v7.10, 7.10.1 and more [stable] are released!

Thu Jun 15, 2023 2:31 pm

RouterOS version 7.10 has been released in the "v7 stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.10.2 (2023-Jul-12 12:45):

*) wifiwave2 - fixed interface hangs on IPQ6010-based boards (introduced in v7.9);

What's new in 7.10.1 (2023-Jun-27 12:03):

*) ovpn - fixed OVPN server peer-id negotiation;
*) webfig - use router time zone for date and time;

What's new in 7.10 (2023-Jun-15 08:17):

!) ipv6 - fixed DNS server processing by IPv6/ND services (CVE-2023-32154);
!) route - added BFD;
*) bgp - allow to filter BGP sessions by AFI;
*) bgp - changed default VPNv4 import distance to iBGP value (200);
*) bgp - do not check route distinguisher on import;
*) bgp - fixed "as-override" and rename to "output.as-override";
*) bgp - fixed "remove-private-as" and rename to "output.remove-private.as";
*) bgp - show address family in advertisements;
*) bgp - show approximate received prefix count by the session;
*) branding - fixed custom logo (introduced in v7.8 );
*) bridge - fixed HW offloaded STP state on port disable;
*) bridge - fixed HW offloading for vlan-filtered bridge on devices with multiple switches (introduced in v7.8 );
*) bridge - fixed incorrect host moving between ports with enabled FastPath;
*) certificate - fixed displaying of certificate serial number;
*) certificate - improved error reporting for Let's Encrypt certificate;
*) certificate - restore available "key-usage" property options;
*) conntrack - added read-only "active-ipv4" and "active-ipv6" fields to "/ip/firewall/connection/tracking" (CLI only);
*) console - added timeout error for configuration export;
*) console - changed time format according to ISO standard;
*) console - disable output when using "as-value" parameter;
*) console - fixed ":terminal inkey" input when resizing terminal;
*) console - fixed "print without-paging" output in some cases;
*) console - hide past commands with sensitive arguments;
*) console - improved stability when using command completion;
*) container - fixed "container pull" to support OCI manifest format;
*) container - fixed crash due to missing system directories;
*) container - improved default internal environment values;
*) defconf - allow to use device factory preset credentials in Flashfig and Netinstall configuration files;
*) defconf - fixed default configuration for RBSXTLTE3-7;
*) dhcp-server - fixed accounting on RADIUS interim update;
*) dhcpv4-server - added name for "IPv6-Only Preferred" option (108) in debug logs;
*) doh - less verbose logging;
*) firewall - added "endpoint-independent-nat" support;
*) firewall - added "nth" option for IPv6 firewall;
*) gps - expose GPS port for Quectel RM520N-GL;
*) ike2 - improved child SA delete request processing;
*) iot - added option to send Modbus function code commands directly from RouterOS (CLI only);
*) ipsec - added hardware acceleration support for IPQ-5010 (hAP ax lite);
*) ipsec - refactor public key authentication;
*) ipsec - removed "ec2n185" and "ec2n155" values from proposal configurations;
*) ipv6 - fixed IPv6 address removal;
*) l3hw - added "autorestart" option to L3HW settings;
*) l3hw - added advanced configuration options for fine-tuning the L3HW offload (l3hw-settings are cleared after upgrade or downgrade) (CLI only);
*) l3hw - added error message and reset "l3-hw-offloading=no" if L3HW driver fails to start;
*) l3hw - added monitoring options for L3HW utilization (CLI only);
*) l3hw - fixed /32 route deletion;
*) l3hw - fixed IPv6 ECMP route offloading;
*) l3hw - fixed offloading of /32 IPv4 and /128 IPv6 routes;
*) l3hw - fixed route table offloading during large volume of route updates;
*) l3hw - improved host and nexthop offloading;
*) l3hw - improved offloading of IPv6 hosts after L3HW driver restart;
*) l3hw - improved performance of partial offloading;
*) l3hw - improved route offloading after gateway change;
*) l3hw - improved system stability for partial routing table offload;
*) leds - fixed modem RAT mode indication on hAP ac^3 LTE6 WPS mode button LEDs;
*) lora - improved gateway card detection and upgrade logic;
*) lora - updated firmware version for LoRaWAN gateway (for R11e-LoRa8, R11e-LoRa9 cards);
*) lte - added serving cell query for MBIM modems with necessary MBIM extension;
*) lte - disable DHCP request filtering (UDP port 67) for Chateau 5G;
*) lte - fixed APN authentication for R11e-LTE6 modem;
*) lte - fixed Google Pixel 7 tethering support;
*) lte - improved MBIM modem firmware reported error handling when settings RAT modes;
*) lte - improved modem firmware upgrade stability for MBIM modems;
*) lte - improved stability for Chateau 5G LTE modem firmware upgrade;
*) lte - reduced SIM slot switchover time for MBIM modems with UUIC reset support;
*) lte - stop "cell-monitor" on LTE interface configuration change for MBIM modems;
*) mpls - added FastPath support;
*) netwatch - added warning about non-running probe due to "startup-delay" (CLI only);
*) ovpn - added initial support for V2 data transfer protocol;
*) ovpn - improved system stability;
*) poe - fixed bogous "poe-in-voltage" values when using DC jack for RB5009;
*) pppoe - fixed PPPoE client scan when server is sending PADO messages without Service-Name tag;
*) qos-hw - added QoS marking support for 98DXxxxx switches (CLI only);
*) qos-hw - renamed VLAN "priority" field to "pcp" to avoid confusion;
*) rose-storage - added support for multiple smb users and smb shares;
*) route - improved system stability when removing multicast forwarding entries;
*) routerboard - fixed memory test on CCR2116-12G-4S+ ("/system routerboard upgrade" required);
*) routerboard - improved RouterBOOT stability for Alpine CPUs ("/system routerboard upgrade" required);
*) routerboot - increased "preboot-etherboot" maximum value to 30 seconds ("/system routerboard upgrade" required);
*) scheduler - fixed incorrectly started scheduler during reboot or shutdown;
*) sfp - fixed "rate" monitor value for SFP interface on L009UiGS series devices;
*) sfp - fixed combo-ether link monitor for CRS328-4C-20S-4S+ switch;
*) sfp - fixed combo-sfp linking at 1G rate for CRS312 switch;
*) sfp - improved 10G interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 based switches;
*) sfp - improved module compatibility with bad EEPROM data for RB4011, RB5009, CCR2xxx, CRS312 and CRS518 devices;
*) sfp - improved Q/SFP interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 switches;
*) sfp - improved SFP interface handling for RB4011, RB5009, CCR2xxx and CRS518 devices;
*) sfp - improved system stability with certain SFP modules for CCR2216 and CRS518 devices;
*) sfp - report EEPROM data even if "auto-init-failed" has occurred;
*) smb - improved SMB v1 operation;
*) sniffer - fixed large .pcap file limit;
*) snmp - added "engine-id-suffix" setting and display actual "engine-id" as read-only property;
*) snmp - added BGP peer table support IPv4 only (1.3.6.1.2.1.15.3.1);
*) snmp - added new "mtxrInterfaceStatsTxRx1024ToMax" OID to MIKROTIK-MIB;
*) ssh - added inline key "passphrase" property;
*) ssh - fixed RouterOS SSH client login when using a key (introduced in v7.9);
*) switch - added more precise "storm-rate" configuration options for 98DXxxxx switches (CLI only);
*) switch - fixed storm rate on 10G links for 98DX8208, 98DX8216, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255 switches;
*) system - improved watchdog reporting in log after reboots for several ARM and ARM64 devices;
*) system - reduced RAM usage for SMIPS devices;
*) tile - fixed support for microSD card;
*) tr069 - added 5G SCC "SNR" parameter for modems that report it;
*) upgrade - do not run manual upgrade if some packages are missing;
*) ups - fixed updating of "battery-voltage" property;
*) vrrp - added warning if "sync-connection-tracking=yes" while the global connection tracking is inactive;
*) vrrp - added warning if the VRRP group is misconfigured;
*) vrrp - added warning if VRRP or its interface does not have an IP address;
*) vrrp - do not start connection synchronization if the global connection tracking is inactive;
*) vrrp - fixed issue where disabled VRRP interface is affecting group;
*) vrrp - fixed VRRP interface state on physical cable disconnection;
*) vrrp - improved system stability on changing "group-authority" or "sync-connection-tracking";
*) vrrp - renamed "group-master" to "group-authority" to avoid confusion with VRRP master;
*) vrrp - send VRRP announcements only by "group-authority";
*) w60g - improved interface stability for PTMP setups;
*) webfig - added high-resolution favicon;
*) webfig - allow limitless upper bounds for number range;
*) webfig - allow to set "0" second time for fields with default values;
*) webfig - changed time format according to ISO standard;
*) webfig - display date and time in local time zone;
*) webfig - fixed missing "WifiWave2" menu;
*) webfig - fixed missing property names in "WifiWave2" menu;
*) webfig - redesigned item configuration display;
*) webfig - redesigned top menu bar;
*) webfig - removed "Tools/Telnet" menu;
*) webfig - removed auto-login with default credentials (admin without a password);
*) wifiwave2 - avoid transmitting extra bytes at the end of the packet after stripping a VLAN tag;
*) wifiwave2 - do not show placeholder transmit power values on interface startup;
*) wifiwave2 - fixed CAP connection when provisioning "manager=capsman";
*) wifiwave2 - fixed CAP interface name when using "name-format";
*) wifiwave2 - fixed connectivity issues wheen access-list is used;
*) wifiwave2 - fixed DFS channel availability warning (introduced in v7.9);
*) wifiwave2 - fixed dynamic interface adding to bridge on CAP device;
*) wifiwave2 - fixed inability to disable CAPsMAN when there are RADIUS-authenticated clients connected;
*) wifiwave2 - fixed incorrect limits on number of interfaces in station mode;
*) wifiwave2 - fixed interface name change when restoring backup;
*) wifiwave2 - fixed key handshake timeout with re-associating clients;
*) wifiwave2 - fixed OWE authentication compatibility with 802.11ax client devices;
*) wifiwave2 - fixed OWE authentication compatibility with third-party client devices (introduced in v7.8 );
*) wifiwave2 - fixed wireless throughput issues after 802.11r client roaming events on 802.11ac devices;
*) wifiwave2 - improve protections against DoS attacks on WPA3-PSK;
*) wifiwave2 - improved logging when an interface is unable to assign a VLAN tag to client;
*) wifiwave2 - improved system stability when trying to exceed virtual AP limit;
*) wifiwave2 - less verbose logging when WPA3-PSK clients are connecting;
*) wifiwave2 - other system stability improvements;
*) wifiwave2 - restore interface running state when connection to CAPsMAN is lost;
*) winbox - added "MPLS/Settings" menu;
*) winbox - added "Queues" configuration tab when creating new entries under "IPv6/DHCP-Server" menu;
*) winbox - rename "URL" property to "Action data" under "IP/Web-Proxy/Access" menu;
*) wireguard - fixed IPv6 traffic processing with multiple peers;
*) wireguard - retry "endpoint-address" DNS query on failed resolve;
*) x86 - ice driver update to v1.11.14;
*) zerotier - make "identity" setting sensitive;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

loloski · Thu Jun 15, 2023 3:00 pm

Upgraded a testbed hapac2 so far working

tim427 · Thu Jun 15, 2023 3:02 pm

I'm super happy with the BGP addition in SNMP; `bgpPeerTable` (https://oidref.com/1.3.6.1.2.1.15.3)
It would be awesome if

`bgpLocalAs` (https://oidref.com/1.3.6.1.2.1.15.2) and,
`bgpIdentifier` (https://oidref.com/1.3.6.1.2.1.15.4),

are also added for some NMS-products.

pe1chl · Thu Jun 15, 2023 3:14 pm

Why is a stable version released with a half-hearted implementation of the change in time format?
I think it is a good change in principle, but it seems controversial for scripting (discussion elsewhere) and now we have a mix of formats all over the place.
Would it not be better to make the complete change, or roll back when it cannot be completed, at the point of stable release?

mafiosa · Thu Jun 15, 2023 3:15 pm

Upgraded Rb5009 non poe. Seems to be working fine.

ivanfm · Thu Jun 15, 2023 3:24 pm

Why is a stable version released with a half-hearted implementation of the change in time format?
I think it is a good change in principle, but it seems controversial for scripting (discussion elsewhere) and now we have a mix of formats all over the place.
Would it not be better to make the complete change, or roll back when it cannot be completed, at the point of stable release?

Also they know that are a problem on dates show on webfig, and I just found that it depends of your browser timezone.

Grant · Thu Jun 15, 2023 3:40 pm

Hello
*) l3hw - added monitoring options for L3HW utilization (CLI only);

How to use it?

seedbedUnmoved · Thu Jun 15, 2023 3:58 pm

Anyone test on a Hap ax2 or 3? I can't test until later but I've been stuck on 7.8 because of a stability bug introduced in 7.9

Rox169 · Thu Jun 15, 2023 4:00 pm

Fix for WiFi will be in 7.11 so stay at 7.8

Thu Jun 15, 2023 4:01 pm

L3HW monitor: https://help.mikrotik.com/docs/display/ ... ng-Monitor

Usage:

/interface/ethernet/switch/l3hw-settings monitor

/interface/ethernet/switch/l3hw-settings/advanced monitor

usx · Thu Jun 15, 2023 4:12 pm

.

The following Bug which was introduced in 7.9 still exists:

Re: v7.9 [stable] is released! -- Post by usx » Mon May 08, 2023 9:12 pm

There is a new bug in WebFig. When toggling the enabled/disabled state from disabled to enabled, the entire row stays grey as if it were disabled.

For example in WiFi Interfaces or Firewall rules, I think it applies all the tables with rows which can be toggled.

.

Other than that, no issues on mAP

Caci99 · Thu Jun 15, 2023 4:16 pm

Fix for WiFi will be in 7.11 so stay at 7.8

What fix are you referring to? This release has several fixes on wifi wave2.

ToTheCLI · Thu Jun 15, 2023 4:31 pm

Just updated to 7.10 firmware and routerboard on RB5009 everything working as expected with MA5671A.

pitron · Thu Jun 15, 2023 4:39 pm

RB4011 after update lost ovpn.
Connecting
Established
Disconndcted

<user> detect UNKNOWN
I am not sure how was before
Any ideas?

anav · Thu Jun 15, 2023 4:51 pm

Still waiting to get a response from MT of how this is to be used and why it was implemented............... ?????
*) firewall - added "endpoint-independent-nat" support;

rextended · Thu Jun 15, 2023 5:12 pm

Larsa · Thu Jun 15, 2023 5:37 pm

Why is a stable version released with a half-hearted implementation of the change in time format?

I'll second that! When will this be fixed??

tyu · Thu Jun 15, 2023 5:38 pm

Endpoint-independent NAT is documented in the help pages and has a link to an RFC describing what it might be used for.

Rox169 · Thu Jun 15, 2023 6:20 pm

Fix for WiFi will be in 7.11 so stay at 7.8
What fix are you referring to? This release has several fixes on wifi wave2.

Clients can not connect WiFi only reboot will help. Check forum there is plenty of reports.

rextended · Thu Jun 15, 2023 6:21 pm

Still waiting to get a response from MT of how this is to be used and why it was implemented............... ?????
*) firewall - added "endpoint-independent-nat" support;

"Endpoint-Independent Mapping" is defined in [BEH-UDP] as follows:

The NAT reuses the port mapping for subsequent packets sent from
the same internal IP address and port (X:x) to any external IP
address and port.

"Endpoint-Independent Filtering" is defined in [BEH-UDP] as follows:

The NAT filters out only packets not destined to the internal
address and port X:x, regardless of the external IP address and
port source (Z:z). The NAT forwards any packets destined to
X:x. In other words, sending packets from the internal side of
the NAT to any external IP address is sufficient to allow any
packets back to the internal endpoint.

A NAT device employing the combination of "Endpoint-Independent
Mapping" and "Endpoint-Independent Filtering" will accept incoming
traffic to a mapped public port from ANY external endpoint on the
public network.

Simply put, the whole World can have access to that permanently open port in the NAT.

Basically it's only for online play, if you can't configure UPnP or whoever programmed the game did it like shit.
Once the connection from the PC/Console to another host is opened, any other host, indeed anything else in the world, not only the game...
can reach the gaming peripheral, with the consequent security risks.

dioeyandika · Thu Jun 15, 2023 6:22 pm

*) bridge - fixed HW offloaded STP state on port disable;
*) bridge - fixed HW offloading for vlan-filtered bridge on devices with multiple switches (introduced in v7.8 );
*) bridge - fixed incorrect host moving between ports with enabled FastPath;

setup before upgrade too 7.10 (before is 7.8) STP = none, HW Offload run

1.jpg

internet really slow after upgrade too 7.10 before is normal with that setup (7.8)
setup after upgrade enable RSTP and IGMP Snooping, DHCP Snooping, Add DHCP Option 82, HW Offload off, internet back too normal

2.jpg

This on RB750Gr3, i am scratch my head over one hours are this the best setting for 7.10 for now?

pitron · Thu Jun 15, 2023 6:37 pm

OVPN log:
⏎[Jun 15, 2023, 17:32:18] Client exception in transport_recv: process_server_push_error: Problem accepting server-pushed peer-id: parse/range issue

works well til 7.10

anav · Thu Jun 15, 2023 6:58 pm

NM..................

rextended · Thu Jun 15, 2023 7:04 pm

You read my post? ;)
viewtopic.php?t=197095#p1007949

rextended · Thu Jun 15, 2023 7:09 pm

Put into production on CCR2116-12G-4S+ with 3 full BGP tables (2 IPv4 only, 1 IPv6 only)
No, I haven't gone crazy, I have multiple RouterBOARDs in HA on the same link...

kenyloveg · Thu Jun 15, 2023 7:20 pm

*) bridge - fixed HW offloaded STP state on port disable;
*) bridge - fixed HW offloading for vlan-filtered bridge on devices with multiple switches (introduced in v7.8 );
*) bridge - fixed incorrect host moving between ports with enabled FastPath;

setup before upgrade too 7.10 (before is 7.8) STP = none, HW Offload run 1.jpg internet really slow after upgrade too 7.10 before is normal with that setup (7.8)
setup after upgrade enable RSTP and IGMP Snooping, DHCP Snooping, Add DHCP Option 82, HW Offload off, internet back too normal 2.jpg
This on RB750Gr3, i am scratch my head over one hours are this the best setting for 7.10 for now?

According to
https://help.mikrotik.com/docs/display/ ... +Switching
you should't enable any STP or snooping on your bridge, only if you know exactly why you need these...

anav · Thu Jun 15, 2023 7:22 pm

You read my post? ;)
viewtopic.php?t=197095#p1007949

Now I did LOL.
So instead of implementing ZeroTrust Cloudflare tunnel for all devices to help so many users setup servers more securely,
MT opted to implement an obscure protocol needed for shittily designed games that in comparison is a fraction of the use cases compared to
the real need by home users and some business users to secure servers.
In fact, while MT is opening up routers to get hacked with that so questionable 'feature', they refuse to implement one that actually
allows users to run servers WITHOUT exposing their public IP to the world and their networks.

Please tell me this is not EU logic but strictly Latvian logic??

rextended · Thu Jun 15, 2023 7:40 pm

NO, this is the logic "the game is broken, router must fix that". You can replace "game" with any other word, and is still the same approach.

npeca75 · Thu Jun 15, 2023 7:58 pm

IPv6 wireguard broken on

CHR
RB5009
HEX S

working on
RB450G
HEX

same configs & network work as expected on 7.9.2

dioeyandika · Thu Jun 15, 2023 8:20 pm

*) bridge - fixed HW offloaded STP state on port disable;
*) bridge - fixed HW offloading for vlan-filtered bridge on devices with multiple switches (introduced in v7.8 );
*) bridge - fixed incorrect host moving between ports with enabled FastPath;

setup before upgrade too 7.10 (before is 7.8) STP = none, HW Offload run 1.jpg internet really slow after upgrade too 7.10 before is normal with that setup (7.8)
setup after upgrade enable RSTP and IGMP Snooping, DHCP Snooping, Add DHCP Option 82, HW Offload off, internet back too normal 2.jpg
This on RB750Gr3, i am scratch my head over one hours are this the best setting for 7.10 for now?
According to
https://help.mikrotik.com/docs/display/ ... +Switching
you should't enable any STP or snooping on your bridge, only if you know exactly why you need these...

your right i delete all the firewall filter rule and restore to default config it seem back to normal again, something must be the couse in that rule

wintech2003 · Thu Jun 15, 2023 8:37 pm

I'm super happy with the BGP addition in SNMP; `bgpPeerTable` (https://oidref.com/1.3.6.1.2.1.15.3)
It would be awesome if

`bgpLocalAs` (https://oidref.com/1.3.6.1.2.1.15.2) and,

`bgpIdentifier` (https://oidref.com/1.3.6.1.2.1.15.4),

are also added for some NMS-products.

Does this actually work for you? I'm not getting any output for that oid when I do an snmpwalk, nor does Observium/LibreNMS get a list of BGP peers.

nik247 · Thu Jun 15, 2023 8:43 pm

Try upgrade CAP AC without success from 7.9 to 7.10.

[xxx@cap-ac] > system/routerboard/print 
       routerboard: yes
        board-name: cAP ac
             model: RBcAPGi-5acD2nD
          revision: r2
     serial-number: B9320BEXXXXX
     firmware-type: ipq4000L
  factory-firmware: 6.44
  current-firmware: 7.9
  upgrade-firmware: 7.9

After downloading router go to reboot and still on 7.9. In log next error....
router was rebooted without proper shutdown, probably kernel failure

Updated: successfully updated to 7.10 over downgrade to 7.8

vovan700i · Thu Jun 15, 2023 8:56 pm

*) sfp - fixed "rate" monitor value for SFP interface on L009UiGS series devices;
*) sfp - fixed combo-ether link monitor for CRS328-4C-20S-4S+ switch;
*) sfp - fixed combo-sfp linking at 1G rate for CRS312 switch;
*) sfp - improved 10G interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 based switches;
*) sfp - improved module compatibility with bad EEPROM data for RB4011, RB5009, CCR2xxx, CRS312 and CRS518 devices;
*) sfp - improved Q/SFP interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 switches;
*) sfp - improved SFP interface handling for RB4011, RB5009, CCR2xxx and CRS518 devices;
*) sfp - improved system stability with certain SFP modules for CCR2216 and CRS518 devices;
*) sfp - report EEPROM data even if "auto-init-failed" has occurred;

Hello! Please, beware that some of these improvements make Chinese SFP modules (e.g. ONTi Gigabit RJ45 SFP module from Aliexpress) report temperature of 255 degrees which triggers SFP module disabling (for 10 minutes, but it repeats) since the default SFP shutdown temperature is 95 degrees. Thus, you may have problems connecting to your devices after this update if you use such modules.

irrwitzer · Thu Jun 15, 2023 8:57 pm

Does this actually work for you? I'm not getting any output for that oid when I do an snmpwalk, nor does Observium/LibreNMS get a list of BGP peers.

Here it's working fine for IPv4 only. 99% of my network is ipv6 though.

Regarding observium/librenms, that's exactly why he's asking for bgpLocalAs and bgpIdentifier to enable observium's discovery feature.

wintech2003 · Thu Jun 15, 2023 9:03 pm

Does this actually work for you? I'm not getting any output for that oid when I do an snmpwalk, nor does Observium/LibreNMS get a list of BGP peers.
Here it's working fine for IPv4 only. 99% of my network is ipv6 though.

The thing is that for me that OID doesn't give any output at all :(

snmpwalk -v 1 -c <community> <router_ip> 1.3.6.1.2.1.15

just comes out empty.

Regarding observium/librenms, that's exactly why he's asking for bgpLocalAs and bgpIdentifier to enable observium's discovery feature.

Amen to that! :)

hagoyi · Thu Jun 15, 2023 9:06 pm

My mistake

leonardogyn · Thu Jun 15, 2023 9:08 pm

Where is /System/LCD settings on RB2011? Is ROS7 stop supporting it?

.
I'm running RoSv7 on quite a few RB2011s, and LCD menu is there as always, supported and working.

twingman · Thu Jun 15, 2023 9:09 pm

BFD is working, but I think desired and actual TX/RX intervals are not working. On one side there is some time (0,05s), on second there is 0.1s and used interval is 0.1s. If I remember, BFD should choose bigger TX/RX interval (which side has it bigger). Isn't it?

denisun · Thu Jun 15, 2023 10:00 pm

RB4011 after update lost ovpn.
Connecting
Established
Disconndcted

<user> detect UNKNOWN
I am not sure how was before
Any ideas?

In rb4011 i have a poll error.

Everything worked ok in previous version.
I get data in firewall > filter > input
but not in NAT record.
Usr/psw its ok but i get poll error.

What is this error?
I cant find anything for this.

Its the same issue from 7.10rc1:
viewtopic.php?p=1005699#p1005699

whatever · Thu Jun 15, 2023 10:25 pm

Fix for WiFi will be in 7.11 so stay at 7.8

Fix for what issue?

Rox169 · Thu Jun 15, 2023 10:31 pm

Fix for WiFi will be in 7.11 so stay at 7.8
Fix for what issue?

can you read? read above in this topic....

pe1chl · Thu Jun 15, 2023 10:38 pm

The thing is that for me that OID doesn't give any output at all :(
Code: Select all
snmpwalk -v 1 -c <community> <router_ip> 1.3.6.1.2.1.15

Works fine here!

doctorrock · Thu Jun 15, 2023 10:40 pm

*) sfp - fixed "rate" monitor value for SFP interface on L009UiGS series devices;
*) sfp - fixed combo-ether link monitor for CRS328-4C-20S-4S+ switch;
*) sfp - fixed combo-sfp linking at 1G rate for CRS312 switch;
*) sfp - improved 10G interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 based switches;
*) sfp - improved module compatibility with bad EEPROM data for RB4011, RB5009, CCR2xxx, CRS312 and CRS518 devices;
*) sfp - improved Q/SFP interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 switches;
*) sfp - improved SFP interface handling for RB4011, RB5009, CCR2xxx and CRS518 devices;
*) sfp - improved system stability with certain SFP modules for CCR2216 and CRS518 devices;
*) sfp - report EEPROM data even if "auto-init-failed" has occurred;
Hello! Please, beware that some of these improvements make Chinese SFP modules (e.g. ONTi Gigabit RJ45 SFP module from Aliexpress) report temperature of 255 degrees which triggers SFP module disabling (for 10 minutes, but it repeats) since the default SFP shutdown temperature is 95 degrees. Thus, you may have problems connecting to your devices after this update if you use such modules.

I got problems with DACs (Direct Attach cables) since the update.
They don't work anymore, both with auto-negociation and manual transfer rate setting.
One is Ipolex and other is HiFiber. Both don't work anymore. Very annoying ...

teleport · Thu Jun 15, 2023 11:03 pm

RouterOS version 7.10 has been released in the "v7 stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.10 (2023-Jun-15 08:17):

*) ssh - fixed RouterOS SSH client login when using a key (introduced in v7.9);

can confirm above is fixed. if you still have issues do these steps:

remove private (on RouterOS) and public (on the remote host) keys;
downgrade RouterOS to version 7.8;
Export RouterOS SSH keys;
import new private key in RouterOS, the public key in the remote host;
check if ssh-exec to the remote host works;
upgrade RouterOS to version 7.10 and check if ssh-exec to the remote host works.

krafg · Thu Jun 15, 2023 11:39 pm

Upgraded all my devices from ROS6. My first time with ROS7. For now all is working flawlessly.

LtAP, PowerBox Pro, BaseBox 2 and BaseBox 5.

Regards.

DudeBeFishing · Fri Jun 16, 2023 12:06 am

I'm using a CCR-2004-16G-2S+ and a wAP AC (RBwAPG-5HacD2HnD).

I upgraded the CCR-2004-16G-2S+ to 7.10. I tried upgrading the wAP AC through CAPsMAN and noticed the Upgrade button is not working. I click Upgrade and nothing happens.I waited about 10 minutes. It usually confirms if I want to upgrade, then the wAP comes back up in 30s or so. I tried Winbox and the web interface.

EDIT: I think I'm blocking the wAP's access to WAN. I uploaded RouterOS 7.10 to the CCR-2004 and now the upgrade button works.

infabo · Fri Jun 16, 2023 12:08 am

<post for topic subscription>

Sir, there is a funcionality for this already.

dooh · Fri Jun 16, 2023 1:23 am

RouterOS version 7.10 has been released in the "v7 stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.10 (2023-Jun-15 08:17):

!) ipv6 - fixed DNS server processing by IPv6/ND services (CVE-2023-32154);
!) route - added BFD;
*) bgp - allow to filter BGP sessions by AFI;
*) bgp - changed default VPNv4 import distance to iBGP value (200);
*) bgp - do not check route distinguisher on import;
*) bgp - fixed "as-override" and rename to "output.as-override";
*) bgp - fixed "remove-private-as" and rename to "output.remove-private.as";
*) bgp - show address family in advertisements;
*) bgp - show approximate received prefix count by the session;

Thank you for the new features, I can confirm that prefix count seems to work fine, but what does "bgp - show address family in advertisements" mean?

/routing/bgp/advertisements/print is still empty, all session have ".keep-sent-attributes=yes"

[admin@CCR1] > /routing/bgp/advertisements/print detail

[admin@CCR1] > /routing/bgp/advertisements/print count-only
0

Amm0 · Fri Jun 16, 2023 4:44 am

!) route - added BFD;

In docs it says: "Features not yet supported [...] enabling BFD for ip route gateways"

Is that a forever thing, or "coming soon"?

felixka · Fri Jun 16, 2023 6:25 am

Hello! Please, beware that some of these improvements make Chinese SFP modules (e.g. ONTi Gigabit RJ45 SFP module from Aliexpress) report temperature of 255 degrees which triggers SFP module disabling (for 10 minutes, but it repeats) since the default SFP shutdown temperature is 95 degrees. Thus, you may have problems connecting to your devices after this update if you use such modules.
I got problems with DACs (Direct Attach cables) since the update.
They don't work anymore, both with auto-negociation and manual transfer rate setting.
One is Ipolex and other is HiFiber. Both don't work anymore. Very annoying ...

Yes, this has been an issue for me on CCR2004-16G-2S+ since a few releases ago (I think it started with 7.8). Luckily that device has a backup GbE into the network. But for a few releases the DAC has not been working for me anymore. I see RX traffic on it but nothing on the TX side.

nichky · Fri Jun 16, 2023 7:33 am

we got issues with RR, is not exchanging the routes on the main table between iBGP

pitron · Fri Jun 16, 2023 7:52 am

RB4011 after update lost ovpn.
Connecting
Established
Disconndcted

<user> detect UNKNOWN
I am not sure how was before
Any ideas?
In rb4011 i have a poll error.

Everything worked ok in previous version.
I get data in firewall > filter > input
but not in NAT record.
Usr/psw its ok but i get poll error.

What is this error?
I cant find anything for this.

Its the same issue from 7.10rc1:
viewtopic.php?p=1005699#p1005699

Ovpn client log show more info.
I have similar ovpn setup and I am back to 7.9.2 working fine again.

disappointed · Fri Jun 16, 2023 8:51 am

IPsec not working after update. Freezes on first packet phase1 and can not auth on Strongswan server.
I spent an hour trying to find the cause and couldn't. I had to go back to the previous ROS.
The same config on 7.9.2 is working.

Hominidae · Fri Jun 16, 2023 9:13 am

thanks, updated my small zoo:

RB4011 (SFP+: MT S+AO)
hex Gr2 (Switch mode)
CRS309 (SFP+: DACs from Aristo, Cisco, MT S+AO, fs.com 80m 10G-T)
CRS326-24G-2S (SFP+: DACs from Aristo), running wifi capsman
LHGG
wAP-ac 2ndGen (CAP)
2x hap-ac^3 (WW2 APs) no ww2-capsman, container (Adguard-home)
CHR

...VLANs, Wireguard, SFP+ Modules all good.
Container on hap-ac^3 needed re-install to start properly.

Caci99 · Fri Jun 16, 2023 10:29 am

What fix are you referring to? This release has several fixes on wifi wave2.

Clients can not connect WiFi only reboot will help. Check forum there is plenty of reports.

That is a very general statement you are stating. There are plenty of reports but not all can be attributed to ROS, many can be misconfiguration. When you say fix will come at 7.11, it is understood that some particular fix will come at 7.11.
In the change log of 7.10 there are some wifi wave2 fixes like

*) wifiwave2 - fixed key handshake timeout with re-associating clients;

and many others

Jaggl · Fri Jun 16, 2023 10:30 am

Since this Update my OpenVPN Windows Clients are unable to connect. Mikrotik to Mikrotik with OpenVPN is working. Anyone else see this Problem?

kcarhc · Fri Jun 16, 2023 10:35 am

please check SUP-119380
RouterOS 7.10 dns dynamic-servers random lost on all type device, RB5009/RB4011/RB450Gx4/CHR
Downgrading to version 7.9.2 everything is fine, but when upgrading to 7.10, random loss occurs.

1.jpg

2.jpg

this link
viewtopic.php?t=196774
maybe the same issue

fakeusername2022 · Fri Jun 16, 2023 12:05 pm

My OpenVPN Server stopped working after this update!
I get this error on client side:

"Client exception in transport_recv: process_server_push_error: Problem accepting server-pushed peer-id: parse/range issue"

After downgrading to 7.9 the problem solved!

fakeusername2022 · Fri Jun 16, 2023 12:06 pm

OVPN log:
⏎[Jun 15, 2023, 17:32:18] Client exception in transport_recv: process_server_push_error: Problem accepting server-pushed peer-id: parse/range issue

works well til 7.10

Same problem here...

pe1chl · Fri Jun 16, 2023 12:13 pm

I don't use MikroTik OVPN but when I read the above error message I would guess maybe the peer-id used by MikroTik is the "/system identity" that you have set, and you may be able to solve that issue by using a more plain identity than you have now? (try only letters and numbers, for example).

denisun · Fri Jun 16, 2023 12:17 pm

In rb4011 i have a poll error.

Everything worked ok in previous version.
I get data in firewall > filter > input
but not in NAT record.
Usr/psw its ok but i get poll error.

What is this error?
I cant find anything for this.

Its the same issue from 7.10rc1:
viewtopic.php?p=1005699#p1005699
Ovpn client log show more info.
I have similar ovpn setup and I am back to 7.9.2 working fine again.

This is logs from stock openvpn client in android 13.1.


[Jun 15, 2023, 21:37:23] OpenVPN core 3.git:: android arm64 64-bit PT_PROXY

[Jun 15, 2023, 21:37:23] ----- OpenVPN Start -----

[Jun 15, 2023, 21:37:23] EVENT: CORE_THREAD_ACTIVE

[Jun 15, 2023, 21:37:23] Frame=512/2048/512 mssfix-ctrl=1250

[Jun 15, 2023, 21:37:23] EVENT: RESOLVE

[Jun 15, 2023, 21:37:26] Contacting .201:1194 via UDP

[Jun 15, 2023, 21:37:26] EVENT: WAIT

[Jun 15, 2023, 21:37:26] Connecting to [.sn.mynetname.net]:1194 (.201) via UDPv4

[Jun 15, 2023, 21:37:26] EVENT: CONNECTING

[Jun 15, 2023, 21:37:26] Tunnel Options:V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client

[Jun 15, 2023, 21:37:26] Creds: Username/Password

[Jun 15, 2023, 21:37:26] Peer Info:
IV_VER=3.git::
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_GUI_VER=net.openvpn.connect.android_3.3.4-9290
IV_SSO=webauth,openurl,crtext


[Jun 15, 2023, 21:37:26] VERIFY OK: depth=1, /C=GR/ST=TH/L=T/O=HomeMikrotik/OU=changeme/CN=HomeMikrotikCA/name=changeme/emailAddress=mail@host.domain, signature: RSA-SHA1

[Jun 15, 2023, 21:37:26] VERIFY OK: depth=0, /C=GR/ST=TH/L=T/O=HomeMikrotik/OU=changeme/CN=server/name=changeme/emailAddress=mail@host.domain, signature: RSA-SHA1

[Jun 15, 2023, 21:37:26] SSL Handshake: peer certificate: CN=server, 1024 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD


[Jun 15, 2023, 21:37:26] Session is ACTIVE

[Jun 15, 2023, 21:37:26] Sending PUSH_REQUEST to server...

[Jun 15, 2023, 21:37:26] EVENT: WARN info='TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future'

[Jun 15, 2023, 21:37:26] EVENT: GET_CONFIG

[Jun 15, 2023, 21:37:26] OPTIONS:
0 [redirect-gateway]
1 [dhcp-option] [DNS] [192.168.5.36]
2 [ping] [20]
3 [ping-restart] [60]
4 [topology] [subnet]
5 [route-gateway] [192.168.5.39]
6 [ifconfig] [192.168.5.115] [255.255.255.0]
7 [peer-id] [16777215]


[Jun 15, 2023, 21:37:26] Client exception in transport_recv: process_server_push_error: Problem accepting server-pushed peer-id: parse/range issue

[Jun 15, 2023, 21:37:26] Client terminated, restarting in 2000 ms...


[Jun 15, 2023, 21:46:52] ----- OpenVPN Stop -----

[Jun 15, 2023, 21:46:52] EVENT: CORE_THREAD_DONE

vuk · Fri Jun 16, 2023 12:27 pm

Since v7.9 and now with v7.10 VPN (L2TP) via IPIP tunnel with IPSec is unusable, totally slow, but I see no errors in the log.
This issue was/is not present with v7.8, only since then.

I tried to turn off IPSec over the IPIP tunnel, but same, totally slow, e.g. web pages doesn't even load.

Router1: hAP AX3 (initiator)
Router2: hAP AC3 (responder)

supout file attached

7.10_supout.zip

UPDATE: after downgrading to 7.8 only on hAP AX3, VPN works fine again. hAP AC3 is still on 7.10, issue seems to occur only on AX3.

Fri Jun 16, 2023 1:27 pm

BFD is working, but I think desired and actual TX/RX intervals are not working.

There's been some confusion with the naming, actual tx actually shows the value of the remote tx interval. But actual tx is actually picked the highest value as it should. Will be fixed in one of the next versions.

HeinoHomm · Fri Jun 16, 2023 2:12 pm

After the upgrade to v7.10 (stable). The ovpn client will no longer emerge into the the ip/address table. Also there will be a missing entry in the routing table, i.e. there is no gateway. Due to this, the router is no longer able to exchange ip packets between the network and the ovpn client.

rextended · Fri Jun 16, 2023 2:15 pm

Put into production on CCR2116-12G-4S+ with 3 full BGP tables (2 IPv4 only, 1 IPv6 only)
No, I haven't gone crazy, I have multiple RouterBOARDs in HA on the same link...

For now, all BGPs uptime for 19:10:13 without interruption....

jimmer · Fri Jun 16, 2023 2:26 pm

RB4011 after update lost ovpn.
Connecting
Established
Disconndcted

<user> detect UNKNOWN
I am not sure how was before
Any ideas?

I have the same problem, also found it in 7.10rc3 and reported it in the thread a few weeks back, bug still in 7.10 in the stable release :(
Remote clients constantly connect via OpenVPN and disconnect every second

Jun 16 21:14:30 laurel-rb3011-gw connection established from 10.3.xx.xx, port: 34599 to 10.1.xx.xx
Jun 16 21:14:30 laurel-rb3011-gw : using encoding - AES-256-CBC/SHA256
Jun 16 21:14:30 laurel-rb3011-gw jimmer logged in, 10.10.17.148 from 10.3.xx.xx
Jun 16 21:14:30 laurel-rb3011-gw <ovpn-jimmer>: connected
Jun 16 21:14:30 laurel-rb3011-gw <10.1.36.60>: disconnected <poll error>
Jun 16 21:14:30 laurel-rb3011-gw <ovpn-jimmer>: terminating... - poll error
Jun 16 21:14:31 laurel-rb3011-gw jimmer logged out, 1 0 0 0 0 from 10.3.xx.xx
Jun 16 21:14:31 laurel-rb3011-gw <ovpn-jimmer>: disconnected

This happens over and over every second until I kill the login process on the client, works fine in 7.8 and 7.9.2, somethings got cooked in the 7.10rc build and it's made its way (again) into the 7.10 stable branch.

Same OpenVPN login using RouterOS 7.9.2:

Jun 16 21:23:11 laurel-rb3011-gw connection established from 10.3.xx.xx, port: 44765 to 10.1.xx.xx
Jun 16 21:23:11 laurel-rb3011-gw : using encoding - AES-256-CBC/SHA256
Jun 16 21:23:11 laurel-rb3011-gw jimmer logged in, 10.10.17.149 from 10.3.xx.xx
Jun 16 21:23:11 laurel-rb3011-gw <ovpn-jimmer>: connected

Stays connected, can pass data over it.

Platform is RB3011-iUAS-RM.

mikrotikshell · Fri Jun 16, 2023 3:34 pm

The same, while using OpenVPN:

Client exception in transport_recv: process_server_push_error: Problem accepting server-pushed peer-id: parse/range issue

kai · Fri Jun 16, 2023 4:04 pm

SSH client seems a bit broken.
I use the mikrotik as a client to connect to something like a UniFi - it attempts a connection but it immediately quits. It doesn't get as far as asking for a login or password.

It works in 7.7

Edit: also works ok in 7.10rc1

teleport · Fri Jun 16, 2023 4:50 pm

SSH client seems a bit broken.
I use the mikrotik as a client to connect to something like a UniFi - it attempts a connection but it immediately quits. It doesn't get as far as asking for a login or password.

It works in 7.7

Edit: also works ok in 7.10rc1

refer
viewtopic.php?t=196154

Aurum · Fri Jun 16, 2023 5:18 pm

RB4011 after update lost ovpn.
Connecting
Established
Disconndcted

<user> detect UNKNOWN

Same. Downgraded and it works again...

raphaps · Fri Jun 16, 2023 6:17 pm

I also have a problem with openvpn, on an RB4011. Since version 7.8, the system is unstable and restarts before completing 15 minutes of uptime. I have around 150 ovpn connections. I updated to v7.10 and the same problem occurred, the last version that worked fine was v7.7.

johnson73 · Fri Jun 16, 2023 6:21 pm

After upgrade to 7.10 this device is ok.
RB4011
CCR1009

bandini981 · Fri Jun 16, 2023 6:52 pm

OVPN log:
⏎[Jun 15, 2023, 17:32:18] Client exception in transport_recv: process_server_push_error: Problem accepting server-pushed peer-id: parse/range issue

works well til 7.10

Same here. Also stopped working Passepartout (iOS app) and other Mikrotik OpenVPN clients.

Paternot · Fri Jun 16, 2023 6:53 pm

"bgp - show approximate received prefix count by the session;"

How much is this "approximate"? Is it a case of "we run a second thread to count this, so may be a little off if something changes during the count" or is it "we will count it one time, when the connection is made, and never again?"

How (in)exact is this number?

bandini981 · Fri Jun 16, 2023 7:03 pm

OVPN log:
⏎[Jun 15, 2023, 17:32:18] Client exception in transport_recv: process_server_push_error: Problem accepting server-pushed peer-id: parse/range issue

works well til 7.10
Same here. Also stopped working Passepartout (iOS app) and other Mikrotik OpenVPN clients.

Downgraded to 7.9.2 and everything is ok

donkeyKong · Fri Jun 16, 2023 7:06 pm

After upgrade to v7.10, seeing problems with switches using the 98DX8212 switch chip.

Ticket is SUP-119408

macak · Fri Jun 16, 2023 7:10 pm

Android OpenVPN Connect is fail to connect.

From logs: disconnected <poll error>.

Note - mikrotik to mikrotik connected without problems. I don't test too much that connection is stable.
Downgraded to 7.9.1 - I can connect from Android again.

Please fix it.

wavestar · Fri Jun 16, 2023 8:01 pm

Upgraded Rb5009 non POE version. Everything is working.

I don't use any VPN.

estradmes · Fri Jun 16, 2023 10:13 pm

Upgraded CCR2116, for now route delete with l3hw works

Rox169 · Fri Jun 16, 2023 10:54 pm

The wifi bug is still present. I had another situation. I was connected to WiFi with Oneplus9, Lenovo T431s and samsung TV and suddendly no internet and I can not login to WiFi anymore. This time I had time to send supout. SUP-119465.

MT please fix this ASAP it is present already in two "stable" versions..

pe1chl · Fri Jun 16, 2023 11:20 pm

"bgp - show approximate received prefix count by the session;"

How much is this "approximate"? Is it a case of "we run a second thread to count this, so may be a little off if something changes during the count" or is it "we will count it one time, when the connection is made, and never again?"

How (in)exact is this number?

In my router it seems to be accurate, noting that it includes prefixes discarded by the in-filter in the count (which v6 does not include). Prefixes filtered by the "Input accept NLRI" are not counted.
It also is re-calculated at least regularly (maybe everytime you request it?).

Still, there is the problem that has been present since the first v7 release that an open window on the BGP Sessions list is NOT refreshed automatically, so the displayed number of prefixes will remain the same until you hit F5.
Hopefully at some time MikroTik can fix this and make the window auto-refreshing just like the BGP Peers window was in v6, and so many other windows still are in v7.

vuk · Fri Jun 16, 2023 11:29 pm

BFD is working, but I think desired and actual TX/RX intervals are not working.
There's been some confusion with the naming, actual tx actually shows the value of the remote tx interval. But actual tx is actually picked the highest value as it should. Will be fixed in one of the next versions.

@mrz are there any know issues in 7.9 and 7.10 regarding L2TP and IPIP Tunnel + IPSec, which might cause this: viewtopic.php?p=1008075#p1008075
Others report similar issues, I see OVPN related problems?!

nexusds · Fri Jun 16, 2023 11:46 pm

After upgrade to v7.10, seeing problems with switches using the 98DX8212 switch chip.

Ticket is SUP-119408

what is the issue you are having?

nexusds · Fri Jun 16, 2023 11:52 pm

default ipsec phase1 profile algorithm (when used for eoip for example) if using DES will no longer work.. have to change it to something else (I chose aes-256 - didn't test other algorithms as I would need to adjust a number of units)

AUsquirrel · Sat Jun 17, 2023 1:28 am

Upgrade was successful.

Now have a suspected bug in the IPV6 filter rule that has a source IPV6 address list and an IPV6 address range. It is going past the rule to the drop and log rule. Tried with various combinations and no luck.

Both networks are VLANs

donkeyKong · Sat Jun 17, 2023 1:40 am

After upgrade to v7.10, seeing problems with switches using the 98DX8212 switch chip.

Ticket is SUP-119408
what is the issue you are having?

Switch is not detecting anymore an SFP ONT Sercomm FGS202. This use case is common for several users in France of a large ISP (Orange) who have replaced the vendor’s original hardware with MikroTik HW.

Paternot · Sat Jun 17, 2023 2:25 am

In my router it seems to be accurate, noting that it includes prefixes discarded by the in-filter in the count (which v6 does not include). Prefixes filtered by the "Input accept NLRI" are not counted.
It also is re-calculated at least regularly (maybe everytime you request it?).

Ah, thanks. Looks like the "inaccurate" was just to prevent someone trying to debug something and taking the "count differs by two" seriously.

Or, in other words, "close enough for government work".

anav · Sat Jun 17, 2023 3:03 am

7.10 (almost) stable. Just get rid of OVPN and solves a bulk of issues.

own3r1138 · Sat Jun 17, 2023 8:42 am

7.10 (almost) stable. Just get rid of OVPN and solves a bulk of issues.

ezgif.com-optimize.gif

ech1965 · Sat Jun 17, 2023 9:14 am

Small request:

I understand stable releases topics are read by people upgrading from stable to stable. in that case single big squashed changelog makes sense
People being in the testing train recevice "incremental" change log ( 1st post of the topic updated). this is also great
We only miss the last step: incremental changelog between last rc and stable. is stable identical to last rc or are there last minute changes ?
Would it be possible to add this changelog eg in "locking" post of rc thread ( #184 )
Many thanks
EC

thuety · Sat Jun 17, 2023 10:18 am

updated fine on CRS305, RB2011, RB951
sstp tunnels still work

t0mm13b · Sat Jun 17, 2023 10:55 am

Updated ok on Chateau LTE 18

pe1chl · Sat Jun 17, 2023 12:05 pm

Ah, thanks. Looks like the "inaccurate" was just to prevent someone trying to debug something and taking the "count differs by two" seriously.

Or, in other words, "close enough for government work".

I use these values (and I presume most people would) not as an indication if there are 400 or 401 routes via some peer, but to generally
oversee what is behind each peer connection, and relate that to what I know is "normal". So when I see 1 or 3 where I normally see 766,
I know that this peer still advertises its own local network(s) but has lost a connection to some other place in the network which has a
lot of routes. This is also the reason why I requested this feature to be back, and apparently it is a commonly requested one.

Of course it is not perfect but it does not have to be. What makes it less usable is that it isn't refreshed anymore, like it was in v6.
There is a MISLEADING "Uptime" column that instead of showing the uptime at the moment the window was refreshed, shows a ticking
uptime increasing all the time, even when the connection is actually DOWN. Either refresh should come back, or that ticking should go.

pe1chl · Sat Jun 17, 2023 12:14 pm

I understand stable releases topics are read by people upgrading from stable to stable. in that case single big squashed changelog makes sense
People being in the testing train recevice "incremental" change log ( 1st post of the topic updated). this is also great
We only miss the last step: incremental changelog between last rc and stable. is stable identical to last rc or are there last minute changes ?

I proposed before that instead of these one-line change logs, MikroTik should put all changes in a database that has fields for this single line,
for a pointer to relevant documentation (page in the help site), a possible warning related to the change ("date format has changed, you will
need to adapt your scripts when they use the system date"), a longer description of the change when relevant (what exactly has been fixed),
etc. And then there should be a webpage where you can input two different version numbers, and the output will be the change list as we get
now, but "between those two versions"). With clickable items to send you to documentation or more info.

I think it should not be more work than what we get now, but it would be much more usable. And the old style plain text one-line lists can
be automatically generated from this for the changes list displayed by the device itself.

nichky · Sat Jun 17, 2023 12:31 pm

*) ovpn - improved system stability;

not to sure what u mean by that. On v7.10 ovpn is totally broken

mantouboji · Sat Jun 17, 2023 12:44 pm

ssh client broken , it even works well in 7.10rc serials .

I don't want to downgrade, pls fix it ASAP

volkirik · Sat Jun 17, 2023 12:54 pm

*) ovpn - improved system stability;

not to sure what u mean by that. On v7.10 ovpn is totally broken

indeed. doesnt even show local & remote addresses

lets hope stable ovpn in next release..

nichky · Sat Jun 17, 2023 1:58 pm

ssh client broken , it even works well in 7.10rc serials

what exactly?

mantouboji · Sat Jun 17, 2023 2:03 pm

OK. I tried to downgrade to 7.8 re-add private and public keys , and then upgrade to 7.10 again, solved it.

I think that must because a bug in 7.9 destroyed the inner key data record.

patrickmkt · Sat Jun 17, 2023 3:21 pm

Still no fix on certificate crl using sha512
viewtopic.php?p=1008226#p1008226

eddieb · Sat Jun 17, 2023 3:32 pm

Just upgraded a bunch of MT to 7.10 without problems

CRS125/HAP AC/hEX/RB750

Jotne · Sat Jun 17, 2023 8:15 pm

This is unacceptable for a "stable" update channel

It may be stable for 99.9% of all the user. You will never ever find a 100% stable software. Not sure how many times the last 20+ years I have updated stable Cisco software due to bugs, sometimes serious bugs that takes down the network.

It may be a combination of some of your settings that create the problem.
Why do you have UPnP enabled?
https://nordvpn.com/no/blog/what-is-upnp/

Some of the function you have:
Capsman
Bgp
Ospf
Zerotier
Ovpn
IPv6

Try simplify your config. Test function for function.

zdiv · Sat Jun 17, 2023 8:59 pm

Still no "?" in CLI.
F1 has replaced "?" but terminals only understand characters, not keys.

Function keys are naturally captured by applications.
yes it works from Winbox, but is at best cumbersome solution and makes no sense.
"?" works on almost anything else having CLI.
F1 is to be used for help about applications and not commands typed inside CLI.

So ^[OP from terminal or F1 from Winbox terminal ... !

securex · Sat Jun 17, 2023 9:00 pm

What is the latest version of dude client ( x86 platform) ?
a see 7.10 - https://mikrotik.com/download, download and see inside 7.9....

rextended · Sat Jun 17, 2023 9:02 pm

What is the latest version of dude client ( x86 platform) ?
a see 7.10 - https://mikrotik.com/download, download and see inside 7.9....

Is the same identical program just with the version number changed....

Sun Jun 18, 2023 3:11 am

terminals only understand characters,

We’ve had F1 on ANSI X3.64 compatible terminals at least since the VT220, released in 1983. If you’re using a terminal emulator that can’t send F1, get a better terminal emulator; they’re plentiful.

mantouboji · Sun Jun 18, 2023 7:22 am

1) remove any public and private keys
2) downgrad to 7.8
3) import both public and private keys , ssh client is OK
4) upgrade to 7.10
5) ssh client OK

but If remove all key and re-import in 7.10, ssh client broken.

In 7.10. letsencrypt broken again? my duckdns.org dynamic domain name only has a AAAA ipv6 address .

pe1chl · Sun Jun 18, 2023 11:38 am

This is unacceptable for a "stable" update channel
It may be stable for 99.9% of all the user. You will never ever find a 100% stable software.

Once again: "stable" in the name of the MikroTik releases does not mean the software itself is stable, in that it does not crash and does not
have serious other problems (bugs).

The tag "stable" only means this is a release that will not be changed for some time, unless important problems are fixed.
The other tags "alpha" and "beta" and "rc" are for testing new developments, and would be updated ~weekly. That is not the case for "stable".
So "stable" refers to the stability of the release, not to the stability of the software itself.
And "long-term" is another "stable" release that for an even longer time receives those minor updates for important problems.

I know it is all too tempting to interpret "stable" in the context of software stability, but I don't think that claim has been made by MikroTik.
Regularly development versions with known problems are released into "stable" in the middle of hefty discussions about the problems.

rextended · Sun Jun 18, 2023 11:56 am

Put into production on CCR2116-12G-4S+ with 3 full BGP tables (2 IPv4 only, 1 IPv6 only)
No, I haven't gone crazy, I have multiple RouterBOARDs in HA on the same link...
For now, all BGPs uptime for 19:10:13 without interruption....

Still all up and working without problems. (2d 16:54:56)

ech1965 · Sun Jun 18, 2023 1:17 pm

I understand stable releases topics are read by people upgrading from stable to stable. in that case single big squashed changelog makes sense
People being in the testing train recevice "incremental" change log ( 1st post of the topic updated). this is also great
We only miss the last step: incremental changelog between last rc and stable. is stable identical to last rc or are there last minute changes ?
I proposed before that instead of these one-line change logs, MikroTik should put all changes in a database that has fields for this single line,
for a pointer to relevant documentation (page in the help site), a possible warning related to the change ("date format has changed, you will
need to adapt your scripts when they use the system date"), a longer description of the change when relevant (what exactly has been fixed),
etc. And then there should be a webpage where you can input two different version numbers, and the output will be the change list as we get
now, but "between those two versions"). With clickable items to send you to documentation or more info.

I think it should not be more work than what we get now, but it would be much more usable. And the old style plain text one-line lists can
be automatically generated from this for the changes list displayed by the device itself.

No need to change the changelog structure, In the last "locking post" in RC topic, just add the changelog between last rc and stable or "stable is the same as rxX" and "that's it"

pe1chl · Sun Jun 18, 2023 2:48 pm

That is only a solution for that particular case. My proposal also solves the issue where people upgrade from version x.y to x.y+2 in one jump, read the x.y+2 change notes (that are displayed on their screen as part of the upgrade process), but have never seen the x.y+1 change notes and the important information and warnings it contains.
Making a "custom" change note would generate the proper list of changes, including omission of notes in x.y+2 saying "fixed bug introduced in x.y+1" which would be irrelevant to those people.
It should be relatively easy to do and remove the "editorial" task of generating change notes by scanning all internally registered changes.

DeGlucker · Sun Jun 18, 2023 3:25 pm

x86 Atheros 9380 (AR5BXB112) WiFi is still not working !!!
Was forced to rollback to ROS 7.6 again !!!
Already during four releases you broke WiFi on Atheros 9380 and can't fix it !!!

densenator · Sun Jun 18, 2023 4:54 pm

Try to upgrade my Hap ax^2 to 7.10 And problem with wi-fi still exist.
key handshake timeout
I have default config and opened support ticked already.
Downgrade to 7.8 and problem is solved.

Jotne · Sun Jun 18, 2023 5:53 pm

Stop posting things that do not relate to v7.10 stable release.

rextended · Sun Jun 18, 2023 6:28 pm

This forum is not reddit...

When common sense isn't enough...
I'd like to see if I started posting pornographic images how many people would be shocked, but it's not prohibited anywhere...
So it goes without saying that avatars that are offensive to others should be avoided.
Then if one puts a daisy and someone complains because he hates flowers....

MikroTik - Registration code

By accessing “MikroTik” (hereinafter “we”, “us”, “our”, “MikroTik”, “https://forum.mikrotik.com”),
you agree to be legally bound by the following terms.
If you do not agree to be legally bound by all of the following terms then please do not access and/or use “MikroTik”.
We may change these at any time and we’ll do our utmost in informing you,
though it would be prudent to review this regularly yourself as your continued usage of “MikroTik” after changes mean you agree to be legally bound
by these terms as they are updated and/or amended.

Our forums are powered by phpBB (hereinafter “they”, “them”, “their”, “phpBB software”, “www.phpbb.com”, “phpBB Limited”, “phpBB Teams”)
which is a bulletin board solution released under the “GNU General Public License v2” (hereinafter “GPL”) and can be downloaded from www.phpbb.com.
The phpBB software only facilitates internet based discussions;
phpBB Limited is not responsible for what we allow and/or disallow as permissible content and/or conduct.
For further information about phpBB, please see: https://www.phpbb.com/.

You agree not to post any abusive, obscene, vulgar, slanderous, hateful, threatening, sexually-orientated
or any other material that may violate any laws be it of your country, the country where “MikroTik” is hosted or International Law.
Doing so may lead to you being immediately and permanently banned, with notification of your Internet Service Provider if deemed required by us.
The IP address of all posts are recorded to aid in enforcing these conditions.
You agree that “MikroTik” have the right to remove, edit, move or close any topic at any time should we see fit.
As a user you agree to any information you have entered to being stored in a database.
While this information will not be disclosed to any third party without your consent,
neither “MikroTik” nor phpBB shall be held responsible for any hacking attempt that may lead to the data being compromised.

anav · Sun Jun 18, 2023 6:42 pm

You agree not to post any abusive, obscene, vulgar, slanderous, hateful, threatening, sexually-orientated, negative feline comments
or any other material that may violate.......

Fixed it for ya........

Amm0 · Sun Jun 18, 2023 6:50 pm

Well, v7.10 must relatively stable if the discussion turns to politics.

But I think @pe1chl has a worthwhile suggestion here in the context of winbox's system>packages's view showing all of the release notes between the current and purposed version...

My proposal also solves the issue where people upgrade from version x.y to x.y+2 in one jump, read the x.y+2 change notes (that are displayed on their screen as part of the upgrade process), but have never seen the x.y+1 change notes and the important information and warnings it contains.

theosoft · Sun Jun 18, 2023 7:12 pm

OpenVPN Connection interupted.

I do have this effect also. So i started playing arround.
1. In the log i recognized, that the connection is interupted with a period of a multiple of hours. That means 1h, 2h, or even 6 hours and so on.
Is there a timeout of 3600 sec. somewhere?
2. On the client side (OpenWRT) i found a setting called "reneg_sec", Renegotiate data chan. key after seconds.
I set it to 90 sec. and the frequency of interuption increased. And again a multiple of 90 sec.
3. OK. I tried it in the opposite direction. Now 86400 sec. But then the interuption was a multiple of 1h again. Maybe the microtik also triggers the
negotiation with a timeout of 3600 sec.
4. With OPENVPN,DEBUG on, there are entries regarding openvpn handling. It seems, that the SOFTREST Trigger is not succesfull, but the HARRESET
trigger does.

So i think it is related to "Renegotiate data channel key" process.

regards

jaxed7 · Sun Jun 18, 2023 8:21 pm

7.10 (almost) stable. Just get rid of OVPN and solves a bulk of issues.

My friend, I'm curious as to why you're opposed to OVPN and actively seeking its removal from RouterOS. However, a simple poll would reveal that a significant number of RouterOS users rely on OVPN. Why, you ask? It's because in areas and countries with high levels of restriction, OVPN is often the last and only solution that works. Additionally, it's highly compatible with a wide range of operating systems and devices, making it a versatile choice for many users.

Plugpulled · Sun Jun 18, 2023 9:12 pm

Upgraded both my RB4011 and HAP AX3 using as AP.

RB4011 (Wifi) - stable on 7.9 and 7.10 via LAN and Wifi.

HAP AX3 i upgraded from 7.8 because 7.9 was very unstable with constant Wifi disconnections, random restarts so had to downgrade to 7.8. But even on 7.10 i'm still having the same issue. Downgrading to 7.8 its stable. I have connected Hap Ax3's Ether1 port to ether10 POE port of RB4011 so made my ether1 port of hap ax3 as LAN. DHCP on bridge(ether1, wifi2g, wifi5g). Wifi works for some 30mins then none of my devices are getting connected Mac, iPhone, Homepod, PS5, TV etc until i reboot the ax3. I have no errors in log.

Is anyone else having the same problem?

anav · Sun Jun 18, 2023 9:14 pm

7.10 (almost) stable. Just get rid of OVPN and solves a bulk of issues.
My friend, I'm curious as to why you're opposed to OVPN and actively seeking its removal from RouterOS. However, a simple poll would reveal that a significant number of RouterOS users rely on OVPN. Why, you ask? It's because in areas and countries with high levels of restriction, OVPN is often the last and only solution that works. Additionally, it's highly compatible with a wide range of operating systems and devices, making it a versatile choice for many users.

Hi Jax, thanks for taking the time to make a thoughtful reply. I didnt know that was the case ( last hope for VPN in some areas ) and if so, then agree the ongoing lack of focus to fix the issues is more than annoying, its disrespectful.
I thought ovpn was something cooked up by those using non ipsec routers and using merlin and other after market hack firmwares to emulate VPN. With the advent of wireguard I saw no purpose for a hack job VPN. Wireguard is also cross platform. Are you saying that OVPN is possible where Wireguard is not? I would have thought zerotier a much better solution for such difficult situations?

In any case, I will no longer mention OVPN in a negative light, and come on Mikrotik FIX IT ALREADY!! Then add zerotrust cloudflare tunnel!!

Rox169 · Sun Jun 18, 2023 9:23 pm

Upgraded both my RB4011 and HAP AX3 using as AP.

RB4011 (Wifi) - stable on 7.9 and 7.10 via LAN and Wifi.

HAP AX3 i upgraded from 7.8 because 7.9 was very unstable with constant Wifi disconnections, random restarts so had to downgrade to 7.8. But even on 7.10 i'm still having the same issue. Downgrading to 7.8 its stable. I have connected Hap Ax3's Ether1 port to ether10 POE port of RB4011 so made my ether1 port of hap ax3 as LAN. DHCP on bridge(ether1, wifi2g, wifi5g). Wifi works for some 30mins then none of my devices are getting connected Mac, iPhone, Homepod, PS5, TV etc until i reboot the ax3.

Is anyone else having the same problem?

Yes, read the forum... many people reported this bug. It is in 7.9 and 7.10. You should downgrade to 7.8

Plugpulled · Sun Jun 18, 2023 9:27 pm

Upgraded both my RB4011 and HAP AX3 using as AP.

RB4011 (Wifi) - stable on 7.9 and 7.10 via LAN and Wifi.

HAP AX3 i upgraded from 7.8 because 7.9 was very unstable with constant Wifi disconnections, random restarts so had to downgrade to 7.8. But even on 7.10 i'm still having the same issue. Downgrading to 7.8 its stable. I have connected Hap Ax3's Ether1 port to ether10 POE port of RB4011 so made my ether1 port of hap ax3 as LAN. DHCP on bridge(ether1, wifi2g, wifi5g). Wifi works for some 30mins then none of my devices are getting connected Mac, iPhone, Homepod, PS5, TV etc until i reboot the ax3.

Is anyone else having the same problem?
Yes, read the forum... many people reported this bug. It is in 7.9 and 7.10. You should downgrade to 7.8

Yeah i have downgraded to 7.8 :(

frank333 · Sun Jun 18, 2023 10:40 pm

With webfig you can no longer see the data clearly, every time you have to open the submenu.
Even when writing scripts, the input form is really painful.
I wonder why when there is a functional interface it is always changed to a nonsensical one.
The remove and run script buttons are too close together sometimes you risk deleting the script .😡

Schermata del 2023-06-18 21.30.39.jpeg

buset1974 · Mon Jun 19, 2023 5:05 am

finally v7 can do /routing/bgp/advertisement print.
i dont know when exactly this feature silently added.

thx

Paternot · Mon Jun 19, 2023 8:58 am

I thought ovpn was something cooked up by those using non ipsec routers and using merlin and other after market hack firmwares to emulate VPN. With the advent of wireguard I saw no purpose for a hack job VPN. Wireguard is also cross platform. Are you saying that OVPN is possible where Wireguard is not? I would have thought zerotier a much better solution for such difficult situations?

Far from it. The implementation of OVPN used by Mikrotik is... not great. But the VPN itself is quite good, and have several capabilities that are usefull. One of them is easy of use when dealing with a huge number of clients - since one can force configurations on them, and they can be made by templates. Another is the use of signed certificates - that is another great thing in several situations.

One thing that OVPN does different from Wireguard is the possibility of using TCP. One can pass through several simple firewalls (if they don't do DPI) just using OVPN/TCP on port 443.

Wireguard has a smaller codebase, is easier to do simple things with and is faster. OVPN does several things that we would have to hack away with Wireguard to get working.

nichky · Mon Jun 19, 2023 9:08 am

does anyone have ovpn running on v7.10?

own3r1138 · Mon Jun 19, 2023 9:41 am

Anyone who uses OVPN knows that anything higher than 7.7 will render OVPN unusable.

own3r1138 · Mon Jun 19, 2023 9:51 am

I thought ovpn was something cooked up by those using non ipsec routers and using merlin and other after market hack firmwares to emulate VPN.

viewtopic.php?t=196619#p1005390

Are you saying that OVPN is possible where Wireguard is not? YES

I would have thought zerotier a much better solution for such difficult situations?
That one is also restricted due to US sanctions.

In any case, I will no longer mention OVPN in a negative light, and come on Mikrotik FIX IT ALREADY!! Then add zerotrust cloudflare tunnel!!
Firstly, thank you for not being toxic about OVPN anymore.
Secondly, don't we all wait for that day to come?

mantouboji · Mon Jun 19, 2023 11:37 am

In 7.10 Let's Encrypt problem still exists?

If my dynamic DNS have both IPv4 and IPv6 address, /certificate/enable-ssl-certificate dns-name=MYNAME.duckdns.org will run , but since IPv4 port 80 was blocked by ISP, failed at end.

If DDNS has only IPv6 address, without IPv4 . it will fail at all, like this:

[admin@RB4011] > /certificate/enable-ssl-certificate dns-name=my4011.duckdns.org
  progress: [error] could not resolve 'my4011.duckdns.org'

but reolve OK:


[admin@RB4011] > :put [ :resolv  my4011.duckdns.org ]               
240e:xxxx:xxxx:xxxx::1

petardo · Mon Jun 19, 2023 11:49 am

After the upgrade to v7.10 (stable). The ovpn client will no longer emerge into the the ip/address table. Also there will be a missing entry in the routing table, i.e. there is no gateway. Due to this, the router is no longer able to exchange ip packets between the network and the ovpn client.

same here

miasharmse84 · Mon Jun 19, 2023 11:55 am

Upgraded our CCR2216 to 7.10. We are running BGP with around 500k routes on IPv4. This is working for us at least for the last 24 hours.

We have an issue with IPv6. When going to "IPv6 - Routes", it seems as if Winbox is loading all IPv4 Routes
When running "ipv6/route/print count-only" in terminal I get 30 routes on IPv6, howerver, when opening the IPv6 -Routes window in Winbox it is counting up to 500k (see screenshot)

IPv6-Routes.png

pe1chl · Mon Jun 19, 2023 2:20 pm

Yes that is correct, it seems that the IP->Routes and IPv6->Routes views are just "filters" on a single table with all the routes.
However, there seems to be a problem in your case. In my router I *do* see the IPv6 routes in that window.
(but then it shows "22 items out of 1180" where 1180 is the total number of routes for IPv4 and IPv6)
Doesn't it show the routes after it has finished the counting?

DarkNate · Mon Jun 19, 2023 2:55 pm

For those asking for EIM-NAT aka full cone NAT, as I kept saying, MikroTik's implementation is broken.

I tested it with this tool:
https://github.com/HMBSbige/NatTypeTester

While it is "endpoint independent mapping", it fails to comply with the RFCs. Because when I test using the tool, it is port restricted cone, meaning only the original destination peer can reach back to your IP:Port. ANY external peers cannot reach your IP:Port, therefore RFC violation.

This problem doesn't exist on Cisco, Juniper and many other vendors like Huawei that supports REAL full cone NAT.

I have no idea what's going on with MikroTik software quality. I disabled the EIM-NAT config in my personal lab because it's simply broken and seems to make it even worse than tradtional netmap config.

hashbang · Mon Jun 19, 2023 3:21 pm

mpls - added FastPath support;

wht will be the advantage of this feature. We are planning to use crs 317 for mpls/vpls . Will it benefit in P case scenario
ty

Mon Jun 19, 2023 3:28 pm

Regarding the OVPN issue with "Problem accepting server-pushed peer-id: parse/range issue"! We have managed to reproduce the problem and are working on a fix for it.

miasharmse84 · Mon Jun 19, 2023 3:35 pm

Yes that is correct, it seems that the IP->Routes and IPv6->Routes views are just "filters" on a single table with all the routes.
However, there seems to be a problem in your case. In my router I *do* see the IPv6 routes in that window.
(but then it shows "22 items out of 1180" where 1180 is the total number of routes for IPv4 and IPv6)
Doesn't it show the routes after it has finished the counting?

It does eventually show the IPv6 routes, but I have to wait several minutes for it to work through all the IPv4 routes.
Is it supposed to be like that?

pe1chl · Mon Jun 19, 2023 3:49 pm

It does eventually show the IPv6 routes, but I have to wait several minutes for it to work through all the IPv4 routes.
Is it supposed to be like that?

Well, I think not. But at the moment it seems to be how it works.
I have two suggestions for improvement:
1. for this particular case, there should be a separate command to retrieve IPv4 and IPv6 routes only, which does fast selection before going through the entire list
2. in general, winbox should be changed so that filters specified in the GUI are actually sent to the router and applied there, instead of applying them locally in winbox on the plain data retrieved from the router.

This is especially important on large collections of data like route tables, connection tables, DNS cache, etc.

VadiKO · Mon Jun 19, 2023 3:56 pm

I also have a problem with my hAP AX3

Wi-Fi disappears and the log gives an error: key handshake timeout

Solved the problem by rolling back to 7.8

DarkNate · Mon Jun 19, 2023 5:01 pm

I also have a problem with my hAP AX3

Wi-Fi disappears and the log gives an error: key handshake timeout

Solved the problem by rolling back to 7.8

This seems to have fixed that problem for me:
disable-pmkid=yes

leonardogyn · Mon Jun 19, 2023 5:11 pm

After the upgrade to v7.10 (stable). The ovpn client will no longer emerge into the the ip/address table. Also there will be a missing entry in the routing table, i.e. there is no gateway. Due to this, the router is no longer able to exchange ip packets between the network and the ovpn client.

.
I *cannot* confirm that ... everything working just fine here with v7.10 as openvpn-client on several (about 30) boxes of different models. And overal, ovpn-client seems pretty stable now, after the v7.8 nightmare has ended.

spippan · Mon Jun 19, 2023 5:33 pm

For now, all BGPs uptime for 19:10:13 without interruption....
Still all up and working without problems. (2d 16:54:56)

BFD activated or BFD not in use at the moment?

ksteink · Mon Jun 19, 2023 6:05 pm

I have updated the following devices:

- 1 x CRS328-24P
- 2 x RB5009UG
- 2 x RB450Gx4
- 2 x cAP
- 5 x CRS326-24G
- 3 x RB4011
- 1 x RB3011
- 2 x RB2011
- 10 x hAP AC2
- 6 x hEX S
- 1 x RB951Ui-2HnD

All went well with no issues detected during the upgrade or afterwards :)

obscurus · Mon Jun 19, 2023 8:41 pm

After update to v7.10 on RB5009 and BFD enable i see
OSPFv2 crypto sequence invalid spam in log every 2-5 second, but i can't see any problem with ospf.

ospf-1 { version: 2 router-id: 192.168.77.1 } ospf-area-1 { 0.0.0.0 } interface { p2p 172.16.18.1%wireguard3 } neighbor { router-id: 192.168.100.2 state: Full } crypto sequence invalid

How i can disable it?

lele · Mon Jun 19, 2023 10:58 pm

That is a very general statement you are stating. There are plenty of reports but not all can be attributed to ROS, many can be misconfiguration. When you say fix will come at 7.11, it is understood that some particular fix will come at 7.11.

It's a general statement for sure. But 7.10 still has some major issue with wifiwave2 at least on the hap ax^[2|3].
We have several systems, they work perfectly stable on 7.8, can't stay up more than 24hrs on 7.9 and 7.10 final before needing a reboot, or no client can associate ('key handshake timeout').

Wouldn't bet a finger on configuration, given how quirky wifiwave2 configuration is, yet, if it works fine for 24 hours, and works on 7.10, the odds are slim.

macak · Mon Jun 19, 2023 11:30 pm

After the upgrade to v7.10 (stable). The ovpn client will no longer emerge into the the ip/address table. Also there will be a missing entry in the routing table, i.e. there is no gateway. Due to this, the router is no longer able to exchange ip packets between the network and the ovpn client.
.
I *cannot* confirm that ... everything working just fine here with v7.10 as openvpn-client on several (about 30) boxes of different models. And overal, ovpn-client seems pretty stable now, after the v7.8 nightmare has ended.

Hi.

What do you mean 'boxes'? Other mikrotik routers?. Do you try ovpn clients on other OSes like Android/Windows/Linux?

dooh · Tue Jun 20, 2023 12:14 am

Ok, so prefix count for IPv6 does not seem to work ok, prefinx count shows as "4294909605" which is invalid, it should show about 174K

#sh ipv6 bgp neighbors 1011::15 advertised-routes
There are 174824 routes advertised to neighbor 1011::15

routing-table=peerings nexthop-choice=force-self multihop=yes hold-time=1m30s keepalive-time=30s uptime=20h36m51s880ms last-started=2023-06-19 03:25:31 last-stopped=2023-06-19 03:25:21 prefix-count=4294909605

leonardogyn · Tue Jun 20, 2023 4:06 am

What do you mean 'boxes'? Other mikrotik routers?. Do you try ovpn clients on other OSes like Android/Windows/Linux?

.
By "boxes" i mean different MK routers, different models. All my MK routers are using ovpn-client, protocol TCP, to a Linux server. Have not tried other combinations indeed.

kcarhc · Tue Jun 20, 2023 7:15 am

pleacse check SUP-119718
[RouterOS 7.10]router was rebooted without proper shutdown
on RouerOS 7.9 CHR working well for long time.

SUP-119718.jpg

mazel · Tue Jun 20, 2023 9:17 am

Still having issues with Wireless Clients. But now, it seems that after upgrade from 7.8 to 7.10 only devices with WiFi6 chips - Samsung S22 (6) and laptop with Intel AX210 (6E) - having issues and not connecting, other devices connects without issues (configuration more or less the same as in topic viewtopic.php?t=195929). When I downgrade back to 7.8 all devices connects flawlessly.

ROS 7.10 on RB5009 ok.
ROS 7.10 on LtAP mini ok.
ROS 7.10 on LHG XL 5 ac ok.
ROS 7.10 on hAP (RB951Ui-2nD) ok.
ROS 7.10 on HEX S ok.
ROS 7.10 on hEX ok.

gigx205 · Tue Jun 20, 2023 9:38 am

Also having problems with my OpenVPN on 7.10.

I reverted back to 7.9.2. - everything works fine

Muschelpuster · Tue Jun 20, 2023 11:18 am

I *cannot* confirm that ... everything working just fine here with v7.10 as openvpn-client on several (about 30) boxes of different models. And overal, ovpn-client seems pretty stable now, after the v7.8 nightmare has ended.

I can't confirm this. After upgrading no OpenVPN is coming up on my RouterBoard. All clients are Mikrotik RouterBoards with different V6 FW. This issue occurs also with 6.49.8.

Niels

volkirik · Tue Jun 20, 2023 11:19 am

Dear Mikrotik Team;

Please fix OPENVPN, its time for 7.11 beta1

rextended · Tue Jun 20, 2023 12:31 pm

Regarding the OVPN issue with "Problem accepting server-pushed peer-id: parse/range issue"! We have managed to reproduce the problem and are working on a fix for it.

Rox169 · Tue Jun 20, 2023 12:55 pm

Dear Mikrotik Team;

Please fix WiFi issue, its time for 7.11 beta :)

wuhoatu · Tue Jun 20, 2023 1:01 pm

Just updateed my Hex S to ROS 7.10 stable and it seems that Check Gateway = ping/arp/bfd does not working any more. I means case in IP / Route, Check Gateway = ping/arp/bfd will result Check Gateway Ok unchecked and all connections will be routing through main only.

Jotne · Tue Jun 20, 2023 1:36 pm

7.11 beta are for new functions.
7.10.1 are for fixing problems with 7.10 like Wifi/openVPN etc.
I am looking forward for 7.10.10 Long Term release. :)

rextended · Tue Jun 20, 2023 1:46 pm

The first long-term? 7.23.5 @ September....

ToTheFull · Tue Jun 20, 2023 1:57 pm

@Guntis thanks for the Alpha will test!

wispmikrotik · Tue Jun 20, 2023 2:06 pm

viewtopic.php?t=196170

We have introduced several improvements regarding the AX stability. It is still a work in progress, but in order to gather more feedback as soon as possible, here is a link to the latest alpha version that contains these fixes. The fixes are mainly targeted at the issue discussed in this thread - the inability of WifiWave2 interfaces to authenticate the clients.

Please treat it with caution. If you experience any wireless-related issues with this alpha build, then let us know at support@mikrotik.com
https://box.mikrotik.com/d/e700b4d034174bce8a22/

In a few hours, we will test this version. Thank you @Guntis.

rextended · Tue Jun 20, 2023 2:19 pm

Well...

DarkNate · Tue Jun 20, 2023 2:37 pm

Well...

I don't know why MikroTik calls it “stable”, when it's really beta, and why they call it beta when it's really alpha.

I'm a big MikroTik user, but I'm losing faith in their software quality and Q/A.

bluecrow76 · Tue Jun 20, 2023 2:43 pm

Mikrotik support provided me with the same ROS routeros-7.11alpha126 firmware to try about an hour ago.

While I didn't have any physical hardware I could easily test the alpha firmware on, I spun up a test CHR instance with 7.10 and verified that the OpenVPN Server bug was present on a CHR instance. I then upgraded the test instance to ROS 7.11alpha126. I can confirm that after the upgrade I can once again connect to the Mikrotik OpenVPN server (TCP) once again using OpenVPN Connect client version 3.3.7 (2979) (latest).

Looking forward to that fix being incorporated into the "stable" firmware. 👍

Smokeshow · Tue Jun 20, 2023 3:40 pm

A couple issues

1) CCR2004-16F-2S+PC, "export" fails for me. Seemingly related to the bridge config. Other areas export successfully.

[admin@MikroTik] /interface/bridge> export
# 2023-06-20 06:33:15 by RouterOS 7.10
# software id = 1839-P0T5
#
# model = CCR2004-16G-2S+
# serial number = HDD085GSQZX
/interface bridge
add ingress-filtering=no name=bridge priority=0 vlan-filtering=yes

[admin@MikroTik] /routing> export
# 2023-06-20 06:38:09 by RouterOS 7.10
# software id = 1839-P0T5
#
# model = CCR2004-16G-2S+
# serial number = HDD085GSQZX
/routing id
add disabled=no id=x.x.x.x name=x.x.x.x select-dynamic-id="" select-from-vrf=main
/routing ospf instance
add disabled=no name=ospf-instance-1 originate-default=never redistribute="" router-id=x.x.x.x routing-table=main
/routing ospf area
add disabled=no instance=ospf-instance-1 name=ospf-area-1
/routing ospf interface-template
add area=ospf-area-1 auth=md5 auth-id=1 auth-key=comm2000 disabled=no interfaces=sfp1.vlan2001
add area=ospf-area-1 disabled=no interfaces=bridge,vlan5,vlan15,vlan30 passive

2) Most likely related to above. In winbox or webfig, the Bridge -> Hosts is blank.

3)I cannot pass tagged VLAN traffic across a bridge (bridge is configured as all 16 ether, and SFP+2) unless I add the "bridge" interface as a tagged member of the particular VLAN. I would post my config, but I cannot export.
This works, but if I remove "bridge" from tagged, it will not pass, at the very least from SFP+ to ether ports.

Screenshot 2023-06-20 064323.png

kcarhc · Tue Jun 20, 2023 4:09 pm

Dear Mikrotik Team;

Please fix DNS issue, its time for 7.10.1

Frederick88 · Tue Jun 20, 2023 4:14 pm

updated hAP ax3 to 7.10 stable.

WiFI seems a lot better. No "authentication" related errors, and no 5GHz radio malfunctions yet.

I also noticed that my laptop picks up the SSID from the hAP instantly now, whereas <7.10 the SSID took a lot longer to show compared to other wifi APs in the area...

JJT211 · Tue Jun 20, 2023 5:16 pm

Put into production on CCR2116-12G-4S+ with 3 full BGP tables (2 IPv4 only, 1 IPv6 only)
No, I haven't gone crazy, I have multiple RouterBOARDs in HA on the same link...

Ive seen you post this several times that you have 2 RB's in HA. One with v6 and the other on the latest v7. Just curious, how are you doing this? VRRP?

rextended · Tue Jun 20, 2023 5:44 pm

Yes, and they do nothing else, so that if there is a microbreak, the customers lines do not fall. (the uptime is now 4d 22:42:48)

raphaps · Tue Jun 20, 2023 6:47 pm

Openvpn is working again on version 7.11alpha126 provided by support. Android clients are now able to connect. Test performed on an RB4011.

volkirik · Tue Jun 20, 2023 7:52 pm

get 7.11alpha (development) for testing

https://box.mikrotik.com/d/c1ce5f170ea1467db0d2/

contact support for feedback

Jotne · Tue Jun 20, 2023 9:45 pm

If you read some post up in the thread, there is a download link. Post by wispmikrotik

Joe1vm · Tue Jun 20, 2023 11:06 pm

*) container - fixed "container pull" to support OCI manifest format
Thank you. It works well now.

Tue Jun 20, 2023 11:29 pm

If you read some post up in the thread, there is a download link. Post by wispmikrotik

Only arm and arm64 in that link (probably because those are the wifiwave2 capable platforms).

clambert · Tue Jun 20, 2023 11:45 pm

*) mpls - added FastPath support;

Has anyone tried this functionality? Counters associated with fast-path in /mpls/settings/ are kept at zero:


[admin@LSR] > mpls/settings/print 
     dynamic-label-range: 16-1048575
           propagate-ttl: yes
         allow-fast-path: yes
  mpls-fast-path-packets: 0
    mpls-fast-path-bytes: 0

jeremyb · Wed Jun 21, 2023 4:19 am

1) remove any public and private keys
2) downgrad to 7.8
3) import both public and private keys , ssh client is OK
4) upgrade to 7.10
5) ssh client OK

but If remove all key and re-import in 7.10, ssh client broken.

In 7.10. letsencrypt broken again? my duckdns.org dynamic domain name only has a AAAA ipv6 address .

I confirm this is still happening in v7.10
It may even work one time and then not work the next.

nclmrc · Wed Jun 21, 2023 1:35 pm

LLDP-MED (Voice VLAN) on NON POE Port doesn't work from 7.8

viewtopic.php?p=987143#p987143

Paternot · Wed Jun 21, 2023 3:14 pm

--- EDITED TYPO --

Problem with Wireguard. hEX upgraged from 7.9.1 to 7.10 stable.

With 7.9.1 it worked perfectly, with several clients - some of them I used my same private key. Others I used a different one. All of them have different public keys. VPN traffic is IPv6 only and the peers are IPv4 only.

First problem: wireguard connection is established, but no traffic pass between hosts.
Solution: add "::/0" to the list of "allowed-address". I already had "allowed-address=fd00::/8,fe80::/10" declared (these hosts only use private IPv6 networks, hence the "fd00::/8" part). After this, the router can ping the peer and my BGP peerings are up again. But not much else.

Second problem, after solving the first one:
A client on one network can't ping even the interface of the other peer. Yes, it worked before. Yes, I downgraded to 7.9.1 and everything is back to normal.

So, back to 7.9.1 and waiting on 7.10.1

kcarhc · Wed Jun 21, 2023 4:30 pm

Anyone who has upgraded to 7.10 and encounters DNS crashes,
can try using the following code to disable the dns-to-address-list configuration first:

/ip dns static set [find where address-list!=""] address-list=""

It is known that version 7.10, due to the addition of endpoint-independent-nat, involves major changes to the firewall.
This causes the dns-to-address-list interaction feature to induce DNS crashes.

ntsecrets · Wed Jun 21, 2023 7:55 pm

Why is a stable version released with a half-hearted implementation of the change in time format?
I think it is a good change in principle, but it seems controversial for scripting (discussion elsewhere) and now we have a mix of formats all over the place.
Would it not be better to make the complete change, or roll back when it cannot be completed, at the point of stable release?
Also they know that are a problem on dates show on webfig, and I just found that it depends of your browser timezone.

I am seeing this too, the dates shown in webfig are one day behind the real date which was totally confusing. Checked via the console and the date and time are correct there. Version 7.10 on 2 different devices.

eworm · Wed Jun 21, 2023 8:06 pm

I do not think this is expected... Can we have the year in logs, please? (Time only for the current day is ok, but just part of the date is a no-go.)

[admin@jupiter] > /log/print
[...]
 06-20 09:04:34 ssh,info publickey accepted for user: admin
[...]

By the way... Why do the lines start with a space?

kiaunel · Wed Jun 21, 2023 8:46 pm

After the upgrade to v7.10 (stable). The ovpn client will no longer emerge into the the ip/address table. Also there will be a missing entry in the routing table, i.e. there is no gateway. Due to this, the router is no longer able to exchange ip packets between the network and the ovpn client.
same here

I can confirm this , if the clients are added to a bridge , from profile , there is no ip entry or route to them. When they are not included in the bridge you can reach them .
But still have some problems with connects/disconnects like every version after 7.7

kcarhc · Thu Jun 22, 2023 2:46 am

please check SUP-119969
[RouterOS 7.10]kernel failure in previous boot

kernel failure in previous boot.jpg

jaxed7 · Thu Jun 22, 2023 3:12 am

My friend, I'm curious as to why you're opposed to OVPN and actively seeking its removal from RouterOS. However, a simple poll would reveal that a significant number of RouterOS users rely on OVPN. Why, you ask? It's because in areas and countries with high levels of restriction, OVPN is often the last and only solution that works. Additionally, it's highly compatible with a wide range of operating systems and devices, making it a versatile choice for many users.
Hi Jax, thanks for taking the time to make a thoughtful reply. I didnt know that was the case ( last hope for VPN in some areas ) and if so, then agree the ongoing lack of focus to fix the issues is more than annoying, its disrespectful.
I thought ovpn was something cooked up by those using non ipsec routers and using merlin and other after market hack firmwares to emulate VPN. With the advent of wireguard I saw no purpose for a hack job VPN. Wireguard is also cross platform. Are you saying that OVPN is possible where Wireguard is not? I would have thought zerotier a much better solution for such difficult situations?

In any case, I will no longer mention OVPN in a negative light, and come on Mikrotik FIX IT ALREADY!! Then add zerotrust cloudflare tunnel!!

Hello Anav, I haven't had much experience with Wireguard as it is often blocked by certain ISPs, areas, or countries in the networks I work with. However, there may be some advanced settings that can be adjusted to make it work. Regarding Zerotier, I have heard a lot about it but have not yet had the opportunity to explore it. I am hopeful that MikroTik will add it to their offerings, as more options are always better. With their packages, the possibilities are endless. If the MikroTik team cannot keep up with demand, perhaps it is time to consider going semi or completely open source and allowing the community to build what they need.

It is worth noting that heavy DPI and filtering on Cloudflare IPs have made their services less useful.

By the way, I would be happy to grant you access to these types of networks and environments. With your expertise, we may be able to find a solution together.

kenyloveg · Thu Jun 22, 2023 6:57 am

previous (7.9.x) ikev2 site to site is not working on 7.10 (upgraded from 7.9.x)
already reported through support, still no feedback

Jotne · Thu Jun 22, 2023 7:59 am

I do not think this is expected... Can we have the year in logs, please? (Time only for the current day is ok, but just part of the date is a no-go.)
Code: Select all
[admin@jupiter] > /log/print
[...]
 06-20 09:04:34 ssh,info publickey accepted for user: admin
[...]
By the way... Why do the lines start with a space?

There is a simple solution to this. Why not use the 21 !!!!! year old standard for time format?
https://www.rfc-editor.org/rfc/rfc3339

Larsa · Thu Jun 22, 2023 8:11 am

IMO the whole date-gate disaster should be fixed once and for all.

eworm · Thu Jun 22, 2023 10:13 am

I think with "time format according to ISO standard" they refer to ISO 8601, which is fine.

However the year should not be stripped. I guess that is not intended and possibly a left-over from old code.

rextended · Thu Jun 22, 2023 10:15 am

By the way... Why do the lines start with a space?

(because month/day are xxx/xx on previous format, etc.)

rextended · Thu Jun 22, 2023 10:18 am

However the year should not be stripped.

IMO the whole date-gate disaster should be fixed once and for all.

The problem on the crap format of the date on the log, 4 different formats depending on the date and time of the machine...
We have been asking them for years that the format of the date in the logs must be only one yyyy-MM-dd hh:mm:ss, regardless current date and time........

cyayon · Thu Jun 22, 2023 10:55 am

Anyone who has upgraded to 7.10 and encounters DNS crashes,
can try using the following code to disable the dns-to-address-list configuration first:
Code: Select all
/ip dns static set [find where address-list!=""] address-list=""
It is known that version 7.10, due to the addition of endpoint-independent-nat, involves major changes to the firewall.
This causes the dns-to-address-list interaction feature to induce DNS crashes.

Hi,

what are "major changes to the firewall" please ?

Thu Jun 22, 2023 11:02 am

There are no major changes in firewall.

cyayon · Thu Jun 22, 2023 12:15 pm

There are no major changes in firewall.

Thanks.
Do you plan to release a 7.10.1 to resolve DNS static issues ?

nmt1900 · Thu Jun 22, 2023 12:46 pm

Finally decided to bite the bullet and upgrade 7.9.2 -> 7.10. PPPoE WAN and IKE2 VPN work as before and CPU usage on old CRS112 switch seems to have gone down a little bit (Dude shows the change 11% -> 8-9%).

DynDNS seems to work OK. As I have OpenVPN deployed only on v6 then I can not tell anything about that on this one...

Thu Jun 22, 2023 1:20 pm

Anyone who has upgraded to 7.10 and encounters DNS crashes,
can try using the following code to disable the dns-to-address-list configuration first:
Code: Select all
/ip dns static set [find where address-list!=""] address-list=""
It is known that version 7.10, due to the addition of endpoint-independent-nat, involves major changes to the firewall.
This causes the dns-to-address-list interaction feature to induce DNS crashes.

This DNS issue has nothing to do with the firewall. The issue is caused by static entries with the address-list option enabled. The issue is reproduced and will be resolved as soon as possible.

badmonkey · Thu Jun 22, 2023 3:54 pm

*) wireguard - fixed IPv6 traffic processing with multiple peers;

Doesn't seem like it.

The issue remains if the allowed-address set on the router is an ipv6 /64.
It works but only if that peer is the most recently enabled.
If another peer is enabled, the 1st will stop working on ipv6.
If the allowed-address is a /128 however the bug does seem to disappear. I can disabled/re-enable other peers no problem.

eworm · Thu Jun 22, 2023 4:01 pm

The issue remains if the allowed-address set on the router is an ipv6 /64.

These networks do not overlap, no? If they do the behavior is expected.

noradtux · Thu Jun 22, 2023 4:03 pm

*) wireguard - fixed IPv6 traffic processing with multiple peers;
Doesn't seem like it.

The issue remains if the allowed-address set on the router is an ipv6 /64.
It works but only if that peer is the most recently enabled.
If another peer is enabled, the 1st will stop working on ipv6.
If the allowed-address is a /128 however the bug does seem to disappear. I can disabled/re-enable other peers no problem.

Wait, do the allowed-address ranges of your peers overlap or are they even identical? If so, I would be surprised if it where supported.

pcunite · Fri Jun 23, 2023 4:14 am

ROS 7.10 seems that Check Gateway = ping/arp/bfd does not work any more. In IP / Route, Check Gateway = ping/arp/bfd will result in Check Gateway Ok. Unchecked and all connections will be routing through main only.

I don't know when, but this seems to have been introduced a couple of versions back. It appeared to work with ROS v7.7. I'm having similar trouble trying to implement MultiWAN on anything newer.

Update:
The issue was not with v7.10 and not a bug. Just a change in behavior with how RoS v7 works.

dinosgb · Fri Jun 23, 2023 2:01 pm

new modem FW release for the Chateau 5G after the 7.10 upgrade!
Dear Support, can you pls post a summary of the improvements in the new modem FW release?
thank you

radekpv · Fri Jun 23, 2023 2:59 pm

cAP ax lost wifi interface after upgrade to version 7.10 - tested on 2 pieces.
On the first cap ax - reset to default, netinstall , system routerboard upgrade ... - not helped

A new cap ax out of the box, turned on, updated from original version 7.7 to 7.10 arm64 - package routeros-7.10-arm64.npk:
[admin@MikroTik] > system/routerboard/print
routerboard: yes
board-name: cAP ax
model: cAPGi-5HaxD2HaxD
serial-number: HE6.......
firmware-type: ipq6000
factory-firmware: 7.7
current-firmware: 7.7
upgrade-firmware: 7.10

[admin@MikroTik] > log/print
00:04:02 system,info installed system-7.10
00:04:02 system,info router rebooted
00:04:13 interface,info ether2 link up (speed 1G, full duplex)
00:04:15 system,info,account user admin logged in from 70:85:C2:94:68:8A via winbox
00:04:44 script,warning DefConf gen: Unable to find wireless interface(s)
00:04:44 system,error,critical error while running customized default configuration script: interrupted
00:04:44 system,error,critical
00:13:57 system,info,account user admin logged in via local
00:14:10 smb,info created new share: pub

[admin@MikroTik]