MikroTik

Posted: **Thu Jul 05, 2018 9:52 pm**

wAP60G 240m link updated from rc32 to rc42, client not connecting any more in scan see signal but not connecting, back to 6.42.5 it is working again, but seem to me it is not stable as has been in 6.42.1.

Also please check scan for frequency 64800 seems to me it is not scanning that frequency when click scan button.
Fixes for connecting issues will be included in next RC version

I can confirm, LHG60 does not connect for more than few seconds, still disconnecting and reconnecting. Back on 6.42.5 - works again OK.

Posted: **Thu Jul 05, 2018 11:19 pm**

wAP60G 240m link updated from rc32 to rc42, client not connecting any more in scan see signal but not connecting, back to 6.42.5 it is working again, but seem to me it is not stable as has been in 6.42.1.

Also please check scan for frequency 64800 seems to me it is not scanning that frequency when click scan button.
Fixes for connecting issues will be included in next RC version
I can confirm, LHG60 does not connect for more than few seconds, still disconnecting and reconnecting. Back on 6.42.5 - works again OK.

same here

Posted: **Fri Jul 06, 2018 1:09 am**

If you remove the w60g interface from getting added to bridge, the link works. otherwise it reconnects constantly.

Please fix

Posted: **Fri Jul 06, 2018 1:21 am**

I wonder if the same limitations and/or problems apply to LHGG-60ad. Anyone installed them? We are expecting a pair of those and I was wondering what would be the best stable ROS for it. It will be a production link so stability is a must.

Posted: **Fri Jul 06, 2018 7:05 am**

amokkatmt - If your router can reach cloud server over IPv6, then Cloud should resolve to IPv6 address instead of IPv4. That happens automatically;
npero, mlenhart, mistry7, CoMMyz - Improvements on this version have had some side affects that will be resolved in upcoming rc releases;
notToNew - Problem was present because upgrade was made directly from pre-6.41 release. With rc42 upgrade from these versions should work just fine regarding this matter;
nz_monkey, msatter - This device does not have anything to show under System/Health menu. As you can see, this product does not have anything listed under "Other" as a monitoring tool (https://mikrotik.com/product/cap_ac), but for example, this one does (https://mikrotik.com/product/RB1100Dx4);
sutrus, LeftyTs - Please contact support@mikrotik.com regarding this matter;
irghost - Can you reach cloud.mikrotik.com from your device? I recommend that you contact support@mikrotik.com;
LeftyTs - Do not ever use an rc version on important devices. Rc versions are released strictly for testing purposes (for your test labs, not for real life scenarios).

Posted: **Fri Jul 06, 2018 8:08 am**

amokkatmt - If your router can reach cloud server over IPv6, then Cloud should resolve to IPv6 address instead of IPv4. That happens automatically;

Does it resolve to IPv6 address exclusively then? That would be a real issue for be, because I have devices connected via dual stack, but connect to them from IPv4-only networks.

Posted: **Fri Jul 06, 2018 10:11 am**

I wonder if the same limitations and/or problems apply to LHGG-60ad. Anyone installed them? We are expecting a pair of those and I was wondering what would be the best stable ROS for it. It will be a production link so stability is a must.

6.42.5 (latest current till now) works OK for me.

Posted: **Fri Jul 06, 2018 10:12 am**

At the moment RouterOS tries to resolve cloud2.mikrotik.com IPv4 and IPv6 addresses. After that tries to reach IPv4 server, if server is reachable over IPv4, then this address will be used. if IPv4 server is not reachable, then try to use IPv6. At the moment IPv6 cloud is used as a fallback.

Posted: **Fri Jul 06, 2018 12:39 pm**

So, if RouterOS connects to the Cloud via IPv4 address, it adds 'A' record, and via IPv6 it adds 'AAAA' record? Can we have adding both records, or at least force A record to be added? I have ipip tunnels between routers, and I don't think they will work if address changes from A to AAAA after upgrade/reboot...

Posted: **Fri Jul 06, 2018 12:43 pm**

Fallback? That's worrying.. I'd rather have IPv6 as an optional feature.

I'm hosting several services on IPv4 endpoints (NATted to internal servers, DNS entry CNAME'd to mynetname.net).
Some services could be hosted via IPv6, but they'd have different IPv6 address (no IPv6 NAT possible).
Some services cannot be hosted via IPv6.

If cloud update fails somehow, I'd rather have the old IPv4 entry stay the same than to suddenly have an IPv6 address which would break all of the hosted-behind-the-MT services.

Posted: **Tue Jul 10, 2018 1:00 pm**

I would better have two separate checkboxes in /ip cloud, one for IPv4 and one for IPv6. Depending on which option is checked, DNS records for the automatically generated FQDN should be created for the IPv4 address, the IPv6 address or BOTH. Even better, have two automatically generated FQDNs, one with a "-ip4" and one with "-ip6" suffixes after the serial number and associate each with the respective address.

Posted: **Tue Jul 10, 2018 7:48 pm**

Even better, have two automatically generated FQDNs, one with a "-ip4" and one with "-ip6" suffixes after the serial number and associate each with the respective address.

Why do you think two DNS names (one with A record and one with AAAA record) is better than having one DNS name with both A and AAAA records?

Posted: **Tue Jul 10, 2018 7:55 pm**

Because that way you can explicitly choose using which protocol you want to connect to the device by choosing the corresponding domain name

Posted: **Wed Jul 11, 2018 11:58 am**

Even better, have two automatically generated FQDNs, one with a "-ip4" and one with "-ip6" suffixes after the serial number and associate each with the respective address.
Why do you think two DNS names (one with A record and one with AAAA record) is better than having one DNS name with both A and AAAA records?

Because if for example you have a network with different restrictions for IPv4 and IPv6, you can explicity choose which protocol to use to manage the devices, instead of the device deciding for you.

Posted: **Thu Jul 12, 2018 2:08 pm**

Version 6.43rc44 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

MAJOR CHANGES IN v6.43:
----------------------
!) api - changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
!) backup - do not encrypt backup file unless password is provided;
!) btest - requires at least v6.43 Bandwidth Test client when connecting to v6.43 or later version server except when authentication is not required;
!) cloud - added IPv6 support;
!) cloud - added support for licensed CHR instances (including trial);
!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);
!) mac-telnet - require at least v6.43 MAC Telnet client when connecting to v6.43 or later version server;
!) radius - use MS-CHAPv2 for "login" service authentication;
!) romon - require at least v6.43 RoMON agent when connecting to v6.43 or later RoMON client device;
!) webfig - improved authentication process;
!) winbox - improved authentication process excluding man-in-the-middle possibility;
!) winbox - minimal required version is v3.15;
----------------------

Other changes in this release:

*) backup - added support for new backup file encryption (AES128-CTR) with signatures (SHA256);
*) crs326/crs328 - fixed untagged packet forwarding through tagged ports when pvid=1;
*) crs3xx - fixed tagged packet forwarding in 802.1ad aware bridges (introduced in 6.43rc13);
*) dhcpv6 - improved reliability on IPv6 DHCP services;
*) lte - added support for alternative SIM7600 PID;
*) sms - improved reliability on SMS reader;
*) w60g - temporary disabled distance measurement feature;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Note that release candidate versions are published strictly for testing purposes and should not be used on production routers.

Posted: **Thu Jul 12, 2018 2:53 pm**

*) dhcpv6 - improved reliability on IPv6 DHCP services;

Please do not post change notes like that!
Is it another security issue? Is it recommended to update and/or are there workarounds for issues?

Posted: **Thu Jul 12, 2018 2:56 pm**

If dhcpv6 was not working reliably for you then upgrade.

Posted: **Thu Jul 12, 2018 3:11 pm**

In previous cases when such change notices were posted it became clear later that in fact there was a security problem that was being covered up.
(e.g. some buffer overrun with potential code execution, like in the webserver and the smb server)
Somewhat later the same fix appeared as a current version and everyone was urged to upgrade.
Later when all hell broke loose, we were referred back to the update we should have done because it was recommended, all "to improve reliability".

Posted: **Thu Jul 12, 2018 10:55 pm**

Not all of the problems can be summarized in one sentence. Or the cause of the problem can lead up to different consequences. Sometimes end-user even can not see software issue and that can be seen in supout file only by MikroTik staff. For example, DHCPv6 issue could lead to DHCPv6 service crash (can be seen only by MikroTik staff) and IPv6 services could not work or work incorrectly.

As you can see in 6.43rc release - we are improving changelog so important notes would be more noticeable. Also, for example, Winbox vulnerability issue was mentioned in changelog and special topics were made.

Posted: **Fri Jul 13, 2018 12:57 am**

For example, DHCPv6 issue could lead to DHCPv6 service crash (can be seen only by MikroTik staff) and IPv6 services could not work or work incorrectly.

Could this, by any remote chance, be related to the issue described here?
DHCP is installed/enabled but not used at all on both ipv4/ipv6.

Posted: **Fri Jul 13, 2018 3:01 am**

I agree that the release notes have improved much with the extra information. Then we have the ticket system that and it often unclear if a ticket is solved and I have written several time that a bug was not solved for me and then the line in the release notes was for an other bug in the same part of RouterOS.

If we could see if the ticket is resolved or still waiting, it would be great.

Posted: **Fri Jul 13, 2018 6:42 am**

Cha0s - It is not possible to answer your question without seeing supout file from your router. As you know - if you think that there is a software issue on your router, then contact support@mikrotik.com.

Posted: **Fri Jul 13, 2018 10:57 am**

As you can see in 6.43rc release - we are improving changelog so important notes would be more noticeable. Also, for example, Winbox vulnerability issue was mentioned in changelog and special topics were made.

Yes, it has certainly improved! good to see that warnings like that are now also visible when doing the one-click-upgrade from the router itself. Lots of people never look here so they do not see the warnings about winbox versions when they are not in the changelog.
There still could be some improvement in the clarity of one-line changelog notices, especially when using words like "reliability" that in the past have been used where "security" should actually have been written.

Posted: **Fri Jul 13, 2018 6:32 pm**

*) backup - added support for new backup file encryption (AES128-CTR) with signatures (SHA256);

So encryption=rc4 is the old behaviour, encryption=aes-sha256 is the new one? What is the default if I do not specify the option?

Posted: **Fri Jul 13, 2018 6:35 pm**

default now is aes-sha256

Posted: **Mon Jul 16, 2018 12:00 am**

Are you still working on hAP ac2's WiFi performance? I use laptop with Intel 7260 and WiFi performance is very poor (it fluctuates a lot within a huge range between 20 KB/s and 9 MB/s with average around 500 KB/s. The same laptop achieves 250 Mbit (which is what I pay for) when I use router provided by ISP (both stay almost in the same place).

Posted: **Mon Jul 16, 2018 11:32 am**

Are you still working on hAP ac2's WiFi performance? I use laptop with Intel 7260 and WiFi performance is very poor (it fluctuates a lot within a huge range between 20 KB/s and 9 MB/s with average around 500 KB/s. The same laptop achieves 250 Mbit (which is what I pay for) when I use router provided by ISP (both stay almost in the same place).

What type of laptop do you have, do you know the WiFi chip and number of antennas it has? There are no known issues with the mentioned model, it works fine for most people

Posted: **Mon Jul 16, 2018 8:06 pm**

Are you still working on hAP ac2's WiFi performance? I use laptop with Intel 7260 and WiFi performance is very poor (it fluctuates a lot within a huge range between 20 KB/s and 9 MB/s with average around 500 KB/s. The same laptop achieves 250 Mbit (which is what I pay for) when I use router provided by ISP (both stay almost in the same place).

Do you have updated wifi card drivers? Use the Intel® Driver & Support Assistant, or manually locate it.
He had the same problem and the update helped.

Posted: **Mon Jul 16, 2018 10:10 pm**

Are you still working on hAP ac2's WiFi performance? I use laptop with Intel 7260 and WiFi performance is very poor (it fluctuates a lot within a huge range between 20 KB/s and 9 MB/s with average around 500 KB/s. The same laptop achieves 250 Mbit (which is what I pay for) when I use router provided by ISP (both stay almost in the same place).
What type of laptop do you have, do you know the WiFi chip and number of antennas it has? There are no known issues with the mentioned model, it works fine for most people

It's Sony Vaio Pro 13 (https://www.trustedreviews.com/reviews/sony-vaio-pro-13).
I suppose that this is the card: https://ark.intel.com/en/products/75440 ... ess-N-7260
I'm using 5 GHz N/AC (2.4 is disabled because I don't need it).
Please find useful parts of uname, lspci, systool and dmesg below.
Let me know if you need anything more.

# uname -a
Linux vp 4.17.5-1-ARCH #1 SMP PREEMPT Sun Jul 8 17:27:31 UTC 2018 x86_64 GNU/Linux

# lspci
01:00.0 Network controller: Intel Corporation Wireless 7260 (rev 6b)
        Subsystem: Intel Corporation Dual Band Wireless-N 7260
        Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
        Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0, Cache Line Size: 64 bytes
        Interrupt: pin A routed to IRQ 44
        Region 0: Memory at f7c00000 (64-bit, non-prefetchable) [size=8K]
        Capabilities: [c8] Power Management version 3
                Flags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
                Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=0 PME-
        Capabilities: [d0] MSI: Enable+ Count=1/1 Maskable- 64bit+
                Address: 00000000fee08004  Data: 4023
        Capabilities: [40] Express (v2) Endpoint, MSI 00
                DevCap: MaxPayload 128 bytes, PhantFunc 0, Latency L0s <512ns, L1 unlimited
                        ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset+ SlotPowerLimit 0.000W
                DevCtl: Report errors: Correctable- Non-Fatal- Fatal- Unsupported-
                        RlxdOrd- ExtTag- PhantFunc- AuxPwr+ NoSnoop+ FLReset-
                        MaxPayload 128 bytes, MaxReadReq 128 bytes
                DevSta: CorrErr- UncorrErr- FatalErr- UnsuppReq- AuxPwr+ TransPend-
                LnkCap: Port #0, Speed 2.5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s <4us, L1 <32us
                        ClockPM+ Surprise- LLActRep- BwNot- ASPMOptComp-
                LnkCtl: ASPM L1 Enabled; RCB 64 bytes Disabled- CommClk+
                        ExtSynch- ClockPM+ AutWidDis- BWInt- AutBWInt-
                LnkSta: Speed 2.5GT/s, Width x1, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
                DevCap2: Completion Timeout: Range B, TimeoutDis+, LTR+, OBFF Via WAKE#
                         AtomicOpsCap: 32bit- 64bit- 128bitCAS-
                DevCtl2: Completion Timeout: 16ms to 55ms, TimeoutDis-, LTR+, OBFF Disabled
                         AtomicOpsCtl: ReqEn-
                LnkCtl2: Target Link Speed: 2.5GT/s, EnterCompliance- SpeedDis-
                         Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
                         Compliance De-emphasis: -6dB
                LnkSta2: Current De-emphasis Level: -3.5dB, EqualizationComplete-, EqualizationPhase1-
                         EqualizationPhase2-, EqualizationPhase3-, LinkEqualizationRequest-
        Capabilities: [100 v1] Advanced Error Reporting
                UESta:  DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
                UEMsk:  DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
                UESvrt: DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
                CESta:  RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr-
                CEMsk:  RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
                AERCap: First Error Pointer: 00, ECRCGenCap- ECRCGenEn- ECRCChkCap- ECRCChkEn-
                        MultHdrRecCap- MultHdrRecEn- TLPPfxPres- HdrLogCap-
                HeaderLog: 00000000 00000000 00000000 00000000
        Capabilities: [140 v1] Device Serial Number 5c-51-4f-xx-xx-xx-xx-xx
        Capabilities: [14c v1] Latency Tolerance Reporting
                Max snoop latency: 3145728ns
                Max no snoop latency: 3145728ns
        Capabilities: [154 v1] Vendor Specific Information: ID=cafe Rev=1 Len=014 <?>
        Kernel driver in use: iwlwifi
        Kernel modules: iwlwifi


# systool -vm iwlwifi
Module = "iwlwifi"

  Attributes:
    coresize            = "327680"
    initsize            = "0"
    initstate           = "live"
    refcnt              = "1"
    srcversion          = "A082116DEC439F44B0AAD63"
    taint               = ""
    uevent              = <store method only>

  Parameters:
    11n_disable         = "0"
    amsdu_size          = "0"
    antenna_coupling    = "0"
    bt_coex_active      = "Y"
    d0i3_disable        = "Y"
    d0i3_timeout        = "1000"
    debug               = "0"
    disable_11ac        = "N"
    fw_monitor          = "N"
    fw_restart          = "Y"
    lar_disable         = "N"
    led_mode            = "0"
    nvm_file            = "(null)"
    power_level         = "0"
    power_save          = "N"
    swcrypto            = "0"
    uapsd_disable       = "3"

  Sections:
    .altinstr_replacement= "0xffffffffc0a9da3d"
    .altinstructions    = "0xffffffffc0ab9f10"
    .bss                = "0xffffffffc0abeec0"
    .data.once          = "0xffffffffc0abd8f0"
    .data               = "0xffffffffc0abb300"
    .exit.text          = "0xffffffffc0a9da2c"
    .gnu.linkonce.this_module= "0xffffffffc0abeb80"
    .init.text          = "0xffffffffc0acd000"
    .note.gnu.build-id  = "0xffffffffc0a9e000"
    .orc_unwind         = "0xffffffffc0ab35dd"
    .orc_unwind_ip      = "0xffffffffc0aaf6c5"
    .parainstructions   = "0xffffffffc0aba090"
    .ref.data           = "0xffffffffc0abdd00"
    .rodata             = "0xffffffffc0a9e5c0"
    .rodata.str1.1      = "0xffffffffc0aa9bbb"
    .rodata.str1.8      = "0xffffffffc0aab858"
    .smp_locks          = "0xffffffffc0ab9f2c"
    .strtab             = "0xffffffffc0adab40"
    .symtab             = "0xffffffffc0ace000"
    .text               = "0xffffffffc0a7c000"
    .text.unlikely      = "0xffffffffc0a9da45"
    __bpf_raw_tp_map    = "0xffffffffc0abd900"
    __bug_table         = "0xffffffffc0abd0b0"
    __jump_table        = "0xffffffffc0abb000"
    __kcrctab           = "0xffffffffc0a9e490"
    __kcrctab_gpl       = "0xffffffffc0a9e4a0"
    __ksymtab           = "0xffffffffc0a9e030"
    __ksymtab_gpl       = "0xffffffffc0a9e070"
    __ksymtab_strings   = "0xffffffffc0aaf130"
    __mcount_loc        = "0xffffffffc0ab9488"
    __param             = "0xffffffffc0ab9c68"
    __tracepoints_ptrs  = "0xffffffffc0aba1b0"
    __tracepoints_strings= "0xffffffffc0aba280"
    __tracepoints       = "0xffffffffc0abe540"
    _ftrace_events      = "0xffffffffc0abdc20"

# dmesg | grep -i iwl
[    3.119352] iwlwifi 0000:01:00.0: enabling device (0000 -> 0002)
[    3.124355] iwlwifi 0000:01:00.0: loaded firmware version 17.948900127.0 op_mode iwlmvm
[    3.288512] iwlwifi 0000:01:00.0: Detected Intel(R) Dual Band Wireless N 7260, REV=0x144
[    3.314884] iwlwifi 0000:01:00.0: base HW address: 5c:51:4f:xx:xx:xx
[    3.516017] ieee80211 phy0: Selected rate control algorithm 'iwl-mvm-rs'
[    3.518324] iwlwifi 0000:01:00.0 wlp1s0: renamed from wlan0

Are you still working on hAP ac2's WiFi performance? I use laptop with Intel 7260 and WiFi performance is very poor (it fluctuates a lot within a huge range between 20 KB/s and 9 MB/s with average around 500 KB/s. The same laptop achieves 250 Mbit (which is what I pay for) when I use router provided by ISP (both stay almost in the same place).
Do you have updated wifi card drivers? Use the Intel® Driver & Support Assistant, or manually locate it.
He had the same problem and the update helped.

I don't use Windows, I don't have it installed. I use latest Linux kernel so yes, the driver is in latest version

I use this latptop with many APs all over the world and it has no issues. As I said before, I get 250 Mbit in my house using router provided by my ISP where Mikrotik is not even close. Both routers are next to each other.

Posted: **Tue Jul 17, 2018 4:23 am**

Version 6.43rc40 has been released.

*) userman - fixed compatibility with PayPal TLS 1.2;

I hope it's not off topic, but when should we expect this to hit the current branch? I have a production userman router that seems to be having some recent Paypal issues lately.

Posted: **Thu Jul 19, 2018 8:22 pm**

sorry for the question, but is it possible to make sure that when I paste a firewall rule script, the doubles are not loaded?

thank you

Posted: **Thu Jul 19, 2018 9:36 pm**

How is that related to 6.43rc in particular? There is a different section on the forum for these questions, called Scripting.

Posted: **Thu Jul 19, 2018 9:57 pm**

sorry, delete message

Posted: **Fri Jul 20, 2018 11:44 pm**

model: CRS317-1G-16S+
release: v6.43rc44

we use some ports with non-10G SFPs (ie 1G-SX and 1G-TX modules with fiber and copper).

those modules get auto negotiation 'incomplete', while claiming the link is ok but no working datatransmission can be established.

regards,
hk

Posted: **Sat Jul 21, 2018 2:50 am**

model: hAP ac^2 (arm) - RouterBOARD D52G-5HacD2HnD-TC
release: v6.43rc44

I'm experiencing memory leakage. After 8 days of running, free RAM is down to ~90MB (starting at ~205MB after a fresh reboot). The device is "losing" ~14MB of free memory a day...

I don't have any fancy configuration, logs etc. are written external etc.

Anyone else getting this?

Posted: **Sat Jul 21, 2018 1:39 pm**

anyone noticing a memory leak that ends with a kernel panic? this is on a CCR1009-7G-1C-1S+ running v6.43rc44

Posted: **Sat Jul 21, 2018 6:39 pm**

Anyone else getting this?

This is weekly graph on my hAP ac²

Posted: **Sun Jul 22, 2018 1:04 pm**

Yesterday I set up an ipsec connection between 2 devices, one running 6.42.6 the other 6.43rc44.
All IKE related settings were the same on both devices, but I wasn't able to establish a connection, unless I changed the hash algorithm to sha256 on the one running 6.42.6 and sha1 on the other.

When I added a new peer configuration using IKEv2, it killed all other non-IKEv2 connections immediately, which shouldn't happen either.

Posted: **Mon Jul 23, 2018 9:13 am**

Version 6.43rc45 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

MAJOR CHANGES IN v6.43:
----------------------
!) api - changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
!) backup - do not encrypt backup file unless password is provided;
!) btest - requires at least v6.43 Bandwidth Test client when connecting to v6.43 or later version server except when authentication is not required;
!) cloud - added IPv6 support;
!) cloud - added support for licensed CHR instances (including trial);
!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);
!) mac-telnet - require at least v6.43 MAC Telnet client when connecting to v6.43 or later version server;
!) radius - use MS-CHAPv2 for "login" service authentication;
!) romon - require at least v6.43 RoMON agent when connecting to v6.43 or later RoMON client device;
!) webfig - improved authentication process;
!) winbox - improved authentication process excluding man-in-the-middle possibility;
!) winbox - minimal required version is v3.15;
----------------------

Other changes in this release:

*) ethernet - improved stability when changing ethernet interface L2MTU on CRS328-24P-4S+ (introduced in v6.43rc11);
*) ipsec - improved invalid policy handling when a valid policy is uninstalled;
*) lte - added additional ID support for SIM7600 modem;
*) sfp - fixed default advertised link speeds;
*) vrrp - fixed VRRP packet processing on VirtualBox and VMWare hypervisors;
*) winbox - properly display all flags for bridge host entries;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that has such feature;
*) wireless - improved Nv2 reliability on ARM devices;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Note that release candidate versions are published strictly for testing purposes and should not be used on production routers.

Posted: **Mon Jul 23, 2018 11:01 am**

Mikrotik update server 2a02:610:7501:1000::196 still reports 6.43rc44 1531295119.

GET /routeros/LATEST.6rc HTTP/1.1
Host: upgrade.mikrotik.com

HTTP/1.1 200 OK
Date: Mon, 23 Jul 2018 08:01:34 GMT
Content-Type: application/octet-stream
Content-Length: 20
Last-Modified: Thu, 12 Jul 2018 11:05:13 GMT
Connection: keep-alive
ETag: "5b4735e9-14"
Server: ThirdWorldFileDaemon
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

6.43rc44 1531295119

Edit:
Now redirecting to https://download.mikrotik.com/routeros/LATEST.6rc, same cluster.

[2a02:610:7501:1000::196] => 6.43rc44 1531295119
[2a02:610:7501:4000::226] => 6.43rc45 1531816238
159.148.172.226 => 6.43rc45 1531816238
159.148.147.204 => 6.43rc44 1531295119

Edit2:
Now properly propagated.

Posted: **Mon Jul 23, 2018 11:55 am**

So, in this version still i have a problem with Tools/SMS when i try to send sms shows me sms send failed: timeout?

Any news around that problem?

Posted: **Mon Jul 23, 2018 12:09 pm**

As a workaround worth trying if this issue complicates your life, it might be possible to send the SMSes using /interface lte at-chat and the AT command used to send SMSes on your modem model.

Posted: **Mon Jul 23, 2018 12:20 pm**

*) wireless - improved Nv2 reliability on ARM devices;

The first point-to-point tests with nv2 on arm are not satisfactory. We will perform more tests

Posted: **Mon Jul 23, 2018 4:32 pm**

As a workaround worth trying if this issue complicates your life, it might be possible to send the SMSes using /interface lte at-chat and the AT command used to send SMSes on your modem model.

it`s not that the idea? i use this usb stick only for sms netwatch(internet it`s not include it), but i don`t understand why evyrything work normaly before with this gsm option and now did`t not.

Posted: **Mon Jul 23, 2018 5:09 pm**

This is a release candidate. Things do break as you add/improve functionality as nobody makes no mistakes at all. Se s tim smiř (in Czech).

Posted: **Mon Jul 23, 2018 5:26 pm**

Little bit better but the issue still present

*) wireless - improved Nv2 reliability on ARM devices;

The first point-to-point tests with nv2 on arm are not satisfactory. We will perform more tests

Posted: **Mon Jul 23, 2018 10:14 pm**

hAP AC2 still works very poorly with Intel Corporation Dual Band Wireless-N 7260. Transfer rate approximately 10 times slower than with other routers and often drops to 0 kbps.

Posted: **Mon Jul 23, 2018 10:21 pm**

Little bit better but the issue still present

can you show some results? i was experiencing performance varying between 250-430Mbps using SXTsq ACs with early 6.43rc builds even under excellent conditions.

Posted: **Tue Jul 24, 2018 11:38 am**

NOOOOO!!!! -"radius - use MS-CHAPv2 for "login" service authentication;"

I hope there is a setting for this. chap, chapv2 with or without ms flavour is doing nothing good to the fact that static passwords are weak and should not be used.

We use one time passwords witch will not work in replay mode due to the fact of being ONE TIME. this makes all challenge based algorithm fail there simply is nothing to do challange on.

put PAP back now or atleast make it a setting so admins may choose the best setting for their env and needs. Make this setting universal så that we may use onetime radius password for winbox as well.

I have requested this many times.... This should be a setting is it or is it not? (Have not yet tested the RC in a router but will later this week.)

Posted: **Tue Jul 24, 2018 3:36 pm**

Ok so now I test the RC45 Build. My setup scripts fail can't rename user admin anymore? WHY?

Posted: **Tue Jul 24, 2018 3:45 pm**

*) wireless - improved Nv2 reliability on ARM devices;

The first point-to-point tests with nv2 on arm are not satisfactory. We will perform more tests

Just a question without intention of doubting what you say: why use NV2 on PtP?

Posted: **Tue Jul 24, 2018 4:07 pm**

And even worse the chap packet that you send out doest not contain any password (you are sending empty radius request even before asking the user of a password. Clean upp your code and enable PAP/CHAP/MSCHAP as option NOW!

I'm trying this RC in a CRS328-4C-20S-4S+RM

After downgrading to Current 6.42.6 Radius pap (one time passwords) and rename admin works like a charm again.

Posted: **Tue Jul 24, 2018 4:26 pm**

Ok so now I test the RC45 Build. My setup scripts fail can't rename user admin anymore? WHY?

yeah, that's funny

[admin@internal] > user set admin name=adminn
failure: user name can't be changed

Posted: **Tue Jul 24, 2018 5:13 pm**

Changing name of logged in user is not good idea. What if you are logged as different user?

Posted: **Tue Jul 24, 2018 5:26 pm**

Changing name of logged in user is not good idea. What if you are logged as different user?

[sergey@router.home] > /user set admin name adminn
failure: user name can't be changed

Posted: **Tue Jul 24, 2018 5:46 pm**

even more important, the memory leak is still not fixed

Posted: **Tue Jul 24, 2018 6:17 pm**

Drop of RADIUS PAP support for ssh logins is a big problem for us too.

We're using a one-time password implementation which is impossible to integrate with MS-CHAPv2 - the security appliance only stores the hash of the PIN (fixed part of the password) and because of this cannot support MS-CHAPv2 since it would require to store PIN as clear-text. 6.43rc is forcing us to drop the OTP, actually decreasing security of the network.

Please allow us to make decisions on how to secure our network ourselves and make a setting allowing to select PAP for "login" service authentication. In any case RADIUS requests can always be sent via encrypted tunnels, while MS-CHAPv2 security strength has been watered down to level of a long obsolete single DES56 - one can find online services that will crack it in a day.

Posted: **Wed Jul 25, 2018 12:12 pm**

*) wireless - improved Nv2 reliability on ARM devices;

The first point-to-point tests with nv2 on arm are not satisfactory. We will perform more tests
Just a question without intention of doubting what you say: why use NV2 on PtP?

I always use nv2 with mikrotik. There are some noise in my city.

Posted: **Wed Jul 25, 2018 1:49 pm**

Drop of RADIUS PAP support for ssh logins is a big problem for us too.

We're using a one-time password implementation which is impossible to integrate with MS-CHAPv2 - the security appliance only stores the hash of the PIN (fixed part of the password) and because of this cannot support MS-CHAPv2 since it would require to store PIN as clear-text. 6.43rc is forcing us to drop the OTP, actually decreasing security of the network.

Please allow us to make decisions on how to secure our network ourselves and make a setting allowing to select PAP for "login" service authentication. In any case RADIUS requests can always be sent via encrypted tunnels, while MS-CHAPv2 security strength has been watered down to level of a long obsolete single DES56 - one can find online services that will crack it in a day.

I agree.
If the internal system works with hash passwords ok, but If the router manager has a secure radius and want to use this kind of system should be permitted.
The SSH passwords are plain text in the encrypted tunnel and PAP still can be used.

Posted: **Fri Jul 27, 2018 6:34 pm**

Hi, need some help to configure a paypal payment option with hotspot and usermanager. Just found this and update it to the RC version, but still need help on this.

Posted: **Mon Jul 30, 2018 5:14 pm**

Hi, need some help to configure a paypal payment option with hotspot and usermanager. Just found this and update it to the RC version, but still need help on this.

This is definitely the wrong thread for your request. There are separate threads and parts of the forum for those kind of questions. This thread is solely for issues with this particular release version and it's update.

Posted: **Tue Jul 31, 2018 4:03 pm**

>What's new in 6.43rc45 (2018-Jul-17 08:30):
>Changes in this release :
>sfp - fixed default advertised link speeds;

please say: what exactly was corrected

Posted: **Thu Aug 02, 2018 11:51 am**

Version 6.43rc51 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

MAJOR CHANGES IN v6.43:
----------------------
!) api - changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
!) backup - do not encrypt backup file unless password is provided;
!) btest - requires at least v6.43 Bandwidth Test client when connecting to v6.43 or later version server except when authentication is not required;
!) cloud - added IPv6 support;
!) cloud - added support for licensed CHR instances (including trial);
!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);
!) mac-telnet - require at least v6.43 MAC Telnet client when connecting to v6.43 or later version server;
!) radius - use MS-CHAPv2 for "login" service authentication;
!) romon - require at least v6.43 RoMON agent when connecting to v6.43 or later RoMON client device;
!) webfig - improved authentication process;
!) winbox - improved authentication process excluding man-in-the-middle possibility;
!) winbox - minimal required version is v3.15;
----------------------

Other changes in this release:

*) bridge - added per-port based "tag-stacking" feature;
*) bridge - fixed "ingress-filtering", "frame-types" and "tag-stacking" value storing;
*) bridge - improved bridge port state changing process;
*) bridge - improved packet processing when bridge port changes states;
*) bridge - renamed option "vlan-protocol" to "ether-type";
*) certificate - do not allow to perform "undo" on certificate changes;
*) crs3xx - added command that forces fan detection on fan-equipped devices;
*) crs3xx - fixed port disable on CRS326 and CRS328 devices;
*) dhcpv6-client - allow to set "default-route-distance";
*) dhcpv6-client - fixed "add-default-route" parameter;
*) dhcpv6-client - fixed option handling;
*) dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time";
*) ethernet - fixed default ethernet advertise values after configuration reset (introduced in v6.43rc33)
*) filesystem - fixed NAND memory going into read-only mode (requires "factory-firmware" >= 3.41.1 and "current-firmware" >= 6.43);
*) health - fixed voltage measurements for RB493G devices;
*) hotspot - allow to properly configure Hotspot directory on external disk for devices that have flash type storage;
*) hotspot - fixed RADIUS CoA & PoD by allowing to accept "NAS-Port-Id";
*) ike1 - added unsafe configuration warning for main mode with pre-shared-key authentication;
*) ike1 - zero out reserved bytes in NAT-OA payload;
*) ike2 - fixed rekeyed child deletion during another exchange;
*) ike2 - improved basic exchange logging readability;
*) ipsec - fixed "sa-src-address" deduction from "src-address" in tunnel mode;
*) ipsec - fixed "static-dns" value storing (CLI only);
*) ipsec - fixed AES-CTR and AES-GCM key size proposing as initiator;
*) ldp - properly load LDP configuration;
*) led - fixed default LED configuration for RBLHGG-5acD-XL devices;
*) lte - added "registration-status" parameter under "/interface lte info" command;
*) lte - added additional D-Link PIDs;
*) lte - added additional low endpoint SIM7600 PIDs;
*) lte - added signal readings under "/interface lte scan" for 3G and GSM modes;
*) lte - fixed memory leak on USB disconnect;
*) lte - fixed SMS send feature when not in LTE network;
*) lte - ignore empty MAC addresses during Passthrough discovery phase;
*) lte - properly detect interface state when running for IPv6 only connection for R11e-LTE modem;
*) multicast - allow to add more than one RP per IP address for PIM;
*) ospf - improved link-local LSA flooding;
*) rb1100ahx4 - added DES and 3DES hardware acceleration support;
*) routerboot - removed RAM test from TILE devices (routerboot upgrade required);
*) sfp - hide "sfp-wavelength" parameter for RJ45 transceivers;
*) snmp - added "phy-rate" reading for "station-bridge" mode;
*) snmp - fixed "remote-cap" peer MAC address format;
*) ssh - strengthen strong-crypto (add aes-128-ctr and disallow hmac sha1 and groups with sha1);
*) tile - added DES and 3DES hardware acceleration support;
*) w60g - added distance measurement feature;
*) w60g - fixed random disconnects;
*) w60g - improved MCS rate detection process;
*) w60g - improved MTU change handling;
*) w60g - properly close connection with station on disconnect;
*) wireless - fixed "/interface wireless sniffer packet print follow" output;
*) wireless - fixed packet processing after removing wireless interface from CAP settings;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Note that release candidate versions are published strictly for testing purposes and should not be used on production routers.

Posted: **Thu Aug 02, 2018 12:21 pm**

Version 6.43rc51 has been released.

*) ike1 - zero out reserved bytes in NAT-OA payload;

Thank you, I will test it soon and report.

Posted: **Thu Aug 02, 2018 12:33 pm**

*) filesystem - fixed NAND memory going into read-only mode (requires "factory-firmware" >= 3.41.1 and "current-firmware" >= 6.43);

Please clarify:
Ex:
I run 6.40.8
System routerboard print:

routerboard: yes
model: RouterBOARD 3011UiAS
serial-number: 689A05572F46
firmware-type: ipq8060
factory-firmware: 3.27
current-firmware: 3.41
upgrade-firmware: 3.41

Will the fix be included only in later production runs?
I was under the assumption that the factory-firmware identifies the firmware ver# the device initially shipped with,
and it can't be somehow upgraded.
Or we are talking about bakup routerboot code... (in which case I still think it is not user-upgradeable?).
Nothing relevant on the wiki.
Thanks.

Posted: **Thu Aug 02, 2018 12:35 pm**

*) bridge - added per-port based "tag-stacking" feature

Can this also be explained. Similar to selective q-in-q?

Posted: **Thu Aug 02, 2018 3:02 pm**

I have LtAP mini International Kit and have LTE some stability issues. Is it worth upgrading to 6.43rc51 version as it claims fix for my case

*) usb - fixed modem initialisation on LtAP mini;

Is it stable enough for LtAP device at least?

Posted: **Fri Aug 03, 2018 10:46 am**

Hi,

Something is wrong with the Hash Algorithms in Peer Proposal setting in v6.43.51:

Peer Proposal mismatch.PNG

If I have to set the SHA1 algorithm, in WinBox I have to set md5.

Posted: **Fri Aug 03, 2018 5:42 pm**

Version 6.43rc51 has been released.

*) ike1 - zero out reserved bytes in NAT-OA payload;
Thank you, I will test it soon and report.

Unfortunately it is the same - report sent to support.
Any others who try to do IPsec from a Draytek router behind NAT?

Posted: **Fri Aug 03, 2018 10:33 pm**

rc51 seems better on point-to-point Wireless Wires (fixed dropping issues in 6.42.6)
But we're still seeing a lot of disconnects with multipoint.

Posted: **Sat Aug 04, 2018 1:17 pm**

Will the fix be included only in later production runs?
I was under the assumption that the factory-firmware identifies the firmware ver# the device initially shipped with,
and it can't be somehow upgraded.
Or we are talking about bakup routerboot code... (in which case I still think it is not user-upgradeable?).
Nothing relevant on the wiki.

I think factory routerboard firmware = backup bootloader.
It's normally not allowed but seems possible to upgrade the factory version: https://wiki.mikrotik.com/wiki/Manual:R ... D_settings

The backup RouterBOOT version can not be older than v3.24 version. A special package is provided to upgrade the backup RouterBOOT (DANGEROUS). Newer devices will have this new backup loader already installed at the factory. Download the package for:

I usually assumed the factory/backup version to be completely irrelevant unless you force it by a RESET button sequence (or possibly some other means).
I still think this is the case here. The new feature will probably be available when using the normal boot loader (of a high enough version) but be absent when using the backup bootloader (either manually forced or may be automatically triggered if the "main" one is too corrupted to do anything).

I never tried but thought the secondary (factory) version can be upgraded too, either via Netinstall or even just by using the "force backup booter" and initiating an upgrade from ROS. But I never felt the need, so never tried... I just tried to latter (force backup and upgrade from ROS) but it's not that easy. I wonder if Netinstall could do it.

Edit:
Oh! And I think even though we now have a matching ROS and bootloader version (even for every incremental, let alone RC version), that firmware still has some internal version number (probably still somewhere around 3.4x for ROS 6.4x). So this change only complicates this question (it's probably possible to have basically the same factory backup and "main" booloader on a device even though the visible version number is seemingly much higher on the normally-upgradeable "main" firmware).

I think they just rebuild the source code of the bootloader for every ROS release, so it has a matching version number but this no longer indicates they made any change to the source. But this seems to be impractical because now we don't know when the code actually changes.

Posted: **Sat Aug 04, 2018 8:58 pm**

Will the fix be included only in later production runs?
I was under the assumption that the factory-firmware identifies the firmware ver# the device initially shipped with,
and it can't be somehow upgraded.
Or we are talking about bakup routerboot code... (in which case I still think it is not user-upgradeable?).
Nothing relevant on the wiki.
I think factory routerboard firmware = backup bootloader.
It's normally not allowed but seems possible to upgrade the factory version: https://wiki.mikrotik.com/wiki/Manual:R ... D_settings
The backup RouterBOOT version can not be older than v3.24 version. A special package is provided to upgrade the backup RouterBOOT (DANGEROUS). Newer devices will have this new backup loader already installed at the factory. Download the package for:
I usually assumed the factory/backup version to be completely irrelevant unless you force it by a RESET button sequence (or possibly some other means).
I still think this is the case here. The new feature will probably be available when using the normal boot loader (of a high enough version) but be absent when using the backup bootloader (either manually forced or may be automatically triggered if the "main" one is too corrupted to do anything).

I never tried but thought the secondary (factory) version can be upgraded too, either via Netinstall or even just by using the "force backup booter" and initiating an upgrade from ROS. But I never felt the need, so never tried... I just tried to latter (force backup and upgrade from ROS) but it's not that easy. I wonder if Netinstall could do it.

Edit:
Oh! And I think even though we now have a matching ROS and bootloader version (even for every incremental, let alone RC version), that firmware still has some internal version number (probably still somewhere around 3.4x for ROS 6.4x). So this change only complicates this question (it's probably possible to have basically the same factory backup and "main" booloader on a device even though the visible version number is seemingly much higher on the normally-upgradeable "main" firmware).

I think they just rebuild the source code of the bootloader for every ROS release, so it has a matching version number but this no longer indicates they made any change to the source. But this seems to be impractical because now we don't know when the code actually changes.

All valid considerations.
I suppose they do refer to the secondary bootloader,
in witch case they should provide a "special" package for the users who would want to upgrade the backup loader.
Still, I would like a clarification from mikrotik.

Posted: **Sat Aug 04, 2018 11:08 pm**

in witch case they should provide a "special" package for the users who would want to upgrade the backup loader.

In my opinion the best solution would be to always auto-upgrade the main bootloader along every ROS upgrade (without the need to issue manual reboot twice) and allow the user to manually upgrade the backup bootloader once the new ROS successfully booted with an upgraded main bootloader (which is a fair enough confirmation that the device is stable enough with the new bootloader to use ROS for bootloader changes, thus it's probably possible to downgrade if some small error occurs later on).

Posted: **Sat Aug 04, 2018 11:40 pm**

Hi

I ran into a strange problem.
I had to reinstall the system with Netinstall to the latest rc51 version.

My device is a CRS109-8G-1S-2HnD which is a DHCP client on the SFP copper port (ISP is UPC). I try to run a speedtest.net from my desktop PC .

After everything was ready, i tried to run a speedtest, The speed was 80Mbps with 90% of cpu load. The idle load was 17%.
Ok, i installed back to the 6.42.6. The speed was 400Mbps with 50% of cpu load. Idle load is 4%.
Nice. So i did some screenshot from the tools/profile.
The last step was back to 6.43rc51 to reproduce the problem. But now everything is looks nice, on this RC i can get the 400Mbps with the same load as it was on the 6.42.6...

I don't know what happened, i didn't changed the config.... but now looks like everything is ok...

Just write this post as a note, may be helps to somebody.

Posted: **Sun Aug 05, 2018 4:44 pm**

*) sfp - hide "sfp-wavelength" parameter for RJ45 transceivers;

"sfp-connector-type" is still falsely displayed as "LC" for S-RJ01 modules in Winbox and CLI

Posted: **Mon Aug 06, 2018 12:08 am**

in queues tree in parent does not appear to select queue of hotspot users like <hotspot-john>

Posted: **Mon Aug 06, 2018 10:23 am**

*) bridge - added per-port based "tag-stacking" feature

Can this also be explained. Similar to selective q-in-q?

Would also like this explained

Posted: **Mon Aug 06, 2018 11:56 am**

Hi, I'm also using PAP with radius for authentication to support 2FA logins. Using only chap is not helpful. Is feedback here taken on board or is there a more official way to get this heard?

Posted: **Mon Aug 06, 2018 2:05 pm**

*) bridge - added per-port based "tag-stacking" feature

Can this also be explained. Similar to selective q-in-q?

Wiki has been updated with an example:
https://wiki.mikrotik.com/wiki/Manual:I ... g_stacking

Selective QinQ is not possible yet, only port based QinQ or CVID stacking is possible now.

Posted: **Mon Aug 06, 2018 4:46 pm**

Hi,

Here is a problem with CRS317 and rc51.

My configuration :
some clients <---> CRS326 <===== Trunk1(only tagged VLANs) =====> CRS317 <===== Trunk2 (only tagged VLANS) ====> CRS328 <---> some clients

Installation with version 6.42.6 for the three devices : no problem.

Upgrade on version 6.43rc51 for the three devices :
everything is working like version 6.42.6, except the fact that CRS317 is unreachable for remote management via CRS326/CRS328 :
- no access to the web pages
- no access with winbox + it doesn't appear in 'neighbors'
CSR317 is still manageable through a direct connection to one of its ports.

1st Test : I decide to change CRS317 with and old TP-link switch with the same VLAN/Trunk configuration. The TP-Link switch is available for remote management via CRS326/CRS328.
2nd Test : I rebuild CRS317 with a netsintall of version 6.43rc51 and a fresh configuration. Same behaviour, the CRS317 is unreachable for remote management via CRS326/CRS328.

Are you aware of this king of problem with the RC version ?
If I find the time, I'll do a last test by reinstalling version 6.42.6 on the CRS317 only.

Posted: **Wed Aug 08, 2018 2:45 pm**

Found the problem and it was that I changed to an other DNS server that did not Round Robin by default.

Posted: **Tue Aug 14, 2018 1:33 pm**

Version 6.43rc56 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

MAJOR CHANGES IN v6.43:
----------------------
!) api - changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
!) backup - do not encrypt backup file unless password is provided;
!) btest - requires at least v6.43 Bandwidth Test client when connecting to v6.43 or later version server except when authentication is not required;
!) cloud - added IPv6 support;
!) cloud - added support for licensed CHR instances (including trial);
!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);
!) mac-telnet - require at least v6.43 MAC Telnet client when connecting to v6.43 or later version server;
!) radius - use MS-CHAPv2 for "login" service authentication;
!) romon - require at least v6.43 RoMON agent when connecting to v6.43 or later RoMON client device;
!) webfig - improved authentication process;
!) winbox - improved authentication process excluding man-in-the-middle possibility;
!) winbox - minimal required version is v3.15;
----------------------

Other changes in this release:

!) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;
*) bridge - added support for BPDU Guard (CLI only);
*) bridge - added support for DHCP Option 82 (disables hardware offloading, CLI only);
*) bridge - added support for DHCP Snooping (disables hardware offloading, CLI only);
*) bridge - forward LACPDUs when "protocol-mode=none";
*) bridge - improved packet handling;
*) cloud - added simultaneous IPv4/IPv6 support;
*) console - added "dont-require-permissions" parameter for scripts;
*) dhcpv4-relay - fixed false invalid flag presence;
*) dhcpv6-server - do not allow to run DHCPv6 server on slave interface;
*) dhcpv6-server - fixed dynamic simple queue creation for RADIUS bindings;
*) dhcpv6-server - properly update interface for dynamic DHCPv6 servers;
*) ethernet - fixed possible link flaps after disabling/enabling the interface (introduced in v6.43rc51);
*) ethernet - improved large packet handling on ARM devices with wireless;
*) ethernet - removed obsolete slave flag from "/interface vlan" menu;
*) hotspot - fixed customized HTML file usage (introduced in 6.43rc47);
*) ike1 - zero out reserved bytes in NAT-OA payload;
*) ike2 - fixed initiator first policy selection;
*) ippool - improved used address error message;
*) ipsec - added warning messages for incorrect peer configuration;
*) ipsec - separate phase1 proposal configuration from peer menu;
*) ppp - fixed interface enabling after a while if none of them where active;
*) ppp - improved modem mode switching;
*) snmp - added "temp-exception" trap;
*) switch - fixed possible switch chip hangs after initialization on MediaTek and Atheros8327 switch chips;
*) tile - fixed false HW offloading flag for MPLS;
*) tr069-client - allow editing of "provisioning-code" attribute (CLI only);
*) tr069-client - fixed unresponsive tr069 service when blackhole route is present;
*) upgrade - fixed RouterOS upgrade process from RouterOS v5;
*) ups - improved UPS serial parsing stability;
*) w60g - general stability and performance improvements;
*) w60g - stop doing distance measurements after first successful measurement;
*) winbox - added "default-route-distance" parameter for "IPv6/DHCP-client" menu;
*) winbox - fixed "sfp-connector-type" value presence under "Interface/Ethernet";
*) winbox - fixed warning presence for "IP/IPsec/Peers" menu;
*) winbox - fixed "write-sect-since-reboot" value presence under "System/Resources";
*) winbox - show "System/RouterBOARD/Mode Button" on devices that has such feature;
*) wireless - added option to disable PMKID for WPA2 (CLI only);
*) wireless - fixed memory leak when performing wireless scan on ARM;
*) wireless - updated "united-states" regulatory domain information;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Note that release candidate versions are published strictly for testing purposes and should not be used on production routers.

Posted: **Tue Aug 14, 2018 1:46 pm**

Nice..
Good work
I get very happy when there are a lot of changes logs, even if I don't use 80% of this improvement , I get happy for whose does.
Can't wait to this became stable release.

Sent from my XT1580 using Tapatalk

Posted: **Tue Aug 14, 2018 1:52 pm**

sorry now works.

Posted: **Tue Aug 14, 2018 3:38 pm**

*) bridge - added support for DHCP Option 82 (disables hardware offloading, CLI only);
*) bridge - added support for DHCP Snooping (disables hardware offloading, CLI only);

Could we please get some examples of how to use these features on the Wiki ?

I cannot see any of the options I would expect, e.g. being able to set the contents of the Option-82 injection string with variables for the first feature, or being able to specify the valid DHCP server for the second.

Posted: **Tue Aug 14, 2018 4:09 pm**

*) wireless - added option to disable PMKID for WPA2 (CLI only);

All my everyday devices still connects just fine.

Posted: **Tue Aug 14, 2018 5:59 pm**

Code: Select all
*) bridge - added support for DHCP Option 82 (disables hardware offloading, CLI only);
*) bridge - added support for DHCP Snooping (disables hardware offloading, CLI only);
Could we please get some examples of how to use these features on the Wiki ?

I cannot see any of the options I would expect, e.g. being able to set the contents of the Option-82 injection string with variables for the first feature, or being able to specify the valid DHCP server for the second.

Did you specify which ports are trusted ports under /interface bridge port?

Posted: **Tue Aug 14, 2018 7:29 pm**

Still seeing multipoint Wireless Wire disconnects with 6.43rc56. I don't think the RC branch has been stable on these since rc17

6.42.3 continues to be my recommended version.

Posted: **Tue Aug 14, 2018 10:57 pm**

Code: Select all
*) bridge - added support for DHCP Option 82 (disables hardware offloading, CLI only);
*) bridge - added support for DHCP Snooping (disables hardware offloading, CLI only);
Could we please get some examples of how to use these features on the Wiki ?

I cannot see any of the options I would expect, e.g. being able to set the contents of the Option-82 injection string with variables for the first feature, or being able to specify the valid DHCP server for the second.

I second that!

Posted: **Wed Aug 15, 2018 11:08 am**

Hello,

Funny thing after Version 6.43rc56 , my DHCPv6 client is showing in red in winbox, even though everything is working, and my ipv6 connectivity is ok. Still after after re-creating it from scratch... Not a big deal, but...

ipv6.JPG

Posted: **Wed Aug 15, 2018 11:57 am**

*) ike1 - zero out reserved bytes in NAT-OA payload;

I tested it again with Draytek router behind NAT and now it works OK!
Thanks!

Posted: **Thu Aug 16, 2018 12:31 am**

*) console - added "dont-require-permissions" parameter for scripts;

How does this one work? Any specific commands that it works with?

Posted: **Thu Aug 16, 2018 4:16 am**

I notice that in 6.43rc34 the /interface bridge vlan untagged= configuration no longer strips all the C-tags from a packet with multiple C-tags. Instead it only strips the top C-tag.
Will this be the case in the production version?
If so, would it be possible to reinstate the former behaviour as an option?

Posted: **Thu Aug 16, 2018 7:02 am**

*) bridge - added support for BPDU Guard (CLI only);

Where I can change this settings via CLI?

Posted: **Thu Aug 16, 2018 10:39 am**

IntrusDave - you can find more information about this option here:
https://wiki.mikrotik.com/wiki/Manual:S ... repository
https://wiki.mikrotik.com/wiki/Manual:T ... Properties

diablothebest - this can be done under /interface bridge port
https://wiki.mikrotik.com/wiki/Manual:I ... t_Settings

ath - can you please port an example and configuration when this was working?

Posted: **Fri Aug 17, 2018 11:00 pm**

Funny thing after Version 6.43rc56 , my DHCPv6 client is showing in red in winbox, even though everything is working, and my ipv6 connectivity is ok. Still after after re-creating it from scratch... Not a big deal, but...

Same in Webfig and Terminal. DHCPv6 client Flag = I - invalid.
IPv6 connection works without problems.

[admin@migo] /ipv6 route> check
status: ok
interface: pppoe-out1
nexthop: ::

[admin@migo] /ipv6 route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
#      DST-ADDRESS               GATEWAY                  DISTANCE
0 ADS	 ::/0			pppoe-out1			1
1 DS	 ::/0			fe80::90:1a00:2a3:47c...	1
2 ADSU	 2001:4dd2:8986::/48					1
3 ADC	 2001:4dd2:8986::/64    bridge-local			0

[admin@migo] /ipv6 dhcp-client> print
Flags: D - dynamic, X - disabled, I - invalid
#    INTERFACE	STATUS          REQUEST         PREFIX            ADDRESS
0  I	pppoe-out1       bound              prefix             2001:4dd2:8986::/48, 22h28m17s

Posted: **Sat Aug 18, 2018 1:32 am**

So, I spun up a brand new CHR in AWS and updated it to 6.43rc56, to play around with it. One of my main goals was to update the ruby 'mtik' gem to use the new login method, so that when the 6.43 is eventually released for real, I can continue to use it.

Oddly, though, the old login method still seemed to work on 6.43rc56. Is it intended that both methods are available at the moment? While that certainly provides a better transitional user experience, it does seem to imply that the unhashed password is still being stored (at least insofar as I understand the challenge-response login process).

Can anyone clarify this?

Posted: **Sat Aug 18, 2018 9:19 pm**

Just posting a datapoint that the disable-pmkid=yes option works flawlessly with android, iphone, ipad, 2x windows 10 laptop, a macbook pro and a LG smart tv.

Posted: **Mon Aug 20, 2018 11:53 pm**

Version 6.43rc56 has been released.

*) w60g - stop doing distance measurements after first successful measurement;

I have to report, that distance measurement does not work correctly. On AP side it reports 706.54m while on client side just 374.28m (374.28 is the correct distance)

Posted: **Wed Aug 22, 2018 5:02 pm**

hi guys, it seems to me that it is still not possible to change the date format in dd / mm / yyyy. It would be very useful as I also work with userman reports.
Does anyone have a solution?
thank you
Valerio

Posted: **Wed Aug 22, 2018 5:04 pm**

hi guys, it seems to me that it is still not possible to change the date format in dd / mm / yyyy. It would be very useful as I also work with userman reports.
Does anyone have a solution?
thank you
Valerio

I agree with that, it should be possible to have a system setting that changes the date format everywhere, but it would be feature request not something for the v6.43rc topic.

Posted: **Wed Aug 22, 2018 5:09 pm**

very strange, now all the devices have the ability to change the format of the date ....
I am amazed that until now nobody has raised the problem

Posted: **Thu Aug 23, 2018 12:07 am**

Version 6.43rc56 as well as version 6.43rc51 are good builds for 951Ui-2nD.WAN PPPoE stability , good wireless signal for what i use in my house.No problems for a casual SOHO user.

Posted: **Thu Aug 23, 2018 8:15 pm**

I lose my UserManager database on last RC!

Posted: **Thu Aug 23, 2018 8:17 pm**

Lost all userman data on last RC...

Posted: **Thu Aug 23, 2018 8:52 pm**

very strange, now all the devices have the ability to change the format of the date ....
I am amazed that until now nobody has raised the problem

viewtopic.php?t=134098

Posted: **Fri Aug 24, 2018 10:12 am**

Version 6.43rc64 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

MAJOR CHANGES IN v6.43:
----------------------
!) api - changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
!) backup - do not encrypt backup file unless password is provided;
!) btest - requires at least v6.43 Bandwidth Test client when connecting to v6.43 or later version server except when authentication is not required;
!) cloud - added IPv6 support;
!) cloud - added support for licensed CHR instances (including trial);
!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);
!) mac-telnet - require at least v6.43 MAC Telnet client when connecting to v6.43 or later version server;
!) radius - use MS-CHAPv2 for "login" service authentication;
!) romon - require at least v6.43 RoMON agent when connecting to v6.43 or later RoMON client device;
!) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;
!) webfig - improved authentication process;
!) winbox - improved authentication process excluding man-in-the-middle possibility;
!) winbox - minimal required version is v3.15;
----------------------

Other changes in this release:

*) bridge - added an option to manually specify ports that have a multicast router (CLI only);
*) bridge - added a warning when untrusted port receives a DHCP Server message when DCHP Snooping is enabled;
*) bridge - added more options to fine-tune IGMP Snooping enabled bridges (CLI only);
*) bridge - added support for DHCP Option 82 (CLI only);
*) bridge - added support for DHCP Snooping (CLI only);
*) bridge - added support for IGMP Snooping fast-leave feature (CLI only);
*) cloud - close local UDP port if no activity;
*) console - made "once" parameter mandatory when using "as-value" on "monitor" commands;
*) console - removed automatic swapping of "from=" and "to=" in "for" loops;
*) crs326/crs328 - fixed packet forwarding when port changes states with IGMP Snooping enabled;
*) crs3xx - added hardware support for DHCP Snooping and Option 82;
*) crs3xx - fixed packet forwarding when "frame-type" is changed (introduced in v6.43rc51);
*) crs3xx - fixed SwOS config import;
*) defconf - fixed default configuration for RBSXTsq5nD;
*) dhcpv6-client - fixed false invalid flag (introduced in v6.43rc56);
*) fetch - added "as-value" output format;
*) fetch - fixed address and DNS verification in certificates;
*) health - added missing parameters from export;
*) ipsec - added warning messages for incorrect peer configuration;
*) ipsec - improved stability when using IPsec with disabled route cache;
*) leds - fixed LED behaviour when bonding is configured on SFP+ interfaces;
*) lte - added "sector-id" to info command;
*) lte - fixed SIM7600 series module support with newer device IDs;
*) ppp - added support for Alfa Network U4G modem;
*) rb3011 - added IPsec hardware acceleration support;
*) snmp - added EAP identity to CAPsMAN registration table;
*) supout - added monitored bridge VLAN table to supout file;
*) switch - added CPU Flow Control settings for devices with a Atheros8227, QCA8337, Atheros8327, Atheros7240 or Atheros8316 switch chips;
*) tr069-client - use SNI extension for HTTPS;
*) ups - improved UPS serial parsing stability;
*) w60g - added "beamforming-event" stats counter;
*) w60g - fixed random disconnects;
*) w60g - general stability and performance improvements;
*) wireless - accept only valid path for sniffer output file parameter;
*) wireless - added "czech republic 5.8" regulatory domain information;
*) wireless - added "etsi2" regulatory domain information;
*) wireless - added option to disable PMKID for WPA2;
*) wireless - updated "czech republic" regulatory domain information;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Note that release candidate versions are published strictly for testing purposes and should not be used on production routers.

Posted: **Fri Aug 24, 2018 11:07 am**

*) rb3011 - added IPsec hardware acceleration support;

That was.. unexpected!

Posted: **Fri Aug 24, 2018 11:26 am**

Dear Mikrotik stuff,
please add dhcp option82 to dhcp server

Posted: **Fri Aug 24, 2018 11:32 am**

Already possible with RADIUS server.

Posted: **Fri Aug 24, 2018 12:23 pm**

*) rb3011 - added IPsec hardware acceleration support;
That was.. unexpected!

very-very-very-very big thanks for the Miki stuff if it works

If they fix the web proxy ipv6 website support too that will makes me very happy

Posted: **Fri Aug 24, 2018 12:55 pm**

*) rb3011 - added IPsec hardware acceleration support;

That was.. unexpected!

And VERY VERY welcome! Thanks Mktik!

Posted: **Fri Aug 24, 2018 1:01 pm**

Already possible with RADIUS server.

Yes i know that.
But to keep radius only for option82 not very smart. isn't?

Posted: **Fri Aug 24, 2018 1:20 pm**

The winbox behaviour where winbox closes upon reconnecting to a previously broken connection, is again here since v3.16. It occurs not always, but quite often. Mktik, can you please look into it?

Another issue: I am trying to connect to a device via RoMON which runs over a EoIP connection (L2 only, not bridged, no IPs) which is established over a L2TP tunnel. Even though the L2TP tunnel is quite stable, winbox cannot stay connected for more than a few seconds at a time. Actually, winbox opens the RoMON connection, but any list (say, interfaces) shows up empty and after a few seconds the window closes. Any ideas?

Posted: **Fri Aug 24, 2018 3:13 pm**

*) wireless - added "czech republic 5.8" regulatory domain information;
*) wireless - updated "czech republic" regulatory domain information;

Is it what I mean? So now we'll have two czech 5GHz ranges now - one for traditional channels and second for channels over 5700 which can have max transmit power 20dBi only?
If yes, It's great! Because now I have big problem if I have the wireless link calculated for 30dBi and DFS switches to channel over 5700 and 20dBi..

Posted: **Fri Aug 24, 2018 3:33 pm**

[admin@MikroTik] > :put [/tool fetch https://www.eworm.de/ip/ output=user as-value ]
data=80.133.168.147;downloaded=0;duration=00:00:01;status=finished

Finally we can fetch data without writing and reading a file. Thanks a lot!

Looks like it's required to cut the data part, though... Or is there a way to put the data only into a variable?

Posted: **Fri Aug 24, 2018 3:34 pm**

*) rb3011 - added IPsec hardware acceleration support;

Maybe we could have some hope that RB750Gr3 would get HW support sooooon.

Posted: **Fri Aug 24, 2018 3:36 pm**

*) rb3011 - added IPsec hardware acceleration support;
Maybe we could have some hope that RB750Gr3 would get HW support sooooon.

It has support for harware ipsec for a long time...

Posted: **Fri Aug 24, 2018 3:38 pm**

Maybe we could have some hope that RB750Gr3 would get HW support sooooon.

RB750 Gr3 does have hardware acceleration of IPsec ever since the first release. What it does not have is "hardware acceleration" of VLAN handling on the switch chip.

Posted: **Fri Aug 24, 2018 3:55 pm**

What it does not have is "hardware acceleration" of VLAN handling on the switch chip.

Unfortunately this is true for most devices, some of them have quite a decent switch chip built in.

Posted: **Fri Aug 24, 2018 3:56 pm**

Code: Select all
[admin@MikroTik] > :put [/tool fetch https://www.eworm.de/ip/ output=user as-value ]
data=80.133.168.147;downloaded=0;duration=00:00:01;status=finished
Finally we can fetch data without writing and reading a file. Thanks a lot!

Looks like it's required to cut the data part, though... Or is there a way to put the data only into a variable?

[admin@MikroTik] > :global test
[admin@MikroTik] > :set test [ / tool fetch https://www.eworm.de/ip/ output=user as-value ]
[admin@MikroTik] > :put [ :pick $test 0 ]
80.133.168.147

Works!
Thanks Mikrotik!

(BTW, what the hell make the formatting go nuts?)

Posted: **Fri Aug 24, 2018 3:59 pm**

Never mind.

Posted: **Fri Aug 24, 2018 4:00 pm**

eworm, proper syntax would be:

:local test ([tool fetch url="https://www.eworm.de/ip" output=user as-value]->"data");
:put $test;

https://wiki.mikrotik.com/wiki/Manual:T ... a_variable

Posted: **Fri Aug 24, 2018 4:03 pm**

eworm, proper syntax would be:
Code: Select all
:local test ([tool fetch url="https://www.eworm.de/ip" output=user as-value]->"data");
:put $test;
https://wiki.mikrotik.com/wiki/Manual:T ... a_variable

Even better! Thanks a lot!

Posted: **Fri Aug 24, 2018 4:04 pm**

I lost all ipsec connections after updating to rc64 because of a bug in peer profiles.

Posted: **Fri Aug 24, 2018 4:12 pm**

osc86, we are aware of the issue. It will be fixed until 6.43 is released in current release channel.

Posted: **Fri Aug 24, 2018 4:18 pm**

(BTW, what the hell make the formatting go nuts?)

You have to use preview and add some empty lines before the [code] ones where necessary.

Posted: **Fri Aug 24, 2018 8:07 pm**

osc86, we are aware of the issue. It will be fixed until 6.43 is released in current release channel.

Something must have been changed with ipsec processing in rc64. No traffic is passing through the tunnels.
I moved back to 56, where everything works fine.

Posted: **Fri Aug 24, 2018 8:27 pm**

osc86, we are aware of the issue. It will be fixed until 6.43 is released in current release channel.

It would be nice if that would also be communicated in the changelog if something gets broken in the process and there is knowledge about that. Preferable also in red to warn.
Saves downgrades for some who are using that specific feature.

Posted: **Fri Aug 24, 2018 8:50 pm**

osc86, we are aware of the issue. It will be fixed until 6.43 is released in current release channel.
Something must have been changed with ipsec processing in rc64. No traffic is passing through the tunnels.
I moved back to 56, where everything works fine.

Contact support with attached supout file.

Posted: **Fri Aug 24, 2018 9:10 pm**

And what about making radius login scheme selectable. chap for people who use static shit that can be challenged pap for us who only use one time passwords.

Posted: **Fri Aug 24, 2018 9:12 pm**

And what about making radius login scheme selectable. chap for people who use static shit that can be challenged pap for us who only use one time passwords. And therefore Inherrently dosen't have anything to do a challenge on. (CHAP is unusable in this case)

Posted: **Sat Aug 25, 2018 3:53 am**

I updated to rc64, but it seems I can not communicate with ipv6. There was no problem with at least rc56.
We used netinstall to reintroduce rc64, but the situation has not changed.

Posted: **Sun Aug 26, 2018 2:06 pm**

I updated to rc64, but it seems I can not communicate with ipv6. There was no problem with at least rc56.

Same problem here, I updated from rc51 to rc64 and now the mikrotik does not seems to forward ipv6 packets anymore.

Posted: **Mon Aug 27, 2018 12:10 pm**

I updated to rc64, but it seems I can not communicate with ipv6. There was no problem with at least rc56.
Same problem here, I updated from rc51 to rc64 and now the mikrotik does not seems to forward ipv6 packets anymore.

Strange, all works fine here after upgrading to rc64

Posted: **Mon Aug 27, 2018 9:47 pm**

*) rb3011 - added IPsec hardware acceleration support;

VERY VERY welcome! Thanks Mktik!

Posted: **Tue Aug 28, 2018 7:57 am**

*) rb3011 - added IPsec hardware acceleration support;
VERY VERY welcome! Thanks Mktik!

Has anybody tried it? Any positive changes? Are CPU loads lower? Is it stable?

Posted: **Tue Aug 28, 2018 12:05 pm**

Has anybody tried it? Any positive changes? Are CPU loads lower? Is it stable?

IPsec throughput test results will be published on the RB3011 product page in the next few days. Currently one user has reported a kernel failure caused by the new hardware acceleration. We are looking into it and hopefully will be able to fix it in the next release candidate version. Initial tests show approximately 4 times higher throughput compared to software encryption.

Posted: **Tue Aug 28, 2018 10:42 pm**

I cant update CCR1009-7G-1C from 6.43rc51 to 6.43rc64, i click check for updates, download&install, after reboot i still have old version.Tried also manually downloading the file and puting into root and rebooting, same thing.

EDIT:I figured it , i had other router package so it failed to select proper one to install.

Posted: **Thu Aug 30, 2018 8:34 am**

Version 6.43rc66 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

MAJOR CHANGES IN v6.43:
----------------------
!) api - changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
!) backup - do not encrypt backup file unless password is provided;
!) btest - requires at least v6.43 Bandwidth Test client when connecting to v6.43 or later version server except when authentication is not required;
!) cloud - added IPv6 support;
!) cloud - added support for licensed CHR instances (including trial);
!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);
!) mac-telnet - require at least v6.43 MAC Telnet client when connecting to v6.43 or later version server;
!) radius - use MS-CHAPv2 for "login" service authentication;
!) romon - require at least v6.43 RoMON agent when connecting to v6.43 or later RoMON client device;
!) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;
!) webfig - improved authentication process;
!) winbox - improved authentication process excluding man-in-the-middle possibility;
!) winbox - minimal required version is v3.15;
----------------------

Changes in this release:

*) bridge - added support for BPDU Guard;
*) bridge - added support for DHCP Snooping;
*) bridge - ignore tagged BPDUs when bridge VLAN filtering is used;
*) certificate - fixed RA "server-url" setting;
*) console - added "dont-require-permissions" parameter for scripts;
*) dhcpv6-client - improved dynamic IPv6 pool addition process;
*) ipsec - added "responder" parameter for "mode-config" to allow multiple initiator configurations;
*) ipsec - fixed AES-192-CTR fallback to software AEAD on ARM devices with wireless and RB3011UiAS-RM;
*) ipsec - fixed "static-dns" value storing;
*) ipsec - improved invalid policy handling when a valid policy is uninstalled;
*) ipsec - separate phase1 proposal configuration from peer menu;
*) l2tp - allow setting "max-mtu" and "max-mru" bigger than 1500;
*) lte - fixed LTE registration in 2G/3G mode;
*) ppp - added support for Telit LM940 modem;
*) rb3011 - added IPsec hardware acceleration support;
*) snmp - fixed interface speed reporting for predefined rates;
*) supout - added "files" section to supout file;
*) switch - added CPU Flow Control settings for devices with a Atheros8227, QCA8337, Atheros8327, Atheros7240 or Atheros8316 switch chip;
*) tr069-client - allow editing of "provisioning-code" attribute;
*) userman - fixed "shared-secret" parameter requiring "sensitive" policy;
*) webfig - fixed www service becoming unresponsive;
*) winbox - added "tag-stacking" option to "Bridge/Ports";
*) winbox - fixed "bad-blocks" value presence under "System/Resources";
*) winbox - fixed "IP/IPsec/Peers" section sorting;
*) winbox - renamed "VLAN Protocol" to "EtherType" under bridge interface "VLAN" tab;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that has such feature;
*) wireless - accept only valid path for sniffer output file parameter;
*) wireless - require "sniff" policy for wireless sniffer;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Note that release candidate versions are published strictly for testing purposes and should not be used on production routers.

Posted: **Thu Aug 30, 2018 9:47 am**

just installed latest rc to test dhcp snooping and was amazed how fast winbox connects remotely to my rb at office that i upgraded.

Posted: **Thu Aug 30, 2018 10:07 am**

I updated a system from 6.42.7 to 6.43rc66, now my ipsec connections are broken... Peer configuration had a comment about wrong parameter (can't give the exact wording). Switched mode-config to "none", now setting it to "request-only" fails:

[admin@Mikrotik] > / ip ipsec peer set mode-config=request-only [ find where !dynamic ]
failure: Wrong mode-config

Posted: **Thu Aug 30, 2018 10:09 am**

Send a supout.rif file to support@mikrotik.com

Posted: **Thu Aug 30, 2018 10:41 am**

Send a supout.rif file to support@mikrotik.com

Done, Ticket#2018083022003478

Posted: **Thu Aug 30, 2018 10:50 am**

As usual, client PC under Routerboard can not connect with IPv6.
Also, if you try to disable dhcp-snooping or option 82 again and enable it again, it is confirmed that the command times out.

[Ticket#2018083022003334]

Posted: **Thu Aug 30, 2018 10:54 am**

I updated a system from 6.42.7 to 6.43rc66, now my ipsec connections are broken... Peer configuration had a comment about wrong parameter (can't give the exact wording). Switched mode-config to "none", now setting it to "request-only" fails:
Code: Select all
[admin@Mikrotik] > / ip ipsec peer set mode-config=request-only [ find where !dynamic ]
failure: Wrong mode-config

Worked around the issue:

/ ip ipsec mode-config add name=request responder=no system-dns=no
/ ip ipsec peer set mode-config=request [ find where !dynamic ]

So my system is up and running, but I suppose this is not how things are supposed to work.

Posted: **Thu Aug 30, 2018 8:21 pm**

As usual, client PC under Routerboard can not connect with IPv6.
Also, if you try to disable dhcp-snooping or option 82 again and enable it again, it is confirmed that the command times out.

[Ticket#2018083022003334]

Problems were solved by netinstalling Routerboard, which can not be connected normally from client PC under Routerboard with ipv6.
However, it is unknown whether this correspondence is satisfactory.

Posted: **Sat Sep 01, 2018 10:53 pm**

I can't change the name of the admin user:

[admin@MikroTik] > /user set 0 name=test
failure: user name can't be changed

nor any other user.

Posted: **Sun Sep 02, 2018 11:47 am**

There is a problem with 6.43RC66 on hAP AC2. My router reboot itself with info in log file: system,error,critical System rebooted because of kernel failure every half hour to 6 hours.

Posted: **Sun Sep 02, 2018 1:39 pm**

Can you fetch autosupout.rif from the device and send it to support?

Posted: **Sun Sep 02, 2018 9:12 pm**

Sorry, I can't. I downgraded soft to 6.42.7

Posted: **Thu Sep 06, 2018 4:46 pm**

Technically this is not about the release candidate version, posting here because of changelog:

!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);

Me device is running current version 6.42.7 and I want to update the latest release candidate. Looks like disabling ddns fails:

[admin@MikroTik] > / ip cloud set ddns-enabled=no
[admin@MikroTik] > / ip cloud print
    ddns-enabled: no
     update-time: yes
  public-address: 198.51.100.65
        dns-name: xxxxxxxx.sn.mynetname.net
          status: Error: request timed out

I can still query dns for my address. This should remove the record from dns, no?

Posted: **Thu Sep 06, 2018 5:47 pm**

After a while ... depends on how often is RB supposed to renew the DDNS record. If you turn cloud off, cloud (hopefully) doesn't know it and records have to expire.

Posted: **Thu Sep 06, 2018 5:55 pm**

After a while ... depends on how often is RB supposed to renew the DDNS record. If you turn cloud off, cloud (hopefully) doesn't know it and records have to expire.

No. From https://wiki.mikrotik.com/wiki/Manual:IP/Cloud:

After router sends it's IP address to the cloud server, it will stay on the server permanently. DNS name (/ip cloud dns-name) will resolve to last sent IP address. When user set /ip cloud set ddns-enabled=no router will send message to server to disable DNS name for this routerboard.

Posted: **Thu Sep 06, 2018 6:16 pm**

After a while ... depends on how often is RB supposed to renew the DDNS record. If you turn cloud off, cloud (hopefully) doesn't know it and records have to expire.
No. From https://wiki.mikrotik.com/wiki/Manual:IP/Cloud:

After router sends it's IP address to the cloud server, it will stay on the server permanently. DNS name (/ip cloud dns-name) will resolve to last sent IP address. When user set /ip cloud set ddns-enabled=no router will send message to server to disable DNS name for this routerboard.

Posted: **Thu Sep 06, 2018 9:59 pm**

Technically this is not about the release candidate version, posting here because of changelog:

!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);
Me device is running current version 6.42.7 and I want to update the latest release candidate. Looks like disabling ddns fails:
Code: Select all
[admin@MikroTik] > / ip cloud set ddns-enabled=no
[admin@MikroTik] > / ip cloud print
    ddns-enabled: no
     update-time: yes
  public-address: 198.51.100.65
        dns-name: xxxxxxxx.sn.mynetname.net
          status: Error: request timed out
I can still query dns for my address. This should remove the record from dns, no?

Works now, at least after some retries. Possibly the servers were too loaded?

Posted: **Fri Sep 07, 2018 9:24 pm**

As usual, client PC under Routerboard can not connect with IPv6.
Also, if you try to disable dhcp-snooping or option 82 again and enable it again, it is confirmed that the command times out.

[Ticket#2018083022003334]

If IPv6 is configured on a bridge, you may need to mark the bridge port as "Trusted".
This resolved the issue for us.

Posted: **Sat Sep 08, 2018 4:40 pm**

I can't change the name of the admin user:

[admin@MikroTik] > /user set 0 name=test
failure: user name can't be changed

nor any other user.

same here.

rc56 was fine.

MikroTik

v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!

Re: v6.43rc [release candidate] is released!