Page 1 of 1

v6.43 [current] is released!

Posted: Mon Sep 10, 2018 9:52 am
by emils
RouterOS version 6.43 has been released in public "current" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.43 (2018-Sep-06 12:44):

MAJOR CHANGES IN v6.43:
----------------------
!) api - changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
!) backup - do not encrypt backup file unless password is provided;
!) btest - requires at least v6.43 Bandwidth Test client when connecting to v6.43 or later version server except when authentication is not required;
!) cloud - added IPv6 support;
!) cloud - added support for licensed CHR instances (including trial);
!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);
!) radius - use MS-CHAPv2 for "login" service authentication;
!) romon - require at least v6.43 RoMON agent when connecting to v6.43 or later RoMON client device;
!) webfig - improved authentication process;
!) winbox - improved authentication process excluding man-in-the-middle possibility;
!) winbox - minimal required version is v3.15;
----------------------

Changes in this release:

*) backup - added support for new backup file encryption (AES128-CTR) with signatures (SHA256);
*) backup - generate proper file name when devices identity is longer than 32 symbols;
*) bridge - add dynamic CAP interface to tagged ports if "vlan-mode=use-tag" is enabled;
*) bridge - added an option to manually specify ports that have a multicast router (CLI only);
*) bridge - added a warning when untrusted port receives a DHCP Server message when DCHP Snooping is enabled;
*) bridge - added ingress filtering options to bridge interface;
*) bridge - added initial Q-in-Q support;
*) bridge - added more options to fine-tune IGMP Snooping enabled bridges (CLI only);
*) bridge - added per-port based "tag-stacking" feature;
*) bridge - added support for BPDU Guard;
*) bridge - added support for DHCP Option 82;
*) bridge - added support for DHCP Snooping;
*) bridge - added support for IGMP Snooping fast-leave feature (CLI only);
*) bridge - fixed dynamic VLAN table entries when using ingress filtering;
*) bridge - fixed "ingress-filtering", "frame-types" and "tag-stacking" value storing;
*) bridge - forward LACPDUs when "protocol-mode=none";
*) bridge - ignore tagged BPDUs when bridge VLAN filtering is used;
*) bridge - improved packet handling;
*) bridge - improved packet processing when bridge port changes states;
*) bridge - improved performance when bridge VLAN filtering is used without hardware offloading;
*) bridge - renamed option "vlan-protocol" to "ether-type";
*) capsman - added ability to use chain 3 for "HT TX chains" and "HT RX chains" selections (CLI only);
*) capsman - allow to change "radio-name" (CLI only);
*) capsman - increase timeout for the CAP to CAPsMAN communication;
*) certificate - added "expires-after" parameter;
*) certificate - do not allow to perform "undo" on certificate changes;
*) certificate - fixed RA "server-url" setting;
*) check-installation - improved system integrity checking;
*) chr - added checksum offload support for Hyper-V installations;
*) chr - added large send offload support for Hyper-V installations;
*) chr - added multiqueue support on Xen installations;
*) chr - added support for multiqueue feature on "virtio-net";
*) chr - added virtual Receive Side Scaling support for Hyper-V installations (might require more RAM assigned than in previous versions);
*) chr - by default enable link state tracking for virtual drivers with "/interface ethernet disable-running-check=no";
*) chr - do not show IRQ entries from removed devices;
*) chr - fixed interface name assign process when running CHR on Hyper-V;
*) chr - fixed interface name order when "virtio-net is not being used on KVM installations;
*) chr - fixed MTU changing process when running CHR on Hyper-V;
*) chr - fixed NIC hotplug for "virtio-net";
*) chr - improved balooning process;
*) chr - improved boot time for Hyper-V installations;
*) chr - provide part of network interface GUID at the beginning of "bindstr2" value when running CHR on Hyper-V;
*) chr - reduced RAM memory required per interface;
*) cloud - added simultaneous IPv4/IPv6 support;
*) cloud - close local UDP port if no activity;
*) console - added "dont-require-permissions" parameter for scripts;
*) console - added error log message when netwatch tries to execute script with insufficient permissions;
*) console - added error log message when scheduler tries to execute script with insufficient permissions;
*) console - do not show spare parameters on ping command;
*) console - made "once" parameter mandatory when using "as-value" on "monitor" commands;
*) console - removed automatic swapping of "from=" and "to=" in "for" loops;
*) crs317 - fixed Ethernet inteface stuck on 100 Mbps speed;
*) crs326/crs328 - fixed packet forwarding when port changes states with IGMP Snooping enabled;
*) crs328 - fixed transmit on sfp-sfpplus1 and sfp-sfpplus2 interfaces;
*) crs3xx - added hardware support for DHCP Snooping and Option 82;
*) crs3xx - added Q-in-Q hardware offloading support;
*) crs3xx - do not report SFP interface as running when interface on opposite side is disabled;
*) crs3xx - fixed ACL rate rules (introduced in v6.41rc27);
*) crs3xx - fixed flow control;
*) crs3xx - fixed SwOS config import;
*) defconf - fixed default configuration for RBSXTsq5nD;
*) defconf - fixed missing bridge ports after configuration reset;
*) dhcp - added dynamic IPv4/IPv6 "dual-stack" simple queue support, based on client's MAC address;
*) dhcp - reduced resource usage of DHCP services;
*) dhcpv4-client - fixed DHCP client that was stuck on invalid state;
*) dhcpv4-client - fixed double ACK packet handling;
*) dhcpv4-server - added "allow-dual-stack-queue" implementation (CLI only);
*) dhcpv4-server - do not allow override lease "always-broadcast" value based on offer type;
*) dhcpv4-server - improved performance when "rate-limit" and/or "address-list" setting is present;
*) dhcpv6-client - added missing "Server identifier" parameter in release message;
*) dhcpv6-client - fixed "add-default-route" parameter;
*) dhcpv6-client - fixed option handling;
*) dhcpv6-client - improved dynamic IPv6 pool addition process;
*) dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time";
*) dhcpv6-server - added "allow-dual-stack-queue" implementation (CLI only);
*) dhcpv6-server - added initial dynamic simple queue support;
*) dhcpv6-server - do not allow to run DHCPv6 server on slave interface;
*) dhcpv6-server - fixed dynamic simple queue creation for RADIUS bindings;
*) dns - fixed DNS cache service becoming unresponsive when active Hotspot server is present on the router (introduced in 6.42);
*) dude - fixed client auto upgrade (broken since 6.43rc17);
*) ethernet - do not show "combo-state" field if interface is not SFP or copper;
*) ethernet - properly handle Ethernet interface default configuration;
*) export - do not show w60g password on "hide-sensitive" type of export;
*) fetch - added "as-value" output format;
*) fetch - fixed address and DNS verification in certificates;
*) filesystem - fixed NAND memory going into read-only mode (requires "factory-firmware" >= 3.41.1 and "current-firmware" >= 6.43);
*) filesystem - improved software crash handling on devices with FLASH type memory;
*) health - added missing parameters from export;
*) health - fixed voltage measurements for RB493G devices;
*) health - improved speed of health measurement readings;
*) hotspot - allow to properly configure Hotspot directory on external disk for devices that have flash type storage;
*) hotspot - fixed RADIUS CoA & PoD by allowing to accept "NAS-Port-Id";
*) ike1 - added unsafe configuration warning for main mode with pre-shared-key authentication;
*) ike1 - purge both SAs when timer expires;
*) ike1 - zero out reserved bytes in NAT-OA payload;
*) ike2 - fixed initiator first policy selection;
*) ike2 - fixed rekeyed child deletion during another exchange;
*) ike2 - improved basic exchange logging readability;
*) ike2 - use "/32" netmask by default on initiator if not provided by responder;
*) interface - improved interface "last-link-down-time" and "last-link-up-time" values;
*) interface - improved reliability on dynamic interface handling;
*) ippool - improved used address error message;
*) ipsec - added "responder" parameter for "mode-config" to allow multiple initiator configurations;
*) ipsec - added "src-address-list" parameter for "mode-config" that generates dynamic "src-nat" rule;
*) ipsec - added warning messages for incorrect peer configuration;
*) ipsec - do not allow removal of "proposal" and "mode-config" entries that are in use;
*) ipsec - fixed AES-192-CTR fallback to software AEAD on ARM devices with wireless and RB3011UiAS-RM;
*) ipsec - fixed AES-CTR and AES-GCM key size proposing as initiator;
*) ipsec - fixed "static-dns" value storing;
*) ipsec - improved invalid policy handling when a valid policy is uninstalled;
*) ipsec - improved reliability on generated policy addition when IKEv1 or IKEv2 used;
*) ipsec - improved stability when using IPsec with disabled route cache;
*) ipsec - install all DNS server addresses provided by "mode-config" server;
*) ipsec - separate phase1 proposal configuration from peer menu;
*) ipsec - separate phase1 proposal configuration from peer menu;
*) ipsec - use monotonic timer for SA lifetime check;
*) kidcontrol - allow to edit discovered devices;
*) l2tp - allow setting "max-mtu" and "max-mru" bigger than 1500;
*) led - improved w60g alignment trigger;
*) leds - fixed LED behaviour when bonding is configured on SFP+ interfaces;
*) log - fixed false log warnings about system status after power on for CRS328-4C-20S-4S+;
*) log - show interface name on OSPF "different MTU" info log messages;
*) lte - added additional D-Link PIDs;
*) lte - added additional ID support for SIM7600 modem;
*) lte - added additional low endpoint SIM7600 PIDs;
*) lte - added eNB ID to info command;
*) lte - added extended LTE signal info for SIM7600 modules;
*) lte - added extended signal information for Quectel LTE EC25 and EP06 modem;
*) lte - added ICCID reading for info command R11e-LTE and R11e-LTE-US;
*) lte - added "registration-status" parameter under "/interface lte info" command;
*) lte - added roaming status reading for info command;
*) lte - added "sector-id" to info command;
*) lte - added support for alternative SIM7600 PID;
*) lte - added support for Novatel USB730LN modem with new ID;
*) lte - added support for Quanta 1k6e modem;
*) lte - allow to execute concurrent internal AT commands;
*) lte - allow to use multiple PLS modems at the same time;
*) lte - do not allow to remove default APN profile;
*) lte - do not allow to send "at-chat" commands for configless modems;
*) lte - expose GPS channel for PLS modems;
*) lte - fixed LTE registration in 2G/3G mode;
*) lte - fixed SIM7600 registration info;
*) lte - fixed SIM7600 series module support with newer device IDs;
*) lte - ignore empty MAC addresses during Passthrough discovery phase;
*) lte - improved modem event processing;
*) lte - improved r11e-LTE and r11e-LTE-US dialling process;
*) lte - improved r11e-LTE configuration exchange process;
*) lte - improved reading of SMS message after entering running state;
*) lte - improved readings of info command results for the SXT LTE;
*) lte - improved stability of USB LTE interface detection process;
*) lte - properly detect interface state when running for IPv6 only connection for R11e-LTE modem;
*) lte - renamed LTE scan tool field "scan-code" to "mcc-mnc";
*) lte - show UICC in correct format for SXT LTE devices;
*) lte - use "/32" address for the Passthrough feature when R11e-LTE module is used;
*) lte - use alphanumeric operator format in info command;
*) mac-telnet - improved reliability when connecting from RouterOS versions prior 6.43;
*) multicast - allow to add more than one RP per IP address for PIM;
*) ntp - allow to specify link-local address for NTP server;
*) ospf - improved link-local LSA flooding;
*) ospf - improved stability when originating LSAs with OSPFv3;
*) package - renamed "current-version" to "installed-version" under "/system package install";
*) ppp - added support for additional ID for E3531 modem;
*) ppp - added support for Alfa Network U4G modem;
*) ppp - added support for Telit LM940 modem;
*) ppp - improved modem mode switching;
*) ppp - show comments from "/ppp secrets" menu within "/ppp active" menu when client is connected;
*) quickset - recognize 160 MHz channel as HomeAP mode;
*) rb1100ahx4 - added DES and 3DES hardware acceleration support;
*) romon - fixed RoMON services becoming unavailable after disabled once during active scanning process;
*) romon - properly classify RoMON sessions in log and active users list;
*) routerboard - allow to fill up to half of the RAM memory with files on devices with FLASH storage;
*) routerboard - fixed "protected-routerboot" feature (introduced in v6.42);
*) routerboard - fixed wrongly reported RAM size on ARM devices;
*) routerboot - removed RAM test from TILE devices (routerboot upgrade required);
*) sfp - fixed default advertised link speeds;
*) smb - fixed valid request handling when additional options are used;
*) sms - converted "keep-max-sms" feature to "auto-erase";
*) sms - do not require "port" and "interface" parameters when sending SMS if already present in configuration;
*) sms - improved reliability on SMS reader;
*) snmp - added CAPsMAN "remote-cap" table;
*) snmp - added EAP identity to CAPsMAN registration table;
*) snmp - added "phy-rate" reading for "station-bridge" mode;
*) snmp - added "temp-exception" trap;
*) snmp - fixed interface speed reporting for predefined rates;
*) snmp - fixed "remote-cap" peer MAC address format;
*) ssh - disconnect all active connections when device gets rebooted or turned off;
*) ssh - strengthen strong-crypto (add aes-128-ctr and disallow hmac sha1 and groups with sha1);
*) supout - added "files" section to supout file;
*) supout - added info log message when supout file is created;
*) supout - added monitored bridge VLAN table to supout file;
*) supout - added "w60g" section to supout file;
*) switch - added CPU Flow Control settings for devices with a Atheros8227, QCA8337, Atheros8327, Atheros7240 or Atheros8316 switch chip;
*) switch - added support for port isolation by switch chip;
*) switch - fixed possible switch chip hangs after initialization on MediaTek and Atheros8327 switch chips;
*) swos - implemented "/system swos" menu that allows to upgrade, reset, save or load configuration and change address for dual-boot CRS devices (CLI only);
*) tile - added DES and 3DES hardware acceleration support;
*) tile - fixed false HW offloading flag for MPLS;
*) tr069-client - allow editing of "provisioning-code" attribute;
*) tr069-client - fixed setting of "DeviceInfo.ProvisioningCode" parameter;
*) tr069-client - use SNI extension for HTTPS;
*) upgrade - fixed RouterOS upgrade process from RouterOS v5 on PowerPC;
*) ups - improved UPS serial parsing stability;
*) usb - fixed modem initialisation on LtAP mini;
*) usb - fixed power-reset for hAP ac^2 devices;
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
*) userman - fixed "shared-secret" parameter requiring "sensitive" policy;
*) vrrp - improved reliability on VRRP interface configured as a bridge port when "use-ip-firewall" is enabled;
*) w60g - added "beamforming-event" stats counter;
*) w60g - fixed random disconnects;
*) w60g - general stability and performance improvements;
*) watchdog - added "ping-timeout" setting;
*) webfig - do not automatically re-log in after logging out;
*) webfig - fixed occasional authentication failure when logging in;
*) webfig - fixed www service becoming unresponsive;
*) webfig - properly display time interval within Kid Control menu;
*) webfig - properly handle double clicking when logging in or out;
*) webfig - properly show NTP clients "last-adjustment" value;
*) winbox - added bridge Fast Forward statistics counters;
*) winbox - added "poe-fault" LED trigger;
*) winbox - added "tag-stacking" option to "Bridge/Ports";
*) winbox - allow to specify LTE interface when sending SMS;
*) winbox - fixed arrow key handling within table filter fields;
*) winbox - fixed "bad-blocks" value presence under "System/Resources";
*) winbox - fixed bridge port MAC learning parameter values;
*) winbox - fixed "IP/IPsec/Peers" section sorting;
*) winbox - fixed "write-sect-since-reboot" value presence under "System/Resources";
*) winbox - properly close session when uploading multiple files to the device at the same time;
*) winbox - removed duplicate "20/40/80MHz" value from "channel-width" setting options;
*) winbox - renamed "VLAN Protocol" to "EtherType" under bridge interface "VLAN" tab;
*) winbox - show HT MCS tab when "5ghz-n/ac" band is used;
*) winbox - show "Switch" menu on hAP ac^2 devices;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that has such feature;
*) wireless - accept only valid path for sniffer output file parameter;
*) wireless - accept only valid path for sniffer output file parameter;
*) wireless - added "czech republic 5.8" regulatory domain information;
*) wireless - added "etsi2" regulatory domain information;
*) wireless - added option for RADIUS "called-station-id" format selection;
*) wireless - added option to disable PMKID for WPA2;
*) wireless - do not disconnect clients when WDS master connects with MAC address "00:00:00:00:00:00";
*) wireless - fixed "/interface wireless sniffer packet print follow" output;
*) wireless - fixed wireless interface lockup after period of inactivity;
*) wireless - improved Nv2 reliability on ARM devices;
*) wireless - improved Nv2 stability for 802.11n interfaces on RB953, hAP ac and wAP ac devices;
*) wireless - require "sniff" policy for wireless sniffer;
*) wireless - updated "czech republic" regulatory domain information;
*) wireless - updated "germany 5.8 ap" and "germany 5.8 fixed p-p" regulatory domain information;
*) x86 - improved Ethernet driver for Davicom DM9x0x;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this concrete RouterOS release.

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 10:01 am
by freemannnn
wow. nice start of week!!!
ip cloud service and winbox connection so fast now.
dhcp snooping....love u guys!

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 10:43 am
by rushlife
super news, I will test it at soon as possible...
btw. It's a quite list of changes, you are doing great job, thx guys...

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 10:48 am
by bennyh
What about 3011 hardware IPSec acceleration, what introduced in RC?

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 10:53 am
by emils
Hardware accelerated IPsec for 3011 is not included in this release. Unfortunately, we could not get it working stable enough in time. It will be available in 6.44.

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 11:03 am
by petern
Sad to see this still here which is not good for anyone using radius to provide 2FA.
!) radius - use MS-CHAPv2 for "login" service authentication;

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 11:35 am
by bjornr
Interface speeds seem to be set explicitly after upgrading, is this related to the SNMP speed report changelog entry? I haven't tried connecting an interface at other speeds yet, but can I assume that this setting, while a part of /export, will change accordingly?
  /interface ethernet
- set [ find default-name=ether1 ] l2mtu=1582 name=ether1-gateway
- set [ find default-name=ether2 ] comment=node2
- set [ find default-name=ether3 ] comment=node3
- set [ find default-name=ether4 ] comment=node4
- set [ find default-name=ether5 ] comment=node5
+ set [ find default-name=ether1 ] l2mtu=1582 name=ether1-gateway speed=100Mbps
+ set [ find default-name=ether2 ] comment=node2 speed=100Mbps
+ set [ find default-name=ether3 ] comment=node3 speed=100Mbps
+ set [ find default-name=ether4 ] comment=node4 speed=100Mbps
+ set [ find default-name=ether5 ] comment=node5 speed=100Mbps

can't login with password on 6.43

Posted: Mon Sep 10, 2018 11:37 am
by vpithart
After `6.42.7` -> `6.43` and `/system routerboard upgrade`, login into the box doesn't accept the password anymore. Winbox: `wrong username or password`, ssh: keeps asking for password again and again. Lucky me having a ssh-key there.

It's `RB SXT G-5HPacD`, firmware-type: qca9550, factory-firmware: 3.14, current-firmware: 6.43, upgrade-firmware: 6.43. Using winbox 3.16.

Should anyone want supout.rif, email me.

Edit: Running `/ip ssh set always-allow-password-login=yes` after upgrade to 6.43 restores SSH password login. Winbox password login fails still.

Edit2:
Set the password to the same as before (/user set admin password=password1) -> winbox: `wrong username or password`
Set new password (/user set admin password=password2) -> winbox: login works again
Reset to the original pre-upgrade password (/user set admin password=password1) -> winbox: login still works.

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 11:43 am
by WirelessRudy
Now that's a list!

Question; is this list now mentioning everything changed/corrected since 6.42.7 or is it compared to 6.42?
Are any or all of these changes/corrections already available in previous v6.42.x versions?

If this is all new I might wait with installing this huge upgrade on my 6.42.6 and 6.42.7 devices. Experience learned me a new number version sometimes gives new issues as well, 'current' or not....
A long list like this one is prone to have some code errors in it that will only emerge if many other guinea pigs have installed this...

See how empty this tread stays the next days....

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 11:56 am
by Kindis
Just upgraded two CHR instances to 6.43 and all worked great but I cannot see Cloud under IP

!) cloud - added support for licensed CHR instances (including trial);

I do not see it in WinBox or via Webfig. Cleared cache and all that and does not appear. I can see it via console or SSH so I have managed to activate it but I still cannot see this via Winbox or Webfig.

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 12:10 pm
by osmoticzest
*) fetch - added "as-value" output format;
Assuming this is still the same functionality as described at https://wiki.mikrotik.com/wiki/Manual:T ... a_variable , I am surprised to find that when I do this:
/tool fetch mode=https host="mikrotik.com" url="https://mikrotik.com/aboutus" output=user as-value
I still receive a log line which reads
info fetch: file "aboutus" downloaded
even though no file appears to have been downloaded (and of course, I don't want it to be). Is this correct?

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 12:27 pm
by djdrastic
Wow that's a lot of changes

Some great features being added have to say.

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 12:29 pm
by mrz
Of course it will show "file downloaded", because to output something you need to download it first.

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 12:46 pm
by bennyh
Hardware accelerated IPsec for 3011 is not included in this release. Unfortunately, we could not get it working stable enough in time. It will be available in 6.44.
Cserkészbecsszó?
In english: Is it scout's honor to will be hw accel in 6.44? :)

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 12:47 pm
by OndrejHolas
Interface speeds seem to be set explicitly after upgrading, is this related to the SNMP speed report changelog entry? I haven't tried connecting an interface at other speeds yet, but can I assume that this setting, while a part of /export, will change accordingly?

I also have exactly the same in diff (RB750Gr3 6.42.7->6.43). In fact, nothing in configuration has changed, if you issue "/int eth exp verb" before upgrade, "speed=100Mbps" is also there, but in non-verbose export it is hidden as default. In 6.43, it is not hidden, probably default value is changed in 6.43. Nevertheless, when "auto-negotiation" is set to "yes" (default setting and thus hidden in non-verbose export in both versions), the "speed" setting has no effect, the port succesfully negotiates at best speed/duplex:

[admin@rb750gr3] > int eth exp
...
/interface ethernet
...
set [ find default-name=ether2 ] speed=100Mbps
...
[admin@rb750gr3] > int eth mon 1 once
name: ether2
status: link-ok
auto-negotiation: done
rate: 1Gbps
full-duplex: yes

tx-flow-control: no
rx-flow-control: no
advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
link-partner-advertising: 10M-half,10M-full,100M-half,100M-full,1000M-full



Ondrej

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 12:47 pm
by nightcom
RB3011, CRS326-24G-2S and RB750Gr3 upgraded with no problems

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 12:47 pm
by meesuk
Nice Job!

Thank you for your update about these.
*) bridge - add dynamic CAP interface to tagged ports if "vlan-mode=use-tag" is enabled;
*) bridge - improved performance when bridge VLAN filtering is used without hardware offloading;

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 12:48 pm
by bennyh
Hardware accelerated IPsec for 3011 is not included in this release. Unfortunately, we could not get it working stable enough in time. It will be available in 6.44.
Cserkészbecsszó?
In english: Is it scout's honor to will be hw accel in 6.44? :)

Nowadays I am too sceptic :)

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 1:05 pm
by eworm
*) fetch - added "as-value" output format;
Assuming this is still the same functionality as described at https://wiki.mikrotik.com/wiki/Manual:T ... a_variable , I am surprised to find that when I do this:
/tool fetch mode=https host="mikrotik.com" url="https://mikrotik.com/aboutus" output=user as-value
I still receive a log line which reads
info fetch: file "aboutus" downloaded
even though no file appears to have been downloaded (and of course, I don't want it to be). Is this correct?
The about-us site is a bad example, as it gives a lot of html output. See this example:
:put ([ /tool fetch url="https://www.eworm.de/ip/" output=user as-value ]->"data")
Or to put it into a variable:
:global result;
:set result ([ /tool fetch url="https://www.eworm.de/ip/" output=user as-value ]->"data");
:put $result;

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 1:22 pm
by alexvdbaan
bridge - add dynamic CAP interface to tagged ports if "vlan-mode=use-tag" is enabled;

Great work MT team!

I was wondering if you could elaborate on the dynamic vlan function? I can see that the Caps interfaces are included in the bridge and that the active interfaces are tagged in the dynamic vlan entry for PVID 1. I would expect that the dynamic caps interfaces are dynamically added to all the bridge vlan entries. I have also tried to add the Capsman interfaces in their own interface list. However the newly created interface list woith all the dynamic caps interfaces can not be selected in the bridge vlan entry.

Below the config for my test setup on 6.43
/interface bridge
add fast-forward=no name=Lo0 protocol-mode=none
add fast-forward=no name=bridge protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 pvid=666
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface bridge settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether2 vlan-ids=666
add bridge=bridge tagged=bridge,ether1 vlan-ids=200
add bridge=bridge tagged=bridge,ether4,ether5 vlan-ids=10,20,30,667

/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=vl10-data vlan-id=10 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=vl20-data vlan-id=20 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=vl30-data vlan-id=30 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=radius-data vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-eap disable-pmkid=yes eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=Radius-Sec
/caps-man configuration
add country=netherlands datapath=radius-data distance=indoors hide-ssid=no mode=ap name=DynVlan security=Radius-Sec ssid=AllVlan
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/upgrade upgrade-policy=require-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=vl667
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=DynVlan name-format=prefix-identity name-prefix=5Ghz-
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=DynVlan name-format=prefix-identity name-prefix=2.4Ghz-

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 1:48 pm
by colinardo
Nice work!

Found a LOG problem with an IPv6 DHCP-CLIENT. The log says there was an error adding the dynamic prefix pool, but it actually is created correctly. Cosmetic problem?
dhcp,error failed to add ipv6 pool MYPOOL: ok
Confused :-).

Best regards
@colinardo

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 2:07 pm
by mozerd
Found a LOG problem with an IPv6 DHCP-CLIENT. The log says there was an error adding the dynamic prefix pool, but it actually is created correctly. Cosmetic problem?
dhcp,error failed to add ipv6 pool MYPOOL: ok
.....
.......
Yes, I have a similar issue:with the current release 6.43
dhcp,error failed to add ipv6 pool rogers-ipv6: ok
but it actually is created correctly.

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 2:44 pm
by JanezFord
Upgraded about 7 devices but stopped further upgrading because I can't connect to my hEX any more - user/pass for admin not accepted any more... I can login by ssh-key. I see vptihart also had issues with winbox connectivity.

So be very careful with this upgrade, you may lock yourself out of your device !! :)

JF.

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 2:52 pm
by Steveocee
Have just moved my CHR up and cannot see any Winbox entry for IP>Cloud however terminal I can access it and apply it.

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 2:57 pm
by strods
IP/Cloud feature will be added to Winbox interface for CHR in upcoming versions.

DHCPv6 error log message is a cosmetic issue which also will be fixed soon. This error actually tells that there is no error.

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 3:08 pm
by becs
Interface speeds seem to be set explicitly after upgrading, is this related to the SNMP speed report changelog entry? I haven't tried connecting an interface at other speeds yet, but can I assume that this setting, while a part of /export, will change accordingly?
  /interface ethernet
- set [ find default-name=ether1 ] l2mtu=1582 name=ether1-gateway
- set [ find default-name=ether2 ] comment=node2
- set [ find default-name=ether3 ] comment=node3
- set [ find default-name=ether4 ] comment=node4
- set [ find default-name=ether5 ] comment=node5
+ set [ find default-name=ether1 ] l2mtu=1582 name=ether1-gateway speed=100Mbps
+ set [ find default-name=ether2 ] comment=node2 speed=100Mbps
+ set [ find default-name=ether3 ] comment=node3 speed=100Mbps
+ set [ find default-name=ether4 ] comment=node4 speed=100Mbps
+ set [ find default-name=ether5 ] comment=node5 speed=100Mbps
Hello,
Interface ethernet speed appearing in the v6.43 configuration export is a cosmetic thing because of speed setting default value changes.
Since the speed setting does not take effect when "auto-negotiation=yes", it will not affect most configurations and to avoid breaking user modified values, the defaults are not updated during RouterOS upgrade, it is done only after configuration reset.

This cosmetic issue can be manually fixed by setting new values of "speed" according to v6.43 defaults:
/interface ethernet print default-config detail

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 3:22 pm
by eworm
[...] Since the speed setting does not take effect when "auto-negotiation=yes", [...]
Are you sure? I have a CRS where one port negotiates at 100M-full - probably due to bad wiring. If I set speed=1Gbps the port is flapping at 1000M-full.
This cosmetic issue can be manually fixed by setting new values of "speed" according to v6.43 defaults:
/interface ethernet print default-config detail
[admin@MikroTik] > /interface ethernet print default-config detail
expected end of command (line 1 column 27)

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 3:32 pm
by becs
eworm, changing speed setting no matter of its value initiates restart of ethernet port and if autonegotiation advertises 1000M-half,1000M-full, the CRS will try to negotiatiate 1Gbps link first before dropping to lower speed.

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 4:08 pm
by bbs2web
I'm pleasantly surprised to see that we were unaffected by the authentication changes. We use centralised RADIUS authentication to Active Directory and associate AD security group membership to RouterOS user group permissions. Winbox, SSH and local authentication continues to work...

VirtIO IRQ mapping is however incorrect in that input and output pairs are not bound to the same core.

6.43:
[davidh@router1] > sys resource irq print 
Flags: ro - read-only 
 #    IRQ USERS                                         CPU ACTIVE-CPU         COUNT
 0      1 i8042                                        auto          0            99
 1      6 floppy                                       auto          1             2
 2      9 acpi                                         auto          0             0
 3     11 usb1                                         auto          1            32
 4     12 i8042                                        auto          0             3
 5     14 ide0                                         auto          1         4 718
 6     15 ide1                                         auto          0             0
 7     40 virtio1-config                               auto          1             0
 8     41 virtio1-input.0                              auto          0       882 432
 9     42 virtio1-output.0                             auto          1             1
10     43 virtio1-input.1                              auto          0       586 986
11     44 virtio1-output.1                             auto          1             1
6.43rc12:
[davidh@router2] > sys resource irq print
Flags: ro - read-only 
 #    IRQ USERS                                                    CPU ACTIVE-CPU         COUNT
 0      1 i8042                                                   auto          0           703
 1      6 floppy                                                  auto          1             2
 2      9 acpi                                                    auto          2             0
 3     11 usb1                                                    auto          3     5 083 834
          virtio0                                          
 4     12 i8042                                                   auto          4         1 677
 5     14 ata_piix                                                auto          5             0
 6     15 ata_piix                                                auto          6             3
 7     40 virtio1-config                                          auto          7             0
 8     41 virtio1-requests                                        auto          0       281 478
 9     42 virtio2-config                                          auto          1            30
10 ro  43 virtio2-input.0                                         auto          0 3 251 566 126
11 ro  44 virtio2-output.0                                        auto          0     1 428 823
12 ro  45 virtio2-input.1                                         auto          1 2 303 315 949
13 ro  46 virtio2-output.1                                        auto          1     1 325 156
14 ro  47 virtio2-input.2                                         auto          2 1 446 390 462
15 ro  48 virtio2-output.2                                        auto          2     2 318 597
16 ro  49 virtio2-input.3                                         auto          3 1 738 920 888
17 ro  50 virtio2-output.3                                        auto          3       725 384
18 ro  51 virtio2-input.4                                         auto          4     8 744 012
19 ro  52 virtio2-output.4                                        auto          4     1 913 455
20 ro  53 virtio2-input.5                                         auto          5 1 095 525 257
21 ro  54 virtio2-output.5                                        auto          5     2 561 306
22 ro  55 virtio2-input.6                                         auto          6 4 161 506 922
23 ro  56 virtio2-output.6                                        auto          6       941 292
24 ro  57 virtio2-input.7                                         auto          7    46 834 723
25 ro  58 virtio2-output.7                                        auto          7       947 725

6.43rc12 appears to have gotten this right, 6.43 alternates the CPU assignments so that input for both queues is tied to the same processor...

PS: Yes, we disabled RPS on both routers:
[davidh@router1] > sys resource irq rps print 
Flags: X - disabled 
 #   NAME                                                                        
 0 X ether1

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 6:05 pm
by edcore
*) winbox - show "System/RouterBOARD/Mode Button" on devices that has such feature;

No Mode Button for hEX?

Image
Image


https://ibb.co/fAzp79
https://ibb.co/kok1LU

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 6:05 pm
by ErfanDL
WoW the speed of winbox windows loading now is very fast.
installed on RB2011UiAS2hND - hAP Lite - RB951Ui without any problem.

Sent from my C6833 using Tapatalk


Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 6:31 pm
by eddieb
Upgraded without any issues
RB2011UAS
RB1100
RB750GL
CCR1009
CRS125
RB962UIGS (10x)
CHR
CHR-DUDE

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 6:35 pm
by DimaFIX
Where can I download btest.exe?

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 6:56 pm
by bbs2web
Upgrade a hEX (RB750Gr3) yields the following changes when upgrading from 6.42.7 to 6.43:
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
Has this default been changed?

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 7:46 pm
by R1CH
-nm was a winbox issue-

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 8:48 pm
by DummyPLUG
10G on CCR1009 ethernet port? cosmetic issue?
Image

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 9:02 pm
by honzam
Upgraded about 7 devices but stopped further upgrading because I can't connect to my hEX any more - user/pass for admin not accepted any more... I can login by ssh-key. I see vptihart also had issues with winbox connectivity.

So be very careful with this upgrade, you may lock yourself out of your device !!
I have similar problem. After upgrade wAP-AC to 6.43 I can´t connet to router wia winbox 3.17 (wrong username or password)
But with the same name and password from neighbour router with mac-telnet it works , webfig also works. :shock:
Reported: Ticket#2018091022006001

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 9:14 pm
by mkx
This cosmetic issue can be manually fixed by setting new values of "speed" according to v6.43 defaults:
/interface ethernet print default-config detail
[admin@MikroTik] > /interface ethernet print default-config detail
expected end of command (line 1 column 27)
While command written by @becs, does not work neither in 6.42.7 nor in 6.43, the above issue is cosmetics only. The default value for speed attribute was 100Mbps on 6.42.7 (and earlier) and is 1Gbps since 6.43.

6.42.7:
/interface ethernet 
 /interface ethernet>export
# sep/10/2018 17:58:41 by RouterOS 6.42.7
# software id = TX5S-MT3T
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = XYZWXYZWXYZW
/interface ethernet
set [ find default-name=ether5 ] poe-out=off

 /interface ethernet> set [ find default-name=ether1 ] speed=
1Gbps  10Gbps  10Mbps  100Mbps

 /interface ethernet> print detail
Flags: X - disabled, R - running, S - slave
 0 R  name="ether1" default-name="ether1" mtu=1500 l2mtu=1598
      mac-address=6C:3B:6B:97:25:6F orig-mac-address=6C:3B:6B:97:25:6F
      arp=enabled arp-timeout=auto loop-protect=default
      loop-protect-status=off loop-protect-send-interval=5s
      loop-protect-disable-time=5m auto-negotiation=yes
      advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
      full-duplex=yes tx-flow-control=off rx-flow-control=off speed=100Mbps
      bandwidth=unlimited/unlimited switch=switch1
      
 /interface ethernet> set [ find default-name=ether1 ] speed=1Gbps
 /interface ethernet> export
# sep/10/2018 18:00:21 by RouterOS 6.42.7
# software id = TX5S-MT3T
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = XYZWXYZWXYZW
/interface ethernet
set [ find default-name=ether1 ] speed=1Gbps
set [ find default-name=ether5 ] poe-out=off

 /interface ethernet> print detail
Flags: X - disabled, R - running, S - slave
 0 R  name="ether1" default-name="ether1" mtu=1500 l2mtu=1598
      mac-address=6C:3B:6B:97:25:6F orig-mac-address=6C:3B:6B:97:25:6F
      arp=enabled arp-timeout=auto loop-protect=default
      loop-protect-status=off loop-protect-send-interval=5s
      loop-protect-disable-time=5m auto-negotiation=yes
      advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
      full-duplex=yes tx-flow-control=off rx-flow-control=off speed=1Gbps
      bandwidth=unlimited/unlimited switch=switch1
.
Needless to say that running speed of the port did not change, it was 100Mbps all the time (which is HW limitation of hAP ac).
On 6.43 is just the opposite: if I set speed to 1Gbps, this attribute disappears from exported configuration.

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 9:20 pm
by John39
After updating on all my devices I see such a picture.
download/file.php?mode=view&id=33580 download/file.php?mode=view&id=33579

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 9:27 pm
by ivanfm
After updating on all my devices I see such a picture.
download/file.php?mode=view&id=33580 download/file.php?mode=view&id=33579
I have found this "setW60Gap" variable in one of my upgraded devices (751G-2HnD).

I have not found any new variables in other 4 devices upgraded (different models).

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 11:08 pm
by DenisPDA
After updating on all my devices I see such a picture.
download/file.php?mode=view&id=33580 download/file.php?mode=view&id=33579
Similar problem + broken default script
hAP AC 6.42.7 > 6.43
MT_6.43.jpg
default_script_6.43_bad.txt
script_environment.txt

Re: v6.43 [current] is released!

Posted: Mon Sep 10, 2018 11:44 pm
by hknet
Do I read this correctly as _no_ routerboard-firmware upgrade is usually required coming from 6.43rc or 6.42.7?

thx
hk

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 12:01 am
by hknet
*bridge - added per-port based "tag-stacking" feature

trying to wrap my head around this vs the (previous) QinQ support by using ethertype=0x88a8

if I'm not mistaken this is now the more common support for QinQ using 0x8100 frames packing another 0x8100 frame into it (aka stacking).

my question here: if I set the bridge ethertype to 0x88a8 and then use per port stacking are still 0x8100 frames stacked or is this setup simply mutually exclusive to each other?

thx
hk

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 12:39 am
by poggs
Serious problems here upgrading a 2011UiAS from the final -rc: it failed to load the new kernel image and went in to Ether Boot mode almost straight away. I NetInstall'd 6.43 on to it, rebooted and all was fine until I power-cycled, at which time we were back to the same problem as before.

The only way around this I've found is to force backup-booter loading, so I'm on RouterBOOT-3.41, and the router will survive a power-cycle.

Has anyone else seen this issue, or can anyone recommend a better fix?

Re: can't login with password on 6.43

Posted: Tue Sep 11, 2018 12:47 am
by rmccracken
After `6.42.7` -> `6.43` and `/system routerboard upgrade`, login into the box doesn't accept the password anymore. Winbox: `wrong username or password`, ssh: keeps asking for password again and again. Lucky me having a ssh-key there.

It's `RB SXT G-5HPacD`, firmware-type: qca9550, factory-firmware: 3.14, current-firmware: 6.43, upgrade-firmware: 6.43. Using winbox 3.16.

Should anyone want supout.rif, email me.

Edit: Running `/ip ssh set always-allow-password-login=yes` after upgrade to 6.43 restores SSH password login. Winbox password login fails still.

Edit2:
Set the password to the same as before (/user set admin password=password1) -> winbox: `wrong username or password`
Set new password (/user set admin password=password2) -> winbox: login works again
Reset to the original pre-upgrade password (/user set admin password=password1) -> winbox: login still works.


Seeing exact same issue on CCR-1016. Is there a fix or work around? Our only backup file is currently on device, will hard resetting device remove backup file?

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 1:23 am
by eider
Since updating RouterBOOT to 6.43 I can now see "Boot OS" option under Routerboard->Settings for cAP lite. I'm pretty sure that cAP lite does not support SwOS.

Image

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 1:30 am
by mducharme
10G on CCR1009 ethernet port? cosmetic issue?
I'm getting the same thing on my hAP ac gig ethernet ports.

Also, like a previous poster, since the upgrade, Winbox is now opening up incredibly quickly. Why is it so fast now compared to earlier versions?

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 3:18 am
by UpRunTech
Hardware accelerated IPsec for 3011 is not included in this release. Unfortunately, we could not get it working stable enough in time. It will be available in 6.44.
Is this a driver you guys had to wrote from scratch? I am surprised it's taken so long but I still appreciate that it's coming.

I don't think you should release that summer intern from the basement until they have it working properly.

I too noticed Winbox loads my pile of open windows much faster too.

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 4:18 am
by Paternot
I don't think you should release that summer intern from the basement until they have it working properly.
Yeah. Throw him in the basement, and make him work! To get faster results, lock the door. :D

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 6:42 am
by mducharme
Hi,

I have found an issue with v6.43, when it comes to upgrade space on hAP lite.

hAP lite is unable to upgrade from 6.42.7 to 6.43 if both the main package and TR-069 package are installed. I have to remove the TR-069 package to get enough free space to upgrade the hAP lite. No other files on router. I was able to reinstall the TR-069 package afterwards.

Other device models seem to be fine.

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 8:49 am
by Tomato
Hi, I've found issue in 6.43 when creating/editing new user via web interface.

I can't edit user name, as a result all users are created with default names userXX
Look at pictures below to see this more clearly.
Снимок экрана от 2018-09-11 08-47-29.png
Снимок экрана от 2018-09-11 08-33-28.png

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 8:58 am
by fiberwave
10G on CCR1009 ethernet port? cosmetic issue?
Image
It's just advertising, not equal with the port's capabilities - they'll correct this I think.

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 9:13 am
by eider
Hi, I've found issue in 6.43 when creating/editing new user via web interface.
I believe editing being blocked is intentional. Definitely a bug when creating new user however.

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 11:56 am
by rushlife
upgraded hAP, with empty password I can confirm bug, it is no longer possible to login

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 2:18 pm
by Resnais
SXT LTE (1st gen):

1) On device startup it does not populate the route list correctly (does not add the LTE interface subnet in the route list). Have to disable/enable interface after startup so it would work correctly.
2) Passthrough interface option now showing in the LTE APN's section. Does it work now, or 6.43 does not check the device model?

Thank you,

Resnais

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 2:49 pm
by uldis
SXT LTE (1st gen):

1) On device startup it does not populate the route list correctly (does not add the LTE interface subnet in the route list). Have to disable/enable interface after startup so it would work correctly.
2) Passthrough interface option now showing in the LTE APN's section. Does it work now, or 6.43 does not check the device model?

Thank you,

Resnais
1) please make support output file when this happens and then another file when it is ok after disable/enable. Send those files to support@mikrotik.com
2) No the first generation SXT doesn't support it as it is mentioned in the wiki page.

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 3:18 pm
by apteixeira
Hello,

We just upgrade two CHR on AWS to last version of RouterOS and now we are not able to login.
Winbox: wrong username or password
SSH: Access denied

Any advice?

Regards.

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 3:21 pm
by InoX
In 12 hours I had to reboot two times my RB951ui router to get internet working again after the upgrade.
Never happened this before the upgrade.
First time setup on LHG5 user admin can't be changed, you must make one more user and delete admin after. I never user admin as username.

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 5:20 pm
by rmccracken
Hello,

We just upgrade two CHR on AWS to last version of RouterOS and now we are not able to login.
Winbox: wrong username or password
SSH: Access denied

Any advice?

Regards.
Any luck with this issue? We are having same problem.

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 5:25 pm
by nostromog
I upgraded one hAPac to 6.43 about 27 hours ago, everything is working well as far as I can tell. I'll upgrade our other machines during the weekend.

The machine I upgraded was the one running 6.43rc64 before (never got time to test the last rc).
it looks much faster now, but I guess rc are built with debug options while "current" releases are not.

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 5:33 pm
by honzam
Hello,

We just upgrade two CHR on AWS to last version of RouterOS and now we are not able to login.
Winbox: wrong username or password
SSH: Access denied

Any advice?
mac telnet a web access works for me

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 6:02 pm
by WebLuke
Found 2 things.

First my RouterBOARD wAP G-5HacT2HnD (US Version I think), I have been able to login with MAC SSH though from another device in winbox. But on the same network, using Winbox 3.17 I am unable to login (wrong username or password) using the IP or MAC. I have not tried to reset the password though SSH but this is the only device I have of a few types that have had this problem.

Second I have 3 RouterBOARD cAP Gi-5acD2nD, 2 are the US version, 1 International version. The 2 US versions have a defconf scrip for "dark-mode" that looks like it just turns the LEDs on or off. Yet the International version dose not have this script. And it seems like this script should actually just be a menu check in the System>LEDs menu.

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 8:27 pm
by eifLZ9D8zSwW
Hi,
I have some problem with fetch tool (ftp). Since I upgraded from 6.42.5 to 6.42.7 (on 6.43 it's still the same) my backup script isn't working. The fetch tool opens tcp conenction to ftp server and create files with 0bytes size, then timeout. I read the release notes but I haven't found anything about fetch. I have another rb750gr3 still on 6.42.5 and it's working fine, so my server is ok.

importatnt part of the script:
/tool fetch address="$ftphost" port=$ftpport src-path=$fname3 user="$ftpuser" mode=ftp password="$ftppassword" dst-path="$ftppath/$fname3" upload=yes

Any tips?

Mikrotik RB750Gr3.
thx

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 9:42 pm
by jp
*) ssh - disconnect all active connections when device gets rebooted or turned off;
This is awesome! Thank you

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 10:12 pm
by Nevon
IPsec..

I have two CCR1009 where I have L2TP/Ipsec tunnel between them. Sins 6.42.7 I have problem that I have almost 10% packet loss.. when I ping if I ping the other side of the tunnel.
I have 0% loss if I ping Internet IP outside the tunnel.
Both of the CCR have other L2TP/Ipsec tunnels to other sites and they dont have that problem..
Someone who knows where to look for errors?...

If I look at the ping results it pings 30ping and then 3 ping gets lost.. and then 30 ping.. and 3 lost...

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 10:49 pm
by sindy
Both of the CCR have other L2TP/Ipsec tunnels to other sites and they dont have that problem..
The only thing which comes to my mind is to check that the auth and enc algorithms in the proposal used between these two peers aren't unique among all the other tunnels, and if they are, change them for a test to some other ones which work on the other tunnels.

Re: v6.43 [current] is released!

Posted: Tue Sep 11, 2018 10:58 pm
by gondim
Hi all,

DHCPv6 PD Pool (PPP Profile) not work anymore. 6.40.9 work fine.

[]´s
Gondim

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 1:34 am
by usx
Had no issues when upgrading the following devices

1- RB450G
2- hEX 750 r3
3- hAP
4- RB951Ui-2nD
5- 2011UiAS-2HnD
6- mAP 2n
7- RB450G

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 1:41 am
by rmccracken
Hello,

We just upgrade two CHR on AWS to last version of RouterOS and now we are not able to login.
Winbox: wrong username or password
SSH: Access denied

Any advice?
mac telnet a web access works for me

We tried Mac telnet and same issue. Does anyone know if we hard reset device will it clear the backups stored on device?

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 6:27 am
by ksbravo
Hello,

After updating 6.42.7 > 6.43 mikrotik stopped browsing RB750GR3.

Has anyone had a similar problem?

Before the upgrade was working perfectly. The biggest problem is that I just forgot to backup.

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 6:57 am
by CsXen
Hi.
We tried Mac telnet and same issue. Does anyone know if we hard reset device will it clear the backups stored on device?

Hard reset did not erase FILES on RouterBoard NAND storage... I tried it yesterday on our RB750GL. :) (If hard reset is: pushing reset, while powering up to go back default config.)

Best regards: CsXen

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 8:51 am
by sindy
We tried Mac telnet and same issue. Does anyone know if we hard reset device will it clear the backups stored on device?
It depends on the version which was there before and how you have stored the backups. Since 6.? (sorry, I don't know exactly), you have to use a file name starting with flash/ to have that file stored permanently, otherwise it ends up on the ramdisk partition. So if you did so, you can be sure the backup file survives the restoration of default configuration; if you didn't, it still may survive if the upgrade process took into account this approach change but I'm far from sure here.

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 10:25 am
by osc86
The comment column is missing in ipsec peer menu in winbox, and my id is shown twice

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 10:35 am
by eworm
We tried Mac telnet and same issue. Does anyone know if we hard reset device will it clear the backups stored on device?
It depends on the version which was there before and how you have stored the backups. Since 6.? (sorry, I don't know exactly), you have to use a file name starting with flash/ to have that file stored permanently, otherwise it ends up on the ramdisk partition. So if you did so, you can be sure the backup file survives the restoration of default configuration; if you didn't, it still may survive if the upgrade process took into account this approach change but I'm far from sure here.
This does not depend on the RouterOS version but the device.

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 11:51 am
by mediana
After upgrade from 6.42.7 to 6.43, the L2TP/IPSec VPN between ROS and Draytek Vigor 2920 broken.
It showed failed to get valid proposal and failed to pre-process ph1 packet(side:1, status 1)
Downgrade to 6.42.7 and it worked as usual.

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 1:14 pm
by Neski
After upgrade from 6.42.7 to 6.43, the L2TP/IPSec VPN between ROS and Draytek Vigor 2920 broken.
It showed failed to get valid proposal and failed to pre-process ph1 packet(side:1, status 1)
Downgrade to 6.42.7 and it worked as usual.
Someone in other post write about default settings - just need to change option in L2TP/IPSec or load configuration once again

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 1:43 pm
by Splash
We have a huge memory leak on the new 6.43 code running on our CRS317's. Some devices seem to be more affected than others, but within 10hrs the device reboots due to low memory.

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 2:09 pm
by emils
After upgrade from 6.42.7 to 6.43, the L2TP/IPSec VPN between ROS and Draytek Vigor 2920 broken.
It showed failed to get valid proposal and failed to pre-process ph1 packet(side:1, status 1)
Downgrade to 6.42.7 and it worked as usual.
Can you please send supout.rif file to support@mikrotik.com ?

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 3:31 pm
by osc86
We have a huge memory leak on the new 6.43 code running on our CRS317's. Some devices seem to be more affected than others, but within 10hrs the device reboots due to low memory.
I encountered the same problem on a CCR while it was still rc. MT Support was unable to reproduce / fix it.
Only a netinstall solved it for me. I could restore the old config without further problems, though.

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 3:45 pm
by Splash
We have a huge memory leak on the new 6.43 code running on our CRS317's. Some devices seem to be more affected than others, but within 10hrs the device reboots due to low memory.
I encountered the same problem on a CCR while it was still rc. MT Support was unable to reproduce / fix it.
Only a netinstall solved it for me. I could restore the old config without further problems, though.
Thanks for the heads-up. Ive been asked to generate a support output close to when the device runs out of memory and then one just after its rebooted. I'm just wondering how a netinstall would fix the issue? Does it clear out something?

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 4:20 pm
by hzdrus
I'm pleasantly surprised to see that we were unaffected by the authentication changes. We use centralised RADIUS authentication to Active Directory and associate AD security group membership to RouterOS user group permissions. Winbox, SSH and local authentication continues to work...
Windows AD should be ok since MS-CHAPv2 is a Microsoft invention - and being that, not really secure. The reasons for breaking compatibility with non-MS 2FA products are not clear to me, in any case PAP/CHAP requests can still be tunneled via IPSEC etc to ensure security ...

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 4:21 pm
by sebastia
Hi

Upgraded from 6.42.7 on SXT LTE Kit (gen2), with LTE in pass-through. The host (dhcp client) received 100.x/32 address with 10.177.0.1 as "gw / remote point" ip.
Routing tables was updated too: with a DAC for 10.177.0.1 + backup route for 0/0 over same interface.
So far so good.

But, there was no ip connectivity. tried pinging usual suspects over lte: 8.8.4.4, 208.67.220.220, with no joy.

Then I've reverted back to 42.7 and connectivity returned.

Any idea what went wrong?

Thx
Seb

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 6:30 pm
by WebLuke
I have now noticed that my CRS125-24G-1S-2HnD is running out of memory, with 6.43.7 it ran around 95MB of free memory, with 6.43 it was down to 34MB free, over night it is now down to 31MB free. Good thing it don't have too much traffic going though this as multiple people are reporting reboots. Attached is a graph showing it slowly increase usage of memory.
We have a huge memory leak on the new 6.43 code running on our CRS317's. Some devices seem to be more affected than others, but within 10hrs the device reboots due to low memory.

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 7:02 pm
by fctsu001

"DHCPv6 PD Pool (PPP Profile) not work anymore."

i'v got this problem too.
When connection established, dinamic DHCPv6 server creating, but client not get address from pool.

Re: v6.43 [current] is released!

Posted: Wed Sep 12, 2018 7:18 pm
by Splash
I have now noticed that my CRS125-24G-1S-2HnD is running out of memory, with 6.43.7 it ran around 95MB of free memory, with 6.43 it was down to 34MB free, over night it is now down to 31MB free. Good thing it don't have too much traffic going though this as multiple people are reporting reboots. Attached is a graph showing it slowly increase usage of memory.
I sent 3 support output files 90%, 98% and then after the reboot 5%... at 98% the system was trying to swap as the SPI process ran at 100% on 1 CPU. I have a change at 3am to downgrade the switches back to 6.42.7 and hope the VLANs work with some of our providers.

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 2:26 am
by Ferrograph
Ive just got RBSXTR. LTE passthrough is broken. I've seen reports that it works on 6.42.7 but I've tried downgrading and it doesn't work. See my post here:

viewtopic.php?f=2&t=139038

Basically the DHCP relay part works but packets dont flow, "host not reachable" etc in traceroute tests.

I dont understand the /32 address change noted in the release notes, whats that about and why is it only for R11e modems?

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 2:42 am
by mducharme
Windows AD should be ok since MS-CHAPv2 is a Microsoft invention - and being that, not really secure. The reasons for breaking compatibility with non-MS 2FA products are not clear to me, in any case PAP/CHAP requests can still be tunneled via IPSEC etc to ensure security ...
For us this change is welcome, since we use Microsoft Windows NPS as a RADIUS server for login to our devices. Since Winbox previously required PAP/CHAP, we had to store user passwords with reversible encryption in active directory to allow RADIUS based Winbox login (SSH always worked without this, since it supported MS-CHAPv2). Now we no longer need to do this, and can instead keep the more secure default of encrypted passwords in AD. It would be nice though if MikroTik had a solution to the 2FA issue - perhaps allowing EAP?

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 4:57 am
by wojo
Found a LOG problem with an IPv6 DHCP-CLIENT. The log says there was an error adding the dynamic prefix pool, but it actually is created correctly. Cosmetic problem?
dhcp,error failed to add ipv6 pool MYPOOL: ok
.....
.......
Yes, I have a similar issue:with the current release 6.43
dhcp,error failed to add ipv6 pool rogers-ipv6: ok
but it actually is created correctly.
Same here!

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 10:05 am
by Splash
I sent 3 support output files 90%, 98% and then after the reboot 5%... at 98% the system was trying to swap as the SPI process ran at 100% on 1 CPU. I have a change at 3am to downgrade the switches back to 6.42.7 and hope the VLANs work with some of our providers.
The next 6.44beta version should contain a fix which needs to be tested.

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 10:17 am
by DummyPLUG
After update to 6.43 sometime the time will show in future, the correct link down time should be around Sep/13/2018 3:40 AM
from syslog:
03:40:18 interface,info ether3 link down
03:40:33 interface,info ether3 link up (speed 100M, full duplex)
03:40:36 interface,info ether3 link down
03:40:39 interface,info ether3 link up (speed 100M, full duplex)

Image

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 10:43 am
by ofer
I upgraded software and firmware for 3 x HapAC, No issues so far.

Thanks!

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 11:50 am
by colinardo
@wojo

Found a LOG problem with an IPv6 DHCP-CLIENT. The log says there was an error adding the dynamic prefix pool, but it actually is created correctly. Cosmetic problem?
dhcp,error failed to add ipv6 pool MYPOOL: ok
.....
.......
Yes, I have a similar issue:with the current release 6.43
dhcp,error failed to add ipv6 pool rogers-ipv6: ok
but it actually is created correctly.
Same here!

This is only a cosmetic issue and will be resolved in next release. Mikrotik support already answered this some posts above.

See
DHCPv6 error log message is a cosmetic issue which also will be fixed soon. This error actually tells that there is no error.

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 12:31 pm
by tesme33
admin password after upgrade EMPTY.

I discovered that the admin pass is empty after the upgrade. So could login without ANY pass.

Below how i fixed it.

[admin@MikroTik] >
11:31:18 echo: system,error,critical login failure for user admin from EC:8E:B5:5B:4E:92 via win
box
[admin@MikroTik] >
11:31:19 echo: system,error,critical login failure for user admin from EC:8E:B5:5B:4E:92 via win
box
[admin@MikroTik] > /ip ssh set always-allow-password-login=ye
[admin@MikroTik] > /user set admin password=PASSWORD
[admin@MikroTik] >

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 1:16 pm
by indnti
After reading all this posts I fear that there is a high probability to have a poor device after the upgrade.

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 1:44 pm
by macgaiver
admin password after upgrade EMPTY.
Scared the s**t out of me....
But - no it isn't, at least not for me!! 10+ routers no such issue

what devices?
what version did you upgrade from?

there have been rare cases in the past when part of configuration gets lost on upgrade. when was last time you Neinstalled that devices?

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 2:58 pm
by dg1kwa
L2TP/IPSec still not working. This problem start after upgrade so 6.42.7. Version before work perfect :(

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 4:12 pm
by emils
L2TP/IPsec works properly for me on 6.42.7 and 6.43, must be something specific to your configuration or network. Have you sent a supout.rif file to support@mikrotik.com?

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 5:49 pm
by Elliot
For those guys that say they got locked out from winbox. Please DO READ THE CHANGELOG. You now have to log with winbox no older than 3.15 ;)

Also great Job gus for fixing those security holes. But please check from time to time 0dayz for any upcomming exploits. I'm sure they are looking forward to break into RouterOS again...

api change isn't - Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 6:50 pm
by mvalsasna
regarding this change:
!) api - changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);

as we have an application based on Net_RouterOS library (https://github.com/pear2/Net_RouterOS/), which is long unmantained, I tried 6.43, expecting it to break our application.

instead, it kept working normally. I sniffed traffic, and login is still performed in the pre-v6.43 style.

can you please clarify? is the old login method still supported? how long will it be supported?

tnx

MAtteo


Login method pre-v6.43:
/login
!done
=ret=ebddd18303a54111e2dea05a92ab46b4
/login
=name=admin
=response=001ea726ed53ae38520c8334f82d44c9f2
!done

Login method post-v6.43:
/login
=name=admin
=password=
!done

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 8:33 pm
by ehsanorveh
Hi
I have Mikrotik rb1100AHx2 and update Router OS to 6.43, After that The user have SSTP vpn connection, there connection lost after seconds, any body have this problem?

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 9:59 pm
by whitbread
*) bridge - improved performance when bridge VLAN filtering is used without hardware offloading;
Just testet 6.43 on a hap ac2 - everything went smooth so far.

As I am struggling for the best way to deal with my setup I did performance tests anyway. Just wanted to let you know that there is a performance improvement when using VLAN aware bridges but you have to use a magnifying glass. My values did increase from 360 to 380 Mbps w/o IP-Filtering and 345 to 365 Mbps w/ IP-Filtering, unfortunately far away from wire speed.
So bad you cannot use switch chip together with bridges anymore :(

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 10:05 pm
by kriszos
I updated my hAP ac^2 from 6.42.7 and upgraded firmware
after update my cpu usage rise from 2% to 30% and dhcp stopped working. export also hang out after /interface wireless. reboots doesn't helps. Downgraded to 6.42.7 now is working fine again.
I updated it again with same result.

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 11:12 pm
by mkx
So bad you cannot use switch chip together with bridges anymore :(
You can definitely use VLANs in "hybrid" mode ... do the VLAN filtering on switch chip (/interface ethernet switch) and "new bridge" (without using bridge vlan functionality) with individual ports as members.

Regarding low speed: I suspect your configuration is not optimal. I conducted some tests using VLANs on bridge (SW implementation) and I could achieve wire speed for port-to-port transfers (without any filtering) while CPU utilization was around 30% of a single core (8% overall CPU utilization).

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 11:30 pm
by Railander
Don't know if it's already been mentioned, but I can no longer change the name of a user in /user
It's not only the default user, it applies even to newly created users.
> user set admin name=test
failure: user name can't be changed

Re: v6.43 [current] is released!

Posted: Thu Sep 13, 2018 11:46 pm
by ozone
Upgraded Hap-lite (rb941) from 6.42.6 to 6.43 (Ros+Routerboot), and now internal dhcpv4-client (from an external DNSMASQ server) does not work anymore.
The RB does not get an valid IP anymore. (stays on "searching").
If you reboot the hap-lite, the hap-lite DOES get an IP... But when you request an IP while running, you do not.
If DHCP-server is another routerboard, no issue exists, only with DNSMASQ dhcp-server.

Tried also upgrading a HAP-ac to 6.43, then there is NO DHCPv4-client issue with external dnsmasq DHCP-servers. (with identical config as hap-lite)

Second issue on hap-lite is the reduced wifi performance. Drops about 30%.

Went back to 6.42.7 on hap-lite, and internal dhcpv4-client works again (from dnsmasq), and wifi speed is back up.

Thirdly, HAP-lite still has no ramdisk functionality like HAP-ac, so upgrading is a real pain in the *ss!
If you have a few saved config files on there, you can be happy to get upgrading working with ONLY system and wireless package.
Anything beyond that, and disk is full. No errormessage though, so a reboot then usually ends up in a bricked device where only netinstall will help out.
Had this a few times already on the hap-lite.
16MB flash is simply to small :(

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 12:04 am
by ozone
Oh Yeah,

Anyone tested what happens when you choose "SWos" in system->routerboard->settings->boot-os ?
(on a device that normally does not support that)

:)

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 1:52 am
by schadom
Upgraded two CCRs to 6.43 and no issues (including the described ones above) so far.
Only thing we noticed that the OpenVPN bridge was disabled after upgrading and we had to re-enable it manually.

*) winbox - fixed "sfp-connector-type" value presence under "Interface/Ethernet";
S-RJ01 SFP's are still shown with "Connector Type: LC" on 6.43 and Winbox v3.17 at least in our case.

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 2:32 am
by Cal5582
just had 6.43 break my RBM11G + R11e-5HacT wireless access point. after the update my mpcie card would no longer pick up but would display a red and yellow light. tried reseating card but no luck. restored back to mmips 6.42.7 and everything came back up and worked. looks to be a software issue. any way i can report this bug?

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 9:09 am
by ste
Updated a new CCR to 6.43. Added some bridges and then some vlans to the bridges. One vlan does not show as slave of the bridge. I guess a problem of the bridge changes. So I downgraded to stable. This bricked the ccr. Hangs with starting services. Netinstalled 6.43 and started over. So sure stable and long term matches the truth ?

Just a small rant after wasting 2 hours with "stable" software. Just call it "current" again ...

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 10:18 am
by dg1kwa
L2TP/IPsec works properly for me on 6.42.7 and 6.43, must be something specific to your configuration or network. Have you sent a supout.rif file to support@mikrotik.com?
when I have a little time I send. I not change any configuration last time.

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 12:09 pm
by osc86
After updating CCR1009 to 6.43 there is a problem with port stability! Has anyone else encountered such a problem?
I doubt this is a software issue. Seems only one port is affected.
I don't have such a problem on my CCR1009.

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 12:46 pm
by lomayani
I updated my hAP ac^2 from 6.42.7 and upgraded firmware
after update my cpu usage rise from 2% to 30% and dhcp stopped working. export also hang out after /interface wireless. reboots doesn't helps. Downgraded to 6.42.7 now is working fine again.
I updated it again with same result.
I seen the issue with dhcp stop working. check in dhcp server if you have dhcp server configured with unknown interface, if you have remove that and upgrade to 6.43. When you have dhcp-server configured with unkwnon interface and upgrade to 6.43 will cause dhcp to stop working

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 2:18 pm
by whitbread
So bad you cannot use switch chip together with bridges anymore :(
You can definitely use VLANs in "hybrid" mode ... do the VLAN filtering on switch chip (/interface ethernet switch) and "new bridge" (without using bridge vlan functionality) with individual ports as members.
Not sure if I understand you correctly - using bridge with hw offloading, then bridging vlan interfaces of 'switch bridge' to new plain bridges? I am using this config on my rb2011, but I thought it is blacklisted by Mikrotik?!?

Regarding low speed: I suspect your configuration is not optimal. I conducted some tests using VLANs on bridge (SW implementation) and I could achieve wire speed for port-to-port transfers (without any filtering) while CPU utilization was around 30% of a single core (8% overall CPU utilization).
Not sure if we are talking about the same here - I am doing real world tests with tcp and smb reaching 114MB/s when switching or bridging, but I need the filtering. So at the moment you turn on IP filtering with some rules present, performance breaks down to ~50% while cpu on hap ac2 is maxed out. Using VLAN aware bridges is even worse.

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 2:51 pm
by Splash
After updating CCR1009 to 6.43 there is a problem with port stability! Has anyone else encountered such a problem?
Nope, CCR1016, CCR1036 and CCR1072's all behaving.....

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 2:54 pm
by thg3x

"DHCPv6 PD Pool (PPP Profile) not work anymore."

i'v got this problem too.
When connection established, dinamic DHCPv6 server creating, but client not get address from pool.
I had the same problem.
The dynamic server is created, but the client router does not receive the pool.

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 3:52 pm
by mkx
You can definitely use VLANs in "hybrid" mode ... do the VLAN filtering on switch chip (/interface ethernet switch) and "new bridge" (without using bridge vlan functionality) with individual ports as members.
Not sure if I understand you correctly - using bridge with hw offloading, then bridging vlan interfaces of 'switch bridge' to new plain bridges? I am using this config on my rb2011, but I thought it is blacklisted by Mikrotik?!?
I mean the setup I discussed in this thread where I posted functionally identical setups, both done on then current ROS 6.42.7, one using switch chip VLAN and the other using bridge VLAN setup.

Regarding low speed: I suspect your configuration is not optimal. I conducted some tests using VLANs on bridge (SW implementation) and I could achieve wire speed for port-to-port transfers (without any filtering) while CPU utilization was around 30% of a single core (8% overall CPU utilization).
Not sure if we are talking about the same here - I am doing real world tests with tcp and smb reaching 114MB/s when switching or bridging, but I need the filtering. So at the moment you turn on IP filtering with some rules present, performance breaks down to ~50% while cpu on hap ac2 is maxed out. Using VLAN aware bridges is even worse.
I'm not sure about it either. I did this test:
WinPC <-- access port with PVID=42 --> RBD52G <-- trunk port --> RB951G <-- access port with PVID=42 --> LinPC
So both end machines used usual untagged access and both "border" routerboards did VLAN tagging/untagging. I was running iperf both TCP and UDP. And I could achieve wire speed transfers (but I had to tune iperf parameters to get there so obviously performance does depend on client setup). I posted some results of my tests here.

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 4:10 pm
by alexvdbaan
@MikroTik support, do you have any feedback on the question below?
bridge - add dynamic CAP interface to tagged ports if "vlan-mode=use-tag" is enabled;

Great work MT team!

I was wondering if you could elaborate on the dynamic vlan function? I can see that the Caps interfaces are included in the bridge and that the active interfaces are tagged in the dynamic vlan entry for PVID 1. I would expect that the dynamic caps interfaces are dynamically added to all the bridge vlan entries. I have also tried to add the Capsman interfaces in their own interface list. However the newly created interface list woith all the dynamic caps interfaces can not be selected in the bridge vlan entry.

Below the config for my test setup on 6.43
/interface bridge
add fast-forward=no name=Lo0 protocol-mode=none
add fast-forward=no name=bridge protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 pvid=666
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface bridge settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether2 vlan-ids=666
add bridge=bridge tagged=bridge,ether1 vlan-ids=200
add bridge=bridge tagged=bridge,ether4,ether5 vlan-ids=10,20,30,667

/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=vl10-data vlan-id=10 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=vl20-data vlan-id=20 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=vl30-data vlan-id=30 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=radius-data vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-eap disable-pmkid=yes eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=Radius-Sec
/caps-man configuration
add country=netherlands datapath=radius-data distance=indoors hide-ssid=no mode=ap name=DynVlan security=Radius-Sec ssid=AllVlan
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/upgrade upgrade-policy=require-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=vl667
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=DynVlan name-format=prefix-identity name-prefix=5Ghz-
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=DynVlan name-format=prefix-identity name-prefix=2.4Ghz-

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 5:31 pm
by DummyPLUG
CCR1009, just found out all the "last link up time" is the current time in winbox (except those have link down will be in future), anyone have the same issue?

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 10:23 pm
by posetr
Hello , i am having difficuties about ccr1036-12g-4s when get udp attack with 0 length .

Using RouterOS 6.4 and here is the tcp dump of attack :

21:10:26.299021 IP 132.155.220.60.39812 > x.x.x.x.44710: UDP, length 0
21:10:26.299034 IP 180.19.33.203.lxi-evntsvc > x.x.x.x.2342: UDP, length 0
21:10:26.299035 IP 56.24.15.219.6200 > x.x.x.x.1234: UDP, length 0
21:10:26.299036 IP 11.90.77.183.23051 > x.x.x.x.44710: UDP, length 0
21:10:26.299057 IP 28.110.53.197.28188 > x.x.x.x.44710: UDP, length 0
21:10:26.299062 IP 215.92.148.235.23767 > x.x.x.x.3453: UDP, length 0
21:10:26.299064 IP 0.19.41.141.4864 > x.x.x.x.80: UDP, length 0
21:10:26.299065 IP 137.132.25.40.33929 > x.x.x.x.44710: UDP, length 0
21:10:26.299065 IP 49.38.104.169.9777 > x.x.x.x.110: UDP, length 0
21:10:26.299067 IP 203.183.15.186.47051 > x.x.x.x.44710: UDP, length 0
21:10:26.299185 IP 51.163.222.160.41779 > x.x.x.x.44710: UDP, length 0
21:10:26.299191 IP 0.33.48.114.8448 > x.x.x.x.4432: UDP, length 0
21:10:26.299193 IP 143.96.62.38.24719 > x.x.x.x.447: UDP, length 0

I have added many rule like :

0 chain=forward action=drop connection-state=invalid protocol=udp log=yes
log-prefix="log-paket"

1 chain=forward action=drop protocol=udp connection-bytes=0-10 log=yes
log-prefix="udp-attack"


It makes routerboard freeze and unaccesible, please help me to solve that.

No logs.

Re: v6.43 [current] is released!

Posted: Fri Sep 14, 2018 10:37 pm
by mkx
It really depends on scale of attack (and possibly there's some mis-handling of zero size UDP packets in ROS). But I'd say that major contribution to service failure is that you're logging each malformed UDP packet. Try to silently drop it, it might help your CCR to survive.

Re: v6.43 [current] is released!

Posted: Sat Sep 15, 2018 8:57 am
by ognjen
I don't have a problem with upgrade OS and fimware. Everything work fine (Dhcp, DNS, vlan, PPPoE, PPTP, L2TP, OVPN, CAPsMAN, Bridge, Wireless 802.11 over 5Ghz and 2.4GHz, Queue, Tools..). I don't under you guys, what u do to get a problem? :D

Joking apart.. I just see problem with scripts when try to start, but when check Don't requir Permissions problem is resolved.

Routers and switches what i upgrad is:
1x RB3011UiAS
2x RB2011UiAS
1x RB433
2x RBwAP2nDr2
1x CRS125-24G-1S-2HnD
3x RBwAPG-5HacT2Hnd
5x RB921GS-5HPacD r2 (mANTBox 19s)
2x RBLHGG-5acD-XL
1x CRS326-24G-2s+
2x RB SXT 5nD r2
4x RB750

Edit:
Who have problem with login on v6.43 need to upgrade winbox:
Image

Re: v6.43 [current] is released!

Posted: Sat Sep 15, 2018 9:22 am
by kriszos
I updated my hAP ac^2 from 6.42.7 and upgraded firmware
after update my cpu usage rise from 2% to 30% and dhcp stopped working. export also hang out after /interface wireless. reboots doesn't helps. Downgraded to 6.42.7 now is working fine again.
I updated it again with same result.
I seen the issue with dhcp stop working. check in dhcp server if you have dhcp server configured with unknown interface, if you have remove that and upgrade to 6.43. When you have dhcp-server configured with unkwnon interface and upgrade to 6.43 will cause dhcp to stop working
I indeed has dhcp on unkown interface. deleted it but that doesn't resolve the problem. After update to 6.43 I cant even make supout.rif file because it hangs at 1% while cpu usage is at 30%.
/tool profile shows tha cpu is used mostly by "unclassified", "spi" and "management"
Anybody has any ideas? I would like to not need to use netinstall.

Re: v6.43 [current] is released!

Posted: Sat Sep 15, 2018 10:51 am
by Kindis
I'm very happy with this build I must say. Must be the best .0 build ever provided. Been running it since launch and a lot of things are better. OSPF is faster for some reason but it may come down to the huge improvements to CHR under Hyper-V. Granted I do not have a advanced environment and do not use IPsec yet so other may have other experiences but overall I'm very happy and good job Mikrotik!!

Re: v6.43 [current] is released!

Posted: Sat Sep 15, 2018 10:59 am
by steen
Hello Folks!

This is a humble question, someone might have tested this ros version with wifi and nv2 on older mipsbe (ARM) devices like RB411, RB433, RB800 etc. and SXT, SEXTANT, QRT5 ?

Is this wifi problem fixed yet in this version ?

Version greater than 6.41.3 fully fails with wifi and nv2 hand has to be net installed in order to get back to working versions.

Re: v6.43 [current] is released!

Posted: Sun Sep 16, 2018 5:13 am
by DimaFIX
Changing the identity on hAp ac² crashes the router with an error: "kernel failure in previous boot".

Re: v6.43 [current] is released!

Posted: Sun Sep 16, 2018 11:56 am
by mkx
Changing the identity on hAp ac² crashes the router with an error: "kernel failure in previous boot".
You mean changing identity name as in
/system identity set name="some other name"
The above command doesn't crash my hAP ac² ... running ROS 6..43.

Re: v6.43 [current] is released!

Posted: Sun Sep 16, 2018 12:17 pm
by DimaFIX
Changing the identity on hAp ac² crashes the router with an error: "kernel failure in previous boot".
You mean changing identity name as in
/system identity set name="some other name"
The above command doesn't crash my hAP ac² ... running ROS 6..43.
Yes. I have problem with this option.

Re: v6.43 [current] is released!

Posted: Sun Sep 16, 2018 3:32 pm
by dvm
Changing the identity on hAp ac² crashes the router with an error: "kernel failure in previous boot".
I can not reproduce this issue on my hAP ac^2 with ROS 6.43 (both CLI and WinBox).

Re: v6.43 [current] is released!

Posted: Sun Sep 16, 2018 4:08 pm
by DimaFIX
I can not reproduce this issue on my hAP ac^2 with ROS 6.43 (both CLI and WinBox).
I don't know what the problem is. At me this problem is shown every time, even on a default config.

Re: v6.43 [current] is released!

Posted: Sun Sep 16, 2018 7:16 pm
by jasonx
Hi,

on 6.43 current.

dhcp server bindings not working

ip pool used prefix shows pppoe's ipv6

but on dhcp server bindings don't received ipv6 pppoe

somebody with this problem?

Re: v6.43 [current] is released!

Posted: Sun Sep 16, 2018 10:14 pm
by mducharme
Hi,

on 6.43 current.

dhcp server bindings not working

ip pool used prefix shows pppoe's ipv6

but on dhcp server bindings don't received ipv6 pppoe

somebody with this problem?
We have this problem sometimes on 6.42.6 dhcpv6 server where it is like the dhcpv6 binding disappears without being cleaned from the pool. We even had it happen with ipv4 dhcp where suddenly it was like all dhcp leases disappeared without disappearing from the ipv4 pool used addresses, causing pools to fill up before they should since suddenly hundreds of systems network received new leases. I opened a ticket but mikrotik just suspects some problem on our network. Open a ticket and maybe it will help them track the issue.

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 12:18 am
by alexsap
We have a huge memory leak on the new 6.43 code running on our CRS326's. We use vlan. Within 12hrs the device reboots due to low memory.

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 6:11 am
by acald3ron
Powebox problem: mikrotik router rebooted without proper shutdown

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 10:54 am
by venthyl
Hello , i am having difficuties about ccr1036-12g-4s when get udp attack with 0 length .

Using RouterOS 6.4 and here is the tcp dump of attack :

21:10:26.299021 IP 132.155.220.60.39812 > x.x.x.x.44710: UDP, length 0
21:10:26.299034 IP 180.19.33.203.lxi-evntsvc > x.x.x.x.2342: UDP, length 0
21:10:26.299035 IP 56.24.15.219.6200 > x.x.x.x.1234: UDP, length 0
21:10:26.299036 IP 11.90.77.183.23051 > x.x.x.x.44710: UDP, length 0
21:10:26.299057 IP 28.110.53.197.28188 > x.x.x.x.44710: UDP, length 0
21:10:26.299062 IP 215.92.148.235.23767 > x.x.x.x.3453: UDP, length 0
21:10:26.299064 IP 0.19.41.141.4864 > x.x.x.x.80: UDP, length 0
21:10:26.299065 IP 137.132.25.40.33929 > x.x.x.x.44710: UDP, length 0
21:10:26.299065 IP 49.38.104.169.9777 > x.x.x.x.110: UDP, length 0
21:10:26.299067 IP 203.183.15.186.47051 > x.x.x.x.44710: UDP, length 0
21:10:26.299185 IP 51.163.222.160.41779 > x.x.x.x.44710: UDP, length 0
21:10:26.299191 IP 0.33.48.114.8448 > x.x.x.x.4432: UDP, length 0
21:10:26.299193 IP 143.96.62.38.24719 > x.x.x.x.447: UDP, length 0

I have added many rule like :

0 chain=forward action=drop connection-state=invalid protocol=udp log=yes
log-prefix="log-paket"

1 chain=forward action=drop protocol=udp connection-bytes=0-10 log=yes
log-prefix="udp-attack"


It makes routerboard freeze and unaccesible, please help me to solve that.

No logs.

Hi i have similar problem

yesterday night
with no reason all Arm or 6.42.x devices hang up,
stop pass traffic,
stop respond even on mac ping
in the same time
manual power cycle was needed.

on one 450x device was ip watchdog, even this wasnt help.

450gx4 - bridge only ip local 192.168.5.x
450gx4- multibridge nat firewall different ips public ip firewalled
450gx2- router no bridge ip to core network 172.16. public ip firewalled

lhg60g - p2p link ip 192.168.88.x

6.42.1-6.42.7 verson on rb

Core network is network with
bridge wireless antennas,
and isolated by mikrotik routers to customers
every router in core network see each other in l2 (no vlan)

there is about 80 other mikrotik routers to serve internet
and 90 wds links soft below 6.42 nothing happend
no other arm devices

Any ideas ?

Regards

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 1:03 pm
by bbs2web
How does on obtain the default settings for menu items?

The '/system default-configuration print' command details the default initialisation script and does not show default values.

6.43 on a hAP ac (962UiGS-5HacT2HnT):
[davidh@router] > /int ethernet export 
# sep/17/2018 11:59:56 by RouterOS 6.43
# software id = 4KLB-K1IB
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6737060E2E31
/interface ethernet
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full

PS: Would be useful to '/int ethernet export default'

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 1:17 pm
by chaostya
CRS125-24G-1S-2HnD
After update to 6.43 (including firmware update)
"router was rebooted without proper shutdown by watchdog timer" happened once for now.

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 1:45 pm
by dvm
How does on obtain the default settings for menu items?

The '/system default-configuration print' command details the default initialisation script and does not show default values.
1. Backup or export current config.
2. Disconnect router from internet and reset config without applying default configuration.
3. Connect to router via MAC.
3. /export verbose file=all_defaults, save this file for future reference
4. Restore backup or import config from step 1.

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 2:11 pm
by bbs2web
Thanks for your suggestions but that's fairly obvious. MikroTik change defaults in RouterOS releases and don't document changes properly (multi-line change log entries would be a start, linking changes to a bug tracking system would be much better). I still think it would be useful to have a command along the lines of '/int ether export default' so that one can adjust configurations after performing software and firmware updates.
How does on obtain the default settings for menu items?

The '/system default-configuration print' command details the default initialisation script and does not show default values.
1. Backup or export current config.
2. Disconnect router from internet and reset config without applying default configuration.
3. Connect to router via MAC.
3. /export verbose file=all_defaults, save this file for future reference
4. Restore backup or import config from step 1.

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 7:33 pm
by nin
I cannot upgrade to 6.43. I think something messed up with packets installed - please see the picture!
https://www.imagebanana.com/s/1183/icxyABjR.html

Please help me!

PS. CCR1016-12G

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 8:17 pm
by mkx
I cannot upgrade to 6.43. I think something messed up with packets installed
The wireless package is installed both in basic bundle and as separate package. Until you resolve this issue, you can not upgrade to newer version. Whatever you try, first create backup and text configuration export (/export file=<file.rsc>) and get them off your CCR.
You have at least two possibilities (in order of preference of MT staff I guess):
  1. uninstall the extra wireless package, the lower one on your screenshot.
  2. install separate packages - get ZIP file from download section of mikrotik pages. Upload all needed packages except wireless. After reboot CCR will be running ROS 6.37. I guess you don't need wireless package at all, but if you feel like installing it, install it after ROS is already running upgraded.
  3. netinstall CCR

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 10:20 pm
by nin
"The wireless package is installed both in basic bundle and as separate package."
Exactly this should absolutely never be possible!

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 10:21 pm
by nin
1. uninstall the extra wireless package, the lower one on your screenshot. -> FAILS.

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 10:25 pm
by nin
2, install separate packages - get ZIP file from download section of mikrotik pages. Upload all needed packages except wireless. After reboot CCR will be running ROS 6.37. I guess you don't need wireless package at all, but if you feel like installing it, install it after ROS is already running upgraded. -> FAILS!

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 10:52 pm
by nin
I need to learn about netinstall. It is too late here. Thanks I will come back asap.

Re: v6.43 [current] is released!

Posted: Mon Sep 17, 2018 11:19 pm
by Cal5582
any update on wireless cards not detecting on mmips devices?

Re: v6.43 [current] is released!

Posted: Tue Sep 18, 2018 11:38 am
by Splash
We have a huge memory leak on the new 6.43 code running on our CRS326's. We use vlan. Within 12hrs the device reboots due to low memory.
I reported this too with CRS317's and the only way I could resolve it was to downgrade back to 6.42.7. The fix is supposed to be coming out in the next beta.
They took some support files during the memory filling up and seem to think they have identified the issue.

Re: v6.43 [current] is released!

Posted: Tue Sep 18, 2018 11:51 am
by ithierack
CCR1009, just found out all the "last link up time" is the current time in winbox (except those have link down will be in future), anyone have the same issue?
Same here, also an CCR1009. Web-Interface displays correct, WinBox some time in the future. I think, it's only an "cosmetic problem" with WinBox.

Re: v6.43 [current] is released!

Posted: Tue Sep 18, 2018 12:00 pm
by nin
3. netinstall CCR -> WORKED!

I am running now 6.43.1 and all went smoothly.
Thanks for your help!

Re: v6.43 [current] is released!

Posted: Tue Sep 18, 2018 12:01 pm
by emils
New version 6.43.1 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=139353