v6.48.6 [long-term] is released!

emils · Tue Dec 07, 2021 12:37 pm

RouterOS version 6.48.6 has been released in public "long-term" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.48.6 (2021-Dec-03 12:15):

MAJOR CHANGES IN v6.48.6:
----------------------
!) device-mode - added feature locking mechanism;
----------------------

Changes since 6.48.5:

*) certificate - improved stability when sending bogus SCEP message;
*) quickset - use 5GHz interface's country for "Home AP Dual" configuration;
*) system - improved system stability if device is upgraded from RouterOS and/or RouterBOOT v6.41.4 or older;
*) upgrade - added new "upgrade" channel for upgrades between major versions;
*) winbox - do not allow to add/remove W60G interfaces;
*) wireless - added U-NII-2 support for US and Canada country profiles for cAP ac XL and QRT 5 ac;

For a full changelog please visit https://mikrotik.com/download/changelogs

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this specific RouterOS release.

infabo · Tue Dec 07, 2021 1:33 pm

I always thought that long-term does only receive bugfixes - and no new features.

mrz · Tue Dec 07, 2021 1:35 pm

security related stuff is an exception.

Amm0 · Tue Dec 07, 2021 2:42 pm

security related stuff is an exception.

What's the recommend way of using device-mode if it's for security?

e.g. Is there some security bulletin/notice that describes the vulnerability this addresses?

Znevna · Tue Dec 07, 2021 2:58 pm

https://help.mikrotik.com/docs/display/ROS/Device-mode

Amm0 · Tue Dec 07, 2021 3:19 pm

https://help.mikrotik.com/docs/display/ROS/Device-mode

True, but why would some need to ENABLE it. What security problem does it address?

Are there known vulnerabilities this addresses? It must being back ported to long-term as for "security" for some reason.

Znevna · Tue Dec 07, 2021 3:20 pm

You're just trolling right now, right?

infabo · Tue Dec 07, 2021 3:28 pm

Device mode does not target any explicit vulnerability. It is a security measure. Just read the wiki article about what device mode does and look for meris botnet here in the forum. It may answer your questions.

Amm0 · Tue Dec 07, 2021 3:31 pm

You're just trolling right now, right?

If a vendor says something is "for security" in nearly all cases there is some notice about vulnerabilities a *security* feature address. If it's just a feature, then don't mention security.

I worry Mikrotik knows about new vulnerability and device-lock is some fix for it. And, they don't want to say what the vulnerability is yet.

Amm0 · Tue Dec 07, 2021 3:32 pm

Device mode does not target any explicit vulnerability. It is a security measure. Just read the wiki article about what device mode does and look for meris botnet here in the forum. It may answer your questions.

And the Meris article doesn't say "we recommend using device-lock" to address this. If so, they should say explicitly.

Znevna · Tue Dec 07, 2021 3:35 pm

Ah, so you're just a californian rextended. Got it.
What is the issue that you encountered after upgrading to this version that you're trying to report in this topic?

Tue Dec 07, 2021 3:41 pm

I worry Mikrotik knows about new vulnerability and device-lock is some fix for it. And, they don't want to say what the vulnerability is yet.

IF (and that's a big IF) this would be the case, don't you think they FIRST would make sure to have the fix in place BEFORE making public what the problem is ?
Logical sequence of communicating.

Not saying there IS a vulnerability at play here. But it does make perfect sense to provide the fix first.

mjezierski · Tue Dec 07, 2021 4:34 pm

Upgrade from 6.42.10 to 6.48.6 on RB953GS-5HnT-RP went smoothly compared to 6.48.5 which required netinstall

djdrastic · Tue Dec 07, 2021 5:33 pm

So what is the over/under now ?
Do we not upgrade the hardware firmware when doing package/os upgrades ?

llpax · Wed Dec 08, 2021 12:02 am

6.48.6 broke all PPP only for me? Сyclic PPP reconnections (client or server - it doesn't matter).
downgrade to 6.48.5 - fixed problem

ahmedelbarbary · Wed Dec 08, 2021 5:56 am

i was using accept in dst address in NAT for local ip tv to make ip tv see all users ip address after update to 6.48.6 i cant open ip tv downgade fix it or remove accept rule and use !dst address in Masquerade rule, what makes this happen ?

DenisPDA · Wed Dec 08, 2021 11:05 am

i was using accept in dst address in NAT for local ip tv to make ip tv see all users ip address after update to 6.48.6 i cant open ip tv downgade fix it or remove accept rule and use !dst address in Masquerade rule, what makes this happen ?

Something strange with multicast

complex1 · Wed Dec 08, 2021 2:36 pm

No issues after upgrade from 6.47.10 on my RB4011. :-)
MT... Keep up the good work.

bratislav · Wed Dec 08, 2021 4:30 pm

6.48.6 broke all PPP only for me? Сyclic PPP reconnections (client or server - it doesn't matter).
downgrade to 6.48.5 - fixed problem

And by all PPP you mean L2TP, SSTP, OVPN, PPTP, PPPoE or actually PPP that runs over serial connection?

llpax · Thu Dec 09, 2021 2:10 pm

And by all PPP you mean L2TP, SSTP, OVPN, PPTP, PPPoE or actually PPP that runs over serial connection?

ovpn server + l2tp server + l2tp client in my case. after update to 6.48.6 - just didn't work.. (tested on rb3011)

SirPrikol · Fri Dec 10, 2021 7:54 pm

/route bgp peer
add hold-time=1m in-filter=home.nets.in instance=home.nets keepalive-time=5s name=peer1 out-filter=home.nets.out remote-address=::ffff:0.0.0.0 remote-as=65402 ttl=default

Does not work. I want to connect from ANY ip and from a specific AS.
Ideally, with any private AS, but this is not important, the main thing is that there is an opportunity from any third-party ip

roe1974 · Sat Dec 11, 2021 9:17 am

No issues updating from 6.48.4 -> 6.48.6 on ltAP, cAP AC, RB4011iGS
thx !!
Richard

marcin21 · Sat Dec 11, 2021 3:11 pm

*) system - improved system stability if device is upgraded from RouterOS and/or RouterBOOT v6.41.4 or older;

I did mass upgrade with 6.48.5 hundreds of older devices responded only to netinstall. Each client had to be visited on site.
two weeks of hard work that was unnecessary, complaints from clients, stress.

Thank You Mikrotik staff for releasing routeros in long-term branch that makes my life so much more interesting.

@$@#%#$%

Jotne · Sat Dec 11, 2021 3:39 pm

Thank You Mikrotik staff for releasing routeros in long-term branch that makes my life so much more interesting.

And you did test the software on equal routers with same config and software version at a local site before you did the upgrade?
And you did also upgrade at the same time as software was released?
And you did read all message on the forum, the first day?

If not, this is much your fault.

RouterOS is a complex router with lots of function. I know may big company that has released software that has give breakdown of bigger network. To just mention one, Cisco. No one can garanti that all possible has been tested and all bugs are removed.

So wait some time before upgrade, read forum and do a test before upgrade lots of routers.

GregC · Sat Dec 11, 2021 3:42 pm

Thank You Mikrotik staff for releasing routeros in long-term branch that makes my life so much more interesting.
And you did test the software on equal routers with same config and software version at a local site before you did the upgrade?
And you did also upgrade at the same time as software was released?
And you did read all message on the forum, the first day?

If not, this is much your fault.

RouterOS is a complex router with lots of function. I know may big company that has released software that has give breakdown of bigger network. To just mention one, Cisco. No one can garanti that all possible has been tested and all bugs are removed.

So wait some time before upgrade, read forum and do a test before upgrade lots of routers.

I was just about to say the same thing that Jotne stated. You just don't upgrade without test before doing a mass update!!!!

marcin21 · Sat Dec 11, 2021 5:01 pm

@Jotne @GregC, I was thinking that long-term is free from features added that can make such a disaster.
The question is what was the CAUSE that anything prior to 6.41.4 was bricked.

my fault?
yes indeed.
too much faith in mikrotik staff testing LONG-TERM releases to avoid critical issues.
but You're right, I should have learn not to trust mikrotik long time ago.
in fact I did, and yet again critical dissapointment.

Sat Dec 11, 2021 5:12 pm

I always do a staggered Update. Update home Router, wait, Update uncritical routers one by one with wait between. A rollout lasts 2 months at least.
MT has no SW quality management worth this name. *We* have to test. If you can't live with this, use another vendor. For sure you will pay for this quality management.

Jotne · Sat Dec 11, 2021 6:27 pm

The question is what was the CAUSE that anything prior to 6.41.4 was bricked.

Why did you not upgrade before? 6.41.4 was released more than 3 1/2 year ago.
You have missed out lots of security fixes.

marcin21 · Sat Dec 11, 2021 7:33 pm

once again, I admit it was my fault. to much faith. i'm with mikrotik since routerOS 2.9.27 or so. So I had many many situations up to now, with buggy routerOS. I Should have learn it.
So last time after many succesfull hand made upgrades decided to do it on mass. Stupid I was.
And since that time mikrotik long-term release refers for me to "dont try it on production. EVER"

Yes ofcourse Mikrotik is no top-shelf company but could at least do that SIMPLE test if release is upgradable from every earlier ROS, at least from the same generation.
but hey! let our customers be again betatesters in a hardway.

thank You mikrotik again, unforgettable moments, very close to my cusotemers, during last two weeks. especially important during another wave of covid.

Amm0 · Sat Dec 11, 2021 7:50 pm

The question is what was the CAUSE that anything prior to 6.41.4 was bricked.
Why did you not upgrade before? 6.41.4 was released more than 3 1/2 year ago.
You have missed out lots of security fixes.

And, whose to know how/why they were at 6.41, possible the previous vendor got fired that did that ;). Regardless, something did have to get done – those security updates might make someone move with more urgency in deployment. Anyway, lots of factors that got to needing netinstall...

I am hopeful once V7 is more stabilized, more attention will be paid to the upgrade paths by MT. Realistically, if you have more than handful, at MT's low price, testing and at least scanning the forums is sorta the price of admission. You do have a pretty good chance of some bulk upgrade going well is part of the problem – normally long-term to long-term even if old isn't an issue. Clearly not for @marcin21.

What caused this: firmware - the new OS cannot boot using that particular older firmware

Also why any big upgrade in versions# are just risky, regardless of the device (any why testing be even more important here). See the old firmware is used load to new ROS software – but if ROS driver/something may need something that isn't old firmware. No doubt MT spends a lot time make sure they don't do operations, or workaround, unavailable things in older firmware to make upgrades even possible. But if it's driver during boot, new OS crashes, but still selected as primary OS in BIOS & cycle repeats. Since you can't upgrade to newer firmware until the new ROS is successful boot – it always some catch-22 since new versions may need something in newer firmware.

But that's why you'd expect by "long-term" to know all those "catch-22". The driver crashes were hopefully caught by people using the "testing" or even "stable" channels. Rushing builds though those phases is exactly how someone runs it need netinstall with "long-term". Certainly the matrix of possible versions to device type is too large to test all combos all the time, so the testing (or even stable) channel offer them ability to crowd-source some testing. More time in those phases, allow more time to catch an issue like this.

So I'm not so sure that @marcin21 was too wrong here. Sure, skipping a lot of best practices. He might, or very well should have, expected some trouble in a bulk upgrade. But bet he was thinking they could fix any problems remotely – not rolling trucks because the OS didn't boot using the older firmware.

ahmedelbarbary · Tue Dec 14, 2021 5:00 pm

Something strange with multicast

Yes, but not in old releases, Is this mean the way is changed ? or this is a problem and support will fix it ?

JJT211 · Thu Dec 16, 2021 5:44 am

once again, I admit it was my fault. to much faith. i'm with mikrotik since routerOS 2.9.27 or so. So I had many many situations up to now, with buggy routerOS. I Should have learn it.
So last time after many succesfull hand made upgrades decided to do it on mass. Stupid I was.
And since that time mikrotik long-term release refers for me to "dont try it on production. EVER"

Yes ofcourse Mikrotik is no top-shelf company but could at least do that SIMPLE test if release is upgradable from every earlier ROS, at least from the same generation.
but hey! let our customers be again betatesters in a hardway.

thank You mikrotik again, unforgettable moments, very close to my cusotemers, during last two weeks. especially important during another wave of covid.

Faith and trust are your problem.

You shouldnt trust any vendor's firmware update, especially when making such a massive jump in firmware version. Only trust what you TEST. Its really that simple.

starlingus · Thu Dec 16, 2021 11:12 am

6.48.6 broke all PPP only for me? Сyclic PPP reconnections (client or server - it doesn't matter).
downgrade to 6.48.5 - fixed problem

This issue has been reported already with 6.48 version ... see viewtopic.php?t=171035#p837319

All secrets were deleted by the upgrade (6.47.10 => 6.48.6). My PPP server is running on hAP ac2.

Milecus · Thu Dec 16, 2021 12:42 pm

Unfortunately, not all secrets have been overcome, RBLHGG-60ad is very unstable when connected to RBwAPG-60ad-SA, flip connections permanently with this version Router OS. With v6.49.2 - normal.

han · Fri Dec 17, 2021 12:09 pm

So I upgraded from 6.48.5 to 6.48.6 today.

Reading this thread I expected issues with my PPP connection, however it works fine after the upgrade.

I love boring updates where all keeps just working as it should!!

jamsden · Fri Dec 17, 2021 2:43 pm

@han I have also upgraded all my home equipment without any issue. I first upgraded mAP lite and waited for a couple of days, then RB1100, CRS112 and Hap. No issues!

infabo · Wed Dec 22, 2021 4:43 pm

No issues here either. hap lite and map lite.

alfred998 · Wed Dec 29, 2021 5:26 pm

two cap ac and two hEX 6.48.5 -> 6.48.6 no issues
one hEX with PPP secrets preserved.

DragonQ · Tue Jan 04, 2022 12:28 pm

Any benefit to this version over 6.47.10 LTS for a CRS328? I have no issues but would like some control over the fans, which I think has still not been added in 6.48?

Tue Jan 04, 2022 2:16 pm

Some security features added. If you do regularly inspect your device, change password, and know the config well, you can stay on your version.

za7 · Wed Jan 05, 2022 9:58 pm

When will RouterOS v6 reach end of life?

infabo · Wed Jan 05, 2022 11:42 pm

When v7 is stable stable

mt99 · Mon Jan 10, 2022 1:09 am

When will RouterOS v6 reach end of life?

I would say, unless we see a new testing branch for v6, that v6 feature development is winding down. But hopefully Mikrotik will make some kind of statement about that so their customers can plan accordingly.

infabo · Mon Jan 10, 2022 10:19 am

I am not long around here, but MT seems to me using more the "silence is gold" strategy and just announce thing right when they happen.

wwwcjh · Sun Mar 27, 2022 5:32 pm

I worry Mikrotik knows about new vulnerability and device-lock is some fix for it. And, they don't want to say what the vulnerability is yet.
IF (and that's a big IF) this would be the case, don't you think they FIRST would make sure to have the fix in place BEFORE making public what the problem is ?
Logical sequence of communicating.

Not saying there IS a vulnerability at play here. But it does make perfect sense to provide the fix first.

Your guess should be correct.

Amm0 · Sun Mar 27, 2022 8:07 pm

IF (and that's a big IF) this would be the case, don't you think they FIRST would make sure to have the fix in place BEFORE making public what the problem is ?
Logical sequence of communicating.

Not saying there IS a vulnerability at play here. But it does make perfect sense to provide the fix first.
Your guess should be correct.

I also had very good luck with long-term 6.47.10, and then seemingly rush out a "long term" without promoting a "stable". Mikroitk doesn't seem big on disclosure, so that was my worry.

Apparently FTP and SMB effected by a DoS vector in 6.47.10. See https://www.cvedetails.com/vulnerabilit ... rotik.html with details here https://github.com/colorlight/mikrotik_ ... o_vulns.md

wwwcjh · Mon Mar 28, 2022 11:18 am

Your guess should be correct.
I also had very good luck with long-term 6.47.10, and then seemingly rush out a "long term" without promoting a "stable". Mikroitk doesn't seem big on disclosure, so that was my worry.

Apparently FTP and SMB effected by a DoS vector in 6.47.10. See https://www.cvedetails.com/vulnerabilit ... rotik.html with details here https://github.com/colorlight/mikrotik_ ... o_vulns.md

/system device-mode> update
activation-timeout as-value do email flagged hotspot ipsec mode pptp romon smb socks without-paging
append bandwidth-test duration fetch flagging-enabled interval l2tp once proxy scheduler sniffer traffic-gen

The device-mode is a feature which sets specific limitations on a device, or limits access to specific configuration options.
There are two available modes: enterprise and home. By default, all devices use the mode enterprise, which allows all functionality except container. The home mode disables the following features: scheduler, socks, fetch, bandwidth-test, traffic-gen, sniffer, romon, proxy, hotspot, email, zerotier, container.

The device mode can be changed by the user, but remote access to the device is not enough to change it. After changing the device-mode, you need to confirm it, by pressing a button on the device itself, or perform a "cold reboot" - that is, unplug the power:

If no power off or button press is performed within the specified time, the mode change is canceled. If another update command is run in parallel, both will be canceled.

greebo · Mon Mar 28, 2022 12:36 pm

Disabling PoE does not comply with "cold reboot" ?

/system device-mode update mode=home scheduler=yes romon=yes bandwidth-test=yes flagged=yes

or am i missing something? AP boots back info enterprise mode....

mkx · Mon Mar 28, 2022 12:54 pm

Try running the command without setting flagged=yes ... the way I read documentation, flagged means that device is compromised:

If suspicious configuration is detected, the suspicious configuration will be disabled and the flagged parameter will be set to "yes". The device has now a Flagged state and enforces certain limitations.

Before doing anything sensitive on router, you have to set flagged=no:

To exit the flagged state, you must perform the command "/system/device-mode/update flagged=no". The system will ask to either press a button, or issue a hard reboot (cut power physically or do a hard reboot of the virtual machine).

Seems like you're running a command without fully understanding its parameters?

greebo · Mon Mar 28, 2022 1:26 pm

Seems like you're running a command without fully understanding its parameters?

forum was not my 1st choice,because of the "kind" comment above. :)

Firmware and routerboard are 6.48.6:

> /system routerboard print
routerboard: yes
board-name: wAP ac
model: RouterBOARD wAP G-5HacT2HnD
serial-number: 7DF108E16AD9
firmware-type: qca9550L
factory-firmware: 3.41
current-firmware: 6.48.6
upgrade-firmware: 6.48.6

/system device-mode> print
mode: enterprise

does not matter if CAPS manager is on or off

/system routerboard settings> print
auto-upgrade: no
boot-device: nand-if-fail-then-ethernet
cpu-frequency: 720MHz
boot-protocol: dhcp
force-backup-booter: no
silent-boot: no
protected-routerboot: disabled
reformat-hold-button: 20s
reformat-hold-button-max: 10m

w/ or w/o flagging-enabled
w/ or w/o flagged

same result. after reboot (i disable PoE on switch), the MT is still in enterprise mode.

"The device mode can be changed by the user, but remote access to the device is not enough to change it. After changing the device-mode, you need to confirm it, by pressing a button on the device itself, or perform a "cold reboot" - that is, unplug the power:"

mar/28/2022 12:12:44 system,error,critical router was rebooted without proper shutdown
mar/28/2022 12:19:53 system,error,critical router was rebooted without proper shutdown

Is cutting PoE power off is not enough then ?

am i missing something ? protected-routerboot ???

mkx · Mon Mar 28, 2022 4:07 pm

Seems like you're running a command without fully understanding its parameters?
forum was not my 1st choice,because of the "kind" comment above. :)

So your idea is to have somebody else read the docs for you?

Back to the problem you're having: as device mode is pretty new functionality, it might have some bug. So perhaps you should try the other possibility (press the button). And be sure to do it within indicated time interval (5 minutes). If that doesn't work, then register trouble ticket with Mikrotik support.
OK, in surge of constructiveness, I did test on my RB951G running 7.2rc5 ... button press method works, cutting power doesn't (in my case, I unplugged and re-plugged barrel power connector). So if it bothers you that cutting power doesn't work as advertised, file a ticket with support.

greebo · Mon Mar 28, 2022 7:56 pm

So your idea is to have somebody else read the docs for you?

i did RTFM and then i went here.

eitherway..

Back to the problem you're having: as device mode is pretty new functionality, it might have some bug. So perhaps you should try the other possibility (press the button). And be sure to do it within indicated time interval (5 minutes). If that doesn't work, then register trouble ticket with Mikrotik support.

since i am not SpiderMan and can't climb 5meters up the walls in our halls to push button on all our 150+ AP i will contact MT support.
thanks for feedback.

wwwcjh · Tue Mar 29, 2022 4:00 am

Disabling PoE does not comply with "cold reboot" ?

/system device-mode update mode=home scheduler=yes romon=yes bandwidth-test=yes flagged=yes

or am i missing something? AP boots back info enterprise mode....

A：The intention of the official design is to make sure that you are operating the device locally before the restart will take effect. rather than remote settings.

Cut off DC power

Press the rest button

###Choose one of the two to execute the effective operation.

nichky · Tue Mar 29, 2022 5:42 am

cant see the new feature locking mechanism;

nichky · Tue Mar 29, 2022 5:49 am

also still its not clear what flagged does. frome the wili:
If the system has detected unauthorized access to RouterOS, the status "flagged" is set to yes.

So if the system has detected unauthorized access , flagged will set automaticly to yes or what?
wiki its not clear

mkx · Tue Mar 29, 2022 8:03 am

Cut off DC power

This part doesn't work on my RB951G running 7.2rc5 (I'm using barrel DC power input so unplugging it definitely counts as local action) nor does it work for @greebo (using PoE in).

@nichky: you quoted part from manual and the used almost exactly the same words in your question, so I don't see what is not ckear? Manual says that flagged property is set to yes if the system detects unauthorized access to it. I don't see any other entity that might set flagged to yes in this case. If router admin would detect unauthorized access to the system, I don't think he'd need the flag, he could immediately make any needed steps to control the damage.

nichky · Tue Mar 29, 2022 8:53 am

@mkd

maybe you are right about that,

can you point me out where is the new feature locking mechanism;

mkx · Tue Mar 29, 2022 10:09 am

If you mean where it can be configured ... it's under /system/device-mode (also mentioned in manual).

On my devices default settings are blank (probably that means functionality is according to defaults, listed and explained in manual). My devices default to enterprise mode and none of other properties are actually shown. Just for experiment I've set smb=no which actually made a difference (/ip/smb/print now shows ;;; inactivated, not allowed by device-mode).

nichky · Tue Mar 29, 2022 11:31 am

@mkx

are you guessing or have you checked already? i got v6.48.6 and it's not there , then why im asking here

wwwcjh · Wed Mar 30, 2022 2:49 am

@mkx

are you guessing or have you checked already? i got v6.48.6 and it's not there , then why im asking here

/system device-mode> pri
mode: enterprise

nichky · Wed Mar 30, 2022 3:25 am

/system device-mode> pri
mode: enterprise

i got that, and wehre is "locking mechanism"?
that has been here since device-mode pops up

wwwcjh · Wed Mar 30, 2022 5:31 am

i got that, and wehre is "locking mechanism"?
that has been here since device-mode pops up

#You can try it
/system device-mode update proxy=no smb=no socks=no

#Printer again
/system device-mode pri

mkx · Mon Apr 04, 2022 3:07 pm

I worry Mikrotik knows about new vulnerability and device-lock is some fix for it. And, they don't want to say what the vulnerability is yet.

I'm more inclined into thinking that MT is planning to implement some new vulnerability and device-lock will prevent device from getting exploited. So for time being it's better to stay on obsolete ROS version which will not be vulnerable to that attack.

Or is everything just a conspiracy theory?

Seriously: I think device-lock is ROS v7 way of disabling certain functionality. In ROS v6 it was possible either to uninstall some packages or at least disable them. In v7 uninstalling parts of ROS is not possible any more because (apart from some border case functionality) everything is neatly integrated into single package. And device-lock allows one to disable quite a few functions (including: bandwidth test server, container support, email sending, hotspot, pptp, proxy, romon, scheduller, socks, zerotier and, my favourite, smb).

mkx · Tue Apr 19, 2022 7:11 pm

I've a couple of devices that do have a button ... and found out that you really must use the button, pulling the power doesn't cut it. (some other users have the same experience ... and it's pretty unfortunate for those that have devices mounted in most inaccessible places, but can control PoE power delivered to them).

BTW, found this post explaining how to find button on RB1100AHx2: viewtopic.php?t=106854#p530819 (look also at some of next posts there)

rextended · Tue Apr 19, 2022 9:42 pm

On the picture YOU link, the button is on the right of the pad....

About this problem, open a separate topic and add the export of your config, for check if something is suspicious....

rextended · Wed Apr 20, 2022 11:59 am

Is for understand what on your config trigger the "flagged" state

rextended · Wed Apr 20, 2022 4:52 pm

LtAP mini have two slot for SIMs, "up" and "down" are not referred to active/inactive state, but if the sim selected is on up or down slot...

CZFan · Fri Apr 22, 2022 2:11 am

I really am struggling to understand why Mikrotik does not list all changes made in updates, I.e. as I just found out changes were made in Bridge filtering....
@Normis, can you please respond on this?

Albirew · Thu May 12, 2022 4:52 pm

Is there a calendar for long-term ROS 6.49 and 7.0 releases?
I'm especially looking for 802.11ac wave2 support on RB922UAGS-5HPacD, 911G-5HPacD and 911-5HacD

Znevna · Thu May 12, 2022 5:45 pm

Those devices don't have Wave2 wireless chips.

kriszos · Tue May 17, 2022 12:39 pm

Upgraded my infrastructure from 6.46.8 to 6.48.6 all went fine besides one CCR1009-7G-1C-1S+
caps-man stopped working, caps-man configuration become not accessible, /caps-man export just hang
edit created ticket #[SUP-82386]

Albirew · Wed May 18, 2022 4:51 pm

Those devices don't have Wave2 wireless chips.

thanks for your answer.
well, it was half expected... u_u
i'll just wait for some wave2 RB, but then again, 6GHz RB will be a better choice when it goes out...

abis · Tue Jun 28, 2022 11:02 pm

v6 has it reached the end?

jn9 · Wed Jun 29, 2022 9:20 am

v6 has it reached the end?

No. It is still supported, on hardware where it works.

Wed Jun 29, 2022 10:13 am

v6 has it reached the end?

I doubt you're going to get any new features in v6; that's what v7 is about. Bugfix releases do seem to be slowing in frequency, suggesting a tapering off of development effort in favor of stabilizing and finishing v7, but I think it's a little premature to call an "end" to things when the last 6.x release (6.49.6) is under 3 months old.

It is true that this last 6.48.6 release on the LTS line is approaching 7 months old, but what is it about "long-term" that you're misunderstanding? Releases in this line are rare, on purpose.

105547111 · Mon Jul 04, 2022 10:12 pm

You maybe can start contemplating upgrading once there's ever a V7.x long term version as well as dude server.

rextended · Mon Aug 08, 2022 9:46 pm

I'm not the only moderator, and sincerely I already want know the same, but this topic is only strictly to report errors on this version.
It is useless to ask over and over again the same thing that others have asked before you, they don't answer anyway.
Open a separate topic or contact directly support@mikrotik.com

rextended · Wed Aug 17, 2022 5:19 pm

Bonding is done on CPU, not on bridge, is not hardware-offloaded.
You can see the H, when supported and enabled, only on hardware ports, and also not all switch models support more than one bridge on hardware offload.
I not remember all models at memory, check the docs.

Wed Aug 17, 2022 11:00 pm

There is no declared hardware offload.

There is, but it wasn't added until v7.1. Quoting the ChangeLog: "support for Layer 3 hardware acceleration on all CRS3xx devices." The implication is that it isn't in v6 at all. (Confirmed in the docs.)

There's significant improvement to this in the v7.2 and v7.3 releases. (Expand the ChangeLog and search for "l3hw".) Since nothing in this area changed in v7.4, it may now be "stable." I wouldn't know; I don't rely on L3HW offloading.

There's an L3HW NAT fix in 7.5beta11, but since you shouldn't be doing high-speed NAT on a CRS class device and thus need L3HW offload for it, it shouldn't matter in your use case.

uplinks in bonding for the scalability purpose

I'm a little confused about this; maybe you can clear it up. At the start of your post, you talked about putting one SFP+ into a bond and failing, but then later you show two 1G copper ports in a bond. Which is it?

I ask because with the CRS328, I see no reason to bond RJ45 ports for "scalability." A single SFP+ port with a 10G fiber module will win every time, and it'll probably end up more reliable overall due to having fewer things to break.

If you're trying to get 20, 30, or 40G throughput by combining SFP+, then that's a different matter.

mkx · Wed Aug 17, 2022 11:29 pm

Bonding is done on CPU, not on bridge, is not hardware-offloaded.
You can see the H, when supported and enabled, only on hardware ports, and also not all switch models support more than one bridge on hardware offload.
I not remember all models at memory, check the docs.

@tangent is mixing L2hw offloading (e.g. ethernet link bonding) and L3hw offloading (IP routing).

Anyways, bonding is supported in hardware (see manual) and was supported from early days of CRS3xx seties. However it requires certain config (onky 802.3ad or bonding-xor and only L2+L3+L4 transmit hash policy). I couldn't find anything about combination of bonding+VLANs, that might disable HW offoad (if it did, that would surprise me plenty though). Also using large MTU and/or MSTP could break HW offload.

Thu Aug 18, 2022 12:33 am

@tangent is mixing L2hw offloading (e.g. ethernet link bonding) and L3hw offloading (IP routing).

So does MikroTik. :) Quotes from the ChangeLog:

l3hw - fixed bonding source MAC address;
l3hw - improved system stability when using 7 or more VLAN interfaces;

Those are L2 interactions. It may be that v7 fixes something OP is depending on.

The primary complaints I'm seeing these days about v7 are related to advanced routing features, not things to worry about on a CRS328. If you're doing BGP on it, you have bigger problems than v7 incompatibilities.

Thu Aug 18, 2022 7:59 pm

several Mikrotik devices with v7.2, firmware were crashed and randomly rebooted once a week due to memory leaks.

While annoying, a minute of downtime a week doesn't sound too bad to me. That's 99.99% SLA. Plus, the nature of this sort of problem is that you can schedule the reboot for a non-peak time, where the downtime isn't important.

Mind, I'm not defending leaks in production code. That sucks. All I'm saying is, this is a weak reason not to upgrade.

Also, 7.2 is four months old now, with two major releases after it since. Isn't it about time you gave it another try?

If you experience the same problem, remember, a reproducible bug is a dead bug walking. Provide MikroTik a reliable and repeatable repro procedure, and I'll bet you get a faster fix than vaguely whining on the forum about unspecified "leaks".

Using of V7 is risky.

Using all technology is risky. If it all worked perfectly out of the box, our employers wouldn't need full-time network engineers to run it.

1x10G vs Nx1G It's less reliable because of possible sfp faults, line cards faults, optics faults.

You can't have it both ways. You want to put the SFP+ port into a bond for "possible traffic growth > 10G with very basic additional configuration", but then you complain of the risks of using optical networking.

Also 1x10G costs more than several 1G.

It doesn't cost more than ten 1G ports, the proper comparison.

I don't know about where you live, but here, the major cost in networking isn't hard equipment or the cable off the spool, it's the cable-pulling labor, termination, configuration, etc. Anything involving human time. Pulling, terminating, and provisioning ten 1G ports will swamp the cost of a single 10G fiber port unless your labor costs are $NOTHING.

And in the end, the ten 1G ports only match the 10G port for aggregate bandwidth tests across many flows due to the vagaries of LACP hashing and such. The 10G port is 10G all the time, even for a single flow.

LACP sucks. We use LACP only when we absolutely must.

mkx · Thu Aug 18, 2022 8:47 pm

bonding1 belongs to bridge1.

Which made me to look at your config again and now I see you're using (at least) two bridges. AFAIK the limitation about HW offload only being available for one bridge (per switch chip) still applies. So with your configuration you can only choose which bridge to offload, you can't have offloaded both (all) of them. If you don't configure it nanually, ROS will choose one. While selection might be deterministic, the selection process might have changed between v6.4x and v7 giving different results in some cases.

Thu Aug 18, 2022 8:52 pm

AFAIK the limitation about HW offload only being available for one bridge (per switch chip) still applies.

Yes, good catch. I just had MikroTik confirm that, for an unrelated project. For the CRS328, there's one switch chip, so you get one hardware-accelerated bridge, only.

Contrast RB1100, where you can have 3 such bridges.

(Or even the RB4011, since the single SFP+ is on the CPU, so the distinction between hardware bridge and software bridge is moot.)

Now contrast the RB5009, where you're back to 1 bridge, since everything's now on a single switch chip.

mkx · Thu Aug 18, 2022 9:01 pm

Now contrast the RB5009, where you're back to 1 bridge, since everything's now on a single switch chip.

The cases where one has to use more than one bridge are extremely rare, so limitation of HW offload of single bridge is not that problematic. On devices where more than one bridge can be offloaded one has to be pretty careful (and know exact HW layout) in order to make things work as intended. OTOH when one requires single bridge on such devices this causes some negative side effects (traffic passing between ports on different switch chips hits CPU ... pretty hard if CPU is not very fast).

Thu Aug 18, 2022 9:05 pm

(traffic passing between ports on different switch chips hits CPU ... pretty hard if CPU is not very fast).

Agreed. For the project in question, there were already firewall/router stages between the switch chips, so the traffic was already going to cross the CPU.

mkx · Thu Aug 18, 2022 9:18 pm

Nicely written.

anav · Tue Aug 23, 2022 5:12 pm

Is this the one advantage of the RB4011 over the RB5009, two chips, and thus ports 1-5 can have a bridge and ports 6-10 can have a bridge?

Tue Aug 23, 2022 5:50 pm

i think rb5009 switch chip has important advantages

rb4011 vs rb5009 switch chip features.png

batot · Wed Oct 26, 2022 3:56 pm

6.48.6 [long-term] is mega unstable on RB411 - be careful!!!
I was testing on 2 RB's.
I was upgrading from 6.11 to 6.48.6.
First RB411 is working 24h/7d and second RB411 is a link in lab.
Effect's are near the same, but the effect is visible more on the 24h/7d RB411 (more bandwidth).
CPU usage most of the time is 100% ping varies (unstable).
When I try connect to Winbox the effect is that most of the time I'm getting "reconnect" or connection but Windbox can't load settings and the CPU usage is 100%, then for 2-5secs 5% usage and again 100%.

Packages:
- advanced-tools,
-dhcp,
- ntp,
-security,
- system,
-wireless.

When I uninstalled security and dhcp packages I saw about 20% more power but RB411 was still very unstable, losing packages ~4%, ping 400-1000ms etc, etc...
Next decision was downgrade to version 6.46.8. This version is ok, in winbox never sow more that 9% CPU usage.
In my objective opinion version 6.11 was else faster that 6.46.8.
This is screen on 6.48.6 showing problem when Winbox was halted waiting i don't know why?

erlinden · Wed Oct 26, 2022 4:00 pm

You might want to consider opening a new topic, batot. I think that to do some investigation, you might want to share your config. Seeing your previous version...sure your router is not compromised?

rextended · Wed Oct 26, 2022 4:01 pm

I was upgrading from 6.11 to 6.48.6.

batot · Wed Oct 26, 2022 4:45 pm

and?
Did you joking that expected upgrade each version between 6.11 to 6.48.6?

Ok this day is too late but tomorrow will be test from netinstall. For me this is no matter no expect different result.

Wed Oct 26, 2022 5:10 pm

Ok this day is too late but tomorrow will be test from netinstall.

That would be my suggestion after seeing such a big jump.
Make sure to export your config first (and check it is complete).

Wed Oct 26, 2022 5:40 pm

remember to update Routerboot at system -> routerboard

cdemers · Thu Oct 27, 2022 3:48 am

@batot The RB411 is pretty old, think it originally ran ROS v3, came out around 2009 or so. So running the latest V6 may be a bit much for it, as newer releases are designed for newer hardware. I have a bunch of those in a storage container for playing with, I would only use them for low bandwidth applications. Used to use them as CPEs replaced them as they could no longer handle the speeds. Another reason I replaced them was some developed bad caps, easy to fix but made them unstable under load until they were fixed. Just made better sense to replace them and recycle the antennas for newer/faster units.

za7 · Mon Dec 05, 2022 9:31 pm

The last RouterOS v6 (long-term) was released nearly a year ago. Is Mikrotik going to release a newer RouterOS v6 (long-term) version?
Zero-Day Initiative:
SUCCESS - DEVCORE becomes the first team ever to successfully execute two different Stack-based buffer overflow attacks against a Mikrotik router and a Canon printer in the brand new SOHO SMASHUP category. They earn a cool $100K cash and 10 Master of Pwn points.
https://www.zerodayinitiative.com/blog/ ... ne-results
Does anybody know about this Stack-based buffer overflow attacks against a Mikrotik router?

mkx · Mon Dec 05, 2022 9:45 pm

The last RouterOS v6 (long-term) was released nearly a year ago. Is Mikrotik going to release a newer RouterOS v6 (long-term) version?

Are there any noteworthy bugs in latest v6 versions? Or is it that you're missing new features, I believe (and hope) those will only be presented in v7.

slimmerwifi · Wed Dec 07, 2022 12:37 pm

Happy birthday v6.48.6!🥳

rextended · Wed Dec 07, 2022 2:34 pm

🎂🍾🎉

mkx · Wed Dec 07, 2022 6:46 pm

Well, you're late for the party, it was 4 days ago:

What's new in 6.48.6 (2021-Dec-03 12:15):

Only "birth announcement" was exactly one year ago from today.

whatever · Wed Dec 07, 2022 6:58 pm

Are there any noteworthy bugs in latest v6 versions?

Apparently it's vulnerable to CVE-2022-45313 and CVE-2022-45315

rextended · Wed Dec 07, 2022 7:05 pm

Are there any noteworthy bugs in latest v6 versions?
Apparently it's vulnerable to CVE-2022-45315

Yes, the usual "if I shoot myself in the foot I'll break my toes" bugs.

As usuals on this bug

It's possible for an authenticated user to achieve code execution.

So we always start from the fact that first of all the user must be authenticated...
But if he is already authenticated who cares, what does he do, does he damage himself???
If a hacker has to authenticate himself first, and he succeeds, by which point he's already in full control, what's the matter with exploiting the vulnerability?

whatever · Wed Dec 07, 2022 7:15 pm

You don't see an issue if credentials for a read-only account, e.g. for monitoring purposes, are sufficient to execute code?

rextended · Wed Dec 07, 2022 7:59 pm

always and in any case the account must be known, and the firewall must not be set correctly, as usual...

Wed Dec 07, 2022 10:35 pm

good version

uptime.png

Traveller · Thu Dec 08, 2022 7:19 pm

good version

The seventh version is also good. 302 days and 170 TB of data. It could have been longer if Russia had not destroyed our energy.

172TBС.png

rextended · Fri Dec 09, 2022 12:08 am

It could have been longer if Russia had not destroyed our energy.

💔

bbs2web · Fri Dec 09, 2022 5:34 am

The CVE-2022-45315 advisory appears to relate to an out of bounds read on SNMP. Considering RouterOS enables this by default and NIST appearing to rate this as 9.8, no news from MikroTik...

https://nvd.nist.gov/vuln/detail/CVE-2022-45315

Fri Dec 09, 2022 9:18 am

Do I understand it correctly ... with an authenticated RouterOS user who has WRITE access, you can do things to the router? Where is the bug? The same router can do full reset if he wants.

Larsa · Fri Dec 09, 2022 9:34 am

CVE-2022-45315 is apparently some kind of joke or misunderstanding but someone is at least willing to checkout the facts once again.

8F4B5BBC-7ACD-452B-BACC-54D1E3A5F236.png

rextended · Fri Dec 09, 2022 11:09 am

... RouterOS enables this [SNMP?] by default ...

Completely false, where do you read this bullshit? Why don't you check before posting?
SNMP on default is disabled, must be enabled on purpose (and a default firewall is present).

However, beyond any consideration,
if you don't leave the equipment configured correctly, what do you expect?
Obviously, SNMP should not be left open to the "world".
and as usual these vulnerabilities require "the user to be authenticated", so someone starts already knowing the username and password of the device...

pomah · Fri Dec 09, 2022 11:08 pm

and ticking...

AUsquirrel · Mon Dec 12, 2022 11:51 am

The last RouterOS v6 (long-term) was released nearly a year ago. Is Mikrotik going to release a newer RouterOS v6 (long-term) version?
Zero-Day Initiative:
SUCCESS - DEVCORE becomes the first team ever to successfully execute two different Stack-based buffer overflow attacks against a Mikrotik router and a Canon printer in the brand new SOHO SMASHUP category. They earn a cool $100K cash and 10 Master of Pwn points.
https://www.zerodayinitiative.com/blog/ ... ne-results
Does anybody know about this Stack-based buffer overflow attacks against a Mikrotik router?

I too am interested in this bug. I have been digging for more info.

Based on the rules they successfully completed the challenge "An attempt in this category requires the contestant to get arbitrary code execution on two different devices to win the corresponding prize. The attempt must begin by exploiting the WAN side of the selected router from the Router Category and pivot to the LAN side to launch the next stage of the attempt. After successfully compromising the router, the attempt must pivot from the LAN side of the router and compromise a selected device from the Home Automation Hub, Smart Speaker, Printer, or Network Attached Storage Categories within the contest network. The contestant is free to select any combination of router and home automation hub, smart speaker, printer, or network attached storage device during the registration process. as it was linked to a printer stack overflow." That was the prize they were awarded according to the blog post. ( See https://www.zerodayinitiative.com/Pwn2O ... Rules.html)

I haven't found the OS version in the rules so far. The rule did state it was a RB2011UiAS-IN. No details about hardening or RouterOS I found. I guess that was given to the competitors after they applied/registered.

I guess we will have to wait for DEVCORE to complete the responsible disclosure and publish their hack.

rextended · Mon Jan 09, 2023 2:53 am

Huge bug in script compiler: after two calls "[ ]" executes all functions defined in the script.

to find out how I got there:
viewtopic.php?p=976194#p976194

to quickly test the bug:

Example code

{
:local test1 do={:put "test1"}
:local test2 do={:put "test2"}
:local test3 do={:put "test3"}
:local test4 do={:put "test4"}
:local test5 do={:put "test5"}
[]
[]
}

Wed Mar 15, 2023 1:30 pm

Some pretty off-topic posts have been split into a separate topic and can now be found here: viewtopic.php?t=194519

batot · Fri Mar 17, 2023 5:30 pm

I see censorship is starting to work on this forum and inconvenient facts are pushed to other threads.

Fri Mar 17, 2023 5:45 pm

I would say that self healing works behind the scenes.

Jotne · Fri Mar 17, 2023 7:09 pm

I see censorship is starting to work on this forum and inconvenient facts are pushed to other threads.

I would say not. This thread are for the release of 6.48.6 and are normally used when new version are released for quick discover problems that arise.
For specific problem an own thread is always the best option. If not release thread would become a very long read and lots of info not needed for the masses.

Tue May 23, 2023 12:41 pm

New version v6.48.7 has been released:
viewtopic.php?t=196412

Example code

Who is online