MikroTik

@moep please contact support and attach supout files from rc version and supout file from downgraded router where ipsec is crashing.

Password size was limited, in next RC this limitation will be removed.

Version 6.38rc51 has been released.
Changes since previous version:

!) switch - added hardware STP functionality for CRS devices and small Atheros switch chips (http://wiki.mikrotik.com/wiki/Manual:CR ... e_Protocol);
*) bridge - fixed VLAN BPDU rx and tx when connected to non-RouterOS device with STP functionality;
*) capsman - fixed CAP upgrade when separate wireless package is used (introduced in 6.37);
*) console - fixed multi argument value unset;
*) dhcp - fixed DNS server assignment to client if dynamic server exists and is from another IP family;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) hotspot - fixed nat rule port setting in hs-unauth-to chain by changing it from dst-port to src-port on Walled Garden ip return rules;
*) ipsec - do not auto-negotiate more SAs than needed;
*) ipsec - make generated policies always as unique;
*) ipsec - show active flag when policy has active SA;
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) ipv6 - moved empty IPv6 pool error message to error topic;
*) radius - added IPSec service to console;
*) snmp - always report bonding speed as speed from first bonding slave;
*) wireless - fixed action frame handling for WDS nodes;
*) wireless - fixed full "spectral-history" header print on AP modes;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Version 6.38rc51 has been released.

Those RCs just keep coming and coming

This is going to be the biggest release ever.

Version 6.38rc51 has been released.

Those RCs just keep coming and coming

This is going to be the biggest release ever.

I hope to be one of the best releases ... Bug free and stable Christmas gift,for all Mikrotik fans.

Version 6.38rc51 has been released.
Changes since previous version:
...
*) ipsec - various additional work on IKEv1/IKEv2 support;
....

Seems that IKE polishing is taking some hard time and effort, to my memory this is first time RC have reached 50+ EVER!!!

Note: hardware RSTP is finally working as expected, thanks!

This is going to be one of the biggest RouterOS releases.

Thanks to Mikrotik support and developers for all the hard work they are putting in.

Can anyone confirm that STP only works with master/slave port and no additional "/interface ethernet switch vlan" config?

Version 6.38rc52 has been released.
Changes since previous version:
*) bonding - fixed "tx-drop" on VLAN over bonding on x86;
*) bonding - fixed kernel failure when bonding slave interface receives BPDU (introduced in 6.38rc51);
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ethernet - fixed "tx-fcs-error" on SFP+ interfaces when loop-protect is enabled ;
*) ipsec - fixed kernel failure on tile with sha256 when hardware encryption is not being used;
*) ipsec - fixed ph2 auto-negotiation by checking policies in correct order;
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) ipv6 - fixed "accept-router-advertisements" behaviour;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

Just sent one report. I tried upgrading from rc48 to rc52 on a point to point link using two SXT-ac units. The wlan interface associated correctly to the AP but it stopped moving packets.

Downgrading the station SXT-AC to rc48 made it work again.

Just tried RB2011 upgrade from 6.37.2 to 6.38.rc52. Router did not returned after upgrade.
After visual inspection is clear that system is in boot loop (on startup are lighting up 3 port leds and after 3s everything goes down). At the boot the LCD display shows, that system is loading kernel, then it stops and after 1s it try again.....

Support guys what you can advice? netinst? or i can get some info whats happening via serial console?

At the log console MT6.38rc52:
"package channel changed by admin" - wtat's that?!
I have never seen that log before. I hav NO wireless package at this RB493G.
So - what does mean that log info? It's "system,info" category message.

At the log console MT6.38rc52:
"package channel changed by admin" - wtat's that?!
I have never seen that log before. I hav NO wireless package at this RB493G.
So - what does mean that log info? It's "system,info" category message.

you changed channel in "/system package update set channel=" or in winbox choose different item in dropdown

I found a strange behavior with 6.38rc52 vs. 6.38rc48.

Here the architecture:

Additional info:
- EdgeSwitch has STP disabled
- hEX POE has its ports in bridge mode acting as a managed POE switch
- hAP is also bridged and runs a NTP Server with GPS, with its wireless interface disabled
- RB922 has 2 wireless interfaces, using VLANs and BGP with the RB1100

Now there is a strange behavior when trying to access the components from a machine connected to the Edgeswitch.
- The moment I upgrade the RB922 to 6.38rc52, the access to the hEX POE and the connected camera will fail.
- If I reset the RB260GSP, the hEX and the camera will come on line for some 30 sec and then be inaccessible again.
- The system behaved correctly when both 922 and hAP used 6.38rc48 (hEX and RB1100 had 6.37.3)
- The RB922 behaves correctly in both instances
- Downgrading the RB622 to 6.37.3 brings normal behavior back

Hi Marius,

Do you have STP enabled on any of the bridges inside MikroTik routers?
It appears that there is new functionality in this area. I read that STP is now supported on switch chips with
the trick (?) of providing it from a connected bridge. I often set the STP protocol to "none" on bridges in cases
where there is no danger of loops, did you try that?

Thank you Rob for the suggestion.

I disabled STP on the hEX POE and on the hAP and it seems to work now.
But I still did not expect this to happen...

It is not correct but maybe it can be explained from the new functions in 38rc.
Did you also try to enable STP everywhere?
When there is no bridge in the RB260 it could be required to add one.
(I did not really investigate the "STP for switch provided by bridge" function yet)

In non working conditions, all routers had RTSP enabled on the connected bridges, including on VLAN bridges.
Just the Edgeswitch has STP/RTSP disabled, because I did not get it to work on VLANs with it enabled.

Can someone tell how is CPU usage with site 2 site VPN connection using IKEv2?

Ike is phase1 protocol so in terms of forward speed over the tunnel ike2 does not differ from ikev1.

Anybody had a look at the latest v6.38rc changelogs? Seriously guys, what's up? 165 changes since v6.37.3?

Never ever has a changelog been so huge. That's going to be the biggest release for MikroTik ever. Looking forward to it, can't await v6.38 showing up in channel bugfix only.

*) nand - implemented once a week nand refresh to improve stored data integrity *) nand - improved nand refresh feature to enhance stored data integrity

Why dont you add an option to turn on/ off those features introduced in 6.35 rc 43 and 6.36 rc 7?


Merry Christmas!

Wasn't such feature implemented some time ago already? Reinventing a wheel....

Exactly!

..[cut]..
*) bridge - fixed VLAN BPDU rx and tx when connected to non-RouterOS device with STP functionality;
..[cut]..

Can I have more info about that ? Thank you.

Anyone experiencing mangle problems on 6.38rc52? I'll elaborate:

Problem started approximately one day after I replaced some configuration on a RB2011 to a hEX v3. Mangle is pretty simple, chain prerouting from a vlan with action mark routing. Today it stopped working and I can't seem to find the problem, double checked NAT/Firewall/routes and nothing, only strange thing is I find lots of "time wait" TCP States on connections. Testing speed, latency and upload is ok, but download shows error.

Interesting thing is that the error occurs in this network where I have a route to the ISP modem, but If I route it to a PPPoE connection, it works fine. Can't put that modem in bridge though, and tested connection directly to the modem, or without the mangle and works fine.

Let me know if I haven't made myself clear, but any help is appreciated.

Well, I've had a similar issue somewhere in this RC at 2016-12-02.

The following NAT rules were passed.

This was fixed by disabling and enabling the concerend rules a single time.
(As the firewall rules filter on connection state dstnat, the traffic couldn't get through)
I've downgraded and re-upgraded several times but couldn't reproduce the issue therefore did not report it.

This is not mangle related, but also concerns connection tracking. Could you try disabling / enabling the mangle rules and check the outcome? Perhaps create a backup and/or supout.rif before if it has effect for support ticket purposes.

Thanks for the quick response. I've certainly disabled and enabled the rules during the troubleshooting, but not sure if tested without altering anything else. Will do first thing on the afternoon and send the supout to support anyway, since I'm not the first with similar issues, maybe it's not something I'm doing wrong.

Will try disabling the related nat and firewall rules too, just in case.

Well, I've had a similar issue somewhere in this RC at 2016-12-02.

The following NAT rules were passed.

When you add NAT rules for traffic that is already flowing, the NAT rule will not be triggered anymore
because the established session will pre-empt that. Same reason why the NAT rule onlu counts
the first packet of every session (some people wonder why the counters on NAT rules are so low).

When this leads to confusing situations, it is best to reboot the router.

are there plans to add NAT for IPv6 ?
at home i have dynamic ipv6 from the provider and a static ipv6 net with no flatrate at tunnelprovider.
the simplest solution is to NAT unknown networks und known networks without NAT for static firewall config.

Now that I installed the 6.38rc on my home router, I notice a new problem in the WebFig:
The AS number for a BGP peer is displayed as a signed value. AS values that are near to the 32-bit unsigned limit (i.e. the Private AS range 4200000000 - 4294967294) are incorrectly displayed as negative numbers.
This is unfortunate as we widely use these AS numbers in our HAMNET network.

This is the third bug in WebFig in 6.38RC that I encounter and that appears to be related to signed/unsigned handling.
I think an investigation into possible further issues similar to this is in order. It appears some datatype change has been made that is not correct or not well tested for consequences.

As mentioned in other threads there still is an issue with DHCPv6 PD in certain scenarios.
My provider uses DHCPv6 PD to assign IPv6 addresses, the lease has a 2 hour lifetime but it becomes invalid when the PPPoE session is closed.
While everything works OK in RouterOS with a DHCPv6 client configured on the PPPoE interface, unfortunately the router stores the obtained
lease and does not track the down-status of PPPoE. When the link has been reset or the modem is rebooted, the existing lease is used but
the provider does not route IPv6 until a new lease is obtained. It recovers at the end of the 2 hour lifetime period or when a RELEASE is done,
but it would be preferable when a new lease is requested automatically whenever:
- the router is rebooted
- the underlying PPPoE link goes down

As I understand that in some other cases this behavior may not be optimal or be considered nonstandard, maybe an option could be
added to the DHCPv6 client such that it:
- does not store the lease on disk
- deletes the lease whenever the link goes down

Or alternatively: provide a mechanism to run a script whenever a PPPoE link comes up, so I can put this command into that:
/ipv6 dhcp-client release [find status=bound]
That fixes the problem immediately...

Version 6.39rc has been released:
http://forum.mikrotik.com/viewtopic.php?f=21&t=116357