Could you give some more info about the exploitability of this? Are all situations where RouterOS parses a DNS packet vulnerable? Eg router used in typical setup - DNS server for LAN and sends queries to the internet (allow-remote-requests=yes) and router used only for local DNS (allow-remote-requests=no)?!) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);
"Simply disabling Winbox mitigates all of these attacks." - i couldn't agree more with this approach.Could you give some more info about the exploitability of this?
Very interesting. I think that is the issue that I had:*) lte - fixed modem not receiving IP configuration when roaming (introduced in v6.45);
This is supposed to fix "ipsec,error Mikrotik: got fatal error: INVALID_SYNTAX"?*) ike2 - fixed phase 1 rekeying (introduced in v6.45);
RouterOS version 6.45.7 has been released in public "stable" channel!
!) package - accept only packages with original filenames (CVE-2019-3976);
!) package - improved package signature verification (CVE-2019-3977);
!) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);
Can`t upgrade to 6.45.7, not enough space to upgrade
how to upgrade?
I couln't agree more."Simply disabling Winbox mitigates all of these attacks." - i couldn't agree more with this approach.
i understand that winbox was a key for many happy current RouterOS users to get acquainted with networking, as for many the CLI still kind of scary, and it is still doing it.
on the other hand, it is hard (if not impossible) to keep all these management interfaces (CLI, webfig, winbox, API) consistent and trouble-free. winbox is a great example for lacking behind in new features. i notoriously disable winbox on each unboxed device, i kept doing this since i laid my hands on the very first RouterOS device i encountered - i never liked to rely on windows, but that's just a personal preference.
I don't despise the existence of GUI tools, i just think that if there's something like winbox, it should rely on a 'standards-based' interface, like the API-SSL. or even based on SSH. i cannot imagine how hard it is to carry out such a drastic change to an existing ecosystem though.
Sigh... who designed this braindead protocol that allows UNAUTHENTICATED USERS to invoke whatever binary they want?! Any programmer could see what a terrible idea this is. It seems the Winbox protocol needs to be scrapped and rebuilt with security in mind from day one rather than band-aid patches for vulnerability after vulnerability.At a high level, “messages” sent to the Winbox port can be routed to different binaries in RouterOS based on an array-based numbering scheme.
+10,000RouterOS without WinBox is like car without seats, it still runs, but it's not enjoyable ride. But it's clear now that it's not good idea to let it be exposed to whole world. I though that it shouldn't be a problem anymore, that MikroTik surely fixed it, to require robust authentication first before allowing to do anything else, but clearly not. Why was that DNS proxy functionality even there?
Yes.This is supposed to fix "ipsec,error Mikrotik: got fatal error: INVALID_SYNTAX"?*) ike2 - fixed phase 1 rekeying (introduced in v6.45);
Works well on all my devices. Thanks Mikrotik for the update!
RouterOS version 6.45.7 has been released in public "stable" channel!
Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.
What's new in 6.45.7 (2019-Oct-24 08:44):
MAJOR CHANGES IN v6.45.7:
----------------------
!) lora - added support for LoRaWAN low-power wide-area network technology for MIPSBE, MMIPS and ARM;
!) package - accept only packages with original filenames (CVE-2019-3976);
!) package - improved package signature verification (CVE-2019-3977);
!) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);
----------------------
Changes in this release:
*) capsman - fixed frequency setting requiring multiple frequencies;
*) capsman - fixed newline character missing on some logging messages;
*) conntrack - properly start manually enabled connection tracking;
*) crs312 - fixed combo SFP port toggling (introduced in v6.44.5);
*) crs3xx - correctly display link rate when 10/100/1000BASE-T SFP modules are used in SFP+ interfaces;
*) crs3xx - fixed management access when using switch rule "new-vlan-priority" property;
*) export - fixed "bootp-support" parameter export;
*) ike2 - fixed phase 1 rekeying (introduced in v6.45);
*) led - fixed default LED configuration for RBLHG5nD;
*) lte - fixed modem not receiving IP configuration when roaming (introduced in v6.45);
*) radius - fixed open socket leak when invalid packet is received (introduced in v6.44);
*) sfp - fixed "sfp-rx-power" value for some transceivers;
*) snmp - improved reliability on SNMP service packet validation;
*) system - improved system stability for devices with AR9342 SoC;
*) winbox - show SFP tab for QSFP interfaces;
*) wireless - added "canada2" regulatory domain information;
*) wireless - improved stability when setting fixed primary and secondary channels on RB4011iGS+5HacQ2HnD-IN;
To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download
If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device
Please keep this forum topic strictly related to this particular RouterOS release.
Yes. Winbox is a reason to use Mikrotik. Fast easy managment without IP setup is a big deal handling problems in the field. Every box needs filtering anyway ...+10,000RouterOS without WinBox is like car without seats, it still runs, but it's not enjoyable ride. But it's clear now that it's not good idea to let it be exposed to whole world. I though that it shouldn't be a problem anymore, that MikroTik surely fixed it, to require robust authentication first before allowing to do anything else, but clearly not. Why was that DNS proxy functionality even there?
Could not agree more
@anavIf I dont use winbox externally and I change the default port to something else, where is the risk from this latest vulnerability?
If I was to use winbox externally via VPN ( IKEv2), where is the risk?
and that risk is huge. people tend to forget, that there is no such thing as "safe network" anymore. in contrary, the network is a constant battlefield, and you & your devices better be prepared to face these challenges. in the good old days, it was like a gun: one side was safe, the other one was dangerous. now the safe side is dangerous as well, admittedly less dangerous based on the rule of scale but still.No need to change winbox default port when using winbox internally -- risk is only from compromised workstations as noted below.
and yet we still have netinstall as a windows only tool. luckily i hardly ever need to use this, but i once considered to reverse engineer it and try to build it with some scripting tools and open source sw so it can be used with unix-like operating systems. if you do stuff on large scale, like commissioning a loads of devices, GUI doesn't scale well. i created my mass provisioning tools to rely on IPv6 & SSH, but still the first step - logging in, enabling ipv6, rebooting the device - is a bit painful. sure it can be scripted - i did it, but having IPv6 enabled right out of the box is just satisfying.Being tied to Windows and specific client versions is just troublesome.
thanks, hap lite upgraded to 6.45.7 first upgrading to 6.43.7 and then to newest oneYou may try downgrade first to an earlier stable version (e.g. 6.43.7) which takes less space on the device and then upgrade to 6.45.7
Guys, please stop it. There is no Mikrotik without a Winbox. Web interface, though comparable in funcitonality, is still not there. Kill Winbox and I am done with MT. Maybe you should ask Cisco and Juniper then, why they are so lame in their GUI tools care. There's more to the security, than just the GUI tools.I couln't agree more."Simply disabling Winbox mitigates all of these attacks." - i couldn't agree more with this approach.
i understand that winbox was a key for many happy current RouterOS users to get acquainted with networking, as for many the CLI still kind of scary, and it is still doing it.
on the other hand, it is hard (if not impossible) to keep all these management interfaces (CLI, webfig, winbox, API) consistent and trouble-free. winbox is a great example for lacking behind in new features. i notoriously disable winbox on each unboxed device, i kept doing this since i laid my hands on the very first RouterOS device i encountered - i never liked to rely on windows, but that's just a personal preference.
I don't despise the existence of GUI tools, i just think that if there's something like winbox, it should rely on a 'standards-based' interface, like the API-SSL. or even based on SSH. i cannot imagine how hard it is to carry out such a drastic change to an existing ecosystem though.
Being tied to Windows and specific client versions is just troublesome. You don't see Cisco & Juniper putting much effort on GUI clients for their stuff (altough it exists).
He give points the command to download the file himself. Why are some points (hAP AC + HEX poe) updated without any problems, while others (RB951G+ hEX/RB3011) write that they can't find the file?When doing CAP upgrades via CAPsMAN, you have to manually upload needed packages to the place configured in /caps-man manager ... in particular properties package-path= and upgrade-policy= (that's a directory on CAPsMAN device itself, I don't know if it's possible to set it to some external resource). CAP won't search for upgrade packages on usual internet sources.
It looks like those scenarios are not really vulnerable. The only risk is allowing others than the admin access to the Winbox port (8291).Could you give some more info about the exploitability of this? Are all situations where RouterOS parses a DNS packet vulnerable? Eg router used in typical setup - DNS server for LAN and sends queries to the internet (allow-remote-requests=yes) and router used only for local DNS (allow-remote-requests=no)?!) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);
Why are some points (hAP AC + HEX poe) updated without any problems, while others (RB951G+ hEX/RB3011) write that they can't find the file?
Wow! Thank you for that information!mkx
The mentioned devices are not all the same architecture: hAP AC and hEX PoE are both MIPSBE, so it is RB951G, but hEX (the current one - RB750Gr3) is MMIPS and RB3011 is ARM. All in all that's 3 distinct sets of files that you have to provide.
don't want to turn the thread into a flame war. i agree, a lot of people need GUI, a lot of people love the look&feel of winbox, sure thing. not like i'd have the power or the will to take away your tools. in some parts winbox app is directly responsible for the popularity of RouterOS because it made the 'mystic networking stuff' accessible for the masses.Guys, please stop it. There is no Mikrotik without a Winbox. Web interface, though comparable in funcitonality, is still not there. Kill Winbox and I am done with MT.
Well, winbox could of course use API to do what it is doing now... no idea why a separate protocol is used for this, it could be that it is more efficient, it could be due to history.my point was merely to kill the "winbox protocol" and rather move the communication stack of the "well known and beloved" GUI tool over API or SSH. the convenient point-and-click thingie could remain there forever in unchanged visual format, given the large and loyal user base.
if it is documented - like SSH and API are - others can build similar GUI tools for different operating systems, and you would not need to rely on emulation/virtual machines just to have access to your device from a non windows environment. the protocol winbox uses is basically a black box, researchers are reverse engineering it with more or less success.
jacekes Should be fixed now.
Sunlight, flameproof Please send supout.rif file to support@mikrotik.com
maryaadmins Check if addresses are not given out by the Cisco router. In most cases, your described issue is caused by another DHCP server in your network.
Can you be more verbose regarding what you refer to? 6.45.4 is a factory-only release, and all your other posts refer to BGP. IPsec is important for me so I am really interested in the details.When will be fixed that Ipsec tunnels hung up?
Yes, after deeper monitoring i became to conclusion that BGP failure coming from Ipsec Hung up. When its happens next time I ll sent suppout.rifCan you be more verbose regarding what you refer to? 6.45.4 is a factory-only release, and all your other posts refer to BGP. IPsec is important for me so I am really interested in the details.When will be fixed that Ipsec tunnels hung up?
Other than that, have you sent the related supout.rif to support@mikrotik.com? Developers cannot resolve an issue they cannot reproduce.
That statement gives no details regarding what actually happens and what IPsec configuration you use - there are many possible variants of IPsec configuration and only some of them may be affected. You may want to open a dedicated topic and post a network diagram and anonymized configuration exports there.after deeper monitoring i became to conclusion that BGP failure coming from Ipsec Hung up. When its happens next time I ll sent suppout.rif
It happens again, I sent suppout.rif to support email. This problem starts after v6.45.3. I use Gre over ipsec with BGP routing.That statement gives no details regarding what actually happens and what IPsec configuration you use - there are many possible variants of IPsec configuration and only some of them may be affected. You may want to open a dedicated topic and post a network diagram and anonymized configuration exports there.after deeper monitoring i became to conclusion that BGP failure coming from Ipsec Hung up. When its happens next time I ll sent suppout.rif
Can you post the peer configuration and profile and policy proposal you use? E.g. IKE(v1) and IKEv2 are very different internally. Also, GRE has problems of its own, I had problems with startup of GRE over IPsec if the tunnel was enabled before the firewall rules were set up at both ends.I use Gre over ipsec with BGP routing.
The problem was resolved with /interface wireless reset-configuration wlan1,wlan2Sunlight, flameproof Please send supout.rif file to support@mikrotik.com
/interface wireless security-profiles
set [ find default=yes ] disable-pmkid=yes eap-methods="" \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
management-protection=allowed mode=dynamic-keys name=Net \
supplicant-identity="" wpa2-pre-shared-key=********
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
management-protection=allowed mode=dynamic-keys name=Smart \
supplicant-identity="" wpa2-pre-shared-key=********
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80/160mhz-Ceeeeeee disabled=no frequency-mode=superchannel \
installation=indoor mac-address=76:4D:28:5A:9C:74 mode=ap-bridge name=\
wlan1-net2-5G security-profile=Net ssid=Net_5G \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-b/g/n disabled=no installation=\
indoor mac-address=76:4D:28:5A:9C:76 mode=ap-bridge name=wlan2-net1-2G \
security-profile=Net ssid=Net tx-power=30 tx-power-mode=\
all-rates-fixed wireless-protocol=802.11 wmm-support=enabled wps-mode=\
disabled
add keepalive-frames=disabled mac-address=76:4D:28:5A:9C:75 master-interface=\
wlan1-net2-5G multicast-buffering=disabled name=wlan1-net1-5G \
security-profile=Net ssid=Net wds-cost-range=0 wds-default-cost=0 \
wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=86:25:19:1A:1E:82 \
master-interface=wlan2-net1-2G multicast-buffering=disabled name=\
wlan2-smart-2G security-profile=Smart ssid=Smart \
wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled
may be you dont like Winbox that your opiniondon't want to turn the thread into a flame war. i agree, a lot of people need GUI, a lot of people love the look&feel of winbox, sure thing. not like i'd have the power or the will to take away your tools. in some parts winbox app is directly responsible for the popularity of RouterOS because it made the 'mystic networking stuff' accessible for the masses.Guys, please stop it. There is no Mikrotik without a Winbox. Web interface, though comparable in funcitonality, is still not there. Kill Winbox and I am done with MT.
my point was merely to kill the "winbox protocol" and rather move the communication stack of the "well known and beloved" GUI tool over API or SSH. the convenient point-and-click thingie could remain there forever in unchanged visual format, given the large and loyal user base.
if it is documented - like SSH and API are - others can build similar GUI tools for different operating systems, and you would not need to rely on emulation/virtual machines just to have access to your device from a non windows environment. the protocol winbox uses is basically a black box, researchers are reverse engineering it with more or less success.
but i'm just stating my opinion, that's all.
:resolve $hostname server=$NS
:resolve $hostname server=$NS"
What architecture? I've just tested that on my arm (hAP ac²) and there is no issue:On 6.45.7:
Most probably a bug in new version.
Thanks for your insight.What architecture? I've just tested that on my arm (hAP ac²) and there is no issue:On 6.45.7:
Most probably a bug in new version.
[me@MyTik] > system script print where name~"test"
Flags: I - invalid
0 name="test" owner="me" policy=read,write,test dont-require-permissions=no last-started=nov/05/2019 18:10:19 run-count=3
source=local dnsServer 9.9.9.9 ; put [resolve nationalgeographic.com server=$dnsServer]
[me@MyTik] > system script run test
23.60.72.183
I even ran the script while logged as different user than the script owner, still doing fine.
We have a similar problem. IKEv2 with pre-shared-key and xauth is no longer supported after 6.43.16. Most likely, that's the reason you were left with an incomplete setup after upgrading.Had an issue upgrading from 6.43.12 directly to 6.45.7 on a single RB1100AHx4 - the information in /ip ipsec peer wasn't properly split into the /ip ipsec peer and /ip ipsec identity parts, the latter was missing completely. In 6.43.12, auth-method pre-shared-key and pre-shared-key-xauth were used together with exchange-mode=ike2. Upgrade of another RB1100AHx4 from 6.43.16 didn't suffer from this issue, neither did an upgrade of CHRs from 6.43.7, 6.43.8 and 6.43.16.
It's actually not as bad as it seems, but as it is not directly related to 6.45.7, please open a new topic in General like "how to migrate a ike2 pre-shared-key-xauth setup beyond 6.43 with the minimum level of stress", I'll respond there.Most likely, that's the reason you were left with an incomplete setup after upgrading.
...
As we have hundreds of devices with this setting, we cannot upgrade from 6.43.16 without destroying our ipsec setup.
in 6.45.7,the “resolve” command can't work with AAAA records,it returns “not enough permissions (9)”,please fix itRouterOS version 6.45.7 has been released in public "stable" channel!
Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.
What's new in 6.45.7 (2019-Oct-24 08:44):
MAJOR CHANGES IN v6.45.7:
----------------------
!) lora - added support for LoRaWAN low-power wide-area network technology for MIPSBE, MMIPS and ARM;
!) package - accept only packages with original filenames (CVE-2019-3976);
!) package - improved package signature verification (CVE-2019-3977);
!) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);
----------------------
Changes in this release:
*) capsman - fixed frequency setting requiring multiple frequencies;
*) capsman - fixed newline character missing on some logging messages;
*) conntrack - properly start manually enabled connection tracking;
*) crs312 - fixed combo SFP port toggling (introduced in v6.44.5);
*) crs3xx - correctly display link rate when 10/100/1000BASE-T SFP modules are used in SFP+ interfaces;
*) crs3xx - fixed management access when using switch rule "new-vlan-priority" property;
*) export - fixed "bootp-support" parameter export;
*) ike2 - fixed phase 1 rekeying (introduced in v6.45);
*) led - fixed default LED configuration for RBLHG5nD;
*) lte - fixed modem not receiving IP configuration when roaming (introduced in v6.45);
*) radius - fixed open socket leak when invalid packet is received (introduced in v6.44);
*) sfp - fixed "sfp-rx-power" value for some transceivers;
*) snmp - improved reliability on SNMP service packet validation;
*) system - improved system stability for devices with AR9342 SoC;
*) winbox - show SFP tab for QSFP interfaces;
*) wireless - added "canada2" regulatory domain information;
*) wireless - improved stability when setting fixed primary and secondary channels on RB4011iGS+5HacQ2HnD-IN;
To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download
If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device
Please keep this forum topic strictly related to this particular RouterOS release.
This is the same issue as this:On 6.43.11:
I have a script containing the following command:I set "read, write, test" permission on this script, run without errorCode: Select all:resolve $hostname server=$NS
On 6.45.7:
When the same script run into the commandit caused the "not enough permissions (9)" error.Code: Select all:resolve $hostname server=$NS"
When I remove the portion "server=$NS", it runs normally.
I tried to remove all permission setting, add all permission setting, and even added "Don't Require Permissions", all in vain.
Most probably a bug in new version.
Which I am also seeing:in 6.45.7,the “resolve” command can't work with AAAA records,it returns “not enough permissions (9)”,please fix it
:put [:resolve ipv6.google.com]
2607:f8b0:4004:810::200e
:put [:resolve ipv6.google.com]
not enough permissions (9)
Same thing here on CCR1072. Updated to 6.45.7 (both routerboard and ROS), and it happened after 20 hours. The IPsec tunnel was still up, but no traffic was passing. The solution was to hit "Kill Connections" on the Active Peers tab. The IPsec tunnel is Aes-128-cbc encrypted (IKE2 exchange mode), with ecp384 DH group. Previously happened on 6.45.3 as well.When will be fixed that Ipsec tunnels hung up? It starts from 6.45.4 and continues. Helps only clear connection.
Please spawn a dedicated topic and provide the complete IPsec configuration there (proposals, peer profiles, identities - everything may matter, just use hide-sensitive while exporting to keep your keys secret, and obfuscate the public IP addresses following the hint in my automatic signature below). If the other peer is not a Mikrotik, describe what it is and provide its configuration too if you have access to it. 20 hours is a weird time interval, as it doesn't match any of the default lifetimes - the phase 1 lifetime is typically 24h whereas the phase 2 lifetime is typically 30m. So if it is not some memory leak, it looks like an unsuccessful phase2 renegotiation, which is an issue which existed in IKEv2 in early 6.43 versions if I remember well. It was easy to spot if you had access to both ends - the ephemeral enc-key values of the installed-sa with the same spi value were different between the peers. If you lose access to the remote peer once this happens and can afford it, just give it 30 minutes and see whether it eventually recovers. Back then, it was happening randomly, not at all peers at the same time.Same thing here on CCR1072. Updated to 6.45.7 (both routerboard and ROS), and it happened after 20 hours. The IPsec tunnel was still up, but no traffic was passing. The solution was to hit "Kill Connections" on the Active Peers tab. The IPsec tunnel is Aes-128-cbc encrypted (IKE2 exchange mode), with ecp384 DH group. Previously happened on 6.45.3 as well.When will be fixed that Ipsec tunnels hung up? It starts from 6.45.4 and continues. Helps only clear connection.
The tunnel was down for 1h 21minutes by the time I killed the connection, so it does not recover after 30 minutes. I am not opening a dedicated topic, as there were many reports in previous versions for similar issues with IPsec, this is nothing new. I can create a supout if it happens again, but to be fair, this is relatively infrequent. We are usually noticing this after a SW upgrade and/or outage, that IPsec tunnels are not recovering, or going down after a couple hours of operation.Please spawn a dedicated topic and provide the complete IPsec configuration there (proposals, peer profiles, identities - everything may matter, just use hide-sensitive while exporting to keep your keys secret, and obfuscate the public IP addresses following the hint in my automatic signature below). If the other peer is not a Mikrotik, describe what it is and provide its configuration too if you have access to it. 20 hours is a weird time interval, as it doesn't match any of the default lifetimes - the phase 1 lifetime is typically 24h whereas the phase 2 lifetime is typically 30m. So if it is not some memory leak, it looks like an unsuccessful phase2 renegotiation, which is an issue which existed in IKEv2 in early 6.43 versions if I remember well. It was easy to spot if you had access to both ends - the ephemeral enc-key values of the installed-sa with the same spi value were different between the peers. If you lose access to the remote peer once this happens and can afford it, just give it 30 minutes and see whether it eventually recovers. Back then, it was happening randomly, not at all peers at the same time.
Are you saying that only the first negotiation of the tunnel after each upgrade fails, and once you resolve it the way you've described, it then runs well ever until the next upgrade?We are usually noticing this after a SW upgrade and/or outage, that IPsec tunnels are not recovering, or going down after a couple hours of operation.
I have the same problem. I have some dozens of routers and more than half of them can not register in DDNS after upgrade to 6.45.7Hi, I did an RB upgrade to the 6.45.7 version and from that moment the DDNS Cloud, to reach the RB remotely, no longer works. The public address is not tracked.
Having a dynamic public ip, I need to solve the problem. How can I do?
Thanks
[ak@RO-20] >/ip cloud export terse
# nov/14/2019 01:49:13 by RouterOS 6.45.7
# model = RouterBOARD 750G r3
/ip cloud set ddns-enabled=yes update-time=no
[ak@RO-20] >/ip cloud print
ddns-enabled: yes
ddns-update-interval: none
update-time: no
status: updating...
/ip firewall filter
add action=drop chain=forward dst-address=192.168.0.0/16 src-address=192.168.1.224/27
In default configuration ether2 and ether3 are both ports of the same bridge. So if the laptop and the computer both have a netmask of /24 (or shorter) in their IP configuration, they send packets to each other directly, not via the Mikrotik as an IP gateway, so the packets never get to the /ip firewall filter unless you'd force that by telling the bridge to force frames through the IP firewall and disabling hardware-accelerated forwarding.firewall not work.
the computer is connected to ether 2 (IP: 192.168.1.100), the laptop is connected to ether 3 ((IP: 192.168.1.251).
I turned off acceleration forwarding. And i am use Firewall (see pic).disabling hardware-accelerated forwarding.
/interface bridge port set [find] hw=noI turned off acceleration forwarding. And i am use Firewall (see pic).
Now everything worked. Thanks/interface bridge port set [find] hw=noI turned off acceleration forwarding. And i am use Firewall (see pic).
is the way to disable hardware-accelerated forwarding (accelerated by the switch chip, so the frames don't even get to the CPU so that it could push them through the ip firewall).
But first of all, you should prefer routing when policing the communication among devices on your LAN, and second, this is definitely nothing specific to 6.45.7.
See if rebooting the router doesn't fix the issue.Today morning my CCR1009 suddenly stopped responding to snmp requests.
Seems that all snmp related settings are gone. No changes were made recently.
An export of /snmp never finishes.
update??This is the same issue as this:On 6.43.11:
I have a script containing the following command:I set "read, write, test" permission on this script, run without errorCode: Select all:resolve $hostname server=$NS
On 6.45.7:
When the same script run into the commandit caused the "not enough permissions (9)" error.Code: Select all:resolve $hostname server=$NS"
When I remove the portion "server=$NS", it runs normally.
I tried to remove all permission setting, add all permission setting, and even added "Don't Require Permissions", all in vain.
Most probably a bug in new version.
Which I am also seeing:in 6.45.7,the “resolve” command can't work with AAAA records,it returns “not enough permissions (9)”,please fix it
CHR running v6.45.6:CHR running 6.45.7:Code: Select all:put [:resolve ipv6.google.com] 2607:f8b0:4004:810::200e
This also happens on arm arch. where just before an upgrade it worked.Code: Select all:put [:resolve ipv6.google.com] not enough permissions (9)
This is the same issue as this:On 6.43.11:
I have a script containing the following command:I set "read, write, test" permission on this script, run without errorCode: Select all:resolve $hostname server=$NS
On 6.45.7:
When the same script run into the commandit caused the "not enough permissions (9)" error.Code: Select all:resolve $hostname server=$NS"
When I remove the portion "server=$NS", it runs normally.
I tried to remove all permission setting, add all permission setting, and even added "Don't Require Permissions", all in vain.
Most probably a bug in new version.
Which I am also seeing:in 6.45.7,the “resolve” command can't work with AAAA records,it returns “not enough permissions (9)”,please fix it
CHR running v6.45.6:CHR running 6.45.7:Code: Select all:put [:resolve ipv6.google.com] 2607:f8b0:4004:810::200e
This also happens on arm arch. where just before an upgrade it worked.Code: Select all:put [:resolve ipv6.google.com] not enough permissions (9)
Yes hotspot is still broken, need to install long term version.Is the hotspot still broken on anything over 6.44.6?
Same device, similar time, same problem - my RB1100AH4x with 6.45.7 was unexectedly rebooted after 21 days of running without any problems.RB1100AH4x 6.45.7
nothing special in my configuration. just few firewall rules.
"Router was rebooted after proper shutdown"
Happens now 2 times after 7 and 21 days of running
Really long uptimes i only got with the 6.44.xx
-faxxe
I think it could be due to change in the external IP, or even release of the current one due to problems in the DHCP renegotiation, you could look for dhcp messages in logs. I'm assuming that you get an IP through some sort of dhcp. I used to have a connection when in Germany where the provider would change the ip every day or so between 7-9am, which broke all my connections.Is there any known reason why (what looks like) all NAT stops working in 6.45.7 after a few hours?
Where do I even start yo debug this?