v6.38 [current] is released!

Mon Jan 02, 2017 2:41 pm

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

Important note!!!
RouterOS v6.38 contains STP/RSTP changes which makes bridges compatible with IEEE 802.1Q-2014 by sending and processing BPDU packets without VLAN tag.
To avoid STP/RSTP compatibility issues with older RouterOS versions, upgrade RouterOS to v6.38 on all routers in Layer2 networks with VLAN and STP/RSTP configurations.
The recommended procedure is to start by upgrading the remotest routers and gradually do it to the Root Bridge device.
If after upgrade you experience loss of connectivity, then disabling STP/RSTP on RouterOS bridge interface will restore connectivity so you can complete upgrade process on your network.

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set xauth-use-radius=yes";
!) ipsec - added IKEv2 support;
!) ipsec - added IKEv2 EAP RADIUS passthrough authentication for responder;
!) ipsec - added support for unique policy generation;
!) ipsec - removed IKEv1 ah+esp support;
!) snmp - added basic get and walk functionality "/tool snmp-[get|walk]";
!) switch - added hardware STP functionality for CRS devices and small Atheros switch chips (http://wiki.mikrotik.com/wiki/Manual:CR ... e_Protocol);
!) tr069-client - initial implementation (as separate package) (cli only);
!) winbox - Winbox 3.7 is the minimum version that can connect to RouterOS;
*) arp - added "local-proxy-arp" feature;
*) bonding - added "forced-mac-address" option;
*) bonding - fixed "tx-drop" on VLAN over bonding on x86;
*) bridge - fixed rare crash on bridge port removal;
*) bridge - fixed VLAN BPDU rx and tx when connected to non-RouterOS device with STP functionality;
*) bridge - require admin-mac to be specified if auto-mac is disabled;
*) bridge - show bridge port name in port monitor;
*) capsman - added "group-key-update" parameter;
*) capsman - added possibility to change arp, mtu, l2mtu values in datapath configuration;
*) capsman - fixed CAP upgrade when separate wireless package is used (introduced in 6.37);
*) capsman - use correct source address in reply to unicast discovery requests;
*) ccr - added AHCI driver for Samsung XP941 128GB AHCI M.2;
*) certificates - added support for PKCS#12 export;
*) certificates - allow import multiple certs with the same key;
*) certificates - fixed crash when crl is removed while it is being fetched;
*) certificates - fixed trust chain update on local certificate revocation in programs using ssl;
*) certificates - if no name provided create certificate name automatically from certificate fields;
*) console - fixed multi argument value unset;
*) crs - added comment ability in more switch menus;
*) crs - fixed rare kernel failure on switch reset (for example, reboot);
*) dhcp - fixed DNS server assignment to client if dynamic server exists and is from another IP family;
*) dhcp - fixed issue when dhcp-client was still possible on interfaces with "slave" flag and using slave interface MAC address;
*) dhcp - show dhcp server as invalid and log an error when interface becomes a slave;
*) dhcp-server - fixed when wizard was unable to create pool >dhcp_pool99;
*) discovery - added LLDP support;
*) discovery - removed 6to4 tunnels from "/ip neighbor discovery menu";
*) dns - added "max-concurrent-queries" and "max-concurrent-tcp-sessions" settings;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ethernet - added "k" and "M" unit support to Ethernet Bandwidth setting;
*) ethernet - fixed "tx-fcs-error" on SFP+ interfaces when loop-protect is enabled;
*) export - do not show interface comment in "/ip neighbor discovery" menu;
*) export - updated default values to clean up export compact;
*) fastpath - fixed rare crash;
*) fastpath - fixed x86 bridge fast-path status shown as active even if it is manually disabled;
*) file - fixed file manager crash when file transfer gets cancelled;
*) firewall - added "creation-time" to address list entries;
*) firewall - added sctp/dccp/udp-lite support for "src-port", "dst-port", "port" and "to-ports" firewall options;
*) firewall - do not defragment packets which are marked with "notrack" in raw firewall;
*) firewall - fixed "time" option by recognizing weekday properly (introduced in v6.37.2);
*) firewall - fixed dynamic raw rule behaviour;
*) firewall - fixed rule activation if "time" option is used and no other active rules are present;
*) firewall - increased max size of connection tracking table to 1048576;
*) firewall - new faster "connection-limit" option implementation;
*) firewall - significantly improved large firewall rule set import performance;
*) graphing - fixed queue graphs showing up in web interface if aggregate name size >57840 symbols;
*) health - show power consumption on devices which has voltage and current monitor;
*) hotspot - fixed nat rule port setting in "hs-unauth-to" chain by changing it from "dst-port" to "src-port" on Walled Garden ip "return" rules;
*) interface - changed loopback interface mtu to 1500;
*) interface - do not treat multiple zeros as single zero on name comparison;
*) interface - show link stats in "/interface print stats-detail" output;
*) ipsec - added ability to specify static IP address at "send-dns" option;
*) ipsec - added ph2 accounting for each policy "/ip ipsec policy ph2-count";
*) ipsec - allow to specify explicit split dns address;
*) ipsec - changed logging topic from error to debug when empty pfkey messages are received;
*) ipsec - do not auto-negotiate more SAs than needed;
*) ipsec - ensure generated policy refers to valid proposal;
*) ipsec - fixed camellia crypto algorithm module loading;
*) ipsec - fixed IPv6 remote prefix;
*) ipsec - fixed kernel failure on tile with sha256 when hardware encryption is not being used;
*) ipsec - fixed peer configuration my-id IPv4 address endianness;
*) ipsec - fixed ph2 auto-negotiation by checking policies in correct order;
*) ipsec - load ipv6 related modules only when ipv6 package is enabled;
*) ipsec - make generated policies always as unique;
*) ipsec - non passive peers will also establish SAs from policy without waiting for the first packet;
*) ipsec - optimized logging under ipsec topic;
*) ipsec - show active flag when policy has active SA;
*) ipsec - show SA "enc-key-size";
*) ipsec - split "mode-config" and "send-dns" arguments;
*) ipv6 - added "no-dad" setting to ipv6 addresses;
*) ipv6 - fixed "accept-router-advertisements" behaviour;
*) ipv6 - moved empty IPv6 pool error message to error topic;
*) lcd - improved performance, causes less cpu load;
*) led - fixed dark mode for cAP 2nD (http://wiki.mikrotik.com/wiki/Manual:Sy ... ds_Setting);
*) log - fixed "System rebooted because of kernel failure" message to show after 1st crash reboot;
*) lte - added support for more Vodafone K4201-Z, Novatel USB620L, PANTECH UML295 and ZTE MF90 modems;
*) lte - allow to execute concurrent info commands;
*) lte - fixed dwm-222, Pantech UML296 support;
*) lte - fixed init delay after power reset;
*) lte - increased delay when setting sms send mode;
*) lte - return info data when all the fields are populated;
*) metarouter - fixed startup process (introduced in 6.37.2);
*) mmips - fixed traffic accounting in "/interface" menu;
*) ospf - fixed route crash caused by memory corruption when there are multiple active interfaces;
*) ppp - fixed packet size calculation when MRRU is set (was 2 bytes bigger than MTU allows);
*) ppp - significantly improved shutdown speed on servers with many active tunnels;
*) ppp - significantly improved tunnel termination process on servers with many active tunnels;
*) profile - added "bfd" and "remote-access" processes;
*) profile - added ability to monitor cpu usage per core;
*) profile - make profile work on mmips devices;
*) profile - properly classify "wireless" processes;
*) queue - fixed "time" option by recognizing weekday properly (introduced in v6.37.2);
*) radius - added IPSec service (cli only);
*) rb750Gr3 - fixed ipsec with 3des+md5 to work on this board;
*) rb850Gx2 - fixed pcb temperature monitor if temperature was above 60C;
*) resolver - ignore cache entries if specific server is used;
*) routerboot - show log message if router CPU/RAM is overclocked;
*) script - increment run count value when script is executed from snmp;
*) snmp - always report bonding speed as speed from first bonding slave;
*) snmp - fixed rare crash when incorrectly formatted packet was received;
*) snmp - provide sinr in lte table;
*) ssh - added routing-table setting (cli only);
*) ssh - fixed lost "/ip ssh" settings on upgrade from version older than 5.15;
*) system - reboot device on critical program crash;
*) tile - fixed kernel failure when when IPv6 ICMP packet is sent through PPP interface;
*) time - updated time zones;
*) traceroute - fixed memory leak;
*) traffic-flow - fixed flow sequence counter and length;
*) trafficgen - fixed compact export when "header-stack" includes tcp;
*) trafficgen - fixed crash when IPv6 traffic is processed;
*) trafficgen - fixed potential crash when very big frame is generated;
*) trafficgen - improved fastpath support;
*) tunnel - fixed transmit packets occasionally not going through fastpath;
*) tunnel - properly export keepalive value;
*) usb - fixed kernel failure when Nexus 6P device is removed;
*) users - added minimal required permission set for full user group;
*) users - added TikApp policy;
*) vlan - allow to add multiple VLANs which name starts with same number and has same length;
*) vrrp - do not show unrelated log warning messages about version mismatch;
*) watchdog - do not send supout file if "auto-send-supout" is disabled;
*) webfig - added extra protection against XSS exploits;
*) webfig - show ipv6 addresses correctly;
*) webfig - show properly interface last-link-up/down times;
*) winbox - added "Complete" flag to arp table;
*) winbox - added "untracked" option to firewall "connection-state" setting;
*) winbox - added Dude icon to Dude menu;
*) winbox - allow to enable/disable traffic flow targets;
*) winbox - allow to run profile from "/system resources" menu;
*) winbox - allow to specify interface for leds with "interface-speed" trigger;
*) winbox - do not allow to set "loop-protect-send-interval" to 0s;
*) winbox - do not show hotspot user profile incoming and outgoing filters and marks as set if there is no value specified;
*) winbox - fixed crash when legacy Winbox version was used;
*) winbox - fixed default values for interface "loop-protect-disable-time" and "loop-protect-send-interval";
*) winbox - fixed missing "IPv6/Settings" menu;
*) winbox - fixed typo in "propagate-ttl" setting;
*) winbox - make cert signing include provided ca-crl-host;
*) winbox - moved ipsec peer "exchange-mode" to General tab;
*) winbox - properly show VHT basic and supported rates in CAPsMAN;
*) winbox - removed spare values from loop-protect menu;
*) winbox - show all related HT tab settings in 2GHz-g/n mode;
*) winbox - show primary and secondary ntp addresses as 0.0.0.0 if none are set;
*) winbox - show proper ipv6 connection timeout;
*) wireless - added API command to report country-list (/interface/wireless/info/country-list);
*) wireless - added CRL checking for eap-tls;
*) wireless - fixed action frame handling for WDS nodes;
*) wireless - fixed custom channel extension-channel appearance in console;
*) wireless - fixed full "spectral-history" header print on AP modes;
*) wireless - fixed rare kernel failure when connecting to nv2 access point with legacy rate select;
*) wireless - fixed upgrade from older wireless packages when AP interface had empty SSID;
*) wireless - take in account channel width when returning supported channels;
*) wireless - use VLAN ID 0 in RADIUS message to disable VLAN tagging;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

G2Dolphin · Mon Jan 02, 2017 2:53 pm

Never seen that big changelog yet.

Thank you, and a have a happy New Year!

irghost · Mon Jan 02, 2017 4:01 pm

*) radius - added IPSec service (cli only);

please at it in Winbox

patrick7 · Mon Jan 02, 2017 4:15 pm

*) snmp - always report bonding speed as speed from first bonding slave;

Why? Bondings with 2x1Gbps are now shown as 1Gbps which is not true.
Except from the STP problems which I already reported by E-Mail - good work!

Happy new year.

Mon Jan 02, 2017 4:33 pm

patrick7 - Bonding in past reported 2Gbps always. It did not matter if bonding had 2,3,4,5, etc. slave interfaces. Now it will simply report single link speed:
*) snmp - always report bonding speed as speed from first bonding slave;

chg123 · Mon Jan 02, 2017 4:34 pm

Strange Bug:
After upgrading my CCR1009-8G-1S-1S+ from 6.37.3 to 6.38 the exported config mixed up the interface IDs:

/interface ethernet
set [ find default-name=ether5 ] l2mtu=1520 name=ether1-kbd
set [ find default-name=ether6 ] l2mtu=1520 name=ether2
set [ find default-name=ether7 ] l2mtu=1520 name=ether3
set [ find default-name=ether8 ] l2mtu=1520 name=ether4-inl
set [ find default-name=ether1 ] name=ether5-wan-lacp1-1
set [ find default-name=ether2 ] name=ether6-wan-lacp1-2
set [ find default-name=ether3 ] name=ether7-wan
set [ find default-name=ether4 ] name=ether8-wan

This was definitely NOT the actively running config since i did not rename the interfaces that crappy

Just to make sure that the export was wrong tried to load this config into the zeroed device but it failed.

after a manual correction to:

/interface ethernet
set [ find default-name=ether1 ] l2mtu=1520 name=ether1-kbd
set [ find default-name=ether2 ] l2mtu=1520
set [ find default-name=ether3 ] l2mtu=1520
set [ find default-name=ether4 ] l2mtu=1520 name=ether4-inl
set [ find default-name=ether5 ] name=ether5-wan-lacp1-1
set [ find default-name=ether6 ] name=ether6-wan-lacp1-2
set [ find default-name=ether7 ] name=ether7-wan
set [ find default-name=ether8 ] name=ether8-wan

everything worked fine.

Is there any explanation for this effect?

Cheers,

Christoph

Chupaka · Mon Jan 02, 2017 4:55 pm

*) arp - added "local-proxy-arp" feature;
*) bonding - added "forced-mac-address" option;

Any chance to get some documentation for those features?

*) traffic-flow - fixed flow sequence counter and length;

What was wrong with it?

*) winbox - allow to run profile from "/system resources" menu;

Can't see anything in Resources...

Chupaka · Mon Jan 02, 2017 4:57 pm

After upgrading my CCR1009-8G-1S-1S+ from 6.37.3 to 6.38 the exported config mixed up the interface IDs:

/interface ethernet
set [ find default-name=ether5 ] l2mtu=1520 name=ether1-kbd
set [ find default-name=ether6 ] l2mtu=1520 name=ether2
set [ find default-name=ether7 ] l2mtu=1520 name=ether3
set [ find default-name=ether8 ] l2mtu=1520 name=ether4-inl
set [ find default-name=ether1 ] name=ether5-wan-lacp1-1
set [ find default-name=ether2 ] name=ether6-wan-lacp1-2
set [ find default-name=ether3 ] name=ether7-wan
set [ find default-name=ether4 ] name=ether8-wan

This was definitely NOT the actively running config since i did not rename the interfaces that crappy

Just to make sure that the export was wrong tried to load this config into the zeroed device but it failed.

At least it was because ether6 cannot be renamed to ether2: ether2 already exists and will be renamed later

So sorting in Export should be not by name, but by default-name

Campano · Mon Jan 02, 2017 5:27 pm

Nice work, now try! and check all is working

Siona · Mon Jan 02, 2017 6:37 pm

!) ipsec - added support for unique policy generation;

*) ipsec - added ability to specify static IP address at "send-dns" option;
*) ipsec - added ph2 accounting for each policy "/ip ipsec policy ph2-count";
*) ipsec - allow to specify explicit split dns address;
*) ipsec - changed logging topic from error to debug when empty pfkey messages are received;
*) ipsec - do not auto-negotiate more SAs than needed;
*) ipsec - ensure generated policy refers to valid proposal;
*) ipsec - fixed camellia crypto algorithm module loading;
*) ipsec - fixed IPv6 remote prefix;
*) ipsec - fixed kernel failure on tile with sha256 when hardware encryption is not being used;
*) ipsec - fixed peer configuration my-id IPv4 address endianness;
*) ipsec - fixed ph2 auto-negotiation by checking policies in correct order;
*) ipsec - load ipv6 related modules only when ipv6 package is enabled;
*) ipsec - make generated policies always as unique;
*) ipsec - non passive peers will also establish SAs from policy without waiting for the first packet;
*) ipsec - optimized logging under ipsec topic;
*) ipsec - show active flag when policy has active SA;
*) ipsec - show SA "enc-key-size";
*) ipsec - split "mode-config" and "send-dns" arguments;

.

Is it working out of box? Or need I configure this?
Especially unique policy.

borisk · Mon Jan 02, 2017 6:56 pm

Hello!

Sorry, what mean

*) interface - changed loopback interface mtu to 1500;

? There is special loopback interface now? Can't find it.

Regards,
Boris

pietroscherer · Mon Jan 02, 2017 7:02 pm

*) routerboot - show log message if router CPU/RAM is overclocked;

It's possible to have a info message, when the router's CPU/RAM is out of factory/default value?

DuduZZZ · Mon Jan 02, 2017 7:16 pm

Hello,

After upgrade in the log appear: system, info, critical - memory overclocked. All device which is contain 128 MB memory.

Devices affected in my network:
1x RB2011UiAS
2x CRS109-8G-1S-2HnD
2x CRS125-24G-1S

Devices not affected in my network:
2x RB3011UiAS

Thanks & Regards,
David

JimmyNyholm · Mon Jan 02, 2017 7:36 pm

patrick7 - Bonding in past reported 2Gbps always. It did not matter if bonding had 2,3,4,5, etc. slave interfaces. Now it will simply report single link speed:
*) snmp - always report bonding speed as speed from first bonding slave;

For LACP that is Totally Wrong. In protocol less bonding this may be acceptable Something I never Use.
A bond with LACP have prerequisites that states that all members should be same link speed.
The snmp value for speed on a bond interface with LACP should be speed from first link (all is same) times number of link that have an active partner and is currently Aggregating and Hashing. This is how we can monitor if a fault is bound to happen.

cheeze · Mon Jan 02, 2017 7:46 pm

patrick7 - Bonding in past reported 2Gbps always. It did not matter if bonding had 2,3,4,5, etc. slave interfaces. Now it will simply report single link speed:
*) snmp - always report bonding speed as speed from first bonding slave;
For LACP that is Totally Wrong. In protocol less bonding this may be acceptable Something I never Use.
A bond with LACP have prerequisites that states that all members should be same link speed.
The snmp value for speed on a bond interface with LACP should be speed from first link (all is same) times number of link that have an active partner and is currently Aggregating and Hashing. This is how we can monitor if a fault is bound to happen.

Correct me if I'm incorrect here but, I don't believe LACP bundles are something that RouterOS does. They haven't implemented that to my knowledge. It's been asked (a lot) and now maybe since they are not focusing on the current routing stack they might do it...

edit:

I was wrong, Mikrotik does support LACP/802.3ad

I'm sorry

moep · Mon Jan 02, 2017 8:15 pm

First of all happy new year and nice work on overall ipsec improvements.

But the password length is still capped to 31 characters, which creates incompatibility to previous versions with long xauth passwords
i wrote this here:
http://forum.mikrotik.com/viewtopic.php ... 86#p573186

please try to fix it

JanezFord · Mon Jan 02, 2017 10:11 pm

Upgraded many devices without problems except two of rb912uag-2hnd with r11e-5nhd which never came back online - same config - cap client. Remote poe off/on did not help. Be carefull if you have rb912 devices.

JF.

Edit: Also missing one of rb951g-2hnd devices. Will not upgrade rest until sure of 6.38 stability.
Edit2: rb951g-2hnd came back online ... still missing both 912s ... poe reboot not helping.

JimmyNyholm · Mon Jan 02, 2017 10:18 pm

edit:

I was wrong, Mikrotik does support LACP/802.3ad

I'm sorry

Right. I would not be a customer if they had not supported LACP. On the plus side is that they even have minimum link property for channel up state. I bought the 1036 before 1072 was out and I only use the two sfp+ ports LACP bundled to our redundant Core. Now with 1072 We have even more ports. Waiting eagerly for qsfp+ and qsfp28 Products from MT but that will be the day. Not so interesting before everything is multicore anyway.

csi · Mon Jan 02, 2017 10:30 pm

Happy new year first!

After upgrading some of my boxes, I get an issue with a CRS109-8G-1S-2HnD. I use some tagged VLANs between a RB3011 and the CRS box. When I upgrade the CRS box, the interfaces are not useable and the CRS box is not reachable. When I take a downgrade to 6.37.3 the device is back. I have tested twice and also with an fresh upload of the firmware to the box. Normally I use the CAPsMan to upgrade my devices.

Please let me know, if you need some more information.

Cheers
csi

pe1chl · Mon Jan 02, 2017 10:43 pm

I use some tagged VLANs between a RB3011 and the CRS box. When I upgrade the CRS box, the interfaces are not useable and the CRS box is not reachable.

Did you read the release notes?

JimmyNyholm · Mon Jan 02, 2017 10:45 pm

Hello!

Sorry, what mean
*) interface - changed loopback interface mtu to 1500;
? There is special loopback interface now? Can't find it.

Regards,
Boris

+1 What does it say? Do we have Loopback Interface Now? Cant seem to find either in winbox nor in cli.

GioMac · Mon Jan 02, 2017 11:00 pm

Great release... And IPSec died for RW configuration

jan/03 00:43:12 ipsec,info respond new phase 1 (Identity Protection): x.x.x.x
2[500]<=>y.y.y.y[500] 
jan/03 00:43:13 ipsec,info ISAKMP-SA established x.x.x.x[4500]-y.y.y.y[
4500] spi:zzzz
jan/03 00:43:13 ipsec,info acquired 192.168.23.250 address for y.y.y.y[4500] 
jan/03 00:43:13 ipsec,info Xauth login succeeded for user: giomac 
jan/03 00:43:14 ipsec,error y.y.y.y[ failed to pre-process ph2 packet. 
jan/03 00:43:17 ipsec,error y.y.y.y[ peer sent packet for dead phase2 
jan/03 00:43:20 ipsec,error y.y.y.y[ peer sent packet for dead phase2 
jan/03 00:43:23 ipsec,error y.y.y.y[ peer sent packet for dead phase2 
jan/03 00:43:26 ipsec,error y.y.y.y[ peer sent packet for dead phase2 
jan/03 00:43:29 ipsec,error y.y.y.y[ peer sent packet for dead phase2 
jan/03 00:43:32 ipsec,error y.y.y.y[ peer sent packet for dead phase2 
jan/03 00:43:35 ipsec,error y.y.y.y[ peer sent packet for dead phase2 
jan/03 00:43:38 ipsec,error y.y.y.y[ peer sent packet for dead phase2 
jan/03 00:43:41 ipsec,error y.y.y.y[ peer sent packet for dead phase2 
jan/03 00:43:44 ipsec,info purging ISAKMP-SA x.x.x.x[4500]<=>y.y.y.y[45
00] spi=jjjj. 
jan/03 00:43:45 ipsec,info ISAKMP-SA deleted x.x.x.x[4500]-y.y.y.y[4500
] spi:wwww rekey:1 
jan/03 00:43:45 ipsec,info releasing address 192.168.23.250

csi · Mon Jan 02, 2017 11:07 pm

I use some tagged VLANs between a RB3011 and the CRS box. When I upgrade the CRS box, the interfaces are not useable and the CRS box is not reachable.
Did you read the release notes?

Yes I have. But I'm not using STP and bridges only for the WiFi interfaces. Or have I made a mistake with my thinking?

locodog · Mon Jan 02, 2017 11:14 pm

Hello!

Sorry, what mean
*) interface - changed loopback interface mtu to 1500;
? There is special loopback interface now? Can't find it.

Regards,
Boris

+1 What does it say? Do we have Loopback Interface Now? Cant seem to find either in winbox nor in cli.

There is no Loopback interface added. If you need loopback interface simply create bridge and do not add any ports to it. (MTU of 1500 is for that empty bridge used as loopback).

locodog · Mon Jan 02, 2017 11:16 pm

I use some tagged VLANs between a RB3011 and the CRS box. When I upgrade the CRS box, the interfaces are not useable and the CRS box is not reachable.
Did you read the release notes?

Also, does this affects L2 connections with another vendors? What exactly changed so that VLAN on 6.38 is different from vlan 6.37 and older?

pe1chl · Tue Jan 03, 2017 12:05 am

I use some tagged VLANs between a RB3011 and the CRS box. When I upgrade the CRS box, the interfaces are not useable and the CRS box is not reachable.
Did you read the release notes?
Yes I have. But I'm not using STP and bridges only for the WiFi interfaces. Or have I made a mistake with my thinking?

Bridges have STP enabled by default. Did you set "protocol: none" on your bridges? If not, they have STP.

csi · Tue Jan 03, 2017 2:20 am

I use some tagged VLANs between a RB3011 and the CRS box. When I upgrade the CRS box, the interfaces are not useable and the CRS box is not reachable.
Did you read the release notes?
Yes I have. But I'm not using STP and bridges only for the WiFi interfaces. Or have I made a mistake with my thinking?
Bridges have STP enabled by default. Did you set "protocol: none" on your bridges? If not, they have STP.

On the CRS the bridges are disabled, on the RB3011 not of course. I have enabled RSTP on CRS for testing, but same problem.

JimmyNyholm · Tue Jan 03, 2017 11:36 am

*) interface - changed loopback interface mtu to 1500;
There is no Loopback interface added. If you need loopback interface simply create bridge and do not add any ports to it. (MTU of 1500 is for that empty bridge used as loopback).

This is well known to all of us this is why we are asking this question.
The release notes states that mtu values have changed for Loopback Interface. Hello WHAT LOOPBACK INTERFACE.

pe1chl · Tue Jan 03, 2017 11:42 am

Probably the loopback interface (lo) internal to the Linux system that is beneath the RouterOS that you can see from the outside.
This by default has an MTU of 65536. Maybe this caused problems in some special case where traffic is sent via the loopback
for internal operations of the router and the first hop has a large MTU but later hops have smaller MTU.

Plnt · Tue Jan 03, 2017 12:22 pm

Hello,

After upgrade in the log appear: system, info, critical - memory overclocked. All device which is contain 128 MB memory.

Devices affected in my network:
1x RB2011UiAS
2x CRS109-8G-1S-2HnD
2x CRS125-24G-1S

Devices not affected in my network:
2x RB3011UiAS

Thanks & Regards,
David

I have the same problem on two different RouterBOARD 911 Lite5 after the upgrade. I didn't do any overclocking on the devices. Apart from the message I didn't noticed any problems - everything works fine.

jan/03/2017 11:08:24 system,info,critical memory overclocked

[admin@xxx] > /system routerboard print 
                ;;; Warning: memory overclocked
...

Tue Jan 03, 2017 12:23 pm

Do not worry about these overclocked messages - they are still work on progress. If you have not overclocked device manually, then there is no need to worry about that.
We are still improving this feature.

alfonzz · Tue Jan 03, 2017 12:41 pm

Hello,
After upgrade in the log appear: system, info, critical - memory overclocked. All device which is contain 128 MB memory.

It happens me too - on SXT lite5 with 64MB memory...
wtf?

Zorro · Tue Jan 03, 2017 1:31 pm

fantastic news !!
*put teapot on, unpacked pack of (vanilla)cookies and immediately start celebrating THAT !!*
thanks for continued efforts to Improve your products/ROS, MT !!
happy new year, anyone !

hgkeh · Tue Jan 03, 2017 2:08 pm

I just upgraded my RB751U-2HnD, and after reboot all my LED stop functioning (no light).

kristaps · Tue Jan 03, 2017 3:17 pm

Just upgraded five RB751U with different configurations to 6.38 . All booted up without issues.

@hgkeh can you please post your configuration that you used on RB751U, that we can try to replicate your issue.

hgkeh · Tue Jan 03, 2017 3:35 pm

# jan/03/2017 21:28:33 by RouterOS 6.38
# software id = 6QRW-GN7H
#
/interface bridge
add admin-mac=00:0C:42:E1:C1:A7 auto-mac=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-full,100M-full,1000M-full name=\
    ether1-gateway rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] advertise=10M-full,100M-full,1000M-full name=\
    ether2-gateway rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] advertise=10M-full,100M-full,1000M-full name=\
    ether3-master-local rx-flow-control=auto speed=1Gbps tx-flow-control=auto
set [ find default-name=ether4 ] advertise=10M-full,100M-full,1000M-full master-port=\
    ether3-master-local name=ether4-slave-local rx-flow-control=auto speed=1Gbps \
    tx-flow-control=auto
set [ find default-name=ether5 ] advertise=10M-full,100M-full,1000M-full master-port=\
    ether3-master-local name=ether5-slave-local rx-flow-control=auto speed=1Gbps \
    tx-flow-control=auto
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether3-master-local
/interface bridge settings
set use-ip-firewall=yes
/ip settings
set rp-filter=strict tcp-syncookies=yes
/ip address
add address=x.x.x.x/x comment="default configuration" interface=ether3-master-local \
    network=x.x.x.x
add address=x.x.x.x/x interface=ether1-gateway network=x.x.x.x
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=\
    ether2-gateway use-peer-dns=no use-peer-ntp=no
/ip dhcp-server
add address-pool=default-dhcp lease-time=1h name=dhcp1
/ip dhcp-server network
add address=x.x.x.x/x comment="default configuration" dns-server=x.x.x.x \
    gateway=x.x.x.x
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=\
    x.x.x.x,x.x.x.x
/ip dns static
add address=x.x.x.x name=router
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=yes protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established \
    disabled=yes
add action=accept chain=input comment="default configuration" connection-state=related \
    disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes in-interface=\
    ether1-gateway
add action=accept chain=input comment=Management dst-address=192.168.88.1 in-interface=\
    bridge-local
add action=drop chain=input comment="Drop ICMP to gateway (OA)" in-interface=\
    ether1-gateway protocol=icmp
add action=drop chain=input comment="Drop ICMP to gateway (Time)" in-interface=\
    ether2-gateway protocol=icmp
add action=accept chain=input comment="Allow Established and related connections" \
    connection-state=established,related
add action=accept chain=input comment="IPTV multicast forwarding" disabled=yes protocol=\
    igmp
add action=accept chain=forward disabled=yes protocol=udp
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=jump chain=forward comment="Make jumps to new chains" jump-target=tcp protocol=\
    tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="Block \"bogon\" IP addresses" src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=yes dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=yes dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=yes dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp \
    src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h \
    chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=\
    input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list=\
    "port scanners"
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=10.0.0.0/8 new-routing-mark=OA \
    passthrough=no
add action=mark-routing chain=prerouting dst-address=172.16.0.0/12 new-routing-mark=OA \
    passthrough=no
add action=mark-routing chain=prerouting dst-address=192.168.100.0/24 new-routing-mark=OA \
    passthrough=no
add action=mark-routing chain=prerouting disabled=yes dst-address=x.x.x.x \
    new-routing-mark=VPN passthrough=no
add action=mark-routing chain=prerouting disabled=yes dst-address=x.x.x.x \
    new-routing-mark=OA passthrough=no
add action=mark-routing chain=prerouting disabled=yes dst-address=x.x.x.x \
    new-routing-mark=Time passthrough=no
add action=mark-routing chain=prerouting content=x.x.x.x disabled=yes \
    new-routing-mark=OA passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=Time passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=\
    ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether2-gateway
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip pool
add name=default-dhcp next-pool=default-dhcp ranges=x.x.x.x/x
/ip route
add distance=1 gateway=x.x.x.x routing-mark=OA
add distance=1 gateway=ether2-gateway routing-mark=Time
/ip route rule
add dst-address=x.x.x.x/x table=main
add dst-address=x.x.x.x/x table=OA
add dst-address=x.x.x.x/x table=OA
add dst-address=1x.x.x.x/x table=OA
add routing-mark=OA table=OA
add routing-mark=Time table=Time
add routing-mark=VPN table=VPN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
/ip smb shares
set [ find default=yes ] disabled=yes
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 disabled=yes interface=ether2-gateway upstream=yes
add disabled=yes interface=bridge-local
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes primary-ntp=x.x.x.x secondary-ntp=x.x.x.x
/system routerboard settings
set cpu-frequency=250MHz
/tool bandwidth-server
set enabled=no
/tool mac-server
add interface=ether2-gateway
add interface=ether3-master-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-gateway
add interface=ether3-master-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add
add interface=bridge-local

nastitek · Tue Jan 03, 2017 3:59 pm

Just upgraded to 6.38 HAP AC Lite.

Monitoring with Dude utilizes memory to 100% killing winbox 3.7 connection during this period.

Any recommendations?

Tue Jan 03, 2017 4:12 pm

RE: Important note!!!
To avoid STP/RSTP compatibility issues with older RouterOS versions upgrade RouterOS on all routers in Layer2 networks with VLAN and STP/RSTP configurations.

I sure wish I would of known about this issue prior to upgrading a dozen Mikrotiks last month. Because of spanning-tree issues, I had the biggest/longest network outage since starting my ISP business over 10 years ago.

North Idaho Tom Jones

Tue Jan 03, 2017 5:04 pm

RE: Important note!!!
To avoid STP/RSTP compatibility issues with older RouterOS versions upgrade RouterOS on all routers in Layer2 networks with VLAN and STP/RSTP configurations.

I sure wish I would of known about this issue prior to upgrading a dozen Mikrotiks last month. Because of spanning-tree issues, I had the biggest/longest network outage since starting my ISP business over 10 years ago.

North Idaho Tom Jones

Last month? Full version with this feature was released only this year.
Did you upgrade your production network to Release Candidate version?? if yes, that outage is all on you, all on you.

docmarius · Tue Jan 03, 2017 6:01 pm

Something seems wrong with PPPoE upload:
ROS 6.38:

ROS 6.36.4:

Ignore download speed since it shows some variations due to network load.
For upload 13Mbps was the best result, having some tests peaking at 2-3Mbps.
Both are done on my RB1100AHx2 with the same configuration, repeated several times on multiple dynamic IPs, with the same behavior.
Speedtest server is local to my ISP. Maximum speed is 1Gb/200Mb.
ROS 6.37.3 was working OK, too.

com2com · Tue Jan 03, 2017 6:59 pm

Software 6.38 cpu usage for fasttrack connections very high. For example ( 951g-2hnd at 750mhz) bandwidth 300 Mbps 6.37.3 cpu usage 30-40, 6.38 cpu usage 80-85.

pe1chl · Tue Jan 03, 2017 7:54 pm

Something seems wrong with PPPoE upload:

Hmm on my RB2011 with my 50/24 VDSL it appears to be all normal, I achieve the expected upload rate.
(a bit below 24 Mbps)

hknet · Tue Jan 03, 2017 9:30 pm

any details on the obviously also new RouterBoard Firmware v.3.36?

w32pamela · Tue Jan 03, 2017 10:10 pm

It is not possible in v6.38 to make a connection from a device configured as a CPE to an encrypted AP when using the Webfig Quick Set page. The link appears to broken between the Quick Set entries and the Security Profile.

moep · Tue Jan 03, 2017 10:12 pm

First of all happy new year and nice work on overall ipsec improvements.

But the password length is still capped to 31 characters, which creates incompatibility to previous versions with long xauth passwords
i wrote this here:
http://forum.mikrotik.com/viewtopic.php ... 86#p573186

please try to fix it

nje431 · Tue Jan 03, 2017 10:50 pm

Can you elaborate on the RSTP incompatibility? We've been using 6.30/6.34/6.36 for some time now between different devices without a problem, including inter-operating with another vendor (A few HP/Aruba 48 port switches). Does this change affect the inter-operability with other vendors?

Thanks.

Njumaen · Tue Jan 03, 2017 10:54 pm

I had the following strange (???) behaviour:

RB3011 (6.36.4 bugfix) is connected to CRS125 (6.38 current).

Unless I set the STP protocol mode to "none" on the RB3011 local bridge they lose connection when I upgrade the RB3011 to 6.38

Is this intended? Why? What's the point I am missing?

Happy New Year to all,

Ralf.

pe1chl · Tue Jan 03, 2017 11:03 pm

Is this intended? Why? What's the point I am missing?

You forgot to read the release notes!!

Important note!!!
To avoid STP/RSTP compatibility issues with older RouterOS versions upgrade RouterOS on all routers in Layer2 networks with VLAN and STP/RSTP configurations.

sup5 · Tue Jan 03, 2017 11:41 pm

Today I found a severe bug with 6.38:
It will not (or at least incompletely) learn MAC-Addresses on a bridge connected to the master-port of a switch.

This totally might explain these issues.

nacer · Tue Jan 03, 2017 11:43 pm

I had situation with 6.38 on my CRS
I have CRS-1009 router and CRS-125-24G switch. Both of them was ROS 6.37. I upgraded both to 6.38.
I am using Port based VLAN tagging described in http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN / example #1 on my CRS-125-24
After 6.38 and all IP traffic stopped on my switch. When I disabled Vlan taggings IP traffic started on my management LAN.

I downgraded to 6.37 and Vlan problem disappeared.

İs this the problem you mentioned "To avoid STP/RSTP compatibility issues with older RouterOS versions upgrade RouterOS on all routers in Layer2 networks with VLAN and STP/RSTP configurations."

Thank you.

Cascuda · Tue Jan 03, 2017 11:57 pm

Hello,

After upgrade in the log appear: system, info, critical - memory overclocked. All device which is contain 128 MB memory.

Devices affected in my network:
1x RB2011UiAS
2x CRS109-8G-1S-2HnD
2x CRS125-24G-1S

Devices not affected in my network:
2x RB3011UiAS

Thanks & Regards,
David

I've update the "RB2011UiAS" router from 6.37.2 to 6.38 and have same mistake when open the terminal of winbox. Any solution?
I return to a version safe 6.36.4 "Bugfix only"...

Njumaen · Wed Jan 04, 2017 12:16 am

Is this intended? Why? What's the point I am missing?
You forgot to read the release notes!!

Important note!!!
To avoid STP/RSTP compatibility issues with older RouterOS versions upgrade RouterOS on all routers in Layer2 networks with VLAN and STP/RSTP configurations.

Sure I did not forgot this!

The issues came *with* upgrading the RB3011. No upgrade - no issue... Still confused...

rgbiernat · Wed Jan 04, 2017 8:57 am

Just upgraded my shiny new HEX (RB750GR3) from v6.37.3 to latest stable v6.38. Unfortunately it did not come back. Instead it keeps beeping every 10sec.
I am not using any fancy stuff just natting between an telco edge router and my internal network. A reset did not work. Will try a Netinstall in a few minutes.

DuduZZZ · Wed Jan 04, 2017 9:21 am

Hello,

After upgrade in the log appear: system, info, critical - memory overclocked. All device which is contain 128 MB memory.

Devices affected in my network:
1x RB2011UiAS
2x CRS109-8G-1S-2HnD
2x CRS125-24G-1S

Devices not affected in my network:
2x RB3011UiAS

Thanks & Regards,
David
I've update the "RB2011UiAS" router from 6.37.2 to 6.38 and have same mistake when open the terminal of winbox. Any solution?
I return to a version safe 6.36.4 "Bugfix only"...

strods from MikroTik Support wrote:

Tue Jan 03, 2017 11:23 am
Do not worry about these overclocked messages - they are still work on progress. If you have not overclocked device manually, then there is no need to worry about that.
We are still improving this feature.

Cascuda · Wed Jan 04, 2017 9:36 am

strods from MikroTik Support wrote:

Tue Jan 03, 2017 11:23 am
Do not worry about these overclocked messages - they are still work on progress. If you have not overclocked device manually, then there is no need to worry about that.
We are still improving this feature.

Thanks DuduZZZ, I read the comment of Mikrotik Support but I prefere usage a version safe where don't show any error.

Wed Jan 04, 2017 10:00 am

Can you elaborate on the RSTP incompatibility? We've been using 6.30/6.34/6.36 for some time now between different devices without a problem, including inter-operating with another vendor (A few HP/Aruba 48 port switches). Does this change affect the inter-operability with other vendors?

Thanks.

Previously RSTP in RouterOS bridges worked more like a per-VLAN RSTP and caused troubles with standard RSTP with VLANs.
Since most enterprise level switches understand RPVST, likely, there were not any compatibility problems with older RouterOS versions.

Wed Jan 04, 2017 10:21 am

Njumaen - please generate supout files on your RB3011 and CRS125 and send them to support@mikrotik.com

nacer - please generate supout files on your CCR1009 and CRS125 send and them to support@mikrotik.com

Njumaen · Wed Jan 04, 2017 10:33 am

And there is another issue

RB3011 (my router) on 6.38 download max. 3.25 Mbps
installed 3.63.4 results in max. 110 Mbps as to be explected
tripple checked - same result.
no queues
upload max both approx 8Mbps..

So for my part I'll stick on the bugfix only on the RB3011...

Update 1: digging deeper...

Usually my Mac is connected to the CRS125 that is connected to the RB3011 by a bonding Interface.

Connecting the Mac to the RB3011 and performing the same test this is what I get

Perfect!!! Cannot expect a better download!

Update 2: deeper...

Pinging RB3011 from Mac connected to CRS125
Disabled the bonding interface
Conncection lost... as expected
Connected both by a single cable...
Connection. One ping.. Connection lost! Red October??? "only ONE ping!!!"
Ahhh... Port on CRS125 has a flapping "learning" at bridge port status
Setting STP protocol mode of bridge to "none"
Connection! Lots of pings...
Speedof.me is nearly perfect!!! I 118 MBps down.. I skip the picture...
(Remember: RB3011 on 6.36.4 - CRS125 on 6.38)

Update 3: nothing gonna stop me now...

Upgrade RB3011 to 6.38
STP protocol mode of bridge is already set to "none"
no ping problem
Speedof.me is horrible again! Max 2.8MBps down

I skip the picture.

works for me:

RB3011 on 6.36.4
CRS125 on 6.38
STP protocol mode of both bridges set to "none"

@Mikrotik - it is so awesome how easily one can switch the routeros releases! \o/

csi · Wed Jan 04, 2017 11:32 am

I had situation with 6.38 on my CRS
I have CRS-1009 router and CRS-125-24G switch. Both of them was ROS 6.37. I upgraded both to 6.38.
I am using Port based VLAN tagging described in http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN / example #1 on my CRS-125-24
After 6.38 and all IP traffic stopped on my switch. When I disabled Vlan taggings IP traffic started on my management LAN.

I downgraded to 6.37 and Vlan problem disappeared.

İs this the problem you mentioned "To avoid STP/RSTP compatibility issues with older RouterOS versions upgrade RouterOS on all routers in Layer2 networks with VLAN and STP/RSTP configurations."

Thank you.

I had the same issue, tagged VLANs between CRS and Routerboard. I have configured the CRS as described in the Wiki, but it does not work with 6.38. What I have done is to build a bridge on the RB and put the ether-interface which is connected to the CRS in that bridge. At the end there is one bridge with one interface. Or if you have more connections to CRS devices you should implement different bridges per ether interfaces. Then the connections in the VLANs works as expected. Second a build also a one bridge for one interface on the CRS and then it works as described within the wiki.

Build the bridge per tagged VLAN does not work in this case. It need to be the ether interfaces on both sites. Hopefully that helps you.

Cheers
csi

majestic · Wed Jan 04, 2017 11:38 am

Just upgraded my shiny new HEX (RB750GR3) from v6.37.3 to latest stable v6.38. Unfortunately it did not come back. Instead it keeps beeping every 10sec.
I am not using any fancy stuff just natting between an telco edge router and my internal network. A reset did not work. Will try a Netinstall in a few minutes.

Hi there,

I also have several of these routers (RB750Gr3's) and as much as I really would love to upgrade to this version, I am a little worried of potentially bricking them thus leaving me without connectivity. Could you please let me know if the netinstall managed to rescue your device or not and also has anyone else with this same version suffered the same problem or is this just one rare occasion?

Really would appreciate you or others to confirm if there is a serious problem with this upgrade on RB750Gr3.

Thanks in advance.

onnoossendrijver · Wed Jan 04, 2017 12:25 pm

Really would appreciate you or others to confirm if there is a serious problem with this upgrade on RB750Gr3.

Thanks in advance.

I experienced no problems when upgrading my RB750Gr3 from version 6.37.3 to version 6.38

vitaliyy · Wed Jan 04, 2017 12:28 pm

Updating to 6.38 fastrack is broken, maximum download and upload speed is 150 Mbits, after downgraded to 6.37.3 all ok, speed about 800-850 Mbits

majestic · Wed Jan 04, 2017 12:39 pm

Really would appreciate you or others to confirm if there is a serious problem with this upgrade on RB750Gr3.

Thanks in advance.
I experienced no problems when upgrading my RB750Gr3 from version 6.37.3 to version 6.38

Thanks very much for letting me know.

Note · Wed Jan 04, 2017 1:57 pm

i get in logs a critical system error "memory overclocked"

majestic · Wed Jan 04, 2017 2:00 pm

i get in logs a critical system error "memory overclocked"

Mikrotik has confirmed to ignore it if you haven't manually overlocked it. Its a feature they are improving on.

Wed Jan 04, 2017 2:39 pm

Updating to 6.38 fastrack is broken, maximum download and upload speed is 150 Mbits, after downgraded to 6.37.3 all ok, speed about 800-850 Mbits

What device you are testing the fasttrack?
Please report to support@mikotik.com with a support output file attached.

Boter · Wed Jan 04, 2017 2:41 pm

For now everything runs smoothly and as expected. I still dont use it for wifi p2p or p2mp links, because of wifi "problems", on other devices as I said - works great

Mazutti · Wed Jan 04, 2017 3:01 pm

Just upgraded my shiny new HEX (RB750GR3) from v6.37.3 to latest stable v6.38. Unfortunately it did not come back. Instead it keeps beeping every 10sec.
I am not using any fancy stuff just natting between an telco edge router and my internal network. A reset did not work. Will try a Netinstall in a few minutes.
Hi there,

I also have several of these routers (RB750Gr3's) and as much as I really would love to upgrade to this version, I am a little worried of potentially bricking them thus leaving me without connectivity. Could you please let me know if the netinstall managed to rescue your device or not and also has anyone else with this same version suffered the same problem or is this just one rare occasion?

Really would appreciate you or others to confirm if there is a serious problem with this upgrade on RB750Gr3.

Thanks in advance.

Had no problems upgrading my RB750Gr3 to 6.38, only difference from the described, is that I upgraded from 6.38rc52.

majestic · Wed Jan 04, 2017 3:03 pm

Just upgraded my shiny new HEX (RB750GR3) from v6.37.3 to latest stable v6.38. Unfortunately it did not come back. Instead it keeps beeping every 10sec.
I am not using any fancy stuff just natting between an telco edge router and my internal network. A reset did not work. Will try a Netinstall in a few minutes.
Hi there,

I also have several of these routers (RB750Gr3's) and as much as I really would love to upgrade to this version, I am a little worried of potentially bricking them thus leaving me without connectivity. Could you please let me know if the netinstall managed to rescue your device or not and also has anyone else with this same version suffered the same problem or is this just one rare occasion?

Really would appreciate you or others to confirm if there is a serious problem with this upgrade on RB750Gr3.

Thanks in advance.
Had no problems upgrading my RB750Gr3 to 6.38, only difference from the described, is that I upgraded from 6.38rc52.

Awesome, thank you for the confirmation and as soon as I get home, I will update mine.

Thanks again everyone who's put my mind at ease.

nje431 · Wed Jan 04, 2017 3:26 pm

Can you elaborate on the RSTP incompatibility? We've been using 6.30/6.34/6.36 for some time now between different devices without a problem, including inter-operating with another vendor (A few HP/Aruba 48 port switches). Does this change affect the inter-operability with other vendors?
Q
Thanks.
Previously RSTP in RouterOS bridges worked more like a per-VLAN RSTP and caused troubles with standard RSTP with VLANs.
Since most enterprise level switches understand RPVST, likely, there were not any compatibility problems with older RouterOS versions.

Thanks for the explanation. Currently we use straight up RSTP, but I can see a day coming when we could benefit from using MSTP. Any plans to add that option?

Wed Jan 04, 2017 3:30 pm

First of all happy new year and nice work on overall ipsec improvements.

But the password length is still capped to 31 characters, which creates incompatibility to previous versions with long xauth passwords
i wrote this here:
http://forum.mikrotik.com/viewtopic.php ... 86#p573186

please try to fix it

It is fixed, I have no problems using 33character passwords and longer. Contact support with supout file if you still cannot use longer passwords.

vitaliyy · Wed Jan 04, 2017 3:34 pm

Updating to 6.38 fastrack is broken, maximum download and upload speed is 150 Mbits, after downgraded to 6.37.3 all ok, speed about 800-850 Mbits
What device you are testing the fasttrack?
Please report to support@mikotik.com with a support output file attached.

model: RouterBOARD 962UiGS-5HacT2HnT
support output file contains pre-shared key in clear text format I will not send it
v 6.7.3

CPU load 85-90%
and after update
v 6.8

and CPU load 100%

Wed Jan 04, 2017 3:37 pm

vitaliyy, please provide the export file to support@mikrotik.com from both versions (you can replace the pre-shared keys in those files).
At least on my spare hAP AC router I got 500/700Mbps (download/upload), I hit ISP bandwidth limit.

majestic · Wed Jan 04, 2017 7:48 pm

Hi Guys,

I have just received another RB750Gr3 in the post today and I decided to update the firmware and rOS as the first things I do before configuring it. After doing the upgrade(s) I started to adjust the packages which are installed by default as there are a few which isn't so useful to me like wireless and hotspot as it doesn't have wireless in this model.

I then just found that there is a very small graphical bug with the icon that is used for disabled packages.

I am enclosing a screenshot below which shows the disabled missing graphic.

https://www.dropbox.com/s/8xhlamew8y1yi ... 0.png?dl=0

If you look at my existing router (same one but previous rOS version, you will see its much neater graphic.

https://www.dropbox.com/s/u107oxfziubmd ... 4.png?dl=0

Im sure its just an oversight that the main image seems to have a bad graphic.

HTH

ErfanDL · Wed Jan 04, 2017 8:29 pm

I upgrade my hap lite to 6.38 and upgrade firmware to 3.36 whats chanelog in new firmware version 3.36 for hap lite?

Sent from my C6833 using Tapatalk

dadoremix · Wed Jan 04, 2017 9:26 pm

Every update new problems
When was 5.x no problems with updates
6.1x was last stable, future realese fix on fix
I have also hex r3 with vlan bridge and problems
5ghz sxt ap lvl4 update to 6,38 and die
Maybe config conflict?
But he is in bridge and no other config
Bad bad and bad

Sent from my iPhone using Tapatalk Pro

storp · Wed Jan 04, 2017 11:52 pm

After updating RB2011 I got issues with flapping sfp-port. All worked fine before on 6.37.3 and now I reverted back to bugfix only and all is fine again.

LexaKnyazev · Thu Jan 05, 2017 12:13 am

ROS: v6.38
RB: CRS125-24G-1S-2HnD and 2011UiAS (both 3.33)

WebFig doesn't allow to set "Profile" property for L2TP-Client or PPTP-Client interfaces. WinBox (3.7) works as expected.

Steps to reproduce:

Open WebFig
Interfaces -> Add New -> PPTP Client
Fill in "Connect To" and "User" fields
Select "default-encryption" in "Profile"
Click "Apply"
Profile switches to "default".

Abdock · Thu Jan 05, 2017 7:20 am

Most of our 1100Ax2 are freezing and have to be power cycled.

moep · Thu Jan 05, 2017 3:22 pm

It was not fixed for my situation, when the main site was 6.38 and the clients were still 6.37.3.
It was "fixed" by upgrading every router to 6.38 which was not planned this day.
This still means that IPsec with xAuth and a password longer than 31 Chars is treated differently in ROS 6.37.3 than in 6.38 which leads to problems when "old" clients try to connect.

First of all happy new year and nice work on overall ipsec improvements.

But the password length is still capped to 31 characters, which creates incompatibility to previous versions with long xauth passwords
i wrote this here:
http://forum.mikrotik.com/viewtopic.php ... 86#p573186

please try to fix it
It is fixed, I have no problems using 33character passwords and longer. Contact support with supout file if you still cannot use longer passwords.

Thu Jan 05, 2017 3:34 pm

Thanks, we will look into this problem

R1CH · Thu Jan 05, 2017 3:54 pm

Updating to 6.38 fastrack is broken, maximum download and upload speed is 150 Mbits, after downgraded to 6.37.3 all ok, speed about 800-850 Mbits

Fasttrack is working fine for me on a RB951G-2HnD in a simple home NAT setup. Maybe something else in your config is causing it.

zinkpad · Thu Jan 05, 2017 6:13 pm

Hi all,

I updated my RB951G-2HnD to 6.38 version and I have an issue with my laptop (ThinkPad T420s), it's connects fine to my WLAN but it's disconnected after 5min. aprox.

Watching the log I can see a lot of entries like this:

Jan/05/2017 16:20:40 xx:xx:xx:xx:xx:xx@wlan1: connected
Jan/05/2017 16:20:55 xx:xx:xx:xx:xx:xx@wlan1: reassociating
Jan/05/2017 16:20:55 xx:xx:xx:xx:xx:xx@wlan1: disconnected, ok
Jan/05/2017 16:20:55 xx:xx:xx:xx:xx:xx@wlan1: connected
Jan/05/2017 16:21:05 xx:xx:xx:xx:xx:xx@wlan1: reassociating
Jan/05/2017 16:21:05 xx:xx:xx:xx:xx:xx@wlan1: disconnected, ok
Jan/05/2017 16:21:05 xx:xx:xx:xx:xx:xx@wlan1: connected
....

I rebooted the router and the issue it's not gone, finally I downgraded it to 6.37.3 and it's working fine again.

(the laptop has been in the same place all the time).

Regards.

AlexN · Thu Jan 05, 2017 10:07 pm

Changes with RSTP is a complete disaster!!! IMHO such changes are not the subject for release branch! RPVST was great approach with high level of flexibility. Now if we just update all our routers in L2 segment it won't work at all (fortunately tested on the table) and I'm talking about network that comes across few cities not a few offices!

And tell me what should I do with this situation now?

Upgrade to future versions is not possible without almost complete redo of L2 logic of whole network. With RPVST it was also possible to assign different bridges as root for vlans that have same parent interface and yes you may need it in some situations. Now this doesn't work.

Please, revert this changes back!!! Put it to some beta ROS version first, give it good tests with feedbacks and provide same functionality with minimum reconfiguration required. Otherwise it turns for us into hell, really. Especially if similar "surprises" will come in future releases in the branch that considered as production branch.

MartijnVdS · Thu Jan 05, 2017 10:53 pm

Put it to some beta ROS version first, give it good tests with feedbacks and provide same functionality with minimum reconfiguration required.

It's been in an RC version for months. It's now in the "current" release channel. If you need the old functionality, there's the "bugfix only" channel.

killersoft · Fri Jan 06, 2017 12:49 am

Installed 6.38 to a 50+ device mix of MT routers/crs devices(~50%) and AP's(~50%) from v6.37.1.

Had 3x devices die from a 6.37.1 ->6.38 upgrade ( 1xRBwAP2nD & 2xRB912UAG-2HPnD), had to net-install to fix.

*** Had ALL 5x RB2011UiAS 2x CRS125-24G-1S give a WARNING in the log about OVERCLOCKED RAM at boot.

I am in process of rolling back all 50+ MT devices to 6.37.3..

Mazutti · Fri Jan 06, 2017 4:01 am

On RB750Gr3, where I have two PPPoE links to ISP, if I disable the secondary one, I can´t reenable it (tried through winbox, winbox "new terminal" and ssh).

Log shows the initializing/connecting messages, but nothing else, and the interface won´t go up / get ip address. Log shows this entries just once every time I put the PPPoE client down/up.

Anyway, can´t reboot or put the main PPPoE client down now, but I will do ASAP and report back.

cheeze · Fri Jan 06, 2017 4:44 am

To all who have upgraded to 6.38 I just wanted to give some info on what I have found.

I have found that I needed to rediscover all of my devices for 6.38 as I lost all SNMP graphing/oids that were CPU, temperatures, and voltages. However it was quickly fixed with a full rediscovery of the device.

I just wanted to give everyone a heads up that have upgraded.

zipvault · Fri Jan 06, 2017 4:49 am

issue with my check for update

http://forum.mikrotik.com/viewtopic.php?f=13&t=116504

Miracle · Fri Jan 06, 2017 6:01 am

Changes with RSTP is a complete disaster!!! IMHO such changes are not the subject for release branch! RPVST was great approach with high level of flexibility. Now if we just update all our routers in L2 segment it won't work at all (fortunately tested on the table) and I'm talking about network that comes across few cities not a few offices!

And tell me what should I do with this situation now?

Upgrade to future versions is not possible without almost complete redo of L2 logic of whole network. With RPVST it was also possible to assign different bridges as root for vlans that have same parent interface and yes you may need it in some situations. Now this doesn't work.

Please, revert this changes back!!! Put it to some beta ROS version first, give it good tests with feedbacks and provide same functionality with minimum reconfiguration required. Otherwise it turns for us into hell, really. Especially if similar "surprises" will come in future releases in the branch that considered as production branch.

I got a nightmare after upgrade ccr1009 & crs125 to 6.38.
All vlan via switchip error.
They should be test carefully more before release this to stable version

moep · Fri Jan 06, 2017 7:59 am

I found several other bugs:

RB2011 with NTP-Package is losing the correct time while displaying "synchronized" after a while, it does not matter if I enter another routerboard or official NTP-Servers. (Standard System-SNTP not tested, as I need the NTP-Server portion)

IPsec xAuth with Mode Config (ROS as Client): sometimes after a SA-Rekey the devices are losing their IP-Adresses and are not getting them back until ich do a manual peer "kill connections" which is obviously not the way to go. Until is do this, they have no IP-Address on the Interface making the tunnel anymore and display an invalid policy while at the same time having another identical dynamic policy which is not working because of the missing IP-Address.

kiler129 · Fri Jan 06, 2017 9:14 am

What's the upgrade scenario for CAPsMAN controller and devices?

Currently CAP<->Controller communication is done on VLAN, so if I go and upgrade controller I will loose communication with CAPs. If I upgrade CAP it will no longer connect to controller.
Am I missing something?

DuduZZZ · Fri Jan 06, 2017 10:27 am

Installed 6.38 to a 50+ device mix of MT routers/crs devices(~50%) and AP's(~50%) from v6.37.1.
Had 3x devices die from a 6.37.1 ->6.38 upgrade ( 1xRBwAP2nD & 2xRB912UAG-2HPnD), had to net-install to fix.
*** Had ALL 5x RB2011UiAS 2x CRS125-24G-1S give a WARNING in the log about OVERCLOCKED RAM at boot.
I am in process of rolling back all 50+ MT devices to 6.37.3..

strods from MikroTik Support wrote:

Tue Jan 03, 2017 11:23 am
Do not worry about these overclocked messages - they are still work on progress. If you have not overclocked device manually, then there is no need to worry about that.
We are still improving this feature.

Please read the topic above.

73/dx

pe1chl · Fri Jan 06, 2017 10:38 am

RB2011 with NTP-Package is losing the correct time while displaying "synchronized" after a while, it does not matter if I enter another routerboard or official NTP-Servers. (Standard System-SNTP not tested, as I need the NTP-Server portion)

On my 2011 it works OK. Primary NTP server on the LAN, secondary on the internet.

moep · Fri Jan 06, 2017 10:40 am

are you using the separate NTP Package or integrated SNTP-Client?

RB2011 with NTP-Package is losing the correct time while displaying "synchronized" after a while, it does not matter if I enter another routerboard or official NTP-Servers. (Standard System-SNTP not tested, as I need the NTP-Server portion)
On my 2011 it works OK. Primary NTP server on the LAN, secondary on the internet.

pe1chl · Fri Jan 06, 2017 11:04 am

The NTP package of course, that is what you are talking about.
From my own local server I have also added the router as a reference and I see this:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
x127.127.8.0     .DCFa.           0 l   73   64  356    0.000   -1.904 2049498
+127.127.28.0    .GPS.            0 l    8   16  377    0.000   13.589   0.187
*127.127.28.1    .PPS.            0 l    7   16  377    0.000   -0.002   0.002
 192.168.1.1     192.168.1.3      2 u   34   64  377    0.213   -1.042   0.033

So it is synchronized.

moep · Fri Jan 06, 2017 11:19 am

thats odd that it is working in your environment
but it was already odd that the 2011 was the only device in the network with this problem.

a periodic "restart" of ntp (disable+delay+enable) solves the problem at the moment for about 5 minutes as the clock deviates again
devices that are using this ntp-server are still getting bad packets with "server-not-synchronized"

zcache · Fri Jan 06, 2017 12:05 pm

Hi all,
After upgrade to 6.38, I feel my routerbox temperature too high than before. As I often check before upgraded the temperature about 50-51 but now it is 60-62, anybody have same with me?
My box is: RB850Gx2, already downgrade cpu speed to 400MHz but not effective.

willianwrm · Fri Jan 06, 2017 12:30 pm

Today I found a severe bug with 6.38:
It will not (or at least incompletely) learn MAC-Addresses on a bridge connected to the master-port of a switch.

I did notice this bug too: because of not learning MAC-Addresses on the bridge all packets are being broadcasted! My VPN is getting all the ether-master packets.

In the bridge there is only one MAC learned from ether2, but there are a lot of MAC in ARP Table:

The good news are:

What's new in 6.39rc7 (2017-Jan-05 12:24):
*) bridge - fixed MAC address learning from switch master-port;

MartijnVdS · Fri Jan 06, 2017 2:19 pm

Hi all,
After upgrade to 6.38, I feel my routerbox temperature too high than before. As I often check before upgraded the temperature about 50-51 but now it is 60-62, anybody have same with me?
My box is: RB850Gx2, already downgrade cpu speed to 400MHz but not effective.

From the changelog:

*) rb850Gx2 - fixed pcb temperature monitor if temperature was above 60C;

pe1chl · Fri Jan 06, 2017 3:08 pm

a periodic "restart" of ntp (disable+delay+enable) solves the problem at the moment for about 5 minutes as the clock deviates again
devices that are using this ntp-server are still getting bad packets with "server-not-synchronized"

Maybe your clock crystal is too far off to keep synchronized.

moep · Fri Jan 06, 2017 3:21 pm

i did another reboot of the device
now the time stays correct and the other router syncs with this NTP server
i hope it stays that way

a periodic "restart" of ntp (disable+delay+enable) solves the problem at the moment for about 5 minutes as the clock deviates again
devices that are using this ntp-server are still getting bad packets with "server-not-synchronized"
Maybe your clock crystal is too far off to keep synchronized.

pe1chl · Fri Jan 06, 2017 4:35 pm

unfortunately the MikroTik NTP does not implement the management interface so it is difficult to see what is going on inside.
(of course, if it would be implemented, it would require subnet permission settings like in the SNMP service, or else it
would be abused for DDOS)

Fri Jan 06, 2017 4:46 pm

IPsec xAuth with Mode Config (ROS as Client): sometimes after a SA-Rekey the devices are losing their IP-Adresses and are not getting them back until ich do a manual peer "kill connections" which is obviously not the way to go. Until is do this, they have no IP-Address on the Interface making the tunnel anymore and display an invalid policy while at the same time having another identical dynamic policy which is not working because of the missing IP-Address.

Thanks problem confirmed, will try to fix in next v6.39rc version

kujo · Fri Jan 06, 2017 6:32 pm

Who then tested the limit of connections? it seems that the filter rule is not working with him! CHR 6.38

/ip firewall filter add connection-state=new chain=forward connection-nat-state=dst-nat dst-port=443 connection-limit=100,32

Sorry! Work well!! Need add not! To connection-limit

Sent from my iPhone using Tapatalk

sup5 · Fri Jan 06, 2017 8:05 pm

Important note!!!
To avoid STP/RSTP compatibility issues with older RouterOS versions upgrade RouterOS on all routers in Layer2 networks with VLAN and STP/RSTP configurations.

Is there a detailed description how (PV)(R)STP was handled prior ROS 6.38 versus it is being handled with ROS 6.38?

There should be a global setting to restore the old behaviour.
There are large networks which don't use the switch-chip-feature at all and cannot be upgraded at once.

kevini · Fri Jan 06, 2017 9:25 pm

I have the same issue with the Fasttrack on 6.38. With 6.37.3 I had my full 250mbit internet speed without any issues. With 6.38 it dropped to 30Mbit the packets are going through the FP but not at the rates expected.

I have 2 x Hex Gr2's and I use EOIP with IPsec between them. This cannot use the FP but with 6.38 this seems to make all the packets slow. When I disable the EOIP tunnel the speed comes back immediately.

I upgraded to 6.39rc and it works fine again with the EOIP tunnel. So it is either fixed or not merged from 6.38 yet.

Any suggestions? I'm going to upgrade to GR3's in the future to have everything on the FP but since my Comcast upload limits the speed for now it was not needed.

mariuslazar · Fri Jan 06, 2017 9:55 pm

Software 6.38 cpu usage for fasttrack connections very high. For example ( 951g-2hnd at 750mhz) bandwidth 300 Mbps 6.37.3 cpu usage 30-40, 6.38 cpu usage 80-85.

My 951G dropped from 305 Mb/s with ~50% CPU (6.37.3) to 210 Mb/s with 100% CPU (6.38). I had to downgrade to keep the speed up.

If I check the profiler I can see the "networking" is taking ~30%. On 6.37.3 it was about 1% on full speed.

AlexN · Sat Jan 07, 2017 12:19 am

There should be a global setting to restore the old behaviour.
There are large networks which don't use the switch-chip-feature at all and cannot be upgraded at once.

Totally agree. MikroTik team, please, implement this feature. This would be really helpful.

kubisek78 · Sat Jan 07, 2017 10:12 am

Another:

I have RB450G (router1/ovpn server) and 2011UAS (router2/client1) and RB751G (router3/client2). LAN networks of all routers are bridged over OVPN at the server side (and client1+client2 are bridged over EoIP beacause they are in same WAN).
I have found (after upgrading to 6.38 on all RBs) when any client is connected to the OVPN server, the download speed at the router1/server drops to approx 1Mbps (normally DSL 20/2).
When all ovpn clients are disconnected, the spped goes back to 20/2.
I also have found when any of the ovpn clients is connected, there is a lot of upload traffic through DSL pppoe interface. When I "cut" all clients, traffic dissapear and download speed rise to 20 Mb.

Reverting back to 6.37.3 - works perfectly.

ryan0803 · Sat Jan 07, 2017 12:48 pm

I had situation with 6.38 on my CRS
I have CRS-1009 router and CRS-125-24G switch. Both of them was ROS 6.37. I upgraded both to 6.38.
I am using Port based VLAN tagging described in http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN / example #1 on my CRS-125-24
After 6.38 and all IP traffic stopped on my switch. When I disabled Vlan taggings IP traffic started on my management LAN.

I downgraded to 6.37 and Vlan problem disappeared.

İs this the problem you mentioned "To avoid STP/RSTP compatibility issues with older RouterOS versions upgrade RouterOS on all routers in Layer2 networks with VLAN and STP/RSTP configurations."

Thank you.

i have the same problem

i downgrade to 6.37.1 all problem just vanish

pe1chl · Sat Jan 07, 2017 12:56 pm

Please can 6.37.x be made the bugfix release?
There has to be a convenient way to update routers to this version that proves to be quite stable,
and avoid the current problems with 6.38 without having to go back to 6.36.4

darkprocess · Sat Jan 07, 2017 3:40 pm

There is some performance issues on 6.38
On my RB3011
ROS 6.37.3
Download 900Mb/s
Upload 200Mb/s
CPU 14% during speedtest

ROS 6.37.3
Download 260Mb/s
Upload 200Mb/s
CPU 67% during speedtest

I'm back to 6.37.3

heviejob · Sat Jan 07, 2017 8:48 pm

I had the same issue between rb750GL and rb850Gx2. After update to 6.83 on both PPPoE connections over VLANS stopped working. I fiddled for about an hour trying to get the VLANs to work and had to roll back to restore service. I think the changelog needs to be more detailed when such far-reaching changes are done.

GuntherDW · Sun Jan 08, 2017 7:13 am

I have the same issue with the Fasttrack on 6.38. With 6.37.3 I had my full 250mbit internet speed without any issues. With 6.38 it dropped to 30Mbit the packets are going through the FP but not at the rates expected.

Any suggestions? I'm going to upgrade to GR3's in the future to have everything on the FP but since my Comcast upload limits the speed for now it was not needed.

I have a RB750Gr3, almost new, received it around xmas. Updated from 6.37.3, got the 100/20 from my VDSL2 connection over PPPoE, with FP for around ~2-10% CPU usage.
It still says it's going over FP, but takes up to 40%.

This was a minute after I closed Torch to check for bandwith usage.
I did the same test 5 minutes after that and the CPU usage went back down to its previous 2-10%.
The wiki does state that "Torch/packet sniffer/.." type stuff will break the FP stuff, but it seems a bit more delayed now?

Long story short at first I was afraid that I was suffering from the same issue, but it turned out alright.
This is on a somewhat simple NAT home setup though. Modem into the RB to the internal network. Haven't really done anything with VLAN's or VPN's yet.

qiet72 · Sun Jan 08, 2017 2:32 pm

Same problem here, except downgrading to 6.37.3 also makes the vlan problem disappear. This was tested on a hAP ac. Other MikroTik and X86 devices do not seem to have this problem though.
The STP/RSTP compatibility issue does not seem to affect me though as I have 6.37.3 on hAP ac, 6.38 on X86 PC and hAP lite (smips) all connected to the same layer 2 network.

Qiet72

I had situation with 6.38 on my CRS
I have CRS-1009 router and CRS-125-24G switch. Both of them was ROS 6.37. I upgraded both to 6.38.
I am using Port based VLAN tagging described in http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN / example #1 on my CRS-125-24
After 6.38 and all IP traffic stopped on my switch. When I disabled Vlan taggings IP traffic started on my management LAN.

I downgraded to 6.37 and Vlan problem disappeared.

İs this the problem you mentioned "To avoid STP/RSTP compatibility issues with older RouterOS versions upgrade RouterOS on all routers in Layer2 networks with VLAN and STP/RSTP configurations."

Thank you.

liamalxd · Sun Jan 08, 2017 4:39 pm

I think this started in 6.37.3, but it's still broken in 6.38. On my CCR 1009-8G-1S-1S+ the fan speed is not reported correctly in fan1-speed in /system health:

> system health print
fan-mode: auto
use-fan: main
active-fan: main
cpu-overtemp-check: yes
cpu-overtemp-threshold: 70C
cpu-overtemp-startup-delay: 1m
voltage: 24V
current: 825mA
temperature: 31C
cpu-temperature: 55C
power-consumption: 19.9W
psu1-state: ok
psu2-state: ok
fan1-speed: 0RPM

This used to report correctly and seems to start working if you set the use-fan to auxiliary and then back to main again, but breaks again upon a reboot.

pe1chl · Sun Jan 08, 2017 8:11 pm

The fan speed is reported as zero when it is below some threshold (but still running).
When it spins up due to higher outside temp it is displayed. Probably a bug, yes.

colinardo · Sun Jan 08, 2017 9:13 pm

Hi.
I discovered the following problem with the current 6.38 Release on a RB951G-2HnD with the auto certificate feature of CAPsMan:
If you request certificate with a CAP on the same device as the CAPsMAN, the device is unable to issue the private key for the certificate. The certificate for CAP is created ('I' can be seen in certificate list) but without private key ('K' is missing in certificate list), thus it cannot be used by CAP. Also if you manually create the certificate on the router itself with private key, it's not accepted, log says certificate is not valid anymore, but it actually is ... really weird!

Version 6.37.3 in contrast is working fine.

Best regards
@colinardo

manulu · Mon Jan 09, 2017 5:23 am

I have a problem once i've upgrade to
dude-install-6.38.exe
dude-6.38.npk
RB2011UiAS-2HnD
Windows 7 32

the error

no dude package

emikrotik · Mon Jan 09, 2017 8:30 am

Strange Bug:
After upgrading my CCR1009-8G-1S-1S+ from 6.37.3 to 6.38 the exported config mixed up the interface IDs:

/interface ethernet
set [ find default-name=ether5 ] l2mtu=1520 name=ether1-kbd
set [ find default-name=ether6 ] l2mtu=1520 name=ether2
set [ find default-name=ether7 ] l2mtu=1520 name=ether3
set [ find default-name=ether8 ] l2mtu=1520 name=ether4-inl
set [ find default-name=ether1 ] name=ether5-wan-lacp1-1
set [ find default-name=ether2 ] name=ether6-wan-lacp1-2
set [ find default-name=ether3 ] name=ether7-wan
set [ find default-name=ether4 ] name=ether8-wan

This was definitely NOT the actively running config since i did not rename the interfaces that crappy

Just to make sure that the export was wrong tried to load this config into the zeroed device but it failed.

after a manual correction to:

/interface ethernet
set [ find default-name=ether1 ] l2mtu=1520 name=ether1-kbd
set [ find default-name=ether2 ] l2mtu=1520
set [ find default-name=ether3 ] l2mtu=1520
set [ find default-name=ether4 ] l2mtu=1520 name=ether4-inl
set [ find default-name=ether5 ] name=ether5-wan-lacp1-1
set [ find default-name=ether6 ] name=ether6-wan-lacp1-2
set [ find default-name=ether7 ] name=ether7-wan
set [ find default-name=ether8 ] name=ether8-wan

everything worked fine.

Is there any explanation for this effect?

Cheers,

Christoph

Have also experienced this issue 3 times on 2 routers.

LIV2 · Mon Jan 09, 2017 9:23 am

On both my CRS125 and my mAP 2n installing 6.38 results in a unit that won't boot, for both I had to revert to an earlier version using netboot. is this a known issue?

Mon Jan 09, 2017 9:33 am

Hi.
I discovered the following problem with the current 6.38 Release on a RB951G-2HnD with the auto certificate feature of CAPsMan:
If you request certificate with a CAP on the same device as the CAPsMAN, the device is unable to issue the private key for the certificate. The certificate for CAP is created ('I' can be seen in certificate list) but without private key ('K' is missing in certificate list), thus it cannot be used by CAP. Also if you manually create the certificate on the router itself with private key, it's not accepted, log says certificate is not valid anymore, but it actually is ... really weird!

Version 6.37.3 in contrast is working fine.

Best regards
@colinardo

Thank you for the report, we will try to fix this problem in the v6.39.

Mon Jan 09, 2017 9:38 am

There is some performance issues on 6.38
On my RB3011
ROS 6.37.3
Download 900Mb/s
Upload 200Mb/s
CPU 14% during speedtest

ROS 6.37.3
Download 260Mb/s
Upload 200Mb/s
CPU 67% during speedtest

I'm back to 6.37.3

Please report to support@mikrotik.com with a support output file so we could check the configuration and try to reproduce your problem.

Mon Jan 09, 2017 9:40 am

Software 6.38 cpu usage for fasttrack connections very high. For example ( 951g-2hnd at 750mhz) bandwidth 300 Mbps 6.37.3 cpu usage 30-40, 6.38 cpu usage 80-85.
My 951G dropped from 305 Mb/s with ~50% CPU (6.37.3) to 210 Mb/s with 100% CPU (6.38). I had to downgrade to keep the speed up.

If I check the profiler I can see the "networking" is taking ~30%. On 6.37.3 it was about 1% on full speed.

Please report to support@mikrotik.com with a support output file so we could check the configuration and try to reproduce your problem.

kevini · Tue Jan 10, 2017 12:30 am

I submitted my info, I had the standard network diagram etc request which I don't have time to provide. Hopefully with all the people reporting the performance issues they resolve it soon.

zcache · Tue Jan 10, 2017 2:30 am

Hi all,
After upgrade to 6.38, I feel my routerbox temperature too high than before. As I often check before upgraded the temperature about 50-51 but now it is 60-62, anybody have same with me?
My box is: RB850Gx2, already downgrade cpu speed to 400MHz but not effective.
From the changelog:

*) rb850Gx2 - fixed pcb temperature monitor if temperature was above 60C;

Yes, but I wonder why the temperature rise up too high, 10 degree from previous version. Although the box working same function.

[admin@MikroTik] > system health print 
          voltage: 12V
      temperature: 49C
  cpu-temperature: 60C
[admin@MikroTik] >

kiler129 · Tue Jan 10, 2017 3:13 am

Yes, but I wonder why the temperature rise up too high, 10 degree from previous version. Although the box working same function.

From the change log I would assume your board temperature was like 60*C, but ROS was showing lower one (which was fixed in 6.38).

zcache · Tue Jan 10, 2017 5:14 am

Yes, but I wonder why the temperature rise up too high, 10 degree from previous version. Although the box working same function.
From the change log I would assume your board temperature was like 60*C, but ROS was showing lower one (which was fixed in 6.38).

Ohh!! I got it, that it mean the box has kidding me so long time... haha

moep · Tue Jan 10, 2017 8:01 am

I might have found some other IPsec related bugs:
1. sometimes the new "PH states" are not correct, traffic is flowing but there is "no PH2" or "ready to send" which often only reverts after phase1 rekey or new phase2
2. if the initiator is reconnecting too fast e.g. after PPPoE 24 hour reconnect and the old SAs are not flushed on responder, the initiator thinks he is connected and has SAs but the responder has an invalid policy and no traffic can flow.
EDIT
If a peer reconnects after PPoE 24h disconnect within DPD timeout and with a another IP address than before, there will be the situation described in 2.,
I tested this by setting delay before attempting to reconnect to a value greater than the DPD timeout which "solved" the problem. Bit this is clearly not the expected behaviour.
UPDATE
even my workaround did not solve the problem
UPDATE2:
now again a second reboot after the upgrade seems to solve this problem for now (testet with a script doing disable+enable)

as usual, please fix

thank you in advance

Psiho · Tue Jan 10, 2017 10:43 am

Hello! DHCP server in 6.38 and higher version include bug with synthetic NIC (Hyper-V) on my RB-951G. When virtual NIC trying to get offer from dhcp following message in log is appear:

- dhcp,warning,info,debug dhcp1 offering lease Virtual_NIC_IP for Virtual_NIC_MAC without success

As result i lost connect to Hyper-V HOST also. 6.39RC9 - same problem. Return to 6.37 and all become OK again.

majestic · Tue Jan 10, 2017 12:03 pm

Please can 6.37.x be made the bugfix release?
There has to be a convenient way to update routers to this version that proves to be quite stable,
and avoid the current problems with 6.38 without having to go back to 6.36.4

Agree. It would be nice if after every new release that a new repo say called old current/stable or something was created and used to store the previous version as it's very frustrating to have to use net install to switch back to the exact version we were running before.

Also net install has to be done onsite which is not very convenient. If it was more easier to return back to our old version rather then bugfix branch, I'm sure more people would be helping to try and debug issues.

notToNew · Tue Jan 10, 2017 12:22 pm

Please can 6.37.x be made the bugfix release?
There has to be a convenient way to update routers to this version that proves to be quite stable,
and avoid the current problems with 6.38 without having to go back to 6.36.4

No, please NOT!!! 6.36.4 is the only version which works with some older WIFI-Devices, like INTEL 2200.
This version should be supported until the new wireless-package is fixed.

pe1chl · Tue Jan 10, 2017 1:13 pm

Please can 6.37.x be made the bugfix release?
There has to be a convenient way to update routers to this version that proves to be quite stable,
and avoid the current problems with 6.38 without having to go back to 6.36.4
Agree. It would be nice if after every new release that a new repo say called old current/stable or something was created and used to store the previous version

I have suggested that in the 6.39rc thread already but I suspect it cannot be done in an existing release (e.g. by serving a different file from the update server)
so for the current release the marking of 6.37 as bugfix release is probably the only way.
Some people apparently require 6.36.4 but they can just stay at their existing install or use netinstall on new devices.
The currently most occuring situation is "updated to 6.38 then want to go back until new issues are fixed" and for that making 6.37.3 the bugfix release, if only
temporarily, would be easiest.

Tue Jan 10, 2017 1:23 pm

Hello! DHCP server in 6.38 and higher version include bug with synthetic NIC (Hyper-V) on my RB-951G. When virtual NIC trying to get offer from dhcp following message in log is appear:

- dhcp,warning,info,debug dhcp1 offering lease Virtual_NIC_IP for Virtual_NIC_MAC without success

As result i lost connect to Hyper-V HOST also. 6.39RC9 - same problem. Return to 6.37 and all become OK again.

We need more detailed report - provide us export file or support output file so we could try to reproduce this problem.

Psiho · Tue Jan 10, 2017 2:07 pm

Hello! DHCP server in 6.38 and higher version include bug with synthetic NIC (Hyper-V) on my RB-951G. When virtual NIC trying to get offer from dhcp following message in log is appear:

- dhcp,warning,info,debug dhcp1 offering lease Virtual_NIC_IP for Virtual_NIC_MAC without success

As result i lost connect to Hyper-V HOST also. 6.39RC9 - same problem. Return to 6.37 and all become OK again.
We need more detailed report - provide us export file or support output file so we could try to reproduce this problem.

To reproduce this problem you just need to try obtain IP by guest OS's NIC (Hyper-V) from DHCP server in 6.38 and higher version ROS. As for me - i must again do upgrade-downgrade cycle on Router in production. This may take a while - 1 day at least. What will take a less time?

DuduZZZ · Tue Jan 10, 2017 2:28 pm

Hello! DHCP server in 6.38 and higher version include bug with synthetic NIC (Hyper-V) on my RB-951G. When virtual NIC trying to get offer from dhcp following message in log is appear:

- dhcp,warning,info,debug dhcp1 offering lease Virtual_NIC_IP for Virtual_NIC_MAC without success

As result i lost connect to Hyper-V HOST also. 6.39RC9 - same problem. Return to 6.37 and all become OK again.
We need more detailed report - provide us export file or support output file so we could try to reproduce this problem.
To reproduce this problem you just need to try obtain IP by guest OS's NIC (Hyper-V) from DHCP server in 6.38 and higher version ROS. As for me - i must again do upgrade-downgrade cycle on Router in production. This may take a while - 1 day at least. What will take a less time?

I think you don't understand. Uldis request a supout.rif file. More information: http://www.mikrotik.com/support

Psiho · Tue Jan 10, 2017 2:40 pm

Ok, will try to do this tonight

janisk · Tue Jan 10, 2017 3:26 pm

your hyper-v client is a dhcp-client receiving the address from the DHCP server? Or vice versa - server that gives out addresses to mipsbe (or various) devices?

Psiho · Tue Jan 10, 2017 4:06 pm

your hyper-v client is a dhcp-client receiving the address from the DHCP server?

Yes. Mikrotik - DHCP server. Guest OS on HOST and HOST himself - clients

In addition - when described error is occurred, the affected clients remaining in "offering" state in DHCP server - Leases table with cycled 30s timeout. Seems like synthethic NIC dont answer on offer from DHCP, while real ones work as usual. In ROS 6.37 all work fine with both NIC.

gilester · Tue Jan 10, 2017 4:34 pm

your hyper-v client is a dhcp-client receiving the address from the DHCP server?
Yes. Mikrotik - DHCP server. Guest OS on HOST and HOST himself - clients

In addition - when described error is occurred, the affected clients remaining in "offering" state in DHCP server - Leases table with cycled 30s timeout. Seems like synthethic NIC dont answer on offer from DHCP, while real ones work as usual. In ROS 6.37 all work fine with both NIC.

We have observed exactly this with a UniFi UAP-LR and a Soekris Engineering Net4801 board. We have reverted to 6.37.3 to restore correct DHCP behaviour.

Thanks
Giles.

darkmanlv · Wed Jan 11, 2017 2:42 am

fastpath problem on 6.38 with hap ac, download speed dropped to 200 mbps from 500-800 mbps, cpu load is 100%

on 6.37.3 all ok

darkmanlv · Wed Jan 11, 2017 2:48 am

No, please NOT!!! 6.36.4 is the only version which works with some older WIFI-Devices, like INTEL 2200.
This version should be supported until the new wireless-package is fixed.

i have the same problem with hap lite, old toshiba notebook with intel 2200bg doesn`t work if upgrade to 6.37.xx or 6.38, works perfectly on 6.36.4

IanEKB · Wed Jan 11, 2017 9:01 am

Good day!
Error with updating status (reachable) in static routes. System displays "unreachable" for static route, but it is reachable.
Traffic did not go through a second ISP because of this. Changing Distance values did not help.

Fix: change checking gateway type to ARP from PING (WinBox displays reachable now). I turn option back to ping, but status reachable was saved.
Reload whether the status if ISP gateway is not available and will be available again? I not tested it.

Info: SFP-interface (SFP module: WDM SFP-G-03SC-B).

I do not know whether there was a problem in early versions.

P.S.: I am sorry for bad english.

notToNew · Wed Jan 11, 2017 9:31 am

No, please NOT!!! 6.36.4 is the only version which works with some older WIFI-Devices, like INTEL 2200.
This version should be supported until the new wireless-package is fixed.
i have the same problem with hap lite, old toshiba notebook with intel 2200bg doesn`t work if upgrade to 6.37.xx or 6.38, works perfectly on 6.36.4

I have >60 IP-Cams, which only work on 6.36.4. I hope no one asks me to replace them all just because of this

majestic · Wed Jan 11, 2017 9:54 am

Please can 6.37.x be made the bugfix release?
There has to be a convenient way to update routers to this version that proves to be quite stable,
and avoid the current problems with 6.38 without having to go back to 6.36.4

No, please NOT!!! 6.36.4 is the only version which works with some older WIFI-Devices, like INTEL 2200.
This version should be supported until the new wireless-package is fixed.

Adding an extra repo wouldn't effect anything, wouldn't touch the existing versions available, it only would give users an alternative to install, I.e old stable.

notToNew · Wed Jan 11, 2017 10:05 am

Adding an extra repo wouldn't effect anything, wouldn't touch the existing versions available, it only would give users an alternative to install, I.e old stable.

I agree! But the quoted question was not to add an extra version, it was about to replace the current bugfix-version. I support adding a new one!!

majestic · Wed Jan 11, 2017 10:07 am

Adding an extra repo wouldn't effect anything, wouldn't touch the existing versions available, it only would give users an alternative to install, I.e old stable.
I agree! But the quoted question was not to add an extra version, it was about to replace the current bugfix-version. I support adding a new one!!

My bad, wasn't intended. Should proof read what I type more

sorry about that.

MoDest · Wed Jan 11, 2017 10:26 am

It's good idea to add "creation time" column to firewall address list. I hope you do it and for firewall filters and NAT. With this will be easier to find outdated rules in big firewalls with many rules.

Wed Jan 11, 2017 10:32 am

You could use the note feature for that. Enter reason why each rule is made.

pe1chl · Wed Jan 11, 2017 10:42 am

You could use the note feature for that. Enter reason why each rule is made.

In some cases it could be nice to have a "countdown timer" with a rule like with address list members,
to temporarily open some thing without risk to forget to remove it later, but I do not consider it important
enough to make it into a feature request. The comment feature already is a very nice advantage of
RouterOS over competing products and even operating systems.

JuanRamiro · Wed Jan 11, 2017 10:51 am

After upgrading to 6.38, my pppoe connection to WAN speed test makes cpu go to 100%. FastTrack counters seem OK --> FastTrack seems to be configured properly.
Because of the cpu, the router no longer gets 300 mbps at 45% of CPU. Now I get up to 200 mbps at 100%.

notToNew · Wed Jan 11, 2017 10:57 am

You could use the note feature for that. Enter reason why each rule is made.
In some cases it could be nice to have a "countdown timer" with a rule like with address list members,
to temporarily open some thing without risk to forget to remove it later, but I do not consider it important
enough to make it into a feature request. The comment feature already is a very nice advantage of
RouterOS over competing products and even operating systems.

my whish is to get an "time"-object which I can add to any firewall-rules. The tiime-object should have an beginning and an end-datetime.
If added, the rule is only enabled within this time! This has several advantages: 1. Having the "countdown timer" you mentioned 2. Allowing me to enable several
"mainenance"-rules(with several vlans i have over 50 of them) by just extending the end-datetime of this "timeobject" named "Maintenance-AllowExternalAccess "....

pe1chl · Wed Jan 11, 2017 11:24 am

my whish is to get an "time"-object which I can add to any firewall-rules. The tiime-object should have an beginning and an end-datetime.

Well that is already available, but it appears that it allows only cyclic definitions and no date fields. That can probably be fixed rather easily.

notToNew · Wed Jan 11, 2017 11:36 am

Well that is already available, but it appears that it allows only cyclic definitions and no date fields. That can probably be fixed rather easily.

Somehow... it should be available as an own "object", just like the adress-list. If so, I can add several named "time-objects" and add them to te corresponding rules.

pe1chl · Wed Jan 11, 2017 11:43 am

That functionality is not available in netfilter I think, so it would have to be implemented entirely in the management layer.
(you maintain some time object but in reality it is modified in all rules that refer to it)
That is probably more work to implement. The "time" match has this functionality:

   time
       This matches if the packet arrival time/date is within a  given  range.
       All  options  are optional, but are ANDed when specified. All times are
       interpreted as UTC by default.

       --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

       --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
              Only match during the given time, which must be in ISO 8601  "T"
              notation.   The  possible  time  range is 1970-01-01T00:00:00 to
              2038-01-19T04:17:07.

              If --datestart or --datestop are not specified, it will  default
              to 1970-01-01 and 2038-01-19, respectively.

       --timestart hh:mm[:ss]

       --timestop hh:mm[:ss]
              Only  match during the given daytime. The possible time range is
              00:00:00 to 23:59:59. Leading zeroes are allowed (e.g.  "06:03")
              and correctly interpreted as base-10.

       [!] --monthdays day[,day...]
              Only match on the given days of the month. Possible values are 1
              to 31. Note that specifying 31  will  of  course  not  match  on
              months  which  do  not have a 31st day; the same goes for 28- or
              29-day February.

       [!] --weekdays day[,day...]
              Only match on the given weekdays. Possible values are Mon,  Tue,
              Wed,  Thu,  Fri,  Sat, Sun, or values from 1 to 7, respectively.
              You may also use two-character variants (Mo, Tu, etc.).

       --contiguous
              When --timestop is smaller than --timestart value, match this as
              a single time period instead distinct intervals.  See EXAMPLES.

       --kerneltz
              Use  the  kernel  timezone instead of UTC to determine whether a
              packet meets the time regulations.

As you can see, datestart and datestop fields could easily be added to give oneshot temporary rules
in addition to the daily/weekly rules that already are available.

notToNew · Wed Jan 11, 2017 3:04 pm

That functionality is not available in netfilter I think, so it would have to be implemented entirely in the management layer.

I know this from shorewall, It is really a nice feature and a nice addition to Mikrotik and I'd appreciate also this smaller solution.
My suggestion from above is just the more "global" version of this.

cristanboj · Wed Jan 11, 2017 3:45 pm

hi guys,

does anyone of you encountered problems in PCC after upgrading their Mikrotik OS?

PCC currently is not working anymore after upgrading . please help.

easyspot · Wed Jan 11, 2017 4:09 pm

GrooveA-52HPn:
Wifi working but scan, freq usage, align, snooper not working. Downgrade to 6.32.4 all working.
Solved: need to press start lol

Wed Jan 11, 2017 6:32 pm

hi guys,

does anyone of you encountered problems in PCC after upgrading their Mikrotik OS?

PCC currently is not working anymore after upgrading . please help.

Just a guess - did you enable fasttrack?

driven · Thu Jan 12, 2017 12:27 am

After upgrading to 6.38, my pppoe connection to WAN speed test makes cpu go to 100%. FastTrack counters seem OK --> FastTrack seems to be configured properly.
Because of the cpu, the router no longer gets 300 mbps at 45% of CPU. Now I get up to 200 mbps at 100%.

Confirm - at 6.38 (and possibly earlier, updated from 6.37) fasttrack is broken, dynamic rules are in "passtrough", as well as on devices that do not support this feature. Downgrade to 6.37 recovers it.

moep · Thu Jan 12, 2017 7:44 am

I might have found some other IPsec related bugs:
1. sometimes the new "PH states" are not correct, traffic is flowing but there is "no PH2" or "ready to send" which often only reverts after phase1 rekey or new phase2
2. if the initiator is reconnecting too fast e.g. after PPPoE 24 hour reconnect and the old SAs are not flushed on responder, the initiator thinks he is connected and has SAs but the responder has an invalid policy and no traffic can flow.
EDIT
If a peer reconnects after PPoE 24h disconnect within DPD timeout and with a another IP address than before, there will be the situation described in 2.,
I tested this by setting delay before attempting to reconnect to a value greater than the DPD timeout which "solved" the problem. Bit this is clearly not the expected behaviour.
UPDATE
even my workaround did not solve the problem
UPDATE2:
now again a second reboot after the upgrade seems to solve this problem for now (testet with a script doing disable+enable)
UPDATE3
second reboot does not solve this for long. after two days the problem is back. responder shows invalid dynamic policy while initiator thinks that he is connected.

as usual, please fix
thank you in advance

UPDATE4
it seems that a double reconnect with a delay makes it possible to "solve" it.
on first (re)connect the bad invalid policy is created on responder and not automatically flushed in time. on second (re)connect the bad policy is removed and a new valid one is created allowing traffic to flow.

sbeauchamp · Thu Jan 12, 2017 3:32 pm

does this fix the out of order packets on the CCR models when using the encryption hardware acceleration?

pe1chl · Thu Jan 12, 2017 4:14 pm

does this fix the out of order packets on the CCR models when using the encryption hardware acceleration?

No.

zennik · Fri Jan 13, 2017 1:17 am

I've noticed with all of my HAP and 2011 Routers I tested on the bench, 6.38 gets really pissy with IPsec after it's running for a few hours. With each one, after about 2-3 hours it just stops passing IPSec traffic, and I can't go into IP/IPSec in Winbox or CLI, and I can't do a config export unless I disable the security package and reboot.
Winbox just gives me no info on those tabs, and in CLI as soon as I go to do a 'print' under any category in IPsec, it just hangs.

pe1chl · Fri Jan 13, 2017 10:30 am

[quote="zennik"][/quote]
Not here. Post your config and/or send a supout.rif file to support.

berny · Fri Jan 13, 2017 11:32 pm

Not sure if bug...

I upgraded to 6.38, I already reset the config to default

When I download or run speed test, the speed (tx/rx) appears also on wlan1 interface, but my pc is connected only via ethernet5

JohnTRIVOLTA · Fri Jan 13, 2017 11:55 pm

I upgraded hEX/v3 - mmips/ to 6.38, firmware to 3.35 . This release broke my speed to 250Mbit/s max for tcp or udp per direction/rx or tx/, both speed 130-150 per direction, whats happenеd ?Only now the load of cpu have equal threads load 20-30%, previously only one thread work on 100% load but speed up 1300Mbit/s!

Mon Jan 16, 2017 5:33 pm

v6.38.1 is released
http://forum.mikrotik.com/viewtopic.php?f=21&t=116951