Don't forget to update the Security blog. During writing this the blog has not been updated.*) security - fixed vulnerability for routers with default password (limited to Wireless Wire), admin could login on startup with empty password before default configuration script was fully loaded;
[admin@switch] > sy pa up do
channel: stable
installed-version: 6.46.1
latest-version: 6.46.2
status: Downloaded, please reboot router to upgrade it
[admin@switch] > file print
# NAME TYPE SIZE CREATION-TIME
0 skins directory jan/01/1970 02:00:09
Is MikroTīkls transforming into MikroĀbols or what is the motivation of introducing hidden files?the downloaded files are no longer visible in /files section when using Package Updater
LeftyTs, the downloaded files are no longer visible in /files section when using Package Updater. You can still reboot the device and it will upgrade. Or use /sys pac upd cancel to free the storage.
About this... does manual upgrade/downgrade (uploading files + reboot) work as before?System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle.
Yes, it was under 6.46. Although not particularly mentioning that files are now hidden. There were a few improvements in package updater.
Maybe you need to give us more description regarding your changing. if you didn't give us more info about downloaded files,from here can we get that?
*) upgrade - improved auto package updating using "check-for-updates";
System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle.
That is just plain silly!System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle.
This is very bad idea! It's extremely important to check that all required packages were downloaded correctly before update. Missing packages may result in completely inaccessible router.System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle.
That is just plain silly!System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle.
Now when I check for new version and click Download, or after uploading files using FTP, I cannot even check if the files were loaded completely before doing a reboot!
Please undo this change, it serves no useful purpose and has many disadvantages.
+++ I totally agree with pe1chl, macsrwe and r00t. Please revert it back!That is just plain silly!System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle.
Now when I check for new version and click Download, or after uploading files using FTP, I cannot even check if the files were loaded completely before doing a reboot!
Please undo this change, it serves no useful purpose and has many disadvantages.
Agreed. Our network runs a complicated script to automatically upgrade units only to releases that have passed our testing and been made available on an internal server. The script takes pains to ensure that all files have been downloaded completely before automatically rebooting. Now it appears that you have introduced an unadvertised change that will cause the script to fail. (Ironically, this is a second order effect, because at the same time you also broke /system upgrade entirely so that they cannot even begin to execute.) This change has no obvious benefit to users, while actively impeding them (both scripts and humans) from ensuring that an upgrade Is complete and correct before installation reboot.
Please revert this change.
mikrotikExperimentalModule MODULE-IDENTITY
LAST-UPDATED "201807310000Z"
REVISION "201807310000Z"
Agree. Please revert it back.+++ I totally agree with pe1chl, macsrwe and r00t. Please revert it back!Please revert this change.Please undo this change, it serves no useful purpose and has many disadvantages.System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle.
+1That is just plain silly!System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle.
Now when I check for new version and click Download, or after uploading files using FTP, I cannot even check if the files were loaded completely before doing a reboot!
Please undo this change, it serves no useful purpose and has many disadvantages.
Or just revert it back to how it was...or use other more reliable ways.
For one, it is not a good thing that there can be files in the user visible Files area that are hidden. You wrote before that system files always were hidden, but they do not exist in that same directory, don't they? The location of the system files is different from the user files area.Can anyone post reasonable reason why it's important?
Verification that file is downloaded is plain strange. If you don't trust the auto-upgrade mechanism, use Fetch, or use other more reliable ways.
++++++++++Agree. Please revert it back.+++ I totally agree with pe1chl, macsrwe and r00t. Please revert it back!Please revert this change.Please undo this change, it serves no useful purpose and has many disadvantages.System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle.
I'll turn the question around, could you provide a good reason why they should to be hidden? I'm not seeing it. One of the things I like about Mikrotik, is the control it gives me. This just obscures that control.Can anyone post reasonable reason why it's important?
Verification that file is downloaded is plain strange. If you don't trust the auto-upgrade mechanism, use Fetch, or use other more reliable ways.
Certainly.Can anyone post reasonable reason why it's important?
Verification that file is downloaded is plain strange. If you don't trust the auto-upgrade mechanism, use Fetch, or use other more reliable ways.
Because such changes (non-cosmetic, without clear reason) are introduced without warning. BTW there is unmet side effect. Usually after ROS upgrade I uploaded additional packages to CAPsMAN for another platforms, to remote upgrade CAPs, storing them in file root. Till now these packages survived reboots, now they are gone. Sure, will store them in subfolders (should I mention the "easy" way to create folders in RouterOS?). And, I am sure, no word in changelog about this "improvement" when stable will turn in long-termCan anyone post reasonable reason why it's important?
There will be no leftovers, on reboot they delete all npk files in file root. Only these in subfolders will be intact.3) If actual upgrade at reboot fails (due to missing packages or whatever), how does the admin know what packages are leftover in Files, and how does he remove them if Files is going to pretend to him that they don't exist?
Can anyone post reasonable reason why it's important? Verification that file is downloaded is plain strange.
On any device where reliability is important, auto-update can't be trusted. It will happily download incomplete packages, leave some missing and then just update system. If your access depends on some package that doesn't get installed for some reason, like wireless, you are screwed. If it's just an CPE or SOHO router, you have to annoy the customer and you have to invest your time to fix it. But it could be far worse if it's antenna somewhere up on tower where you can't just go and hold the reset button. You may need permit to do so, or special equipment or just have to wait for better weather.Can anyone post reasonable reason why it's important?
Verification that file is downloaded is plain strange. If you don't trust the auto-upgrade mechanism, use Fetch, or use other more reliable ways.
Imagine that I sent the wrong upgrade package, and want to remove it. How? I can't boot the router - it will install it!Can anyone post reasonable reason why it's important?
Verification that file is downloaded is plain strange. If you don't trust the auto-upgrade mechanism, use Fetch, or use other more reliable ways.
Sometimes I just get the files from the mikrotik.com download section, collecting the main package and some optional packages, then I FTP the whole thing to the router and reboot. This is in fact the only way to add one or more optional packages. Of course after doing the FTP I first list the Files section to see if it all went well. Our network sometimes can be slow and unreliable, and the transfer may fail. That now does not work anymore, I checked, so I cannot check if all files were transferred.
[admin@3p_DUT_Audience] /file> print
# NAME TYPE SIZE CREATION-TIME
..
18 routeros-7.0beta4-ar... package 11.3MiB jan/21/2020 09:48:50
..
Ok I checked that by taking a test router which was updated to 6.46.2 and switching it to "testing" channel and then checking for new version. Then I clicked Download and nothing was visible, then I switched back to "stable" channel but I realized that there now was nothing I can do to avoid installation of this testing version on the next reboot!Sometimes I just get the files from the mikrotik.com download section, collecting the main package and some optional packages, then I FTP the whole thing to the router and reboot. This is in fact the only way to add one or more optional packages. Of course after doing the FTP I first list the Files section to see if it all went well. Our network sometimes can be slow and unreliable, and the transfer may fail. That now does not work anymore, I checked, so I cannot check if all files were transferred.
File uploaded by FTP is visible in files sectionCode: Select all[admin@3p_DUT_Audience] /file> print # NAME TYPE SIZE CREATION-TIME .. 18 routeros-7.0beta4-ar... package 11.3MiB jan/21/2020 09:48:50 ..
emils wrote thatOk I checked that by taking a test router which was updated to 6.46.2 and switching it to "testing" channel and then checking for new version. Then I clicked Download and nothing was visible, then I switched back to "stable" channel but I realized that there now was nothing I can do to avoid installation of this testing version on the next reboot!
/sys pac upd cancel
What it was before the upgrade? 10 minutes is default value.detect one problem of all mikrotik device, after update:
"DCHP lease time" parameter arbitrarily changed its value 10 min ( 10:00)
its NORMAL?
Maybe you had it set lower than that? This often causes problems.detect one problem of all mikrotik device, after update:
"DCHP lease time" parameter arbitrarily changed its value 10 min ( 10:00)
its NORMAL?
SNMP related problem with CRS328-4C-20S-4S+ and combo ports. If combo ports´ copper port is used SNMP shows notPresent(6) although copper port is physically up and traffic flows.
...
When I plug SFP in combo3 and use the copper port, then correct port status is reported. Correct status is also reported when only combo´s SFP port is used.
/interface ethernet monitor combo1
;;; # Transit Provider A
name: combo1
status: link-ok
auto-negotiation: done
rate: 1Gbps
full-duplex: yes
tx-flow-control: no
rx-flow-control: no
advertising: 10M-full,100M-full,1000M-full
link-partner-advertising: 10M-full,100M-full,1000M-full
combo-state: copper
sfp-module-present: no
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "combo1"
iso.3.6.1.2.1.2.2.1.8.2 = INTEGER: 6 <--- ifOperStatus:notPresent(6) , but should be up(1)
emils wrote thatOk I checked that by taking a test router which was updated to 6.46.2 and switching it to "testing" channel and then checking for new version. Then I clicked Download and nothing was visible, then I switched back to "stable" channel but I realized that there now was nothing I can do to avoid installation of this testing version on the next reboot!frees the storage. Possibly the same happens when channel is switched?Code: Select all/sys pac upd cancel
Would make sense at least.
On the other hand there has been demand for a feature to automatically update RouterOS in case of vulnerabilities, preferably enabled by default and using a separate channel that only updates when there is a real reason to do so, not just track the "stable" release. Of course the sysop can disable it when he does not like this and wants to take the responsability to update, but at least all the careless users that never update their router will remain safe.MikroTik has been asked point blank to justify this change by citing any advantage at all, and they have completely avoided answering the question. Certainly they cannot justify it on the basis of user demand, because I have seen no one demand it.
This started to happen with all RouterOS versions from 6.45 to current stable releases.But when WinSCP queries the server for a target of those links, the server returns an error.
I believe it's a server-side problem.
Exactly!I'll turn the question around, could you provide a good reason why they should to be hidden? I'm not seeing it. One of the things I like about Mikrotik, is the control it gives me. This just obscures that control.Can anyone post reasonable reason why it's important?
Verification that file is downloaded is plain strange. If you don't trust the auto-upgrade mechanism, use Fetch, or use other more reliable ways.
Going this way, you'll soon start asking to remove Quick Set from default packageWe are not office secretaries, we are techs, and we want to see what we are actually doing!
Quickset doesn't bother me at all, what bothers me is not being able to see what I need to seeGoing this way, you'll soon start asking to remove Quick Set from default packageWe are not office secretaries, we are techs, and we want to see what we are actually doing!
Going this way, you'll soon start asking to remove Quick Set from default packageWe are not office secretaries, we are techs, and we want to see what we are actually doing!
I have asked that before (or at least some option to make it read-only) but it is obvious that requests made on the forum are a low priority for MikroTik.Going this way, you'll soon start asking to remove Quick Set from default packageWe are not office secretaries, we are techs, and we want to see what we are actually doing!
Strods,Why packages are downloaded in a different directory? - If there are other .npk files under the "Files" menu, then upgrade will fail
What to do, if I want to cancel upgrade? - Use "/system package update cancel" feature
What to do if I want to verify packages after download? - First of all, how do you verify? Nobody has answered this question so far. Also, RouterOS on reboot firstly checks if packages are correct and if not, then they are not installed and you get a "broken package" error.
What to do if I do not like a new method? - Use fetch tool instead
What to do, if I want to cancel upgrade? - Use "/system package update cancel" feature
What to do if I do not like a new method? - Use fetch tool instead
IMHO half of complaints would be eliminated, if there would be text in File window status bar, like "RouterOS package 6.45.8 downloaded, please reboot to install" or smth. like that, and button 'Delete packages' in the same window.Regarding verification of packages after download, this is of course about actually seeing the file in /file. That is not the same as doing a hash check or something, but that is not what this is about
UseWhat to do if I do not realize there is an upgrade present that needs to be cancelled, because I can't see it, and therefore fail to cancel it?What to do, if I want to cancel upgrade? - Use "/system package update cancel" feature
/system package update print
Does RouterOS now first verify that a complete set of update packages is available (matching the currently installed set of packages, and all of them correct) before it begins applying them one by one?What to do if I want to verify packages after download? - First of all, how do you verify? Nobody has answered this question so far. Also, RouterOS on reboot firstly checks if packages are correct and if not, then they are not installed and you get a "broken package" error.
State of pending update with list of packages that will be updated on next reboot has to be clearly visible. Both in winbox and console, maybe even as a warning on user login. Because most admins will just check files, see no NPK files and conclude no updating will happen on reboot.What to do, if I want to cancel upgrade? - Use "/system package update cancel" feature
There are two issues that may happen during auto-update:What to do if I want to verify packages after download? - First of all, how do you verify? Nobody has answered this question so far. Also, RouterOS on reboot firstly checks if
packages are correct and if not, then they are not installed and you get a "broken package" error.
It would be nice when there was an option in the dir listing to "show md5 sums" for the files listed. But now that this is not available, I merely look(ed) at file sizes.Simply download NPK files from router to PC and compare file checksums. That's the only way to be sure what router downloaded is not corrupted.
"Our" problem is that the subset of users who gather here on the forum is only a small subset of users to which MikroTik sell equipment.Pride comes before a fall. Companies much larger than MikroTik have had to learn this valuable lesson. One more time ... please hire a Product Manager who understands your users.
Cisco offers the verify command. I think mikrotik should at very least have an equivalent checksum of the downloaded package. Even with that though, I want to see the file 100% of the time.Why packages are downloaded in a different directory? - If there are other .npk files under the "Files" menu, then upgrade will fail
What to do if I want to verify packages after download? - First of all, how do you verify? Nobody has answered this question so far. Also, RouterOS on reboot firstly checks if packages are correct and if not, then they are not installed and you get a "broken package" error.
Pride comes before a fall. Companies much larger than MikroTik have had to learn this valuable lesson. One more time ... please hire a Product Manager who understands your users.
You are probably right in your analysis about "our" share of the customer base.
"Our" problem is that the subset of users who gather here on the forum is only a small subset of users to which MikroTik sell equipment.
Of course they are the tech savvy users who get MikroTik to get things done the cannot get done on equipment from other manufacturers in the same market segment by salesprice, and for which they do not want to spend 4 times at much at another company (which then wants even more money to receive firmware updates and access to a supportdesk).
But likely they sell 10 times more equipment via sales channels that reach customers without any such wishes, or with wishes that are satisfied by features like Kid Control and Detect Internet, and by products like Audience.
So we can ask for update transparency or IPv6 support as much as we want, we will be at the bottom of the list compared to users who ask for "products that perform a function out of the box".
(still I don't understand why something like "automatically update vulnerable products" is not covered by this)
And please finally retire the Tile architecture. It's a dead horse. There are much better architectures out there noawadays.
While there probably should be no new products (other than maybe some enhance model e.g. a dual PSU option for an existing device, like there was most recent) I surely hope that the Tile architecture will be supported in RouterOS for some time to come, so we don't have to retire the CCR1009s that work so well.And please finally retire the Tile architecture. It's a dead horse. There are much better architectures out there noawadays.
This is not only Apple-style, the same we see in MS products, and some others. IMHO, Mikrotik should decide if they will go home user or IT pros direction (or both, separating the product lines also in software). As for now it seems like (at least in software) Mikrotik wants to go for SOHO as potentially larger market, not eliminating IT pros. In result no one gets what he needs.P.S. All the "verification is a useless step", "we know better" answers are really ābols-style and it's sad to see that MikroTik has started going in this direction (a direction that is not very appreciated by IT people who might be a very notable share of current MikroTik users/customers).
+++++++Have you not read the above answers to your questions? Since I see repetition of the same flawed arguments.
1. looking at files is not verification
2. RouterOS does internal verification that is much better than looking with your eyes
3. if you want to do some advanced checksum operations, you still have Fetch tool available
all of this was offered above
Normis,Have you not read the above answers to your questions? Since I see repetition of the same flawed arguments.
1. looking at files is not verification
2. RouterOS does internal verification that is much better than looking with your eyes
3. if you want to do some advanced checksum operations, you still have Fetch tool available
all of this was offered above
Because you dont need it. You dont need access to Kernel, you dont need access to Filesystem. I hope mikrotik will never Listen to guys like you. This will Not improve the OS.[
Normis,
Can you please tell us:
What is the reason for hiding the files?
Note that update packages up/downloaded to the router are not system files, are not kernel files, or anyway other special files.Because you dont need it. You dont need access to Kernel, you dont need access to Filesystem. I hope mikrotik will never Listen to guys like you. This will Not improve the OS.[
Normis,
Can you please tell us:
What is the reason for hiding the files?
+1Note that update packages up/downloaded to the router are not system files, are not kernel files, or anyway other special files.Because you dont need it. You dont need access to Kernel, you dont need access to Filesystem. I hope mikrotik will never Listen to guys like you. This will Not improve the OS.[
Normis,
Can you please tell us:
What is the reason for hiding the files?
Most of the confusion has arisen from the fact that initially it was suspected that the files are now hidden (because of .npk extension), but still were loaded to the same location.
Later it turned out that the truth is that now the internal updater downloads the files to a DIFFERENT location, and of course this is not visible because no other files than the publicly visible Files section are visible.
This makes it a bit more reasonable, but still I think the system should offer the option to see what is in that download area, e.g. you click on a button and it shows a list of packages that has been downloaded, which version that is, and if the checksums are OK.
With that addition it would be fine, preferably when done in such a way that the result (version and status) can also be queried in a custom automatic upgrade script, so you can decide if it is safe to issue the reboot command or not.
Any chance we could PLEASE get the PSU1 and PSU2 OID for the CRS112-8P-4S. They are visible in Winbox and /system health but no OID - only temperatureThanks @schadom, @R1st0.
We will try to fix SNMP reporting for combo interfaces in the next RouterOS version.
It's unchecked/disabled on my 6.45.7 hAP ac2 and I'm pretty sure this is default setting. So either you had it disabled prior to upgrade as well and enabling option does not affect your problem (clearing ARP cache probably did it) ... or you actually had it enabled previously for some good reason and you actually found a bug in upgrade procedure.However when the Mikrotik came back up, for some reason it had disabled/unchecked the "Add ARP for Leases" setting in dhcp server.
Thanks for reply.I checked several routers and I do not see a memory leak. There is some increase in use roughly during the first day of uptime (like shown in your graphs) and then it stabilizes.
In one router that does a lot of NAT there is memory usage varying by time, it increases during peak hours but falls back to normal after that.
Maybe you have some problem with DoS or other resource exhaustion specific to your network, e.g. due to attackers or "people having fun".
It is not advisable to make that big upgrade step when you have IPsec configured. As already written, IPsec has been changed quite a lot between those versions.CCR1009 upgrade from 6.42.2 to 6.46.2
All IPSec tunnels are works with strange notification in Policies about Peer's column as "unknown" or in CLI as "peer not set".
I have objection to upgrade process, not to a new way of configuration. I not import config from old to latest version.Policies have become bound to peers at least since 6.45 if not 6.44. That's nothing to claim as a bug, it is an intended change.
Can you please include some information on how the dependencies of packages are processed during update (which packages depend on which packages - what is the dependency graph? can different installed packages have different versions? what will happen if updates for only some installed packages are uploaded to router? what will happen if update of a package is uploaded, but updates for its dependencies are not uploaded? etc.) in the wiki page (or the new documentation system)?Have you not read the above answers to your questions? Since I see repetition of the same flawed arguments.
1. looking at files is not verification
2. RouterOS does internal verification that is much better than looking with your eyes
3. if you want to do some advanced checksum operations, you still have Fetch tool available
all of this was offered above
My router just suddenly rebooted again.Today I've updated my hAP ac^2 from 6.44.6 to 6.46.2 (including firmware) and after a couple of hours, I've got a sudden router reboot.
Honestly, I can't remember such reboots at all (though I try to avoid beta versions).
My router has a pretty basic setup (default firewall + 2xWAN PCC balancing). Log says "router was rebooted without proper shutdown". What should I suspect & do?
You have not answered the questions in post #69 viewtopic.php?p=771370#p771370 :Have you not read the above answers to your questions? Since I see repetition of the same flawed arguments.
1. looking at files is not verification
2. RouterOS does internal verification that is much better than looking with your eyes
3. if you want to do some advanced checksum operations, you still have Fetch tool available
all of this was offered above
This still leaves us rebooting multiple times if something fails. It's not acceptable to us. We need to know when it reboots it will be upgraded. For us, not having a verify command/some way to checksum before the reboot is a deal breaker.Auto upgrader will not try to install if at least one package is missing or not finished downloading.
I think there are special conditions where this is (or was?) not true. As said earlier... My LTE router managed to update with missing wireless package at least twice.Auto upgrader will not try to install if at least one package is missing or not finished downloading.
But this all boils down to the question: "Is there any good reason for hiding the files?"
And the answer is definitely "no", at least MT has not come up with one single reason yet, apart from "the system files are hidden an now the upgrade files follow that path too" which sounds like a politician's answer...
with this release very strong@dg1kwa - please keep this forum topic strictly related to this particular RouterOS release.
MDB entries do timeout after a while if no membership reports are received, see "membership-interval" property. Make sure you have some device that acts as an IGMP querier. Otherwise, create a new forum thread or report to the support portal.
[altmsizo@hAPac2] > /system resource print
uptime: 3d23h33m50s
version: 6.46.2 (stable)
build-time: Jan/14/2020 07:17:12
factory-software: 6.43.10
free-memory: 71.0MiB
total-memory: 128.0MiB
cpu: ARMv7
cpu-count: 4
cpu-frequency: 716MHz
cpu-load: 1%
free-hdd-space: 2132.0KiB
total-hdd-space: 15.3MiB
write-sect-since-reboot: 968
write-sect-total: 968
bad-blocks: 0%
architecture-name: arm
board-name: hAP ac^2
platform: MikroTik
About that downgrading thing - there's usually a reason why other manufacturers may sometimes limit downgradeability. The fact, that you just can upload npk file of any older version and simply press downgrade button to have all blanked passwords in result is everything but normal - even if warning is issued everywhere in changelogs...But this all boils down to the question: "Is there any good reason for hiding the files?"
And the answer is definitely "no", at least MT has not come up with one single reason yet, apart from "the system files are hidden an now the upgrade files follow that path too" which sounds like a politician's answer...
Repeated refusal to even acknowledge this question leads me to suspect that answer is somewhere in here. It just smells right.
It appears to be some form of "phone home". It could be the "new IPcloud" thing, I normally always disable that but there are some routers not under my control in the network that could have it enabled.It lloks that after latest update that /ip neighbor dicovery is enabled on wan port
i have flood on udp 5678 from Mikrotik devices all around the world
one of them is 159.148.147.229
route: 159.148.147.0/24
org: ORG-MA140-RIPE
descr: MIKROTIKLS
origin: AS51894
mnt-by: AS2588-MNT
created: 2010-11-29T08:32:40Z
last-modified: 2019-07-08T12:13:46Z
source: RIPE
b/r goran
Is there a problem with the auto upgrade via different source on version 6.46.1?
I added a package source, which is a different mikrotik to manage what OS I want to be installed onto my routerboards.
All my tests work with previous versions of routerOS, but as soon as I hit 6.46.1, it would seem to stop working.
I loaded 4.46.2 on my "package source router", but the mikrotik doing the auto upgrade does not see the package.
I wanted to implement my auto upgrade scripts this week and now before my deployment I did a quick final test with the newest routerOS and just does not work.
Now I'm scared to do the deployment on 100's of mikrotiks as newest version is not working.(upgrading in my scenario).