> *) ipsec - allow specifying two peers for a single policy for failover;

Oh wow, that's a killer feature I've been waiting for years!
jun/02/2020 16:05:59 system,error,critical error while running customized default configuration script: no such item
jun/02/2020 16:05:59 system,error,critical
16:59:08 system,info router rebooted
16:59:14 system,error,critical error while running customized default configuration script: no such item
16:59:14 system,error,critical
16:59:19 bridge,info hardware offloading activated on bridge "bridge" ports: ether3-local,ether1-local,ether2-local,ether4-local,ether5-local
> Got this on a HAPac², boot time was increased too (about 2 minutes)
> jun/02/2020 16:05:59 system,error,critical error while running customized default configuration script: no such item
> jun/02/2020 16:05:59 system,error,critical

same error in RB4011 WIFI, if reboot the same message is logged

> after upgrade 2011Ui:
> [screenshot: 110.PNG]
> and:
> error while running customized default configuration script: no such item

It was reported in the 6.47rc topic and there was a reaction from MikroTik but apparently it was ignored before releasing it as stable.

> need to reset and load the config back

Why? Was the config gone? In my case it wasn't! And this error is always logged, it seems.

> > need to reset and load the config back
>
> Why? Was the config gone? In my case it wasn't! And this error is always logged, it seems.

at least my hap ac helped
> If you experience a version related issue, then please provide a supout file from your router to support@mikrotik.com.
> We added an error message in this RouterOS release that is printed out if configuration script provides an error. Most likely, there was a problem with the script all the time, simply now you get notified about it.

In my RB2011 the messages were like this:
> DoH server connection error: Network is unreachable entry for 2-7 times per second

I had the same issue with quad 9 DoH, but when I started to use 1.1.1.2 DoH, then it has worked much better. So far no DoH related connection issues in the log.
> Winbox missing "antenna gain" setting for wireless. Lost the most practical way to reduce transmit power.

It is also the most practical way to increase transmit power beyond the legal limit while operating in the regulatory-domain mode.
That is probably why it is now gone.

> > Winbox missing "antenna gain" setting for wireless. Lost the most practical way to reduce transmit power.
>
> It is also the most practical way to increase transmit power beyond the legal limit while operating in the regulatory-domain mode.
> That is probably why it is now gone.

With the newer releases setting something lower than the built-in antenna gain is not possible. (Even not with the CLI.)

> > It is also the most practical way to increase transmit power beyond the legal limit while operating in the regulatory-domain mode.
> > That is probably why it is now gone.
>
> With the newer releases setting something lower than the built-in antenna gain is not possible. (Even not with the CLI.)

If it is an external antenna either the GUI line will be back (I don't have such a device right now), or the gain will be at "0" (how would the AP know the gain?). That is really beyond the legal limit.
Bizarre twist in the head of the developers. (Like the way they handle "outdoor" frequencies in regulatory domain lists. Outdoor freq are not forbidden indoor, but MKT does.)
[admin@MktOmnitik] > interface wireless set antenna-gain=7
numbers: 0
failure: minimal antenna-gain for this country is 8
[admin@MktwAPac] > interface wireless set antenna-gain=1
numbers: 0
failure: minimal antenna-gain for this country is 2
[admin@hAPac2] > interface wireless set antenna-gain=1
numbers: 0
failure: minimal antenna-gain for this country is 3
system,error,critical error while running customized default configuration script: no such item
> I have installed ROS 6.47 on all my routers with great success. It seems to be working just fine. However, one quirk has popped up in my "ChangeIP DDNSScript". It now displays the following error:
> [screenshot: Screen Shot 2020-06-02 at 5.24.57 PM.png]
> I have not changed a thing in the script and it has been working fine through ROS 6.47RC2.
> Thoughts?
> -tp

When I try to update the address on changeip.com, I also get this error. The address is not updated.
Same here, after update to 6.47 my RB4011iGS+5HacQ2HnD-IN and cAP Ac..
system,error,critical error while running customized default configuration script: no such item
system,error,critical

> Same here, after update to 6.47 my RB4011iGS+5HacQ2HnD-IN and cAP Ac..
> system,error,critical error while running customized default configuration script: no such item
> system,error,critical
> Antenna gain was gone..

See this post
> We added an error message in this RouterOS release that is printed out if configuration script provides an error. Most likely, there was a problem with the script all the time, simply now you get notified about it.

It may be that you all have a script that gives an error, but RouterOS has not displayed it before. Try to disable all scripts and see if the message goes away.

> It may be that you all have a script that gives an error, but RouterOS has not displayed it before. Try to disable all scripts and see if the message goes away.

It's strange.
/system default-configuration print
> after this release, I've got a massive write sector on my devices.

I confirm quantity of sector writes is constantly fast increasing
> https://jcutrer.com/howto/networking/mi ... over-https --> DoH configuration on MikroTik router

It is possible to use DoH only with "Verify DoH Certificate" unchecked, or unchecked "Use CRL". Mikrotik is logging "DoH server connection error: SSL: handshake failed: unable to get certificate CRL (6)". I am using Cloudflare DoH, so installed DigiCertGlobalRootCA, but Mikrotik is telling me that CRL for this cert is invalid.
> I've got a massive write sector on my devices.

I can confirm this too (hAP ac lite, hAP ac^2).
> !) dns - added client side support for DNS over HTTPS (DoH) (RFC8484);

Does this mean we will see the end of filtering via DNS anytime soon?
> It seems to me that DNS FWD does not work if there is DoH set up. I can imagine people who want to FWD their internal domain zones while securing all external/public requests.

Indeed it is silly. One would expect the DoH to be implemented just like all other external resolvers, that is:
1+SMB is not working for me, log says
...
> 1+SMB is not working for me, log says
> ...

Probably not the same. I meant "IP/SMB", server of router itself.
SMB also broken on my R493G rig running 6.47. Can't access NAS on LAN behind router.
> *) netinstall - signed netinstall.exe with Digital Signature;

Netinstall 6.47 is still missing from the software download page.
> > !) dns - added client side support for DNS over HTTPS (DoH) (RFC8484);
>
> Does this mean we will see the end of filtering via DNS anytime soon?

This is not related to the support of DoH in the router. However, you are right that in the future your clients will no longer use your DNS resolver nor can you catch their attempts to use an external DNS resolver and dst-nat them to your own resolver.
> > I've got a massive write sector on my devices.
>
> I can confirm this too (hAP ac lite, hAP ac^2).

I also returned to 6.45.9 for writing which is useless 6.47
ROS 6.45.9 - uptime: 32m58s, write-sect-since-reboot: 167
ROS 6.46.6 - uptime: 33m4s, write-sect-since-reboot: 228
ROS 6.47 - uptime: 31m28s, write-sect-since-reboot: 2416
The configuration has not been changed. No actions were performed after reboots, except /system resource print.
Possibly the cause is "*) disk - improved recently created file survival after reboots;"?
> > after this release, I've got a massive write sector on my devices.
>
> I confirm quantity of sector writes is constantly fast increasing

I can confirm this too. Don't know what is causing this.
> I updated 3 different routers and have not encountered "sector write issues".
> Sure the sector write count is at 2500 or so after updating a router without config changes, but it is not increasing and I am not alarmed by such numbers.

I have this problem, with 2 AP. They don't have dynamic IP. They don't have DHCP servers. They are not used as DNS to the clients. I am not using CapsMAN. This is as barebones as I can get: just a dumb AP. Cloud is disabled too, and I didn't install any extra package - just using the default ones. No scripts whatsoever too.
/system resource print
uptime: 8h43m38s
version: 6.47 (stable)
build-time: Jun/02/2020 07:38:00
factory-software: 6.29.1
free-memory: 22.9MiB
total-memory: 64.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 650MHz
cpu-load: 4%
free-hdd-space: 3000.0KiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 14126
write-sect-total: 2127269
bad-blocks: 0%
architecture-name: mipsbe
board-name: hAP ac lite
platform: MikroTik
/system resource print
uptime: 8h47m36s
version: 6.47 (stable)
build-time: Jun/02/2020 07:38:00
factory-software: 6.29.1
free-memory: 23.0MiB
total-memory: 64.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 650MHz
cpu-load: 2%
free-hdd-space: 3000.0KiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 14409
write-sect-total: 2127552
bad-blocks: 0%
architecture-name: mipsbe
board-name: hAP ac lite
platform: MikroTik
on 6.47
system - auto-upgrade still a problem since 6.46, please fix it.
I've reported this many times.
> almost 25000000 Sector writes.. what are you doing to your flash memory?

I have 35 683 586 here. That happened when I had the "/tool graphing" running for some interfaces and resources, with the "store on disk" option on.
> But my router (2011) still works OK so I am not so worried about 500 writes, as some others are.

I'm not worried about "500 writes". I'm concerned with the fact that the writes more than quadrupled, with this new version. Same hardware, same config. Just an upgrade - from 6.46.4 to 6.47.
> > https://jcutrer.com/howto/networking/mi ... over-https --> DoH configuration on MikroTik router
>
> It is possible to use DoH only with "Verify DoH Certificate" unchecked, or unchecked "Use CRL". Mikrotik is logging "DoH server connection error: SSL: handshake failed: unable to get certificate CRL (6)". I am using Cloudflare DoH, so installed DigiCertGlobalRootCA, but Mikrotik is telling me that CRL for this cert is invalid.

I just did the same on my RB4011 and it's working. Did you do the chain pem or just the root pem?
> It seems to me that DNS FWD does not work if there is DoH set up. I can imagine people who want to FWD their internal domain zones while securing all external/public requests.

I brought this topic up for beta and rc releases... Mikrotik's answer was that DoH is always preferred when configured.
(If you want to test it, remember to flush cache before every request)
/ip dns static
add address=10.0.0.1 name=router.eworm.de
add address=10.0.0.10 name=host.router.eworm.de
$ dig +short A host.router.eworm.de @mt-6-46
10.0.0.10
$ dig +short AAAA host.router.eworm.de @mt-6-46
$ dig +short A host.router.eworm.de @mt-6-47
10.0.0.10
$ dig +short AAAA host.router.eworm.de @mt-6-47
eworm.de.
2a01:4f8:13a:16c2::80
/ip dns static
add address=10.0.0.1 name=router.eworm.de type=A
add address=10.0.0.10 name=host.router.eworm.de type=A
add regexp=".*\\.router\\.eworm\\.de\$" type=NXDOMAIN
> bpwl,krafg - The antenna gain setting is not available there anymore for the routers that have a built-in antenna.

Hi Strods, a sad choice, but it's your RouterOS.
> I brought this topic up for beta and rc releases... Mikrotik's answer was that DoH is always preferred when configured.
> In general that's a good idea, with this exception: I want to forward specific zones to dns servers in local network or vpn.
> So please change the priority list:
> We want conditional forwarding of DNS queries AND DoH at the same time.
> - forwarding with FWD record
> - DoH
> - regular DNS

+1 !!!
> wuffzack,pe1chl - Please send two supout files from this router to support@mikrotik.com (one from v6.47 and one from the previous version that was installed on your router).

Do you seriously expect us to keep an archive of supout files made before upgrading so we can send them to you in case there is a problem after upgrading??
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=aes-128 lifetime=8h name=modp1536 \
nat-traversal=no
/ip ipsec peer
add address=x.x.x.x/32 comment=peername disabled=yes local-address=\
x.x.x.x name=peer-peername profile=modp1536
/ip ipsec policy
add comment=peername disabled=yes dst-address=x.x.x.x/32 proposal=\
modp1536 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x \
src-address=x.x.x.x/28 tunnel=yes
> templeos - We will consider changing the topic of these messages, but I think that you would like to know if the DNS server is not reachable when someone tries to use it.

Consider rate-limiting the messages. Only print the message when it has not been printed within the last 10 or 60 seconds or so.
> I brought this topic up for beta and rc releases... Mikrotik's answer was that DoH is always preferred when configured.
> In general that's a good idea, with this exception: I want to forward specific zones to dns servers in local network or vpn.

I don't think it was a good idea. Probably the "MikroTik answer" only described what was done in the actual implementation, not what should have been done.
- lookup the requested data in the static/cache table to find any static records or cached items. if found, return them.
- when the found item is FWD, forward the query to specified server using DNS (UDP/TCP port 53)
- when not found, check the configuration:
  - when DoH is configured, forward the query over DoH.
  - when DoH is not configured, forward it to one of the configured DNS servers (as before DoH was added).
- when the reply is received, store it in the cache and return it to the client.
> > templeos - We will consider changing the topic of these messages, but I think that you would like to know if the DNS server is not reachable when someone tries to use it.
>
> Consider rate-limiting the messages. Only print the message when it has not been printed within the last 10 or 60 seconds or so.

Totally agree. There's no need to have the same log a gazillion times. This pretty much happens with every DoH dns warning and error. Not the topic is the issue here. It's the amount of messages in the log.
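One way to implement the rate-limiting suggested above, as an added example that is not part of the thread or of RouterOS: an identical topics+message pair is emitted once per window and later repeats are counted instead of logged. The sample log lines, including the dns,error topic, are constructed for the demo.

```python
"""Rate-limit repeated RouterOS-style log messages.

Added example (not RouterOS code): a message is emitted only when the same
topics+message pair has not been emitted within WINDOW; repeats are counted
and reported on the next emission instead of flooding the log.
"""
from datetime import datetime, timedelta
import re

WINDOW = timedelta(seconds=10)

# "mon/dd/yyyy hh:mm:ss topics message", the form shown earlier in the thread
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")


def parse_line(line):
    """Split a log line into (timestamp, topics, message); None if unparsable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%b/%d/%Y %H:%M:%S")
    except ValueError:
        return None
    return ts, m.group(2), m.group(3)


def rate_limit(lines, window=WINDOW):
    """Return (emitted_lines, still_suppressed).

    emitted_lines: the lines that would reach the log; a line that follows
    suppressed repeats is annotated with how many were dropped.
    still_suppressed: repeats dropped after the last emission of each message,
    keyed by (topics, message), so they are not silently lost.
    """
    last_emitted = {}
    dropped = {}
    emitted = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # unknown format: never suppress it
            emitted.append(line)
            continue
        ts, topics, msg = parsed
        key = (topics, msg)
        prev = last_emitted.get(key)
        if prev is not None and ts - prev < window:
            dropped[key] = dropped.get(key, 0) + 1
            continue
        n = dropped.pop(key, 0)
        suffix = f" ({n} identical messages suppressed since last shown)" if n else ""
        emitted.append(line + suffix)
        last_emitted[key] = ts
    return emitted, dropped


# Constructed sample log: timestamps, topics and text are made up for this demo.
SAMPLE_LOG = [
    "jun/02/2020 16:05:59 dns,error DoH server connection error: Network is unreachable",
    "jun/02/2020 16:05:59 dns,error DoH server connection error: Network is unreachable",
    "jun/02/2020 16:06:00 dns,error DoH server connection error: Network is unreachable",
    "jun/02/2020 16:06:03 dns,error DoH server connection error: Network is unreachable",
    "jun/02/2020 16:06:05 system,info router rebooted",
    "jun/02/2020 16:06:12 dns,error DoH server connection error: Network is unreachable",
    "jun/02/2020 16:06:20 dns,error DoH server connection error: Network is unreachable",
]

if __name__ == "__main__":
    kept, pending = rate_limit(SAMPLE_LOG)
    print("\n".join(kept))
    for (topics, msg), n in pending.items():
        print(f"... and {n} more '{msg}' ({topics}) still suppressed")
```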
> cAP ac with 6.47 no broadcast 5G network, but in WinBox no errors. All seems fine.

most probably dfs channel, wait or set a non dfs one
> Here in my hEX S it increased rapidly!
> Short uptime and is at 87k +
> 13h uptime
> This must be corrected !!

Downgrading to 6.45.9 while the problem with sector recording is not resolved.
> I did not get IPv6 DNS Server's IP addresses with RA. Neither with LAN and neither with WLAN connections. I did disable IPv6 firewall, but nothing. 6.47 version of ROS.

I don't think there was a change in this functionality, do you know how (limited) it worked in previous versions?
> This is the actual result of DoH. This build (6.47) is same as 6.47rc2. I'm fetching DoH connection error: idle timeout issue from both versions. This issue solves by rebooting router but not permanently. It starts after sometimes.
> [screenshots: A.PNG, A1.PNG, a2.PNG]
> This will continue until reboot and start again this loop.

I was getting the same until I got the proper root cert imported for cloudflare-dns.com. Once the CRLs were updated, it stopped. Been clean for almost a day now. And I don't use cloudflare-dns.com, I actually use 1.1.1.1/dns-query instead so I don't have to do a local DNS lookup and don't have to have non-DoH addresses in my DNS settings...
> > cAP ac with 6.47 no broadcast 5G network, but in WinBox no errors. All seems fine.
>
> most probably dfs channel, wait or set a non dfs one

Ok! Thx you! Now upgrade to 6.47 again and check! Post here later....
/ip dns static add name=<name> type=AAAA address=<some special value indicating that there's no data>
/ip dns static add name=<name> type=AAAA no-data=yes
> - apply the static list from top to bottom - regardless of whether it is simple or regexp

I don't think you want this. The nice thing about DNS is that it's hierarchical and searches can be optimized, so even when you have many records, it can be very fast. That's until you introduce non-DNS-like things like regexps; they ruin the simplicity, because it's another layer that requires different processing. They are useful, but they should be an extra tool and all simple configs should be possible without them.
> where did you get the "the proper root cert for cloudflare-dns.com" ?
> Richard

This is all you need:
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
> i have no idea how to make more free space...
> hAP lite

Install an older smaller image, then upgrade to latest.
> Install an older smaller image, then upgrade to latest.

Can't really recommend this. The past has shown that constantly downgrading and upgrading between different versions can lead to a corrupted configuration or an unstable system.
> For example, if there is some kind of a cache between your router and download servers, then it can cache old "LATEST.6" file and as a result you might see wrong version number here. Then router downloads ("upgrade.mikrotik.com/routeros/package" + LATEST.6 file contents) file.

In my experience it sometimes happens that "System->Packages->Check for updates" does not work even though upgrade.mikrotik.com can be pinged.
> > Install an older smaller image, then upgrade to latest.
>
> Can't really recommend this. The past has shown that constantly downgrading and upgrading between different versions can lead to a corrupted configuration or an unstable system.

It is a known problem with hAP mini!
> When I exported my settings with command
> export file=yyyy-mm-dd-export
> all ports are exported with
> speed=100Mbps
> so the export looks like:
> set [ find default-name=ether15 ] speed=100Mbps
> set [ find default-name=ether16 ] speed=100Mbps
> set [ find default-name=ether17 ] disabled=yes speed=100Mbps
> set [ find default-name=ether18 ] disabled=yes speed=100Mbps
> - This is wrong, because I use 1Gbps. It is added by mistake and it may cause troubles when restoring backup. Happens on both devices.

If you did search for this here on the forum, you would have found this viewtopic.php?t=1000572.
> fs0c13ty,Grant,dvm,ErfanDL,pe1chl,dvm,pendie,Paternot,denisnk,JohnTRIVOLTA,WeWiNet,mirolm,faxxe,SnkB,nmt1900,osc86,pe1chl - We are currently looking into this.

Any forecast for fixing this error in the high writing of the NAND sectors?

> > fs0c13ty,Grant,dvm,ErfanDL,pe1chl,dvm,pendie,Paternot,denisnk,JohnTRIVOLTA,WeWiNet,mirolm,faxxe,SnkB,nmt1900,osc86,pe1chl - We are currently looking into this.
>
> Any forecast for fixing this error in the high writing of the NAND sectors?

I got this answer from support:
Thanks for listening!

> > Any forecast for fixing this error in the high writing of the NAND sectors?
>
> I got this answer from support:
> Thanks for listening!

My feedback was a bit different.
"Thank you for your report. Our team is working on this. The issue will be resolved in the upcoming RouterOS releases."
> I have a situation where I have a central WAP (INTL) and 2 HAP's (US) as bridges. They USED to use the 5Ghz band and after the upgrade it all BROKE.
> I correctly had frequency-mode set to regulatory-domain, but apparently Mikrotik removed countries from the definitions based on the hardware version (INTL vs US).
> Got everything running by switching the links to 2Ghz. 5Ghz is still broken.
> I don't see a reason I shouldn't be able to use an INTL version and a US version together as long as you're properly using the settings for your region.

What do you mean by "all BROKE"? Could you please be more precise? Depending on what exact version you've upgraded from, regulatory settings could have changed.
> Everyone - DNS wiki page has been updated - https://wiki.mikrotik.com/wiki/Manual:I ... over_HTTPS
> /tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
> /certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
> /ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

Just a comment to the Wiki that it does miss some information. When importing the certificate, you are asked for a password phrase. This is not mentioned in the Wiki and it is not clear to me when to use this password.
> Of course, use any DoH server. Just like you can use any DNS server or any ISP connection. We can't tell you what provider to use.

what about local DOH server ? I have a cloudflare local DOH but not working with mikrotik.
> But if someone had a long-term file somewhere in the cache, both stable and test?
> long-term 6.45.8, stable 6.46.3 and tester 6.47beta35? I don't have any cache, only if the ISP had what it seemed to me probably, since there was no problem yet. . . Can I download eg 6.46.6 manually and upload to files-flash? Is my system updating after a reboot?

This is more general information.
> > Of course, use any DoH server. Just like you can use any DNS server or any ISP connection. We can't tell you what provider to use.
>
> what about local DOH server ? I have a cloudflare local DOH but not working with mikrotik.

What do you mean by "local"? Is that a local program (client) running on another device in your local network connecting to Cloudflare?
> > what about local DOH server ? I have a cloudflare local DOH but not working with mikrotik.
>
> What do you mean by "local"? Is that a local program (client) running on another device in your local network connecting to Cloudflare?

I'm using cloudflare DOH server on raspberrypi
DoH server connection error: SSL: handshake failed: unable to get local issuer certificate (6)
> pe1chl - No, we do not. Since you were posting a problem report here in the forum, I did ask for a file (if you have one) and if you do not have one, thought that you might downgrade, generate file and upgrade again. Regarding the DoH logs, what to do if the server is not reachable once for a second? Administrators should know about it.

I would hope (and assume) that at MikroTik, you have ample resources to set up a router at 6.46.2 or similar, create an IPsec tunnel and set it to disabled, and then try the upgrade. For me to replicate that, I would either have to take down my network, or try the operation on a CHR which I first have to create. I assume you can create new CHR instances running a specified version in a few seconds.
> dakotabcn - This does not seem to be related to v6.47. Please send supout file from this router to support@mikrotik.com.
> llubik - Upgrade simply looks for upgrade.mikrotik.com/routeros/LATEST.6 file. Of course, you can download files from our download page, upload them to the router and reboot it.
> DeGlucker - Problem with script error was already mentioned above. It will be fixed. Regarding the neighbor discovery issue, please provide supout file to support@mikrotik.com.
> eworm - We will look into this.
> sohel07,diablothebest,rajo - Please provide supout file from this router (generated while the issue is present) to support@mikrotik.com.
> pe1chl - No, we do not. Since you were posting a problem report here in the forum, I did ask for a file (if you have one) and if you do not have one, thought that you might downgrade, generate file and upgrade again. Regarding the DoH logs, what to do if the server is not reachable once for a second? Administrators should know about it.
> HZsolt - Did the same configuration work just fine on previous RouterOS versions?
> rooneybuk - Did you make any changes after an upgrade (for example, enabled DoH or something else).
> tricyclevent - Instead of using the RouterOS bundle package with disabled packages, you can install separate packages. Download them on our download page, upload to the router, and simply reboot it. Seems that you need to install only five packages, but currently there are ten installed on the router.
> jetelina - Speed parameter shows the speed that is used if auto-negotiation is disabled. This was an old issue and the fact that you see this in the export shows that the issue is already resolved (100 Mbps shows in export since it is not the default value anymore).
> anav - I presume that this is a joke, but please do not post such messages. MikroTik did not provide such an answer to anyone in our support channel.
> nexusds - I do not see such an issue. Maybe a specific policy is required. Please provide supout to support@mikrotik.com and name which policy did trigger this issue.
> Everyone - DNS wiki page has been updated - https://wiki.mikrotik.com/wiki/Manual:I ... over_HTTPS
> Everyone - I just wanted to remind you that if there is a new issue introduced in the concrete RouterOS version then please report this issue to support@mikrotik.com right away.

Dear strods!
> > What do you mean by "local"? Is that a local program (client) running on another device in your local network connecting to Cloudflare?
>
> I'm using cloudflare DOH server on raspberrypi
> https://blog.cloudflare.com/deploying-g ... d-pi-hole/
> also there is a problem with cloudflare public gateway over DOH. An error that appears in the mikrotik log:
> DoH server connection error: SSL: handshake failed: unable to get local issuer certificate (6)

Apparently you have not installed it correctly, or you have not configured the MikroTik router correctly.
[admin@MikroTik] /ip dns> print
servers: 1.1.1.1
dynamic-servers:
use-doh-server: https://cloudflare-dns.com/dns-query
verify-doh-cert: yes
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 193KiB
I have a problem with the DHCP Server. I have connected a TP LINK AP200 as a repeater/bridge of the wifi network of Mikrotik. The repeater connects ok, I can ping it and login to web interface. When a client connects to tp link wifi network it can't get IP. The mikrotik log says DHCP Server offering lease 192.168.88.114 for (mac of the client) to (mac of the TP LINK) without success. If I put static ip to the client and connect to TP link everything works ok. I downgraded to firmware 6.46.6 and it works fine.
> > I'm using cloudflare DOH server on raspberrypi
> > https://blog.cloudflare.com/deploying-g ... d-pi-hole/
> > also there is a problem with cloudflare public gateway over DOH. An error that appears in the mikrotik log:
> > DoH server connection error: SSL: handshake failed: unable to get local issuer certificate (6)
>
> Apparently you have not installed it correctly, or you have not configured the MikroTik router correctly.

but I installed the certificate from the mikrotik DOH wiki tutorial !

When you make your own DoH server, of course you need to get a certificate for it, and you need to load the root certificate for that into the MikroTik just as described on the WiKi.
> > Apparently you have not installed it correctly, or you have not configured the MikroTik router correctly.
>
> but I installed the certificate from the mikrotik DOH wiki tutorial !
>
> When you make your own DoH server, of course you need to get a certificate for it, and you need to load the root certificate for that into the MikroTik just as described on the WiKi.

Erfan DL I suspect that the pi's cloudflared app is not able to validate the cert info you are sending it because it does not know what to do with it. You may want to review the cloudflared documentation to see if it's possible to set up cert validation handshake with the router. The cloudflare site probably knows what to do when it sees the router validate the cert but the pi may not.
> > but I installed the certificate from the mikrotik DOH wiki tutorial !
>
> Erfan DL I suspect that the pi's cloudflared app is not able to validate the cert info you are sending it because it does not know what to do with it. You may want to review the cloudflared documentation to see if it's possible to set up cert validation handshake with the router. The cloudflare site probably knows what to do when it sees the router validate the cert but the pi may not.

forget about Pihole. MikroTik has a problem with the cloudflare gateway over DOH. I installed the root certificate but it gives an error.
> Could you please use "Post reply" button instead of quoting whole posts?
> Is it so hard?
> Do you think that such "quote escalation" helps to understand flow of discussion when you can just scroll one sentence back?

OK sorry about that
> Everyone - DNS wiki page has been updated - https://wiki.mikrotik.com/wiki/Manual:I ... over_HTTPS

When I try to follow these instructions with Google DoH DNS and use only GlobalSign Root CA certificate I constantly get "server connection error: SSL: handshake failed: unable to get local issuer certificate (6)". To get DoH working I need to use all 3 certificates from dns.google
> To get DoH working I need to use all 3 certificates from dns.google

Depends on whether or not the server ships the intermediate certificate. Then it looks like the Google server does not.
> Something is wrong somewhere. Manually updated 6.46.3 to 6.46.6
> /system package update install
> download 6.46.3 and install . . .

This likely means your router has been hacked. It is advisable to do a clean netinstall.
> Note that with the new static DNS record types you can forward both forward and reverse lookups:
> /ip dns static
> # For domain.lan
> add forward-to=192.168.100.1 name="domain.lan" type=FWD
> # For *.domain.lan
> add forward-to=192.168.100.1 regexp="\\.domain\\.lan\$" type=FWD
> # For 192.168.100.*
> add forward-to=192.168.100.1 regexp="\\.100\\.168\\.192\\.in-addr\\.arpa\$" type=FWD

It is a bit of a pity that the DNS server first checks regexp and then checks literal entries...
Exactly what I described above with my issue. So +1!
It would be nice if it first checked for exact matches of static records before it tried the regexp.
My US hAPs connect to the INTL wAP.
What do you mean by "all BROKE"? Could you please be more precise? Depending on what exact version you've upgraded from, regulatory settings could have changed.
I have a situation where I have a central wAP (INTL) and 2 hAPs (US) as bridges. They USED to use the 5 GHz band and after the upgrade it all BROKE.
I correctly had frequency-mode set to regulatory-domain, but apparently Mikrotik removed countries from the definitions based on the hardware version (INTL vs US).
Got everything running by switching the links to 2 GHz. 5 GHz is still broken.
I don't see a reason I shouldn't be able to use an INTL version and a US version together as long as you're properly using the settings for your region.
You can use the command "/interface wireless info allowed-channels wlan" to check allowed channels with your current settings. If setting both sides identically still does not make a connection, please write an e-mail to support@mikrotik.com and provide supout.rif from AP and STA.
A clean netinstall = download the netinstall program and the current RouterOS version, and re-install the router with format of the filesystem and default configuration.
This likely means your router has been hacked. It is advisable to do a clean netinstall.
do you mean netinstall or just Reset Configuration (hw reset and download default configuration)?
Indeed, unfortunately re-ordering does not work, I already had my in-addr.arpa regexp at the bottom of the list because I had the static entries in previous versions as well.
DNS entries are processed sequentially, just move the regex entry to the bottom (order by # column) and it will be checked last.
Sorry, regex seems to be evaluated before static entries, which is indeed not to be expected.
Then it's better to reflect this in the manual to avoid future questions. Especially since Firefox allows you to save all required certificates at once:
Depends on whether or not the server ships the intermediate certificate. Then it looks like the Google server does not.
To get DoH working I need to use all 3 certificates from dns.google
Is hAP set to Installation="indoor" instead of "any" ? Mikrotik does not allow outdoor frequencies if set to "indoor". Only "outdoor" and "any" are meaningful settings for Installation.
My US HAP's connect to the INTL WAP.
WAP:
channels: 5180/20-Ceee/ac(30dBm),5745/20-Ceee/ac(30dBm),
5750/20-Ceee/ac(30dBm),5755/20-Ceee/ac(30dBm),
5760/20-Ceee/ac(30dBm),5765/20-Ceee/ac(30dBm)
HAP:
channels: 5180/20-Ceee/ac(28dBm)
Settings on all are: Freq=auto, fmode=regulatory-domain, country="united states 3" (although that NOW doesn't seem to be an option on the WAP)
As I keep telling (to myself, it seems), regexps don't belong in DNS. I can't deny that they can be useful when you want to match things like <anything>.ads.<anydomain>.<tld> or something, but it's closer to a hack than a proper feature. Basic config should not require use of regexps. No regexps = no problem.
It would be nice if it first checked for exact matches of static records before it tried the regexp.
forward-zone:
name: "168.192.in-addr.arpa"
forward-addr: 10.0.0.1
forward-first: no
forward-zone:
name: "80.168.192.in-addr.arpa"
forward-addr: 10.0.0.2
forward-first: no
forward-zone:
name: "1.80.168.192.in-addr.arpa"
forward-addr: 10.0.0.3
forward-first: no
zone "168.192.in-addr.arpa" IN {
type forward;
forward only;
forwarders { 10.0.0.1; };
};
zone "80.168.192.in-addr.arpa" IN {
type forward;
forward only;
forwarders { 10.0.0.2; };
};
zone "1.80.168.192.in-addr.arpa" IN {
type forward;
forward only;
forwarders { 10.0.0.3; };
};
/ip dns static
add forward-to=10.0.0.3 regexp="^1\\.80\\.168\\.192\\.in-addr\\.arpa\$" type=FWD
add forward-to=10.0.0.2 regexp="^(.+\\.)\?80\\.168\\.192\\.in-addr\\.arpa\$" type=FWD
add forward-to=10.0.0.1 regexp="168\\.192\\.in-addr\\.arpa\$" type=FWD
/ip dns static
add forward-to=10.0.0.1 name="168.192.in-addr.arpa" type=FWD
add forward-to=10.0.0.2 name="80.168.192.in-addr.arpa" type=FWD
add forward-to=10.0.0.3 name="1.80.168.192.in-addr.arpa" type=FWD
You were correct SIR !!!! The wAP was on ANY and the hAPs were on indoors. But why has it worked for years and now they are enforcing it?
Is hAP set to Installation="indoor" instead of "any" ? Mikrotik does not allow outdoor frequencies if set to "indoor". Only "outdoor" and "any" are meaningful settings for Installation.
My US HAP's connect to the INTL WAP.
WAP:
channels: 5180/20-Ceee/ac(30dBm),5745/20-Ceee/ac(30dBm),
5750/20-Ceee/ac(30dBm),5755/20-Ceee/ac(30dBm),
5760/20-Ceee/ac(30dBm),5765/20-Ceee/ac(30dBm)
HAP:
channels: 5180/20-Ceee/ac(28dBm)
Settings on all are: Freq=auto, fmode=regulatory-domain, country="united states 3" (although that NOW doesn't seem to be an option on the WAP)
'Outdoor-only' frequencies do not exist, there are only "indoor-only" frequencies. But for some reason Mikrotik has this "outdoor-only" interpretation on outdoor allowed frequencies.
Rationale: indoor-only frequencies disturb emergency services and other priority systems if used outdoors.
[admin@MktOmnitik] > interface wireless info country-info
country: united states3
ranges: 2402-2472/b,g,gn20,gn40(30dBm)
5170-5250/a,an20,an40,ac20,ac40,ac80,ac160,ac80+80(30dBm)/indoor
5735-5835/a,an20,an40,ac20,ac40,ac80,ac160,ac80+80(30dBm)/outdoor
With Mikrotiks interpretation, this list should have been
5170-5250/a,an20,an40,ac20,ac40,ac80,ac160,ac80+80(30dBm)/indoor
5735-5835/a,an20,an40,ac20,ac40,ac80,ac160,ac80+80(30dBm)
They are enforcing the regulatory rules, step by step, update after update, because they have to, to keep their certification for FCC and CE. So suddenly from a specific version onward devices are bound to specific settings. (My SXTsq 5 ac's can only be set to "outdoor" since some specific ROS version. But what if I use them indoors???) The same thing happened to the minimal antenna gain, which is a correct action. But they are not very systematic in their implementation and so the built-in frequency list and the logic interpreting that list are out of sync. (Either you allow outdoor freq for indoor installations, or you remove ALL the /outdoor tags in that list.)
You were correct SIR !!!! The wap was on ANY and the haps were on indoors. But why has it worked for years and now there are enforcing it?
Anyway... apparently I was going down the wrong trail with INTL vs US... although they did take the US definitions out of the 6.47 running on INTL.
Thanks again....
No need to change the thread header. It may be better to start a new thread.
Because there was that hack where "upgrade" would always install a fixed version even when it was lower, presumably to get back to a vulnerable version.
pe1chl - What is the reason to believe that the router was hacked?
*) proxy - increased minimal free RAM that can not be used for proxy services;
I don't experience this problem, but it can be helpful to know that winbox connections immediately fail when there is no valid route for the traffic.
everything works normally, but whenever you make a change to BGP that causes a refresh or update then winbox disconnects IMMEDIATELY.
[l@MKT] > tool fetch url="http://upgrade.mikrotik.com/routeros/LATEST.6" output=user
pe1chl - What is the reason to believe that the router was hacked?
llubik - Please provide output of these commands - "tool fetch url="http://upgrade.mikrotik.com/routeros/LATEST.6" output=user", ":put [:resolve upgrade.mikrotik.com]".
In your photo I can see that you are using DoH DNS with a name, but there are no static or dynamic DNS entries to resolve its own DoH DNS name.
Wow DoH saved me from internet censorship.
The DoH server IP is entered in the static table.
In your photo I can see that you are using DoH DNS with a name, but there are no static or dynamic DNS entries to resolve its own DoH DNS name.
In MikroTiks wiki example they suggest that you add 1.1.1.1
This is a problem because you cannot use regulatory domain with your country, because antenna gain has to be set!
bpwl,krafg - The antenna gain setting is not available there anymore for the routers that have a built-in antenna.
I'm worried quite a bit that not everyone will come to the forum to find out. If they only use the GUI the LHG 5 ac will remain at its default setting viewtopic.php?f=13&t=162077
This is a problem because you cannot use regulatory domain with your country, because antenna gain has to be set!
bpwl,krafg - The antenna gain setting is not available there anymore for the routers that have a built-in antenna.
Apparently he hacked it himself!! That makes it a bit less dangerous than when someone else changed that setting and possibly was able to introduce bad firmware.
Because there was that hack where "upgrade" would always install a fixed version even when it was lower, presumably to get back to a vulnerable version.
pe1chl - What is the reason to believe that the router was hacked?
(a couple of scripts and changed DNS server which serves fake LATEST.6 file etc)
Dangerous to assume it can be fixed by reconfig.
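The attack described in this exchange works by hijacking the router's DNS so that the update check fetches a LATEST.6 file that advertises a pinned, older release. As an added example (not RouterOS code and not from this thread), the Python below shows the two checks a careful operator can do before trusting the update channel: compare the router's own resolution of the update host with an independent resolver, and compare the version offered in the fetched file with the running version so that a "latest" that is older than what is running is flagged. It assumes the first whitespace-separated token of LATEST.6 is the version string; the IP addresses and file contents are constructed.

```python
"""Added example (not RouterOS code): pre-flight check before trusting an
update offer, modelled on the DNS-hijack / forced-downgrade scenario above.
Assumption: the first token of LATEST.6 is the version. Inputs are constructed."""
import re

_VERSION = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:(beta|rc)(\d+))?$")
_STAGE = {"beta": 0, "rc": 1, None: 2}  # pre-releases sort below the final build


def parse_version(text):
    """'6.46.6' -> (6,46,6,2,0); '6.47rc2' -> (6,47,0,1,2); '7beta8' -> (7,0,0,0,8)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError("not a RouterOS version string: %r" % text)
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), _STAGE[stage], int(n or 0))


def offered_version(latest_file_text):
    """Version advertised by a LATEST.6-style file (first token, assumed)."""
    tokens = latest_file_text.split()
    if not tokens:
        raise ValueError("empty LATEST file")
    return tokens[0]


def assess_update(running, latest_file_text, resolved_ips, reference_ips):
    """Classify what an 'upgrade' would do and whether the channel looks hijacked.

    resolved_ips: what the router's own DNS returned for the update host
    (the ':put [:resolve ...]' output asked for above); reference_ips: the same
    name resolved through an independent resolver. A disagreement, or an offered
    version lower than the running one, matches the pattern described in the thread."""
    offered = offered_version(latest_file_text)
    off, run = parse_version(offered), parse_version(running)
    verdict = "upgrade" if off > run else "already current" if off == run else "DOWNGRADE"
    dns_consistent = set(resolved_ips) == set(reference_ips)
    return {"offered": offered, "verdict": verdict, "dns_consistent": dns_consistent,
            "suspicious": verdict == "DOWNGRADE" or not dns_consistent}


if __name__ == "__main__":
    # constructed: router and reference resolver disagree, and the file is old
    print(assess_update("6.46.6", "6.45.3 1500000000\n", ["198.51.100.7"], ["203.0.113.10"]))
```

A DOWNGRADE verdict is never a legitimate result of a clean "check for updates" on the stable channel, so it is a good trigger for the netinstall advice given above rather than a reconfiguration.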
Hi, Thanks for the feedback and reminder that disappearance of routes would disconnect me. I should have been clear as follows:
I don't experience this problem, but it can be helpful to know that winbox connections immediately fail when there is no valid route for the traffic.
I.e. unlike the classical recommendation for TCP where an "unreachable" condition during the connection setup would be handled quickly but an "unreachable" after the connection was successfully setup should be handled lazily (first try a couple of times before giving up), it fails as soon as the route is not there.
So maybe when your action results in all routes going away or flapping to another interface, this explains why your winbox connection fails.
I agree with you that it is inconvenient, I would like my winbox connections to survive a route rebuild or a router reboot on an intermediate router, but they don't.
(with SSH that problem does not occur)
I basically agree with that, but note that with reverse-DNS it is not so easy as you write when you do not have either a /8, /16 or /24 subnet mask!
As I keep telling (to myself, it seems), regexps don't belong in DNS. I can't deny that they can be useful when you want to match things like <anything>.ads.<anydomain>.<tld> or something, but it's closer to a hack than a proper feature. Basic config should not require use of regexps. No regexps = no problem.
It would be nice if it first checked for exact matches of static records before it tried the regexp.
I was just alarmed by Darmach that in his/her case it was found at 0. I don't know if he/she set it himself/herself.
No, the antenna gain setting will not be left at 0, it will be set to the correct gain for the product you have. At least when there are no bugs.
The idea is that the user of the product can not set it to more than 30dBm EIRP (in most countries) as this is the max allowed power.
Of course it would be better when the user can still set it lower, but "fiddling with the gain" never was a reasonable way to do that.
There should just be a "dBm EIRP" setting in the wireless interface, that sets the radio output correspondingly (first subtract the fixed antenna gain of the product).
So, for a short link you might set it to 20dBm instead.
True, that's another case where regexp can be useful. On the other hand, it should be much more efficient to find the result when there are only non-regexp entries. With those you can follow the hierarchy, check TLD first, then second level, etc. Regexp can be anything, so the whole thing needs to be evaluated, all regexp entries for every query.
... with reverse-DNS it is not so easy as you write when you do not have either a /8, /16 or /24 subnet mask!
I think the RouterOS resolver currently is not walking the DNS name top-down like a full recursive resolver would do. It can only match the entire name or forward the query to another server to do the full resolving.
True, that's another case where regexp can be useful. On the other hand, it should be much more efficient to find the result when there are only non-regexp entries. With those you can follow the hierarchy, check TLD first, then second level, etc. Regexp can be anything, so the whole thing needs to be evaluated, all regexp entries for every query.
... with reverse-DNS it is not so easy as you write when you do not have either a /8, /16 or /24 subnet mask!
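The two points argued in this sub-thread (exact names should be matched hierarchically before any regexp is tried, and reverse zones for prefixes that are not /8, /16 or /24 are awkward without regexps) can be made concrete. The Python below is an added example, not RouterOS code: it models a static FWD table in the two evaluation orders (the regexp-first order several posters observed on 6.47, and the most-specific-name-first order they ask for), using the 10.0.0.x forwarders and the 192.168.x reverse zones from the configs posted above, and it generates the set of plain in-addr.arpa zone names that cover an arbitrary IPv4 prefix so that no regexp is needed. The addresses and names are constructed; how RouterOS internally orders its lookups is what the posters report, not something this code proves.

```python
"""Added example (not RouterOS code): a model of static-DNS FWD matching.
(a) hierarchical exact-name match vs. the regexp-first order reported above;
(b) cover a reverse zone for a non-octet-aligned prefix with plain names.
Addresses and names are constructed."""
import ipaddress
import re

# Modelled on the entries posted above (a RouterOS export shows '\\.' for '\.')
TABLE = [
    {"name": "168.192.in-addr.arpa", "forward_to": "10.0.0.1"},
    {"name": "80.168.192.in-addr.arpa", "forward_to": "10.0.0.2"},
    {"name": "1.80.168.192.in-addr.arpa", "forward_to": "10.0.0.3"},
    {"regexp": r"168\.192\.in-addr\.arpa$", "forward_to": "10.0.0.1"},
]


def _zone_match(query, zone):
    return query == zone or query.endswith("." + zone)


def lookup(query, table=TABLE, regexp_first=False):
    """Return the forward-to address for query, or None.

    regexp_first=True mimics the order reported for 6.47 (a regexp entry wins
    even when a more specific name exists); False is the order the posters ask
    for: longest matching name first, regexps only as a fallback."""
    q = query.rstrip(".").lower()
    names = [e for e in table if "name" in e and _zone_match(q, e["name"].lower())]
    regexps = [e for e in table if "regexp" in e and re.search(e["regexp"], q)]
    if regexp_first and regexps:
        return regexps[0]["forward_to"]
    if names:  # most specific zone wins, as a recursive resolver would walk it
        return max(names, key=lambda e: len(e["name"]))["forward_to"]
    return regexps[0]["forward_to"] if regexps else None


def reverse_zones(cidr):
    """in-addr.arpa names covering an IPv4 prefix using exact names only.

    Returns (zones, exact). For prefixes longer than /24 the single /24 zone
    returned is wider than the prefix, so exact is False (precise coverage
    would need RFC 2317 style classless delegation)."""
    net = ipaddress.ip_network(cidr, strict=True)
    exact = net.prefixlen <= 24
    if not exact:
        net = net.supernet(new_prefix=24)
    boundary = next(b for b in (8, 16, 24) if b >= net.prefixlen)
    zones = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones, exact


def fwd_entries(cidr, forward_to):
    """Render RouterOS-style static FWD lines for every zone of a prefix."""
    zones, _ = reverse_zones(cidr)
    return ['add forward-to=%s name="%s" type=FWD' % (forward_to, z) for z in zones]


if __name__ == "__main__":
    print(lookup("1.80.168.192.in-addr.arpa"))                     # 10.0.0.3
    print(lookup("1.80.168.192.in-addr.arpa", regexp_first=True))  # 10.0.0.1
    print("\n".join(fwd_entries("192.168.80.0/22", "10.0.0.2")))
```

For a /22 the generator emits four /24 zone names, which is what replaces a single `^(.+\.)?80\.168\.192\...` style regexp; for anything longer than /24 it can only offer the enclosing /24, which is the case where a regexp (or delegation at the upstream server) is genuinely hard to avoid.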
That does the trick, thanks a lot for the hint!
To solve this issue first you have to change your Wireless Interface(s) name to the pre-set.
wlan1,wlan2,wlan3....
And finally you must reboot your device, after this your problem will be solved forever. And after that you can personalize and change their name.
It's possible you have changed the pre-written Wireless Interface name
To solve this issue First you have to change your Wireless Interface(s) name to the pre-set.
wlan1,wlan2,wlan3....
And finally you must reboot your device, after this your problem will be solved forever. And after that you can personalize and change their name.
Hello Jotne, good morning.
As it says in the opening post: Please keep this forum topic strictly related to this particular RouterOS release.
Did try with 6.45.9 as well but that exhibited the same problem.
We are seeing the same issue and rolling back all our 6.47 deployments. We did about 100 antennas as a test, and it's not good. There is an issue with the phased array algorithm, perhaps? It doesn't know when it is locked in.
Quick warning before putting 6.47 on 60GHz radios!
I loaded 6.47 on my 60GHz gear (wap60g, LHG, Cube's) and, with frequency 58320 (and region USA) selected, the links began to bounce all over the place.
Same issue with CRS125-24G-1S-RM. ROS 6.47, SFP ONU GePON is not detected any more. Rollback to 6.46.6 solved the situation.
On my hAP ac I have a major issue with 6.47. I had to rollback to 6.46.6.
On 6.47, my SFP module is no longer detected. It is a module ONT SERCOMM FGS202.
It's my first regression with Mikrotik
I have the same problem: on 6.46.6 all 96 clients connect, after update to 6.47 only 25-30 can connect at the same time, nothing suspicious in the logs. After downgrade to 6.46.6 all clients are connected.
Anyone else with a large number (over 130) of L2TP clients (only L2TP i.e. not L2TP/IPSec) notice that with 6.47, only a fraction (about 30 to 40) are able to connect to the router? I had to revert to 6.46.x to get my tunnels connected again.
Okay, I mentioned another release but I was testing it with 6.47 (hence in this thread) so from a strict perspective you are correct I shouldn't have mentioned it. Sometimes there are strange issues with software that manifest as problems with hardware. Try to forget the part about the non-6.47 software.
As it says in the opening post: Please keep this forum topic strictly related to this particular RouterOS release.
Did try with 6.45.9 as well but that exhibited the same problem.
viewtopic.php?f=21&t=161887&sid=65b55cc ... 52#p797499
I also get ip/smb error on 6.47:
192.168.101.46 dialect: NT LM 0.12
192.168.101.46 session setup GSS error: 0x90000
192.168.101.46 dialect: SMB 2.002
192.168.101.46 session setup GSS error: 0x90000
Because of this issue, for now I downgraded to 6.46.6 and all works fine.
Please fix it in next stable release.
I have the same problem: on 6.46.6 all 96 clients connect, after update to 6.47 only 25-30 can connect at the same time, nothing suspicious in the logs. After downgrade to 6.46.6 all clients are connected.
Anyone else with a large number (over 130) of L2TP clients (only L2TP i.e. not L2TP/IPSec) notice that with 6.47, only a fraction (about 30 to 40) are able to connect to the router? I had to revert to 6.46.x to get my tunnels connected again.
Same for me as well.
SMB is not working for me, log says
"
... dialect: SMB 2.002
session setup GSS error: 0x90000
"
On 6.47beta53 it works fine.
I totally agree. Each name entry can match only one name, each regexp entry can match multiple names.
Exactly what I described above with my issue. So +1!
It would be nice if it first checked for exact matches of static records before it tried the regexp.
Further testing shows reconnects are also a problem on 58320 on 6.46.6, just not as bad. As for 6.47, the problem only shows up if the APs are upgraded. Clients still on 6.47 are actually working just fine now with 6.46.6 APs.
We are seeing the same issue and rolling back all our 6.47 deployments. We did about 100 antennas as a test, and it's not good. There is an issue with the phased array algorithm, perhaps? It doesn't know when it is locked in.
Quick warning before putting 6.47 on 60GHz radios!
I loaded 6.47 on my 60GHz gear (wap60g, LHG, Cube's) and, with frequency 58320 (and region USA) selected, the links began to bounce all over the place.
This is not the case for me. Both my L2TP server and the clients that cannot connect have only one WAN IP. The L2TP server is on Google cloud and most of the L2TP clients are on 3G/LTE.
I'm also experiencing this issue and found that it happens when a client connects to an l2tp server that has multiple WAN IP's.
Even wiser is to use https://1.1.1.2/dns-query for included free malware site blocking.
This is all you need:
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
It begins well, the Mikrotik support asked me to check the hardware ...
Same issue with CRS125-24G-1S-RM. ROS 6.47, SFP ONU GePON is not detected any more. Rollback to 6.46.6 solved the situation.
On my hAP ac I have a major issue with 6.47. I had to rollback to 6.46.6.
On 6.47, my SFP module is no longer detected. It is a module ONT SERCOMM FGS202.
It's my first regression with Mikrotik
I have suggested several times that MikroTik should add a capability to run user code in a "sandbox" (separate user, chrooted filesystem, etc) to allow users to add features they think are essential but are too much work / too little reward for MikroTik to add to RouterOS itself.
Now if only Mikrotik could themselves add a pi-hole package to their RouterOS included packages to work together with DoH
I can expand further on this. In 6.46.6 when you open the BGP Advertisements page in winbox, and you have many routes, Winbox does not allow you to view all of them and instead gives a filter, and a warning about clicking a link to view all routes.
To clarify, things that will trigger this include: enable/disable a bgp peer. Refresh a peer, resend routes, adjust a route filter, or make a new route filter, or drag and drop a route filter. Simply clicking enable on an already enabled route filter will do it too. Also a large number of route changes triggered by the remote peer will also cause it.
You can reconnect, and it will disconnect again IMMEDIATELY.
bpwl,krafg - The antenna gain setting is not available there anymore for the routers that have a built-in antenna.
I am fully aware that the antenna gain setting can be illegal.
Antenna gain should not be changed, especially for devices with built-in antennas. What were you trying to achieve anyway?
If your signal is too weak, fix position or alignment. Playing with antenna gain is not the right way and can be illegal.
With a built-in antenna the antenna gain supposedly has been measured and there should be no reason to set it.
I am fully aware that the antenna gain setting can be illegal.
Antenna gain should not be changed, especially for devices with built-in antennas. What were you trying to achieve anyway?
If your signal is too weak, fix position or alignment. Playing with antenna gain is not the right way and can be illegal.
So, I fixed position and alignment.
Can antenna gain be illegal for routers that have detachable antennas?
I am sorry, but I do not understand why routers with built in antennas are affected with this, others are not.
Please explain, what is so special about builtin antennas, that they have to have this limit.
The manual page (https://wiki.mikrotik.com/wiki/Manual:I ... e/Wireless) says:
using tx power mode "card rates" and "tx power" value
Hope they will react adequately to this issue at some point.
It begins well, the Mikrotik support asked me to check the hardware ...
Same issue with CRS125-24G-1S-RM. ROS 6.47, SFP ONU GePON is not detected any more. Rollback to 6.46.6 solved the situation.
On my hAP ac I have a major issue with 6.47. I had to rollback to 6.46.6.
On 6.47, my SFP module is no longer detected. It is a module ONT SERCOMM FGS202.
It's my first regression with Mikrotik
I also tried 6.47rc2 and 7beta8 and it's the same thing with the SFP module.
Sentenced to stay in 6.46.6?
This is becoming a bad joke. Normis, what was the last release you have worked with on a Mikrotik with built-in antenna? "Card rates" cannot be set with regulatory domain !!! (It can actually mostly never be set)
using tx power mode "card rates" and "tx power" value
wow! True. Tested on hAP ac2...
This is becoming a bad joke. Normis, what was the last release you have worked with on a Mikrotik with built-in antenna? "Card rates" cannot be set with regulatory domain !!! (It can actually mostly never be set)
using tx power mode "card rates" and "tx power" value
On neither 2.4 GHz or 5 GHz
(attached screenshots: Klembord-2.jpg, Klembord-3.jpg)
Tested on hAP ac2 and wAP ac, not uncommon devices.
"Card rates" has not worked for a long time, you probably just confused it with "all rates fixed", which is more difficult to keep within legal limits as the higher MCSes have higher frequency side-lobes and must be set lower to be legal. (That was the reason for the gone "card rates".) Who will use that lower value as fixed rate?
The only thing that works now is this, and that is NOT, absolutely NOT, what we want or need.
(attached screenshots: Klembord-4.jpg, Klembord-5.jpg)
Your limit check on the minimal gain for built-in antennas is strict enough, and is almost everywhere (except for LHG, where it makes a major difference)
What we want is this, not in % please, but in total dBm (Like the empty "Current TX power" would be if not empty.)
Dynamic power is just another beauty , but hey with this it will do:
(The % is not linear, but highly related to dBm, but they'd better give exact dBs instead)
(attached screenshot: Klembord-6.jpg)
2 on wAP ac on both radios.
What is the default antenna-gain for wAP ac and cAP ac? Because I cannot set even regulatory domain on my routers.
In documentation written 0 is default but if i set 0 then it is not possible to set regulatory domain.
https://mikrotik.com/product/RBwAPG-5HacT2HnD
What is the default antenna-gain for wAP ac and cAP ac? Because I cannot set even regulatory domain on my routers.
In documentation written 0 is default but if i set 0 then it is not possible to set regulatory domain.
Agree. Even low-end vendors have the ability to lower tx power in a simple way.
With the inability to lower transmit power with the new versions, looks like it's time to look at other vendors.
I think you need to look first at what powers it uses for the different MCS when set at the maximum allowed power (the automatically calculated values),
Mode "all-rates-fixed"? Seems it is not safe since the manual says "Can damage the card if transmit power is set above rated value of the card for used rate".
Mode "manual-table"? I'm not sure I want to set up TX power for every MCS explicitly.
Thanks for the suggestion, but hAP ac^2 always shows current TX power as zeros for 2.4 GHz. And the 5 GHz interface shows nothing.
I think you need to look first at what powers it uses for the different MCS when set at the maximum allowed power (the automatically calculated values),
and then use all-rates-fixed but with only values less than the maximum value you see in that list.
Agree. Even low-end vendors have ability to lower tx power in a simple way.With the inability to lower transmit power with the new versions, looks like it's time to look at other vendors.
Dear Mikrotik, what is official way to reduce TX power for HAP AC^2 with 6.47?
Mode "card-rates" does not work, "not supported".
Mode "all-rates-fixed"? Seems it is not safe since the manual says "Can damage the card if transmit power is set above rated value of the card for used rate".
Mode "manual-table"? I'm not sure I want to set up TX power for every MCS explicitly.
I'd like to specify precise dBm or percent of maximum dBm.
Antenna gain was a workaround to do this, but now it is not possible.
I tried with a hAP ac and this shows the correct values for 2.4 GHz but indeed for 5 GHz it shows nothing.
Thanks for the suggestion, but hAP ac^2 always shows current TX power as zeros for 2.4 GHz. And the 5 GHz interface shows nothing.
I think you need to look first at what powers it uses for the different MCS when set at the maximum allowed power (the automatically calculated values),
and then use all-rates-fixed but with only values less than the maximum value you see in that list.
i don't remember any ros version to ever show anything under 5 GHz
but indeed for 5 GHz it shows nothing.
Well, for those 2-band models maybe. For 5 GHz-only models (LHG5 etc) it works OK.
i don't remember any ros version to ever show anything under 5 GHz
but indeed for 5 GHz it shows nothing.
I think the problem is in ARM chips.
For 5 GHz-only models (LHG5 etc) it works OK.
hAP ac is MIPS also
I think the problem is in ARM chips.
For 5 GHz-only models (LHG5 etc) it works OK.
LHG5 uses MIPS architecture.
Now (and possibly always) ROS does not have support for some wireless configurations.
/ip firewall filter remove [find where comment="testing"]
Does it work when you split it over two lines:
With this stable v6.47 release on my CCR1009
via CLI if I issue the following directive
/ip firewall filter remove [find where comment="testing"]
the directive completes without error but the rule is not removed
Why?
/ip firewall filter
remove [find where comment="testing"]
/ip firewall filter export
With this stable v6.47 release on my CCR1009
via CLI if I issue the following directive
/ip firewall filter remove [find where comment="testing"]
the directive completes without error but the rule is not removed
Why?
Nope, does not work
Does it work when you split it over two lines:
/ip firewall filter remove [find where comment="testing"]
/ip firewall filter remove number=number
Another Test
Make sure case is correct if text, also, there might be other characters in the comment string, so maybe also try "like ~" instead of "equal =".
/ip firewall filter remove [find comment~" testing"]
Very interesting, what you discovered. Did you test it on your own equipment, or did you take the information from the internet?
Hello, we observed that in the CCRs and RBs used as PPPoE concentrators there were reports of slow navigation - version 6.47. An RB1100 normalized when an earlier version was installed.
Give us more info about that.
Oh wow, that's a killer feature I've been waiting for years!
*) ipsec - allow specifying two peers for a single policy for failover;
I have the same issue with a slightly different configuration (utilizing capsman). Also I notice that ARP entries no longer time out, which may be part of the issue?, even if you set a 5s timeout on the bridge. Do an IPScan of the subnet, and the blank entries just stay there forever. Also seeing some weirdness with the ARP entries themselves, instead of pointing to the actual devices, they are pointing to another client I have bridging the connection, even when they aren't on that side of the bridge.
Hello !
Unfortunately, the problem known from old versions of RouterOS has returned. TL-WR841 cannot get IP from Mikrotik DHCP (still get defconf offering lease without success). Downgrade to 6.46.6 and everything is back to normal.
viewtopic.php?t=119702
Problematic configuration:
TL-WR841 <-- WDS Client to MT --> hAP ac^2
After update to 6.47 we faced an issue that two clients (L2TP/IPsec) with one IP address can't work fine, only one of them may connect, the other one gets an error. On 6.46.6 we didn't have this behaviour. It seems like NAT Traversal is broken. Did anyone else face this?
I have the same problem: on 6.46.6 all 96 clients connect, after update to 6.47 only 25-30 can connect at the same time, nothing suspicious in the logs. After downgrade to 6.46.6 all clients are connected.
Anyone else with a large number (over 130) of L2TP clients (only L2TP i.e. not L2TP/IPSec) notice that with 6.47, only a fraction (about 30 to 40) are able to connect to the router? I had to revert to 6.46.x to get my tunnels connected again.
I'm also experiencing this issue and found that it happens when a client connects to an l2tp server that has multiple WAN IP's.
Scenario:
L2TP client has two tunnels, first tunnel connects to my server dedicated l2tp WAN IP, second tunnel to general internet WAN IP.
One connects but the other doesn't. If I make both tunnels the same IP then both connects.
Hope this helps in troubleshooting the latest version bug.
Regards
Hello, erchegov!
After update to 6.47 we faced an issue that two clients (L2TP/IPsec) with one IP address can't work fine, only one of them may connect, the other one gets an error. On 6.46.6 we didn't have this behaviour. It seems like NAT Traversal is broken. Did anyone else face this?
I have the same problem: on 6.46.6 all 96 clients connect, after update to 6.47 only 25-30 can connect at the same time, nothing suspicious in the logs. After downgrade to 6.46.6 all clients are connected.
Anyone else with a large number (over 130) of L2TP clients (only L2TP i.e. not L2TP/IPSec) notice that with 6.47, only a fraction (about 30 to 40) are able to connect to the router? I had to revert to 6.46.x to get my tunnels connected again.
I'm also experiencing this issue and found that it happens when a client connects to an l2tp server that has multiple WAN IP's.
Scenario:
L2TP client has two tunnels, first tunnel connects to my server dedicated l2tp WAN IP, second tunnel to general internet WAN IP.
One connects but the other doesn't. If I make both tunnels the same IP then both connects.
Hope this helps in troubleshooting the latest version bug.
Regards
Please explain in detail what you mean. Where did you install the 6.47 (on the server, on the clients, or both) and who has a single IP address (the server, both the clients?).
After update to 6.47 we faced an issue that two clients (L2TP/IPsec) with one IP address can't work fine, only one of them may connect, the other one gets an error. On 6.46.6 we didn't have this behaviour. It seems like NAT Traversal is broken. Did anyone else face this?
I mean that two L2TP/IPsec clients behind the same NAT don't work correctly with the server on 6.47, but with the server on 6.46.6 everything is fine.
Please explain in detail what you mean. Where did you install the 6.47 (on the server, on the clients, or both) and who has a single IP address (the server, both the clients?).
After update to 6.47 we faced an issue that two clients (L2TP/IPsec) with one IP address can't work fine, only one of them may connect, the other one gets an error. On 6.46.6 we didn't have this behaviour. It seems like NAT Traversal is broken. Did anyone else face this?
Are the two clients two different routers behind the same NAT or are they two client L2TP instances on the same router?
Please include your client and server config export for the L2TP server/client.
Two L2TP/IPsec clients behind the same NAT has never worked correctly unless you applied a complicated workaround, so I presume you don't mean that.
That is very strange. As far as I know it is not supposed to work in any version, but maybe there was a workaround in some sub-versions of 6.46
I mean that two L2TP/IPsec clients behind the same NAT don't work correctly with the server on 6.47, but with the server on 6.46.6 everything is fine.
I use a CCR1036 as L2TP/IPsec server and before updating to 6.47 I could connect two clients from the same NAT.
I also have another CHR with 6.46.6 as L2TP/IPsec server and have no trouble connecting two clients from the same NAT.
CCR and CHR have the same configurations of L2TP and IPsec.
After update 6.47 we faced with issue that two clients (L2TP/IPsec) with one ip address can't work fine, only one of them may to connect, another one get an error. On 6.46.6 we haven't this behaviour. It seems like NAT Traversal is broken. Did anyone else face with this?I have the same problem 6.46.6 all 96 clients connect, after update 6.47 only 25-30 can connect at the same time, nothing suspicious in the logs. After downgrade to 6.46.6 all Clients are connectetAnyone else with a large number (over 130) of L2TP clients (only L2TP i.e. not L2TP/IPSec) notice that with 6.47, only a fraction (about 30 to 40) are able to connect to the router? I had to revert to 6.46.x to get my tunnels connected again.
I'm also experiencing this issue and found that it happens when a client connects to an L2TP server that has multiple WAN IPs.
Scenario:
The L2TP client has two tunnels: the first tunnel connects to my server's dedicated L2TP WAN IP, the second tunnel to the general internet WAN IP.
One connects but the other doesn't. If I make both tunnels use the same IP then both connect.
Hope this helps in troubleshooting the latest version bug.
Regards
I have a CCR1009 running with 20 L2TP/IPsec clients (and other things of course) and have had no issues, but I read that people with more than 30 clients have issues.
My L2TP/IPsec clients failed after 6.47; I was able to downgrade back to 6.46.6 and everything worked OK again.
13:31:30 dns,error DoH server connection error: Idle timeout - waiting data
13:31:30 dns,error DoH server connection error: Idle timeout - waiting data
13:31:43 dns,error DoH server connection error: SSL: internal error (6)
13:31:43 dns,error DoH server connection error: SSL: internal error (6)
13:31:45 dns,error DoH server connection error: SSL: internal error (6)
13:31:59 l2tp,ppp,info mzk1: terminating... - session closed
13:32:00 l2tp,ppp,info mzk1: disconnected
13:32:05 dns,error DoH server connection error: SSL: internal error (6)
13:32:05 dns,error DoH server connection error: SSL: internal error (6)
13:32:23 dns,error DoH server connection error: SSL: internal error (6)
13:32:25 dns,error DoH server connection error: SSL: internal error (6)
13:32:25 dns,error DoH server connection error: SSL: internal error (6)
13:32:25 dns,error DoH server connection error: SSL: internal error (6)
13:32:25 dns,error DoH server connection error: SSL: internal error (6)
13:32:36 dns,error DoH server connection error: SSL: internal error (6)
13:32:36 dns,error DoH server connection error: SSL: internal error (6)
13:32:36 dns,error DoH server connection error: SSL: internal error (6)
13:32:36 dns,error DoH server connection error: SSL: internal error (6)
13:32:36 dns,error DoH server connection error: SSL: internal error (6)
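Added example, not code from the thread or from MikroTik: a small Python triage script for RouterOS log lines in the format shown above. It counts DoH connection-error reasons, flags seconds in which the same DoH error repeats in a burst, and lists L2TP session events, so the two problems can be told apart quickly; the embedded sample is constructed from a subset of the lines posted above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the RouterOS log excerpt posted above.
SAMPLE_LOG = """\
13:31:30 dns,error DoH server connection error: Idle timeout - waiting data
13:31:43 dns,error DoH server connection error: SSL: internal error (6)
13:31:59 l2tp,ppp,info mzk1: terminating... - session closed
13:32:00 l2tp,ppp,info mzk1: disconnected
13:32:25 dns,error DoH server connection error: SSL: internal error (6)
13:32:25 dns,error DoH server connection error: SSL: internal error (6)
13:32:25 dns,error DoH server connection error: SSL: internal error (6)
13:32:25 dns,error DoH server connection error: SSL: internal error (6)
"""

# RouterOS log line as exported in the thread: "<time> <topic,topic,...> <message>"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
DOH_RE = re.compile(r"^DoH server connection error: (.*)$")
L2TP_RE = re.compile(r"^(\S+): (terminating\.\.\. - session closed|disconnected)$")


def parse_line(line):
    """Split one log line into time, topic list and message; None if not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, topics, msg = m.groups()
    return {"time": ts, "topics": topics.split(","), "msg": msg}


def triage(log_text, burst_threshold=3):
    """Summarise DoH failures per reason, per-second DoH bursts and L2TP session events."""
    doh_reasons = Counter()
    doh_per_second = Counter()
    l2tp_events = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if "dns" in entry["topics"]:
            m = DOH_RE.match(entry["msg"])
            if m:
                doh_reasons[m.group(1)] += 1
                doh_per_second[entry["time"]] += 1
        elif "l2tp" in entry["topics"]:
            m = L2TP_RE.match(entry["msg"])
            if m:
                l2tp_events.append((entry["time"], m.group(1), m.group(2)))
    bursts = sorted(t for t, n in doh_per_second.items() if n >= burst_threshold)
    return {"doh_reasons": dict(doh_reasons), "doh_bursts": bursts, "l2tp_events": l2tp_events}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```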
That's the first thing I did: I tried connecting the clients behind the same NAT IP to different endpoints on the server, but only one of them connected successfully.
that I don't know about and which has now been removed again because it caused other problems...
I run two L2TP/IPsec servers each with a number of clients connected and I did not experience any problem with those, but they do not have clients behind the same NAT. On one of them there is both a GRE/IPsec and an L2TP/IPsec tunnel from the same client IP, but they go to different IPs on the server. When you have more than one IP on the server you can use that as a workaround (let each of the clients behind the same NAT connect to a different IP on the server).