MikroTik

OndrejHolas

Some users have bad performances with ipv4 and enabled bridge filters actives. In previous versions (7.7 and 7.8) there was no issue. Since 7.9 (stable) ipv4 bandwith is lower for about 35%. It seems that something in bridging code has indeed been changed - in my case the wired bridge ports on RB95...

OndrejHolas

Hi all, I've just discovered, that my 4-year-old RBD52 has its plastic case sticky. Tried to clean it with alcohol, but it helped only a bit. Seems to me like a plastic degradation, especially plastifier migration. Compared to RB952-TC's (hAP ac lite), that have almost the same case, but obviously m...

OndrejHolas

Upgraded from 6.48.2 to 6.48.3 on all boxes with wireless interfaces, both ROS and then firmware. After firmware upgrade and successfull reboot, the first hAP ac lite (RB952Ui-5ac2nD) suddenly froze (during /export ) and rebooted by watchdog: 21:32:53 system,error,critical router was rebooted withou...

OndrejHolas

This means you also have the implementation issues and not only the design flaws. According to the paper ( https://papers.mathyvanhoef.com/usenix2021.pdf ): CVE-2020-24587 - section 4, design flaw CVE-2020-24588 - section 3, design flaw CVE-2020-26144, CVE-2020-26146, CVE-2020-26147 - section 6, im...

OndrejHolas

...but given Mikrotik uses a very outdated Linux kernel, it is almost certainly susceptible to the OS-level vulnerabilities... The question is whether ROS uses completely its own code for 802.11 or relies on that code from kernel. In the latter case, ROS would be affected - look at the kernel patch...

OndrejHolas

Hello all, yesterday a few of new Wi-Fi vulnerabilites were announced. Since they are rather protocol- than implementation-specific, they are affecting multiple products from variuos vendors. Release notes for last stable and testing ROS don't mention anything that seems to be related to these vulne...

OndrejHolas

...the behavior can be different in different modes of bridge operation (full software bridging, fast path, switchchip aka hardware acceleration)... And indeed it is. I did a quick test on RB750GL (switchip Atheros 8327) and the results are: bridge in full software and fast path modes with protocol...

OndrejHolas

[*]bridge forwards LLDP frames Just to be clear - is this true also when protocol-mode differs from none on that bridge? I haven't tried it yet, we do not use bridges in any of the xSTP modes (at the edge APs, where we use bridges, there's really no need to include them in the spanning tree topolog...

OndrejHolas

Interesting. I wonder if this is related to the issue I had found? https://forum.mikrotik.com/viewtopic.php?f=21&t=171035&p=836796#p836789 When looking at the behavior it seems there are three different problems with LLDP: bridge forwards LLDP frames LLDP frames are sent VLAN-tagged and wit...

OndrejHolas

Tried to get LLDP-MED working with Cisco and Grandstream IP phones, but the behavior of ROS renders this function unusable. During the first contact, ROS responds to LLDP-MED probe from the phone by burst of LLDP frames that include MED TLVs - this behavior is correct, the phone catches information ...

OndrejHolas

Thanks EdPa, I appreciate your detailed answer. Now the conditions of the problem are clear and the mechanism makes sense. I haven't yet observed those communication drops due to the active hardware acceleration (all bridges I've tried so far were running inside switchchips with HW accel left on), w...

OndrejHolas

According to this post https://forum.mikrotik.com/viewtopic.php?t=172321#p842428 the version 6.49beta11 contains fix for SIP phone communication problems (Gigaset phones were heavily reported) that started after upgrade to 6.48, but I cannot find any relevant line in the changelog above. Could someo...

OndrejHolas

RB750GL with 6.48, directly connected Gigaset A540 IP (with latest firmware 42.248), no problems observed. Also checked with discovery turned on for all interfaces, including LLDP, and cold restart of the VoIP base (to achieve full init). Neither ping losses nor lagged/unreachable messages in Asteri...

OndrejHolas

Also noticed that after upgrade to 6.48 the hAP lite (RB941-2nD - smips) stopped transmitting LLDP frames (neither periodic nor after receiving MED probe from phone), although it still processes received LLDP frames (discovered phones are visible in /ip nei pr); all three discovery protocols are ena...

OndrejHolas

LLDP should not be forwarded from port to port under any circumstances Agreed. AFAIK, special L2 control protocols (especially those using multicast addresses 01-80-C2-00-00-00 to 01-80-C2-00-00-0F), including LLDP, are intended to be "bridge-to-bridge" and their frames should not be forw...

OndrejHolas

With IKEv2 the pfs group is inherited from phase 1, have a look at dh group in profiles. Perfect forward secret should be used even if set to none in proposals. Correct me if I am wrong, but I think you should set pfs-group to none in proposals on all devices for IKEv2. Just to clarify, in IKEv2, p...

OndrejHolas

Our 3011 is old but maybe not as old as yours it was shipping with firmware 3.41
Mine is indeed older, factory firmware is 3.27.

Finally, my old 3011 started to flap with another NIC connected, so the problem seems to be dependent on connected NIC (or its PHY?) as well.

OndrejHolas

To someone having problems with SIP phones: Could you please check log of the router with ROS 6.48, whether there are unexpected flapping events (link down/up) or not? Since the linkdowns last between 1 and 2 seconds (as observed in my lab), it could cause "Lagged" state in Asterisk when q...

OndrejHolas

Same on Gigaset S850A. Seems this update breaks SIP on multiple phones... any solution, or is downgrading the only option?

What transport do you use for SIP (UDP, TCP, TLS)?
Is the SIP conntrack helper active? (/ip firewall service-port print)

OndrejHolas

Our 3011 is old but maybe not as old as yours it was shipping with firmware 3.41

Mine is indeed older, factory firmware is 3.27.

Ondrej

OndrejHolas

Hi all, I have one spare RB3011 in lab, so I tried to upgrade it to 6.48 to see the problem with port flapping others mention here. So I did: upload ROS 6.48 packages to RB3011 with 6.47.7 (both ROS and firmware) sys reb (ROS upgraded) waited 10 minutes, no port flapping occurred upgraded firmware t...

OndrejHolas

You didn't have to set peer, but you had to set SA src/dst address for policy. Indeed. But for transport mode, the SA src/dst configuration was removed in 6.38.4: *) ipsec - hide SA address for transport policies The reason for this change was that SA src/dst addresses were not used at all in trans...

OndrejHolas

This is known problem. There were substantial changes in IPSec configuration structure in 6.43 (introduced peer profiles) and in 6.44 (identity). I've also observed the same errors when pasting working IPSec configuration to the new box. For somewhat reason now ROS requires to set the peer at the po...

OndrejHolas

During startup just after upgrade 6.46.2 -> 6.46.3, there are extra two lines in the log: 17:48:27 script,info Defconf(debug): isAp=0;isLte=0;model=cAPGi;numCombo=0;numGig=0;numSfp=0;numSfpPlus=0;other=;prefix=RouterBOARD;wireless= 5acD2nD 17:48:27 script,info Defconf(debug): w1=chains=0,1;frequency...

OndrejHolas

The Audience do have 2 5GHz band, 5GHz1 which is 2x2:2 support channel 36~64, 5GHz2 is 4x4:4 support channel 100~165 Thank you for clear information. So Audience does not meet my requirements and I'll go to RB922UAGS-5HPacD + R11e-5HacD. Hope the information about supported bands/channels will be c...

OndrejHolas

Hi all, I am considering replacing current office AP (hAP ac) with more powerful one. Since there are multiple SSIDs (including one for VoIP), I'd prefer to distribute SSIDs to different channels, thus looking for an AP with multiple 5GHz radios and Audience meets this. Although in specs on the web ...

OndrejHolas

RB911-5HnD (mipsbe), RouterOS 7.0 beta4 I tried to test (unrelated) problem with radar false positives (reproducible up to and including 6.46.1) also on ROS7. But after upgrade to 7beta4, the clients are almost unable to connect. I did independent wireless sniff on the same channel and found that AP...

OndrejHolas

Upgraded 2 CAPacs and 3 RB952s from 6.45.7, no issues, all boxes work as before upgrade. Although release notes mention wireless stability fixes and "improved radar detection algorithm", false positive radar detections on DFS channels still occur on 6.46 with the same average rate as in pr...

OndrejHolas

I've just briefly tested this scenario in beta3 and it seems to be fixed, although changelist does not mention it.

Ondrej

OndrejHolas

As 7.0beta2 was released to public moments ago, I've just re-tested scenarios described above on beta2 (ROS and firmware), observed behavior applies to 7.0beta2 as well, no change between beta1 and beta2.

Ondrej

OndrejHolas

HW: RB 3011UiAS ROS: 7.0beta1 Simple VLAN-aware bridge setup with ether9 as trunk port a ether10 as access port: [admin@rb3011] > /int bri exp /interface bridge add name=bridge0 protocol-mode=none pvid=998 vlan-filtering=yes /interface bridge port add bridge=bridge0 edge=yes frame-types=admit-only-u...

OndrejHolas

CCR1009, 6.44.3 -> 6.45.1. After upgrade, bonding interface didn't go up. I use two levels of bonding: two low level bonding interfaces, each consisting of two ethernets, bundled to LACP LAG; and one upper level bonding interface, consisting of the two LAGs: /interface bonding add mode=802.3ad name=...

OndrejHolas

It seems that archive all_packages-mmips-6.45.1.zip is truncated on one download server: https://159.148.147.204/routeros/6.45.1/all_packages-mmips-6.45.1.zip https://[2a02:610:7501:1000::196]/routeros/6.45.1/all_packages-mmips-6.45.1.zip Size: 10600448 SHA256: 6c4d219a8e59398c6fe821deec2f12c93bc72a...

OndrejHolas

LHG-5HPnD after upgrade (6.43.8 to 6.43.11) antenna gain has been set to 25dB (minimal value I can set), Rx dropped from -60dBm to -85dBm . If the other side was not upgraded also, Rx signal strength shown here seems to be corrected by antenna gain, but this is just number. The problem causing link...

OndrejHolas

+1

Nowadays, IPv6 perimeter firewalls at my customers' networks run on Linux due to the lack of IPv6 NAT (especially prefix translation) support in ROS.

Ondrej

OndrejHolas

It is probably not the 43 to 43.2 upgrade that did it, but instead, the routerboot firmware upgrade for 43. If you didn't reboot a second time after 6.43, the routerboot upgrade would not take place until the following reboot, which is probably by happenstance when you rebooted to upgrade to 6.43.2...

OndrejHolas

Interface speeds seem to be set explicitly after upgrading, is this related to the SNMP speed report changelog entry? I haven't tried connecting an interface at other speeds yet, but can I assume that this setting, while a part of /export, will change accordingly? I also have exactly the same in di...

OndrejHolas

Ondrej, did you include a supout.rif file taken while the problem was happening? do so... I didn't include supout.rif in the support case, because the displayable PoE status (print/monitor) on hEX S didn't show anything bad and nothing relevant was logged (turned on logging all about "poe-out&...

OndrejHolas

Would try latest 6.42.7 (make sure firmware is updated on System > Routerboard too). Failing that, would write support, linking to this post.

Already at 6.42.7 (both ROS and firmware). I've just sent mail to support with details and link to this topic.

OndrejHolas

Did you force poe to on on the hEX S when powering the hAP ac2 or left it on auto? On hEX S there are only two PoE-out modes - off and forced-on. Auto mode is not configurable: /interface ethernet poe> set ether5 poe-out=auto-on failure: This model does not support poe-out auto-on mode Ondrej

OndrejHolas

Hi, I use mikrotik hex s and hap ac2 ( hap ac2 - poe in ). hex s has 24V 1,2A power supply, but hap ac2 works unstable - I think it does not have enough power. What do I need to do - replace the power supply with a more powerful one? Hi, I have similar problem here with these two boxes, but my hAP ...

OndrejHolas

Received new hEX S today and SFP works fine with 6.42.6 and 6.42.7. The only combination I was able achieve the "no-link" status on SFP was with 6.42.6, coldbooted without SFP module and then inserted the module when RouterOS was already running. After warm reboot with module inserted, the...

OndrejHolas

Still exactly the same situation with 6.42.6 - unknown key size and imported key is not paired with its certificate. Lack of ECC support is quite big disadvantage, since many customers require ECC support (in certificate- and other contexts) for years. Libraries have support for EC certificates read...

OndrejHolas

In some situations, Intel 7260 ac adapters suffer firmware crashes. Typical combination of conditions is 5GHz band, >20MHz channel width and >1 chain. Setting AP to use 20MHz wide channel or to use only one chain helps. Also disabling 11n at the client side prevents firmware crashes. Tried latest fi...

OndrejHolas

Once you've found a machine you can physically fit it in to, it will work with the ath10k driver. R11e-5xxx adapters work with ath10k driver, but based on my experience with kernels 4.9+, you'll probably need some patches for the driver to work properly, notable problems are: - The EEPROM in the ad...

OndrejHolas

I've done dozens of tests so far. Following steps: - downgrading packages to 6.42.5 - reboot - downgrading firmware to 6.42.5 - shutdown - remove power, wait 10s - restore power and let the router boot with inserted SFP module (this seems to be important) can quite reliably make sfp1 work again. Als...

OndrejHolas

I've just observed exactly the same behavior on hEX S (6.42.6) with different SFP modules, including officially supported S-85DLC05D and Mikrotik's 3m DAC, and many setups (RB2011, RB3011, TP-Link MC220) - when one party is hEX S, link is down (nego done, rx power -15, but no-link); any other two bo...

Search found 47 matches