.44.5 before that which has very similar config (BGP, MPLS, EoIP) but saw no issues. Could only log into the device via mac-telnet and when checking routing table we saw it populate and then completely disappear. Had to factory reset, downgrade to v6.43.12 then restore from backup file.44.5 caused Mipse and CCR's to port flap.. I'm not sure why, but when we go to 44.3 it stops..
Going to 445 or above, including the latest BETA crashed an entire leg of our network. Ports were flapping that had nothing plugged in to them, and some where BH's were and it would just flap OSPF constantly to the point I couldn't change settings or keep a winbox open.. Going to 44.3 fixed this issue.
It was very bad.
For us it has always had this behavior (from when we started using it at around 6.35.x onward) - if a customer is assigned a static remote address for PPP (through RADIUS for example) it doesn't get tracked in pool usage so the same address can be given to another customer.Updateing to 6.44.5 brings a problem with PPOE Server. Using a Remote Address in PPP Secret which is from a pool this address is not reserved/blocked. So PPPOE-Server uses this IP twice. Hard to find the problem as pings alway go through from the server side but customers complain like mad. So the static IP has to be removed from the pool.
I hop from long term to long term and reduce updates where possible. Still got burnt with such changes. I read the changelog carefully but ... I am really tired with complaining customers.For us it has always had this behavior (from when we started using it at around 6.35.x onward) - if a customer is assigned a static remote address for PPP (through RADIUS for example) it doesn't get tracked in pool usage so the same address can be given to another customer.Updateing to 6.44.5 brings a problem with PPOE Server. Using a Remote Address in PPP Secret which is from a pool this address is not reserved/blocked. So PPPOE-Server uses this IP twice. Hard to find the problem as pings alway go through from the server side but customers complain like mad. So the static IP has to be removed from the pool.
well at least it pass the record instead of do nothing like before, now wish they can fully implement itAFAIK only "support" for DNSSEC in RouterOS is when you ask its resolver for DNSSEC-related records, it will ask upstream resolver and if it gets them from there, it will pass them on. But it's nothing special, any resolver that's not horribly broken does that.
Same problem to me
I have several cAPlite, wAP, wAPac. No any problem with wifi.has anyone had any wireless problems with cAP (RBcAPGi-5acD2nD) and 6.44.5? After upgrading from the great 6.43.16 (I didn't know about the devices for like a year) to 6.44.5, I started to receive complaints from users. I don't see anything in logs or monitoring, but users say internet drops for a while, or the wifi(s) disappear totally for a short while.
I have like 100 of them and it is not a single complaint, there probably are some other non-Mikrotik factors involved in this, but anyway - 6.43.16 seems rock solid to me compared to 6.44.5,, has anyone experienced this too?
--- /nova/logs/panic0.log
v6.44.5 Jul/04/2019 10:32:21 at 2019.10.26-18:28:20
fffffff7000f3b68 out_of_memory+0x388/0x878 (sp 0xfffffe407c26f9a0)
<3> frame 3: 0xfffffff7000f98d8 __alloc_pages_nodemask+0x900/0xad8 (sp 0xfffffe407c26fa40)
<3> frame 4: 0xfffffff7000f1a80 filemap_fault+0x3e0/0x690 (sp 0xfffffe407c26fb80)
<3> frame 5: 0xfffffff70011a348 __do_fault+0x128/0x848 (sp 0xfffffe407c26fc08)
<3> frame 6: 0xfffffff70011e128 handle_pte_fault+0x278/0x1838 (sp 0xfffffe407c26fca0)
<3> frame 7: 0xfffffff7000391f0 do_page_fault+0x760/0xc48 (sp 0xfffffe407c26fd30)
<3> frame 8: 0xfffffff70051ff60 handle_interrupt+0x288/0x2a8 (sp 0xfffffe407c26fdc0)
<3> <interrupt 7 while in user mode>
<3> frame 9: 0x26380 0x26380 (sp 0x7fcdf838)
<3>Stack dump stopped; next frame identical to this one
<3>Stack dump complete
<4>------------[ cut here ]------------
<4>WARNING: at /home/build/6.44.5/kernel/linux6/arch/tile/kernel/smp.c:239 smp_send_reschedule+0x70/0xb8()
<3>
<3>Starting stack dump of tid 0, pid 0 (swapper/9) on cpu 9 at cycle 56482214520
<3> frame 0: 0xfffffff70051fc00 dump_stack+0x0/0x20 (sp 0xfffffe007cd6f5c8)
<3> frame 1: 0xfffffff70004ca08 warn_slowpath_common+0xe0/0x190 (sp 0xfffffe007cd6f5c8)
<3> frame 2: 0xfffffff700033338 smp_send_reschedule+0x70/0xb8 (sp 0xfffffe007cd6f608)
<3> frame 3: 0xfffffff700093990 try_to_wake_up+0x490/0x560 (sp 0xfffffe007cd6f620)
<3> frame 4: 0xfffffff70007fa10 autoremove_wake_function+0x28/0x90 (sp 0xfffffe007cd6f688)
<3> frame 5: 0xfffffff70008bb58 __wake_up_common+0xa8/0x130 (sp 0xfffffe007cd6f6a0)
<3> frame 6: 0xfffffff70008c198 __wake_up+0x70/0xb8 (sp 0xfffffe007cd6f6f0)
<3> frame 7: 0xfffffff7000f95b8 __alloc_pages_nodemask+0x5e0/0xad8 (sp 0xfffffe007cd6f730)
<3> frame 8: 0xfffffff70014a3e0 new_slab+0x1d0/0x598 (sp 0xfffffe007cd6f870)
<3> frame 9: 0xfffffff70051be40 __slab_alloc+0x388/0x8b8 (sp 0xfffffe007cd6f8c0)
<3> frame 10: 0xfffffff70014d358 kmem_cache_alloc_node+0x90/0x208 (sp 0xfffffe007cd6f9b8)
<3> frame 11: 0xfffffff7101f4288 fast_path_update_stats+0x898/0x1028 [packet_hook@0xfffffff7101f0000] (sp 0xfffffe007cd6f9e0)
<3> frame 12: 0xfffffff7101f2b08 fast_path_rx_noinvalidate_nostats+0xa8/0x740 [packet_hook@0xfffffff7101f0000] (sp 0xfffffe007cd6fa38)
<3> frame 13: 0xfffffff7101f86b0 fp_ipv4_exit+0x348/0x958 [packet_hook@0xfffffff7101f0000] (sp 0xfffffe007cd6fa98)
<3> frame 14: 0xfffffff7101f2b08 fast_path_rx_noinvalidate_nostats+0xa8/0x740 [packet_hook@0xfffffff7101f0000] (sp 0xfffffe007cd6fab0)
<3> frame 15: 0xfffffff710ee7f20 0xfffffff710ee7f20 [tilegx@0xfffffff710ee0000] (sp 0xfffffe007cd6fb10)
<3> frame 16: 0xfffffff700418668 net_rx_action+0x2f0/0x3f0 (sp 0xfffffe007cd6fb98)
<3> frame 17: 0xfffffff700057d38 __do_softirq+0x228/0x380 (sp 0xfffffe007cd6fc30)
<3> frame 18: 0xfffffff7000582c8 do_softirq+0xc8/0x140 (sp 0xfffffe007cd6fcd0)
<3> frame 19: 0xfffffff700058878 irq_exit+0xe8/0x170 (sp 0xfffffe007cd6fce8)
<3> frame 20: 0xfffffff700026f28 tile_dev_intr+0x1e8/0x248 (sp 0xfffffe007cd6fcf8)
<3> frame 21: 0xfffffff70051ff60 handle_interrupt+0x288/0x2a8 (sp 0xfffffe007cd6fd40)
<3> <interrupt 29 while in kernel mode>
<3> frame 22: 0xfffffff70051fcc0 _cpu_idle_nap+0x0/0x18 (sp 0xfffffe007cd6ffa0)
<3> frame 23: 0xfffffff700029bb8 cpu_idle+0x340/0x420 (sp 0xfffffe007cd6ffa0)
<3>Stack dump complete
<4>---[ end trace 7b8d6a88c8c57a65 ]---
<0>BUG: soft lockup - CPU#30 stuck for 22s! [loader:315]