v6.45.1 [stable] is released!

rifkytech · Tue Jul 02, 2019 3:57 am

me to, but i have problem on api, i can connect with winbox, but i can't login with API ( wrong password ). why?
Do you use new login style in API?
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

yes, i am use it

rifkytech · Tue Jul 02, 2019 3:58 am

me to, but i have problem on api, i can connect with winbox, but i can't login with API ( wrong password ). why?
Do you use new login style in API?
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

I use CHR

elgrandiegote · Tue Jul 02, 2019 4:31 am

CHR --> "ERROR: wrong username or password" when I try to login with WinBox 3.18

it is seen that this version was not very tested....

berzerker · Tue Jul 02, 2019 5:56 am

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;

Since this is "as initiator," can I assume this isn't supported for running as a roadwarrior config?

If so, when is support for that coming, if at all?

lomayani · Tue Jul 02, 2019 7:11 am

this release is crashing ccr having vpls tunnels. Downgrading back to 6.44.3 no issue

Tue Jul 02, 2019 7:53 am

ludvik - On some specific and very rare case Ethernet interface on TILE routers could lock up. Now this problem is resolved;
ndbjorne, kobuki, smileymattj - Bugfix version (long-term) will be released as soon as possible;
eworm, matiaszon, toxmost, Stanleyssm, wpeople, petrb, lomayani - I recommend that you provide supout file to support@mikrotik.com in order to get more information about the problem that you are experiencing;
pacman88 - CRS3xx switches now can better handle traffic passing through the switch if interface speeds are different;
nmt1900 - Can you reproduce this problem once more? Actually. sounds that this was simply a coincidence and the problem was caused by something else besides static ARP entries;
raystream, nichky, LetMeRepair, proximus, Cha0s, 3bs, Vlad2, sterod, mserge, STEVEUK1, elgrandiegote - We can not seem to reproduce the problem with Winbox login. Can you provide more details? From which version did you upgrade your router? Do you, for example, use RADIUS for Winbox authorisation?
SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);
rifkytech, bleblas, marcperea, mducharme, nerxu, jwilkinson6028 - If you cannot login into your router by using API please make sure that you have updated API authentication script (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
anav - Is this problem related to RouterOS v6.45.1 or this is simply a configuration related question?
OndrejHolas - We will resolve this problem as soon as possible;
markos222 - Currently fix is available only in v6.45. Fix will be backported to long-term versions aswell;
adonato - MIPS and MMIPS are two differnet architectures. Is it RB750 or RB750Gr3? Please name precise model.

mkx · Tue Jul 02, 2019 7:57 am

Hello I have a Router RB 750 and when I tried to update from winbox or donwloading the file from mikrotik
after I rebot, I get this message:

" system,error can not install routeros-mipsbe-6.45.1: it is not made for m
mips, but for mips "

Some know what to do?

Which particular RB750 ... the old RB750UP which is MIPSBE, or the new hEX (RB750Gr3) which is MMIPS or some other RB750 which might be MIPS? You can check it by running command /system resource print (it's in the architecture-name field).

Or are you using the built-in way of upgrading (/system package update install)?

3bs · Tue Jul 02, 2019 8:10 am

raystream, nichky, LetMeRepair, proximus, Cha0s, 3bs, Vlad2, sterod, mserge, STEVEUK1, elgrandiegote - We can not seem to reproduce the problem with Winbox login. Can you provide more details? From which version did you upgrade your router? Do you, for example, use RADIUS for Winbox authorisation?

Upgraded from version 6.44.3, no RADIUS, internal authorisation.

SimWhite · Tue Jul 02, 2019 8:12 am

SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);

GRE up and running now on the both sides.

Tue Jul 02, 2019 8:31 am

3bs - Can you please:

1) Try to log into your router by using Winbox;
2) See that authentication fails;
3) Log into your router by another method;
4) Generate supout file;
5) Download file from the router;
6) Send this file to support@mikrotik.com?

Abdock · Tue Jul 02, 2019 8:39 am

Have tried to download few times all_packages-mmips-6.45.1 when extracting it says director is empty.

3bs · Tue Jul 02, 2019 8:59 am

3bs - Can you please:

1) Try to log into your router by using Winbox;
2) See that authentication fails;
3) Log into your router by another method;
4) Generate supout file;
5) Download file from the router;
6) Send this file to support@mikrotik.com?

Sent.

emils · Tue Jul 02, 2019 9:03 am

all_packages-mmips-6.45.1.zip should be working now.

jvparis · Tue Jul 02, 2019 9:13 am

Using a SXTsq 5 ac with v6.45.1 the only installation-type that is available when using frequency-mode-regulatory-domain is "outdoors". Can I no longer legally use this device indoors and profit from the wider frequency spectrum? I already know the workaround using superchannel...

Cetalfio · Tue Jul 02, 2019 9:22 am

In the new version of ROS no problem logging on to a RB750 r2 via ssh and Winbox and also mac-telnet, access is right from the local LAN network. If instead I try on an LHG associated as a wireless station to an AP 921, access is possibile only via ssh. Winbox, telnet and mac-telnet do not work the error is: invalid Login and Password.
Cetalfio

Tue Jul 02, 2019 9:25 am

Everyone who is experiencing Winbox login problems, please:

1) Make sure that you use Winbox 3.18;
2) If you use Winbox 3.18, then close all of the Winbox applications (for example, reboot computer) and try again;
3) Check if you can log into your router over WEB interface (Webfig).

Tue Jul 02, 2019 9:30 am

jvparis - Which country have you selected? What happens, if you try to use this command "/interface wireless set [interface_name] country=[your_country] frequency-mode=regulatroy-domain installation=indoor"? What kind of an error do you get?

SimWhite · Tue Jul 02, 2019 9:36 am

SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);

strods, Could you tell is this a bug or a feature? Will it be fixed in the next updates or we should use such kind of rules started from 6.45.1?

jvparis · Tue Jul 02, 2019 9:37 am

jvparis - Which country have you selected? What happens, if you try to use this command "/interface wireless set [interface_name] country=[your_country] frequency-mode=regulatroy-domain installation=indoor"? What kind of an error do you get?

Hi strods!
country is germany. This is the error:

[admin@sxt-wds] <SAFE> /interface wireless set wlan1 country=germany frequency-mode=regulatory-domain installation=indoor 
failure: allowed installation type is outdoor

FogOfWar · Tue Jul 02, 2019 9:38 am

The login problem is major.
Two LHG-R-s, passwords do not match, even worse, via romon, blank password is accepted although password is set.
Downgraded either to 6.44.3 and 6.44.18 but problem persists. Via romon, password is not accepted, blank password IS accepted.
After logging in, when new terminal is opened, it will fail with wrong password (as it was blank for romon login). correct one is accepted.

Without downgrading, not any password in most interfaces was accepted. Only SSH accepted correct password.
Clear configuration , password change etc. did not change the behaviour.

This password store change needs a rollback ASAP.

petrb · Tue Jul 02, 2019 9:41 am

Hi normis,

please explane last line from log. Radius PD DHCPv6, Access-Accept receive but auth failed? What is that? No bindings in dhcpv6. Works in 6.44.3.

00:37:41 radius,debug,packet sending Access-Request with id 27 to 192.168.43.1:1812 
00:37:41 radius,debug,packet     Signature = 0x31ba2d3f58e4837ca33071255ad9bb62 
00:37:41 radius,debug,packet     NAS-Port-Type = 15 
00:37:41 radius,debug,packet     NAS-Port = 2199912456 
00:37:41 radius,debug,packet     Calling-Station-Id = 0xf09fc24af7e8 
00:37:41 radius,debug,packet     Called-Station-Id = "server1" 
00:37:41 radius,debug,packet     Delegated-IPv6-Prefix = ::/64 
00:37:41 radius,debug,packet     User-Name = "F0:9F:C2:4A:F7:E8" 
00:37:41 radius,debug,packet     User-Password = 0x00000000 
00:37:41 radius,debug,packet     NAS-Identifier = "RB4011-1" 
00:37:41 radius,debug,packet     NAS-IP-Address = 10.177.1.1 
00:37:41 radius,debug,packet received Access-Accept with id 27 from 192.168.43.1:1812 
00:37:41 radius,debug,packet     Signature = 0x883ffcd554726f9b161fde42cd81e7ad 
00:37:41 radius,debug,packet     Framed-IP-Address = 192.168.177.15 
00:37:41 radius,debug,packet     Framed-Route = "213.192.5.17/32 192.168.177.15 1" 
00:37:41 radius,debug,packet     MT-Rate-Limit = "5M/5M" 
00:37:41 radius,debug,packet     MT-Address-List = "neplatic" 
00:37:41 radius,debug,packet     Calling-Station-Id = "F0-9F-C2-4A-F7-E8" 
00:37:41 radius,debug,packet     Delegated-IPv6-Prefix = 2a01:5e0:30:1000::/60 
00:37:41 radius,debug received reply for 17:22 
00:37:41 dhcp,error item: radius authentication failed for f09fc24af7e8 ::/64: prefix changed ::/64 -> 2a01:5e0:30:1000::/60

Anumrak · Tue Jul 02, 2019 9:46 am

Impossile to upgrade hAP lite. Please fix this. All unnecessary features were disabled. It's not working.

nichky · Tue Jul 02, 2019 9:48 am

raystream, nichky, LetMeRepair, proximus, Cha0s, 3bs, Vlad2, sterod, mserge, STEVEUK1, elgrandiegote - We can not seem to reproduce the problem with Winbox login. Can you provide more details? From which version did you upgrade your router? Do you, for example, use RADIUS for Winbox authorisation?
Upgraded from version 6.44.3, no RADIUS, internal authorisation.

Same...Upgraded from version 6.44.3, no RADIUS, internal authorisation.
i upgrade on two devices,on one of them is okay other one no, and i'm not going to upgrade the rest of routers

Xymox · Tue Jul 02, 2019 10:15 am

4011 fail. Sorta. Its remote and started rebooting and being really weird. It would come up and seem fine, but then, go offline again..

For some reason it wont switch back to the partition with 6.44.3 in it. It shows A but when I reboot it does not switch back to it.

Its not up long enough to realy explore what is wrong. I was able to get the config backup off it, so, at least if need be I can setup another and send it out for swap out.

It was set to a higher CPU speed. Which has worked fine for 6 months, going back to the fact CPU speed after the upgrade to 6.45.1 might have fixed it.

Weird issue.

I did upgrade a bunch of CCRs and a few 2011's. No issues.. Just this one 4011..Which was overclocked..

nmt1900 · Tue Jul 02, 2019 10:31 am

It looks like Dude has problems with SNMP access.

snmpwalk to other Mikrotik device causes this to appear in log of target device

10:22:24 snmp,debug unsupported v3 security level 
10:22:24 snmp,debug v3 err: 0 unsupported security
10:22:24 snmp,debug bad packet

and snmpwalk times out. We have LibreNMS set up for monitoring and it works fine as it did before.SNMP is set up as v3 private access.

Dude is updated to 6.45.1. It is hard to say whether Dude is the problem or RouterOS on the device itself...

baragoon · Tue Jul 02, 2019 10:34 am

Openvpn broken on v6.45.1. Downgrading back to 6.44.3 and it works.
On client side logs observing this line repeatedly

openvpn[30190]: write to TUN/TAP : Invalid argument (code=22)

nerxu · Tue Jul 02, 2019 10:37 am

Winbox login problem, please:
winbox 3.18 - tools-clear cache WORK

API login problems, please:
change all script (lms,serwer,PHP...) - are you fu... crazy ? I must change all my programs

90% admins says now : F...

kanitelka · Tue Jul 02, 2019 10:44 am

Hi!
After updating, there was a problem.
I have two incoming channels - main and backup.
VPN (pptp and L2TP)
I can only connect to the backup channel (pptp or l2tp). The port is open on the main channel, the logs are empty
Settings and rules after the update did not change.

bleblas · Tue Jul 02, 2019 10:57 am

Winbox login problem, please:
winbox 3.18 - tools-clear cache WORK

API login problems, please:
change all script (lms,serwer,PHP...) - are you fu... crazy ? I must change all my programs
90% admins says now : F...

the problem is, we don't know what we need to change.

WTC · Tue Jul 02, 2019 11:02 am

hello,

after upgrade to 6.45.1 we were unable to login to CHR instance(We use it as package source) from clients using System -> AutoUpgrade -> Upgrade Package Sources. In log on CHR we had login failure.
On CHR after downgrade to 6.44.3 and restoring config from backup file. It's working. We won't update clients mikrotiks until this issue is addressed.

thnak you

Michael

Vlad2 · Tue Jul 02, 2019 11:04 am

1) (problem with authorization in WinBox after updating to 6.45.1)

And I have the same thing, routers 951, 952, 760. The old RouterBOARD cAP 2n access point and a number of other similar devices.
Radius is not present, settings usual, authorization standard internal, and on a number of devices, after updating - at an input the authorization error was written.
The right to counsel from the team Mikrotik: tried with 3 different computers, all copies of WinBox and closed and opened, two of the 3 computers have to be rebooted. But there is an authorization error (and there is the first time when connecting). Well other users see and read, also the error is present.
Simple decision: 3.19 release WinBox and to upgrade and reset to zero CACHE/cleaned automatically.

2) (problem with not being able to update firmware on RB941)
Hap Lite (RB941) - can't update it, it is to be away, on the disk of the router nothing, no files, no folders. Address-there are no sheets in memory, there is no load on the router. The router was rebooted twice, the error - there is not enough space for updating. I have the feeling(I think) that it is not enough just trivia, 100-150 kilobytes would be removed from the new firmware.
I cannot use NetInstall, the router to be far from me and I consider that the firmware has to be placed on an internal disk of a router and at least still kilobyte 50-90 has to remain. So that am asking team Mikrotik optimize firmware for architecture smips to RB941 can be was renew.
Well, no, so close the model and do not sell it already.

P.S.
People who have RB932 - check, maybe there is a problem with lack of disk space ?
And sorry for bad English

Tue Jul 02, 2019 11:05 am

Everyone who is experiencing problems with Winbox authorization - we will release a new Winbox loader with a fix for this problem as soon as possible. We are very sorry for any inconvenience caused.

llubik · Tue Jul 02, 2019 11:07 am

Hapac2 . . . Don't worry me anymore. What version, it infinitely L2TP_IPSec. It's really nervous. Failed to pre-process ph2 packet.

TimurA · Tue Jul 02, 2019 11:10 am

People who have RB932 - check, maybe there is a problem with lack of disk space ?
And sorry for bad English

hello, no problem on RB932, only RB941

and

that's where the developers were in a hurry? The problem with the 5ghz interface on the RB4011 has not been resolved. falls.

UMarcus · Tue Jul 02, 2019 11:16 am

Upgraded RB4011 from 6.44.3 to 6.45.1 - no issues
Well, actually there is one - the bridge MAC address has changed so the network discovery on Windows must be done again. In my case the bridge MAC addr is the same as for eth7 interface. Interesting what it depends on...
Best
Bam

Here same issue on 3 Devices upgraded from 6.44.3 to 6.45.1.

In my case this cause two major problems :
1. Static DHCP offer of DHCP Server didn't work because of changed MAC -> Login to know IP Address didn't work anymore because get no or a dynamic address from DHCP server
2. The Bridge get the MAC from the WLAN Interface which cause major porblem's in CAPSMAN configuration. There was a lot of 'receive packet from same interface, may loop' messages in the CPASMAN log. The cap client interface's repeatedly connect / disconnect from the CAPSMAN -> WLAN dead

I fix this issue by set the Admin MAC of each bridge manualy.

roe1974 · Tue Jul 02, 2019 11:16 am

@strods

I have same MAC adress on SFP+ and WLAN Interface 5G (QCA9984) ..... the 2.4GHz Interface has another MAC Adress.
The SFP+ Port is disabled, so do i need to do any changes/resets ?

regards, Richard

TimurA · Tue Jul 02, 2019 11:22 am

@strods

I have same MAC adress on SFP+ and WLAN Interface 5G (QCA9984) ..... the 2.4GHz Interface has another MAC Adress.
The SFP+ Port is disabled, so do i need to do any changes/resets ?

regards, Richard

reset wlan interface configuration

/interface wireless reset-configuration wlan1

dash · Tue Jul 02, 2019 11:59 am

System -> Auto Upgrade feature seems to be broken. Working fine with versions prior to 6.45.

I have a remote Router hosting ROS packages. Other mikrotik routers in the same network are scheduled to check if there is new ROS version on the remote (local network) Mikrotik router. With 6.45 this feature is not working anymore. Clients that want to update cant login anymore. On the remote router I see 'login failures' in the logfile each time a client tries to access it.
Already tried creating a new user and adding group 'full' to it, but with no success...

nuffrespect · Tue Jul 02, 2019 12:03 pm

SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);
strods, Could you tell is this a bug or a feature? Will it be fixed in the next updates or we should use such kind of rules started from 6.45.1?

The same question, Mikrotik-Team? Bug | Option | ?

Tue Jul 02, 2019 12:48 pm

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
Since this is "as initiator," can I assume this isn't supported for running as a roadwarrior config?

If so, when is support for that coming, if at all?

Road warrior client is always an initiator, so I do not see the reason why it shouldn't be supported.

Tue Jul 02, 2019 12:54 pm

nuffrespect - Actually bug was the fact that your tunnel did work before. Please see related changelog entry:

"conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160)"

sindy · Tue Jul 02, 2019 1:05 pm

Actually bug was the fact that your tunnel did work before.

I've always thought that the incoming GRE packets get accepted by the chain=input action=accept connection-state=established rule because the corresponding connection gets created by the locally originated GRE packet passing through chain output. What's wrong with this idea?

Tue Jul 02, 2019 1:10 pm

It is wrong if initiator is remote router.

spacex · Tue Jul 02, 2019 1:12 pm

It looks like Dude has problems with SNMP access.

snmpwalk to other Mikrotik device causes this to appear in log of target device
Code: Select all
10:22:24 snmp,debug unsupported v3 security level 
10:22:24 snmp,debug v3 err: 0 unsupported security
10:22:24 snmp,debug bad packet
and snmpwalk times out. We have LibreNMS set up for monitoring and it works fine as it did before.SNMP is set up as v3 private access.

Dude is updated to 6.45.1. It is hard to say whether Dude is the problem or RouterOS on the device itself...

I have that same problem

Anumrak · Tue Jul 02, 2019 2:34 pm

Everyone who is experiencing problems with Winbox authorization - we will release a new Winbox loader with a fix for this problem as soon as possible. We are very sorry for any inconvenience caused.

Hey. What about low capacity of space in hAP lite? Watever I did, it says not enough space. Every time.

serhio · Tue Jul 02, 2019 2:46 pm

RB1100AHx2 - after upgrade from 6.42.6 > 6.45.1, the router is very unstable. Self reboots on irregular intervals happen.

I tried to disable unnecessary packets (like IPv6, MPLS, Wireless or HotSpot) without any meaningful result.

I sent the email to the support team (with attached support.rif), but no response yet.

I'm considering rollback to 6.43.16 LTS. In addition, I will wait with updates on other devices.

In addition, the IPsec rules aren't transferred automatically and all tunnels went down. I needed to fix all of them manually.

pe1chl · Tue Jul 02, 2019 2:56 pm

SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);

I have always had this firewall rule, I presume it is fine as well?

add action=accept chain=input ipsec-policy=in,ipsec protocol=gre

(I have not upgraded yet, running 6.44.3 and this rule as a couple of matches about the same as our number of tunnels)

Chupaka · Tue Jul 02, 2019 3:19 pm

API login problems, please:
change all script (lms,serwer,PHP...) - are you fu... crazy ? I must change all my programs
90% admins says now : F...

If admins don't want to use more secure login - they simply don't upgrade RouterOS versions. If you upgrade RouterOS - what's the problem in upgrading your API library (it should be shared among all your scripts) too?

adonato · Tue Jul 02, 2019 3:23 pm

ludvik - On some specific and very rare case Ethernet interface on TILE routers could lock up. Now this problem is resolved;
ndbjorne, kobuki, smileymattj - Bugfix version (long-term) will be released as soon as possible;
eworm, matiaszon, toxmost, Stanleyssm, wpeople, petrb, lomayani - I recommend that you provide supout file to support@mikrotik.com in order to get more information about the problem that you are experiencing;
pacman88 - CRS3xx switches now can better handle traffic passing through the switch if interface speeds are different;
nmt1900 - Can you reproduce this problem once more? Actually. sounds that this was simply a coincidence and the problem was caused by something else besides static ARP entries;
raystream, nichky, LetMeRepair, proximus, Cha0s, 3bs, Vlad2, sterod, mserge, STEVEUK1, elgrandiegote - We can not seem to reproduce the problem with Winbox login. Can you provide more details? From which version did you upgrade your router? Do you, for example, use RADIUS for Winbox authorisation?
SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);
rifkytech, bleblas, marcperea, mducharme, nerxu, jwilkinson6028 - If you cannot login into your router by using API please make sure that you have updated API authentication script (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
anav - Is this problem related to RouterOS v6.45.1 or this is simply a configuration related question?
OndrejHolas - We will resolve this problem as soon as possible;
markos222 - Currently fix is available only in v6.45. Fix will be backported to long-term versions aswell;
adonato - MIPS and MMIPS are two differnet architectures. Is it RB750 or RB750Gr3? Please name precise model.

Hello I have a RouterBOARD 750G r3

uptime: 14h59m39s
version: 6.44.3 (stable)
build-time: Apr/23/2019 12:37:03
factory-software: 6.36.1
free-memory: 167.8MiB
total-memory: 256.0MiB
cpu: MIPS 1004Kc V2.15
cpu-count: 4
cpu-frequency: 880MHz
cpu-load: 6%
free-hdd-space: 172.0KiB
total-hdd-space: 16.3MiB
write-sect-since-reboot: 146662
write-sect-total: 84183238
bad-blocks: 0%
architecture-name: mmips
board-name: hEX
platform: MikroTik

boquepasha · Tue Jul 02, 2019 3:29 pm

Greetings!

We've observed similar behaviour with a customer of ours who has a RouterBOARD LHG 5nD, but not quite the same. We had mac-telnet access before upgrading routerOS to 6.45.1. After the upgrade, we can no longer log in by mac-telnet login, but we can through any other method, including Winbox. We've tried disabling and enabling the mac-telnet server to no avail. After downgrading to 6.44.3 (and restoring the missing password) we recovered mac-telnet access, as well as any other acces we had. So far we've stopped our upgrade schedule until this problem gets sorted out.

elgrandiegote · Tue Jul 02, 2019 3:35 pm

Hi strods,

i've upgraded several devices from version 6.44.3 (RB3011, RB2011) but the problem is with the CHR, however i can connect via ssh without problem,
I use WinBox 3.18 without RADIUS
regards

ludvik - On some specific and very rare case Ethernet interface on TILE routers could lock up. Now this problem is resolved;
ndbjorne, kobuki, smileymattj - Bugfix version (long-term) will be released as soon as possible;
eworm, matiaszon, toxmost, Stanleyssm, wpeople, petrb, lomayani - I recommend that you provide supout file to support@mikrotik.com in order to get more information about the problem that you are experiencing;
pacman88 - CRS3xx switches now can better handle traffic passing through the switch if interface speeds are different;
nmt1900 - Can you reproduce this problem once more? Actually. sounds that this was simply a coincidence and the problem was caused by something else besides static ARP entries;
raystream, nichky, LetMeRepair, proximus, Cha0s, 3bs, Vlad2, sterod, mserge, STEVEUK1, elgrandiegote - We can not seem to reproduce the problem with Winbox login. Can you provide more details? From which version did you upgrade your router? Do you, for example, use RADIUS for Winbox authorisation?
SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);
rifkytech, bleblas, marcperea, mducharme, nerxu, jwilkinson6028 - If you cannot login into your router by using API please make sure that you have updated API authentication script (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
anav - Is this problem related to RouterOS v6.45.1 or this is simply a configuration related question?
OndrejHolas - We will resolve this problem as soon as possible;
markos222 - Currently fix is available only in v6.45. Fix will be backported to long-term versions aswell;
adonato - MIPS and MMIPS are two differnet architectures. Is it RB750 or RB750Gr3? Please name precise model.

3bs · Tue Jul 02, 2019 3:37 pm

Hey. What about low capacity of space in hAP lite? Watever I did, it says not enough space. Every time.

Try uninstall additional packages, then update. After update install packages.

dakotabcn · Tue Jul 02, 2019 3:48 pm

I have downgraded to 6.44.3 the rb4011 with wifi due fails with L2TP connections
Mi computer connect with any problem, but other users no connect, the log report phase1 negotiation failed
Others router RB3011 have the same issue
All routers have NAT for Inet (the ftth/hfc router is wit NAT) and all computers have win8/10 with nat trasversal
This bug is vert bad, please repair

thx!

lenciso · Tue Jul 02, 2019 4:07 pm

I updated 2 RB2011 and 2 RB951 without problems.

berzerker · Tue Jul 02, 2019 4:08 pm

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
Since this is "as initiator," can I assume this isn't supported for running as a roadwarrior config?

If so, when is support for that coming, if at all?
Road warrior client is always an initiator, so I do not see the reason why it shouldn't be supported.

Well, I'm receiving an error trying to add an identity for IKEv2 w/ EAP-TLS authentication, saying it's only supported as a client.

[admin@RB4011] /ip ipsec identity> add peer=ikev2 auth-method=eap eap-methods=eap-tls remote-certificate=ios-client generate-policy=port-strict
failure: only EAP client supported

Tue Jul 02, 2019 4:11 pm

As far as I understand you are trying to configure server. Server requires RADIUS server with EAP support. Locally on the router it is not supported.

berzerker · Tue Jul 02, 2019 4:19 pm

As far as I understand you are trying to configure server. Server requires RADIUS server with EAP support. Locally on the router it is not supported.

Ok...so that goes back to my original question. Will this be supported without the requirement of RADIUS, locally on ROS?

Gusse · Tue Jul 02, 2019 4:21 pm

RESOLVED: OVPN Server Binding was causing some issues. I deleted the old one instances and made a new one, then it started to work again.

I noticed issues with Android OpenVPN client after upgrade. Before it worked ok, but now I get this. Log full of this TUN write error.

16:08:56.806 -- EVENT: ASSIGN_IP

16:08:56.884 -- Connected via tun

16:08:56.885 -- EVENT: CONNECTED info='xxxx@xxc.xxx:1194 (xxx.xxx.xxx.xxx) via /TCPv4 on tun/10.0.0.84/ gw=[10.0.0.85/]' trans=TO_CONNECTED

16:09:22.049 -- TUN write error: write_some: Invalid argument

16:09:22.054 -- TUN write error: write_some: Invalid argument

enzain · Tue Jul 02, 2019 4:22 pm

Some routers after upgrade not allow login

Username or password incorrect.

Cha0s · Tue Jul 02, 2019 4:38 pm

Everyone who is experiencing problems with Winbox authorization - we will release a new Winbox loader with a fix for this problem as soon as possible. We are very sorry for any inconvenience caused.

While you are at it, will you fix the interfaces last up/down times on winbox that are in the future?

sindy · Tue Jul 02, 2019 4:39 pm

It is wrong if initiator is remote router.

Can you be more verbose? "initiator" is a role of an IPsec peer, but there is no "initiator/responder" or "client/server" role related to GRE, both ends of the tunnel are sending no matter whether the remote end responds or not and no matter whether a corresponding IPsec policy is available or not, and no matter what is the role of the IPsec peer used by that policy. As there are no ports in GRE, and as the ID field is the same for all packets, an IP.A (local) ->IP.B (remote) packet passing the output chain should create a tracked connection, so a received packet IP.B->IP.A should match "connection-state=established" in the input chain.

Tue Jul 02, 2019 4:54 pm

In terms of connection tracking there will be always the one that initiates/creates (call it whatever you like) new connection. If remote device trying to initiate connection it should not be accepted by "establish/related" rule because connection does not exist yet. That is what happened before the fix.

artem1 · Tue Jul 02, 2019 5:05 pm

After upgrade my CHR on intel with aes-ni to 6.45.1 I see flag "Hardware AEAD" is gray (off) (in IPSEC on installed SA tab).
Before upgrade this flag was shown as enabled (black).
Enc: sha1+aes-cbc128

petern · Tue Jul 02, 2019 5:08 pm

Can you be more verbose? "initiator" is a role of an IPsec peer, but there is no "initiator/responder" or "client/server" role related to GRE, both ends of the tunnel are sending no matter whether the remote end responds or not and no matter whether a corresponding IPsec policy is available or not, and no matter what is the role of the IPsec peer used by that policy. As there are no ports in GRE, and as the ID field is the same for all packets, an IP.A (local) ->IP.B (remote) packet passing the output chain should create a tracked connection, so a received packet IP.B->IP.A should match "connection-state=established" in the input chain.

I think you have it the wrong way around. GRE itself may not have initiator/responder terminology, but connection-tracking does. Thus, if the GRE packet first comes from the remote side, you need to explicitly allow it and not rely on established, as it isn't yet an established connection. I've always used an explicit allow rule for this, as that's how it should work.

Anumrak · Tue Jul 02, 2019 5:19 pm

Hey. What about low capacity of space in hAP lite? Watever I did, it says not enough space. Every time.
Try uninstall additional packages, then update. After update install packages.

This is abnormal behavior. I'll wait for a fix for this.

sindy · Tue Jul 02, 2019 5:36 pm

In terms of connection tracking there will be always the one that initiates/creates (call it whatever you like) new connection. If remote device trying to initiate connection it should not be accepted by "establish/related" rule because connection does not exist yet. That is what happened before the fix.

OK, so I assume you are saying that if the GRE packet comes from outside first (and, logically, doesn't match connection-state=established), no outgoing GRE packet will ever be sent because the local side only responds to connection attempts coming from the remote one inside the GRE tunnel, and the GRE packets carrying these connection attempts get dropped.

What about the GRE keepalives then? I've often created GRE tunnels with no actual payload traffic to use them for minutes and they did come up nevertheless, so I've always thought the keepalive packets are what creates the tracked connection.

nmt1900 · Tue Jul 02, 2019 6:34 pm

nmt1900 - Can you reproduce this problem once more? Actually. sounds that this was simply a coincidence and the problem was caused by something else besides static ARP entries

Router has one bridge with 2 addresses/subnets on it without VLANs and ARP in reply-only mode.

Subnet 1 has DHCP with add-arp-for-leases=yes and it is main subnet with client devices in it.
Subnet 2 has only some other devices in it for testing and static ARP entries for these devices in router's ARP list.

This setup worked without problems before, but now there is a problem:
subnet 1 works OK, devices can access each other and public internet and this subnet can be accessed over incoming VPN connection
subnet 2 cannot be accessed from subnet 1 and devices in subnet 2 cannot access router, subnet 1 or public internet. Devices in it cannot be accessed over incoming VPN connection either. Other Mikrotik devices in subnet 2 can only be accessed by MAC telnet or RoMON when problem is present.

Devices from subnet 2 will regain access after their static ARP entries are removed and added back, but after some time problem comes back - just like ARP entries are aged out, but still existing in list.

Everything works OK, when ARP is set to enabled mode.
If ARP is left to reply-only mode and accept rule (subnet 1 and subnet 2 as both source and destination) is added to forward chain, then it looks like this rule also solves the problem. This was not needed before

Long story got shorter - I moved one device with static address and ARP entry from subnet 2 to subnet 1. For some weird reason additional dynamic ARP entry started popping up with old IP address and it did not went away although IP address did not exist at that time. Then I moved this device back to subnet 2 and only the right ARP entry remained. Problem disappeared after that.

buset1974 · Tue Jul 02, 2019 7:09 pm

i'am having "rebooted without proper shutdown by watchdog timer" again after upgrading to 6.45.1 on CCR-1036-8G-2S+ from 6.44.3
It's has ipv4 and ipv6 running on the routers
We have this kind of issues last years and already fixed and it happen again now, please check my tickets #2018060122002189
Please check what changed on 6.45.1 that caused this happen again.

thx

antonina2 · Tue Jul 02, 2019 7:30 pm

Updated the router to the current version.
After the update, we can not work.

LAN computers behind RB951 cannot connect to PPTP servers.
We stopped work. Help.

P.S. Sorry, I know English very bad.

sindy · Tue Jul 02, 2019 7:33 pm

Updated the router to the current version.
After the update, we can not work. LAN computers behind RB951 cannot connect to PPTP servers.
We stopped work. Help.

P.S. Sorry, I know English very bad.

PPTP uses GRE to transport data. If the PPTP connections seem to be up but no data actually pass through them, look earlier in this thread for the firewall rule necessary to allow GRE to work. As the PPTP clients run on the LAN computers, not on the Mikrotik itself, the rule will have to be effective in the forward chain.

antonina2 · Tue Jul 02, 2019 7:38 pm

PPTP uses GRE to transport data. If the PPTP connections seem to be up but no data actually pass through them, look earlier in this thread for the firewall rule necessary to allow GRE to work. As the PPTP clients run on the LAN computers, not on the Mikrotik itself, the rule will have to be effective in the forward chain.

I tried different rules from this branch, nothing helps. Could you give an example of the rule? Thanks.

1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 5    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

 6    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

 7    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 8    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 9    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

10    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

11    ;;; Drop BOGONS List
      chain=input action=drop src-address-list=BOGONS in-interface-list=WAN log=yes log-prefix=""

sindy · Tue Jul 02, 2019 7:40 pm

Could you give an example of the rule?

/ip firewall filter add chain=forward action=accept protocol=gre src-address=ip.address.of.the.PPTP.server

It must be at the right place in the forward chain. If you're not sure, create a dedicated topic and post the export of your configuration there. See my automatic signature for details.

The rule should be placed between rules 8 and 9 in your /ip firewall filter print above.

And more than that:

as we talk about multiple PPTP servers, you probably need to use src-address-list in the rule, which contains addresses of all the servers, not just a single src-address,
as we talk about the forward chain, you need another rule where the same address-list is used as dst-address-list, as the first packet to be tunneled via GRE may come from either direction.

jsadler · Tue Jul 02, 2019 7:47 pm

I also have the Winbox Login Problem that has been mentioned....

I note that this is ***INTERMITTENT*** and so far it seems to only happen on links with higher latency.

I've upgraded approx 20 devices. This may or may not be a coincidence, however I have noted that devices that are nearby to my location are fine (approx 15) and don't have any login issues. Devices which are far away, eg international, or local but via LTE mobile data links (eg high latency) etc seem to have the issue (5 devices)

I've seen the login issue on CHR, LTAP and CRS, so I don't think it matters which hardware variant you are using.

When my login is failing, if I keep clicking connect in Winbox, it will usually connect after 5 to 10 attempts.

Note that the router logs the invalid connection attempt as a login failure for user xyz with the source IP of the winbox client, but other than that nothing else of interest is logged.

Cheers,
Jono.

petrb · Tue Jul 02, 2019 7:53 pm

DHCPv6 PD with RADIUS not work with dhcp6c in linux/ubnt .... work in 6.44.3. Work with DHCPv6 client with mikrotik. Very simple radius configuration:

744d288d0d1e => Mikrotik DHCPv6 client works (can fail when prefix is changed and release action is not invoked)
f09fc24af7e8 => UBNT/Ubuntu tested linux dhcp6c FAIL - works in 6.44.3

dhcp,error item: radius authentication failed for f09fc24af7e8 ::/60: prefix changed ::/60 -> 2a01:5e0:31:1000::/60

select * from radcheck

f09fc24af7e8      | Auth-Type          | := | Accept 
744d288d0d1e      | Auth-Type          | := | Accept

select * from radreply

f09fc24af7e8      | Delegated-IPv6-Prefix | =  | 2a01:5e0:31:1000::/60
744d288d0d1e      | Delegated-IPv6-Prefix | =  | 2a01:5e0:31:2000::/60

EDIT: main difference between dhcp6 client in MK and other is in receive value "ia_pd prefix" in first solication and compare value with radius. MK client not send "ia_pd prefix". Linux send ::/64(::/60 in my exmaple).

cat /etc/dhcp6c.conf

interface ath0 {
	request domain-name-servers;
	send ia-na 1;
	send ia-pd 1;
	script "/usr/bin/dhcp6c-state";
};

id-assoc na 1 {
};

id-assoc pd 1 {
	prefix ::/60 infinity;
	prefix-interface eth0 {
		sla-id 0;
		sla-len 4;
	};
};

nightcom · Tue Jul 02, 2019 8:21 pm

I see some of you have problems, just to make it more clear below is list of units that I upgraded to 6.45.1 without problems

RB3011UiAS-RM
hex RB750Gr3

Upgraded via Winbox 3.18

mserge · Tue Jul 02, 2019 8:41 pm

Everyone who is experiencing problems with Winbox authorization - we will release a new Winbox loader with a fix for this problem as soon as possible. We are very sorry for any inconvenience caused.

Any news about when will the new winbox be available?

kadety · Tue Jul 02, 2019 8:49 pm

Some routers after upgrade not allow login

Username or password incorrect.

I have the same problem. RB951G

Username or password incorrect.

Does anyone have a solution? Please

antonina2 · Tue Jul 02, 2019 9:10 pm

/ip firewall filter add chain=forward action=accept protocol=gre src-address=ip.address.of.the.PPTP.server

It must be at the right place in the forward chain. If you're not sure, create a dedicated topic and post the export of your configuration there. See my automatic signature for details.

The rule should be placed between rules 8 and 9 in your /ip firewall filter print above.

And more than that:
as we talk about multiple PPTP servers, you probably need to use src-address-list in the rule, which contains addresses of all the servers, not just a single src-address,

as we talk about the forward chain, you need another rule where the same address-list is used as dst-address-list, as the first packet to be tunneled via GRE may come from either direction.

For me it does not work.

Experimentally found out.
We have always been disabled service-port

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

Enabling pptp solved the problem.
Now the clients of the local network can connect to the pptp servers in the Internet.

2mrz & strods
This is a bug, or so it is conceived?
Why does this affect forward pptp?

/ip firewall service-port
set pptp disabled=yes

sindy · Tue Jul 02, 2019 9:43 pm

This is a bug, or so it is conceived?

Please do read the previous posts of this topic. @strods has already explained that a bug (with its own CVE) was the previous behaviour, where incoming GRE was allowed to pass through the firewall even without a corresponding permissive rule in place.

Why does this affect forward pptp?
Code: Select all
/ip firewall service-port
set pptp disabled=yes

It didn't come to my mind you could have the helpers disabled as by default they are enabled, so I was expecting a PPTP helper didn't exist at all, so I've suggested those rules above. My fault.

The whole /ip firewall service-port section deals with cases where communication using one protocol controls establishment of connections which use another protocol. So the firewall analyses the information in the control protocol and creates a connection-tracking record marked with connection-state=related in advance, before the first packet of that "controlled" connection arrives. So in the particular case of PPTP, when a PPTP control session between a client and the server gets established inside a TCP session (port 1723 on server side), the PPTP helper in the firewall prepares a tracked GRE connection between the IP addresses of the client and the server, so the rule action=accept chain=forward connection-state=established,related accepts these packets even though no rule explicitly permitting them exists in the forward chain.

/ip firewall connection-print where protocol~"gre" should show you a connection marked with E in the attributes column, which means Expected, which means connection-state=related.

adonato · Tue Jul 02, 2019 10:07 pm

ludvik - On some specific and very rare case Ethernet interface on TILE routers could lock up. Now this problem is resolved;
ndbjorne, kobuki, smileymattj - Bugfix version (long-term) will be released as soon as possible;
eworm, matiaszon, toxmost, Stanleyssm, wpeople, petrb, lomayani - I recommend that you provide supout file to support@mikrotik.com in order to get more information about the problem that you are experiencing;
pacman88 - CRS3xx switches now can better handle traffic passing through the switch if interface speeds are different;
nmt1900 - Can you reproduce this problem once more? Actually. sounds that this was simply a coincidence and the problem was caused by something else besides static ARP entries;
raystream, nichky, LetMeRepair, proximus, Cha0s, 3bs, Vlad2, sterod, mserge, STEVEUK1, elgrandiegote - We can not seem to reproduce the problem with Winbox login. Can you provide more details? From which version did you upgrade your router? Do you, for example, use RADIUS for Winbox authorisation?
SimWhite, nuffrespect, w0lt, snake27, Hyperlight - Please try to add a new firewall rule at every end of the tunnel and see if it starts to work properly? The rule should be located at the top (at least before drop rules) of input firewall filter rules chain (/ip firewall filter add chain=input action=accept protocol=gre src-address=[address that is configured as a remote-address on your GRE tunnel interface]);
rifkytech, bleblas, marcperea, mducharme, nerxu, jwilkinson6028 - If you cannot login into your router by using API please make sure that you have updated API authentication script (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
anav - Is this problem related to RouterOS v6.45.1 or this is simply a configuration related question?
OndrejHolas - We will resolve this problem as soon as possible;
markos222 - Currently fix is available only in v6.45. Fix will be backported to long-term versions aswell;
adonato - MIPS and MMIPS are two differnet architectures. Is it RB750 or RB750Gr3? Please name precise model.

Hello I have a RouterBOARD 750G r3

uptime: 14h59m39s
version: 6.44.3 (stable)
build-time: Apr/23/2019 12:37:03
factory-software: 6.36.1
free-memory: 167.8MiB
total-memory: 256.0MiB
cpu: MIPS 1004Kc V2.15
cpu-count: 4
cpu-frequency: 880MHz
cpu-load: 6%
free-hdd-space: 172.0KiB
total-hdd-space: 16.3MiB
write-sect-since-reboot: 146662
write-sect-total: 84183238
bad-blocks: 0%
architecture-name: mmips
board-name: hEX
platform: MikroTik

Sorry, bu Does anyone know what to do??

fmoses · Tue Jul 02, 2019 10:14 pm

After upgrading to 6.45.1 PPPOE Profile bandwidth defaults are not creating simple queues. Radius auth is working but if the radius server does not send Mikrotik-Rate for a user ( meaning use the profiles default settings ) it does not. Only users with a defined Mikrotik-Rate get simple queues created... IE for higher bandwidth packages..

gdemtcev · Tue Jul 02, 2019 10:22 pm

RouterOS version 6.45.1 (2019-Jun-27 10:23) has broken RADIUS PAP auth!!!

We have 500+ clients with Mikrotik devices and 27 june in our RADIUS server we see many errors from Mikrotik devices:

Mon Jul 1 11:04:53 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-FA-92-17-09/XX-XX-FA-92-17-0] (from client internet-network port 2152726528 cli XX:XX::FA:92:17:09)
Mon Jul 1 11:12:29 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-80-DC-6F-96/XX-XX-80-DC-6F-9L1\313\033\\ݍ\351\037\231,\205\201҅\236] (from client internet-network port 2152726529 cli XX:XX::80:DC:6F:96)
Mon Jul 1 11:12:40 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-80-DC-6F-96/XX-XX-80-DC-6F-9\006o\377\255\202[\224>\264\351\3103%xe\234] (from client internet-network port 2152726530 cli XX:XX:80:DC:6F:96)
... and man many many logs ...

After update to 6.45.1 all request from Mikrotik to RADIUS have broken last symbol in password (PAP, plain text)

We reproduce this bug in our office on 5+ devices.

How i can open bug report to this error?

ivanfm · Tue Jul 02, 2019 10:56 pm

RouterOS version 6.45.1 (2019-Jun-27 10:23) has broken RADIUS PAP auth!!!

We have 500+ clients with Mikrotik devices and 27 june in our RADIUS server we see many errors from Mikrotik devices:

Mon Jul 1 11:04:53 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-FA-92-17-09/XX-XX-FA-92-17-0] (from client internet-network port 2152726528 cli XX:XX::FA:92:17:09)
Mon Jul 1 11:12:29 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-80-DC-6F-96/XX-XX-80-DC-6F-9L1\313\033\\ݍ\351\037\231,\205\201҅\236] (from client internet-network port 2152726529 cli XX:XX::80:DC:6F:96)
Mon Jul 1 11:12:40 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-80-DC-6F-96/XX-XX-80-DC-6F-9\006o\377\255\202[\224>\264\351\3103%xe\234] (from client internet-network port 2152726530 cli XX:XX:80:DC:6F:96)
... and man many many logs ...

After update to 6.45.1 all request from Mikrotik to RADIUS have broken last symbol in password (PAP, plain text)

We reproduce this bug in our office on 5+ devices.

How i can open bug report to this error?

This reports should be made by e-mail to support@mikrotik.com .

I have already reported it for hotspot ( #2019070222007151 ) and other person also found same problem in wireless authentication : viewtopic.php?f=19&t=149811

I did not receive any response from my ticket .

OndrejHolas · Tue Jul 02, 2019 10:57 pm

CCR1009, 6.44.3 -> 6.45.1. After upgrade, bonding interface didn't go up. I use two levels of bonding: two low level bonding interfaces, each consisting of two ethernets, bundled to LACP LAG; and one upper level bonding interface, consisting of the two LAGs:

/interface bonding
add mode=802.3ad name=lacp1 slaves=ether5,ether6 transmit-hash-policy=layer-3-and-4
add mode=802.3ad name=lacp2 slaves=ether7,ether8 transmit-hash-policy=layer-3-and-4
add down-delay=1s mode=active-backup name=trunk1 primary=lacp1 slaves=lacp1,lacp2 transmit-hash-policy=layer-2-and-3 up-delay=5s

Up to version 6.44.3 this worked reliably. After upgrade to 6.45.1, the low level bondings (lacp1 and lacp2) go up after boot, but the upper level bonding (trunk1) doesn't notice link change from its slaves and remains down. Disconnecting and reconnecting cables, firmware upgrade, warm and cold reboots, nothing helps.

After disabling and re-enabling upper level bonding interface (/int disa trunk1; /int ena trunk1), it starts to work, including functional failover/failback after link state changes of slaves. Nevertheless, this works only until reboot.

Permanent workaround that worked for me:

/system scheduler
add name="trunk1 fix 6.45.1" on-event=":delay 10s;/int disa trunk1;/int ena trunk1" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup

Submitted to support as Ticket#2019070222008098.

Ondrej

sindy · Tue Jul 02, 2019 11:05 pm

Sorry, bu Does anyone know what to do??

adonato - instead of the package for mipsbe you've tried to install, download the package for mmips which is the architecture of your device as reported by /system resource print.

gdemtcev · Tue Jul 02, 2019 11:11 pm

RouterOS version 6.45.1 (2019-Jun-27 10:23) has broken RADIUS PAP auth!!!

We have 500+ clients with Mikrotik devices and 27 june in our RADIUS server we see many errors from Mikrotik devices:

Mon Jul 1 11:04:53 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-FA-92-17-09/XX-XX-FA-92-17-0] (from client internet-network port 2152726528 cli XX:XX::FA:92:17:09)
Mon Jul 1 11:12:29 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-80-DC-6F-96/XX-XX-80-DC-6F-9L1\313\033\\ݍ\351\037\231,\205\201҅\236] (from client internet-network port 2152726529 cli XX:XX::80:DC:6F:96)
Mon Jul 1 11:12:40 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-80-DC-6F-96/XX-XX-80-DC-6F-9\006o\377\255\202[\224>\264\351\3103%xe\234] (from client internet-network port 2152726530 cli XX:XX:80:DC:6F:96)
... and man many many logs ...

After update to 6.45.1 all request from Mikrotik to RADIUS have broken last symbol in password (PAP, plain text)

We reproduce this bug in our office on 5+ devices.

How i can open bug report to this error?
This reports should be made by e-mail to support@mikrotik.com .

I have already reported it for hotspot ( #2019070222007151 ) and other person also found same problem in wireless authentication : viewtopic.php?f=19&t=149811

I did not receive any response from my ticket .

Already send, twice, but not response yet...(

Panbambaryla · Wed Jul 03, 2019 12:59 am

Upgraded RB4011 from 6.44.3 to 6.45.1 - no issues
Well, actually there is one - the bridge MAC address has changed so the network discovery on Windows must be done again. In my case the bridge MAC addr is the same as for eth7 interface. Interesting what it depends on...
Best
Bam

Well, the bridge MAC address changes with RB4011 WiFI reboot so from time to time you will have to change your Windows network from public to private until it cycles all MAC addresses from your eth interfaces. Mikrotik, could you please explain if it is expected behaviour or rather some side effect of the latest firmware?
Best, Bam

Spirch · Wed Jul 03, 2019 4:16 am

wow 4 pages already, i'm happy to always wait a few days before installing things that can bring down my network or make thing difficult.

people still deploy stuff in mass without testing them?

time to wait a little bit longer and see the evolution of this thread

Xymox · Wed Jul 03, 2019 5:07 am

Upgraded RB4011 from 6.44.3 to 6.45.1 - no issues
Well, actually there is one - the bridge MAC address has changed so the network discovery on Windows must be done again. In my case the bridge MAC addr is the same as for eth7 interface. Interesting what it depends on...
Best
Bam
Well, the bridge MAC address changes with RB4011 WiFI reboot so from time to time you will have to change your Windows network from public to private until it cycles all MAC addresses from your eth interfaces. Mikrotik, could you please explain if it is expected behaviour or rather some side effect of the latest firmware?
Best, Bam

I saw some real weirdness with the 4011.. Maybe the above is part of it. Briefly it was rebooting too. The unit has settled down and I am going to try and downgrade it back to 44.3..

Im running 45.1 on my home CCR and so far it seems fine, but, im just doing a home NAT setup, nothing involved at all.

YEA... Remember everybody, use partitions if your device supports them. Makes for a easy switch back. Before upgrading, copy to and save to a partition. THEN upgrade. You then have a fall back. I would like to be able to pick partitions from the LCD on units that have a LCD..

Wed Jul 03, 2019 7:51 am

spacex - We will look into this problem;
Anumrak - Yes, hAP lite and similar routers are designed to run RouterOS bundle package and can be upgraded without any problems, as long as you do not store anything else on your router that might fill up the storage. If there is not enough space on the disk for upgrades - remove files, limit features that use disk and use separate packages instead of RouterOS bundle package;
boquepasha - Which RouterOS version is installed on the router from which you start MAC Telnet session? Is it at least RouterOS version 6.43?
elgrandiegote, enzain, jsadler, kadety - As mentioned in previous posts, we have already resolved this problem and will release Winbox 3.19 with a fix as soon as possible;
dakotabcn, artem1, petrb, fmoses, Xymox - I recommend that you provide supout file to support@mikrotik.com in order to get more information about the problem that you are experiencing;
Gusse - Can you reproduce this problem once more? Actually, sounds that this was simply a coincidence and the problem was caused by something else;
Cha0s - Unfortunately, this problem is not resolved yet;
mserge - I can not tell you precisely when it will be released, but it will happen as soon as possible (hopefully later today);
adonato - You have not replied which router do you have. Provide the output of the command ":put [/system resource get architecture]". It will tell you which architecture packages you must download in order to upgrade your router;
Panbambaryla - That is why you can set static MAC address on the bridge interface. If it is not set, then the bridge will use MAC address of the first interface which is loaded in RouterOS after a reboot;

Everyone - Please note that MikroTik team provide free support for you if you have a software or hardware related problem. Usually, we reply within three business days (sometimes it might take longer). All of the tickets that you have created will be replied to as soon as possible.

Murmaider · Wed Jul 03, 2019 9:34 am

170 updates and changes and not one BGP improvement...

boquepasha · Wed Jul 03, 2019 9:59 am

That might be the problem, strods. The device from where we were trying to mac-telnet our customer had version 6.42.3. We'll upgrade that device and tell you back with our findings.

petrb · Wed Jul 03, 2019 10:33 am

Supout file was sent to the support. Thanks

NetVicious · Wed Jul 03, 2019 10:39 am

Hi!
As I read before on this thread It seems 6.45.1 has some problem with GRE.
I have some Mikrotik RB450G (call they A, B, C, .....) connected to one RB850Gxx2 (call him as master).

"Master" has one PPTP Server binding for each other (A, B, C).

After upgrading all the devices to 6.45.1, A and C cannot connect to "master" within PPTP, but B was working perfectly.

A, B and C had practically the same configuration.

After trying some changes, I did a downgrade on A and C and it's PPP started to work another time without doing any other change.

I did some screenshots of the logs

Log with 6.45.1 (pptp don't connects)

Log with 6.44.3 (pptp connects correctly)

pe1chl · Wed Jul 03, 2019 11:07 am

As I read before on this thread It seems 6.45.1 has some problem with GRE.

When you do make the effort of reading the topic first and seeing others with the same problem, why don't you go that tiny step further and read the replies that they got (also from MikroTik) about the cause of this "problem with GRE" and how you can solve it other dan by downgrading?

pe1chl · Wed Jul 03, 2019 11:10 am

Upgraded RB4011 from 6.44.3 to 6.45.1 - no issues
Well, actually there is one - the bridge MAC address has changed so the network discovery on Windows must be done again. In my case the bridge MAC addr is the same as for eth7 interface. Interesting what it depends on...
Best
Bam
Well, the bridge MAC address changes with RB4011 WiFI reboot so from time to time you will have to change your Windows network from public to private until it cycles all MAC addresses from your eth interfaces. Mikrotik, could you please explain if it is expected behaviour or rather some side effect of the latest firmware?
Best, Bam

As always, when the MAC address of a bridge is important you should not configure it as "auto mac" but rather set its "admin mac address" manually.
You can just copy and paste the address it has now.

NetVicious · Wed Jul 03, 2019 11:30 am

As I read before on this thread It seems 6.45.1 has some problem with GRE.
When you do make the effort of reading the topic first and seeing others with the same problem, why don't you go that tiny step further and read the replies that they got (also from MikroTik) about the cause of this "problem with GRE" and how you can solve it other dan by downgrading?

Sorry. I did the downgrade as a fast attempt to fix the problem because I had users waiting to connect.
I read the thread after the downgrade.
I will try the temporal fix later when users are not working.

Anumrak · Wed Jul 03, 2019 11:39 am

spacex - We will look into this problem;
Anumrak - Yes, hAP lite and similar routers are designed to run RouterOS bundle package and can be upgraded without any problems, as long as you do not store anything else on your router that might fill up the storage. If there is not enough space on the disk for upgrades - remove files, limit features that use disk and use separate packages instead of RouterOS bundle package;
boquepasha - Which RouterOS version is installed on the router from which you start MAC Telnet session? Is it at least RouterOS version 6.43?
elgrandiegote, enzain, jsadler, kadety - As mentioned in previous posts, we have already resolved this problem and will release Winbox 3.19 with a fix as soon as possible;
dakotabcn, artem1, petrb, fmoses, Xymox - I recommend that you provide supout file to support@mikrotik.com in order to get more information about the problem that you are experiencing;
Gusse - Can you reproduce this problem once more? Actually, sounds that this was simply a coincidence and the problem was caused by something else;
Cha0s - Unfortunately, this problem is not resolved yet;
mserge - I can not tell you precisely when it will be released, but it will happen as soon as possible (hopefully later today);
adonato - You have not replied which router do you have. Provide the output of the command ":put [/system resource get architecture]". It will tell you which architecture packages you must download in order to upgrade your router;
Panbambaryla - That is why you can set static MAC address on the bridge interface. If it is not set, then the bridge will use MAC address of the first interface which is loaded in RouterOS after a reboot;

Everyone - Please note that MikroTik team provide free support for you if you have a software or hardware related problem. Usually, we reply within three business days (sometimes it might take longer). All of the tickets that you have created will be replied to as soon as possible.

There are no files on the flash drive. Why I didn't need to remove other packages in previous upgrades?

Wed Jul 03, 2019 11:40 am

I will try the temporal fix later when users are not working.

Temporary? Please read the topic once again, carefully. This version fixes a bug that allowed GRE to work even when your device was configured improperly. So you do not need to apply a temporary fix, but rather permanently fix your configuration.

NetVicious · Wed Jul 03, 2019 12:11 pm

@andriys. Sorry but I don't saw the official strods post answering a lot of posts of this threads with the info about GRE.

I said temporary fix because I have some RB450G with 6.45.1 running perfectly against a RB850Gx2 with 6.45.1 without any new firewall rule about GRE. That's why I though it's a temporary fix.

jetzcezt · Wed Jul 03, 2019 12:20 pm

Hello good People :) ,

if you are using PEAR2_Net_RouterOS-1.0.0b6 API by Vasil Rangelov (boenrobot), replace code on Client.php for 7 rows, start at line 292 until line 298, to be :

$request->setArgument('password',$password);

just that one line for make it usable again.

Wed Jul 03, 2019 12:48 pm

Winbox 3.19 has been released:

viewtopic.php?f=21&p=737780#p737780

Wed Jul 03, 2019 12:51 pm

@andriys. Sorry but I don't saw the official strods post answering a lot of posts of this threads with the info about GRE.

It was in a (rather long) post here.
And then a followup here.

joserudi · Wed Jul 03, 2019 12:56 pm

After upgrading to 6.45.1 PPPOE Profile bandwidth defaults are not creating simple queues. Radius auth is working but if the radius server does not send Mikrotik-Rate for a user ( meaning use the profiles default settings ) it does not. Only users with a defined Mikrotik-Rate get simple queues created... IE for higher bandwidth packages..

I have the same problem, PPPOE and HOTSPOT Profile defaults bandwith are not creating simple rules. Only its possible acroos radius-rate

glee · Wed Jul 03, 2019 1:13 pm

Is there any ETA for long-term release which will fix vulnerabilities?

sindy · Wed Jul 03, 2019 1:39 pm

@andriys. Sorry but I don't saw the official strods post answering a lot of posts of this threads with the info about GRE.

I said temporary fix because I have some RB450G with 6.45.1 running perfectly against a RB850Gx2 with 6.45.1 without any new firewall rule about GRE. That's why I though it's a temporary fix.

For these GRE (and EoIP, it's the same story as EoIP is an application using GRE) tunnels which work in 6.45.1 without modification, something at both ends must be sending initial connection requests to the tunnel (TCP SYN, DNS queries, whatever), so each end creates an established connection in its local firewall on its own. It may also be caused by keepalives configured on GRE itself if there is no spontaneous traffic. Tunnel ends where keepalive is disabled and all local side devices are just listening servers will not establish the GRE tunnel without the rule in chain input of ip firewall filter (if they are tunnel endponi devices themselves); for transit PPTP, and maybe also for locally terminated PPTP, the PPTP helper must be enabled in ip firewall service-port.

notToNew · Wed Jul 03, 2019 1:43 pm

Is there any ETA for long-term release which will fix vulnerabilities?

You didnt read the thread, did you?

glee · Wed Jul 03, 2019 2:08 pm

Is there any ETA for long-term release which will fix vulnerabilities?
You didnt read the thread, did you?

I did, so far there has been only "as soon as possible". It's been 6 days!
I don't get it why it is taking so long.. Fixes for CVE-2018-14847 were released for all channels at same day.

Lifz · Wed Jul 03, 2019 2:14 pm

Is there any ETA for long-term release which will fix vulnerabilities?
You didnt read the thread, did you?
I did, so far there has been only "as soon as possible". It's been 3 days!
I don't get it why it is taking so long.. Fixes for CVE-2018-14847 were released for all channels at same day.

Long term: When a Stable release has been out for a while and seems to be stable enough, it gets promoted into the Long Term branch, replacing an older release, which is then moved to Archive. This consecutively adds new features.

jamesw · Wed Jul 03, 2019 2:23 pm

We are also facing the same issue with Hotspot / RADIUS authentication broken because the Password that is send to RADIUS is garbage/corrupt.

This is affecting 1000+ customers to a big issue.

Case raised; ticket #2019070322005393

Thanks for any help.

James

pe1chl · Wed Jul 03, 2019 2:31 pm

Is there any ETA for long-term release which will fix vulnerabilities?

You can fix the vulnerabilities using a firewall rule...

LeftyTs · Wed Jul 03, 2019 2:32 pm

In a CRS326, RoS complains about collisions in a half duplex interface. I have had problems before with this interface as it needed to be reset every few days [Ticket#2018122022004844]. I have even set the specific Ethernet interface to "full-duplex=no speed=10Mbps" and those warning messages should not exist as it is normal for collisions to occur in half duplex interfaces.

12:40:19 interface,warning ether16 excessive or late collision, link duplex mismatch?

In any case, there seems to be improvement from previous versions as the Gigabit interfaces have not stopped from working yet when I was testing the beta version.

glee · Wed Jul 03, 2019 2:36 pm

Is there any ETA for long-term release which will fix vulnerabilities?
You didnt read the thread, did you?
I did, so far there has been only "as soon as possible". It's been 6 days!
I don't get it why it is taking so long.. Fixes for CVE-2018-14847 were released for all channels at same day.
Long term: When a Stable release has been out for a while and seems to be stable enough, it gets promoted into the Long Term branch, replacing an older release, which is then moved to Archive. This consecutively adds new features.

I would argue that releasing software that includes security fixes should be also released to all channels at same day since this will leave devices who are running on long-term channel exploitable. There wasn't even "Testing" channel release, so they really rushed it out only for Stable channel... why? I guess cause of the security fixes.. why not handle long-term same way?

Anywho I upgraded our lab two days ago to 6.45.1. These are my notes:

These models have been running OK.

CCR1016-12S-1S+

CRS317-1G-16S+

CRS226-24G-2S+

RB M33G with R11e-LTE and R11e-4G

wAP 60GHz

SXTsq 5GHz

RB3011UiAS

RB4011iGS+

hAP AC

cAP AC

Features tested with this release in lab.

Streaming Packet Sniffer

LTE

L2TP over IPsec

EoIP over IPSec

SSTP

IPSec

OSPF

VRRP

Bonding

Mangle

Queues

Wireless

CAPsMAN

SNMPv3

pe1chl · Wed Jul 03, 2019 3:23 pm

I would argue that releasing software that includes security fixes should be also released to all channels at same day since this will leave devices who are running on long-term channel exploitable.

The portion of devices running the latest long-term version and being actively managed by someone/some team who would install a security update in the current long-term channel immediately once it becomes available is likely very, very, very small.

Especially as there is no automatic update mechanism (with its associated security fix channel) in RouterOS, most devices are not regularly updated and many run versions that are very old and have really critical vulnerabilities (compared to this one).
People that elect to run the long-term version also usually are quite conservative in updating it.

Furthermore, you can fix this one with a firewall rule. I have done so early on, and it has not yet revealed attempts to exploit it.
Of course that does not mean it will never happen.

glee · Wed Jul 03, 2019 3:29 pm

I would argue that releasing software that includes security fixes should be also released to all channels at same day since this will leave devices who are running on long-term channel exploitable.
The portion of devices running the latest long-term version and being actively managed by someone/some team who would install a security update in the current long-term channel immediately once it becomes available is likely very, very, very small.

Especially as there is no automatic update mechanism (with its associated security fix channel) in RouterOS, most devices are not regularly updated and many run versions that are very old and have really critical vulnerabilities (compared to this one).
People that elect to run the long-term version also usually are quite conservative in updating it.

Furthermore, you can fix this one with a firewall rule. I have done so early on, and it has not yet revealed attempts to exploit it.
Of course that does not mean it will never happen.

We are running long-term for customers and we are automatically updating the devices via Ansible with three phases (1day; 5days; 10days delay). Few of our partners are doing the same.
Yes I know we can fix this with firewall rule, we just finished testing our Ansible playbooks for phase1 clients - ~300 devices OK. Going to deploy it to phase2 and phase3 rings now.

seregaelcin · Wed Jul 03, 2019 3:34 pm

After update 6.44.3->6.45.1 pptp-client doesn't work - connecting.... disconnecting....connecting.... disconnecting....
After downgrade 6.45.1->6.44.3 it works

Ulypka · Wed Jul 03, 2019 3:36 pm

2018101022007579 still present

2019.07.03-10:17:52.91@10: 2300: recalculate OSPFv2 routes
2019.07.03-10:17:53.73@10: repairDelete: done, deleted 0
2019.07.03-10:17:53.74@10: repairAdd: done, added 4060
2019.07.03-10:17:54.90@10: 2302: recalculate OSPFv2 routes
2019.07.03-10:25:41.17@3:
2019.07.03-10:25:41.17@3:
2019.07.03-10:25:41.17@3: /nova/bin/route
2019.07.03-10:25:41.17@3: --- signal=12 --------------------------------------------
2019.07.03-10:25:41.17@3:
2019.07.03-10:25:41.17@3: r00=0x000000007fbef774 r01=0x000000007fbef77c r02=0x000000007fbef77c
2019.07.03-10:25:41.17@3: r03=0x000000007fbef848 r04=0x00000000002aeca8 r05=0x00000000003b9940
2019.07.03-10:25:41.17@3: r06=0x0000000000000000 r07=0x0000000000000000 r08=0x0000000000000000
2019.07.03-10:25:41.17@3: r09=0x0000000000000000 r10=0x00000000003b9958 r11=0x00000000003b995c
2019.07.03-10:25:41.17@3: r12=0x000000000057f5f0 r13=0x0000000000000000 r14=0x000000000057f5e8
2019.07.03-10:25:41.17@3: r15=0x0000000000000001 r16=0x0000000000000001 r17=0x00000000002aedcc
2019.07.03-10:25:41.17@3: r18=0x0000000000000001 r19=0x0000000000000000 r20=0x00000000005979e8
2019.07.03-10:25:41.17@3: r21=0x00000000ffffffff r22=0x0000000008ff0003 r23=0x00000000005979d8
2019.07.03-10:25:41.17@3: r24=0x000000007fbef728 r25=0x000000007fbef728 r26=0x00000000000197a0
2019.07.03-10:25:41.17@3: r27=0x0000000000250128 r28=0x0000000077d5b5f0 r29=0x0000000000000100
2019.07.03-10:25:41.17@3: r30=0x000000007fbef780 r31=0x000000007fbef77c r32=0x000000007fbef774
2019.07.03-10:25:41.17@3: r33=0x000000007fbef83c r34=0x000000007fbef848 r35=0x00000000003b9950
2019.07.03-10:25:41.17@3: r36=0x000000007fbef844 r37=0x00000000003b9954 r38=0x00000000002aeca8
2019.07.03-10:25:41.17@3: r39=0x00000000003b9940 r40=0x00000000003c60d8 r41=0x00000000000000fe
2019.07.03-10:25:41.17@3: r42=0x00000000003b9958 r43=0x00000000ac1a1005 r44=0x0000000000000001
2019.07.03-10:25:41.17@3: r45=0x0000000000028948 r46=0x00000000000288c8 r47=0x0000000000000086
2019.07.03-10:25:41.17@3: r48=0x0000000077ae1444 r49=0x00000000000653e0 r50=0x0000000077e5cd70
2019.07.03-10:25:41.17@3: r51=0x0000000077ec2040 r52=0x000000007fbefd90 tp=0x0000000077f22fa0
2019.07.03-10:25:41.17@3: sp=0x000000007fbef760 lr=0x00000000001726b0 pc=0x0000000077d5b618
2019.07.03-10:25:41.17@3: ics=0x0000000000000000 faultnum=0x000000000000001d
2019.07.03-10:25:41.17@3:
2019.07.03-10:25:41.17@3: maps:
2019.07.03-10:25:41.17@3: 00010000-00250000 r-xp 00000000 00:0f 659 /nova/bin/route
2019.07.03-10:25:41.17@3: 77af0000-77b20000 r-xp 00000000 00:0f 468 /lib/libgcc_s.so.1
2019.07.03-10:25:41.17@3: 77b30000-77d30000 r-xp 00000000 00:0f 465 /lib/libc-2.17.so
2019.07.03-10:25:41.17@3: 77d50000-77d70000 r-xp 00000000 00:0f 448 /lib/libuc++.so
2019.07.03-10:25:41.17@3: 77d80000-77da0000 r-xp 00000000 00:0f 451 /lib/libucrypto.so
2019.07.03-10:25:41.17@3: 77db0000-77dc0000 r-xp 00000000 00:0f 453 /lib/libufiber.so
2019.07.03-10:25:41.17@3: 77dd0000-77de0000 r-xp 00000000 00:0f 467 /lib/libdl-2.17.so
2019.07.03-10:25:41.17@3: 77e00000-77e10000 r-xp 00000000 00:0f 454 /lib/libubox.so
2019.07.03-10:25:41.17@3: 77e20000-77ec0000 r-xp 00000000 00:0f 450 /lib/libumsg.so
2019.07.03-10:25:41.17@3: 77ed0000-77f10000 r-xp 00000000 00:0f 462 /lib/ld-2.17.so
2019.07.03-10:25:41.17@3:
2019.07.03-10:25:41.17@3: stack: 0x7fbf0000 - 0x7fbef760
2019.07.03-10:25:41.17@3: 98 26 17 00 00 00 00 00 20 f8 be 7f 00 00 00 00 44 14 ae 77 58 99 3b 00 58 99 3b 00 80 f7 be 7f
2019.07.03-10:25:41.17@3: 00 00 00 00 00 00 00 00 01 00 00 00 05 10 1a ac 05 10 1a ac 00 00 00 00 cc f8 be 7f 00 00 00 00
2019.07.03-10:25:41.17@3:
2019.07.03-10:25:41.17@3: backtrace: 0x77e53ce0 0x77b08e28 0x77d5b618 0x001726b0 0x00172fd0 0x77e5cee0 0x77e56968 0x77e5b3b8 0x77db8170 0x77e59fd0 0x77e51b10 0x77e51be0 0x77e5eda8 0x0001dca0 0x77b4aa40 0x000215a8
2019.07.03-10:25:41.17@3: extra 0x7fbef96c
2019.07.03-10:25:41.17@3: virtual void nv::Looper::dispatchMessage(nv::message&)
2019.07.03-10:25:41.17@3: Handler: 0x00000081
2019.07.03-10:25:41.17@3: true--- nv::message --------
2019.07.03-10:25:41.17@3: bool [local::1002]=true
2019.07.03-10:25:41.17@3: bool [SYS_REPLYEXP]=true
2019.07.03-10:25:41.17@3: u32 [SYS_POLICY]=-16385 0xffffbfff 255.191.255.255
2019.07.03-10:25:41.17@3: u32 [STD_FILTER]=5 0x5 5.0.0.0
2019.07.03-10:25:41.17@3: u32 [SYS_TYPE]=TYPE_REQUEST
2019.07.03-10:25:41.17@3: u32 [STD_GETALLID]=6162984 0x5e0a28 40.10.94.0
2019.07.03-10:25:41.17@3: u32 [SYS_REQID]=556 0x22c 44.2.0.0
2019.07.03-10:25:41.17@3: u32 [SYS_CMD]=CMD_GETALL
2019.07.03-10:25:41.17@3: message [STD_GETALL_COOKIE]...
2019.07.03-10:25:41.17@3: true --- nv::message --------
2019.07.03-10:25:41.17@3: u32 [3]=-1407578107 0xac1a1005 5.16.26.172
2019.07.03-10:25:41.17@3: u32 [STD_ID]=1 0x1 1.0.0.0
2019.07.03-10:25:41.17@3: u32 [1]=1 0x1 1.0.0.0
2019.07.03-10:25:41.17@3: u32 [2]=-1407578107 0xac1a1005 5.16.26.172
2019.07.03-10:25:41.17@3: u32 [14]=2824504 0x2b1938 56.25.43.0
2019.07.03-10:25:41.17@3: u32[0x00000000] [SYS_TO]=
2019.07.03-10:25:41.17@3: u32[0x00000002] [SYS_FROM]=0x00000030, 0x000000

seregaelcin · Wed Jul 03, 2019 5:05 pm

After update 6.44.3->6.45.1 pptp-client doesn't work - connecting.... disconnecting....connecting.... disconnecting....
After downgrade 6.45.1->6.44.3 it works

i created gre input firewall rule and replaced over fasstrack. pptp-client connected. Solved

Panbambaryla · Wed Jul 03, 2019 5:20 pm

After update 6.44.3->6.45.1 pptp-client doesn't work - connecting.... disconnecting....connecting.... disconnecting....
After downgrade 6.45.1->6.44.3 it works
i created gre input firewall rule and replaced over fasstrack. pptp-client connected. Solved

No need to...
Just enable ip firewall service ports pptp NAT helper... It's been mentioned so many timees in here...

maxsaf · Wed Jul 03, 2019 5:33 pm

The Dude - RouterOS checkmark doesn't work anymore. Error "invalid user name or password (6), next attempt at Jul/04 14:25:10"

gepelbaum · Wed Jul 03, 2019 6:04 pm

My update report:
Dear, after updating the 6.44.3 version 6.45.1 experience that the name field of the ipsec tunnels was removed, this occurred in all devices where I had ipsec configured and in some had several tunnels configured.
For the rest, I did not see any problem although this if I present productivity problems in the clients.
regards

nmt1900 · Wed Jul 03, 2019 6:30 pm

It looks like SNMP access from Dude works OK with SNMPv1 or SNMPv2c. Maybe something with SNMPv3 authentication or encryption is wrong in Dude?

It looks like Dude has problems with SNMP access.

snmpwalk to other Mikrotik device causes this to appear in log of target device
Code: Select all
10:22:24 snmp,debug unsupported v3 security level 
10:22:24 snmp,debug v3 err: 0 unsupported security
10:22:24 snmp,debug bad packet
and snmpwalk times out. We have LibreNMS set up for monitoring and it works fine as it did before.SNMP is set up as v3 private access.

Dude is updated to 6.45.1. It is hard to say whether Dude is the problem or RouterOS on the device itself...
I have that same problem

mserge · Wed Jul 03, 2019 6:40 pm

Winbox 3.19 has been released:

viewtopic.php?f=21&p=737780#p737780

I tried it but i still get same error "Wrong user or password", any ideas?

theplanet · Wed Jul 03, 2019 6:41 pm

There is a major problem with Hotspot + Radius + Mac Authentication... i have dmasoftlab radius and after the upgrade no client connected automatically... before the upgrade all working... and now no mac auth... I've found the problem, is is http pap , has to be disabled.

nostromog · Wed Jul 03, 2019 7:43 pm

I upgraded 2 mAP Lite without a single issue, and another old 750GL. Same

On the other side, the hAP ac that could not be upgraded/downgraded to 6.44.* or 6.45beta* because it had the 100% looping CPU on ipsec is stil behaving the same.

It hangs in some initial script that tries to modify ipsec policies depending on dynamic local ip, it hangs on "/ export" or "/ip ipsec <whatever>". I can't generate a supout because it hangs

Again, downgrading to long-term works, and it recovers a very simple and working, ipsec configuration:

/ip ipsec export hide-sensitive 
# jul/03/2019 18:35:52 by RouterOS 6.43.16
# software id = <edited>
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = <edited>
/ip ipsec mode-config
add address-pool=vpn2 name=RW-cfg split-include=192.168.87.0/24,192.168.90.0/24,192.168.91.0/24
/ip ipsec policy group
add name=RoadWarrior
/ip ipsec peer
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RW-cfg passive=yes policy-template-group=RoadWarrior
/ip ipsec policy
add dst-address=192.168.91.0/24 group=RoadWarrior src-address=192.168.87.0/24 template=yes
add dst-address=192.168.91.0/24 group=RoadWarrior src-address=192.168.90.0/24 template=yes
add dst-address=192.168.91.0/24 group=RoadWarrior src-address=192.168.91.0/24 template=yes
add disabled=yes dst-address=192.168.91.0/24 group=RoadWarrior src-address=0.0.0.0/0 template=yes
/ip ipsec user
add name=user2
add name=user
add name=user3

Deleting the ipsec configuration and upgrading loops the same. I'll keep it in long-term until either a stable version works or a long-term version works "past" the problem, or I can make netinstall work, which I have not been able for the moment...

There is another, remote office machine, that I'm scared to upgrade because I'm afraid that the issue will happen again and I can't easily recover the machine. It is quite critical and far away.

Is any of the other people that was experiencing with me this 100% CPU loop in ipsec in 6.44-6.45 been able to recover? How?

sindy · Wed Jul 03, 2019 8:43 pm

It hangs in some initial script that tries to modify ipsec policies depending on dynamic local ip, it hangs on "/ export" or "/ip ipsec <whatever>". I can't generate a supout because it hangs

Have you tried to reset the machine to defaults before or better after upgrade to 6.45.1 and then manually create the IPsec configuration from the export rather than letting the upgrade script do that? This clearly cannot be used on the production machine but it should at least confirm that the IPsec part is the trigger, so you could be able to remove the IPsec configuration on the production machine before the upgrade if you can provide some other means to access it remotely (ssh, https) and recreate the IPsec part after the upgrade.

Other than that, a support.rif of the state before upgrade should be enough for support to simulate the same process at their end.

owsugde · Wed Jul 03, 2019 9:52 pm

All I can say is be very careful with this update. I have rolled it out on some remote devices, and now, one isn't having ethernet connectivity at all (at the least) and the other isn't coming back up over OVPN.

Can't say more about what has caused this in particular, yet. Probably will have to be on premises tomorrow because of this, more on it then...

DotTest37 · Wed Jul 03, 2019 10:33 pm

What does exactly mean:
!) user - removed insecure password storage;
?

pe1chl · Wed Jul 03, 2019 10:37 pm

What does exactly mean:
!) user - removed insecure password storage;
?

It is already written in the head of the release notes!
In older RouterOS versions before 6.43 the passwords were stored in plaintext.
In the 6.43 version they were changed to hashes but the plaintext version remained so you could downgrade and still have your passwords.
Now the plaintext versions are deleted, so when you downgrade from 6.45.1 to a 6.42 or older version you lose all your passwords.

dlausch · Wed Jul 03, 2019 10:54 pm

i have found the failure.
connecting with the android app over vpn (i am not at home) is fine.
connecting with winbox from my windows laptop over vpn is fone too.

only winbox running with wine on my macbook shows this failure
and after deleting the cache in winbox it connects again on my macbook

I've got a similar issue...

I'm unable to connect my Router / APs etc by IOS app, no matter if VPN or WLAN.
The logs say: "system,error,critical login failure for user david from 10.200.5.13 via tikapp"

Via Winbox, SSH or Web no problems.
So I had to turn of the network for my Kids by ssh, not by app...

Greetz
David

CharlyBrown · Wed Jul 03, 2019 11:08 pm

Hi Guys, I recently updated 2 of my routers, one of them has Dude installed, and when I try to login through API, I receive the same error.
The las version installed on my routers are 6.44, and the API login style is the one indicated on the wiki.
Other strange thing, when I try to use AUTO UPGRADE option from other routers I receive the same error. (wrong password). The configured server with update packages are the router with DUDE, with 6.51 version.-
I try to reset de admin password, api password and nothing happened.
When I try to connect through API and AUTO UPGRADE option between routers with 6.44 version, everything works fine.
If need more information about those tests please tell me.

me to, but i have problem on api, i can connect with winbox, but i can't login with API ( wrong password ). why?
Do you use new login style in API?
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

DotTest37 · Wed Jul 03, 2019 11:12 pm

What does exactly mean:
!) user - removed insecure password storage;
?
It is already written in the head of the release notes!
In older RouterOS versions before 6.43 the passwords were stored in plaintext.
In the 6.43 version they were changed to hashes but the plaintext version remained so you could downgrade and still have your passwords.
Now the plaintext versions are deleted, so when you downgrade from 6.45.1 to a 6.42 or older version you lose all your passwords.

Which passwords?
The one used to log in on Router OS?
The ones for PPP accounts?
Anything else?
Which ones?
Are we talking also the password visibility when you do EXPORT on the CLI? (you see all passwords there)

salah · Thu Jul 04, 2019 1:51 am

can anyone help me to enable this future (dot1x) on my LAN network

I have a tp-link access point with WPA/WPA2 enterprise authentication.

faraujo88 · Thu Jul 04, 2019 2:31 am

Hi Guys

I am having problem to update my device,

it complete and reboot , but when i go to check the currentversion, is still 6.42 and not 6.45

Please Help

Can U send log? did u check correct architecture?

faraujo88 · Thu Jul 04, 2019 2:32 am

What does exactly mean:
!) user - removed insecure password storage;
?
It is already written in the head of the release notes!
In older RouterOS versions before 6.43 the passwords were stored in plaintext.
In the 6.43 version they were changed to hashes but the plaintext version remained so you could downgrade and still have your passwords.
Now the plaintext versions are deleted, so when you downgrade from 6.45.1 to a 6.42 or older version you lose all your passwords.
Which passwords?
The one used to log in on Router OS?
The ones for PPP accounts?
Anything else?
Which ones?
Are we talking also the password visibility when you do EXPORT on the CLI? (you see all passwords there)

I guess it refears to Management users.

winet · Thu Jul 04, 2019 5:59 am

i think, v6.45.1 still have security hole. this happened last night. it's v6.45.1, and had already created new user credential on it, removed the old one. and somehow, the router made a vpn interface with the old deleted user login.

xtrans · Thu Jul 04, 2019 6:19 am

This version is not automatically show captive portal on hotspot
I downgrade to 6.44.3 and fix.

winet · Thu Jul 04, 2019 6:35 am

ah got it, there is something on the system scheduler

Thu Jul 04, 2019 7:05 am

joserudi - Please send supout file to support@mikrotik.com. Generate file while the problem is present and name at least single user which does not get rate-limit;
LeftyTs, Ulypka, gepelbaum, nostromog, CharlyBrown, xtrans - Please send supout file to support@mikrotik.com. Generate file while the problem is present;
mserge - Make sure that you use Winbox 3.19. If the problem persists, then generate a new supout file on your router after failed Winbox login attempt and send it to support@mikrotik.com;
owsugde - Is it possible that you are using a certificate verification feature which was introduced in this release? "ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066)"
dlausch - Sound like you have the same problem as we did with Winbox. Also new iOS MikroTik mobile application update will be released very soon;

Everyone - Everyone who is experiencing RADIUS related problems with authentication since v6.45, we will soon release 6.46beta version with potential fix for the problem;
Everyone - Long-term version will be released as soon as possible. There is no ETA since everyone will want version as stable as possible. We can not simply name date and time when the version will be released. It depends on test results.

xtrans · Thu Jul 04, 2019 7:32 am

Requesting for /ip hotspot active Session time left to be editable.

bubniakz · Thu Jul 04, 2019 7:49 am

we use CRM, ISPadmin, which communicates with MKT by API, but when updating to 6.45.1
API doesnt work, because new API authentification is not implement in our CRM. It says
"killing PID 25009, API number exceeds the limit", but when downgrade to 6.44.3, which
worked with CRM prior and should have compatibility with old API authentification, it
doesnt work anymore and still have API error.

Log in MKT: "login failure via API"

thanks for help

buset1974 · Thu Jul 04, 2019 8:30 am

joserudi - Please send supout file to support@mikrotik.com. Generate file while the problem is present and name at least single user which does not get rate-limit;
LeftyTs, Ulypka, gepelbaum, nostromog, CharlyBrown, xtrans - Please send supout file to support@mikrotik.com. Generate file while the problem is present;
mserge - Make sure that you use Winbox 3.19. If the problem persists, then generate a new supout file on your router after failed Winbox login attempt and send it to support@mikrotik.com;
owsugde - Is it possible that you are using a certificate verification feature which was introduced in this release? "ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066)"
dlausch - Sound like you have the same problem as we did with Winbox. Also new iOS MikroTik mobile application update will be released very soon;

Everyone - Everyone who is experiencing RADIUS related problems with authentication since v6.45, we will soon release 6.46beta version with potential fix for the problem;
Everyone - Long-term version will be released as soon as possible. There is no ETA since everyone will want version as stable as possible. We can not simply name date and time when the version will be released. It depends on test results.

CCR1036-8G-2S+ , having random reboot by watchdog after upgrade to 6.45.1.
I have sent the supout file

thx

tesme33 · Thu Jul 04, 2019 8:42 am

Hi
im attaching the config. There is nothing fancy in. But once the package is downloaded only 60KiB are left on the flash.
And this is just not enough. Now i need to figure out how to upgrade ind. packages step by step. Never did this before.

In between i was upgrading a CCR1009. Works. But also no fancy config. Just routing,dhcp and firewall.

Hi
upgraded crs326 and one hap lite without issues : 6.43.3 --> 6.45.1
one hap lite wont upgrade. I suspect space problem, but there are no files on the system.

It's the oroblem with free memory. Devices with small flash (less than 64MB) download upgrade packages to RAM ... and for that some 12MB RAM should be free. Free RAM on your hAP lite is quite low ... do you have some large address list?

arsalansiddiqui · Thu Jul 04, 2019 8:56 am

Hi, i have upgraded my two RB750 to v6.45.1 and they are not let me access through api, and my 6.43.8, 6.44.3 is connecting to api normally, i'm using default port and i'm accessing in php.
Before upgrading i can connect both tiks with api.
Thanks

kanitelka · Thu Jul 04, 2019 9:14 am

After update 6.44.3->6.45.1 pptp-client doesn't work - connecting.... disconnecting....connecting.... disconnecting....
After downgrade 6.45.1->6.44.3 it works
i created gre input firewall rule and replaced over fasstrack. pptp-client connected. Solved

The problem is only with PPTP?

Reinis · Thu Jul 04, 2019 9:15 am

Hi, i have upgraded my two RB750 to v6.45.1 and they are not let me access through api, and my 6.43.8, 6.44.3 is connecting to api normally, i'm using default port and i'm accessing in php.
Before upgrading i can connect both tiks with api.
Thanks

https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

Chupaka · Thu Jul 04, 2019 10:35 am

but when downgrade to 6.44.3, which
worked with CRM prior and should have compatibility with old API authentification, it
doesnt work anymore and still have API error.

Log in MKT: "login failure via API"

thanks for help

When you upgraded to 6.45, plaintext passwords were removed. That's why you cannot use old login method on that router. You may try to recreate/reset password for API user on 6.44

mangust479 · Thu Jul 04, 2019 11:08 am

I updated 37 routers of different models, at all the error is observed: one core of CPU is loaded for 100% by process of routing, OSPF falls off when you come into the OSPF settings that there in general there is nothing. There is information when it is able to be corrected? I wrote to support already.

le1 · Thu Jul 04, 2019 11:32 am

Hello, I have problem with radius server authentication

hotspot,info,debug {MAC Address} (192.168.88.18): login failed: RADIUS server is not responding
hotspot,info,debug {MAC Address} (192.168.88.18): trying to log in by http-pap

arsalansiddiqui · Thu Jul 04, 2019 12:34 pm

Hi, i have upgraded my two RB750 to v6.45.1 and they are not let me access through api, and my 6.43.8, 6.44.3 is connecting to api normally, i'm using default port and i'm accessing in php.
Before upgrading i can connect both tiks with api.
Thanks
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

i did not understand it, what changes should i do to login ?

$API->connect($ip_address, $api_username, $api_password, $port );

arsalansiddiqui · Thu Jul 04, 2019 12:44 pm

me to, but i have problem on api, i can connect with winbox, but i can't login with API ( wrong password ). why?
Do you use new login style in API?
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login
I use CHR

Have you figure it out ?

Thu Jul 04, 2019 1:02 pm

@arsalansiddiqui you need to fix your API wrapper so that login parameters are sent as described in the wiki.
Here is another topic
viewtopic.php?f=9&t=136475

arsalansiddiqui · Thu Jul 04, 2019 1:22 pm

@arsalansiddiqui you need to fix your API wrapper so that login parameters are sent as described in the wiki.
Here is another topic
viewtopic.php?f=9&t=136475

I got it

tdw · Thu Jul 04, 2019 1:35 pm

we use CRM, ISPadmin, which communicates with MKT by API, but when updating to 6.45.1
API doesnt work, because new API authentification is not implement in our CRM. It says
"killing PID 25009, API number exceeds the limit", but when downgrade to 6.44.3, which
worked with CRM prior and should have compatibility with old API authentification, it
doesnt work anymore and still have API error.

Log in MKT: "login failure via API"

thanks for help

@bubniakz As stated in the release notes, and as noted here https://ispadmin.eu/en/mikrotik-api-in- ... t-working/

As 6.45.x erases passwords stored with the 'old' method of reversible encryption, after downgrading you will also have to recreate the password or restore from backup.

When upgrading firmware:
6.42.12 and prior: old method only -> 6.43.x & 6.44.x: old & new methods -> 6.45.x and later: new method only
When downgrading firmware:
6.45.x and later: new method only -> 6.43.x & 6.44.x: new method -> 6.42.12 and prior: no passwords

TDodger · Thu Jul 04, 2019 1:57 pm

I've read the thread, I seem to be the only one having problems with WebFig...
Upgraded from 6.44.3 to 6.45.1
WinBox worked/works fine, both 3.18 and 3.19
But when I use WebFig, it works only over http Port 80, not via https Port 443 which I normally use.
It says: ERROR: Not Found
But same user/password works via WinBox and http.
So I guess maybe a problem with my (self created) certificate? I didn't change anything in the config after upgrading to 6.45.1

nichky · Thu Jul 04, 2019 1:57 pm

*) dhcpv4-server - added "client-mac-limit" parameter;

which number over here goes?

owsugde · Thu Jul 04, 2019 2:06 pm

owsugde - Is it possible that you are using a certificate verification feature which was introduced in this release? "ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066)"

I don't think this is it, because a cold reboot done by the customer "fixed" it. At this time I don't know what it could have been really. For now, I went to longterm anyway, because RADIUS hotspot login by http-pap was disabled on stable somehow and we're using this.

Elans · Thu Jul 04, 2019 2:52 pm

It looks like Dude has problems with SNMP access.

snmpwalk to other Mikrotik device causes this to appear in log of target device
Code: Select all
10:22:24 snmp,debug unsupported v3 security level 
10:22:24 snmp,debug v3 err: 0 unsupported security
10:22:24 snmp,debug bad packet
and snmpwalk times out. We have LibreNMS set up for monitoring and it works fine as it did before.SNMP is set up as v3 private access.

Dude is updated to 6.45.1. It is hard to say whether Dude is the problem or RouterOS on the device itself...

spacex
nmt1900
Make sure that your monitored device "IP-SNMP communities" and The Dude "server settings" SNMP custom profile does not have any mismatch.

pe1chl · Thu Jul 04, 2019 3:01 pm

we use CRM, ISPadmin, which communicates with MKT by API, but when updating to 6.45.1
API doesnt work, because new API authentification is not implement in our CRM.

You should ask the creator of that software for an update, or investigate how it works and update it yourself.
(e.g. when it uses the wellknown PHP API you can update just that file)

nmt1900 · Thu Jul 04, 2019 3:25 pm

spacex
nmt1900
Make sure that your monitored device "IP-SNMP communities" and The Dude "server settings" SNMP custom profile does not have any mismatch.

There is no mismatch and these community settings have been used for long time. Only Dude fails and it worked fine with 6.44.3. After testing it looks like only way to get it work with Dude is to use SNMPv2c or SNMPv1.

Ulypka · Thu Jul 04, 2019 3:38 pm

joserudi - Please send supout file to support@mikrotik.com. Generate file while the problem is present and name at least single user which does not get rate-limit;
LeftyTs, Ulypka, gepelbaum, nostromog, CharlyBrown, xtrans - Please send supout file to support@mikrotik.com. Generate file while the problem is present;
mserge - Make sure that you use Winbox 3.19. If the problem persists, then generate a new supout file on your router after failed Winbox login attempt and send it to support@mikrotik.com;
owsugde - Is it possible that you are using a certificate verification feature which was introduced in this release? "ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066)"
dlausch - Sound like you have the same problem as we did with Winbox. Also new iOS MikroTik mobile application update will be released very soon;

Everyone - Everyone who is experiencing RADIUS related problems with authentication since v6.45, we will soon release 6.46beta version with potential fix for the problem;
Everyone - Long-term version will be released as soon as possible. There is no ETA since everyone will want version as stable as possible. We can not simply name date and time when the version will be released. It depends on test results.

It is exist Ticket:
[Ticket#2018101022007579]

fdk · Thu Jul 04, 2019 5:25 pm

Hi,

After upgrading to stable version, I lost access via my users' users even by reconfiguring the passwords. the pppoe server also stopped interpreting the maximum time set by the uptime AAA for the connections. I was forced to go back to version 4.43.16 which normalized.

llag · Thu Jul 04, 2019 5:51 pm

yesterday I upgrade the CRS317 and the CRS328 POE. Since the upgrade I have seen 70 flaps of the link between the 2. See also viewtopic.php?f=2&t=141633&p=738127&hil ... 3d#p738127
I used to see the link flap once a day or every few days on 6.44
Mikrotik, what is happening here?

machack · Thu Jul 04, 2019 6:41 pm

RouterOS version 6.45.1 has been released in public "stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45.1 (2019-Jun-27 10:23):

Important note!!!
Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.
Old API authentication method will also no longer work, see documentation for new login procedure:
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

MAJOR CHANGES IN v6.45.1:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
!) security - fixed vulnerabilities CVE-2018-1157, CVE-2018-1158;
!) security - fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479;
!) security - fixed vulnerability CVE-2019-13074;
!) user - removed insecure password storage;
----------------------

Changes in this release:

*) bridge - correctly display bridge FastPath status when vlan-filtering or dhcp-snooping is used;
*) bridge - correctly handle bridge host table;
*) bridge - fixed log message when hardware offloading is being enabled;
*) bridge - improved stability when receiving traffic over USB modem with bridge firewall enabled;
*) capsman - fixed CAP system upgrading process for MMIPS;
*) capsman - fixed interface-list usage in access list;
*) ccr - improved packet processing after overloading interface;
*) certificate - added "key-type" field;
*) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1);
*) certificate - fixed self signed CA certificate handling by SCEP client;
*) certificate - made RAM the default CRL storage location;
*) certificate - removed DSA (D) flag;
*) certificate - removed "set-ca-passphrase" parameter;
*) chr - legacy adapters require "disable-running-check=yes" to be set;
*) cloud - added "replace" parameter for backup "upload-file" command;
*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
*) conntrack - significant stability and performance improvements;
*) crs317 - fixed known multicast flooding to the CPU;
*) crs3xx - added ethernet tx-drop counter;
*) crs3xx - correctly display auto-negotiation information for SFP/SFP+ interfaces in 1Gbps rate;
*) crs3xx - fixed auto negotiation when 2-pair twisted cable is used (downshift feature);
*) crs3xx - fixed "tx-drop" counter;
*) crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305;
*) defconf - added "custom-script" field that prints custom configuration installed by Netinstall;
*) defconf - automatically set "installation" parameter for outdoor devices;
*) defconf - changed default configuration type to AP for cAP series devices;
*) defconf - fixed channel width selection for RU locked devices;
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcp - do not require lease and binding to have the same configuration for dual-stack queues;
*) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues;
*) dhcpv4-server - added "client-mac-limit" parameter;
*) dhcpv4-server - added IP conflict logging;
*) dhcpv4-server - added RADIUS accounting support with queue based statistics;
*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);
*) dhcpv4-server - improved stability when performing "check-status" command;
*) dhcpv4-server - replaced "busy" lease status with "conflict" and "declined";
*) dhcpv6-client - added option to disable rapid-commit;
*) dhcpv6-client - fixed status update when leaving "bound" state;
*) dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time";
*) dhcpv6-server - added "address-list" support for bindings;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters;
*) dhcpv6-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "route-distance" parameter;
*) dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server;
*) dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS;
*) discovery - correctly create neighbors from VLAN tagged discovery messages;
*) discovery - fixed CDP packets not including address on slave ports (introduced in v6.44);
*) discovery - improved neighbour's MAC address detection;
*) discovery - limit max neighbour count per interface based on total RAM memory;
*) discovery - show neighbors on actual mesh ports;
*) e-mail - include "message-id" identification field in e-mail header;
*) e-mail - properly release e-mail sending session if the server's domain name can not be resolved;
*) ethernet - added support for 25Gbps and 40Gbps rates;
*) ethernet - fixed running (R) flag not present on x86 interfaces and CHR legacy adapters;
*) ethernet - increased loop warning threshold to 5 packets per second;
*) fetch - added SFTP support;
*) fetch - improved user policy lookup;
*) firewall - fixed fragmented packet processing when only RAW firewall is configured;
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;
*) gps - fixed missing minus close to zero coordinates in dd format;
*) gps - make sure "direction" parameter is upper case;
*) gps - strip unnecessary trailing characters from "longtitude" and "latitude" values;
*) gps - use "serial0" as default port on LtAP mini;
*) hotspot - added "interface-mac" variable to HTML pages;
*) hotspot - moved "title" HTML tag after "meta" tags;
*) ike1 - adjusted debug packet logging topics;
*) ike2 - added support for ECDSA certificate authentication (rfc4754);
*) ike2 - added support for IKE SA rekeying for initiator;
*) ike2 - do not send "User-Name" attribute to RADIUS server if not provided;
*) ike2 - improved certificate verification when multiple CA certificates received from responder;
*) ike2 - improved child SA rekeying process;
*) ike2 - improved XAuth identity conversion on upgrade;
*) ike2 - prefer SAN instead of DN from certificate for ID payload;
*) ippool - improved logging for IPv6 Pool when prefix is already in use;
*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity;
*) ipsec - added "ph2-total" counter to "active-peers" menu;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
*) ipsec - added traffic statistics to "active-peers" menu;
*) ipsec - disallow setting "src-address" and "dst-address" for transport mode policies;
*) ipsec - do not allow adding identity to a dynamic peer;
*) ipsec - fixed policies becoming invalid after changing priority;
*) ipsec - general improvements in policy handling;
*) ipsec - properly drop already established tunnel when address change detected;
*) ipsec - renamed "remote-peers" to "active-peers";
*) ipsec - renamed "rsa-signature" authentication method to "digital-signature";
*) ipsec - replaced policy SA address parameters with peer setting;
*) ipsec - use tunnel name for dynamic IPsec peer name;
*) ipv6 - improved system stability when receiving bogus packets;
*) ltap - renamed SIM slots "up" and "down" to "2" and "3";
*) lte - added initial support for Vodafone R216-Z;
*) lte - added passthrough interface subnet selection;
*) lte - added support for manual operator selection;
*) lte - allow setting empty APN;
*) lte - allow to specify URL for firmware upgrade "firmware-file" parameter;
*) lte - do not show error message for info commands that are not supported;
*) lte - fixed session reactivation on R11e-LTE in UMTS mode;
*) lte - improved firmware upgrade process;
*) lte - improved "info" command query;
*) lte - improved R11e-4G modem operation;
*) lte - renamed firmware upgrade "path" command to "firmware-file" (CLI only);
*) lte - show alphanumeric value for operator info;
*) lte - show correct firmware revision after firmware upgrade;
*) lte - use default APN name "internet" when not provided;
*) lte - use secondary DNS for DNS server configuration;
*) m33g - added support for additional Serial Console port on GPIO headers;
*) ospf - added support for link scope opaque LSAs (Type 9) for OSPFv2;
*) ospf - fixed opaque LSA type checking in OSPFv2;
*) ospf - improved "unknown" LSA handling in OSPFv3;
*) ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066);
*) ppp - added initial support for Quectel BG96;
*) proxy - increased minimal free RAM that can not be used for proxy services;
*) rb3011 - improved system stability when receiving bogus packets;
*) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);
*) rb921 - improved system stability ("/system routerboard upgrade" required);
*) routerboard - renamed 'sim' menu to 'modem';
*) sfp - fixed S-35LC20D transceiver DDMI readouts after reboot;
*) sms - added USSD message functionality under "/tool sms" (CLI only);
*) sms - allow specifying multiple "allowed-number" values;
*) sms - improved delivery report logging;
*) snmp - added "dot1dStpPortTable" OID;
*) snmp - added OID for neighbor "interface";
*) snmp - added "write-access" column to community print;
*) snmp - allow setting interface "adminStatus";
*) snmp - fixed "send-trap" not working when "trap-generators" does not contain "temp-exception";
*) snmp - fixed "send-trap" with multiple "trap-targets";
*) snmp - improved reliability on SNMP service packet validation;
*) snmp - properly return multicast and broadcast packet counters for IF-MIB OIDs;
*) ssh - accept remote forwarding requests with empty hostnames;
*) ssh - added new "ssh-exec" command for non-interactive command execution;
*) ssh - fixed non-interactive multiple command execution;
*) ssh - improved remote forwarding handling (introduced in v6.44.3);
*) ssh - improved session rekeying process on exchanged data size threshold;
*) ssh - keep host keys when resetting configuration with "keep-users=yes";
*) ssh - use correct user when "output-to-file" parameter is used;
*) sstp - improved stability when received traffic hits tarpit firewall;
*) supout - added IPv6 ND section to supout file;
*) supout - added "kid-control devices" section to supout file;
*) supout - added "pwr-line" section to supout file;
*) supout - changed IPv6 pool section to output detailed print;
*) switch - properly reapply settings after switch chip reset;
*) tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only);
*) tile - improved link fault detection on SFP+ ports;
*) tr069-client - added LTE CQI and IMSI parameter support;
*) tr069-client - fixed potential memory corruption;
*) tr069-client - improved error reporting with incorrect firware upgrade XML file;
*) traceroute - improved stability when sending large ping amounts;
*) traffic-generator - improved stability when stopping traffic generator;
*) tunnel - removed "local-address" requirement when "ipsec-secret" is used;
*) userman - added support for "Delegated-IPv6-Pool" and "DNS-Server-IPv6-Address" (CLI only);
*) w60g - do not show unused "dmg" parameter;
*) w60g - prefer AP with strongest signal when multiple APs with same SSID present;
*) w60g - show running frequency under "monitor" command;
*) winbox - added "System/SwOS" menu for all dual-boot devices;
*) winbox - do not allow setting "dns-lookup-interval" to "0";
*) winbox - show "LCD" menu only on boards that have LCD screen;
*) wireless - fixed frequency duplication in the frequency selection menu;
*) wireless - fixed incorrect IP header for RADIUS accounting packet;
*) wireless - improved 160MHz channel width stability on rb4011;
*) wireless - improved DFS radar detection when using non-ETSI regulated country;
*) wireless - improved installation mode selection for wireless outdoor equipment;
*) wireless - set default SSID and supplicant-identity the same as router's identity;
*) wireless - updated "china" regulatory domain information;
*) wireless - updated "new zealand" regulatory domain information;
*) www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473);

What's new in 6.45 (2019-Jun-21 09:00):

(factory only release)

What's new in 6.44.4 (2019-May-09 12:14):

(factory only release)

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this particular RouterOS release.

After Upgrade 6.45.1.... My DHCP server dosent work anymore.. use radius to validate.... roolback...

maxsaf · Thu Jul 04, 2019 7:10 pm

On my CRS317-1G-16S+ i see in log "timeout while waiting for program 16" and "timeout while waiting for program 20".
Also errors "login failure for user admin from (Dude IP) via dude"

seregaelcin · Thu Jul 04, 2019 8:49 pm

No need to...
Just enable ip firewall service ports pptp NAT helper... It's been mentioned so many timees in here...

Thank, i didn't know

petrb · Thu Jul 04, 2019 9:34 pm

After Upgrade 6.45.1.... My DHCP server dosent work anymore.. use radius to validate.... roolback...

Fix in 6.46beta

chubbs596 · Fri Jul 05, 2019 7:49 am

Hi Mikrotik support

I have also send a support email for this.

We make use of the Auto upgrade feature we have the necesary upgrade files hosted on a central router with a user upgrade added for the Auto upgrade purpose
We add the below on all client routers, and with scripts and schedulers we daily check for upgrades,

This way we can choose when to upgrade our routers by just uploading new files to the central router and the next shcheduled run all routers shecduled will upgrade

/system upgrade upgrade-package-source
add address=x.x.x.x user=upgrade

Now since 6.45.1 we get authentication issues. we get below in the logs

06:05:36 system,error,critical login failure for user upgrade from x.x.x.x via winbox
06:05:36 system,error,critical login failure for user upgrade from x.x.x.x via winbox

Before we were running 6.44.3 with no issues we got below in the logs

02:00:00 system,info,account user upgrade logged in from x.x.x.x via winbox
02:00:00 system,info,account user upgrade logged in from x.x.x.x via winbox

le1 · Fri Jul 05, 2019 7:57 am

Hello, I have problem with radius server authentication

hotspot,info,debug {MAC Address} (192.168.88.18): login failed: RADIUS server is not responding
hotspot,info,debug {MAC Address} (192.168.88.18): trying to log in by http-pap

When will you fix this problem?

emils · Fri Jul 05, 2019 8:27 am

RADIUS authentication issue is already fixed in the latest beta. We will try to release a new stable version next week with a few fixes.

Elans · Fri Jul 05, 2019 8:42 am

spacex
nmt1900
Make sure that your monitored device "IP-SNMP communities" and The Dude "server settings" SNMP custom profile does not have any mismatch.
There is no mismatch and these community settings have been used for long time. Only Dude fails and it worked fine with 6.44.3. After testing it looks like only way to get it work with Dude is to use SNMPv2c or SNMPv1.

Can not reproduce your described problem, only with mismatched configuration. Have you tried to create new SNMP profile in The Dude and/or IP-SNMP communities? There must be something specific, if problem persist, you may try to send your supout.rif file to support@mikrotik.com.

skylark · Fri Jul 05, 2019 8:43 am

The issue with login via auto-upgrade feature is reproduced and will be fixed in upcoming RouterOS versions.

nostromog · Fri Jul 05, 2019 9:31 am

It hangs in some initial script that tries to modify ipsec policies depending on dynamic local ip, it hangs on "/ export" or "/ip ipsec <whatever>". I can't generate a supout because it hangs
Have you tried to reset the machine to defaults before or better after upgrade to 6.45.1 and then manually create the IPsec configuration from the export rather than letting the upgrade script do that? This clearly cannot be used on the production machine but it should at least confirm that the IPsec part is the trigger, so you could be able to remove the IPsec configuration on the production machine before the upgrade if you can provide some other means to access it remotely (ssh, https) and recreate the IPsec part after the upgrade.

Thanks!!! It had not occurred to me that this might work, because when it first happened I downgraded, disabled the security package and upgraded again in the hope that this would allow me to re-enable and proceed. This worked, but re-enabling brought back the problem.

This machine is production but not really remote, no concern about loosing access. The only concern was downtime, but I did the whole operation yesterday during the night.

I did what you suggested: upgraded, went back to default configuration, re-executed the relevant parts of the export and I'm now in 6.45.1 I tried to restore a backup before but the problem reproduced, so re-executing from a export script was the winner.

The suggestion from support to netinstall would have amounted to much more work: first netinstall itself, then re-creating the configuration in exactly the same way, so basically I would have done to do the same.

Other than that, a support.rif of the state before upgrade should be enough for support to simulate the same process at their end.

Support did not asked me that, but they could find the problem (some corruption of the configuration created by some previous version, maybe a test with a beta) just by looking into a backup.

chubbs596 · Fri Jul 05, 2019 9:57 am

The issue with login via auto-upgrade feature is reproduced and will be fixed in upcoming RouterOS versions.

Thanks Guys

NetVicious · Fri Jul 05, 2019 11:26 am

As I posted before I had (as others) problems with GRE with this new version of RouterOS. In my case I'm using pptp VPN tunnels.
I have a master router acting as pptp Server and some other devices acting as pptp client.
2 of that clients had problems trying to connect to the pptp server after the 6.45.1 upgrade. After a downgrade all was OK another time. 3 other clients with the same configuration and hardware had no problems after the upgrade. So something strange was somewhere.

I discovered the problem was on the helper service for the pptp service on

IP / Firewall / Service Ports

On the routers with problems I had on the pptp item the 1723 port. That item was in red. That show me the tip to try removing the port on that item. I don't remember to add that port so it should be there from a lot of years ago when it was a default setting.

After that change pptp worked perfectly another time after the 6.45.1 upgrade.

Obviously this fix should work only for pptp VPN tunnels. For other setups that use GRE you should add ONE of the fixes posted on this thread:

/ip firewall filter add chain=input action=accept protocol=gre src-address=
/ip firewall raw add action=notrack chain=prerouting protocol=gre

GambarottoM · Fri Jul 05, 2019 12:35 pm

Hi everyone,

I have a problem with queue and idle timeout in my default profile with radius authaticated users.

When a user try to login with the radius authetication (this one works for me), he will use my default user profile.
BUT he won't get my custom IDLE-TIMEOUT and won't create a NEW QUEUE in queues list, that are both in my user default profile.

If I use a local user with the same user profile, I don't have this problem.
If I use different parameters, I tried for example "keepalive-timeout", they will work as usual.

I don't know why, but these two paramethers are skipped in the authetication process with radius.
In addition to that my radius doesn't provide these two paramethers...

Problem only in v.6.45.1, in v6.44.3 (my previous version) all ok.

Thanks

nmt1900 · Fri Jul 05, 2019 12:51 pm

spacex
nmt1900
Make sure that your monitored device "IP-SNMP communities" and The Dude "server settings" SNMP custom profile does not have any mismatch.
There is no mismatch and these community settings have been used for long time. Only Dude fails and it worked fine with 6.44.3. After testing it looks like only way to get it work with Dude is to use SNMPv2c or SNMPv1.
Can not reproduce your described problem, only with mismatched configuration. Have you tried to create new SNMP profile in The Dude and/or IP-SNMP communities? There must be something specific, if problem persist, you may try to send your supout.rif file to support@mikrotik.com.

Problem persists even after SNMP settings are reconfigured on both sides - this has been tested on RB450Gx4, RB750Gr3 and CHR as Dude servers (3 different architectures). I sent supout files.

buset1974 · Fri Jul 05, 2019 1:39 pm

having problem upgrading hAP lite to 6.45.1 from 6.44.2

"system, error not enough space for upgrade."

thx

mkx · Fri Jul 05, 2019 2:00 pm

having problem upgrading hAP lite to 6.45.1 from 6.44.2

"system, error not enough space for upgrade."

In order to upgrade ROS, your hAP lite needs at least some 14MB RAM free (possibly even more) and around 1MB hdd free. Both are displayed using command /system resource print (fields free-memory and free-hdd-space respectively).

If your RAM is low, try to reboot device (in case there are some processes which incrementally consume RAM, such as connection tracking or dynamic address lists). If hdd is low, try to remove some files which might occupy space - check output of /file print).

le1 · Fri Jul 05, 2019 3:08 pm

RADIUS authentication issue is already fixed in the latest beta. We will try to release a new stable version next week with a few fixes.

Thnx a lot

dk5980 · Fri Jul 05, 2019 3:30 pm

I am having 350 plus hotspot locations as my clients and hAP lite is being used almost @ 50 locations, and they got updated automatic. Now from every of those location I am getting complaints that hotspot login page is not coming automatically. user need to put the hotspot gateway ip or hotspot dns address in address bar of browser.

please resolve it ASAP, or suggest some work around.

I am having no such problem in rb850gx2, or rb450 or even hAP AC lite, all other routers are seems ok with this upgrade with as hotspot gateway.

freemannnn · Fri Jul 05, 2019 3:43 pm

I am having 350 plus hotspot locations as my clients and hAP lite is being used almost @ 50 locations, and they got updated automatic. Now from every of those location I am getting complaints that hotspot login page is not coming automatically. user need to put the hotspot gateway ip or hotspot dns address in address bar of browser.

please resolve it ASAP, or suggest some work around.

I am having no such problem in rb850gx2, or rb450 or even hAP AC lite, all other routers are seems ok with this upgrade with as hotspot gateway.

updated automatic????? there is not such option in ros. maybe you have a script that does that. disable it.
why you update all business customers at once at the first day of ROS release? update one check-wait everything is ok and after do the others.
when something works dont touch it!

STEPHANVS · Fri Jul 05, 2019 3:48 pm

Download/Upload counters showed way off values in interface window, zero activity on my transmission server, higher CPU usage. All on an RB951G-2HnD. Rolled back to 6.44.3 for now.

dk5980 · Fri Jul 05, 2019 4:49 pm

I am having 350 plus hotspot locations as my clients and hAP lite is being used almost @ 50 locations, and they got updated automatic. Now from every of those location I am getting complaints that hotspot login page is not coming automatically. user need to put the hotspot gateway ip or hotspot dns address in address bar of browser.

please resolve it ASAP, or suggest some work around.

I am having no such problem in rb850gx2, or rb450 or even hAP AC lite, all other routers are seems ok with this upgrade with as hotspot gateway.

updated automatic????? there is not such option in ros. maybe you have a script that does that. disable it.
why you update all business customers at once at the first day of ROS release? update one check-wait everything is ok and after do the others.
when something works dont touch it!

Yes, because of script.
I did not run the script on first day, it was yesterday, and till then nobody complained the issue. Yesterday evening when i got to know the issue from several clients one by one etc then I took the notice. because other than hAP lite router, no one else complained till now and everything is working fine in them.

Please suggest me something . I cant make downgrade them.

bnw · Fri Jul 05, 2019 5:23 pm

*) fetch - added SFTP support;

Good news !
Any way to use SSH key instead of password for login phase ?
Thank you !

osc86 · Fri Jul 05, 2019 5:39 pm

Any updates regarding the SNMPv3 PrivAuth <-> Dude Issue?
For sure there's something wrong, I set up a new dude server and this "bad packet" error happens on all my devices running 6.45.1, LibreNMS works fine, though.

NetVicious · Fri Jul 05, 2019 7:28 pm

Yes, because of script.
I did not run the script on first day, it was yesterday, and till then nobody complained the issue. Yesterday evening when i got to know the issue from several clients one by one etc then I took the notice. because other than hAP lite router, no one else complained till now and everything is working fine in them.

Please suggest me something . I cant make downgrade them.

You have remote access from your office to each device?
You can launch within the RouterOS api a downgrade command for each device at the same time.
I don't have the downgrade option on my mtkManager but it can be easily added.

nostromog · Fri Jul 05, 2019 8:25 pm

In order to upgrade ROS, your hAP lite needs at least some 14MB RAM free (possibly even more) and around 1MB hdd free. Both are displayed using command /system resource print (fields free-memory and free-hdd-space respectively).

If your RAM is low, try to reboot device (in case there are some processes which incrementally consume RAM, such as connection tracking or dynamic address lists). If hdd is low, try to remove some files which might occupy space - check output of /file print).

I wonder if those two short paragraphs by mkx should be present as a footnote in every new release announcement, subtituting hAP lite -> device

It would save some bad experience for users, and some work for support.

vb99 · Fri Jul 05, 2019 9:20 pm

my web proxy not work on this version. may somebody give me help?

waeel · Sat Jul 06, 2019 12:40 am

Hi support
When update 6.45.1 dont log in via api user or password erro
can you help me pls

sindy · Sat Jul 06, 2019 12:55 am

read previous posts in this topic, search for "api".

eworm · Sat Jul 06, 2019 1:00 am

I have serve issues with all my IPSec responders. As far as I can tell about half of my IPSec initiator devices do not get addresses from mode-config.
Not sure about the details. Anybody else seen this?

One after another the IPSec links came up without any configuration change. Finally today (after four days) every single link is up.
I can no longer reproduce - this looks as reliable as before the update. My guess is that any state data was corrupted on update and replaced successively later on.

Grant · Sat Jul 06, 2019 9:10 am

Hello!
after upgrading to version 6.45.1, power wi-fi lowered, permanent disconnects appeared, especially in the next room
device hAP ac lite

tesme33 · Sat Jul 06, 2019 2:10 pm

In order to upgrade ROS, your hAP lite needs at least some 14MB RAM free (possibly even more) and around 1MB hdd free. Both are displayed using command /system resource print (fields free-memory and free-hdd-space respectively).

If your RAM is low, try to reboot device (in case there are some processes which incrementally consume RAM, such as connection tracking or dynamic address lists). If hdd is low, try to remove some files which might occupy space - check output of /file print).
I wonder if those two short paragraphs by mkx should be present as a footnote in every new release announcement, subtituting hAP lite -> device It would save some bad experience for users, and some work for support.

Hi @nostromog
i would say even with the paragraphs you are not able to make the upgrade.
I have no files at all on my haplite (2 pcs) and only a minimal config. One worked and one not.
So what now ?

salah · Sat Jul 06, 2019 3:02 pm

hi,
I upgrade my router from 6.43 to 6.45.1

i get a problem when I connect my laptop (win10) with 802.1x authentication to the router with dot1x server and user-manager enabled.

authentication method: Microsoft PEAP
secured pass: (EAP-MSCHAP V2)

I get this error (unknown authentication algorithm )

log:

salah · Sat Jul 06, 2019 3:09 pm

having problem upgrading hAP lite to 6.45.1 from 6.44.2

"system, error not enough space for upgrade."

thx

copy everything from file to your computer, upgrade your router and get your file back to the router after upgrade .

pe1chl · Sat Jul 06, 2019 4:29 pm

having problem upgrading hAP lite to 6.45.1 from 6.44.2
copy everything from file to your computer, upgrade your router and get your file back to the router after upgrade .

When you have files on your hAP lite, you are doing something wrong! This is a low-end router that is not supposed to have files on it. There is no space.
I booted my hAP lite (which is not in active use) and upgraded it from 6.44.3 to 6.45.1 without any problem.
Before the upgrade it had 8mb RAM free and apparently that is enough.

dk5980 · Sat Jul 06, 2019 5:17 pm

Yes, because of script.
I did not run the script on first day, it was yesterday, and till then nobody complained the issue. Yesterday evening when i got to know the issue from several clients one by one etc then I took the notice. because other than hAP lite router, no one else complained till now and everything is working fine in them.

Please suggest me something . I cant make downgrade them.
You have remote access from your office to each device?
You can launch within the RouterOS api a downgrade command for each device at the same time.
I don't have the downgrade option on my mtkManager but it can be easily added.

Where I may get this mtkManager ?

Iwanche · Sat Jul 06, 2019 8:49 pm

Does someone have a problem with mac telnet login via neighbours?

Won't login with any user and pass or without pass, nor admin..

mahadiapps · Sat Jul 06, 2019 10:07 pm

Dear Sir,

I have CCR 1036 8G-2S+ Router. When Router os update V6.45.1 ( stable) this code doesn't working, or login mikrotik router how to change please help.

<?php
/*****************************
 *
 * RouterOS PHP API class v1.5
 * Author: Denis Basta
 * Contributors:
 *    Nick Barnes
 *    Ben Menking (ben [at] infotechsc [dot] com)
 *    Jeremy Jefferson (http://jeremyj.com)
 *    Cristian Deluxe (djcristiandeluxe [at] gmail [dot] com)
 *
 * http://www.mikrotik.com
 * http://wiki.mikrotik.com/wiki/API_PHP_class
 *
 ******************************/

class routeros_api
{
    var $debug = false;      // Show debug information
    var $error_no;           // Variable for storing connection error number, if any
    var $error_str;          // Variable for storing connection error text, if any
    var $attempts = 5;       // Connection attempt count
    var $connected = true;  // Connection state
    var $delay = 3;          // Delay between connection attempts in seconds
    var $port = 8728;        // Port to connect to
    var $timeout = 3;        // Connection attempt timeout and data read timeout
    var $socket;             // Variable for storing socket resource
    
    /**
     * Print text for debug purposes
     *
     * @param string      $text       Text to print
     *
     * @return void
     */
    function debug($text)
    {
        if ($this->debug)
            echo $text . "\n";
    }
	
	
    /**
     * 
     *
     * @param string        $length
     *
     * @return void
     */
    function encode_length($length)
    {
        if ($length < 0x80) {
            $length = chr($length);
        } else if ($length < 0x4000) {
            $length |= 0x8000;
            $length = chr(($length >> 8) & 0xFF) . chr($length & 0xFF);
        } else if ($length < 0x200000) {
            $length |= 0xC00000;
            $length = chr(($length >> 16) & 0xFF) . chr(($length >> 8) & 0xFF) . chr($length & 0xFF);
        } else if ($length < 0x10000000) {
            $length |= 0xE0000000;
            $length = chr(($length >> 24) & 0xFF) . chr(($length >> 16) & 0xFF) . chr(($length >> 8) & 0xFF) . chr($length & 0xFF);
        } else if ($length >= 0x10000000)
            $length = chr(0xF0) . chr(($length >> 24) & 0xFF) . chr(($length >> 16) & 0xFF) . chr(($length >> 8) & 0xFF) . chr($length & 0xFF);
        return $length;
    }
	
	
    /**
     * Login to RouterOS
     *
     * @param string      $ip         Hostname (IP or domain) of the RouterOS server
     * @param string      $login      The RouterOS username
     * @param string      $password   The RouterOS password
     *
     * @return boolean                If we are connected or not
     */
    function connect($ip, $login, $password)
    {
        for ($ATTEMPT = 1; $ATTEMPT <= $this->attempts; $ATTEMPT++) {
            $this->connected = false;
            $this->debug('Connection attempt #' . $ATTEMPT . ' to ' . $ip . ':' . $this->port . '...');
            $this->socket = @fsockopen($ip, $this->port, $this->error_no, $this->error_str, $this->timeout);
            if ($this->socket) {
                socket_set_timeout($this->socket, $this->timeout);
                $this->write('/login');
                $RESPONSE = $this->read(false);
                if ($RESPONSE[0] == '!done') {
                    $MATCHES = array();
                    if (preg_match_all('/[^=]+/i', $RESPONSE[1], $MATCHES)) {
                        if ($MATCHES[0][0] == 'ret' && strlen($MATCHES[0][1]) == 32) {
                            $this->write('/login', false);
                            $this->write('=name=' . $login, false);
                            $this->write('=response=00' . md5(chr(0) . $password . pack('H*', $MATCHES[0][1])));
                            $RESPONSE = $this->read(false);
                            if ($RESPONSE[0] == '!done') {
                                $this->connected = true;
                                break;
                            }
                        }
                    }
                }
                fclose($this->socket);
            }
            sleep($this->delay);
        }
        if ($this->connected)
            $this->debug('Connected...');
        else
            $this->debug('Error...');
        return $this->connected;
    }
	
	
    /**
     * Disconnect from RouterOS
     *
     * @return void
     */
    function disconnect()
    {
        fclose($this->socket);
        $this->connected = false;
        $this->debug('Disconnected...');
    }
	
	
    /**
     * Parse response from Router OS
     *
     * @param array       $response   Response data
     *
     * @return array                  Array with parsed data
     */
    function parse_response($response)
    {
        if (is_array($response)) {
            $PARSED      = array();
            $CURRENT     = null;
            $singlevalue = null;
            foreach ($response as $x) {
                if (in_array($x, array(
                    '!fatal',
                    '!re',
                    '!trap'
                ))) {
                    if ($x == '!re') {
                        $CURRENT =& $PARSED[];
                    } else
                        $CURRENT =& $PARSED[$x][];
                } else if ($x != '!done') {
                    $MATCHES = array();
                    if (preg_match_all('/[^=]+/i', $x, $MATCHES)) {
                        if ($MATCHES[0][0] == 'ret') {
                            $singlevalue = $MATCHES[0][1];
                        }
						$CURRENT[$MATCHES[0][0]] = (isset($MATCHES[0][1]) ? $MATCHES[0][1] : '');
					}
                }
            }
            if (empty($PARSED) && !is_null($singlevalue)) {
                $PARSED = $singlevalue;
            }
            return $PARSED;
        } else
            return array();
    }
	
	
    /**
     * Parse response from Router OS
     *
     * @param array       $response   Response data
     *
     * @return array                  Array with parsed data
     */
    function parse_response4smarty($response)
    {
        if (is_array($response)) {
            $PARSED  = array();
            $CURRENT = null;
            $singlevalue = null;
            foreach ($response as $x) {
                if (in_array($x, array(
                    '!fatal',
                    '!re',
                    '!trap'
                ))) {
                    if ($x == '!re')
                        $CURRENT =& $PARSED[];
                    else
                        $CURRENT =& $PARSED[$x][];
                } else if ($x != '!done') {
                    $MATCHES = array();
                    if (preg_match_all('/[^=]+/i', $x, $MATCHES)) {
                        if ($MATCHES[0][0] == 'ret') {
                            $singlevalue = $MATCHES[0][1];
                        }
                        $CURRENT[$MATCHES[0][0]] = (isset($MATCHES[0][1]) ? $MATCHES[0][1] : '');
					}
                }
            }
            foreach ($PARSED as $key => $value) {
                $PARSED[$key] = $this->array_change_key_name($value);
            }
            return $PARSED;
            if (empty($PARSED) && !is_null($singlevalue)) {
                $PARSED = $singlevalue;
            }
        } else {
            return array();
        }
    }
	
	
    /**
     * Change "-" and "/" from array key to "_"
     *
     * @param array       $array      Input array
     *
     * @return array                  Array with changed key names
     */
    function array_change_key_name(&$array)
    {
        if (is_array($array)) {
            foreach ($array as $k => $v) {
                $tmp = str_replace("-", "_", $k);
                $tmp = str_replace("/", "_", $tmp);
                if ($tmp) {
                    $array_new[$tmp] = $v;
                } else {
                    $array_new[$k] = $v;
                }
            }
            return $array_new;
        } else {
            return $array;
        }
    }
	
	
    /**
     * Read data from Router OS
     *
     * @param boolean     $parse      Parse the data? default: true
     *
     * @return array                  Array with parsed or unparsed data
     */
    function read($parse = true)
    {
        $RESPONSE = array();
        $receiveddone = false;
        while (true) {
            // Read the first byte of input which gives us some or all of the length
            // of the remaining reply.
            $BYTE   = ord(fread($this->socket, 1));
            $LENGTH = 0;
            // If the first bit is set then we need to remove the first four bits, shift left 8
            // and then read another byte in.
            // We repeat this for the second and third bits.
            // If the fourth bit is set, we need to remove anything left in the first byte
            // and then read in yet another byte.
            if ($BYTE & 128) {
                if (($BYTE & 192) == 128) {
                    $LENGTH = (($BYTE & 63) << 8) + ord(fread($this->socket, 1));
                } else {
                    if (($BYTE & 224) == 192) {
                        $LENGTH = (($BYTE & 31) << 8) + ord(fread($this->socket, 1));
                        $LENGTH = ($LENGTH << 8) + ord(fread($this->socket, 1));
                    } else {
                        if (($BYTE & 240) == 224) {
                            $LENGTH = (($BYTE & 15) << 8) + ord(fread($this->socket, 1));
                            $LENGTH = ($LENGTH << 8) + ord(fread($this->socket, 1));
                            $LENGTH = ($LENGTH << 8) + ord(fread($this->socket, 1));
                        } else {
                            $LENGTH = ord(fread($this->socket, 1));
                            $LENGTH = ($LENGTH << 8) + ord(fread($this->socket, 1));
                            $LENGTH = ($LENGTH << 8) + ord(fread($this->socket, 1));
                            $LENGTH = ($LENGTH << 8) + ord(fread($this->socket, 1));
                        }
                    }
                }
            } else {
                $LENGTH = $BYTE;
            }
            // If we have got more characters to read, read them in.
            if ($LENGTH > 0) {
                $_      = "";
                $retlen = 0;
                while ($retlen < $LENGTH) {
                    $toread = $LENGTH - $retlen;
                    $_ .= fread($this->socket, $toread);
                    $retlen = strlen($_);
                }
                $RESPONSE[] = $_;
                $this->debug('>>> [' . $retlen . '/' . $LENGTH . '] bytes read.');
            }
            // If we get a !done, make a note of it.
            if ($_ == "!done")
                $receiveddone = true;
            $STATUS = socket_get_status($this->socket);
            if ($LENGTH > 0)
                $this->debug('>>> [' . $LENGTH . ', ' . $STATUS['unread_bytes'] . ']' . $_);
            if ((!$this->connected && !$STATUS['unread_bytes']) || ($this->connected && !$STATUS['unread_bytes'] && $receiveddone))
                break;
        }
        if ($parse)
            $RESPONSE = $this->parse_response($RESPONSE);
        return $RESPONSE;
    }
	
	
    /**
     * Write (send) data to Router OS
     *
     * @param string      $command    A string with the command to send
     * @param mixed       $param2     If we set an integer, the command will send this data as a "tag"
     *                                If we set it to boolean true, the funcion will send the comand and finish
     *                                If we set it to boolean false, the funcion will send the comand and wait for next command
     *                                Default: true
     *
     * @return boolean                Return false if no command especified
     */
    function write($command, $param2 = true)
    {
        if ($command) {
            $data = explode("\n", $command);
            foreach ($data as $com) {
                $com = trim($com);
                fwrite($this->socket, $this->encode_length(strlen($com)) . $com);
                $this->debug('<<< [' . strlen($com) . '] ' . $com);
            }
            if (gettype($param2) == 'integer') {
                fwrite($this->socket, $this->encode_length(strlen('.tag=' . $param2)) . '.tag=' . $param2 . chr(0));
                $this->debug('<<< [' . strlen('.tag=' . $param2) . '] .tag=' . $param2);
            } else if (gettype($param2) == 'boolean')
                fwrite($this->socket, ($param2 ? chr(0) : ''));
            return true;
        } else
            return false;
    }
	
	
    /**
     * Write (send) data to Router OS
     *
     * @param string      $com        A string with the command to send
     * @param array       $arr        An array with arguments or queries
     *
     * @return array                  Array with parsed
     */
    function comm($com, $arr = array())
    {
        $count = count($arr);
        $this->write($com, !$arr);
        $i = 0;
        foreach ($arr as $k => $v) {
            switch ($k[0]) {
                case "?":
                    $el = "$k=$v";
                    break;
                case "~":
                    $el = "$k~$v";
                    break;
                default:
                    $el = "=$k=$v";
                    break;
            }
            $last = ($i++ == $count - 1);
            $this->write($el, $last);
        }
        return $this->read();
    }
}
?>