
v6.39 [current]

Posted: Fri Apr 28, 2017 3:54 pm
by strods
To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

WARNING!
This is applicable only for users using Webfig.
If you have only used Webfig on specific router and have never used CLI or Winbox on this device, then after upgrade/reboot device will be reset to default configuration.

Instructions to avoid this:
1) Connect to device through CLI or Winbox before upgrade to 6.39;
2) Reject default configuration;
3) Upgrade device.

The issue will be fixed in 6.39.1.

What's new in 6.39 (2017-Apr-27 10:06):

!) bridge - added "fast-forward" setting and counters (enabled by default only for new bridges) (CLI only);
!) bridge - added support for special and faster case of fastpath called "fast-forward" (available only on bridges with 2 interfaces);
!) bridge - reverted bridge BPDU processing back to pre-v6.38 behaviour; (v6.40 will have another separate VLAN-aware bridge implementation);
!) filesystem - fixed rare situation when filesystem failed to read all configuration on startup;
!) filesystem - fixed rare situation when filesystem went into read-only mode (some configuration might have gotten lost on reboot);
!) firewall - discontinued support for p2p matcher (old rules will become invalid);
!) kernel - fixed UDP checksum handling in rare overflow situations;
!) l2tp - added fastpath support when MRRU is enabled;
!) ppp - completely rewritten internal fragmentation algorithm (when MRRU is used), optimized for multicore;
!) ppp - implemented internal algorithm for "change-mss", no mangle rules necessary;
!) pppoe - added fastpath support when MRRU and MLPPP are enabled;
!) quickset - configuration changes are now applied only on "OK" and "Apply" (not on mode change);
!) tile - fixed IPSec hardware acceleration out-of-order packet problem, significantly improved performance;
!) winbox - minimal required version is v3.11;
*) address - fixed crash when address is assigned to another bridge port;
*) api - fixed double dynamic flags for "/ip firewall address-list print";
*) capsman - added "extension-channel" XX and XXXX auto matching modes;
*) capsman - added "keepalive-frames" setting;
*) capsman - added "skip-dfs-channels" setting;
*) capsman - added CAP discovery interface list support;
*) capsman - added DFS support;
*) capsman - added EAP identity to registration table;
*) capsman - added ability to specify multiple channels in frequency field;
*) capsman - added save-channel option to speed up frequency selection on CAPsMAN restart;
*) capsman - added support for "background-scan" and channel "reselect-interval";
*) capsman - added support for static virtual interfaces on CAP;
*) capsman - changed channel "width" name to "control-channel-width" and changed default values;
*) capsman - improved CAP status querying;
*) capsman - improved support for communicating frame priority between CAP and CAPsMAN;
*) certificate - SCEP client now supports FQDN URL and port;
*) certificate - allow CRL address to be specified as DNS name;
*) console - fixed "/ip neighbor discovery" export;
*) console - fixed DHCP/PPP add-default-route distance minimal value to 1;
*) console - fixed crash;
*) console - fixed incorrect ":put [/lcd get enabled]" value;
*) ddns - improved "dns-update" authentication validation;
*) defconf - fixed Groove 52 ac band settings;
*) defconf - fixed default configuration generation when wireless package is disabled;
*) dhcp-client - added "script" option which executes script on state changes;
*) dhcpv4 - fixed string option parser;
*) dhcpv4-server - added "lease-hostname" script parameter;
*) dhcpv4-server - by default make server "authoritative";
*) dhcpv4-server - do some lease checks only on enabled object;
*) discovery - fixed LLDP discovery, IPv6 address was not parsed correctly;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=21&t=116471);
*) email - check for errors during SMTP exchange process;
*) ethernet - added "voltage-too-low" status for single port power injector devices;
*) ethernet - fixed "loop-protect" on "master-port";
*) ethernet - fixed rare switch chip hang (could cause port flapping);
*) ethernet - fixed unnecessary power cycle of powered device when changing any poe-out related setting on single port power injector devices;
*) ethernet - renamed "rx-lose" to "rx-loss" in ethernet statistics;
*) ethernet - reversed poe-priority on hEX PoE and OmniTIK 5 PoE to make "poe-priority" consistent to all other RouterOS priorities;
*) fastpath - fixed rare crash on devices with dynamic interfaces;
*) fetch - added "http-data" and "http-method" parameters to allow delete, get, post, put methods (content-type=application/x-www-form-urlencoded by default);
*) fetch - fixed authentication failure;
*) fetch - fixed download issue over HTTPS;
*) gps - added "fix-quality" and "horizontal-dilution" parameters;
*) graphing - fixed graph disappearance after power outage;
*) hotspot - added access to HTTP headers using $(http-header-name);
*) ike1 - fixed ph2 ID logging;
*) ike2 - allow multiple child SA traffic selectors on re-key;
*) ike2 - always replace empty TSi with configured address if it is available;
*) ike2 - check child state before allowing rekey;
*) ike2 - default to /32 peer address mask;
*) ike2 - fixed CTR mode;
*) ike2 - fixed EAP message length;
*) ike2 - fixed ISA handler object removal on SA delete;
*) ike2 - fixed RSA authentication without EAP;
*) ike2 - fixed ctr mode;
*) ike2 - fixed disabled DPD;
*) ike2 - fixed last EAP auth payload type;
*) ike2 - fixed ph2 state when sending notify;
*) ike2 - fixed policy release during SA negotiation;
*) ike2 - fixed state when sending delete packet;
*) ike2 - improved logging;
*) ike2 - kill only child SAs which are not re-keyed by remote peer;
*) ike2 - log RADIUS timeout message under error topic;
*) ike2 - remove old SA after rekey;
*) ike2 - send EAP identity as user-name RADIUS attribute;
*) ike2 - update "calling_station_id" RADIUS attribute;
*) ike2 - update peer identity after successful EAP authentication;
*) ippool - return proper error message when trying to create duplicate name;
*) ipsec - added "last-seen" parameter to active connection list;
*) ipsec - allow mixing aead algorithms in proposal;
*) ipsec - better responder flag calculator for console;
*) ipsec - disallow AH+ESP combined policies;
*) ipsec - do not lose "use-ipsec=yes" parameter after downgrade;
*) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;
*) ipsec - fixed "/ip ipsec policy group export verbose";
*) ipsec - fixed "mode-cfg" verbose export;
*) ipsec - fixed SA authentication flag;
*) ipsec - renamed "hw-authenc" flag to "hw-aead";
*) ipsec - show hardware accelerated authenticated SAs;
*) ipsec - updated tilera classifier for UDP encapsulated ESP;
*) l2tp - added support for multiple L2TP tunnels (not to be confused with sessions) between same endpoints (required in some LNS configurations);
*) l2tp - fixed hidden attribute decryption in forwarded CHAP responses for LNS;
*) l2tp-server - added "caller-id-type" to forward calling station number to RADIUS on authentication;
*) l2tp-server - added "use-ipsec=required" option;
*) l2tp-server - fixed upgrade to keep "use-ipsec=yes" in L2TP server;
*) leds - added LTE modem access technology trigger;
*) leds - changed error message on unsupported board;
*) leds - do not update single LED state when it is not changed;
*) leds - show warning on print when "modem-signal-threshold" is not available;
*) log - added "gps" topic;
*) log - added "tr069" topic;
*) log - added missing "license limit exceeded" log entry;
*) log - added warning when Winbox/Dude sessions were denied;
*) log - do not show changes in packet if NAT has not been used;
*) log - make SNMP logs more compact;
*) lte - added "session-uptime" in info command;
*) lte - added LTE signal level reading for Cinterion modems;
*) lte - added error handling for remote AT execute;
*) lte - added initial support for DWR-910 modem;
*) lte - added initial support for Quectel ec25;
*) lte - added initialization for Cinterion;
*) lte - added log entry for SMS delivery report;
*) lte - added support for Vodafone R216 (Huawei);
*) lte - buffer AT events while info command is active;
*) lte - fixed "/interface lte info X once";
*) lte - fixed IPv6 address prefix on interface;
*) lte - fixed network mode selection for me909u, mu609;
*) lte - fixed older standard CEREG parsing;
*) lte - fixed support for Huawei R216;
*) lte - fixed user-command;
*) lte - reset interface stats on "link-down";
*) netinstall - fixed typos;
*) ntp - restart NTP client when it is stuck in error state;
*) ppp - added "bridge-horizon" option under PPP/Profile;
*) ppp - added option to specify "interface-list" in PPP/Profile;
*) ppp - fixed rare kernel failure on PPP client connection;
*) ppp - fixed rare kernel failure when receiving IPv6 address on PPP interface;
*) ppp - include rates, limits and address-lists parameters in RADIUS accounting requests;
*) ppp-client - added support for Datacard 750UL, DWR-730 and K4607-Zr;
*) pppoe - added warning on PPPoE client/server, if it is configured on slave interface;
*) pppoe - set default keepalive 10s for newly created PPPoE clients;
*) quickset - added initial LTE AP mode support;
*) rb1100ahx2 - fixed random counter resets for ether12,13;
*) rb3011 - added partitioning support;
*) smb - fixed different memory leaks and crashes;
*) smb - fixed share path on devices with "/flash" directory;
*) smips - reduced RouterOS main package size;
*) snmp - "No Such Instance" error message is replaced with "No Such Object";
*) snmp - added fan-speed OIDs in "/system health print oid";
*) snmp - added optical table;
*) snmp - fixed rare crash;
*) snmp - improved getall filter;
*) snmp - improved response speed when multiple requests are received within short period of time;
*) snmp - increase "engineBoots" value on reboot;
*) snmp - optimized bridge table processing;
*) tile - added initial support for NVMe SSD disk drives;
*) tile - fixed IPSec crash (introduced in 6.39rc64);
*) tile - optimized hardware encryption;
*) tr069-client - added "Device.Hosts.Host.{i}." support;
*) tr069-client - added "Device.WiFi.NeighboringWiFiDiagnostic." support;
*) tr069-client - added "Ethernet.Interface.{i}.MACAddress" parameter;
*) tr069-client - added DHCP server support;
*) tr069-client - added Upload RPC "2 Vendor Log File" support;
*) tr069-client - added architecture name parameter (X_MIKROTIK_ArchName - vendor specific);
*) tr069-client - added basic stats parameters for some interface types;
*) tr069-client - added basic support for "/ip firewall filters";
*) tr069-client - added connection request authentication;
*) tr069-client - added firewall NAT support using vendor Parameters;
*) tr069-client - added parameters for DNS client management support;
*) tr069-client - added ping diagnostics support;
*) tr069-client - added support for escaped entity references (& < > ' ");
*) tr069-client - added support for managing "/system/identity/" value;
*) tr069-client - added support for memory and CPU load parameters;
*) tr069-client - added support for uploading/downloading factory script;
*) tr069-client - added traceroute diagnostics support;
*) tr069-client - close connection if CPE considers XML as invalid;
*) tr069-client - fixed "AddObjectResponse" "InstanceNumber" value;
*) tr069-client - fixed "Device.ManagementServer." value update;
*) tr069-client - fixed XML special character parsing;
*) tr069-client - fixed crash on =acs-url change special case;
*) tr069-client - fixed special escape characters on XML data send;
*) tr069-client - fixed write for "Device.ManagementServer.URL";
*) tr069-client - general improvements on reducing storage space;
*) tr069-client - generate random connection request target path;
*) tr069-client - hide "Device.PPP.Interface.{i}.Password" value;
*) tr069-client - improved LTE monitoring process;
*) tr069-client - increased performance on GetParameterValues;
*) tr069-client - made any Download RPC overwrite configuration except ".alter";
*) tr069-client - make more Parameters deny active notifications;
*) tr069-client - set CHR license ID as ".SerialNumber" value to avoid "no serial number" error in ACS;
*) traceroute - small fix;
*) tunnels - fixed reboot loop on configurations with IPIP and EoIP tunnels (introduced in 6.39rc68);
*) usb - added support for more CP210X devices;
*) userman - allow "name-for-user" to be empty and not unique;
*) userman - automatically select all newly created users to generate vouchers;
*) userman - fixed rare crash when User Manager requested file does not exist on router;
*) userman - fixed rare web interface crash while using Users section;
*) wAP ac - improved 2.4GHz wireless performance;
*) webfig - added menu bar to quickly select between Webfig, Quickset and Terminal;
*) webfig - allow shorten bytes to k,M,G in firewall "connection-bytes" and "connection-rates";
*) webfig - allow to change global variable contents;
*) webfig - allow to enter frequency ranges in wireless scan list;
*) webfig - allow to select "default-encryption" profile on PPP tunnels;
*) webfig - correctly specify routing filter prefix;
*) webfig - do not allow to reorder items if table is sorted by some column;
*) webfig - fixed bridge property display;
*) webfig - fixed delays on key press in terminal;
*) webfig - fixed tab ordering on Google Chrome;
*) webfig - fixed "last-link-up" & "last-link-down" time information;
*) webfig - improved field layout;
*) webfig - make Terminal window work within Webfig window;
*) webfig - show all available options under "Advanced Mode" for wireless interfaces;
*) webfig - show proper error messages for optional erroneous text fields;
*) winbox - added "Flush" button under unicast-fdb menu;
*) winbox - added "group-key-update" to CAPsMAN security settings;
*) winbox - added "k" and "M" unit support to PPP secret limit-bytes parameters;
*) winbox - added "memory-scroll", "filter-cpu", "filter-ipv6-address", "filter-operation-between-entries" parameters;
*) winbox - added "save-selected" setting under CAPsMAN channels;
*) winbox - added "static-virtual" to wireless CAP;
*) winbox - added GPS menu;
*) winbox - added protected routerboard parameters under routerboard settings menu;
*) winbox - allow shorten bytes to k,M,G in firewall "connection-bytes" and "connection-rates";
*) winbox - allow to change user password to empty one;
*) winbox - allow to not specify certificate in IPSec peer settings;
*) winbox - allow to specify "route-distance" in "dhcp-client" if "special-classless" mode is selected;
*) winbox - allow to specify certificate type when exporting it;
*) winbox - allow to specify interfaces that CAPsMAN can use for management;
*) winbox - allow unhide SNMP passwords;
*) winbox - allowed to specify static-dns as list;
*) winbox - do not allow Packet Sniffer "memory-limit" and "file-limit" lower than 10KiB;
*) winbox - do not create time field when copying CAPsMAN access list entry;
*) winbox - do not show "dpd-max-failures" on IKEv2;
*) winbox - do not show empty LTE fields in Info menu;
*) winbox - do not start Traffic Generator automatically when opening "Quick Start";
*) winbox - do not try to disable dynamic items from firewall tables;
*) winbox - fixed "Montly" typo to "Monthly" in Graphing menu;
*) winbox - fixed CAPsMAN channels frequency (allow to specify a list of them);
*) winbox - fixed IPSec "mode-config" DNS settings;
*) winbox - fixed issue when working IPSec policies were shown as invalid;
*) winbox - fixed misleading error when trying to export certificate;
*) winbox - fixed typo in BGP advertisements menu Aggragator->Aggregator;
*) winbox - hide "wps-mode" & "security-profile" in wireless nv2 mode;
*) winbox - hide health menu on RB450;
*) winbox - improved "/tool torch";
*) winbox - increased maximal number of Winbox sessions 20->100;
*) winbox - properly name CAP Interface on new interface creation;
*) winbox - properly show "dhcp-server" warnings;
*) winbox - properly show IPSec "installed-sa" "enc-algorithm" when it is aes-gcm;
*) winbox - properly show wireless registration table stat counters;
*) winbox - removed "sfp-rate-select" setting from ethernet interface;
*) winbox - removed unnecessary "/system health" menu on "hAP ac lite";
*) winbox - set default "dhcp-client" "default-route-distance" value to 1;
*) winbox - show "A" flag for IPSec policies;
*) winbox - show "H" flag for IPSec installed SAs;
*) winbox - show PoE-OUT current, voltage and power only on devices which can report these values;
*) wireless - added Egypt 5.8 country settings;
*) wireless - added PEAP authentication support for wireless station mode;
*) wireless - apply broadcast bit to DHCP requests when using "station-pseudobridge" mode;
*) wireless - do not allow equal MAC addresses between multiple Virtual APs when same "master-interface" is used;
*) wireless - fixed RBSXT5HacD2nr2 small channel support;
*) wireless - fixed crash while running "spectral-scan";
*) wireless - fixed dynamic wireless interface removal from bridge ports when changing wireless mode;
*) wireless - fixed false positive DFS radar detection caused by iPhone 6s devices;
*) wireless - fixed issue when wireless interfaces might not show up in CAP mode;
*) wireless - fixed occasional crash on interface disabling;
*) wireless - fixed rare crash on nv2 configurations;
*) wireless - fixed rare wireless ac interface lockup;
*) x86 - added support for NVMe SSD disk drives;


Re: v6.39 [current]

Posted: Fri Apr 28, 2017 4:05 pm
by raffav
Cool
Very big changelog
In the near future the changelog will be in a book :lol:

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 4:19 pm
by kostikbel
On CRS125, console spits the following:
loading kernel... OK
setting up elf image... OK
jumping to kernel code
Starting...
chmod: /flash/rw/run/netns: No such file or directory
Starting services...
Is this something to worry about?

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 4:52 pm
by strods
kostikbel - This is a harmless message. It shows up on upgrade. There is no need to worry about it at all.

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 6:14 pm
by cheeze
WOW....

Awesome, well done.

Let's hope bugs are minimal on it.

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 8:31 pm
by Cha0s
Enable/Disable buttons and key shortcuts (enable/disable) on anything BGP related (instances, peers, filters, etc), stopped working on winbox 2.

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 8:35 pm
by dadoremix
Minimum version is 3.11 winbox



Re: v6.39 [current]

Posted: Fri Apr 28, 2017 8:39 pm
by Cha0s
Minimum version is 3.11 winbox
That refers to winbox 3.

There have been multiple 'minimum versions' requirements in previous releases but that always refers to Winbox 3 since Winbox 3 doesn't download the dlls from the router as winbox 2 does. So the winbox client must be up to date to be able to connect to the router.

Winbox 2 does not work this way. It's just a loader. It downloads the specific version dlls from the router. If winbox 2 was not supported anymore the router wouldn't even provide any dlls for winbox 2 to be able to connect.

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 9:02 pm
by joaoalberto
Great! Starting tests... :D

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 10:08 pm
by ivugrinec
Hi,

I am interested in this change log entry:

!) bridge - reverted bridge BPDU processing back to pre-v6.38 behaviour; (v6.40 will have another separate VLAN-aware bridge implementation);

What happened? Is there a thread about this?

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 10:19 pm
by pe1chl
Updated an LHG5 from 6.35.4 to 6.39
Came back to default IP address after reboot.
Used Quickset to set a different IP... now is unreachable.
I have seen a similar problem on another LHG5, address in the Neighbor discovery packets is 0.0.0.0
and it shows as empty on the list in another router, mac-telnet does not work.
After powercycle it is back at defaults again.
I think it indicates the flash is corrupted and it requires a netinstall.
Is there any way to "reboot to netinstall" from the "running" version without having to press the button?
(the device is mounted on the roof...)

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 10:28 pm
by andriys
Is there any way to "reboot to netinstall" from the "running" version without having to press the button?
Try this:
/system routerboard settings set boot-device=try-ethernet-once-then-nand
/system reboot

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 10:32 pm
by Brightstar
Pretty serious issue for RB3011 users that have "tried" to repartition on past versions renders the router unbootable with a kernel corruption and bootloop.

When I first got the RB3011 my first thing was to re-partition to 2 partitions so that I can keep a backup before any updates. Didn't work! (As we know)
Now, with this new version I saw that it was fixed in the release notes so I thought fantastic! I shall update!

However, it seems that my past attempts must have done something because when I consoled into the router and checked the partitions it was showing 2!

So I tried swapping partitions, nothing. Didn't work. The fix is to go into the repartition menu via console and change the partition number back to 1 partition. Once done the router rebooted and loaded up fine.

Then I tested in winbox the repartition to 2 and that works fine. Though the display doesn't show the version loaded, it's blank and copy to other partition shows part. Probably just a display error as the router is working fine.

So, a suggestion for the devs. On RB3011 devices, when upgraded to this new version, it should FORCE the partition count to 1 to prevent this issue!

Cheers,
Neil

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 10:43 pm
by pe1chl
Is there any way to "reboot to netinstall" from the "running" version without having to press the button?
Try this:
/system routerboard settings set boot-device=try-ethernet-once-then-nand
/system reboot
Thanks, that sounds like a good way!

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 11:27 pm
by Lakis
Winbox Wireless Security profile missing

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 11:50 pm
by kellogs
Upgraded to this version and my BGP stopped passing traffic!

Had to revert back

Re: v6.39 [current]

Posted: Fri Apr 28, 2017 11:50 pm
by dash
Same issue with RB3011 as reported by Brightstar, bootloop on RB3011 after updating it to 6.39

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 7:18 am
by Cha0s
Same issue with RB3011 as reported by Brightstar, bootloop on RB3011 after updating it to 6.39
Same here.

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 9:47 am
by Njumaen
Same issue with RB3011 as reported by Brightstar, bootloop on RB3011 after updating it to 6.39
Same here.
Here as well.

Due to the previous posts I was alerted and got my W10 notebook loaded with netinstall and both stable and current .npk at hand.
Thanks to the FSM, I did daily config backups on an attached SSD (where the Dude's database is), so a netboot of 6.39 and restore of the latest config was really easy!

I'm one of those guys who tried to create a partition "in the old days"... Just my luck.. ;-)

No other problems so far...

Ralf.

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 10:18 am
by irghost
loading kernel... OK
setting up elf image... OK
jumping to kernel code
ERROR: no system package found!
Kernel panic - not syncing: Attempted to kill init!
Rebooting in 1 seconds..

RouterBOOT booter 3.33

RouterBoard 2011UiAS-2HnD

CPU frequency: 600 MHz
 Memory speed: 200 MHz
  Memory size: 128 MiB
    NAND size: 128 MiB

Press any key within 5 seconds to enter setup.....

RB2011 Does Not BOOT after Upgrade

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 10:38 am
by bbs2web
You can review correspondence in the following post:
viewtopic.php?f=1&p=594913
Hi,
!) bridge - reverted bridge BPDU processing back to pre-v6.38 behaviour; (v6.40 will have another separate VLAN-aware bridge implementation);
What happened? Is there a thread about this?

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 10:55 am
by girtsu
RB1100AHx2 multiple public addresses on ethernet 12, after upgrade only some of them are reachable. Packet sniffer shows incoming traffic to eth12/respective IP but no activity in mangle prerouting. Before upgrade and after downgrade (from 6.37.5(stable)) all is working fine.

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 11:45 am
by SambathKEO
Here, there is trouble with port forwarding on a 951Ui router board running RouterOS v6.39 (just updated). The story:

I currently use a Hikvision NVR with the settings below:
- IP address: 192.168.1.111 /24
- HTTP port: 80
- Server port: 8000
My router IP address: 192.168.1.1
My Public IP address: 36.37.xxx.123

Now the problem is that I need to remotely view my NVR using the public IP, but I cannot make the port forwarding work.
By the way, I am kind of unclear about port forwarding in MikroTik. Yet in the past, I used to make it work by just using a simple rule like this:

" chain=dstnat action=dst-nat to-addresses=192.168.1.111 to-ports=80 protocol=tcp dst-address=36.37.xxx.123 dst-port=80 "
Yet, this rule doesn't work now. Is there something that I missed? Could someone please help me solve this issue?
All help is appreciated!!!

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 12:39 pm
by mikruser
6.39 - another epic fail bugged version from mikrotik. Kill ipsec, kill sip-trunk.

Downgrade to 6.37.5, and all work fine.

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 1:28 pm
by Cha0s
Same issue with RB3011 as reported by Brightstar, bootloop on RB3011 after updating it to 6.39
Same here.
Here as well.

Due to the previous posts I was alerted and got my W10 notebook loaded with netinstall and both stable and current .npk at hand.
Thanks to the FSM, I did daily config backups on an attached SSD (where the Dude's database is), so a netboot of 6.39 and restore of the latest config was really easy!

I'm one of those guys who tried to create a partition "in the old days"... Just my luck.. ;-)

No other problems so far...

Ralf.
For me it was a little more complicated.
My daily backups did not work for some reason. When I tried to restore the backup it always said that the password was wrong. Even though the backup was created without a password.

I had to find an older backup before 6.38.5, restore that, then restore the latest backup. If I tried to restore the latest backup directly I always got 'bad password' error either on a 6.38.5 fresh netinstall or 6.39 fresh netinstall.

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 2:12 pm
by Marino
Here, there is trouble with port forwarding on a 951Ui router board running RouterOS v6.39 (just updated). The story:

I currently use a Hikvision NVR with the settings below:
- IP address: 192.168.1.111 /24
- HTTP port: 80
- Server port: 8000
My router IP address: 192.168.1.1
My Public IP address: 36.37.xxx.123

Now the problem is that I need to remotely view my NVR using the public IP, but I cannot make the port forwarding work.
By the way, I am kind of unclear about port forwarding in MikroTik. Yet in the past, I used to make it work by just using a simple rule like this:

" chain=dstnat action=dst-nat to-addresses=192.168.1.111 to-ports=80 protocol=tcp dst-address=36.37.xxx.123 dst-port=80 "
Yet, this rule doesn't work now. Is there something that I missed? Could someone please help me solve this issue?
All help is appreciated!!!
Shouldn't this be to-ports=8000? -> chain=dstnat action=dst-nat to-addresses=192.168.1.111 to-ports=80
You said your server hosts on port 8000

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 3:22 pm
by eddieb
Upgraded my 2011 to 6.39 without problems.
- IPSEC-IPSEC tunnel works,
- IPSEC-L2TP dial-in works,
- Firewall rulez works,
- DHCP works,
- CAPS-MAN (2x 962, 1x 2011) works ...
no problems so far

E.

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 3:32 pm
by Institor
HAP ac lite - After update I can't create SMB share on external drive (usb). Can somebody confirm that?

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 4:34 pm
by bratislav
Upgrade went well on RB750GL but DNS has gone berserk
NAME                    CPU        USAGE
firewall-mgmt                         3%
ethernet                            0.5%
console                               1%
dns                                  82%
firewall                            2.5%
networking                            2%
winbox                                3%
logging                               0%
management                            6%
routing                               0%
queuing                               0%
telnet                                0%
bridging                              0%
unclassified                          0%
total                               100%

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 5:54 pm
by blu33agl3
my hAP ac lite gone with bootloop after upgrade to 6.39
and my CHR too.

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 6:00 pm
by ivanfm
Updated some devices :

RouterBOARD wAP 2nD r2 : all configuration was lost, the device had to be reconfigured from scratch.
RB951 and 751 : without trouble.

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 7:14 pm
by doneware
Upgrade went well on RB750GL but DNS has gone berserk
check whether you're being used as an attack amplifier

look whether /ip dns cache is filled with junk entries
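
One way to run the check doneware suggests and then close the resolver to outside queries, as an added example that is not part of the original post. The WAN interface name "ether1" is an assumption; substitute the real uplink interface.

```routeros
# 1. Does the router answer DNS queries from other hosts at all?
#    allow-remote-requests=yes makes it a resolver for every host
#    the input chain lets through, including hosts on the Internet.
/ip dns print

# 2. Inspect the cache. Many entries for names that no LAN client
#    would ask for point to queries arriving from outside.
/ip dns cache print

# 3. Keep the resolver for the LAN but drop DNS arriving on the WAN side.
#    "ether1" is an assumed WAN interface name. These rules must sit
#    above any accept rule in the input chain that would match first.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 \
    action=drop comment="no DNS from WAN (udp)"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 \
    action=drop comment="no DNS from WAN (tcp)"

# 4. Rising packet counters on these two rules confirm that outside
#    hosts were querying the router.
/ip firewall filter print stats where comment~"no DNS from WAN"

# 5. Clear the junk entries once the rules are in place.
/ip dns cache flush
```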

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 7:48 pm
by andreeii
I just finished testing 6.39 release on 951G and hEX.

The hEX is the edge router and 951G is an ap/switch.

On the 951G I have an ip-camera connected on port 5 and the port is in a bridge with a vlan that goes to the main router; this vlan has a 10.x.x.x/24 subnet on it and the lan subnet is 192.x.x.x/24.

This configuration worked fine on 6.35 and previous versions; I could reach the ipcamera on the 10.x.x.x/24 subnet from my lan subnet. On 6.39 I could not connect to the ip-camera. The weird thing is that the camera was receiving DHCP settings but I could not ping or reach it.

If I set up a DHCP client on the bridge of the 951G that contains the port and vlan, it would receive an ip and I could now ping the camera from the 951G but still not from the network.

On port 5 of the 951G I connected a mAPlite and tried to see if there is something wrong with the camera, but I found the same behavior. The mAPlite was getting an ip from the DHCP server but I was not able to reach the lan or even the gateway on the 10.x.x.x/24 network.

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 8:20 pm
by SambathKEO
Here, there is trouble with port forwarding on a 951Ui router board running RouterOS v6.39 (just updated). The story:

I currently use a Hikvision NVR with the settings below:
- IP address: 192.168.1.111 /24
- HTTP port: 80
- Server port: 8000
My router IP address: 192.168.1.1
My Public IP address: 36.37.xxx.123

Now the problem is that I need to remotely view my NVR using the public IP, but I cannot make the port forwarding work.
By the way, I am kind of unclear about port forwarding in MikroTik. Yet in the past, I used to make it work by just using a simple rule like this:

" chain=dstnat action=dst-nat to-addresses=192.168.1.111 to-ports=80 protocol=tcp dst-address=36.37.xxx.123 dst-port=80 "
Yet, this rule doesn't work now. Is there something that I missed? Could someone please help me solve this issue?
All help is appreciated!!!
Shouldn't this be to-ports=8000? -> chain=dstnat action=dst-nat to-addresses=192.168.1.111 to-ports=80
You said your server hosts on port 8000
Dear Marino, thanks for your reply. Indeed, I did forwarding for both port 80 and 8000, yet it doesn't work.
Anyway, I just found out another thing: I can remote to my NVR when I connect my device (PC or phone) to another network such as mobile data or another Wi-Fi. This means the port forwarding is partly working. The real problem is that I cannot remote to the NVR when my device and NVR are in the same network. So what is the problem?
Any further comments are appreciated

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 8:34 pm
by Cha0s
I just found out another thing: I can remote to my NVR when I connect my device (PC or phone) to another network such as mobile data or another Wi-Fi. This means the port forwarding is partly working. The real problem is that I cannot remote to the NVR when my device and NVR are in the same network. So what is the problem?
The problem is that you need NAT Loopback or NAT Hairpinning for this to work from within the same subnet.
Your rules most likely do not cover this and the latest update definitely did not cause that.

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 8:46 pm
by pazda
Upgraded couple of devices: cAP2n, mAP Lite, wAPac, 3011, 750, x86 Alix and all without any issue.
Services like CAPsMAN, DHCP, OVPN, firewall, NTP... etc. no problems :)

Re: v6.39 [current]

Posted: Sat Apr 29, 2017 9:54 pm
by Marino
Here, there is a trouble about Port Forwarding with 951Ui router board running Router OS v6.39(just updated). The story:

I currently use a Hikvision NVR with the setting below:
- IP address: 192.168.1.111 /24
- HTTP port: 80
- Server port: 8000
My router IP address: 192.168.1.1
My Public IP address: 36.37.xxx.123

Now the problem is that I need to remote view my NVR using the public IP, but I cannot make the port forwarding work.
By the way, I am not so clear about port forwarding in MikroTik. Yet in the past, I used to make it work by just using a simple rule like this:

" chain=dstnat action=dst-nat to-addresses=192.168.1.111 to-ports=80 protocol=tcp dst-address=36.37.xxx.123 dst-port=80 "
Yet this rule doesn't work now. Is there something that I missed? Please, someone help me solve this issue.
All the help is appreciated!!!
Shouldn't this be to-ports=8000? -> chain=dstnat action=dst-nat to-addresses=192.168.1.111 to-ports=80
You said your server hosts on port 8000
Dear Marino, thanks for your reply. Indeed, I did forwarding for both port 80 and 8000, yet it doesn't work.
Anyway, I just found out another thing: I can remote to my NVR when I connect my device (PC or phone) to another network such as mobile data or another Wi-Fi. This means the port forwarding is partly working. The real problem is that I cannot remote to the NVR when my device and NVR are in the same network. So what is the problem?
Any further comments are appreciated
Hi, herewith an example of NAT hairpin for your subnet:

chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24 out-interface=<your lan interface> log=no

Place it before the other nat rules. Hope this helps.
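The packet walk behind the hairpin diagnosis and the masquerade rule above, as an added example that is not part of any post: a small Python model of the dst-nat rule and the LAN-to-LAN srcnat rule, showing which reply the client accepts. The public address, client addresses and source port are constructed placeholders; the LAN, router and NVR addresses are the ones given in the thread.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from the thread, except where marked as constructed.
LAN = ip_network("192.168.1.0/24")
ROUTER_LAN_IP = "192.168.1.1"
NVR_IP = "192.168.1.111"
PUBLIC_IP = "203.0.113.10"    # constructed placeholder for the elided public address
LAN_CLIENT = "192.168.1.50"   # constructed
WAN_CLIENT = "198.51.100.7"   # constructed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def dstnat(pkt: Packet) -> Packet:
    """The port-forward rule: public address, TCP port 80 -> NVR port 80."""
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return replace(pkt, dst=NVR_IP)
    return pkt


def hairpin_masquerade(pkt: Packet) -> Packet:
    """The srcnat rule: LAN -> LAN traffic leaves with the router's LAN address."""
    if ip_address(pkt.src) in LAN and ip_address(pkt.dst) in LAN:
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt


def connect(client_ip: str, hairpin: bool) -> dict:
    """Follow one request to the public address and the reply that comes back."""
    request = Packet(client_ip, 40000, PUBLIC_IP, 80)
    at_nvr = dstnat(request)
    if hairpin:
        at_nvr = hairpin_masquerade(at_nvr)

    # The NVR answers whatever source address it saw.
    reply = Packet(at_nvr.dst, at_nvr.dport, at_nvr.src, at_nvr.sport)

    # A reply addressed to another LAN host is switched directly and never
    # passes the router, so nothing undoes the destination translation.
    direct = ip_address(reply.dst) in LAN and reply.dst != ROUTER_LAN_IP
    if not direct:
        # Through the router, connection tracking reverses both translations.
        reply = Packet(request.dst, request.dport, request.src, request.sport)

    # The client only accepts a reply from the address and port it connected to.
    accepted = (reply.src, reply.sport) == (request.dst, request.dport)
    return {"accepted": accepted, "reply_src": reply.src, "nvr_saw": at_nvr.src}


if __name__ == "__main__":
    for name, ip, hp in [("WAN client", WAN_CLIENT, False),
                         ("LAN client, no hairpin", LAN_CLIENT, False),
                         ("LAN client, hairpin", LAN_CLIENT, True)]:
        print(name, connect(ip, hp))
```

With the hairpin rule in place the NVR sees every LAN client as 192.168.1.1, so its own access log no longer identifies which internal host connected; that attribution has to come from the router.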

Re: v6.39 [current]

Posted: Sun Apr 30, 2017 1:58 am
by MTeeker
Just updated to 6.39 from 37.5. on RB2011UiAS-2HnD-IN. It went smoothly.
It's nice to see IP Cloud (DDNS) start working again. It has been broken for quite a while....

It could be irrelevant but I always ensure that all filename.npk (extracted from relevant zip), when placed under Files List tab, are shown with proper icons (red arrow) before I do a System Reboot to flash new firmware (this is my preferred way). I don't recall having an issue with flashing new firmware to date.


Re: v6.39 [current]

Posted: Sun Apr 30, 2017 11:29 am
by dash
The Routerboard settings are not being stored. I tried to change the boot device setting. After a reboot the previous setting has been restored. Also the "reformat hold button" time is set to 00:00:00 every time after reboot, even though 00:00:00 is not an accepted value.

Not sure if this is a version related issue...

Re: v6.39 [current]

Posted: Sun Apr 30, 2017 11:59 am
by dadoremix
I have
Hex3 with vlans upgrade ok
Rb435g upgrade ok
Sxt lite2 p2p link upgrade ok
Rstp bridge working


Sent from my iPhone using Tapatalk Pro

Re: v6.39 [current]

Posted: Sun Apr 30, 2017 2:42 pm
by bratislav
Upgrade went well on RB750GL but DNS has gone berserk
check whether you're being used as an attack amplifier

look whether /ip dns cache is filled with junk entries
Actually you are right ... on that particular router I forgot to close input from internet ... and it was literally bombarded by millions of DNS requests ...
Thanks ...

Re: v6.39 [current]

Posted: Sun Apr 30, 2017 2:57 pm
by rea0056
Hi,

Can somebody explain this: "ppp - implemented internal algorithm for "change-mss", no mangle rules necessary;"? Because now I'm still using mangle to modify TCP MSS.

Cheers,
Faiz

Re: v6.39 [current]

Posted: Sun Apr 30, 2017 3:43 pm
by vitaly2016
Yesterday upgraded my RB3011 from 6.38.5 to 6.39. All works good.
Then I upgraded a lot of wAP, wAP-ac, mAP, cAP and other access points via RB3011's CAPSMAN.
All access points upgraded successfully.

Re: v6.39 [current]

Posted: Sun Apr 30, 2017 4:32 pm
by ahteran
Upgraded 6.38.5 to 6.39
No problem on RB450 and RB433

Re: v6.39 [current]

Posted: Sun Apr 30, 2017 4:50 pm
by bbs2web
We've upgraded a variety of devices without issues (CCR1036-12G-4S, CCR1036-8G-2S+, CHR, x86, RB433GL RB411U, hAP ac, 750Gr2, 750Gr3) which utilise MPLS, VPLS, BGP, OSPF, bridging, L2TP (server & client), etc...

We have however noticed that a CHR router appears to be restarting its SNMP process almost exactly once an hour and is sending warmStart SNMP traps, herewith a sample:
15:07:09 2017/04/30 ZBXTRAP 1.1.1.36
PDU INFO:
  contextEngineID                <80>^@:<8C>^D1101
  notificationtype               TRAP
  version                        3
  receivedfrom                   UDP: [1.1.1.36]:35807->[1.1.1.26]
  errorstatus                    0
  messageid                      1250437036
  securitylevel                  3
  securityEngineID               <80>^@:<8C>^D1101
  securityName                   hidden-core-profile1
  contextName
  securitymodel                  3
  transactionid                  444
  errorindex                     0
  requestid                      1705408997
VARBINDS:
  DISMAN-EVENT-MIB::sysUpTimeInstance type=67 value=Timeticks: (505) 0:00:05.05
  SNMPv2-MIB::snmpTrapOID.0      type=6  value=OID: SNMPv2-MIB::warmStart
Device's uptime:
> sys resource print 
                   uptime: 6h16m45s
                  version: 6.39 (stable)
Device's clock:
> sys clock print 
                  time: 15:44:12
                  date: apr/30/2017
SNMP process uptime is 5.05 seconds, although system uptime is several hours. We monitor 1962 SNMP items every 60 seconds where Zabbix groups SNMP queries together (i.e. not querying every SNMP OID individually).

Re: v6.39 [current]

Posted: Sun Apr 30, 2017 5:10 pm
by FIPTech
*) dhcpv4-server - added "lease-hostname" script parameter;


Cannot get this variable to work. Other previously available variables are working.

It would be useful if lease-scripts could execute when the IP is not renewed by the client, so that we can easily remove a DNS entry.

I tried to use
 :if ($leaseBound = 0)
for this but it does not work.

In the meantime here is a workaround to get the hostname:
# Write DNS record for DHCP lease

:local topdomain;
:local hostname;

# Top domain
:set topdomain "mydomain.fr";

/ip dhcp-server lease;
        
    :set hostname ([get [find address=$leaseActIP] host-name]);

:if ($leaseBound = 1) do={

/ip dns static add name=($hostname . "." . $topdomain) address=$leaseActIP;
    
}
This line using the new lease-hostname parameter does not work :
/ip dns static add name=($lease-hostname . "." . $topdomain) address=$leaseActIP;

Re: v6.39 [current]

Posted: Sun Apr 30, 2017 8:02 pm
by beef
(admin please delete) --- Turns out my ISP authentication server borked at the same time I updated FW and I assumed the wrong thing.

Re: v6.39 [current]

Posted: Sun Apr 30, 2017 11:59 pm
by miharoot

Re: v6.39 [current]

Posted: Mon May 01, 2017 1:04 am
by zakynthoswifi
Please make the 10sec keep alive timeout from pppoe unselectable

Re: v6.39 [current]

Posted: Mon May 01, 2017 12:12 pm
by jezekus
RB SXT 5HPnD - upgrade from 6.38.5 to 6.39 successful

RB 751U-2HnD - upgrade from 6.38.5 to 6.39 router keeps reloading default configuration after every reboot, tried reflashing, setting from scratch, but after reboot configuration is wiped and default is loaded - this is really bad.

Reverting to 6.38.5

Re: v6.39 [current]

Posted: Mon May 01, 2017 2:15 pm
by ditonet
@FIPTech
:local leaseHostName;
:set leaseHostName $"lease-hostname";
Then use 'leaseHostName' variable instead of 'lease-hostname'.

HTH,

Re: v6.39 [current]

Posted: Mon May 01, 2017 4:14 pm
by senawalker
Sir i have problem

rules p2p block bit torrent its gone...

some one can help me fix then?

dont say downgrade sir... i need solution for renew OS 6.39 thanks you

Re: v6.39 [current]

Posted: Mon May 01, 2017 4:21 pm
by willglynn
:cry: :cry: :cry: :cry:

Killed my RB2011iL. I managed to downgrade it but it still locks up as soon as a LAN device tries to access WAN.

If I hard reset to factory; will my saved backup config still be there?
I have an RB2011 that never came back from the upgrade. On-site personnel report the screen is stuck at "loading kernel". Working on serial access now.

Re: v6.39 [current]

Posted: Mon May 01, 2017 4:36 pm
by pe1chl
Sir i have problem

rules p2p block bit torrent its gone...

some one can help me fix then?

dont say downgrade sir... i need solution for renew OS 6.39 thanks you
Those rules did not work anyway.
It is not easy to block such things due to advances in the protocols to avert blocking.

Re: v6.39 [current]

Posted: Mon May 01, 2017 5:01 pm
by CMNET
Just upgraded one of my 15 RB2011 routers to v6.39... totally crashed. Was not able to log back into it without driving to the site. Upon re-accessing it everything in the programming was wiped back to default. Took multiple tries to get the IP address set to static, kept reverting to automatic. Once I got it to stay I was able to get it to downgrade to 6.37 bugfix. Never had this issue with an OS upgrade, what's up?

I actually "killed the cat" twice! Once at the site after the first downgrade and got the router back working, I attempted to do the upgrade again, assuming there must have been a glitch the first time, NOPE! same issue. I am not able to send the issue to Mikrotik as is stated to do because when it wipes back to default the router can no longer access the internet.

Re: v6.39 [current]

Posted: Mon May 01, 2017 5:41 pm
by ulysses
Same here. Bricked my 2011. VERY frustrating. Had to work additional time to restore config on another router, it's on 6.34.5. What's happening? haven't you guys at Mikrotik tested it on the hardware?

Re: v6.39 [current]

Posted: Mon May 01, 2017 7:27 pm
by zojka
Sir i have problem

rules p2p block bit torrent its gone...

some one can help me fix then?

dont say downgrade sir... i need solution for renew OS 6.39 thanks you
Those rules did not work anyway.
It is not easy to block such things due to advances in the protocols to avert blocking.
Hi, I am also looking for a solution, run FW L7 instead of p2p matcher.

Re: v6.39 [current]

Posted: Mon May 01, 2017 8:03 pm
by pe1chl
L7 matching is becoming more and more difficult due to encryption, and the use of random portnumbers
makes it difficult to apply it to a limited part of the traffic. That results in performance problems and
false positives on traffic you did not want to filter.
I know it is an unwelcome message, but "blocking certain traffic" is becoming less and less viable.

Re: RE: Re: v6.39 [current]

Posted: Mon May 01, 2017 8:21 pm
by raffav
L7 matching is becoming more and more difficult due to encryption, and the use of random portnumbers
makes it difficult to apply it to a limited part of the traffic. That results in performance problems and
false positives on traffic you did not want to filter.
I know it is an unwelcome message, but "blocking certain traffic" is becoming less and less viable.
Agree,
There is hardware dedicated for that purpose.
The router was not designed to filter L7.

Sent from my XT1580 using Tapatalk

Re: v6.39 [current]

Posted: Tue May 02, 2017 1:21 am
by kdave
Upgrading wAP G-5HacT2HnD from 6.38.5 to 6.39 led to factory reset after reboot (I saw a similar report posted). The configuration was lost. Restoring from backup worked, but I observed subjective decrease of connection quality over wifi (noticeable lags, connections stuck). Downgrade to 6.38.5 worked and connection quality was ok again.

Re: v6.39 [current]

Posted: Tue May 02, 2017 4:07 am
by arturo
Issues spotted:

1) *CRITICAL* - the same as CMNET and ulysses:
- RB750Gr3 - updated correctly
BUT
- RBwAPG-5HacT2HnD - after upgrade configuration lost, seems router is not saving configuration - applying configuration changes works, but power loss or reboot option ends with factory configuration
- RB941-2ND - as above - after upgrade configuration lost, applying configuration changes works, but power loss or reboot option ends with factory configuration

2) Minor:
WebFig ->Quickset - Country selection
After setting any country, saving and reloading the page shows the country one further on the list. E.g. the default option "no_country_selected" is shown as "north_korea"; setting "poland" shows "portugal" after reloading.

Re: v6.39 [current]

Posted: Tue May 02, 2017 10:47 am
by pe1chl
I can confirm the above on several devices (mostly LHG5).
There is really something here that has to be fixed!

Re: v6.39 [current]

Posted: Tue May 02, 2017 11:27 am
by morituruz
!) firewall - discontinued support for p2p matcher (old rules will become invalid);
So how we should detect p2p traffic now?
p2p matcher with two-step method (add destination ip to address list and block/prioritize this list) is working very good for me.

Re: v6.39 [current]

Posted: Tue May 02, 2017 11:37 am
by Ansy
Updated 6.39 OK:
  • two hAP lite (smips RB941-2nD) devices
  • one RB751U-2HnD (mipsbe) device
  • one hEX (mmips RB750Gr3) device
But another hEX RB750Gr3 bricked into bootloop (BEEP, reboot, BEEP, reboot, ... ) and doesn't accept any control actions -- netinstall too.
What can I do with it? RMA?

Re: v6.39 [current]

Posted: Tue May 02, 2017 11:42 am
by normis
!) firewall - discontinued support for p2p matcher (old rules will become invalid);
So how we should detect p2p traffic now?
p2p matcher with two-step method (add destination ip to address list and block/prioritize this list) is working very good for me.
It's great that you think it did its job, but actually it was not doing anything.
It was broken for a long time, and was not actually capturing any modern p2p traffic, instead it was breaking some legitimate traffic.
You can make actually working rules with l7 filters:

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7

Re: v6.39 [current]

Posted: Tue May 02, 2017 11:50 am
by strods
This is applicable only for users using Webfig.

We have managed to reproduce problem with default configuration after reboot. We will try to fix this as soon as possible.
If you have only used Webfig on specific router and have never used CLI or Winbox on this device, then after upgrade/reboot device will be reset to default configuration.

Instructions to avoid this:
1) Connect to device through CLI or Winbox before upgrade to 6.39;
2) Reject default configuration;
3) Upgrade device.

Re: v6.39 [current]

Posted: Tue May 02, 2017 12:41 pm
by morituruz
It's great that you think it did its job, but actually it was not doing anything.
It's doing its job pretty well actually.
I just checked it again right now on 6.39rc41.

Rules disabled:
Image


Rules enabled:
Image

Re: v6.39 [current]

Posted: Tue May 02, 2017 1:14 pm
by Ansy
!) firewall - discontinued support for p2p matcher (old rules will become invalid);
So how we should detect p2p traffic now?
p2p matcher with two-step method (add destination ip to address list and block/prioritize this list) is working very good for me.
For BitTorrent traffic (sorry for video only -- that's not my content):
https://www.youtube.com/watch?v=diA-5e7TdZM
This is applicable only for users using Webfig.

We have managed to reproduce problem with default configuration after reboot. We will try to fix this as soon as possible.
If you have only used Webfig on specific router and have never used CLI or Winbox on this device, then after upgrade/reboot device will be reset to default configuration.

Instructions to avoid this:
1) Connect to device through CLI or Winbox before upgrade to 6.39;
2) Reject default configuration;
3) Upgrade device.
How about those who DID upgrade to 6.39 and have bricked/bootlooping devices?
Any special instructions to recover?

Re: v6.39 [current]

Posted: Tue May 02, 2017 1:56 pm
by strods
Ansy - This problem will reset configuration of device. It will not make device go into bootloop. If you have such problem, then write to support@mikrotik.com. Send backups, export files, supout file so we can try to trace the issue. If device has serial port, then connect to router through it and check what you can see on it.

Re: v6.39 [current]

Posted: Tue May 02, 2017 2:06 pm
by Koli
Hi Everyone
I have routerboard Hap Ac Lite RB952UI -5AC2ND. Today I updated to the new version 6.39 and after install
my router still reboots every second. Can't connect; I tried to boot with netinstall but it doesn't work.
Can you help please!!

Re: v6.39 [current]

Posted: Tue May 02, 2017 2:24 pm
by Cha0s
So how we should detect p2p traffic now?
Personally I haven't found any 100% reliable method without having to do some settings on each torrent client's PC (read below).
But I haven't looked into it the last 2-3 years to be honest, so there may be other solutions now.

The old p2p matcher that mikrotik had only worked for non encrypted bittorrent transfers, which AFAICT are pretty much non-existent nowadays.


What I ended up doing was configure Windows to set a custom DSCP (TOS) tag on all packets generated by uTorrent (or whatever application you want).
Then with a simple mangle rule I can match this DSCP and apply a custom packet mark which in turn is used in my queues.
It works flawlessly and it doesn't care about which ports the client is using or if it has encryption enabled.

A few months back I tried implementing the same solution on a Linux desktop but with little research I didn't find any way to do dscp tagging per process.
So it definitely isn't a universal solution, but it works for me :)

Re: v6.39 [current]

Posted: Tue May 02, 2017 3:16 pm
by morituruz
Thanks, I know about layer7 based solutions.
Personally I haven't found any 100% reliable method without having to do some settings on each torrent client's PC (read below).
But I haven't looked into it the last 2-3 years to be honest, so there may be other solutions now.
Nobody is talking about 100% but please take a look at screenshots in my comment #67 — only three simple rules almost stopped uploads in torrent client. No DSCP, no L7.

Re: v6.39 [current]

Posted: Tue May 02, 2017 3:22 pm
by Cha0s
Thanks, I know about layer7 based solutions.
Personally I haven't found any 100% reliable method without having to do some settings on each torrent client's PC (read below).
But I haven't looked into it the last 2-3 years to be honest, so there may be other solutions now.
Nobody is talking about 100% but please take a look at screenshots in my comment — only three simple rules almost stopped uploads in torrent client. No DSCP, no L7.
My solution does work 100% but it needs each PC on your network to set up Policy Based QoS via Group Policy editor to apply the DSCP tag.
It's not the easiest to set up and maintain, but since I implemented this about 4-5 years ago I've never ever had any problems with torrents being mis-classified by my firewall/queues. Actually this method doesn't even care if the traffic is bittorrent or not. It will limit whatever comes out of uTorrent.

I saw your screenshots but they mean nothing to me tbh. I can't see the full rules nor your exact configuration on qBittorrent.
Either way, encryption is the way to go and the old p2p matcher would have stopped working sooner or later anyway. The last 7 years it never worked for me with encryption enabled.

That said, if your goal is to block the bittorrent traffic instead of doing traffic shaping on it, then this has been solved for many years now without using the p2p matcher.. Search on the forum to find the relevant threads on the subject.

Re: v6.39 [current]

Posted: Tue May 02, 2017 3:27 pm
by irghost
loading kernel... OK
setting up elf image... OK
jumping to kernel code
ERROR: no system package found!
Kernel panic - not syncing: Attempted to kill init!
Rebooting in 1 seconds..

RouterBOOT booter 3.33

RouterBoard 2011UiAS-2HnD

CPU frequency: 600 MHz
 Memory speed: 200 MHz
  Memory size: 128 MiB
    NAND size: 128 MiB

Press any key within 5 seconds to enter setup.....

RB2011 Does Not BOOT after Upgrade

This Problem
please help
I recovered my RB2011 with netinstall
but I don't know what was wrong with my RB2011

Re: v6.39 [current]

Posted: Tue May 02, 2017 3:33 pm
by pe1chl
This is applicable only for users using Webfig.

We have managed to reproduce problem with default configuration after reboot. We will try to fix this as soon as possible.
If you have only used Webfig on specific router and have never used CLI or Winbox on this device, then after upgrade/reboot device will be reset to default configuration.
Ok that probably matches most of the cases where I have seen it fail. Good find!
However, note that there is not only the case of "back to default configuration" but also "no longer able to save any configuration".
Is that covered by this as well?

Re: v6.39 [current]

Posted: Tue May 02, 2017 3:52 pm
by rushlife
Big thanks for script on dhcp-client, it's handy.
BUT, what about script for "dhcp-client" integrated in ppp client / section ?

Thanks guys.

Re: v6.39 [current]

Posted: Tue May 02, 2017 3:55 pm
by myrolm
RB750r2: No openvpn interfaces after reboot, no certificates, device went back to defaults. After setup and reboot defaults again.

Re: v6.39 [current]

Posted: Tue May 02, 2017 4:14 pm
by ulysses
So, what should we do with the bricked devices? Downgrade? I am still to follow the netinstall route... Honestly, last thing I was planning to do on my holiday

Re: v6.39 [current]

Posted: Tue May 02, 2017 4:17 pm
by dadoremix
Try with netinstall
And again set as new
Do not restore old config, make it as new


Sent from my iPhone using Tapatalk Pro

Re: v6.39 [current]

Posted: Tue May 02, 2017 5:06 pm
by ZeroByte
*) dhcp-client - added "script" option which executes script on state changes;
FINALLY!

Now we can make actual stateful DDNS updates whenever they're needed instead of running a script every x minutes!

Lots of enhancements in this version. Kudos!

Re: v6.39 [current]

Posted: Tue May 02, 2017 5:26 pm
by dl1nux
Well, I should have read that thread before...

just upgraded my RB2011iL-RM yesterday evening, and it crashed...
Will have to go to the location to check what is broken, but I guess, after reading these posts, it has lost its config or I have to netinstall it.....
I always use winbox, also for upgrading (system packages online upgrade)

:-(

Re: v6.39 [current]

Posted: Tue May 02, 2017 6:54 pm
by FIPTech
@ ditonet

Thanks, I did forget to put " " around the lease-hostname variable :(

stupid error.

So the final working script to write a DNS record for each IP lease :

(note that this is a simplified script: it neither checks for nor deletes multiple DNS registrations, and it does not delete the DNS record when the IP is released.)
# DNS record for DHCP lease
:local topdomain;

# Configure your domain
:set topdomain "yourdomain.com";

:if ($leaseBound = 1) do={
/ip dns static add name=($"lease-hostname" . "." . $topdomain) address=$leaseActIP;
}
I would be interested to know if somebody succeeds in deleting a record when the IP is released.

This is something quite standard in DHCP clients (Dibbler for example), this could be coded inside Router OS for simplicity.

Re: v6.39 [current]

Posted: Tue May 02, 2017 7:33 pm
by alexcherry
Hi guys, we are developers of Radius software - splynx.com and it looks like Accounting STOP packets were broken in 6.39.
It was reported to us by several clients today. The issue is described below :

When Mikrotik stops the PPP session, it sends the wrong Framed-IP address (10.0.0.0). We work with the Framed-IP address as part of session identification, so our Radius cannot close the session correctly. In all previous versions the correct Framed-IP address always came back from Mikrotik to the Radius server.

Here is a correct START packet, where Framed-IP is the IP address of customer (192.168.102.5) :

START:
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 15728642
NAS-Port-Type = Ethernet
User-Name = "alex"
Calling-Station-Id = "C8:2A:14:2D:05:AE"
Called-Station-Id = "service1"
NAS-Port-Id = "ether3"
Acct-Session-Id = "81300002"
Framed-IP-Address = 192.168.102.5
Acct-Authentic = RADIUS
Event-Timestamp = "May 2 2017 18:15:50 CEST"
Acct-Status-Type = Start
NAS-Identifier = "NAS-SPLYNX"
Acct-Delay-Time = 0
NAS-IP-Address = 10.0.1.36

And here is a STOP packet with broken Framed-IP address :
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 15728642
NAS-Port-Type = Ethernet
User-Name = "alex"
Calling-Station-Id = "C8:2A:14:2D:05:AE"
Called-Station-Id = "service1"
NAS-Port-Id = "ether3"
Acct-Session-Id = "81300002"
Framed-IP-Address = 10.0.0.0
Acct-Authentic = RADIUS
Event-Timestamp = "May 2 2017 18:16:38 CEST"
Acct-Session-Time = 48
Idle-Timeout = 0
Session-Timeout = 0
X-Ascend-Data-Rate = 1000000
Ascend-Xmit-Rate = 1000000
X-Ascend-Data-Rate = 500000
Ascend-Data-Rate = 500000
Mikrotik-Rate-Limit = "500000/1000000 0/0 0/0 1/1 5 250000/500000"
Acct-Input-Octets = 55500
Acct-Input-Gigawords = 0
Acct-Input-Packets = 862
Acct-Output-Octets = 6912
Acct-Output-Gigawords = 0
Acct-Output-Packets = 54
Acct-Status-Type = Stop
Acct-Terminate-Cause = NAS-Request
NAS-Identifier = "NAS-SPLYNX"
Acct-Delay-Time = 0
NAS-IP-Address = 10.0.1.36
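A sketch of how an accounting consumer can survive the mismatch reported above, added here as an example and not Splynx's or MikroTik's code: it parses the two attribute dumps (abbreviated from the post) and matches Start to Stop on NAS-Identifier plus Acct-Session-Id, the attribute RFC 2866 defines for pairing start and stop records, while recording the Framed-IP-Address change as an anomaly. The class and function names are hypothetical.

```python
# Abbreviated from the two packets quoted in the post above.
START = """
User-Name = "alex"
Acct-Session-Id = "81300002"
Framed-IP-Address = 192.168.102.5
Acct-Status-Type = Start
NAS-Identifier = "NAS-SPLYNX"
"""

STOP = """
User-Name = "alex"
Acct-Session-Id = "81300002"
Framed-IP-Address = 10.0.0.0
Acct-Session-Time = 48
Acct-Status-Type = Stop
Acct-Terminate-Cause = NAS-Request
NAS-Identifier = "NAS-SPLYNX"
"""


def parse_attrs(text):
    """Parse 'Name = value' lines into a dict (a repeated attribute keeps its last value)."""
    attrs = {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip().strip('"')
    return attrs


def close_by_framed_ip(open_by_ip, stop):
    """Close a session looked up by Framed-IP-Address; returns it, or None if not found."""
    return open_by_ip.pop(stop.get("Framed-IP-Address"), None)


class SessionTable:
    """Open sessions keyed by (NAS-Identifier, Acct-Session-Id)."""

    def __init__(self):
        self.open = {}
        self.anomalies = []

    def handle(self, attrs):
        key = (attrs.get("NAS-Identifier"), attrs["Acct-Session-Id"])
        status = attrs["Acct-Status-Type"]
        if status == "Start":
            self.open[key] = attrs
            return "opened"
        if status == "Stop":
            start = self.open.pop(key, None)
            if start is None:
                self.anomalies.append((key, "Stop without a matching Start"))
                return "orphan-stop"
            old, new = start.get("Framed-IP-Address"), attrs.get("Framed-IP-Address")
            if old != new:
                # Close the session anyway, but keep evidence of the inconsistency.
                self.anomalies.append((key, f"Framed-IP-Address changed {old} -> {new}"))
            return "closed"
        return "ignored"


if __name__ == "__main__":
    start, stop = parse_attrs(START), parse_attrs(STOP)
    print("by Framed-IP:", close_by_framed_ip({start["Framed-IP-Address"]: start}, stop))
    table = SessionTable()
    print(table.handle(start), table.handle(stop), table.anomalies)
```

A session that never closes keeps accruing time and can block a re-login, so the anomaly list is worth alerting on rather than discarding.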

Re: v6.39 [current]

Posted: Tue May 02, 2017 8:27 pm
by FIPTech
Here is a slightly better script to add a DNS entry for each DHCP lease. Version 6.39 simplifies the script thanks to the new lease-hostname variable.

This one checks for existence of static DNS entries with the same fully qualified domain names or same addresses and deletes them before adding a new DNS entry, if necessary.
If a static DNS entry with the same domain name and same address as the lease exists, the script does not update the DNS server.

See https://wiki.mikrotik.com/wiki/Setting_ ... DHCP_lease for more information (old method, more processor hungry).

This script uses the DHCP server lease script function available recently.
# DNS record for DHCP lease

:local topdomain;
:local FullHostName;
:local NoUpdate false;


# Configure your domain
:set topdomain "yourdomain.com";

:if ($leaseBound = 1) do={

:set FullHostName ($"lease-hostname" . "." . $topdomain)

/ip dns static;

:foreach n in [find] do={
# If a static DNS entry is the same as the lease then leave it and mark to not Update it
:if (([get $n name] = $"FullHostName") and ([get $n address] = $leaseActIP)) do={
:set NoUpdate true;
} else={
# If some DNS entry with same fully qualified domain name or same address already exist remove it
:if (([get $n name] = $"FullHostName") or ([get $n address] = $leaseActIP)) do={
   :log info ("Removing from Static DNS : " . [get $n name] .  " @ " . [get $n address]);
    remove $n;
  }
 }
}
# Add new Static DNS Entry if necessary

:if ($NoUpdate = false) do={
:log info ("Adding to Static DNS : " . $"FullHostName" .  " @ " . $leaseActIP);
add name=($"lease-hostname" . "." . $topdomain) address=$leaseActIP;
 }
 
}

Re: v6.39 [current]

Posted: Tue May 02, 2017 9:35 pm
by arturo
This is applicable only for users using Webfig.

We have managed to reproduce problem with default configuration after reboot. We will try to fix this as soon as possible.
If you have only used Webfig on specific router and have never used CLI or Winbox on this device, then after upgrade/reboot device will be reset to default configuration.

Instructions to avoid this:
1) Connect to device through CLI or Winbox before upgrade to 6.39;
2) Reject default configuration;
3) Upgrade device.
Diagnosis: correct - problems with devices configured by Webfig
Solution: wrong/not working

Description:
RBwAPG-5HacT2HnD yesterday after multiple retries brought to normal operation by reverting to 6.38.5 firmware and reconfiguring to production configuration.
Following strods advice:
- connected to wAP ac via winbox
- winbox without asking reverted configuration of wAP to factory one
- upgraded to 6.39
- connected via Winbox to make initial changes
- configuration finalized via Webfig
- test through "Reboot" option - failed - wAp woke up with factory configuration
- downgrade to 6.38.5, reconfiguring everything, working again as supposed

Learning: if you don't want to be a beta tester and spend 4 hours of your time on finding the issues/solutions, wait at least 2 weeks before upgrading to a new version of firmware :-(

Re: v6.39 [current]

Posted: Tue May 02, 2017 10:05 pm
by moep
HAP ac lite - After update I can't create SMB share on external drive (usb). Can somebody confirm that?
can confirm with hEX and attached 1 TB USB SSD
also the existing shares are inaccessible!

please fix it :)

Re: RE: Re: v6.39 [current]

Posted: Tue May 02, 2017 11:17 pm
by kivimart
HAP ac lite - After update I can't create SMB share on external drive (usb). Can somebody confirm that?
can confirm with hEX and attached 1 TB USB SSD
also the existing shares are inaccessible!

please fix it :)
Same here on HapAC

Sent from my SM-G930F using Tapatalk

Re: v6.39 [current]

Posted: Wed May 03, 2017 2:30 am
by alphahawk
!) firewall - discontinued support for p2p matcher (old rules will become invalid);
So how we should detect p2p traffic now?
p2p matcher with two-step method (add destination ip to address list and block/prioritize this list) is working very good for me.
It's great that you think it did its job, but actually it was not doing anything.
It was broken for a long time, and was not actually capturing any modern p2p traffic, instead it was breaking some legitimate traffic.
You can make actually working rules with l7 filters:

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7
Normis, it actually worked with unencrypted p2p. That was all I really cared for. What I would be interested to know is how does an L7 filter perform compared to the p2p matcher?

Re: v6.39 [current]

Posted: Wed May 03, 2017 8:02 am
by mmmigoro
Running 2 BGP Full Routing Table here and 2 additional regional table on a CCR1036-12G-4S and after upgrade from v6.38 to v6.39 I noticed some CPU usage decrease. Previously one CPU core was always 100%, now with v6.39 it fluctuates between 85-95%.
Also power consumption is down by almost 1Wh (this grabbed my attention in the first place, then discovered the lower CPU usage).

Good job guys! Perhaps you can also let us know what was done in BGP area to lower the CPU usage?

Re: v6.39 [current]

Posted: Wed May 03, 2017 1:46 pm
by strods
Version 6.39.1 has been released:
viewtopic.php?f=21&t=121306