v6.48 [stable] is released!

emils · Wed Dec 23, 2020 12:01 pm

RouterOS version 6.48 has been released in public "stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.48 (2020-Dec-22 11:20):

*) arm - added support for automatic CPU frequency stepping for IPQ4018/IPQ4019 devices;
*) arm - improved system stability;
*) arm - improved watchdog and kernel panic reporting in log after reboots on IPQ4018/IPQ4019 devices;
*) arm64 - improved reboot reason reporting in log;
*) bgp - fixed VPNV4 RD byte order;
*) bonding - added LACP monitoring;
*) branding - fixed LCD logo loading from new style branding package;
*) bridge - added "multicast-router" monitoring value for bridge interface;
*) bridge - added fixes and improvements for IGMP and MLD snooping;
*) bridge - added minor fixes and improvements for IGMP snooping with HW offloading;
*) bridge - added warning message when port is disabled by the BPDU guard;
*) bridge - allow to exclude interfaces from extended ports;
*) bridge - automatically remove extended interfaces when deleting PE device from CB;
*) bridge - correctly filter packets by L2MTU size;
*) bridge - correctly remove dynamic VLAN assignment for bridge ports;
*) bridge - fixed "multicast-router" setting on bridge enable;
*) bridge - fixed MDB entry removal when using bridge port "fast-leave" property;
*) bridge - fixed dynamic VLAN assignment when changing port "frame-type" property (introduced in v6.46);
*) bridge - fixed dynamic VLAN assignment when changing port to tagged VLAN member;
*) bridge - fixed link-local multicast forwarding when IGMP snooping and HW offloading is enabled;
*) bridge - fixed local MAC address removal from host table when deleting bridge interface;
*) bridge - fixed multicast table printing;
*) bridge - improved BPDU guard logging;
*) bridge - increased multicast table size to 4K entries;
*) bridge - show "H" flag for extended bridge ports;
*) bridge - show error when switch do not support controlling bridge or port extension;
*) bridge - use "frame-types=admit-all" by default for extended bridge ports;
*) cap - fixed L2MTU setting from CAPsMAN;
*) certificate - clear challenge password on renew;
*) certificate - fixed CRL URL length limit;
*) certificate - fixed private key verification for CA certificate during signing process;
*) certificate - generate CRL even when CRL URL not specified;
*) certificate - properly flush expired SCEP OTP entries;
*) chr - fixed SSH key import on Azure;
*) chr - fixed VLAN tagged packet transmit on bridge for Hyper-V installations;
*) chr - improved interface loading on startup on XEN;
*) chr - improved system stability when changing flow control settings on e1000;
*) cloud - improved backup generation process;
*) conntrack - automatically reduce connection tracking timeouts when table is full;
*) console - allow "once" parameter for bonding monitoring;
*) crs3xx - added initial Bridge Port Extender support;
*) crs3xx - added initial Controlling Bridge support for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
*) crs3xx - added switch-cpu port VLAN filtering (switch-cpu port is now mapped with bridge interface VLAN membership when vlan-filtering is enabled);
*) crs3xx - correctly filter packets by L2MTU size;
*) crs3xx - fixed "custom-drop-packet" and "not-learned" switch stats for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
*) crs3xx - fixed "mirror-source" property on switch port disable for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices;
*) crs3xx - fixed "storm-rate" traffic limiting for switch-cpu port on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
*) crs3xx - fixed "switch-cpu" VLAN membership on bridge disable;
*) crs3xx - fixed CDP packet forwarding for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices;
*) crs3xx - fixed duplicate host entries when creating static switch hosts;
*) crs3xx - fixed port isolation for "switch-cpu" port for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices;
*) crs3xx - fixed port isolation removal for "switch-cpu" port on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
*) crs3xx - fixed switch "copy-to-cpu" property for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices;
*) crs3xx - fixed switch "not-learned" stats for CRS305, CRS326-24G-2S+, CRS328-24P-4S+, CRS328-4C-20S-4S+, CRS318 devices;
*) crs3xx - improved system stability on CRS354 devices;
*) crs3xx - improved system stability when receiving large frames for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices (introduced in v6.47.5);
*) defconf - fixed default configuration loading on RBcAP-2nD and RBwAP-2nD;
*) defconf - fixed static IP address setting in case default configuration loading fails;
*) defconf - improved CAP interface bridging;
*) defconf - improved default configuration generation on devices with non-default wireless interface names;
*) detnet - fixed malformed dummy DHCP User Class option;
*) detnet - use MAC address from bridge interface instead of slave port;
*) dhcp - fixed DHCP packet forwarding to IPsec policies;
*) dhcpv4-server - improved "client-id" value parsing;
*) dhcpv6 server - added support for "Delegated-IPv6-Prefix" for PPP services;
*) dhcpv6-server - added ability to generate binding on first request;
*) dhcpv6-server - added support for "option18" and "option37" for RADIUS managed clients;
*) dhcpv6-server - allow loose static binding "pool" parameter (introduced in v6.46.8);
*) dhcpv6-server - make sure that calling station ID always contains DUID;
*) discovery - added "lldp-med-net-policy-vlan" property for assigning VLAN ID;
*) discovery - allow choosing which discovery protocol is used;
*) discovery - fixed discovery on mesh ports;
*) discovery - fixed discovery packet sending on newly bridged port with "protocol-mode=none";
*) discovery - fixed discovery when enabled only on master port;
*) discovery - send the same "Chassis ID" on all interfaces for LLDP packets;
*) discovery - use interface MAC address when sending MNDP from slave port;
*) disk - fixed external EXT3 disk mounting on x86 systems;
*) dns - added IPv6 support for DoH;
*) dns - do not use type "A" for static entries with unspecified type;
*) dns - end ongoing queries when changing DoH configuration;
*) dns - fixed listening for DNS queries when only dynamic static entries exist (introduced in v6.47);
*) dot1x - accept priority tagged (VLAN 0) EAP packets on dot1x client;
*) dot1x - fixed reauthentication after server rejects a client into VLAN;
*) dot1x - fixed unicast destination EAP packet receiving when a client is running on a bridge port;
*) dude - fixed configuration menu presence on ARM64 devices;
*) export - fixed RouterBOARD USB "type" parameter export;
*) filesystem - fixed repartition on RB4011 series devices;
*) filesystem - fixed repartition on non-first partition;
*) filesystem - improved long-term filesystem stability and data integrity;
*) gps - fixed "init-channel" release when not used;
*) health - changed PSU state parameter type to read-only;
*) health - removed unused "heater-control" and "heater-threshold" parameters;
*) hotspot - added "vlan-id" parameter support for hosts and HTML pages;
*) hotspot - added support for captive portal advertising using DHCP (RFC7710);
*) hotspot - fixed "html-directory" parameter export;
*) hotspot - improved management service stability when receiving bogus packets;
*) ike1 - fixed "my-id=address" parameter usage together with certificate authentication;
*) ike1 - fixed 'rsa-signature-hybrid' authentication method;
*) ike1 - fixed memory leak on multiple CR payloads;
*) ike1 - fixed policy update with and without mode configuration;
*) ike1 - rekey phase 1 as responder for Windows initiators;
*) ike2 - added "prf-algorithm" support for phase 1;
*) ike2 - added support for IKEv2 Message Fragmentation (RFC7383);
*) ike2 - fixed EAP MSK length validation;
*) ike2 - fixed too small payload parsing;
*) ike2 - improved EAP message integrity checking;
*) ike2 - improved child SA rekeying process;
*) interface - added temperature warning and interface disable on overheat for SFP and SFP+ interfaces (CLI only);
*) interface - fixed pwr-line running state (introduced in v6.45);
*) ipsec - added SHA384 hash algorithm support for phase 1;
*) ipsec - do not kill connection when peer's "name" or "comment" is changed;
*) ipsec - fixed client certificate usage when certificate is renewed with SCEP;
*) ipsec - fixed multiple warning message display for peers;
*) ipsec - inactivate peer's policy on disconnect;
*) ipsec - refresh peer's DNS only when phase 1 is down;
*) kidcontrol - allow creating static device entries without assigned user;
*) led - fixed state persistence after device reboot on NetMetal 5 ac devices;
*) lora - fixed device going into "ERROR" state caused by FSK modulated downlinks;
*) lora - limited output power in RU region for range 868.7 MHz - 869.2 MHz according to regulations;
*) lte - added "age" column and "max-age" parameter to "cell-monitor" (CLI only);
*) lte - added "comment" parameter for APN profiles;
*) lte - added support for Alcatel IK41VE1;
*) lte - fixed "band" value reporting;
*) lte - increased "at+cops" reply timeout to 90 seconds;
*) m33g - added support for "/system gpio" menu (CLI only);
*) metarouter - allow creating RouterOS metarouter instances on devices with 16MB flash storage;
*) metarouter - fixed memory leak when tearing down metarouter instance;
*) ppp - added "bridge-learning" parameter support;
*) ppp - added "ipv6-routes" parameter to "secrets" menu;
*) ppp - added support for "Framed-IPv6-Route" RADIUS attribute;
*) ppp - store "last-caller-id" for PPP secrets;
*) ppp - store "last-disconnect-reason" for PPP secrets;
*) profile - added "lcd" process classificator;
*) profile - improved idle process detection on x86 processors;
*) profile - improved process classification on ARM devices;
*) quickset - added "Port Mapping" to QuickSet;
*) quickset - fixed local IP address setting on master interface;
*) route - improved stability when 6to4 interface is configured with disabled IPv6 package;
*) routerboard - fixed PCIe bus reset during power-on on MMIPS devices ("/system routerboard upgrade" required);
*) routerboard - force power-down on PCIe bus during reboot on LHGR devices ("/system routerboard upgrade" required);
*) script - added error message in the logs if startup script runtime limit was exceeded;
*) snmp - added information from IPsec "active-peers" menu to MIKROTIK-MIB;
*) snmp - added new LTE monitoring OID's to MIKROTIK-MIB;
*) snmp - fixed value types for "dot1dStp";
*) snmp - fixed value types for "dot1qPvid";
*) ssh - fixed returned output saving to file when "output-to-file" parameter is used;
*) ssh - skip interactive authentication when not running in interactive mode;
*) supout - added bonding interface monitor information;
*) supout - improved autosupout.rif file generation process;
*) timezone - updated timezone information from "tzdata2020d" release;
*) tr069-client - added "X_MIKROTIK_MimoRSRP" parameter for LTE RSRP value reporting;
*) tr069-client - added LTE model and revision parameters;
*) tr069-client - added additional wireless registration table parameters;
*) tr069-client - added branding package build time parameter;
*) tr069-client - added wireless "noise-floor" and "overall-tx-ccq" information parameters;
*) tr069-client - allow passing LTE firmware update URL as XML;
*) tr069-client - fixed RouterOS downgrade procedure;
*) tr069-client - fixed TotalBytesReceived parameter value;
*) tr069-client - send correct "ConnectionRequestURL" when using IPv6;
*) traffic-flow - added "sys-init-time" parameter support;
*) traffic-flow - added NAT event logging support for IPFIX;
*) traffic-generator - fixed 32Gbps limitation;
*) user-manager - do not allow creating limitation that crosses midnight;
*) user-manager - updated PayPal's root certificate authorities;
*) webfig - allow hiding QuickSet mode selector;
*) webfig - allow hiding and renaming inline buttons;
*) webfig - fixed default value presence when creating new entries under "IP/Kid Control";
*) webfig - properly stop background processes when switching away from QuickSet tab;
*) winbox - added "src-mac-address" parameter under "IP/DHCP-Server/Leases" menu;
*) winbox - added missing IGMP Snooping settings to "Bridge" menu;
*) winbox - added missing MSTP settings to "Bridge" menu;
*) winbox - added support for LTE Cell Monitor;
*) winbox - allow adding bonding interface with one slave interface;
*) winbox - allow performing "USB Power Reset" on "0" bus on RBM33G;
*) winbox - do not show "network-mode" parameter for LTE interfaces that do not support it;
*) winbox - fixed "IP->Kid Control->Devices" table automatic refreshing;
*) winbox - fixed "interface" and "on-interface" parameter presence under "Bridge/Hosts" menu;
*) winbox - fixed "receive-errors" setting persistence under "Wireless/Wireless Sniffer/Settings" menu;
*) winbox - fixed "tls-version" parameter setting under "IP/Services" menu;
*) winbox - fixed minor typo in "Users" menu;
*) winbox - provide sane default values for bridge "VLAN IDs" parameter;
*) winbox - use health values reported by gauges for "System/Health" menu;
*) wireless - added U-NII-2 support for US and Canada country profiles for mANTBox series devices;
*) wireless - create "connect-list" rule when address specified for "setup-repeater";
*) wireless - do not override MTU and ARP values from CAPsMAN with local forwarding;
*) wireless - improved WPS process stability;
*) wireless - increased "group-key-update" maximum value to 1 day;
*) wireless - updated "indonesia5" regulatory domain information;
*) wireless - updated "no_country_set" regulatory domain information;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this particular RouterOS release.

Jotne · Wed Dec 23, 2020 1:24 pm

Nice Christmas present :)

osc86 · Wed Dec 23, 2020 1:40 pm

Trusted checkbox appears twice in Bridge -> Ports -> <interface> -> General

kd2pm2 · Wed Dec 23, 2020 1:49 pm

Upgraded my 2011 and 4011....time to test and see what happens.

Chupaka · Wed Dec 23, 2020 3:35 pm

dns - fixed listening for DNS queries when only dynamic static entries exist (introduced in v6.47);

Only dynamic static?..

tomaskir · Wed Dec 23, 2020 3:51 pm

That's one huge changelog - the stability fixes for ARM are much welcomed.

After the upgrade, "/export compact" without any reconfiguration shows 2 new changes from "default":

...

What has changed in the defaults for user groups and neighbor discovery?

TimothyKoval · Wed Dec 23, 2020 9:14 pm

Setting firmware auto upgrade to each no or yes crashes my RB3011, working fine on cAP ac and CRS112

/system routerboard settings set auto-upgrade=yes

erlinden · Wed Dec 23, 2020 10:03 pm

I see the following error in the log (every 30 min):

IPsec-SA expired before finishing rekey

Haven't seen this issue in the current LTS and the 6.47.x releases.

Found this answer in the topic, hope it helps:
viewtopic.php?f=2&t=159536&p=783686&hil ... ey#p784468

MartijnVdS · Wed Dec 23, 2020 10:18 pm

Do these multicast fixes mean IPv6 will work better again?

Because my routers keep forgetting to respond to IPv6 neighbor solicitations over multicast after a while. Meaning it _seems_ to work for a while.. and then when you leave it breaks.

Guscht · Thu Dec 24, 2020 12:18 am

*) branding - fixed LCD logo loading from new style branding package;

How can we add a LCD logo? It would be great to add a custom image with our company logo and the Router-Name.

kevinb361 · Thu Dec 24, 2020 1:54 am

Just updated the following all working great so far!

CCR 1009, CSR 326, and two wAP AC's

dadoremix · Thu Dec 24, 2020 2:14 am

we are waiting for 6.48.5 .. stable release is beta channel

mducharme · Thu Dec 24, 2020 2:27 am

What has changed in the defaults for user groups and neighbor discovery?

I'm not sure about neighbor discovery, but in user groups it appears that the group "full" does not have the "dude" policy enabled by default.

mducharme · Thu Dec 24, 2020 2:42 am

*) tr069-client - send correct "ConnectionRequestURL" when using IPv6;

I am a bit puzzled by this fix as even though our clients are mostly dual stack, and our ACS URL has both A and AAAA records and is listening on IPv4 and IPv6, I've never seen the clients ever attempt to connect to the ACS via IPv6, only IPv4. Until now I assumed that the TR069 client on MikroTik had support for IPv4 only and not IPv6. Under what circumstances will the TR069 client attempt a connection via IPv6?

krafg · Thu Dec 24, 2020 3:20 am

Updated all my devices and for now all is working fine.

Regards.

dioeyandika · Thu Dec 24, 2020 3:57 am

hem after upgrade system health not showing voltage and temperature RB 750G r3

G2Dolphin · Thu Dec 24, 2020 4:09 am

*) m33g - added support for "/system gpio" menu (CLI only);

I don't have M33g, but... does that allow us to play with unused GPIOs for simple stuff like turning some load on and off with relays or having additional status LEDs? That would be awesome! :D

psybernoid · Thu Dec 24, 2020 8:21 am

On my CRS326-24G-2S+ after updating I no longer have any interfaces nor will the device reboot cleanly.

This is the output from terminal:

[admin@CRS326] > /interface
[admin@CRS326] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE       ACTUAL-MTU L2MTU
[admin@CRS326] /interface> /system reboot
Reboot, yes? [y/N]:
y
system will reboot shortly

Rebooting...
failed to stop ipsec: std failure: timeout (13)
failed to stop route: std failure: timeout (13)

jcmerg · Thu Dec 24, 2020 10:19 am

On my CRS326-24G-2S+ after updating I no longer have any interfaces nor will the device reboot cleanly.

This is the output from terminal:

[admin@CRS326] > /interface
[admin@CRS326] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE       ACTUAL-MTU L2MTU
[admin@CRS326] /interface> /system reboot
Reboot, yes? [y/N]:
y
system will reboot shortly

Rebooting...
failed to stop ipsec: std failure: timeout (13)
failed to stop route: std failure: timeout (13)

Same Issue here, i've removed all lacp bonding interfaces from the bridge, after that, the switch worked fine, so i downgraded to the last 6.47.x

I've also tried a factory reset and reconfiguration with a export backup .... same issue.

DarkNate · Thu Dec 24, 2020 10:30 am

RB450Gx4. Smooth upgrade, no problems, no errors, nothing. Perfect.

elbob2002 · Thu Dec 24, 2020 1:04 pm

After upgrading on RB3011 ports in switch group 1 (ether1-5) started flapping every 5 minutes. Rolled back on 6.47.8 and all seems ok. So 3011 users, install with care! ;)

Same here on my RB3011. My WAN port was on ether 2 and kept flapping.

Moved it to ether10 and now have a stable WAN connection again but obviously the flapping issue isn't resolved.

Before moving to ether 10 I turned autonegotiation off but no luck.

psybernoid · Thu Dec 24, 2020 1:37 pm

Same Issue here, i've removed all lacp bonding interfaces from the bridge, after that, the switch worked fine, so i downgraded to the last 6.47.x

I've also tried a factory reset and reconfiguration with a export backup .... same issue.

Ahh. I have 3 LACP bonds on mine. I may well be having the same issue then.

Though how did you remove the bonds if the interfaces where not showing?

R00tKit · Thu Dec 24, 2020 2:15 pm

Sadly I confirm the problem with Several RB3011. The switch chip of ports 1-5 works erratically after the upgrade.
All my PPPoE connections on those ports (usually 1,2) started flapping.
Switching to ports 6-10 worked for me, but this is kind of serious.

Edit: After several days I have customers reporting SIP connectivity problems with their Gigaset handsets as well. These have RB2011UiAS. I think I will revert to the older version for now

nimbo78 · Thu Dec 24, 2020 2:42 pm

After upgrading on RB3011 ports in switch group 1 (ether1-5) started flapping every 5 minutes. Rolled back on 6.47.8 and all seems ok. So 3011 users, install with care! ;)

same here
bridge with rstp and hw offload, rb3011 with upgraded RouterBoard
on ether6-ether10 all good

"stable" :)

biomesh · Thu Dec 24, 2020 2:48 pm

I upgraded the following without any issues:

Crs326-24g-2s+ (with lacp bond), crs317, ccr1009, cap ac, wap ac, hap ac2, hap mini, chr, rb921gs.

andkar · Thu Dec 24, 2020 3:01 pm

Hi,

Hap AC2 - ok so far.
RB3011 - port flapping (like others noted)

Software QA.needs improvements.

staticsafe · Thu Dec 24, 2020 3:45 pm

Time for me to ask again, is the bug with the SFP ports not working fixed in this version?

I really want to upgrade my hAP ac to latest :)

shavenne · Thu Dec 24, 2020 4:01 pm

6.48 is the same as rc1 I guess? So this =>

Tried to update my switches at home (CRS112-8P-4S, CRS112-8G-4S, CRS309-1G-8S+, CRS328-24P-4S+) to 6.48beta40 yesterday (6.47.4 before).
For some reason all clients stopped getting IPv6 addresses from my RB4011 (with 7.1beta2) then.
I started downgrading the firmware on the CRS328-24P-4S+ (to which the RB4011 is also connected) and all clients connected to it were getting IPv6 addresses again.
I still had to downgrade the other switches too to obtain IPv6 there also.

I find it quite strange as I'm not using any routing or firewall functions on the switches. Actually just VLANs (all IPv6 clients are in a seperate vlan) and nothing else.
Any idea what's going wrong?
Tried the same with 6.48rc1 today. Still the same problem :(
Downgraded to 6.47.8 and it works again immediately.

will remain, right??

This is my config:

# dec/24/2020 14:59:11 by RouterOS 6.47.8
# software id = 76F0-EZPJ
#
# model = CRS328-24P-4S+
# serial number = A1A10A614FF6
/interface bridge
add admin-mac=74:4D:28:D3:63:6B auto-mac=no comment=defconf igmp-snooping=yes \
    name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=pi.home
set [ find default-name=ether2 ] comment="Kamera Hof"
set [ find default-name=ether5 ] comment="Deep-Thought Intel-Karte"
set [ find default-name=ether6 ] comment=Slow-Thought
set [ find default-name=ether11 ] comment=TV
set [ find default-name=ether13 ] comment=HTPC
set [ find default-name=ether14 ] comment=AV-Receiver
set [ find default-name=ether22 ] comment="Freifunk Hotspot (Hof)"
set [ find default-name=ether23 ] comment=\
    "Unifi AP + plastikschleuder.home (RPi)"
set [ find default-name=ether24 ] comment="WAN LTE"
set [ find default-name=sfp-sfpplus1 ] comment="Zum Keller"
set [ find default-name=sfp-sfpplus2 ] comment="Deep-Thought 10G"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
add name=prometheus policy="read,winbox,api,!local,!telnet,!ssh,!ftp,!reboot,!wr\
    ite,!policy,!test,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22 pvid=31
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge comment="IPv6 only" tagged=sfp-sfpplus1,ether5 vlan-ids=66
add bridge=bridge comment="WAN Freifunk" tagged=\
    sfp-sfpplus1,ether23,ether24,sfp-sfpplus2,ether13,ether10 vlan-ids=12
add bridge=bridge comment="Freifunk Hotspot" tagged=sfp-sfpplus1,ether5 \
    untagged=ether22 vlan-ids=31
add bridge=bridge comment=VoIP tagged=sfp-sfpplus1,ether23,ether24 vlan-ids=21
add bridge=bridge comment="WAN FTTH1" tagged=sfp-sfpplus1,ether17 vlan-ids=4001
add bridge=bridge comment="WAN FTTH2" tagged=sfp-sfpplus1,ether17 vlan-ids=4002
add bridge=bridge comment="WWW \FCber bridge-pi" tagged=sfp-sfpplus1,ether17 \
    vlan-ids=4050
add bridge=bridge comment="Freifunk Hotspot (Balkon)" tagged=\
    sfp-sfpplus1,ether5 vlan-ids=32
add bridge=bridge comment="IPv6 Pool 2" tagged=sfp-sfpplus1,ether5 vlan-ids=67
add bridge=bridge comment="WAN LTE" tagged=sfp-sfpplus1,ether24 vlan-ids=4010
add bridge=bridge comment=IceCC tagged=ether5,sfp-sfpplus1 vlan-ids=530
/ip address
add address=192.168.90.7/24 interface=bridge network=192.168.90.0
/ip dns
set servers=192.168.90.1
/ip firewall filter
add action=accept chain=output
add action=accept chain=input
/ip route
add distance=1 gateway=192.168.90.1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=SW_WohnungOben
/system ntp client
set enabled=yes primary-ntp=62.108.36.235 secondary-ntp=46.165.221.137
/system package update
set channel=testing
/system routerboard settings
set boot-os=router-os
/system swos
set address-acquisition-mode=static allow-from-ports="p1,p2,p3,p4,p5,p6,p7,p8,p9\
    ,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28\
    " identity=SW_WohnungOben static-ip-address=192.168.90.7

(exported from v6.47.8)

jcmerg · Thu Dec 24, 2020 4:09 pm

Same Issue here, i've removed all lacp bonding interfaces from the bridge, after that, the switch worked fine, so i downgraded to the last 6.47.x

I've also tried a factory reset and reconfiguration with a export backup .... same issue.
Ahh. I have 3 LACP bonds on mine. I may well be having the same issue then.

Though how did you remove the bonds if the interfaces where not showing?

Simply unplug all bond members and boot the switch, the issue occures only when the bond interfaces in the bridge are up and active

guruniverse · Thu Dec 24, 2020 4:18 pm

Did not receive SMS messages in inbox after upgrade anymore. Downgrading to previous stable version (6.46.8) fixed the issue.

Running a RBLTAP-2HND&R11E-LTE (MMIPS architecture).

nostromog · Thu Dec 24, 2020 5:22 pm

What's new in 6.48 (2020-Dec-22 11:20):
(...)
*) interface - fixed pwr-line running state (introduced in v6.45);

Difficult to know what this means, can anyone clarify?

A couple of pwr-line power sources for a couple of mAP Lite routers have stopped a strange behaviour they were showing, flashing all lights in a ~10 seconds pattern (that I had already reported months ago) and was waiting for feedback more than one month ago. Last they sent me a firmware that made disappear the interface...

It is still not working with 6.48, though, even with both pwr-line adaptors in the same extension cord they don't link together... But now at least the behaviour doesn't look broken, just no traffic across the wire...

bmatic · Thu Dec 24, 2020 5:32 pm

hem after upgrade system health not showing voltage and temperature RB 750G r3

I can confirm the problem on RB750Gr3 and RB760iGS .

mikruser · Thu Dec 24, 2020 5:45 pm

why are you upgrading to beta-version?
it has been repeatedly said that
"long-term" = Stable
"stable" = Beta
"testing" = Alpha

dannym · Thu Dec 24, 2020 5:54 pm

This new release "make" my 24.12 day...
Rb2011 works fine after update
Rb941/ Rb931 works fine after update
Rb 4011 and 3011 are down...
Last stable releases are total mess.

rushlife · Thu Dec 24, 2020 6:07 pm

rb3011 flapping, 1500 linkdowns for about 30 minutes

rb4011 seems to be fine

Guscht · Thu Dec 24, 2020 6:27 pm

What are "Port Extensions"?

No single word in any Mikrotik wiki...

npeca75 · Thu Dec 24, 2020 6:37 pm

What are "Port Extensions"

No single word in any Mikrotik wiki...

Hi
You could find useful info here:
https://help.mikrotik.com/docs/display/ ... t+Extender

FurfangosFrigyes · Thu Dec 24, 2020 7:15 pm

- RB3011 port flapping
- CRS328 24p 4s+ crashed if the device has bonded interfaces

- RB4011 ok
- CAP AC ok
- HAP AC3 ok
- CHR ok
- HAP AC2 ok

deweydb · Thu Dec 24, 2020 7:32 pm

After upgrading on RB3011 ports in switch group 1 (ether1-5) started flapping every 5 minutes. Rolled back on 6.47.8 and all seems ok. So 3011 users, install with care! ;)

confirmed on our RouterBOARD 3011UiAS

npeca75 · Thu Dec 24, 2020 10:21 pm

rb3011 flapping, 1500 linkdowns for about 30 minutes

rb4011 seems to be fine

Hi @rushlife
I like to ask you, did you upgrade FW (bios) on your 3011 ?

I ask this because my 3011 is up with v6.48 and it is stable - NULL link down's , all ETH ports 1G, up without problems
but i forgot to update FW (bios), it is still 6.47.8

so now i am afraid to update/reboot because i am remote until next year

Ivoshiee · Thu Dec 24, 2020 11:06 pm

Why does a reboot will erase files from the flash? Image file update and erasing that file was a normal, but why some other files need to go?

nwa · Fri Dec 25, 2020 12:27 am

this is the reason why you don´t touch an running system on the holidays.... but i do......... my bad...........
3011 is broken, links down... downgrade with trouble... nice.

ganewbie · Fri Dec 25, 2020 3:15 am

rb3011 flapping, 1500 linkdowns for about 30 minutes

rb4011 seems to be fine
Hi @rushlife
I like to ask you, did you upgrade FW (bios) on your 3011 ?

I ask this because my 3011 is up with v6.48 and it is stable - NULL link down's , all ETH ports 1G, up without problems
but i forgot to update FW (bios), it is still 6.47.8

so now i am afraid to update/reboot because i am remote until next year

Do not worry,
We had port flapping with a 3011 router that we updated remotely including the firmware was updated.
Not a big deal, we downgraded to 6.47.8 and our client is stable again.
Good luck

rushlife · Fri Dec 25, 2020 10:04 am

rb3011 flapping, 1500 linkdowns for about 30 minutes

rb4011 seems to be fine
Hi @rushlife
I like to ask you, did you upgrade FW (bios) on your 3011 ?

I ask this because my 3011 is up with v6.48 and it is stable - NULL link down's , all ETH ports 1G, up without problems
but i forgot to update FW (bios), it is still 6.47.8

so now i am afraid to update/reboot because i am remote until next year

hi, yeah
firmware was also upgraded to 6.48

Fri Dec 25, 2020 10:08 am

*) branding - fixed LCD logo loading from new style branding package;
How can we add a LCD logo? It would be great to add a custom image with our company logo and the Router-Name.

Go to your Mikrotik account,
At the bottom you see other.
Click on branding maker.
Here you can add your logo.
Then you have to load a package into the router.
If this adjustment is loaded in the router.
You can delete it by netinstall. A reset procedure does not delete them.
I wish you a happy holidays and keep it safe.

npeca75 · Fri Dec 25, 2020 11:43 am

rb3011 flapping, 1500 linkdowns for about 30 minutes

rb4011 seems to be fine
Hi @rushlife
I like to ask you, did you upgrade FW (bios) on your 3011 ?

I ask this because my 3011 is up with v6.48 and it is stable - NULL link down's , all ETH ports 1G, up without problems
but i forgot to update FW (bios), it is still 6.47.8

so now i am afraid to update/reboot because i am remote until next year
hi, yeah
firmware was also upgraded to 6.48

So, i could consider lucky that i forget to update FW (second reboot)
Still working without glitch, all ports on 1G FD, HW Offload, 14 Vlans, 65% port utilization
Was in hurry to replace scripting with " *) ppp - added ipv6-routes parameter to secrets menu" before holidays and now i am hoping that power/UPS will remain until first work day

it was my mistake :(
nice christmas present :(

h17 · Fri Dec 25, 2020 12:25 pm

After upgrading on RB3011 ports in switch group 1 (ether1-5) started flapping every 5 minutes. Rolled back on 6.47.8 and all seems ok. So 3011 users, install with care! ;)

I was having same problem on CRS309-1G-8S+. After a while SFP+ port started constantly flapping every few seconds.
Tried with auto-negotiation turned off. No luck. Had to downgrade to v6.47.8.

Surprisingly, v6.48 on CRS305-1G-4S+ works ok (it's at the other end of that flapping link).

WirtelPL · Fri Dec 25, 2020 1:05 pm

hem after upgrade system health not showing voltage and temperature RB 750G r3
I can confirm the problem on RB750Gr3 and RB760iGS .

RBD53iG-5HacD2HnD - the same bug.

stefanosp · Fri Dec 25, 2020 2:42 pm

what 6.48 did to my RBD52G-5HacD2HnD config:

resetted both wireless interfaces
removed the bridge
removed SSTP-client interface
..

too bad for a MT fan.

shiyiqiang08 · Fri Dec 25, 2020 2:57 pm

@mikrotik
*) arm - added support for automatic CPU frequency stepping for IPQ4018/IPQ4019 devices;
The frequency of automatic adjustment CPU can only be up to 716, but it can be manually adjusted to 896 in routerboard

Hominidae · Fri Dec 25, 2020 3:02 pm

...no problems here after upgrading 24hrs ago, for

- RB4011, running capsman
- CRS326-24G-2S+-RM, including bond-Interface, VLANs and SFP+ (AOC connect to RB4011)
- cAP-ac

complex1 · Fri Dec 25, 2020 6:46 pm

Sorry i report a problem with PwrLine. After upgrade to 6.48, my two devices (model PL7411-2nD) don't pair.
After reboot, change settings, more and more.. nothing. Downgrade to long term, all change to ok. Untill 6.47.8 everything works fine.
ps: ether1, pwr-line1, wlan (off) all on bridge-local with no protocol (stp, rstp, etc...).

I am having the exact same problem here.

joedoelv · Fri Dec 25, 2020 8:13 pm

After upgrading my 962UiGS-5HacT2HnT from 6.47.8 to 6.48 I have constant troubles with my SIP phone. When switching on or reconfiguring, it connects to my Asterisk and after some minutes disconnects. Also in Asterisk console I see messages "Peer is lagged/ peer is available" every 30 seconds while the phone is registered. Changing keep alive settings on the phone did not help. After downgrading to 6.46.8 all problems disappeared

I've seen same behavior on Gigaset N300A IP after upgrading my mom's 951Ui-2HnD to 6.48
After downgrading to 6.46.8 issue got resolved.

Aytishnikcom · Fri Dec 25, 2020 8:43 pm

Red Hat (long-term) = Stable
CentOS (stable) = Stable
Fedora (testing) = Beta

why are you upgrading to beta-version?
it has been repeatedly said that
"long-term" = Stable
"stable" = Beta
"testing" = Alpha

sterod · Fri Dec 25, 2020 10:44 pm

Did this update break anyone else's pwr line setup? I have a pwr line pro and at the other end of pwr line AP and the link between them is now incredibly unstable. I had to downgrade to 6.47.8 to restore connectivity.

jult · Sat Dec 26, 2020 1:33 am

- never mind - using a different PC with netinstall worked.

netraider · Sat Dec 26, 2020 3:13 am

After upgrading my 962UiGS-5HacT2HnT from 6.47.8 to 6.48 I have constant troubles with my SIP phone. When switching on or reconfiguring, it connects to my Asterisk and after some minutes disconnects. Also in Asterisk console I see messages "Peer is lagged/ peer is available" every 30 seconds while the phone is registered. Changing keep alive settings on the phone did not help. After downgrading to 6.46.8 all problems disappeared
I've seen same behavior on Gigaset N300A IP after upgrading my mom's 951Ui-2HnD to 6.48
After downgrading to 6.46.8 issue got resolved.

Confirm this! The 6.48 dropped all SIP accounts in my gigaset IP phones to offline. Also I got the problems with access to phone`s webinterface. After downgrade to 6.47.8 everithing works fine again

OndrejHolas · Sat Dec 26, 2020 4:06 pm

Hi all,

I have one spare RB3011 in lab, so I tried to upgrade it to 6.48 to see the problem with port flapping others mention here. So I did:

upload ROS 6.48 packages to RB3011 with 6.47.7 (both ROS and firmware)
sys reb (ROS upgraded)
waited 10 minutes, no port flapping occurred
upgraded firmware to 6.48 (sys rou up)
sys reb (warm restart)
waited 10 minutes, no port flapping occurred
sys shut
power cycle (cold start)
waited 10 minutes, no port flapping occurred

So in my case 6.48 on RB3011 does not (yet?) exhibit the port flapping problem even after cold start (when the new firmware becomes fully effective). But this is a very early box, bought just after 3011's introduction; maybe there are other HW versions of 3011.

Ondrej

ganewbie · Sat Dec 26, 2020 4:31 pm

So in my case 6.48 on RB3011 does not (yet?) exhibit the port flapping problem even after cold start (when the new firmware becomes fully effective). But this is a very early box, bought just after 3011's introduction; maybe there are other HW versions of 3011.
Ondrej

In our setup we have 2 WAN ports "ether1 and ether2" and port flapping was present after the upgrade.
Our 3011 is old but maybe not as old as yours it was shipping with firmware 3.41

eworm · Sat Dec 26, 2020 4:34 pm

Now on rekey childs mikrotik send and want proposals without pfs despite pfs-group=ecp521 configured. Similar issue has Windows 7 time ago.

With IKEv2 the pfs group is inherited from phase 1, have a look at dh group in profiles. Perfect forward secret should be used even if set to none in proposals.
Correct me if I am wrong, but I think you should set pfs-group to none in proposals on all devices for IKEv2.

OndrejHolas · Sat Dec 26, 2020 4:40 pm

Our 3011 is old but maybe not as old as yours it was shipping with firmware 3.41

Mine is indeed older, factory firmware is 3.27.

Ondrej

rpingar · Sat Dec 26, 2020 4:57 pm

still (6.47.8 too) get ccr2004 crashes on pppoe-clinet interface queue.
No matter what queue's kind, the router crashes.

ticket #[SUP-36923] opened
regards
Ros

kehrlein · Sat Dec 26, 2020 5:24 pm

Upgraded several devices without any issues:
- CRS326-24G-2S+ (with bridge, bonding, VLAN, SFP+)
- CRS112-8P-4S (with bridge, bonding, VLAN, SFP)
- RB750GL
- RB760iGS (HeX S)

erlinden · Sat Dec 26, 2020 5:35 pm

With IKEv2 the pfs group is inherited from phase 1, have a look at dh group in profiles. Perfect forward secret should be used even if set to none in proposals.
Correct me if I am wrong, but I think you should set pfs-group to none in proposals on all devices for IKEv2.

My current settings:

/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128 hash-algorithm=sha512 name=site2site-profile
/ip ipsec peer
add address=x.x.x.x comment=site2site exchange-mode=ike2 name=site2site profile=site2site-profile
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=site2site-proposal pfs-group=[b]modp4096[/b]
/ip ipsec identity
add comment=site2site peer=site2site
/ip ipsec policy
add comment=site2site dst-address=192.168.60.0/24 peer=site2site proposal=site2site-proposal sa-dst-address=x.x.x.x sa-src-address=0.0.0.0 \
    src-address=192.168.50.0/24 tunnel=yes

Are you referring to the highlighted pfs-group?

eworm · Sat Dec 26, 2020 6:22 pm

Yes, that's what should be set to none IMHO.
Look at first line, dh-group=modp4096 is used for dh in phase 1 and for PFS in phase 2.

eworm · Sat Dec 26, 2020 6:48 pm

See this and the following posts from emils about the details:
viewtopic.php?f=2&t=147769#p740153

Lemahasta · Sat Dec 26, 2020 7:23 pm

After upgrade from 6.47.8 IPSEC-IKEV2 from windows 10 client -> mikrotik CCR 1009 using eap-radius stopped working.

After downgrade everything works fine again. RADIUS sends access-accept, windows client tries connecting for some time than just times out.
No errors in mikrotik. Just doesn't work.

Downgrade to 6.47.8 fixes issue.

IPSEC-IKEV2 using strongswan client (for android) works fine in both versions (6.47.8 and 6.48).

mhaluska · Sat Dec 26, 2020 8:29 pm

-- deleted --

mikelaurense · Sat Dec 26, 2020 8:43 pm

After upgrading my 962UiGS-5HacT2HnT from 6.47.8 to 6.48 I have constant troubles with my SIP phone. When switching on or reconfiguring, it connects to my Asterisk and after some minutes disconnects. Also in Asterisk console I see messages "Peer is lagged/ peer is available" every 30 seconds while the phone is registered. Changing keep alive settings on the phone did not help. After downgrading to 6.46.8 all problems disappeared
I've seen same behavior on Gigaset N300A IP after upgrading my mom's 951Ui-2HnD to 6.48
After downgrading to 6.46.8 issue got resolved.

Same on Gigaset S850A. Seems this update breaks SIP on multiple phones... any solution, or is downgrading the only option?

OndrejHolas · Sat Dec 26, 2020 9:13 pm

Same on Gigaset S850A. Seems this update breaks SIP on multiple phones... any solution, or is downgrading the only option?

What transport do you use for SIP (UDP, TCP, TLS)?
Is the SIP conntrack helper active? (/ip firewall service-port print)

erlinden · Sat Dec 26, 2020 10:07 pm

Yes, that's what should be set to none IMHO.
Look at first line, dh-group=modp4096 is used for dh in phase 1 and for PFS in phase 2.

Thanks, saved my day! Got it working!!

shahani · Sat Dec 26, 2020 11:12 pm

1x CCR1036-12G-4S-149
1x CRS328_24p_4s_rm
1x RB4011iGS+5HacQ2HnD-IN
2x RB2011UiAS-2HnD-IN
1x RB952Ui-5ac2nD
upgrading 60hrs ago without any issues

mikelaurense · Sat Dec 26, 2020 11:30 pm

Same on Gigaset S850A. Seems this update breaks SIP on multiple phones... any solution, or is downgrading the only option?
What transport do you use for SIP (UDP, TCP, TLS)?
Is the SIP conntrack helper active? (/ip firewall service-port print)

Transport was set to Automatic, but setting it to UDP only or TCP only doesn't make a difference.
I used to have the SIP helper set to on, disabled it today, but that makes no difference as well.

This setup has been working for years, and only broke today after updating to 6.48. I see no other option than downgrading until this bug is fixed.

[edit]
Downgraded to 6.47.8 and the problem is gone

sterod · Sun Dec 27, 2020 6:42 am

I think the moral to this story is to avoid majors (6.48) and wait until the first minor (6.48.1)

mafiosa · Sun Dec 27, 2020 9:52 am

After upgrading on RB3011 ports in switch group 1 (ether1-5) started flapping every 5 minutes. Rolled back on 6.47.8 and all seems ok. So 3011 users, install with care! ;)
I have the same problem with eth1 and eth2 dropping every hour approximately on my RB3011, downgrading solved the problem as well.
Hope this will be corrected

Same here bugtik rb3011

Ozon · Sun Dec 27, 2020 11:47 am

Same on Gigaset S850A. Seems this update breaks SIP on multiple phones... any solution, or is downgrading the only option?

Same problems with SIP.

Stopped working:
on hAP ac
on hAP lite x2
on RB951G-2HnD

multiple Gigaset device with and without virtual PBX

all lost connection to PBX

Only helped reverting to 6.48.7

Stuck with downgrading hAP ac - shows 13MB used out of 16 MB

npeca75 · Sun Dec 27, 2020 12:04 pm

I think the moral to this story is to avoid majors (6.48) and wait until the first minor (6.48.1)

Moral of this story:

1. MKT was forced by sales department to release "new" (7b/6b) versions before christmas without testing
2. Never trust blindly and install anything on holiday season

OndrejHolas · Sun Dec 27, 2020 12:08 pm

To someone having problems with SIP phones: Could you please check log of the router with ROS 6.48, whether there are unexpected flapping events (link down/up) or not?

Since the linkdowns last between 1 and 2 seconds (as observed in my lab), it could cause "Lagged" state in Asterisk when qualify probe hits the linkdown state. Maybe the problem is more general and not SIP-specific, although SIP qualify probes can detect short communication outages.

OndrejHolas · Sun Dec 27, 2020 12:10 pm

Our 3011 is old but maybe not as old as yours it was shipping with firmware 3.41
Mine is indeed older, factory firmware is 3.27.

Finally, my old 3011 started to flap with another NIC connected, so the problem seems to be dependent on connected NIC (or its PHY?) as well.

Ozon · Sun Dec 27, 2020 12:41 pm

To someone having problems with SIP phones: Could you please check log of the router with ROS 6.48, whether there are unexpected flapping events (link down/up) or not?

Since the linkdowns last between 1 and 2 seconds (as observed in my lab), it could cause "Lagged" state in Asterisk when qualify probe hits the linkdown state. Maybe the problem is more general and not SIP-specific, although SIP qualify probes can detect short communication outages.

nope, link is ok.

upd.

downgraded last 2 devices to 6.47.8

@ MTK - never please release new firmware during holidays. Luck that today is weekend, and everybody is out of office. In another way we could get huge problem without all telephone services working.

biomesh · Sun Dec 27, 2020 2:52 pm

Are these gigaset devices having issues with the lldp med options added?

My asterisk, grandstream, and obihai (polycom) devices all work fine.

OndrejHolas · Sun Dec 27, 2020 5:55 pm

With IKEv2 the pfs group is inherited from phase 1, have a look at dh group in profiles. Perfect forward secret should be used even if set to none in proposals.
Correct me if I am wrong, but I think you should set pfs-group to none in proposals on all devices for IKEv2.

Just to clarify, in IKEv2, phase 2 PFS group is not inherited from phase 1. During IKE SA init phase, when phase 1 keying material is negotiated (using group configured at the phase 1 level) and also phase 2 "create child SA" is requested, this time the phase 2 derives its keys from phase 1 keying material, so in this case there's really no need to negotiate PFS group at the phase 2 level (for example Strongswan is quite liberal here and matches proposals from both peers even if their PFS groups don't match).

Different situation is during phase 2 rekeying, when peers are required to have common PFS group, as there's need to negotiate new keys from scratch. Or, if both peers have PFS group unconfigured, rekeying is done based on previously used keying material, lacking advantage of PFS.

Thus, in IKEv2, the PFS group configured at the phase 2 level is used the same way as in IKEv1 except the initial contact.

6.47.8 and 6.48 send different proposals during phase 2 rekey, 6.48 omits the configured PFS group in proposal sent, 6.47.8 includes it (can be seen in Strongswan logs at the other side).

Setting PFS group to none makes the rekeying work with 6.48, although the rekey process is then weaker due to lacking PFS.

samasd · Sun Dec 27, 2020 8:12 pm

updated all my routers there was a weird problem in one of 750g routers bridge port , all the clients could ping the upper router except the router itself ! had to remove bridge and its ports and add it again, the arp was good and it was working with no problem with 6.47.8

zandhaas · Sun Dec 27, 2020 10:04 pm

Upgrade on my 750Gr3 OK Also the system health is showing power and temp
Upgrade on HAP ac2 is also OK

Kindis · Sun Dec 27, 2020 10:23 pm

To someone having problems with SIP phones: Could you please check log of the router with ROS 6.48, whether there are unexpected flapping events (link down/up) or not?

Since the linkdowns last between 1 and 2 seconds (as observed in my lab), it could cause "Lagged" state in Asterisk when qualify probe hits the linkdown state. Maybe the problem is more general and not SIP-specific, although SIP qualify probes can detect short communication outages.
nope, link is ok.

upd.

downgraded last 2 devices to 6.47.8

@ MTK - never please release new firmware during holidays. Luck that today is weekend, and everybody is out of office. In another way we could get huge problem without all telephone services working.

You cannot be serious with this. How are they responsible for anyone deploying this in production just before the holiday's? Testing fine but not actual prod. We freeze all prod equipment around 18th of Dec to 11th of Jan and do not allow any upgrades/changes unless it is an emergency.
If it is this important I recommend you use Long-term instead as they tend to be better in term of version change but always test first.

Guscht · Sun Dec 27, 2020 11:11 pm

hotspot - added support for captive portal advertising using DHCP (RFC7710)

Any information regarding this?
Is there a new option somewhere in the HotSpot section or in the DHCP section? Or is this a "hidden" background feature?

Trunkz · Mon Dec 28, 2020 1:51 am

Yes, that's what should be set to none IMHO.
Look at first line, dh-group=modp4096 is used for dh in phase 1 and for PFS in phase 2.

Thats odd - I've got pfs set in phase 2 and the IKEv2 tunnel establishes correctly:

# model = RB4011iGS+5HacQ2HnD
# serial number = xxxx
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 name=xxxx
/ip ipsec peer
add address=xxxx/32 exchange-mode=ike2 name=xxxx profile=xxxx
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=xxxx pfs-group=ecp521
/ip ipsec identity
add peer=xxxx secret=xxxx
/ip ipsec policy
add dst-address=xxxx/24 peer=xxxx proposal=xxxx sa-dst-address=xxxx sa-src-address=xxxx src-address=xxxx/25 tunnel=yes

spiritamokk · Mon Dec 28, 2020 4:44 am

After upgrading all our routers (mix of different models: CCR, RB1100AHx4 and CHR) bumped into an issue that IPSec tunnels (GRE based) after Phase 1 is expired Phase 2 fails to form. Before upgrade those tunnels were rock solid for the last 3+ years and survived multiple upgrades.

Active peer shows expired and established Phase 1, but new phase is not passing any traffic. Phase 2 is till shows as associated with expired phase 1
https://prntscr.com/wb5rda

On the Phase 2 (Policies) it looks like it doesn't have info on what flow to encrypt.
https://prnt.sc/wb5u4a

Tunnel configuration on both ends is the same and tunnel is built from behind the firewall with dedicated 1:1 NAT on both ends of the tunnel.

/interface gre
add !keepalive name=GRE-VPN-WEST remote-address=XX.XX.XX.XX

/ip ipsec peer
add address=XX.XX.XX.XX/32 name=VPN-WEST-PEER profile=\
"Default EMS PHASE 1"

/ip ipsec policy
add dst-address=XX.XX.XX.XX/32 peer=VPN-WEST-PEER proposal=\
"Default EMS PHASE 2" src-address=YY.YY.YY.YY/32 (public NAT)

/ip ipsec profile
add dh-group=modp6144 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
"Default EMS PHASE 1"

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-192-cbc lifetime=1h
add enc-algorithms=aes-192-cbc lifetime=1h name="Default EMS PHASE 2"

Please help if you experiencing similar issues as I have no idea where to even start troubleshooting.

Thanks

valemal · Mon Dec 28, 2020 9:42 am

Time for me to ask again, is the bug with the SFP ports not working fixed in this version?

(my MikroTik hAP ac RB962UiGS-5HacT2HnT View this servicedesk in support portal )

eddieb · Mon Dec 28, 2020 10:00 am

Time for me to ask again, is the bug with the SFP ports not working fixed in this version?

(my MikroTik hAP ac RB962UiGS-5HacT2HnT View this servicedesk in support portal )

Your issue might be depending on the type of SFP you use,
I have 4pc of RB962UiGS-5HacT2HnT with Mikrotik SFP's and they work fine
You should contact support directly ....

dg1kwa · Mon Dec 28, 2020 10:06 am

IGMP Snooping not work correct with this release.

4x rb2011, 1x CRS106 and 1x HeX

After some minutes the MDB-table is empthy and the multicast flood to all ports :(

Try different settings, not help.

huntermic · Mon Dec 28, 2020 10:29 am

IGMP Snooping not work correct with this release.

4x rb2011, 1x CRS106 and 1x HeX

After some minutes the MDB-table is empthy and the multicast flood to all ports :(

Try different settings, not help.

No issues with IGMP Snooping here using RB4011 and a couple of HAP AC2 devices

dg1kwa · Mon Dec 28, 2020 10:39 am

IGMP Snooping not work correct with this release.

4x rb2011, 1x CRS106 and 1x HeX

After some minutes the MDB-table is empthy and the multicast flood to all ports :(

Try different settings, not help.
No issues with IGMP Snooping here using RB4011 and a couple of HAP AC2 devices

I switch igmp snooping on, set version to v3. Then the MDB Table start to filling and 1-2 minute later mdb table is empty and multicast traffic flood to all ports :(

With 6.47.8 was all ok

huntermic · Mon Dec 28, 2020 10:42 am

IGMP Snooping not work correct with this release.

4x rb2011, 1x CRS106 and 1x HeX

After some minutes the MDB-table is empthy and the multicast flood to all ports :(

Try different settings, not help.
No issues with IGMP Snooping here using RB4011 and a couple of HAP AC2 devices
I switch igmp snooping on, set version to v3. Then the MDB Table start to filling and 1-2 minute later mdb table is empty and multicast traffic flood to all ports :(

With 6.47.8 was all ok

I'm using IGMP version 2

eworm · Mon Dec 28, 2020 10:47 am

Thats odd - I've got pfs set in phase 2 and the IKEv2 tunnel establishes correctly:

Yes, they establish correctly. But do they rekey without issue? Have a look at your log...

eworm · Mon Dec 28, 2020 10:52 am

Please help if you experiencing similar issues as I have no idea where to even start troubleshooting.

Have a look above, IPSec issues have been discussed before.

Ozon · Mon Dec 28, 2020 12:23 pm

You cannot be serious with this. How are they responsible for anyone deploying this in production just before the holiday's? Testing fine but not actual prod. We freeze all prod equipment around 18th of Dec to 11th of Jan and do not allow any upgrades/changes unless it is an emergency.
If it is this important I recommend you use Long-term instead as they tend to be better in term of version change but always test first.

Customer is always right. Why customer can't use as it marked as stable?

Anyway i'm in contact with support now, they suggested to turn off LLDP
/ip neighbor discovery-settings set protocol=cdp,mndp

UPD:
this doesn't help

Mon Dec 28, 2020 12:27 pm

osc86, mducharme, dioeyandika, psybernoid, jcmerg, brbsh, elbob2002, R00tKit, nimbo78, andkar, newrealsprl, nostromog, bmatic, rushlife, FurfangosFrigyes, deweydb, nwa, FabioA, ganewbie, h17, WirtelPL, complex1, sterod, ganewbie, kombinat, jwelstead, mafiosa, OndrejHolas - Thank you for your reports. These issues will be resolved in the upcoming RouterOS releases.

tomaskir - Is this on a router that was just reset?
TimothyKoval - What do you mean exactly by "crashes"?
MartijnVdS, staticsafe - Have you reported this to support with more details (supout file, pcap files, etc.)?
guruniverse - Can you please provide a supout file from such a router that would be generated right after the router should have received an SMS?
Ivoshiee - If the device has a directory named "flash" in its file list, then files which you want to be kept after system reboot/power cycle must be stored within it. As anything outside of it is kept within a RAM disk and will be lost upon reboot. Note: this does not include .npk upgrade files as they will be applied by the upgrade process before the system discards the RAM drive content.
IYARINDRA, tabareco, netraider, Lemahasta, mikelaurense, samasd, dg1kwa - Can you please provide supout file to support@mikrotik.com from this problematic router?
ksaa, joedoelv, netraider, Ozon, OndrejHolas - Can you please provide supout file to support support@mikrotik.com if you have not done that already? We are currently looking into this.
stefanosp - Did the router simply rever to the default configuration? Is it possible that the reset button is stuck?
npeca75 - No, this is not why we did release new free RouterOS versions for you.
valemal - To which support ticket do you refer to?

nithinkumar2000 · Mon Dec 28, 2020 1:40 pm

For Delegated-IPv6-Prefix - any chance of adding the feature address-change-immediate-update like in Juniper? https://kb.juniper.net/InfoCenter/index ... id=KB31659

You already are doing RADIUS accounting for the DHCPv6-PD session for a PPPoE tunnel, but it is a different session. The address-change-immediate-update setting causes that Delegated-IPv6-Prefix to be copied to the PPPoE session itself. Then the DHCPv6-PD prefix is linked to the PPPoE session as well in RADIUS rather than only being a separate session.

Same Request from me also....

dg1kwa · Mon Dec 28, 2020 2:22 pm

osc86, mducharme, dioeyandika, psybernoid, jcmerg, brbsh, elbob2002, R00tKit, nimbo78, andkar, newrealsprl, nostromog, bmatic, rushlife, FurfangosFrigyes, deweydb, nwa, FabioA, ganewbie, h17, WirtelPL, complex1, sterod, ganewbie, kombinat, jwelstead, mafiosa, OndrejHolas - Thank you for your reports. These issues will be resolved in the upcoming RouterOS releases.

tomaskir - Is this on a router that was just reset?
TimothyKoval - What do you mean exactly by "crashes"?
MartijnVdS, staticsafe - Have you reported this to support with more details (supout file, pcap files, etc.)?
guruniverse - Can you please provide a supout file from such a router that would be generated right after the router should have received an SMS?
Ivoshiee - If the device has a directory named "flash" in its file list, then files which you want to be kept after system reboot/power cycle must be stored within it. As anything outside of it is kept within a RAM disk and will be lost upon reboot. Note: this does not include .npk upgrade files as they will be applied by the upgrade process before the system discards the RAM drive content.
IYARINDRA, tabareco, netraider, Lemahasta, mikelaurense, samasd, dg1kwa - Can you please provide supout file to support@mikrotik.com from this problematic router?
ksaa, joedoelv, netraider, Ozon, OndrejHolas - Can you please provide supout file to support support@mikrotik.com if you have not done that already? We are currently looking into this.
stefanosp - Did the router simply rever to the default configuration? Is it possible that the reset button is stuck?
npeca75 - No, this is not why we did release new free RouterOS versions for you.
valemal - To which support ticket do you refer to?

I send already.
Two new information:
1. MDB Table at all router full (more than 1048 entrys from IPv6-address) then next moment it is empthy
2. on one Router I disable IPv6. Now I have only 5 ipv4 address at mdb table at igmp snopping still work

In not use IPv6-Multicast for IP-TV!

mkx · Mon Dec 28, 2020 2:33 pm

I confirm the problem with SIP connections on this firmware.
I have a bundle of Gigaset C610A IP + RBD52G-5HacD2HnD.

Did you bother to read a few posts before your own? It was suggested to disable LLDP and (at least for some users) this fixes the SIP problem with Gigaset phones.

valemal · Mon Dec 28, 2020 2:39 pm

osc86, mducharme, dioeyandika, psybernoid, jcmerg, brbsh, elbob2002, R00tKit, nimbo78, andkar, newrealsprl, nostromog, bmatic, rushlife, FurfangosFrigyes, deweydb, nwa, FabioA, ganewbie, h17, WirtelPL, complex1, sterod, ganewbie, kombinat, jwelstead, mafiosa, OndrejHolas - Thank you for your reports. These issues will be resolved in the upcoming RouterOS releases.
valemal - To which support ticket do you refer to?

SUP-33662

Ozon · Mon Dec 28, 2020 3:16 pm

ksaa, joedoelv, netraider, Ozon, OndrejHolas - Can you please provide supout file to support support@mikrotik.com if you have not done that already? We are currently looking into this.

done, SUP-37406

valemal · Mon Dec 28, 2020 4:52 pm

Time for me to ask again, is the bug with the SFP ports not working fixed in this version?

(my MikroTik hAP ac RB962UiGS-5HacT2HnT View this servicedesk in support portal )
Your issue might be depending on the type of SFP you use,
I have 4pc of RB962UiGS-5HacT2HnT with Mikrotik SFP's and they work fine
You should contact support directly ....

The SFP module has been tested on MikroTik RB4011iGS + 5HacQ2HnD-IN and has no such issue. But at the same time, there is a problem in the MikroTik hAP ac RB962UiGS-5HacT2HnT router. therefore, I think that the problem is in the RB962UiGS-5HacT2HnT router

spiritamokk · Mon Dec 28, 2020 5:52 pm

Please help if you experiencing similar issues as I have no idea where to even start troubleshooting.
Have a look above, IPSec issues have been discussed before.

Thank you, I've read it all but nothing that would cover my case with IKEv1

hci · Mon Dec 28, 2020 7:00 pm

After upgrading on RB3011 ports in switch group 1 (ether1-5) started flapping every 5 minutes. Rolled back on 6.47.8 and all seems ok. So 3011 users, install with care! ;)
Same here on my RB3011. My WAN port was on ether 2 and kept flapping.

Moved it to ether10 and now have a stable WAN connection again but obviously the flapping issue isn't resolved.

Before moving to ether 10 I turned autonegotiation off but no luck.

We experienced port flapping on RB3011 too. Flapped about every 10 seconds or so. Were only using ethernet ports 1 and 10. Moved device in port 10 to port 5 and issue went away. Port 10 was in bridge group with an EoiP tunnel.

hatred · Mon Dec 28, 2020 9:27 pm

DoH related memory leak reported in SUP-31833 is not fixed in this release.

raystream · Mon Dec 28, 2020 10:56 pm

Port Flapping on RB3011.
great now i am trying to get around but the suggested workaround is not working for me.

that is not really a stable release.
the statement: improved arm stability is wrong.

never had such a bad update from mikrotik.

will go back to long term version

dad2312 · Tue Dec 29, 2020 12:21 am

Sorry i report a problem with PwrLine. After upgrade to 6.48, my two devices (model PL7411-2nD) don't pair.
After reboot, change settings, more and more.. nothing. Downgrade to long term, all change to ok. Untill 6.47.8 everything works fine.
ps: ether1, pwr-line1, wlan (off) all on bridge-local with no protocol (stp, rstp, etc...).

+1

NTESNick · Tue Dec 29, 2020 12:51 am

Port Flapping on RB3011.
great now i am trying to get around but the suggested workaround is not working for me.

that is not really a stable release.
the statement: improved arm stability is wrong.

never had such a bad update from mikrotik.

will go back to long term version

Same issues here :(

mducharme · Tue Dec 29, 2020 1:12 am

Has anybody tried the LLDP-MED support yet? The only device I have to test with at home is an old antique Cisco 7941 phone, and although it gets the VLAN ID through LLDP-MED, after it connects to the voice VLAN and gets an IP there, it goes back to the main VLAN, then proceeds to flap back and forth between the default VLAN and the voice VLAN specified through LLDP-MED. However, I'm not sure if it is something weird that this old phone is doing, or whether there is actually an issue with the LLDP-MED implementation.

It is a rather simple setup - just an RB4011 with the phone plugged in to one of the ports, no bridge VLAN filtering used, and a voice VLAN on the bridge.

netraider · Tue Dec 29, 2020 1:45 am

I confirm the problem with SIP connections on this firmware.
I have a bundle of Gigaset C610A IP + RBD52G-5HacD2HnD. When upgrading to 6.48 started constant disconnections with SIP servers. Unfortunately, the Gigaset C610A IP doesn't provide any additional information about the problems (logs). After downgrading to 6.46.8 everything was normal (as been).

I have exactly the same situation. In Asterisk logs there are disconnections without any reasons and there are no new attempts to reconnects. It looks like Mikrotik is dropping them. Rolling back to previous RouterOS is fully solve the problem.
Also I see a lot of posts about this problem on other network related forums.

anav · Tue Dec 29, 2020 1:53 am

) defconf - improved CAP interface bridging;

What does this mean???

tomaskir · Tue Dec 29, 2020 2:04 am

tomaskir - Is this on a router that was just reset?

No reset, this was a fully configured router on an older version updated to 6.48 without any changes.
Before and after upgrade an "/export compact" was taken, and these 2 were diff-ed.

This resulted in the changeset you see - looks like the defaults changed in 6.48.

mducharme · Tue Dec 29, 2020 2:17 am

It is a rather simple setup - just an RB4011 with the phone plugged in to one of the ports, no bridge VLAN filtering used, and a voice VLAN on the bridge.

Update - I figured out the issue. Every minute or so, the router was sending out an LLDP packet to the phone on both the bridge itself (untagged) and the VLAN interface. The packet from the VLAN interface came just after the packet from the bridge itself.

Normally, the extra LLDP packet that is tagged with the VLAN tag wouldn't cause a major issue, but in this case, it seems that MikroTik is for some reason including the LLDP-MED info only in the packet from "bridge" and not in the packet from the "Voice_VLAN" VLAN interface. Presumably, this is to prevent Q-in-Q or something along those lines. The problem is, however, that the phone interprets this tagged LLDP packet with no LLDP-MED voice vlan specified as an indication that there is no voice VLAN. So that makes it go back to the main untagged VLAN. Once it is on the main untagged VLAN, it is only a matter of time until it gets another LLDP packet from "bridge" with LLDP-MED specified, which makes it go back to the voice VLAN. Now that is back on the voice VLAN, it is only a matter of time until it gets an LLDP packet from the voice vlan with LLDP-MED missing, which makes it think there is no voice VLAN and it switches to untagged. This results in the flapping behaviour that I observed.

For now I have worked around this by purposely creating an interface list that excludes the voice VLAN, so that when the phone is on the VLAN, it only receives the one LLDP packet from "bridge" rather than two LLDP packets from both "bridge" and "Voice_VLAN". It seems that because the Voice_VLAN packet arrives slightly after the packet from bridge, the Voice_VLAN packet with missing voice VLAN ID wins, which causes the phone to flap.

mducharme · Tue Dec 29, 2020 2:57 am

One further update: If I create a second VLAN on the bridge, the phone starts flapping again between untagged and voice vlan tagged. It appears that once it is on the voice vlan, it starts to process any VLAN tagged LLDP packets, even those that are for a completely unrelated VLAN (i.e. it is ignoring the VLAN ID in the tag and just processing LLDP packets tagged for any VLAN). The workaround of using an interface list to prevent this issue then has to include all VLAN interfaces, not just the voice VLAN, otherwise the phone sees the LLDP packet tagged for the other VLAN and decides to switch back to untagged.

mducharme · Tue Dec 29, 2020 3:43 am

Another issue - the bridging by default forwards LLDP frames from other devices. The issue is that if the VoIP phone receives one of these (and mine has), it will flap back to untagged VLAN since the other device's LLDP frame is missing the LLDP-MED Network Policy VLAN. IMO, it would be ideal if there was a relatively easy way of stopping this. Maybe if bridge VLAN filtering is enabled, it will behave differently (I'm not sure if LLDP/CDP frames from other devices are forwarded when bridge vlan filtering is enabled), but it would be great if this were better documented.

EDIT: I tried enabling bridge vlan filtering, it didn't change anything regarding the behavior of LLDP and CDP. I was able to partially work around the issue by disabling hardware offload on all ports and creating a bridge filter as follows:

/interface bridge filter
add action=drop chain=forward comment="Block LLDP forwarding" mac-protocol=lldp
add action=drop chain=forward comment="Block CDP forwarding" dst-mac-address=01:00:0C:CC:CC:CC/FF:FF:FF:FF:FF:FF

But this is not an obvious solution, and this isn't suitable for the CRS switch line where software bridging is much too slow, and also I'm not sure this will help to prevent CDP/LLDP packets with VLAN tags from being forwarded to other ports. It would be ideal if there was a more comprehensive solution for bridges to prevent the forwarding of LLDP or CDP packets from port to port without having to disable hardware offload to accomplish it.

According to this HPE document, LLDP should not be forwarded from port to port under any circumstances: https://techhub.hpe.com/eginfolib/netwo ... 06s12.html

It would make sense to adjust bridging to behave in a similar way so that LLDP is not forwarded.

nevolex · Tue Dec 29, 2020 9:52 am

Hi guys

@emils

Updated my Audience to 6.48 and secondary wifi 5Ghz band is now not working at all (1733 Mbit/s one) I was using it as my primary network not as mesh

Please see that some setting are now missing for the band 5500 (1733 wirelss network compare to regular 5ghz)

Please fix

https://ibb.co/q1KcY6j

dbeyzade · Tue Dec 29, 2020 11:07 am

Testing the new Delegated-IPv6-Prefix via PPPoE software version 6.48

First PPPoE authentication is successful - prefix is assigned from RADIUS

When a second user dials up. There is an error:

could not add dhcpv6 server with pool : server with such name already exists (7)

This seems to stem from the fact the dynamically created DHCPv6 server has no name. Any ideas?

OndrejHolas · Tue Dec 29, 2020 11:51 am

LLDP should not be forwarded from port to port under any circumstances

Agreed. AFAIK, special L2 control protocols (especially those using multicast addresses 01-80-C2-00-00-00 to 01-80-C2-00-00-0F), including LLDP, are intended to be "bridge-to-bridge" and their frames should not be forwarded in any case.

Since LLDP provides information about physical port and its capabilities, LLDP encapsulated in frame with 802.1Q VLAN tag makes no sense and can have unexpected results on buggy or incomplete LLDP implementations.

LLDP(-MED) implementation in ROS is very basic from configuration perspective. No control over TLVs sent, no control over accepting LLDP frames (security policy in some organizations require switches to only transmit basic information to identify ports and discard any discovery information received), no support for multiple voice VLANs on single box, no support for additional media VLANs (signalling, video etc.).

Trunkz · Tue Dec 29, 2020 1:51 pm

Thats odd - I've got pfs set in phase 2 and the IKEv2 tunnel establishes correctly:
Yes, they establish correctly. But do they rekey without issue? Have a look at your log...

You are right. SA expires before rekey. Set pfs to none and will monitor..

likaon · Tue Dec 29, 2020 1:59 pm

Updating the hap AC2 device went quickly and well.

whether this update was intended to fix an Accesspoint problem and fix getting IP with wireless clients. I'm saying that I have two Accesspoint TL-WA854RE and asus rp-ac5 devices that cannot broadcast IP.

tomislav91 · Tue Dec 29, 2020 2:42 pm

Trusted checkbox appears twice in Bridge -> Ports -> <interface> -> General

What that use for?

Jotne · Tue Dec 29, 2020 2:57 pm

DoH related memory leak reported in SUP-31833 is not fixed in this release.

Hmm, you can guess from the graph when I turned on DoH!!
Open space at the end is when I upgraded to 6.48 and you see memory goes up after upgrade as well.

memory.jpg

Tue Dec 29, 2020 3:04 pm

I fixed upload permissions for this section, you can now attach files again

anav · Tue Dec 29, 2020 3:21 pm

Jotne, thanks for sharing your near death experience graph from the hospital. ;-)

Heavy · Tue Dec 29, 2020 3:29 pm

Port flapping on RB3011 for me too after upgrade to 6.48, i've just opened a support ticket to send the supout file

Jotne · Tue Dec 29, 2020 4:17 pm

DoH Turned off, so will see after some days if memory stabilise it self.

@Normis. Thanks, Image uploaded :)

staticsafe · Tue Dec 29, 2020 6:13 pm

Time for me to ask again, is the bug with the SFP ports not working fixed in this version?

(my MikroTik hAP ac RB962UiGS-5HacT2HnT View this servicedesk in support portal )
Your issue might be depending on the type of SFP you use,
I have 4pc of RB962UiGS-5HacT2HnT with Mikrotik SFP's and they work fine
You should contact support directly ....
The SFP module has been tested on MikroTik RB4011iGS + 5HacQ2HnD-IN and has no such issue. But at the same time, there is a problem in the MikroTik hAP ac RB962UiGS-5HacT2HnT router. therefore, I think that the problem is in the RB962UiGS-5HacT2HnT router

I am on a hAP AC, the SFP is ALCATELLUCENT G010SP.

Last time I upgraded from v6.46.6, the SFP interface doesn't get link. I can't replace the SFP with a different one as I believe Bell Canada locks the connection to the specific SFP they provide (if I'm incorrect, somebody let me know because then I can try a Mikrotik or other SFP).

AFAIK, Mikrotik is aware of this issue already, it was reported them a while back when 6.47 was first released.

shavenne · Tue Dec 29, 2020 6:31 pm

6.48 is the same as rc1 I guess? So this =>

Tried to update my switches at home (CRS112-8P-4S, CRS112-8G-4S, CRS309-1G-8S+, CRS328-24P-4S+) to 6.48beta40 yesterday (6.47.4 before).
For some reason all clients stopped getting IPv6 addresses from my RB4011 (with 7.1beta2) then.
I started downgrading the firmware on the CRS328-24P-4S+ (to which the RB4011 is also connected) and all clients connected to it were getting IPv6 addresses again.
I still had to downgrade the other switches too to obtain IPv6 there also.

I find it quite strange as I'm not using any routing or firewall functions on the switches. Actually just VLANs (all IPv6 clients are in a seperate vlan) and nothing else.
Any idea what's going wrong?
Tried the same with 6.48rc1 today. Still the same problem :(
Downgraded to 6.47.8 and it works again immediately.

will remain, right??

This is my config:

# dec/24/2020 14:59:11 by RouterOS 6.47.8
# software id = 76F0-EZPJ
#
# model = CRS328-24P-4S+
# serial number = A1A10A614FF6
/interface bridge
add admin-mac=74:4D:28:D3:63:6B auto-mac=no comment=defconf igmp-snooping=yes \
    name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=pi.home
set [ find default-name=ether2 ] comment="Kamera Hof"
set [ find default-name=ether5 ] comment="Deep-Thought Intel-Karte"
set [ find default-name=ether6 ] comment=Slow-Thought
set [ find default-name=ether11 ] comment=TV
set [ find default-name=ether13 ] comment=HTPC
set [ find default-name=ether14 ] comment=AV-Receiver
set [ find default-name=ether22 ] comment="Freifunk Hotspot (Hof)"
set [ find default-name=ether23 ] comment=\
    "Unifi AP + plastikschleuder.home (RPi)"
set [ find default-name=ether24 ] comment="WAN LTE"
set [ find default-name=sfp-sfpplus1 ] comment="Zum Keller"
set [ find default-name=sfp-sfpplus2 ] comment="Deep-Thought 10G"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
add name=prometheus policy="read,winbox,api,!local,!telnet,!ssh,!ftp,!reboot,!wr\
    ite,!policy,!test,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22 pvid=31
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge comment="IPv6 only" tagged=sfp-sfpplus1,ether5 vlan-ids=66
add bridge=bridge comment="WAN Freifunk" tagged=\
    sfp-sfpplus1,ether23,ether24,sfp-sfpplus2,ether13,ether10 vlan-ids=12
add bridge=bridge comment="Freifunk Hotspot" tagged=sfp-sfpplus1,ether5 \
    untagged=ether22 vlan-ids=31
add bridge=bridge comment=VoIP tagged=sfp-sfpplus1,ether23,ether24 vlan-ids=21
add bridge=bridge comment="WAN FTTH1" tagged=sfp-sfpplus1,ether17 vlan-ids=4001
add bridge=bridge comment="WAN FTTH2" tagged=sfp-sfpplus1,ether17 vlan-ids=4002
add bridge=bridge comment="WWW \FCber bridge-pi" tagged=sfp-sfpplus1,ether17 \
    vlan-ids=4050
add bridge=bridge comment="Freifunk Hotspot (Balkon)" tagged=\
    sfp-sfpplus1,ether5 vlan-ids=32
add bridge=bridge comment="IPv6 Pool 2" tagged=sfp-sfpplus1,ether5 vlan-ids=67
add bridge=bridge comment="WAN LTE" tagged=sfp-sfpplus1,ether24 vlan-ids=4010
add bridge=bridge comment=IceCC tagged=ether5,sfp-sfpplus1 vlan-ids=530
/ip address
add address=192.168.90.7/24 interface=bridge network=192.168.90.0
/ip dns
set servers=192.168.90.1
/ip firewall filter
add action=accept chain=output
add action=accept chain=input
/ip route
add distance=1 gateway=192.168.90.1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=SW_WohnungOben
/system ntp client
set enabled=yes primary-ntp=62.108.36.235 secondary-ntp=46.165.221.137
/system package update
set channel=testing
/system routerboard settings
set boot-os=router-os
/system swos
set address-acquisition-mode=static allow-from-ports="p1,p2,p3,p4,p5,p6,p7,p8,p9\
    ,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28\
    " identity=SW_WohnungOben static-ip-address=192.168.90.7

(exported from v6.47.8)

Tested it now with the final 6.48. Problem still persists. Sniffed with wireshark now: The only packets I'm getting are the MNDP from my router.
Can somebody tell me if it's a bug or not? Or is it just working 'by accident' with old versions and I have misconfigured something?! Doesn't seem like that actually.

/edit: It begins to work again if I disable IGMP snooping. So something is wrong with IGMP/MLD snooping I guess??

tomislav91 · Tue Dec 29, 2020 8:42 pm

Does this affect some Stellaris microcontrollers, because i am having some issue with communication? Maybe some have information?

evince · Tue Dec 29, 2020 10:43 pm

*) branding - fixed LCD logo loading from new style branding package;
How can we add a LCD logo? It would be great to add a custom image with our company logo and the Router-Name.
Go to your Mikrotik account,
At the bottom you see other.
Click on branding maker.
Here you can add your logo.
Then you have to load a package into the router.
If this adjustment is loaded in the router.
You can delete it by netinstall. A reset procedure does not delete them.
I wish you a happy holidays and keep it safe.

Thank you, it helped me :-)

By the way, is there any solution to fix it as default screen? The goal is to display only a logo.

Thank you in advance :)

benoitc · Tue Dec 29, 2020 11:27 pm

RouterOS version 6.48 has been released in public "stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.48 (2020-Dec-22 11:20):

*) arm - added support for automatic CPU frequency stepping for IPQ4018/IPQ4019 devices;
*) arm - improved system stability;
*) arm - improved watchdog and kernel panic reporting in log after reboots on IPQ4018/IPQ4019 devices;
*) arm64 - improved reboot reason reporting in log;
*) bgp - fixed VPNV4 RD byte order;
*) bonding - added LACP monitoring;
*) branding - fixed LCD logo loading from new style branding package;
*) bridge - added "multicast-router" monitoring value for bridge interface;
*) bridge - added fixes and improvements for IGMP and MLD snooping;
*) bridge - added minor fixes and improvements for IGMP snooping with HW offloading;
*) bridge - added warning message when port is disabled by the BPDU guard;
*) bridge - allow to exclude interfaces from extended ports;
*) bridge - automatically remove extended interfaces when deleting PE device from CB;
*) bridge - correctly filter packets by L2MTU size;
*) bridge - correctly remove dynamic VLAN assignment for bridge ports;
*) bridge - fixed "multicast-router" setting on bridge enable;
*) bridge - fixed MDB entry removal when using bridge port "fast-leave" property;
*) bridge - fixed dynamic VLAN assignment when changing port "frame-type" property (introduced in v6.46);
*) bridge - fixed dynamic VLAN assignment when changing port to tagged VLAN member;
*) bridge - fixed link-local multicast forwarding when IGMP snooping and HW offloading is enabled;
*) bridge - fixed local MAC address removal from host table when deleting bridge interface;
*) bridge - fixed multicast table printing;
*) bridge - improved BPDU guard logging;
*) bridge - increased multicast table size to 4K entries;
*) bridge - show "H" flag for extended bridge ports;
*) bridge - show error when switch do not support controlling bridge or port extension;
*) bridge - use "frame-types=admit-all" by default for extended bridge ports;
*) cap - fixed L2MTU setting from CAPsMAN;
*) certificate - clear challenge password on renew;
*) certificate - fixed CRL URL length limit;
*) certificate - fixed private key verification for CA certificate during signing process;
*) certificate - generate CRL even when CRL URL not specified;
*) certificate - properly flush expired SCEP OTP entries;
*) chr - fixed SSH key import on Azure;
*) chr - fixed VLAN tagged packet transmit on bridge for Hyper-V installations;
*) chr - improved interface loading on startup on XEN;
*) chr - improved system stability when changing flow control settings on e1000;
*) cloud - improved backup generation process;
*) conntrack - automatically reduce connection tracking timeouts when table is full;
*) console - allow "once" parameter for bonding monitoring;
*) crs3xx - added initial Bridge Port Extender support;
*) crs3xx - added initial Controlling Bridge support for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
*) crs3xx - added switch-cpu port VLAN filtering (switch-cpu port is now mapped with bridge interface VLAN membership when vlan-filtering is enabled);
*) crs3xx - correctly filter packets by L2MTU size;
*) crs3xx - fixed "custom-drop-packet" and "not-learned" switch stats for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
*) crs3xx - fixed "mirror-source" property on switch port disable for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices;
*) crs3xx - fixed "storm-rate" traffic limiting for switch-cpu port on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
*) crs3xx - fixed "switch-cpu" VLAN membership on bridge disable;
*) crs3xx - fixed CDP packet forwarding for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices;
*) crs3xx - fixed duplicate host entries when creating static switch hosts;
*) crs3xx - fixed port isolation for "switch-cpu" port for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices;
*) crs3xx - fixed port isolation removal for "switch-cpu" port on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
*) crs3xx - fixed switch "copy-to-cpu" property for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices;
*) crs3xx - fixed switch "not-learned" stats for CRS305, CRS326-24G-2S+, CRS328-24P-4S+, CRS328-4C-20S-4S+, CRS318 devices;
*) crs3xx - improved system stability on CRS354 devices;
*) crs3xx - improved system stability when receiving large frames for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices (introduced in v6.47.5);
*) defconf - fixed default configuration loading on RBcAP-2nD and RBwAP-2nD;
*) defconf - fixed static IP address setting in case default configuration loading fails;
*) defconf - improved CAP interface bridging;
*) defconf - improved default configuration generation on devices with non-default wireless interface names;
*) detnet - fixed malformed dummy DHCP User Class option;
*) detnet - use MAC address from bridge interface instead of slave port;
*) dhcp - fixed DHCP packet forwarding to IPsec policies;
*) dhcpv4-server - improved "client-id" value parsing;
*) dhcpv6 server - added support for "Delegated-IPv6-Prefix" for PPP services;
*) dhcpv6-server - added ability to generate binding on first request;
*) dhcpv6-server - added support for "option18" and "option37" for RADIUS managed clients;
*) dhcpv6-server - allow loose static binding "pool" parameter (introduced in v6.46.8);
*) dhcpv6-server - make sure that calling station ID always contains DUID;
*) discovery - added "lldp-med-net-policy-vlan" property for assigning VLAN ID;
*) discovery - allow choosing which discovery protocol is used;
*) discovery - fixed discovery on mesh ports;
*) discovery - fixed discovery packet sending on newly bridged port with "protocol-mode=none";
*) discovery - fixed discovery when enabled only on master port;
*) discovery - send the same "Chassis ID" on all interfaces for LLDP packets;
*) discovery - use interface MAC address when sending MNDP from slave port;
*) disk - fixed external EXT3 disk mounting on x86 systems;
*) dns - added IPv6 support for DoH;
*) dns - do not use type "A" for static entries with unspecified type;
*) dns - end ongoing queries when changing DoH configuration;
*) dns - fixed listening for DNS queries when only dynamic static entries exist (introduced in v6.47);
*) dot1x - accept priority tagged (VLAN 0) EAP packets on dot1x client;
*) dot1x - fixed reauthentication after server rejects a client into VLAN;
*) dot1x - fixed unicast destination EAP packet receiving when a client is running on a bridge port;
*) dude - fixed configuration menu presence on ARM64 devices;
*) export - fixed RouterBOARD USB "type" parameter export;
*) filesystem - fixed repartition on RB4011 series devices;
*) filesystem - fixed repartition on non-first partition;
*) filesystem - improved long-term filesystem stability and data integrity;
*) gps - fixed "init-channel" release when not used;
*) health - changed PSU state parameter type to read-only;
*) health - removed unused "heater-control" and "heater-threshold" parameters;
*) hotspot - added "vlan-id" parameter support for hosts and HTML pages;
*) hotspot - added support for captive portal advertising using DHCP (RFC7710);
*) hotspot - fixed "html-directory" parameter export;
*) hotspot - improved management service stability when receiving bogus packets;
*) ike1 - fixed "my-id=address" parameter usage together with certificate authentication;
*) ike1 - fixed 'rsa-signature-hybrid' authentication method;
*) ike1 - fixed memory leak on multiple CR payloads;
*) ike1 - fixed policy update with and without mode configuration;
*) ike1 - rekey phase 1 as responder for Windows initiators;
*) ike2 - added "prf-algorithm" support for phase 1;
*) ike2 - added support for IKEv2 Message Fragmentation (RFC7383);
*) ike2 - fixed EAP MSK length validation;
*) ike2 - fixed too small payload parsing;
*) ike2 - improved EAP message integrity checking;
*) ike2 - improved child SA rekeying process;
*) interface - added temperature warning and interface disable on overheat for SFP and SFP+ interfaces (CLI only);
*) interface - fixed pwr-line running state (introduced in v6.45);
*) ipsec - added SHA384 hash algorithm support for phase 1;
*) ipsec - do not kill connection when peer's "name" or "comment" is changed;
*) ipsec - fixed client certificate usage when certificate is renewed with SCEP;
*) ipsec - fixed multiple warning message display for peers;
*) ipsec - inactivate peer's policy on disconnect;
*) ipsec - refresh peer's DNS only when phase 1 is down;
*) kidcontrol - allow creating static device entries without assigned user;
*) led - fixed state persistence after device reboot on NetMetal 5 ac devices;
*) lora - fixed device going into "ERROR" state caused by FSK modulated downlinks;
*) lora - limited output power in RU region for range 868.7 MHz - 869.2 MHz according to regulations;
*) lte - added "age" column and "max-age" parameter to "cell-monitor" (CLI only);
*) lte - added "comment" parameter for APN profiles;
*) lte - added support for Alcatel IK41VE1;
*) lte - fixed "band" value reporting;
*) lte - increased "at+cops" reply timeout to 90 seconds;
*) m33g - added support for "/system gpio" menu (CLI only);
*) metarouter - allow creating RouterOS metarouter instances on devices with 16MB flash storage;
*) metarouter - fixed memory leak when tearing down metarouter instance;
*) ppp - added "bridge-learning" parameter support;
*) ppp - added "ipv6-routes" parameter to "secrets" menu;
*) ppp - added support for "Framed-IPv6-Route" RADIUS attribute;
*) ppp - store "last-caller-id" for PPP secrets;
*) ppp - store "last-disconnect-reason" for PPP secrets;
*) profile - added "lcd" process classificator;
*) profile - improved idle process detection on x86 processors;
*) profile - improved process classification on ARM devices;
*) quickset - added "Port Mapping" to QuickSet;
*) quickset - fixed local IP address setting on master interface;
*) route - improved stability when 6to4 interface is configured with disabled IPv6 package;
*) routerboard - fixed PCIe bus reset during power-on on MMIPS devices ("/system routerboard upgrade" required);
*) routerboard - force power-down on PCIe bus during reboot on LHGR devices ("/system routerboard upgrade" required);
*) script - added error message in the logs if startup script runtime limit was exceeded;
*) snmp - added information from IPsec "active-peers" menu to MIKROTIK-MIB;
*) snmp - added new LTE monitoring OID's to MIKROTIK-MIB;
*) snmp - fixed value types for "dot1dStp";
*) snmp - fixed value types for "dot1qPvid";
*) ssh - fixed returned output saving to file when "output-to-file" parameter is used;
*) ssh - skip interactive authentication when not running in interactive mode;
*) supout - added bonding interface monitor information;
*) supout - improved autosupout.rif file generation process;
*) timezone - updated timezone information from "tzdata2020d" release;
*) tr069-client - added "X_MIKROTIK_MimoRSRP" parameter for LTE RSRP value reporting;
*) tr069-client - added LTE model and revision parameters;
*) tr069-client - added additional wireless registration table parameters;
*) tr069-client - added branding package build time parameter;
*) tr069-client - added wireless "noise-floor" and "overall-tx-ccq" information parameters;
*) tr069-client - allow passing LTE firmware update URL as XML;
*) tr069-client - fixed RouterOS downgrade procedure;
*) tr069-client - fixed TotalBytesReceived parameter value;
*) tr069-client - send correct "ConnectionRequestURL" when using IPv6;
*) traffic-flow - added "sys-init-time" parameter support;
*) traffic-flow - added NAT event logging support for IPFIX;
*) traffic-generator - fixed 32Gbps limitation;
*) user-manager - do not allow creating limitation that crosses midnight;
*) user-manager - updated PayPal's root certificate authorities;
*) webfig - allow hiding QuickSet mode selector;
*) webfig - allow hiding and renaming inline buttons;
*) webfig - fixed default value presence when creating new entries under "IP/Kid Control";
*) webfig - properly stop background processes when switching away from QuickSet tab;
*) winbox - added "src-mac-address" parameter under "IP/DHCP-Server/Leases" menu;
*) winbox - added missing IGMP Snooping settings to "Bridge" menu;
*) winbox - added missing MSTP settings to "Bridge" menu;
*) winbox - added support for LTE Cell Monitor;
*) winbox - allow adding bonding interface with one slave interface;
*) winbox - allow performing "USB Power Reset" on "0" bus on RBM33G;
*) winbox - do not show "network-mode" parameter for LTE interfaces that do not support it;
*) winbox - fixed "IP->Kid Control->Devices" table automatic refreshing;
*) winbox - fixed "interface" and "on-interface" parameter presence under "Bridge/Hosts" menu;
*) winbox - fixed "receive-errors" setting persistence under "Wireless/Wireless Sniffer/Settings" menu;
*) winbox - fixed "tls-version" parameter setting under "IP/Services" menu;
*) winbox - fixed minor typo in "Users" menu;
*) winbox - provide sane default values for bridge "VLAN IDs" parameter;
*) winbox - use health values reported by gauges for "System/Health" menu;
*) wireless - added U-NII-2 support for US and Canada country profiles for mANTBox series devices;
*) wireless - create "connect-list" rule when address specified for "setup-repeater";
*) wireless - do not override MTU and ARP values from CAPsMAN with local forwarding;
*) wireless - improved WPS process stability;
*) wireless - increased "group-key-update" maximum value to 1 day;
*) wireless - updated "indonesia5" regulatory domain information;
*) wireless - updated "no_country_set" regulatory domain information;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this particular RouterOS release.

with this release fans on the CRS312-4C+8XG-RM are running at max :/ any idea how ic an reduce the speed?

acidvenom · Wed Dec 30, 2020 12:05 am

RB3011 - ports 6-10 flapping every 5 seconds.
IKEv2 policy problem with "no generate" option. Server drops random connection if there are 2 IKEv2 tunnels from single client IP address.

spiritamokk · Wed Dec 30, 2020 4:46 am

Please help if you experiencing similar issues as I have no idea where to even start troubleshooting.
Have a look above, IPSec issues have been discussed before.

Downgraded from "Stable" 6.48 to Long-Term 6.46.8 and IPSec IKEv1 issues disappeared. I guess I was just lucky not getting problems for 3 years, so no more "Stable" releases for me. Will stick to less "feature rich" upgrades =)

Heavy · Wed Dec 30, 2020 12:29 pm

i've received a reply from the support, they solve the 3011 port flapping on the next 6.48.xx

Jotne · Wed Dec 30, 2020 12:56 pm

DoH does definitely have a memory problem. After turning it off for one day, this is how my memory logs looks like on my hEX.
Support case created. SUP-37699
.

memory2.jpg

OndrejHolas · Wed Dec 30, 2020 1:46 pm

Also noticed that after upgrade to 6.48 the hAP lite (RB941-2nD - smips) stopped transmitting LLDP frames (neither periodic nor after receiving MED probe from phone), although it still processes received LLDP frames (discovered phones are visible in /ip nei pr); all three discovery protocols are enabled, MNDP and CDP frames are transmitted, but not LLDP.

6.47.8 with the same configuration transmits periodic LLDP frames as expected.

CTSsean · Wed Dec 30, 2020 3:07 pm

I think the moral to this story is to avoid majors (6.48) and wait until the first minor (6.48.1)
Moral of this story:

1. MKT was forced by sales department to release "new" (7b/6b) versions before christmas without testing
2. Never trust blindly and install anything on holiday season

only a narcissist would say this.

Lemahasta · Wed Dec 30, 2020 6:39 pm

After upgrade from 6.47.8 IPSEC-IKEV2 from windows 10 client -> mikrotik CCR 1009 using eap-radius stopped working.

After downgrade everything works fine again. RADIUS sends access-accept, windows client tries connecting for some time than just times out.
No errors in mikrotik. Just doesn't work.

Downgrade to 6.47.8 fixes issue.

IPSEC-IKEV2 using strongswan client (for android) works fine in both versions (6.47.8 and 6.48).

Error I'm getting on mikrotik is:
invalid MSK length

I suppose that's caused by the patch note:
*) ike2 - fixed EAP MSK length validation;

I don't know, doesn't seem fixed if standard windows 10 client is now invalid, but worked before.
Changing on windows client EAP from EAP-PEAP to EAP-MSCHAP2 fixes ("=>EAP MSK (size 0x20))" is in debug. But this setting is not preferred.

tesme33 · Wed Dec 30, 2020 9:40 pm

Hi
just want to add some information to the Multicast related discussions.
Upgraded my CRS326 to 6.48 and MDB was not filling. Enabling Multicast snooping (which was disabled) --> MDB was filling.
But still no Multicast traffic going through. How do i know ?
Easy answer my SatIP setup is no longer working. The clients no longer see the SatIP server.

[admin@CRS326] /system routerboard> print
                ;;; Firmware upgraded successfully, please reboot for changes
                    to take effect!
       routerboard: yes
             model: CRS326-24G-2S+
     serial-number: 94550966B962
     firmware-type: dx3230L
  factory-firmware: 6.42.7
  current-firmware: 6.47.8
  upgrade-firmware: 6.48

[admin@CRS326] /interface bridge> print
Flags: X - disabled, R - running
 0 R name="bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled
     arp-timeout=auto mac-address=B8:69:F4:8D:F3:76 protocol-mode=none
     fast-forward=yes igmp-snooping=yes multicast-router=temporary-query
     multicast-querier=no startup-query-count=2 last-member-query-count=2
     last-member-interval=1s membership-interval=4m20s querier-interval=4m15s
     query-interval=2m5s query-response-interval=10s
     startup-query-interval=31s250ms igmp-version=2 mld-version=1 auto-mac=no
     admin-mac=B8:69:F4:8D:F3:76 ageing-time=5m vlan-filtering=no
     dhcp-snooping=no


[admin@CRS326] /interface bridge mdb> print
GROUP                                                VID PORTS      BRIDGE
239.255.255.250                                          sfp-sfp... bridge
                                                         ether23...
                                                         sfp-sfp...
                                                         ether3
                                                         ether1 ...
                                                         ether9 ...
                                                         ether12...
                                                         ether19...
ff02::fb                                                 ether1 ... bridge
                                                         ether12...

techdude · Wed Dec 30, 2020 10:12 pm

Applied the 6.48 on my CRS354 in my fully functional environment. After i could not access the device and it created loops so the entire network went down until i turned the CRS354 off. I'm running MSTP that was working 100% in 6.47.8. After downgrade back to 6.47.8 everything works. I run two bonding interfaces with 802.3ad that works in 6.47.8, i suspect the loops could be related to those but i haven't had time to do more testing as it cost me a few hours just to fix this downgrade and troubleshoot. I will wait until a more stable release before i try again, i might configure the device from scratch next time to see whats causing issues.

MikeRoTik · Wed Dec 30, 2020 11:01 pm

m33g - added support for "/system gpio" menu (CLI only);

Could we please, please, please have the documentation for the RBM33G Header and instructions on how to trigger the gpio pins as inputs? (Pull up, pull down, resistor?, etc...)

Did I say PLEASE?

tesme33 · Wed Dec 30, 2020 11:41 pm

After reboot and new firmware it is working.
Lets see if it stops after some time. As mentioned in a post before.

[admin@CRS326] /system routerboard> print
       routerboard: yes
             model: CRS326-24G-2S+
     serial-number: 94550966B962
     firmware-type: dx3230L
  factory-firmware: 6.42.7
  current-firmware: 6.48
  upgrade-firmware: 6.48

Hi
just want to add some information to the Multicast related discussions.
Upgraded my CRS326 to 6.48 and MDB was not filling. Enabling Multicast snooping (which was disabled) --> MDB was filling.
But still no Mulricast traffic going through. How do i know ?
Easy answer my SatIP setup is no longer working. The clients no longer see the SatIP server.
Code: Select all
[admin@CRS326] /system routerboard> print
                ;;; Firmware upgraded successfully, please reboot for changes
                    to take effect!
       routerboard: yes
             model: CRS326-24G-2S+
     serial-number: 94550966B962
     firmware-type: dx3230L
  factory-firmware: 6.42.7
  current-firmware: 6.47.8
  upgrade-firmware: 6.48

...
                                                         ether12...
                                                         ether19...
ff02::fb                                                 ether1 ... bridge
                                                         ether12...

Jotne · Thu Dec 31, 2020 8:10 am

Found change in logging that was not mention in the DHCP logs.

&MT Please also list these type of changes as well, since my Splunk for Mikrotik did stop showing DHCP logs due to this.
Its positive that you finally have stated to clean up the logs mess :) viewtopic.php?t=124291

Old format

dhcp,debug,packet MikroTik: DHCP-Main received request with id 2264044792 from 192.168.10.230

New format

dhcp,debug MikroTik: DHCP-Main received request id 212743147 from 192.168.10.230 '1:c4:ad:34:c3:37:xx'

packet is removed and mac added to this log line
MikroTik: is a prefix I have added.

What other logs has changed?

herger · Thu Dec 31, 2020 2:32 pm

I noticed that when using a CRS317 as Port Controller and a CRS309 as Port Extender, once the link between the two devices fails the Port Controller completely stops forwarding and is not accessible anymore. It stays in the locked up state until the link to the Port Extender is restored. This behavior makes it some what risky to use this new feature but i hope this will be fixed in future versions.

TheSirStumfy · Fri Jan 01, 2021 10:25 am

Really hope they fix the RB3011 finally.

Mine has been flapping for years, I have 2 years of logs to prove it. Some updates ware better some worse, but none fixed it truly.

set X cpu-flow-control=no name="Switch x" does help a bit, but never really went away, just went from many flaps a day to some flaps per week.

Im honestly half way to asking for a refund, since the product just does not work in the current state. It has caused corrupted backups in the past when the flap landed on the backup schedule.

Kindis · Fri Jan 01, 2021 11:05 am

Really hope they fix the RB3011 finally.

Mine has been flapping for years, I have 2 years of logs to prove it. Some updates ware better some worse, but none fixed it truly.

set X cpu-flow-control=no name="Switch x" does help a bit, but never really went away, just went from many flaps a day to some flaps per week.

Im honestly half way to asking for a refund, since the product just does not work in the current state. It has caused corrupted backups in the past when the flap landed on the backup schedule.

I have two 3011 and I have none of these issue. Are your sure it is not the connected devices or cable?

I use to have a flapping issue on my RB750gr3 but after I disabled EEE on the port in the Zyxel switch this issue went away.

notToNew · Fri Jan 01, 2021 11:28 am

I have two 3011 and I have none of these issue. Are your sure it is not the connected devices or cable?

I use to have a flapping issue on my RB750gr3 but after I disabled EEE on the port in the Zyxel switch this issue went away.

same here. IT was not mikrotik. at anotzer location I had serious electrical Problems. I needed to use a special cat2 safety poweradapter to get rid of the Port disconnects.

TheSirStumfy · Fri Jan 01, 2021 12:06 pm

Hm.. the only thing honestly that could be a problem is a SFP module. Ok thanks for the idea guys, Ill play around with switching if for a different one, perhaps it could be causing problems.. Did not try that, because it works fine.

zervan · Fri Jan 01, 2021 12:09 pm

Did this update break anyone else's pwr line setup? I have a pwr line pro and at the other end of pwr line AP and the link between them is now incredibly unstable. I had to downgrade to 6.47.8 to restore connectivity.

Yes, there is a bug at least in PWR-LINE AP: The problem is that interface "pwr-line" is reported as not running despite the fact that it is sending and receiving frames, see the screenshot from WinBox. If the interface is part of bridge, then it is reported as invalid.

Masyanich · Fri Jan 01, 2021 1:29 pm

ccr 1016-12g
resetted all ppp secrets after upgrade
this build is a pure disaster

erlinden · Fri Jan 01, 2021 2:07 pm

I absolute love the wireless improvement I'm experiencing. More stability and higher speeds.

Unfortunately I noticed periodic "link down", strangely enough only between my RB4011 and my CRS112-8P-4S. This is not occurring between the RB4011 and a cAP ac and not between CRS112-8P-4S and the cAP ac and wAP ac. Have not excluded possible cable problems, but on the other hand, I never noticed it on the LTS I was running previously.

nichky · Fri Jan 01, 2021 11:49 pm

*) ppp - store "last-caller-id" for PPP secrets;

how that one works?

randomwalk · Sat Jan 02, 2021 10:21 am

DNS regression after 6.48 update
RB450Gx4
edited --> 6.46.8 (FW 6.46.8) LTS --> 6.47.8 (FW 6.47.8) Stable --> 6.48 (FW 6.47.8) Stable --> 6.46.8 (FW 6.46.8) <--- edited

1. CPU utilization during reboot spiked higher, and stayed high for much longer.
2. RouterOS took 15 min to parse ~83,000 static DNS records at reboot compared to <1 min before.
3. Idle CPU utilization after update increased from 0% to 2%
4. DNS service was unavailable for 15 minutes after reboot.
5. Router downtime ~15 min upon reboot is not acceptable. Compare it to <1 min before.

My configuration includes ~83,000 static DNS records, so I had to downgrade to 6.46.8 LTS.
After downgrade, the CPU utilization went back to normal, with less than 1 minute downtime again.

See some screenshots:

https://pasteboard.co/JHKgyOC.png

https://pasteboard.co/JHKlz5U.png

randomwalk · Sat Jan 02, 2021 10:33 am

we are waiting for 6.48.5 .. stable release is beta channel

Agree, The "stable" channel should be called Beta.

DarkNate · Sat Jan 02, 2021 10:44 am

we are waiting for 6.48.5 .. stable release is beta channel
Agree, The "stable" channel should be called Beta.

Although v6.48 is perfectly stable for my RB450Gx4. I agree with you and the other members here.

Eventually, I will be forced to move to a different vendor with a more reliable "stable" channel for patches/updates.

complex1 · Sat Jan 02, 2021 12:30 pm

we are waiting for 6.48.5 .. stable release is beta channel
Agree, The "stable" channel should be called Beta.
Although v6.48 is perfectly stable for my RB450Gx4. I agree with you and the other members here.

Eventually, I will be forced to move to a different vendor with a more reliable "stable" channel for patches/updates.

... or use the Long-term version if you want a more stable version. ;-)

acidvenom · Sat Jan 02, 2021 12:42 pm

we are waiting for 6.48.5 .. stable release is beta channel
Agree, The "stable" channel should be called Beta.
Although v6.48 is perfectly stable for my RB450Gx4. I agree with you and the other members here.

Eventually, I will be forced to move to a different vendor with a more reliable "stable" channel for patches/updates.

OK then find equal vendor with handy console, cheap devices with support and a lot of features.

Jotne · Sat Jan 02, 2021 9:46 pm

6.46.8 LTS --> 6.48 Stable --> 6.46.8 LTS

Did you also upgrade the firmware.

randomwalk · Sun Jan 03, 2021 1:22 am

6.46.8 LTS --> 6.48 Stable --> 6.46.8 LTS
Did you also upgrade the firmware.

No i did not upgrade the firmware. The firmware was v6.47.8 (i forgot that I switched to Stable channel ~4 weeks ago.)
Here is my exact (more accurate) update path:
6.46.8 (FW 6.46.8) LTS --> 6.47.8 (FW 6.47.8) Stable --> 6.48 (FW 6.47.8) Stable --> 6.46.8 (FW 6.46.8)
So in the end i rolled back both the firmware and routeros to LTS.

P.S. To mikrotik developers: here is another snapshot some 16 hrs later.
It appears that 6.48 memory usage is better than 6.47.8, but neither can match 6.46.8 which is better in both: CPU and RAM usage

https://pasteboard.co/JHQqX4v.png

Jotne · Sun Jan 03, 2021 9:32 am

Image

Do not post link to image. Upload them to the forum use the Attachments button below the post window. It will then stay in the forum.

zeek01 · Sun Jan 03, 2021 5:10 pm

After upgrading on RB3011 ports in switch group 1 (ether1-5) started flapping every 5 minutes. Rolled back on 6.47.8 and all seems ok. So 3011 users, install with care! ;)

My RB3011 has flapping ports on both switch groups (1-5) and (6-10), going to roll back now... if I can work out how!!

IF YOU HAVE AN RB3011 DON'T USE THIS FIRMWRE would be my advice.

Steve

elbob2002 · Mon Jan 04, 2021 8:49 am

After upgrading on RB3011 ports in switch group 1 (ether1-5) started flapping every 5 minutes. Rolled back on 6.47.8 and all seems ok. So 3011 users, install with care! ;)

My RB3011 has flapping ports on both switch groups (1-5) and (6-10), going to roll back now... if I can work out how!!

IF YOU HAVE AN RB3011 DON'T USE THIS FIRMWRE would be my advice.

Steve

Copy the correct .npk to your RB3011 using Winbox to Files folder.

https://download.mikrotik.com/routeros/ ... 6.47.8.npk

From the terminal in winbox type

/system package downgrade

jakubk2 · Mon Jan 04, 2021 10:28 am

i can confirm massive connectivity issues with Gigaset phones after upgrading to 6.48

rb962UiGS and Gigaset C430 IP
rb951G-2HnD and Gigaset A690 IP (same issues with A580 IP)

i had to downgrade both routers to 6.46.8. After downgrade everything is working fine again.

WildRat · Mon Jan 04, 2021 1:24 pm

The hAP ac v6.48 router rebooted today due to an existing memory leak issue:

This problem has been present in several recent stable releases:

This is most likely due to DoH function, because my secondary router wAP ac don't have same problem.

Jotne · Mon Jan 04, 2021 2:14 pm

This is most likely due to DoH function, because my secondary router wAP ac don't have same problem.

If you did read this thread, you will see that I posted the same here:
viewtopic.php?p=837044#p837044

MT will try to fix it for the next release.

randomwalk · Tue Jan 05, 2021 2:44 am

Image
Do not post link to image. Upload them to the forum use the Attachments button below the post window. It will then stay in the forum.

I tried, but don't have the privilege according to forum faq. Thanks anyway.

aries · Tue Jan 05, 2021 7:46 pm

Hello,
After upgrading to 6.48, dhcp snooping is not working (blocking dhcp requests) on CRS326-24G-2S+ and CRS305-1G-4S+

Best regards.

avggeek · Wed Jan 06, 2021 5:45 am

On RB750gr3, Winbox 3.27 does not show any health information in v6.48. However "/system health print" works fine:

zandhaas · Wed Jan 06, 2021 10:20 am

On RB750gr3, Winbox 3.27 does not show any health information in v6.48. However "/system health print" works fine:

I have upgraded my RB750GR3 from 6.47.8 to 6.48 and Winbox 3.27 does show system health information.

2021-01-06 09_11_33-Keeper Desktop Applet.png

mafiosa · Wed Jan 06, 2021 12:07 pm

fix port flapping please for 3011 ASAP

netraider · Thu Jan 07, 2021 12:19 am

fix port flapping please for 3011 ASAP

And SIP forwarding too

imadloo · Thu Jan 07, 2021 8:38 am

Hello

Problem after RB493G update. Mikrotik won't let traffic through and keeps crashing after several hours. Duplicate tested.

Other models such as: RB750Gr3, RB960PGS, RB2011iLS, RB750GL all ok.

avggeek · Thu Jan 07, 2021 10:12 am

I have upgraded my RB750GR3 from 6.47.8 to 6.48 and Winbox 3.27 does show system health information.

2021-01-06 09_11_33-Keeper Desktop Applet.png

Did you upgrade firmware under "/system routerboard"? I have upgraded mine and I wonder if this is the cause.

Update: It doesn't seem to be an issue with the board firmware. I found that if I downgrade to long-term (6.46.8) the system health option works correctly, even with board firmware at 6.48. Upgrading from there to 6.48 Stable breaks it again. So it's something in the 6.48 packages.

Update #2: Well that's bizzare. I selected the system package and clicked Downgrade. Router rebooted and still shows system package version as 6.48 same as other packages. But now System>Health works in Winbox.

zandhaas · Thu Jan 07, 2021 11:10 pm

Did you upgrade firmware under "/system routerboard"? I have upgraded mine and I wonder if this is the cause.

No this time I seemed to have forgotten to upgrade the routerboard firmware. Normaly I do it right after the RouterOS. So this is different to your environment.

For now I wait with the upgrade of the routerboard firmware :)

mikrotikedoff · Fri Jan 08, 2021 2:57 am

@Mountaineer

Hello and welcome as I see you are new. With Mikrotik you have to treat LT as "stable", stable as beta, testing as alpha, and beta as experimental. This has been a long term gripe from the community. Please be advised sometimes they release a bad/bugged LT version as well so even that tree cant be 100% depended on. Many people end up bouncing between stable and LT tree depending on which is performing better at a given time. For instance, all my production equipment at the moment is on 6.47.7 stable. They also never remove broken software versions they just add the new release when it becomes available. You'll definitely want to consider investing in some equipment to lab with to test new releases with before deployment.

Best regards,

OndrejHolas · Fri Jan 08, 2021 11:30 am

RB750GL with 6.48, directly connected Gigaset A540 IP (with latest firmware 42.248), no problems observed. Also checked with discovery turned on for all interfaces, including LLDP, and cold restart of the VoIP base (to achieve full init). Neither ping losses nor lagged/unreachable messages in Asterisk log (qualifyfreq=11) were detected. SIP uses TCP transport. Maybe A540 IP is too basic model and is not affected by LLDP changes - packet capture is missing LLDP-MED probes from the phone, so it seems that A540 IP does not support LLDP at all.

osc86 · Fri Jan 08, 2021 5:51 pm

It seems static DNS records of type FWD are ignored once a DoH server is added.
Is this a design decision or a bug? If this is not going to change, we'll never be able to use it, because we need conditional forwarding.

eworm · Fri Jan 08, 2021 6:04 pm

It seems static DNS records of type FWD are ignored once a DoH server is added.
Is this a design decision or a bug? If this is not going to change, we'll never be able to use it, because we need conditional forwarding.

It has been this way since DoH has been introduced in 6.47 - see older release threads for details...
There has not been an answer from Mikrotik. I hope this is considered a bug and will be fix. I causes a lot of trouble for me as well.

osc86 · Fri Jan 08, 2021 6:23 pm

I hope we'll get an official statement from a Mikrotik representative. As a workaround I'm currently forwarding all DNS requests to an OpenBSD machine running unbound, which handels DoH and CF just fine. Would be great if this could be done on the router itself.

eworm · Fri Jan 08, 2021 6:28 pm

Best is to open a support ticket with the complains.
I did not for 6.47 - in hope anything happens with the details in release thread...

Will open a ticket myself soon.

I had thought about an extra Raspberry Pi for DNS... But that would be a share for Mikrotik routers.
Also this is not an option for "mobile" devices, for example my hAP ac² or wAP ac LTE I carry in my bag...

deliveri · Fri Jan 08, 2021 7:32 pm

Hi R00tKit,
we are experiencing similar problems, with CCR1016-12S-1S+ , since upgrade to 6.48 .
SIP packets randomly disappear, mainly Siemens Gigaset A510IP A540 IP A690 IP affected.
But RTP (UDP stream) also affected randomly the uploading (going out to internet) packets losts.

Did you made a rollback from Mikrotik Firmware 6.48 to older one? Does is solve the SIP traffic problem?

Sadly I confirm the problem with Several RB3011. The switch chip of ports 1-5 works erratically after the upgrade.
All my PPPoE connections on those ports (usually 1,2) started flapping.
Switching to ports 6-10 worked for me, but this is kind of serious.

Edit: After several days I have customers reporting SIP connectivity problems with their Gigaset handsets as well. These have RB2011UiAS. I think I will revert to the older version for now

Kindis · Fri Jan 08, 2021 8:27 pm

Read in this thread about SIP and workaround.. All is written here.

korekvin · Sat Jan 09, 2021 1:50 am

I have been pulling my hair over the Pwr-line units I have recently purchased.
6.48 indeed breaks pwr-line communication completely.
Installing long-term 6.46.8 solved the issue.

fs89 · Mon Jan 11, 2021 11:21 am

Hey@ALL

After upgrading to version 6.48, I cannot create a new "bridge" or "ppp" connection.
The URL appears in the browser, but the web interface remains empty.

EXAMPLE:
- http://%IP%/webfig/#PPP.Interface.new.OVPN_Client
- http://%IP%/webfig/#Bridge.Bridge.new

THX for help and feedback

si458 · Mon Jan 11, 2021 12:36 pm

Hi R00tKit,
we are experiencing similar problems, with CCR1016-12S-1S+ , since upgrade to 6.48 .
SIP packets randomly disappear, mainly Siemens Gigaset A510IP A540 IP A690 IP affected.
But RTP (UDP stream) also affected randomly the uploading (going out to internet) packets losts.

Did you made a rollback from Mikrotik Firmware 6.48 to older one? Does is solve the SIP traffic problem?

Sadly I confirm the problem with Several RB3011. The switch chip of ports 1-5 works erratically after the upgrade.
All my PPPoE connections on those ports (usually 1,2) started flapping.
Switching to ports 6-10 worked for me, but this is kind of serious.

Edit: After several days I have customers reporting SIP connectivity problems with their Gigaset handsets as well. These have RB2011UiAS. I think I will revert to the older version for now

i can confirm if you roll back a software update/firmware update to 6.47.8 it does indeed fix the SIP issue with gigaset handsets
if you pinged the devices the pings would drop out randomly at the same time the sip would drop out,
i had spend a full week onsite at a single site trying to fix this issue (even arranged to purchase new handsets cuz i thought they had broken the phones)
then realizing i had done updates a week prior and after checking the comments here others having the same issue i was, i rolled it back and worked straight away!
i havent tried the DISABLE LLDP that others have suggested using the 6.48 update, but i'm hanging fire upgrading again for now until a new update next month

R00tKit · Mon Jan 11, 2021 1:34 pm

Did you made a rollback from Mikrotik Firmware 6.48 to older one? Does is solve the SIP traffic problem?

Hello. Yes, Going back to the previous version fixed all problems. All we can do for now is rollback and wait for the next version.

nostromog · Mon Jan 11, 2021 1:46 pm

I have been pulling my hair over the Pwr-line units I have recently purchased.
6.48 indeed breaks pwr-line communication completely.
Installing long-term 6.46.8 solved the issue.

Not for my pwrline power sources for mAP Lite. Those were fully broken for a number of releases, and 6.48 seem to have changed the behaviour in a positive sense, but breaking connectivity. I'm waiting for a fix in 6.48, my devices have been broken for several months, and they don't work when downgrading and no response from my support ticket.

DmitryT · Mon Jan 11, 2021 2:58 pm

two 2011 down, port remapped and updown loop
two 3011 down, port remapped, freezes
HEX works but freezes

WiesiDeluxe · Mon Jan 11, 2021 2:59 pm

Sorry i report a problem with PwrLine. After upgrade to 6.48, my two devices (model PL7411-2nD) don't pair.
After reboot, change settings, more and more.. nothing. Downgrade to long term, all change to ok. Untill 6.47.8 everything works fine.
ps: ether1, pwr-line1, wlan (off) all on bridge-local with no protocol (stp, rstp, etc...).
Same here, switching to long-term channel with v6.46.8 solved the issue with my 3 pwr-line devices.

+1 same here, worked again after downgrade to long term

Kiasw · Mon Jan 11, 2021 6:12 pm

rb3011 down, freezes vpn clients.

Kiasw · Mon Jan 11, 2021 6:16 pm

Rolling back the firmware to stable 6.46.8 solved the problem. Owners of RB3011 are very careful to upgrade to this version.

Kiasw · Mon Jan 11, 2021 6:23 pm

On RB951Ui-2nd, RB941-2nd-OK

Mainale · Mon Jan 11, 2021 7:37 pm

I see I`m not alone with my issues.

Ivoshiee · Tue Jan 12, 2021 12:58 pm

The 60GHz link has still issues with traffic stoppage/link down. I just experienced one to see that the link was still up, but the IP-traffic was sopped. I got the supout.rif file and performed disable/enable on the 60Ghz interface. IP-traffic resumed.

hajde · Tue Jan 12, 2021 4:09 pm

PL7411-2nD after upgrade, dosnt connect over PCL. 5 devices same situation. Downgrade to 6.47.8 solve problem.

kaspi4 · Tue Jan 12, 2021 4:14 pm

My 3011 started port flapping on sw6-10 since 6.48 is there any ideas?

/interface ethernet switch set switch2 cpu-flow-control=no Does not help

I have sstp_server_binding (saw someone with same issues on gre tunnel)

hajde · Tue Jan 12, 2021 4:25 pm

Run on 6.47.8.

kaspi4 · Tue Jan 12, 2021 4:32 pm

Run on 6.47.8.

Will try, thanks!