v7.6 [stable] is released!

emils · Tue Oct 18, 2022 11:48 am

RouterOS version 7.6 is released in the "v7 stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during the upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.6 (2022-Oct-17 13:55):

*) bgp - added support for BGP advertisement displaying (CLI only);
*) bgp - fixed reporting of session uptime;
*) bgp - improved session establishment speed after bootup;
*) bonding - fixed ARP monitor packets with bond's MAC address;
*) bonding - improved interface stability on slave configuration changes;
*) bonding - reduce "actual-mtu" according to interface "l2mtu";
*) branding - execute "autorun.scr" file when installing branding package;
*) capsman - fixed RADIUS accounting when EAP is used;
*) certificate - fixed SHA1 certificate name lookup;
*) certificate - improved certificate management, signing and storing processes;
*) certificate - restricted maximum retry attempt window for Let's Encrypt certificate to 60 minutes;
*) container - added "start-on-boot" parameter for automatic container startup;
*) container - allow changing container related parameters while it is running;
*) container - fixed usage of non-authenticated registries;
*) dhcpv4-server - fixed matcher functionality;
*) dhcpv4-server - fixed RADIUS accounting for local leases;
*) dhcpv4-server - improved service stability when removing dynamic leases;
*) dhcpv6-client - fixed false error status reporting when server offers T1 or T2 value as 0;
*) dns - added "match-subdomain" option for static entries (CLI only);
*) dot1x - fixed incorrect error when using "mac-auth";
*) ethernet - added "5Gbps" option for speed setting;
*) firewall - added "src/dst-address-type" parameter under "IPv6/Firewall/Mangle" menu;
*) firewall - disable IRC NAT helper on upgrade;
*) firewall - fixed IPv6 filtering with "in/out-interface" matcher that is in VRF;
*) firewall - fixed IRC NAT helper (CVE-2022-2663);
*) firewall - fixed usage of "netmap" action for IPv6 source NAT;
*) health - fixed fan speed and temperature reporting on CCR1072;
*) health - improved voltage reading on RBmAP-2nD;
*) hotspot - fixed service initialization when HTML directory configured on an external disk;
*) hotspot - fixed SSL usage on all HotSpot pages;
*) hotspot - improved stability when receiving bogus packets;
*) hotspot - limit maximum allowed connections based on free RAM resources;
*) hotspot - removed "routerboard.com" URL from default HotSpot advertise;
*) interface - added warning when interface has configured "mtu" higher than "l2mtu";
*) ipsec - added "invalid-packets" counter for Installed SA's menu;
*) ipsec - fixed packet processing by hardware encryption engine on MMIPS devices;
*) l3hw - added "l3hw-settings" sub menu under the switch menu;
*) l3hw - added support for IPv6 route offloading (disabled by default);
*) l3hw - fixed "H" flag presence for accelerated connection tracking entries;
*) l3hw - fixed possible packet loss when using HW offloaded NAT;
*) l3hw - improved connected host offloading on startup;
*) l3hw - improved connected IPv6 host offloading when routing table is nearly full for 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) l3hw - improved system stability;
*) l3hw - made route offloading selection work only on unicast;
*) lte - added interface name in MTU debug logging message;
*) lte - added periodic IPv6 RS to trigger IPv6 adress acquisition for non-MBIM modems;
*) lte - added support for Neoway N75-EA;
*) lte - added support to perform FOTA upgrade from local file for EG12-EA, EG18-EA, RG502Q-AE, EG06-A, EP06-A modems;
*) lte - disabled RPLMN on Chateau 5G;
*) lte - fixed at-chat on Telit FN980m;
*) lte - fixed handover from UMTS to LTE when PS activation had failed for MBIM modems;
*) lte - fixed MBIM modem initialization;
*) lte - fixed re-attaching on PS detach for MBIM modems;
*) lte - removed reconnect delay after receiving DETACH notification for MBIM modems;
*) macsec - added configuration support with VLAN, ARP, DHCP and bridge tagging/untagging;
*) macsec - added logging support with "debug" and "dot1x" topics;
*) macsec - added support for MTU and L2MTU;
*) macsec - fixed interface after Ethernet link down;
*) macsec - fixed interface statistics and missing properties;
*) macsec - fixed interface status;
*) macsec - fixed multiple interface creation on different Ethernet ports
*) macsec - improved interface stability;
*) macsec - improved system stability for TILE and RB5009 devices;
*) macsec - removed interface from SMIPS devices;
*) mac-telnet - respect interface MTU setting when sending packets for MAC-Telnet and MAC-WinBox;
*) netwatch - fixed string variable values in script;
*) ntp - improved initial synchronization speed after bootup;
*) ospf - added SHA hashing for authentication;
*) ospf - fixed area "no-summary" setting;
*) ospf - fixed checksum calculation;
*) ospf - fixed displaying of VRF interface in related logs;
*) ospf - fixed transmit of LSA/ACK's on p2p interfaces;
*) ospf - improved logging when invalid configuration is detected;
*) ospf - refresh OSPFv3 interface configuration when IPv6 network becomes available;
*) ovpn - added IPv6 support;
*) ovpn - added VRF support for client;
*) ppp - fixed memory leak;
*) ppp - improved service stability when multiple users disconnect simultaneously;
*) pppoe - fixed MRU negotiation even when it is set to 1500;
*) qsfp - added interface temperature warnings and shutdown;
*) queue - improved stability for CAKE type queues;
*) radius - require "policy" policy for "login" service configuration;
*) rip - fixed passwordless MD5 authentication;
*) route-filter - fixed filtering for multiple community routes;
*) route-filter - fixed memory allocation when moving entries;
*) route - fixed disappearance of inactive static routes after upgrade;
*) route - fixed memory leak;
*) routerboard - return router's short name in "model" parameter;
*) routerboard - set "Delete" as default key to enter booter menu ("/system routerboard upgrade" required);
*) serial - added support for newer PL2303 serial controllers;
*) sfp - improved QSFP/SFP interface stability for 98DXxxxx and 98PX1012 switches;
*) sms - added "status-report-request" parameter for "send" command;
*) sms - fixed handling of SMS send attempts on unsupported modems;
*) snmp - improved retrieval of routing related OID's;
*) snmp - improved stability when receiving bogus packets;
*) ssh - increased key generation timeout;
*) sstp - added VRF support for client;
*) supout - added tr069-client section;
*) supout - removed duplicate "bridge-controller" section;
*) switch - improved traffic forwarding at 5Gbps rate for 98DX8525, 98DX4310 switches;
*) system - renamed error messages when trying to edit or remove dynamic entries;
*) tile - improved system stability when processing packets;
*) tr069-client - do not allow ":" symbols in username;
*) tr069-client - fixed reporting of "X_MIKROTIK_MimoRSRP" parameter;
*) user-manager - accept any username for outer authentication;
*) user-manager - added "comment" parameter for batch user creation;
*) user-manager - added support for multiple accounting sessions;
*) user-manager - added variables to print profile name and end time in voucher templates;
*) user-manager - allow specifying router's address as subnet;
*) user-manager - fixed "migrate-legacy-db" command;
*) user-manager - fixed session expiry when it is stopped by Disconnect-Request;
*) user-manager - forced username verification against client's certificate for EAP-TLS;
*) user-manager - use "Class" attribute to associate user's accounting session;
*) user - removed unused "dude" policy;
*) vrrp - fixed connection tracking synchronization on MMIPS and MIPSBE devices;
*) vxlan - added IPv6 support for remote VTEPs (only IPv4 or IPv6 will be used at the same time, use "vteps-ip-version" property on VXLAN interface to change the version);
*) w60g - improved system stability (introduced in v7.5);
*) webfig - fixed creation of new IPv6 routes;
*) webfig - fixed displaying of "Last Seen" parameter under "IP/DHCP Server/Leases" menu;
*) webfig - fixed hex input for "Host Uniq" field;
*) webfig - fixed unsetting of "endpoint-address" parameter under "WireGuard/Peers" menu;
*) wifiwave2 - fixed enabling of unconfigured interfaces;
*) wifiwave2 - fixed malfunction of WPA3 hash-to-element technique when enabled on multiple interfaces;
*) wifiwave2 - fixed RADIUS accounting after fast-transition;
*) wifiwave2 - fixed "WPA Key Data Length" value in EAPOL frame when FT-EAP-SHA384 AKM is used;
*) winbox - added "Active" prefix for current remote and local session ID fields for L2TP-Ether interfaces;
*) winbox - added "address-list" parameter under "IP/DNS/Static" menu;
*) winbox - added "File Name" option for "Load Config" parameter under "System/SwOS" menu;
*) winbox - added icon for TR069-client menu;
*) winbox - added MACsec support;
*) winbox - added quick filtering option for route list;
*) winbox - added "Rapid Commit" parameter support under "IPv6/DHCP-Server" menu;
*) winbox - added "Reset Traffic Counters" button for all interfaces;
*) winbox - added "type" and "status-report-request" parameters under "Tools/SMS" menu;
*) winbox - allow "timeout" value to be less than 1 under "Tools/Netwatch" menu;
*) winbox - allow to rename mounted disks;
*) winbox - changed order of tabs under "User Manager" menu;
*) winbox - changed "uptime" parameter format when using the wifiwave2 package;
*) winbox - do not show unavailable features on SMIPS devices;
*) winbox - fixed interface traffic graph drawing on RB5009;
*) winbox - fixed maximum allowed value for VRRP's "priority" parameter;
*) winbox - fixed "Session Uptime" value for not established sessions under "Routing/BGP" menu;
*) winbox - fixed "Session Uptime" value under "Routing/BGP" menu;
*) winbox - fixed "System/SwOS" window refreshing after changes are detected;
*) winbox - fixed "User Manager/User Profiles" window refreshing after changes are detected;
*) winbox - made "backup.swb" the default value for SwOS backup;
*) winbox - made sessions removable in "User Manager" menu;
*) winbox - show "F" flag for failed entries under "Interfaces/VRRP" menu;
*) winbox - show "Switch" menu on Chateau LTE18 ax;
*) winbox - show "System/Health" only on boards that have health monitoring;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;
*) wireguard - strip whitespaces from keys;
*) wireless - disallowed using "default" as scan list or channel names;
*) wireless - fixed incorrectly applied ingress priority to non-wireless packets;
*) wireless - fixed missing wireless interface on some RB921GS-5HPacD devices;
*) www - improved stability when receiving bogus packets;
*) x86 - improved ixgbe driver support;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while the router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

Maggiore81 · Tue Oct 18, 2022 12:09 pm

Hello
wich are the differencies betweeen RC3 and final ? This night I applied the 7.6RC3 :-) on a CRS317

gotsprings · Tue Oct 18, 2022 12:14 pm

POE Tabs are back in Winbox for crs328-24p-4s+rm
POE also stayed on during the update reboots

As for Winbox and having the POE tabs... that's pretty impressive. I pointed it out in the 7.5 Announcement YESTERDAY, and its fixed in the 7.6 a few hours later.

Rox169 · Tue Oct 18, 2022 12:23 pm

Hi,
anyone tried this on HAP AC3 and W60g?

loloski · Tue Oct 18, 2022 12:25 pm

hap ac2 here so far no ill effects

Kanzler · Tue Oct 18, 2022 12:36 pm

hAP AC3 (ww2) work perfectly fine

cklee234 · Tue Oct 18, 2022 12:44 pm

*) x86 - improved ixgbe driver support;

Can you elaborate on the improved support? What included and added?

emils · Tue Oct 18, 2022 12:45 pm

Hello
wich are the differencies betweeen RC3 and final ? This night I applied the 7.6RC3 on a CRS317

There are no changes between v7.6 and v7.6rc3.

mohamads · Tue Oct 18, 2022 1:32 pm

*) x86 - improved ixgbe driver support;

Can you elaborate on the improved support? What included and added?

I second that !

usmank · Tue Oct 18, 2022 2:00 pm

Session time left not working...

Guscht · Tue Oct 18, 2022 2:22 pm

So far, no issues with 7.6:

Screenshot 2022-10-18 132051.jpg

depth0cert · Tue Oct 18, 2022 2:27 pm

RouterOS version 7.6 is released in the "v7 stable" channel!
*) certificate - fixed SHA1 certificate name lookup;
*) certificate - improved certificate management, signing and storing processes;
*) certificate - restricted maximum retry attempt window for Let's Encrypt certificate to 60 minutes;

Since version 7, certificates signed on the ROS do not have legacy Netscape extensions (nsComment = "Generated by RouterOS").
Please answer, now this extension will not be used in the work of internal services, such as CAPsMAN and others?

shyrwall · Tue Oct 18, 2022 2:28 pm

Upgrading HAP AC3 (RBD53iG-5HacD2HnD) from 7.6rc2 results in "kernel failure in previous boot". Multiple retries.

giulianoz · Tue Oct 18, 2022 2:38 pm

Upgrading HAP AC3 (RBD53iG-5HacD2HnD) from 7.6rc2 results in "kernel failure in previous boot". Multiple retries.

Thanks, I will stay on rc2 for a while

shyrwall · Tue Oct 18, 2022 2:40 pm

Upgrading HAP AC3 (RBD53iG-5HacD2HnD) from 7.6rc2 results in "kernel failure in previous boot". Multiple retries.

Same 7.6rc2 -> rc3

Rox169 · Tue Oct 18, 2022 2:41 pm

HAP AC3 from 7.5 to 7.6 is OK.

I have WiFi disbaled on this hAP AC3.

Luizfilipesl · Tue Oct 18, 2022 2:42 pm

And what about the L3HW for VxLAN? Any news?

nichky · Tue Oct 18, 2022 2:45 pm

*) ovpn - added VRF support for client;

cant see that on v7.6

Tue Oct 18, 2022 2:46 pm

https://help.mikrotik.com/docs/pages/vi ... edfeatures

shyrwall · Tue Oct 18, 2022 3:03 pm

Upgrading HAP AC3 (RBD53iG-5HacD2HnD) from 7.6rc2 results in "kernel failure in previous boot". Multiple retries.
Same 7.6rc2 -> rc3

We're so far unable to reproduce this locally. Please open a support ticket and provide a supout file.

Znevna · Tue Oct 18, 2022 3:24 pm

Glad I didn't remotely upgrade my hAP ac3.
Others might not be so lucky ;p

Tue Oct 18, 2022 3:27 pm

Hmm .. I think I'll wait a bit with my AC3's using wifiwave2 ...

mmc · Tue Oct 18, 2022 3:28 pm

*) sfp - improved QSFP/SFP interface stability for 98DXxxxx and 98PX1012 switches;

qsfp 4 x breakout cables still don't work - ccr2116 qsfp to original mikrotik breakout cable 'Q+BC0003-S+' still has no link. last known working version was ros 7.2.3. all other versions after 7.2.3 just don't have a stable link anymore.

reported on every release with a ticket - last was [SUP-95119]

Rox169 · Tue Oct 18, 2022 3:29 pm

Is the problem only when you upgrade from RC? Is it safe when you upgrade from 7.5? Did you bricked hAP AC3?

Tue Oct 18, 2022 3:30 pm

There are no changes between v7.6 and v7.6rc3.

Then how come there are problems using wifiwave2 now ?

dapilori90 · Tue Oct 18, 2022 3:57 pm

ospf simple auth error "route,ospf,info Discarding packet: wrong chekcsum" between 6.49.7 and 7.6
7.5 and 6.x works well

I'm having the same issue between 7.6 and Cisco IOS-XE:

%OSPF-4-ERRRCV: Received invalid packet: Bad Checksum

7.5 and IOS-XE works well.

To fix it, I had to disable OSPF authentication (not a big deal, since it is a point-to-point IPsec/GRE tunnel).

dimacbz · Tue Oct 18, 2022 4:09 pm

Updated 7.5 -> 7.6:

RBD25GR-5HPacQD2HPnD - x1 (Audience LTE6 kit)
RBD53iG-5HacD2HnD - x3 (hAP ac3)

wifi is on everywhere
No problem. including wifi2wave

tigro11 · Tue Oct 18, 2022 4:16 pm

After the update, I can't enter Winbox, stay still on: download descriptors

rextended · Tue Oct 18, 2022 4:18 pm

Possible that the details are always asked and are not automatically written???
Winbox version and on what platform?

shyrwall · Tue Oct 18, 2022 4:22 pm

Same 7.6rc2 -> rc3
Possibly because of wifi2wave,

wlan: [69:E:QDF] qdf_fs_read[55]: Fail to Open File /lib/firmware/.fileindex
wlan: [69:E:QDF] qdf_fs_write[137], Failed to open file /lib/firmware/.fileindex

wlan: [69:E:ANY] ramdump_work_handler: ** STARTING DUMP options:2
wlan: [69:E:ANY] ol_get_tgt_dump_location: ERROR: No wifi_dump dts node available in the dts entry file
wlan: [69:E:ANY] fw_get_core_dump: Assertion failed! 0:fw_get_core_dump /opt/atlassian/bamboo-agent/xml-data/build-dir/ROS-V73-JOB1/7/wireless-qca/drivers/arm/qca-wifi/os/linux/../../qca_ol/wifi2.0/../../offl>
CPU: 2 PID: 69 Comm: kworker/2:1 Tainted: G O L 5.6.3 #2
Hardware name: IPQ4019
Workqueue: events __qdf_defer_func [qdf@0x7f3fb000]
{8fbbddcc} _stext+0x97e8/0x465b68
{8fbbddd4} _stext+0x451920/0x465b68
{8fbbdde4} ol_diag_read_sram+0x750/0x810 [wifi_2_0@0x7f456000]
{8fbbde6c} ramdump_work_handler+0x78/0x17c [wifi_2_0@0x7f456000]
{8fbbdf0c} ahb_defer_reconnect+0x30/0x200 [qca_ol@0x7f8d1000]
{8fbbdf3c} _stext+0x2d3b4/0x465b68
{8fbbdf64} _stext+0x2d6b4/0x465b68
{8fbbdf8c} _stext+0x32274/0x465b68
{8fbbdfac} _stext+0x10e8/0x465b68
Exception stack(0x8fbbdfb0 to 0x8fbbdff8)
dfa0: 00000000 00000000 00000000 00000000
dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
WLAN Panic @ fw_get_core_dump:3216: Take care of the TARGET ASSERT first

Disabling the wlan interfaces -> scheduling wifi2wave for uninstall -> reboot -> upgrade to 7.6 + add wifi2wave -> enabling wlan interfaces and adding conf back worked.

Rox169 · Tue Oct 18, 2022 4:38 pm

MT any statement? Is it safe to upgrade from 7.5 to 7.6? Are you working on fix?

Guscht · Tue Oct 18, 2022 4:44 pm

Findings:

*) ethernet - added "5Gbps" option for speed setting;

NOPE:

Screenshot 2022-10-18 153547.jpg

--------------------

*) l3hw - added "l3hw-settings" sub menu under the switch menu;

NOPE again:

Screenshot 2022-10-18 154011.jpg

--------------------

*) sfp - improved QSFP/SFP interface stability for 98DXxxxx and 98PX1012 switches;

But still only 50% of the CPU capacity for CRS328??!!

--------------------

*) winbox - added "address-list" parameter under "IP/DNS/Static" menu;

It is not linked to the IP/Firewall/Adress Lists? Which "Lists" do I enter here?

Screenshot 2022-10-18 153639.jpg

gotsprings · Tue Oct 18, 2022 4:45 pm

MT any statement? Is it safe to upgrade from 7.5 to 7.6? Are you working on fix?

Do it on your bench or someplace where you can run Netinstall... In case the $#!+ Hits the Fan.

tigro11 · Tue Oct 18, 2022 4:47 pm

Possible that the details are always asked and are not automatically written???
Winbox version and on what platform?

winbox 3.37 windows

Znevna · Tue Oct 18, 2022 4:51 pm

NOPE:
NOPE again:

Those two changelog entries don't mention anything about WinBox, from which you provided the screenshots.
Look for them in CLI.

Tue Oct 18, 2022 4:52 pm

In our tests, hAP ac3 and WifiWave2 seem to work fine with 7.6. If you encounter any issues, please contact support with supout.rif file and backup file, if possible, create backup file prior to upgrade, and share it with us.

Guscht · Tue Oct 18, 2022 4:58 pm

Those two changelog entries don't mention anything about WinBox, from which you provided the screenshots.
Look for them in CLI.

Normally, they write "CLI only" if so, and if not, its referred to Winbox and CLI?! So far is my understanding of their changelog-nomenclature.

Like in:

*) dns - added "match-subdomain" option for static entries (CLI only);

Rox169 · Tue Oct 18, 2022 5:23 pm

Just upgraded in hap AC3 from 7.5 to 7.6 with WiFiwave2 and no issues...

biomesh · Tue Oct 18, 2022 5:30 pm

Those two changelog entries don't mention anything about WinBox, from which you provided the screenshots.
Look for them in CLI.

These work via winbox on all of the devices that I upgraded.

crs317, crs318, crs326, ccr2004, crs112, cap ac. For the cap ac and crs112 obviously the l3hw options are not there. I did update the firmware and ROS.

spippan · Tue Oct 18, 2022 5:40 pm

@Guscht

*) ethernet - added "5Gbps" option for speed setting;

is it visible via the CLI ?

*) l3hw - added "l3hw-settings" sub menu under the switch menu;

"MT" might not support L3HW?!

Jotne · Tue Oct 18, 2022 6:06 pm

MT any statement? Is it safe to upgrade from 7.5 to 7.6? Are you working on fix?

I see you have already upgraded. But a simple answer on this is:
Wait some weeks and see what other writes in this thread.
Never ever upgrade a production router first day of a new release.

netbus · Tue Oct 18, 2022 6:08 pm

where can I find macsec settings in winbox?

malobert · Tue Oct 18, 2022 6:15 pm

Upgrade went well on my RB5009 from 7.6rc3 to 7.6. But there is a problem with partitions, I can not copy part1 to part0 anymore.
Copying goes to > 750% and than copying stops with an error

Schermafbeelding 2022-10-18 om 16.57.28.png

Schermafbeelding 2022-10-18 om 17.14.07.png

Tried do downgrade, pulled my usb disk, uninstalled the container package.
Repartitioned to 1 part, and after that partitioned back to 2 parts, copy still has an error.
Booting form part1 is not possible.

dmayan · Tue Oct 18, 2022 6:39 pm

- BGP Sessions stopped for no reason (wich previously worked OK)
- BGP Sessions prefix count still at 0
- BGP advertisements dump not working (I know you can see them on CLI now, but the button is there and it doesn't work)

Are we still testing a pre-alpha?

Guscht · Tue Oct 18, 2022 6:52 pm

where can I find macsec settings in winbox?

A "tab" under Interfcaes:

Screenshot 2022-10-18 175142.jpg

theosoft · Tue Oct 18, 2022 7:23 pm

@malobert

Upgrade went well on my RB5009 from 7.6rc3 to 7.6. But there is a problem with partitions, I can not copy part1 to part0 anymore.
Copying goes to 750% and than copying stops with an error

viewtopic.php?p=961612&hilit=theosoft#p961612

It is reproduced and solution in progress..

VETH related bug...

armandfumal · Tue Oct 18, 2022 8:13 pm

Like 7.6rc2 and 7.6.rc3 this 7.6 release has the same issue for us.

CCR2216, 2 bgp links full table, around 1.900.000 prefixes in routing table.

issue with cli command : /routing/bgp/advertisements/

when using /routing/bgp/advertisements/print with where command to filter a peer, that working with no issue.

but
when using just /routing/bgp/advertisements/print, causing 100% cpu at routing & management process and memory is falling down rapidly. after lost 9Gb RAM we device to force reboot...

nobody has this issue ?

regards

evilsabc · Tue Oct 18, 2022 9:31 pm

CCR2116 - Reboot every 2 hours without any reasons

I'm using 295 nats rules actually i plan to remove all of them and route directly but for the moment the router keep rebooting anyone with this problem ?

armandfumal · Tue Oct 18, 2022 9:36 pm

CCR2116 - Reboot every 2 hours without any reasons

I'm using 295 nats rules actually i plan to remove all of them and route directly but for the moment the router keep rebooting anyone with this problem ?

did you have an autosupout file created at reboot ?

malobert · Tue Oct 18, 2022 9:50 pm

@theosoft

@malobert
Upgrade went well on my RB5009 from 7.6rc3 to 7.6. But there is a problem with partitions, I can not copy part1 to part0 anymore.
Copying goes to 750% and than copying stops with an error
viewtopic.php?p=961612&hilit=theosoft#p961612

It is reproduced and solution in progress..

VETH related bug...

Aah, thank you for the answer !
I deleted my VETH, and indeed copy works again.

nichky · Tue Oct 18, 2022 10:34 pm

https://help.mikrotik.com/docs/pages/vi ... edfeatures

still no,

let say

/interface eoip/ovpn/l2tp...
add remote-address=192.168.1.1@vrf1

the error that im geting is not a valid dns name (6)

jvanhambelgium · Tue Oct 18, 2022 10:58 pm

Updated my RB5009 from 7.5 to 7.6 (both RouterOS + firmware)
No issues in my setup.

evilsabc · Tue Oct 18, 2022 11:04 pm

CCR2116 - Reboot every 2 hours without any reasons

I'm using 295 nats rules actually i plan to remove all of them and route directly but for the moment the router keep rebooting anyone with this problem ?
did you have an autosupout file created at reboot ?

No what happen is the router boot me out of the winbox and all the vlan stop working nothing work i have to reboot it manually to make it work again for about 2 hours and so on

evilsabc · Wed Oct 19, 2022 12:01 am

After the problem came back again it seem that the SFP+2 stop passing traffic until i disable and renable the port ...

sirbryan · Wed Oct 19, 2022 12:17 am

Upgraded my SOHO CCR2116 from 7.4.1 to 7.6, and reenabled L3HW for fasttrack NAT offloading only. So far, so good.

Anecdotally, speed tests between my desktop and my Ookla server improved (from 2500Mbps upload to 3000Mbps upload), and tests to WiFi 6 endpoints improved by 100mbps or so, while router CPU sits at 0%.

It's nice to see BGP advertisements again.

ormandj · Wed Oct 19, 2022 12:24 am

When adding new or opening an existing DHCP Server in Webfig, "DHCP Option Set" will get pre-filled to one of those you have configured. Even on an existing DHCP server, it will pre-fill one of your options. If you click "OK" without deselecting it, you will end up with a configuration you may not have intended. SUP-95439 submitted.

osc86 · Wed Oct 19, 2022 12:32 am

not a valid dns name (6)

I'm getting the same error on my device (arm64).

eworm · Wed Oct 19, 2022 12:33 am

I've seen the DHCP option set issue with RouterOS 7.5 already... So this is not new.

bbs2web · Wed Oct 19, 2022 12:42 am

Any chance MikroTik could consider adding an option to enable/disable IPv6 Router Advertisement (RA) Guard when adding interfaces to a bridge?

The following forum post appear to provide the necessary requirements to allow one to 'tick the box' to comply with RFC 6105 or superseding RFC 7113:

[SOLVED] CRS - Hardware offloaded (MC-LAG compatible) bridge with IPv6 RA Guard

sirbryan · Wed Oct 19, 2022 1:29 am

I have a second CCR2116 that I was trying to install this on. It has been partitioned just like my first, running 7.4.1. Both say 64MB per file system. The second one keeps failing on update with "not enough space for upgrade." What's ironic is the first one that was successful has the extra packages (ZeroTier, Dude, etc.) but the second has hardly anything, and has 42MB of space left. It originally had 7.4, and I was able to upgrade to 7.4.1, but it won't go to 7.6, neither from uploading the package directly, or from "Check for Updates" in Webfig.

nichky · Wed Oct 19, 2022 2:11 am

*) macsec - added configuration support with VLAN, ARP, DHCP and bridge tagging/untagging;

do we need to pun macsec interface in to the bridge to make it work ?

armandfumal · Wed Oct 19, 2022 2:35 am

After the problem came back again it seem that the SFP+2 stop passing traffic until i disable and renable the port ...

Not SFP or dac câble issue ? Or used brand not working correctly with this version...

evilsabc · Wed Oct 19, 2022 2:40 am

After the problem came back again it seem that the SFP+2 stop passing traffic until i disable and renable the port ...
Not SFP or dac câble issue ? Or used brand not working correctly with this version...

I tried with different dac cable and transceiver all is working correctly it seem that over 1 gbps the bug occur

moutazsalem · Wed Oct 19, 2022 2:46 am

I wanted to report a bug in ROS 7.6 (RB760iGS):
I use the usb power-reset feature to control power of an auxiliary device.

so i set it to sleep for one day using this command
#> system/routerboard/usb/power-reset duration=1d

usually, i cancel the power-reset command before the day passes, using the command
#> system/routerboard/usb/power-reset duration=1s

the later command overrides the first one and the device boots up.

With the 7.6 update, when trying to execute the second command, i get an error message stating that there is a power reset already in progress and the device would still be off.

Is there any way in 7.6 to cancel the power reset command or override it?

stanelie · Wed Oct 19, 2022 3:29 am

CapsMan stopped working when I upgraded from 7.5. None of the controlled access points (CAPs) would connect to CapsMan. I downgraded and everything went back to normal. (small setup with 20 access points)

ttys0 · Wed Oct 19, 2022 3:47 am

Just upgraded from 7.4.3 to 7.6 on a CRS354-48P-4S+2Q+ and everything seems to be working just fine.

nescafe2002 · Wed Oct 19, 2022 8:26 am

Is there any way in 7.6 to cancel the power reset command or override it?

moutazsalem, nice example of how every change breaks someone's workflow :)

eworm · Wed Oct 19, 2022 8:43 am

moutazsalem, nice example of how every change breaks someone's workflow :)

https://m.xkcd.com/1172/

😝

Wed Oct 19, 2022 8:56 am

Being close to those devices I bit the bullet...
Upgraded 2x AC3 with wifiwave2 and Hex.
No noticeable problems.

mantouboji · Wed Oct 19, 2022 11:04 am

IPv6 wireguard bug still exists

tigro11 · Wed Oct 19, 2022 12:13 pm

Possible that the details are always asked and are not automatically written???
Winbox version and on what platform?
winbox 3.37 windows

If I run Winbox from local, it works, if I perform winbox from wireguard tunnel, it blocks and does not enter.

erlinden · Wed Oct 19, 2022 12:19 pm

If I run Winbox from local, it works, if I perform winbox from wireguard tunnel, it blocks and does not enter.

Is this new behaviour? Can you share your config (/ip/firewall/filter/ export)? Make sure to remove any privacy related information

evbocharov · Wed Oct 19, 2022 12:20 pm

fix arp-ping?

nichky · Wed Oct 19, 2022 12:35 pm

no, even ip route check does not

tigro11 · Wed Oct 19, 2022 12:38 pm

If I run Winbox from local, it works, if I perform winbox from wireguard tunnel, it blocks and does not enter.
Is this new behaviour? Can you share your config (/ip/firewall/filter/ export)? Make sure to remove any privacy related information

/interface bridge
add admin-mac=X:X:X:X:X:X auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-WAN-SKY
set [ find default-name=ether4 ] name=ether4-WIFI
/interface wireguard
add listen-port=51820 name=TUNNEL-NEGOZIO
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add comment="Always TCP: No fixed port" name=speedtest-servers regexp=\
    "^.*(get|GET).+speedtest.*\$"
add name=Youtube regexp="^.+(youtube.com|youtube.net|.youtube.|.youtube).*\$"
add name=WhatsApp regexp=\
    "^.+(whatsapp.com|whatsapp.net|.whatsapp.|.whatsapp).*\$"
add name=Facebook regexp=\
    "^.+(facebook.com|facebook.net|.facebook.|.facebook).*\$"
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
add local-address=10.0.8.1 name=OVPN use-encryption=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=WAN1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether4-WIFI
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set route-cache=no tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=TUNNEL-NEGOZIO list=LAN
add interface=ether2-WAN-SKY list=WAN
/interface ovpn-server server
set auth=sha1 certificate=SERVER cipher=aes256 default-profile=OVPN enabled=\
    yes port=1180 protocol=udp require-client-certificate=yes
/interface wireguard peers
add allowed-address=10.0.8.1/32,192.168.0.0/24 endpoint-address=X.X.X.X \
    endpoint-port=51820 interface=TUNNEL-NEGOZIO persistent-keepalive=10s \
    public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.7.2.1/16 comment=INTERNET interface=ether1-WAN network=\
    10.7.0.0
add address=10.0.8.2 interface=TUNNEL-NEGOZIO network=10.0.8.1
add address=192.168.11.100/24 interface=ether2-WAN-SKY network=192.168.11.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" disabled=yes list=\
    not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" disabled=yes list=\
    not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add list=ddos-attackers
add list=ddos-target
add address=192.168.1.200 list=SMB
add address=192.168.0.200 list=SMB
add address=10.0.8.1 disabled=yes list=SMB
/ip firewall filter
add action=drop chain=forward comment="BLOCK WHATSAP" disabled=yes \
    layer7-protocol=WhatsApp
add action=drop chain=forward comment="BLOCK FACEBOOK" disabled=yes \
    layer7-protocol=Facebook
add action=drop chain=forward comment="BLOCK YOUTUBE" disabled=yes \
    layer7-protocol=Youtube
add action=drop chain=input comment="BLOCK DNS Wan" connection-state=new \
    dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="BLOCK DNS Wan" connection-state=new \
    dst-port=53 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=smb-flood \
    address-list-timeout=none-dynamic chain=forward comment=\
    "SMB Flood Gathering" connection-limit=100,32 dst-port=445 in-interface=\
    bridge protocol=tcp
add action=add-src-to-address-list address-list=snpp-flood \
    address-list-timeout=none-dynamic chain=forward comment=\
    "SNPP/Backdoor Flood\r\
    \nGathering" connection-limit=20,32 dst-port=444 in-interface=bridge \
    protocol=tcp
add action=add-src-to-address-list address-list=msf-indication \
    address-list-timeout=none-dynamic chain=forward comment=\
    "Metasploit Indication" connection-limit=20,32 dst-port=4444 \
    in-interface=bridge protocol=tcp
add action=add-src-to-address-list address-list=ssh-flood \
    address-list-timeout=none-dynamic chain=forward comment=\
    "SSH Flood Gathering" connection-limit=20,32 dst-port=22 in-interface=\
    bridge protocol=tcp
add action=add-src-to-address-list address-list=telnet-flood \
    address-list-timeout=none-dynamic chain=forward comment=\
    "Telnet Flood\r\
    \nGathering" connection-limit=20,32 dst-port=23 in-interface=bridge \
    protocol=tcp
add action=log chain=forward comment="Abnormal Traffic" connection-bytes=\
    80000000 disabled=yes limit=1,5:packet log-prefix=Abnormal-Traffic
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="Port scanners to list " \
    in-interface=!bridge log-prefix="port scanner" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=DoS_Attacked \
    address-list-timeout=5m chain=input comment=DoS_Attacked \
    connection-limit=32,32 protocol=tcp
add action=tarpit chain=input comment=DoS_Attacked connection-limit=10,32 \
    protocol=tcp src-address-list=DoS_Attacked
add action=drop chain=forward comment="Bloccare IP addresses BOGON" \
    src-address=0.0.0.0/8
add action=return chain=detect-ddos comment="SYN-ACK Flood" dst-limit=\
    32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=drop chain=forward comment="dropping port scanners" \
    src-address-list="port scanners"
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=drop chain=input comment="drop echo request" icmp-options=8:0 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=accept chain=input comment="Allow OpenVPN" dst-port=1180 protocol=\
    tcp
add action=accept chain=input comment="Allow Wireguard" dst-port=51820 \
    protocol=udp
add action=accept chain=input comment=winbox dst-port=1170 protocol=tcp
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="ACCETTA TRAFFICO DA WIREGUARD" \
    in-interface=TUNNEL-NEGOZIO src-address=192.168.0.0/24
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="COMPUTER METEO" src-mac-address=\
    X:X:X:X:X:X
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=add-src-to-address-list address-list=FW_Block_unkown_port \
    address-list-timeout=1d chain=input comment=\
    "Add IP of user to access list if they have tried port that is not open." \
    disabled=yes in-interface-list=WAN log-prefix=FI_AS_port-test \
    src-address=!10.7.0.1
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="BLOCCO BLACKLIST" connection-state=new \
    in-interface-list=!LAN src-address-list=blacklist
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed NO DROP TUNNEL TRAFFIC" \
    connection-nat-state=!dstnat connection-state=new dst-address-list=!SMB \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed NO DROP TUNNEL TRAFFIC" \
    connection-nat-state=!dstnat connection-state=new dst-address-list=!SMB \
    in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop invalid connections" \
    connection-state=invalid
/ip firewall mangle
add action=change-mss chain=forward comment=MTU in-interface=TUNNEL-NEGOZIO \
    new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-ttl chain=prerouting comment="NO TRaceroute" new-ttl=\
    increment:1 passthrough=yes
add action=mark-connection chain=prerouting comment="MARK PER WAN1" \
    connection-state=new in-interface=ether1-WAN new-connection-mark=\
    WAN1_conn
add action=mark-routing chain=prerouting comment="MARK PER WAN1" \
    connection-mark=WAN1_conn in-interface-list=LAN new-routing-mark=WAN1
/ip firewall nat
add action=dst-nat chain=dstnat comment="Force using DNS LAN" disabled=yes \
    dst-port=53 in-interface=bridge protocol=udp to-ports=53
add action=dst-nat chain=dstnat comment="DNS GOOGLE VALERIO" disabled=yes \
    dst-port=53 protocol=udp src-mac-address=X:X:X:X:X:X to-addresses=\
    8.8.8.8 to-ports=53
add action=dst-nat chain=dstnat comment="WEBCAM CASA" dst-port=8181 \
    in-interface=ether1-WAN protocol=tcp src-address=!192.168.0.0/24 \
    to-addresses=192.168.1.51 to-ports=8080
add action=dst-nat chain=dstnat comment="Winbox WIFI" dst-port=1175 \
    in-interface=TUNNEL-NEGOZIO protocol=tcp src-address=192.168.0.11 \
    to-addresses=192.168.1.100 to-ports=1170
add action=dst-nat chain=dstnat comment="DAVIS WIFI" dst-port=8090 \
    in-interface=TUNNEL-NEGOZIO protocol=tcp src-address=192.168.0.11 \
    to-addresses=192.168.5.40 to-ports=80
add action=masquerade chain=srcnat comment="TUNNEL NEGOZIO" dst-address=\
    192.168.0.0/24 ipsec-policy=out,none out-interface=TUNNEL-NEGOZIO
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=prerouting comment=DDOS dst-address-list=ddos-target \
    src-address-list=ddos-attackers
add action=drop chain=prerouting comment="DNS Amplification" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=drop chain=prerouting comment="Well-Known Port+ winbox da wan" \
    dst-port=2000,22,23,80,53,1170 in-interface=!TUNNEL-NEGOZIO \
    in-interface-list=WAN protocol=tcp
add action=drop chain=prerouting comment=\
    "Well-Known Virus/Flooding Port- esscludo ip nas" dst-address-list=!SMB \
    dst-port=445,2000,4444,444 in-interface-list=LAN protocol=tcp
add action=drop chain=prerouting comment="Memcached Flood" in-interface-list=\
    LAN protocol=udp src-port=11211
add action=drop chain=prerouting comment="drop port scanner" in-interface=\
    !TUNNEL-NEGOZIO src-address-list="port scanners"
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN log=yes src-address-list=not_global_ipv4
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=prerouting in-interface=TUNNEL-NEGOZIO src-address=\
    192.168.0.0/24
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=prerouting in-interface-list=WAN protocol=!tcp \
    src-address=!X.X.X.X src-address-list=FW_Block_unkown_port
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    10.7.0.1 pref-src=0.0.0.0 routing-table=WAN1 scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=192.168.5.0/24 gateway=192.168.1.100 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=192.168.0.0/24 \
    gateway=10.0.8.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.11.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24,10.0.8.0/30,192.168.0.11/32 port=1170
set api-ssl disabled=yes
/ppp secret
add name=vrcomputer profile=OVPN remote-address=10.0.8.5 service=ovpn
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=ROUTER-CASA
/system ntp client
set mode=broadcast
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=X.X.X.X from=noreply@XXXXXXX.com user=smtp@XXXXXXXX.it
/tool graphing interface
add interface=ether1-WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

reevansxyz · Wed Oct 19, 2022 12:39 pm

Nothing seriously troubling, it's just that I know—I logged out from the web interface, but it says that I am still logged on via web; RB5009UG+S+IN.

MikroUser · Wed Oct 19, 2022 12:47 pm

Have problems on a CCR2004-16g-2s and sfponu module.
Issue shows after firmware update add next boot, no pon link at sfp.
SFP is visible and hardware info is ok, but no pon link.
So after every firmware update i need get out sfponu and insert it again, only after that pon link is ok. Simple rebooting doesnt solve problem
That same problem was on a rb4011, rb5009. I think some power reset solution for sfp+ port needed.

And onemore, when fasttrack is enabled (action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes ) all wireguard connections works very slow and dropping packets. Tried play with mtu but only disabling fasttrack helps.

pe1chl · Wed Oct 19, 2022 1:00 pm

/routing/bgp/advertisements/print now shows a detailed list, where on rc1 it showed only a summary. There was a "show" command that showed the full list.
So now I tried /routing/bgp/advertisements/print count-only to see if it maybe shows a summary only.
It showed:
704
no such item (4)
From now on, /routing/bgp/advertisements/print only shows a single item and then it prints that no such item (4) error.

Safic · Wed Oct 19, 2022 1:09 pm

CapsMan stopped working when I upgraded from 7.5. None of the controlled access points (CAPs) would connect to CapsMan. I downgraded and everything went back to normal. (small setup with 20 access points)

Are your cAPs running ROS 7.6?

Wed Oct 19, 2022 1:40 pm

/routing/bgp/advertisements/print now shows a detailed list, where on rc1 it showed only a summary. There was a "show" command that showed the full list.
So now I tried /routing/bgp/advertisements/print count-only to see if it maybe shows a summary only.
It showed:
704
no such item (4)
From now on, /routing/bgp/advertisements/print only shows a single item and then it prints that no such item (4) error.

[admin@dr_05] /routing/bgp/advertisements> print count-only 
848915
[admin@dr_05] /routing/bgp/advertisements> print 
 0 peer=bgp_feed-1 dst=23.161.0.0/24 
   bgp.nexthop=10.155.101.183 .origin=0 .as-path=sequence 444 

 0 peer=to_231-1 dst=60.48.0.0/14 
   bgp.nexthop=10.155.101.1 .origin=0 .as-path=sequence 444 65530 100 6667 1273 4788 4788 
   .communities=35859:2842,41743:2842,47883:2842,49940:2842,51200:46098,53760:46098,55855:63748 
   .atomic-aggregate=yes 

....

Works, maybe anything else you did to trigger the problem? Or list is changing when you are doing the print?

Ullinator · Wed Oct 19, 2022 2:03 pm

CapsMan stopped working when I upgraded from 7.5. None of the controlled access points (CAPs) would connect to CapsMan. I downgraded and everything went back to normal. (small setup with 20 access points)
Are your cAPs running ROS 7.6?

Update of CAPsMAN from 7.5 to 7.6 went smooth, even on CAPsMAN itself and on all AP´s (5x) also. (ROS and FW).
From what version did you came from? (AP´s)

erlinden · Wed Oct 19, 2022 2:06 pm

/interface bridge
add admin-mac=X:X:X:X:X:X auto-mac=no comment=defconf name=bridge \
protocol-mode=none

What a most creative implementation of firewall rules. You have to do some work on that.
In that mess you will probably find the blocking rule as well.

jovaf32128 · Wed Oct 19, 2022 2:07 pm

Hap ac3 log: error while running customized default configuration script: no such item

Tried to rename wifi back to wlan1 and wlan2 (also to wifi1 and wifi2) and reboot, nothing changed

Phaere · Wed Oct 19, 2022 2:34 pm

Waiting for BFD in 2025, ok..

rumahnetmks · Wed Oct 19, 2022 2:57 pm

RB4011iGS+5HacQ2HnD-IN + hAP-AC3 at two different location 7.5 to 7.6 seems working fine.
RB4011iGS+5HacQ2HnD-IN have simple office network with vlan filtering on. Using regular wireless package all seem fine, no problems with connected device.
hAP-AC3 have simple home network with vlan filtering on. Using wifiwave2 wpa3 enable, all device still connect without any problem.

pe1chl · Wed Oct 19, 2022 4:04 pm

/routing/bgp/advertisements/print now shows a detailed list, where on rc1 it showed only a summary. There was a "show" command that showed the full list.
So now I tried /routing/bgp/advertisements/print count-only to see if it maybe shows a summary only.
It showed:
704
no such item (4)
From now on, /routing/bgp/advertisements/print only shows a single item and then it prints that no such item (4) error.
...
Works, maybe anything else you did to trigger the problem? Or list is changing when you are doing the print?

I did not do much, at first I entered the /routing/bgp/advertisements/print command, which in rc1 (I never installed rc2 or rc3) printed a short listing of my BGP peers and the number of advertisements to each of them.
Now under 7.6 it started to print a list of advertisements (each with peer, dst, details like AS list) in paginated mode, I printed 3 or 4 pages then interrupted it.
Then I did the /routing/bgp/advertisements/print count-only to see what that would do, and from then on the no such item (4) message appeared after a single item. This item is for an iBGP peer. I can no longer scroll back far enough to see what would have been the next item and if there is anything particular about it.

Is the original brief list that only showed the number of advertisements to each peer still somehow accessible?

breili · Wed Oct 19, 2022 6:13 pm

Looks like sstp-client with mschap2 is broken since 7.4 and with 7.6 the log doesn't seem to contain useful data anymore:
(sorry for the long code snippet showing log messages for 7.3.1, 7.4 and 7.6. BB seemed not to like it as 3 code snippets)

################################################
# 7.3.1 is the last one working
 11:27:55 sstp,ppp,debug uw: LCP open
 11:27:55 sstp,ppp,debug,packet  uw: sent LCP ConfReq id=0x1
 11:27:55 sstp,ppp,debug,packet    <magic 0x20b5cf3b>
 11:27:55 sstp,ppp,debug,packet  uw: rcvd LCP ConfReq id=0x0
 11:27:55 sstp,ppp,debug,packet    <mru 4091>
 11:27:55 sstp,ppp,debug,packet    <magic 0x9f299f49>
 11:27:55 sstp,ppp,debug,packet    <pcomp>
 11:27:55 sstp,ppp,debug,packet    <accomp>
 11:27:55 sstp,ppp,debug,packet    <auth 0xc227>
 11:27:55 sstp,ppp,debug,packet    <callback 0x06>
 11:27:55 sstp,ppp,debug,packet    <mrru 1614>
 11:27:55 sstp,ppp,debug,packet    <ed 0x01 4c 31 e9 33 4b af 41 e6 96 bd 10 1a 2e 91 cc e5 00 00 00 00>
 11:27:55 sstp,ppp,debug,packet  uw: sent LCP ConfRej id=0x0
 11:27:55 sstp,ppp,debug,packet    <pcomp>
 11:27:55 sstp,ppp,debug,packet    <accomp>
 11:27:55 sstp,ppp,debug,packet    <callback 0x06>
 11:27:55 sstp,ppp,debug,packet    <mrru 1614>
 11:27:55 sstp,ppp,debug,packet    <ed 0x01 4c 31 e9 33 4b af 41 e6 96 bd 10 1a 2e 91 cc e5 00 00 00 00>
 11:27:55 sstp,ppp,debug,packet  uw: rcvd LCP ConfAck id=0x1
 11:27:55 sstp,ppp,debug,packet    <magic 0x20b5cf3b>
 11:27:55 sstp,ppp,debug,packet  uw: rcvd LCP ConfReq id=0x1
 11:27:55 sstp,ppp,debug,packet    <mru 4091>
 11:27:55 sstp,ppp,debug,packet    <magic 0x9f299f49>
 11:27:55 sstp,ppp,debug,packet    <auth 0xc227>
 11:27:55 sstp,ppp,debug,packet  uw: sent LCP ConfNak id=0x1
 11:27:55 sstp,ppp,debug,packet    <auth  mschap2>
 11:27:55 sstp,ppp,debug,packet  uw: rcvd LCP ConfReq id=0x2
 11:27:55 sstp,ppp,debug,packet    <mru 4091>
 11:27:55 sstp,ppp,debug,packet    <magic 0x9f299f49>
 11:27:55 sstp,ppp,debug,packet    <auth  mschap2>
 11:27:55 sstp,ppp,debug,packet  uw: sent LCP ConfAck id=0x2
 11:27:55 sstp,ppp,debug,packet    <mru 4091>
 11:27:55 sstp,ppp,debug,packet    <magic 0x9f299f49>
 11:27:55 sstp,ppp,debug,packet    <auth  mschap2>
 11:27:55 sstp,ppp,debug uw: LCP opened

################################################
# 7.4 is the first not working version.
 16:25:31 sstp,ppp,debug uw: LCP lowerup
 16:25:31 sstp,ppp,debug,packet  uw: sent LCP ConfReq id=0x3
 16:25:31 sstp,ppp,debug,packet    <magic 0x3c390d4d>
 16:25:31 sstp,ppp,debug uw: LCP open
 16:25:31 sstp,ppp,debug,packet  uw: rcvd LCP ConfReq id=0x0
 16:25:31 sstp,ppp,debug,packet    <mru 4091>
 16:25:31 sstp,ppp,debug,packet    <magic 0xd275f908>
 16:25:31 sstp,ppp,debug,packet    <pcomp>
 16:25:31 sstp,ppp,debug,packet    <accomp>
 16:25:31 sstp,ppp,debug,packet    <auth 0xc227>
 16:25:31 sstp,ppp,debug,packet    <callback 0x06>
 16:25:31 sstp,ppp,debug,packet    <mrru 1614>
 16:25:31 sstp,ppp,debug,packet    <ed 0x01 4c 31 e9 33 4b af 41 e6 96 bd 10 1a 2e 91 cc e5 00 00 00 00>
 16:25:31 sstp,ppp,debug,packet  uw: sent LCP ConfRej id=0x0
 16:25:31 sstp,ppp,debug,packet    <pcomp>
 16:25:31 sstp,ppp,debug,packet    <accomp>
 16:25:31 sstp,ppp,debug,packet    <auth 0xf0e9>
 16:25:31 sstp,ppp,debug,packet    <callback 0x06>
 16:25:31 sstp,ppp,debug,packet    <mrru 1614>
 16:25:31 sstp,ppp,debug,packet    <ed 0x01 4c 31 e9 33 4b af 41 e6 96 bd 10 1a 2e 91 cc e5 00 00 00 00>
 16:25:31 sstp,ppp,debug,packet  uw: rcvd LCP ConfAck id=0x3
 16:25:31 sstp,ppp,debug,packet    <magic 0x3c390d4d>
 16:25:31 sstp,ppp,debug,packet  uw: rcvd LCP TermReq id=0x1
 16:25:31 sstp,ppp,debug,packet     08F9uD200<CDt00000397
 16:25:31 sstp,ppp,debug,packet  uw: sent LCP TermAck id=0x1
 16:25:31 sstp,ppp,debug uw: LCP lowerdown

################################################
# 7.6 is not working either but debug logs for sstp/ppp have gone sparse too
 16:43:04 sstp,ppp,info uw: initializing...
 16:43:04 sstp,ppp,info uw: initializing...
 16:43:04 sstp,ppp,info uw: connecting...
 16:43:04 sstp,ppp,info uw: connecting...
 16:43:05 sstp,packet uw sending
 16:43:05 sstp,packet SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1r
 16:43:05 sstp,packet Content-Length: 18446744073709551615r
 16:43:05 sstp,packet Host: ::r
 16:43:05 sstp,packet r
 16:43:05 sstp,packet
 16:43:05 sstp,ppp,debug uw: CCP close
 16:43:05 sstp,ppp,debug uw: BCP close
 16:43:05 sstp,ppp,debug uw: IPCP close
 16:43:05 sstp,ppp,debug uw: IPV6CP close
 16:43:05 sstp,ppp,debug uw: MPLSCP close
 16:43:05 sstp,ppp,info uw: terminating... - closed by remote peer
 16:43:05 sstp,ppp,info uw: terminating... - closed by remote peer
 16:43:05 sstp,ppp,debug uw: LCP lowerdown

The client conntects to an windows ras server (I've little control over that one).
Client config is simple:

/interface sstp-client
add authentication=mschap2 connect-to=some.host.net http-proxy=0.0.0.0 name=uw pfs=yes profile=uw tls-version=only-1.2 user="domain\\some.user" \
    verify-server-address-from-certificate=no verify-server-certificate=yes
/ppp profile
add change-tcp-mss=yes name=uw use-encryption=yes use-ipv6=no use-mpls=no use-upnp=no

rextended · Wed Oct 19, 2022 6:56 pm

CCR2116-12G-4S+ now on production
from netinstalled 7.6beta7 on "test",
previously updated via drag&drop npk from 7.6beta7 to 7.6beta8 on "test",
previously updated via drag&drop npk from 7.6beta8 to 7.6rc1 on "pre-production",
updated again via drag&drop npk from 7.6rc1 to 7.6 (stable) on "production"

BGP v4: WORK (AS->not-MikroTik AS multi-peer ebgp)
BGP v6: WORK (AS->not-MikroTik AS single-peer ebgp)

BUG:
1) Dual boot still required for upgrade the RouterBOOT.
2) RouterOS package still called "routeros" instead of "routeros-arm64" (on this model) and this prevent "The Dude" to be able to upgrade the device.
3) The Original User-Manager not exist on RouterOS v7. The surrogate can not even be compared with the Original v6.

ilmars · Wed Oct 19, 2022 7:06 pm

After full upgrade to v7.6 no issues with CCR1072, CRS317, CRS326-24S+2Q+, CRS328 this far. BGP works fine.

Yet MLAG (on top of 2 interface bonding) between two CRS317 switches (intialially 7.5) was flapping when only one of the switches was update/upgraded. After second MLAG switch was updated/upgraded to 7.6 MLAG flapping issue went away.

nexusds · Wed Oct 19, 2022 7:39 pm

Have problems on a CCR2004-16g-2s and sfponu module.
Issue shows after firmware update add next boot, no pon link at sfp.
SFP is visible and hardware info is ok, but no pon link.
So after every firmware update i need get out sfponu and insert it again, only after that pon link is ok. Simple rebooting doesnt solve problem
That same problem was on a rb4011, rb5009. I think some power reset solution for sfp+ port needed.

And onemore, when fasttrack is enabled (action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes ) all wireguard connections works very slow and dropping packets. Tried play with mtu but only disabling fasttrack helps.

Disabling Fasttrack made it worse for my testing. definitely something changed in wireguard as its dropping packets etc. What port are you using for your wireguard?

godovic · Wed Oct 19, 2022 7:48 pm

I have a problem with RB921GS-5HPacD-15S and RBSXTsqG-5acD. The client can "see" mANTbox15s only on 5500 mhz?
I cannot confirm if it is only an 7.6 version issue, because the devices are new, and both devices was upgraded to 7.6 with latest firmware - before setup.

qatar2022 · Wed Oct 19, 2022 7:55 pm

it's very very slow to download update for 11 MT device

gstitt · Wed Oct 19, 2022 8:01 pm

*) ospf - fixed checksum calculation;

All routers upgraded to this version now complain with "wrong checksum from <blah>" and OSPF isn't propogating routes.

kenyloveg · Wed Oct 19, 2022 8:03 pm

The ugly premission denied issue seems still exist in 7.6
I'm able to run adguardhome without errors, until I edit AdguardHome.yaml to set upstream_dns_file: disk1/adguardhome/conf/greatfire.txt
Then log report permission denied error.

pe1chl · Wed Oct 19, 2022 8:08 pm

Hap ac3 log: error while running customized default configuration script: no such item

Tried to rename wifi back to wlan1 and wlan2 (also to wifi1 and wifi2) and reboot, nothing changed

I think with the wifiwave2 package installed, it is now to be considered "the normal and accepted behavior".... or else it would have been fixed by now.

rextended · Wed Oct 19, 2022 8:12 pm

@mkx

sep/02/2022 16:13:17 system,error,critical error while running customized default configuration script: bad command name wireless (line 985 column 25)
sep/02/2022 16:13:17 system,error,critical

When the "get-custom-defconf" is interrupted for some reason, the "flag" get-custom-defconf runned successfully is not set, and everytime at reboot it try to run the script,
is why everytime, for every reboot, you get that error.
(The error is on the file "get-custom-defconf" on system package, not on wifiwave2 package)

MikroTik Staff, please, deliver to who manage the get-custom-defconf file this message:

   # wait wlan3 it takes 7sec slower to load than wlan1/2 on Audience
    $addCL ("  :local count 0;")
    $addCL ("  :while ([/interface wireless find default-name=\"wlan3\"] = \"\") do={ ")
    $addCL ("    :if (\$count = 15) do={")
    $addCL ("      :log warning \"DefConf: Unable to find wlan3 interface\";")
    $addCL ("      /quit")
    $addCL ("    }")
    $addCL ("    :delay 1s; :set count (\$count +1);")
    $addCL ("  };")

    # TODO: set band and ext, probably use setWlan function
    $addCL ("  /interface wireless {")
    $addCL ("    :local wl3 [find default-name=\"wlan3\"]")
    $addCL ("    :local wlanMac  [get \$wl3 mac-address];")
    $addCL ("    :set ssid \"SYNC-\$[:pick \$wlanMac 9 11]\$[:pick \$wlanMac 12 14]\$[:pick \$wlanMac 15 17]\"")
    $addCL ("    set \$wl3 disabled=no mode=ap-bridge band=5ghz-a/n/ac ssid=\$ssid security-profile=wpsSync wps-mode=push-button")
    # set channnel width 20/40/80mhz-XXXX (russia 20/40mhz-XX)


<<< LINE 983 >>>    # wait wlan3 it takes 7sec slower to load than wlan1/2 on Audience
    :local count 0;
<<< @mkx LINE 985 >>>    :while ([/interface wireless find default-name="wlan3"] = "") do={
      :if ($count = 30) do={
        :log warning "DefConf: Unable to find wlan3 interface";
        /quit
      }
      :delay 1s; :set count ($count +1);
    };

<<< LINE 993 >>>    :local hwInfo [/interface wireless info hw-info [.. find where default-name="wlan3"] as-value];
      $addDL ("#|     channel-width: 20/40mhz-XX;")
<<< LINE 995 >>>      $addCL ("    set \$wl3 channel-width=20/40mhz-XX")
    $addCL ("  };")
}

Accidentally the already converted block was not deleted, old code and unused chunks were left from line 983 to line 995.
[Also on line 993 is present a useless local variable (never used anywhere) that give error, becase call directly /int wireless for set his value]

Simply deleting the lines from 983 to 995 solve the problem.

Thanks.

NetHorror · Wed Oct 19, 2022 8:19 pm

*) ospf - fixed checksum calculation;

All routers upgraded to this version now complain with "wrong checksum from <blah>" and OSPF isn't propogating routes.

+1

has the same issue on hap ac3 and 951G-2HnD

Wed Oct 19, 2022 10:04 pm

@rextended
Shoot a mail to support pointing to your post. Maybe it gets more attention that way.

irrwitzer · Wed Oct 19, 2022 11:27 pm

I think I've got a bug with /routing/bgp/advertisements/print with IPv6 sessions:

 > /routing/bgp/advertisements/print detail where peer=bgp-22-2-1
 0 peer=bgp-22-2-1 dst=2001:c76:a00:300::/56 local-pref=100 nexthop=10c:760a::2200 origin=0

The next-hop value ist just bullshit. Fortunately it's just a display bug, because the routes are advertised with the correct next-hop:

> ipv6/route/print where dst-address=2001:c76:a00:300::/56
Flags: D - DYNAMIC; A - ACTIVE; b, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS            GATEWAY           DISTANCE
DAb 2001:c76:a00:300::/56  2001:c76:a00::22       200

BR,
Johannes

nexusds · Thu Oct 20, 2022 1:22 am

Have problems on a CCR2004-16g-2s and sfponu module.
Issue shows after firmware update add next boot, no pon link at sfp.
SFP is visible and hardware info is ok, but no pon link.
So after every firmware update i need get out sfponu and insert it again, only after that pon link is ok. Simple rebooting doesnt solve problem
That same problem was on a rb4011, rb5009. I think some power reset solution for sfp+ port needed.

And onemore, when fasttrack is enabled (action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes ) all wireguard connections works very slow and dropping packets. Tried play with mtu but only disabling fasttrack helps.
Disabling Fasttrack made it worse for my testing. definitely something changed in wireguard as its dropping packets etc. What port are you using for your wireguard?

My issue in the end was an in-path CR354-48G-4S+2Q+ causing issues with Bonding of interfaces to another switch as well as packets dropping around 20% inside the switch. Rebooting it didnt help, but backing this switch down to 7.5 solved the issue.

WildWest · Thu Oct 20, 2022 1:35 am

Can somebody explain how to do that?
*) lte - added support to perform FOTA upgrade from local file for EG12-EA, EG18-EA, RG502Q-AE, EG06-A, EP06-A modems;

pothi · Thu Oct 20, 2022 4:35 am

Updated hAP AC2 from 7.5 to 7.6. No issues so far.

gotsprings · Thu Oct 20, 2022 5:37 am

Updated Audience from 7.5 to 7.6. was already using wave 2 driver.

Seems channels can no longer be B/G/N. Also it didn't like whatever I had left the key exchange time out as, and zeroed it.

Gave it the benefit of the doubt and netinstalled 7.6 with WAVE2 and Zerotier.

Still get a red error in log after booting.

Rebuilt bridge, ports, dhcp-client, then rebuilt WiFi. Redid all the wifi settings and set channels, SSID and password with WPA2.

And yes I have more problems keeping clients connected...

Turning the radios back off again.

pexeforadagua · Thu Oct 20, 2022 8:10 am

ospf simple auth error "route,ospf,info Discarding packet: wrong chekcsum" between 6.49.7 and 7.6
7.5 and 6.x works well

It gave the same error here (all were previously in version 7.5), when updating to 7.6, OSPF stopped working with the checksum error, I tried to remove and reconfigure and it still didn't solve it, the way was to go back to version 7.5 , done everything went back to normal!

kenyloveg · Thu Oct 20, 2022 8:43 am

The ugly premission denied issue seems still exist in 7.6
I'm able to run adguardhome without errors, until I edit AdguardHome.yaml to set upstream_dns_file: disk1/adguardhome/conf/greatfire.txt
Then log report permission denied error.

No more issues by uploading file through sftp, instead of ftp.

thedix · Thu Oct 20, 2022 8:54 am

After upgrading hEX S from 7.5 to 7.6 I see IPSec errors when connecting from client to server (connection is established successfully):

Oct/20/2022 12:42:07   ipsec, error    unable to get certificate CRL(3) at depth:0 cert:CN=...
Oct/20/2022 12:42:07   ipsec, error    unable to get certificate CRL(3) at depth:1 cert:C=...

All the CRLs are accessible and visible at Certificates/CRL.
7.5 works fine without errors.

eworm · Thu Oct 20, 2022 9:10 am

I noticed that in active-peers menu the id is now prefixed with "CN=" and I had to adopt that change in some scripts.
Possibly this causes more issues with specific configurations? Do you have key IDs in your configuration?

draid · Thu Oct 20, 2022 10:14 am

Hex S SFP info is still unavaliable. All boxes are empty. Does anyone still have this problem?

giulianoz · Thu Oct 20, 2022 12:18 pm

Ac3 from 7.6rc2 to 7.6 updated successfully
Packages installed
Wifiwave2
Container
ZeroTier

HasanAlawlaki · Thu Oct 20, 2022 1:51 pm

Session time left
Still not shown on hotspot active?
Any solution?

anuser · Thu Oct 20, 2022 2:20 pm

CCR1036-8G-2S+
log says: "snmp, warning timeout while waiting for program 48"
=> All CAPs lost connection, echo timeout

johnson73 · Thu Oct 20, 2022 3:07 pm

Updated hAP AC3 from 7.5 to 7.6. So far there are no problems.

StepBee · Thu Oct 20, 2022 3:20 pm

I think I've got a bug with /routing/bgp/advertisements/print with IPv6 sessions:
Code: Select all
 > /routing/bgp/advertisements/print detail where peer=bgp-22-2-1
 0 peer=bgp-22-2-1 dst=2001:c76:a00:300::/56 local-pref=100 nexthop=10c:760a::2200 origin=0
The next-hop value ist just bullshit. Fortunately it's just a display bug, because the routes are advertised with the correct next-hop:
Code: Select all
> ipv6/route/print where dst-address=2001:c76:a00:300::/56
Flags: D - DYNAMIC; A - ACTIVE; b, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS            GATEWAY           DISTANCE
DAb 2001:c76:a00:300::/56  2001:c76:a00::22       200
BR,
Johannes

+1 - in my case the characters of the IPv6 address are shifted and ::<less than 4 characters> is resolved wrong for example ::15 is resolved to :1500 instead of :0015
But indeed, luckily its only a display bug

stanelie · Thu Oct 20, 2022 4:31 pm

CapsMan stopped working when I upgraded from 7.5. None of the controlled access points (CAPs) would connect to CapsMan. I downgraded and everything went back to normal. (small setup with 20 access points)
Are your cAPs running ROS 7.6?

Not yet. To be able to update them to 7.6 from capsman, you need to upgrade the capsman server first. But it's a catch 22, since the access points lose connectivity as soon as I upgrade the capsman server.

stanelie · Thu Oct 20, 2022 4:32 pm

Are your cAPs running ROS 7.6?
Update of CAPsMAN from 7.5 to 7.6 went smooth, even on CAPsMAN itself and on all AP´s (5x) also. (ROS and FW).
From what version did you came from? (AP´s)

The access points are on 7.5.

gotsprings · Thu Oct 20, 2022 9:56 pm

Log into the caps and update them directly.

k0n24d · Thu Oct 20, 2022 10:52 pm

*) firewall - fixed usage of "netmap" action for IPv6 source NAT;

Not sure what this means. From what I see source nat using netmap doesn't seem to work correctly.

I have a srcnat rule to netmap from fdyy:yyyy:yyyy:yyyy::/64 to 2a01:xxxx:xxxx:xxxx::/64.
But every single outgoing connection has an ipv6 source address set to 2a01:xxxx:xxxx:xxxx::

gotsprings · Fri Oct 21, 2022 12:33 am

Are your cAPs running ROS 7.6?
Not yet. To be able to update them to 7.6 from capsman, you need to upgrade the capsman server first. But it's a catch 22, since the access points lose connectivity as soon as I upgrade the capsman server.

I just did a new install.

Updated the router to 7.6 out of the box. Loaded my caps-man template.
Set the caps to caps mode.
They all connected and requested an update.

Had to log into each to set passwords and update firmware.

MTU value kept setting itself to zero.

And now log doesn't show clients connecting and disconnecting.

Ohh joy.

Safic · Fri Oct 21, 2022 9:39 am

Update of CAPsMAN from 7.5 to 7.6 went smooth, even on CAPsMAN itself and on all AP´s (5x) also. (ROS and FW).
From what version did you came from? (AP´s)
The access points are on 7.5.

Yesterday I've updated from 7.5 to 7.6 ccr1016 with capsman, crs328, some capAC2 and wAPac. All fine! cAPs get update before capsman router.

mabels · Fri Oct 21, 2022 11:31 am

I just updated from 7.5 to 7.6 on CRS326-24G-2S+RM and now it's a brick.
I did not try to debug into it --- i just want to let know this.
I tried now the factory-reset procedure and the device shows no reaction --- only the blue power led is flashing -- not link on ether1 to netinstall ....

Thx

Meno

pe1chl · Fri Oct 21, 2022 11:41 am

There is a difference between the factory-reset procedure and the netinstall procedure. You need to follow them (the orchestration of pressing/releasing the reset button and the application of power) very closely, or else you get the wrong thing or nothing at all.

loloski · Fri Oct 21, 2022 12:47 pm

i have much higher success rate of doing netinstall in linux rather than windows 10 or 11, even though i have only 1 interface enable on this environment, if you see in the commandline sendfile you can safely release the button and rest assured netinstall will do its thing from formatting the device send the actual firmware and rebooting the device

Fri Oct 21, 2022 1:17 pm

Same here.
I keep on old Dell laptop especially for that purpose (2008 and no battery).

rextended · Fri Oct 21, 2022 2:19 pm

I just updated from 7.5 to 7.6 on CRS326-24G-2S+RM and now it's a brick.

I haved the same problem some weeks ago, but is not RouterOS the problem: after reboot do not start.
Check the capacitor on power adapter, try to replace it with another new...
(any between 12V/24V is good, but must be 1A at least)

Panbambaryla · Fri Oct 21, 2022 2:37 pm

Same here.
I keep on old Dell laptop especially for that purpose (2008 and no battery).

Doesn't make sense, IMHO, as it works perfectly well under Ubuntu as virtual machine (Hyper-V) in Windows 10/11.

rextended · Fri Oct 21, 2022 2:39 pm

CCR2116-12G-4S+ now on production
[…]
BGP v4: WORK (AS->not-MikroTik AS multi-peer ebgp)
BGP v6: WORK (AS->not-MikroTik AS single-peer ebgp)
[…]

Still true after 2 days...

rextended · Fri Oct 21, 2022 2:41 pm

Till now, I never have a single problem with netinstall on old / new computers, if the OS is correctly configured, and netinstall correctly configured and used.

tigro11 · Fri Oct 21, 2022 4:57 pm

winbox 3.37 windows
If I run Winbox from local, it works, if I perform winbox from wireguard tunnel, it blocks and does not enter.

news this problem?

Fri Oct 21, 2022 5:05 pm

news this problem?

Most likely this is your problem

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

Your wireguard interface is not part of the LAN list.
So it gets dropped.

Either add wireguard to LAN.
Or add a rule before this one allowing wireguard on input.

tigro11 · Fri Oct 21, 2022 7:21 pm

moderator nite: no need to quote whole preceding post. Just use "Post Reply" button.

The Wireguard interface is on the LAN list

chiem · Sat Oct 22, 2022 12:43 am

https://help.mikrotik.com/docs/pages/vi ... edfeatures

How about some documentation on how the /ip/dns/static address-list field is supposed to be used?

mafiosa · Sat Oct 22, 2022 10:58 am

Till now, I never have a single problem with netinstall on old / new computers, if the OS is correctly configured, and netinstall correctly configured and used.

Offtopic: Good to see your powers clipped. Simping for mikrotik and telling that all bugs or missing features are user's fault doesn't help in the long run. One of the worst moderator on a technical forum.

rextended · Sat Oct 22, 2022 12:06 pm

Obviously I can't refer to the linux version, which I don't use.
Sorry to disappoint you, but whatever you write, it doesn't change the facts, after 15 years and dozens of PCs,
if netinstall doesn't work, it's definitely the fault of how the user tries to use it, or Windows settings.
Netinstall cannot solve Windows problems and MikroTik staff can not solve them for Microsoft.

Panbambaryla · Sat Oct 22, 2022 12:30 pm

moderator nite: no need to quote whole preceding post. Just use "Post Reply" button.

That's simply not true... MT is using some uncommon functions which makes it almost impossible to use it right form the start in Windows. Don't you think if it was a good product there would be no complains? There are many different for example TFTP implementations which simply work without any extra work required, the same should apply to this product. We are here with some extra IT knowledge then average user and almost everybody here knows how to handle Windows. The problem is the app itself which should be redesigned according to nowadays systems specification and probably written from scratch.

To moderator: during my message composition time another post can appear, so quoting the one I am responding to, is the best, direct approach to keep things tight. The forum should eventually cut the quotations to a few first sentences if not implemented yet.
Also, if quoting is allowed in the editor it's up to me to use it or not. I don't want anybody edit my post if I decided how I wanted it to look like!

gotsprings · Sat Oct 22, 2022 12:45 pm

I can get netinstall to work on windows, as soon as I take down every single firewall program, and make sure my network is set as private.

Sat Oct 22, 2022 12:56 pm

@Panbambaryla:
L2 protocol used for MAC level access to device is really uncommon feature not available for other brands.
It's a HUGE adventage when it comes to configuration errors and lets you to go back from "point of no return" but ...
L2 protocols are not so simple to manage as setting IP for particular interface. Even then you have to deal with proper priorities of gateways to let the traffic go lo proper interface. World is not so simple.

Not blaming Microsoft and beeing "advocatus diaboli" of MT or vice-versa if you wish but you have consider that some nonstandard solutions are not as obvious to use as simple straight console connection.

mkx · Sat Oct 22, 2022 1:02 pm

I second the opinion that it is definitely possible to make netinstall less fragile. There are quite a few apps around which utilize (win)pcap library to do the low-level data transfers (e.g. binding to a particular network interface) ... which seems to be one of bigger problems of windows executable.
The question, which remains to be answered, is whether MT will dedicate some developers' time to improve things in due time (yeah, it's not a bug report, it's a feature/improvement request).

pe1chl · Sat Oct 22, 2022 1:05 pm

Yes it also needs an interface select widget, and that would be part of such an improvement as well. The program fails to work on systems with more network interfaces, even on Linux.
As the protocol isn't documented anyway, it may also be best to just overhaul it completely and change to a simple TCP connection that does everything. That should solve the firewall issues too.

Sat Oct 22, 2022 1:06 pm

Check the capacitor on power adapter, try to replace it with another new...(any between 12V/24V is good, but must be 1A at least)

Capacitor or fuse as 1A requirement for capacitors makes no sense.

rextended · Sat Oct 22, 2022 1:27 pm

Is for another power adapter, not for anotehr capacitor for replace the damaged on power adapter...

mkx · Sat Oct 22, 2022 1:29 pm

As the protocol isn't documented anyway, it may also be best to just overhaul it completely and change to a simple TCP connection that does everything. That should solve the firewall issues too.

"Simple" TCP might not be so simple ... I guess the tricky part of netinstall binary is that it includes BOOTP/DHCP server and TFTP server, additionally device opens sort of control connection (could be it's actually a service which gets started after device boots from image received from netinstall server via TFTP) which allows netinstall binary to push actual npk files and default configuration ... none of which is possible using simple TFTP. Surely netinstall could relly on other (standard) servers to provide these services, but that would mean multiple servers (by multiple vendors) with appropriate config. I guess that would proove a nightmare for every Mikrotik user but hard-core network admins. I guess the tricky part is to bind BOOTP/DHCP and TFTP services to correct interface, at least BOOTP/DHCP service has to listen to "raw" IP/UDP network interface to catch those broadcasts from client. Even standard ISC DHCP server on linux used to bind to raw network device to deal with requests reliably (I'm not sure about recent versions though).

pe1chl · Sat Oct 22, 2022 3:51 pm

That is what I mean: do not use BOOTP, TFTP etc but just run a TCP service on some port where a client can make a TCP connection and do all the things it needs to do (upload the image, the parameters, etc). it could be port 80 or 443, even. The netinstall could likely be done from a browser extension or javascript app.
That way there will be no firewall issues on the client. The IP of the router can be fixed. Of course then there still is the inconvenient issue that you need to set a fixed IP on the computer, but with the current netinstall you need to do that anyway.
I guess the reason for not doing it this way in the pat was to keep the ROM code as small as possible, and a "simple" UDP BOOTP and TFTP client would be smaller than a TCP implementation, but I guess with todays devices that issue is not that important anymore.

DL7JP · Sat Oct 22, 2022 4:26 pm

RB1100AH, CRS125-24G, hAP ac, hAP ac^2, CCR2004-16G: Upgraded, no problems noticed.

mkx · Sat Oct 22, 2022 5:42 pm

That is what I mean: do not use BOOTP, TFTP etc but just run a TCP service ...

To do that, device (client) has to do full IP self-setup anyway ... which means DHCP server somewhere. And for simple bootstrap client currently re-uses standard protocols (BOOTP and TFTP). According to your idea this part would be part of routerboot (making it more complex and prone to bugs preventing device from being unbricked). The rest of process (uploading packages and config) is probably (I didn't wireshark that part) already over IP and only fails occasionally (the part where upload "finishes" in microseconds, but device doesn't do anything).

I still think it's a good idea to have bare minimum routerboot and have everything else neatly packed in single executable so the netinstall can be performed with direct connection between device and management computer, without any additional 3rd party services. The whole thing only has to become less fragile and it seems the fragility is in the windows executable (since linux executable seems to perform much better with same routerboot in devices).

Panbambaryla · Sat Oct 22, 2022 7:36 pm

@Panbambaryla:
L2 protocol... [...]

I don't understand what you wanted to explain. If L2 would be enough for Netinstall to work defining IP addresses would be unnecessary.

Jotne · Sat Oct 22, 2022 7:51 pm

To moderator: during my message composition time another post can appear, so quoting the one I am responding to, is the best, direct approach to keep things tight. The forum should eventually cut the quotations to a few first sentences if not implemented yet.

You can see after you have posted if a new message in the mean time has entered between your latest post and replied post(not a problem on this small forum). Then you can edit your post and quote whats needed. Another stuff happens when you quote a post, an email are sent to the user.
Continue discuss quoting here: viewtopic.php?t=168474

This thread is a about 7.6. Make a new thread about Netinstall. I never have needed to do it. One reason is that I never upgrade the first day after new releases, so avoid mayor flaws.

Omar007 · Sat Oct 22, 2022 7:55 pm

*) firewall - fixed usage of "netmap" action for IPv6 source NAT;

Not sure what this means. From what I see source nat using netmap doesn't seem to work correctly.

I have a srcnat rule to netmap from fdyy:yyyy:yyyy:yyyy::/64 to 2a01:xxxx:xxxx:xxxx::/64.
But every single outgoing connection has an ipv6 source address set to 2a01:xxxx:xxxx:xxxx::

Same here but with a /48 on both sides. It looks like IPv6 NETMAP is still broken, no matter which direction you go in (prerouting/dstnat or postrouting/srcnat).

sirbryan · Sat Oct 22, 2022 8:02 pm

Sooo, back to 7.6.

I have three CCR2116's, two of which do full BGP tables to three providers (filtered to a single AS away) and feed the combination into a third 2116 that then feeds our CGNAT core. The 2116's were all running 7.4.1 with L3HW offload and BGP overlaid on OSPF between them, and working fine. The two border routers have a 10Gbps fiber connection to each other and the one in the middle is connected to the other two via low-latency (<1ms) E-band radios. We see roughly 500-700Mbps per provider, for a combination of 1-2Gbps throughout most of the day and evening.

After testing 7.6 on a few smaller routers, I loaded it onto these three. For the bulk of the day, things seemed to be just fine with the exact same config. But later in the day customers started complaining of random disconnects and slow bandwidth. Further investigation showed OSPF resets in the logs, particularly between the middle one and one of the borders. Monitoring the live graphs of both routers and radios showed traffic stopping for a second or two. One at a time, I backed off the routers to 7.4.1 (hoorah for partitions and exceedingly fast boot time of the 2116's!). From what I could tell, as long as L3HW offload was off on the router(s) that had 7.6, OSPF stopped bouncing.

Now they're all backed off to 7.4.1, L3HW offload is re-enabled, and I've had no OSPF resets or traffic drops. Unfortunately I wasn't in a position to grab support files, but perhaps this scenario can be rebuilt in a lab, or other providers who see this will benefit and perhaps share anything else they've learned.

sirbryan · Sat Oct 22, 2022 11:14 pm

On the upside,

I am running 7.6 on the home/office CCR2116. I put in a 500GB NVME disk and loaded up piHole to start. Pretty slick. Containers have come a long way since 7.1.

With 1TB-4TB SSD's at a reasonable price, I'm thinking some owncloud, FreePBX/Asterisk, etc. and you've got a sweet box for managed services. Also excited to see what I can do with my cluster of RB5009's and CCR2004-16G-2S+ and their USB3 ports.

drasir · Sun Oct 23, 2022 12:59 am

ros76_partition.jpg

So this isn't right? Rb5009UPr
Part1 now broken after i canceled this process.. Anything known?

malobert · Sun Oct 23, 2022 12:40 pm

ros76_partition.jpg

So this isn't right? Rb5009UPr
Part1 now broken after i canceled this process.. Anything known?

Search in this thread for partition for the solution, you are not the only one. I had this after the upgrade. Delete your veth interface and everything works well after that.

drasir · Sun Oct 23, 2022 7:17 pm

ros76_partition.jpg

So this isn't right? Rb5009UPr
Part1 now broken after i canceled this process.. Anything known?
Search in this thread for partition for the solution, you are not the only one. I had this after the upgrade. Delete your veth interface and everything works well after that.

That's what i did beforehand.. Funny enough "partitioN" does not return results.. searching for "veth" however did!

Thanks, that did it!

miasharmse84 · Mon Oct 24, 2022 11:57 am

CCR2116-12G-4S+ now on production
from netinstalled 7.6beta7 on "test",
previously updated via drag&drop npk from 7.6beta7 to 7.6beta8 on "test",
previously updated via drag&drop npk from 7.6beta8 to 7.6rc1 on "pre-production",
updated again via drag&drop npk from 7.6rc1 to 7.6 (stable) on "production"

BGP v4: WORK (AS->not-MikroTik AS multi-peer ebgp)
BGP v6: WORK (AS->not-MikroTik AS single-peer ebgp)

BUG:
1) Dual boot still required for upgrade the RouterBOOT.
2) RouterOS package still called "routeros" instead of "routeros-arm64" (on this model) and this prevent "The Dude" to be able to upgrade the device.
3) The Original User-Manager not exist on RouterOS v7. The surrogate can not even be compared with the Original v6.

Sounds positive,
How many routes are you receiving from BGP peers?

rextended · Mon Oct 24, 2022 12:07 pm

Only the default routes from all 3 peers, they are the same provider, the second IPv4 is for failover.
As long as you have no special routing needs or have multiple providers, etc., it is useless to have any full route table.

miasharmse84 · Mon Oct 24, 2022 12:13 pm

Thx @rextended.
I would be interested to know if anyone is running 7.6 in production with full internet routing table or at least receiving more than 500k routes from peers.

Paternot · Mon Oct 24, 2022 2:25 pm

/routing/bgp/advertisements/print now shows a detailed list, where on rc1 it showed only a summary. There was a "show" command that showed the full list.
So now I tried /routing/bgp/advertisements/print count-only to see if it maybe shows a summary only.
It showed:
704
no such item (4)
From now on, /routing/bgp/advertisements/print only shows a single item and then it prints that no such item (4) error.

It's the same for me.
hEX, upgraded from a netinstalled 7.4.1 to 7.6

> /routing/bgp/advertisements/print count-only 
4366
no such item (4)

Everything else looks like it's working for me. Wireguard, IPSEC, GRE tunnels, SSH, BGP...

armandfumal · Mon Oct 24, 2022 2:52 pm

Only the default routes from all 3 peers, they are the same provider, the second IPv4 is for failover.
As long as you have no special routing needs or have multiple providers, etc., it is useless to have any full route table.
Thx @rextended.
I would be interested to know if anyone is running 7.6 in production with full internet routing table or at least receiving more than 500k routes from peers.

I'm using it with 2 BGP full tables, around 1.900.000 prefixes in table...

miasharmse84 · Mon Oct 24, 2022 3:00 pm

Thanks for the reply. Can you comment on the stability?
- How long does it take to build the routing table if the router reboots or if the eBGP peer is disconnected?
- Do you have any concerns or is running stable?
- Would you recommend for ISP production environment?

Many thx.

rextended · Mon Oct 24, 2022 4:49 pm

On my test for make working v7 like v6 I dump all both full tables (not the IPv6 table) (I do not remember total number of records) on less than 3 min for sure.
I do not remember exact time.

MEDO11 · Mon Oct 24, 2022 8:53 pm

Hap ac3 with ww2 succesfully updated from 7.5 stable thru system->packages. Routerboard updated without issues too.

armandfumal · Mon Oct 24, 2022 10:08 pm

Thanks for the reply. Can you comment on the stability?
- How long does it take to build the routing table if the router reboots or if the eBGP peer is disconnected?
- Do you have any concerns or is running stable?
- Would you recommend for ISP production environment?

Many thx.

It is stable, I have 2 CCR2216 with 2 BGP full table each, it works as edge routers, I can reboot each without impact of the backbone. iBgp is instant running, eBgp is about 3 mins to be 100%...all is IPV4 and IPV6...
Know issues: prefix counters still not works, don't check advertised prefix without filter data(all lists) it take 100% CPU and memory leaks when build the list...
At overall it is running BGP as edge without issues, stable connection...

rextended · Mon Oct 24, 2022 10:15 pm

Are the CCR2116-12G-4S+ model?
Very powerful

jbl42 · Mon Oct 24, 2022 10:40 pm

Installed 7.6 without issues on several RB4011(no WiFi) and R5009. Basic setups (NAT, VLAN filtered bridge, some simple queues, basic firewalling, DHCP client/server), all working fine so far.

Different on CCR2216:
BPG/OSPF with large (300'000+) tables and L3HW enabled is unstable and peer connections flap with OSPF resets in the log.
For us, this issues started with 7.5 and did not improve with 7.6.
The OSPF CRC "fix" causes packet drops with ("%OSPF-4-ERRRCV: Received invalid packet: Bad Checksum")

Had to go back to 7.4.1 to get things stable.

nannou9 · Tue Oct 25, 2022 2:06 am

Cloud backup stopped working for me on all 7.6 devices( rb4011, crs305, audience)
Says error from apis.
Was working on 7.5.

miasharmse84 · Tue Oct 25, 2022 9:23 am

Thx @rextended @armandfumal

We are planning an upgrade from 7.5 to 7.6 later this week on our BGP router, CCR2116. We are currently receiving around 130 000 routes from one eBGP peer, however when trying to add a second eBGP peer which would send us an estimated additional 160 000 routes we see the following error messages in the log "Write to bgp failed (32) { #buf=1 max=64 sk=Socket{ 5[0] } }"

This causes my entire routing table to stop working and routes to working BGP peers have to rebuild as well.
I am hoping 7.6 will fix this issue for us.

I will revert with some feedback.

armandfumal · Tue Oct 25, 2022 10:16 am

@miasharmse84

I had the same issue with 7.5, corrected since 7.6 beta8....

alexspils · Tue Oct 25, 2022 1:35 pm

updated hex from 7.2 to 7.6 but version remains the same

juniorespow · Tue Oct 25, 2022 2:20 pm

Like 7.6rc2 and 7.6.rc3 this 7.6 release has the same issue for us.

CCR2216, 2 bgp links full table, around 1.900.000 prefixes in routing table.

issue with cli command : /routing/bgp/advertisements/

when using /routing/bgp/advertisements/print with where command to filter a peer, that working with no issue.

but
when using just /routing/bgp/advertisements/print, causing 100% cpu at routing & management process and memory is falling down rapidly. after lost 9Gb RAM we device to force reboot...

nobody has this issue ?

regards

I have the same problem

hecatae · Tue Oct 25, 2022 4:58 pm

updated hex from 7.2 to 7.6 but version remains the same

Hi,

You've updated RouterOS but not Routerboard, please follow https://www.youtube.com/watch?v=WPW3mHlEzn4

rextended · Tue Oct 25, 2022 5:24 pm

Hi,

You've updated RouterOS but not Routerboard, please follow https://www.youtube.com/watch?v=WPW3mHlEzn4

Hi,

You've posted on the forum without understanding the post you mention, please view download/file.php?id=56334

kenyloveg · Tue Oct 25, 2022 5:36 pm

My scripts in /ppp/profile is randomly not working anymore after upgraded to 7.6

:global new
:global old
:global status
    :set status [/interface get [/interface find  name=("pppoe-out1")] running]
    :if ($status=true) do={
     :set new [/ip address get [/ip address find dynamic=yes interface=("pppoe-out1")] address]
     :set new [:pick $new 0 ([:len $new] -3)]
     :set old [/ip firewall nat get [find comment=("src-nat")] to-addresses]
      :if  (!($new=$old)) do={
      /ip firewall nat set [/ip firewall nat find comment=("src-nat")] to-addresses=$new
       }}

By enable, disable interface pppoe-out1, to address=xx.xx.xx.xx sometimes don't change, sometimes do.

/ip firewall nat
add action=src-nat chain=srcnat comment=src-nat ipsec-policy=out,none out-interface=pppoe-out1 to-addresses=xx.xx.xx.xx

Thanks

rextended · Tue Oct 25, 2022 6:27 pm

you must write script correctly, regardless routeros version, the differencies between v6 and v7 are on get address only

:if ([/interface get pppoe-out1 running]) do={
    :local new [/ip address get ([find where interface=pppoe-out1]->0) address]
    :set   new [:pick $new 0 [:find $new "/"]]
    :local old [/ip firewall nat get [find where comment="src-nat"] to-addresses]
    :if  ($new != $old) do={
        /ip firewall nat set [find where comment="src-nat"] to-addresses=$new
    }
}

or better, removing all useless parts, if you put this on ppp profile / scripts / on up:

/ip firewall nat set [find where comment="src-nat"] to-addresses=$"local-address"

riv · Tue Oct 25, 2022 8:17 pm

VPNV4 routes not advertising to BGP peers

Anyone having the same issue?

kenyloveg · Tue Oct 25, 2022 9:01 pm

or better, removing all useless parts, if you put this on ppp profile / scripts / on up:
Code: Select all
/ip firewall nat set [find where comment="src-nat"] to-addresses=$"local-address"

If "local-address" would never be broken, this should be the best way.
Thank you.

kenyloveg · Tue Oct 25, 2022 9:02 pm

or better, removing all useless parts, if you put this on ppp profile / scripts / on up:
Code: Select all
/ip firewall nat set [find where comment="src-nat"] to-addresses=$"local-address"

If "local-address" would never be broken, this should be the best way.
Thank you.

sirbryan · Tue Oct 25, 2022 10:09 pm

Thx @rextended.
I would be interested to know if anyone is running 7.6 in production with full internet routing table or at least receiving more than 500k routes from peers.

I was, until my internal OSPF links started flapping.

sirbryan · Tue Oct 25, 2022 10:12 pm

BPG/OSPF with large (300'000+) tables and L3HW enabled is unstable and peer connections flap with OSPF resets in the log.
For us, this issues started with 7.5 and did not improve with 7.6.
The OSPF CRC "fix" causes packet drops with ("%OSPF-4-ERRRCV: Received invalid packet: Bad Checksum")

Had to go back to 7.4.1 to get things stable.

Glad to see it wasn't just me. Did you try disabling L3HW offload? That fixed it for me on 7.6, but kind of defeated the purpose of using those routers in the first place. :-)

jbl42 · Tue Oct 25, 2022 10:44 pm

No, I did not try to disable L3HW.
I don't see any value in running a ROS version with broken L3HW on a CCR2216. As you mentioned, the large scale L3HW capabilities are the reason to pay the extra money for a CCR2216 in the first place.

tommyd · Wed Oct 26, 2022 11:14 am

when using /routing/bgp/advertisements/print with where command to filter a peer, that working with no issue.
but
when using just /routing/bgp/advertisements/print, causing 100% cpu at routing & management process and memory is falling down rapidly. after lost 9Gb RAM we device to force reboot...

nobody has this issue ?

I do, for way smaller tables on WAN routers (CCR2004-1G-12S+2XS). Rapid memory leak and reboot in few minutes after issuing the

print

command

Edit: even

/routing/bgp/advertisements/print count-only

causes memory leak and eventually reboot

pe1chl · Wed Oct 26, 2022 11:31 am

I see no such leaks but I have only 750 routes so maybe it is not so visible then. I presume the command makes some temporary table in memory for all routes it is going to print.
However I had that "No such item (4)" problem I mentioned above and now I see it rectified itself after the BGP peers went down/up due to the ISP modem having rebooted last night. That has apparently cleared something up. That problem now is not reproducible.

nichky · Wed Oct 26, 2022 11:32 am

2.4 on v7.6

DenisPDA · Wed Oct 26, 2022 1:20 pm

Why such loading at an empty configuration????

hex_7.6.JPG

hex_7.6_2.JPG

What was done
1. Full configuration reset
2. Netinstall
Problem persists

Wed Oct 26, 2022 1:37 pm

Please send or post supout.rif file. Maybe we can see a little more from the file

DenisPDA · Wed Oct 26, 2022 1:59 pm

Please send or post supout.rif file. Maybe we can see a little more from the file

supout.zip

rextended · Wed Oct 26, 2022 3:55 pm

@DenisPDA
The unwritten question is:
>>>Why does it take so long to export and so much CPU is used during export one "blank" configuration?
Otherwise it seems the question is simply:
>>>Why does the CPU have such high usage without any configuration?

The answer is simple, the device must not use optimized network functions, but various CPU calculations during the export,
because it does not just "copy" a file from the internal memory to the .rsc file,
but must check the configuration of each individual item,
and dynamically create the difference file to export to the configuration.

tigro11 · Wed Oct 26, 2022 4:09 pm

moderator nite: no need to quote whole preceding post. Just use "Post Reply" button.
The Wireguard interface is on the LAN list

I have excluded all the rules of the Mangle and Raw firewall, but the connection does not work, there must be some other problems.

rextended · Wed Oct 26, 2022 4:21 pm

Non usare le sessioni di altri dispositivi... che magari sono di versioni differenti. Seleziona su Session <none>

rextended · Wed Oct 26, 2022 4:23 pm

RB5009UG+S+ with netinstalled 7.2.3 => /sys rou up 7.6
Apparently work without problems.

tigro11 · Wed Oct 26, 2022 6:33 pm

Non usare le sessioni di altri dispositivi... che magari sono di versioni differenti. Seleziona su Session <none>

niente da fare, non funziona

rextended · Wed Oct 26, 2022 7:02 pm

I do not understand where is the problem :(

tigro11 · Wed Oct 26, 2022 7:15 pm

I do not understand where is the problem :(

does not enter on winbox, blocks on that screen

miasharmse84 · Thu Oct 27, 2022 9:41 am

@miasharmse84

I had the same issue with 7.5, corrected since 7.6 beta8....

We upgrade the CCR2116 to 7.6 this morning but our second BGP peer is still not coming up. When enabling the peer it starts to load some routes and then suddenly stops with the same error message as version 7.5 in the log: Write to bgp failed (32) { #buf=1 max=64 sk=Socket{ 5 a } }

rextended · Thu Oct 27, 2022 9:47 am

does not enter on winbox, blocks on that screen

ok, I understand that, ma non ho capito perché ti ci fa ¯\_( ͡° ͜ʖ ͡°)_/¯

Taner · Thu Oct 27, 2022 10:47 am

Hello, do you have any issues with RB1100AHx2 after upgrading to 7.6 from 7.5?

fabeni · Thu Oct 27, 2022 3:37 pm

Good Morning
We were testing with the CCR2116 using it for PPPoE, we got 2400 connections, we had some problems....
CPU rising to 100% with 2GB of traffic
PPPoE disconnecting in bulk
Simple Queue not being removed and not allowing pppoe to reconnect because it said it already had a simple queue running.
We had to take out the CCR2116 and put the CCR1036 in place.
In version 7.7 beta, I didn't see anything talking about PPPoE, was something done?

arainbow · Fri Oct 28, 2022 11:58 am

ROS 7.6:
rb750gr3, ipv6 dhcpclient on pppoe-client can't get prefix.Tried multiple times, still doesn't work.
hap ac2 work fine.

dakobg · Fri Oct 28, 2022 6:28 pm

Ovpn. - vrf .. cool :)

Maggiore81 · Fri Oct 28, 2022 10:07 pm

Hello, do you have any issues with RB1100AHx2 after upgrading to 7.6 from 7.5?

No.
We have on duty 3x 1100AHx2 that were upgraded successfully with no issues.

rpingar · Sat Oct 29, 2022 8:23 pm

we are experiencing problems with simple-queue by pppoe on x86 platform, around 5000 vlan with 5000 pppoe-server (one for each client) over them.
sometime the simple queue got not removed when the client disconnect. So the client is not able to reauthenticate because it found a same queue present.
The only way to recover is to reboot it.

regards

loloski · Sun Oct 30, 2022 2:27 am

@rpingar

Wow that was huge and to avoid broadcast storm you guys create one instance and a vlan per customer, is this BRAS in bare metal or under hypervisor? care to share the setup a little bit