MikroTik

Posted: **Tue Feb 26, 2019 9:20 am**

RouterOS version 6.44 has been released in public "stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44 (2019-Feb-25 14:11):

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (RADIUS communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
----------------------

Changes in this release:

*) bgp - properly update keepalive time after peer restart;
*) bridge - added option to monitor fast-forward status;
*) bridge - count routed FastPath packets between bridge ports under FastPath bridge statistics;
*) bridge - disable fast-forward when using SlowPath features;
*) bridge - fixed BOOTP packet forwarding when DHCP Snooping is enabled;
*) bridge - fixed DHCP Option 82 parsing when using DHCP Snooping;
*) bridge - fixed log message when hardware offloading is being enabled;
*) bridge - fixed packet forwarding when changing MSTI VLAN mappings;
*) bridge - fixed packet forwarding with enabled DHCP Snooping and Option 82;
*) bridge - fixed possible memory leak when using MSTP;
*) bridge - fixed system's identity change when DHCP Snooping is enabled (introduced in v6.43);
*) bridge - improved packet handling when hardware offloading is being disabled;
*) bridge - improved packet processing when bridge port changes states;
*) btest - added multithreading support for both UDP and TCP tests;
*) btest - added warning message when CPU load exceeds 90% (CLI only);
*) capsman - always accept connections from loopback address;
*) certificate - added support for multiple "Subject Alt. Names";
*) certificate - enabled RC2 cipher to allow P12 certificate decryption;
*) certificate - fixed certificate signing by SCEP client if multiple CA certificates are provided;
*) certificate - show digest algorithm used in signature;
*) chr - assign interface names based on underlying PCI device order on KVM;
*) chr - distribute NIC queue IRQ's evenly across all CPUs;
*) chr - fixed IRQ balancing when using more than 32 CPUs;
*) chr - improved system stability when insufficient resources are allocated to the guest;
*) cloud - added "ddns-update-interval" parameter;
*) cloud - do not reuse old UDP socket if routing changes are detected;
*) cloud - ignore "force-update" command if DDNS is disabled;
*) cloud - improved DDNS service disabling;
*) cloud - made address updating faster when new public address detected;
*) conntrack - added new "loose-tcp-tracking" parameter (equivalent to "nf_conntrack_tcp_loose" in netfilter);
*) console - renamed IP protocol 41 to "ipv6-encap";
*) console - updated copyright notice;
*) crs317 - fixed packet forwarding when LACP is used with hw=no;
*) crs3xx - fixed packet forwarding through SFP+ ports when using 100Mbps link speed;
*) crs3xx - improved fan control stability;
*) defconf - fixed configuration not generating properly on upgrade;
*) defconf - fixed default configuration loading on RB4011iGS+5HacQ2HnD-IN;
*) defconf - fixed IPv6 link-local address range in firewall rules;
*) dhcp - added "allow-dual-stack-queue" setting for IPv4/IPv6 DHCP servers to control dynamic lease/binding behaviour;
*) dhcp - properly load DHCP configuration if options are configured;
*) dhcpv4-server - added "parent-queue" parameter (CLI only);
*) dhcpv4-server - added "User-Name" attribute to RADIUS accounting messages;
*) dhcpv4-server - fixed service becoming unresponsive after interface leaves and enters the same bridge;
*) dhcpv4-server - use ARP for conflict detection;
*) dhcpv6-client - use default route distance also for unreachable route added by DHCPv6 client;
*) dhcpv6-server - allow to add DHCPv6 server with pool that does not exist;
*) dhcpv6-server - fixed missing gateway for binding's network if RADIUS authentication was used;
*) dhcpv6-server - improved DHCPv6 server stability when using "print" command;
*) dhcpv6-server - show "client-address" parameter for bindings;
*) discovery - detect proper slave interface on bounded interfaces;
*) discovery - fixed malformed neighbor information for routers that has incomplete IPv6 configuration;
*) discovery - send master port in "interface-name" parameter;
*) discovery - show neighbors on actual bridge port instead of bridge itself for LLDP;
*) e-mail - added info log message when e-mail is sent successfully;
*) e-mail - added support for multiple transactions on single connection;
*) ethernet - added "tx-rx-1024-max" counter to Ethernet stats;
*) ethernet - fixed IPv4 and IPv6 packet forwarding on IPQ4018 devices;
*) ethernet - fixed linking issues on wAP ac, RB750Gr2 and Metal 52 ac (introduced in v6.43rc52);
*) ethernet - fixed packet forwarding when SFP interface is disabled on hEX S;
*) ethernet - fixed VLAN1 forwarding on RB1100AHx4 and RB4011 devices;
*) ethernet - improved per core ethernet traffic classificator on mmips devices;
*) export - fixed "silent-boot" compact export;
*) fetch - added "http-header-field" parameter;
*) fetch - added option to specify multiple headers under "http-header-field", including content type;
*) fetch - fixed "without-paging" option;
*) fetch - improved file downloading to slow memory;
*) fetch - improved stability when using HTTP mode;
*) fetch - removed "http-content-type" parameter;
*) gps - increase precision for dd format;
*) gps - moved "coordinate-format" from "monitor" command to "set" parameter;
*) health - improved fan control stability on CRS328-24P-4S+RM;
*) hotspot - added "https-redirect" under server profiles;
*) hotspot - added per-user NAT rule generation based on "incoming-filter" and "outgoing-filter" parameters;
*) ike1 - do not allow using RSA-key and RSA-signature authentication methods simultaneously on single peer;
*) ike1 - fixed memory leak;
*) ike2 - added option to specify certificate chain;
*) ike2 - added peer identity validation for RSA auth (disabled after upgrade);
*) ike2 - allow to match responder peer by "my-id=fqdn" field;
*) ike2 - fixed local address lookup when initiating new connection;
*) ike2 - improved subsequent phase 2 initialization when no childs exist;
*) ike2 - properly handle certificates with empty "Subject";
*) ike2 - retry RSA signature validation with deduced digest from certificate;
*) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;
*) ike2 - show weak pre-shared-key warning;
*) interface - added "pwr-line" interface support (more information will follow in next newsletter);
*) ipsec - added account log message when user is successfully authenticated;
*) ipsec - added basic pre-shared-key strength checks;
*) ipsec - added new "remote-id" peer matcher;
*) ipsec - allow to specify single address instead of IP pool under "mode-config";
*) ipsec - fixed active connection killing when changing peer configuration;
*) ipsec - fixed all policies not getting installed after startup (introduced in v6.43.8);
*) ipsec - fixed stability issues after changing peer configuration (introduced in v6.43);
*) ipsec - hide empty prefixes on "peer" menu;
*) ipsec - improved invalid policy handling when a valid policy is uninstalled;
*) ipsec - made dynamic "src-nat" rule more specific;
*) ipsec - made peers autosort themselves based on reachability status;
*) ipsec - moved "profile" menu outside "peer" menu;
*) ipsec - properly detect AES-NI extension as hardware AEAD;
*) ipsec - removed limitation that allowed only single "auth-method" with the same "exchange-mode" as responder;
*) ipsec - require write policy for key generation;
*) kidcontrol - added IPv6 support;
*) kidcontrol - added "reset-counters" command for "device" menu (CLI only);
*) kidcontrol - added statistics web interface for kids (http://router.lan/kid-control);
*) kidcontrol - added "tur-fri", "tur-mon", "tur-sat", "tur-sun", "tur-thu", "tur-tue", "tur-wed" parameters;
*) kidcontrol - dynamically discover devices from DNS activity;
*) kidcontrol - fixed validation checks for time intervals;
*) kidcontrol - properly detect time zone changes;
*) kidcontrol - use "/128" prefix-length for IPv6 addresses;
*) l2tp - fixed IPsec secret not being updated when "ipsec-secret" is changed under L2TP client configuration;
*) lcd - made "pin" parameter sensitive;
*) led - fixed default LED configuration for RBSXTsq-60ad;
*) led - fixed default LED configuration for wAP 60G AP devices;
*) led - fixed PWR-LINE AP Ethernet LED polarity ("/system routerboard upgrade" required);
*) lldp - fixed missing capabilities fields on some devices;
*) log - accumulate multiple e-mail messages before sending;
*) lte - added additional ID support for Novatel USB730L modem;
*) lte - added "cell-monitor" command for R11e-LTE international modem (CLI only);
*) lte - added "ecno" field for "info" command;
*) lte - added "firmware-upgrade" command for R11e-LTE international modems (CLI only);
*) lte - added initial support for multiple APN for R11e-4G (new modem firmware required);
*) lte - added initial support for Telit LN940;
*) lte - added multiple APN support for R11e-4G;
*) lte - added option to lock the LTE operator;
*) lte - added support for JioFi JMR1040 modem;
*) lte - fixed connection issue when LTE modem was de-registered from network for more than 1 minute;
*) lte - fixed DHCP IP acquire (introduced in v6.43.7);
*) lte - fixed DHCP relay packet forwarding when in passthrough mode;
*) lte - fixed IPv6 activation for R11e-LTE-US modems;
*) lte - fixed Jaton/SQN modems preventing router from booting properly;
*) lte - fixed LTE interface not working properly after reboot on RBSXTLTE3-7;
*) lte - fixed missing running (R) flag for Jaton LTE modems;
*) lte - fixed passthrough DHCP address forward when other address is acquired from operator;
*) lte - fixed reported "rsrq" precision (introduced in v6.43.8);
*) lte - improved compatibility for Alt38xx modems;
*) lte - improved SIM7600 initialization after reset;
*) lte - improved SimCom 7100e support;
*) lte - query "cfun" on initialization;
*) lte - require write policy for at-chat;
*) lte - update firmware version information after R11e-LTE/R11e-4G firmware upgrade;
*) netinstall - do not show kernel failure critical messages in the log after fresh install;
*) ntp-client - fixed "dst-active" and "gmt-offset" being updated after synchronization with server;
*) port - improved "remote-serial" TCP performance in RAW mode;
*) ppp - added "at-chat" command;
*) ppp - fixed dynamic route creation towards VPN server when "add-default-route" is used;
*) profiler - classify kernel crypto processing as "encrypting";
*) profile - removed obsolete "file-name" parameter;
*) proxy - removed port list size limit;
*) radius - implemented Proxy-State attribute handling in CoA and disconnect requests;
*) rb3011 - implemented multiple engine IPsec hardware acceleration support;
*) rb4011 - fixed SFP+ interface full duplex and speed parameter behavior;
*) rb4011 - improved SFP+ interface linking to 1Gbps;
*) rbm33g - improved stability when used with some USB devices;
*) romon - improved reliability when processing RoMON packets on CHR;
*) routerboard - removed "RB" prefix from PWR-LINE AP devices;
*) routerboard - require at least 10 second interval between "reformat-hold-button" and "max-reformat-hold-button";
*) smb - added commenting option for SMB users (CLI only);
*) smb - fixed macOS clients not showing share contents;
*) smb - fixed Windows 10 clients not able to establish connection to share;
*) sniffer - save packet capture in "802.11" type when sniffing on w60g interface in "sniff" mode;
*) snmp - added "dot1qPortVlanTable" and "dot1dBasePortTable" OIDs;
*) snmp - changed fan speed value type to Gauge32;
*) snmp - fixed "rsrq" reported precision;
*) snmp - fixed w60g station table;
*) snmp - removed "rx-sector" ("Wl60gRxSector") value;
*) snmp - report bridge ifSpeed as "0";
*) snmp - report ifSpeed 0 for sub-layer interfaces;
*) ssh - added "allow-none-crypto" parameter to disable "none" encryption usage (CLI only);
*) ssh - added error log message when key exchange fails;
*) ssh - close active SSH connections before IPsec connections on shutdown;
*) ssh - fixed public key format compatibility with RFC4716;
*) supout - fixed "poe-out" output not showing all interfaces;
*) supout - fixed Profile output on single core devices;
*) switch - added comment field to switch ACL rules;
*) switch - fixed ACL rules on IPQ4018 devices;
*) system - accept only valid path for "log-file" parameter in "port" menu;
*) system - removed obsolete "/driver" command;
*) tr069-client - added "check-certificate" parameter to allow communication without certificates;
*) tr069-client - added "connection-request-port" parameter (CLI only);
*) tr069-client - added support for InformParameter object;
*) tr069-client - fixed certificate verification for certificates with IP address;
*) tr069-client - fixed HTTP cookie getting duplicated with the same key;
*) tr069-client - increased reported "rsrq" precision;
*) traceroute - improved stability when sending large ping amounts;
*) traffic-flow - reduced minimal value of "active-flow-timeout" parameter to 1s;
*) tunnel - properly clear dynamic IPsec configuration when removing/disabling EoIP with DNS as "remote-address";
*) upgrade - made security package depend on DHCP package;
*) usb - improved power-reset error message when no bus specified on CCR1072-8G-1S+;
*) usb - improved USB device powering on startup for hAP ac^2 devices;
*) usb - increased default power-reset timeout to 5 seconds;
*) userman - added first and last name fields for signup form;
*) userman - show redirect location in error messages;
*) user - require "write" permissions for LTE firmware update;
*) vrrp - made "password" parameter sensitive;
*) w60g - added "10s-average-rssi" parameter to align mode (CLI only);
*) w60g - added align mode "/interface w60g align" (CLI only);
*) w60g - fixed scan in bridge mode;
*) w60g - improved PtMP performance;
*) w60g - improved reconnection detection;
*) w60g - improved "tx-packet-error-rate" reading;
*) w60g - renamed disconnection message when license level did not allow more connected clients;
*) w60g - renamed "frequency-list" to "scan-list";
*) watchdog - allow specifying DNS name for "send-smtp-server" parameter;
*) webfig - improved file handling;
*) winbox - added 4th chain selection for "HT TX chains" and "HT RX chains" under "CAPsMAN/CAP Interface/Wireless" tab;
*) winbox - added "allow-dual-stack-queue" parameter in "IP/DHCP Server" and "IPv6/DHCP Server" menus;
*) winbox - added "challenge-password" field when signing certificate with SCEP;
*) winbox - added "conflict-detection" parameter in "IP/DHCP Server" menu;
*) winbox - added "coordinate-format" parameter in LTE interface settings;
*) winbox - added "radio-name" setting to "CAPsMAN/CAP Interface/General" tab;
*) winbox - added "secondary-channel" setting to "CAPsMAN/CAP Interface/Channel" tab;
*) winbox - added src/dst address and in/out interface list columns to default firewall menu view;
*) winbox - added support for dynamic devices in "IP/Kid Control/Devices" tab;
*) winbox - allow setting "network-mode" to "auto" under LTE interface settings;
*) winbox - allow specifying interface lists in "CAPsMAN/Access List" menu;
*) winbox - fixed "IPv6/Firewall" "Connection limit" parameter not allowing complete IPv6 prefix lengths;
*) winbox - fixed L2MTU parameter setting on "W60G" type interfaces;
*) winbox - fixed "LCD" menu not shown on RB2011UiAS-2HnD;
*) winbox - fixed missing w60g interface status values;
*) winbox - improved file handling;
*) winbox - moved "Too Long" statistics counter to Ethernet "Rx Stats" tab;
*) winbox - organized wireless parameters between simple and advanced modes;
*) winbox - renamed "Default AP Tx Rate" to "Default AP Tx Limit";
*) winbox - renamed "Default Client Tx Rate" to "Default Client Tx Limit";
*) winbox - show "R" flag under "IPv6/DHCP Server/Bindings" tab;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;
*) winbox - show "W60G" wireless tab on wAP 60G AP;
*) wireless - added new "installation" parameter to specify router's location;
*) wireless - improved AR5212 response to incoming ACK frames;
*) wireless - improved connection stability for new model Apple devices;
*) wireless - improved NV2 performance for all ARM devices;
*) wireless - improved signal strength at low TX power on LHG 5 ac, LHG 5 ac XL and LDF 5 ac ("/system routerboard upgrade" required);
*) wireless - improved system stability for all ARM devices with wireless;
*) wireless - improved system stability for all devices with 802.11ac wireless;
*) wireless - improved system stability when scanning for other networks;
*) wireless - removed G/N support for 2484MHz in "japan" regulatory domain;
*) wireless - report last seen IP address in RADIUS accounting messages;
*) wireless - show "installation" parameter when printing configuration;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this concrete RouterOS release.

Posted: **Tue Feb 26, 2019 9:41 am**

Congratulations on this massive release with 236 changes. I'm really looking forward to test.
Thx a lot!

Posted: **Tue Feb 26, 2019 10:14 am**

On my CRS106-1C-5S the cloud is not workig anymore with the Version 6.44.

Posted: **Tue Feb 26, 2019 10:15 am**

What specifically is not working ? Any errors ?

Posted: **Tue Feb 26, 2019 10:21 am**

I got new features on my hAP mini!

Interface #3, pwr-line1

Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU
 0  RS ether1-GW                           ether            1500  1598       2028
 1  RS ether2-Telia                        ether            1500  1598       2028
 2  RS ether3-RaspberryPi                  ether            1500  1598       2028
 3     pwr-line1                           ether            1500  1598       2028
 4  XS wlan-2GHz                           wlan             1500  1600       2290
 5  R  LAN                                 bridge           1500  1598
 6  R  LAN-Telia                           bridge           1500  1598
 7  RS vlan-LAN                            vlan             1500  1594

Posted: **Tue Feb 26, 2019 10:26 am**

v6.44 does not contain:
""!) winbox - improvements in connection handling to router with open winbox service (CVE-2019–3924);" ?
It is no information in changelog.

Posted: **Tue Feb 26, 2019 10:30 am**

no errors in the log.
I have checked the Internet but when I use IP/ Cloud/ and Force Update nothing happend. Also if i trie to upload a backup file to the cloud. Then i get connectin error in the terminal.

Posted: **Tue Feb 26, 2019 10:40 am**

v6.44 does not contain:
""!) winbox - improvements in connection handling to router with open winbox service (CVE-2019–3924);" ?
It is no information in changelog.

The issue is fixed in:

6.43.12 (2019-02-11 14:39)
6.44beta75 (2019-02-11 15:26)
6.42.12 (2019-02-12 11:46)

Posted: **Tue Feb 26, 2019 10:42 am**

v6.44 does not contain:
""!) winbox - improvements in connection handling to router with open winbox service (CVE-2019–3924);" ?
It is no information in changelog.

these changes are starting from v6.43.12, this change was already there, so it will not show up in 6.44 changelog

Posted: **Tue Feb 26, 2019 10:43 am**

I got new features on my hAP mini!

Interface #3, pwr-line1

Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU
 0  RS ether1-GW                           ether            1500  1598       2028
 1  RS ether2-Telia                        ether            1500  1598       2028
 2  RS ether3-RaspberryPi                  ether            1500  1598       2028
 3     pwr-line1                           ether            1500  1598       2028
 4  XS wlan-2GHz                           wlan             1500  1600       2290
 5  R  LAN                                 bridge           1500  1598
 6  R  LAN-Telia                           bridge           1500  1598
 7  RS vlan-LAN                            vlan             1500  1594

*) interface - added "pwr-line" interface support (more information will follow in next newsletter);

Posted: **Tue Feb 26, 2019 10:45 am**

Deleted as question was answered above

Posted: **Tue Feb 26, 2019 11:09 am**

*) winbox - allow specifying interface lists in "CAPsMAN/Access List" menu;

When on Access List I set interface list as interface on log got

rejected, forbidden by access-lis

Posted: **Tue Feb 26, 2019 11:12 am**

*) hotspot - added "https-redirect" under server profiles;

Is there an up-to-date manual on Hotspot? Or at least what does that option do?

Posted: **Tue Feb 26, 2019 11:25 am**

Congratulations on this massive release with 236 changes. I'm really looking forward to test.
Thx a lot!

236 changes to have new bugs introduced.....

Posted: **Tue Feb 26, 2019 11:31 am**

!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
Just updated one SXT-Lite5ac connected to a 6.43.12 Netmetal and making the test to a 6.43.4 CCR

Where is the jitter? Where is the download result?
Package loss is stated as 100% (200/200) what does that mean?

New Speedtest CLI.JPG

Posted: **Tue Feb 26, 2019 11:50 am**

Below model don't have problem in my environment (I have 1-6 per model)
RB3011UiAS
RB2011UAS
CRS326-24G-2S+
CRS125-24G-1S-2HnD
RB921GS-5HPacD r2
RBLHG G-5acD-XL
SXT 5nD r2
RBwAP G-5HacT2HnD
RBwAP 2nD r2
RB433
RB750
RB960PGS

@WirelessRudy
If you set BTEST Authenticate, you need use full command like:
/tool speed-test user=YourUsernmae password=YourPassword address=10.30.30.30

Posted: **Tue Feb 26, 2019 12:20 pm**

and I thought MT code was close to perfect already.

Seriously, congrats to the team, this kind of effort is massive, I hope Normis gives them a few hours off!!

Posted: **Tue Feb 26, 2019 12:26 pm**

2011 ok

951G ok

hap ac lite...................... couldn't update to stable or testing from 6.43.11, went to 6.42.12 long..... ok. Retries to stable or beta nothing...... still stuck on long term.

u can get the support file from here.

https://mega.nz/#!JnZ1iIZL!MT9wQ2vhAXA4 ... _xZnMMqljo

Posted: **Tue Feb 26, 2019 12:39 pm**

2011 ok

951G ok

hap ac lite...................... couldn't update to stable or testing from 6.43.11, went to 6.42.12 long..... ok. Retries to stable or beta nothing...... still stuck on long term.

u can get the support file from here.

https://mega.nz/#!JnZ1iIZL!MT9wQ2vhAXA4 ... _xZnMMqljo

Take a look at the log entries:
"11:58:41 system,error not enough space for upgrade "

Posted: **Tue Feb 26, 2019 12:44 pm**

2011 ok

951G ok

hap ac lite...................... couldn't update to stable or testing from 6.43.11, went to 6.42.12 long..... ok. Retries to stable or beta nothing...... still stuck on long term.

u can get the support file from here.

https://mega.nz/#!JnZ1iIZL!MT9wQ2vhAXA4 ... _xZnMMqljo

You should not use Extra package bundle on devices with 16MiB disk space.

Posted: **Tue Feb 26, 2019 12:58 pm**

@WirelessRudy
If you set BTEST Authenticate, you need use full command like:
/tool speed-test user=YourUsernmae password=YourPassword address=10.30.30.30

I've done that but see no difference

The 'status' shows that the test is performing the different tests (udp and tcp up- and download) but comes back with status "done". No further info.

Maybe both the units engaged in the test have to be running 6.44? (I am not ready for that. Not going to to upgrade my main routers towards this new 6.44 for at least a week or two..... 6.44 has to proof itself first....

Posted: **Tue Feb 26, 2019 1:35 pm**

*) defconf - fixed IPv6 link-local address range in firewall rules;

a bit more details on this change? Those default rules are not upgraded automatically, so it would be good to see what exactly changed.
And in overall, it would be good to keep on wiki defconfs for each big releases.

Posted: **Tue Feb 26, 2019 1:58 pm**

filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="defconf: accept DHCPv6-Client prefix delegation."

changed to:

filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."

Posted: **Tue Feb 26, 2019 2:00 pm**

Upgraded a RB851G (both RouterOS and RouterBOOT) from 6.42.12 today. I get errors every time I try to save a backup file (both local and cloud, same error).

[admin@xxxx] > /system backup save 
Saving system configuration
Configuration backup saved
08:54:42 echo: backup,critical error creating backup file: could not read all configuration files

[admin@xxxx] > /system resource print 
                   uptime: 41m36s
                  version: 6.44 (stable)
               build-time: Feb/25/2019 14:11:04
              free-memory: 100.9MiB
             total-memory: 128.0MiB
                      cpu: MIPS 74Kc V4.12
                cpu-count: 1
            cpu-frequency: 600MHz
                 cpu-load: 1%
           free-hdd-space: 108.2MiB
          total-hdd-space: 128.0MiB
  write-sect-since-reboot: 1252
         write-sect-total: 27904308
               bad-blocks: 0%
        architecture-name: mipsbe
               board-name: RB951G-2HnD
                 platform: MikroTik

Posted: **Tue Feb 26, 2019 2:02 pm**

Upgraded a RB851G (both RouterOS and RouterBOOT) from 6.42.12 today. I get errors every time I try to save a backup file (both local and cloud, same error).
Code: Select all
[admin@xxxx] > /system backup save 
Saving system configuration
Configuration backup saved
08:54:42 echo: backup,critical error creating backup file: could not read all configuration files

Try to regenerate the ssh host keys:

/ ip ssh regenerate-host-key

Posted: **Tue Feb 26, 2019 2:15 pm**

Upgraded a RB851G (both RouterOS and RouterBOOT) from 6.42.12 today. I get errors every time I try to save a backup file (both local and cloud, same error).
Code: Select all
[admin@xxxx] > /system backup save 
Saving system configuration
Configuration backup saved
08:54:42 echo: backup,critical error creating backup file: could not read all configuration files
Try to regenerate the ssh host keys:
Code: Select all
/ ip ssh regenerate-host-key

Thank you @eworm! You nailed it! I was just reading this other thread where you had the same issue, but for a previous version.

Posted: **Tue Feb 26, 2019 2:38 pm**

Nice MK,

Very big changes log, just waiting for the next Beta/rc version

Posted: **Tue Feb 26, 2019 2:46 pm**

No upgrade issues on RB750gr3 and HAPac2.

Hopefully the wireless on the HAPac2 is more stable as before.

Posted: **Tue Feb 26, 2019 3:03 pm**

problem(

Posted: **Tue Feb 26, 2019 3:06 pm**

Updated 3x HapAC everything seems to be ok, will test fixes later.

Thanks for the effort!

Posted: **Tue Feb 26, 2019 3:14 pm**

2011 ok

951G ok

hap ac lite...................... couldn't update to stable or testing from 6.43.11, went to 6.42.12 long..... ok. Retries to stable or beta nothing...... still stuck on long term.

u can get the support file from here.

https://mega.nz/#!JnZ1iIZL!MT9wQ2vhAXA4 ... _xZnMMqljo
Take a look at the log entries:
"11:58:41 system,error not enough space for upgrade "

2011 ok

951G ok

hap ac lite...................... couldn't update to stable or testing from 6.43.11, went to 6.42.12 long..... ok. Retries to stable or beta nothing...... still stuck on long term.

u can get the support file from here.

https://mega.nz/#!JnZ1iIZL!MT9wQ2vhAXA4 ... _xZnMMqljo
You should not use Extra package bundle on devices with 16MiB disk space.

I have only a backup file inserted and nothing more in files and the long term package intalled....... so what do u suggest?

Posted: **Tue Feb 26, 2019 3:24 pm**

You have so many extra packages installed which are not part of bundle. That is why there is no free space.
I would suggest to install unnecessary packages.

Posted: **Tue Feb 26, 2019 3:26 pm**

updated a CCR1009 from 6.43.12 to 6.44 -> Lost connectivity on all eoip (ipsec) interfaces.

Update: so it seems that this update broke ipsec completely on my device. The router locks up every time I try to access any menus under ip / ipsec.
I only have about 5 tunnels configured with very basic settings.
I'm really not impressed by this update so far, reverting back to 6.43.12 for now.

Posted: **Tue Feb 26, 2019 3:41 pm**

can we have cloud backup in winbox. me not so fan of cli.
options like restore,backup,delete and information of already uploaded backup will be nice in a menu. or maybe in the top of winbox information of last backup that exist or not in mikrotik server.

Posted: **Tue Feb 26, 2019 3:43 pm**

can we have cloud backup in winbox. me not so fan of cli.

I believe that will be in the future

Posted: **Tue Feb 26, 2019 3:45 pm**

I updated and got crash.

RB9561

Posted: **Tue Feb 26, 2019 3:47 pm**

To everyone in this thread. Please, if you experience version related issues, send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Posted: **Tue Feb 26, 2019 4:03 pm**

I updated and my coffee machine started smoking.

Posted: **Tue Feb 26, 2019 4:15 pm**

updated a CCR1009 from 6.43.12 to 6.44 -> Lost connectivity on all eoip (ipsec) interfaces.

Create a rule in input chains for ipsec

Posted: **Tue Feb 26, 2019 4:21 pm**

You have so many extra packages installed which are not part of bundle. That is why there is no free space.
I would suggest to install unnecessary packages.

After unistalling some packages all done in 6.44 stable like i expected............. ty.

Posted: **Tue Feb 26, 2019 4:30 pm**

problem(

fix_space.zip

Posted: **Tue Feb 26, 2019 5:06 pm**

problem(
fix_space.zip

inside flash folder or outside and reboot? Which is the right one place to put it?

What does this package rly do?

Posted: **Tue Feb 26, 2019 5:13 pm**

problem(
fix_space.zip
inside flash folder or outside and reboot? Which is the right one place to put it?

In my cases it didn't matter.
But I think better flash folder

#!/bin/bash

if [ "$bootimage" != "1" ]; then rm -f /flash/bootimage; fi

mv /var/pdb/fix-space/image /tmp
rm -rf /var/pdb/fix-space

Posted: **Tue Feb 26, 2019 5:13 pm**

@WirelessRudy
If you set BTEST Authenticate, you need use full command like:
/tool speed-test user=YourUsernmae password=YourPassword address=10.30.30.30
I've done that but see no difference

The 'status' shows that the test is performing the different tests (udp and tcp up- and download) but comes back with status "done". No further info.

Maybe both the units engaged in the test have to be running 6.44? (I am not ready for that. Not going to to upgrade my main routers towards this new 6.44 for at least a week or two..... 6.44 has to proof itself first....

Both the client and the router that for the test need to be upgrade I found out in the eve of this day.

Posted: **Tue Feb 26, 2019 5:16 pm**

problem(
fix_space.zip
inside flash folder or outside and reboot? Which is the right one place to put it?
In my cases it didn't matter.
But I think better flash folder
Code: Select all
#!/bin/bash

if [ "$bootimage" != "1" ]; then rm -f /flash/bootimage; fi

mv /var/pdb/fix-space/image /tmp
rm -rf /var/pdb/fix-space

I did it both ways......... will i have to watch something happens after or just install and go on? What exactly do this package? The scipt is other way to install it or is the only way?

Posted: **Tue Feb 26, 2019 5:18 pm**

speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only)

This feature is nice indeed!

It wouldn't be me not to ask for more though

:
- Can the time the test run either be adjusted by administrator of just set longer. In many occasions the connection rates between the client and AP have to step up before a longer lasting level is
reached. The test average is kept low due this.
A full 1 minute test would be preferred, 2 would even be better, admin adjustable would be perfect.....
- Is this going to be implemented in Winbox?

Posted: **Tue Feb 26, 2019 5:23 pm**

I did it both ways......... will i have to watch something happens after or just install and go on? What exactly do this package? The scipt is other way to install it or is the only way?

Corrects a memory full error.
download/file.php?id=35767

Posted: **Tue Feb 26, 2019 5:35 pm**

I did it both ways......... will i have to watch something happens after or just install and go on? What exactly do this package? The scipt is other way to install it or is the only way?
Corrects a memory full error.
download/file.php?id=35767

Is it ok to install it in machines with no size problems like 2011 or 951g? Ty for the all info by the way

Posted: **Tue Feb 26, 2019 7:51 pm**

Couldn't get supout. But there seems to be an issue with DNS lookups. Running PPPoE session with static DNS of 1.1.1.1 could not resolve domains. Reverted to 6.43.12 fixed above issue.

Sent from my VTR-L29 using Tapatalk

Posted: **Tue Feb 26, 2019 8:13 pm**

Hello,

This fix: ppp - fixed dynamic route creation towards VPN server when "add-default-route" is used; still not working for me, on a RB750.

Anyone can help?

Posted: **Tue Feb 26, 2019 8:24 pm**

*) wireless - improved connection stability for new model Apple devices;
*) wireless - improved NV2 performance for all ARM devices;
*) wireless - improved system stability for all ARM devices with wireless;
*) wireless - improved system stability for all devices with 802.11ac wireless;

Just bought a Cap AC and these changes are really in time

Posted: **Tue Feb 26, 2019 8:26 pm**

Updated a CCR1009 and RB4011 without any issues. Great work MT!
Now please make us happy with some BGP improvements in 6.45

Posted: **Tue Feb 26, 2019 8:58 pm**

Updated all MT devices to 6.44. Now in Winbox Neighbors view the devices are no longer represented by their Bridges Admin MAC Address but by the MAC Address of the respective ethernet interface. This is not what I wanted, so the question is: is it a bug? Can I get the "old" setting somehow?

Posted: **Tue Feb 26, 2019 10:18 pm**

*) capsman - always accept connections from loopback address;

Hi, I tested but I still need input firewall rule to accept router IP to get working CAP on the same board as CAPsMAN:

/ip firewall filter
add action=accept chain=input protocol=udp dst-address="router IP" src-address="router IP"

/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge-local

/interface wireless cap
set discovery-interfaces=bridge-local interfaces=wlan1

Could you please share what should be the preferred config for CAP in CAPsMAN and update wiki?
https://wiki.mikrotik.com/wiki/Manual:S ... in_CAPsMAN

Posted: **Tue Feb 26, 2019 10:25 pm**

Any news about "Delegated-IPv6-Prefix" attribute for PPPoE??? → viewtopic.php?t=89443
Half Live 3 come out faster?

Posted: **Tue Feb 26, 2019 10:57 pm**

Email test is done, but sending e-mail from /tools/logging sender e-mail address is empty.
Log showing:
21:16:03 e-mail,error Error sending e-mail <l2tp,ppp,info,account xxxxxxx logged out, 142 57839 5 : invalid TO address
------
Piece from e-mail server log:
Feb 26 21:16:03 mail-xxxx postfix/submission/smtpd[2193]: NOQUEUE: reject: RCPT from xxxxx.xxx[192.168.xx.x]: 554 5.7.1 <admin@xxxx.xx>: Recipient address rejected: Policy rejection due to null sender; from=<> to=<admin@xxxx.xx> proto=ESMTP helo=<[192.168.xx.x]>
-----.
Firmware is 6.44 on hardware CCR1009-7G-1C-1S+

Early fimware version 6.43.12 and not showing this problem.

Sincerelly: Tamagochi

Posted: **Tue Feb 26, 2019 11:15 pm**

Can confirm the RB4011 SFP+ port is correctly working with a 3rd party 1G sfp. Thanks guys!

Posted: **Wed Feb 27, 2019 12:26 am**

RB4011iGS+5HacQ2HnD 6.44
After install, L2TP/IPSEC tunnels stopped working, "no auth key". I gave them the secrets peer by peer. The tunnels went up. Just in case i made a reboot, and then again all connections were down. Then i realized that the full ipsec menu was EMPTY. Tried to make supout, it was stuck at 1%. Made a restore from backup, now everything seems to be ok. Strange as it is.

Posted: **Wed Feb 27, 2019 2:51 am**

Just i need info about this:

!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;

Basically from now we have to use identity tab. Because USER has been replaced with it. I got PC clients using this features

Does it will covered ?

/ip ipsec identity
add auth-method=pre-shared-key-xauth peer=peer1 secret="secret" xauth-login=user xauth-password=pass

Posted: **Wed Feb 27, 2019 4:00 am**

Just upgraded to 6.44

/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict peer=peer9 policy-template-group=redescambo xauth-login=alfandega1
add auth-method=pre-shared-key-xauth generate-policy=port-strict peer=peer9 policy-template-group=redescambo xauth-login=alfandega2
add auth-method=pre-shared-key-xauth generate-policy=port-strict peer=peer9 policy-template-group=redescambo xauth-login=paternot
add auth-method=pre-shared-key-xauth generate-policy=port-strict peer=peer9 policy-template-group=redescambo xauth-login=valida
add auth-method=pre-shared-key-xauth generate-policy=port-strict peer=peer9 policy-template-group=redescambo xauth-login=victor

All of them are related to a "peer9" group. It didn't exist - was created on the upgrade.

This is my peer tab:

/ip ipsec peer
add comment="Redescambo psk xauth" name=peer9 passive=yes profile=profile_1

Working ok after upgrade.

Posted: **Wed Feb 27, 2019 5:29 am**

Just upgraded to 6.44

/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict peer=peer9 policy-template-group=redescambo xauth-login=alfandega1
add auth-method=pre-shared-key-xauth generate-policy=port-strict peer=peer9 policy-template-group=redescambo xauth-login=alfandega2
add auth-method=pre-shared-key-xauth generate-policy=port-strict peer=peer9 policy-template-group=redescambo xauth-login=paternot
add auth-method=pre-shared-key-xauth generate-policy=port-strict peer=peer9 policy-template-group=redescambo xauth-login=valida
add auth-method=pre-shared-key-xauth generate-policy=port-strict peer=peer9 policy-template-group=redescambo xauth-login=victor

All of them are related to a "peer9" group. It didn't exist - was created on the upgrade.

This is my peer tab:

/ip ipsec peer
add comment="Redescambo psk xauth" name=peer9 passive=yes profile=profile_1

that was my point User has been replaced with pre-shared-key-xauth user and password.

I want to be sure before implement on my clients

Working ok after upgrade.

Posted: **Wed Feb 27, 2019 7:40 am**

Kampfwurst - What is the error that you get? Does your router have an access to cloud2.mikrotik.com? Test it from CLI (Winbox would use computers DNS in order to resolve this address);
Simono - Please provide an example rule that you use in access list and interface configuration within an e-mail to support@mikrotik.com;
Chupaka - We will update wiki page as soon as possible;
WirelessRudy - Do you have an access to this IP address? Please provide supout file from your router to support@mikrotik.com. Speed Test works just fine for me to/from all accessible IP addresses;
osc86, MDE, geiger - Please provide supout file from your router to support@mikrotik.com;
lenciso - Please provide more information about what kind of crash did you experience on your router;
isacalmeida - Please provide an example. This fix was made in order to fix an issue when, for example, you have PPPoE tunnel which creates default route and then have an L2TP tunnel over it. Then special route towards L2TP server must be created dynamically which uses PPPoE as a gateway, if L2TP adds its own default route. Otherwise L2TP server would be reachable over L2TP tunnel itself which is not correct;
Chaosphere64 - Are these devices discovered by MNDP? If yes, then please provide supout file from your router to support@mikrotik.com;
Pea - This change allows to specify interfaces under "/caps-man manager interface" menu and at the same time allows to use router itself as a CAP and CAPsMAN at the same time. Before you could not forbid all and allow traffic from router itself to CAPsMAN. It affects interface list not the firewall. Firewall accept rule still must be present;
saaremaa - What is the question here actually? Delegated-IPv6-Prefix is already working for DHCP service (RADIUS). Such parameter is not available yet for PPP service. If you make PPPoE server which then distributes addresses by using DHCP service, then this will not work since users are authenticated by using PPP service, not DHCP;
tamagochi - Do you mean that e-mail settings were corrupted? I do not see how this would be possible by this upgrade. If you downgrade router back, then setting re-appears? Please test if when you downgrade device, set TO parameter, upgrade back and the setting is gone again;
Nicky - If details about new IPsec implementation are not clear from the changelog, then please write to support@mikrotik.com. Provide your configuration and an example of configuration which can not seem to get working. We will help you as soon as possible;

Posted: **Wed Feb 27, 2019 8:23 am**

Hello,

After the upgrade, the VPN client cannot connects. One of my colleague updated 5 routers. Please don't ask me why, but not working. Can I ask any expert where and what can I have to change to make it working again?

TIA

Posted: **Wed Feb 27, 2019 8:27 am**

There is a problem on RB4011 on wifi 5Ghz. CAPSMAN mode or not.

When a client transitions from RB4011 wifi 5ghz to another device, the physical interface 5ghz crash. Enable only reload.

While seen only with the iPhone XS, XS Max, new iPad Pro. This is a problem only on RB4011.

So it was up to 6.44. You have not fixed this problem. Sent you the supout.rif file to the support@mikrotik.com, Ticket#2019022722003126

Posted: **Wed Feb 27, 2019 8:31 am**

Hello,

After the upgrade, the VPN client cannot connects. One of my colleague updated 5 routers. Please don't ask me why, but not working. Can I ask any expert where and what can I have to change to make it working again?

TIA

Hi,

What VPN solution do you use? I guess you mean you can not connect to the VPN server on the Mikrotik router.
If you use IPSEC check change log:
*) ipsec - moved "profile" menu outside "peer" menu;
and
ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;

Best regards,
Geo

Posted: **Wed Feb 27, 2019 8:51 am**

strods, Your message → viewtopic.php?f=1&t=89443&start=100#p691742

In short, if under "/radius" menu you have selected service "DHCP", then "Delegated-IPv6-Prefix" is supported. If under "/radius" menu you have selected "PPP" service, then "Delegated-IPv6-Prefix" is not supported at the moment.

OK understood.

One step at the time - we added "Delegated-IPv6-Prefix" suport for DHCP in v6.43, we will see what we can do about PPP service in future RouterOS releases.

in v6.44 this does not work for me.
My users work with PPP(PPPoE ) and should receive a static prefix from Billing (tied to an account) via "Delegated-IPv6-Prefix" attribute. This is a requirement of government.
When authorization has occurred, a dynamic DHCPV6 server should be created for this PPPoE connection and distribute the associated (in billing) IPV6-Prefix to the subscriber.

Posted: **Wed Feb 27, 2019 9:18 am**

*) hotspot - added "https-redirect" under server profiles;

I can't find this option under server profiles !

Posted: **Wed Feb 27, 2019 9:31 am**

Updated all my devices from 6.43.12 to 6.44 thru dude, no problems

Eddie

Posted: **Wed Feb 27, 2019 10:22 am**

Hello all
After performed update 6.44 on 2011UiAS E-mail notification is working incorrectly (Log messages send to me by e-mail). As I have found out field "from" in e-mail message does not fill (It is empty). Moreover if you try to check e-mail it works rightly and field from fill corectly.
Could you help me to fix it, please? May be I don't know anything? Before update It was working rightly.

Posted: **Wed Feb 27, 2019 10:36 am**

Mikrotik....... ok and great job,

Now we need to get priorities first.

speed test is nice, i understand but is useless, some other things u implement also ok and we ty for that, but.........

We need SQM package with codel algorithm

If u undertsand what is this ( i know u understand ) u will include it i suppose sometime.

Regards.

Posted: **Wed Feb 27, 2019 10:47 am**

Upgraded a RB851G (both RouterOS and RouterBOOT) from 6.42.12 today. I get errors every time I try to save a backup file (both local and cloud, same error).
Code: Select all
[admin@xxxx] > /system backup save 
Saving system configuration
Configuration backup saved
08:54:42 echo: backup,critical error creating backup file: could not read all configuration files
Try to regenerate the ssh host keys:
Code: Select all
/ ip ssh regenerate-host-key
Thank you @eworm! You nailed it! I was just reading this other thread where you had the same issue, but for a previous version.

As this pops up every now and then... Mikrotik should consider extending the error handling - in case of ssh host key file print something like: "could not read ssh host key file, try to regenerate: / ip ssh regenerate-host-key"

Posted: **Wed Feb 27, 2019 11:11 am**

Hello,

After upgrade from 6.43.8 to 6.44 all my comments were lost for /ip ipsec policies and peers. I manage more than 60 VPN to one of my Mikrotiks and Mikrotiks I installed to customer use sometimes 3 or more VPN
Can you imagine the amount of work needed to put it back in order if I update all my device? Luckily I tested on one before a massive upgrade.

Please keep comments, they are useful.

Vincent

Posted: **Wed Feb 27, 2019 12:44 pm**

Strange ... IPSec works for me

after upgrade 6.43.12 -> 6.44

IPSeced IPIP and GRE tunnels work smooth after upgrade, self-reconnected without problems. Comments still in place.

Posted: **Wed Feb 27, 2019 12:59 pm**

that was my point User has been replaced with pre-shared-key-xauth user and password.

I want to be sure before implement on my clients

Working ok after upgrade.

I was using pre-shared-key-xauth and password. Yes, the system created that "peer9" out of the blue - but it did it only to have something on the peers tab. It is just a placeholder.

Posted: **Wed Feb 27, 2019 1:06 pm**

ROS 6.44. When exporting

/ip neighbor discovery-settings

, inversion is not taken into account. Be careful!

ROS_6.44_neighbor.jpg

Posted: **Wed Feb 27, 2019 1:13 pm**

Strange ... IPSec works for me after upgrade 6.43.12 -> 6.44

IPSeced IPIP and GRE tunnels work smooth after upgrade, self-reconnected without problems. Comments still in place.

Some of my device are in 6.43.12. I ll test.
Thank you for your reply.

Vincent

Posted: **Wed Feb 27, 2019 1:19 pm**

I have now updated two wAP AC, One 493G, Two CHR's, one 4011 and two 3011. One 3011 hold several GRE tunnels with IPSec and no issues after upgrade. Endpoints to where GRE tunnels are connecting are still on 6.43.12 so no issues between versions either.
Great job MT!

Posted: **Wed Feb 27, 2019 1:30 pm**

ROS 6.44. When exporting
Code: Select all
/ip neighbor discovery-settings
, inversion is not taken into account. Be careful!
ROS_6.44_neighbor.jpg

This is strictly spoken not a 6.44 issue, as the problem exists in 6.43 as well. You are welcome to report it, with supout.rif, to support.

Posted: **Wed Feb 27, 2019 1:38 pm**

Upgraded my hAP AC2 from 6.43.4 without issues. Working fine ! Thanks MT

Posted: **Wed Feb 27, 2019 1:58 pm**

Currently looks like missing IPsec configuration after an upgrade is caused by having a 6.44beta version installed at some point in the past. If the router is missing some IPsec related configuration after an upgrade, please generate a supout.rif file as soon as possible before doing any other changes and send it to us.

Paternot, everything looks good for you. Users menu was removed, each user is automatically converted to an identity and assigned to the peer.

Posted: **Wed Feb 27, 2019 2:32 pm**

https-redirect is not working

Posted: **Wed Feb 27, 2019 2:51 pm**

Currently looks like missing IPsec configuration after an upgrade is caused by having a 6.44beta version installed at some point in the past. If the router is missing some IPsec related configuration after an upgrade, please generate a supout.rif file as soon as possible before doing any other changes and send it to us.

Paternot, everything looks good for you. Users menu was removed, each user is automatically converted to an identity and assigned to the peer.

@Emils,

I alway use stable channel. So I m sure I never had beta somewhere on my devices.
I modify my configuration after finding missing configuration.
if that happen again, I ll send supout.rif file.

Kind regards,

Vincent

Posted: **Wed Feb 27, 2019 3:18 pm**

Paternot, everything looks good for you. Users menu was removed, each user is automatically converted to an identity and assigned to the peer.

Yes, it all works great - excellent job! I was pointing out to nichky that the upgrade went smooth.

Posted: **Wed Feb 27, 2019 3:36 pm**

WirelessRudy - Do you have an access to this IP address? Please provide supout file from your router to support@mikrotik.com. Speed Test works just fine for me to/from all accessible IP addresses;

Already know the answer. Both units need to be 6.44 to have all CLI bandwidth features working.

Posted: **Wed Feb 27, 2019 5:12 pm**

Noticed DHCP feature is enabled after upgrade to v6.44 (firmware also updated) on CCR1036-12G-4S,
If I attempt to disable DHCP again and reboot, it says "can not disable dhcp-6.44: security depends on it"

Sorry if this is not related to this version, upgraded from a slightly older version. Not the end of the world, just thought I would note it.

Posted: **Wed Feb 27, 2019 5:29 pm**

The dhcp package is mandatory, as mentioned in change log, but you should be able to delete / disable any dhcp servers or clients.

What's new in 6.44 (2019-Feb-25 14:11):

Changes in this release:

*) upgrade - made security package depend on DHCP package

Posted: **Wed Feb 27, 2019 5:53 pm**

tamagochi - Do you mean that e-mail settings were corrupted? I do not see how this would be possible by this upgrade. If you downgrade router back, then setting re-appears? Please test if when you downgrade device, set TO parameter, upgrade back and the setting is gone again;

No, e-mail settings are not corrupt, showing good, but sender address is null <>... Settings are not gone, i checked all parameters.
I try downgrade to 6.42.12 e-mail is perfekt when VPN user logged in. Set TO parameters also are good admin received email, but sender empty.

email_setting.PNG

log_to_email.PNG

Posted: **Wed Feb 27, 2019 9:05 pm**

kefealo - Without additional information we are blind. Please provide supout file to support@mikrotik.com from router which is not working properly but was working just fine before an upgrade;
saaremaa - Sorry about that. I mixed both services together. We do support Delegated-IPv6-Prefix for DHCP service but not for PPP yet. It is in our plans to add support for this in the future;
ErfanDL - Not yet added to GUI "/ip hotspot profile set https-redirect=";
VincentL - We are very sorry that you experienced such problem. We will look into this and try to reproduce this problem. If we manage to do so, then we will fix this problem in next release;
xtrans - What exactly is not working? Please provide more details (preferably to support@mikrotik.com);
tamagochi - Please send supout file and problem description to support@mikrotik.com. We will look into this. I can not seem to reproduce this problem and e-mail are being sent to me without any problems from my routers (log, simple e-mail send command, etc.).

Posted: **Wed Feb 27, 2019 10:52 pm**

...
ErfanDL - Not yet added to GUI "/ip hotspot profile set https-redirect=";
...

Please can you explain this new feature and how is working.
Tks

Posted: **Wed Feb 27, 2019 11:16 pm**

"I cannot upgrade my devices through DUDE which is running on a RB750GR3. I tried it with dude client 6.43.12 and 6.44. Dude says "needed packages are not available". I also tried several types mipsbe, arm, tile."

Solved, maybe broken packages.

Posted: **Thu Feb 28, 2019 12:30 am**

major issues upgrading rb952Ui to 6.43.12 and 6.44
The upgrade to 6.43.12 from 6.43.7 went ok, but 6.43.12 caused the device to go into high cpu usage and eventually crash with autosup out being generated. The first 2 times this happened router got rebooted by customer in about 15-20 minutes. The third time I was present and connected to a ethernet port. Router had high cpu usage for about 3-4 minutes after which all routing and dhcp seemed to stop working. I rebooted after about 1-2 minutes and the router became paperweight - it would not boot. Had a bit of a hard time getting it to netinstall, but after 30+ minutes of retries it did. Since on 6.43.12 customer has complained that either laptops cannot connect or connect for 10 minutes and get kicked out. Log investigation showed computers were unable to get their DHCP lease renewed, (increasing to 24 hours kind of solved that), and the router frequently logging certain mac address disconnected, group key exchange timeout. Investigation indicated these are all windows devices.
6.43.12 also caused the router to rename a usb disk from disk2 to disk 3.
Upgrade to 6.44 from 6.43.12 went mostly ok, but the issues persisted - both the broken dhcp lease renew and the bund of wireless devices getting disconnected with a group key exchange timeout. I am able to reproduce with another 952 and a laptop in my lab. The group key exchange timeout happens approximately every 5 minutes.

Posted: **Thu Feb 28, 2019 12:36 am**

...
ErfanDL - Not yet added to GUI "/ip hotspot profile set https-redirect=";
...
Please can you explain this new feature and how is working.
Tks

Yes please, an exaplanation ?

for both features:

*) hotspot - added "https-redirect" under server profiles;
*) hotspot - added per-user NAT rule generation based on "incoming-filter" and "outgoing-filter" parameters;

thanks,

Posted: **Thu Feb 28, 2019 1:36 am**

*) discovery - detect proper slave interface on bounded interfaces;

If this means reporting the neighbor on each interface of the bond, then it works as expected.
It is just not correct, since the neighbor should appear only once because it is a single logical interface.
And some of them show the IP only on one of the instances.
Was this really necessary?

Posted: **Thu Feb 28, 2019 5:59 am**

I am also seeing the blank from header email issue after upgrading to 6.44 from 6.42.5.

The default from address (/tool email print) is set to what it should be for me but does not get passed along for my email log actions. If I send a test message and manually specify the from header, the mail is sent successfully.

I've enabled email,debug logging and can confirm that it shows "send MAIL FROM: <>" in the logs

Our Postfix mail relay shows "from=<>" as the header and receives a bounce from Gmail with the error: "Messages missing a valid address in From: 550 5.7.1 header, or having no From: header, are not accepted."

I've confirmed this is an issue with 6.44 on two different model routers that I've upgraded so far. Considering this breaks log email notifications, this is quite important for us.

Please let me know what else I can provide. Thanks!

Posted: **Thu Feb 28, 2019 6:27 am**

One of my hEX enabled auto-upgrade. It upgraded this morning(I’m in Macau) to 6.44. The new version messed the interface list result firewall filter went wrong. The situation is: I got 2 more interfaces in a interface list which wasn’t before update(and the list supposed to be blocked by firewall). It’s a big issue if an upgrade could be able to mess up config. Do you need an investigation?

Posted: **Thu Feb 28, 2019 7:51 am**

tamagochi - Do you mean that e-mail settings were corrupted? I do not see how this would be possible by this upgrade. If you downgrade router back, then setting re-appears? Please test if when you downgrade device, set TO parameter, upgrade back and the setting is gone again;

No, e-mail settings are not corrupt, showing good, but sender address is null <>... Settings are not gone, i checked all parameters.
I try downgrade to 6.42.12 e-mail is perfekt when VPN user logged in. Set TO parameters also are good admin received email, but sender empty.

email_setting.PNG

log_to_email.PNG

did you send email so far?

Posted: **Thu Feb 28, 2019 8:30 am**

Hi,
Didn't understand this topic (how it works):

*) lte - added "firmware-upgrade" command for R11e-LTE international modems (CLI only);

Tried to update WAP-LTE with CLI - it shows that exist new firmware - enter "upgrade"
/ interface lte firmware-upgrade lte1
installed: MikroTik_CP_2.160.000_v008
latest: MikroTik_CP_2.160.000_v010

/ interface lte firmware-upgrade lte1 upgrade=yes
.... lost connection.... reboot.... same version on modem

Posted: **Thu Feb 28, 2019 9:04 am**

/ interface lte firmware-upgrade lte1 upgrade=yes
.... lost connection.... reboot.... same version on modem

I have 2 carriers with 2 different SIMs. One works, one seems to block it!

Posted: **Thu Feb 28, 2019 9:32 am**

Hi,
Didn't understand this topic (how it works):
*) lte - added "firmware-upgrade" command for R11e-LTE international modems (CLI only);
Tried to update WAP-LTE with CLI - it shows that exist new firmware - enter "upgrade"
/ interface lte firmware-upgrade lte1
installed: MikroTik_CP_2.160.000_v008
latest: MikroTik_CP_2.160.000_v010

/ interface lte firmware-upgrade lte1 upgrade=yes
.... lost connection.... reboot.... same version on modem

Did you login via LTE connection? Lost connection is expected then, probably failed upgrade is as well. I use this script for remote upgrade: unattended-lte-firmware-upgrade

Posted: **Thu Feb 28, 2019 10:06 am**

............ Since on 6.43.12 customer has complained that either laptops cannot connect or connect for 10 minutes and get kicked out. Log investigation showed computers were unable to get their DHCP lease renewed, (increasing to 24 hours kind of solved that), and the router frequently logging certain mac address disconnected, group key exchange timeout. Investigation indicated these are all windows devices.
6.43.12 also caused the router to rename a usb disk from disk2 to disk 3.
Upgrade to 6.44 from 6.43.12 went mostly ok, but the issues persisted - both the broken dhcp lease renew and the bund of wireless devices getting disconnected with a group key exchange timeout. I am able to reproduce with another 952 and a laptop in my lab. The group key exchange timeout happens approximately every 5 minutes.

we have the same problem in our company where we have a lot of HP notebooks with intel wifi cards. I don't have time to analyze this, so we go back to 6.42.12

Posted: **Thu Feb 28, 2019 10:34 am**

Updated a CCR1009 and RB4011 without any issues. Great work MT!
Now please make us happy with some BGP improvements in 6.45

Quote!!

is it true that for the BGP sessions, RouterOS use only one core?

Posted: **Thu Feb 28, 2019 11:11 am**

Hi,
Didn't understand this topic (how it works):
*) lte - added "firmware-upgrade" command for R11e-LTE international modems (CLI only);
Tried to update WAP-LTE with CLI - it shows that exist new firmware - enter "upgrade"
/ interface lte firmware-upgrade lte1
installed: MikroTik_CP_2.160.000_v008
latest: MikroTik_CP_2.160.000_v010

/ interface lte firmware-upgrade lte1 upgrade=yes
.... lost connection.... reboot.... same version on modem
Did you login via LTE connection? Lost connection is expected then, probably failed upgrade is as well. I use this script for remote upgrade: unattended-lte-firmware-upgrade

Yes, the same connection of course

because that's LTE router, it didn't had another one "internet" inside

only from mobile provider....
Maybe failed - there is no log messages about process, nothing, It is very well, that after the "failed update" the device has recovered connection after reboot.
Thanks for the script, i will test it on "non-production" router, first and after that on installed

Posted: **Thu Feb 28, 2019 11:15 am**

/ interface lte firmware-upgrade lte1 upgrade=yes
.... lost connection.... reboot.... same version on modem
I have 2 carriers with 2 different SIMs. One works, one seems to block it!

Maybe that's my case too, will try to investigate too...

Posted: **Thu Feb 28, 2019 11:26 am**

Another "bug" from version to version, form stable to stable release

"Future" time on GRE tunnels in (up\down) status field
May be someone know how it resolve?
Thanks!

Posted: **Thu Feb 28, 2019 11:58 am**

Updated a CCR1009 and RB4011 without any issues. Great work MT!
Now please make us happy with some BGP improvements in 6.45
Quote!!

is it true that for the BGP sessions, RouterOS use only one core?

Yes, it is.

Posted: **Thu Feb 28, 2019 12:02 pm**

Another "bug" from version to version, form stable to stable release

"Future" time on GRE tunnels in (up\down) status field
May be someone know how it resolve?
Thanks!

Check System / Clock

All tunnel interfaces show the correct date and time on my devices.

Posted: **Thu Feb 28, 2019 12:06 pm**

Incorrect time is cosmetic Winbox bug noticed when there are multiple Winbox instances open. If you check in terminal, time is reported correctly.

Posted: **Thu Feb 28, 2019 1:10 pm**

command

/interface wireless set wlan1 band=5ghz-onlyac;

on RB711G (no AC wifi) run is ok. No fail, no error but wifi not function.

this automatization script is not function, function only on AC devices because no error if set onlyAC on noAC devices.

 	:do { /interface wireless set wlan1 band="5ghz-n/ac"; :log info "usage 5g-n/ac"; } on-error={
	    :do { /interface wireless set wlan1 band="5ghz-onlyn"; :log info "usage 5g-n"; } on-error={
	        :do { /interface wireless set wlan1 band="5ghz-a"; :log info "usage 5g-a"; } on-error={
	        }
	    }
	}

Posted: **Thu Feb 28, 2019 1:18 pm**

Works as expected:

[admin@4p_DUT_DISC Lite5] /interface wireless> set band=5ghz-n/ac                 
Script Error: action cancelled
[admin@4p_DUT_DISC Lite5] /interface wireless> set  0 band=5ghz-n/ac  
failure: bad band or frequency, see 'wireless info' for supported channels
[admin@4p_DUT_DISC Lite5] /interface wireless> :do { set 0 band=5ghz-n/ac } on-err
or={ :put "error"} 
error

Not 6.44 version specific, most likely related to wireless card you have, contact support for more details.

Posted: **Thu Feb 28, 2019 1:31 pm**

RB711G not wifi AC. SXT report error, RB711G no error.

Posted: **Thu Feb 28, 2019 1:34 pm**

Kampfwurst - What is the error that you get? Does your router have an access to cloud2.mikrotik.com? Test it from CLI (Winbox would use computers DNS in order to resolve this address);
Simono - Please provide an example rule that you use in access list and interface configuration within an e-mail to support@mikrotik.com;
Chupaka - We will update wiki page as soon as possible;
WirelessRudy - Do you have an access to this IP address? Please provide supout file from your router to support@mikrotik.com. Speed Test works just fine for me to/from all accessible IP addresses;
osc86, MDE, geiger - Please provide supout file from your router to support@mikrotik.com;
lenciso - Please provide more information about what kind of crash did you experience on your router;
isacalmeida - Please provide an example. This fix was made in order to fix an issue when, for example, you have PPPoE tunnel which creates default route and then have an L2TP tunnel over it. Then special route towards L2TP server must be created dynamically which uses PPPoE as a gateway, if L2TP adds its own default route. Otherwise L2TP server would be reachable over L2TP tunnel itself which is not correct;
Chaosphere64 - Are these devices discovered by MNDP? If yes, then please provide supout file from your router to support@mikrotik.com;
Pea - This change allows to specify interfaces under "/caps-man manager interface" menu and at the same time allows to use router itself as a CAP and CAPsMAN at the same time. Before you could not forbid all and allow traffic from router itself to CAPsMAN. It affects interface list not the firewall. Firewall accept rule still must be present;
saaremaa - What is the question here actually? Delegated-IPv6-Prefix is already working for DHCP service (RADIUS). Such parameter is not available yet for PPP service. If you make PPPoE server which then distributes addresses by using DHCP service, then this will not work since users are authenticated by using PPP service, not DHCP;
tamagochi - Do you mean that e-mail settings were corrupted? I do not see how this would be possible by this upgrade. If you downgrade router back, then setting re-appears? Please test if when you downgrade device, set TO parameter, upgrade back and the setting is gone again;
Nicky - If details about new IPsec implementation are not clear from the changelog, then please write to support@mikrotik.com. Provide your configuration and an example of configuration which can not seem to get working. We will help you as soon as possible;

Hello strods,

In my scenario, I have a PPPoE connection and a PPTP VPN, both with the default route enabled. After updating the version, the bug remains when the both are with the default route.

Posted: **Thu Feb 28, 2019 2:24 pm**

there is a bug in RB2011UiAS-2HnD with HUAWEI USB 3G Dongle. the dongle cannot be detecting in RB2011UiAS-2HnD, but with RB951Ui working without problem.

Posted: **Thu Feb 28, 2019 3:43 pm**

Hi,

I got issue on the IKE to Iphone VPN after upgrade to 6.44, the iphone doesn't connect to the IKE VPN and show error message that the router did not respond, previously was working fine. Just to sharing this and i got no solution on it yet.

Posted: **Thu Feb 28, 2019 3:59 pm**

Incorrect time is cosmetic Winbox bug noticed when there are multiple Winbox instances open. If you check in terminal, time is reported correctly.

What terminal command can get time UP|DOWN from gre interface status in terminal???
/interface gre .... ??

I know only for Ethernet
Thanks!

Posted: **Thu Feb 28, 2019 4:03 pm**

this "pwr-line1" interface appeared after upgrade to 6.44 on a haplite.

Posted: **Thu Feb 28, 2019 4:05 pm**

Another "bug" from version to version, form stable to stable release

"Future" time on GRE tunnels in (up\down) status field
May be someone know how it resolve?
Thanks!
Check System / Clock

All tunnel interfaces show the correct date and time on my devices.

Checked, ntp-ok, sync- ok, auto-time-zone-off-manual, cloud tyme resync-off, that's on both sides of tunnel

Posted: **Thu Feb 28, 2019 4:18 pm**

Hello all!

We have the following configuration:

2x CCR-1036, 3x different IPv4 channels between them (L2/L3), eoip tunnels are setupped and working fine over this channels.
All this eoip tunnels are RSTP-bridged and working fine before update to 6.44. After update we have this message in log:

eoip-tunnel1: bridge port received packet with own address as source address ([MAC address of this bridge]), probably loop

Message exists only on non-root bridge, and sometimes we see dropped packets (i suggest at the moment of loop test, 1-2 per minute).
eoip-tunnel1 have the hightest priority in this bridge so its active.

If we degrade firmware to long-term, everything is working ok, no errors or messages or dropped packets.

Why this happening? Maybe this is bug?

Posted: **Thu Feb 28, 2019 6:39 pm**

Incorrect time is cosmetic Winbox bug noticed when there are multiple Winbox instances open. If you check in terminal, time is reported correctly.

When will it be fixed? This has been reported for many releases by now.

Posted: **Thu Feb 28, 2019 6:46 pm**

I've updated all my routerbords including all the APs, SXT SA and RB921GS from 6.42.3 to 6.44 and had problems with clients with kinda low signal, -68, -70, -72dbm... In the versio 6.42.3 Mikrotik had made improvements on the NV2 Protocol and said then that clients with low signals from that version on would not affect the whole sector. After upgrading to 6.44 in three of our sectors, many clients started complaining about slow speed. In these three sectors we have one or two clients with kinda of poor signal, -68 to -73dbm, but they were all working okay, no complaints at all since upgrading to 6.42.3 or 6.42.6. In the version 6.44 it seems the NV2 protocol is not working as it was on version 6.42.3 to 6.42.6 or so. We have sectors with 6.42.3 and .6 and they're all working nicely with NV2, but not if I try with version 6.44. All clients are 6.40.9 <--- could this be the culprit or the NV2 protocol in this version is not working as it used to work in 6.42.3?

Posted: **Thu Feb 28, 2019 7:03 pm**

Another "bug" from version to version, form stable to stable release

"Future" time on GRE tunnels in (up\down) status field
May be someone know how it resolve?
Thanks!

Well, this must be of help to Mikrotik. I also still see the same on my last up- and downtime columns in my wAP60G devices. Future times. Before it could be days ahead, now its the proper day, but some hours ahead..... (and yes, timesettings are properly configured. Log and time on header show correct time.)

Made a suppout report on 6.43.8 I believe but indeed not solved yet.....

Posted: **Thu Feb 28, 2019 8:07 pm**

Incorrect time is cosmetic Winbox bug noticed when there are multiple Winbox instances open. If you check in terminal, time is reported correctly.

Well, would still be nice to see it corrected in a new update since I have it in all my wAP60G's shown in winbox to see when and how many times the links still disconnect.

And "cosmetic"? How is that? We are talking digital here..... "Cosmetic" is when you meet a nice girl in the disco that shows absolutely ugly the next morning when her "cosmetics" are ruined.....

Posted: **Thu Feb 28, 2019 11:56 pm**

Hi,

On CRS317 two SPFs working in previous version is not seen by system anymore.

Yellow bidi is seen for uplink thank god, but blue is not there any more.

/M

Posted: **Fri Mar 01, 2019 12:22 am**

NV2 in this release has been improved for mixed networks. But still my Omnitik serves some 14 clients 130% better with 802.11ac rts/cts then NV2.
And this P2MP works in 40Mhz where part of it overlaps other remote AP's. Spectrum is pretty full.

Before the difference between NV2 and 802.11 was almost 200% in favor of the latter.
So improvement for NV2 yes, but still not the same as 802.11.

Posted: **Fri Mar 01, 2019 12:49 am**

"NV2 in this release has been improved for mixed networks."

Please, explain the definition of "mixed networks". As far as I know I can only use NV2 with mikrotik gear.

And what happend to what Mikrotik stated a few month ago when they've released version 6.42.3 saying that now one bad client don't affect the whole sector? I jumped from 6.42.3 to 6.44 and the experience was terrible! In version 6.42.3 everything was in balance, one or two bad signal clients is not affecting the others at lease not in a way clients can tell. I had to downgrade to 6.42.3...

Posted: **Fri Mar 01, 2019 1:23 am**

"NV2 in this release has been improved for mixed networks."

Please, explain the definition of "mixed networks". As far as I know I can only use NV2 with mikrotik gear.

And what happend to what Mikrotik stated a few month ago when they've released version 6.42.3 saying that now one bad client don't affect the whole sector? I jumped from 6.42.3 to 6.44 and the experience was terrible! In version 6.42.3 everything was in balance, one or two bad signal clients is not affecting the others at lease not in a way clients can tell. I had to downgrade to 6.42.3...

well, the context was in the sense of mixing "mipsbe" (and "mipsle") devices with "arm" equipped processors where several people seems to have problems with.

Apart from that you are right, in NV2 only mikrotik gear works. But in 802.11 you can also use any other 802.11 brand device.
Another advantage (a bit beside the topic though) is that 802.11 is the only way to ran a frequency band SSID scan (NOT a spectral scan for most devices!) while not breaking the client-AP connection.
That is a real valuable tool in nowadays P2MP networks. (A spectral scan would be preferable though.)

Posted: **Fri Mar 01, 2019 2:20 am**

Hmmm, after about one day, on my CCR1009, all static routes configured for connected PPtP and SSTP clients (I have no other types to check) disappeared, and connectivity to the client's subnets was lost.
Disconnecting the clients and allowing them to reconnect restored the routes...
As if those routes somehow expired.
I will keep an eye on it if it happens again...

Posted: **Fri Mar 01, 2019 9:08 am**

Incorrect time is cosmetic Winbox bug noticed when there are multiple Winbox instances open. If you check in terminal, time is reported correctly.

But it happen for me even with one winbox instance, I had this problem with 3.17/3.18 and no problem with 3.16

Posted: **Fri Mar 01, 2019 12:35 pm**

*) gps - increase precision for dd format;

Hi, could it be that the calculation from dms-format to dd-format is incorrect ?
For example: in winbox/system/GPS-GUI I switch between dms and dd format.

In dms I get 49 29' 6.954'
when I switch to dd I get 49.004852
in my calculation it should be 49.485265

Is ist my false or is this a wrong calculation....in firmware 6.43.12 there was no problem.
Regards

Posted: **Fri Mar 01, 2019 1:09 pm**

*) gps - increase precision for dd format;

Hi, could it be that the calculation from dms-format to dd-format is incorrect ?
For example: in winbox/system/GPS-GUI I switch between dms and dd format.

In dms I get 49 29' 6.954'
when I switch to dd I get 49.004852
in my calculation it should be 49.485265

Is ist my false or is this a wrong calculation....in firmware 6.43.12 there was no problem.
Regards

This has been reported for the beta and rc releases as well. Now idea if Mikrotik is aware, write at support@mikrotik.com to make sure.

Posted: **Fri Mar 01, 2019 2:17 pm**

speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only)

This feature is nice indeed!

It wouldn't be me not to ask for more though :
- Can the time the test run either be adjusted by administrator of just set longer. In many occasions the connection rates between the client and AP have to step up before a longer lasting level is
reached. The test average is kept low due this.
A full 1 minute test would be preferred, 2 would even be better, admin adjustable would be perfect.....
- Is this going to be implemented in Winbox?

<tab> <tab> after address reveals additional options

 /tool speed-test 
connection-count  do  duration  file  interval  password  test-duration user  address

specify test-duration you can run it for hours.

Posted: **Fri Mar 01, 2019 3:58 pm**

*) gps - increase precision for dd format;

Hi, could it be that the calculation from dms-format to dd-format is incorrect ?
For example: in winbox/system/GPS-GUI I switch between dms and dd format.

In dms I get 49 29' 6.954'
when I switch to dd I get 49.004852
in my calculation it should be 49.485265

Is ist my false or is this a wrong calculation....in firmware 6.43.12 there was no problem.
Regards
This has been reported for the beta and rc releases as well. Now idea if Mikrotik is aware, write at support@mikrotik.com to make sure.

Fix is in 6.45beta3

Posted: **Fri Mar 01, 2019 4:16 pm**

Fix is in 6.45beta3

6.45 beta3 already? Wow, You guys are really cranking up the speed!

Posted: **Fri Mar 01, 2019 4:29 pm**

6.45 beta3 already? Wow, You guys are really cranking up the speed!

It's like 7.0 beta1 - it's probably here, but you don't see it and cannot upgrade to it xD Sorry...

Posted: **Fri Mar 01, 2019 5:48 pm**

6.45 beta3 already? Wow, You guys are really cranking up the speed!
It's like 7.0 beta1 - it's probably here, but you don't see it and cannot upgrade to it xD Sorry...

Hahaha You are funny but I have to agree with you

Posted: **Fri Mar 01, 2019 6:02 pm**

since 6.44 IPsec tunnels stop working for me, it says: no identity suits proposal, failed to get valid proposal. Maybe my setup is not the best but until 6.43.12 it was working well.

Posted: **Fri Mar 01, 2019 6:54 pm**

since 6.44 IPsec tunnels stop working for me, it says: no identity suits proposal, failed to get valid proposal. Maybe my setup is not the best but until 6.43.12 it was working well.

I solved that - in IPsec peer identity there was My ID Type set to address, I switched it do auto and use the router's (internal - its behind nat) IP in other end settings (It is Kerio Control)

Posted: **Fri Mar 01, 2019 8:09 pm**

loose-tcp-tracking is no longer working!
after upgrade and reboot all existing TCP connections across the router are stuck, and firewall logs "tcp (ACK, PSH)" packets being dropped.
normally, after a router reboot an outgoing TCP packet on an existing connection (no NAT in use!) will re-establish the tracking entry when loose-tcp-tracking is selected (the default).
now all connections need to be re-connected.

new connections are processed correctly, but existing connections are not.

Posted: **Fri Mar 01, 2019 9:34 pm**

Hello guys, has someone try RADIUS RadSec (RADIUS communication over TLS)?

Because for me this one doesn't work,
I was set all things, that was suggested in wiki, but in .log I see an error when I try to connect to my VPN (IPSec XAuth) and can't connect;
.

*when I turn off radsec to udp, RADIUS works great!

...

**in wiki I see just:

***logging (radius, debug)
shows that the 127.0.0.1 try connect to port 2083, then 127.0.0.1 to port 8968

(Mikrotik Support could you be so kind to add 2083 port into WIKI as additional information),
and provide to us info about port 8968, please,
add more info about RadSec, here https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client!
Thank you!

Can anyone suggest something/help?

Thank you in advance!

Posted: **Sat Mar 02, 2019 3:04 am**

https-redirect is not working

You can't redirect HTTPS - the security provided by HTTPS means that unless you control the client devices and can install custom root certs, certificate validation will fail and users will see security errors. Mikrotik of all people should know this... what does this option even try to do?

Posted: **Sat Mar 02, 2019 3:29 am**

well, the context was in the sense of mixing "mipsbe" (and "mipsle") devices with "arm" equipped processors where several people seems to have problems with.

Apart from that you are right, in NV2 only mikrotik gear works. But in 802.11 you can also use any other 802.11 brand device.
Another advantage (a bit beside the topic though) is that 802.11 is the only way to ran a frequency band SSID scan (NOT a spectral scan for most devices!) while not breaking the client-AP connection.
That is a real valuable tool in nowadays P2MP networks. (A spectral scan would be preferable though.)

So, these fixes made for improving NV2 with mixed devices has made things worse for those running mipsbe only devices? Because for me it is bad now and I only use mipsbe devices. It now means that I can't upgrade my APs anymore? I'm stuck to 6.42.3 or Mikrotik will do something about it?

I myself would prefer using 802.11 instead of NV2, but in my scenario I find NV2 to be more stable then 802.11, not regarding throughput, but quality in general.

Posted: **Sat Mar 02, 2019 9:17 am**

I've upgraded my hAP AC2 and my wireless printer stopped working - I can open printer web page from my computer, but nothing gets printed when my computer is connected to the same network. When I'm outside my network and connect witch OpenVPN to my router - everything gets printed.
And also my TV with chromecast isn't discoverable by Chrome, and TV has full access to Internet.
Downgrade to 6.42.12 solves all the issues.
Pawel

Posted: **Sat Mar 02, 2019 9:23 am**

Bug in ROS 6.44
[admin@MikroTik] > log print
09:00:29 system,info installed system-6.44
09:00:29 system,info installed advanced-tools-6.44
09:00:29 system,info installed multicast-6.44
09:00:29 system,info installed ntp-6.44
09:00:29 system,info installed routing-6.44
09:00:29 system,error can not install security-6.44: dhcp-6.44 is not installed, but is required

Posted: **Sat Mar 02, 2019 9:53 am**

This is not a bug, it tells you that you must install DHCP package now, read carefully the change list:
*) upgrade - made security package depend on DHCP package

Posted: **Sat Mar 02, 2019 10:05 am**

What is actual dependency behind this?

Posted: **Sat Mar 02, 2019 11:21 am**

What is actual dependency behind this?

Security package implements IKEv2 (among other things), which may now require DHCP in some configurations. Check this entry in ChangeLog:

*) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;

Posted: **Sat Mar 02, 2019 11:41 am**

well, the context was in the sense of mixing "mipsbe" (and "mipsle") devices with "arm" equipped processors where several people seems to have problems with.

Apart from that you are right, in NV2 only mikrotik gear works. But in 802.11 you can also use any other 802.11 brand device.
Another advantage (a bit beside the topic though) is that 802.11 is the only way to ran a frequency band SSID scan (NOT a spectral scan for most devices!) while not breaking the client-AP connection.
That is a real valuable tool in nowadays P2MP networks. (A spectral scan would be preferable though.)
So, these fixes made for improving NV2 with mixed devices has made things worse for those running mipsbe only devices? Because for me it is bad now and I only use mipsbe devices. It now means that I can't upgrade my APs anymore? I'm stuck to 6.42.3 or Mikrotik will do something about it?

I myself would prefer using 802.11 instead of NV2, but in my scenario I find NV2 to be more stable then 802.11, not regarding throughput, but quality in general.

Where are you getting the information that the upgrade make things worse for mipsbe only devices? Nobody said that. I have full mipsbe P2MP networks too and they run fine after the upgrade. I don't know if NV2 has been improved for them, I run them in 802.11 anyway. But nobody reported so far in full mipsbe networks the new version is worse...

You can just update your networks because there are other improvements as well.

Posted: **Sat Mar 02, 2019 3:24 pm**

In my network things were running smoothly without complaints from clients, the day after going from 6.42.3 to 6.44 we starded receiving many complaints about slow internet speed. In two sectors we have two clients with signal going from -68 to -72 and these clients were using the Internet without any complaint along with the other ones on the same sector, but right after upgrading to 6.44 these "bad" signal clients and others that never complained about something started calling us saying the internet was slow...My conclusion is, something is not as good as it was on 6.42.3 in NV2 for misbe devices. You were the one that said something was done to improve things for mixed networks so I assumed that these improvements have caused something negative for mipsbe only networks or for them all regarding "bad" signal clients on the sector. Mikrotik had made a promise a few months ago that from that time on bad clients would not affect other clients on the same sector, but it seems this is not true for the newer ROS versions.

Posted: **Sun Mar 03, 2019 12:20 am**

the graphical representation stopped working after the update of crs317-1g-16s + was working normal in version 6.43 but then I did the update to 6.44 and stopped working and a message appeared in the log "timeout while waiting from program 20", I need help...

Posted: **Sun Mar 03, 2019 12:37 am**

In my network things were running smoothly without complaints from clients, the day after going from 6.42.3 to 6.44 we starded receiving many complaints about slow internet speed. In two sectors we have two clients with signal going from -68 to -72 and these clients were using the Internet without any complaint along with the other ones on the same sector, but right after upgrading to 6.44 these "bad" signal clients and others that never complained about something started calling us saying the internet was slow...My conclusion is, something is not as good as it was on 6.42.3 in NV2 for misbe devices. You were the one that said something was done to improve things for mixed networks so I assumed that these improvements have caused something negative for mipsbe only networks or for them all regarding "bad" signal clients on the sector. Mikrotik had made a promise a few months ago that from that time on bad clients would not affect other clients on the same sector, but it seems this is not true for the newer ROS versions.

Check country code in ros
And signals
They kill power in some countrys

Posted: **Sun Mar 03, 2019 9:30 am**

This is not a bug, it tells you that you must install DHCP package now, read carefully the change list:
*) upgrade - made security package depend on DHCP package

Very stupid dependence! I don't need DHCP at many situations, but need SSH. So i have had installed: advanced-tools, security, system packages only. But now i have to use DHCP?! Nonsense!!!

Posted: **Sun Mar 03, 2019 10:53 am**

Update from 6.40.8 to 6.44 seems to remove "system note" content.

Resolve: My mistake, I was removing all file, just to make space and be sure, that nothing is left in there. And I've removed the sys-note file.

Posted: **Sun Mar 03, 2019 12:02 pm**

Very stupid dependence! I don't need DHCP at many situations, but need SSH. So i have had installed: advanced-tools, security, system packages only. But now i have to use DHCP?! Nonsense!!!

Ideally, the new function of IKEv2 that requires DHCP would just be disabled until DHCP is installed (preferably with a remark in the user interface).
So DHCP only has to be installed when that function is desired.
But realistically it will probably be difficult to maintain such functions separate in the package dependencies and it would be better to merge packages
like dhcp, security, ipv6 and ppp all into system, leaving the packaging system only for real oddities like gps, ups, ntp, hotspot etc.

Posted: **Sun Mar 03, 2019 2:11 pm**

saaremaa - Sorry about that. I mixed both services together. We do support Delegated-IPv6-Prefix for DHCP service but not for PPP yet. It is in our plans to add support for this in the future;

Why on earth would you implement it for one service and not for another ? PPPoE is actually the one where it would have been more important to get it implemented, because that's more commonly used in broadband distribution than DHCP.

Especially when it comes to FTTH and VDSL.

/M

Posted: **Sun Mar 03, 2019 10:27 pm**

In my network things were running smoothly without complaints from clients, the day after going from 6.42.3 to 6.44 we starded receiving many complaints about slow internet speed. In two sectors we have two clients with signal going from -68 to -72 and these clients were using the Internet without any complaint along with the other ones on the same sector, but right after upgrading to 6.44 these "bad" signal clients and others that never complained about something started calling us saying the internet was slow...My conclusion is, something is not as good as it was on 6.42.3 in NV2 for misbe devices. You were the one that said something was done to improve things for mixed networks so I assumed that these improvements have caused something negative for mipsbe only networks or for them all regarding "bad" signal clients on the sector. Mikrotik had made a promise a few months ago that from that time on bad clients would not affect other clients on the same sector, but it seems this is not true for the newer ROS versions.

dadoremix gave you a possible answer..

I did not see signal getting less in software updates. But indeed, the country code I used I has to set to 'no_country' to get my network back to where it was....

Posted: **Sun Mar 03, 2019 11:09 pm**

In my network things were running smoothly without complaints from clients, the day after going from 6.42.3 to 6.44 we starded receiving many complaints about slow internet speed. In two sectors we have two clients with signal going from -68 to -72 and these clients were using the Internet without any complaint along with the other ones on the same sector, but right after upgrading to 6.44 these "bad" signal clients and others that never complained about something started calling us saying the internet was slow...My conclusion is, something is not as good as it was on 6.42.3 in NV2 for misbe devices. You were the one that said something was done to improve things for mixed networks so I assumed that these improvements have caused something negative for mipsbe only networks or for them all regarding "bad" signal clients on the sector. Mikrotik had made a promise a few months ago that from that time on bad clients would not affect other clients on the same sector, but it seems this is not true for the newer ROS versions.

Check country code in ros
And signals
They kill power in some countrys

We use superchannel.

Posted: **Sun Mar 03, 2019 11:57 pm**

Mikrotik RB4011iGS+ from version 6.43.12 to 6.44.

Devices from VLANs stopped responding.
I have created a bridge that contains a sfp port.
VLAN assigned to the bridge.
From the mikrotik SFP port to the other switch.
The port SFP on the other switch is tagged, unfortunately, it does not respond correctly after the update (ping time out).
Rollback old version and now it works correctly.
What could be the reason?

Posted: **Mon Mar 04, 2019 3:19 am**

On 4011iGS.... after update the SFP started flapping 1-2 times per second.
It is 1gb SFP.
The port is not in bridge, it have vlans. Updated to the test version but the flapping continued. Then downgraded back to 6.43.12 and it works again.
The SFP module is @irLAN. They are widely used in Bulgaria because of the price. I moved the SFP to a switch and it works there too.
From the SFP properties page in winbox:
Vendor part number: SFP-LH-SM
Serial: H50001116

Posted: **Mon Mar 04, 2019 5:08 am**

MikroTik as remote DHCP server for relay purposes (not connected directly to the network that DHCP is used on) stops giving leases after upgrade, seemingly due to new ARP conflict detection feature. Disabling conflict detection resolves the issue. Shouldn't this feature shut itself off if the router doesn't have an IP on the target subnet (and therefore can't make ARP requests)?

Posted: **Mon Mar 04, 2019 9:37 am**

We use superchannel.

The country setting now has priority, so your superchannel won't work unless you have country set to no_country_set. The forum is full of discussions about this change...

Posted: **Mon Mar 04, 2019 10:39 am**

i just test https-redirect option

https-redirect=yes
if unlogged user try to open https website, it will be redirected to hostpot login with https. same behavior as previous version
so browser will show cert warning because cert common name is not same with domain

https-redirect=no
if unlogged user try to open https website, it will be rejected/refused so browser will error like there is no internet access

CMIIW

Posted: **Mon Mar 04, 2019 11:06 am**

*) lte - fixed LTE interface not working properly after reboot on RBSXTLTE3-7;

Hi, my RBSXTLTE3-7 stops working after firmware upgrade. LTE interface is not working with status "Changing band", also there is an error in log "reply timeout for ate0".

Posted: **Mon Mar 04, 2019 11:16 am**

Hello Every MikroTik fans.
I upgraded my STX LTE router to 6.44 stable version software. Unfortunatelly when i was rebooted my router i have only half signal value on band 7, when i was try to switch router for band 3 everything crashes and I can't connect to any LTE network.
I was try to install oldest stabled versions of software but every time i had same problem: in first use i had only half signal in band 7 and crash when i was switched to band 3.

I have a LTE broadcasting tower some about 400 maybe 500 meters of my location. This is parameters of LTE transmitter:
Play (26006) ID: SKA3305 This transmitter use band 3 GSM1800 GSM900 LTE1800 LTE2100 LTE800 UMTS2100 UMTS900

Greetings Tom

Posted: **Mon Mar 04, 2019 11:18 am**

*) lte - fixed LTE interface not working properly after reboot on RBSXTLTE3-7;
Hi, my RBSXTLTE3-7 stops working after firmware upgrade. LTE interface is not working with status "Changing band", also there is an error in log "reply timeout for ate0".

I have same problem

Posted: **Mon Mar 04, 2019 11:26 am**

Has anybody else ran into a weird problem where SSH would not connect after upgrading to 6.44? Everything was still working up to and including 6.43.12.

I have a setup that's like this:

[Ubuntu Desktop] <-- Office LAN (172.26.2.0/24) --> [RouterBoard "ovpn-endpoint" running OpenVPN server] <-- OpenVPN --> [RouterBoard "router2" running OpenVPN client] <-- bridge-local --> [Raspberry Pi]

When router2 was running RouterOS 6.43.12, I used to be able to SSH into the Raspberry Pi from my Ubuntu Desktop, by doing:

ssh foo@172.28.2.179

where 172.28.2.179 is the Raspberry Pi's IP from router2's DHCP server, within bridge-local.

I could do this because my Office LAN has a DHCP option telling my Ubuntu Desktop to send packets for 172.28.2.0/24 via the "ovpn-endpoint" RouterBoard.

router2 has an IP route rule so it knows to send back packets destined for 172.26.2.0/24 via the OpenVPN connection.

Now, after upgrading router2 to RouterOS 6.44, I see this when I do `ssh -v foo@172.28.2.179`:

OpenSSH_7.6p1 Ubuntu-4ubuntu0.2, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /home/kal/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 172.28.2.179 [172.28.2.179] port 22.
debug1: Connection established.
debug1: identity file /home/kal/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/kal/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/kal/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/kal/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/kal/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/kal/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/kal/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/kal/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.2

And then it gets stuck.

In router2, I see these IP firewall filter rules:

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 1    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 2    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix="" 

 3    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 4    ;;; Allow only the registration and scan raspberry pis and the scanner to access the internet.
      chain=forward action=accept src-address-list=with_internet_access out-interface=ether1-gateway log=no log-prefix="" 

 5    ;;; Forbid everybody else from accessing the internet.
      chain=forward action=drop out-interface=ether1-gateway log=no log-prefix="" 

 6    ;;; Forward related and established connections from the internet to the registration and scan raspberry pis and the scanner.
      chain=forward action=accept connection-state=established,related in-interface=ether1-gateway log=no log-prefix="" 

 7    ;;; Drop forwarding from the internet for everybody else.
      chain=forward action=drop in-interface=ether1-gateway log=no log-prefix="" 

 8    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 9    ;;; default configuration
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""

Rule 8 is dropping packets during the SSH handshake for some reason.

If I enable logging (`/ip firewall filter set 8 log=yes log-prefix="debug"`), I see that it's dropping packets like these:

16:05:46 firewall,info debug forward: in:bridge-local out:ovpn-out1, src-mac b8:27:eb:53:4c:91, proto TCP (SYN,ACK), 172.28.2.179:22->172.26.2.229:55490, len 60 
16:05:48 firewall,info debug forward: in:ovpn-out1 out:bridge-local, proto TCP (ACK,FIN), 172.26.2.229:55490->172.28.2.179:22, len 52 
16:05:57 firewall,info debug forward: in:ovpn-out1 out:bridge-local, proto TCP (ACK,PSH), 172.26.2.229:55500->172.28.2.179:22, len 93 
16:05:58 firewall,info debug forward: in:bridge-local out:ovpn-out1, src-mac b8:27:eb:53:4c:91, proto TCP (SYN,ACK), 172.28.2.179:22->172.26.2.229:55500, len 60 
16:06:04 firewall,info debug forward: in:ovpn-out1 out:bridge-local, proto TCP (ACK,PSH), 172.26.2.229:55500->172.28.2.179:22, len 93 
16:06:06 firewall,info debug forward: in:bridge-local out:ovpn-out1, src-mac b8:27:eb:53:4c:91, proto TCP (SYN,ACK), 172.28.2.179:22->172.26.2.229:55500, len 60 
16:06:18 firewall,info debug forward: in:ovpn-out1 out:bridge-local, proto TCP (ACK,PSH), 172.26.2.229:55500->172.28.2.179:22, len 93 
16:06:22 firewall,info debug forward: in:bridge-local out:ovpn-out1, src-mac b8:27:eb:53:4c:91, proto TCP (SYN,ACK), 172.28.2.179:22->172.26.2.229:55500, len 60

If I disable rule 8 (`/ip firewall filter disable 8`), SSH goes through.

Does anybody have any idea why the packets are being dropped as invalid in RouterOS 6.44?

To be clear, my SSH connections are *not* NAT'ed. All of the RouterBoards involved have `/ip route` rules that just forward the packets through the correct connection without NAT'ing. They're only acting as gateways.

Posted: **Mon Mar 04, 2019 3:08 pm**

i update to 6.44 but when i wana use ip cloud sometimes about half of time i try "Error: request Timed out" what should i do?

Send report to support@mikrotik.com including .rif File.

Posted: **Mon Mar 04, 2019 3:49 pm**

PWR-Line port on hAP

Posted: **Mon Mar 04, 2019 3:59 pm**

After upgrade from ROS 6.43.12 to 6.44 - I have lost possibility co connect to my MT with L2TP (with preshared key) VPN. I was changing firewall settings, trying other.... but after downgrade to 6.43.12 - IT WORKS AGAIN. So something is BAD with ROS 6.44 and L2TP VPN ! MikroTik team - please repir that ROS 6.44 BUG.

Posted: **Mon Mar 04, 2019 5:00 pm**

*) lte - fixed LTE interface not working properly after reboot on RBSXTLTE3-7;
Hi, my RBSXTLTE3-7 stops working after firmware upgrade. LTE interface is not working with status "Changing band", also there is an error in log "reply timeout for ate0".

Exactly my problem.

I remotely upgraded my SXTLTE3-7 from far away. After that I didnt see the VPN connection. Luckily I have other friends that can help me remote to downgrade to the previous version.

Posted: **Mon Mar 04, 2019 10:52 pm**

PWR-Line port on hAP

I am wondering too

Posted: **Tue Mar 05, 2019 12:52 pm**

Hi

Since the last update we have had multiple clients complaining about existing sites where VoIP experiences issues, from de-registration, no audio, one way audio.
Currently we downgrading the clients back to 6.43.8 which works.

I've sent multiple supouts and support tickets to Support with no feedback.

We're a big distributor of Mikrotik, and this is the first we get with VoIP.

Posted: **Tue Mar 05, 2019 1:10 pm**

Hi

Since the last update we have had multiple clients complaining about existing sites where VoIP experiences issues, from de-registration, no audio, one way audio.
Currently we downgrading the clients back to 6.43.8 which works.

I've sent multiple supouts and support tickets to Support with no feedback.

We're a big distributor of Mikrotik, and this is the first we get with VoIP.

I have a suggestion that the problem is in the firewall (6.44)
Connection-state errors (estabilished, invalid, related)
To be precise
That connection is dropped for reasons that are not understandable.
I found a solution for myself
Create an allow rule above (estabilished, related)
But it's not right

Posted: **Tue Mar 05, 2019 1:20 pm**

Upgrading my RB750 from RouterOS 6.40.8 to 6.44 leaves all IPsec peers with "unknown" profiles.
And it looks like any IPsec peer settings were lost since only "default" profile exist.

Do I have to jump to another version first and then jump to 6.44?

Gonna go test if it also happen if I upgrade to 6.42.12 long-trem.

Posted: **Tue Mar 05, 2019 1:23 pm**

Hi

Since the last update we have had multiple clients complaining about existing sites where VoIP experiences issues, from de-registration, no audio, one way audio.
Currently we downgrading the clients back to 6.43.8 which works.

I've sent multiple supouts and support tickets to Support with no feedback.

We're a big distributor of Mikrotik, and this is the first we get with VoIP.
I have a suggestion that the problem is in the firewall (6.44)
Connection-state errors (estabilished, invalid, related)
To be precise
That connection is dropped for reasons that are not understandable.
I found a solution for myself
Create an allow rule above (estabilished, related)
But it's not right

Can you share an example of this established related firewall rule please if you don't mind.
Yeah I agree, this is no right.
Would love some answers from Mikrotik, because I have 6 cases in 3 last week and open cases open since last week.

Posted: **Tue Mar 05, 2019 1:53 pm**

Hi

Since the last update we have had multiple clients complaining about existing sites where VoIP experiences issues, from de-registration, no audio, one way audio.
Currently we downgrading the clients back to 6.43.8 which works.

I've sent multiple supouts and support tickets to Support with no feedback.

We're a big distributor of Mikrotik, and this is the first we get with VoIP.
I have a suggestion that the problem is in the firewall (6.44)
Connection-state errors (estabilished, invalid, related)
To be precise
That connection is dropped for reasons that are not understandable.
I found a solution for myself
Create an allow rule above (estabilished, related)
But it's not right
Can you share an example of this established related firewall rule please if you don't mind.
Yeah I agree, this is no right.
Would love some answers from Mikrotik, because I have 6 cases in 3 last week and open cases open since last week.

This is a rough example.

1 action=accept chain=forward dst-address=10.10.10.10 src-address=8.8.8.8

1 rule without specifying connection-state

2 action=accept chain=forward connection-state=established,related
3 action=drop chain=forward connection-state=invalid

Posted: **Tue Mar 05, 2019 1:57 pm**

Hi

Since the last update we have had multiple clients complaining about existing sites where VoIP experiences issues, from de-registration, no audio, one way audio.
Currently we downgrading the clients back to 6.43.8 which works.

I've sent multiple supouts and support tickets to Support with no feedback.

We're a big distributor of Mikrotik, and this is the first we get with VoIP.
I have a suggestion that the problem is in the firewall (6.44)
Connection-state errors (estabilished, invalid, related)
To be precise
That connection is dropped for reasons that are not understandable.
I found a solution for myself
Create an allow rule above (estabilished, related)
But it's not right

Maybe it could be related to the bug that I reported above? (loose TCP connection tracking no longer works)
It could be that there were changes in the connection tracking firewall that have side effects like this.

Posted: **Tue Mar 05, 2019 2:26 pm**

Maybe it could be related to the bug that I reported above? (loose TCP connection tracking no longer works)
It could be that there were changes in the connection tracking firewall that have side effects like this.

I can say with complete confidence that on average I have 15% fewer connections. (6.44)

Posted: **Tue Mar 05, 2019 6:02 pm**

*) bgp - properly update keepalive time after peer restart;

what exactly this fix for?
i still having problem with bgp withdraw on PE - CE
and also i still having bgp stuck on vrf.

thx

Posted: **Tue Mar 05, 2019 6:59 pm**

*) bgp - properly update keepalive time after peer restart;

what exactly this fix for?

I have seen issues with BGP when the keepalive time is not set equal at both peers.
According to the protocol spec the lower of the two keepalive times should be used by both peers.
But in practice it sometimes happened that each peer used its own local keepalive time and the route was flapping when one is >3 times the other.
(e.g. default is 180 and I sometimes set this to 15 on wireless links where BFD is not in use)

Maybe this has been fixed now. But you could always work around it by configuring the same keepalive time on both routers.

Posted: **Wed Mar 06, 2019 2:06 am**

2 x CRS326-24G-2S+ - Updated to version 6.44 and working fine ..
1 x CCR1072-1G-8S+ - Updated to version 6.44 and working fine ..

1 x CRS317-1G-16S+ - Upgraded to version 6.44 and running fine for up to 4 hours, the SNMP and Graphics Tool features stop working and, consequently, the interface view no longer looks like winbox ...

Posted: **Wed Mar 06, 2019 2:27 am**

*) bgp - properly update keepalive time after peer restart;

what exactly this fix for?
I have seen issues with BGP when the keepalive time is not set equal at both peers.
According to the protocol spec the lower of the two keepalive times should be used by both peers.
But in practice it sometimes happened that each peer used its own local keepalive time and the route was flapping when one is >3 times the other.
(e.g. default is 180 and I sometimes set this to 15 on wireless links where BFD is not in use)

Maybe this has been fixed now. But you could always work around it by configuring the same keepalive time on both routers.

i see, yes i have that problem too, after migration, we have all bgp's flapping so i have to set keepalive on both side.

thanks for the info.

Posted: **Wed Mar 06, 2019 3:38 am**

Hi

Since the last update we have had multiple clients complaining about existing sites where VoIP experiences issues, from de-registration, no audio, one way audio.
Currently we downgrading the clients back to 6.43.8 which works.

I've sent multiple supouts and support tickets to Support with no feedback.

We're a big distributor of Mikrotik, and this is the first we get with VoIP.
I have a suggestion that the problem is in the firewall (6.44)
Connection-state errors (estabilished, invalid, related)
To be precise
That connection is dropped for reasons that are not understandable.
I found a solution for myself
Create an allow rule above (estabilished, related)
But it's not right
Maybe it could be related to the bug that I reported above? (loose TCP connection tracking no longer works)
It could be that there were changes in the connection tracking firewall that have side effects like this.

Looks like we're all hit by the same problem, manifested over different application protocols. See my post above.

Posted: **Wed Mar 06, 2019 7:25 am**

2 x CRS326-24G-2S+ - Updated to version 6.44 and working fine ..
1 x CCR1072-1G-8S+ - Updated to version 6.44 and working fine ..

1 x CRS317-1G-16S+ - Upgraded to version 6.44 and running fine for up to 4 hours, the SNMP and Graphics Tool features stop working and, consequently, the interface view no longer looks like winbox ...

1 x CRS317-1G-16S+ - Upgraded to version 6.44 and running fine for up to 4 hours, the SNMP and Graphics Tool features stop working and, consequently, the interface view no longer looks like winbox...

CRS317-1G-16S+ - After 4 hours the switch stops responding to the command ... which gets frozen when digit is not returned by the console ...

/interface print

Posted: **Wed Mar 06, 2019 12:23 pm**

I Installed 6.44 on my CRS328-24p and my CRS317 switches.

I now have some real problems logging in to the web interface using Firefox on the CRS317: I type the userid and passwd but login fails with: ERROR: Not Found.
This does not happen all the time, but only 1 in 30 logins or so succeeds.
Login through Chromium works all the time.
I have seen the same on the CRS328 but only sporadically.
Does anybody have a suggestion how to solve this?

Posted: **Wed Mar 06, 2019 4:05 pm**

Maybe it could be related to the bug that I reported above? (loose TCP connection tracking no longer works)
It could be that there were changes in the connection tracking firewall that have side effects like this.
Looks like we're all hit by the same problem, manifested over different application protocols. See my post above.

Indeed there really appears to be some bug. Not only are the existing connections lost after reboot (not working loose-tcp-tracking) but also I see firewall log messages that indicate that tracking of existing connections has been lost at some time even though te connections still exist.
(of course that was less of a problem when loose tracking was still working)
In my case it were TCP TLS connections (port 443) and the loss of those is often not catastrophic, they will be re-established without the user noticing, but in case of VoIP it could be different.

I hope MikroTik will look into this matter. I see no changelog entry that explains what is happening here.

Posted: **Wed Mar 06, 2019 7:06 pm**

BUG – v.6.44 on ARM boxes RB3011 is losing IPSEC configuration

After upgrade of ARM boxes (RB3011) to latest stable version 6.44, IPSEC is not working.
Winbox GUI /ip ipsec section in is empty and no new config parameters can be added;
In console /ip ipsec export gives just info that all subsections can’t be exported.

Posted: **Wed Mar 06, 2019 7:22 pm**

BUG – v.6.44 on ARM boxes RB3011 is losing IPSEC configuration

After upgrade of ARM boxes (RB3011) to latest stable version 6.44, IPSEC is not working.
Winbox GUI /ip ipsec section in is empty and no new config parameters can be added;
In console /ip ipsec export gives just info that all subsections can’t be exported.

I had the same problem.
Official response from support:

Yes, this confirms the issue is caused by some old 6.44beta version converting some of the configuration. And when you downgraded and upgraded again, it run into these issues.

I downgraded to 6.43, exported the config (and certificates), removed everything in /ip ipsec from the text file, fresh installed 6.44 and imported the config from the text file.
Making a backup of the router running 6.43 and importing it in 6.44 won't work.
Once 6.44 is installed, you have to redo the ipsec configuration by hand.

Posted: **Wed Mar 06, 2019 7:42 pm**

We use superchannel.
The country setting now has priority, so your superchannel won't work unless you have country set to no_country_set. The forum is full of discussions about this change...

All our APs are set to "no_country_set" since forever.

Posted: **Thu Mar 07, 2019 4:36 am**

Maybe it could be related to the bug that I reported above? (loose TCP connection tracking no longer works)
It could be that there were changes in the connection tracking firewall that have side effects like this.
Looks like we're all hit by the same problem, manifested over different application protocols. See my post above.
Indeed there really appears to be some bug. Not only are the existing connections lost after reboot (not working loose-tcp-tracking) but also I see firewall log messages that indicate that tracking of existing connections has been lost at some time even though te connections still exist.
(of course that was less of a problem when loose tracking was still working)
In my case it were TCP TLS connections (port 443) and the loss of those is often not catastrophic, they will be re-established without the user noticing, but in case of VoIP it could be different.

I hope MikroTik will look into this matter. I see no changelog entry that explains what is happening here.

A bit more info: it appears (for me at least) that this problem crops up if the forward and return paths of the connections are somehow not symmetrical.

In my case, somebody disabled DHCP options 121 and 249 in our office router without telling me, so this is what was happening to the packets:

Forward path:

[ My PC ] ==(office LAN)==>
[ Main RouterBoard of my office (RouterOS 6.43.2) ] ==(office LAN)==>
[ OpenVPN endpoint RouterBoard (RouterOS 6.43.12) ] ==(OpenVPN connection)==>
[ Remote RouterBoard (RouterOS 6.44) ] ==(bridge-local)==>
[ Raspberry Pi ]

Return path:

[ Raspberry Pi ] ==(bridge-local)==>
[ Remote RouterBoard ] ==(OpenVPN connection)==>
[ OpenVPN endpoint RouterBoard ] ==(office LAN)==>
[ My PC ]

Note how the "Main RouterBoard of my office" is skipped in the return path. This is because my OpenVPN endpoint RouterBoard and my PC are actually in the same office LAN.

The Main RouterBoard used to serve out DHCP options 121 and 249 that tell PCs on the office LAN to just use the OpenVPN endpoint RouterBoard as gateway for reaching the Remote RouterBoard's bridge-local network.

Instead, with those DHCP options disabled, my PC sent packets to the Main RouterBoard first because its the default route, then, the Main RouterBoard (with its own `/ip route` rule) re-routed the packets to the OpenVPN endpoint RouterBoard. My Raspberry Pi would reply directly to my PC's IP (remember, no NAT'ing), and the packet eventually reaches the OpenVPN endpoint RouterBoard, which sends the reply packet directly to my PC, without going through the Main RouterBoard.

Once I re-enabled those DHCP options, the Main RouterBoard of my office is skipped in the forward path as well, so the forward and return paths are symmetrical again, and SSH is working again without having to allow "invalid" packets through the Remote RouterBoard. Still, I don't understand why the Remote RouterBoard can be sensitive to path symmetry.

Posted: **Thu Mar 07, 2019 5:48 am**

2 x CRS326-24G-2S+ - Updated to version 6.44 and working fine ..
1 x CCR1072-1G-8S+ - Updated to version 6.44 and working fine ..

1 x CRS317-1G-16S+ - Upgraded to version 6.44 and running fine for up to 4 hours, the SNMP and Graphics Tool features stop working and, consequently, the interface view no longer looks like winbox ...
1 x CRS317-1G-16S+ - Upgraded to version 6.44 and running fine for up to 4 hours, the SNMP and Graphics Tool features stop working and, consequently, the interface view no longer looks like winbox...

CRS317-1G-16S+ - After 4 hours the switch stops responding to the command ... which gets frozen when digit is not returned by the console ...
Code: Select all
/interface print

unfortunately, I had to go back to version 6.43.12, the CRS317, which turned out to be good again and did not crash or give graphics anymore ...

mikrotik friends check it out on CRS317 that has problems with version 6.44 ...

Posted: **Thu Mar 07, 2019 11:12 am**

The same IPSEC config problem on some RB2011 (mipsBE) device too.

Console output:
/ip ipsec profile> add .....
error - contact MikroTik support and send a supout file

/ip ipsec export
#error exporting /ip ipsec mode-config
#error exporting /ip ipsec peer
#error exporting /ip ipsec policy group
#error exporting /ip ipsec profile
#error exporting /ip ipsec proposal
#error exporting /ip ipsec identity
#error exporting /ip ipsec policy
#error exporting /ip ipsec settings

Upgrade was done from latest stable 6.43.12 to next release stable 6.44.

Posted: **Thu Mar 07, 2019 6:24 pm**

PWR-Line port on hAP
I am wondering too

Not a bug.
Interface for new PWR line adapter comming next months.
hAP mini & hAP lite has it. Basicly power the device and transfer data via microusb port.

Sent from my SM-G950F using Tapatalk

Posted: **Fri Mar 08, 2019 1:21 pm**

PWR-Line port on hAP
I am wondering too
Not a bug.
Interface for new PWR line adapter comming next months.
hAP mini & hAP lite has it. Basicly power the device and transfer data via microusb port.

Sent from my SM-G950F using Tapatalk

And the new powerline with microusb

Sent from my SM-G950F using Tapatalk

Posted: **Fri Mar 08, 2019 2:31 pm**

Interface for new PWR line adapter comming next months.
hAP mini & hAP lite has it. Basicly power the device and transfer data via microusb port.

Also the mAP Lite 2nd (at least mine, revision r2. I'm not sure about older ones)

I just bought a few and they came with this surprise.

Posted: **Fri Mar 08, 2019 2:50 pm**

Will UK users be disappointed again though, with no UK variant plug? :/

Posted: **Fri Mar 08, 2019 2:55 pm**

Maybe its time for UK to change to EU plug.
Ahh, I did forget UK goes out of EU

I have travel around the world and UK plug is one the ugliest and largest plug out there....

Posted: **Fri Mar 08, 2019 3:34 pm**

Maybe its time for UK to change to EU plug.
Ahh, I did forget UK goes out of EU

I have travel around the world and UK plug is one the ugliest and largest plug out there....

I live in Sweden but I must say the UK plug is one of the bulkiest to work work with it is also one if the smartest with fuse in the plug and designed for a large contact surface and also be child friendly.

Posted: **Fri Mar 08, 2019 4:47 pm**

Maybe its time for UK to change to EU plug.
Ahh, I did forget UK goes out of EU

I have travel around the world and UK plug is one the ugliest and largest plug out there....
I live in Sweden but I must say the UK plug is one of the bulkiest to work work with it is also one if the smartest with fuse in the plug and designed for a large contact surface and also be child friendly.

They say that is the most safety Plug, as you need to insert the earth ping to "unlock" the energizing plug as well with this individually surge protection with fuses another handly about the UK plug is that they have a switch so y can shut down the plug without removing the plug I think this clever move, the only downside of this is that you lose a lot of space, so in a wall outlet can be only 2 plug

Posted: **Fri Mar 08, 2019 5:07 pm**

Maybe its time for UK to change to EU plug.
Ahh, I did forget UK goes out of EU

I have travel around the world and UK plug is one the ugliest and largest plug out there....
I live in Sweden but I must say the UK plug is one of the bulkiest to work work with it is also one if the smartest with fuse in the plug and designed for a large contact surface and also be child friendly.
They say that is the most safety Plug, as you need to insert the earth ping to "unlock" the energizing plug as well with this individually surge protection with fuses another handly about the UK plug is that they have a switch so y can shut down the plug without removing the plug I think this clever move, the only downside of this is that you lose a lot of space, so in a wall outlet can be only 2 plug

Houses with proper electrical installation like most in (West-?)Europe have fuses and differential to protect the user. An extra protection in the plug is overdone.

Apart from that, the flat pins in fact are worse for surface contact then round. With round pins there is always change for better contact with the clamp then when its flat.
No, the English design is not the best.... we remove them where we can (many English customers in this Western European country I work!)

Posted: **Fri Mar 08, 2019 7:22 pm**

Interface for new PWR line adapter comming next months.
hAP mini & hAP lite has it. Basicly power the device and transfer data via microusb port.
Also the mAP Lite 2nd (at least mine, revision r2. I'm not sure about older ones)

This requires the new hardware, old mAP lite can not get this from software.

Posted: **Fri Mar 08, 2019 7:24 pm**

I still do not get what really is this new power line.

MikroTik

v6.44 [stable] is released!

v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.44 [stable] is released!