v6.49.1 [stable] is released!

emils · Wed Nov 17, 2021 2:45 pm

RouterOS version 6.49.1 has been released in public "stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.49.1 (2021-Nov-17 10:06):

MAJOR CHANGES IN v6.49.1:
----------------------
!) device-mode - added feature locking mechanism;
----------------------

Changes in this release:

*) certificate - improved stability when sending bogus SCEP message;
*) conntrack - limit total connection tracking table size based on installed RAM size;
*) crs3xx - fixed interface linking for some optical QSFP+ modules on CRS354 devices;
*) dhcpv6-server - fixed DUID generation with timestamp;
*) health - improved temperature reporting;
*) led - added "dark-mode" functionality control with Mode button for cAP XL ac;
*) leds - fixed LTE LED default mapping for LHGG;
*) lte - improved RSSI reporting on R11e-LTE6;
*) routerboot - enabling "protected-routerboot" feature requires a press of a button;
*) snmp - fixed IPsec-SA byte and packet counter reporting;
*) sstp - fixed client stuck in "nonce matching" state;
*) system - improved system stability if device is upgraded from RouterOS and/or RouterBOOT v6.41.4 or older;
*) traffic-flow - added systematic count-based packet sampling support;
*) upgrade - added new "upgrade" channel for upgrades between major versions;
*) winbox - added "Modbus" menu support;
*) wireless - added U-NII-2 support for US and Canada country profiles for cAP ac XL and QRT 5 ac;
*) wireless - fixed frequency range information on IPQ4019;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this particular RouterOS release.

pietroscherer · Wed Nov 17, 2021 3:01 pm

*) dhcpv6-server - fixed DUID generation with timestamp;

Thanks MT. I´ll test it.

mducharme · Wed Nov 17, 2021 3:11 pm

What is this? !) device-mode - added feature locking mechanism;

I see you have "enterprise" and "home" as device modes, what is the difference?

Emil66 · Wed Nov 17, 2021 3:12 pm

dhcpv6-server - fixed DUID generation with timestamp;

Is there a way to trigger this without reinstalling the router, or generally to reset the DUID?

Edit: Sorry, I missed that it is just for the server. Question remains: Can the client DUID be reset without reinstalling the router?

Jotne · Wed Nov 17, 2021 3:25 pm

[admin@M-6_49_1] > /system device-mode print
mode: enterprise

zainarbani · Wed Nov 17, 2021 3:27 pm

!) device-mode - added feature locking mechanism
*) traffic-flow - added systematic count-based packet sampling support

further explanations please

Wed Nov 17, 2021 3:48 pm

The manual for device-mode can be found here: https://help.mikrotik.com/docs/pages/vi ... evice-mode

freemannnn · Wed Nov 17, 2021 3:50 pm

routerboot - enabling "protected-routerboot" feature requires a press of a button;

i cant find the option "enable protected routerboot" in "system - routerboard - settings" like it used to be. where is it?

infabo · Wed Nov 17, 2021 3:51 pm

you need to press "a button"!11!!

freemannnn · Wed Nov 17, 2021 3:52 pm

which button in rb2011? and which button in hap ac2?
and what if i am the admin and i want to enable protected routerboot to my routers remotely? not possible anymore?

DenisPDA · Wed Nov 17, 2021 3:56 pm

MT_6.49.1.JPG

pe1chl · Wed Nov 17, 2021 4:01 pm

what if i am the admin and i want to enable protected routerboot to my routers remotely? not possible anymore?

Yes, that is the goal of this change. protected routerboot is abused by criminals asking ransom money to unlock compromised routers, so it requires physical presence to enable protected routerboot from now on...

Wed Nov 17, 2021 4:02 pm

As it is shown in the documentaion and menu,

update: please activate by turning power off or [b]pressing reset or mode button[/b]

pe1chl · Wed Nov 17, 2021 4:21 pm

[deleted]

pe1chl · Wed Nov 17, 2021 4:26 pm

As a test, I tried to upgrade my hAP ac2 that now has just 5 separate packages 6.49 installed (advanced-tools,dhcp,security,system,wireless) to the manually uploaded bundle package for 6.49.1 and it fails with "not enough space for upgrade".
It looks like upgrading from separate packages to bundle package does not work on 16MB flash devices, I did the same on a RB2011 and a RB4011 without problem.

Earlier I tried to upgrade the hAP ac2 to v7.1rc6 encountering the same issue, which apparently is not a v6-to-v7 issue but just a "separate packages to bundle package on 16MB flash devices" issue. (SUP-66267)

mkamenjak · Wed Nov 17, 2021 4:48 pm

Will MIPSBE devices continue to randomly die on routerboot upgrade with this release?
Have CCR long boot issues been fixed?

pe1chl · Wed Nov 17, 2021 4:54 pm

i cant find the option "enable protected routerboot" in "system - routerboard - settings" like it used to be. where is it?

It is now only in cli mode, no more in winbox. Probably another attempt to avoid remote tampering, this was also already done in v7.1rc6.

prislonsky · Wed Nov 17, 2021 5:12 pm

i cant find the option "enable protected routerboot" in "system - routerboard - settings" like it used to be. where is it?
It is now only in cli mode, no more in winbox. Probably another attempt to avoid remote tampering, this was also already done in v7.1rc6.

But the message about the need to press the button is not displayed in the console. Only displayed in the winbox. Not logical

pe1chl · Wed Nov 17, 2021 5:35 pm

But the message about the need to press the button is not displayed in the console. Only displayed in the winbox. Not logical

When the protected-routerboot=enabled setting is done and then a print is done to display the current setting, it shows the message about the button in red.
This is in fact the same as in winbox, the message is shown in the "current status" of that menu.

eworm · Wed Nov 17, 2021 5:46 pm

Earlier I tried to upgrade the hAP ac2 to v7.1rc6 encountering the same issue, which apparently is not a v6-to-v7 issue but just a "separate packages to bundle package on 16MB flash devices" issue. (SUP-66267)

Can you please share that support issue with me? My address is mail@username.de... Thanks!

Tubeorange667 · Wed Nov 17, 2021 6:09 pm

after upgrading the Hap ac from V 6.49, it takes more time to boot than what was required by V.6.49

East2 · Wed Nov 17, 2021 6:58 pm

Will MIPSBE devices continue to randomly die on routerboot upgrade with this release?
Have CCR long boot issues been fixed?

The same die...
hAP ac lite firmware routerboard and die again.

freemannnn · Wed Nov 17, 2021 7:05 pm

i cant find the option "enable protected routerboot" in "system - routerboard - settings" like it used to be. where is it?
It is now only in cli mode, no more in winbox. Probably another attempt to avoid remote tampering, this was also already done in v7.1rc6.

ok thanx

R1CH · Wed Nov 17, 2021 7:08 pm

The description for flagged mode is confusing. On one part it says it checks for system files, but on another part it says it checks your configuration.

If suspicious configuration is detected, the suspicious configuration will be disabled and the flagged parameter will be set to "yes"

What is considered "suspicious"? If I have firewall rules to allow myself remote access, how can RouterOS know if these are suspicious or not? This sounds very risky if it will disable configuration it thinks is suspicious, a great way to get locked out of a remote router.

deadkat · Wed Nov 17, 2021 7:13 pm

@East2, do they die when updating from 6.49 or did you first downgrade to an older version and then upgrade to 6.49.1 to test this?
I would appreciate more information regarding your experiences

braveheartleo · Wed Nov 17, 2021 7:49 pm

As a test, I tried to upgrade my hAP ac2 that now has just 5 separate packages 6.49 installed (advanced-tools,dhcp,security,system,wireless) to the manually uploaded bundle package for 6.49.1 and it fails with "not enough space for upgrade".
It looks like upgrading from separate packages to bundle package does not work on 16MB flash devices, I did the same on a RB2011 and a RB4011 without problem.

Earlier I tried to upgrade the hAP ac2 to v7.1rc6 encountering the same issue, which apparently is not a v6-to-v7 issue but just a "separate packages to bundle package on 16MB flash devices" issue. (SUP-66267)

Hi,

I have the same device and setup as you, I use separate packages install on my ac2, and I didn't encounter the "not enough space" issue during upgrade. (And I upgraded twice already now, from 6.47.10 to 6.49, then to 6.49.1)

Here are the installed packages on mine

Flags: X - disabled
 #   NAME                  VERSION                  SCHEDULED
 0   system                6.49.1                                            1   advanced-tools        6.49.1
 2   dhcp                  6.49.1                                            3   multicast             6.49.1
 4   ipv6                  6.49.1                                            5   wireless              6.49.1
 6   ppp                   6.49.1                                            7   security              6.49.1

And /system resources print:

uptime: 34m55s
version: 6.49.1 (stable)                                                 
build-time: Nov/17/2021 10:06:00
factory-software: 6.45.9
free-memory: 67.4MiB
total-memory: 128.0MiB                                                               cpu: ARMv7
cpu-count: 4
cpu-frequency: 488MHz
cpu-load: 0%
free-hdd-space: 2232.0KiB
 total-hdd-space: 15.3MiB
write-sect-since-reboot: 98
 write-sect-total: 15340
 bad-blocks: 0%
 architecture-name: arm                                                             board-name: hAP ac2
  platform: MikroTik

eworm · Wed Nov 17, 2021 7:51 pm

I have the same device and setup as you, I use separate packages install on my ac2, and I didn't encounter the "not enough space" issue during upgrade. (And I upgraded twice already now, from 6.47.10 to 6.49, then to 6.49.1)

The upgrade itself is not an issue and works reliable. Switching back to the bundle package is what fails.

braveheartleo · Wed Nov 17, 2021 7:58 pm

The upgrade itself is not an issue and works reliable. Switching back to the bundle package is what fails.

Hmm, I don't think that's what pe1chl was trying to do, if I'm understanding the post right. And even if that was the case that the user was trying to switch back from separate to bundle, then I think the right way would have been to netinstall the bundle package. 😊

May I also add that I upgraded mine via /system package update install, and not via the manual upgrade of uploading the bundle package to the device, as pe1chl stated in the post.

pe1chl · Wed Nov 17, 2021 8:11 pm

Can you please share that support issue with me? My address is mail@username.de... Thanks!

The number is already in the posting and the content is the same (i.e. it mentions the scenario and what is failing).

pe1chl · Wed Nov 17, 2021 8:16 pm

The upgrade itself is not an issue and works reliable. Switching back to the bundle package is what fails.
Hmm, I don't think that's what pe1chl was trying to do, if I'm understanding the post right. And even if that was the case that the user was trying to switch back from separate to bundle, then I think the right way would have been to netinstall the bundle package. 😊

I do not see why for this particular scenario a netinstall would be the way to go, especially when that is not documented on some MikroTik page.
Remember, it works fine on routers with more than 16MB flash, you can switch back and forth between separate and bundle by just uploading the desired .npk files and reboot. I tested that on RB2011 and RB4011 but it probably works on all routers.
It is also no problem to switch from bundle to separate packages on a 16MB router.
But now at this time it is not possible to switch back from separate to bundle, and because of that it is not possible to upgrade to v7 either.
I only bring this up because MikroTik may not yet be aware of it and may be able to fix this so people can upgrade to v7 easier.
When I want to do a netinstall I can always do that, on this router. But on many more remotely located routers it will be more difficult.

braveheartleo · Wed Nov 17, 2021 8:28 pm

Remember, it works fine on routers with more than 16MB flash, you can switch back and forth between separate and bundle by just uploading the desired .npk files and reboot. I tested that on RB2011 and RB4011 but it probably works on all routers.
It is also no problem to switch from bundle to separate packages on a 16MB router.

I understand now, and defer to your greater experience, as mine is limited to 16MB hAPs. I have not tried switching back and forth this way, only by doing netinstall, as relying on my limited understanding, one couldn't unbundle a bundled package by merely deleting the undesired package, which is not allowed. It needs to be installed unbundled, like a newly formatted device, which a netinstall does.

mkx · Wed Nov 17, 2021 8:36 pm

one couldn't unbundle a bundled package by merely deleting the undesired package, which is not allowed. It needs to be installed unbundled, like a newly formatted device, which a netinstall does.

Unbundling can be easily done by uploading only needed/wanted npk files to device and reboot it. No netinstall is needed. ROS always tries to upgrade from uploaded file(s) at reboot time if uploaded file has higher ROS version than the running one.

I'm guessing that re-bundling fails for the same reason as does upgrade of bundled installation on devices with low free space and is not actually related to re-bundling process.

pe1chl · Wed Nov 17, 2021 8:47 pm

I'm guessing that re-bundling fails for the same reason as does upgrade of bundled installation on devices with low free space and is not actually related to re-bundling process.

Well, there is actually enough free space. My guess is that the calculation of required space over-estimates the requirement when installing a bundle over separate packages, and then aborts with the "not enough space" message, while on routers with more than 16MB flash the calculated requirement is still within available space and the bundle is installed correctly (with all separate packages deleted).
I will probably just netinstall my hAP ac2, but it would be better when upgrades to v7 will still be possible in the future on the many devices with separate packages I remotely admin.
And I understand that the "bug" is in the currently-running version, not in the update being installed, so for it to be fixed there first has to be a v6 release that fixes the problem and only after *that* is installed a switch to *another* new version with bundle package will be possible, so better have this behind us now before there will be no more v6 releases...

tweetyspn · Wed Nov 17, 2021 9:06 pm

*) routerboot - enabling "protected-routerboot" feature requires a press of a button;

I suggest that ONLY the alteration of defaults of reformat-hold-button and reformat-hold-button-max triggers the additional requirement to press a button and not the activation of protected-routerboot itself.
This way protected-routerboot can be set remotely (that's extremely useful for ISPs and service providers for automated deployments) and there is no fear of criminal/etc abuse.

Just remember, that protected-routerboot was initially there to protect the router configuration itself, and that's perfectly fine with the defaults of reformat-hold-button/-max. If someone wants to actually make really difficult to reset/netinstall the router (by altering reformat-hold-button/-max), then a button should be pressed.

Caci99 · Wed Nov 17, 2021 9:08 pm

*) routerboot - enabling "protected-routerboot" feature requires a press of a button;

Finally!! I have been talking multiple times to Mikrotik about this since long. Glad they took some measures now.
There is still a risk you can be locked out by some malicious employers who can have physical access. I'd like to see the feature gone forever or at least not available to CCR-s, CRS-s, any arm, basically devices that act as core routers and switches that control the whole network.
The feature is there to protect you from stealing or altering your own device but it can do more harm if you are left out of a network you are responsible to.

Jotne · Wed Nov 17, 2021 9:57 pm

There is still a risk you can be locked out by some malicious employers who can have physical access. I

If you take security seriously, all network equipment and servers etc should be in a locked space.
Would you place a server outside in public, no. Just with an usb emulating mouse or keyboard you could install lots of stuff.

mkx · Wed Nov 17, 2021 9:59 pm

If you take security seriously, all network equipment and servers etc should be in a locked space.

Yup. And not connected to any network. Or power grid.

Jotne · Wed Nov 17, 2021 10:03 pm

Yup. And not connected to any network. Or power grid.

😁

💻🔌 🧮

kehrlein · Wed Nov 17, 2021 10:23 pm

Upgrade to 6.49.1 resulted in a boot loop of hEX S (RB760iGS).
Due to an automatically script for firmware update, I can't say if the issue occured after installing the software or the firmware.
No access to device was possible until Netinstall, which solved the issue.

nithinkumar2000 · Wed Nov 17, 2021 10:32 pm

Delegated-IPv6-Prefix Parameter is not available/missing in Radius Accounting for PPP Service...

Please refer the attached Image... This is not allowing ISP to Implement IPv6 to our customers.. Kindly do the Needful Team Mikrotik.

Radius Debug.JPG

This is really Important for Internet Service Providers for Implementing IPv6 to out Customers..

Zacharias · Wed Nov 17, 2021 10:33 pm

Upgrade to 6.49.1 resulted in a boot loop of hEX S (RB760iGS).
Due to an automatically script for firmware update, I can't say if the issue occured after installing the software or the firmware.
No access to device was possible until Netinstall, which solved the issue.

I 've seen that on firmware upgrade on 6.49 as well ...

Caci99 · Wed Nov 17, 2021 10:41 pm

There is still a risk you can be locked out by some malicious employers who can have physical access. I
If you take security seriously, all network equipment and servers etc should be in a locked space.
Would you place a server outside in public, no. Just with an usb emulating mouse or keyboard you could install lots of stuff.

You qoted me but did not read in full I guess. I am not talking about server placed by the bus station, I am talking about someone who has credentials to access the rack room as I am not the only one who does.

nithinkumar2000 · Wed Nov 17, 2021 10:51 pm

Its is Found that Delegated IPv6 Prefix Parameter is not Received in Radius Accounting Packet for PPP Service. Please refer Screenshot Attached in above post.

We are getting Delegated IPv6 Prefix Parameter when we turn on DHCP in Radius menu but issue is that none of the parameters match with PPP Service.

Example: Caller-ID is PPP username in DHCP account but in PPP accounting the Caller-ID is Service name of the PPP Server, Similarly all other parameters…

This is creating difficulty for us to log the Delegated-IPv6-Prefix to users and due to this we are unable to implement the IPv6 to our Customers.

In India it is mandatory to Implement IPv6 before June 2022. As the Radius Accounting if not sending Delegated IPv6 Prefix in PPP Service it is creating a huge delay in implementation Process.

Hope Team Mikrotik will understand Our Situation and do the needful to resolve the same at the earliest.

Jotne · Wed Nov 17, 2021 11:04 pm

I am not talking about server placed by the bus station, I am talking about someone who has credentials to access the rack room as I am not the only one who does.

You can never ever trust some 100%, but you can take lot of measure to make your solution as secure as possible within the budget you have.

mducharme · Thu Nov 18, 2021 12:09 am

It is worrisome that it sounds like 6.49.1 has not fixed all of the upgrade issues where devices go into boot loops. Perhaps there were two causes of this and MikroTik has fixed only one.

bpwl · Thu Nov 18, 2021 1:46 am

Well .... security features and their usefulness depend on your user environment and enterprise/consultant/home activities.

Used to manage from Europe quite some installations in China and the US, and 21 other countries, from the company HQ. HQ was in control, devices were bought locally but configured by HQ.
Now I configure private MT devices in another country in Europe, where i never come near to one of the devices. (They are bought locally again)
I worked very well wit the prevous "protected routerboard" setting. Not the owner was in control, I was.

*) routerboot - enabling "protected-routerboot" feature requires a press of a button;

breaks that model.
It is common in IT that who has physical access is in control, I know. But it's not what we need in this setup.
viewtopic.php?t=176437#p891184
The owner is not even near when devices are used.

There is some hope: viewtopic.php?t=180445#p891633 , if a "power-off/power-on cycle" would enable this for a short time.
Text says: "turning power off or pressing reset or mode button".
Devices are powered over PoE from a managed switch or Powerbox, so network managers are remotely in control of the power cycle and it's timing.
But I guess this power cycle alternative is only for the "device-mode" changes.

New releases: "you win some, you lose some". One has to adapt.
"Protected-Routerboot will have to be set while physically cabling the device (That is not done by the owner)., or better after the config is tested, if a physical button press is needed.

rextended · Thu Nov 18, 2021 1:49 am

PLEASE ADD THE OPPORTUNITY TO DISABLE QUICKSET,
like the actual disabilitable container, fetch, scheduler, traffic-gen,
ipsec, pptp, smb, l2tp, proxy, sniffer, zerotier, bandwidth-test, email, hotspot, romon, socks!!!

Znevna · Thu Nov 18, 2021 1:59 am

@bpwl what's the big issue? if you configure remote devices someone has to plug them in for you.
So the button push is easy, whoever plugs the device gets a call to push the button when asked. woah, magic.

r00t · Thu Nov 18, 2021 2:20 am

What is considered "suspicious"? If I have firewall rules to allow myself remote access, how can RouterOS know if these are suspicious or not? This sounds very risky if it will disable configuration it thinks is suspicious, a great way to get locked out of a remote router.

Yeah, I don't like this "flagged" stuff either. With zero control over it, this sounds like a trap that's waiting to cut your access at the worst moment because some of your configuration is misdetected or you upload "wrong" file or something like that.
I understand Mikrotik is trying to protect home users from backdoors and what else, but really... there should be a way to turn this off.
You can make it enabled by default and make sure you can't disable it afterwards (so to turn it off, netinstall with "no default config" would have to be used) but just have some way...

Znevna · Thu Nov 18, 2021 2:23 am

you mean like setting flagging-enabled to no?
As written in the docs? https://help.mikrotik.com/docs/pages/vi ... evice-mode

CoMMyz · Thu Nov 18, 2021 2:41 am

*) routerboot - enabling "protected-routerboot" feature requires a press of a button;

I suggest that ONLY the alteration of defaults of reformat-hold-button and reformat-hold-button-max triggers the additional requirement to press a button and not the activation of protected-routerboot itself.
This way protected-routerboot can be set remotely (that's extremely useful for ISPs and service providers for automated deployments) and there is no fear of criminal/etc abuse.

Just remember, that protected-routerboot was initially there to protect the router configuration itself, and that's perfectly fine with the defaults of reformat-hold-button/-max. If someone wants to actually make really difficult to reset/netinstall the router (by altering reformat-hold-button/-max), then a button should be pressed.

PLEASE read this recommendation. I concur only to use the button when setting the time requirement on something more than 100 seconds for example. ISP's use this a lot and this would completely break the original purpose of this feature.

r00t · Thu Nov 18, 2021 3:11 am

you mean like setting flagging-enabled to no?
As written in the docs? https://help.mikrotik.com/docs/pages/vi ... evice-mode

Ah... must have missed this... my bad. Peace in the world is restored.

mducharme · Thu Nov 18, 2021 3:38 am

PLEASE ADD THE OPPORTUNITY TO DISABLE QUICKSET,

I believe you can do this now in v7 with webfig skins, as they work in winbox. I'm not sure if this works with the MikroTik app yet though.

elgrandiegote · Thu Nov 18, 2021 4:08 am

after updating to version 6.49.1 (CHR) openvpn server stopped working, (connection restart)

downgrade to 6.49 and it work fine again.

Railander · Thu Nov 18, 2021 4:09 am

does this update fix the issue introduced in previous version where after updating the firmware, CCRs with simple queues enabled would take way too long to reboot? (~15 mins)

nichky · Thu Nov 18, 2021 5:39 am

interesting, /sys shutdown, doesn't affect device-mode, which is greater!

Jotne · Thu Nov 18, 2021 8:30 am

interesting, /sys shutdown, doesn't affect device-mode, which is greater!

Manual is clear about this.

After changing the device-mode, you need to confirm it, by pressing a button on the device itself, or perform a "cold reboot" - that is, unplug the power:

If you could do a soft reboot, it would not have worked as intended.

Zacharias · Thu Nov 18, 2021 10:08 am

*) winbox - added "Modbus" menu support;

Any more info on that ?

eddieb · Thu Nov 18, 2021 10:47 am

upgraded all my devices from 6.49 to 6.49.1 as always with 2nd reboot to upgrade firmware. No problems ...

CCR1009 took 30 sec to flash and reboot, 2nd reboot took less than 15 seconds

------------------------------------------------------------------------------------------------------------------
6.49.1 (stable) on :
CCR1009-8G-1S, CRS125-24G-1S, RB1100, RB962UiGS-5HacT2HnT, RB931-2nD, RB951G-2HnD, RB750GL ,RB2011UAS-RM, PWR-LINE-AP, RBwAPGR-5HacD2HnD, RB750Gr3 (dude)
feeding ADSBExchange https://www.adsbexchange.com/how-to-feed/

bpwl · Thu Nov 18, 2021 10:48 am

@bpwl what's the big issue? if you configure remote devices someone has to plug them in for you.
So the button push is easy, whoever plugs the device gets a call to push the button when asked. woah, magic.

As I said... it all depends on your situation.
My installing/button pushing buddy is on-site 4 weeks in a year. He must ask permission to each owner to enter the houses, collect the keys, what cannot be done when tenants have booked the house.
But don't worry. "Protected routerboard" will be set at installation time now. And for the installed base the 6.49.1 is not in scope this year or next year.
And if the factory firmware is not above 6.49, there is still "downgrade - set or unset protection - upgrade".

tweetyspn · Thu Nov 18, 2021 12:04 pm

*) routerboot - enabling "protected-routerboot" feature requires a press of a button;

I suggest that ONLY the alteration of defaults of reformat-hold-button and reformat-hold-button-max triggers the additional requirement to press a button and not the activation of protected-routerboot itself.
This way protected-routerboot can be set remotely (that's extremely useful for ISPs and service providers for automated deployments) and there is no fear of criminal/etc abuse.

Just remember, that protected-routerboot was initially there to protect the router configuration itself, and that's perfectly fine with the defaults of reformat-hold-button/-max. If someone wants to actually make really difficult to reset/netinstall the router (by altering reformat-hold-button/-max), then a button should be pressed.
PLEASE read this recommendation. I concur only to use the button when setting the time requirement on something more than 100 seconds for example. ISP's use this a lot and this would completely break the original purpose of this feature.

If something else could be the trigger of 'press of a button' requirement instead of protected-routerboot=enabled, then it should be the alteration of defaults ( reformat-hold-button=20s, reformat-hold-button-max=10m ). It can't be any other value, as it would be arguable if it is 100s or 50s or ..

protected-routerboot is there to protect the router configuration, it isn't the evil feature that should be gone, it is a really useful for service providers, etc. where remote installation is the only available option, as @bpwl also says, too viewtopic.php?t=180445#p891719

pe1chl · Thu Nov 18, 2021 2:23 pm

"Protected-Routerboot will have to be set while physically cabling the device (That is not done by the owner)., or better after the config is tested, if a physical button press is needed.

I think there is no way that you can install MikroTik devices with default config from factory, and then immediately do remote management on them.
There will always have to be some local reconfiguration. Either you do this at a distribution center (maybe using netinstall) or you do that on-site (maybe from a laptop of the installer).
They will have to insert at least some configuration for a VPN or maybe load the TR.069 package when you have deployed that.
The person doing that can also setup the routerboot settings and confirm via button press.
When you prepare the routers in some local distribution center, it can be done there.

It is not different in routers from (some) other manufacturer! The times are changing and the security has to be improved.

bpwl · Thu Nov 18, 2021 3:41 pm

I think there is no way that you can install MikroTik devices with default config from factory, and then immediately do remote management on them.

This is way off-topic. But just to answer. They just have to plug them in (power on), as long as there is another well configured MT AP within wifi reach. In one response in this forum I helped someone who forgot to configure his 5 wAP devices and did send them over. Just make a station connect to the default open Mikrotik WLAN, and use the Telnet app (works like a proxy) on the good AP to configure the defaulted device. I can do this only with RouterOS, but it is as magic and gives me a sorcerers status. :-)

(That's also the way I recovered from the "impatient tenant who had pushed the only available button on the hAP ac2". I rolled out the "routerboot protection" later as mitigation, fully remotely, on all devices. I love the amount of control you have with RouteOS ! )

ErfanDL · Thu Nov 18, 2021 3:41 pm

what's the upgrade in channel ?

Screenshot 2021-11-18 171057.jpg

Chupaka · Thu Nov 18, 2021 4:03 pm

*) upgrade - added new "upgrade" channel for upgrades between major versions;

Looks like v7 won't get into 'stable' or 'long-term' for v6

mozerd · Thu Nov 18, 2021 4:13 pm

On my Winbox 3.31 upgrade reveals 7.1tc6 whereas Development reveals 7.1rc6 ... IMO this is not good practice as it conveys the wrong impression .... IMO if upgrade is to be kept then release candidates should be removed from the Development channel. The natural progression is Alpha[Development], Beta[release candidate], Stable, LT ...

pe1chl · Thu Nov 18, 2021 5:26 pm

I rolled out the "routerboot protection" later as mitigation, fully remotely, on all devices. I love the amount of control you have with RouteOS !

Yeah, but the criminals love it as well. That is why this kind of thing has to end.
And MikroTik is quite late to the security party, that is why there are now hundreds of thousands of MikroTik routers in a botnet, and we see the
first victims here (undoubtedly there are many more that we don't see on the forum) who can either pay a ransom or bin all their MikroTik equipment.
Sure that was after insecure configuration, but still that is not an acceptable situation.

pe1chl · Thu Nov 18, 2021 5:29 pm

*) upgrade - added new "upgrade" channel for upgrades between major versions;
Looks like v7 won't get into 'stable' or 'long-term' for v6

It was probably done to make way for an in-place one-click upgrade to v7 (no need to manually download a package and upload it to the router, as it is now).
Not that I think that v7 is ready for that, especially when using features like BGP, but when they want a sizable number of users to eventually upgrade to v7 this has to be prepared.

bpwl · Thu Nov 18, 2021 7:04 pm

I rolled out the "routerboot protection" later as mitigation, fully remotely, on all devices. I love the amount of control you have with RouteOS !
Yeah, but the criminals love it as well. That is why this kind of thing has to end.
And MikroTik is quite late to the security party, that is why there are now hundreds of thousands of MikroTik routers in a botnet, and we see the
first victims here (undoubtedly there are many more that we don't see on the forum) who can either pay a ransom or bin all their MikroTik equipment.
Sure that was after insecure configuration, but still that is not an acceptable situation.

I know. (I'm a CISSP) Let me be clear DOS and Ransom must be avoided at all cost. So the "special" actions for these critical lock settings are a must.
I was just wondering if they had implemented the priviledged control mode enabled the first "nnn seconds" after power on or not (like in some other devices).
Wondering based on the "button push or power reset" doc line for device-mode.
This would have allowed my lazy nightly full remote control. But never mind my installation buddy passes there 2 times a year.
Netinstall prohibited is a quite hard lockout. Recover from a stupid (firewall or VLAN filtering enable) lockout by mistake could be lengthy then if "protect routerboot" enabled?

tweetyspn · Thu Nov 18, 2021 8:17 pm

@Pe1tchl, @Bpwl, criminals do prohibit netinstall by altering defaults of reformat-hold-button and reformat-hold-button-max, is that right or am I missing something?

So, when someone wants to play with these, maliciously or not, then he would have to press a button! NOT when protected-routerboot is enabled with defaults.

What do you think on this proposed solution?

pothi · Fri Nov 19, 2021 4:40 am

*) upgrade - added new "upgrade" channel for upgrades between major versions;

In hAP ac2, I don't see "upgrade" channel after updating to the latest stable (6.49.1). Am I missing something?

rushlife · Fri Nov 19, 2021 8:05 am

there is no upgrade when you already have newest version

mkamenjak · Fri Nov 19, 2021 9:45 am

It is worrisome that it sounds like 6.49.1 has not fixed all of the upgrade issues where devices go into boot loops. Perhaps there were two causes of this and MikroTik has fixed only one.

Reading the hangelog and it seems to me they did not fix this bug at all.

I am seriously disappointed that Mikrotik is not PRIORITIZING this issue.

rextended · Fri Nov 19, 2021 10:15 am

You have really readed something?

*) system - improved system stability if device is upgraded from RouterOS and/or RouterBOOT v6.41.4 or older;

The question is if all possible cases are covered or not, securely not.

Fri Nov 19, 2021 11:04 am

So all my friends and relatives have Mikrotik Routers at home, mostly they know their way around quickset and how to upgrade that is bassically it.
One of them have contacted me because their device showed that they as FLAGGED, and it looks like in was part of Meris botnet, with configuration in system schedule, pptp tunnel to unknown location and some SOCKS configuration.
So i contacted most of my friends with MT and asked them to upgrade to this version. 2 more came in as FLAGGED.... out if 16.

First impression - really nice feature!!!.
I will problably have to force some device-mode on them also, just as safeguard.

mkamenjak · Fri Nov 19, 2021 11:07 am

You have really readed something?

*) system - improved system stability if device is upgraded from RouterOS and/or RouterBOOT v6.41.4 or older;
The question is if all possible cases are covered or not, securely not.

That does not seem like that issue at all. We are arguing semantics now but when that issue will get fixed(if?) it will probably be written more like this(at least I would write it like this):
*) system - fixed boot loop issue after upgrading to the latest RouterBOOT firmware

Fri Nov 19, 2021 11:33 am

Hi, everyone.

mkamenjak, the issue with upgrades from old RouterOS/RouterBOOT versions has been fixed in this release. Also, the problem in the 6.49/6.48.5 versions did not appear due to the RouterBOOT upgrade, it simply started after the second reboot.

East2, I did not manage to create a reboot loop on my hAP ac lite when upgrading to 6.49.1 (from old or new RouterOS/RouterBOOT versions). So something else might be causing this problem. Can you share more details? What RouterOS/RouterBOOD version did you use before the upgrade? Did this happen with other versions as well? Perhaps the problem is related to a specific configuration?

mkamenjak · Fri Nov 19, 2021 2:02 pm

Hi, everyone.

mkamenjak, the issue with upgrades from old RouterOS/RouterBOOT versions has been fixed in this release. Also, the problem in the 6.49/6.48.5 versions did not appear due to the RouterBOOT upgrade, it simply started after the second reboot.

East2, I did not manage to create a reboot loop on my hAP ac lite when upgrading to 6.49.1 (from old or new RouterOS/RouterBOOT versions). So something else might be causing this problem. Can you share more details? What RouterOS/RouterBOOD version did you use before the upgrade? Did this happen with other versions as well? Perhaps the problem is related to a specific configuration?
Out of memory it was a standard public IP-NAT-DHCP configuration.

Many users are having this problem and it seems thay stillhave that problem.
I have personally had only one bricked device which has long since been thrown in the trash. However I read the forums and many have the same problem. It seems even with 6.49.1.
If you wish I can send you a sanitized backup of the configuration from the bricked device somewhere privately?

What RouterOS/RouterBOOD version did you use before the upgrade?

6.46.x, most likely 6.46.6.

Did this happen with other versions as well?

For me this happened while upgrading RouterBOOT firmware on 6.48.5l. Others have discovered the same issue on 6.49 and it seems 6.49.1 as well.

Perhaps the problem is related to a specific configuration?

What kind of configuration could stop a device from booting?

East2 · Fri Nov 19, 2021 2:10 pm

Mikrotik was without configuration 6.48.3 only dhcp-client and that's it, connected via POE. After the first restart, everything was fine, after the restart with the RouterBoard update and after it a cyclic reboot.

pe1chl · Fri Nov 19, 2021 2:17 pm

So all my friends and relatives have Mikrotik Routers at home, mostly they know their way around quickset and how to upgrade that is bassically it.
One of them have contacted me because their device showed that they as FLAGGED, and it looks like in was part of Meris botnet, with configuration in system schedule, pptp tunnel to unknown location and some SOCKS configuration.
So i contacted most of my friends with MT and asked them to upgrade to this version. 2 more came in as FLAGGED.... out if 16.

Ok now the interesting question of course is: do you tell them to change something in the default config that allows others to access the management interface of the router from the internet (e.g. to allow you access when they need help), or are they using the default configuration including the default firewall as it as in the last couple of releases?
When you do not arrange access to the management interface from the outside (opening port 22,23,80 or 8291), it is possible that they were attacked from the inside, e.g. via some malware or a malicious webpage.
But it would be interesting to know if that really occurs on such a large scale, or if it is due to bad firewall practice.

Ullinator · Fri Nov 19, 2021 4:58 pm

Update (ROS and FW) made from 6.49 to 6.49.1 (ARM) on following devices without problems:
2x CRS328-2P-4S+
2x CRS326-24G-2S+
RB4011iGS+5HacQ2Hnd
4x cAP AC
1x cAP AC XL

My "Core" Router CRS326-24S+2Q+ (MIBSBE) will be updated later.....when I´ll get a downtime.

From my side, good Job MIkroTik ;-)

Fri Nov 19, 2021 5:10 pm

My "Core" Router CRS326-24S+2Q+ (MIBSBE) will be updated later.....when I´ll get a downtime.

Don't push your luck ... :lol:

Ullinator · Fri Nov 19, 2021 5:21 pm

My "Core" Router CRS326-24S+2Q+ (MIBSBE) will be updated later.....when I´ll get a downtime.
Don't push your luck ... :lol:

The downtime was approved from my family faster as expected, upgrade on my Core router was also done without problems. :-)

steen · Fri Nov 19, 2021 9:33 pm

Hello Folks!

A warning!
The Dude packages was disabled and databases fully lost the dude setup was factory resetted.

This happened upgrading two CHR with running the dude installations hosted on KVM.
RoS 6.49 -> 6.49.1

Had to restore database from backup to get them up on track again.

kehrlein · Fri Nov 19, 2021 11:12 pm

Upgrade to 6.49.1 resulted in a boot loop of hEX S (RB760iGS).
Due to an automatically script for firmware update, I can't say if the issue occured after installing the software or the firmware.
No access to device was possible until Netinstall, which solved the issue.

Updated on these models without any issues:
RB1100AHx4
RB750GL
CRS309-1G-8S+
CRS112-8P-4S
RBcAPGi-5acD2nD (cAP ac)
RBcAPGi-5acD2nD-XL (cAP XL ac)

inteq · Sat Nov 20, 2021 1:46 am

No issues updating on:
RB1100AHx2,AHx4 and Dude edition. RB4011, CCR1009 and a lonely HeX S
HAP AC2&3
WAP and CAP AC (old and new models),Audience
CRS312

Guscht · Sat Nov 20, 2021 2:02 am

Will MIPSBE devices continue to randomly die on routerboot upgrade with this release?
Have CCR long boot issues been fixed?

Hi, for the CCR and long boot issue: I can confirm the issue is gone!!

I was the first one reporting this after 6.49 came out, I had a long discussion with MT regarding this issue, but they were able to recreate it in their labs and send me a beta-version. With this beta and now the final 6.49.1 the issue was/is gone. We updated now all our CCR1036 and CCR1072 and they boot as fast as with 6.48.x.

pe1chl · Sat Nov 20, 2021 11:16 am

Hi, for the CCR and long boot issue: I can confirm the issue is gone!!

Thanks for the info! (I have some CCR in use for which I postponed update)

flapviv · Sat Nov 20, 2021 11:39 am

Hi, for the CCR and long boot issue: I can confirm the issue is gone!!
Thanks for the info! (I have some CCR in use for which I postponed update)

Yesterday, I upgraded my CCR2004-1G-12X-2XS, and reboot was very quick.

osc86 · Sat Nov 20, 2021 4:55 pm

Updated a CCR2004-1G-12S+2XS from 6.49 to 6.49.1.
Exactly one day later, the router was rebooted by watchdog. This is not looking good, will keep an eye on it.

aivarsm · Sun Nov 21, 2021 3:02 pm

CapsMan ... wifi users who are registered in "access list" did not listed "Registration table" IF they are connected to another microtik (mAP in my case) in repeater mode.

if capsMan wifi network extended via wifi extender, connected allowed users not visible.

mkx · Sun Nov 21, 2021 5:54 pm

CapsMan ... wifi users who are registered in "access list" did not listed "Registration table" IF they are connected to another microtik (mAP in my case) in repeater mode.

if capsMan wifi network extended via wifi extender, connected allowed users not visible.

If client is connected to wifi extender, from wireless radio point of view it's not connected to cAP ... hence CAPsMAN doesn't see it as wireless client.

aivarsm · Mon Nov 22, 2021 12:15 am

yes, yes ... but client wifi private passphrase works. it can connect to wireless SSID

jirinovak · Mon Nov 22, 2021 6:31 am

Hello, I have RB1100Ahx4 and DHCPs on VPLS lines where clients are connected. DHCP works but status of clients is waiting. Does anyone have the same problem?
RB1100Ahx4 - VPLS To - PE - AP in bridge - Clients v 6.49. and 6.49.1

DHCP status waiting flaw are also affected clients TP-links directly connected to ethernet on RB1100Ahx4.

I can see in log that static leases are being assigned. The time of waiting correspond with reboot RB1100AHx4 and upgrade to new version.

Sometimes I can see in winbox that Client is bound but after few second disappear.

mkx · Mon Nov 22, 2021 8:38 am

yes, yes ... but client wifi private passphrase works. it can connect to wireless SSID

You seem to expect that wifi extender is sort of signal booster. Well, it's not, it simply wouldn't work like that.The way wifi extenders work is that they act both as WiFi client (connected to "normal" AP) and WiFi AP. The "big feature" is that they copy off security profile from AP they connect to so they seem the same as AP to wireless clients. Then they simply forward frames between client and AP, possibly performing MAC address translation. If client is connected to extender, then AP will only see extender as connected client.

bpwl · Mon Nov 22, 2021 12:57 pm

Sometimes I can see in winbox that Client is bound but after few second disappear.

DHCP client "offered" and then disappears, is well known (certainly with wifi-extenders, when the "offer" never reaches the client because the MAC address of the client is used and not the one from the the wifi-extender. The client behind a wifi-extender (pseudo bridge) can only be reached with the extender MAC address and the client IP address , or with full broadcast. (IP and MAC ! The broadcast MAC is has been missing with MT DHCP server))

jbl42 · Mon Nov 22, 2021 2:38 pm

*)health - improved temperature reporting

We can confirm -274° temp readings in System/Health and SNMP fixed on RB4011 with 6.49.1 (in our case introduced with 6.49.0)

Zacharias · Mon Nov 22, 2021 2:46 pm

*)health - improved temperature reporting
We can confirm -274° temp readings in System/Health and SNMP fixed on RB4011 with 6.49.1 (in our case introduced with 6.49.0)

I can't confirm that... RB4011 with 6.49 reports temperature correctly...

pe1chl · Mon Nov 22, 2021 2:56 pm

I can't confirm that... RB4011 with 6.49 reports temperature correctly...

So for your device it is most interesting to know if it still works ok with 6.49.1
Because it seems to be rocket-science to make a temperature reading working correctly on all models and hardware versions.

Ullinator · Mon Nov 22, 2021 3:47 pm

I can't confirm that... RB4011 with 6.49 reports temperature correctly...
So for your device it is most interesting to know if it still works ok with 6.49.1
Because it seems to be rocket-science to make a temperature reading working correctly on all models and hardware versions.

For me it works on RB4011 with 6.49 and actually also with 6.49.1

hc_052.jpg

ksteink · Mon Nov 22, 2021 4:10 pm

I updated 21 devices from different models (RB2011, RB4011, CRS326, CRS312, hEX S, hAP AC2, cAP) and everything went smooth :). Thanks!

pe1chl · Mon Nov 22, 2021 4:48 pm

For me it works on RB4011 with 6.49 and actually also with 6.49.1

It is mainly interesting to hear from people for which it does NOT work in some version. It is clear that there are different situations with different results, probably different hardware revisions.

aivarsm · Mon Nov 22, 2021 10:44 pm

anyway, client behind repeater must be visible, as their MAC address used as private access list rule, and MAC used to assign statis dhcp address. and at end, this client MAC address used firewall filter.
All others services works with client MAC behind repeater, only capsMan simple 'one tab' could not.

sound as simple missing sql part .. select bla, bla, bla, some_different_client_id from ...

Sometimes I can see in winbox that Client is bound but after few second disappear.
DHCP client "offered" and then disappears, is well known (certainly with wifi-extenders, when the "offer" never reaches the client because the MAC address of the client is used and not the one from the the wifi-extender. The client behind a wifi-extender (pseudo bridge) can only be reached with the extender MAC address and the client IP address , or with full broadcast. (IP and MAC ! The broadcast MAC is has been missing with MT DHCP server))

nichky · Tue Nov 23, 2021 12:37 am

in regarding to Device-mode,i'm not really understand what flagged does.
wiki saying:

"If the system has detected unauthorized access to RouterOS, the status "flagged" is set to yes. If "flagged" is set to yes, for your safety, certain limitations are put in place. See below chapter for more information. "

which is not clear enough.

Kindis · Tue Nov 23, 2021 9:49 am

I agree with what is written above. I have no routers that are flagged but if I did what should I do? And how do I see it is flagged? Do I need to run a command every time to see it?
Great Idea but more info would be good.

pe1chl · Tue Nov 23, 2021 10:38 am

It is not that difficult, right? It tries to detect certain configuration patterns that are suspicious because they are used by malware, and when it detects one it sets a flag and disallows a lot of operations, and issues a message when further config changes are attempted.
This is of course done in an attempt to lockdown routers that are currently affected by malware and are in a botnet.

Of course it won't work, because:
- this check is only added when the user actually updates their device, which many users in the category affected by this problem never do
- the check is only done on reboot, and many users never reboot their router
- the check is likely static, i.e. it is not fetched from some cloud server, so once the malware authors have analyzed it they can change their malware so it will not be detected anymore, and the arms race repeats where the new version will only be detected once the user has updated their router

Maybe I am wrong and the flagged check will actually download signatures (like a virus scanner does), but I doubt it. That would be mentioned in the documentation.
I think in this category there should be some "automatic upgrade" feature were every delivered router where the admin has not explicitly disabled that, the router will auto-upgrade via some security-updates channel where new versions are released only when security issues have been found in RouterOS. That would at least keep most of those millions of routers that are just installed-and-forgotten a bit secure.
Probably there should also be some protection via the device-mode feature to enforce explicit action before allowing admin access from the internet, but I realize that is difficult to implement. One would likely not want to disallow ALL firewall mods until a device mode has been enabled, because too many users would want or need to enable that and the risk even exists that they use that opportunity to disable all security measures implemented via device-mode.

Guscht · Tue Nov 23, 2021 7:02 pm

Is there an OID for the "flagged" status? Id love to monitor it...
Its still unclear to me what triggers a flagged state and how I can resolve the situation.

The only thing I understand, If the device gets flagged some things wont work. And I would say a OID to monitor the flagged state is mandatory.
Sadly a /system device-mode> print oid doesn't the trick.

pe1chl · Tue Nov 23, 2021 7:28 pm

I think it will check for a combination of things like "the /ip socks facility is enabled", "an SSTP client is configured", "a scheduled job is present" etc.
When it matches the pattern for malware, the flag status is enabled.
To disable it, review the config and remove what is related to the malware, reset the flagged state via /system/device-mode/update flagged=no as mentioned in the documentation.
Or better: netinstall the device and rebuild the configuration from defaults.

Tue Nov 23, 2021 7:52 pm

I think it will check for a combination of things like "the /ip socks facility is enabled", "an SSTP client is configured", "a scheduled job is present" etc.
When it matches the pattern for malware, the flag status is enabled.

Then it should also be possible to change those conditions.
For some all you mention can be specifically configured by the owner.
Doesn't make sense that each and every time flagged status gets triggered then.

stanislavdavid · Tue Nov 23, 2021 11:41 pm

I have too reboot loop with 951G - MIPSBE - It was ADSL router with L2TP Client
netinstall is not working. Any idea how to test netinstall with backup bootloader?

Mikrotik was without configuration 6.48.3 only dhcp-client and that's it, connected via POE. After the first restart, everything was fine, after the restart with the RouterBoard update and after it a cyclic reboot.

faber33 · Wed Nov 24, 2021 3:35 pm

*) winbox - added "Modbus" menu support;

It will probably only work in KNOT, so still no regular MODBUS TCP :(

jirinovak · Wed Nov 24, 2021 10:24 pm

Sometimes I can see in winbox that Client is bound but after few second disappear.
DHCP client "offered" and then disappears, is well known (certainly with wifi-extenders, when the "offer" never reaches the client because the MAC address of the client is used and not the one from the the wifi-extender. The client behind a wifi-extender (pseudo bridge) can only be reached with the extender MAC address and the client IP address , or with full broadcast. (IP and MAC ! The broadcast MAC is has been missing with MT DHCP server))

Thanks for replay. Is there a any solution except netinstall? I downgraded router to 6.48.5 and problem persist. I do not have any extender etc.

Thank you.

gyropilot · Wed Nov 24, 2021 11:48 pm

Successfully updated both RouterOS and Routerboard firmware in a hAP AC Lite (RB952Ui-5ac2nD) from 6.48.4 to 6.49.1 without any problems.

bpwl · Wed Nov 24, 2021 11:54 pm

Thanks for replay. Is there a any solution except netinstall? I downgraded router to 6.48.5 and problem persist. I do not have any extender etc.

I think your DHCP problem is not related to the 6.49.1 or 6.48.5 release.
The issues are much older. viewtopic.php?t=116963
And I believe (besides the STP disable action) that this here gets to some attempt to mitigate it (set the ff:ff:ff:ff:ff:ff broadcast MAC address) : viewtopic.php?t=160180#p842558

sindy · Wed Nov 24, 2021 11:55 pm

Is there a any solution except netinstall?

There are many possible reasons why the DHCP process doesn't succeed, so the first thing to do is sniffing to reveal what actually happens. I'd say open a dedicated topic as your issue doesn't seem to be specific to 6.49.1 and it will need some talk on what to do and what are the results.

The chance that a netinstall would solve it is quite low.

jirinovak · Thu Nov 25, 2021 2:09 pm

Thanks for replay. Is there a any solution except netinstall? I downgraded router to 6.48.5 and problem persist. I do not have any extender etc.
I think your DHCP problem is not related to the 6.49.1 or 6.48.5 release.
The issues are much older. viewtopic.php?t=116963
And I believe (besides the STP disable action) that this here gets to some attempt to mitigate it (set the ff:ff:ff:ff:ff:ff broadcast MAC address) : viewtopic.php?t=160180#p842558

You are right. Problem was not related to the 6.49.1 release. It helped to remove pools and import them back and set correct pool to the DHCP.

Thanks

winap · Fri Nov 26, 2021 9:06 pm

Please, where can I find a voltage and temp measure? I mean in previous FW it was in health, but now I can't see it..
Thank you.

Zacharias · Fri Nov 26, 2021 9:09 pm

Please, where can I find a voltage and temp measure? I mean in previous FW it was in health, but now I can't see it..
Thank you.

Its still there...
What is the device Model ?

winap · Fri Nov 26, 2021 9:19 pm

Please, where can I find a voltage and temp measure? I mean in previous FW it was in health, but now I can't see it..
Thank you.
Its still there...
What is the device Model ?

RBSXTsqG-5acD...but where is the health now please? :D
It was in system-health..
But I think it wont work in some new version, so they block it :D

pe1chl · Fri Nov 26, 2021 9:35 pm

Please, where can I find a voltage and temp measure? I mean in previous FW it was in health, but now I can't see it..

Getting voltage and temperature measurements to work across all possible device models and revisions appears to be like rocket science!
Every new release there is a group of devices where it no longer works. Be patient and it will return (and fail for someone else...)

felodimul · Sat Nov 27, 2021 12:20 am

So is this version a "real stable" version? (Concept referred to in this post about how 6.48.5 is NOT a "real stable" version):

viewtopic.php?t=179260#p886907

Zacharias · Sat Nov 27, 2021 12:59 pm

So is this version a "real stable" version? (Concept referred to in this post about how 6.48.5 is NOT a "real stable" version):

viewtopic.php?t=179260#p886907

You found any problems on this version ?

felodimul · Sat Nov 27, 2021 4:43 pm

I haven't installed it yet. I'm waiting for the "big guns" on this forum to give it the OK. :-D

bpwl · Sat Nov 27, 2021 7:38 pm

Netinstall prohibited is a quite hard lockout. Recover from a stupid (firewall or VLAN filtering enable) lockout by mistake could be lengthy then if "protect routerboot" enabled?

After seeing what it takes to recover from a stupid lockout with "routerboot protected" enabled , I changed strategy.
(Only want to avoid that people erase the config by accident, when trying to "solve some wifi problem" on their own with the 2 available buttons on a hAP ac2.)
Since 6.47.10 the "reset" button can also be linked to own instructions (script or command line) . So I inserted "/system reboot" for the reset button.

Question now is , what happens if I set the hold time from 0.6 till 60 sec. Is it still possible to erase the config by holding longer than one minute ??
i.o.w. is the normal reset function (reset/CAPs mode/NETinstall) of the reset button delayed or disabled ????
Can the reset function still be invoked with pressing before power is applied?

Zacharias · Sat Nov 27, 2021 8:26 pm

Netinstall prohibited is a quite hard lockout. Recover from a stupid (firewall or VLAN filtering enable) lockout by mistake could be lengthy then if "protect routerboot" enabled?
After seeing what it takes to recover from a stupid lockout with "routerboot protected" enabled , I changed strategy.
(Only want to avoid that people erase the config by accident, when trying to "solve some wifi problem" on their own with the 2 available buttons on a hAP ac2.)
Since 6.47.10 the "reset" button can also be linked to own instructions (script or command line) . So I inserted "/system reboot" for the reset button.

Question now is , what happens if I set the hold time from 0.6 till 60 sec. Is it still possible to erase the config by holding longer than one minute ??
i.o.w. is the normal reset function (reset/CAPs mode/NETinstall) of the reset button delayed or disabled ????
Can the reset function still be invoked with pressing before power is applied?

The reset button will work ( during boot ) even if disabled, for example for netinstall or reset to defaults...
Only using the Protected Routerboot feature can actually disable the Reset Button.
The reset button will not erase any config by itself... If the time is set to default 0..60s then when you press it within that time it will run the script you have manually configured... If it is left blank it won't do anything. ( while the device is already powered on and has completed the Booting process )

bpwl · Sat Nov 27, 2021 9:06 pm

Txs @Zacharias.
The key here is "during boot", that is fine as mitigation. Just wonder now why they could reset the config without power reset or reboot.
(They must have pressed until something blinked)
.

Klembord-2.jpg

pe1chl · Sun Nov 28, 2021 11:48 am

(Only want to avoid that people erase the config by accident, when trying to "solve some wifi problem" on their own with the 2 available buttons on a hAP ac2.)

In that case you may want to deliver your devices with a modified default config script that installs the config that YOU want to be the default.
Then, the "solve some problem by using the button" will actually help when the config was somehow messed up!

flapviv · Mon Nov 29, 2021 7:30 am

Hello
How can i find any reson why it was rebooted ?
version 6.49.1

Hello,
Could you please tell us the hardware on which that happened?
Thanx

tomislav91 · Wed Dec 01, 2021 1:07 am

MicrosoftTeams-image.png

after upgrading.
anyone has this problem?

tukan · Wed Dec 01, 2021 12:41 pm

MicrosoftTeams-image.png
MicrosoftTeams-image.png

after upgrading.
anyone has this problem?

On which device?

sindy · Wed Dec 01, 2021 3:15 pm

@tomislav91, what does /ip socks export say, could it be that the issue is not related to upgrade but to a botnet suqtting on your device?

iqbaldalban · Thu Dec 02, 2021 1:50 am

I wish netwatch added a menu to select the interface used to monitor the network on a multi wan system to be able to run commands when one of the wans is off

eworm · Thu Dec 02, 2021 9:39 am

I wish netwatch added a menu to select the interface used to monitor the network on a multi wan system to be able to run commands when one of the wans is off

Packet flow follows the usual routing...
On my devices I route specific addresses (for example 1.0.0.1) via different WAN to monitor...
But this is not release specific, if you are interested search the forum or open your own topic.

buset1974 · Fri Dec 03, 2021 9:34 am

bgp routing selection on vrf environtment (vpn4) still broken.
It cannot choose the right path.

simple-topology-multihoming.jpg

(please the topology)
1. After CPE rebooted PE-C see that next-hop to 10.10.110.1 will be go to PE-A (good)
2. When CPE disable bgp to PE-A. PE-C see that next-hop will be go to PE-B (good)
3. When CPE re-enable BGP to PE-A, PE-C keep see that next-hop will be go to PE-B (not GOOD)

i've reported years ago and still not fixed yet :(
but if i change PE-A or PE-B into Cisco everything works fine.

thx

JimBouse · Fri Dec 03, 2021 4:02 pm

I like that devices prompt for a password change on a expired or blank password but it presents a new challenge to remote device management.

We have a link in our billing CRM that allows the office staff to access the customer routers via L2TP tunnel and a private IP address.
We have the admin account set with no password but only allows access from certain IP addresses (our office subnet).
If 6.49.x is going to make the users change the password, we need to be able to send the password in the URL so the office personnel don't have to type the password repeatedly.

Perhaps something like: http://router.ip.address.here/?login=so ... s=somepass

If you need more information, I am happy to assist.

Thanks,
Jim

Poundbury · Fri Dec 03, 2021 6:38 pm

Anyone have experience of jumping large release versions?
On 4 CCR (tile) routers, upgrading the routerboot to 6.49.1 has resulted in non booting hardware.
The RouterOs upgrade was fine, and the routers rebooted into 6.49.1.
However, "system package upgrade" reports a success message and then the router would no longer boot.
One went into Etherboot and was recoverable with netinstall.
The others just stuck in a reboot loop and had to be recovered with a serial cable:

RouterBOOT booter 6.46.4
CCR1009-7G-1C

CPU frequency: 1000 MHz
Memory size: 1024 MiB
NAND size: 128 MiB

Press any key within 2 seconds to enter setup..

loading kernel... OK
setting up elf image... OK
jumping to kernel code
opendir: No such file or directory
ERROR: no system package found!
Kernel panic - not syncing: Attempted to kill init!

Starting stack dump of tid 1, pid 1 (init) on cpu 8 at cycle 17303905857
frame 0: 0xfffffff700520100 dump_stack+0x0/0x20 (sp 0xfffffe003eedfc08)
frame 1: 0xfffffff700519098 panic+0x168/0x398 (sp 0xfffffe003eedfc08)
frame 2: 0xfffffff700053b18 do_exit+0x1c8/0xd48 (sp 0xfffffe003eedfcb0)
frame 3: 0xfffffff7000547e0 do_group_exit+0xf0/0x1e8 (sp 0xfffffe003eedfd78)
frame 4: 0xfffffff7000548f8 __wake_up_parent+0x0/0x18 (sp 0xfffffe003eedfdb0)
frame 5: 0xfffffff700520e58 handle_syscall+0x210/0x2d0 (sp 0xfffffe003eedfdc0)
<syscall while in user mode>
frame 6: 0x9c158 0x9c158 (sp 0x7f97f970)
Stack dump complete
Rebooting in 1 seconds..Resetting chip and restarting.

Support told me to upgrade incrementally to avoid this, but gave example versions that skipped versions and I am therefore confused as to which upgrades are permissable from which versions. They said:

"Perform upgrade by steps and install the newest versions with the smallest jumps. In case when the device is remotely unavailable.
Suggested stable versions for upgrade are > 6.44.4, 6.46.6, 6.48.4, 6.49."

I've never come across this before - usually a router can be upgraded from any version to the latest without incident.
Can someone clarify the supported upgrade path for me?

Mike

mhugo · Sat Dec 04, 2021 5:59 pm

Anyone have experience of jumping large release versions?

I've never come across this before - usually a router can be upgraded from any version to the latest without incident.
Can someone clarify the supported upgrade path for me?

Got similar issue upgrading a 317 to 6.49.1. from 6.42.something As this is remote and hard to reach we havent checked it yet as it still seems to forward traffic fine but management is not reachable.

Has never been an issue for me before either.

/M

netflow · Sun Dec 05, 2021 11:50 pm

My hAP ac2 had a kernel issue when attempting to update from 6.48.4 to 6.49.1 and hopefully reverted to 6.48.4. Waiting for next stable then...

emils · Mon Dec 06, 2021 1:30 pm

New version 6.49.2 has been released in stable RouterOS channel:

viewtopic.php?t=180947

Who is online