v7.11.2 [stable] is released!

Tue Aug 15, 2023 3:20 pm

RouterOS version 7.11, 7.11.1 and 7.11.2 have been released in the "v7 stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.11.2 (2023-Aug-31 16:55):

*) dhcp - fixed DHCP server "authoritative" and "delay-threshold" settings (introduced in v7.11.1);

What's new in 7.11.1 (2023-Aug-30 13:41):

*) bridge - fixed fast-path forwarding with HW offloaded vlan-filtering (introduced in v7.11);
*) bridge - fixed untagged VLAN entry disable;
*) bridge - fixed vlan-filtering stability with HW and non-HW offloaded ports (introduced in v7.10);
*) bridge - improved system stability;
*) bridge - improved vlan-filtering bridge stability with CAPsMAN (introduced in v7.11);
*) console - improved stability and responsiveness;
*) dhcp - fixed DHCP server and relay related response delays;
*) ipsec - fixed IPSec policy when using modp3072;
*) lte - fixed startup race condition when SIM card is in "up" slot for LtAP mini;

What's new in 7.11 (2023-Aug-15 09:33):

*) api - disallow executing commands without required parameters;
*) bfd - fixed "actual-tx-interval" value and added "remote-min-tx" (CLI only);
*) bfd - improved system stability;
*) bluetooth - added "decode-ad" command for decoding raw Bluetooth payloads (CLI only);
*) bluetooth - added "Peripheral devices" section which displays decoded Eddystone TLM and UID, iBeacon and MikroTik Bluetooth payloads;
*) bluetooth - added new AD structure type "service-data" for Bluetooth advertisement;
*) bridge - added more STP-related logging;
*) bridge - added warning when VLAN interface list contains ports that are not bridged;
*) bridge - fixed MAC learning on "switch-cpu" port with enabled FastPath;
*) bridge - fixed MSTP BPDU aging;
*) bridge - fixed MSTP synchronization after link down;
*) bridge - prevent bridging the VLAN interface created on the same bridge;
*) certificate - allow to import certificate with DNS name constraint;
*) certificate - fixed PEM import;
*) certificate - fixed trust store CRL link if generated on an older version (introduced in v7.7);
*) certificate - improved CRL download retry handling;
*) certificate - removed request for "passphrase" property on import;
*) certificate - require CRL presence when using "crl-use=yes" setting;
*) certificate - restored RSA with SHA512 support;
*) conntrack - fixed "active-ipv4" property;
*) console - added ":convert" command;
*) console - added default value for "rndstr" command (16 characters from 0-9a-zA-Z);
*) console - fixed incorrect date when printing "value-list" with multiple entries;
*) console - fixed minor typos;
*) console - fixed missing "parent" for script jobs (introduced in v7.9);
*) console - fixed missing return value for ping command in certain cases;
*) console - fixed printing interval when resizing terminal;
*) console - improved flag printing in certain menus;
*) console - improved stability and responsiveness;
*) console - improved stability when canceling console actions;
*) console - improved stability when using fullscreen editor;
*) console - improved timeout for certain commands and menus;
*) console - improved VPLS "cisco-id" argument validation;
*) container - added IPv6 support for VETH interface;
*) container - added option to use overlayfs layers;
*) container - adjust the ownership of volume mounts that fall outside the container's UID range;
*) container - fixed duplicate image name;
*) container - fixed IP address in container host file;
*) defconf - do not change admin password if resetting with "keep-users=yes";
*) dhcp-server - fixed setting "bootp-lease-time=lease-time";
*) discovery - fixed "lldp-med-net-policy-vlan" (introduced in v7.8 );
*) dns - improved system stability when processing static DNS entries with specified address-list;
*) ethernet - fixed forced half-duplex 10/100 Mbps link speeds on CRS312 device;
*) ethernet - improved interface stability for CRS312 device;
*) fetch - improved timeout detection;
*) firewall - added warning when PCC divider argument is smaller than remainder;
*) firewall - fixed mangle "mark-connection" with "passthrough=yes" rule for TCP RST packets;
*) firewall - improved system stability when using "endpoint-independent-nat";
*) graphing - added paging support;
*) health - added more gradual control over fans for CRS3xx, CRS5xx, CCR2xxx devices;
*) health - fixed configuration export for "/system/health/settings" menu;
*) hotspot - allow number as a first symbol in the Hotspot server DNS name;
*) ike1 - fixed Phase 1 when using aggressive exchange mode (introduced in v7.10);
*) ike2 - improved SA rekeying reply process;
*) ike2 - improved system stability when closing phase1;
*) ike2 - improved system stability when making configuration changes on active setup;
*) ike2 - log "reply ignored" as non-debug log message;
*) ipsec - fixed public key export (introduced in v7.10);
*) ipsec - fixed signature authentication using secp521r1 certificate (introduced in v7.10);
*) ipsec - improved IKE2 rekey process;
*) ipsec - properly check ph2 approval validity when using IKE1 exchange mode;
*) l3hw - changed minimal supported values for "neigh-discovery-interval" and "neigh-keepalive-interval" properties;
*) l3hw - fixed /32 and /128 route offloading after nexthop change;
*) l3hw - fixed incorrect source MAC usage for offloaded bonding interface;
*) l3hw - improved system responsiveness during partial offloading;
*) l3hw - improved system stability during IPv6 route offloading;
*) l3hw - improved system stability;
*) led - fixed manually configured user LED for RB2011;
*) leds - blink red system-led when LTE is not connected to the network on D53 devices;
*) leds - fixed system-led color for "GSM EGPRS" RAT on D53 devices;
*) lora - added new EUI field;
*) lora - added uplink message filtering option using NetID or JoinEUI;
*) lora - moved LoRa service to IoT package;
*) lora - properly apply configuration changes when multiple LoRa cards are used;
*) lora - updated LoRa firmware for R11e-LR8, R11e-LR9 and R11e-LR2 cards;
*) lte - added "at-chat" support for Dell DW5821e-eSIM modem;
*) lte - added "at-chat" support for Dell DW5829 modem;
*) lte - added "at-chat" support for Fibocom L850-GL modem;
*) lte - added "at-chat" support for SIMCom 8202G modem;
*) lte - added "band" info to the "monitor" command for MBIM modems that support serving cell info reporting over MBIM;
*) lte - added extended support for Neoway N75 modem;
*) lte - fixed Dell DW5821e "at-chat" support;
*) lte - fixed LtAP mini default SIM slot "down" changeover to "up" after an upgrade (introduced in v7.10beta1);
*) lte - fixed NR SINR reporting for Chateau 5G;
*) lte - fixed R11e-LTE, R11e-LTE6 legacy 2G/3G RAT mode selection;
*) lte - fixed Telit LE910C4 "at-chat" support;
*) lte - improved initial interface startup time for SXT LTE 3-7;
*) lte - improved system stability when changing the "radio" state for MBIM modems;
*) lte - only listen to DHCP packets for LTE passtrough interface in auto mode when looking for the host;
*) modem - added initial support for BG77 modem DFOTA firmware update;
*) modem - changed Quectel EC25 portmap to expose DM (diag port), DM channel=0, GPS channel=1;
*) modem - fixed missing sender's last symbol in SMS inbox if the sender is an alphabetic string;
*) mpls - improved MPLS TCP performance;
*) mqtt - added more MQTT publish configuration options;
*) mqtt - added new MQTT subscribe feature;
*) netwatch - added "src-address" property;
*) netwatch - changed "thr-tcp-conn-time" argument to time interval;
*) ovpn - do not try to use the "bridge" setting from PPP/Profile, if the OVPN server is used in IP mode (introduced in v7.10);
*) ovpn - fixed OVPN server peer-id negotiation;
*) ovpn - fixed session-timeout when using UDP mode;
*) ovpn - improved key renegotiation process;
*) ovpn - include "connect-retry 1" and "reneg-sec" parameters into the OVPN configuration export file;
*) ovpn - properly close OVPN session on the server when client gets disconnected;
*) package - treat disabled packages as enabled during upgrade;
*) poe - fixed missing PoE configuration section under specific conditions;
*) poe-out - advertise LLDP power-mdi-long even if no power allocation was requested (introduced in v7.7);
*) pppoe - fixed PPPoE client trying to establish connection when parent interface is inactive;
*) profile - added "container" process classifier;
*) profile - properly classify "console" related processes;
*) qos-hw - keep VLAN priority in packets that are sent from CPU;
*) quickset - correctly apply configuration when using "DHCP Server Range" property;
*) resource - fixed erroneous CPU usage values;
*) rose-storage - added "scsi-scan" command (CLI only);
*) rose-storage - added disk stats for ramdisks;
*) rose-storage - fixed RAID 0 creation;
*) rose-storage - limit striped RAID element size to smallest disk size;
*) route - added comment for BFD configuration (CLI only);
*) route - convert BFD timers from milliseconds to microseconds after upgrade;
*) routerboard - fixed "gpio-function" setting on RBM33G ("/system routerboard upgrade" required);
*) routerboard - improved RouterBOOT stability for Alpine CPUs ("/system routerboard upgrade" required);
*) routerboard - removed unnecessary serial port for netPower16P and hAP ax lite devices ("/system routerboard upgrade" required);
*) routerboot - increased etherboot bootp timeout to 40s on MIPSBE and MMIPS devices ("/system routerboard upgrade" required);
*) sfp - fixed incorrect optical SFP temperature readings (introduced in v7.10);
*) sfp - improved interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 based switches;
*) sfp - improved optical QSFP interface handling for 98DX8332, 98DX3257, 98DX4310, 98DX8525 switches;
*) sfp - improved Q/SFP interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 switches;
*) sfp - reduce CPU load due to SFP interface handling for CCR2116, CCR2216, CCR2004-12S+2XS, CRS312, CRS518 devices (introduced in v7.9)
*) sms - increased wait time for modem startup;
*) ssh - fixed host public key export (introduced in v7.9);
*) ssh - fixed private key import (introduced in v7.9);
*) ssh - fixed SSH key agreement on the client side when ed25519 used under server settings;
*) ssh - fixed user RSA private key import;
*) switch - fixed "reset-counters" for "switch-cpu";
*) switch - fixed BPDU packet processing on MT7621, MT7531 with HW offloaded vlan-filtering;
*) switch - improved multicast packet forwarding on MT7621;
*) system - disallow setting a non-existing CPU core number for system IRQ;
*) system - increased maximum supported CPU core count to 512 on CHR and x86;
*) system - reduced RAM usage for SMIPS devices;
*) tftp - improved file name matching;
*) user - added "sensitive" policy requirement for SSH key and certificate export;
*) w60g - improved stability for Cube 60Pro ac and CubeSA 60Pro ac devices;
*) webfig - added option to enable wide view in item list;
*) webfig - fixed "Connect To" configuration changes for L2TP client;
*) webfig - fixed gray-out italic font for entries after enable;
*) webfig - use router time zone for date and time;
*) wifiwave2 - added "steering" parameters and menu to set up and monitor AP neighbor groups (CLI only);
*) wifiwave2 - added more information on roaming candidates to BSS transition management requests (802.11v) and neighbor report responses (802.11k);
*) wifiwave2 - added option to filter frames captured by the sniffer command (CLI only);
*) wifiwave2 - automatically add wifi interfaces to appropriate bridge VLAN when wireless clients with new VLAN IDs connect;
*) wifiwave2 - changed default behavior for handling duplicate client MAC addresses, added settings for changing it (CLI only);
*) wifiwave2 - enabled PMK caching with EAP authentication types;
*) wifiwave2 - fixed "reg-info" information for several countries;
*) wifiwave2 - fixed "security.sae-max-failure" rate not limiting authentications correctly in some cases;
*) wifiwave2 - fixed clearing CAPsMAN Common Name when disabling "lock-to-caps-man";
*) wifiwave2 - fixed interface hangs on IPQ6010-based boards (introduced in v7.9);
*) wifiwave2 - improved stability when changing interface settings;
*) wifiwave2 - improved stability when receiving malformed WPA3-PSK authentication frames;
*) wifiwave2 - make info log less verbose during client roaming (some info moved to wireless,debug log);
*) wifiwave2 - rename "reg-info" country argument from "Macedonia" to "North Macedonia";
*) wifiwave2 - use correct status code when rejecting WPA3-PSK re-association;
*) winbox - added missing status values for Ethernet and Cable Test;
*) winbox - added warning about non-running probe due to "startup-delay";
*) winbox - fixed "Storm Rate" property under "Switch/Port" menu;
*) winbox - fixed BGP affinity display;
*) winbox - fixed default "Ingress Filtering" value under "Bridge" menu;
*) winbox - improved supout.rif progress display;
*) winbox - rename "Group Master" property to "Group Authority" under "Interface/VRRP" menu;
*) wireguard - fixed peer connection using DNS name on IP change;
*) wireguard - fixed peer IPv6 "allowed-address" usage;
*) wireless - ignore EAPOL Logoff frames;
*) x86 - updated e1000 driver;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

Rox169 · Tue Aug 15, 2023 3:22 pm

First :)

ROS 7.11 Upgraded on:

hap AX3
hap AC3
hap AC2
Cube60G AC
WAP60G
SXT
..................all OK

loloski · Tue Aug 15, 2023 3:45 pm

2.png

so far upgrade for 1036,1072,317,326,4011,HAPAC2 went without a hitch

mantouboji · Tue Aug 15, 2023 3:56 pm

*) ssh - fixed user RSA private key import;

OK

dioeyandika · Tue Aug 15, 2023 4:01 pm

RB750Gr3 nice warning before start

Screenshot 2023-08-15 200001.png

mazel · Tue Aug 15, 2023 4:42 pm

Around 18 of 30 LtAP mini units are not on-line after update (they are on remote locations so I do not know if they are off-line due to LTE modem issue after update or stuck in boot-loop). Using IPsec IKE2 VPN.

Edit: what means *) lte - fixed LtAP mini default SIM slot "down" changeover to "up" after an upgrade (introduced in v7.10beta1); if we have default "up" sim slot on all units.

Amm0 · Tue Aug 15, 2023 4:52 pm

While UI for BTH is gone as expected, I notice BTH config from 7.11rc builds remains and works – this seems right, since that part is just WG config.

But is the DNS for BTH going to remain active? e.g. I have couple working peers using the <sn>.vpn.mynetname.net to resolve the router's public IP. In my case it doesn't need the proxy part of BTH... so curious if the DNS part is going to break...

eworm · Tue Aug 15, 2023 5:02 pm

I have CCR1009-7G-1C-1S+ go crazy with console crashes, script errors (action timed out) and more. Sadly even generating a support output file fails...
Opened issue SUP-125133.

tim427 · Tue Aug 15, 2023 5:09 pm

routeros7.11.png

All updated without a problem :)

Tue Aug 15, 2023 5:10 pm

While UI for BTH is gone as expected, I notice BTH config from 7.11rc builds remains and works – this seems right, since that part is just WG config.

But is the DNS for BTH going to remain active? e.g. I have couple working peers using the <sn>.vpn.mynetname.net to resolve the router's public IP. In my case it doesn't need the proxy part of BTH... so curious if the DNS part is going to break...

This is expected behavior. We did not want to break your running configs. We just did not want to put "stable" stamp on BTH yet.

kcarhc · Tue Aug 15, 2023 5:15 pm

please check SUP-125134
[RouterOS 7.11] RB5009 after upgrade to 7.11 route empty and cannot output suprif

kcarhc · Tue Aug 15, 2023 5:17 pm

RB5009_7.11.png

erlinden · Tue Aug 15, 2023 5:19 pm

My bonding interface on the RB4011 was no longer working correctly. I was able to ping it from the router and the camera's could communicate (initiated by the NAS), but the corporate network could neither ping nor communicate through browser or native Synology app with the NAS.

Config can be supplied, supout file is sent per mail. Came from v7.10.1, same for v7.10.2.

After downgrading to v7.10.2, everything was up again.

cAP ac, hEX s and wAP ac upgraded without any problems.

parham · Tue Aug 15, 2023 5:41 pm

Very nice upgrade,
*) netwatch - added "src-address" property;

Please add the option to be able the ping IP for failover in route. example: check gateway ping 1.1.1.1 that would helps

usern · Tue Aug 15, 2023 5:55 pm

Back to Home VPN not included in release version?

Edit: nvm, didn't realise to CTRL+F abbreviation: viewtopic.php?t=198641#p1019025

Amm0 · Tue Aug 15, 2023 5:59 pm

Yeah src-address= to netwatch is good add, thanks!

Please add the option to be able the ping IP for failover in route. example: check gateway ping 1.1.1.1 that would helps

+1, recursive routing is PITA. I had a similar idea to yours: viewtopic.php?t=192844

Tue Aug 15, 2023 6:00 pm

Back to Home VPN not included in release version?

Edit: nvm, didn't realise to CTRL+F abbreviation: viewtopic.php?t=198641#p1019025

BTH will be back on 7.12, no worries.

Kraken2k · Tue Aug 15, 2023 6:30 pm

RB4011iGS+5HacQ2HnD updated without any issues so far :)

Thanks!

TOD · Tue Aug 15, 2023 6:32 pm

Although I don't see direct mention in changelog, but problem with IPsec with intermediate certificates finaly resolved in this version -_-

Upd.
If you are still getting an error after upgrade, then remove the root certificate, re-import, and correct tunnels configurations where this certificate was used.
I had such problem on one of my devices(RB4011) and the described workaround helped.

pe1chl · Tue Aug 15, 2023 6:49 pm

Installed it on my RB4011iGS+5HacQ2HnD which has user-manager, rose-storage and container packages installed.
rose-storage is used to mount an NFS volume which I use for backups, no files are open. container is installed but no containers configured.
The router powers an LHG5XL on ether10, which I have shutdown before upgrade.
Then I use "system->packages->check for updates" to find and download the 4 required packages. They are downloaded OK and I manually reboot.

Now something funny happens: the interface LEDs for all ethernet interfaces turn off, except ether10 (the one powering the LHG). Then the router is stuck, I can wait a long time but nothing ever happens. When I powercycle it, the update has not been applied, but when I download it again and reboot, it succeeds.
The previous version was 7.11beta4 which had been running for about a month. This I think is the 3rd time that this scenario happens. It seems like it gets stuck in the upgrade when it had quite some uptime, but not when the upgrade is done immediately after the reboot.
I think next time I will first reboot and see if that succeeds, before downloading the upgrade and reboot again. Because in the end that is what I am doing anyway.

Has anyone else seen this? (during this upgrade or in other recent upgrades)

Guscht · Tue Aug 15, 2023 7:55 pm

Just da smol home-network:

smol-net-1.jpg

Found no issues.

pcunite · Tue Aug 15, 2023 8:15 pm

Very nice upgrade,
*) netwatch - added "src-address" property;

Please add the option to be able the ping IP for failover in route. example: check gateway ping 1.1.1.1 that would helps

Yes, please.

Institor · Tue Aug 15, 2023 8:36 pm

"DoH server connection error: SSL: ssl: CRL not found (6)" error (same as in previous RC versions mentioned in viewtopic.php?t=198228)
I don't understand this:

viewtopic.php?t=198228#p1016666

If use-crl is set to yes, RouterOS will check CRL for each certificate in a certificate chain, therefore, an entire certificate chain should be installed into a device - starting from Root CA, intermediate CA (if there are such), and server certificate that is used for specific service.

Why should it require the entire chain, especially "server certificate that is used for specific service"? This cert can be changed on server side at any time.

Guscht · Tue Aug 15, 2023 9:06 pm

Very nice upgrade,
*) netwatch - added "src-address" property;

Please add the option to be able the ping IP for failover in route. example: check gateway ping 1.1.1.1 that would help

+1 this would solve the whole brainfck with the recursive route lookup target-scope-with-undocumented-incremnt stuff

Paternot · Tue Aug 15, 2023 10:33 pm

Just upgraded one hAP ac lite that was laying around here. It's working as a 5GHz station, connected on another hAP ac lite.

What I did:
1) Created an wireguard tunnel, and
2) Created an EoIP tunnel, using wireguard.

Why? Just because. I wanted to see how well it would do. Bear in mind that both tunnels run on local network - so latency is negligible.

The test was CPU bound (100% usage with 0% packet loss) and the result is this (on a 800/800 link):

Larsa · Tue Aug 15, 2023 10:48 pm

WG/ChaCha lack support för HW acceleration

Fmarte · Tue Aug 15, 2023 10:56 pm

Hello,

ipsec - refresh peer's DNS only when phase 1... is down.

Confirmed, this problem still persists in version 7.11 Stable.

:(

Fmarte · Tue Aug 15, 2023 11:07 pm

In 6.48 (I think) a feature was added for "ipsec - refresh peer's DNS only when phase 1 is down". This resolved an issue in older versions where VPN providers with DNS records with short TTLs would disconnect and reconnect after refreshing the DNS record and receiving a different IP, even theough the tunnel was still active and working.

Since version 7.8 the problem is back, so it seems that the function has been removed again.

I just updated to version 7.11 and the problem still persists.

Is anyone able to confirm this, and is it planned to be reimplemented? Failing that does anyone have a viable workaround other than static DNS records / connecting by IP?

Thanks.

Jotne · Tue Aug 15, 2023 11:31 pm

So its ok for 7.7?
And you have made a support case for it?

Fmarte · Tue Aug 15, 2023 11:45 pm

Yes, in version 7.7 this problem does not exist.

I have not contacted support, I thought it was something that was going to be solved but I see that from version 7.8 to 7.11 it is a lot.

I will be contacting support.

Thank you!

Paternot · Wed Aug 16, 2023 12:18 am

WG/ChaCha lack support för HW acceleration

Yes, it does. But so does IPSec on this hardware. So...

jookraw · Wed Aug 16, 2023 1:36 am

After the upgrade to rOS 7.11, no device is able to connect to any SSID on the 2.4Ghz radio on my hAP ax2. SUP-125184

I only see the following log repeating:
xx:xx:xx:xx:xx:xx@SSID reauthenticating

Already tried:
- Removed the full wifiwave2 config and reapplied it
- downgrade to 7.10.2
- upgraded back to 7.11 wihout any wifi config and applied the config again

oeyre · Wed Aug 16, 2023 2:14 am

Hi,

Can I please get some more detail about this? Link to RFC, forum topic, etc?

*) mpls - improved MPLS TCP performance;

mhenriques · Wed Aug 16, 2023 2:50 am

I have CCR1009-7G-1C-1S+ go crazy with console crashes, script errors (action timed out) and more. Sadly even generating a support output file fails...
Opened issue SUP-125133.

Keep us posted. I have 02 of those beasts on a customer network running V7.10.2. Will refrain from upgrading until hear more from Mikrotik.

Mauricio

mhenriques · Wed Aug 16, 2023 2:52 am

please check SUP-125134
[RouterOS 7.11] RB5009 after upgrade to 7.11 route empty and cannot output suprif

Keep us posted. Have a RB5009UG+S+ at home and will refrain from upgrading until hearing more from Mikrotik.

Mauricio

kreb · Wed Aug 16, 2023 4:38 am

interestingly CCR2116 has better temps after 7.11 upgrade, with 20% min fan speed.

rolling · Wed Aug 16, 2023 9:20 am

Hi,

RB5009UG, CRS328, CRS326, CRS317, hAP, hAP_AC3 upgraded without issues.

Site to site WG tunnels, static routes, wifiwave2...

Regads.

jookraw · Wed Aug 16, 2023 10:02 am

Another one for my collection.
My RB4011 does not allow a device connected to bridge port on a specific vlan to reach to any other device on that vlan, unless I'm running "Torch" on the port.
SUP-125214
Downgrade to 7.10.2 fixes it.

I'm also suspecting issues on my RB5009, I'll downgrade it to see if I'm right

eworm · Wed Aug 16, 2023 10:05 am

I have CCR1009-7G-1C-1S+ go crazy with console crashes, script errors (action timed out) and more. Sadly even generating a support output file fails...
Opened issue SUP-125133.

Generating an export results in this before console crashes, just again:

#error exporting "/caps-man/channel" (timeout)
#error exporting "/caps-man/configuration" (timeout)
#error exporting "/caps-man/datapath" (timeout)
#error exporting "/caps-man/rates" (timeout)
#error exporting "/caps-man/security" (timeout)

Also I have seen this on CHR now, running CAPsMAN as well. I think the issue is hidden there, and not related to architecture.

Happily I could generate a support output file this time on CHR, so let's hope for some results.

diamuxin · Wed Aug 16, 2023 10:46 am

Hi,

Issues with CAPSMAN on a RB4011 router, error type "removing stale connection". Back to version v7.10 and OK.

BR.

erlinden · Wed Aug 16, 2023 10:55 am

My RB4011 does not allow a device connected to bridge port on a specific vlan to reach to any other device on that vlan, unless I'm running "Torch" on the port.
SUP-125214

Sounds like my problem, where you able to ping it from the router?
SUP-125143

mazel · Wed Aug 16, 2023 11:17 am

Around 18 of 30 LtAP mini units are not on-line after update (they are on remote locations so I do not know if they are off-line due to LTE modem issue after update or stuck in boot-loop). Using IPsec IKE2 VPN.

Edit: what means *) lte - fixed LtAP mini default SIM slot "down" changeover to "up" after an upgrade (introduced in v7.10beta1); if we have default "up" sim slot on all units.

I have to warn all users who wants to update LtAP mini units to ROS 7.11. All off-line units mentioned above (more than half of units) have SIM-Failure after update, nothing but only downgrade to ROS 7.10.2 helps. So I cannot recommend updating of LtAP mini units...

Edit: It seems that units using IPsec IKE2 having issues connecting back (even HEX and HEX S over LAN) - I am using scripts to reset VPN connection (disable and re-enable peer) when no connection or reboot when no connection for 1 hour not helping also. And units using LTE having SIM-Failure issue. So far, this "stable" update is the worst since first ROS 7 release.

ivicask · Wed Aug 16, 2023 11:20 am

Hi,

Issues with CAPSMAN on a RB4011 router, error type "removing stale connection". Back to version v7.10 and OK.

BR.

I got RB4011 and capsman works fine on 7.11, usually that error is firewall problem, try allowing UDP "5246,5247" on input chain on your bidge side and see if fixes it on v.7.11

pe1chl · Wed Aug 16, 2023 11:20 am

My RB4011 does not allow a device connected to bridge port on a specific vlan to reach to any other device on that vlan, unless I'm running "Torch" on the port.
SUP-125214
Sounds like my problem, where you able to ping it from the router?
SUP-125143

I am having this same problem. I have an RB4011 and I have ports from both switch chips in the same VLAN-filtering bridge. My PC is on a trunked port on switch1 and two devices are untagged on a VLAN on switch2. I cannot ping them from the PC anymore, and when I torch on one of them or disable hardware offloading it works again, but for the other device it does not solve it.
I see that when the device that works with hw offloading off is pinged with offloading on, the reply arrives on the wrong VLAN (untagged on the PC).
The devices with problems can both be pinged from the router.
Something is seriously broken here!

jookraw · Wed Aug 16, 2023 11:23 am

My RB4011 does not allow a device connected to bridge port on a specific vlan to reach to any other device on that vlan, unless I'm running "Torch" on the port.
SUP-125214
Sounds like my problem, where you able to ping it from the router?
SUP-125143

From the router I can ping the device on that particular port, but nothing on another port. when pinging from the router the other devices are "magically" reachable from affected device.

pe1chl · Wed Aug 16, 2023 11:47 am

Yes, for some time. It looks like there is some problem with broadcast (and thus ARP) handling.

steginger · Wed Aug 16, 2023 11:48 am

My RB4011 does not allow a device connected to bridge port on a specific vlan to reach to any other device on that vlan, unless I'm running "Torch" on the port.
SUP-125214
Sounds like my problem, where you able to ping it from the router?
SUP-125143

I seem to have similar problem with a RB1100AHx4.

eth7 is a trunk port for my VLANs. One of those VLANs is untagged on eth11.
From some other switch (hEX) connected to eth7 I can ping RB1100, but nothing that is connected to eth11.
eth6/8/9 are also trunk ports for those VLANs, but traffic from those ports (coming in via some hAP ac2) works from/to eth11.
Difference is maybe that working traffic from eth6/8/9 is actually routed by RB1100 to the VLAN on eth11, while the not working traffic from eth7 only shall be "switched" to eth11.

Going back to 7.10.2 everything works fine again.

rb9999 · Wed Aug 16, 2023 12:15 pm

After updating my knot lr8 kit from 7.10.2 to 7.11 lora gateway seems to be disabled after reboot. it is reproducable by rebooting the device.. even though i manually started the gw, it remains enabled only till a reboot

diamuxin · Wed Aug 16, 2023 12:21 pm

usually that error is firewall problem, try allowing UDP "5246,5247" on input chain on your bidge side and see if fixes it on v.7.11

But CAPSMAN has always worked fine with v7.10 without the need to open ports 5246 and 5247, I understand that internally CAPSMAN already enables them.

rb9999 · Wed Aug 16, 2023 12:27 pm

fun fact.. lora lr8 it also forgets which server it should be using after every reboot... using "TTN v3 (eu1)" usually...

pe1chl · Wed Aug 16, 2023 12:32 pm

fun fact.. lora lr8 it also forgets which server it should be using after every reboot... using "TTN v3 (eu1)" usually...

You may be having the "some configuration forgotten at reboot" issue that has appeared in v7 for several people.
Try to export your config (and download it), netinstall the device to 7.11 without config, and then paste the exported config again (from winbox connected to MAC address).
See if that solves your problem without downgrading. There may be a corruption in the configuration database.
It would be convenient when MikroTik would add some "rebuild configuration" feature that does this all automatically within the router.
(export config to a file, reset database, import the exported config back in)

madgrok · Wed Aug 16, 2023 12:49 pm

OpenVPN (UDP)
hAP AC3. Very similar problem (viewtopic.php?t=197690). But addresses and routes are present.

Sent supout.rif to support@mikrotik.com.

Systematic problems with ovpn are really annoying.

DeGlucker · Wed Aug 16, 2023 12:59 pm

When you will finally fix WiFi on x86 systems ?!?!?! I was forced to rollback to 7.6 again !!!

PackElend · Wed Aug 16, 2023 1:04 pm

What's new in 7.11 (2023-Aug-15 09:33):

*) bridge - added warning when VLAN interface list contains ports that are not bridged;
*) bridge - prevent bridging the VLAN interface created on the same bridge;

does this have any impact on existing VLAN configuration?

memelchenkov · Wed Aug 16, 2023 1:24 pm

This update is relatively slow. Don't worry if your router is not up in few seconds. Await several minutes.

rb9999 · Wed Aug 16, 2023 1:25 pm

fun fact.. lora lr8 it also forgets which server it should be using after every reboot... using "TTN v3 (eu1)" usually...
You may be having the "some configuration forgotten at reboot" issue that has appeared in v7 for several people.
Try to export your config (and download it), netinstall the device to 7.11 without config, and then paste the exported config again (from winbox connected to MAC address).
See if that solves your problem without downgrading. There may be a corruption in the configuration database.
It would be convenient when MikroTik would add some "rebuild configuration" feature that does this all automatically within the router.
(export config to a file, reset database, import the exported config back in)

Thanks for the info.. As it's a remote system I'll try this the next time I'll be at the location... I hope everything will remain online till then.

pe1chl · Wed Aug 16, 2023 2:15 pm

It is just a suggestion, it may also be a version-related problem. But I have seen this issue myself in v7 and have seen others report it (on earlier v7.x versions). After doing the above procedure it did not come back.

pe1chl · Wed Aug 16, 2023 2:18 pm

What's new in 7.11 (2023-Aug-15 09:33):

*) bridge - added warning when VLAN interface list contains ports that are not bridged;
*) bridge - prevent bridging the VLAN interface created on the same bridge;
does this have any impact on existing VLAN configuration?

Maybe. For me the VLAN-filtering bridge is now broken and I had to revert to 7.11beta. I think my config is OK, but maybe MikroTik will at some time clarify what config you cannot have in this version.

Guscht · Wed Aug 16, 2023 2:52 pm

*) bridge - prevent bridging the VLAN interface created on the same bridge;

Even after reading this a few times, I dont know what this means?

Evgeniy29 · Wed Aug 16, 2023 3:00 pm

I have CCR1038-8G-2S+ and CRS328-4C-20S-4S+. They are connected to each other by a cable XS+DA0001. Connect 10G. This port in Trunk. On RouterOS 7.10.2 Stable all works fine.

Today I update my devices to ROS 7.11. I got the following problem: If I reboot CRS328, on CCR1038 stopping all VLANs interfaces and halt CAPsMAN. Only reboot CCR1038 helps.

I downgrade my devices to ROS 7.10.2.

Please correct this bug.

pe1chl · Wed Aug 16, 2023 3:23 pm

*) bridge - prevent bridging the VLAN interface created on the same bridge;
Even after reading this a few times, I dont know what this means?

Yeah... I think they mean adding a vlan subinterface created on a bridge (the CPU side, to have an address and routing on it) as a port on the bridge itself. That could result in an encapsulation loop, which maybe crashes the system, uses all memory, eats CPU time or whatever.

Amm0 · Wed Aug 16, 2023 3:33 pm

*) bridge - prevent bridging the VLAN interface created on the same bridge;

Just tried it.

If you have an /interface/vlan that's listening (interface=) on a bridge & then add that VLAN interface as a port in /interface/bridge/port on the same bridge... RouterOS will add it, but marks it as invalid (e.g. "I" shown). This make sense since it is, actually, an invalid configuration – it just let you do that in previous releases to ill effects as @pe1chl describes.

You can still add a VLAN interface as port on a different bridge.

jvanhambelgium · Wed Aug 16, 2023 6:29 pm

Updated LAB RB3011 to 7.11 and all seems fine (for my limited use-cases ; basic PPPoE Internet, IPSEC-tunnel to RB5009 etc)

bandit1200 · Wed Aug 16, 2023 7:02 pm

+1 something in VLAN filtering/HW Offload seems broken.

RB4011
Bridge/VLAN with VLAN filtering and HW offload, across two switch groups.
Can't ping device from one switch group to the other switch group.

Fun to track down, because when I turned on packet sniffer, it worked fine. (cause it disabled HW offload, I presume.)

Wed Aug 16, 2023 7:17 pm

+1 something in VLAN filtering/HW Offload seems broken.

RB4011
Bridge/VLAN with VLAN filtering and HW offload, across two switch groups.
Can't ping device from one switch group to the other switch group.

Fun to track down, because when I turned on packet sniffer, it worked fine. (cause it disabled HW offload, I presume.)

take a look at this info

https://help.mikrotik.com/docs/display/ ... witchchips

Wed Aug 16, 2023 7:25 pm

Thanks for the feedback on RB4011/RB1100AHx4 with HW offloaded vlan-filtering. The problem is reproduced, and we are working on a solution.

It is related to the FastPath fix (introduced in v7.11rc1):
*) bridge - fixed MAC learning on "switch-cpu" port with enabled FastPath

Running Torch or Sniffer solves it because it disables bridge FastPath, the same as using:
/interface bridge settings
set allow-fast-path=no

bandit1200 · Wed Aug 16, 2023 8:22 pm

Thanks for the feedback on RB4011/RB1100AHx4 with HW offloaded vlan-filtering. The problem is reproduced, and we are working on a solution.

Super, thanks!

kotrbus · Wed Aug 16, 2023 8:54 pm

OpenVPN (UDP)
hAP AC3. Very similar problem (viewtopic.php?t=197690). But addresses and routes are present.

Sent supout.rif to support@mikrotik.com.

Systematic problems with ovpn are really annoying.

same HW, same problem. TCP mode works, UDP not. Mikrotik Team could you please fix it?

bommi · Wed Aug 16, 2023 9:40 pm

Running Torch or Sniffer solves it because it disables bridge FastPath, the same as using:
/interface bridge settings
set allow-fast-path=no

I thought I had the same problem on my hEX S, but disabling the fast-path didn't help.
The device does not respond on all vlans interfaces on the bridge after a few minutes.
Only the access over the wan interface, which is not bound to any bridges is working.
A rollback to 7.10.2 fixes this.

domingotorres · Wed Aug 16, 2023 10:05 pm

when i to try make a file export, the password of the user hotspot is wrong no exists
you can replicate "export file=backup"

İmposss · Wed Aug 16, 2023 10:13 pm

Hello, I have two hapax3 devices. One is located on the upper floor of my house and the other on the lower floor, and I use the one on the upper floor as a router and the one on the lower floor as a cap. They are connected to each other with a cable. All of my problems are related to wifiwave2.

I'm using Wifiwave2 with CapsMan. I have the main router set to local mode, and the cap is set to capsman managed mode.

In version 7.10.2, the "rejected, can't find PMKSA" messages that I was receiving have been resolved in 7.11. However, I've started getting "SA Query timed out" messages now, and another issue I noticed is that devices are no longer able to roam. Instead of receiving a "Connection lost" message, receiving an "SA Query timed out" message.

As a result, due to disconnections and packet losses in wireless device connections, I reverted to version 7.10.2.

main router conf.


/interface bridge
add admin-mac=xx arp=proxy-arp auto-mac=no name="Local Bridge"
add admin-mac=xx auto-mac=no name="PPPoE Bridge"
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
/interface vlan
add interface="PPPoE Bridge" name="PPPoE vlan35" vlan-id=35
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface="PPPoE vlan35" \
    keepalive-timeout=60 name=PPPoE user=xxxxx
/interface list
add name=WAN
add name=LAN
/interface wifiwave2 channel
add band=2ghz-ax disabled=no frequency=2412,2452 name="xxxx" width=\
    20/40mhz-Ce
add band=5ghz-ax disabled=no frequency=5240 name="xxxx" skip-dfs-channels=\
    all width=20/40/80mhz
/interface wifiwave2 datapath
add bridge="Local Bridge" disabled=no name=datapath
/interface wifiwave2 security
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 name=xxx
/interface wifiwave2 configuration
add channel="xxxx" country=Turkey datapath=datapath disabled=no mode=ap \
    name="xxxx" security=xxx ssid=xxx tx-power=13
add channel="xxxx" datapath=datapath disabled=no mode=ap name=\
    "xxxx" security=xxx ssid="xxxx"
add channel="xxx" country="United States" datapath=datapath disabled=no \
    mode=ap name="xxxx" security=Apo ssid=xxx tx-power=20
add channel="xxxx" datapath=datapath disabled=no mode=ap name=\
    "xxxxz" security=xxx ssid="xxx"
/ip pool
add name=DHCP ranges=192.168.xx.100-192.168.8.254
/ip dhcp-server
add add-arp=yes address-pool=DHCP interface="Local Bridge" lease-time=10m name=\
    "Local DHCP"
/ppp profile
set *0 change-tcp-mss=default use-ipv6=default
/interface bridge port
add bridge="Local Bridge" interface=ether2
add bridge="Local Bridge" interface=ether3
add bridge="Local Bridge" interface=ether4
add bridge="Local Bridge" interface=ether1
add bridge="PPPoE Bridge" interface=ether5
add bridge="Local Bridge" interface=dynamic
/ip neighbor discovery-settings
set discover-interface-list=!WAN
/ip settings
set accept-source-route=yes tcp-syncookies=yes
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=default enabled=yes \
    use-ipsec=required
/interface list member
add interface="Local Bridge" list=LAN
add interface=PPPoE list=WAN
add interface=ether5 list=WAN
add interface="PPPoE vlan35" list=WAN
add interface="PPPoE Bridge" list=WAN
/interface wifiwave2 cap
set discovery-interfaces="Local Bridge" slaves-datapath=datapath
/interface wifiwave2 capsman
set enabled=yes interfaces="Local Bridge" package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration="xxxx" \
    slave-configurations="xxxx" supported-bands=2ghz-ax,2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration="xxxx" \
    slave-configurations="xxxx" supported-bands=5ghz-ax
/ip address
add address=192.168.xx.xx/24 interface="Local Bridge" network=192.168.8.0
/ip dhcp-server config
set store-leases-disk=never

/ip dhcp-server network
add address=192.168.8.0/24 dns-server=192.168.8.59,192.168.8.49 gateway=\
    192.168.8.59 ntp-server=162.159.200.123
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d use-doh-server=\
    https://dns.adguard-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=2606:4700:4700::1001 name=cloudflare-dns.com type=AAAA
add address=2606:4700:4700::1111 name=cloudflare-dns.com type=AAAA
add address=1.0.0.1 name=cloudflare-dns.com
add address=1.1.1.1 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
add address=192.168.8.59 name="Local DNS1"
add address=192.168.8.49 name="Local DNS2"
add address=fe80::c6ad:34ff:fe01:4059 name="Local DNS1" type=AAAA
add address=fe80::4a8f:5aff:feef:d049 name="Local DNS2" type=AAAA
add address=94.140.14.14 name=dns.adguard-dns.com
add address=94.140.15.15 name=dns.adguard-dns.com
add address=2a10:50c0::ad1:ff name=dns.adguard-dns.com type=AAAA
add address=2a10:50c0::ad2:ff name=dns.adguard-dns.com type=AAAA
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=no_forward_ipv4
add address=169.254.0.0/16 comment=RFC6890 list=no_forward_ipv4
add address=224.0.0.0/4 comment="RFC6890 multicast" disabled=yes list=\
    no_forward_ipv4
add address=255.255.255.255 comment=RFC6890 disabled=yes list=no_forward_ipv4
add address=127.0.0.0/8 comment=RFC6890 list=bad_ipv4
add address=192.0.0.0/24 comment=RFC6890 list=bad_ipv4
add address=192.0.2.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=0.0.0.0/8 comment=RFC6890 list=not_global_ipv4
add address=10.0.0.0/8 comment=RFC6890 list=not_global_ipv4
add address=100.64.0.0/10 comment=RFC6890 list=not_global_ipv4
add address=169.254.0.0/16 comment=RFC6890 list=not_global_ipv4
add address=172.16.0.0/12 comment=RFC6890 list=not_global_ipv4
add address=192.0.0.0/29 comment=RFC6890 list=not_global_ipv4
add address=192.168.0.0/16 comment=RFC6890 list=not_global_ipv4
add address=198.18.0.0/15 comment="RFC6890 benchmark" list=not_global_ipv4
add address=224.0.0.0/4 comment=multicast list=bad_src_ipv4
add address=255.255.255.255 comment=RFC6890 list=bad_src_ipv4
add address=0.0.0.0/8 comment=RFC6890 list=bad_dst_ipv4
add address=224.0.0.0/4 comment="RFC6890 multicast" disabled=yes list=\
    bad_dst_ipv4
add address=240.0.0.0/4 comment="RFC6890 reserved" disabled=yes list=bad_ipv4
add address=240.0.0.0/4 comment="RFC6890 reserved" list=not_global_ipv4
add address=255.255.255.255 comment=RFC6890 list=not_global_ipv4
/ip firewall filter
add action=accept chain=input comment="accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment=capsman dst-address-type=local protocol=\
    udp src-address-type=local src-port=5246,5247
add action=accept chain=input comment=capsman dst-address-type=local dst-port=\
    5246,5247 protocol=udp src-address-type=local
add action=accept chain=input comment="accept l2tp" dst-port=1701,4500,500 \
    protocol=udp src-address-list=!no_nas
add action=drop chain=input comment="drop all coming from WAN" \
    in-interface-list=WAN
add action=accept chain=forward comment="accept all that matches IPSec policy" \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop bad forward IPs" src-address-list=\
    no_forward_ipv4
add action=drop chain=forward comment="drop bad forward IPs" dst-address-list=\
    no_forward_ipv4
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
/ip firewall nat
add action=accept chain=srcnat comment="accept all that matches IPSec policy" \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat out-interface=PPPoE
/ip firewall raw
add action=accept chain=prerouting comment="enable for transparent firewall" \
    disabled=yes
add action=accept chain=prerouting comment="accept DHCP discover" dst-address=\
    255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=\
    0.0.0.0 src-port=68
add action=accept chain=prerouting comment=capsman dst-address-type=local \
    dst-port=5246,5247 protocol=udp src-address-type=local
add action=accept chain=prerouting comment=capsman dst-address-type=local \
    protocol=udp src-address-type=local src-port=5246,5247
add action=drop chain=prerouting comment="drop echo request from wan" \
    icmp-options=8:0-255 in-interface-list=WAN protocol=icmp
add action=drop chain=prerouting comment="drop bogon IP's" src-address-list=\
    bad_ipv4
add action=drop chain=prerouting comment="drop bogon IP's" dst-address-list=\
    bad_ipv4
add action=drop chain=prerouting comment="drop bogon IP's" src-address-list=\
    bad_src_ipv4
add action=drop chain=prerouting comment="drop bogon IP's" dst-address-list=\
    bad_dst_ipv4
add action=drop chain=prerouting comment="drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="drop forward to local lan from WAN" \
    dst-address=192.168.8.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "drop local if not from default IP range" in-interface-list=LAN \
    src-address=!192.168.8.0/24
add action=drop chain=prerouting comment="drop bad UDP" port=0 protocol=udp
add action=drop chain=prerouting comment="drop bad tcp" port=0 protocol=tcp
add action=jump chain=prerouting comment="jump to ICMP chain" disabled=yes \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="jump to TCP chain" disabled=yes \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="accept everything else from LAN" \
    in-interface-list=LAN
add action=accept chain=prerouting comment="accept everything else from WAN" \
    in-interface-list=WAN
add action=accept chain=prerouting comment="drop the rest"
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PPPoE type=external
add interface="Local Bridge" type=internal
/ipv6 address
add address=::c6ad:34ff:fe01:4059 eui-64=yes from-pool=ipv6 interface=\
    "Local Bridge"
/ipv6 dhcp-client
add interface=PPPoE pool-name=ipv6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=fe80::/10 comment="RFC6890 Linked-Scoped Unicast" disabled=yes \
    list=no_forward_ipv6
add address=ff00::/8 comment=multicast disabled=yes list=no_forward_ipv6
add address=::1/128 comment="RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="RFC6890 IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment=RFC6890 list=bad_ipv6
add address=2001:db8::/32 comment="RFC6890 documentation" list=bad_ipv6
add address=2001:10::/28 comment="RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="ipv4 compat" list=bad_ipv6
add address=100::/64 comment="RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment=unspecified list=bad_dst_ipv6
add address=::/128 comment=unspecified list=bad_src_ipv6
add address=ff00::/8 comment=multicast list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="accept UDP traceroute" port=33434-33534 \
    protocol=udp
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." \
    dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="accept IKE" dst-port=500,4500 protocol=\
    udp
add action=accept chain=input comment="accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="drop all coming from WAN" \
    in-interface-list=WAN
add action=accept chain=forward comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop bad forward IPs" disabled=yes \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="drop bad forward IPs" disabled=yes \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="rfc4890 drop hop-limit=1" disabled=yes \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="accept ICMPv6 after RAW" disabled=yes \
    protocol=icmpv6
add action=accept chain=forward comment="accept HIP" disabled=yes protocol=139
add action=accept chain=forward comment="accept IKE" disabled=yes dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="accept AH" disabled=yes protocol=\
    ipsec-ah
add action=accept chain=forward comment="accept ESP" disabled=yes protocol=\
    ipsec-esp
add action=accept chain=forward comment="accept all that matches IPSec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "drop everything else not coming from LAN" disabled=yes in-interface-list=\
    !LAN
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
/ipv6 firewall raw
add action=accept chain=prerouting comment="enable for transparent firewall" \
    disabled=yes
add action=accept chain=prerouting comment="RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135:0-255 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="drop echo request from wan" \
    icmp-options=128:0-255 in-interface-list=WAN protocol=icmpv6
add action=accept chain=prerouting comment="accept local multicast scope" \
    dst-address=ff02::/16
add action=accept chain=prerouting comment="accept site multicast scope" \
    dst-address=ff05::/16
add action=drop chain=prerouting comment="drop other multicast destinations" \
    dst-address=ff00::/8
add action=drop chain=prerouting comment="drop bogon IP's" src-address-list=\
    bad_ipv6
add action=drop chain=prerouting comment="drop bogon IP's" dst-address-list=\
    bad_ipv6
add action=drop chain=prerouting comment="drop packets with bad SRC ipv6" \
    src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="drop packets with bad dst ipv6" \
    dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="jump to ICMPv6 chain" disabled=yes \
    jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="accept everything else from WAN" \
    in-interface-list=WAN
add action=accept chain=prerouting comment="accept everything else from LAN" \
    in-interface-list=LAN
add action=accept chain=prerouting comment="drop the rest"
/ipv6 nd
set [ find default=yes ] dns=\
    fe80::c6ad:34ff:fe01:4059,fe80::4a8f:5aff:feef:d049
/system clock
set time-zone-name=Europe/Istanbul
/system identity
set name="hAP ax3"
/system logging
add disabled=yes topics=dhcp,debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=2606:4700:f1::123
add address=162.159.200.123
/system routerboard reset-button
set enabled=yes hold-time=0s..5s on-event="system shutdown"

cap conf.


/interface bridge
add admin-mac=48:8F:5A:EF:D0:49 arp=proxy-arp auto-mac=no name="Local Bridge"
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
/interface list
add name=LAN
add name=WAN
/interface wifiwave2 datapath
add bridge="Local Bridge" disabled=no name=datapath
/interface wifiwave2
# managed by CAPsMAN
# mode: AP, SSID: Apo, channel: 2412/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=datapath disabled=no name=wlan2.4GHz
# managed by CAPsMAN
# mode: AP, SSID: Apo, channel: 5240/ax/eeeC
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=datapath disabled=no name=wlan5GHz
/port
set 0 name=serial0
/interface bridge port
add bridge="Local Bridge" interface=ether1
add bridge="Local Bridge" interface=ether2
add bridge="Local Bridge" interface=ether3
add bridge="Local Bridge" interface=ether4
add bridge="Local Bridge" interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-source-route=yes tcp-syncookies=yes
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=15360
/interface list member
add interface="Local Bridge" list=LAN
/interface wifiwave2 cap
set discovery-interfaces="Local Bridge" enabled=yes slaves-datapath=datapath
/ip dhcp-client
add interface="Local Bridge"
/ip dhcp-server config
set store-leases-disk=never
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d use-doh-server=\
    https://dns.adguard-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.xx.xx name="Local DNS2"
add address=192.168.xx.xx name="Local DNS1"
add address=fe80::4a8f:5aff:feef:d049 name="Local DNS2" type=AAAA
add address=fe80::c6ad:34ff:fe01:4059 name="Local DNS1" type=AAAA
add address=45.90.28.95 name=dns.nextdns.io
add address=45.90.30.95 name=dns.nextdns.io
add address=2a07:a8c0::89:ef8e name=dns.nextdns.io type=AAAA
add address=2a07:a8c1::89:ef8e name=dns.nextdns.io type=AAAA
add address=94.140.14.14 name=dns.adguard-dns.com
add address=94.140.15.15 name=dns.adguard-dns.com
add address=2a10:50c0::ad1:ff name=dns.adguard-dns.com type=AAAA
add address=2a10:50c0::ad2:ff name=dns.adguard-dns.com type=AAAA
/ipv6 firewall address-list
add address=ff02::/16 list="linklocal multicast"
add address=ff05::/16 list="linklocal multicast"
add address=fe80::/10 list="linklocal multicast"
/ipv6 firewall filter
add action=accept chain=input comment="accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="accept linklocal multicast" \
    dst-address-list="linklocal multicast"
add action=accept chain=input comment="accept UDP traceroute" port=33434-33534 \
    protocol=udp
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." \
    dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="accept IKE" dst-port=500,4500 protocol=\
    udp
add action=accept chain=input comment="accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="drop all coming from WAN" src-mac-address=\
    C4:AD:34:01:40:59
add action=accept chain=input log=yes
/system clock
set time-zone-name=Europe/Istanbul
/system identity
set name="hAP ax3 2"
/system note
set show-at-login=no
/system routerboard reset-button
set enabled=yes hold-time=0s..5s on-event="system shutdown"

Edit: all of them solved.
For SA query timeout:

/interface/wifiwave2/configuration> set [find] security.connect-priority=0/1

pe1chl · Wed Aug 16, 2023 10:21 pm

when i to try make a file export, the password of the user hotspot is wrong no exists
you can replicate "export file=backup"

In version 7.x you need to use: "export show-sensitive file=backup" to include passwords etc.

mhenriques · Wed Aug 16, 2023 11:34 pm

Will V7.* ever have a "long term" release?

domingotorres · Thu Aug 17, 2023 12:11 am

Thanks

clambert · Thu Aug 17, 2023 12:24 am

Hi,

Can I please get some more detail about this? Link to RFC, forum topic, etc?

*) mpls - improved MPLS TCP performance;

I asked about this here viewtopic.php?p=1009237#p1009237, but the answer was a joke.

jayooo · Thu Aug 17, 2023 1:20 am

Upgrading to 7.11 makes my HEX unusable. Internet speed is barely above 0, and nowhere even near 1mbps.

I am using vlans, both tagged and untagged. I see that there are a lot of vlan changes in the changelog. Based on the fact that so many people here are having no issues, I assume it is something to do with the vlan changes in 7.11 causing my issues.

When I downgrade to 7.10.2 without making any other changes, speeds are back up to 400mbps and everything works properly.

DeviceLocksmith · Thu Aug 17, 2023 3:53 am

Fasttrack stopped working with L3HW turned off on CCR2116. IPv6 forwarding continued to work (because there's no fasttrack). Turning off fasttrack FW rules brought IPv4 forwarding back. L3HW also helps, but it's not stable enough for me (connections start timing out over time). Router on a stick with combination of tagged and untagged ports, NAT on untagged Internet port. Had to revert back to 7.10.2

ashpri · Thu Aug 17, 2023 4:13 am

Problem with my HAPAC2 after 7.11 (ROS and RouterBOARD) from 7.9.2. HAPAC2 locks up every 15-30 mins consistently. Downgraded to 7.10.2.

oeyre · Thu Aug 17, 2023 5:24 am

I asked about this here viewtopic.php?p=1009237#p1009237, but the answer was a joke.

Yes, quite disappointing that valid and politely asked questions for such a vague change line are brushed aside or ignored.

OBIM · Thu Aug 17, 2023 6:06 am

What is Wifi Wave 2 for?

mantouboji · Thu Aug 17, 2023 6:22 am

I upgraded my RB4011iGS+5HacQ2HnD from V7.10.2 to V7.11, and my Wireless(2.4ghz + 5ghz) lost to Wifi Wave2 that is not working. Mode now have only AP and Station.
I wish I can have my Wireless back.
I think every other things seem okay.

RB4011 only supports wave2 in 5G band, no 2.4G . So don’t install wifiwave2 package unless you have another 2.4G AP .

OBIM · Thu Aug 17, 2023 7:15 am

I upgraded my RB4011iGS+5HacQ2HnD from V7.10.2 to V7.11, and my Wireless(2.4ghz + 5ghz) lost to Wifi Wave2 that is not working. Mode now have only AP and Station.
I wish I can have my Wireless back.
I think every other things seem okay.
RB4011 only supports wave2 in 5G band, no 2.4G . So don’t install wifiwave2 package unless you have another 2.4G AP .

Yes, I disabled Wifi wave2 and everything is okay, full wireless is back.

bommi · Thu Aug 17, 2023 7:54 am

What is Wifi Wave 2 for?

You can find all information about wifiwave2 here:
https://help.mikrotik.com/docs/display/ROS/WifiWave2

OBIM · Thu Aug 17, 2023 8:04 am

What is Wifi Wave 2 for?
You can find all information about wifiwave2 here:
https://help.mikrotik.com/docs/display/ROS/WifiWave2

Thank you.

Larsa · Thu Aug 17, 2023 8:16 am

What is Wifi Wave 2 for?

Wave2 = core device drivers supplied by the chip manufacture. Previous drivers were developed by MT.

dredex · Thu Aug 17, 2023 9:45 am

RB750Gr3 with 5 VLANs on Bridge, after the update Default VLAN 1 not reaching internet and other VLANs can't connect to anything in Default VLAN.
The problem is fixed after disabling Hardware Offload on Trunk Interface

Thu Aug 17, 2023 9:52 am

This should have been fixed with this:
-- switch - fixed BPDU packet processing on MT7621, MT7531 with HW offloaded vlan-filtering;

Best to create supout.rif and make support ticket.
Probably still some border case which was missed.

repcio · Thu Aug 17, 2023 12:31 pm

I did upgrade on CRS354 and LtAP on both systems failed to upgrade and I had to to a netinstall.
Systems we doing up/down on ethernet port (on LtAP, to CSR354 i need to drive 100km :/ )

AdB · Thu Aug 17, 2023 12:32 pm

CapsMan / Wifiwawe2 stopped working on a network with RB5009UG (CapsManager) and hAP ax lite (managed by CapsMan) after v7.11 upgrade.
Had to downgrade to v7.10.2 to be able to restart.

Generally speaking, CapsMan on Wifiwave2 is not so clear, especially the part concerning the "provisioning" mechanism. Perhaps I'm completely stupid, perhaps there is bugs in Mikrotik RouterOS, perhaps it's unclear explainations in Mikrotik help, but I'm loosing hours on this subject and I'm fed up. It's a shame because CapsMan is a very good idea.
A technical video on WifiWave2 CapsMan configuration can help a lot, but I did not found one.

eworm · Thu Aug 17, 2023 12:38 pm

I am in contact with support regarding issues with capsman. Looks like this is not caused by capsman itself, but handling of dynamic interfaces in bridge.
Currently running 7.12alpha74 on a CHR, works without issue for now. Holding thumbs...

rtlx · Thu Aug 17, 2023 4:41 pm

OpenVPN in UDP mode, TLSv1.2 only, on hex Gr3 still fails when key renegotiation timeout is reached.

deanMK · Thu Aug 17, 2023 4:51 pm

Someone tested this on hAP AX3? How is wifi on this build?

Thu Aug 17, 2023 4:59 pm

Someone tested this on hAP AX3? How is wifi on this build?

No problems seen since yesterday. Haven't seen any real showstoppers anymore since 7.10 (for my use case).

Joe1vm · Thu Aug 17, 2023 6:19 pm

Hello,
after the update from 7.10.2 I have very similar issue as was reported by İmposss few posts above.
Multiple SA Query timed out" message for some devices, which are not able to be roamed properly - the connection is interupted for few seconsd.

My Topology is: RB5009UG+S+IN – main router (port1 WAN, port 2 connected to Cisco switch), CAPSMAN, CISCO SG300-28P – switch, 2x HAP ax2 and hAP ax3(connected to switch and configured as CAPs.

pothi · Thu Aug 17, 2023 6:29 pm

@deanMK no issues so far from my limited testing with this version on hAP AX3.

Thu Aug 17, 2023 7:39 pm

@joe1vm
Best to create supout.rif and contact support.

Adriahno · Thu Aug 17, 2023 8:13 pm

Someone tested this on hAP AX3? How is wifi on this build?

Now worst than before :)

karhill · Thu Aug 17, 2023 8:25 pm

Someone tested this on hAP AX3? How is wifi on this build?

Running well on a hAP ax2. I had lots of wifi issues (basically 5GHZ radio dropping off line) with 7.9 and 7.10. I'm not ready to say the wifi is problem-free, but's much better in my case.

raphaps · Thu Aug 17, 2023 9:53 pm

Openvpn with about 150 connections running on TCP crashes after 40 minutes. It was working fine until 7.11beta2, after that it was just a problem.

jayooo · Fri Aug 18, 2023 12:40 am

Thanks for the feedback on RB4011/RB1100AHx4 with HW offloaded vlan-filtering. The problem is reproduced, and we are working on a solution.

It is related to the FastPath fix (introduced in v7.11rc1):
*) bridge - fixed MAC learning on "switch-cpu" port with enabled FastPath

Running Torch or Sniffer solves it because it disables bridge FastPath, the same as using:
/interface bridge settings
set allow-fast-path=no

Same issue on HEX! HW Offload Enable = vlans broken. Disable HW offload = VLANS working

Actually, disabling fast-path does not fix it on HEX. You have to go into each port and disable HW Offload to fix it.

Panbambaryla · Fri Aug 18, 2023 8:33 am

The same hardware offloading related problems happens to me on CCR2004-16G-2S+ with v.7.11. Adding bonding interface (LACP) to a multiple VLAN LAN-side bridge (port 7 & 8 - the same internal switch-chip) causing many router-switch disconnections and LAG flapping. Disabling HW offloading on that specific bonding interface resolves the problem.

Fri Aug 18, 2023 8:41 am

Please provide supout.rif to support so they can look into these cases.

AUsquirrel · Fri Aug 18, 2023 9:01 am

Upgraded 2 x 5009, 2 x cAP, 1 x mAP and 1 x cAP ax.

I have had the issue reported by AdB and eworm that my 5009 running my capsman is "dropping" the VLANs for any VLAN edge ports on the 5009. This includes the management vlan that then drops the wireless networks.

The rest are working fine.

jhbarrantes · Fri Aug 18, 2023 9:58 am

Upgraded 2 x 5009, 2 x cAP, 1 x mAP and 1 x cAP ax.

I have had the issue reported by AdB and eworm that my 5009 running my capsman is "dropping" the VLANs for any VLAN edge ports on the 5009. This includes the management vlan that then drops the wireless networks.

The rest are working fine.

Hi,

had the same issue with an hEX-S with VLAN filtering enabled, running CAPsMAN and 3x cAP-AC's. I workaround this by removing "bridgeLocal" as discovery interface in the cAPs, and adding them a CAPsMAN address (so finding the CAPsMAN in L3, rather than L2). Just if it helps as a temporal solution.

Regards!

AUsquirrel · Fri Aug 18, 2023 11:22 am

Upgraded 2 x 5009, 2 x cAP, 1 x mAP and 1 x cAP ax.

I have had the issue reported by AdB and eworm that my 5009 running my capsman is "dropping" the VLANs for any VLAN edge ports on the 5009. This includes the management vlan that then drops the wireless networks.

The rest are working fine.
Hi,

had the same issue with an hEX-S with VLAN filtering enabled, running CAPsMAN and 3x cAP-AC's. I workaround this by removing "bridgeLocal" as discovery interface in the cAPs, and adding them a CAPsMAN address (so finding the CAPsMAN in L3, rather than L2). Just if it helps as a temporal solution.

Regards!

Hi jhbarrantes,
Thanks for that suggestion. I have rolled the router back to 7.10.2 for now. I do have the CAPSMAN address set as well as the discovery interface on my APs is their bridge.

I will give Mikrotik a couple of days to release the patch first. I have the wireless networks back up.

jbl42 · Fri Aug 18, 2023 3:16 pm

Looks like this is not caused by capsman itself, but handling of dynamic interfaces in bridge.
>
I have had the issue reported by AdB and eworm that my 5009 running my capsman is "dropping" the VLANs for any VLAN edge ports on the 5009

On my RB5009 running 7.11 it indeed seems like VLAN HW offload fails for all access/edge ports added dynamically to a bridge.
At least for me hw offload for VLAN filtering starts working if access ports are explicitly added as untagged to the bridge, instead of having them added dynamically based on the port PVID.

pe1chl · Fri Aug 18, 2023 3:56 pm

The same hardware offloading related problems happens to me on CCR2004-16G-2S+ with v.7.11. Adding bonding interface (LACP) to a multiple VLAN LAN-side bridge (port 7 & 8 - the same internal switch-chip) causing many router-switch disconnections and LAG flapping. Disabling HW offloading on that specific bonding interface resolves the problem.

This configuration already did not work for me BEFORE the problems with the 7.11 release were introduced (I am using 7.11beta4).
I removed the bridge which also removes the HW accel, and use the bonding interface directly with the VLAN subinterfaces on top, then it works OK.
But this probably is not the same bug as many users now see in 7.11 because that was introduced in 7.11rc1, a later version.
Support said that I had to enable RSTP on the bridge to work around it, but that did not fix it for me.

Fri Aug 18, 2023 3:58 pm

Thanks again for the feedback!

The issue with vlan-filtering bridge running together with CAPsMAN has been reproduced and we are looking for a fix.

@bommi, jayooo, dredex - regarding issues with HW offloaded vlan-filtering bridges on hEX or hEX-S. Can please you share supout.rif files to support@mikrotik.com? Let us know the SUP ticket number.

@jbl42 - did not manage to repeat this in our labs. Can you please share supout.rif files to support@mikrotik.com? Let us know the SUP ticket number.

Z0ltan · Fri Aug 18, 2023 4:50 pm

There is no workaround for the vlan-filtering bridge running together with CAPsMAN issue in 7.11, only reverting back to 7.10.2? I tried disabling fast-track but it didn't work, so I have reverted to 7.10.2 for now.

pe1chl · Fri Aug 18, 2023 4:56 pm

Rumor has it that disabling fast-path on the bridge and/or hw accel on the port would solve it, but I have downgraded before having tested all possibilities.

Z0ltan · Fri Aug 18, 2023 4:57 pm

I disabled fast-path on the bridge and didn't even have hw offloading due to the CAP interfaces being in the same bridge but it was still not working (wifi associated but there was no DHCP, likely because the VLAN ID got dropped somewhere).

Fri Aug 18, 2023 5:03 pm

Did not find any workarounds, unfortunately. Disabling fast-path or HW offloading will not resolve this, it is a different issue.

pOZORjED · Fri Aug 18, 2023 5:07 pm

Can we get a “update” to go back to 7.10.2? As downgrade seems to be broken as well. Really need my network back!

bommi · Fri Aug 18, 2023 5:14 pm

Can we get a “update” to go back to 7.10.2? As downgrade seems to be broken as well. Really need my network back!

For me the downgrade worked. Uploaded the old version and hit the "Downgrade" Button in the Package Update menu.

pOZORjED · Fri Aug 18, 2023 5:21 pm

Wait, you did a upload and downgrade? Invited downgrade, no result. Upload and reboot, no success. Didn’t try this option. If I can get a connection again I will try this

pe1chl · Fri Aug 18, 2023 5:27 pm

You need to check first which packages you have installed (under system->packages). Then you download the lower released version of ALL those packages (normally it will be only the routeros package) from the download archive and upload them to the "files" section of the router (not in a folder!) and you then click the downgrade button in system->packages.

jayooo · Sat Aug 19, 2023 1:00 am

Wait, you did a upload and downgrade? Invited downgrade, no result. Upload and reboot, no success. Didn’t try this option. If I can get a connection again I will try this

If you are manually rebooting, you are doing it wrong. Upload the old package file, then click Downgrade button. It will reboot by itself as soon as you click "Downgrade".

jayooo · Sat Aug 19, 2023 1:03 am

Thanks again for the feedback!

The issue with vlan-filtering bridge running together with CAPsMAN has been reproduced and we are looking for a fix.

@bommi, jayooo, dredex - regarding issues with HW offloaded vlan-filtering bridges on hEX or hEX-S. Can please you share supout.rif files to support@mikrotik.com? Let us know the SUP ticket number.

@jbl42 - did not manage to repeat this in our labs. Can you please share supout.rif files to support@mikrotik.com? Let us know the SUP ticket number.

Ok, I emailed the supout and put your name in the body of the email. I did not receive a ticket number or any email response. Edit: It just replied the ticket number. SUP-125522

This is easily reproducible. Just create a bridge, a trunk port and an access port. Leave HW enabled, enable vlan-filtering. It stops working, although you can PING between networks, but the speed is nearly zero. Not enough speed to even open websites.

AUsquirrel · Sat Aug 19, 2023 3:44 am

---SNIP----

Ok, I emailed the supout and put your name in the body of the email. I did not receive a ticket number or any email response. Edit: It just replied the ticket number. SUP-125522

This is easily reproducible. Just create a bridge, a trunk port and an access port. Leave HW enabled, enable vlan-filtering. It stops working, although you can PING between networks, but the speed is nearly zero. Not enough speed to even open websites.

Hi Jayooo,
That matches what I saw on my 5009. The three vlans without any edge ports and a trunk port, hardware accel and VLAN filtering stayed up and worked no issues. The two VLANs with edge ports on the 5009 would stop working at some point after a reboot.

peterda · Sun Aug 20, 2023 1:15 am

My hEX S is now hanging every two days and need to be powercycled every time.
No clue on why, happened twice after the upgrade to 7.11.
Very anoying since the router has been reliable pre 7.11.
My configuration has not changed for over half a year.

Maggiore81 · Sun Aug 20, 2023 11:21 am

My hEX S is now hanging every two days and need to be powercycled every time.
No clue on why, happened twice after the upgrade to 7.11.
Very anoying since the router has been reliable pre 7.11.
My configuration has not changed for over half a year.

Just downgrade the unit to 7.10.2 and also downgrade the routerboot to be sure!

peterda · Sun Aug 20, 2023 11:53 am

Thanks Maggiore81, i will try that asap.

pe1chl · Sun Aug 20, 2023 12:02 pm

As is the case with most software, you will learn that it is usually not a good idea to install a .0 release, at least not immediately.
Always wait for the .1 to appear (7.11.1) and/or wait a couple of weeks to see if maybe it is not required.

kehrlein · Sun Aug 20, 2023 12:18 pm

Updated soft- and firmware to 7.11 on these models without any issues:

x86
RB750GL
RB760iGS (hEX S)
RBcAPGi-5acD2nD (cAP ac)
RBwAPG-5HacD2HnD (wAP ac)
CRS309-1G-8S+

mahfuzazam · Sun Aug 20, 2023 5:24 pm

Updated below models:
- 3 x RB4011iGS+RM
- 1 x CCR2004-16G-2S+
- 1 x CCR1036-12G-4S
- 1 x RB450Gx4

RB4011 is showing high in temperature, avg. is 48C. Downgrading to 7.10.2 makes the average temp 40C.

Rustie0125 · Sun Aug 20, 2023 7:59 pm

Hey, Updated my LTAP routers with V7.11 and use them as Lorawan gateways
I tried using the new NetID filtering for messages but I seemed to have blocked all messages.

I see the lora documentation has not been updated yet, so Im hoping someone can explain how to use the NetID filter.
More importantly the Intendent NetID allowable range formatting/syntax

Thanx

jayooo · Mon Aug 21, 2023 4:05 pm

Mikrotik replied to my supout ticket and they have confirmed that they have reproduced the VLAN issues on HEX/HEX-S in 7.11 and are working on that fix.

mazel · Mon Aug 21, 2023 4:14 pm

All devices using IPsec IKE2 with /certificate set crl-download=yes crl-store=ram crl-use=yes getting error can't verify peer's certificate from store after upgrade from ROS 7.10.2 to ROS 7.11. After downgrading back to 7.10.2 issue is gone. All devices with set crl-download and crl-use to value "no" having no issues at all. This is very inconvenient to have this type of issue when upgrading remote units without any other admin access then VPN (units in public internet behind ISP NAT).

evince · Mon Aug 21, 2023 5:47 pm

Very nice upgrade,
*) netwatch - added "src-address" property;

Please add the option to be able the ping IP for failover in route. example: check gateway ping 1.1.1.1 that would helps

+1. It'd be very useful.

jbl42 · Mon Aug 21, 2023 8:53 pm

As is the case with most software, you will learn that it is usually not a good idea to install a .0 release, at least not immediately.

I conquer. With SW, it is usually safe to upgrade from a stable minor release to the next. Like form *stable* 7.10.2 to *stable* 7.11.
But with Mikrotik you have to learn that stable does not mean anything and updating from one stable minor to the next stable minor is expected to break long standing features. Like completely borking OpenVPN with 7.10 or VLAN filtering on many devices with 7.11, just to mention some recent examples.

I'm using Mikrotik since many years. They make wonderful devices with an unbeatable price point regarding features, but always had an exceptional low bar on SW quality and a complete lack of shame about introducing easy to test regressions with minor stable releases.

meth · Mon Aug 21, 2023 8:54 pm

VXLAN stop working between 1036 and netpower over OSPF, on FDB getting remote IP's zeros on both sides

anuser · Tue Aug 22, 2023 11:19 am

I have CCR1009-7G-1C-1S+ go crazy with console crashes, script errors (action timed out) and more. Sadly even generating a support output file fails...
Opened issue SUP-125133.

Same problem with a CCR1036-8G-2S+
=> Back to 7.10.2

ksteink · Tue Aug 22, 2023 3:19 pm

Just da smol home-network:

smol-net-1.jpg

Found no issues.

What tool do you use for massive upgrades?

kryztoval · Tue Aug 22, 2023 3:22 pm

I am seeing a lot of jitter in the connection now, my ping in games used to be less than 80ms but right now it is 3x the amount with this version. I think the only change was that I updated all mikrotik devices to 7.11 and it sure started happening after this update.

I have a "complicated" network path. Router -> AP ->VPLS/MLPS bridge -> Station -> Router -> modem. But that was there with 7.10 without jitter.

Even speed test shows the same throughtput but now the ping during upload and download spikes up and before it didn't do that. Just a heads up and something to look out for in case your setup shows this behaviour.

ksteink · Wed Aug 23, 2023 12:15 am

I have upgraded a bunch of devices such as:

- RB2011
- RB3011
- RB4011
- RB5009
- CRS326
- CRS328
- hAP AC2
- hEX S

All upgrade went well (no issues) BUT I have 2 hEX S with VLANs and those simple come up but users get timeout. Doing a downgrade restores the process so I think there is a bug there.

jayooo · Wed Aug 23, 2023 12:28 am

All upgrade went well (no issues) BUT I have 2 hEX S with VLANs and those simple come up but users get timeout. Doing a downgrade restores the process so I think there is a bug there.

The hex vlan workaround is a few posts up. No need to downgrade.

lolman10 · Wed Aug 23, 2023 2:21 am

İ have tplink acess point on mikrotik LDF5 outdoor.
İ had 7.10.2 version . i updated 7.11 after that my tplink acess point wifi speed about 1 mbps or more less but my with cat6 cable speed 86 mbps.
i downrage 7.10.2 but still nothing change. its seems my wifi totaly broken with all version software . i tried another acess point
still same result .

Tplink Phone Wifi test

Tplink cat6 Cable Test

jayooo · Wed Aug 23, 2023 4:44 am

İ have tplink acess point on mikrotik LDF5 outdoor.
İ had 7.10.2 version . i updated 7.11 after that my tplink acess point wifi speed about 1 mbps or more less but my with cat6 cable speed 86 mbps.
i downrage 7.10.2 but still nothing change. its seems my wifi totaly broken with all version software . i tried another acess point
still same result .

That isn't an upgrade issue then, assuming you did actually downgrade both the package and the router board firmware.

lolman10 · Wed Aug 23, 2023 5:58 am

İ have tplink acess point on mikrotik LDF5 outdoor.
İ had 7.10.2 version . i updated 7.11 after that my tplink acess point wifi speed about 1 mbps or more less but my with cat6 cable speed 86 mbps.
i downrage 7.10.2 but still nothing change. its seems my wifi totaly broken with all version software . i tried another acess point
still same result .

That isn't an upgrade issue then, assuming you did actually downgrade both the package and the router board firmware.

but i tried with another acess point i still get bad wifi speed. before i update mikrotik .i didnt had problem. with cable i get full speed. its very strange problem

jayooo · Wed Aug 23, 2023 6:30 am

That isn't an upgrade issue then, assuming you did actually downgrade both the package and the router board firmware.
but i tried with another acess point i still get bad wifi speed. before i update mikrotik .i didnt had problem. with cable i get full speed. its very strange problem

That isn't a mikrotik issue. You say that "with cable" you get full speed but with 3rd party access point you get slow speed. However, BOTH of those scenarios are "with cable" from the mikrotik perspective. You aren't using mikrotik wifi.

Plus, the only different between mikrotik versions is just software. Once you downgrade back to the same version, there is no difference.

mmc · Wed Aug 23, 2023 8:04 am

ipv6 ospfv3 stops working after interface template once set to passive state for maintenance purposes.

after trying to unset passive state in ospf interface template, the underlying ipv6 ospf interface stays in passive state forever.

only chance to bring it back to 'not passive' state is by disabling the underlying 'physical' vlan interface, which is a no-go in case you have a dual-stack vlan interface.

reported with supout and complete documentation with ticket
#[SUP-125878]: ros 7.11 / ipv6 ospfv3 interface stays in passive state

TosLin · Wed Aug 23, 2023 10:46 am

//
The issue with vlan-filtering bridge running together with CAPsMAN has been reproduced and we are looking for a fix.
//

My rb4011 hangs when access points are provisioned.
Have gone back to 7.10.2

eworm · Wed Aug 23, 2023 10:58 am

The CAPsMAN issue has been fixed in RouterOS 7.12alpha108... Let's hope we will see this in releases soon.

Jotne · Wed Aug 23, 2023 11:57 am

And since beta comes after alfa, this may already be in 7.12beta 1
viewtopic.php?t=198723

pe1chl · Wed Aug 23, 2023 11:58 am

And since beta comes after alfa, this may already be in 7.12beta 1

It isn't.

lolman10 · Wed Aug 23, 2023 4:08 pm

but i tried with another acess point i still get bad wifi speed. before i update mikrotik .i didnt had problem. with cable i get full speed. its very strange problem
That isn't a mikrotik issue. You say that "with cable" you get full speed but with 3rd party access point you get slow speed. However, BOTH of those scenarios are "with cable" from the mikrotik perspective. You aren't using mikrotik wifi.

Plus, the only different between mikrotik versions is just software. Once you downgrade back to the same version, there is no difference.

its totaly about mikrotik. i tried one more diffirent acess point. 2.4 ghz slow speed 1mbps but 5 ghz i get full speed. Before update mikrotik i get also full speed 2.4 ghz. in total i tried 3 diffirent acess point all same. with that update maybe some setitngs changed ?

its my settings

erlinden · Wed Aug 23, 2023 4:28 pm

its my settings

Better to share your config:

/export file=anynameyoulike

Make sure to remove serial and any other private information (like public IP).

In regards to your settings:

nv2 nstreme is Mikrotik only
Superchannel!?
why post 5GHz radio while you experience problems with the 2.4GHz radio?

Better to start a seperate topic where we can go in depth.

K0NCTANT1N · Wed Aug 23, 2023 5:58 pm

"station pseudobridge" + "nv2"

Are you serious?
https://wiki.mikrotik.com/wiki/Manual:W ... tion_Modes

mkx · Wed Aug 23, 2023 6:19 pm

"station pseudobridge" + "nv2"

Are you serious?
https://wiki.mikrotik.com/wiki/Manual:W ... tion_Modes

The setting in screenshot means "nv2 OR nstreme OR 802.11" and in conjunction with any of station modes it means that station will adjust to AP's wireless protocol settings (so if AP is TPlink which obviously knows nothing about Mikrotik's proprietary protocols, station will use 802.11 protocol. Nothing wrong with these settings. However, if device is used in any of station* modes, all other settings (band, channel width and frequency) should be left to defaults (band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX frequency=auto) to allow station to follow AP to whatever it chooses to do. It's only sensible to set these parameters by hand if device operates in one of AP modes.

peterda · Wed Aug 23, 2023 7:52 pm

Downgraded my hEX S to 7.10.2 and it is stable again, no more hangs.

lolman10 · Wed Aug 23, 2023 8:08 pm

"station pseudobridge" + "nv2"

Are you serious?
https://wiki.mikrotik.com/wiki/Manual:W ... tion_Modes
The setting in screenshot means "nv2 OR nstreme OR 802.11" and in conjunction with any of station modes it means that station will adjust to AP's wireless protocol settings (so if AP is TPlink which obviously knows nothing about Mikrotik's proprietary protocols, station will use 802.11 protocol. Nothing wrong with these settings. However, if device is used in any of station* modes, all other settings (band, channel width and frequency) should be left to defaults (band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX frequency=auto) to allow station to follow AP to whatever it chooses to do. It's only sensible to set these parameters by hand if device operates in one of AP modes.

can you please check this topic

viewtopic.php?p=1020928#p1020928

Sidewindr · Thu Aug 24, 2023 2:20 am

Yep, looks like CAPsMAN is broken in v7.11 I have the same issue on a CCR1036-12G-4S.

CAPsMAN basically becomes unresponsive and I notice also that the VLAN's on my bridge interface also have no status i.e. no R (Running) status.

I have CCR1009-7G-1C-1S+ go crazy with console crashes, script errors (action timed out) and more. Sadly even generating a support output file fails...
Opened issue SUP-125133.
Generating an export results in this before console crashes, just again:
Code: Select all
#error exporting "/caps-man/channel" (timeout)
#error exporting "/caps-man/configuration" (timeout)
#error exporting "/caps-man/datapath" (timeout)
#error exporting "/caps-man/rates" (timeout)
#error exporting "/caps-man/security" (timeout)
Also I have seen this on CHR now, running CAPsMAN as well. I think the issue is hidden there, and not related to architecture.

Happily I could generate a support output file this time on CHR, so let's hope for some results.

krafg · Thu Aug 24, 2023 5:20 am

Updated all my devices successfully. For now all is working fine.

Regards.

Rox169 · Thu Aug 24, 2023 7:18 am

you better write those devices...

si458 · Thu Aug 24, 2023 12:32 pm

had a weird one with a site using a hEX S,
upgraded from 7.10.2 to 7.11, suddenly all comps couldnt see internet,
but all voip phones where working (on there own vlan attached to the bridge)
spotted vlan-filtering was switched on, on the bridge, so switched it off, suddenly all comps get internet again?
never used vlan-filtering, never enabled it, but randomly switched itself on?

kowal · Thu Aug 24, 2023 12:37 pm

Yep, looks like CAPsMAN is broken in v7.11 I have the same issue on a CCR1036-12G-4S.

CAPsMAN basically becomes unresponsive and I notice also that the VLAN's on my bridge interface also have no status i.e. no R (Running) status.
Generating an export results in this before console crashes, just again:
Code: Select all
#error exporting "/caps-man/channel" (timeout)
#error exporting "/caps-man/configuration" (timeout)
#error exporting "/caps-man/datapath" (timeout)
#error exporting "/caps-man/rates" (timeout)
#error exporting "/caps-man/security" (timeout)
Also I have seen this on CHR now, running CAPsMAN as well. I think the issue is hidden there, and not related to architecture.

Happily I could generate a support output file this time on CHR, so let's hope for some results.

Are you guys using "normal" capsman or wifiwave2? I've wifiwave2 capsman on rb5009 and it makes supout without problems.

erlinden · Thu Aug 24, 2023 12:43 pm

Please elaborate @si458: vlan attached to bridge and vlan-filtering on the bridge? Perhaps share (part of) your config?

si458 · Thu Aug 24, 2023 12:47 pm

Please elaborate @si458: vlan attached to bridge and vlan-filtering on the bridge? Perhaps share (part of) your config?

I have a bridge with 4 ports attached, ether2-5
I have a van setup on the bridge vlan9

Some reason inside the bridge settings vlan-filtering had switched itself on? I've never used this setting?

The bridge has 1 ip range and the vlan has another ip range

Will get config when near laptop

wtechlink · Thu Aug 24, 2023 5:24 pm

I had an issue upgrading from 7.10.2 on one of my 12 2216's. It deleted the loopback bridge so my admin IP and NAT were not working. I recreated the bridge and assigned the IPs to it and all was good, just kind of strange that it happened on one of my routers and not the others.

jayooo · Fri Aug 25, 2023 4:19 am

The VLAN issues seem to be fixed in 7.12beta3! I just installed it, and re-enabled HW, all is good.

Ikk · Fri Aug 25, 2023 9:35 am

Hello, I can't update LtAP to version 7.11, tried on 5 pcs in the office, from different versions (7.8 to 7.10.2). No method of updating (downloading or manually uploading files) works. Only via NetInstall.

Maggiore81 · Fri Aug 25, 2023 9:46 am

@lkk what is the error?

Ikk · Fri Aug 25, 2023 1:17 pm

@Maggiore81 Hello, the problem with the update was on my side. I overlooked the new condition that the IoT package must also be newly installed for Lory to run. Can this new condition be somehow automated?

Chupaka · Sat Aug 26, 2023 6:41 pm

Amm0 · Sat Aug 26, 2023 6:46 pm

[...] I overlooked the new condition that the IoT package must also be newly installed for Lory to run. Can this new condition be somehow automated?

There have been a few reports like this in forum. I think you have just add the IoT package and uninstall LoRa before upgrade to avoid.
Although normally RouterOS deals with these things, not with the LoRa.npk → IoT.npk change it seems.

Ocean · Sun Aug 27, 2023 11:25 am

OpenVPN (UDP)
hAP AC3. Very similar problem (viewtopic.php?t=197690). But addresses and routes are present.

I confirm this problem exists!

hAP AC2

P.S. works in TCP mode

kryztoval · Sun Aug 27, 2023 5:35 pm

I can confirm that the same configuration on 7.10 had a ping-under-load of around 20ms while the 7.11 with the exact same configuration has a ping-under-load of around 65ms

This is also noticeable while keeping a flow of packets instead of a burst. Streaming video services would not trigger this as easy as playing a game or doing a multiconnection download would.

Time for me to dig in and try to isolate this, this will be fun. I can't expect mikrotik to figure the solution to this if I can't at least replicate it consistently so they can test reproduce it. :(

Mystique · Sun Aug 27, 2023 9:18 pm

*) dns - improved system stability when processing static DNS entries with specified address-list;

I used to have weird and random dns timeouts..

MK dns was backed by three servers accessed via via Wireguard connections.

DNS timeouts seem to be gone

I have static records defined

ffries · Mon Aug 28, 2023 1:35 am

After updating my knot lr8 kit from 7.10.2 to 7.11 lora gateway seems to be disabled after reboot. it is reproducable by rebooting the device.. even though i manually started the gw, it remains enabled only till a reboot

I can confirm this on my two wap-lr8 gateways.
I migrated to iot package and removed previous lora package.
After upgrade and reboot, I also lost some some Lora configuration (antenna gain, network servers, gps spoof coordinates, etc ...).

So if you own a WAP-LR8 ... do not upgrade to 7.11.

oeyre · Tue Aug 29, 2023 3:44 am

Hi,

Can I please get some more detail about this? Link to RFC, forum topic, etc?

*) mpls - improved MPLS TCP performance;

Seriously though, what does this mean?

Tech dump plz

Sidewindr · Tue Aug 29, 2023 5:24 am

Yep, looks like CAPsMAN is broken in v7.11 I have the same issue on a CCR1036-12G-4S.

CAPsMAN basically becomes unresponsive and I notice also that the VLAN's on my bridge interface also have no status i.e. no R (Running) status.

Are you guys using "normal" capsman or wifiwave2? I've wifiwave2 capsman on rb5009 and it makes supout without problems.

Normal CAPsMAN, not Wifiwave2. It works fine on 7.10.2 but falls over after upgrading to 7.11.

i4ko · Tue Aug 29, 2023 8:30 am

Doesn't seem at all stable to me. On a RBwAPGR-5HacD2HnD with EC25-V LTE modem it was working normally when the lte modem was set to serial (from inside routeros; usbnet mode on the ec25 card is 2). After disabling the ppp interface setting the lte modem mode to mbim (from routeros, no change on the ec25 usbnet as 2 is already mbim), and rebooting the device the following happened:
1. dhcp server was no longer giving out ip addresses on wifi, but is giving them on ethernet ports, and the dhcp server is actually running on the bridge interface where both the ethernet port and wifi are
2. unable to log into the router except for a short time after power on (about the first 10 seconds) and at mac address at that. If more time passes, or trying ip the router will claim that username and password are not correct, even on ssh. Trying to open terminal from winbox and login as it will claim password is wrong. Winbox does not properly update past the first 2-3 second if at all
2.1 one time I was able to connect to winbox and immediately hit the terminal button - there was a wall of text that logins failed due to critical process crash and I was logged in normally instead of being told that login failed
2.2. winbox shows about 168mb free ram which does not seem right as the device should only have 128 total.

after multiple loops of winbox and hard power down and power on, I managed to get winbox to open with terminal logged in. I typed /interface/lte/settings set mode=serial, pressed enter and it did nothing, after a minute or so the router printed "interrupted" and disconnected. After a few more tries, I was able to get to the same point, winbox open with logged in terminal and this time it was a matter of recalling the command from history and pressing enter. That did work and on the next power-off, power-on I was able to log into the router, get wifi to connect and get an address and log into it with ssh at a later point in time. Just to make sure I am not crazy, I repeated the process to put the lte interface mode to mbim again, and the same happened, but this time I know how to get it back to serial.. In any case, that is not what a "stable" release should do. There is a supout file which I have no idea one which power cycle was created.

the reason I was trying all that is that though my ppp profile asks for ipv6 and is set on the ppp interface, routeros sets an IPv4 only APN sting into the modem. I've verified that by disabling the PPP interface, manually connecting to the LTE card and setting IPv4IPv6 apn, but as soon as the ppp interface is enabled, the APN set in the modem is again IP (ipv4) only. That has been an issue at least on the last few 7.x releases

pe1chl · Tue Aug 29, 2023 11:59 am

Doesn't seem at all stable to me.

For the 1000th time: "stable" in the version name does not mean it works without bugs, it never crashes, it does what you want.
"stable" means it is not being tinkered with all the time.
Sure the 7.11 version has more than the average number of nasty problems for a "stable" release, I would not recommend installing it.
Either use 7.10.2 and wait for 7.11.1 or install a testing version.

buset1974 · Thu Aug 31, 2023 9:14 am

VPLS bigger than 1558 did not works in v7.11
but if one of the PE's using v6 it works like a charm.
i did change both PW control domain into "default" and "Enabled", both are has the same result.

See all the details in viewtopic.php?p=1022490#p1022490

thx

Thu Aug 31, 2023 10:05 am

What's new in 7.11.1 (2023-Aug-30 13:41):

*) bridge - fixed fast-path forwarding with HW offloaded vlan-filtering (introduced in v7.11);
*) bridge - fixed untagged VLAN entry disable;
*) bridge - fixed vlan-filtering stability with HW and non-HW offloaded ports (introduced in v7.10);
*) bridge - improved system stability;
*) bridge - improved vlan-filtering bridge stability with CAPsMAN (introduced in v7.11);
*) console - improved stability and responsiveness;
*) dhcp - fixed DHCP server and relay related response delays;
*) ipsec - fixed IPSec policy when using modp3072;
*) lte - fixed startup race condition when SIM card is in "up" slot for LtAP mini;

erlinden · Thu Aug 31, 2023 10:24 am

Upgrade went smooth:

RB4011
hEX s
wAP ac
cAP ac
hAP ax2

adithepocz · Thu Aug 31, 2023 10:46 am

I'm waiting for mikrotik to fix bug mpls propagate-ttl on mikrotik 7.11.1 (stable) but I don't see change for this.

Please check SUP-118482

fragtion · Thu Aug 31, 2023 1:17 pm

Since v7.11.1, I can no longer use channel 5320 on RB4011iGS+HacQ2HnD (US version)... it says "no supported channels"

It was possible in v7.11.

Is this intentional? More importantly, why do the changelogs say nothing about this?

I'm using wifiwave2 on the device

erlinden · Thu Aug 31, 2023 1:23 pm

What channel width are you using, @fragtion? If using 80 MHz, you might have to select extension channel eeCe or eeeC.

fragtion · Thu Aug 31, 2023 1:29 pm

What channel width are you using, @fragtion? If using 80 MHz, you might have to select extension channel eeCe or eeeC.

Band: 5GHz AC
Channel Width: 20/40/80MHz
Frequency: 5320 (Under Radios, I see that 5320 is removed from the whole "Current channels" table when country "United States" or "Canada" is selected)

Before it was working as a DFS channel that was subject to radar scanning, which I was fine with. Now it can't be used at all, leaving me with basically no noise-free channels to use in current environment.. :/

John39 · Thu Aug 31, 2023 1:46 pm

After updating to 7.11.1, some devices like Xiaomi smart vacuum cleaner, underfloor heating sensors, etc. cannot connect to CAPsMAN. I keep seeing the following entry in the logs - rejected, requests wrong RSN group cipher.

What should I do to make everything work? I have Mikrotik 5009 and CAP XL access points

Thu Aug 31, 2023 2:16 pm

Check debug logs, see what is the error

erlinden · Thu Aug 31, 2023 2:26 pm

Can you select channel 5300, @fragtion? That would make sense in case of 80MHz Ceee.
Can you please share your config:

/export file=anynameyoulike

Remove serial and any other private information like public IP.

fragtion · Thu Aug 31, 2023 2:30 pm

Can you please share your config:

Why? This is clearly related to the upgrade. 5320 is selectable on 7.11 but not 7.11.1. I downgraded to 7.11 and can now use the channel again until I purchase another wireless AP to replace the wi-fi on my RB4011.
So it's not config related, you could easily reproduce it on a similarly country-locked device. For the record I'm still on 7.11.1 routerboot firmware so this restriction is being applied on a npk level

rextended · Thu Aug 31, 2023 2:37 pm

Band: 5GHz AC
Channel Width: 20/40/80MHz
Frequency: 5320 (Under Radios, I see that 5320 is removed from the whole "Current channels" table when country "United States" or "Canada" is selected)

Before it was working as a DFS channel that was subject to radar scanning, which I was fine with. Now it can't be used at all, leaving me with basically no noise-free channels to use in current environment.. :/

If this is true:
https://en.wikipedia.org/wiki/List_of_W ... h/n/ac/ax)
It is clear that you are not clear how things work.
You can not use 5320 with Ceee, but at least as single 20 channel, or eC at 20/40 or eeeC at 20/40/80, etc.

erlinden · Thu Aug 31, 2023 2:38 pm

Why?

To check current settings and to give an explanation. You can provide only the wireless part.

fragtion · Thu Aug 31, 2023 2:39 pm

I can't use 5320 regardless of which channel width option is selected. The channel is no longer part of the selectable range for this regulatory domain on this device. And yes, this better conforms with the device description/specifications on MT website, for this locked down variant.

https://mikrotik.com/product/rb4011igs_5hacq2hnd_in:

RB4011iGS+5HacQ2HnD-IN-US (USA) is factory locked for 2412-2462MHz, 5170-5250MHz and 5725-5835MHz frequencies. This lock can not be removed.

I'm just saying, it was possible to use this frequency in prior wifiwave versions but was silently removed in 7.11.1, which is a real bummer. I thought they were maybe revising this since v7, which would have explained why the device was no longer so restricted. Evidently that is not the case..

rextended · Thu Aug 31, 2023 2:47 pm

Since MikroTik do not have TPC, now all frequences that must have TPC are forbidden on US market...
Those are FCC rules, not MikroTik choices.
If the rules of the State change, it is not MikroTik's job to inform customers, it is assumed that they already know the law, which does not admit ignorance.

fragtion · Thu Aug 31, 2023 2:51 pm

Yeah, except that I'm now using the device here in South Africa...

rextended · Thu Aug 31, 2023 2:54 pm

Yeah, except that I'm now using the device here in South Africa...

So the other question is why did you buy a device for the American market, and then you didn't resell it when you moved to South Africa...

Unfortunately they are forced by the FCC that, if they want to sell in America, they must be so strict on the products...

fragtion · Thu Aug 31, 2023 2:56 pm

So the other question is why did you buy a device for the American market, and then you didn't resell it when you moved to South Africa...

That's an irrelevant and extraneous question (with all due respect). Besides for the fact that Mikrotik as a brand is generally not so popular in the US market, perhaps I did try to sell it and nobody showed interest especially when they read that I have the locked variant and they knew that it's possible to buy the international version even through vendors like Amazon if they really wanted to...

So yeah let's rather remain focused on the fact that the software has changed and that this change was not included in the changelog ;)

rextended · Thu Aug 31, 2023 2:57 pm

If the rules of the State change, it is not MikroTik's job to inform customers, it is assumed that they already know the law, which does not admit ignorance.

If you use a peripheral outside of how it was meant to be used, that's your business.

fragtion · Thu Aug 31, 2023 3:00 pm

If you use a peripheral outside of how it was meant to be used, that's your business.

So it's not MikroTik's business/duty to inform customers of a software change correcting regulatory channel enforcement? I'll wait for your infinite insight in answering this question then

memelchenkov · Thu Aug 31, 2023 3:03 pm

7.11 comparing to 7.10 has some issues with Wi-Fi signal strength on Chateau.

buset1974 · Thu Aug 31, 2023 3:09 pm

Check debug logs, see what is the error

Hi normis,

Could you check my report regarding vpls defragment problem?
viewtopic.php?p=1022490#p1022490
It's happen in v7

Thx

John39 · Thu Aug 31, 2023 3:26 pm

Check debug logs, see what is the error

I don't see any errors in the debug logs or look at them incorrectly. For many years of operation of your equipment, such problems have not arisen, but now I don’t even know how to find a problem, please help me with a solution.

It seems that there have been some changes with the wireless interface, as a result of which some devices have stopped connecting. Even if you disable the access point from capsman and configure wi-fi on it separately, still not all devices can connect to it.

elmomac · Thu Aug 31, 2023 3:38 pm

SUP-114337 is still not fixed even in 7.11.1 "stable"

I still cannot turn Ipv6 HW acceleration on at L3HW - this case has been open since April / ROS 7.8 on my CCR2216.

pe1chl · Thu Aug 31, 2023 3:46 pm

People... bugs and features that are not mentioned in the release notes are most likely not fixed. No need to refer to that after a new stable release.
When you want to mention it at all (probably useless), do so in the 7.12beta topic.

John39 · Thu Aug 31, 2023 3:51 pm

Check debug logs, see what is the error

After rolling back the capsman controller to version 7.11, the problem was solved. Access points themselves on version 7.11.1

patrickmkt · Thu Aug 31, 2023 5:41 pm

I've lost my license key!!!

The upgrade to 7.11.1 on my CCR1036-12G-4S went well. However after rebooting for the firmware update, I got a warning that I had no license key and that my router will stop working after 24 hours.
I tried to click on update license key but it did not work.
After a third reboot however the license was back....
I'm glad that I did a monitored update as usually my router is updating automatically. I would have not caught that problem and my script would have not done a third reboot.