MikroTik

osc86

hap ac2, exact same dns configuration. There must be something different on those devices showing this problem. Maybe it's a service or setting interacting with the dns, which is disabled on my devices.. just a guess. (Graph)

osc86

strange, I still see no increase in memory usage. The screenshot I posted is from a 750G r3 (hEX). Does this only occur on arm devices?
We use this device at work to provide internet access to guests, not too much traffic, around 100GB/month.

osc86

With 6.47.9, there is currently no indication of memory leaking when DoH is used. /ip dns set allow-remote-requests=yes use-doh-server=https://dns.adguard.com/dns-query verify-doh-cert=yes /ip dns static add address=94.140.14.14 name=dns.adguard.com add address=94.140.15.15 name=dns.adguard.com /cer...

osc86

I updated to this version and enabled DoH. So far everything seems to work as expected. Will keep an eye on the memory usage.

osc86

I can't get more than one peer per wireguard instance working at the time.
After a reboot the first client connecting "wins", all other don't receive traffic.
Multiple instances with just one peer each seem to work simultaneously.

osc86

Got it, thanks 👍

osc86

@peichl Thanks for the explanation. I assumed everything you enter there is treated as a string, because Data doesn't necessarily need to be an IP Address, it could also be a domain name, in case it's a CNAME or PTR record.

osc86

Maybe I'm doing something wrong, but the "contains" filter option doesn't work with "Data" in IP -> DNS -> Cache. If you don't put in the full string you won't get any results. But I guess this is what the "is" option is for. I only discovered this, because a few minute...

osc86

If you need anything MORE stable - go to Zyxel with their zyfwp.

but keep in mind that you share your admin account with anyone on the internet

https://nakedsecurity.sophos.com/2021/0 ... patch-now/

osc86

I hope we'll get an official statement from a Mikrotik representative. As a workaround I'm currently forwarding all DNS requests to an OpenBSD machine running unbound, which handels DoH and CF just fine. Would be great if this could be done on the router itself.

osc86

It seems static DNS records of type FWD are ignored once a DoH server is added.
Is this a design decision or a bug? If this is not going to change, we'll never be able to use it, because we need conditional forwarding.

osc86

Trusted checkbox appears twice in Bridge -> Ports -> <interface> -> General

osc86

oh, now I see. But it is confusing, needs to be fixed. Didn't notice this in earlier versions.

osc86

The Trusted checkbox at the top doesn't do anything? The bottom one is for DHCP Trust.

osc86

Which features are missing in your opinion?

avahi / mdns-reflection; I have to do this on a raspberry pi now. It's a necessary feature, if you separate your iot stuff from production networks.

osc86

Is this a bug or some kinda of new feature, my bridge gets new MAC every time i reboot router (Hex), just installed beta3, so DHCP reservation is messed up as it gets new ip every reboot. No, this has always been the case - really annoying. The bridge uses the mac-address of one of the slaved inter...

osc86

Updated my HAP AC2 from beta2 to beta3 and the device is constantly rebooting at about 1 minute of uptime.
There was only one critical log entry, the device restarted because of a kernel failure. Downgraded back to beta2.

osc86

what's in the disk log?
/log pr where buffer=disk topics~"critical"

osc86

6.48beta58: The default value for "LLDP MED Network Policy VLAN" is invalid. (IP > Neighbors > Discovery Settings)

osc86

you only allow 6Mbit/s basic rate, I use 6,9,12,24. This works fine with all of my devices.

osc86

We know that DHCP doesn't work in the current beta (for wireless clients), but for me the wireless interfaces are not passing any kind of traffic. Even if I use a static ip address / DNS / Gateway on a wireless device, it can't connect to any host on the network or the internet. The traffic is bridg...

osc86

Another DHCP feature I request is when a static lease is added, a static ARP entry for this IP Address should also be created. On Interfaces with arp=reply-only this is very useful. When a device later uses the static address instead of dhcp, communication breaks if the ARP entry is not added manual...

osc86

After updating to 6.47.4, my IPTV stopped working. Does anyone know how to fix it? Thank you in advance for your help. I also encountered problems with IPTV or multicast in general. I opened up a ticket with MT support, and currently there seems to be a bug where the "multicast-router=pemanent...

osc86

Can we please get an option to ignore different MTU sizes between routers that run ospf? This should be easy to implement.
I don't even know why ospf cares about this. It's job is to exchange routes, nothing more.

osc86

Bridge -> VLANs -> +
Default Value for VLAN IDs is invalid. Happens with latest ROS stable and beta, so this might be a winbox issue.

Screenshot_20200921_190339.png

osc86

- IGMP-Snooping feature on CCR breaks igmp-proxy. IGMP Join Requests generated by the router on the upstream interface are filtered out by the igmp snooping feature.
When disabled, it works fine, but overloads my eoip tunnels because the traffic is flooded to all ports (as expected).

osc86

pe1chl, you are right. I downloaded an earlier Version of Winbox and it behaves the same.
I really thought this would open a new Winbox window, like when you start winbox.exe.
Sorry for that.

osc86

Session > new, opens up a new session, and will not save upon exit if it's not done manually.

It may worked like this in previous versions, but with 3.27 it opens up nothing.
Tested on Windows 10 x64 and wine64.
It should open a new winbox window where you can select a new session.

osc86

Menu: Session -> New doesn't do anything

osc86

So far, one HAP AC2 didn't survive the update from 6.47.2 -> 6.47.3. No response via IP / RoMON. Have to check tomorrow what is going on. Another 951Ui-2HnD took ages to come back online again, and didn't reply to pings anymore, I had to reboot the router a second time (RouterBOARD FW Update) and ev...

osc86

*) discovery - allow choosing which discovery protocol is used (CLI only);
EDIT: just found out, you can choose multiple protocols, comma separated. Thanks for this welcome change, I can finally disable cdp.

osc86

It has been a long time since I saw a client that by default preferred 2.4 over 5 GHz connection.

Amazon Echo devices do this all the time.. At least 1.Gen ones that I have.

osc86

Any idea how a mangle setup with policy routing (mark routing) and connection / packet marking for qos could look like? Both need "stop processing" in prerouting chain. I experimented a bit with my existing rules, but I didn't get both working at the same time. Maybe I have to use a new ch...

osc86

Still no fix mentioned for discarded IPv6 Neighbor solicitations entering the bridge when igmp-snooping is enabled.
It's really annoying not being able to use IPv6 and igmp-snooping together on the same bridge.

osc86

Did someone already check if enabling igmp-snooping still breaks IPv6 connectivity like in V6?

osc86

Install an older smaller image, then upgrade to latest. Can't really recommend this. The past has shown that constantly downgrading and upgrading between different versions can lead to a corrupted configuration or an unstable system. The scripts used for converting the configuration are not perfect...

osc86

almost 25000000 Sector writes.. what are you doing to your flash memory?

osc86

jun/02/2020 16:05:59 system,error,critical error while running customized default configuration script: no such item jun/02/2020 16:05:59 system,error,critical Got this on a HAPac², boot time was increased too (about 2 minutes) EDIT: IMO it's a bit confusing that wifi, vlan and tunnel interfaces sh...

osc86

Thank you for your reply.
I have disabled igmp-snooping and now it works.
I hope Mikrotik support is aware of this problem and already working on a fix.

osc86

I have a few clients in a dmz (vlan 22) that use IPv6 for internet connectivity. After a machine boots, it gets the prefix and gateway via SLAAC, connectivity works without issues. Once the Neighbor entry for this client times out, and the client tries to establish a connection using IPv6, it fails....

osc86

When ipv6 changes, win10 can get the new address normally, but it cannot be used. It is necessary to disconnect the network port and restart. When can it be fixed, this problem has been for many years. So, is this a bug in ROS or Windows? This is so annoying, my workaround currently is to disable i...

osc86

*) winbox - fixed dates and times in interface link up/down properties (WinBox v3.24 required);

finally, thanks

osc86

@TheChad did you check the status of sip helper? (IP->Firewall->Service Ports->sip). Some people recommend to turn this off.

osc86

I spent days in testing different configurations, the best I could achieve was ~140Mb/s using IPSec over GREv6/EoIPv6 using an MTU of 1390, ~25ms rtt between the routers. The other device was a CHR with 1 Gb/s WAN connection and plenty of resources. Neither of the devices cpu cores were fully utiliz...

osc86

@nmt1900 seems this device is still running 6.45.8

osc86

There is a bridge configured on CCR1036-12G-4S MikroTik Router. There are 9 ethernet interfaces in that bridge and one root port (that leads to Internet). The bridge is in 255.255.255.0 network. It is possible to sent WOL Magic packet from router using tool wol mac=... command and the computer wake...

osc86

rb4011igs. after update, bridge mac address changes non stop
my log filled with
Code: Select all
"bridge" mac address changed to xx:xx:xx:xx:xx:xx
version 6.44.6 don't have this problem

Always set an admin mac address for bridges, or it will cause trouble sooner or later. Just my experience..

osc86

It appears that the "interface slideshow" (configured in the interfaces screen under the LCD menu) on devices like the CCR1009 has stopped working in this release...
Anyone else who can confirm that?

For me it's working fine. Tested with 2 interfaces, timeout 10 seconds.

osc86

The CCR2004-1G-12S+2XS looks promising. I would like to see some speed test results of GRE and EoIP over IPSec. With the current generation of CCRs (TILE) the results of using plain ipsec and tunnel over ipsec differ by a mile.

osc86

got this 2 days ago on a hEX, never seen this before with any version of ROS installed. apr/25 23:34:52 system,error,critical router rebooted because some critical program crashed. On my CCR the snmpd is crashing every other day, every time a reboot is required to fix it. This happens since 6.46.1 o...

osc86

Mikrotik really could've fixed this.. it has been reported long ago

winbox - Copy.jpg

osc86

Anyone know where to find 3.21?

32Bit: https://download.mikrotik.com/winbox/3.21/winbox.exe
64Bit: https://download.mikrotik.com/winbox/3.21/winbox64.exe

osc86

HAP AC2
After loading the router, 75 MB of memory is free, and after 4 days uptime, 55 MB of memory is free, I’ve cleaned the memory logs. Where did the memory leak?

No memory leak here with a HAP AC2

osc86

Upgraded my CloudCore, CCR10009-7g-1c-1s+ and it has been everything but stable. Keep loosing WAN and Lan interface connection, so does not matter if I'm inside lan or outside, still lost connection. After a few min, or seconds in best case, it comes online again. Pingdom reported it as network err...

osc86

smb on a security device is just crazy. It should be entirely removed from RouterOS. That's what nas devices are made for, firewalled behind the router.

osc86

I had tried several times but the firmware was not get updated, it always stuck on v4.64.3. And what was the reason? It's in Log. Do not know what the reason is. After system reboot all logs were gone, no way to trace what happen. I had tried Winbox 3.21 and through script, the result was the same,...

osc86

SNMP stoped workin...

Did you get an autosupout file? I already created a ticket for this issue.

osc86

I stand corrected (somehow)! It looks like Dude server cannot make RouterOS connections to other devices and ends up with STD failure, when RouterOS connection is made in context of limited user account. Previously it was possible with only "read" + "dude" permissions. Now it ha...

osc86

6.46.4 != 6.46.4 ok

osc86

yeah.. if everyone could stop posting images that are way to big, that'd be great.

I didn't complain about the post itself, but why do all the images have to be in 1000x1000+ px?

osc86

I hope this also includes routing marks for ipv6.

osc86

I will set this to unsolved again, because I just had an equal case where the ip route for my ipsec gre link network is not routing properly... And this time that trick is not working :/ I got the same error, even with a loopback interface. When you use 10. 24.1.112/29 instead, routing doesn't work...

osc86

Please give us the option, to not use any dynamic servers at all, no matter what the source is.
I don't want to use any kind of dynamic dns servers, for obvious reasons.
Who is using the dns servers the vpn/isp provides anyway..

osc86

I really would like to have Wireguard Support in V7.

osc86

Hello, something really weird with 6.46.1 I have all my IPv6 advertisements off, DHCPv6 off, yet my machines are getting IPv6 addresses. This behavior started after the upgrade. Make sure your "bridge" Interface is also turned off in IPv6/ND. Clients receive their address configuration th...

osc86

osc86 - Do you see this error on multiple devices or on a single router? What happens when you try to create a supout file? I get this error quiet often but only on CHR. A simple reboot solves the problem. It seems to me that the filesystem at some point switches to read-only mode. I'll do more tes...

osc86

these random 'could not save package' errors need to stop.
/sys sup-output
failed to create supout.rif file

osc86

Using CCR as dude agent (not server) is impossible with latest firmware versions; with 6.46 it's even worse. Selecting the CCR as Agent for the HeX, HAP-AC2 and RB951 causes all monitored devices behind the CCR to toggle between on- and offline all the time. The Connection between the devices is abs...

osc86

Quick Fix for the Dude: - stop dude server - copy entire /dude/files folder from 6.45.7 installation to your computer - rename files folder in 6.46 to something else - copy the files folder from your computer back to your 6.46 installation (/dude/) - start dude server I used Filezilla for this, ever...

osc86

i have a lot of RB450/RB450G (very old ones, i know), RB2011, RB3011 and some few RB750 Gr3. Update was smooth on all of them, and the only problem i noted is that skin completly stopped working on the RB750 Gr3 devices. I can't even save a new skin, for example, is gets back to auth page and never...

osc86

Background Images in the Dude won't load.
And what happened to the font, the "1" at the end isn't readable.

osc86

No, sorry emils. I didn't realize the changelog in the first post isn't the full changelog.
Couldn't find anything DHCPv6 related, my bad.
When 6.46 has been officially released, I'll try it again and report back. Thanks!

osc86

When will this error be fixed where DHCPv6 Client stays forever on "rebinding" without getting actual dhcp information? You always have to manually hit release / renew to restart the dhcp client process, then it immediately gets the dhcp information and switches status to bound. Really ann...

osc86

Don't know if this is directly related to 6.45.7 or just another bug in The DUDE. Never seen this before. Agent and the device to monitor do run the same Version of RouterOS. Agent is hEX (mmips), the other device is hAP ac^2 (arm). I only get this error for one device. https://i.imgur.com/2EvDH6a.p...

osc86

Today morning my CCR1009 suddenly stopped responding to snmp requests. Seems that all snmp related settings are gone. No changes were made recently. An export of /snmp never finishes. https://i.imgur.com/Y9XovSv.png EDIT: After a reboot it works again, with all my snmp settings restored. I created a...

osc86

when will this finally be fixed?

osc86

DUDE Server looses connection to some Agents running 6.45.6 like every 2-10 minutes, but reconnects succesfully after one or two seconds.
I don't think it's a network issue, there is a packet loss of 0.1% out of 1000 packets sent.

osc86

IP Cloud not working in 6.45.5 or 6.46beta38. keeps updating and does not work. [X] /ip cloud> print ddns-enabled: yes ddns-update-interval: none update-time: yes status: updating... [CORE] > ip cloud pr ddns-enabled: yes ddns-update-interval: none update-time: yes public-address: X.X:X.X public-ad...

osc86

I hope IPv6 VRF + policy routing will be added in a later beta release......

osc86

no luck with my hap ac2. Tried upgrading from 6.44 and using netinstall. Not a single frame is coming out of this thing on any ethernet port.
Edit: working now. Had to netinstall 6.45.5 only with system + dhcp package, than uploaded 7.0b1 npk and rebooted twice

osc86

Why do you not just unbundle all those packages on these basic spec. devices? It's the only way they are going to work for the vast majority. Sticking your collective heads in the sand isn't going to help. People repeatedly tell you on here that it's broken, but you don't seem to be listening. Inde...

osc86

Just bricked one of our CRS switches, connected via SFP to CCR. It was a testing one, but we still need to visit the site. How could SFP support get broken, if there are no SFP related changes? I expect fix to be released asap, not just in a mysterious stable release sometimes in the future? seems ...

osc86

SNMPv3 still broken in The DUDE....

osc86

Unlike TCP, GRE is completely stateless, there's no way the router knows if an incoming GRE packet is new, related, established or something else. On both endpoints of the tunnel you need to have these firewall rules set up. Output chain's default action is accept, so you only have to do it for inpu...

osc86

@baks this is why the drop invalid rule is placed AFTER the accept established,related,untracked rule. 1 ;;; defconf: accept established,related,untracked chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 2 ;;; defconf: drop invalid chain=input a...

osc86

File from 159.148.147.204 is corrupted.
https://159.148.172.226/routeros/6.44.5 ... 6.44.5.zip seems ok.

osc86

Any updates regarding the SNMPv3 PrivAuth <-> Dude Issue?
For sure there's something wrong, I set up a new dude server and this "bad packet" error happens on all my devices running 6.45.1, LibreNMS works fine, though.

osc86

My configurations use all types of tunnels.

GRE, IPIP, EoIP. All of them, over IPsec without any problems on my end.

same here, no issues.

osc86

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.

osc86

I can also confirm snmpv3 does not work in 6.45rc50 with Observium or snmpwalk.

@slackR Did you already open a ticket at Mikrotik Support?

osc86

for some reason, my device isn't responding to SNMPv3 queries anymore, since I upgraded to beta50. I'm using LibreNMS for monitoring my devices, also tried manually with snmpwalk -> no response. EDIT: [admin@CORE] /snmp community> pr d Flags: * - default 0 * name="librenms" addresses=::/0 ...

osc86

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?

Done. [Ticket#2019051022005463]

osc86

After upgrading from beta31 to beta34-42, all IKEv2 PSK ipsec tunnels don't come up, getting Authentication failed in the logs (yes, psk is the same on both sides, hasn't been changed). Downgrading to beta31 again resolves the issue. 16:50:20 ipsec notify: AUTHENTICATION_FAILED 16:50:20 ipsec,error ...

osc86

After ugrading from beta31 to beta34, none of the ipsec tunnels work. Reverted back to b31.

osc86

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration: /ip ipsec peer add exchange-mode=ike2 name=router passive=yes /ip ipsec policy group add name=RoadW...

osc86

So this means wired 802.1x is now supported I guess. Any idea how we can configure this through CLI ? Also is there a planned GUI support version of it coming soon ? Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.

osc86

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll i...

osc86

I hope they'll add an option to remove single SAs in the future.

osc86

----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------
Amazing news! Thanks!

osc86

igmp-snooping is killing ipv6 connectivity, by not forwarding neighbor solicitation messages.
FF02:1:XXXX:XXXX isn't listed in MDB table, so no NS messages are exchanged between hosts.
This happens at least since beta22.

osc86

so why are we sitting with &^%%$& 16MB of NANDs

I agree, this is ridiculous

osc86

uninstall tr069 package, remove everything from /files, upgrade only routeros, after suiccessful upgrade install tr069 again

osc86

Tested Version on CCR1036-12G-4S - ROMON is not showing up in a discovery - ROMON appears to have been broken or some part of it. - CCR1036 is not showing up in ROMON list anymore after 44.1 installed. Anybody else seeing this.... or not! ? Updated a CCR1009, 2xCHR, 951Ui-2HnD, 750G r3, 2x 941-2nD ...

osc86

BUG – v.6.44 on ARM boxes RB3011 is losing IPSEC configuration After upgrade of ARM boxes (RB3011) to latest stable version 6.44, IPSEC is not working. Winbox GUI /ip ipsec section in is empty and no new config parameters can be added; In console /ip ipsec export gives just info that all subsection...

osc86

*) bridge - fixed possible memory leak when using "ingress-filtering=yes" on bridge interface; How did this bug manifest itself?? Been using this setup for a while and didnt notice any issues, on the other hand I dont really monitor that closely. I reported this problem to mt support. It ...

osc86

Another "bug" from version to version, form stable to stable release

"Future" time on GRE tunnels in (up\down) status field
May be someone know how it resolve?
Thanks!

Check System / Clock

All tunnel interfaces show the correct date and time on my devices.

osc86

updated a CCR1009 from 6.43.12 to 6.44 -> Lost connectivity on all eoip (ipsec) interfaces. Update: so it seems that this update broke ipsec completely on my device. The router locks up every time I try to access any menus under ip / ipsec. I only have about 5 tunnels configured with very basic sett...

osc86

I noticed a memory leak when bridge is set to frame-types=admit-only-vlan-tagged.
What is the device model affected?

CCR1009-7G-1C-1S+

osc86

I noticed a memory leak when bridge is set to frame-types=admit-only-vlan-tagged. Winbox and cli are unable to display interfaces / vlan / firewall rules etc after a few hours. A supout file takes like forever to generate and is corrupt when done.

osc86

are they still working on a fix?

IMG_0658.jpg

osc86

Most likely a supout.rif file is already generating in the backgound. Is there an autosupout.rif file in the Files menu? No, there are no files at all in the files menu. I had rebooted and tried again. It is still trying to generate the supout 5 hours later. If I go to the command line and type &qu...

osc86

thanks FransUrbo!
This also fixed the problem with iOS devices.

osc86

I still see SAs are not removed when they expire. Why isn't it possible to remove single SAs?

osc86

After updating CCR1009 to 6.43 there is a problem with port stability! Has anyone else encountered such a problem?

I doubt this is a software issue. Seems only one port is affected.
I don't have such a problem on my CCR1009.

osc86

We have a huge memory leak on the new 6.43 code running on our CRS317's. Some devices seem to be more affected than others, but within 10hrs the device reboots due to low memory. I encountered the same problem on a CCR while it was still rc. MT Support was unable to reproduce / fix it. Only a netin...

osc86

The comment column is missing in ipsec peer menu in winbox, and my id is shown twice

osc86

osc86, we are aware of the issue. It will be fixed until 6.43 is released in current release channel.

Something must have been changed with ipsec processing in rc64. No traffic is passing through the tunnels.
I moved back to 56, where everything works fine.

osc86

I lost all ipsec connections after updating to rc64 because of a bug in peer profiles.

osc86

even more important, the memory leak is still not fixed

osc86

Yesterday I set up an ipsec connection between 2 devices, one running 6.42.6 the other 6.43rc44. All IKE related settings were the same on both devices, but I wasn't able to establish a connection, unless I changed the hash algorithm to sha256 on the one running 6.42.6 and sha1 on the other. When I ...

osc86

anyone noticing a memory leak that ends with a kernel panic? this is on a CCR1009-7G-1C-1S+ running v6.43rc44

osc86

CPU hog issue is still not fixed in rc28
(Ticket#2018010522007579)

osc86

any updates on this, did you get it working?

osc86

Adding or removing vlans in MSTI makes my 1009 unreachable on all interfaces, have to power cycle to regain access.. 100% reproducible

osc86

How to correctly add virtual interfaces like eoip tunnels to the bridge? I tried 2 ways to get this working, without any luck. 1. When I add the tunnel interface as port to the bridge and create vlans on the bridge, the interface never comes up because of constant STP Learning/Discarding. I didn't f...

osc86

*) ipsec - allow to specify remote peer address as DNS name (CLI only);

does this mean ipsec tunnels can be established between 2 sites with dynamic ip addresses, so I can get rid of the additional L2TP Tunnel?

Search found 126 matches