
v6.0rc9 released

Posted: Fri Feb 08, 2013 2:17 pm
by normis
What's new in 6.0rc9 (2013-Feb-08 08:15):

*) ospf - fixed Summary-LSA prefix length check for OSPFv3, was not accepting valid LSAs;
*) certificates - fix broken certificate handling (bug introduced in rc8) in all related programs;
*) fixed - bgp tcp-md5-key crash on CCR;
*) fixed interfaces list sometimes showing up empty;
*) fixed - ip addrs could be inactive for some types of interfaces which are added as bridge ports and disabled;

Note for Cloud Core Router users: after upgrading, please also upgrade the RouterBOOT with the console command "/system routerboard upgrade"
This is a highly recommended upgrade for all CCR series users. First upload this file, then run command: http://www.mikrotik.com/download/share/ ... 3_04_2.fwf


http://www.mikrotik.com/download

Re: v6.0rc9 released

Posted: Fri Feb 08, 2013 4:40 pm
by Attila
Dear Normis!

The v6.0rc9 tile all packages contain RouterBOOT 3.03 version.
This version of RouterBOOT same in older v6.0rc version...

Thx.

Attila

Re: v6.0rc9 released

Posted: Fri Feb 08, 2013 6:12 pm
by paoloaga
with 6.0rc9 on RB2011UAS, RB1100AHx2 and RB1200, the command "/ip dns cache-size=2048KiB" still results in an error.

Because of this, I can't deploy it with my automatic provisioning software.


-------

Another note, slightly off topic: this small flaw happens also on TILE platform with 6.0rc7.
[admin@gw1-vpr] > /ip dns set cache-size=2048KiB
value of cache-size contains invalid trailing characters
[admin@gw1-vpr] > /system resource print
uptime: 2w6d18h53m31s
version: 6.0rc7
build-time: Jan/18/2013 13:04:05
free-memory: 3072.7MiB
total-memory: 3964.0MiB
cpu: tilegx
cpu-count: 36
cpu-frequency: 1200MHz
cpu-load: 0%
free-hdd-space: 424.1MiB
total-hdd-space: 512.0MiB
architecture-name: tile
board-name: CCR1036-12G-4S
platform: MikroTik
I will try upgrading to rc9 later (can't reboot now).

Re: v6.0rc9 released

Posted: Fri Feb 08, 2013 6:29 pm
by jcem
"/ip dns set cache-size=2048"

works fine in RC9

RGDS

Re: v6.0rc9 released

Posted: Fri Feb 08, 2013 8:51 pm
by paoloaga
"/ip dns set cache-size=2048"
Sure, but if you add "KiB" at the end (that it is what "/ip dns export verbose" outputs), the command is not accepted, it's a (small but annoying) bug.

Re: v6.0rc9 released

Posted: Fri Feb 08, 2013 10:14 pm
by pyfgcrl
Any chance that 6rd is going to find its way into one of the RouterOS v6 RC builds? AT&T and many large ISPs like it are now using 6rd to deploy IPv6. Not having it in RouterOS is a big issue for our clients that use RouterOS on the edge.

Re: v6.0rc9 released

Posted: Sat Feb 09, 2013 1:15 am
by Arnold2222
In RC9 I still have a problem with all interfaces: they do not appear in Interfaces and the RB gets 100% CPU usage (RB 433AH).

Re: v6.0rc9 released

Posted: Sun Feb 10, 2013 12:13 am
by DogHead
Upgraded a point to point nstreme link from 6.0rc6 to rc9. One end used RB433 and the other used an Alix board (x86). Both with R52Hn cards. Link is set up using VPLS over a AP to Station link. AES encryption.

The RB433 looks fine with about 2% CPU, but the Alix board jumped up to 80% CPU. Under rc6 cpu load on the Alix board was about 5% with traffic. Sending about 15Mbps. Nothing too complex.

We don't have many Alix systems anymore, but it might be something you want to look at.

Re: v6.0rc9 released

Posted: Sun Feb 10, 2013 11:51 am
by engineertote
RC09 , all ethernet not appear and can not access via winbox

/interface print command not responding :(

Re: v6.0rc9 released

Posted: Sun Feb 10, 2013 12:17 pm
by SlayerCommand
RC09 , all ethernet not appear and can not access via winbox

/interface print command not responding :(

tried at MAC? Which your RB?

For these problems that I'm afraid to upgrade my RB.

Re: v6.0rc9 released

Posted: Sun Feb 10, 2013 3:25 pm
by doush
Routerboot is already 3.03.

Re: v6.0rc9 released

Posted: Sun Feb 10, 2013 3:46 pm
by ropeba
NAT is not working on CCR with rc9.

Re: v6.0rc9 released

Posted: Sun Feb 10, 2013 6:24 pm
by SlayerCommand
NAT is not working on CCR with rc9.
Excuse my ignorance, what most mean by CCR?

Re: v6.0rc9 released

Posted: Sun Feb 10, 2013 6:27 pm
by Dobby
NAT is not working on CCR with rc9.
Excuse my ignorance, what most mean by CCR?
CCR = Cloud Core Router :wink:

http://routerboard.com/CCR1036-12G-4S

Re: v6.0rc9 released

Posted: Sun Feb 10, 2013 9:06 pm
by LookinGooder
Is it normal, that E-mail password easy to see in .backup file? And Wi-Fi key too?
Is it not protected format?

Re: v6.0rc9 released

Posted: Sun Feb 10, 2013 10:23 pm
by morf
Is it normal, that E-mail password easy to see in .backup file? And Wi-Fi key too?
Is it not protected format?
I think it's not problem :)

Re: v6.0rc9 released

Posted: Sun Feb 10, 2013 10:59 pm
by payday
Is it normal, that E-mail password easy to see in .backup file? And Wi-Fi key too?
Is it not protected format?
"Important! The backup file contains sensitive information, do not store your backup files inside the router's Files directory, instead, download them, and keep them in a secure location. "
Citation from: http://wiki.mikrotik.com/wiki/Manual:Co ... Management

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 1:20 am
by przent
a) hard to notice
b) Applies to RouterOS: 2.9, v3, v4

I have something which most of you might not know...

Read especially part III.
I bet ROS 5.x, 6.x are about the same security level....

http://felinemenace.org/~andrewg/MikroT ... sis_Part1/
http://felinemenace.org/~andrewg/MikroT ... sis_Part2/
http://felinemenace.org/~andrewg/MikroT ... sis_Part3/

still think it`s nothing?

imagine me breaking into your tower somewhere "in the woods" and stealing your MikroTik

I will gain access to your network and I will also gain access to all your routers because of same password used everywhere.

It will take me 5 minutes to scan your network for unpatched windows and by using some script kiddy tool like metasploit to hack a few customers in few hours, stealing their data.

This is how a WISP can be put out of service in one dark night...

So be warned!

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 1:25 am
by SlayerCommand
Someone already updated RC9 in some RB450G? everything is normal with no problems?

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 5:39 am
by Beccara
a) hard to notice
b) Applies to RouterOS: 2.9, v3, v4

I have something which most of you might not know...

Read especially part III.
I bet ROS 5.x, 6.x are about the same security level....

http://felinemenace.org/~andrewg/MikroT ... sis_Part1/
http://felinemenace.org/~andrewg/MikroT ... sis_Part2/
http://felinemenace.org/~andrewg/MikroT ... sis_Part3/

still think it`s nothing?

imagine me breaking into your tower somewhere "in the woods" and stealing your MikroTik

I will gain access to your network and I will also gain access to all your routers because of same password used everywhere.

It will take me 5 minutes to scan your network for unpatched windows and by using some script kiddy tool like metasploit to hack a few customers in few hours, stealing their data.

This is how a WISP can be put out of service in one dark night...

So be warned!
In security, once you have physical access it's game over. Also, this requires you to extract the file from the flash of an RB or the HDD of an x86 box (a lot easier on x86).

The winbox entry is interesting but again requires a compromised PC, at which point it's just time. It's another attack vector that requires social engineering to exploit, and it's much easier to get granny to install bonzai buddy than it is a network engineer with user/pass for main routers.

Bit of a storm in a teacup really.

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 9:28 am
by normis
NAT is not working on CCR with rc9.
Please clarify what is not working, and send a supout.rif file to support. We have CCR routers with NAT and it works fine, maybe there is something specific in your configuration.

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 10:38 am
by normis
RC09 , all ethernet not appear and can not access via winbox

/interface print command not responding :(
engineertote, please write to support about this. can we get remote SSH access to your device?

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 10:55 am
by normis
First post has been updated with the CCR RouterBOOT upgrade file. http://www.mikrotik.com/download/share/ ... 3_04_2.fwf

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 11:09 am
by Masyanich
after update to rc 9, status of Connections disappeared (marked in red)
проблема.jpg

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 11:10 am
by normis
Is it normal, that E-mail password easy to see in .backup file? And Wi-Fi key too?
Is it not protected format?
yes, it is normal. do not store the backup file in public location, and do not give it to anybody.
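
As an added example (not part of the original thread and not MikroTik code): a defender-side check of the exposure discussed above, reporting whether secrets you already know appear as cleartext bytes in a stored backup file. It assumes nothing about the backup layout and only searches raw bytes; the function names, labels and sample blob are constructed for illustration.

```python
"""Added example: check whether known secrets appear as cleartext in a backup file."""
import hashlib

# Encodings to try. The backup layout is not described in this thread, so no
# structure is assumed; we only look for raw byte matches.
ENCODINGS = ("utf-8", "utf-16-le")


def find_cleartext_secrets(blob: bytes, secrets: dict) -> list:
    """Return one finding per (label, encoding) whose bytes occur in blob.

    secrets maps a label (e.g. "wifi-psk") to the secret string. Findings
    carry the label, encoding, offsets and a short SHA-256 tag, never the
    secret itself, so the report can be logged or attached to a ticket.
    """
    findings = []
    for label, secret in secrets.items():
        if not secret:
            continue  # an empty needle would match at every offset
        for enc in ENCODINGS:
            needle = secret.encode(enc)
            offsets = []
            pos = blob.find(needle)
            while pos != -1:
                offsets.append(pos)
                pos = blob.find(needle, pos + 1)
            if offsets:
                findings.append({
                    "label": label,
                    "encoding": enc,
                    "offsets": offsets,
                    "tag": hashlib.sha256(needle).hexdigest()[:8],
                })
    return findings


def audit_backup(path: str, secrets: dict) -> list:
    """Run the same check against a backup file on disk."""
    with open(path, "rb") as fh:
        return find_cleartext_secrets(fh.read(), secrets)


# Constructed sample standing in for a backup file (not a real .backup).
SAMPLE_BLOB = (
    b"\x00\x01HDR\x00" + b"smtp-pass\x00" + b"Mail-Secret-1" + b"\x00\xff" * 4
    + "Wifi-Key-2".encode("utf-16-le") + b"\x00\x00tail"
)
# Constructed secrets; in practice these come from your own password vault.
SAMPLE_SECRETS = {
    "email-password": "Mail-Secret-1",
    "wifi-psk": "Wifi-Key-2",
    "admin-password": "Not-In-File-3",
}

if __name__ == "__main__":
    for f in find_cleartext_secrets(SAMPLE_BLOB, SAMPLE_SECRETS):
        print(f["label"], f["encoding"], f["offsets"], f["tag"])
```

Any finding means the file must be handled like the credentials themselves: downloaded off the router, stored in a secure location, and the affected secrets rotated if the file has been exposed.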

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 11:12 am
by normis
after update to rc 9, status of Connections disappeared (marked in red)
it has been fixed in RC10 (not released yet)

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 11:16 am
by normis
a) hard to notice
b) Applies to RouterOS: 2.9, v3, v4

I have something which most of you might not know...

Read especially part III.
I bet ROS 5.x, 6.x are about the same security level....

http://felinemenace.org/~andrewg/MikroT ... sis_Part1/
http://felinemenace.org/~andrewg/MikroT ... sis_Part2/
http://felinemenace.org/~andrewg/MikroT ... sis_Part3/

still think it`s nothing?

imagine me breaking into your tower somewhere "in the woods" and stealing your MikroTik

I will gain access to your network and I will also gain access to all your routers because of same password used everywhere.

It will take me 5 minutes to scan your network for unpatched windows and by using some script kiddy tool like metasploit to hack a few customers in few hours, stealing their data.

This is how a WISP can be put out of service in one dark night...

So be warned!
Please clarify how you will break into something, if the backup file is not given to you? If you follow the manual, and store the file "in a secure location", no harm can be done. There is no solution to this, except by using encryption, which would require decryption keys.

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 11:31 am
by FutileNetworks
Under PPPoE Client, when bonding multilink pppoe links status only reports 1 Active link instead of the correct number.

Also [Ticket#2013012466000127] still unresolved, BGP session hangs in 'open sent' over multilinked pppoe link (2 or more) but works OK (Established BGP session) on single pppoe link. My ISP require I use TCP MD5 key on the BGP session. This is a new bug in v6, v5 worked fine.

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 11:45 am
by przent
No backup needed to compromise. It`s much easier to get access to physical equipment of a WISP. Most of the equipment is protected by nothing.

If I`m a script kiddy I do this:
a) Crack the case on the tower
b) http://manio.skyboo.net/mikrotik/
c) Do harm
d) Tell all my friends how good hacker I am.

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 11:46 am
by normis
No backup needed to compromise. It`s much easier to get access to physical equipment of a WISP. Most of the equipment is protected by nothing.

If I`m a script kiddy I do this:
a) Crack the case on the tower
b) http://manio.skyboo.net/mikrotik/
c) Do harm
d) Tell all my friends how good hacker I am.
Sorry but this is not related to this topic. Your described method requires somebody to keep a backup file on the router, which is against documentation recommendation. Also, breaking the case open, will not help if there is a routerboard inside.

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 11:54 am
by przent
If you follow the manual, and store the file "in a secure location", no harm can be done. There is no solution to this, except by using encryption, which would require decryption keys.
Normis, read the three part article in more depth or give the links to somebody able to understand it. I do not care about the backups as they are "just another security flaw" and there is a much bigger hole in the system.

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 11:55 am
by normis
If you follow the manual, and store the file "in a secure location", no harm can be done. There is no solution to this, except by using encryption, which would require decryption keys.
Normis, read the three part article in more depth or give the links to somebody able to understand it. I do not care about the backups as they are "just another security flaw" and there is a much bigger hole in the system.
This is not a serious security hole. Anybody can break into a bank and steal all the money. This is basically the same. Just put security guard and more locks on the door.

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 11:56 am
by przent
No backup needed to compromise. It`s much easier to get access to physical equipment of a WISP. Most of the equipment is protected by nothing.

If I`m a script kiddy I do this:
a) Crack the case on the tower
b) http://manio.skyboo.net/mikrotik/
c) Do harm
d) Tell all my friends how good hacker I am.
Sorry but this is not related to this topic. Your described method requires somebody to keep a backup file on the router, which is against documentation recommendation. Also, breaking the case open, will not help if there is a routerboard inside.
Oh really??!?!!? Won't work if there is an RB inside:

Then what is this:
Hardware needed
- computer (laptop is a good choice for hard conditions) :)
- RouterBoard (i've tested it on versions: 532, 532A and 411 - but should work on all OpenWrt-supported RouterBoards, Cesco tested it on RB133C)
- serial console cable
- patch-cord


Now you are really panicking!

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 11:58 am
by normis
Please read one post above. Also, please stop posting in unrelated topics. You can email support if you want to continue

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 12:00 pm
by ditonet
a) Crack the case on the tower
In many countries it is being called the crime.

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 12:39 pm
by SlayerCommand
Someone already updated RC9 in some RB450G? everything is normal with no problems?

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 1:24 pm
by alexha
Someone already updated RC9 in some RB450G? everything is normal with no problems?
On my RB450G upgrade to version 6rc8 and 6rc9 leads to a loss in the channel. Returned to 6rc7 :(

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 1:25 pm
by normis
On my RB450G upgrade to version 6rc8 and 6rc9 leads to a loss in the channel. Returned to 6rc7 :(
what do you mean by "loss in the channel", please clarify?

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 1:36 pm
by alexha
what do you mean by "loss in the channel", please clarify?
I think the problem with the queues - until the limit is reached, all is OK. As soon as someone loads the channel, at other users Internet disappears. I wrote about this in support. Ticket #2013021166000275

This is compounded by low bandwidth of the channel - the queues is always loaded

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 2:29 pm
by ropeba
We use nat rules with address list but it not work.
After reset counter:

Image

after 23 seconds, but there is no anything nated.

Image

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 4:02 pm
by zlatkomajstor
We that own CCR should upload tilegx_3_04_2.fwf and then run upgrade command?

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 4:03 pm
by normis
zlatkomajstor, Yes! of course, also upgrade RouterOS itself.

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 4:05 pm
by Attila
Dear Normis!

Multicast routing (PIM-SM) same source (IPTV channel) with different client IP (Set Top Box) not working in CCR1036 (RC6,RC7,RC8,RC9). Same ROS version (RC6,RC7,RC8,RC9) and same configuration (1. RP, 3. Interface) working correctly in RB2011.

Please investigate this problem...


Thx.

Attila

Re: v6.0rc9 released

Posted: Mon Feb 11, 2013 4:07 pm
by zlatkomajstor
I upgraded the router to version RC9 but the firmware was the same as in RC7 and I didn't read the second line where it said that we should also upload that file and upgrade after that. This is also first time I read about this. I thought that the firmware is built inside the upgrade package as it was always in the past.

Re: v6.0rc9 released

Posted: Tue Feb 12, 2013 1:53 am
by sp8qjf
dhcp radius authorization still offered

Re: v6.0rc9 released

Posted: Tue Feb 12, 2013 5:29 am
by infused
How many people have done this on a CCR? I'm still running RC7 as it's stable for me.

Also, can you update the boot FW without doing the OS?

Re: v6.0rc9 released

Posted: Tue Feb 12, 2013 11:09 am
by honzam
How many people have done this on a CCR? I'm still running RC7 as it's stable for me.

Also, can you update the boot FW without doing the OS?
Yes, you can. Put the file http://www.mikrotik.com/download/share/ ... 3_04_2.fwf into files. And then run the command
/system routerboard upgrade

Re: v6.0rc9 released

Posted: Tue Feb 12, 2013 6:50 pm
by javii
After upgrading CCR to rc9, VRRP is not working well.

On a router reboot, I have to disable and enable again VRRP IP to get it working. Downgrading to rc7 works fine.

Re: v6.0rc9 released

Posted: Tue Feb 12, 2013 8:09 pm
by rpengineering
Dear All,

I also have a problem with rc9 on RB433AH with OSPF and MPLS configured: when the router boots and OSPF starts running, the RB reboots with a kernel failure.

BR

Re: v6.0rc9 released

Posted: Tue Feb 12, 2013 9:25 pm
by estdata
  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

MikroTik RouterOS 6.0rc9 (c) 1999-2013 http://www.mikrotik.com/

[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments

[Tab] Completes the command/word. If the input is ambigous,
a second [Tab] gives possible options

/ Move up to base level
.. Move up one level
/command Use command at the base level
(8 messages not shown)
feb/04/2013 05:12:20 system,error,critical router was rebooted without proper shutdown
feb/04/2013 11:24:13 system,error,critical router was rebooted without proper shutdown
feb/05/2013 06:02:30 system,error,critical router was rebooted without proper shutdown
feb/07/2013 14:54:46 system,error,critical router was rebooted without proper shutdown
feb/08/2013 05:18:48 system,error,critical router was rebooted without proper shutdown
feb/10/2013 09:08:06 system,error,critical router was rebooted without proper shutdown
feb/11/2013 17:44:23 system,error,critical router was rebooted without proper shutdown
feb/12/2013 19:47:02 system,error,critical router was rebooted without proper shutdown

Re: v6.0rc9 released

Posted: Wed Feb 13, 2013 8:55 am
by regardtv
Morning All!

I was very excited when I took a look at the Changelog for rc8 and saw initial Openflow support ... but now Changelog has been updated and that's no longer visible ....

I'd appreciate being involved in any Openflow testing ;-)

R

Re: v6.0rc9 released

Posted: Thu Feb 14, 2013 3:55 am
by Chupaka
I was very excited when I took a look at the Changelog for rc8 and saw initial Openflow support ... but now Changelog has been updated and that's no longer visible ....

I'd appreciate being involved in any Openflow testing ;-)
both rc8 and rc9 downloads contain 'openflow' package which you need to install for OpenFlow support

Re: v6.0rc9 released

Posted: Thu Feb 14, 2013 10:24 am
by zlatkomajstor
I am sending graphics of the CPU load on CCR1036 in three cases:

RouterOS v6.0rc7 Conntrack disabled
Image

RouterOS v6.0rc9 Conntrack disabled
Image

RouterOS v6.0rc9 firmware 3.04.2 Conntrack disabled
Image


About 5k users, static routes, BGP and couple of IP based firewall rules.

I think that there is still a lot of work in order to do better load balance on the CPU cores.

I haven't seen any problem with the router except sometimes I don't get readings through SNMP. I didn't have this problem with other Mikrotik routers and the older RouterOS even if their CPUs were working at higher load than on the CCR.

Re: v6.0rc9 released

Posted: Thu Feb 14, 2013 12:08 pm
by regardtv
both rc8 and rc9 downloads contain 'openflow' package which you need to install for OpenFlow support
Quite right - unwrapped my CCR1036 this morning, installed RC9 and saw the Openflow package ;-)

Re: v6.0rc9 released

Posted: Thu Feb 14, 2013 12:12 pm
by mrz
Morning All!

I was very excited when I took a look at the Changelog for rc8 and saw initial Openflow support ... but now Changelog has been updated and that's no longer visible ....

I'd appreciate being involved in any Openflow testing ;-)

R
Here is the little information on how to use Openflow on RouterOS.
http://wiki.mikrotik.com/wiki/Manual:OpenFlow

You can contact support to get more details.

Re: v6.0rc9 released

Posted: Fri Feb 15, 2013 12:29 am
by 5nik
Hello all,

I found this problem in RC9: When PPP tunnel was established, two mangle rules (changing MTU) are added. But on the end (not at first position) of existing rules in chain forward. When some rule before them accepts packet, they avoid changing MTU and communication is faulty.
I must manually move change MTU rules before others in forward chain.

I am not 100% sure, but in previous version (RC7 and older) I hadn't problem with this (changing MTU rule was at first position).
(tested on RB751G)

Re: v6.0rc9 released

Posted: Fri Feb 15, 2013 1:10 am
by docmarius
The change MSS rules are in the "Mangle" table, while the other forward rules go into the "Filter" table.
According to the netfilter metamodel, mangle rules are applied before filter and NAT rules.

You can check this out here:
http://www.shorewall.net/NetfilterOverv ... l#Overview

So the position of change MTU in regard to other rules doesn't actually matter.
Unless there's an implementation fault.

Re: v6.0rc9 released

Posted: Fri Feb 15, 2013 12:42 pm
by 5nik
The change MSS rules are in the "Mangle" table, while the other forward rules go into the "Filter" table.
According to the netfilter metamodel, mangle rules are applied before filter and NAT rules.
I mean rules in the mangle table, in the forward chain. I have packet marking rules (due to traffic shaping).

But now I look in to other Mikrotiks with older firmwares (5.22) and Change MSS rules are on the end of table too. So this is not new in rc9, I must reorganize rules in mangle.

Re: v6.0rc9 released

Posted: Fri Feb 15, 2013 3:56 pm
by rafaeltdk
I need help, I need the firewall mangle functions, global out, and in global, however do not have the RC9?, in version 5.22 has my works normal full cache without them without full cache.

Re: v6.0rc9 released

Posted: Fri Feb 15, 2013 5:42 pm
by normis
rc10 has been released. please continue discussion in that topic, after you have upgraded. thanks!