Page 1 of 1

v6.43.4 [stable] is released!

Posted: Thu Oct 18, 2018 10:40 am
by emils
RouterOS version 6.43.4 has been released in public "stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.43.4 (2018-Oct-17 06:37):

Changes in this release:

*) bridge - do not learn untagged frames when filtering only tagged packets;
*) bridge - fixed possible memory leak when VLAN filtering is used;
*) bridge - improved packet handling when hardware offloading is being disabled;
*) bridge - properly forward unicast DHCP messages when using DHCP Snooping with hardware offloading;
*) crs328 - improved link status update on disabled SFP+ interface when using DAC;
*) crs3xx - fixed possible memory leak when disabling bridge interface;
*) crs3xx - properly read "eeprom" data after different module inserted in disabled interface;
*) dhcpv4-server - use client MAC address for dual stack queue when "client-id" is not received;
*) dhcpv6-server - fixed dynamic binding addition on solicit when IA_PD does not contain prefix (introduced in v6.43);
*) dhcpv6-server - recreate DHCPv6 server binding if it is no longer within prefix pool when rebinding/renewing;
*) ipsec - allow multiple peers to the same address with different local-address (introduced in v6.43);
*) led - added "dark-mode" functionality for LHG and LDF series devices;
*) led - added "dark-mode" functionality for wsAP ac lite, RB951Ui-2nD, hAP and hAP ac lite devices;
*) led - fixed default LED configuration for SXT LTE kit devices;
*) led - fixed power LED turning on after reboot when "dark-mode" is used;
*) ntp - fixed possible NTP server stuck in "started" state;
*) romon - improved packet processing when MTU in path is lower than 1500;
*) routerboard - show "boot-os" option only on devices that have such feature;
*) traffic-flow - fixed post NAT port reporting;
*) w60g - added "frequency-list" setting;
*) w60g - added interface stats;
*) w60g - fixed interface LED status update on connection;
*) w60g - general stability and performance improvements;
*) w60g - improved stability for short distance links;
*) w60g - renamed "mcs" to "tx-mcs" and "phy-rate" to "tx-phy-rate";

What's new in 6.43.3 (2018-Oct-05 13:12):

(factory only release)

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this concrete RouterOS release.

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 18, 2018 12:52 pm
by Cha0s
*) ipsec - allow multiple peers to the same address with different local-address (introduced in v6.43);
Thanks for including this fix.
It works ok now :)

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 18, 2018 1:14 pm
by nichky
*) ipsec - allow multiple peers to the same address with different local-address (introduced in v6.43);
Thanks for including this fix.
It works ok now :)
i pointed on same things

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 18, 2018 2:09 pm
by mediana
x86 upgrade will take a little bit longer and show following script error in log file, while Mikrotik devices not:
DefConf Gen: Unable to find ethernet interfaces (timeout 30sec)

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 18, 2018 4:22 pm
by mikruser
This IPsec bug still not fixed viewtopic.php?f=2&t=136445

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 18, 2018 4:25 pm
by andriys
This IPsec bug still not fixed viewtopic.php?f=2&t=136445

What is the purpose of writing this in all version-specific topics? This is clearly not a regression since the previous version, so please stop.

Have you written to support, by the way? In case you have, did they acknowledge this as a bug (likely specific to your configuration) and not a configuration problem?

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 18, 2018 4:42 pm
by mikruser
This is not a configuration issue (this configuration worked fine for 7 years)
problem occurs after upgrade to 6.42.x or 6.43.x

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 18, 2018 4:48 pm
by pcunite
*) led - added "dark-mode" functionality

Sunglasses not needed anymore?

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 18, 2018 5:06 pm
by eddieb
Upgraded thru DUDE without any issues

CCR1009-8G-1S (running multiple l2tp/ipsec tunnels)
RB1100
RB750GL
CRS125-24G-1S
RB962UiGS-5HacT2HnT (10x)
CHR running DUDE

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 18, 2018 11:09 pm
by eduardofora
upgrade 6.43.2 to 6.43.4 delete DHCP-Client configurated

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 18, 2018 11:14 pm
by matuss
updated Hex S from 6.43.2 and cAP ac from 6.43 including firmware and everything seems to be working.

Re: v6.43.4 [stable] is released!

Posted: Fri Oct 19, 2018 12:59 am
by Davis
When updating from 6.43.2 to 6.43.4 one of my hAP ac2 logged this message (similar to message in this post after update to 6.43.4):
oct/19 00:10:46 script,warning DefConf gen: Unable to find wireless interface(s)

However all the configuration seems to be intact and this message is NOT logged on subsequent reboots.

Re: v6.43.4 [stable] is released!

Posted: Fri Oct 19, 2018 1:54 am
by vecernik87
When updating from 6.43.2 to 6.43.4 one of my hAP ac2 logged this message (similar to message in this post after update to 6.43.4):
oct/19 00:10:46 script,warning DefConf gen: Unable to find wireless interface(s)

However all the configuration seems to be intact and this message is NOT logged on subsequent reboots.
I noticed same when updating RBD52G (hAP ac^2) from 6.42.3 to 6.42.5. Issue was reported to support in Ticket#2018062922002154. According to them, "The issue is caused by Graphing and Virtual Wireless interfaces which causes an interface loading delay when the router is booting up."
In my case, it was also originally fine - no consequences. But after few restart my hAP lost wlan interfaces - it was not disabled, it simply did not appear at all. I found that if I delete graphing interface rules, wlan interfaces instantly appear.

Re: v6.43.4 [stable] is released!

Posted: Fri Oct 19, 2018 3:47 am
by notToNew
My RB912R-2nD-kit refuses to upgrade. After downloading and rebooting, 6.43.2 ist still my OS.
Nothing in the logs.
I'm currently not at the same location to do a netinstall...

Re: v6.43.4 [stable] is released!

Posted: Fri Oct 19, 2018 4:01 am
by mducharme
*) dhcpv6-server - fixed dynamic binding addition on solicit when IA_PD does not contain prefix (introduced in v6.43);
*) dhcpv6-server - recreate DHCPv6 server binding if it is no longer within prefix pool when rebinding/renewing;
Are you sure this is fixed? I just upgraded and am still having the same problem, at least with L2TP server. The binding is not being created.

Re: v6.43.4 [stable] is released!

Posted: Fri Oct 19, 2018 11:01 am
by ofer
I updated my 3xHAP AC units everything seems fine but a couple of iPhone XS units that still have issues
There seems to be a DNS query rate limit so after a while the phones are not sending queries anymore(Apple fault?)
I'm open to ideas about this issue

Thanks!

Re: v6.43.4 [stable] is released!

Posted: Fri Oct 19, 2018 11:50 am
by nightcom
RB3011, RB750Gr3 and CRS326-24G-2S upgraded without problems

Re: v6.43.4 [stable] is released!

Posted: Fri Oct 19, 2018 12:21 pm
by anuser
In 6.44beta17(?) there was a bugfix mentioned for 802.11ac. Any reason that this one didn't make it into 6.43.4 release?

Re: v6.43.4 [stable] is released!

Posted: Sat Oct 20, 2018 4:40 pm
by HarryK
Same issue with my RB3011, refuse to upgrade.
My RB912R-2nD-kit refuses to upgrade. After downloading and rebooting, 6.43.2 ist still my OS.
Nothing in the logs.
I'm currently not at the same location to do a netinstall...

Re: v6.43.4 [stable] is released!

Posted: Sat Oct 20, 2018 6:38 pm
by complex1
RB2011 upgraded without problems, no issues so far.

Re: v6.43.4 [stable] is released!

Posted: Sat Oct 20, 2018 8:20 pm
by IS0FFD
*) led - added "dark-mode" functionality

Sunglasses not needed anymore?
in my LDF I can not find the function....

Re: v6.43.4 [stable] is released!

Posted: Sun Oct 21, 2018 12:56 pm
by grusu
*) led - added "dark-mode" functionality

Sunglasses not needed anymore?
in my LDF I can not find the function....
Is not dark-mode function - is a functionality.
On some devices, you can close the LEDs using the command:
all-leds-off
Read here:
https://wiki.mikrotik.com/wiki/Manual:S ... ds_Setting

And here:
viewtopic.php?t=132379#p650277

Re: v6.43.4 [stable] is released!

Posted: Sun Oct 21, 2018 1:00 pm
by IS0FFD
*) led - added "dark-mode" functionality

Sunglasses not needed anymore?
in my LDF I can not find the function....
Is not dark-mode function - is a functionality.
On some devices, you can close the LEDs using the command:
all-leds-off
Read here:
https://wiki.mikrotik.com/wiki/Manual:S ... ds_Setting

And here:
viewtopic.php?t=132379#p650277
tnx!

Re: v6.43.4 [stable] is released!

Posted: Sun Oct 21, 2018 8:33 pm
by tetecko
After upgrade, my Metal G-52SHPacn starts rebooting
Screenshot 2018-10-21 at 19.28.14.png

Re: v6.43.4 [stable] is released!

Posted: Mon Oct 22, 2018 6:19 am
by DummyPLUG
CCR1009, memory usage higher then normal and keep increasing slowly when compare to 6.42.7, I am talking about 100MB+ different, as I had schedule reboot so dunno if it just higher memory usage or leak.

Re: v6.43.4 [stable] is released!

Posted: Mon Oct 22, 2018 7:21 am
by strods
mducharme - Can you provide more details about the problem that you have? Preferably over e-mail to support@mikrotik.com? Provide supout file from your DHCPv6 server and more details about the problem - which client was trying to connect and did not receive a prefix, was the exact same configuration working just fine on v6.42.x?

Re: v6.43.4 [stable] is released!

Posted: Mon Oct 22, 2018 9:28 am
by mrz
x86 upgrade will take a little bit longer and show following script error in log file, while Mikrotik devices not:
DefConf Gen: Unable to find ethernet interfaces
Error may appear if default script generator is unable to find Ethernet interfaces within 30seconds after boot. On x86 you shouldn't worry about failure at all, since generated default configuration is the same as fallback config (192.168.88.1 on ether1)

Re: v6.43.4 [stable] is released!

Posted: Mon Oct 22, 2018 10:43 am
by nichky
At the moment i don't have router who supported *) led - added "dark-mode. Just im wondering how does it look like

*) led - added "dark-mode" functionality for wsAP ac lite, RB951Ui-2nD, hAP and hAP ac lite devices;

Re: v6.43.4 [stable] is released!

Posted: Mon Oct 22, 2018 4:02 pm
by schadom
CCR1009, memory usage higher then normal and keep increasing slowly when compare to 6.42.7, I am talking about 100MB+ different, as I had schedule reboot so dunno if it just higher memory usage or leak.

Upgraded our CCR1009s to 6.43.4 yesterday and no issues so far. In our case memory consumption even seems to be much better than before.
Running multiple BGP IXP peering sessions, route filters, vlans, bridges, ip firewall as well as receiving two BGP full feeds for IPv4 and v6.

Re: v6.43.4 [stable] is released!

Posted: Tue Oct 23, 2018 7:05 am
by DummyPLUG
CCR1009, memory usage higher then normal and keep increasing slowly when compare to 6.42.7, I am talking about 100MB+ different, as I had schedule reboot so dunno if it just higher memory usage or leak.

Upgraded our CCR1009s to 6.43.4 yesterday and no issues so far. In our case memory consumption even seems to be much better than before.
Running multiple BGP IXP peering sessions, route filters, vlans, bridges, ip firewall as well as receiving two BGP full feeds for IPv4 and v6.
Thanks for your feedback, I will try reset it first.

Re: v6.43.4 [stable] is released!

Posted: Tue Oct 23, 2018 12:17 pm
by Miracle
When I set comment for PPTP client, it reconnect !
New feature ?

Mac Address leaked from VLAN to main interface (CCR1009, Hex r3), I have 2 bridge same mac, it cause packet loop due leaked.

Re: v6.43.4 [stable] is released!

Posted: Tue Oct 23, 2018 12:25 pm
by andriys
When I set comment for PPTP client, it reconnect !
New feature ?
It has always been like that. Changing comment on any interface brings that interface down and then back up.

PS. The next time you post to a release topic please make sure you are reporting a problems that is specific to (was introduced in) this specific release. Thanks.

Re: v6.43.4 [stable] is released!

Posted: Tue Oct 23, 2018 1:02 pm
by anuser
I'm running 2x CCR1036 as CAPSMAN controller in active passive setup. With 6.43.4 today all Accesspoints fein active controller changed to passive with messages ~":ffff 10.30.17.3 faules to Connect, timeout" for all access points.

I have two monitoring server within my Network, which ping the CCR1036 one tine each second. They didn't Show any loss from the CCR1036.

Is there any known problem?

Re: v6.43.4 [stable] is released!

Posted: Tue Oct 23, 2018 5:02 pm
by Miracle
When I set comment for PPTP client, it reconnect !
New feature ?
It has always been like that. Changing comment on any interface brings that interface down and then back up.

PS. The next time you post to a release topic please make sure you are reporting a problems that is specific to (was introduced in) this specific release. Thanks.
Sorry, I don't know it down when I change comment until this update.
But leak Mac address is serious now because "Loop protect" disable main Interface

Re: v6.43.4 [stable] is released!

Posted: Tue Oct 23, 2018 11:13 pm
by abrandecky
I have noticed in Ip-firewall-mangle strange display of Bytes values.
I have e.g. mark connection and it shows 7999154942.6 GiB
In version e.g. 6.30 it was OK.

Please fix it in future version.

Thank you

Re: v6.43.4 [stable] is released!

Posted: Wed Oct 24, 2018 3:29 am
by hknet
Hi
upgraded CCR1072 - works fine.
but: snmp, warning arises with "timeout while waiting for program 79"
which is not ideal.

regards,
hk

Re: v6.43.4 [stable] is released!

Posted: Wed Oct 24, 2018 11:54 pm
by Chupaka
Mac Address leaked from VLAN to main interface (CCR1009, Hex r3), I have 2 bridge same mac, it cause packet loop due leaked.
What do you mean? As far as I remember, VLAN has always had the same MAC address as its parent Ethernet interface.

And, as always, you can freely change MAC address of bridge interface via "Admin MAC Address" property.

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 25, 2018 2:45 am
by mducharme
mducharme - Can you provide more details about the problem that you have? Preferably over e-mail to support@mikrotik.com? Provide supout file from your DHCPv6 server and more details about the problem - which client was trying to connect and did not receive a prefix, was the exact same configuration working just fine on v6.42.x?
Nevermind - I was mistaken. When troubleshooting the issue with earlier 6.43.x versions I changed the client DHCPv6 interface b/c I wanted to see if the client could get a prefix from the server if not on a PPP interface type (to see if the problem only affected PPP tunnels), and forgot that I had changed the client setting.

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 25, 2018 5:38 am
by Miracle
Mac Address leaked from VLAN to main interface (CCR1009, Hex r3), I have 2 bridge same mac, it cause packet loop due leaked.
What do you mean? As far as I remember, VLAN has always had the same MAC address as its parent Ethernet interface.

And, as always, you can freely change MAC address of bridge interface via "Admin MAC Address" property.
I mean all of mac address of vlan leak.
Bridge - Hosts table increase 2- 3 times after update and I see all mac address of vlan as main interface

Re: v6.43.4 [stable] is released!

Posted: Thu Oct 25, 2018 7:14 pm
by dougunder
Be very careful!

Upgraded a number of devices from 6.42.3 with no problems.

Today I attempted upgrade of a HAP AC running 6.40rc6 in the field and it started boot looping.
Customer was complaining about issues so I assumed it was a bad device and swapped it out.

Just attempted upgrade of a 6.42rc6 HAP AC and getting the same behavior (I think, no physical access ATM).

Tread carefully folks.

Further more:

I tried to recreate the issue on the bench by net-installing a device to the affected version.
Worked just fine. I've got a funny feeling this is an extension of the space bug terribly affecting 16G devices.
Only now it doesn't fail to install and log "no space" it tries to install and boot loops.

Re: v6.43.4 [stable] is released!

Posted: Fri Oct 26, 2018 12:32 am
by tuxtlequino
The Queues are not working right. I have a ccr1009 as my main router. This is the queue I have
/queue simple add burst-limit=768k/0 burst-threshold=128k/0 burst-time=2s/0s max-limit=512k/2M name=Simple target=VLAN21,VLAN22,VLAN23,VLAN24
And I noticed that it wasn't doing anything. The strange thing is that once I had torch running in a particular interface, the queue works as intended. Tried restarting router. Tried a series of experiments (same queue, but on a single VLAN) and obtained the same result. Any ideas? How do I submit a bug?

Re: v6.43.4 [stable] is released!

Posted: Fri Oct 26, 2018 12:52 am
by Chupaka
So, it was working in previous versions and was broken in 6.43.4, right?

But by your description, it looks like you're using FastTrack. According to the docs, it skips Queues.

Re: v6.43.4 [stable] is released!

Posted: Fri Oct 26, 2018 1:08 am
by tuxtlequino
So, it was working in previous versions and was broken in 6.43.4, right?

But by your description, it looks like you're using FastTrack. According to the docs, it skips Queues.
Thank you. I moved some rules and didn't noticed that my FastTrack rule ended up above and it was FastTracking this traffic before it got to the forward rules.

Now it kind of makes sense that the Queues worked when torching since it was going through all of my traffic instead of FastTracking.

Re: v6.43.4 [stable] is released!

Posted: Sat Oct 27, 2018 1:33 pm
by NetworkPro
pref-src in alternative routing table, in combination with output mangle routing do not set the correct output IP

Re: v6.43.4 [stable] is released!

Posted: Sat Oct 27, 2018 5:00 pm
by Chupaka
pref-src in alternative routing table, in combination with output mangle routing do not set the correct output IP
I believe it's because src-ip is selected in 'main' routing table, and mangle output is after routing decision (where src-ip is being selected) but before routing adjustment (where you can select new routing table but it's too late for changing src-ip).

And I don't believe it's regression in 6.43.4...

Re: v6.43.4 [stable] is released!

Posted: Sat Oct 27, 2018 5:43 pm
by NetworkPro
yes, I remember, however this breaks the pref-src functionality, so I report it as a (design) bug. I think pref-src should actually adjust the outgoing IP in this scenario as well.

Re: v6.43.4 [stable] is released!

Posted: Sat Oct 27, 2018 5:55 pm
by sindy
The issue is not the information itself but the choice of topic, or rather report channel, for it.

The "vX.X is released" topics are here to report issues specific to that release. As no topics or sub-forum for feature requests has been open, I believe support@mikrotik.com is the right channel to ask for them.

Re: v6.43.4 [stable] is released!

Posted: Mon Oct 29, 2018 11:25 am
by Kraken2k
RB2011 upgraded without problems, no issues so far.
Same here

Re: v6.43.4 [stable] is released!

Posted: Mon Oct 29, 2018 2:57 pm
by Vesic
Hi
Europe/Volgograd time zone is incorrect. should be GMT Offset +04:00 from October 28

Re: v6.43.4 [stable] is released!

Posted: Mon Oct 29, 2018 6:55 pm
by Chupaka
Hi
Europe/Volgograd time zone is incorrect. should be GMT Offset +04:00 from October 28
It's not MiktoTik problem. All websites I can found show GMT +03:00 for Volgograd today, even Google.

If +04:00 is true, it needs to be fixed in TimeZone Database, not in applications.

Re: v6.43.4 [stable] is released!

Posted: Mon Oct 29, 2018 7:32 pm
by ivanfm
Hi
Europe/Volgograd time zone is incorrect. should be GMT Offset +04:00 from October 28
It's not MiktoTik problem. All websites I can found show GMT +03:00 for Volgograd today, even Google.

If +04:00 is true, it needs to be fixed in TimeZone Database, not in applications.
This Volgograd change was published in tzdata on 2018-10-18, probably will have a long time to be updated in the servers.

https://github.com/eggert/tz/blob/ddc67 ... 2/NEWS#L50

The brazilian change was published in tzdata on 2018-01-12 and mikrotik and google maps does not use it yet.

Re: v6.43.4 [stable] is released!

Posted: Tue Oct 30, 2018 7:24 am
by Vesic
Hi
Europe/Volgograd time zone is incorrect. should be GMT Offset +04:00 from October 28
It's not MiktoTik problem. All websites I can found show GMT +03:00 for Volgograd today, even Google.

If +04:00 is true, it needs to be fixed in TimeZone Database, not in applications.
https://www.timeserver.ru/cities/ru/volgograd
https://blogs.technet.microsoft.com/dst ... st-russia/

i

Re: v6.43.4 [stable] is released!

Posted: Tue Oct 30, 2018 8:42 am
by Chupaka
Anyway, 6.43.4 was released even before this was updated in TZ database :) Politicians appeared to be slower than tech guys.

Write to support@mikrotik.com and ask them to update TZ info. Maybe in next version :)

Re: v6.43.4 [stable] is released!

Posted: Wed Oct 31, 2018 7:43 am
by notToNew
Sometimes after reboot, my Ltap Mini looses password and let me login without any.

Rebooting again often fixes the problem.
For security considerations this is extremely... Any ideas?
Have not seen this on any other MT router, and have several 100 in the field.

Re: v6.43.4 [stable] is released!

Posted: Fri Nov 02, 2018 8:42 am
by Ulypka
what about Ticket#2018101022007579?
My ccr still crashing to get fragmented packet of EOIP

Re: v6.43.4 [stable] is released!

Posted: Fri Nov 02, 2018 8:43 am
by ieleja
hAP ac ( 962UiGS-5HacT2HnT), upgraded at Oct/17 with 6.43.4 build [Oct/17/2018 06:37:48]

after that get 8 reboots up today, that at boot leaves in LOG:
router was rebooted without proper shutdown by watchdog timer

there are no configuration changes, high loads
current firmware 6.43

Re: v6.43.4 [stable] is released!

Posted: Fri Nov 02, 2018 8:57 am
by npero
Some problem but with 960GSP just regular restart by watchdog every 4 days in old version 6.42.xx have uptime 100day and more, support give me generic answer netinstall to last version and if happens again send again supout.rif.
Also have PowerBox Pro for now only one watchdog restart after update to 6.43.

It is easy to do netinstall for router in your room but in the tower, for now I look this as a new feature automatically router restart nice :) or automatic cache cleaner nice new feature.

Re: v6.43.4 [stable] is released!

Posted: Fri Nov 02, 2018 9:43 am
by Chaosphere64
hAP ac ( 962UiGS-5HacT2HnT), upgraded at Oct/17 with 6.43.4 build [Oct/17/2018 06:37:48]

after that get 8 reboots up today, that at boot leaves in LOG:
router was rebooted without proper shutdown by watchdog timer

there are no configuration changes, high loads
current firmware 6.43
+1
Exactly the same problem (3x hAP ac + 1 hEX PoE)

Re: v6.43.4 [stable] is released!

Posted: Fri Nov 02, 2018 5:28 pm
by GreatForcez
I bought two brand new hEX routers, both came with RouterOS 6.40.4. Upgraded from System -> Packages with default configuration still in place. After the upgrade, I could not log back in (it said "wrong username or password"), also WinBox neighbour discovery was not working. But internet traffic was working fine, so I know the router booted and was running succesfully, but I could not access it. Reboot did not help, had to manually reset the device using the reset button. After resetting, I was able to log back in again and the router was succesfully updated. Confirmed this issue with two brand new hEX routers, serial numbers show "..../806/r3" so revision 3???

Also upgraded two CCR1036, no problems.

Re: v6.43.4 [stable] is released!

Posted: Tue Nov 06, 2018 11:42 pm
by usmany
HI All,
I tried to upgrade my box, see result i got on attached file.

Need way out from this mess please

Re: v6.43.4 [stable] is released!

Posted: Wed Nov 07, 2018 8:52 am
by NetworkPro
@usmany this should solve it for you

backup your config with a backup file, as well as export to text format

upgrade to the latest beta with only the packages you are using and you want to keep

system
security
advanced-tools
wireless
dhcp
ppp

upload only these npks

if everything goes fine, then switch back to stable if you need, or keep the beta until the next stable is released

Re: v6.43.4 [stable] is released!

Posted: Fri Nov 09, 2018 6:29 am
by eXS
After upgrade & logging in for the first time the "Check for Updates" dialog was blank & giving an "error could not connect out of streams resources" at the bottom, this error remained despite trying "Check for updates" - by near accident i noticed if i changed the "Channel" drop down list the error went away and changed back to the normal "System is already up to date" when changed back to "current".

google -> "out of streams resources"

Re: v6.43.4 [stable] is released!

Posted: Sat Nov 10, 2018 12:59 pm
by Aytishnikcom
RB 3011 does not work SNTP Client, netinstall did not help.
If you disable the SNTP Client then Cloud update time works

translate.google

Re: v6.43.4 [stable] is released!

Posted: Sat Nov 10, 2018 1:23 pm
by Chupaka
does not work
what does that mean?

can you ping NTP server? don't you block NTP packets in Firewall Filter?

Re: v6.43.4 [stable] is released!

Posted: Sat Nov 10, 2018 1:47 pm
by Aytishnikcom
RB 3011 When you do reset configuration, and you select the default configuration, the SNTP Client also does not work anyway.
SNTP Client works well on rb2011, RB1100AHx4, 951G-2HnD, D52G-5HacD2HnD-TC
translate.google
ping Image https://prnt.sc/lgnog5
# nov/10/2018 14:29:33 by RouterOS 6.43.4
# software id = a98y-5s1n
#
# model = RouterBOARD 3011UiAS

/ip firewall filter
add action=accept chain=input comment="ACCEPT WinBox after knock" dst-port=\
    8291 in-interface-list=WAN protocol=tcp src-address-list=KNOCK-SUCCESS
add action=jump chain=input comment="Check port knock  (__1__)" icmp-options=\
    8:0-255 jump-target=knock packet-size=!0-99 protocol=icmp
add action=return chain=knock comment="KNOCK FAILURE return  (__2__)" \
    src-address-list=KNOCK-FAILURE
add action=add-src-to-address-list address-list=KNOCK-SUCCESS \
    address-list-timeout=1h chain=knock comment=\
    "KNOCK 3rd - success 10  (__3__)" packet-size=10 src-address-list=\
    KNOCK2
add action=return chain=knock comment="KNOCK 3rd - success return  (__4__)" \
    src-address-list=KNOCK-SUCCESS
add action=add-src-to-address-list address-list=KNOCK-FAILURE \
    address-list-timeout=1m chain=knock comment=\
    "KNOCK 3rd - failure  (__5__)" src-address-list=KNOCK2
add action=return chain=knock comment="KNOCK 3rd - failure return  (__6__)" \
    src-address-list=KNOCK-FAILURE
add action=add-src-to-address-list address-list=KNOCK2 address-list-timeout=\
    1m chain=knock comment="KNOCK 2nd - success 7  (__7__)" packet-size=7 \
    src-address-list=KNOCK1
add action=return chain=knock comment="KNOCK 2nd - success return  (__8__)" \
    src-address-list=KNOCK2
add action=add-src-to-address-list address-list=KNOCK-FAILURE \
    address-list-timeout=1m chain=knock comment=\
    "KNOCK 2nd - failure  (__9__)" src-address-list=KNOCK1
add action=return chain=knock comment="KNOCK 2nd - failure return  (__10__)" \
    src-address-list=KNOCK-FAILURE
add action=add-src-to-address-list address-list=KNOCK1 address-list-timeout=\
    1m chain=knock comment="KNOCK 1st - success 10  (__11__)" packet-size=\
    10
add action=return chain=knock comment="KNOCK 1st - success return  (__12__)" \
    src-address-list=KNOCK1
add action=add-src-to-address-list address-list=KNOCK-FAILURE \
    address-list-timeout=1m chain=knock comment=\
    "KNOCK 1st - failure  (__13__)"
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment=\
    "scanners-1  Port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment=\
    "scanners-2  NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="scanners-3  SYN/FIN scan" \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="scanners-4  SYN/RST scan" \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment=\
    "scanners-5  FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="scanners-6  ALL/ALL scan" \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="scanners-7  NMAP NULL scan" \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="scanners-8  dropping port scanners" \
    src-address-list=port_scanners
add action=drop chain=forward comment="scanners-9  dropping port scanners" \
    src-address-list=port_scanners
add action=drop chain=input comment="Brute Forcers_winbox_black_list - 1" \
    dst-port=8291 in-interface-list=WAN protocol=tcp src-address-list=\
    black_list
add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=8h chain=input comment=\
    "Brute Forcers_add_black_list - 2" connection-state=new dst-port=8291 \
    in-interface-list=WAN protocol=tcp src-address-list=Winbox_Ssh_stage3
add action=add-src-to-address-list address-list=Winbox_Ssh_stage3 \
    address-list-timeout=1m chain=input comment=\
    "Brute Forcers_Ssh_stage3  -  3" connection-state=new dst-port=8291 \
    in-interface-list=WAN protocol=tcp src-address-list=Winbox_Ssh_stage2
add action=add-src-to-address-list address-list=Winbox_Ssh_stage2 \
    address-list-timeout=1m chain=input comment=\
    "Brute Forcers_Ssh_stage2  -  4" connection-state=new dst-port=8291 \
    in-interface-list=WAN protocol=tcp src-address-list=Winbox_Ssh_stage1
add action=add-src-to-address-list address-list=Winbox_Ssh_stage1 \
    address-list-timeout=1m chain=input comment=\
    "Brute Forcers_Ssh_stage1  -  5" connection-state=new dst-port=8291 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface-list=\
    WAN protocol=udp
add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface-list=\
    WAN protocol=tcp
add action=drop chain=input comment="Block hole Windows - 1" dst-port=\
    135,137-139,445,593,4444 protocol=tcp
add action=drop chain=forward comment="Block hole Windows - 2" dst-port=\
    135,137-139,445,593,4444 protocol=tcp
add action=drop chain=input comment="Block hole Windows - 3" dst-port=\
    135,137-139 protocol=udp
add action=drop chain=forward comment="Block hole Windows - 4" dst-port=\
    135,137-139 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=torrent dst-port=50000 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="torrent UDP" dst-port=50000 \
    in-interface-list=WAN protocol=udp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

does not work
what does that mean?

can you ping NTP server? don't you block NTP packets in Firewall Filter?

Re: v6.43.4 [stable] is released!

Posted: Tue Nov 13, 2018 9:38 am
by JimmyNyholm
6.43.4 is Stable branch and includes *) bridge - do not learn untagged frames when filtering only tagged packets;
When do we recon that this patch will be available in "Long Term" branch?

Re: v6.43.4 [stable] is released!

Posted: Sat Nov 17, 2018 8:21 am
by eXS
Today the firewall connections list on one of my 1100x2's in winbox would keep going blank, progressively remaining/becoming more blank the longer the window was left open, despite 300-400 (fluctuating) "items" (bottom of connections window) - for a moment i thought it was because the list was actually clearing out, but checking in the terminal shows a list each time while the winbox connections window shows nothing. closing & re-opening the firewall window reliably brings back the list.

Also, albeit only twice/rarely, i've gotten a login authentication error logged, at the same time as i'm logging in, using stored credentials, it's as if i'm connecting too fast after launching winbox or something, that or resources being tied up is causing a glitch when i'm launching/connecting quickly, i'm not sure.

things feel kind of buggy lately, but i don't know if it's this-version specific as i'm doing things that i wasn't before. i couldn't afford a 2nd re-boot after the last upgrade (above post) which i've had to do in the past for other misc/buggy reasons on other devices after reset or upgrade.

Re: v6.43.4 [stable] is released!

Posted: Sun Nov 18, 2018 10:44 pm
by venthyl
LHG 60, 6.43.4 after uograde

ap died after 3th frequency change

no ping response, no link with second device

Re: v6.43.4 [stable] is released!

Posted: Fri Nov 23, 2018 7:33 pm
by schadom
BGP route filtering seems broken starting with v6.43.x. Eample below.

IXP Peering:
> routing bgp peer print detail where name=AS_SOMEPEER
Flags: X - disabled, E - established 
 0 E name="AS_SOMEPEER" instance=default remote-address=x.x.x.x remote-as=12345 tcp-md5-key="xxx" 
     nexthop-choice=default multihop=no route-reflect=no hold-time=3m ttl=default max-prefix-limit=10 
     in-filter=ixp-peer-in out-filter=ixp-ixp-peer-out address-families=ip default-originate=never remove-private-as=no 
     as-override=no passive=no use-bfd=no 

In-Filter:
> routing filter print where chain=ixp-peer-in
Flags: X - disabled 
 0   ;;; ---- IXP Peer In ----
     chain=ixp-peer-in prefix-length=16-24 address-family=ip invert-match=no action=accept set-bgp-local-pref=300 
     set-bgp-prepend-path="" 
     
 1   chain=ixp-peer-in address-family="" invert-match=no action=reject set-bgp-prepend-path=""

IP Route:
> ip route print detail where received-from=AS_SOMEPEER
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADb  dst-address=x.x.x.x/19 gateway=x.x.x.x gateway-status=x.x.x.x reachable via  sfp-sfpplus1 distance=20 
        scope=40 target-scope=10 bgp-as-path="12345" bgp-local-pref=300 bgp-med=0 bgp-origin=igp received-from=AS_SOMEPEER 

 1 ADb  dst-address=x.x.x.x/32 gateway=x.x.x.x gateway-status=x.x.x.x reachable via  sfp-sfpplus1 distance=20 
        scope=40 target-scope=10 bgp-as-path="12345" bgp-origin=igp received-from=AS_SOMEPEER 

 2 ADb  dst-address=x.x.x.x/32 gateway=x.x.x.x gateway-status=x.x.x.x reachable via  sfp-sfpplus1 distance=20 
        scope=40 target-scope=10 bgp-as-path="12345" bgp-origin=igp received-from=AS_SOMEPEER 

 3 ADb  dst-address=x.x.x/22 gateway=x.x.x.x gateway-status=x.x.x.x reachable via  sfp-sfpplus1 distance=20 
        scope=40 target-scope=10 bgp-as-path="12345" bgp-local-pref=300 bgp-origin=igp received-from=AS_SOMEPEER 

Why are the /32 routes installed and active? Seems like the prefix-length=16-24 filter attribute is handled incorrectly.
Already contacted MT support two days ago, no reply yet.

Thanks

Re: v6.43.4 [stable] is released!

Posted: Fri Nov 23, 2018 9:00 pm
by mducharme
Why are the /32 routes installed and active? Seems like the prefix-length=16-24 filter attribute is handled incorrectly.
Already contacted MT support two days ago, no reply yet.
I think the address-family="" in your reject rule is probably causing it to not match anything.

Re: v6.43.4 [stable] is released!

Posted: Fri Nov 23, 2018 9:09 pm
by schadom
I think the address-family="" in your reject rule is probably causing it to not match anything.
Already tried that, no difference. From my perspective a reject rule without any attributes (inculding address-family) should always reject everything.

Re: v6.43.4 [stable] is released!

Posted: Fri Nov 23, 2018 9:13 pm
by mducharme
Already tried that, no difference. From my perspective a reject rule without any attributes (inculding address-family) should always reject everything.
address-family="" on the reject rule would only reject routes where address-family = NULL, which should never be true.

If you want it to reject any address family you need !address-family instead of address-famiy=""

Re: v6.43.4 [stable] is released!

Posted: Fri Nov 23, 2018 9:15 pm
by schadom
Already tried that, no difference. From my perspective a reject rule without any attributes (inculding address-family) should always reject everything.
address-family="" on the reject rule would only reject routes where address-family = NULL, which should never be true.

If you want it to reject any address family you need !address-family instead of address-famiy=""

You are right, thank you very much! This is quite irritating and could possibly be improved in future ROS/Winbox releases, as address-family=NULL should never occur. After collapsing the address-family options in Winbox, the reject rule works as expected:

asdf.png

Additionally invert-match=no (default) and set-bgp-prepend-path="" (default) are also added for every newly created rule by default, eg.:

> add chain=test action=reject
> print where chain=test      
Flags: X - disabled 
 0   chain=test invert-match=no action=reject set-bgp-prepend-path="" 

The current approach just bloats the /routing filter print output with unnecessary information.
What speaks against hiding attributes if they have default values?

Re: v6.43.4 [stable] is released!

Posted: Sat Nov 24, 2018 7:58 am
by mducharme
Additionally invert-match=no (default) and set-bgp-prepend-path="" (default) are also added for every newly created rule by default
When I create a new routing filter rule on my home router (running 6.43.4) it does not have those added for every newly created rule by default. I'm not sure how you are getting those on newly created rules by default, unless you are creating them by copying existing rules.

The thing about address-family="" vs. !address-family is well documented when it comes to working with the MikroTik firewall since the routing filters and the firewall are designed similarly. This behavior can catch people by surprise the first time, but once you know to look for it (collapsing the options in your screenshot above), the behavior is entirely consistent throughout the firewall and routing filter interface. Although I agree that it would be nice if the result was made more clear than it is, there are more important issues to be fixed.

Re: v6.43.4 [stable] is released!

Posted: Thu Nov 29, 2018 6:51 pm
by tevolo
We have experienced many issues with 6.43.4 and losing the DHCP server functionality. We recently upgraded 20 CCRs from 6.38/6.38.1 and on 4 of the routers, DHCP server doesn't work. Eventually the router slows down too and cannot make a Supout.rif file. The DHCP server is shown in the config file, but it doesn't work and if you attempt to add a new dhcp server on the Bridge, it doesn't work. Reboot attempts do not resolve anything. We even tried to fix with onsite netinstalls which do not repair the DHCP server problems.
Only fix was to downgrade 6.42.7 and DHCP server comes back.
Been having way too many problems with RouterOS and updates lately. Really hoping for some stability very soon as reputation is going sour for us and Mikrotik.
Snap 2018-11-29 at 09.42.26.png

Re: v6.43.4 [stable] is released!

Posted: Sat Dec 01, 2018 2:41 am
by Grvuser
Just Updated to this SW release, and I am unable to connect to Groove. It keeps giving me a invalid username and password. Tried resetting a couple of times, but it doesn't seem to reset at all. It connects to the setup network right away. Any help would be appreciated to connect back to Groove.

Re: v6.43.4 [stable] is released!

Posted: Sat Dec 01, 2018 3:10 pm
by cdemers
Have you tried using the latest winbox?


Sent from my SM-A520W using Tapatalk


Re: v6.43.4 [stable] is released!

Posted: Mon Dec 03, 2018 3:03 am
by vecernik87
Just Updated to this SW release, and I am unable to connect to Groove. It keeps giving me a invalid username and password. Tried resetting a couple of times, but it doesn't seem to reset at all. It connects to the setup network right away. Any help would be appreciated to connect back to Groove.
@Grvuser: Which version did you upgrade from? There has been several changes recently which affects the way how winbox communicate and it is recommended to use newest winbox (currently 3.18) to avoid issues when logging in. Invalid username/password is one of typical issues which happens on older Winbox versions under some circumstances.

We have experienced many issues with 6.43.4 and losing the DHCP server functionality.
@tevolo: How many dhcp-servers do you have on each router and how many users per one dhcp-server? If you have any update about this issue, please share it. What are other "many issues"? Is there anything else except dhcp-server issues?

Re: v6.43.4 [stable] is released!

Posted: Mon Dec 03, 2018 2:20 pm
by emils
New version 6.43.7 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=142316