Community discussions

MikroTik App
 
EdPa
MikroTik Support
MikroTik Support
Topic Author
Posts: 340
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga
Contact:

v7.11beta [testing] is released!

Thu Jun 22, 2023 1:23 pm

RouterOS version 7.11beta has been released on the "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.11beta7 (2023-Jul-24 14:45):

*) certificate - allow to import certificate with DNS name constraint;
*) certificate - require CRL presence when using "crl-use=yes" setting;
*) conntrack - fixed "active-ipv4" property;
*) console - added ":convert" command;
*) dhcp-server - fixed setting "bootp-lease-time=lease-time";
*) ike2 - log "reply ignored" as non-debug log message;
*) modem - added initial support for BG77 modem DFOTA firmware update;
*) modem - changed Quectel EC25 portmap to expose DM (diag port), DM channel=0, GPS channel=1;
*) ovpn - do not try to use the "bridge" setting from PPP/Profile, if the OVPN server is used in IP mode (introduced in v7.10);
*) ovpn - improved key renegotiation process;
*) ovpn - include "connect-retry 1" and "reneg-sec" parameters into the OVPN configuration export file;
*) routerboot - increased etherboot bootp timeout to 40s on MIPSBE and MMIPS devices ("/system routerboard upgrade" required);
*) ssh - fixed private key import (introduced in v7.9);
*) user - added "sensitive" policy requirement for SSH key and certificate export;
*) webfig - fixed gray-out italic font for entries after enable;

What's new in 7.11beta6 (2023-Jul-18 14:06):

*) bfd - improved system stability;
*) bth - added "Back To Home" VPN service for ARM, ARM64 and TILE devices;
*) certificate - removed request for "passphrase" property on import;
*) defconf - do not change admin password if resetting with "keep-users=yes";
*) modem - fixed missing sender's last symbol in SMS inbox if the sender is an alphabetic string;
*) ssh - fixed host public key export (introduced in v7.9);
*) tftp - improved file name matching;

What's new in 7.11beta5 (2023-Jul-17 10:07):

*) bridge - added warning when VLAN interface list contains ports that are not bridged;
*) bth - added "Back To Home" VPN service for 802.11ax devices with wifiwave2 package;
*) console - fixed incorrect date when printing "value-list" with multiple entries;
*) console - improved stability when using fullscreen editor;
*) container - added IPv6 support for VETH interface;
*) container - adjust the ownership of volume mounts that fall outside the container's UID range;
*) hotspot - allow number as a first symbol in the Hotspot server DNS name;
*) lora - added uplink message filtering option using NetID or JoinEUI;
*) qos-hw - keep VLAN priority in packets that are sent from CPU;
*) resource - fixed erroneous CPU usage values;
*) sfp - reduce CPU load due to SFP interface handling for CCR2116, CCR2216, CCR2004-12S+2XS, CRS312, CRS518 devices (introduced in v7.9)
*) webfig - fixed "Connect To" configuration changes for L2TP client;
*) wifiwave2 - automatically add wifi interfaces to appropriate bridge VLAN when wireless clients with new VLAN IDs connect;
*) wifiwave2 - fixed multicast frame delivery (introduced in v7.11beta2);
*) wifiwave2 - fixed registration table statistics (introduced in v7.11beta4);

What's new in 7.11beta4 (2023-Jul-05 13:33):

*) bluetooth - added "decode-ad" command for decoding raw Bluetooth payloads (CLI only);
*) bluetooth - added "Peripheral devices" section which displays decoded Eddystone TLM and UID, iBeacon and MikroTik Bluetooth payloads;
*) bridge - added warning when VLAN interface list contains ports that are not bridged;
*) bridge - prevent bridging the VLAN interface created on the same bridge;
*) console - fixed incorrect default value of ":return" command (introduced in v7.11beta2);
*) console - improved stability and responsiveness;
*) container - fixed duplicate image name;
*) dns - improved system stability when processing static DNS entries with specified address-list;
*) ipsec - improved IKE2 rekey process;
*) ipsec - properly check ph2 approval validity when using IKE1 exchange mode;
*) l3hw - changed minimal supported values for "neigh-discovery-interval" and "neigh-keepalive-interval" properties;
*) l3hw - fixed /32 and /128 route offloading after nexthop change;
*) l3hw - fixed incorrect source MAC usage for offloaded bonding interface;
*) l3hw - improved system responsiveness during partial offloading;
*) l3hw - improved system stability;
*) leds - blink red system-led when LTE is not connected to the network on D53 devices;
*) leds - fixed system-led color for "GSM EGPRS" RAT on D53 devices;
*) lte - fixed Dell DW5221E "at-chat" support;
*) lte - only listen to DHCP packets for LTE passtrough interface in auto mode when looking for the host;
*) package - treat disabled packages as enabled during upgrade;
*) profile - added "container" process classifier;
*) profile - properly classify "console" related processes;
*) quickset - correctly apply configuration when using "DHCP Server Range" property;
*) rose-storage - added "scsi-scan" command (CLI only);
*) route - added comment for BFD configuration (CLI only);
*) route - convert BFD timers from milliseconds to microseconds after upgrade;
*) sfp - improved optical QSFP interface handling for 98DX8332, 98DX3257, 98DX4310, 98DX8525 switches;
*) wifiwave2 - fixed "reg-info" information for several countries;
*) wifiwave2 - fixed interface hangs on IPQ6010-based boards (introduced in v7.9);
*) wifiwave2 - rename "reg-info" country argument from "Macedonia" to "North Macedonia";
*) winbox - fixed "Storm Rate" property under "Switch/Port" menu;
*) winbox - fixed BGP affinity display;
*) wireless - ignore EAPOL Logoff frames;
*) x86 - updated e1000 driver;

What's new in 7.11beta2 (2023-Jun-21 14:39):

*) api - disallow executing commands without required parameters;
*) bfd - fixed "actual-tx-interval" value and added "remote-min-tx" (CLI only);
*) bluetooth - added new AD structure type "service-data" for Bluetooth advertisement;
*) bridge - added more STP-related logging;
*) bridge - fixed MSTP BPDU aging;
*) bridge - fixed MSTP synchronization after link down;
*) certificate - fixed PEM import;
*) certificate - restored RSA with SHA512 support;
*) console - added default value for "rndstr" command (16 characters from 0-9a-zA-Z);
*) console - fixed minor typos;
*) console - fixed missing "parent" for script jobs (introduced in v7.9);
*) console - fixed missing return value for ping command in certain cases;
*) console - fixed printing interval when resizing terminal;
*) console - improved flag printing in certain menus;
*) console - improved stability and responsiveness;
*) console - improved timeout for certain commands and menus;
*) console - improved VPLS "cisco-id" argument validation;
*) container - added option to use overlayfs layers;
*) discovery - fixed "lldp-med-net-policy-vlan" (introduced in v7.8 );
*) ethernet - improved interface stability for CRS312 device;
*) fetch - improved timeout detection;
*) firewall - added warning when PCC divider argument is smaller than remainder;
*) firewall - fixed mangle "mark-connection" with "passthrough=yes" rule for TCP RST packets;
*) graphing - added paging support;
*) health - added more gradual control over fans for CRS3xx, CRS5xx, CCR2xxx devices;
*) health - fixed configuration export for "/system/health/settings" menu;
*) ike2 - improved system stability when closing phase1;
*) ike2 - improved system stability when making configuration changes on active setup;
*) l3hw - improved system stability during IPv6 route offloading;
*) led - fixed manually configured user LED for RB2011;
*) lora - added new EUI field;
*) lora - moved LoRa service to IoT package;
*) lora - properly apply configuration changes when multiple LoRa cards are used;
*) lora - updated LoRa firmware for R11e-LR8, R11e-LR9 and R11e-LR2 cards;
*) lte - added "at-chat" support for Dell DW5821e-eSIM modem;
*) lte - added extended support for Neoway N75 modem;
*) lte - fixed NR SINR reporting for Chateau 5G;
*) lte - fixed Telit LE910C4 "at-chat" support;
*) lte - improved initial interface startup time for SXT LTE 3-7;
*) mpls - improved MPLS TCP performance;
*) mqtt - added more MQTT publish configuration options;
*) mqtt - added new MQTT subscribe feature;
*) netwatch - added "src-address" property;
*) netwatch - changed "thr-tcp-conn-time" argument to time interval;
*) ovpn - fixed OVPN server peer-id negotiation;
*) ovpn - fixed session-timeout when using UDP mode;
*) ovpn - properly close OVPN session on the server when client gets disconnected;
*) poe - fixed missing PoE configuration section under specific conditions;
*) pppoe - fixed PPPoE client trying to establish connection when parent interface is inactive;
*) rose-storage - added disk stats for ramdisks;
*) rose-storage - fixed RAID 0 creation;
*) rose-storage - limit striped RAID element size to smallest disk size;
*) routerboard - fixed "gpio-function" setting on RBM33G ("/system routerboard upgrade" required);
*) routerboard - improved RouterBOOT stability for Alpine CPUs ("/system routerboard upgrade" required);
*) routerboard - removed unnecessary serial port for netPower16P and hAP ax lite devices ("/system routerboard upgrade" required);
*) sfp - improved interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 based switches;
*) ssh - fixed user RSA private key import;
*) switch - fixed "reset-counters" for "switch-cpu";
*) system - disallow setting a non-existing CPU core number for system IRQ;
*) system - increased maximum supported CPU core count to 512 on CHR and x86;
*) system - reduced RAM usage for SMIPS devices;
*) w60g - improved stability for Cube 60Pro ac and CubeSA 60Pro ac devices;
*) webfig - added option to enable wide view in item list;
*) webfig - use router time zone for date and time;
*) wifiwave2 - added "steering" parameters and menu to set up and monitor AP neighbor groups (CLI only);
*) wifiwave2 - added more information on roaming candidates to BSS transition management requests (802.11v) and neighbor report responses (802.11k);
*) wifiwave2 - added option to filter frames captured by the sniffer command (CLI only);
*) wifiwave2 - changed default behavior for handling duplicate client MAC addresses, added settings for changing it (CLI only);
*) wifiwave2 - enabled PMK caching with EAP authentication types;
*) wifiwave2 - fixed "security.sae-max-failure" rate not limiting authentications correctly in some cases;
*) wifiwave2 - fixed clearing CAPsMAN Common Name when disabling "lock-to-caps-man";
*) wifiwave2 - improved stability when changing interface settings;
*) wifiwave2 - improved stability when receiving malformed WPA3-PSK authentication frames;
*) wifiwave2 - make info log less verbose during client roaming (some info moved to wireless,debug log);
*) wifiwave2 - use correct status code when rejecting WPA3-PSK re-association;
*) winbox - added missing status values for Ethernet and Cable Test;
*) winbox - added warning about non-running probe due to "startup-delay";
*) winbox - fixed default "Ingress Filtering" value under "Bridge" menu;
*) winbox - improved supout.rif progress display;
*) winbox - rename "Group Master" property to "Group Authority" under "Interface/VRRP" menu;
*) wireguard - fixed peer connection using DNS name on IP change;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.
 
User avatar
own3r1138
Forum Veteran
Forum Veteran
Posts: 727
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 1:38 pm

Thank you.
Interesting, I have to check this one out.
*) system - reduced RAM usage for SMIPS devices;
Last edited by own3r1138 on Thu Jun 22, 2023 1:51 pm, edited 1 time in total.
 
mh04
just joined
Posts: 2
Joined: Thu Apr 20, 2023 9:30 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 1:50 pm

SNMP Routing Table error ("Error: OID not increasing:") still not fixed, which exists since version 7.9 (SUP-117934 / SUP-119410).

7.9 changelog:
*) snmp - improved outputting of routes;
Unfortunately you didn't improve it, you broke it.

You can reproduce the problem by creating multiple routes with the same destination.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 1:51 pm

Thank you for the beta. What are the changes compare the alpha? Has been the WiFi bug fixed?

Thank you
 
leonardogyn
just joined
Posts: 18
Joined: Wed Dec 04, 2019 4:47 pm

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 2:05 pm

*) webfig - added option to enable wide view in item list;
.
This is awesome, thanks a lot for that Mikrotik :) Please consider allowing the "wide view" to be set as default somehow, and not requiring to click on the icon each time. Please also consider, and i'm asking that once again, consider also giving us the option to choose between inline or 'newline' comments.
 
User avatar
clambert
Member Candidate
Member Candidate
Posts: 161
Joined: Wed Jun 12, 2019 5:04 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 2:27 pm

*) mpls - improved MPLS TCP performance;
What can this mean?
 
User avatar
strods
MikroTik Support
MikroTik Support
Posts: 1658
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 2:31 pm

*) mpls - improved MPLS TCP performance;
What can this mean?
It works better now :)
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 2:43 pm

The Better is the Enemy of good :) :) :)
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 2:45 pm

@strods you should better to answer more serious questions :) Has been the WiFi bug fixed?
 
epkulse
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Sat Oct 27, 2012 12:57 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 2:47 pm

Does this include correction for issue with wifi and "key handshake timeout"?
 
Guntis
MikroTik Support
MikroTik Support
Posts: 203
Joined: Fri Jul 20, 2018 1:40 pm

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 2:51 pm

This version includes the changes that were present in 7.11alpha127 that was shared on the forum. While some users have reported improvements with this version, the issue is not fully resolved. We are still working on it.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 2:56 pm

so you still have not reproduce the issue in your lab? It takes somethimes some time/days to apper so it will be difficult to fix it without reproduction in your lab. Lets see if anyone will report this issue on the beta.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 3:28 pm

SNMP Routing Table error ("Error: OID not increasing:") still not fixed, which exists since version 7.9 (SUP-117934 / SUP-119410).

7.9 changelog:
*) snmp - improved outputting of routes;
Unfortunately you didn't improve it, you broke it.

You can reproduce the problem by creating multiple routes with the same destination.
Also it does not support multiple route tables, it only returns routes from the main table.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 3:30 pm

*) webfig - added option to enable wide view in item list;
.
This is awesome, thanks a lot for that Mikrotik :) Please consider allowing the "wide view" to be set as default somehow, and not requiring to click on the icon each time. Please also consider, and i'm asking that once again, consider also giving us the option to choose between inline or 'newline' comments.
I think in general, it has to be considered to have persistent settable viewing options in webfig. There are none, so first that has to be implemented.
 
User avatar
fischerdouglas
Frequent Visitor
Frequent Visitor
Posts: 71
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 3:37 pm

Update Failure!
From 7.10 with all extra packages installed and disabled.

Log error -> "can not install lora-7.11beta2: iot is not installed, but is required"
But is not true!
iot was installed, but disabled.

Follow the historical evidence on screenshots.
01_RouterOS_FailureOnUpdateTo_v7.11beta2_BeforeFirstTry_v7.10.jpg
02_RouterOS_FailureOnUpdateTo_v7.11beta2_LogAfterReboot.jpg
03_RouterOS_FailureOnUpdateTo_v7.11beta2_UninstallLora.jpg
04_RouterOS_FailureOnUpdateTo_v7.11beta2_SecondTryAfterUninstallLora.jpg
05_RouterOS_SuccessOnUpdateTo_v7.11beta2.jpg
06_RouterOS_v7.11beta2_BeforeReinstallLora.jpg
07_RouterOS_v7.11beta2_ErrorAfterFistrTryReinstallLora.jpg
08_RouterOS_v7.11beta2_Enable-iot.jpg
09_RouterOS_v7.11beta2_BeforeSecondTryReinstallLora_With-iotEnabled.jpg
10_RouterOS_v7.11beta2_SucessrAfterSecondTryReinstallLora_With-iotEnabled.jpg
11_RouterOS_v7.11beta2_Disable-iotAnd-lora.jpg
12_RouterOS_v7.11beta2_Sucess_AfterWorkarounds.jpg
You do not have the required permissions to view the files attached to this post.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 3:41 pm

Classic logic error, the text of the error is wrong, it should be "can not install lora-7.11beta2: iot is not enabld or installed, but is required"


I'm really having a hard time understanding why you needlessly install all the extra packages if you then disable them...
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 3:46 pm

*) system - reduced RAM usage for SMIPS devices;
Wow, even more!
*) wireguard - fixed peer connection using DNS name on IP change;
Any details? What case should it fix?
 
User avatar
mantouboji
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Mon Aug 01, 2022 2:21 pm
Location: Shanghai

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 3:51 pm

*) ssh - fixed user RSA private key import;
Are you serious?

still broken .
You do not have the required permissions to view the files attached to this post.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3343
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 4:32 pm

*) bridge - added more STP-related logging;
More and better logging do we like.
Hopefully timestamp will be fixed and the prefix logging mess.
viewtopic.php?t=124291

Will do some test on the STP and see if I can make a splunk dashboard on it.
 
User avatar
fischerdouglas
Frequent Visitor
Frequent Visitor
Posts: 71
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 4:46 pm

I'm really having a hard time understanding why you needlessly install all the extra packages if you then disable them...
Humm... This is my own testbed.
I do it (and many other stupid things) for testing... And reporting. After all, it's a beta.

In production, only the packages that are actually used.
Classic logic error...
So I shouldn't report?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 4:51 pm

So I shouldn't report?
Excuse the translator..... Probably the idioms in Italian do not translate them as one would expect...

I meant that of course you have to report them, but in this case I think it's a spelling omission/error...
¯\_( ͡° ͜ʖ ͡°)_/¯
 
User avatar
clambert
Member Candidate
Member Candidate
Posts: 161
Joined: Wed Jun 12, 2019 5:04 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 4:58 pm

*) mpls - improved MPLS TCP performance;
What can this mean?
It works better now :)
My question is because I can't understand the relationship between the transport protocol TCP and MPLS. As far as I understand, MPLS is agnostic of the protocol present in the transport layer.
 
leonardogyn
just joined
Posts: 18
Joined: Wed Dec 04, 2019 4:47 pm

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 5:21 pm

I think in general, it has to be considered to have persistent settable viewing options in webfig. There are none, so first that has to be implemented.
.
That makes sense ... so let's consider it :) That's really a must. Cookies are our friends :)
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 5:36 pm

*) console - improved timeout for certain commands and menus;
Thanks — timeout= in /terminal/inkey now works again!
{
  :put "$[/terminal style escape]Press any key to exit loop"; 
  :local keypress 0xFFFF;
  while (keypress=0xFFFF) do={ 
      :put "$[/terminal style none]$[:rndstr]" 
      /terminal cuu    
      :set keypress [/terminal inkey timeout=1s]
  }
}
 
wispmikrotik
Member Candidate
Member Candidate
Posts: 144
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 5:53 pm


What's new in 7.11beta2 (2023-Jun-21 14:39):

*) netwatch - added "src-address" property;

Thanks!!!!!! Finally, no more mangle rules for doing this.
 
cyayon
Frequent Visitor
Frequent Visitor
Posts: 76
Joined: Wed Aug 24, 2022 9:39 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 6:43 pm

lot of fixes in this release, hope to have a better QA than previous release...
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 6:54 pm

jut to let you know...my wifi speed on AX3 is one of the worst ever
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 7:05 pm

Good one here too... This subtle one makes MQTT a lot more potentially useful...
*) mqtt - added new MQTT subscribe feature;
...but it be nice to attach a script to the MQTT subscribe, like on-message={:do{}} – otherwise it going take polling the /iot/mqtt/subscriptions/recv to use it.

And perhaps the abbreviated "recv" in the CLI might be clear if it was just "messages" or "received"
Last edited by Amm0 on Thu Jun 22, 2023 7:14 pm, edited 1 time in total.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 7:12 pm


What's new in 7.11beta2 (2023-Jun-21 14:39):

*) netwatch - added "src-address" property;

Thanks!!!!!! Finally, no more mangle rules for doing this.
¨
what is this good for?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 7:21 pm

It is useful when you have more than one outgoing link and want to monitor if the links are up.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 7:24 pm

so you do ping to outgoing link?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 7:24 pm

Or you have multiple IPs on LANs and you want not use the IP with less walue, but the specific one....
 
volkirik
Member Candidate
Member Candidate
Posts: 212
Joined: Sat Jul 23, 2016 2:03 pm

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 7:33 pm

there is newer alpha (development) release (with build time of 16:17:11) on mikrotik website..

you may need to check it out before reporting issues

https://box.mikrotik.com/d/c1ce5f170ea1467db0d2/
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 7:45 pm

yes, but it is alpha, alpha should be older than beta....and there is no changelog so it is woth to try it?
 
ToTheCLI
Frequent Visitor
Frequent Visitor
Posts: 95
Joined: Mon Jan 04, 2016 3:54 am

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 8:03 pm

*) pppoe - fixed PPPoE client trying to establish connection when parent interface is inactive;

So when parent interface is inactive what happens, does it not try to initialize connection?
 
dragoalato1988
just joined
Posts: 7
Joined: Sun Aug 29, 2010 2:06 pm

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 8:24 pm

Hi all, what is the correct way to have pppoe simple queues dynamically created as children of a Parent queue, and update the target list on connection and disconnection?

I was thinking about address lists or interface lists, but it seems the target ignores all of these.

Thank you
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 3135
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 8:45 pm

Hi all, what is the correct way to have pppoe simple queues dynamically created as children of a Parent queue, and update the target list on connection and disconnection?

I was thinking about address lists or interface lists, but it seems the target ignores all of these.

Thank you
please open a separate topic

this topic is only for v7.11 beta related discussion
 
volkirik
Member Candidate
Member Candidate
Posts: 212
Joined: Sat Jul 23, 2016 2:03 pm

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 9:43 pm

yes, but it is alpha, alpha should be older than beta....and there is no changelog so it is woth to try it?
unfortunately, there is no changelog. but please re-read my post, build time is newer (later) than beta2. so it should be fixing beta2 bug.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Thu Jun 22, 2023 10:18 pm

jut to let you know...my wifi speed on AX3 is one of the worst ever
Worst ever, I wouldn't say. Still low 600 here.
But it looks to be noticeably slower, yes.

Might have to do some more tests with other versions tomorrow to know for sure for myself.
 
User avatar
Seán
just joined
Posts: 16
Joined: Mon Jun 22, 2020 12:24 pm
Location: Ireland
Contact:

Re: v7.11beta [testing] is released!

Fri Jun 23, 2023 2:46 am

Thanks — timeout= in /terminal/inkey now works again!
I can confirm it's working for me also, I can finally use the inkey command in my scripts that otherwise would get stuck waiting for a keypress. I think it was broken since RouterOS v7.3.
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 914
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v7.11beta [testing] is released!

Fri Jun 23, 2023 8:48 am

there is newer alpha (development) release (with build time of 16:17:11) on mikrotik website..

you may need to check it out before reporting issues

Not really: viewtopic.php?t=197277#p1009205

This version includes the changes that were present in 7.11alpha127 that was shared on the forum. While some users have reported improvements with this version, the issue is not fully resolved. We are still working on it.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Fri Jun 23, 2023 9:11 am

Don't waste time on alpha unless explicitly instructed to do so by MT staff.
For me the latest version now is this beta.

Running for almost 11h now on AX3 and A2, so far no more strange log entries seen related to wifi disconnect/disassociated.
Some disconnects yes, but that's me moving around in the house with my phone in my pocket :-)
 
hagoyi
newbie
Posts: 33
Joined: Wed May 17, 2023 8:36 pm

Re: v7.11beta [testing] is released!

Fri Jun 23, 2023 9:38 am

7.11beta2 IKEv2 client does not connect to 7.10 IKEv2 server! Revert to 7.10
Here is ipsec client log:
 08:22:53 ipsec ike2 starting for: 777.777.777.777
 08:22:53 ipsec adding payload: SA
 08:22:53 ipsec,debug => (size 0x30)
 08:22:53 ipsec,debug 00000010 00000021 01010001 01000001 01000001 10010100 01000001 01000001
 08:22:53 ipsec,debug 01000001 03000001 00000001 01000011
 08:22:53 ipsec adding payload: KE
 08:22:53 ipsec,debug => (size 0x90)
 08:22:53 ipsec,debug 00012320 00151230 000123f1 da6f8cfc c8bdec53 d71232b5 a471238f 98e123a2
 08:22:53 ipsec,debug 71dc1233 8212362d 035d1232 488e4e37 c912323d 37123b0c 31765626 9ce1230b
 08:22:53 ipsec,debug 0be12344 ba123ab1 4123f93a 0000003b 4f123b45 830e9279 8a3123fc a4122012
 08:22:53 ipsec,debug 13a12372 2b1233ea a123aff7 07f4b4e1 46121588 64b371e3 6e123204 80d1a07a
 08:22:53 ipsec,debug d2112321 016e1233 4d12315f b3ce21b7
 08:22:53 ipsec adding payload: NONCE
 08:22:53 ipsec,debug => (size 0x1c)
 08:22:53 ipsec,debug 0000001c ec271232 c4f12316 a13123f3 ee1233ba 6913232c c5e1262c
 08:22:53 ipsec adding notify: NAT_DETECTION_SOURCE_IP
 08:22:53 ipsec,debug => (size 0x1c)
 08:22:53 ipsec,debug 0000001c 00012304 451123ef 789123d2 ed12347f 1701234e 8d123049
 08:22:53 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
 08:22:53 ipsec,debug => (size 0x1c)
 08:22:53 ipsec,debug 0000001c 00001235 e2b123d3 c4712af5 fda1232e 2123215dc 43123b4d
 08:22:53 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
 08:22:53 ipsec,debug => (size 0x8)
 08:22:53 ipsec,debug 00000008 0000402e
 08:22:53 ipsec <- ike2 request, exchange: SA_INIT:0 777.777.777.777[4500] a6be46361893bb01:0000000000000000
 08:22:53 ipsec,debug ===== sending 312 bytes from 192.168.100.2[4500] to 777.777.777.777[4500]
 08:22:53 ipsec,debug 1 times of 316 bytes message will be sent to 777.777.777.777[4500]
 08:23:02 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 777.777.777.777[4500] a6be46361893bb01:0000000000000000
 08:23:02 ipsec,debug ===== sending 312 bytes from 192.168.100.2[4500] to 777.777.777.777[4500]
 08:23:02 ipsec,debug 1 times of 316 bytes message will be sent to 777.777.777.777[4500]
 08:23:07 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 777.777.777.777[4500] a6be46361893bb01:0000000000000000
 08:23:07 ipsec,debug ===== sending 312 bytes from 192.168.100.2[4500] to 777.777.777.777[4500]
 08:23:07 ipsec,debug 1 times of 316 bytes message will be sent to 777.777.777.777[4500]
 08:23:12 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 777.777.777.777[4500] a6be46361893bb01:0000000000000000
 08:23:12 ipsec,debug ===== sending 312 bytes from 192.168.100.2[4500] to 777.777.777.777[4500]
 08:23:12 ipsec,debug 1 times of 316 bytes message will be sent to 777.777.777.777[4500]
 08:23:17 ipsec ike2 init timeout request, exchange: SA_INIT:0 777.777.777.777[4500] a6be46361893bb01:0000000000000000
 08:23:17 ipsec IPsec-SA expired: ESP/Tunnel 192.168.100.2[500]->777.777.777.777[500] 
 08:23:17 ipsec acquire for policy: 10.10.1.0/24 <=> 10.10.0.0/24
 08:23:17 ipsec policy group mismatch, ignoring.
 
 
gdanov
Member Candidate
Member Candidate
Posts: 161
Joined: Thu Jan 17, 2019 1:10 pm

Re: v7.11beta [testing] is released!

Fri Jun 23, 2023 10:41 am

*) wireguard - fixed peer connection using DNS name on IP change;
Any details? What case should it fix?
yes — any chance to ever get a changelog that's actually informative? especially given this is test release, so users need to understand what's the expected or corrected behavior?

or I guess we should be thankful for any handouts, as usual, and not make too much noise.
 
stich86
just joined
Posts: 8
Joined: Mon Oct 31, 2022 8:44 pm

Re: v7.11beta [testing] is released!

Fri Jun 23, 2023 10:47 am

this doesn't work:

*) lte - added "at-chat" support for Dell DW5821e-eSIM modem;

each AT commands still report "Modem not supported". Any way to add also telemetry using MBIN on these modules?
I've already opened a support case SUP-119507
 
troffasky
Member
Member
Posts: 436
Joined: Wed Mar 26, 2014 4:37 pm

Re: v7.11beta [testing] is released!

Fri Jun 23, 2023 4:12 pm

*) w60g - improved stability for Cube 60Pro ac and CubeSA 60Pro ac devices;
The 7.11alpha I was given by support did not fix this one for me.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Fri Jun 23, 2023 5:01 pm

*) w60g - improved stability for Cube 60Pro ac and CubeSA 60Pro ac devices;
The 7.11alpha I was given by support did not fix this one for me.
did not fix what?
 
troffasky
Member
Member
Posts: 436
Joined: Wed Mar 26, 2014 4:37 pm

Re: v7.11beta [testing] is released!

Fri Jun 23, 2023 6:06 pm

Reboots on the AP, ie, did not improve stability.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Fri Jun 23, 2023 8:44 pm

Worst ever, I wouldn't say. Still low 600 here.
But it looks to be noticeably slower, yes.

Might have to do some more tests with other versions tomorrow to know for sure for myself.
Did additional testing, consistently low 800 now using TP-Link AX USB device.
Same with 7.8 and 7.10.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Fri Jun 23, 2023 9:38 pm

Tested today on ax2,3, cap ax, no problems with wifi.

@holvoetn what are you using for testing speed ?
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Fri Jun 23, 2023 10:51 pm

I use openspeedtest locally on on my NAS server but you can install it on raspberry also.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Sat Jun 24, 2023 12:14 am

Iperf in container on rb5009.
 
User avatar
nichky
Forum Guru
Forum Guru
Posts: 1389
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7.11beta [testing] is released!

Sat Jun 24, 2023 7:12 am

OVPN works much better!!
 
deanMK
newbie
Posts: 33
Joined: Sat Apr 12, 2014 2:46 pm
Location: Macedonia

Re: v7.11beta [testing] is released!

Sat Jun 24, 2023 10:36 am

I cant make any difference into wifi stability. No link downtime for last 24 hours. Works stable for me. hAP AX3.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Sat Jun 24, 2023 12:11 pm

For the first time I have on log that WiFi device roamed from WiFi 5ghz to 2Ghz and the opposite. It seems that WiFi roaming is finally working
 
massinia
Member Candidate
Member Candidate
Posts: 184
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.11beta [testing] is released!

Sat Jun 24, 2023 1:55 pm

It seems that WiFi roaming is finally working
It worked before as well, it wasn't just reported in the log 🙄
 
User avatar
jimmer
just joined
Posts: 19
Joined: Wed Mar 06, 2019 10:06 am
Location: Tasmania, Australia

Re: v7.11beta [testing] is released!

Sat Jun 24, 2023 2:55 pm

I can confirm I no longer have the OpenVPN UDP connection issues I had with 7.10, just upgraded from 7.9.2 to 7.11beta2 on my RB3011-iUAS-RM and all OVPN tunnels came up clean and stayed up.
 
deanMK
newbie
Posts: 33
Joined: Sat Apr 12, 2014 2:46 pm
Location: Macedonia

Re: v7.11beta [testing] is released!

Sat Jun 24, 2023 4:04 pm

Wifi performance still poor in this build too.. Constantly buffering on smartphones. But think that MKT devs are in good way to push first "stable" build.
 
ak4020
newbie
Posts: 32
Joined: Mon Mar 23, 2020 11:35 am

Re: v7.11beta [testing] is released!

Sat Jun 24, 2023 4:52 pm

hopefully also have been fixed the kernel problems that are present since 7.10 in the ccr ( we have 6 devices with the same probleme since 7.10 )
router was rebooted without proper shutdown, probably kernel failure
kernel failure in previous boot
 
massinia
Member Candidate
Member Candidate
Posts: 184
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.11beta [testing] is released!

Sat Jun 24, 2023 7:33 pm

Wifi performance still poor in this build too.. Constantly buffering on smartphones. But think that MKT devs are in good way to push first "stable" build.
For me the wifi performance is excellent, with hap ax3 I exceed with speedtest 790 Mbps
No buffering problem with smartphones
 
Joe1vm
newbie
Posts: 28
Joined: Sat Apr 06, 2013 4:07 pm

Re: v7.11beta [testing] is released!

Sat Jun 24, 2023 9:31 pm

Hello. Hap ax2 working as CAP powered via POE repeatedly connects and disconnects from LAN/CAPSMAN (port flapping?)- interval 10-60s.
Downgraded to 7.10, no issue since, stable as before.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 9:12 am

Hi, is here anyone who had situation wit this beta? Anyone could not join WiFi on this beta? My AX3 is ok at the moment but sometimes it takes me few days to get this error.
Thank you
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 9:13 am

Is only out since Thursday.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 9:20 am

No problem for now, everything is working like it should, at least for me.

I tried iperf3 test, im geting 450-620 Mbps on ax2, i tested with ubiquiti u6 lite and im getting 378-470Mbps max.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 10:10 am

Good to know that ax from Mikrotik can beat simple ax from ubiquity
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 10:25 am

Yea, but i can't get 800 Mbps that @holvoetn mention.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 10:27 am

What device do you use to test ?
My laptop with Intel wifi card can't get it either. It can't do wifi6.
But using usb tplink ax adapter, it does.

And again, can not stress it enough, do make sure the used channel is clear for your usage.

3 parts when testing.
Device A
Device B
Medium in between
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 1:47 pm

Intel AX200, AP is ax2 and server is on container on ax3, channel is clear.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 1:49 pm

When you test, what's the CPU usage on AX3 or AX2 ?
If one of the cores is at 100%, that's your bottleneck.

EDIT: just checked when doing iperf from PC wired to AX3, 2.5Gb trunk to RB5009-container. CPU is around 49% on RB5009, below 20% on AX3, results (as expected) around 950-960Mbps.
Towards RB5009.
Which is way more powerful then AX3.
So I am going to guess you have a bottleneck on AX3 when running that container.
Last edited by holvoetn on Sun Jun 25, 2023 2:18 pm, edited 5 times in total.
 
ToTheFull
Member
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 2:06 pm

Pick the bones out of this hAP ax2 5500Ceee
Speedtest from rpi4 through router to pc (primitve but hey!)
Singlethread
iperf3 -c 192.168.0.135

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 719 MBytes 603 Mbits/sec 271 sender
[ 5] 0.00-10.00 sec 717 MBytes 601 Mbits/sec receiver


iperf3 -c 192.168.0.135 -R
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.00 sec 418 MBytes 351 Mbits/sec sender
[ 5] 0.00-10.00 sec 416 MBytes 349 Mbits/sec receiver



Multithread
iperf3 -c 192.168.0.135 -P 10 -b 1000M
[SUM] 0.00-10.00 sec 961 MBytes 806 Mbits/sec 81 sender
[SUM] 0.00-10.01 sec 946 MBytes 793 Mbits/sec receiver


iperf3 -c 192.168.0.135 -P 10 -b 1000M -R
[SUM] 0.00-10.01 sec 710 MBytes 595 Mbits/sec sender
[SUM] 0.00-10.00 sec 707 MBytes 593 Mbits/sec receiver

WiFi hAP ax2 CLI to PC btest.exe running server


tool/speed-test address=192.168.0.135
status: udp download
time-remaining: 19s
ping-min-avg-max: 1.78ms / 2.64ms / 5.14ms
jitter-min-avg-max: 3us / 409us / 2.81ms
loss: 0% (0/200)
tcp-download: 739Mbps local-cpu-load:66%
tcp-upload: 916Mbps local-cpu-load:41% remote-cpu-load:1%

Ethernet/usb test pi to pc

forward singlethread also primitive usb setup/adapter

[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.00 sec 1.07 GBytes 916 Mbits/sec sender
[ 5] 0.00-10.00 sec 1.06 GBytes 912 Mbits/sec receiver

reverse singlethread
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.00 sec 1.07 GBytes 916 Mbits/sec sender
[ 5] 0.00-10.00 sec 1.06 GBytes 912 Mbits/sec receiver

Edit: Forgive me I mixed up the last two tests, here they are in full
-----------------------------------------------------------
Server listening on 5201 (test #7)
-----------------------------------------------------------
Accepted connection from 192.168.0.8, port 45268
[ 5] local 192.168.0.135 port 5201 connected to 192.168.0.8 port 45270
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 111 MBytes 931 Mbits/sec
[ 5] 1.00-2.00 sec 112 MBytes 941 Mbits/sec
[ 5] 2.00-3.00 sec 111 MBytes 933 Mbits/sec
[ 5] 3.00-4.00 sec 107 MBytes 899 Mbits/sec
[ 5] 4.00-5.00 sec 112 MBytes 941 Mbits/sec
[ 5] 5.00-6.00 sec 108 MBytes 909 Mbits/sec
[ 5] 6.00-7.00 sec 109 MBytes 913 Mbits/sec
[ 5] 7.00-8.00 sec 111 MBytes 933 Mbits/sec
[ 5] 8.00-9.00 sec 106 MBytes 890 Mbits/sec
[ 5] 9.00-10.00 sec 103 MBytes 866 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.00 sec 1.07 GBytes 916 Mbits/sec sender
-----------------------------------------------------------
Server listening on 5201 (test #8)
-----------------------------------------------------------
Accepted connection from 192.168.0.8, port 45272
[ 5] local 192.168.0.135 port 5201 connected to 192.168.0.8 port 45274
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 112 MBytes 939 Mbits/sec
[ 5] 1.00-2.00 sec 111 MBytes 928 Mbits/sec
[ 5] 2.00-3.00 sec 112 MBytes 940 Mbits/sec
[ 5] 3.00-4.00 sec 112 MBytes 939 Mbits/sec
[ 5] 4.00-5.00 sec 112 MBytes 941 Mbits/sec
[ 5] 5.00-6.00 sec 112 MBytes 941 Mbits/sec
[ 5] 6.00-7.00 sec 112 MBytes 941 Mbits/sec
[ 5] 7.00-8.00 sec 112 MBytes 940 Mbits/sec
[ 5] 8.00-9.00 sec 112 MBytes 939 Mbits/sec
[ 5] 9.00-10.00 sec 112 MBytes 940 Mbits/sec
[ 5] 10.00-10.00 sec 325 KBytes 874 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.00 sec 1.09 GBytes 939 Mbits/sec receiver

 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 7:23 pm

When you test, what's the CPU usage on AX3 or AX2 ?
If one of the cores is at 100%, that's your bottleneck.

EDIT: just checked when doing iperf from PC wired to AX3, 2.5Gb trunk to RB5009-container. CPU is around 49% on RB5009, below 20% on AX3, results (as expected) around 950-960Mbps.
Towards RB5009.
Which is way more powerful then AX3.
So I am going to guess you have a bottleneck on AX3 when running that container.
On ax2 I get max CPU usage on core 1, 51%, on ax3 same core, 33%
 
ToTheFull
Member
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 8:24 pm

Push it harder.. 20 streams
iperf3 -c -P 20 -t 50
About 50% all cores ax2 for me
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 8:32 pm

I use at least -P 5, usually -P 10.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 9:04 pm

I tried with -P 5 and -P 10, same results, on wired connection i get 948 Mbps no problem. Maybe its just intel wifi card because with ubiquiti AP i get slower speeds
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 9:07 pm

When your computer is connected via wifi, what does it show as data rate in wifi settings ? If not 1200/1200, you will never get 800mbps.
Does it show wifi6 ?
 
ToTheFull
Member
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 9:17 pm

CMD prompt
netsh wlan show interface
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 9:34 pm

Name                   : Wi-Fi 2
    Description            : Intel(R) Wi-Fi 6 AX200 160MHz
    GUID                   :
    Physical address       : 
    Interface type         : Primary
    State                  : connected
    SSID                   : Mikrotik
    BSSID                  : 
    Network type           : Infrastructure
    Radio type             : 802.11ax
    Authentication         : WPA3-Personal  (H2E)
    Cipher                 : CCMP
    Connection mode        : Auto Connect
    Band                   : 5 GHz
    Channel                : 144
    Receive rate (Mbps)    : 1201
    Transmit rate (Mbps)   : 1201
    Signal                 : 93%
    Profile                : Mikrotik
 
ToTheFull
Member
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 9:42 pm

I had reduced speed at channel 144 you know this already.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 9:44 pm

This is on auto settings, i will try to change it manually to 5500 MHz (ch100)
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 9:54 pm

Never use auto.
You don't know what it will take then.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Sun Jun 25, 2023 10:16 pm

I set 5500, better results, peak 715, avg 552 after 10 sec. If i run for longer i get same, about 459 Mbps
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Mon Jun 26, 2023 8:50 am

Hi,

I have many SA Query timeout on this beta with new DELL notebook WiFi AX. I downgraded to 7.10 and SA Query timeout is gone but on this version I had WiFi issue too with not able to join WiFi after a while. This is nightmare I will have to downgrade to 7.8 :///////
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Mon Jun 26, 2023 10:34 am

How often do you get SA Query timeout ?
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Mon Jun 26, 2023 10:46 am

Every minute, but I'm on 7.10 now. There is no SA query timeout with the same device.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Mon Jun 26, 2023 11:24 am

Try 7.11beta2, i don't have any problem for now
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Mon Jun 26, 2023 11:47 am

can you read? all of those issues happend on 7.11beta2.....
 
Guntis
MikroTik Support
MikroTik Support
Posts: 203
Joined: Fri Jul 20, 2018 1:40 pm

Re: v7.11beta [testing] is released!

Mon Jun 26, 2023 12:51 pm

SA Query Timeout on its own is not an issue, unless it is truly excessive.
In short - this means that the client left the router range, AP sent an information request in order to check, if the client is still present and did not receive an answer. Thus - the client has left the range. Completely normal debug log message - this is not an error or warning. Just an informational message.
In greater detail:
SA Query Timeout is a normal part of wireless behavior. It is a security feature.
SA Query is triggered in the following scenario:
1) On AP there is a valid security association for the station
2) AP receives an Association request from an already associated station
3) AP responds with Association request rejected - "Association Comeback interval" Status Code:30. - this is done in order for AP to understand if the association request came from an attacker, or if it came from a station that got out of range, and was not able to disassociate beforehand.
4) AP sends SA Query Request to the station. Using original encryption that was used with the client beforehand. If the client sends SA Query Response, it will mean that the initial association request came from Attacker.
5) If the Client doesn't give SA Query response, it means that the real client got disconnected, or rather was out of range, and didn't disassociate from AP properly, and restarted association to AP - no attacker is present in this case. And at this point, you will see SA Query Timeout in the log.

That's just to say that if you notice some timeouts, it's not necessarily an issue, but if they are constant, especially for a client that was not moved out of range, then a deeper investigation should be done. In such cases, where it's constant or seems excessive, please create a support ticket, with supout.rif file made after the issue appears, along information about the wireless client and it's the wireless network card that had this issue.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Mon Jun 26, 2023 12:56 pm

can you read? all of those issues happend on 7.11beta2.....
Sorry, I didn't read carefully.
 
massinia
Member Candidate
Member Candidate
Posts: 184
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.11beta [testing] is released!

Mon Jun 26, 2023 8:52 pm

hAP ax3: wireless crashed after only 3 days, nobody can't login... wrong password.
After months of tests for me it is starting to become unnerving, I need a stable product and I think I will evaluate other brands.
It's a real shame because the wireless performance is excellent.
New supout.rif file attached to SUP-116928
 
solaoxo
Member Candidate
Member Candidate
Posts: 101
Joined: Sun Oct 20, 2013 8:38 pm

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 6:06 am

When policy routing is not used and the ip assigned by dns is not local dns, it can be redirected to local dns normally. After policy routing is used, dns cannot be directed to the local.
This is normal in the ros 6 version, and the 7 version has not been fixed yet.
 
sudanking
just joined
Posts: 14
Joined: Tue Mar 17, 2020 4:20 pm

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 6:41 am

hAP ax3: wifi still not fixed... Very disappointed.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 7:53 am

what problem with wifi?
 
naxus
just joined
Posts: 2
Joined: Tue Jan 12, 2021 2:33 pm

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 1:30 pm

I have noticed that roaming mostly works fine when using WPA2 only (using capsman so roaming between APs) and doesn't work properly on devices that prefer WPA3 when using WPA2/3 mixed. However sometimes the roaming fails with SA query timeout even on WPA2 only mode. New supout attached to SUP-116463
 
User avatar
msilcher
just joined
Posts: 7
Joined: Mon Mar 09, 2009 9:39 pm
Location: Argentina

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 3:21 pm

IKE2 is broken since 7.10, can't get site to site working properly. Created SUP-117869 two months ago but issue still persists.
 
wispmikrotik
Member Candidate
Member Candidate
Posts: 144
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 4:02 pm

IKE2 is broken since 7.10, can't get site to site working properly. Created SUP-117869 two months ago but issue still persists.
Hi,

What happens to him? What is your setup?

Regards,
 
User avatar
msilcher
just joined
Posts: 7
Joined: Mon Mar 09, 2009 9:39 pm
Location: Argentina

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 4:09 pm

IKE2 is broken since 7.10, can't get site to site working properly. Created SUP-117869 two months ago but issue still persists.
Hi,

What happens to him? What is your setup?

Regards,
I'm using Mikrotik spokes to a Cisco hub and phase2 rekey is not working, tunnel breaks and starts again. Support sent me to test some 7.11 alpha releases which won't even establish the tunnel in the first place (I get INVALID_SYNTAX responses from hub). I'm using more than one policy per spoke.
On 7.9 it worked pretty well...
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 4:12 pm

I have noticed that roaming mostly works fine when using WPA2 only (using capsman so roaming between APs) and doesn't work properly on devices that prefer WPA3 when using WPA2/3 mixed. However sometimes the roaming fails with SA query timeout even on WPA2 only mode. New supout attached to SUP-116463
As a comment to MT problems ... upgraded Ruckus Unleashed network to WPA3 firmware and enabled WPA2+WPA3 and then some computers started to have problems with connections. Switched back to WPA2 only solved problems. I think that poor WiFi cards drivers could be a problem.
 
wispmikrotik
Member Candidate
Member Candidate
Posts: 144
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 4:13 pm

Hi,

So we're in the same problem, it seems (SUP-120165).

I am experiencing disconnections every 30 minutes, which matches the "Lifetime" of phase 2 (proposal) even though I have "PFS Pool" set to none.

In previous versions I did not notice this behavior.
IPsec-SA expired before completion of key change.

Regards,
 
User avatar
msilcher
just joined
Posts: 7
Joined: Mon Mar 09, 2009 9:39 pm
Location: Argentina

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 4:18 pm

Hi,

So we're in the same problem, it seems (SUP-120165).

I am experiencing disconnections every 30 minutes, which matches the "Lifetime" of phase 2 (proposal) even though I have "PFS Pool" set to none.

In previous versions I did not notice this behavior.
IPsec-SA expired before completion of key change.
Regards,
Yes, it looks like we are in the same boat. Are you also using Cisco on one end or is it MKT to MKT for you?

I'm not using PFS because it never worked well between Cisco and Mikrotik. My phase 2 timer is 4 hours, I see new SAs created after the soft timer expires but old SAs don't get deleted and eventually break the tunnel.
 
wispmikrotik
Member Candidate
Member Candidate
Posts: 144
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 4:26 pm

In this case, it's against a VPN provider (surfshark in this case), which I don't know will use on your side.
 
solaoxo
Member Candidate
Member Candidate
Posts: 101
Joined: Sun Oct 20, 2013 8:38 pm

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 7:33 pm

QQ截图20230628002957.png
In PPP, it is possible to call scripts separately for going online and going offline. Why doesn’t the dhcp client distinguish between going online and going offline? Many scripts are specified to be used when going online or when going offline.
You do not have the required permissions to view the files attached to this post.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: v7.11beta [testing] is released!

Tue Jun 27, 2023 7:42 pm

@solaoxo dhcp client is not one pppoe-client that have on-up and on-down, but have more status
:if ($bound = 1) do={ } else={ }

It's not a bad idea to read the manual...
https://wiki.mikrotik.com/wiki/Manual:I ... pt_example
 
buset1974
Frequent Visitor
Frequent Visitor
Posts: 86
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v7.11beta [testing] is released!

Wed Jun 28, 2023 5:24 am

/routing/route/print where received-from=bgp1
or
/routing/route/print where received-from bgp1

did not works, wait for hours and no prefix has displayed

thx
 
massinia
Member Candidate
Member Candidate
Posts: 184
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.11beta [testing] is released!

Wed Jun 28, 2023 11:16 am

hAP ax3: wireless crashed after only 3 days, nobody can't login... wrong password.
After months of tests for me it is starting to become unnerving, I need a stable product and I think I will evaluate other brands.
It's a real shame because the wireless performance is excellent.
New supout.rif file attached to SUP-116928
It crashed again after 2 days and no devices can connect: bad password error.
Incredible how unstable the wireless is in this 7.11beta2 ...
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Wed Jun 28, 2023 11:41 am

it is not only in 7.11beta2....this happend to me on 7.9 and even on 7.10 so the last stable is 7.8
 
massinia
Member Candidate
Member Candidate
Posts: 184
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.11beta [testing] is released!

Wed Jun 28, 2023 12:10 pm

Mine hAP ax3 with 7.9 crashed after about 20 days but with 7.11beta2 it's almost unusable, it crashes too often.
I will downgrade, I am very disappointed because I thought it was much more stable...
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Wed Jun 28, 2023 1:37 pm

/routing/route/print where received-from=bgp1
or
/routing/route/print where received-from bgp1

did not works, wait for hours and no prefix has displayed

thx
That is correct. You need to use "belongs-to".
received-from is a field from RouterOS v6 that is no longer supported in any 7.x version, it would be better if it were removed from the list.
(or it should be fixed so it works again)
 
peich1
just joined
Posts: 13
Joined: Mon Dec 11, 2017 9:43 am

Re: v7.11beta [testing] is released!

Wed Jun 28, 2023 4:38 pm

Anyone can confirm if the CPU and rebooting problems with OVPN since 7.8 have been fixed?

The line "properly close OVPN session on the server when client gets disconnected" in the log seems to be related about this problem.
 
deanMK
newbie
Posts: 33
Joined: Sat Apr 12, 2014 2:46 pm
Location: Macedonia

Re: v7.11beta [testing] is released!

Wed Jun 28, 2023 10:40 pm

Randomly causing internet downtime or very slow speeds and after some time back to previous state. I cant even load video into 1080p with my hAP AX3. Wired connection !
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Wed Jun 28, 2023 11:28 pm

Apart from 7.9, both ax2 and ax3 have been pretty solid for me, some occasional hiccup on wifi on 7.10. Never reboot. Never wired problems.

Couldn't accept it otherwise with at least 2 days a week working from home.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Thu Jun 29, 2023 7:15 am

Maybe your hardware is faulty ? I mean, my devices are rock solid now and i never had problems with wired connections to router...
 
User avatar
mantouboji
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Mon Aug 01, 2022 2:21 pm
Location: Shanghai

Re: v7.11beta [testing] is released!

Thu Jun 29, 2023 8:54 am

*) wireguard - fixed peer connection using DNS name on IP change;
Any details? What case should it fix?
Is it true?

I use wireguard to connect AX2 and RB4011 in two ISPs , RB4011 use dynamic domain name to as a HUB, wait AX2 connect.

Once RB4011 reboot, change to a new IP, and update domain name (xxx.dyndns.info ), the ax2 resolv the new domain name correctly, but wireguard peer still attemp to connect old IP, so must reboot AX2 to resolv it.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v7.11beta [testing] is released!

Thu Jun 29, 2023 10:41 am

That's WG behaviour by design, and people solve that problem with scripts: viewtopic.php?t=166214

So, your explanation brings even more questions: when does router decide that it needs to resolve the name again? With scripts, I control that; with unknown automagic - hmmm...
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Thu Jun 29, 2023 10:47 am

Is keep-alive being used on peer side (I suppose AX2, then) ?
Already tried to just wait until the DNS resolution has had its time (it can take a while ...) ?

But the script-workaround is the most certain, that's true. I still use it myself.
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.11beta [testing] is released!

Thu Jun 29, 2023 12:20 pm

) wireguard - fixed peer connection using DNS name on IP change
I removed all scripts and this finally fixes WG and it works properly with dynamic hosts on ip change
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v7.11beta [testing] is released!

Thu Jun 29, 2023 1:47 pm

@mantouboji for a client the IP address does not to be renewed until TTL expires.

So what is the TTL of your DNS registration?

WG will renew the resolve on restart of the WG peer. You can't check every so many seconds if the DNS changes brcause of Round Robin when having multiple IP addresses. Then MT could have built-in a option that enables to say it is using a dynamic DNS that only will return one IP address.

Automating that, ckeck DNS and accept different IP when connection is lost. User needs to activate that procedure.
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.11beta [testing] is released!

Thu Jun 29, 2023 2:26 pm

@mantouboji for a client the IP address does not to be renewed until TTL expires.

So what is the TTL of your DNS registration?

WG will renew the resolve on restart of the WG peer. You can't check every so many seconds if the DNS changes brcause of Round Robin when having multiple IP addresses. Then MT could have built-in a option that enables to say it is using a dynamic DNS that only will return one IP address.

Automating that, ckeck DNS and accept different IP when connection is lost. User needs to activate that procedure.
TTL doesn't matter, i have hosts with 15 sec TTL and after ip changes WG never connects back even after several days unless you re-toogle it, which also requires scripts or netwatch for monitoring.

Anyway i repeat, Mikrotiks fix works and issue is solved!
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v7.11beta [testing] is released!

Thu Jun 29, 2023 3:26 pm

@mantouboji for a client the IP address does not to be renewed until TTL expires.

So what is the TTL of your DNS registration?

WG will renew the resolve on restart of the WG peer. You can't check every so many seconds if the DNS changes brcause of Round Robin when having multiple IP addresses. Then MT could have built-in a option that enables to say it is using a dynamic DNS that only will return one IP address.

Automating that, ckeck DNS and accept different IP when connection is lost. User needs to activate that procedure.
TTL doesn't matter, i have hosts with 15 sec TTL and after ip changes WG never connects back even after several days unless you re-toogle it, which also requires scripts or netwatch for monitoring.

Anyway i repeat, Mikrotiks fix works and issue is solved!

Once RB4011 reboot, change to a new IP, and update domain name (xxx.dyndns.info ), the ax2 resolv the new domain name correctly, but wireguard peer still attemp to connect old IP, so must reboot AX2 to resolv it.
 
User avatar
Paternot
Forum Guru
Forum Guru
Posts: 1056
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v7.11beta [testing] is released!

Thu Jun 29, 2023 4:47 pm

That's WG behaviour by design, and people solve that problem with scripts: viewtopic.php?t=166214
True. But there is another WG behaviour, by design, that should solve this with the use of keep alive:

One host should update the other address if it got a message signed with the correct key. So, with keep alive on, in theory we should only need DNS to establish the initian connection. After this one host will (should) update the other address if it changes. And this is by design.

https://www.wireguard.com/#built-in-roaming
 
massinia
Member Candidate
Member Candidate
Posts: 184
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.11beta [testing] is released!

Thu Jun 29, 2023 5:10 pm

Edited
Last edited by massinia on Wed Jul 05, 2023 12:36 am, edited 1 time in total.
 
buset1974
Frequent Visitor
Frequent Visitor
Posts: 86
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v7.11beta [testing] is released!

Fri Jun 30, 2023 5:55 am

/routing/route/print where received-from=bgp1
or
/routing/route/print where received-from bgp1

did not works, wait for hours and no prefix has displayed

thx
That is correct. You need to use "belongs-to".
received-from is a field from RouterOS v6 that is no longer supported in any 7.x version, it would be better if it were removed from the list.
(or it should be fixed so it works again)
Hi peichl, i tried /routing/route/print where belongs-to did not works either.
can u capture yours for example, maybe i did wrong

thx
 
EgidijusL
just joined
Posts: 12
Joined: Fri Feb 07, 2020 1:25 am

Re: v7.11beta [testing] is released!

Fri Jun 30, 2023 10:11 am

... and no one knows why...😭
I'm fine so far
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Fri Jun 30, 2023 11:25 am

Hi peichl, i tried /routing/route/print where belongs-to did not works either.
can u capture yours for example, maybe i did wrong
Parameter of "belongs-to" is like "bgp-IP-1.2.3.4" when your BGP peer has address 1.2.3.4
Probably for other routing protocols it will be similar.
It can also be "static" or "connected".
 
User avatar
CTassisF
newbie
Posts: 36
Joined: Thu Jun 11, 2020 10:26 pm
Location: São Paulo, Brazil
Contact:

Re: v7.11beta [testing] is released!

Fri Jun 30, 2023 4:36 pm

My hAP ax3 with 10 WifiWave2 interfaces (open, owe, wpa2, wpa3) is quite stable in 7.11beta2.

[cesar@hAP-ax3] > /system/resource/print 
                   uptime: 1w1d32m18s
                  version: 7.11beta2 (development)
               build-time: Jun/21/2023 11:39:58
         factory-software: 7.5
              free-memory: 591.3MiB
             total-memory: 928.0MiB
                      cpu: ARM64
                cpu-count: 4
            cpu-frequency: 864MHz
                 cpu-load: 1%
           free-hdd-space: 93.7MiB
          total-hdd-space: 128.5MiB
  write-sect-since-reboot: 96088
         write-sect-total: 487465
               bad-blocks: 0%
        architecture-name: arm64
               board-name: hAP ax^3
                 platform: MikroTik
 
eryan
just joined
Posts: 3
Joined: Thu Oct 05, 2017 4:41 pm

Re: v7.11beta [testing] is released!

Sat Jul 01, 2023 10:55 am

cAP AX with 7.11beta2

The WiFi issue described in the thread and earlier posts in the forum seems to reproduce still. All WiFi clients (WPA2+WPA3 PSK enabled) sporadically drop about once a day and are unable to reconnect. Rebooting the router fixes the issue for some time.
 
massinia
Member Candidate
Member Candidate
Posts: 184
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.11beta [testing] is released!

Sat Jul 01, 2023 11:14 am

@eryan I'm trying everything, using only WPA2 seems to improve a bit but then after a few days it comes back.
In these conditions the ax series products are not stable, I suggest you plan a daily reboot...
 
manojlovicl
Frequent Visitor
Frequent Visitor
Posts: 55
Joined: Mon Aug 18, 2014 11:48 pm

Re: v7.11beta [testing] is released!

Sat Jul 01, 2023 11:31 am

OVPN works much better!!
I can confirm it too... Waiting so long for this fix! Thank you MikroTik!

Luka
 
buset1974
Frequent Visitor
Frequent Visitor
Posts: 86
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v7.11beta [testing] is released!

Sat Jul 01, 2023 4:19 pm

Hi peichl, i tried /routing/route/print where belongs-to did not works either.
can u capture yours for example, maybe i did wrong
Parameter of "belongs-to" is like "bgp-IP-1.2.3.4" when your BGP peer has address 1.2.3.4
Probably for other routing protocols it will be similar.
It can also be "static" or "connected".
Still having problem with receive- from and belong-to, i have to use /ip/route/print where gateway=xxxxx

Thx
 
massinia
Member Candidate
Member Candidate
Posts: 184
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.11beta [testing] is released!

Sat Jul 01, 2023 6:01 pm

hAP ax2 as cAP, disconnects start after two days...
# 2023-07-01 16:54:22 by RouterOS 7.11beta2
# software id = R6XF-XXXX
#
 06-23 04:57:39 system,info installed system-7.11beta2
 06-23 04:57:39 system,info installed wifiwave2-7.11beta2
 06-23 04:57:40 system,info router rebooted
 06-23 04:57:46 system,error,critical error while running customized default configuration script: no such item
 06-23 04:57:46 system,error,critical 
 06-23 04:57:49 interface,info ether2 link up (speed 1G, full duplex)
 06-23 04:57:49 dhcp,info dhcp-client on bridge got IP address 192.168.10.2
 06-23 04:57:57 caps,info selected CAPsMAN MikroTik@48:A9:8A:0E:18:EB%*8
 06-23 04:57:57 caps,info connected to MikroTik@48:A9:8A:0E:18:EB%*8
 06-23 04:58:38 system,critical,info cloud change time Jun/23/2023 04:58:09 => Jun/23/2023 04:58:38
 06-23 06:59:15 caps,info disconnected from MikroTik@48:A9:8A:0E:18:EB%*8, failed to connect
 06-23 07:00:01 caps,info selected CAPsMAN MikroTik@48:A9:8A:0E:18:EB%*8
 06-23 07:00:01 caps,info connected to MikroTik@48:A9:8A:0E:18:EB%*8
 06-24 10:06:12 radvd,warning received Router Solicitation packet with invalid code=6
 06-24 10:06:16 radvd,warning received Router Solicitation packet with invalid code=6
 06-25 09:27:40 radvd,warning received Router Solicitation packet with invalid code=6
 06-25 09:27:44 radvd,warning received Router Solicitation packet with invalid code=6
 06-26 20:00:49 caps,info disconnected from MikroTik@48:A9:8A:0E:18:EB%*8, failed to connect
 06-26 20:01:33 caps,info selected CAPsMAN MikroTik@48:A9:8A:0E:18:EB%*8
 06-26 20:01:34 caps,info connected to MikroTik@48:A9:8A:0E:18:EB%*8
 06-26 20:03:57 system,info,account user admin logged in from 192.168.10.26 via winbox
 06-26 20:04:10 system,info,account user admin logged out from 192.168.10.26 via winbox
 06-27 18:55:23 radvd,warning received Router Solicitation packet with invalid code=6
 06-28 18:49:34 radvd,warning received Router Solicitation packet with invalid code=6
 06-29 09:00:34 radvd,warning received Router Solicitation packet with invalid code=6
 06-29 09:00:38 radvd,warning received Router Solicitation packet with invalid code=6
 06-30 18:59:39 radvd,warning received Router Solicitation packet with invalid code=6
 06-30 18:59:43 radvd,warning received Router Solicitation packet with invalid code=6
 14:30:52 caps,info disconnected from MikroTik@48:A9:8A:0E:18:EB%*8, failed to connect
 14:30:56 caps,info selected CAPsMAN MikroTik@48:A9:8A:0E:18:EB%*8
 14:30:56 caps,info connected to MikroTik@48:A9:8A:0E:18:EB%*8
 14:55:26 caps,info disconnected from MikroTik@48:A9:8A:0E:18:EB%*8, failed to connectå
 14:55:30 caps,info selected CAPsMAN MikroTik@48:A9:8A:0E:18:EB%*8
 14:55:30 caps,info connected to MikroTik@48:A9:8A:0E:18:EB%*8
 15:00:20 caps,info disconnected from MikroTik@48:A9:8A:0E:18:EB%*8, failed to connect
 15:00:25 caps,info selected CAPsMAN MikroTik@48:A9:8A:0E:18:EB%*8
 15:00:25 caps,info connected to MikroTik@48:A9:8A:0E:18:EB%*8
 15:25:25 caps,info disconnected from MikroTik@48:A9:8A:0E:18:EB%*8, failed to connect
 15:25:29 caps,info selected CAPsMAN MikroTik@48:A9:8A:0E:18:EB%*8
 15:25:29 caps,info connected to MikroTik@48:A9:8A:0E:18:EB%*8
 16:52:44 system,info,account user admin logged in from 192.168.10.20 via winbox
 16:54:09 system,info,account user admin logged in from 192.168.10.20 via local
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Sat Jul 01, 2023 6:14 pm

Best to create supout and send it to support.

PS That 4th line in your log file seems to indicate there is something wrong with default config ?
 
massinia
Member Candidate
Member Candidate
Posts: 184
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.11beta [testing] is released!

Sat Jul 01, 2023 10:21 pm

Thanks for your reply holvoetn.
I don't know... it's an error that often happens also in the hap ax3, many users have also reported it.
 
User avatar
Plugpulled
just joined
Posts: 10
Joined: Sat Feb 29, 2020 2:34 pm

Re: v7.11beta [testing] is released!

Sun Jul 02, 2023 8:44 pm

Still having Wifi issues with hAP AX3. Downgrading back to 7.8. sigh
 
EgidijusL
just joined
Posts: 12
Joined: Fri Feb 07, 2020 1:25 am

Re: v7.11beta [testing] is released!

Mon Jul 03, 2023 1:38 pm

@Plugpulled
At least report errors to support, or just talk on the forum?
 
User avatar
Plugpulled
just joined
Posts: 10
Joined: Sat Feb 29, 2020 2:34 pm

Re: v7.11beta [testing] is released!

Mon Jul 03, 2023 9:17 pm

@Plugpulled
At least report errors to support, or just talk on the forum?
There are no errors present in the logs. Ever since 7.9 there are numerous reports about Wifi stability on Wifiwave2 devices. Since this is a testing/beta version i had to report.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Tue Jul 04, 2023 8:01 pm

AC3 LTE with fixed wan and lte
PCC setup 50/50
Wireguard to home and ipsec ike2 towards Azure.
Mangle and routing rules to direct VPN traffic to fixed wan itf.

Every time I enable LTE, ipsec connection goes dead.
Nothing in log.
Disable lte and kill peer connections, nice ipsec again.

Downgrade to 7.10, no problems anymore.

Couldn't grab supout, it is a customer setup and I had to get it fixed.
My mistake for getting 7.11b2 on that device 🙄
 
User avatar
doneware
Trainer
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: v7.11beta [testing] is released!

Tue Jul 04, 2023 11:57 pm

MQTT subscriber is great, thanks a lot, i've been waiting for years for this feature. but an "on-message" event-handler would be also necessary here.

how about enabling MQTT publisher as logging target?
[admin@wifi-out] /system/logging/action> add target=
disk     echo     email     memory     remote   mqtt
[admin@wifi-out] /system/logging/action> add target=mqtt broker=mybroker1 topic="logs/wifi-out/$topic"


where $topic would be automatically mapped to the logging topic, e.g. "system, info"
 
EdPa
MikroTik Support
MikroTik Support
Topic Author
Posts: 340
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga
Contact:

Re: v7.11beta [testing] is released!

Thu Jul 06, 2023 10:50 am

What's new in 7.11beta4 (2023-Jul-05 13:33):

*) bluetooth - added "decode-ad" command for decoding raw Bluetooth payloads (CLI only);
*) bluetooth - added "Peripheral devices" section which displays decoded Eddystone TLM and UID, iBeacon and MikroTik Bluetooth payloads;
*) bridge - added warning when VLAN interface list contains ports that are not bridged;
*) bridge - prevent bridging the VLAN interface created on the same bridge;
*) console - fixed incorrect default value of ":return" command (introduced in v7.11beta2);
*) console - improved stability and responsiveness;
*) container - fixed duplicate image name;
*) dns - improved system stability when processing static DNS entries with specified address-list;
*) ipsec - improved IKE2 rekey process;
*) ipsec - properly check ph2 approval validity when using IKE1 exchange mode;
*) l3hw - changed minimal supported values for "neigh-discovery-interval" and "neigh-keepalive-interval" properties;
*) l3hw - fixed /32 and /128 route offloading after nexthop change;
*) l3hw - fixed incorrect source MAC usage for offloaded bonding interface;
*) l3hw - improved system responsiveness during partial offloading;
*) l3hw - improved system stability;
*) leds - blink red system-led when LTE is not connected to the network on D53 devices;
*) leds - fixed system-led color for "GSM EGPRS" RAT on D53 devices;
*) lte - fixed Dell DW5221E "at-chat" support;
*) lte - only listen to DHCP packets for LTE passtrough interface in auto mode when looking for the host;
*) package - treat disabled packages as enabled during upgrade;
*) profile - added "container" process classifier;
*) profile - properly classify "console" related processes;
*) quickset - correctly apply configuration when using "DHCP Server Range" property;
*) rose-storage - added "scsi-scan" command (CLI only);
*) route - added comment for BFD configuration (CLI only);
*) route - convert BFD timers from milliseconds to microseconds after upgrade;
*) sfp - improved optical QSFP interface handling for 98DX8332, 98DX3257, 98DX4310, 98DX8525 switches;
*) wifiwave2 - fixed "reg-info" information for several countries;
*) wifiwave2 - fixed interface hangs on IPQ6010-based boards (introduced in v7.9);
*) wifiwave2 - rename "reg-info" country argument from "Macedonia" to "North Macedonia";
*) winbox - fixed "Storm Rate" property under "Switch/Port" menu;
*) winbox - fixed BGP affinity display;
*) wireless - ignore EAPOL Logoff frames;
*) x86 - updated e1000 driver;
 
epkulse
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Sat Oct 27, 2012 12:57 am

Re: v7.11beta [testing] is released!

Thu Jul 06, 2023 11:04 am

Does Beta4 contain the fix for AX-devices as in 7.11 alpha 179? I believe the Alpha resolves the "key handshake timeout" issue...
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Thu Jul 06, 2023 11:16 am

Yes. The relevant line in the changelog is the one about fixed interface hangs.
 
epkulse
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Sat Oct 27, 2012 12:57 am

Re: v7.11beta [testing] is released!

Thu Jul 06, 2023 11:17 am

Thanks! I will upgrade.
 
User avatar
mantouboji
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Mon Aug 01, 2022 2:21 pm
Location: Shanghai

Re: v7.11beta [testing] is released!

Thu Jul 06, 2023 11:55 am

7.11beta4 ssh private key still broken , what are you doing ?
 
aivarsm
just joined
Posts: 4
Joined: Thu Dec 14, 2017 7:08 pm

Re: v7.11beta [testing] is released!

Thu Jul 06, 2023 4:03 pm

something wrong with PWR. after added bridge vlan filtering:
interface/bridge/set bridge-local-lan ingress-filtering=yes frame-types=admit-only-vlan-tagged vlan-filtering=yes pvid=1
interface pwr-line1 flapping up/down every 10-15sec

v7.8 it not working too
 
killersoft
Member Candidate
Member Candidate
Posts: 263
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: v7.11beta [testing] is released!

Thu Jul 06, 2023 4:28 pm

LoRa device EUI cannot be set !
 
kcarhc
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Thu Feb 01, 2018 9:54 am

Re: v7.11beta [testing] is released!

Thu Jul 06, 2023 9:46 pm

kernel failure in previous boot
please check SUP-121322
[RouterOS 7.11beta4]kernel failure in previous boot
You do not have the required permissions to view the files attached to this post.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Thu Jul 06, 2023 9:49 pm

Hi, I'm running few hours beta4 on AX3 all good it's too soon to say how good is the fix. But thank you
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Thu Jul 06, 2023 9:49 pm

kernel failure in previous boot
please check SUP-121322
[RouterOS 7.11beta4]kernel failure in previous boot
Could you at least write your device?
 
deanMK
newbie
Posts: 33
Joined: Sat Apr 12, 2014 2:46 pm
Location: Macedonia

Re: v7.11beta [testing] is released!

Thu Jul 06, 2023 11:11 pm

*) wifiwave2 - fixed interface hangs on IPQ6010-based boards (introduced in v7.9);

What meen this bug fix? What interface hangs?
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Thu Jul 06, 2023 11:40 pm

*) wifiwave2 - fixed interface hangs on IPQ6010-based boards (introduced in v7.9);

What meen this bug fix? What interface hangs?
I have the same questions. Could you please Mikrotik team provide more info?
 
User avatar
bajodel
Long time Member
Long time Member
Posts: 552
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v7.11beta [testing] is released!

Fri Jul 07, 2023 2:21 am

wifiwave2 <- wifi interfaces ..maybe ? ;-)

Read above in the thread and on the 7.10 one (viewtopic.php?t=197095)
Many users reported that wifi stops working after some time.
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Fri Jul 07, 2023 9:06 am

What meen this bug fix? What interface hangs?
Starting with RouterOS 7.9, IPQ-6010 wifi interfaces would malfunction under certain conditions.
The malfunctions would cause client device disconnections and subsequent key handshake timeouts until the AP is rebooted.
This fix prevents the malfunction from occurring.
 
User avatar
marsbeetle
newbie
Posts: 48
Joined: Sun Feb 19, 2023 9:57 am

Re: v7.11beta [testing] is released!

Fri Jul 07, 2023 9:54 am

The malfunctions would cause client device disconnections and subsequent key handshake timeouts until the AP is rebooted.
This fix prevents the malfunction from occurring.
That's great news, finally! ...and well done for finding and fixing this difficult problem. Just this morning I woke up to find all my IoT devices disconnected from wifi and unable to connect again until I rebooted.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Fri Jul 07, 2023 11:22 am

I want to express my concern over the amount of disk space on ARM devices with 16MB of flash, like the hAP ac2 (but there are many others).
In a plain install with the hAP ac2 only operating in bridge mode as a WiFi access point, with this version I have only 1MB space remaining. And it decreases with every version (obviously due to the added features).
I think the use of optional packages for features that a typical home user does not need (and that do not introduce cross-dependencies) should be re-considered...
 
JardinEspanol
newbie
Posts: 38
Joined: Sun Dec 22, 2019 6:16 pm
Location: California

Re: v7.11beta [testing] is released!

Fri Jul 07, 2023 9:08 pm

Should modem be DW5821e in change list line:
lte - fixed Dell DW5221E "at-chat" support;
 
massinia
Member Candidate
Member Candidate
Posts: 184
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.11beta [testing] is released!

Fri Jul 07, 2023 10:57 pm

I want to express my concern over the amount of disk space on ARM devices with 16MB of flash, like the hAP ac2 (but there are many others).
In a plain install with the hAP ac2 only operating in bridge mode as a WiFi access point, with this version I have only 1MB space remaining. And it decreases with every version (obviously due to the added features).
I think the use of optional packages for features that a typical home user does not need (and that do not introduce cross-dependencies) should be re-considered...
You are absolutely right!
1 MB remaining without additional packages anyway seems little to me...
Never done netinstall, I was also able to use together the ZeroTier and Containers packages
Image
 
buset1974
Frequent Visitor
Frequent Visitor
Posts: 86
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v7.11beta [testing] is released!

Sun Jul 09, 2023 6:21 am

What's new in 7.11beta4 (2023-Jul-05 13:33):

*) bluetooth - added "decode-ad" command for decoding raw Bluetooth payloads (CLI only);
*) bluetooth - added "Peripheral devices" section which displays decoded Eddystone TLM and UID, iBeacon and MikroTik Bluetooth payloads;
*) bridge - added warning when VLAN interface list contains ports that are not bridged;
*) bridge - prevent bridging the VLAN interface created on the same bridge;
*) console - fixed incorrect default value of ":return" command (introduced in v7.11beta2);
*) console - improved stability and responsiveness;
*) container - fixed duplicate image name;
*) dns - improved system stability when processing static DNS entries with specified address-list;
*) ipsec - improved IKE2 rekey process;
*) ipsec - properly check ph2 approval validity when using IKE1 exchange mode;
*) l3hw - changed minimal supported values for "neigh-discovery-interval" and "neigh-keepalive-interval" properties;
*) l3hw - fixed /32 and /128 route offloading after nexthop change;
*) l3hw - fixed incorrect source MAC usage for offloaded bonding interface;
*) l3hw - improved system responsiveness during partial offloading;
*) l3hw - improved system stability;
*) leds - blink red system-led when LTE is not connected to the network on D53 devices;
*) leds - fixed system-led color for "GSM EGPRS" RAT on D53 devices;
*) lte - fixed Dell DW5221E "at-chat" support;
*) lte - only listen to DHCP packets for LTE passtrough interface in auto mode when looking for the host;
*) package - treat disabled packages as enabled during upgrade;
*) profile - added "container" process classifier;
*) profile - properly classify "console" related processes;
*) quickset - correctly apply configuration when using "DHCP Server Range" property;
*) rose-storage - added "scsi-scan" command (CLI only);
*) route - added comment for BFD configuration (CLI only);
*) route - convert BFD timers from milliseconds to microseconds after upgrade;
*) sfp - improved optical QSFP interface handling for 98DX8332, 98DX3257, 98DX4310, 98DX8525 switches;
*) wifiwave2 - fixed "reg-info" information for several countries;
*) wifiwave2 - fixed interface hangs on IPQ6010-based boards (introduced in v7.9);
*) wifiwave2 - rename "reg-info" country argument from "Macedonia" to "North Macedonia";
*) winbox - fixed "Storm Rate" property under "Switch/Port" menu;
*) winbox - fixed BGP affinity display;
*) wireless - ignore EAPOL Logoff frames;
*) x86 - updated e1000 driver;
/routing/route/print where received-from or /routing/route/print where belongs-to broken, please fix it.

in cisco we have this command sh ip bgp nei xxxxxx routes

thx


thx
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Sun Jul 09, 2023 12:21 pm

/routing/route/print where received-from or /routing/route/print where belongs-to broken, please fix it.
print where received-from is broken, but print where belongs-to works fine. you are likely using it wrong.
 
bbs2web
Member Candidate
Member Candidate
Posts: 234
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: v7.11beta [testing] is released!

Sun Jul 09, 2023 4:46 pm

Is the following already a known problem or should I try engaging with support@mikrotik.com?


The following is architecture related, essentially trying to pre-answer 'why' questions:

RB5009UG+S+ is configured as central router with an IP in each VLAN, managing DHCP and layer3 filtering between VLANs (eg guests can't access rfc1918). This router also runs CAPSMAN WiFiwave2 to manage 3 SSIDs on both 2.4 and 5 GHz bands which then manages 3 x hAP ax3 devices.

SSIDs are:
Home
WPA2/3-PSK IPv4 natted subnet with client isolation. Guests get assigned Google recursive DNS resolvers via DHCP, are filtered by layer 3 firewall rules and restricted from talking to other clients wirelessly (still need to confirm if this also isolates guest traffic ingressing the wired LAN uplink from another AP).

Office
WPA3-EAP IPv4 + IPv6 routed subnet without isolation. This subnet also receives proxied mDNS announcements from resources in the guest network (eg printers or displays) where unicast stream allowances are then exempt from the guest layer 3 filtering. Authentication is EAP-TLS via AD CS managing certificates on domain joined assets, RADIUS server is PacketFence, which auths the machine in to a machine network VLAN and then re-auths as the logged in user after login, again using SSL certificates. Users providing their AD credentials (aka EAP-MSCHAPv2) will result in them landing in the guest VLAN, without bandwidth or time restrictions, this is a form of BYOD network for mobile devices that only interact with public IP destinations.

Guest
WPA3-PSK Enrolment portal managed by PacketFence validates guests using either SMS or email OTP confirmation. In the event of email validation the guest is granted 10 minutes access, to access the email and confirm receipt. Some corporate assets may however be preferred in the Office network, but lack the ability to manage SSL certificates necessary for EAP-TLS. PacketFence thwarts MAC address spoofing attacks by combining MAC based authentication with DHCP fingerprinting. The result is that one can flexibly manage the role and subsequent VLAN assignment by manually registering devices connecting to this PSK network.

PSK is vulnerable to PMKID weaknesses so we disable it together with fast transition for the 'Home' SSID's security settings. The 'Office' SSID allows PMKID and enables fast transition to allow for roaming between APs. The 'Guest' SSID again has PMKID disabled, as it's using PSK and we don't want the client roaming between APs using a cached state when PacketFence kicks the client to implement role assignment changes (eg client completes enrolment and is assigned the guest role).
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=yes disabled=no ft=no ft-over-ds=no management-protection=allowed name=Home wps=disable
add authentication-types=wpa3-eap disable-pmkid=no disabled=no ft=yes ft-over-ds=yes management-protection=required name=radius-eap wps=disable
add authentication-types=wpa3-psk disable-pmkid=yes disabled=no ft=no ft-over-ds=no management-protection=required name=radius-mac wps=disable
Right, so we essentially want to drop wireless clients in to RADIUS controlled VLANs. This all works perfectly, including wireless CoA (RADIUS Change of Authorization), when we were running the 3 x hAP ax3 routers without them being controlled by CAPSMAN. Roaming then however only works between radios on a given hAP ax3 so I read the documentation for CAPSMAN and reconfigured that portion. The enrolled hAP ax3 routers now exclusively have the following local configuration remaining:
/interface wifiwave2
# managed by CAPsMAN
# mode: AP, SSID: Home, channel: 5180/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: Home, channel: 2437/ax
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no
/interface wifiwave2 cap
set discovery-interfaces=vlan1 enabled=yes

Problem that we're experiencing:
Even though CAPSMAN WiFiwave2 manager has provisioning templates set as 'action=create-enabled' the wireless interfaces are dropped and re-created when loosing sight of CAPSMAN or applying any changes. The problem is essentially that we needed to include the WiFi interfaces in the bridge and then allow access to relevant VLANs. When this re-assignment happens the WiFi interface numbers are incremented and thereafter no longer match what's configured:
After reboot:
/interface bridge
add add-dhcp-option82=yes dhcp-snooping=yes name=bridge priority=0x7000 vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1 trusted=yes
add bridge=bridge interface=ether2 pvid=200
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4
add bridge=bridge interface=wifi5
add bridge=bridge interface=wifi6
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=1
add bridge=bridge tagged=bridge,ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=52
add bridge=bridge tagged=bridge,ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=53
add bridge=bridge tagged=bridge,ether1 untagged=ether2 vlan-ids=200
add bridge=bridge tagged=bridge,ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=666
add bridge=bridge tagged=bridge,ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=667
PS: Ports besides ether1 and ether2 are configured for 802.1X port based authentication with MAC address based authentication fallback. VLAN assignments via PacketFence for ethernet devices works perfectly, except that RADIUS CoA is frustratingly lacking.



Question:
Is it a known quirk, that wifi3-wifi6 CAPSMAN controlled slave interfaces disappear and then re-appear on enrolled APs with different reference names? This breaks forwarding for connecting clients, until we go and either restart or update invalid references.
Are there any simple work arounds available?
Has anyone written a script to restart an AP when bridge ports are in an invalid/inactive/missing state? Perhaps simply pruning and adjusting VLAN membership without the brute force would be better though...


Temporary but ugly work around is to restart the hAP ax3 if uptime is more than 10 minutes and wifi3 interface is not found being part of bridge:
/system scheduler
add interval=1m name="CAP - Restart due to missing 'wifi3'" on-event=":if ([/sys\
    tem resource get uptime] > 00:10:00) do={\r\
    \n  /interface bridge port  {\r\
    \n    :local varif [find interface=wifi3]\r\
    \n    :if ([:len \$varif] = 0) do={\r\
    \n      /sys reboot\r\
    \n    }\r\
    \n  }\r\
    \n}" policy=reboot,read start-date=1970-01-01 start-time=00:00:00
Last edited by bbs2web on Mon Jul 10, 2023 10:27 am, edited 1 time in total.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Mon Jul 10, 2023 9:22 am

Hi,

I have issue with speed detection of LAN on AX2.

Image

Once is detected speed 1G and once 100M with the same device.
 
FurfangosFrigyes
newbie
Posts: 47
Joined: Sun Feb 25, 2018 11:45 am

Re: v7.11beta [testing] is released!

Mon Jul 10, 2023 9:32 am

Hi,

I have issue with speed detection of LAN on AX2.

Image

Once is detected speed 1G and once 100M with the same device.
This most often happens because of a cable fault
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Mon Jul 10, 2023 9:34 am

I will try to change it but Im not on the location so I will report result in few weeks :/
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Mon Jul 10, 2023 9:46 am

Hi,

I have issue with speed detection of LAN on AX2.

Once is detected speed 1G and once 100M with the same device.
It goes from 1G to 100M to 1G and so forth ...
What device is attached to that port ?
I've seen that behavior in the past with a printer going in power-down mode (to be correct: it really got my attention when it happened during the day because my son had changed power settings on that device without telling me).
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Mon Jul 10, 2023 10:00 am

it is intel NUC, but nobody was changing anythink, it is PC for parents only. I hope it will be the cable. The cable is original it looks good but it is few/many years old.Before changing the cable I do not want to send supout.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Mon Jul 10, 2023 10:39 am

And how are power settings on that Intel NUC ? If it goes to eco-mode after some minutes, that's what you see then.
If that's the case, I wouldn't worry about it. Normal behavior and everything is working as designed.
 
Simonej
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Sun Aug 22, 2021 3:34 am

Re: v7.11beta [testing] is released!

Mon Jul 10, 2023 10:55 am

Once is detected speed 1G and once 100M with the same device.
Hi, I would not bother support for this if this happens when not using the device, I had the same behaviour on some PCs, it's ethernet going in low power mode, maybe check ErP setting in BIOS.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Mon Jul 10, 2023 12:13 pm

Yes, it is quite normal that a device that supports 1Gbps switches down to lower speed (100M or even 10M) when in power save mode.
I had the same issue with a mediabox, it even did a new DHCP request every time it came out of power save mode (also resulting in a log).
There is some setting for the level of power saving and when I decreased that a bit it was no longer happening.
 
kcarhc
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Thu Feb 01, 2018 9:54 am

Re: v7.11beta [testing] is released!

Mon Jul 10, 2023 12:15 pm

20230710.png
"This issuce occurs randomly, and the cause is unknown.
It has been confirmed to occur on RB450Gx4/RB4011/RB5009/CHR.
It is also not due to insufficient memory.

Downgrading to 7.9 resolves all issues, but upgrading to 7.11beta4, the problem occurs randomly.
The duration can be as short as one hour or as long as several hours.

This problem is not related to containers. Even after disabling and not starting containers,
the problem still occurs randomly."
20230710_Resources.png
You do not have the required permissions to view the files attached to this post.
 
bbs2web
Member Candidate
Member Candidate
Posts: 234
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: v7.11beta [testing] is released!

Mon Jul 10, 2023 1:28 pm

Enabling DHCP snooping on a RB5009, where I technically do not want any interface marked as a trusted bridge port as this router is the DHCP for the various subnets, results in DHCP being filtered and nothing obtaining an IP.

Configuration:
[admin@RB5009UG+S+] > int bridge export 
/interface bridge
add name=bridge dhcp-snooping=yes add-dhcp-option82=yes priority=0x6000 vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=sfp-sfpplus1
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether5 vlan-ids=1
add bridge=bridge tagged=bridge,ether2,ether5 vlan-ids=52
add bridge=bridge tagged=bridge,ether2,ether5 vlan-ids=53
add bridge=bridge tagged=bridge,ether5 vlan-ids=200
add bridge=bridge tagged=bridge,ether2,ether5 vlan-ids=666
add bridge=bridge tagged=bridge,ether2,ether5 vlan-ids=667

[admin@RB5009UG+S+] > /int vlan export 
/interface vlan
add comment="Management" interface=bridge name=vlan1 vlan-id=1
add comment="Guest WiFi:" interface=bridge name=vlan52 vlan-id=52
add comment="Guest - No IPv6:" interface=bridge name=vlan53 vlan-id=53
add comment=LTE interface=bridge name=vlan200 vlan-id=200
add comment="PacketFence - Registration:" interface=bridge name=vlan666 vlan-id=666
add comment="PacketFence - Isolation:" interface=bridge name=vlan667 vlan-id=667
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 8:30 am

Just to let you know... I have 7.11beta4 running for few days on AX3, 2x AX2 and AC3 no problems with WiFi, no disconection so it loooks good.
Last edited by Rox169 on Tue Jul 11, 2023 8:30 am, edited 1 time in total.
 
User avatar
MadEngineer
Member Candidate
Member Candidate
Posts: 141
Joined: Mon May 02, 2011 10:47 am
Location: New Zealand

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 8:30 am

In case anyone else goes looking for IPQ6010, see this page https://mikrotik.com/products/matrix and look for "IPQ-6010"
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 11:18 am

Is it a known quirk, that wifi3-wifi6 CAPSMAN controlled slave interfaces disappear and then re-appear on enrolled APs with different reference names?
Yes, the 'create-enabled' provisioning policy ensures that interface IDs stay static on the CAPsMAN, but not the cAP.
You can ensure wireless interfaces are always added as bridge ports on the cAP by specifying it in the wireless datapath settings, not in the bridge port configuration.
Unfortunately, this will not ensure that the interface is added to the appropriate bridge VLANs. We're working on enabling that.
In the meantime, I can suggest a less cumbersome workaround - Instead of having the schedhuled script reboot the cAP, you could have it reconfigure bridge VLANs.
# cAP WiFi bridge port configuration in datapath settings, not /bridge/port menu
/interface/wifiwave2/datapath add name=bridged bridge=bridge interface
/interface/wifiwave2 set [find] datapath=bridged
/interface/wifiwave2/cap cap set slaves-datapath=bridged
# schedhuled script to reconfigure bridge VLANs if any include unused interface IDs
/global taggedVLANIDs {52;53;666;667}
/global untaggedVLANIDs {1}
/global wifis [/int wifi find where bound]
/global wifiNames ""
:foreach wifi in=$wifis do={
    /global wifiName [/int wifi get $wifi name]
    /set wifiNames ($wifiNames . "," . $wifiName)
}
/global PortList ("ether1,bridge" . $wifiNames)
/global VLANsWithDefunctIDs [/int bridge vlan find where tagged~"\\*" or untagged~"\\*"]
:foreach defunctVLAN in=$VLANsWithDefunctIDs do={
    :foreach VLANID in=$taggedVLANIDs do={
        if ([/int/bridge/vlan get $defunctVLAN vlan-id]=$VLANID) do={
                /int/bridge/vlan set $defunctVLAN tagged=$PortList
        }
    }
    :foreach VLANID in=$untaggedVLANIDs do={
        if ([/int/bridge/vlan get $defunctVLAN vlan-id]=$VLANID) do={
                /int/bridge/vlan set $defunctVLAN untagged=$PortList
        }
    }
}
Finally, if RADIUS CoA worked with standalone APs, it should work with CAPsMAN as well.
Have you perhaps forgotten to set `/radius/incoming/set accept=yes` on CAPsMAN? If not, are you sure the CoA message is reaching CAPsMAN?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 4:22 pm

During an attempt to migrate the config from another router (as usual, a lot of work to cut/paste config sections) I mistakenly deleted the default BGP template. Winbox just deleted it without any warning.
Now the commandline to reconfigure the default (/routing bgp template set default disabled=no output.network=bgp-networks router-id=1.2.3.4) is rejected with "no such item", and when I try to add a new template instead winbox marks it as invalid (everything red), although in command mode no error is shown.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 4:34 pm

Temporarly you can solve with deleting all templates, reboot, and after that do this
/routing bgp template
add as=65530 disabled=no name=default routing-table=main
and add back the other templates, set the default template, then set the correct template for each "connection"...


I never use the default objects, I often just disable them (or ignore them if not disableable) and create the new ones I need.
 
cyayon
Frequent Visitor
Frequent Visitor
Posts: 76
Joined: Wed Aug 24, 2022 9:39 am

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 4:51 pm

Hi,

i do not understand this, someone could explain please ?

*) bridge - prevent bridging the VLAN interface created on the same bridge;
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 5:01 pm

I saw that too yesterday when toying with AX Lite, capsman and VLANs.
Not sure what this is supposed to prevent since the config I was trying, was correct (in my view).

Also noticed something else in IP/Cloud:
2 tabs with BTH VPN and BTH VPN WIreguard (BTH = Back To Home).
What are those supposed to be used for??
Can't see anything in the release notes for that.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 5:03 pm

Temporarly you can solve with deleting all templates, reboot, and after that do this
/routing bgp template
add as=65530 disabled=no name=default routing-table=main
and add back the other templates, set the default template, then set the correct template for each "connection"...
Well, as it is still a work in progress I have just done an export, edited the export a bit, then reset configuration with that export as initial script.
Fortunately that works OK on this router (CCR2004-16G-2S+).
I never use the default objects, I often just disable them (or ignore them if not disableable) and create the new ones I need.
I agree, but in this config that was not done. Probably I change to that.
There is another bug: the default as (as=65530) is not exported (as it is a default value) but it is a required parameter.
I noticed and reported that before, but it has not been fixed.

So to summarize:
- it should not be possible to delete default bgp template (as in other cases where defaults are shown)
- when exporting bgp configuration, as number should always be exported also when it is 65530.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 5:18 pm

- when exporting bgp configuration, as number should always be exported also when it is 65530.
I do not notice that before, but is a bug for sure.....
 
leonardogyn
just joined
Posts: 18
Joined: Wed Dec 04, 2019 4:47 pm

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 5:26 pm

And once again, i'll beg once more for Mikrotik Dev Team, PLEASE consider to 7.12 (or even 7.11 General Availability) the option of getting back the old comment style on the webfig. The FORCED inline-comments, for the webfig, is bad for lots of reasons already discussed and already completly ignored by you. Please give us the OPTION of choosing which one to use, just like Winbox does. That change basically ruined the use of comments larger than a few characters on the webfig, specially for those not using very wide monitors.

Please consider the OPTION to choose which one to use, please!
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 5:53 pm

Also noticed something else in IP/Cloud:
2 tabs with BTH VPN and BTH VPN WIreguard (BTH = Back To Home).
What are those supposed to be used for??
Can't see anything in the release notes for that.
Asked support about it, no response yet.

But toying with it, it might be something interesting.
Looks like they made some kind of wizard to enable "phone home" VPN service using wireguard, with private/public keys for interface and peer, QR code and the works.
But it looks like it still needs some further polishing :lol:
 
User avatar
fischerdouglas
Frequent Visitor
Frequent Visitor
Posts: 71
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 7:22 pm

Also noticed something else in IP/Cloud:
2 tabs with BTH VPN and BTH VPN WIreguard (BTH = Back To Home).
What are those supposed to be used for??
Can't see anything in the release notes for that.
Using 7.11beta4 here and did not see nothing like you mentioned.
I must confess that I'm a bit curious to see that.
mikrotik_7.11beta4_ip-cloud.jpg
You do not have the required permissions to view the files attached to this post.
 
User avatar
fischerdouglas
Frequent Visitor
Frequent Visitor
Posts: 71
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 7:32 pm

Using 7.11beta4 here and did not see nothing like you mentioned.
I must confess that I'm a bit curious to see that.
Maybe related to some packages like iot or tr069 ?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 7:43 pm

How odd ... it doesn't show in RB5009, AX2, mAP, MAP Lite, Hex, ...
But it does on AX3 and AX Lite ?

It seems to create a WG itf with own address range.

See screenshots.
IPcloud1.jpg
ipcloud2.jpg
ipcloud3.jpg

Print from terminal with QR code (but you need to zoom WAY OUT)

ipcloud4.jpg
And that QR code can be used to add new tunnel in WG client on smartphone (briefly tested the creation, did not test the tunnel since that AX3 is behind another router, so it will not work that way).
You do not have the required permissions to view the files attached to this post.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 8:34 pm

*) bridge - prevent bridging the VLAN interface created on the same bridge;

Just guessing, but this (erroneous) code snippet was accepted before:
/interface bridge
add name=test-bridge vlan-filtering=yes
/interface bridge vlan
add bridge=test-bridge tagged=test-bridge vlan-ids=111
/interface vlan
add name=test-vlan-111 interface=test-bridge vlan-id=111
/interface bridge port
add bridge=test-bridge interface=test-vlan-111 pvid=111

I hope that the above quoted change means that ROS will not accept the last command in the code above.
 
cyayon
Frequent Visitor
Frequent Visitor
Posts: 76
Joined: Wed Aug 24, 2022 9:39 am

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 9:05 pm

Thanks
 
kcarhc
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Thu Feb 01, 2018 9:54 am

Re: v7.11beta [testing] is released!

Tue Jul 11, 2023 9:35 pm

please check SUP-121758 dns-to-address-list match issue.

First and foremost, I would like to express my gratitude for the addition of the comment feature to dns-to-address-list in version 7.11.
It was through this feature that I discovered the underlying cause of irregular domain matching, including streaming domain names.

By adding the following code as the last rule in dns-static:
/ip dns static
add address-list=DNS_BYPASS comment=DNS_BYPASS forward-to=dns.isp regexp=
"[-a-zA-Z0-9][-a-zA-Z0-9][-a-zA-Z0-9][-a-zA-Z0-9]+\.[a-z][a-z]+" type=FWD
I realized that despite configuring rules in advance on RouterOS, traffic was still being directed to the DNS_BYPASS list.
This suggests that, to some extent, the preceding matching rules occasionally fail to take effect and do not result in a match.

I have actually discovered the following issue:
I had set nflxvideo.net to be directed to DNS_PROXY before DNS_BYPASS, but it still appeared in DNS_BYPASS.
This indicates that the record did not match any rules in DNS_PROXY.

The image below displays the rule lists for DNS_PROXY and DNS_BYPASS.
The video addressing the specific problem, along with additional details, has been uploaded to SUP-121758.

dns-to-address-list both DNS_PROXY and DNS_BYPASS
dns-to-address-regex_1.png
DNS_PROXY
dns-to-address-regex_2.png
DNS_BYPASS
dns-to-address-regex_3.png
You do not have the required permissions to view the files attached to this post.
 
bbs2web
Member Candidate
Member Candidate
Posts: 234
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 5:46 am

You can ensure wireless interfaces are always added as bridge ports on the cAP by specifying it in the wireless datapath settings, not in the bridge port configuration.
Many thanks for the script to dynamically fix the bridge VLAN assignments, that is a much better solution instead of restarting the managed CAPs. Also great to hear that multiple VLAN assignments per enrolled WiFi interface in datapath settings is on the roadmap.
Finally, if RADIUS CoA worked with standalone APs, it should work with CAPsMAN as well.
RADIUS CoA works perfectly for wireless but doesn't appear to be working for dot1x (ethernet) interfaces. This would most probably require a port to be temporarily disabled, so that the connected device re-initiates DHCP once placed in the different VLAN. This is in essence so that a guest devices connected to a hardwired port times out on EAP, falls back to MAC based authentication, is placed in the registration VLAN (if not known). Everything works as desired up to this point, when the user completes registration the CoA should most probably re-trigger 802.1X and flap the port on MAC authentication.

PS: Great work so far on RouterOS 7 and CAPsMAN, almost ready to start replacing Aruba/Cisco/Ubiquiti as the recommended reference architectures for a zero trust methodology at corporate or enterprise clients!
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 6:43 am

Also noticed something else in IP/Cloud:
2 tabs with BTH VPN and BTH VPN WIreguard (BTH = Back To Home).
---
How odd ... it doesn't show in RB5009, AX2, mAP, MAP Lite, Hex, ...
But it does on AX3 and AX Lite ?
Certainly a new move for Mikrotik, not just ARM, but specific ones. But works-as-advertised on an ax3 - you check the box to enable & creates a WG iface/subnet and NAT rule. Trying to use the QR took the most time ;). e.g. they use proportional font with # text for a QR in winbox (instead of graphic) & but in CLI...it has a [ANSI] graphic with /ip/cloud/print but renders halfway across the screen. And :put [/ip/cloud/get vpn-wireguard-client-config-qrcode] - doesn't seem to respect the newlines in the ASCII QR text, nor use ANSI graphic for QR in CLI like /ip/cloud/print.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 10:37 am

@kcarhc
[-a-zA-Z0-9][-a-zA-Z0-9][-a-zA-Z0-9][-a-zA-Z0-9]+\.[a-z][a-z]+
Use a valid RegEx for DNS:
viewtopic.php?p=876023#p876023
"^(([a-zA-Z0-9][a-zA-Z0-9-]{0,61}){0,1}[a-zA-Z]\.){1,9}[a-zA-Z][a-zA-Z0-9-]{0,28}[a-zA-Z]$"

Neither mine nor yours take into account when "_" is used only as first character on a label, to indicate more parameters than IPs like:
_acme.example.com
_domainkey.example.com
_autodiscover._tcp.example.com
because "The underscore has a special role. It's permitted for the first character in SRV records by RFC definition."
Last edited by rextended on Thu Jul 13, 2023 2:33 am, edited 1 time in total.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 11:43 am

Here is the first documentation about our new Back to Home VPN service: https://help.mikrotik.com/docs/display/ROS/Back+To+Home

ARM device needed. Provides easy VPN to your router, even if behind NAT. Android app is being published today, iPhone app coming this or next week.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 11:46 am

(briefly tested the creation, did not test the tunnel since that AX3 is behind another router, so it will not work that way).
actually it will, because if router is behind NAT, connection will be going through our relay service, securely
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 11:49 am

Back to Home VPN service
Nice feature!!!

It will solve the need of many with very little effort!!!
Thank you all.
Last edited by rextended on Wed Jul 12, 2023 11:53 am, edited 3 times in total.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 11:52 am

it is soo cool Normis, thaank you
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 11:54 am

Only during BETA period it is limited to 802.11ax devices with wifiwave2 package.
We will expand supported device list after 7.11 release
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 11:55 am

Logical, very good ;) Sorry if I made you confuse...

But at least I prevented the discontent and the usual question of the other users... :))
Last edited by rextended on Wed Jul 12, 2023 11:57 am, edited 2 times in total.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 11:56 am

Yes, we want to see load on our relay service. So people with AX devices, please test, and see what speeds you get
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 12:48 pm

Only during BETA period it is limited to 802.11ax devices with wifiwave2 package.
We will expand supported device list after 7.11 release
Actually not entirely ?
It doesn't show on AX2.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 12:50 pm

(briefly tested the creation, did not test the tunnel since that AX3 is behind another router, so it will not work that way).
actually it will, because if router is behind NAT, connection will be going through our relay service, securely
OK, Q: how does this relate to Zerotier then ??
Competing service, sort of ?
Just asking ...
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 1:00 pm

1) it should work on AX2, try the Android app.
2) no relation to zerotier. this is a wireguard tunnel
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 1:09 pm

1) it should work on AX2, try the Android app.
I'm not at home but from Winbox, the tabs are not visible on AX2. They do show on AX3 and AX Lite.

Screenshot from AX2 connected via VPN to home :D
You do not have the required permissions to view the files attached to this post.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 1:10 pm

Some winbox cache thing. Try to clear caches and make sure Winbox is up to date. Main config should be done via App when in the LAN, not remotely
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3343
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 1:14 pm

I do understand that you need ARM device, but what do AX and WifiWave2 Package have to do with VPN?
Wireless VPN :)
 
ToTheFull
Member
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 1:18 pm

Just for the Record i don't see them on either cAP ax or my hAP ax2 cleared the cache still no. anyway I don't have a phone to try either :(
Last edited by ToTheFull on Wed Jul 12, 2023 1:19 pm, edited 1 time in total.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 1:18 pm

limits the testing pool
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 1:18 pm

anyway I don't have a phone
:shock:
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 1:23 pm

Clarification, currently the early beta is enabled only for these models:

"L41G-2axD"
"L41G-2axD&FG621-EA"
"C52iG-5HaxD2HaxD-TC"
"C53UiG+5HPaxD2HPaxD"
"S53UG+5HaxD2HaxD-TC&FG621-EA"
"S53UG+5HaxD2HaxD-TC&EG18-EA"
"S53UG+M-5HaxD2HaxD-TC&RG502Q-EA"
"L009UiGS-2HaxD-IN";

7.11 stable will unlock it for all ARM64 and possibly more devices in future. This is a gradual rollout, to see what our relays are capable of.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 1:29 pm

Nice feature, app downloaded, will try with my ax3 today.

EDIT: This is for phones only ? Do you plan to release app for windows/macos/linux ?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 1:52 pm

The QR code works on wireguard client on Android.
Didn't test the connection but the tunnel was made with the keys as presented in Winbox.

Still unsure about Winbox cache etc since that same Winbox environment did show these tabs for AX Lite and AX3. So why not on AX2 ?
Will test more this evening when I'm home.
 
User avatar
antonsb
MikroTik Support
MikroTik Support
Posts: 411
Joined: Sun Jul 24, 2016 3:12 pm
Location: Riga, Latvia

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 1:53 pm

it works as regular wireguard client - PCs can use existing wireguard clients to connect.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 1:59 pm

confirmed that hAP ax2 not showing the menus is a bug
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 2:00 pm

Nice feature, app downloaded, will try with my ax3 today.

EDIT: This is for phones only ? Do you plan to release app for windows/macos/linux ?
app is just to make one click config and one click connection. But like Antons said, you can also use regular Wireguard app in any device. Just more config needed in that case. And the app not as pretty
 
User avatar
Kanzler
Member Candidate
Member Candidate
Posts: 135
Joined: Wed Oct 05, 2022 6:55 pm
Location: Ukraine

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 2:20 pm

Clarification, currently the early beta is enabled only for these models:
hAP ac3 please)))🙄🙄🙄🙏
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 2:24 pm

hAP ac3 please
And my "Audience"?

Why should they activate your own model and not what others have?
Otherwise it would no longer be a limited beta...
You wait like the others: don't break the eggs in the basket.
 
ToTheFull
Member
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 2:35 pm

Easy Now... I've never used a VPN/ set one up etc... yes I know, small world

I have tunnels running through my router that I have no control over, will the following process break anything ?

Install wireguard.... PC
1.Connect to router
2.Enable DDNS Cloud service: `/ip/cloud/set ddns-enabled=yes`
3.Enable Back To Home: `/ip/cloud/set back-to-home-vpn=enabled`

copy keys or whatever from here to wireguard app?
4.Print tunnel configuration: `/ip/cloud/print`
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 3:37 pm

The Back To Home process will activate wireguard on your router and setup a dedicated tunnel, make some IP pool, some firewall rules (? didn't check?), ....
It should not break anything else but since this is so new, I wouldn't do this on a device which you need to be operating for others.

At home or lab, with something completely under your own control, that's something else.
 
ToTheFull
Member
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 3:47 pm

The Back To Home process will activate wireguard on your router and setup a dedicated tunnel, make some IP pool, some firewall rules (? didn't check?), ....
It should not break anything else but since this is so new, I wouldn't do this on a device which you need to be operating for others.

At home or lab, with something completely under your own control, that's something else.
Thanks for for your wisdom, i'll try early in the morning. I just wanted to smash some data through to help.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 3:48 pm

It will make one firewall rule:
 0  D ;;; cloud vpn
      chain=input action=accept protocol=udp dst-port=xxxxx 
 
ToTheFull
Member
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 4:33 pm

It will make one firewall rule:
 0  D ;;; cloud vpn
      chain=input action=accept protocol=udp dst-port=xxxxx 
Thanks, it just can't be that simple for me can it. i give up.
/ip/cloud/set back-to-home-vpn=enabled
expected end of command (line 1 column 15)
All my services are dissabled apart from Winbox.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 4:37 pm

I quibbled about the QR mechanics... But BTH relay support does seem to work. Great work here!

On my ax3 test router, a direct WG connection would not otherwise be possible. I just check the boxes, and status showed as "running(relay4: reachable via relay, relay6: connecting)". And now see webfig actually has a viewable/usable QR code for the iOS WireGuard app.

I'll offer that speed isn't great (e.g. various admin web pages on the remote site load slow even). Since the icmp latency is ~400-500ms from iPhone in US via BTH proxy, that's likely why it's slow. ZT (which I disabled to test BTH) was getting around 100ms from same points. Guessing ZT's roots are closer than Latvia... Now if y'all added a btest to the iOS app, I could tell you how fast/slow it is ;)

But next question...does BTH VPN always use the relay? e.g. if direct internet connection to router is actually possible, will <sn>.vpn.mynetname.net DNS resolve to the public IP of router...or it always via the proxy in LV?
 
User avatar
sirbryan
Member
Member
Posts: 400
Joined: Fri May 29, 2020 6:40 pm
Location: Utah
Contact:

Re: v7.11beta [testing] is released!

Wed Jul 12, 2023 7:10 pm

@normis What are the chances that the relay server could be self-hosted, i.e. for service providers? For example, I have a lot of customers with hAP's behind CGNAT. If I could host a relay on a CHR or CCR2116, their app/device could be configured to use that relay, which then forwards their tunnels to their own router at home. This would provide the least amount of overhead and latency, and highest possible throughput, especially for road warriors.
 
kcarhc
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Thu Feb 01, 2018 9:54 am

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 2:07 am

@kcarhc
[-a-zA-Z0-9][-a-zA-Z0-9][-a-zA-Z0-9][-a-zA-Z0-9]+\.[a-z][a-z]+
Use a valid RegEx for DNS:
viewtopic.php?p=876023#p876023
"^(([a-zA-Z0-9][a-zA-Z0-9-]{0,61}){0,1}[a-zA-Z]\\.){1,9}[a-zA-Z][a-zA-Z0-9-]{0,28}[a-zA-Z]\$"

Neither mine nor yours take into account when "_" is used only as first character on a label, to indicate more parameters than IPs like:
_acme.example.com
_domainkey.example.com
_autodiscover._tcp.example.com
because "The underscore has a special role. It's permitted for the first character in SRV records by RFC definition."
RouterOS does not support regular expressions like {0,61}. At least that's what Support said last time.
I don't need to match domain names, so I don't need a regular expression for domains.
The goal is to match all domain names that were not matched by previous rules.
[-a-zA-Z0-9][-a-zA-Z0-9][-a-zA-Z0-9][-a-zA-Z0-9]+ As for this part, it requires 4 characters instead of 3.
RouterOS does not allow it. If you write 3 characters, it won't let you add it and will say it's an invalid regular expression.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 2:26 am

Thanks @kcarhc you are thanked on post on the link.

All domain not matched before?
just use one single dot, but match also invalid DNS requests.
for regexp on dns effectively work differently from scripts...
just replace {} with (near) equivalent commands
from "^(([a-zA-Z0-9][a-zA-Z0-9-]{0,61}){0,1}[a-zA-Z]\.){1,9}[a-zA-Z][a-zA-Z0-9-]{0,28}[a-zA-Z]$" to
^(([a-zA-Z0-9][a-zA-Z0-9-]*)?[a-zA-Z]\.)+[a-zA-Z][a-zA-Z0-9-]*[a-zA-Z]$
For "RFC definition" can be added one underscore before the first "a"
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 8:57 am

@normis What are the chances that the relay server could be self-hosted, i.e. for service providers? For example, I have a lot of customers with hAP's behind CGNAT. If I could host a relay on a CHR or CCR2116, their app/device could be configured to use that relay, which then forwards their tunnels to their own router at home. This would provide the least amount of overhead and latency, and highest possible throughput, especially for road warriors.
This new function is for convenience. A one click solution. If you need other things or self hosting, there is no more need for our service. Just set up your own Wireguard tunnels or use Zerotier which can achieve the same result.
 
ffries
Member Candidate
Member Candidate
Posts: 178
Joined: Wed Aug 25, 2021 6:07 pm

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 10:05 am

I cannot sure, but Wireguard seems to have problems on latest 7.11 beta4.
I am using wireguard between my house and summer house.
CCR2004 (house) <-> RB5009 (summer house) over wireguard

I am also using EoIP to fetch IP TV from my house which needs ipv4+ipv6.
So both devices have a small additional software bridge but this was never a problem before.

Primary bridge: hardware acceleration + wireguard
Secondary bridge : software bridge with EoIP for IP tv

Yesterday, under 7.11 beta4 I had very low output nearly 1 to 20 Mbit/s
I noticed it because I could not watch TV in my summer house.
Nothing special in logs, I rebooted several times without success.

Then I downgraded to RouterOS 7.10.2 and output was around 200 Mbits (x10 times faster) instantly.
I did some testing connecting remotely over wireguard using my laptop.
CC2004 <=> Laptop with wireguard

The issue was only with wireguard and downgrading to RouterOS 7.10.2 fixed everything.
Hope this helps.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 11:17 am

Can't say I see that problem ?
Home RB5009 using 7.11b4, daily copy job of +-8Gb via WG from work server to home laptop. I consistently see about 80-90 Mbps (limited by work 100/100 connection).

Not saying what you see is not correct, just saying it may not be a generic problem.

Can you upgrade again and when it happens, send supout.rif to support ?
Then they can investigate further to see what's happening.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 11:34 am

This new function is for convenience. A one click solution. If you need other things or self hosting, there is no more need for our service. Just set up your own Wireguard tunnels or use Zerotier which can achieve the same result.
Probably what he means is to re-use the easy one click QR code configuration. You could allow the setting of a domain name for an alternate service, describe the required service configuration (i.e. what you have running now), and then the QR codes would one-click-generate a tunnel via that alternate service.
The setting of the domain name could then be done as part of a branding package.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 1:47 pm

No, we plan to run our own relays. No self hosting.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 1:57 pm

I cannot sure, but Wireguard seems to have problems on latest 7.11 beta4.
I am using wireguard between my house and summer house.
CCR2004 (house) <-> RB5009 (summer house) over wireguard

I am also using EoIP to fetch IP TV from my house which needs ipv4+ipv6.
So both devices have a small additional software bridge but this was never a problem before.

Primary bridge: hardware acceleration + wireguard
Secondary bridge : software bridge with EoIP for IP tv

Yesterday, under 7.11 beta4 I had very low output nearly 1 to 20 Mbit/s
I noticed it because I could not watch TV in my summer house.
Nothing special in logs, I rebooted several times without success.

Then I downgraded to RouterOS 7.10.2 and output was around 200 Mbits (x10 times faster) instantly.
I did some testing connecting remotely over wireguard using my laptop.
CC2004 <=> Laptop with wireguard

The issue was only with wireguard and downgrading to RouterOS 7.10.2 fixed everything.
Hope this helps.
Can confirm that, ROS7.7 speeds were 71/70 Mbps (our office connection is 75/75, public IP) now with 7.11beta4 23/41 Mbps

Office router is hex S
 
lubomirs
just joined
Posts: 6
Joined: Tue Feb 05, 2019 4:07 pm

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 2:25 pm

VPN: "7.11 stable will unlock it for all ARM64 and possibly more devices in future."
So it won't be released for hap ac2 in the future either? hap ac2 = ARM 32 bits
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 2:36 pm

AX Lite isn't ARM64 either. It works there already.
Patience.
 
lubomirs
just joined
Posts: 6
Joined: Tue Feb 05, 2019 4:07 pm

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 2:44 pm

But I don't install wifiwave2 on hap ac2. . . only 128 RAM
Why should it depend on wifiwave2?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 2:56 pm

It shouldn't.
It's basis Wireguard so in theory available for all devices running ROS7.
I guess they started with the AX-line to include this feature (but they missed AX2 there which is confirmed as bug).
 
kcarhc
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Thu Feb 01, 2018 9:54 am

Re: v7.11beta [testing] is released!

Thu Jul 13, 2023 7:23 pm

Thanks @kcarhc you are thanked on post on the link.

All domain not matched before?
just use one single dot, but match also invalid DNS requests.
for regexp on dns effectively work differently from scripts...
just replace {} with (near) equivalent commands
from "^(([a-zA-Z0-9][a-zA-Z0-9-]{0,61}){0,1}[a-zA-Z]\.){1,9}[a-zA-Z][a-zA-Z0-9-]{0,28}[a-zA-Z]$" to
^(([a-zA-Z0-9][a-zA-Z0-9-]*)?[a-zA-Z]\.)+[a-zA-Z][a-zA-Z0-9-]*[a-zA-Z]$
For "RFC definition" can be added one underscore before the first "a"

I haven't used the feature to match all domain names before because it's pointless.
It just results in a bunch of meaningless IP addresses.
Now, with the addition of comments in dns-to-address-list, I use it to record domain names.

Through this feature, I discovered an issue with DNS matching.
Some domain names are partially in DNS_PROXY and partially in DNS_BYPASS,
indicating that the rules in DNS_PROXY failed to match,
resulting in the last rule of DNS_BYPASS being applied.



Regarding [a-zA-Z0-9-]* that you mentioned, using * on RouterOS may occasionally fail to match. I have already confirmed this with support, but they have been unable to resolve it. They cannot find the cause, and it seems to be a random and rare occurrence. I have previously recorded and submitted a bug report, but it remains unresolved due to its low reproducibility rate.

here is the config office.com regexp
DNS_PROXY_regexp_office.com.png
here is the config office.com subdomain
DNS_PROXY_subdomain_office.com.png
here is the config DNS_BYPASS
DNS_BYPASS_all_other_DOMAIN.png
here is the office.com in DNS_BYPASS
DNS_BYPASS_office.com.png
office.com should be in DNS_PROXY, by rule line 728 or 729, whether it's a regexp or subdomain.
However, it appears in DNS_BYPASS,means by rule line 1008, which indicates that none of the preceding rules matched.

that's why sometime dns-to-address-list not working well to PROXY netflix and other steaming service

MikroTik, please fix the DNS functionality as it is a fundamental feature.
Please fix the regular expression matching functionality.
Please add support for upstream DNS server load balancing and concurrency.
Additionally, please fix the issue where AAAA records still result in blank resolution.

We really need a stable DNS server in RouterOS.
You do not have the required permissions to view the files attached to this post.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: v7.11beta [testing] is released!

Fri Jul 14, 2023 5:51 am

2) no relation to zerotier. this is a wireguard tunnel
Well, the only one is WireGuard+BTH solves a similar need for VPN when both ends are behind NAT/CGNAT...but @normis is right the similarities stops there.
Why the sooner we see BTH on xMIPSx, the better, since ZeroTier on MIPS seems forever forestalled.
 
noradtux
newbie
Posts: 39
Joined: Mon May 24, 2021 6:33 pm

Re: v7.11beta [testing] is released!

Fri Jul 14, 2023 9:33 am

With 7.10 I have been seeing unstable BFD sessions on CCR2216 with L3HW enabled. With 7.11beta4 this seems to be fixed :)
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Sat Jul 15, 2023 12:08 am

The NTP server does not reply to queries from systems that are also configured in the NTP client server list, even when that particular server is not currently selected as the sync source.
So with a couple of systems and routers each configured to use all the others as reference, plus some external references, most internal sync connections do not work.
 
noradtux
newbie
Posts: 39
Joined: Mon May 24, 2021 6:33 pm

Re: v7.11beta [testing] is released!

Sat Jul 15, 2023 10:58 am

So I've been having issues with IPv6 over Wireguard on wAP (arm) from ROS 7.10 ongoing. In "allowed-networks" I had /48 networks. I got this to work again by replacing those with /64's. Issue is ongoing, SUP-120497.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.11beta [testing] is released!

Sat Jul 15, 2023 11:00 am

Seems that ntp-client treats servers like standard NTP package does with "server" entries. Standard NTP package has also "peer" entries, which (if both sides are configured similarly) enables symmetric behaviour. Such configuration might be risky if both sides are not equally trusted so I kind of understand current behaviour of MT NTP client.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.11beta [testing] is released!

Sat Jul 15, 2023 1:04 pm

Well, that is mostly historic. In the past I have used that but it never worked completely right. With any other NTP package you can cross-refer them using normal server entries and it will work fine. Of course when you query another server that tells you the time and that YOU are the source it has locked to, that reply will be "ignored" (in different ways depending on the actual server software in use).
However in RouterOS, there will simply be no reply at all to any queries sent from an address configured as server. It probably is a mistake somewhere, the server maybe checks the source address of incoming requests against the list of servers (to handle replies), and then discards it because it is not an expected reply.
 
User avatar
npeca75
Frequent Visitor
Frequent Visitor
Posts: 75
Joined: Thu Aug 03, 2017 3:12 pm

Re: v7.11beta [testing] is released!

Sun Jul 16, 2023 4:21 pm

So I've been having issues with IPv6 over Wireguard on wAP (arm) from ROS 7.10 ongoing. In "allowed-networks" I had /48 networks. I got this to work again by replacing those with /64's. Issue is ongoing, SUP-120497.
you are nor alone
i am using v6 /112 and v6 /32
on some platforms it is working, on some NOT (like CHR, ARM)
SUP-121761
last working version on all platforms was 7.9.2
 
AresPo
just joined
Posts: 12
Joined: Thu Sep 02, 2021 7:06 pm

Re: v7.11beta [testing] is released!

Sun Jul 16, 2023 7:42 pm

No, we plan to run our own relays. No self hosting.
Hi, Do you have any plans to develop these ovpn features?

*UDP mode
*LZO compression
*TLS authentication
*authentication without username/password
 
patrick7
Member
Member
Posts: 351
Joined: Sat Jul 20, 2013 2:40 pm

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 1:52 am

OpenVPN is dead, long live Wireguard
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 10:12 am

Is access list broken ?
/interface wifiwave2 access-list
add action=reject disabled=no interface=2GHz  signal-range=-120..-51
I wana kick clients at home with very strong signal from 2ghz to force them to roam to 5ghz, its not working for me.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 10:18 am

Is access list broken ?
/interface wifiwave2 access-list
add action=reject disabled=no interface=2GHz  signal-range=-120..-51
I wana kick clients at home with very strong signal from 2ghz to force them to roam to 5ghz, its not working for me.
I was wondering about this solution too but I have question.....What will happend if a device has only WiFi 2,4Ghz?? The device will not be able to connect any network with this rule so be carefull with implementation.
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 10:26 am

Thats why i wrote "at home" I have all 5ghz capable devices dont worry :)

Also @mikrotik when we will be able to change minimum rates on Wave2? I want to disable lower rates which helps with roaming great deal and also improves performance overall.
 
Simonej
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Sun Aug 22, 2021 3:34 am

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 1:26 pm

@Guntis,
/interface wifiwave2 configuration set  rrm=yes
is not working anymore, any info about the new "steering" options?
/interface wifiwave2 steering add neighbor-group     rrm     wnm   
 
EdPa
MikroTik Support
MikroTik Support
Topic Author
Posts: 340
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga
Contact:

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 2:52 pm

What's new in 7.11beta5 (2023-Jul-17 10:07):

*) bridge - added warning when VLAN interface list contains ports that are not bridged;
*) bth - added "Back To Home" VPN service for 802.11ax devices with wifiwave2 package;
*) console - fixed incorrect date when printing "value-list" with multiple entries;
*) console - improved stability when using fullscreen editor;
*) container - added IPv6 support for VETH interface;
*) container - adjust the ownership of volume mounts that fall outside the container's UID range;
*) hotspot - allow number as a first symbol in the Hotspot server DNS name;
*) lora - added uplink message filtering option using NetID or JoinEUI;
*) qos-hw - keep VLAN priority in packets that are sent from CPU;
*) resource - fixed erroneous CPU usage values;
*) sfp - reduce CPU load due to SFP interface handling for CCR2116, CCR2216, CCR2004-12S+2XS, CRS312, CRS518 devices (introduced in v7.9)
*) webfig - fixed "Connect To" configuration changes for L2TP client;
*) wifiwave2 - automatically add wifi interfaces to appropriate bridge VLAN when wireless clients with new VLAN IDs connect;
*) wifiwave2 - fixed multicast frame delivery (introduced in v7.11beta2);
*) wifiwave2 - fixed registration table statistics (introduced in v7.11beta4);
 
ToTheFull
Member
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 3:11 pm

Thankyou Team.
*) wifiwave2 - fixed registration table statistics (introduced in v7.11beta4);
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 3:13 pm

Thankyou Team.
*) wifiwave2 - fixed registration table statistics (introduced in v7.11beta4);
Maybe this was reason access list was also broken? Will try when im home.
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 3:52 pm

Is access list broken ?
/interface wifiwave2 access-list
add action=reject disabled=no interface=2GHz  signal-range=-120..-51
I wana kick clients at home with very strong signal from 2ghz to force them to roam to 5ghz, its not working for me.
If you want to kick clients with strong signal, you should specify signal-range=-51..120 for a rejecting access-list rule.
 
User avatar
Ullinator
just joined
Posts: 17
Joined: Tue Jun 08, 2021 12:53 pm
Location: North-West Germany

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 5:31 pm

*) wifiwave2 - automatically add wifi interfaces to appropriate bridge VLAN when wireless clien´t work forments with new VLAN IDs connect;
Doesn´t work for me. In the bridge the VLAN-ID is still VLAN-ID 1, instead of 99 for my guest-WLAN.

Here´s the correct view from the CAPsMAN:
hc_157.jpg
And here the view on the bridge on the CAP:
hc_153.jpg
Both devices run 7.11 Beta5
@MT: is there something special to do in Beta5?
You do not have the required permissions to view the files attached to this post.
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 5:47 pm

Is access list broken ?
/interface wifiwave2 access-list
add action=reject disabled=no interface=2GHz  signal-range=-120..-51
I wana kick clients at home with very strong signal from 2ghz to force them to roam to 5ghz, its not working for me.
If you want to kick clients with strong signal, you should specify signal-range=-51..120 for a rejecting access-list rule.
Hey, this kinda works, now it doesnt allow my phone to connect to on 2ghz if im close to router so it seams it works, but...

If i connect to 2ghz while far from router and on low signal then move closer to router its still stuck on 2ghz and it never gets kicked or roams to 5ghz(ft is enabled)...

Its like Access list is only checked on initial connection of client but it doesn't check it any further.

Any more tips how to achieve this?
 
ToTheFull
Member
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 6:19 pm

Turn off use random MAC Address per device, long shot
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 6:21 pm

Yeah i did that already...

EDIT:

I added this script to scheduler to run every 10 sec
:local MacAddress "xx:xx:xx:xx:xx:xx"
:local ClientSignal -51
:local InterfaceName 2GHz
/interface wifiwave2 registration-table remove [find where mac-address=$MacAddress and signal > $ClientSignal and interface=$InterfaceName]
And while it does work perfect it self, problem is phone takes 5 sec to reconnect from 2ghz to 5ghz after being kicked like this...

Unless there are some other tricks in FT or /interface/wifiwave2/steering we need option to change minimum rates so we can improve roaming decisions made by clients.

Reason im asking for this because my devices get stuck for days on 2ghz even if im 1m from AP, on other WIFI6 vendor APs this just works and my phone auto roams back to 5ghz from 2ghz when im back to good signal (like going outside then back to office), on Mikrotik only see client roam(its even printed in log) when i run out of 5ghz signal then moves me to 2ghz, but never returns me back to 5ghz.
Last edited by ivicask on Mon Jul 17, 2023 6:56 pm, edited 1 time in total.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3343
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 6:55 pm

*) bth - added "Back To Home" VPN service for 802.11ax devices with wifiwave2 package;
Do Wifiwave2 package contains part of the VPN code, if so why?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 7:40 pm

From what I understood, it will come to the rest as well. After all, it's wireguard and that's already available for all devices capable of running ROS7.

Just AX line for now to test the waters.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 8:22 pm

*) wifiwave2 - fixed registration table statistics (introduced in v7.11beta4);
Can confirm that it's working again :D
 
kcarhc
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Thu Feb 01, 2018 9:54 am

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 8:50 pm

What's new in 7.11beta5 (2023-Jul-17 10:07):

*) bridge - added warning when VLAN interface list contains ports that are not bridged;
*) bth - added "Back To Home" VPN service for 802.11ax devices with wifiwave2 package;
*) console - fixed incorrect date when printing "value-list" with multiple entries;
*) console - improved stability when using fullscreen editor;
*) container - added IPv6 support for VETH interface;
*) container - adjust the ownership of volume mounts that fall outside the container's UID range;
*) hotspot - allow number as a first symbol in the Hotspot server DNS name;
*) lora - added uplink message filtering option using NetID or JoinEUI;
*) qos-hw - keep VLAN priority in packets that are sent from CPU;
*) resource - fixed erroneous CPU usage values;
*) sfp - reduce CPU load due to SFP interface handling for CCR2116, CCR2216, CCR2004-12S+2XS, CRS312, CRS518 devices (introduced in v7.9)
*) webfig - fixed "Connect To" configuration changes for L2TP client;
*) wifiwave2 - automatically add wifi interfaces to appropriate bridge VLAN when wireless clients with new VLAN IDs connect;
*) wifiwave2 - fixed multicast frame delivery (introduced in v7.11beta2);
*) wifiwave2 - fixed registration table statistics (introduced in v7.11beta4);
please check SUP-119969 kernel failure in 7.11beta5
KERNEL_FAILURE_IN_PREVIOUS_BOOT_7.11beta5.png
You do not have the required permissions to view the files attached to this post.
 
ToTheFull
Member
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 9:00 pm

strike that
Last edited by ToTheFull on Mon Jul 17, 2023 9:14 pm, edited 1 time in total.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 9:08 pm

Don't know what this mean but everything is working for now:

Screenshot_2023-07-17-20-07-25-579_com.mikrotik.android.tikapp-edit.jpg
You do not have the required permissions to view the files attached to this post.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 10:46 pm

Its like Access list is only checked on initial connection of client but it doesn't check it any further.

Any more tips how to achieve this?

There's another ACL property: allow-signal-out-of-range ... and to my surprise it seems to be largely ignored in manual (both old and new). It can be set in two ways:
  1. allow-signal-out-of-range=always
    This is default setting and seems that effect is what you're observing: ACL is only evaluated when client tries to connect.
  2. allow-signal-out-of-range=<time interval>
    <time interval> seems to be duration (e.g. "10s"), during which (an already connected) client can be outside configured signal-range and ACL rule doesn't execute. Only after time interval elapses, ACL gets executed. It is useful to set allow-signal-out-of-range property both in accept and reject rules ... if these are in pairs (remember, tehre's always theimplicit ultimate accept rule), then setting allow-signal-out-of-range on both accept and reject rules creates a kind of hysteresis which can reduce number of disconnects when client is in border conditions (radio signal tends to fluctuate by a few dB due to various reasons, also people movind in vicinity of either AP or client can distract EMF enough to be measurable).
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.11beta [testing] is released!

Mon Jul 17, 2023 11:48 pm

I know all this but it doesnt work regardless of this setting .For now my script in scheduler works to help band steer to 5ghz until mikrotik does some fixes /improvments to wave2.
 
UpRunTech
Member Candidate
Member Candidate
Posts: 238
Joined: Fri Jul 27, 2012 12:11 pm

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 12:22 am

Bug report:

* Latest beta 5, I just noticed on the RB5009 ethernet interfaces the FP Tx and FP Tx Packet rate counters are always 0.
* CAPSMAN log messages have %*d after the MAC address eg: disconnecting WAP@xx:xx:xx:xx:xx:xx%*d, activity timeout
 
kcarhc
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Thu Feb 01, 2018 9:54 am

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 2:58 am

I think I have found the reason for the kernel crash.
Disable the following two new supported endpoint-independent-nat codes:
The occurrence of RouterOS kernel failure has significantly decreased.
/ip firewall nat
add action=endpoint-independent-nat chain=srcnat out-interface-list=WAN protocol=udp
add action=endpoint-independent-nat chain=dstnat in-interface-list=WAN protocol=udp
Previously, kernel failure would happen every 1-2 hours,
but now it remains stable after 6 hours.
KERNEL_FAILURE_7.11beta5.png
Because I have a NAS in my internal network that is constantly uploading and downloading BitTorrent files for 24 hours,
I believe it is causing RouterOS kernel failure in versions 7.10.x and 7.11beta. It was running stable on version 7.9.

In my case, versions 7.10.x and 7.11beta introduced the comment for dns-to-address-list and endpoint-independent-nat.

Currently, it is known that version 7.10 introduced the issue of crashes with dns-to-address-list.
Both version 7.10 and 7.11 randomly experience kernel failure.
It has been preliminarily determined that enabling endpoint-independent-nat increases the frequency and shortens the occurrence time of kernel failure.
You do not have the required permissions to view the files attached to this post.
 
User avatar
elbantany
newbie
Posts: 29
Joined: Fri Jul 14, 2023 12:58 pm
Location: Indonesia
Contact:

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 3:26 am

Help me pleas add this fix in link,
Teseted v7.10.1 & 7.10.2
cAP ac
AX2

viewtopic.php?t=197789
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 6:40 am

Bug report:

* Latest beta 5, I just noticed on the RB5009 ethernet interfaces the FP Tx and FP Tx Packet rate counters are always 0.
Interesting .... I see it only on the FP TX Packet rate counters. RX moves.
Best to report to support@mikrotik.com.
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 7:36 am

*) wifiwave2 - automatically add wifi interfaces to appropriate bridge VLAN when wireless clien´t work forments with new VLAN IDs connect;
Doesn´t work for me. In the bridge the VLAN-ID is still VLAN-ID 1, instead of 99 for my guest-WLAN.
Check the /interface/bridge/vlan menu, not /interface/bridge/port.
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 7:44 am

I know all this but it doesnt work regardless of this setting .For now my script in scheduler works to help band steer to 5ghz until mikrotik does some fixes /improvments to wave2.
7.11beta2 enabled 802.11v BSS transition management requests and 802.11k neighbor report responses.
What more would you like AP to do to facilitate roaming?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 7:58 am

Does anybody else have problem with BTH ? After update it's no longer working. App says it's connected but I have no internet connection and I can't ping devices on my network.
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 8:59 am

I know all this but it doesnt work regardless of this setting .For now my script in scheduler works to help band steer to 5ghz until mikrotik does some fixes /improvments to wave2.
7.11beta2 enabled 802.11v BSS transition management requests and 802.11k neighbor report responses.
What more would you like AP to do to facilitate roaming?
Ability to change rates.
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 9:22 am

To lower the distance at which a link can be established?
You can do that by manually lowering maximum transmit power.
 
Simonej
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Sun Aug 22, 2021 3:34 am

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 9:42 am

@FToms,
/interface wifiwave2 configuration set  rrm=yes
is not working anymore, any info about the new "steering" options?
/interface wifiwave2 steering add neighbor-group     rrm     wnm   
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 9:57 am

We'll update the documentation shortly.
'configuration.rrm' has been renamed to 'steering.rrm' and it enables or disables responses to neighbor report requests.
'steering.wnm' disables or enables responses to BSS transition management queries.

Those 2 types of frames both include a list of APs that are suggested as roaming candidates to clients interested in this info.
By default all APs with the same SSID and authentication settings are put in the same neighbor group. See /interface/wifiwave2/neighbour-group for active AP groups.
5GHz APs are listed as more desirable roaming candidates than 2.4GHz APs.
We'll appreciate suggestions on what functionality and configuration options you would like to have added to the steering menu.
 
User avatar
osc86
Member Candidate
Member Candidate
Posts: 203
Joined: Wed Aug 09, 2017 1:15 pm

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 10:09 am

@gigabyte091 BTH tested and is working ok here, even behind NAT. Remember to add an additional allow rule, in case you put a deny all rule at the end of your forward chain.
 
Simonej
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Sun Aug 22, 2021 3:34 am

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 10:14 am

We'll update the documentation shortly.
Thanks, waiting for it.
Is always CAPsMAN + ft=yes required for a device to roam between APs?
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 10:15 am

To lower the distance at which a link can be established?
You can do that by manually lowering maximum transmit power.
Well what about when im on lower signal on 5ghz, if i could disable lower rates, like set min 24 or 36 as i had on wave1 so my devices dont get stuck on lower 5ghz signal and move to another AP or 2ghz from same ap way sooner.

Cant even imagine dense setups with large amounts of APS, disabling lower rates is a must!
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 11:24 am

Is always CAPsMAN + ft=yes required for a device to roam between APs?
The 'security.ft' setting enables 802.11r fast roaming.
For fast roaming to be possible between APs, they must be managed by the same instance of RouterOS. So a client device can roam between the interfaces of a dual-band AP or between multiple cap interfaces managed by the same CAPsMAN instance or between one of the local interfaces on capsman and one of its cAPs.
This is, ofcourse, if security.ft is enabled and the interfaces have the same SSID and authentication type.
Oh, and a client device may not support 802.11r with all authentication types. In our testing, for example, Windows 10 with an Intel wireless cards could take advantage of 802.11r with EAP authentication, but not PSK, while Apple devices gladly used it with all authentication types.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 11:44 am

If I have only one HAP AX3 and I want to enable roaming, should I use capsman when I use only one AP?
 
dksoft
Member Candidate
Member Candidate
Posts: 153
Joined: Thu Dec 06, 2012 8:56 am
Location: Germany

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 12:10 pm

What's new in 7.11beta5 (2023-Jul-17 10:07):

*) container - added IPv6 support for VETH interface;
Can you please provide some instructions how to add dual-stack IPv4+IPv6 address to a container?
Thanks
dksoft
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 12:33 pm

If I have only one HAP AX3 and I want to enable roaming, should I use capsman when I use only one AP?
In such cases, capsman is not necessary.
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 12:43 pm

Thank you for your answer in this case should be ticked FT but without DS?
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 12:54 pm

Fast transition over DS is a an optional variant of 802.11r.
You can enable it in any setup, where you've enabled FT. If a client device does not support it, it will perform FT over air.
 
User avatar
Ullinator
just joined
Posts: 17
Joined: Tue Jun 08, 2021 12:53 pm
Location: North-West Germany

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 1:06 pm

*) wifiwave2 - automatically add wifi interfaces to appropriate bridge VLAN when wireless clien´t work forments with new VLAN IDs connect;
Doesn´t work for me. In the bridge the VLAN-ID is still VLAN-ID 1, instead of 99 for my guest-WLAN.
Check the /interface/bridge/vlan menu, not /interface/bridge/port.
Hi FToms,
even in the /interface/bridge/vlan no other VLAN-ID than 1 appears.

Here´s the view from the CAPsMAN and the connected devices. You see one device connected to my IOT WLAN with VLA N-ID 98:
hc_314.jpg
The device is connected with my CAP-AX-BUERO:
hc_316.jpg
But on the CAP itself no VLAN 98 appears:
hc_315.jpg
And in the /interface/bridge/port no wifi12 appears:
hc_317.jpg
Please see SUP-115988!!
So again, sorry, it is NOT working as expected :-/
You do not have the required permissions to view the files attached to this post.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 1:35 pm

@gigabyte091 BTH tested and is working ok here, even behind NAT. Remember to add an additional allow rule, in case you put a deny all rule at the end of your forward chain.
It was working before update just fine, i will see if something was changed when update was done
 
kcarhc
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Thu Feb 01, 2018 9:54 am

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 1:53 pm

Confirmed kernel failure is due to excessive connections and excessive traffic.
Bittorrent software is being used to simultaneously download 10 torrents.
Within 10 minutes, kernel failure is triggered 100% of the time, leading to an automatic restart.
The total number of connections is approximately around 5000.
TCP connections account for 40%, which is 2000.
UDP connections account for 60%, which is 3000.
The WAN port is configured as pppoe-client.
KERNEL_FAILURE_7.11beta5_BT.png
The screenshot depicts stable operation for 17 hours prior to the crash without enabling endpoint-independent-nat.
Enabling it caused a crash within 5 minutes, and in several other tests, kernel failure was also triggered within 10 minutes.
You do not have the required permissions to view the files attached to this post.
 
ToTheFull
Member
Member
Posts: 402
Joined: Fri Mar 24, 2023 3:24 pm

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 1:56 pm

Sorry I misunderstood what I was looking at regarding BTH.
Great service.
Last edited by ToTheFull on Tue Jul 18, 2023 8:40 pm, edited 2 times in total.
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 1:57 pm

And in the /interface/bridge/port no wifi12 appears:
There are 2 settings on a cAP, where datapath is specified.
/interface/wifiwave2/set [find] datapath= will set the datapath for master interfaces.
/interface/wifiwave2/cap set slaves-datapath will set datapath for slave ('virtual') interfaces. I'm guessing you've not set this setting, so the virtual IoT interface is not a bridge port.
 
User avatar
osc86
Member Candidate
Member Candidate
Posts: 203
Joined: Wed Aug 09, 2017 1:15 pm

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 2:17 pm

don't know if it's a winbox or ros bug:
if you enable bth and copy the generated "back-to-home-vpn" firewall rule, you're unable to move the new rule afterwards: cannot move builtin (6).
 
dksoft
Member Candidate
Member Candidate
Posts: 153
Joined: Thu Dec 06, 2012 8:56 am
Location: Germany

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 3:09 pm

What's new in 7.11beta5 (2023-Jul-17 10:07):

*) container - added IPv6 support for VETH interface;
Can you please provide some instructions how to add dual-stack IPv4+IPv6 address to a container?
Thanks
dksoft
/interface veth
add address=10.0.0.6/20,fd00::6/64 comment="Docker container" gateway=10.0.0.1 gateway6=fd00::1 name=PIHOLE
 
User avatar
antonsb
MikroTik Support
MikroTik Support
Posts: 411
Joined: Sun Jul 24, 2016 3:12 pm
Location: Riga, Latvia

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 3:19 pm

Can you please provide some instructions how to add dual-stack IPv4+IPv6 address to a container?
Thanks
dksoft
Done! Look under Tips and Tricks section.
 
flapviv
just joined
Posts: 16
Joined: Wed Oct 13, 2021 7:50 am

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 4:14 pm

Can you please provide some instructions how to add dual-stack IPv4+IPv6 address to a container?
Thanks
dksoft
Done! Look under Tips and Tricks section.
Very easy to configure!
 
User avatar
sirbryan
Member
Member
Posts: 400
Joined: Fri May 29, 2020 6:40 pm
Location: Utah
Contact:

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 5:28 pm

Unless there are some other tricks in FT or /interface/wifiwave2/steering we need option to change minimum rates so we can improve roaming decisions made by clients.

Reason im asking for this because my devices get stuck for days on 2ghz even if im 1m from AP, on other WIFI6 vendor APs this just works and my phone auto roams back to 5ghz from 2ghz when im back to good signal (like going outside then back to office), on Mikrotik only see client roam(its even printed in log) when i run out of 5ghz signal then moves me to 2ghz, but never returns me back to 5ghz.
What channel sizes are you running on 2.4 and 5? What phone (operating system)?

Apple devices, for example, will prefer 80MHz over 40 or 20, and start looking to change once they get in the -70's. Those are just two things they take into consideration (their website has the full breakdown of their selection criteria). I'd imagine other vendors are similar.

Accordingly, I set up my customers' hAP's with 20MHz 2.4GHz channels (40MHz is a mess) and 40- or 80MHz on their 5GHz radio, depending on how much bandwidth they've subscribed to (40MHz for 50-150Mbps, 80MHz for 200-500Mbps).

Clients will hold on to whatever they've got in favor of keeping your connection up. Unless the device and the AP are actively working out an AP transition plan (see specs for 802.11k, v, r, etc.), they'll rarely transition smoothly if the AP force-kicks them without giving them somewhere to go.
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 5:59 pm

@sirbryan i run 20mhz and 80mhz for 5ghz ,devices are Samsung s23 ultra , Tab S8, Asus laptops with ax20x etc..
 
User avatar
CTassisF
newbie
Posts: 36
Joined: Thu Jun 11, 2020 10:26 pm
Location: São Paulo, Brazil
Contact:

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 6:44 pm

After updating to 7.11beta5, all containers are showing 0.0.0.0 as their own IP in /etc/hosts.

For example, here's my AdGuard container:

[cesar-ro@RB5009] > /container/print 
 0 name="4736436b-e3cc-4f12-a794-7f128e0a26cf" tag="adguard/adguardhome:latest" os="linux" arch="arm64" interface=adguard root-dir=usb1-part1/adguard-root mounts=adguard-opt-adguardhome-conf,adguard-opt-adguardhome-work dns=172.31.0.254 
   hostname="adguard" workdir="/opt/adguardhome/work" start-on-boot=yes status=running 

[cesar-ro@RB5009] > /container/shell number=0
/ # cat /etc/hosts
127.0.0.1  localhost
::1        localhost ip6-localhost ip6-loopback
fe00::0    ip6-localnet
ff00::0    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters

0.0.0.0 adguard

And here's my Zabbix Proxy container:

[cesar-ro@RB5009] > /container/print 
 1 name="a05ce710-4794-48c3-98c2-d0469807d7dd" tag="zabbix/zabbix-proxy-sqlite3:alpine-6.0-latest" os="linux" arch="arm64" interface=zabbix envlist="zabbix" root-dir=usb1-part1/zabbix-root 
   mounts=zabbix-var-lib-zabbix-db_data,zabbix-var-lib-zabbix-enc dns=172.31.0.254 hostname="zabbix" workdir="/var/lib/zabbix" start-on-boot=yes status=running 

[cesar-ro@RB5009] > /container/shell number=1
bash-5.1# cat /etc/hosts
127.0.0.1  localhost
::1        localhost ip6-localhost ip6-loopback
fe00::0    ip6-localnet
ff00::0    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters

0.0.0.0 zabbix
 
vovan700i
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Wed Jun 06, 2012 8:34 am

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 7:08 pm

Done! Look under Tips and Tricks section.
Hi @antonsb, thank you for implementing IPv6 for containers, it is highly appreciated.

The following issues occurred for me on RB5009 with v7.11b5:
1) I added an IPv6 address and an IPv6 gateway to the existing veth interface using the following command. I checked it using "/container print" and it was ok. Then I attached to the container's shell and there were neither IPv6 address not IPv6 gateway I assigned, even after I restarted the container multiple times. So, probably for now, only adding new veth may work.
/container set 0 address=172.17.0.3/16,fd8d:5ad2:24:2::2/64 gateway6=fd8d:5ad2:24:2::1
2) After step (1) I decided to restart the host, and the veth interface with IPv6 address and gateway disappeared completely (other veth were ok), so that its container wouldn't even start (showing unknown interface).
3) Winbox doesn't support IPv6 for containers yet.

Could you please look at it further and resolve these issues?
 
curtdept
just joined
Posts: 2
Joined: Wed Nov 17, 2021 8:00 am

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 7:16 pm

Bug report:

* Latest beta 5, I just noticed on the RB5009 ethernet interfaces the FP Tx and FP Tx Packet rate counters are always 0.
Interesting .... I see it only on the FP TX Packet rate counters. RX moves.
Best to report to support@mikrotik.com.
Interesting, mine only seems to happen on TX on 2.5GB interfaces
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 8:26 pm

We'll update the documentation shortly.
'configuration.rrm' has been renamed to 'steering.rrm' and it enables or disables responses to neighbor report requests.
'steering.wnm' disables or enables responses to BSS transition management queries.

Those 2 types of frames both include a list of APs that are suggested as roaming candidates to clients interested in this info.
By default all APs with the same SSID and authentication settings are put in the same neighbor group. See /interface/wifiwave2/neighbour-group for active AP groups.
5GHz APs are listed as more desirable roaming candidates than 2.4GHz APs.
We'll appreciate suggestions on what functionality and configuration options you would like to have added to the steering menu.
How to enable steering ? I can't find anything in winbox and when i tried using terminal it says bad command...
 
Rox169
Member
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.11beta [testing] is released!

Tue Jul 18, 2023 11:55 pm

I have the same question......

How to enable steering ?
 
User avatar
FToms
MikroTik Support
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 7:57 am

Responses to neighbor report requests and BSS transition management queries are enabled by default.
That's the extent of the band steering as currently implemented.
 
User avatar
coddy
just joined
Posts: 3
Joined: Mon Nov 11, 2013 7:13 am

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 8:12 am

I added the following to 'enable' steering

On the CAPsMAN
/interface wifiwave2 steering
add name=<NameOfSteeringGroup> neighbor-group=dynamic-<wifiSSID>-<RandomHex> rrm=yes wnm=yes
Note: You do not get autocomplete for the neighbor-group-dynamic= parameter, you need to obtain the name of the group manually first.

To get the dynamic group name:
/interface/wifiwave2/steering/neighbor-group/print

This will list all of your SSIDs and the MAC addresses from each AP wifi interface that carry the SSID. Unfortunately the random hex digits making up the end of the neighbor group name appear to change on each reboot - which creates a problem with creating a steering rule connected to that neighbor group.

I need to update the config on the CAPsMAN each time I reboot it, to ensure the neighbor-group name is updated to the new dynamic group name.

I get good roaming across the AX3's using 5GHz channel (Disabled 2GHz because all client devices are 5GHz capable and it forces the devices to roam quicker than they do when holding onto a weak 2GHz signal).

Don't know anything more about this, no docs, and I am sure Mikrotik will need to update the implementation so we don't get neighbor group names changing all the time. Would be nice to get more definitive information about this, but it looks like it is a work in progress. Lets see what Mikrotik can come up with.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 8:42 am

If it work in progress then it's better to wait, al least for me... And add this function to winbox maybe
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: v7.11beta [testing] is released!

Wed Jul 19, 2023 10:05 am

Regarding BTH, i disabled and then reenabled BTH, added new tunnel and now it's working like before, without any other modifications.

Who is online

Users browsing this forum: No registered users and 5 guests