v7.12.1 [stable] is released!

Thu Nov 09, 2023 2:13 pm

RouterOS versions 7.12, 7.12.1 have been released in the "v7 stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

Notice - SFP/QSFP functionality has been refactored for consistent behavior and better scalability. Now, compliance with SFP/SFP+/QSFP MSA standard is mandatory. This may cause issues with SFP/QSFP modules that are not fully compliant. All current MikroTik modules abide this standard.

What's new in 7.12.1 (2023-Nov-17 13:38):

*) defconf - fixed bogus wifi password on certain Audience devices;
*) ipv6 - do not send out IPv6 RA deprecate message for re-used prefix;
*) ospf - fixed LSA Type3 advertisement for OSPFv2;
*) ppc - fixed RouterOS bootup (introduced in v7.12);
*) qsfp - fixed supported rates for breakout cables;
*) winbox - added missing arguments for "MAC Format" under "Wireless/Security Profiles/RADIUS" menu;

What's new in 7.12 (2023-Nov-09 09:45):

!) ethernet - changed "advertise" and "speed" arguments, and removed "half-duplex" setting under "/interface ethernet" menu;
!) health - removed "temperature" health entry from boards, where it was the same as "sfp-temperature";
!) sfp - convert configuration to support new link modes for SFP and QSFP type of interfaces;
*) api - fixed fetching objects with warning option from REST API;
*) bfd - fixed sessions when setting VRF;
*) bfd - improved system stability;
*) bgp - fixed "atomic-aggregate" always set in output;
*) bgp - fixed "input.filter-chain" argument selection in VPN configuration;
*) bgp - fixed local and remote port settings for BGP connections;
*) bgp - fixed typos and missing spaces in log messages;
*) bgp - implemented IGP metric sending in BGP messages;
*) bgp - improved logging;
*) bgp - increase "hold-time" limit to 65000;
*) bluetooth - added basic support for connecting to BLE peripheral devices;
*) bluetooth - use "g" units when decoding MikroTik beacon acceleration on peripheral devices menu;
*) bridge - fixed fast-path forwarding with HW offloaded vlan-filtering (introduced in v7.11);
*) bridge - fixed untagged VLAN entry disable;
*) bridge - fixed vlan-filtering stability with HW and non-HW offloaded ports (introduced in v7.10);
*) bridge - improved system stability;
*) bridge - improved vlan-filtering bridge stability with CAPsMAN (introduced in v7.11);
*) bth - added "Back To Home" VPN service for ARM, ARM64, and TILE devices;
*) calea - improved system stability when trying to add rules without the CALEA package;
*) certificate - allow to get and maintain Let's Encrypt certificate in IPv6 environment;
*) certificate - allow to remove issued certificates when CRL is not used;
*) certificate - fixed "subject-alt-name" duplicating itself when SCEP is used;
*) certificate - fixed certificate auto renewal via SCEP;
*) certificate - improved certificate validation logging error messages;
*) certificate - log CRL HTTP errors under the "error" logging topic;
*) chr - iavf updated driver to 4.9.1 version;
*) chr - increased OVA default RAM amount from 160MB to 256MB;
*) console - added ":jobname" command;
*) console - added "as-string" and "as-string-value" properties for "get" command;
*) console - added "terminal/ask" command;
*) console - added "transform" property for ":convert" command;
*) console - display "End-User License Agreement" prompt after configuration reset;
*) console - export required properties with default values;
*) console - fixed scheduler "on-event" script highlighting when editing;
*) console - improved ":totime" and ":tonum" commands and added ":tonsec" command for time value manipulation;
*) console - improved multi-argument property parsing into array;
*) console - improved randomness for ":rndstr" and ":rndnum" commands;
*) console - improved stability and responsiveness;
*) console - improved stability when editing long scripts;
*) console - improved stability when using "special-login";
*) console - improved system stability through RoMON session;
*) console - improved system stability when using autocomplete;
*) console - improved system stability;
*) console - restrict permissions to "read,write,reboot,ftp,romon,test" for scripts executed by DHCP, Hotspot, PPP and Traffic-Monitor services;
*) console - show full date and time in scheduler "next-run" property;
*) dhcp - fixed DHCP server and relay related response delays;
*) email - rename "address" property to "server";
*) ethernet - added "supported" and "sfp-supported" values for "monitor" command;
*) firewall - added "ein-snat" and "ein-dnat" connection NAT state matchers for filter and mangle rules;
*) flash - show more accurate "total-hdd-space" resource property;
*) gps - expose GPS port for Quectel EM12-G (vendor-id="0x2c7c", device-id="0x0512");
*) ike1 - fixed invalid key length on phase1 negotiation;
*) ike1 - log an error when non-RSA keys are being used;
*) ike2 - improved rekey collision handling;
*) interface - added "macvlan" interface support;
*) iot - fixed an issue where applying a script to GPIO pin caused GPIO to stop working;
*) iot - fixed behavior where GPIO output state would change on boot;
*) ipsec - fixed Diffie-Hellman public value encoding size;
*) ipsec - fixed IPSec policy when using modp3072;
*) ipsec - fixed minor typo in logs;
*) ipsec - reduce disk writes when started without active configuration;
*) ipv6 - fixed IPv6 RA delay time from 5s to 500ms according to RFC;
*) ipv6 - send RA and RA deprecate messages out three times instead of just once;
*) l3hw - fixed IPv6 route suppression;
*) l3hw - improved system stability during IPv6 route offloading;
*) l3hw - prioritize local IP addresses over the respective /32 and /128 routes;
*) led - fixed "interface-status" configuration for virtual interfaces;
*) led - fixed 5G modem mobile network category LED colours;
*) leds - added "dark-mode" functionality for RBwAPG-5HacD2HnD;
*) leds - added "wireless-status" and "wireless-signal-strength" configuration types for wifiwave2 interfaces;
*) log - improved logging for user actions;
*) lora - added LNS protocol support;
*) lte - added at-chat support and increased wait time on modem at-chat for Dell DW5821e, DW5821e-eSIM, DW5829e and DW5829e-eSIM;
*) lte - added SINR reporting for FG621-EA modem;
*) lte - changed R11e-LTE ARP behavior to NoArp;
*) lte - fixed 5G data-class reporting for Chateau 5G;
*) lte - fixed APN authentification in multi APN setup for R11e-LTE6;
*) lte - fixed FG621-EA possible timeouts during firmware upgrade;
*) lte - fixed IPv6 prefix for MBIM modems in multi-apn setup when IPv6 APN used as not first APN;
*) lte - fixed RSSI for FG621-EA modem to show the correct value;
*) lte - fixed Sierra modem detection for modems with vendor-specific USB descriptors;
*) lte - fixed Sierra modem initialization;
*) lte - fixed startup race condition when SIM card is in "up" slot for LtAP mini;
*) lte - fixed sub-interface auto-removal in multiple APN setups;
*) lte - show correct data class when connected to 5G SA network;
*) lte - use more compact logging messages;
*) modbus - added additional security settings for Modbus TCP;
*) mpls - added option to match and set MPLS EXP with bridge and mangle rules;
*) mpls - fixed "propagate-ttl=no" setting;
*) mpls - improved FastPath next-hop selection hash algorithm;
*) mqtt - added on-message feature for subscribed topics;
*) mqtt - added parallel-scripts-limit parameter to set maximum allowed number of scripts executed at the same time;
*) mqtt - added wildcard topic subscription support;
*) netinstall - added option to discard branding package;
*) netinstall - display package filename in GUI Description column if package description is not specified;
*) netinstall-cli - added empty configuration option "-e";
*) netinstall-cli - added option to discard branding package;
*) netinstall-cli - allow ".rsc" script filenames;
*) netinstall-cli - prioritise interface option over address option;
*) netinstall-cli - updated configuration option description;
*) netwatch - decreased "thr-tcp-conn-time" maximum limit to 30 seconds;
*) ospf - fixed adding ECMP routes;
*) ospf - fixed BFD on virtual-link with configured VRF;
*) ospf - fixed OSPFv3 authentication header length calculation;
*) ospf - fixed OSPFv3 not working with NSSA areas;
*) ospf - fixed parsing of opaque LSAs used by TE;
*) ospf - fixed translated NSSA routes not showing in backbone;
*) ovpn - added "tls-auth" option support for imported .ovpn profiles;
*) ovpn - improved system stability;
*) pimsm - fixed BSR update process;
*) pimsm - fixed UIB update process;
*) pimsm - improved system stability;
*) poe-out - driver optimization for AF/AT controlled boards;
*) poe-out - fixed rare CRS328 poe-out menu and poe-out port config loss after reboot;
*) poe-out - improved "auto" mode for devices with single PoE-out port;
*) poe-out - removed "auto" mode support for L009 devices;
*) port - add support for Huawei MS237h-517;
*) port - expose NMEA/DIAG ports for Dell DW5821e and DW5821e-eSIM;
*) qsfp - added 50Gbps rate support for QSFP28 interfaces;
*) qsfp - fixed incorrect QSFP temperature readings in negative temperature;
*) qsfp - improved auto link detection for AOC cables;
*) qsfp - use sub-interface configuration for establishing link (for 40Gbps and 100Gbps links, all sub-interfaces must be enabled);
*) quickset - fixed "LAN" interface list members if configuration does not contain bridge;
*) rip - added BFD support;
*) rip - fixed session not working in VRF;
*) route - added "single-process" configuration setting, enabled by default on devices with 64MB or less RAM memory;
*) route - added "suppress-hw-offload" setting for IPv6 routes;
*) route - fixed gateway after link restart;
*) route - removed deprecated "received-from" property;
*) route - reverse community "delete" and "filter" command behavior;
*) routerboard - added "reset-button" support for RB800, RB1100 and RB1100AHx2 devices;
*) routerboard - fixed "reset-button" support for wAP ac and wAP R ac devices;
*) sfp - added 5Gbps rate for SFP+ interface on 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) sfp - fixed missing "rx-power" monitor with certain modules (introduced in v7.10);
*) sfp - fixed occasional bad EEPROM data reading for L009 devices;
*) sfp - improved interface stability for SFP and QSFP types of interfaces;
*) sfp - improved system stability with certain modules for 98DX224S, 98DX226S, 98DX3236, 98DX8216 and 98DX8208 switch chips;
*) snmp - changed "mtxrGaugeValue" type to integer;
*) ssh - added support for user ed25519 public keys;
*) ssh - allow to specify key owner on import;
*) ssh - fixed SSH tunnel performance (introduced in v7.10);
*) ssh - improved connection stability when pasting large chunks of text into console;
*) supout - added interface list members section;
*) supout - added LLDP power to supout.rif;
*) supout - fixed BFD section;
*) switch - improved resource allocation for 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) switch - improved switch chip stability for CCR2004-16g-2s+ devices;
*) system - fixed process multithreading (introduced in v7.9);
*) system - improved system stability during booting for L009 devices;
*) system - improved system stability when MD5 checksums are used;
*) tftp - fixed empty file name matching;
*) tile - improved system stability when using queues;
*) traffic-generator - added "priority" property for "inject" command;
*) traffic-generator - fixed traffic-generator on CHR and x86;
*) usb - added support for RTL8153 USB ethernet on ARM, ARM64 and x86;
*) vrf - limit maximum VRFs to 1024;
*) vxlan - improved system stability for Tile devices;
*) webfig - fixed "Days" property configuration change under "IP/Firewall" menu;
*) webfig - fixed timezone for interface "Last Link Down/Up Time";
*) webfig - improved Webfig performance and responsiveness;
*) webfig - try to re-establish connection after disconnect;
*) wifiwave2 - added an alternative QoS priority assignment mechanism based on IP DSCP;
*) wifiwave2 - added comment property for registration-table;
*) wifiwave2 - added station-bridge interface mode;
*) wifiwave2 - correctly add interface to specified "datapath.interface-list";
*) wifiwave2 - do not show default "l2mtu" on compact export;
*) wifiwave2 - enable changing interface MTU and L2MTU;
*) wifiwave2 - fixed malformed Interworking packet elements;
*) wifiwave2 - fixed PTK renewal for interfaces in station mode;
*) wifiwave2 - fixed re-connection failures for 802.11ax interfaces in station mode;
*) wifiwave2 - fixed sniffer command not receiving any QoS null function frames when using 802.11ax radios;
*) wifiwave2 - fixed untagged VLAN 1 entry when using "vlan-id" setting together with vlan-filtering bridge;
*) wifiwave2 - fixed warning on CAP devices when radar detected;
*) wifiwave2 - implemented an option to transmit IP multicast packets as unicasts;
*) wifiwave2 - improved compliance with regulatory requirements;
*) wifiwave2 - limit L2MTU to 1560 until a fix is available for a bug causing interfaces to fail transmitting larger frames than that;
*) wifiwave2 - list APs with a higher maximum data rate as more preferable roaming candidates;
*) wifiwave2 - log more information regarding authentication failures;
*) wifiwave2 - make 4-way handshake procedure more robust when acting as supplicant (client);
*) wifiwave2 - use CAPsMAN's "datapath.vlan-id" on CAP for bridge port "pvid";
*) winbox - added "Addresses" property under "Routing/BFD/Configuration" menu;
*) winbox - added "BUS" property for USB Power Reset button for LtAP-2HnD and CCR1072;
*) winbox - added "Comment" under "Routing/BFD/Configuration" menu;
*) winbox - added "g" flag under "IPv6/Routes" menu;
*) winbox - added "Host Key Type" setting under "IP/SSH" menu;
*) winbox - added "Key Owner" setting under "System/User/SSH Keys" and "System/User/SSH Private Keys" menus;
*) winbox - added "Name Format" property under "WifiWave2/Provisioning" menu;
*) winbox - added "Remote Min Tx" parameter under "Routing/BFD/Session" menu;
*) winbox - added "Startup Delay" setting under "Tools/Netwatch" menu;
*) winbox - added "USB" button under "System/RouterBOARD" menu for LtAP-2HnD;
*) winbox - added "Use BFD" setting under "Routing/RIP/Interface-Template" menu;
*) winbox - added Enable/Disable button under "Routing/RIP/Static Neighbors" menu;
*) winbox - added missing properties under "WifiWave2" menu;
*) winbox - added MQTT subscription menu;
*) winbox - allow to change port numbers for SCTP, DCCP, and UDP-LITE protocols under "IP/Firewall" menus;
*) winbox - allow to set multiple addresses and added IPv6 support under "Interface/VETH" menu;
*) winbox - allow to specify server as DNS name under "Tools/Email" menu;
*) winbox - changed "MBR Partition Table" checkbox to unchecked by default under "System/Disks/Format-Drive" menu;
*) winbox - do not show "F" flag for disabled entries under "IP/Routes" menu;
*) winbox - fixed "Address" property under "WifiWave2/Remote-CAP" menu;
*) winbox - fixed "Do" property under "Routing/Filters/Select Rule" menu;
*) winbox - fixed "Group Key Update" maximum value under "WifiWave2/Security" menu;
*) winbox - fixed "Range" property under "Routing/Filters/Num Set" menu;
*) winbox - fixed "Switch" menu for CCR2004-16G-2S+;
*) winbox - fixed entry numbering and ordering under "WifiWave2/Provisioning" menu;
*) winbox - fixed minor typos;
*) winbox - improved support for certain properties under "WifiWave2/Interworking Profiles" menu;
*) winbox - rename "DSCP" setting to "DSCP (+ECN)" under "Tools/Traffic-Generator/Packet-Templates" menu;
*) winbox - rename "Name" setting to "List" under "IP,IPv6/Firewall/Address-List" menu;
*) winbox - rename "Password" button to "Change Now" under "System/Password" menu;
*) winbox - show "unknown" value for "FS" property under "System/Disks" menu if the data is not available;
*) wireguard - added "auto" and "none" parameter for "private-key" and "presharde-key" parameters;
*) wireguard - added "wg-export" and "wg-import" functionality (CLI only);
*) wireguard - allow to specify client settings under peer menu which will be included in configuration file and QR code;
*) wireguard - request public or private key to be specified in order to create peer;
*) wireless - added more "radius-mac-format" options (CLI only);
*) wireless - fixed malformed Interworking packet elements;
*) www - fixed allowed address setting for REST API users;
*) www - fixed fragmented POST data for SCEP service;
*) x86 - added support for Mellanox ConnectX-6 Dx NIC;
*) x86 - i40e updated driver to 2.23.17 version;
*) x86 - igb updated driver to 5.14.16 version;
*) x86 - igbvf updated driver from in-tree Linux kernel;
*) x86 - igc updated driver to 5.10.194 version;
*) x86 - ixgbe updated driver to 5.19.6 version;
*) x86 - Realtek r8169 updated driver;
*) x86 - updated latest available pci.ids;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

kiaunel · Thu Nov 09, 2023 2:23 pm

Finally a "stable" release with udp vpn client working....

anav · Thu Nov 09, 2023 2:48 pm

Couple of questions
(1) what is "ein-snat" and "ein-dnat" ( searched mt docs and no match ).
(2) CLI winbox import & export capability - will this get ported to winbox eventually?

Edit: Thanks Strods! = https://help.mikrotik.com/docs/display/ ... pendentNAT

EIN= Endpoint Independent NAT

Rox169 · Thu Nov 09, 2023 3:12 pm

very nice looong changelog :) and looong testing RC state...thanks

fragtion · Thu Nov 09, 2023 3:22 pm

Wonderful !!

pcunite · Thu Nov 09, 2023 3:36 pm

I think I'm gonna throw caution to the wind and try this version.

Thu Nov 09, 2023 3:37 pm

https://help.mikrotik.com/docs/display/ ... pendentNAT

Couple of questions
(1) what is "ein-snat" and "ein-dnat" ( searched mt docs and no match ).
(2) CLI winbox import & export capability - will this get ported to winbox eventually?

gigabyte091 · Thu Nov 09, 2023 4:09 pm

AX3, cAP ax, RB5009 updated. No problems so far

erlinden · Thu Nov 09, 2023 4:13 pm

RB4011, hAP ax2, hEX S, wAP ac and cAP ac upgraded, no problems for me.

Rox169 · Thu Nov 09, 2023 4:16 pm

7.12 working on Hap AC3, Hap AX3, Hap AX2, Cube 60G AC, WAP 60G, SXT.

ErfanDL · Thu Nov 09, 2023 4:24 pm

Working on hAP Lite, RB2011UiAS2hND, 951Ui.

FurfangosFrigyes · Thu Nov 09, 2023 4:30 pm

The Dude client is corrupt on the download page!

mkx · Thu Nov 09, 2023 4:31 pm

RB951G boots with 7.12. Can't say if it's stable, nobody's at home ATM. ;-)

Thu Nov 09, 2023 4:34 pm

What do you mean with "corrupt"? Downloads just fine for me (https://download.mikrotik.com/routeros/ ... l-7.12.exe).

The Dude client is corrupt on the download page!

biomesh · Thu Nov 09, 2023 4:35 pm

Opened SUP-133893 where RA deprecate messages for an active RA are sent at the same time as the active RA.

Workaround: toggle "use interface duid" to temporarily get a new PD then it reverts back to the actual PD and the RA will be correct.

roe1974 · Thu Nov 09, 2023 4:36 pm

I am now planning to switch to 7.12 from 6.49.10 (RB4011iGS, ltAP, cAP ac). Is there anything to consider? ... i don't have a complex config (a few certificates, capsman, ovpn tunnel, DOH, some scripts). Thx for a short answer ;-).

Thu Nov 09, 2023 4:39 pm

Short answer: it might just work.
Longer answer: in case of odd behavior, consider netinstall to 7.12 so make sure you have your config exported and away from your devices.

Thu Nov 09, 2023 4:48 pm

Why is that a problem? That is intended behaviour at the moment.

Opened SUP-133893 where RA deprecate messages for an active RA are sent at the same time as the active RA.

Workaround: toggle "use interface duid" to temporarily get a new PD then it reverts back to the actual PD and the RA will be correct.

biomesh · Thu Nov 09, 2023 4:54 pm

Why is that a problem? That is intended behaviour at the moment.

Well you get a non working config:

prefix 2601:2c3:xxxx:dc32::/64
{
AdvValidLifetime 7200;
AdvPreferredLifetime 7200;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition

prefix 2601:2c3:xxxx:dc32::/64
{
AdvValidLifetime 7200;
AdvPreferredLifetime 0;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition

Your client will see the deprecate message and will never get an address. If the PD/RA is active, why would you deprecate it at the same time?

Thu Nov 09, 2023 5:04 pm

This is actually already fixed in 7.13 which is coming soon. Deprecate message will not be sent if actual prefix is re-used.

biomesh · Thu Nov 09, 2023 5:12 pm

This is actually already fixed in 7.13 which is coming soon. Deprecate message will not be sent if actual prefix is re-used.

Thanks - I have a workaround (mentioned before), so I'm good for now.

anav · Thu Nov 09, 2023 6:03 pm

This is actually already fixed in 7.13 which is coming soon. Deprecate message will not be sent if actual prefix is re-used.

7.13? not 7.12.1 ???

DeGlucker · Thu Nov 09, 2023 6:34 pm

WiFi is still broken on x86 platform. Was forced to roll back to 7.6 again.

marekm · Thu Nov 09, 2023 6:40 pm

KNOT-r2 updated to 7.12, #[SUP-130404] Modbus bug (2-register read short by 1 byte if 2nd byte of CRC is 0) still not fixed.
Also tried to downgrade, bug is there at least as far back as 7.1.5 factory software.

pe1chl · Thu Nov 09, 2023 7:01 pm

Researching the "hang during reboot" problem (when upgrading) again, I now found that this is the way to reproduce it:
- have rose-storage and user-manager packages installed
- add an nfs mount using a command like this: /disk add nfs-address=192.168.1.3 nfs-share=/local/mikrotik slot=nfs type=nfs
- perform a user manager backup like this: /user-manager/database/save name=nfs/umbackup overwrite=yes
- now the nfs mount remains "in use", one can no longer disable the nfs-mounted disk (error message: failure: could not unmount filesystem - probably somebody still uses it)
- when the router is now rebooted using the software command, it hangs. powercycle required.

Apparently making a user manager backup somehow keeps the output file or directory open. Not good.

helectro · Thu Nov 09, 2023 7:20 pm

Hi buy one Rb L41G-2axD I upgraded from 7.8 to 7.12and the Wireless interface disappeared, what should I do to get the wireless interface back?

Jotne · Thu Nov 09, 2023 7:21 pm

This is actually already fixed in 7.13 which is coming soon. Deprecate message will not be sent if actual prefix is re-used.
7.13? not 7.12.1 ???

My thought as well. I am looking forward for a stable long term release 7.12.8

mkx · Thu Nov 09, 2023 7:26 pm

Hi buy one Rb L41G-2axD I upgraded from 7.8 to 7.12and the Wireless interface disappeared, what should I do to get the wireless interface back?

Install wifwave2 package (from extra packages). Next time use built-in upgrade feature which upgrades all installed packages automaticalky.

sas2k · Thu Nov 09, 2023 7:49 pm

Updated 3 devices with similar config from 7.11.2 to 7.12 stable:
1. rb750 gr3 - works fine, including DoH. But no BTH feature.
2. Hap ac3- DoH doesnot work. Update: fixed with cli command "/certificate/settings/set crl-use=no";
3. Rb4011 - DoH doesnot work, BtH - unable to connect. Update: fixed with correct connection config. My fault.

helectro · Thu Nov 09, 2023 7:54 pm

Hi buy one Rb L41G-2axD I upgraded from 7.8 to 7.12and the Wireless interface disappeared, what should I do to get the wireless interface back?
Install wifwave2 package (from extra packages). Next time use built-in upgrade feature which upgrades all installed packages automaticalky.

Thank You Very Much Work Again

gigabyte091 · Thu Nov 09, 2023 8:07 pm

Updated 3 devices with similar config from 7.11.2 to 7.12 stable:
1. Hex s - works fine, including DoH.
2. Hap ac3- DoH doesnot work.
3. Rb4011 - DoH doesnot work, BtH - unable to connect.

Tested with RB5009 and AX3 and BTH is working without a problem. Will test with my RB4011 tomorrow.

DeGlucker · Thu Nov 09, 2023 10:53 pm

Confirm, DoH doesn't work normally after reboot/restart. On two routers I was forced to remove/reset DoH settings, only after that they was able to normally resolve DNS queries. One remote router behind NAT is still unreachable after upgrade because as I suppose it can't resolve DNS and connect via vpn to my home router. A lot of new bugs... WiFi broken, already within a year can't fix. Now DoH... I am so tired

Thu Nov 09, 2023 11:04 pm

1100AHx2 ... upgraded from rc6 ... seems to work ... a little bit of OSPF + iBGP

PortalNET · Fri Nov 10, 2023 1:12 am

Will try it out tomorrow on our test servers.. as i just came to the forum related to other speed issue on our servers Mellanox 40Gbps and 100Gbps adapter cards running ethernet mode.. speed issues..

will try it out tomorrow.

pothi · Fri Nov 10, 2023 4:00 am

Upgraded hapAC2 and SXT LTE. No new issues.

ssh - added support for user ed25519 public keys;

Thanks for the added support for ed25519 keys for user authentication.

djansen · Fri Nov 10, 2023 4:41 am

LTE Firmware Not Found - Devices using the FG621-EA LTE Interface

Chateau LTE6 - D53G-5HacD2HnD-TC&FG621-EA
hAP ax lite LTE6 - L41G-2axD&FG621-EA
ROS upgraded to v7.12

Attempting to upgrade the LTE firmware results in download failed.

Check for latest firmware version.

/interface/lte/firmware-upgrade lte1 
  installed: 16121.1034.00.01.01.03
     latest: 16121.1034.00.01.01.04

Attempting standard firmware upgrade.

/interface/lte/firmware-upgrade lte1 upgrade=yes 
  status: download failed

Attempted manual download of the firmware.

/tool/fetch https://upgrade.mikrotik.com/firmware/FG621-EA/16121.1034.00.01.01.04/image
  status: failed

failure: closing connection: <404 Not Found> 159.148.172.226:443 (4)

braveheartleo · Fri Nov 10, 2023 5:58 am

The correct URL to use to download the firmware upgrade of FG621-EA from 01.03 to 01.04 is

https://upgrade.mikrotik.com/firmware/FG621-EA/16121.1034.00.01.01.03/image

Fri Nov 10, 2023 7:48 am

sas2k, DeGlucker - Please send supout files from your non-working DoH client routers to support@mikrotik.com. Are you sure that log does not already tell what is wrong here?

welan · Fri Nov 10, 2023 8:07 am

7.12 not working with CCR2004-1G-12S+2XS and RJ45 SFP-GB-GE-T , very sad thing, you fix one thing and break another.

toto4ds · Fri Nov 10, 2023 8:46 am

Yep, Hap ac2 DoH doesnot work too.

vecino · Fri Nov 10, 2023 9:15 am

MD5 encryption still doesn't work with OSPFv3 - testing between FRRouting 9.0.1 and 7.12. FRRouting vs FRRouting works fine.

config:

/routing ospf interface-template set *9 area=backbone-v3 auth=md5 auth-id=1 auth-key=************** ...

log:

default-v3 { version: 3 router-id: 10.***.***.1 } backbone-v3 { 0.0.0.0 } interface { broadcast fe80::de2c:****:fe45:c**b%ether2 } authentication failed from fe80::3eec:****:fef2:4f**%*2 received message with authentication trailer

Fri Nov 10, 2023 9:23 am

For those who experience issues with the DoH service? Is "/certificate/settings/set crl-use=" set to "yes" on your routers? If it is "yes", then do DoH work if you change value to "no"?

Guscht · Fri Nov 10, 2023 9:25 am

7.12 not working with CCR2004-1G-12S+2XS and RJ45 SFP-GB-GE-T , very sad thing, you fix one thing and break another.

Yeah true, BUT never install a .0-version from MT in production ;)
They call it "stable" but in real words its more a "public beta".

Florian · Fri Nov 10, 2023 9:36 am

This is actually already fixed in 7.13 which is coming soon. Deprecate message will not be sent if actual prefix is re-used.
7.13? not 7.12.1 ???

I hope it's soon anyway, it's breaking some ipv6 scenarios...

DeGlucker · Fri Nov 10, 2023 9:53 am

For those who experience issues with the DoH service? Is "/certificate/settings/set crl-use=" set to "yes" on your routers? If it is "yes", then do DoH work if you change value to "no"?

Yes, once I set it to "No" DoH immediately starts working properly until next reboot. Then when I set this option back to "Yes" DoH starts working properly again.

baragoon · Fri Nov 10, 2023 9:58 am

Hi there!

If comment (multi words) is set via routing filters the extra quotes are shows in the routes section.

For example: comment set via DHCP script:

as you can see, there is no extrea quotes in the route comment

But, if comment is set via routing filter, you may see the next:

Is it possible to remove these extra quotes in the comment?
Thank you.

Fri Nov 10, 2023 9:59 am

and now re enable together with the download option too:

/certificate settings
set crl-download=yes crl-use=yes

negge · Fri Nov 10, 2023 10:04 am

Can confirm that the OpenVPN UDP issues described in viewtopic.php?p=1024643#p1024643 have been fixed in 7.12, at least for me.

DeGlucker · Fri Nov 10, 2023 10:09 am

and now re enable together with the download option too:

/certificate settings
set crl-download=yes crl-use=yes

and now I have following error messages in the log:
CRL fetch failed: closing connection: <302 Moved Temporarily location="http://www1.d-trust.net/crl/d-trust_roo ... 2_2009.crl"> 193.28.64.55:80 (6)
DoH server connection error: SSL: ssl: crl not found for: "CN=dns.google" (6)

Fri Nov 10, 2023 10:32 am

If crl-use is yes, RouterOS will check CRL for each certificate in a certificate chain, therefore, an entire certificate chain should be installed into a device - starting from Root CA, intermediate CA (if there are such), and certificate that is used for specific service.
For example, Google DoH full chain contains three certificates, Cloudflare has three certificates, and NextDNS has four certificates.

BWC · Fri Nov 10, 2023 10:49 am

I updated a CHR on AWS from 7.11.2 to 7.12 and it is not starting anymore, is there a known issue?

Even the serial console isn't showing anything, it looks like the whole instance is broken.

jplitza · Fri Nov 10, 2023 11:00 am

*) qsfp - use sub-interface configuration for establishing link (for 40Gbps and 100Gbps links, all sub-interfaces must be enabled);

Does that mean if I want to have a 40G link on the qsfp28-1 port of a CCR2216-1G-12XS-2XQ, I have to enable all qsfp28-1-{1,2,3,4} interfaces before updating? What will be the state of those sub-interfaces when the 40G link is established?

*) route - reverse community "delete" and "filter" command behavior;

So is the documented behavior the old or the new one? Could you please – whichever it is – clarify the documentation?

eworm · Fri Nov 10, 2023 11:17 am

and now re enable together with the download option too:

/certificate settings
set crl-download=yes crl-use=yes

How about extending the property verify-doh-cert with a new value yes-without-crl, just like fetch command with its property check-certificate?

sas2k · Fri Nov 10, 2023 11:58 am

For those who experience issues with the DoH service? Is "/certificate/settings/set crl-use=" set to "yes" on your routers? If it is "yes", then do DoH work if you change value to "no"?

There is no such item in the winbox gui.
Would you be so kind to provide cli script to get the current value of this param?
Thank you.

Ps. DoH doesnot work when "verify DoH certificate" is unchecked!
Ps2. "certificate/settings/set crl-use=no" resolves a problem.
So mikrotik decided to collect bug requests instead of setting "no" to new param that even cannot be found nowhere in the gui. Wow. . . Thank you for you care!

Fri Nov 10, 2023 12:16 pm

Unfortunately, until 7.11, use-crl setting did not work properly. We fixed CRL check in 7.11 thus, routers with half-certificate chains that worked in the past by mistake will not work anymore until the full certificate chain is not imported.

Fri Nov 10, 2023 12:20 pm

For those who experience issues with the DoH service? Is "/certificate/settings/set crl-use=" set to "yes" on your routers? If it is "yes", then do DoH work if you change value to "no"?
There is no such item in the winbox gui.
Would you be so kind to provide cli script to get the current value of this param?
Thank you.

Ps. DoH doesnot work when "verify DoH certificate" is unchecked!

There is. Go to Certificates menu

Fri Nov 10, 2023 12:24 pm

Ps. DoH doesnot work when "verify DoH certificate" is unchecked!

Do you have static DNS record that points to used DOH server DNS name?
What error message do you get in LOG?

hasmidzul · Fri Nov 10, 2023 12:48 pm

Hap AX3 DOH working fine on 7.12 stable.Using rethinkdns DOH

sas2k · Fri Nov 10, 2023 12:53 pm

There is. Go to Certificates menu

I checked it before I wrote:
1. It has another name.
2. It was unchecked!
3. When I did thru cli "certificate/settings/set crl-use=no" it helped. Before that this gui item did not work. Why?
4. Behaviour different on rb750gr3 vs hap ac3.
Both uchecked in the gui, rb750gr3 works fine as before. Hap ac3, rb4011b dont.

Are there any other checkboxes that I need to set thru cli despite their value in the gui?

Ps.
Why dont you name top checkbox as "Download CRL" ?
You should make it vise versa, to be not equal to "crl-download" cli param.

ID · Fri Nov 10, 2023 1:27 pm

I updated a CHR on AWS from 7.11.2 to 7.12 and it is not starting anymore, is there a known issue?

Even the serial console isn't showing anything, it looks like the whole instance is broken.

Upgrade v7.12 on vultr and no problem so far. Local instances of CHR and x86 upgraded and working fine also.

Fri Nov 10, 2023 1:39 pm

sas2k, there are no other checboxes. What RouterOS version are you running?

Njumaen · Fri Nov 10, 2023 1:55 pm

I'm missing something in the wireguard client config!

Right now, it creates a config with the line [copy does not work with winbox by the way]

AllowedIPs = 0.0.0.0/0, ::0

It is great for routing everything through the tunnel, but some people (like me ;) ) might need spilt-tunneling.

Please add something like "/interface/wireguard/peers/set client-allowedips"

Ralf.

bratislav · Fri Nov 10, 2023 2:07 pm

*) wifiwave2 - added station-bridge interface mode;

I presume this is incompatible with regular "wireless" package station-bridge and all APs not able to run wifiwave2 right?

Fri Nov 10, 2023 2:11 pm

Njumaen - Copy actually works. Simply, you do not see the "highlight". We will try to fix this in the future WInBox releases, but at the moment try to highlight the text, press right mouse button, select copy, and you are good to go.

As for the "client-allowed-ips" do you mean the parameter10.155 that will be installed on client device when importing configuration? IPs allowed from remote peer?

buset1974 · Fri Nov 10, 2023 2:12 pm

When upgrading v6.4x to latest v7.11.x.
value export import route target became invalids (suffix "L" added on the value)

> /routing/bgp/vpn/print
Flags: X - disabled, I - inactive
0 ;;; no available router id value
name="bgp-mpls-vpn-1"
import.route-targets=1L:1
export.route-targets=1L:1 .redistribute=connected,static,vpn,dhcp
route-distinguisher="1:1" vrf=vrf-Cust1

thx

sas2k · Fri Nov 10, 2023 2:15 pm

sas2k, there are no other checboxes. What RouterOS version are you running?

Yesterday posted all the fetails:

Updated 3 devices with similar config from 7.11.2 to 7.12 stable:
1. Hex s - works fine, including DoH.
2. Hap ac3- DoH doesnot work.
3. Rb4011 - DoH doesnot work, BtH - unable to connect.

Fri Nov 10, 2023 2:16 pm

send your supout.rif file to support@mikrotik.com from 7.12

eworm · Fri Nov 10, 2023 2:18 pm

I have crazy behavior on LtAP mini... The lte interface vanished after some seconds.

I've wanted to open an issue, thus enabled debug output for lte. It does no longer happen since then... The interface is available and running. A case of race condition caused by command timing perhaps?

Edit... Oh, it's gone now after I disabled debug output. Will open an issue anyway.

sas2k · Fri Nov 10, 2023 2:33 pm

send your supout.rif file to support@mikrotik.com from 7.12

No problem, but will it help?
I already set "certificate/settings/set crl-use=no", it resolved DoH problem.

Njumaen · Fri Nov 10, 2023 2:39 pm

As for the "client-allowed-ips" do you mean the parameter10.155 that will be installed on client device when importing configuration? IPs allowed from remote peer?

I do not know the internal parameter references of wireguard but simply generate the line

AllowedIPs =

out of the List of client-allowed-ips...

Example:

set client-allowed-ips = 10.200.200.1/32,192.168.1.0/24

should result in wg-config line in the [Peer] section

AllowedIPs = 10.200.200.1, 192.168.1.0/24

Simple as that ;-) wg works now as split-tunnel!

Cheers,

Ralf.

Guscht · Fri Nov 10, 2023 4:25 pm

my smol homenet works fine, but Im doin not DoH and BGP, OSPF stuff...

Screenshot 2023-11-10 152316.jpg

rajo · Fri Nov 10, 2023 8:22 pm

I updated a CHR on AWS from 7.11.2 to 7.12 and it is not starting anymore, is there a known issue?

Even the serial console isn't showing anything, it looks like the whole instance is broken.

I experienced this exact same issue when going from 7.7 to 7.10 with CHR on Google CE. I had to rebuild using an old snapshot.

In our case, I believe the issue was related to the CHR license not being applied when I upgraded from 6.49.x to 7.x, as evident from the last contact date in the license management page.

So its seems like, if the license cannot be verified within the allowed grace period, the CHR gets trashed during the reboot or upgrade.

This is terrible behavior MikroTik needs to change -- especially since we use CHR in a production environment to terminate hundreds of remote-site VPN connections. Instead of rendering a CHR install non-functional, when the license has not been verified outside the grace period, simply downgrade link speed and/or disable all functionality except that necessary to login to the CHR and correct the license issue.

mistercovert · Fri Nov 10, 2023 10:31 pm

Until this version Cloudflare secure DNS worked fine with no issues with the single Cloudflare cert. But DNS over HTTPS is now causing issues. I managed to download the certificate chain from Cloudflare and imported into certificates. Using a single static DNS of 1.1.1.1 with CRL download and Use CRL both ticked, it is continually giving me errors. I then added 8.8.8.8 in as another DNS option, then the certs then downloaded correctly, I deleted my temp 8.8.8.8 server and DNS over HTTPS worked perfectly for approx 20minutes when it disconnected a crapped out again.

Has anyone else had any success in getting cloudflare working with the 3 certificate chain?

radik101 · Sat Nov 11, 2023 12:16 am

No one was able to succeed, including Mikrotik itself.
For me, DOH only works on mipssbe, it doesn’t work on arm devices, if there are attempts to work, then only until a reboot.
Mikrotik simply cannot produce a new version without breaking something. This is already a tradition. It took so long to give birth to 7.12 and it still turned out broken. The further we go, the more Mikrotik disappoints.

infabo · Sat Nov 11, 2023 1:20 am

DOH enabled here, on a Chateau LTE12 and it is working flawlessly. arm device.

aoakeley · Sat Nov 11, 2023 1:36 am

*) wireguard - added "auto" and "none" parameter for "private-key" and "preshared-key" parameters;

I don't see the 'none' option.
In Winbox:
- For the Private Key, there is no option to select none, if you leave it blank it fills in "none" when you apply
- For the Preshared key, there is no option to select none, if you leave it blank it stays blank when you apply

Does not affect function, but is not intuitive.

bjohns · Sat Nov 11, 2023 2:22 am

Updated a RB4011iGS+5HacQ2HnD from v7.11.2 to v7.12. Has a Dell 3m 10GbE DAC (L56SF018-SD-R) connecting a CSS326-24G-2S+.

I had to unplug/plug the SFP for traffic to begin to flow, looked okay otherwise.

aoakeley · Sat Nov 11, 2023 3:50 am

*) email - rename "address" property to "server";

That's a lot of scripts that are going to need updating (well for our team anyway).
Not an issue, just thought I would highlight it.

Previous:
# Set Mail Server
/tool e-mail set address=[:resolve "mail.smtp2go.com"];

Change To:
# Set Mail Server
/tool e-mail set server="mail.smtp2go.com";

Renfrew · Sat Nov 11, 2023 4:33 am

*) ipv6 - fixed IPv6 RA delay time from 5s to 500ms according to RFC;

Upgraded hAP AX^3 from ROS 7.11.2 to 7.12, and upgraded the firmware, but IPv6 RA Delay Time still shows as 3 seconds and cannot be changed to 500ms. The parameter in ND only accepts seconds. Have I missed something?

yap99 · Sat Nov 11, 2023 8:29 am

On my rb850gx2 I have no service, I updated it remotely and now it no longer responds.

braveheartleo · Sat Nov 11, 2023 8:46 am

*) ipv6 - fixed IPv6 RA delay time from 5s to 500ms according to RFC;

Upgraded hAP AX^3 from ROS 7.11.2 to 7.12, and upgraded the firmware, but IPv6 RA Delay Time still shows as 3 seconds and cannot be changed to 500ms. The parameter in ND only accepts seconds. Have I missed something?

I am observing the same here, running 7.12. Perhaps this is a cosmetic issue, where it displays 3s but internally it is 500ms? And yes, you can't set ra-delay to any millisecond value, it rounds it down to 0s when attempting:

/ipv6 nd set 0 ra-delay=500ms
Warning: value of ra-delay was rounded down to 0s

aspen63 · Sat Nov 11, 2023 9:01 am

Upgraded my RB5009+three AX2 to 7.12 but still I have very slow speeds on my local network (around 23 MB/s) between my iPad and my NAS whereas I had around 50 MB/s before 7.11 or so. Don’t understand what to do.

rextended · Sat Nov 11, 2023 11:00 am

CCR2116-12G-4S+
Edge router on producion (with HA) 2 BGP IPv4, 1 BGP IPv6.
Uptime 1d 00:36:16, no problem.

mada3k · Sat Nov 11, 2023 1:11 pm

Upgraded my RB5009+three AX2 to 7.12 but still I have very slow speeds on my local network (around 23 MB/s) between my iPad and my NAS whereas I had around 50 MB/s before 7.11 or so. Don’t understand what to do.

Most likley wireless conditions change in some way. Wireless is wireless.

kometchtech · Sat Nov 11, 2023 1:46 pm

On my rb850gx2 I have no service, I updated it remotely and now it no longer responds.

I have also confirmed this situation.
I gave up and reverted to 7.11.2 with netinstall.

netravnen · Sat Nov 11, 2023 2:00 pm

MD5 encryption still doesn't work with OSPFv3 - testing between FRRouting 9.0.1 and 7.12. FRRouting vs FRRouting works fine.

config:
Code: Select all
/routing ospf interface-template set *9 area=backbone-v3 auth=md5 auth-id=1 auth-key=************** ...
log:
Code: Select all
default-v3 { version: 3 router-id: 10.***.***.1 } backbone-v3 { 0.0.0.0 } interface { broadcast fe80::de2c:****:fe45:c**b%ether2 } authentication failed from fe80::3eec:****:fef2:4f**%*2 received message with authentication trailer

Why not switch to HMAC-SHA-X Algorithm instead of MD5?

FRRouting 9.0 OSPFv3 docs

I have OSPFv3 running with HMAC-SHA-512 Auth between Bird 2.0.14 and ROS 7.12 with success. After the inclusion of bugfix "ospf - fixed OSPFv3 authentication header length calculation"

ROS 7.12

/routing ospf interface-template
add area=ospf3-backbone auth=sha512 auth-id=0 auth-key=\
    gsCHixQReM8cITbm8-8iedXG63ao8i9s dead-interval=20s disabled=no \
    hello-interval=5s interfaces=bridge1.3999 retransmit-interval=2s

Bird 2.0.14 (on Debian Linux 12)

protocol ospf v3 ospf3_main {
  area 0 {
    interface "br0.3999" {
      type broadcast;
      hello 5; retransmit 2; wait 10; dead 20;
      authentication cryptographic;
      password "gsCHixQReM8cITbm8-8iedXG63ao8i9s" { id 0; algorithm hmac sha512; };
      check link on;
    };
  };
}

Unless you capture the OSPFv3 packets on the wire and analyze the Authentication contents in e.g. Wireshark. It is hard to know what is going wrong for your setup with FRR 9.0.1 and ROS 7.12.

My problem was the the authentication header length before 7.12 was set to an incorrect value. Where ROS missed the addition of 16 bytes in the len field in the OSPFv3 authentication header. ( HMAC-SHA-512 / 8 = 64 bytes, instead of HMAC-SHA-512 / 8 + 16 = 80 bytes)

MrYan · Sat Nov 11, 2023 4:28 pm

Upgrade from 7.11.2 seems to have gone okay on 2x hEX (RB750Gr3) and 1x hAP AX^2. Noticed that on all of them I needed to reboot a second time to upgrade the routerboard firmware despite having "/system routerboard settings set auto-upgrade=yes" configured.

Like the extra logging for scripts that now tells you what it did.

gabacho4 · Sat Nov 11, 2023 4:33 pm

"Noticed that on all of them I needed to reboot a second time to upgrade the routerboard firmware despite having "/system routerboard settings set auto-upgrade=yes" configured."

This has always been required. All the auto-upgrade does is save you the effort of having to go in and manually upgrade the router board firmware before rebooting.

mkx · Sat Nov 11, 2023 4:39 pm

Noticed that on all of them I needed to reboot a second time to upgrade the routerboard firmware despite having "/system routerboard settings set auto-upgrade=yes" configured.

That's expected and has been so ever since auto-upgrade is available. The reason is that .fwf files with new routerboot are part of ROS package and are only available after new ROS version gets installed. What the auto-upgrade=yes does is that it installs the new routerboot firmware right after new ROS boots for the first time (so one doesn't have to go via System->RouterBOARD->Upgrade manually) ... but an extra reboot is still necessary.

This has been discussed on this forum before ... and MT staffers' response was that it is not possible to flash new routerboot image before new ROS is booted. Personaly I have hard time believing this (I guess it would be non-trivial and might pose a threat to stability of upgrade process, but I'm pretty sure it would be possible to do it in same leg as ROS upgrade).

rtlx · Sat Nov 11, 2023 5:22 pm

Given VPN tunnel:
[OpenVPN Client on MikroTik Router] to [OpenVPN Server on MikroTik router]

in UDP mode
IS STILL BROKEN.

When key renegotiation time arrives, the connection is aborted with the following messages on the server:

<CLIENT IP ADDRESS>: disconnected <TLS error: ssl: unexpected message (6)>
ovpn_server1: terminating... - TLS error: ssl: unexpected message (6)
<CLIENT IP ADDRESS>: disconnected <explicit peer disconnect>

mkx · Sat Nov 11, 2023 6:47 pm

... I was assured that this bug has been fixed in the 7.12 branch.
Well, it isn't. Still...

[sarcasm]
Well, 7.12 branch isn't abandoned/surpassed yet.
[/sarcasm]

rtlx · Sat Nov 11, 2023 6:49 pm

[sarcasm]Well, 7.12 branch isn't abandoned/surpassed yet.[/sarcasm]

Corrected/clarified :)

aspen63 · Sat Nov 11, 2023 7:40 pm

Upgraded my RB5009+three AX2 to 7.12 but still I have very slow speeds on my local network (around 23 MB/s) between my iPad and my NAS whereas I had around 50 MB/s before 7.11 or so. Don’t understand what to do.
Most likley wireless conditions change in some way. Wireless is wireless.

I have 3 hap x2 as access points. 5GHz spectrum is clear. The AP (in fact ANY of them) is in the line of sight but still…

Sat Nov 11, 2023 8:00 pm

Start a new thread and post network diagram and config of relevant devices.

MrYan · Sat Nov 11, 2023 8:31 pm

"Noticed that on all of them I needed to reboot a second time to upgrade the routerboard firmware despite having "/system routerboard settings set auto-upgrade=yes" configured."

This has always been required. All the auto-upgrade does is save you the effort of having to go in and manually upgrade the router board firmware before rebooting.

Ah, okay. Thanks for clarifying the behaviour.

mike19 · Sat Nov 11, 2023 9:56 pm

SFP Mikrotik S-RJ01 problem on CCR2216.

no link or 100M

Sat Nov 11, 2023 10:01 pm

No problem on RB5009.
Advertises 1Gb just nicely.

smotrov · Sun Nov 12, 2023 12:52 am

FoxGate ONU 1001XP-SFP is not initializing on RB5009 either Auto negotiation or force . Was working on 7.8 (with eeprom-checksum: bad to be precise).

monotsc · Sun Nov 12, 2023 12:54 am

dhcp server on x86 no longer working after upgrading from 7.11.2, status became "offered", anyone suffer the same ?

braveheartleo · Sun Nov 12, 2023 12:59 am

FoxGate ONU 1001XP-SFP is not initializing on RB5009 either Auto negotiation or force . Was working on 7.8 (with eeprom-checksum: bad to be precise).

Perhaps you missed this part from the announcement?

Notice - SFP/QSFP functionality has been refactored for consistent behavior and better scalability. Now, compliance with SFP/SFP+/QSFP MSA standard is mandatory. This may cause issues with SFP/QSFP modules that are not fully compliant. All current MikroTik modules abide this standard.

It may have worked before this release, but changes have been made to SFP functionality. It would seem that your SFP module is non-compliant. In that case, replace the SFP module with a compliant one or roll-back to any version before 7.12 if you're not ready to replace the module just yet but need it working.

smotrov · Sun Nov 12, 2023 1:34 am

replace the SFP module with a compliant one

I'd love to replace my SFP module with compliant, however, as far as I understand, Mikrotik is NOT have any compliant (such a simple thing) SFP EPON ONU. :-(

Now, I believe, this phrase should be deleted "MikroTik devices and SFP, SFP+, SFP28, QSFP+, and QSFP28 modules do not have any restrictions for other vendor equipment."

Mikrotik has just clearly restricted me from using other vendor equipment. Unbelievable.

guipoletto · Sun Nov 12, 2023 2:15 am

I'd love to replace my SFP module with compliant, however, as far as I understand, Mikrotik is NOT have any compliant (such a simple thing) SFP EPON ONU. :-(

Now, I believe, this phrase should be deleted "MikroTik devices and SFP, SFP+, SFP28, QSFP+, and QSFP28 modules do not have any restrictions for other vendor equipment."

Mikrotik has just clearly restricted me from using other vendor equipment. Unbelievable.

To be fair, "SFP-ONU" modules are not just simple transceivers, as defined in the MTA
they are full-blown router/bridges , with firmware, folded into a SFP mechanical form-factor (sometimes disregarding electrical and thermal specs)
let alone the firmware(and simulated EEPROM responses), those are amongst the crappiest CPE's possible, from a support, and stability standpoints.

To the point that Mikrotik themselves, and even finisar (that specializes in high-end transceivers), had products in this category, and pulled them from the market

The modules themselves are CRAP, This is not mikrotik's fault.

iustin · Sun Nov 12, 2023 2:26 am

I'd love to replace my SFP module with compliant, however, as far as I understand, Mikrotik is NOT have any compliant (such a simple thing) SFP EPON ONU. :-(

Now, I believe, this phrase should be deleted "MikroTik devices and SFP, SFP+, SFP28, QSFP+, and QSFP28 modules do not have any restrictions for other vendor equipment."

Mikrotik has just clearly restricted me from using other vendor equipment. Unbelievable.
To be fair, "SFP-ONU" modules are not just simple transceivers, as defined in the MTA
they are full-blown router/bridges , with firmware, folded into a SFP mechanical form-factor (sometimes disregarding electrical and thermal specs)
let alone the firmware(and simulated EEPROM responses), those are amongst the crappiest CPE's possible, from a support, and stability standpoints.

To the point that Mikrotik themselves, and even finisar (that specializes in high-end transceivers), had products in this category, and pulled them from the market

The modules themselves are CRAP, This is not mikrotik's fault.

Come on, it's not just SFP-ONU. I have a ticket open for six months for a simple SFP+ from Ubiquity (to replace S+RJ10), it's crickets, I test every new release, and it's still the same.

I wouldn't mind paying 2-3x for Mikrotiks own S+RJ10, if they wouldn't consume 2x power as the most recent chips.

toto4ds · Sun Nov 12, 2023 10:31 am

MLAG again began to lose the secondary switch.
This behavior was noticed before, but it worked on 7.11.
Treat the variable by rebooting both switches until the second one becomes available.
Although this may have never been fixed...

CRS326-24S+2Q+ x2

toto4ds · Sun Nov 12, 2023 11:04 am

Apparently the mlag is broken again, after about an hour, the primary switch went to 100% load.
And Zabbix started yelling: "Interface bond0: Ethernet has changed to lower speed than it was before". Оn all servers connected to the switches
There is nothing in the logs of the switches themselves

t0mm13b · Sun Nov 12, 2023 1:32 pm

Updated D53G-5HacD2HnD successfully, Two things spotted:

* the blue led light flashed pink when performing a modem upgrade, had to reboot twice.
* defconfig script changed the wireless specification from 7.11.2 to 7.12?

# 7.11.2
set $ifcId mode=ap-bridge band=2ghz-b/g/n disabled=no wireless-protocol=802.11 \
distance=indoors installation=indoor

to

# 7.12
set $ifcId mode=ap-bridge band=2ghz-b/g disabled=no wireless-protocol=802.11 \
distance=indoors installation=indoor

and

From:

# 7.11.2
set $ifcId mode=ap-bridge band=5ghz-a/n/ac disabled=no wireless-protocol=802.11 \
distance=indoors installation=indoor
set $ifcId channel-width=20/40/80mhz-XXXX;

To:

# 7.12
set $ifcId mode=ap-bridge band=5ghz-a disabled=no wireless-protocol=802.11 \
distance=indoors installation=indoor
set $ifcId channel-width=20mhz;

Any reason why the change?

BWC · Sun Nov 12, 2023 1:53 pm

I updated a CHR on AWS from 7.11.2 to 7.12 and it is not starting anymore, is there a known issue?

Even the serial console isn't showing anything, it looks like the whole instance is broken.
I experienced this exact same issue when going from 7.7 to 7.10 with CHR on Google CE. I had to rebuild using an old snapshot.

In our case, I believe the issue was related to the CHR license not being applied when I upgraded from 6.49.x to 7.x, as evident from the last contact date in the license management page.

So its seems like, if the license cannot be verified within the allowed grace period, the CHR gets trashed during the reboot or upgrade.

This is terrible behavior MikroTik needs to change -- especially since we use CHR in a production environment to terminate hundreds of remote-site VPN connections. Instead of rendering a CHR install non-functional, when the license has not been verified outside the grace period, simply downgrade link speed and/or disable all functionality except that necessary to login to the CHR and correct the license issue.

In my case it was a new instance which I created around Oct 15th and this date is shown as "Last Seen" on the license management as well. I guess the "Next Renewal Date" would be around Nov 15th, can't tell because it's broken :)

Gladly it was still the Trial License and I did not assigned the prepaid key, expiration date for that was Dec14th.

I created a new instance and hope for the best, the update process needs to be rock solid.

--Michael

pendie · Sun Nov 12, 2023 2:00 pm

I tried updating from 6.49.10 to 7.12 bootloop and tried netinstall, the result was the same, downgrading to 7.11.2, it worked with netinstall, I used an RB 850 GX2, for those of you, it's best to have the same as me, avoid 7.12

smotrov · Sun Nov 12, 2023 2:03 pm

The modules themselves are CRAP, This is not mikrotik's fault.

My device (SFP ONU) was working on RB5009. Now Mikrotik decided that is a CRAP (without offering any equivalent) and forbid me to install any future updates. Nice. Well done, Mikrotik!

flapviv · Sun Nov 12, 2023 2:04 pm

I tried updating from 6.49.10 to 7.12 bootloop and tried netinstall, the result was the same, downgrading to 7.11.2, it worked with netinstall, I used an RB 850 GX2, for those of you, it's best to have the same as me, avoid 7.12

Thanx to tell us on what kind of router, please...

pendie · Sun Nov 12, 2023 2:07 pm

I tried updating from 6.49.10 to 7.12 bootloop and tried netinstall, the result was the same, downgrading to 7.11.2, it worked with netinstall, I used an RB 850 GX2, for those of you, it's best to have the same as me, avoid 7.12
Thanx to tell us on what kind of router, please...

rb850gx2

slav0nic · Sun Nov 12, 2023 4:56 pm

What is requirements for station-bridge mode? Is it possible using old wireless 7.12 devices in station-bridge mode with wave2 7.12 ap or it's only for `wifiwave2 station-bridge < - > wifiwave2 ap` devices?

upd

found answer in the doc

The station-bridge mode, as implemented in the wifiwave2 package, is incompatible with APs running the bundled 'wireless' package and vice versa.

sas2k · Sun Nov 12, 2023 6:34 pm

Updated 3 devices with similar config from 7.11.2 to 7.12 stable:

fixed my problems.

carobeppe · Sun Nov 12, 2023 11:15 pm

Updated my AX^3 and the old but gold CRS125, everything is fine!

yap99 · Mon Nov 13, 2023 4:26 am

My rb850gx2 became unusable after updating to version 7.12. Apparently I'm not the only one, Mikrotik has to solve it or raise an alert.

vecino · Mon Nov 13, 2023 9:38 am

Why not switch to HMAC-SHA-X Algorithm instead of MD5?

FRRouting 9.0 OSPFv3 docs

I have OSPFv3 running with HMAC-SHA-512 Auth between Bird 2.0.14 and ROS 7.12 with success. After the inclusion of bugfix "ospf - fixed OSPFv3 authentication header length calculation"

ROS 7.12
Code: Select all
/routing ospf interface-template
add area=ospf3-backbone auth=sha512 auth-id=0 auth-key=\
    gsCHixQReM8cITbm8-8iedXG63ao8i9s dead-interval=20s disabled=no \
    hello-interval=5s interfaces=bridge1.3999 retransmit-interval=2s
Bird 2.0.14 (on Debian Linux 12)
Code: Select all
protocol ospf v3 ospf3_main {
  area 0 {
    interface "br0.3999" {
      type broadcast;
      hello 5; retransmit 2; wait 10; dead 20;
      authentication cryptographic;
      password "gsCHixQReM8cITbm8-8iedXG63ao8i9s" { id 0; algorithm hmac sha512; };
      check link on;
    };
  };
}
Unless you capture the OSPFv3 packets on the wire and analyze the Authentication contents in e.g. Wireshark. It is hard to know what is going wrong for your setup with FRR 9.0.1 and ROS 7.12.

My problem was the the authentication header length before 7.12 was set to an incorrect value. Where ROS missed the addition of 16 bytes in the len field in the OSPFv3 authentication header. ( HMAC-SHA-512 / 8 = 64 bytes, instead of HMAC-SHA-512 / 8 + 16 = 80 bytes)

@netravnen
Thanks for your answer. Yes I know about this option, but I guess to simplify my configuration file I prefer MD5, which I also use in OSPFv2. OSPFv2 can only do MD5 - https://docs.frrouting.org/en/stable-9.0/ospfd.html

I also want to alert Mikrotik guys to this problem so that they can fix it and make all variants functional.

herger · Mon Nov 13, 2023 10:08 am

OSPF stopped exporting local areas, again :-/ Has been working fine with 7.11.2, now everything needs to go into the backbone area to be functional. Looks very much like a regression to me, as I've seen this in the past but it then got better (and now worse again *sigh*)

netravnen · Mon Nov 13, 2023 10:10 am

Yes I know about this option, but I guess to simplify my configuration file I prefer MD5, which I also use in OSPFv2. OSPFv2 can only do MD5 - https://docs.frrouting.org/en/stable-9.0/ospfd.html

@vecino
From the GitHub Issue tracker (frrouting/frr#14398) It would seem HMAC SHA support in OSPFv2 is on the way for the next FRR 9 point release 🤘

vecino · Mon Nov 13, 2023 10:15 am

@netravnen
Wow - thanks for the info.

unlikely · Mon Nov 13, 2023 11:43 am

Not sure if it's related, but

DUDE DATABASE MOVED, 2M SECTOR WRITES IN TWO DAYS. AFTER ROS UPGRADE TO v7.12?

I think I almost immediately upgraded CCR2004 to v7.12 and I noticed today that since a couple of day my dude database was moved from USB/SSD storage to my main disk causing about 2.000.000 sector writes in two days (previously was 2M in 6 month).

Now I disabled dude, moved data directory again to usb/ssd, but dude refuses to stay running; after a reboot it turn stopped and data durectory revert to main disk.

EDIT:
Upgraded Nov 12 2023 from 7.11.2 to 7.12

# 2023-11-11 22:00:00 by RouterOS 7.11.2
# software id = G8MZ-MQ11
# model = CCR2004-16G-2S+
#
# 2023-11-12 22:00:00 by RouterOS 7.12
# software id = G8MZ-MQ11
# model = CCR2004-16G-2S+

Mon Nov 13, 2023 1:40 pm

Are you sure it's not because the slot name of USB disk changes after reboot ?

peracchi · Mon Nov 13, 2023 2:14 pm

I was unable to import the public key ED25519 from my YubiKey, either via the WinBox GUI "User List" or via the terminal command

/user ssh-keys import public-key-file=flash/pub/id_ed25519_sk.pub user=my-user

It gives the error "unable to load key file (wrong format or bad passphrase)!".

The contents of the file "id_ed25519_sk.pub" is:

sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAA0HdRkQwPCMwy/KxKR3A49kleuXZMvknZbU9aO0Ob2AAAAFnNzaDpZdWJpS2V5XzE4LjA4Ny43OTA= my-user@my-domain.com

I thought this update, to RouterOS v7.12, would allow the use of ED25519 keys for SSH into RouterOS.

Did I do something wrong or misunderstood "ssh - added support for user ed25519 public keys"?

rextended · Mon Nov 13, 2023 2:15 pm

Not sure if it's related, but...

As usual, you do not provide any useful info, like from what version you upgrade...

InfoForm · Mon Nov 13, 2023 3:00 pm

That's expected and has been so ever since auto-upgrade is available. The reason is that .fwf files with new routerboot are part of ROS package and are only available after new ROS version gets installed. What the auto-upgrade=yes does is that it installs the new routerboot firmware right after new ROS boots for the first time (so one doesn't have to go via System->RouterBOARD->Upgrade manually) ... but an extra reboot is still necessary.

Just my 2 cents.

Can Mikrotik add a flag to reboot the router automatically just after software + firmware upgrade ?
Like:

/system routerboard settings
set auto-upgrade-reboot=yes

This will have the advantage of having only one down time (and only one operation) for the cost of a small extra down time.
In production this will be very valuable.

pe1chl · Mon Nov 13, 2023 3:13 pm

Can Mikrotik add a flag to reboot the router automatically just after software + firmware upgrade ?
Like:
Code: Select all
/system routerboard settings
set auto-upgrade-reboot=yes
This will have the advantage of having only one down time (and only one operation) for the cost of a small extra down time.
In production this will be very valuable.

It really isn't a good idea (anymore) to set automatic firmware upgrade. The reason is that the firmware version now changes every time, it is the same as the RouterOS version. But usually there is no update at all in the firmware. Update just does nothing, but it incurs a small risk of rendering the router unbootable and requiring a netinstall using the backup booter.

It is best to update the firmware once after purchase of the device, and then only when release notes indicate some firmware change is required for the particular device you are running it on.
Then you can just do a manual update and consider if you even need the change to become active rightaway, or can wait to the next reboot.

DarkNate · Mon Nov 13, 2023 4:11 pm

It really isn't a good idea (anymore) to set automatic firmware upgrade. The reason is that the firmware version now changes every time, it is the same as the RouterOS version. But usually there is no update at all in the firmware. Update just does nothing, but it incurs a small risk of rendering the router unbootable and requiring a netinstall using the backup booter.

It is best to update the firmware once after purchase of the device, and then only when release notes indicate some firmware change is required for the particular device you are running it on.
Then you can just do a manual update and consider if you even need the change to become active rightaway, or can wait to the next reboot.

More harm can come from running a firmware version from 10 years ago, than upgrading the firmware each time automatically. I've seen too many MikroTik boxes in prod, running latest ROS, but firmware from 1965, and then they whine about why some SFP issue pops up or some other issues buried in the changelogs. I enforce auto-upgrade = yes as company policy, personally. But MikroTik could probably improve the user experience here, for sure.

owsugde · Mon Nov 13, 2023 4:42 pm

*) ovpn - improved system stability;

Can confirm that the OpenVPN UDP issues described in viewtopic.php?p=1024643#p1024643 have been fixed in 7.12, at least for me.

So can we assume OpenVPN is in a state comparable to ROS 6 again, stability-wise? Every release after 7.6 has been horribly unstable (including numerous complete lockups) for me, for any system running even one OVPN client.

Would be awesome if I could actually try new versions again on important routers.

spippan · Mon Nov 13, 2023 5:24 pm

Noticed that on all of them I needed to reboot a second time to upgrade the routerboard firmware despite having "/system routerboard settings set auto-upgrade=yes" configured.

That's expected and has been so ever since auto-upgrade is available. The reason is that .fwf files with new routerboot are part of ROS package and are only available after new ROS version gets installed. What the auto-upgrade=yes does is that it installs the new routerboot firmware right after new ROS boots for the first time (so one doesn't have to go via System->RouterBOARD->Upgrade manually) ... but an extra reboot is still necessary.

This has been discussed on this forum before ... and MT staffers' response was that it is not possible to flash new routerboot image before new ROS is booted. Personaly I have hard time believing this (I guess it would be non-trivial and might pose a threat to stability of upgrade process, but I'm pretty sure it would be possible to do it in same leg as ROS upgrade).

no

InfoForm · Mon Nov 13, 2023 5:29 pm

More harm can come from running a firmware version from 10 years ago, than upgrading the firmware each time automatically. I've seen too many MikroTik boxes in prod, running latest ROS, but firmware from 1965, and then they whine about why some SFP issue pops up or some other issues buried in the changelogs. I enforce auto-upgrade = yes as company policy, personally. But MikroTik could probably improve the user experience here, for sure.

I fully agree, we run into an issue when upgrading a CCR1009 with old firmware, after software update it never boot up, we have to do a net install.
This appends with 2 CCR1009 with old firmware and never with other CCR1009 having up to date firmware and bought at the same time.
As the firmware change every time now (at least the version), we set auto-upgrade = yes and do a reboot a minute or two after the upgrade.
Having this second reboot done automatically will be a good thing.

pe1chl · Mon Nov 13, 2023 5:50 pm

Of course he did not read what I wrote. I wrote "It is best to update the firmware once after purchase of the device" so you won't have ancient firmware.

DarkNate · Mon Nov 13, 2023 7:05 pm

Of course he did not read what I wrote. I wrote "It is best to update the firmware once after purchase of the device" so you won't have ancient firmware.

Bullshit. Buy a device today, netinstall with latest ROS and firmware. Now one year later, ROS version has changed 15 generations and firmware is 15 generations behind, and you're back to ancient firmware.

What advice are you even giving here? I don't see MikroTik advising customers to "run old firmware" in general. The consensus is ROS version and matching firmware versions ensures best possibility experience and stability.

vecino · Mon Nov 13, 2023 7:43 pm

@netravnen

I tried sha256, but it doesn't work. I've tried other keys - shorter and nothing.

FRRouting 9.0.1

ipv6 ospf6 authentication key-id 1 hash-algo hmac-sha-256 key 12CBFE21AC3D4D981AD4FD32C1A28E0DBE259A1F60E35BB6C4ADECD2989432F6

RouterOS 7.12

/routing ospf interface-template set *9 area=backbone-v3 auth=sha256 auth-id=1 auth-key=12CBFE21AC3D4D981AD4FD32C1A28E0DBE259A1F60E35BB6C4ADECD2989432F6 + etc

Log:

default-v3 { version: 3 router-id: 10.***.***.1 } backbone-v3 { 0.0.0.0 } interface { broadcast fe80::****:6eff:****:c79b%ether2 } authentication failed from fe80::****:efff:fef2:****%*2 sha mismatch

rextended · Mon Nov 13, 2023 9:27 pm

@pe1chl, @DarkNate
Wrong concept for both:
The point is not to keep the old firmware forever,
but is don't update it "instantly" when the new version comes out, without any test, automatically and without any control...
At least a waiting period of a few months and some test is recommended,
unless there is a very critical security update that do not involve fullshift™ CVE that start with "An authenticated user..."

mkx · Mon Nov 13, 2023 9:40 pm

I was unable to import the public key ED25519 from my YubiKey,

I successfully imported ed25519 keys, created by openssh. The pub file starts with "ssh-ed25519 ", continues with 69 characters (the actual publuc key) and followed with key owner identification (user@host). Format of file on yubikey is obviously different and it doesn't seem to be supported by ROS.

rtlx · Mon Nov 13, 2023 10:03 pm

*) ovpn - improved system stability;

Can confirm that the OpenVPN UDP issues described in viewtopic.php?p=1024643#p1024643 have been fixed in 7.12, at least for me.
So can we assume OpenVPN is in a state comparable to ROS 6 again, stability-wise? Every release after 7.6 has been horribly unstable (including numerous complete lockups) for me, for any system running even one OVPN client.

Would be awesome if I could actually try new versions again on important routers.

No in any way - see viewtopic.php?p=1035315#p1035315

Just look at the 7.13beta1 changelog:

*) ovpn - improved memory allocation during key-renegotiation;

Am I the only one with conclusion, that MikroTik programmers are reimplementing existing code? I have such fears for years now.
If they would be taking the original OpenVPN source code, then they won't have such problems - especially on the memory management level.

unlikely · Tue Nov 14, 2023 12:21 am

Are you sure it's not because the slot name of USB disk changes after reboot ?

Thanks for input. It seems to to me that the slot is always pcie1.

unlikely · Tue Nov 14, 2023 12:24 am

As usual, you do not provide any useful info, like from what version you upgrade...

As usual, I'm akways ready to reply to kind questions about useful informations needed to help me: from the previous version.

If you have any useful info, feel free to reply.

buset1974 · Tue Nov 14, 2023 8:08 am

Until v7.12 in MPLS L3 env/ topology.

/routing/route/print where routing-table=xxxx or /ip/route print where routing-table=xxxx did not show any routes when /ip/vrf interfaces=none.

Interfaces must fill with some working interfaces (dummy loopback) to make it works.
we also have to enable disable the /ip/vrf after interface set/added.

in v6, as long we create /ip route vrf name ,RD, import RT , export RT and even though interfaces value "empty" routing can be received/ shown.

thx

DarkNate · Tue Nov 14, 2023 3:24 pm

MikroTik's software quality is a very bad joke. Guys should go back to the first chapters of any good book on software engineering. It looks like in the past their software was written by the old timers and then the "young, dynamic, from big cities, who think they know better" came on board and ruined everything what the old timers put in place. That's why we have such a nightmare right now and that's why MikroTik can't be seen as a long term solution for production/enterprise/mission-critical networks. To this day, the simple PC with Linux OS is a few galaxys ahead of any MikroTik solution in terms of stability, reliability, updates...

Just look at the 7.13beta1 changelog:
Code: Select all
*) ovpn - improved memory allocation during key-renegotiation;
Am I the only one with conclusion, that MikroTik programmers are reimplementing existing code? I have such fears for years now.
If they would be taking the original OpenVPN source code, then they won't have such problems - especially on the memory management level.

I hope MikroTik does a clean, fresh, codebase for ROS v8 with fresh kernel base (latest long-term version at that point in time). Otherwise, we're really f***ed. At this point, Debian + FRR or BIRD or VPP is far more stable.

bajodel · Tue Nov 14, 2023 5:44 pm

(already said a couple of time in the last months .. and sent support requests)

Old v6 command "ip route check x.y.z.k" still missing!
e.g. /ip route check 8.8.8.8 (linux equivalent "ip route get 8.8.8.8")

It's very usefull when you have many routes in your routing table and you don't want to waste your time looking for the best match (and/or make mistakes chosing the wrong one when in a hurry or under pressure!)

it should be trivial to get it done..

Tue Nov 14, 2023 5:45 pm

Until v7.12 in MPLS L3 env/ topology.

/routing/route/print where routing-table=xxxx or /ip/route print where routing-table=xxxx did not show any routes when /ip/vrf interfaces=none.

Works for me in any version above 7.11

[admin@MikroTik] /ip/route> /ip vrf/print 
Flags: X - disabled; * - builtin 
 0    name="xx" interfaces=none 

 1  * name="main" interfaces=all 
[admin@MikroTik] /ip/route> /routing/route/print where routing-table=xx
Flags: U - UNREACHABLE; s - STATIC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE
    DST-ADDRESS  GATEWAY  AFI  DISTANCE  SCOPE  TARGET-SCOPE
UsH 0.0.0.0/0    1.2.3.4  ip4  1         30     10

densenator · Tue Nov 14, 2023 6:52 pm

Did you planned fixing upgrade routeros from dude?

buset1974 · Wed Nov 15, 2023 5:17 am

Until v7.12 in MPLS L3 env/ topology.

/routing/route/print where routing-table=xxxx or /ip/route print where routing-table=xxxx did not show any routes when /ip/vrf interfaces=none.

Works for me in any version above 7.11
Code: Select all
[admin@MikroTik] /ip/route> /ip vrf/print 
Flags: X - disabled; * - builtin 
 0    name="xx" interfaces=none 

 1  * name="main" interfaces=all 
[admin@MikroTik] /ip/route> /routing/route/print where routing-table=xx
Flags: U - UNREACHABLE; s - STATIC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE
    DST-ADDRESS  GATEWAY  AFI  DISTANCE  SCOPE  TARGET-SCOPE
UsH 0.0.0.0/0    1.2.3.4  ip4  1         30     10 

Dear Mrz,

please take a look this attachment.

this is when interfaces set to loopback

vrf-problem-v7-2.jpg

and this when i set interfaces-list into "none

vrf-problem-v7.jpg

thx

ZupoLlask · Wed Nov 15, 2023 10:35 am

from the previous version

And what is your previous version? 7.11.2?

fischerdouglas · Wed Nov 15, 2023 12:27 pm

(already said a couple of time in the last months .. and sent support requests)

Old v6 command "ip route check x.y.z.k" still missing!
e.g. /ip route check 8.8.8.8 (linux equivalent "ip route get 8.8.8.8")

It's very usefull when you have many routes in your routing table and you don't want to waste your time looking for the best match (and/or make mistakes chosing the wrong one when in a hurry or under pressure!)

it should be trivial to get it done..

Alias Commands (with args) would be a helpful solution to that...

fischerdouglas · Wed Nov 15, 2023 1:09 pm

https://cve.mitre.org/cgi-bin/cvename.c ... 2023-41570
"MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API."

MikroTik's stance of pretending that problems don't happen, and only recording in their release notes the CVEs that have immense repercussions is something they should feel ashamed of doing.

https://www.enricobassetti.it/2023/11/c ... -rest-api/
Timeline
I followed the responsible disclosure process described in the “Responsible disclosure of discovered vulnerabilities” page. I reported the vulnerability at 2023-08-19 09:46:00 UTC and received the ACK at 2023-08-24 07:43:00 UTC. The fix was released in version 7.12 at 2023-11-09 09:45:00 UTC (time point from RouterOS changelog).

*) www - fixed allowed address setting for REST API users;

wernerptu · Wed Nov 15, 2023 2:07 pm

Has anyone other than me noticed that this 7.12 update "killed" the stub area? I use stub area to summarize the PPPoE IPs and other IPs on each routerboard and only export /24 or larger blocks from the routerboard. I used it as follows and it works on 7.11.2 and earlier, but after updating to 7.12 it stopped working and even deleting, resetting and configuring it again, the routerboard doesn't work.

/routing ospf instance
add disabled=no name=backbone-v2 originate-default=never redistribute="" router-id=192.168.0.66 routing-table=main
add disabled=no name=backbone-v3 originate-default=never redistribute="" router-id=192.168.0.66 routing-table=main version=3
/routing ospf area
add disabled=no instance=backbone-v2 name=backbone-v2
add disabled=no instance=backbone-v3 name=backbone-v3
add area-id=0.0.0.66 disabled=no instance=backbone-v2 name=area-stub-v2 type=stub
add area-id=0.0.0.66 disabled=no instance=backbone-v3 name=area-stub-v3 type=stub
/routing ospf area range
add area=area-stub-v2 cost=10 disabled=no prefix=10.177.66.0/24
add area=area-stub-v2 cost=10 disabled=no prefix=100.70.66.0/24
add area=area-stub-v2 cost=10 disabled=no prefix=100.71.66.0/24
add area=area-stub-v2 cost=10 disabled=no prefix=172.17.66.0/24
add area=area-stub-v3 cost=10 disabled=no prefix=2804:XXXX:XXXX::/48
/routing ospf interface-template
add area=backbone-v2 cost=10 disabled=no interfaces=loopback networks=192.168.0.66/32 passive priority=1
add area=backbone-v3 cost=10 disabled=no interfaces=loopback networks=2804:XXXX:XXXX::/64 passive priority=1
add area=backbone-v2 cost=10 disabled=no interfaces=vlan10 networks=172.17.37.8/29 priority=1 type=ptp
add area=backbone-v3 cost=10 disabled=no interfaces=vlan10 priority=1 type=ptp
add area=area-stub-v2 comment="AREA STUB" cost=10 disabled=no networks=10.177.66.0/24,100.70.66.0/24,100.71.66.0/24,172.17.66.0/24 passive priority=1 type=ptp
add area=area-stub-v3 comment="AREA STUB" cost=10 disabled=no networks=2804:XXXX:XXXX::/48 passive priority=1 type=ptp

The only thing that I found strange (but it only works like that), was having to announce the stub area with type=ptp, instead of type=broadcast.

OpnsrC · Wed Nov 15, 2023 4:59 pm

I've been struggling with upgrading my hAP AX3 from 7.8. Any releases after, including 7.12, break it with the same disconnection behaviour on the log (see attachment). This setup has worked for me back in the 6.x (hAP AC) up until 7.8 (hAP AX3). I've combed through my config several times but couldn't find any obvious misconfiguration issues. I'm hoping somebody more knowledgeable than me can help. It's a "simple" setup and a short config. I would really appreciate your help, good people!

My hEX S has been upgrading like a champ and is on the latest 7.12 ROS version.

Update: Issue Fixed
- Turns out I just had to set the wireless interfaces as tagged instead of untagged under interface/bridge/vlan.
I don't know how I had that setup running for years but it ran without any issue. I had to reread the manual to find the answer for this updated ROS version.

brotherdust · Wed Nov 15, 2023 6:45 pm

Has anyone other than me noticed that this 7.12 update "killed" the stub area? I use stub area to summarize the PPPoE IPs and other IPs on each routerboard and only export /24 or larger blocks from the routerboard. I used it as follows and it works on 7.11.2 and earlier, but after updating to 7.12 it stopped working and even deleting, resetting and configuring it again, the routerboard doesn't work.

/routing ospf instance
add disabled=no name=backbone-v2 originate-default=never redistribute="" router-id=192.168.0.66 routing-table=main
add disabled=no name=backbone-v3 originate-default=never redistribute="" router-id=192.168.0.66 routing-table=main version=3
/routing ospf area
add disabled=no instance=backbone-v2 name=backbone-v2
add disabled=no instance=backbone-v3 name=backbone-v3
add area-id=0.0.0.66 disabled=no instance=backbone-v2 name=area-stub-v2 type=stub
add area-id=0.0.0.66 disabled=no instance=backbone-v3 name=area-stub-v3 type=stub
/routing ospf area range
add area=area-stub-v2 cost=10 disabled=no prefix=10.177.66.0/24
add area=area-stub-v2 cost=10 disabled=no prefix=100.70.66.0/24
add area=area-stub-v2 cost=10 disabled=no prefix=100.71.66.0/24
add area=area-stub-v2 cost=10 disabled=no prefix=172.17.66.0/24
add area=area-stub-v3 cost=10 disabled=no prefix=2804:XXXX:XXXX::/48
/routing ospf interface-template
add area=backbone-v2 cost=10 disabled=no interfaces=loopback networks=192.168.0.66/32 passive priority=1
add area=backbone-v3 cost=10 disabled=no interfaces=loopback networks=2804:XXXX:XXXX::/64 passive priority=1
add area=backbone-v2 cost=10 disabled=no interfaces=vlan10 networks=172.17.37.8/29 priority=1 type=ptp
add area=backbone-v3 cost=10 disabled=no interfaces=vlan10 priority=1 type=ptp
add area=area-stub-v2 comment="AREA STUB" cost=10 disabled=no networks=10.177.66.0/24,100.70.66.0/24,100.71.66.0/24,172.17.66.0/24 passive priority=1 type=ptp
add area=area-stub-v3 comment="AREA STUB" cost=10 disabled=no networks=2804:XXXX:XXXX::/48 passive priority=1 type=ptp

The only thing that I found strange (but it only works like that), was having to announce the stub area with type=ptp, instead of type=broadcast.

I've noticed this problem too. type=PTP doesn't fix it. I'll open a ticket with Mikrotik.

Edit:
Or not. Support portal is down lol

pe1chl · Wed Nov 15, 2023 8:54 pm

Just look at the 7.13beta1 changelog:
Code: Select all
*) ovpn - improved memory allocation during key-renegotiation;
Am I the only one with conclusion, that MikroTik programmers are reimplementing existing code? I have such fears for years now.
If they would be taking the original OpenVPN source code, then they won't have such problems - especially on the memory management level.

That is correct! Many functions that are readily available as open source projects are being re-implemented. Not everything, though.
We can only guess what is the reason. Maybe they don't like the licensing terms, maybe they don't want to contribute code back to the upstream when that is a requirement, maybe the open source versions are just too large to fit in that silly 16MB flash that so many MikroTik devices have.
OpenVPN is a wellknown troublespot. It is not an accident that they call it "ovpn" and not "OpenVPN". It is just a VPN that often interworks with OpenVPN, and also often not.

Another one is the DNS resolver. It has been broken again and again during extenstions with new functions, that are often done in a quite peculiar way (look at DoH...). And after all that, we still don't have DNSSEC support.
It would have been so much better when a well-developed and tested open source resolver had been taken onboard. I would say "unbound", others maybe say "dnsmasq". But it would have been through all the cycles of bugs that we now saw in RouterOS, and more feature-complete as well.
Yet they decide to waste time on development. Probably for a good reason, and the space restriction may be an important one.

rtlx · Wed Nov 15, 2023 9:34 pm

jbl42 · Thu Nov 16, 2023 12:45 am

I would say "unbound", others maybe say "dnsmasq"

I would also say "powerdns" ;-)

While I agree with your sentiments, at least since we have Docker this can be solved easily.
I started to run PowerDns and dnsmasq images, both working with almost no issues. Especially on the CCR2xxx with internal SSDs. But also on RB5009 with external USB SSD.

spippan · Thu Nov 16, 2023 12:51 am

(already said a couple of time in the last months .. and sent support requests)

Old v6 command "ip route check x.y.z.k" still missing!
e.g. /ip route check 8.8.8.8 (linux equivalent "ip route get 8.8.8.8")

It's very usefull when you have many routes in your routing table and you don't want to waste your time looking for the best match (and/or make mistakes chosing the wrong one when in a hurry or under pressure!)

it should be trivial to get it done..

something like that really needs to be implemented ASAP.
even a route table below 200 routes is a PITA to search and look if a given DST matches a fdb installed route!

look at the cisco equivalent "show ip route x.x.x.x" or checkpoint "show route destination x.x.x.x"

Thu Nov 16, 2023 1:01 am

cisco "show ip route x.x.x.x" is not equivalent to "ip route check".
You can already do the same as ciscos show ip route with

ip route print where x.x.x.x in dst-address

spippan · Thu Nov 16, 2023 2:45 am

cisco "show ip route x.x.x.x" is not equivalent to "ip route check".
You can already do the same as ciscos show ip route with
Code: Select all
ip route print where x.x.x.x in dst-address

neither is

ip route print where x.x.x.x in dst-address

an equivalent to cisco "show ip route x.x.x.x"
cisco gives a definitive result which mirrors the routers routing decision rather then MTs version of "hey i got these routes which MIGHT could be used to route your asked DST"

a "show" cmd. to reflect the routers routing decision to the current FDB would be great.
maybe there is one i do not know about yet...

bgp4 · Thu Nov 16, 2023 10:14 am

It seems that v7.12 stable will not generate OSPF LSA type3 - “inter-area-prefix“ while v7.11.2 stable is ok.
Here are configs:

[admin@ROS7.11.2A] >export
/ip address
add address=10.0.0.1/24 interface=ether1 network=10.0.0.0
add address=192.168.1.1/25 interface=ether2 network=192.168.1.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.1.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.1 disabled=no instance=ospf-instance-1 name=1
/routing ospf area range
add area=1 disabled=no prefix=192.168.1.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=1 disabled=no interface=ether2

[admin@ROS7.11.2B] >export
/ip address
add address=10.0.0.2/24 interface=ether1 network=10.0.0.0
add address=192.168.2.1/25 interface=ether2 network=192.168.2.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.2.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.2 disabled=no instance=ospf-instance-1 name=2
/routing ospf area range
add area=2 disabled=no prefix=192.168.2.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=2 disabled=no interface=ether2

[admin@ROS7.12A] >export
/ip address
add address=10.0.0.3/24 interface=ether1 network=10.0.0.0
add address=192.168.3.1/25 interface=ether2 network=192.168.3.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.3.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.3 disabled=no instance=ospf-instance-1 name=3
/routing ospf area range
add area=3 disabled=no prefix=192.168.3.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=3 disabled=no interface=ether2

[admin@ROS7.12B] >export
/ip address
add address=10.0.0.4/24 interface=ether1 network=10.0.0.0
add address=192.168.4.1/25 interface=ether2 network=192.168.4.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.4.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.4 disabled=no instance=ospf-instance-1 name=4
/routing ospf area range
add area=4 disabled=no prefix=192.168.4.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=4 disabled=no interface=ether2

I've opened a ticket in support portal, SUP-134571

Thu Nov 16, 2023 10:31 am

Well, as far as I know, the GPL license obligates, that any work based on existing GPL-licensed project must also be licensed under GPL. MikroTik doesn't comply to this and that's why in the past there were some questions about this very issue, like viewtopic.php?t=100746

What makes you think mikrotik does not comply? Internet rumors? posts from 10 years ago?

pe1chl · Thu Nov 16, 2023 10:35 am

cisco gives a definitive result which mirrors the routers routing decision rather then MTs version of "hey i got these routes which MIGHT could be used to route your asked DST"

a "show" cmd. to reflect the routers routing decision to the current FDB would be great.

Unfortunately it is not that easy. Remember you can have multiple routing tables with rules, route marking in mangle, and even VRF.

unlikely · Thu Nov 16, 2023 12:09 pm

from the previous version
And what is your previous version? 7.11.2?

The previous version was 7.11.2

Guessing if the issue I had and I have is related to other Dude issue I now read in this topic...

brandaoeb · Thu Nov 16, 2023 3:29 pm

Hi:
My RB4011 on firmware 7.12 reboot random from 45m to 3 ir 6 hours, on firmware 7.11.2 works fine.!!!
Can anyone help ir a clue, no messages on logs nothing .... Just reboots.

pe1chl · Thu Nov 16, 2023 3:50 pm

My RB4011 on firmware 7.12 reboot random from 45m to 3 ir 6 hours, on firmware 7.11.2 works fine.!!!
Can anyone help ir a clue, no messages on logs nothing .... Just reboots.

My RB4011 runs fine in 7.12
What are the first 5 messages after boot?
When you no longer can see these because there are a lot of other messages, configure logging to disk or syslog server...

brandaoeb · Thu Nov 16, 2023 5:15 pm

15:09:53 dns,error DoH server connection error: Network unreachable
15:09:53 dns,error DoH server connection error: Network unreachable [ignoring repeated messages]
15:09:56 interface,info BridgeLAN20 detect LAN
15:09:56 interface,info BridgeTSJogos detect LAN
15:10:04 interface,info ISP_1 link up
15:10:05 bridge,info "BridgeLAN20" mac address changed to xx.xx.xx.xx.....
15:10:05 interface,info Vlan98 link up
15:10:05 interface,info Vlan99 link up
15:10:05 interface,info vlan200 link up
15:10:05 interface,info vlan300 link up
15:10:05 interface,info vlan301 link up

brandaoeb · Thu Nov 16, 2023 5:17 pm

i no longer have 7.12 instaled but it was like this, the time was 00:02 or similar

brandaoeb · Thu Nov 16, 2023 5:20 pm

i have checked transformer and replaced ... the same i have used POE .. same thing. when i return to 7.11.2 OK..??!!

sas2k · Thu Nov 16, 2023 10:22 pm

New problem with DoH.
"Verify DoH certificate" was always on.
" /certificate/settings/set crl-use=no" was set after update to 7.12.

rb4011, after reboot some sites are resolved, some not!
For sure before each test I make DNS cache flush.

My Config :
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
add address=8.8.8.8 name=dns.google
add address=8.8.4.4 name=dns.google
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d use-doh-server=\
https://dns.google/dns-query verify-doh-cert=yes

The error can be seen at any device connected to router as unable to resolve dns

Mikrotik does the same:

[sas@MikroTik] > ping libreswan.org
invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
while resolving ip-address: could not get answer from dns server

After I switched off "verify-doh-cert=no", everything works fine.
Trust certs imported of course.
Ipv6 was always disabled.

aivarsm · Fri Nov 17, 2023 10:36 am

i can not add new cap to existed old capsMan

erlinden · Fri Nov 17, 2023 10:39 am

i can not add new cap to existed old capsMan

cAP ac or cAP ax? For the latter you will have to wait for v7.13 (currently beta) to be able.

aivarsm · Fri Nov 17, 2023 10:40 am

RBcAPGi-5acD2nD to RBD52G-5HacD2HnD

Fri Nov 17, 2023 11:44 am

So you're trying to add cAP XL ac to capsman controller running on AC2.
Correct ?

AC2 is running which version ? And which packages on it ?
cAP XL ac is running which version ? And which packages on it ?

aivarsm · Fri Nov 17, 2023 12:42 pm

nop
i am trying add cAP AC to hAP AC2
both are old AC.
manual provisioning works from `CAP Interface` tabs

actck · Fri Nov 17, 2023 2:38 pm

7.12 broken sfp pon-stick (model:XE-99S)
When the system reboot, pon-stick can not init successful although the port show 10G-UP.
Good job.

msaxl · Fri Nov 17, 2023 3:24 pm

It seems that v7.12 stable will not generate OSPF LSA type3 - “inter-area-prefix“ while v7.11.2 stable is ok.
Here are configs:

[admin@ROS7.11.2A] >export
/ip address
add address=10.0.0.1/24 interface=ether1 network=10.0.0.0
add address=192.168.1.1/25 interface=ether2 network=192.168.1.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.1.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.1 disabled=no instance=ospf-instance-1 name=1
/routing ospf area range
add area=1 disabled=no prefix=192.168.1.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=1 disabled=no interface=ether2

[admin@ROS7.11.2B] >export
/ip address
add address=10.0.0.2/24 interface=ether1 network=10.0.0.0
add address=192.168.2.1/25 interface=ether2 network=192.168.2.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.2.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.2 disabled=no instance=ospf-instance-1 name=2
/routing ospf area range
add area=2 disabled=no prefix=192.168.2.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=2 disabled=no interface=ether2

[admin@ROS7.12A] >export
/ip address
add address=10.0.0.3/24 interface=ether1 network=10.0.0.0
add address=192.168.3.1/25 interface=ether2 network=192.168.3.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.3.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.3 disabled=no instance=ospf-instance-1 name=3
/routing ospf area range
add area=3 disabled=no prefix=192.168.3.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=3 disabled=no interface=ether2

[admin@ROS7.12B] >export
/ip address
add address=10.0.0.4/24 interface=ether1 network=10.0.0.0
add address=192.168.4.1/25 interface=ether2 network=192.168.4.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.4.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.4 disabled=no instance=ospf-instance-1 name=4
/routing ospf area range
add area=4 disabled=no prefix=192.168.4.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=4 disabled=no interface=ether2

I've opened a ticket in support portal, SUP-134571

had the same issue beginning with 7.12rc2, the issue seems to be, as you said, that "directly" connected routes are not sent over area boundaries (lsa's of other routers are though). 7.13beta1 seems to fix it already, so I think they are aware of this but since nobody noticed the did not bother putting it in changelog (or 7.13 was branched before 7.12rc2 and is about to have that issue backported)

Swordforthelord · Fri Nov 17, 2023 5:02 pm

I created an IPv4 input rule on a hAP ac2 and I restricted it to an address list but the address list restriction did not work until I rebooted the router. Has anyone else encountered this?

mkx · Fri Nov 17, 2023 5:08 pm

I'm pretty sure address lists "work" immediately. There's another "gem" with regard to firewall: new drop rules only affect new connections. Already established connectiobs are not affected. Clearing connection tracking table does the job (but drops all the rest of established connections, unrelated to the new rule) and rebooting router is one way to achieve this.

anav · Fri Nov 17, 2023 5:13 pm

Nice explanation!

Swordforthelord · Fri Nov 17, 2023 5:14 pm

I'm pretty sure address lists "work" immediately. There's another "gem" with regard to firewall: new drop rules only affect new connections. Already established connectiobs are not affected. Clearing connection tracking table does the job (but drops all the rest of established connections, unrelated to the new rule) and rebooting router is one way to achieve this.

Agreed, I've never before implemented an address list that did not take effect immediately.
The need to clear the state table to allow new rules to work is normal, both for Mikrotik and other products. I checked the table before rebooting though, just to be thorough, and there were no established connections related to the issue I was experiencing. My logs showed multiple attempts from various sources and I tested myself from an unauthorized IP and was able to get through. After the reboot, everything was properly restricted.

jbl42 · Fri Nov 17, 2023 5:29 pm

There's another "gem" with regard to firewall: new drop rules only affect new connections

This is based on how iptables work: existing connections are in established stated what us usually handled by "established, related, (untracked)" rules before drop rules.
So new drop rules only apply to connections with state "new", what does not include existing connections.

What can be done is using a script traversing the connection table and dropping all existing connections with source/dest IP addresses/ports as matched by the new drop rule.

spippan · Fri Nov 17, 2023 5:33 pm

cisco gives a definitive result which mirrors the routers routing decision rather then MTs version of "hey i got these routes which MIGHT could be used to route your asked DST"

a "show" cmd. to reflect the routers routing decision to the current FDB would be great.
Unfortunately it is not that easy. Remember you can have multiple routing tables with rules, route marking in mangle, and even VRF.

to clarify:
in cisco world "show ip route w.x.y.z" is checked against the "main" routing table
for VRFs it is "show ip route vrf ABC w.x.y.z"

somthing like that i guess could also be implemented in ROS.

pe1chl · Fri Nov 17, 2023 5:37 pm

For VRF, yes. But RouterOS can also policy-route depending on source address, incoming interface, or routing mark (assigned in firewall mangle rule).
This is often used for loadbalancing/failover or for overlay networks, where VRF is much too restrictive.

akeeltaj · Fri Nov 17, 2023 8:45 pm

Any idea why PoE auto was removed for L009?

pe1chl · Fri Nov 17, 2023 10:33 pm

Any idea why PoE auto was removed for L009?

Most likely the hardware did not (reliably) support it...

brandaoeb · Sat Nov 18, 2023 8:43 am

Router 4011 reboots on 7.12
i have opened a support ticket: SUP-134808
Back to 7.11.2

bajodel · Sat Nov 18, 2023 1:28 pm

For VRF, yes. But RouterOS can also policy-route depending on source address, incoming interface, or routing mark (assigned in firewall mangle rule).
This is often used for loadbalancing/failover or for overlay networks, where VRF is much too restrictive.

You're right, but I'd be fine with the funcionality already present in ros6. More often than not in a core network you're not using strange policy-routes or magle manipulations, but you've plenty of routers & routes where you have to struggle to find the best match and follow it. When we have an issue and little time to troubleshoot these tools are life savers!
Besides, I guess I'm not the only one that avoid using conntrack in those routers (zero fw rules) to get simplicity and/or top performaces; in these cases if we need load balancing we go for ECMP (even though it's rare).

faxxe · Sat Nov 18, 2023 9:37 pm

CCR1009-7G-1C-1S+

As with every version since 7.8:
Suddenly the connection becomes slow; mostly the upload. Only a tenth of the line.

Now also with 7.12
Instead of 50Mbit upload only 10% of it. This after approx. 7 days of uptime.
With 7.8 on CCR1009 it was last +90 days without problems.

Netinstall 7.8

That was it.

Hominidae · Sat Nov 18, 2023 11:54 pm

Router 4011 reboots on 7.12
i have opened a support ticket: SUP-134808
Back to 7.11.2

Nope, not mine..must be unique to your setup/environment.

Joe1vm · Sun Nov 19, 2023 10:09 am

Hello, I am still facing the SA Query Timeout issue and some WIFi devices do not roam properly between the access points.
The workaround /interface/wifiwave2/configuration> set [find] security.connect-priority=0/1 works, but I am not sure that this is the right approach.

bbs2web · Sun Nov 19, 2023 10:34 am

Unable to get hardware offloading working on a hAP ax3 (C53UiG+5HPaxD2HPaxD), any suggestions?

/interface bridge
  add add-dhcp-option82=yes dhcp-snooping=yes name=bridge priority=0x7000 vlan-filtering=yes
/interface bridge port
  add bridge=bridge interface=ether1 trusted=yes comment="Uplink to core:"
  add bpdu-guard=yes bridge=bridge interface=ether2 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether3 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether4 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether5 restricted-role=yes
  add bridge=bridge interface=wifi1
  add bridge=bridge interface=wifi2
  add bridge=bridge interface=wifi3
  add bridge=bridge interface=wifi4
  add bridge=bridge interface=wifi5
  add bridge=bridge interface=wifi6
/interface bridge vlan
  add bridge=bridge tagged=bridge vlan-ids=1
  add bridge=bridge tagged=bridge,ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=52
  add bridge=bridge tagged=bridge,ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=53
  add bridge=bridge tagged=bridge,ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=666
  add bridge=bridge tagged=bridge,ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=667

Status:

[admin@Ash - Cottage] > int bridge/port print 
Flags: I - INACTIVE
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HOR
IZON
 #   INTERFACE  BRIDGE  HW   PVID  PRIORITY  PATH-COST  IN  HORIZON
 0   ether1     bridge  yes     1  0x80             10  10  none   
 1 I ether2     bridge  yes     1  0x80             10  10  none   
 2 I ether3     bridge  yes     1  0x80             10  10  none   
 3 I ether4     bridge  yes     1  0x80             10  10  none   
 4 I ether5     bridge  yes     1  0x80             10  10  none   
 5   wifi1      bridge          1  0x80             10  10  none   
 6   wifi2      bridge          1  0x80             10  10  none   
 7   wifi3      bridge          1  0x80             10  10  none   
 8   wifi4      bridge          1  0x80             10  10  none   
 9   wifi5      bridge          1  0x80             10  10  none   
10   wifi6      bridge          1  0x80             10  10  none

Similar configuration on a RB5009UG+S+ works perfectly:

/interface bridge
  add add-dhcp-option82=yes dhcp-snooping=yes name=bridge priority=0x6000 vlan-filtering=yes
/interface bridge port
  add bridge=bridge interface=ether1 restricted-role=yes trusted=yes
  add bridge=bridge interface=ether2 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether3 pvid=52 restricted-role=yes
  add bridge=bridge interface=ether4 restricted-role=yes
  add bridge=bridge interface=ether5 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether6 pvid=53 restricted-role=yes
  add bridge=bridge interface=ether7 restricted-role=yes
  add bridge=bridge interface=ether8 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=sfp-sfpplus1 restricted-role=yes
/interface bridge vlan
  add bridge=bridge tagged=bridge vlan-ids=1
  add bridge=bridge tagged=bridge,ether1,ether2,ether4,ether5,ether7,ether8 vlan-ids=52
  add bridge=bridge tagged=bridge,ether1,ether2,ether4,ether5,ether7,ether8 vlan-ids=53
  add bridge=bridge tagged=bridge,ether5 vlan-ids=200
  add bridge=bridge tagged=bridge,ether1,ether2,ether5,ether7,ether8 vlan-ids=666
  add bridge=bridge tagged=bridge,ether1,ether2,ether5,ether7,ether8 vlan-ids=667

Status:

[admin@Ash - Core] > int bridge/port print 
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#    INTERFACE     BRIDGE           HW   PVID  PRIORITY  PATH-COST  IN  HORIZON
0  H ether1        bridge           yes     1  0x80             10  10  none
1  H ether2        bridge           yes     1  0x80             10  10  none   
2  H ether3        bridge           yes    52  0x80             10  10  none   
3  H ether4        bridge           yes     1  0x80             10  10  none   
4  H ether5        bridge           yes     1  0x80             10  10  none   
5 IH ether6        bridge           yes    53  0x80             10  10  none   
6  H ether7        bridge           yes     1  0x80             10  10  none   
7  H ether8        bridge           yes     1  0x80             10  10  none   
8 IH sfp-sfpplus1  bridge           yes     1  0x80             10  10  none

whatever · Sun Nov 19, 2023 11:49 am

Hello, I am still facing the SA Query Timeout issue and some WIFi devices do not roam properly between the access points.
The workaround /interface/wifiwave2/configuration> set [find] security.connect-priority=0/1 works, but I am not sure that this is the right approach.

Thank you very much for that hint. I set up a mixed wave2 capsman setup with hap ax² and hap ac² and was wondering why roaming with my android phone was sometimes very slow.
Setting connect-priority=0/1 fixed it for me as well! Reading to the documentation, I don't see any issue with it: All it appears to do is preferring new AP connections to existing ones. Unless someone in your network is spoofing MAC addresses it should be fine.

MrYan · Sun Nov 19, 2023 11:56 am

Unable to get hardware offloading working on a hAP ax3 (C53UiG+5HPaxD2HPaxD), any suggestions?

The IPQ-PPE switch isn't supported yet for L2HW offload.

krli · Sun Nov 19, 2023 5:30 pm

Same thing here. Nothing from local areas is exported, it doesn't work having the area configured as nssa nor default.

OSPF stopped exporting local areas, again :-/ Has been working fine with 7.11.2, now everything needs to go into the backbone area to be functional. Looks very much like a regression to me, as I've seen this in the past but it then got better (and now worse again *sigh*)

challado · Sun Nov 19, 2023 10:36 pm

Same problem here. Wifi problems with HW-OFFLOAD on hAP ax^3
Latest versions of mikrotik solve the problem to some hardwares, bring problem to others. Solve to others, back to some. Very complicated.

Unable to get hardware offloading working on a hAP ax3 (C53UiG+5HPaxD2HPaxD), any suggestions?

/interface bridge
  add add-dhcp-option82=yes dhcp-snooping=yes name=bridge priority=0x7000 vlan-filtering=yes
/interface bridge port
  add bridge=bridge interface=ether1 trusted=yes comment="Uplink to core:"
  add bpdu-guard=yes bridge=bridge interface=ether2 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether3 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether4 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether5 restricted-role=yes
  add bridge=bridge interface=wifi1
  add bridge=bridge interface=wifi2
  add bridge=bridge interface=wifi3
  add bridge=bridge interface=wifi4
  add bridge=bridge interface=wifi5
  add bridge=bridge interface=wifi6
/interface bridge vlan
  add bridge=bridge tagged=bridge vlan-ids=1
  add bridge=bridge tagged=bridge,ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=52
  add bridge=bridge tagged=bridge,ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=53
  add bridge=bridge tagged=bridge,ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=666
  add bridge=bridge tagged=bridge,ether1,wifi1,wifi2,wifi3,wifi4,wifi5,wifi6 vlan-ids=667

Status:

[admin@Ash - Cottage] > int bridge/port print 
Flags: I - INACTIVE
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HOR
IZON
 #   INTERFACE  BRIDGE  HW   PVID  PRIORITY  PATH-COST  IN  HORIZON
 0   ether1     bridge  yes     1  0x80             10  10  none   
 1 I ether2     bridge  yes     1  0x80             10  10  none   
 2 I ether3     bridge  yes     1  0x80             10  10  none   
 3 I ether4     bridge  yes     1  0x80             10  10  none   
 4 I ether5     bridge  yes     1  0x80             10  10  none   
 5   wifi1      bridge          1  0x80             10  10  none   
 6   wifi2      bridge          1  0x80             10  10  none   
 7   wifi3      bridge          1  0x80             10  10  none   
 8   wifi4      bridge          1  0x80             10  10  none   
 9   wifi5      bridge          1  0x80             10  10  none   
10   wifi6      bridge          1  0x80             10  10  none

Similar configuration on a RB5009UG+S+ works perfectly:

/interface bridge
  add add-dhcp-option82=yes dhcp-snooping=yes name=bridge priority=0x6000 vlan-filtering=yes
/interface bridge port
  add bridge=bridge interface=ether1 restricted-role=yes trusted=yes
  add bridge=bridge interface=ether2 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether3 pvid=52 restricted-role=yes
  add bridge=bridge interface=ether4 restricted-role=yes
  add bridge=bridge interface=ether5 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether6 pvid=53 restricted-role=yes
  add bridge=bridge interface=ether7 restricted-role=yes
  add bridge=bridge interface=ether8 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=sfp-sfpplus1 restricted-role=yes
/interface bridge vlan
  add bridge=bridge tagged=bridge vlan-ids=1
  add bridge=bridge tagged=bridge,ether1,ether2,ether4,ether5,ether7,ether8 vlan-ids=52
  add bridge=bridge tagged=bridge,ether1,ether2,ether4,ether5,ether7,ether8 vlan-ids=53
  add bridge=bridge tagged=bridge,ether5 vlan-ids=200
  add bridge=bridge tagged=bridge,ether1,ether2,ether5,ether7,ether8 vlan-ids=666
  add bridge=bridge tagged=bridge,ether1,ether2,ether5,ether7,ether8 vlan-ids=667

Status:

[admin@Ash - Core] > int bridge/port print 
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#    INTERFACE     BRIDGE           HW   PVID  PRIORITY  PATH-COST  IN  HORIZON
0  H ether1        bridge           yes     1  0x80             10  10  none
1  H ether2        bridge           yes     1  0x80             10  10  none   
2  H ether3        bridge           yes    52  0x80             10  10  none   
3  H ether4        bridge           yes     1  0x80             10  10  none   
4  H ether5        bridge           yes     1  0x80             10  10  none   
5 IH ether6        bridge           yes    53  0x80             10  10  none   
6  H ether7        bridge           yes     1  0x80             10  10  none   
7  H ether8        bridge           yes     1  0x80             10  10  none   
8 IH sfp-sfpplus1  bridge           yes     1  0x80             10  10  none

buset1974 · Mon Nov 20, 2023 5:21 am

It seems that v7.12 stable will not generate OSPF LSA type3 - “inter-area-prefix“ while v7.11.2 stable is ok.
Here are configs:

[admin@ROS7.11.2A] >export
/ip address
add address=10.0.0.1/24 interface=ether1 network=10.0.0.0
add address=192.168.1.1/25 interface=ether2 network=192.168.1.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.1.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.1 disabled=no instance=ospf-instance-1 name=1
/routing ospf area range
add area=1 disabled=no prefix=192.168.1.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=1 disabled=no interface=ether2

[admin@ROS7.11.2B] >export
/ip address
add address=10.0.0.2/24 interface=ether1 network=10.0.0.0
add address=192.168.2.1/25 interface=ether2 network=192.168.2.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.2.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.2 disabled=no instance=ospf-instance-1 name=2
/routing ospf area range
add area=2 disabled=no prefix=192.168.2.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=2 disabled=no interface=ether2

[admin@ROS7.12A] >export
/ip address
add address=10.0.0.3/24 interface=ether1 network=10.0.0.0
add address=192.168.3.1/25 interface=ether2 network=192.168.3.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.3.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.3 disabled=no instance=ospf-instance-1 name=3
/routing ospf area range
add area=3 disabled=no prefix=192.168.3.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=3 disabled=no interface=ether2

[admin@ROS7.12B] >export
/ip address
add address=10.0.0.4/24 interface=ether1 network=10.0.0.0
add address=192.168.4.1/25 interface=ether2 network=192.168.4.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.4.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.4 disabled=no instance=ospf-instance-1 name=4
/routing ospf area range
add area=4 disabled=no prefix=192.168.4.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=4 disabled=no interface=ether2

I've opened a ticket in support portal, SUP-134571

have you try v 7.13.x?
is it fixed yet?

thx

msaxl · Mon Nov 20, 2023 11:03 am

It seems that v7.12 stable will not generate OSPF LSA type3 - “inter-area-prefix“ while v7.11.2 stable is ok.
Here are configs:

[admin@ROS7.11.2A] >export
/ip address
add address=10.0.0.1/24 interface=ether1 network=10.0.0.0
add address=192.168.1.1/25 interface=ether2 network=192.168.1.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.1.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.1 disabled=no instance=ospf-instance-1 name=1
/routing ospf area range
add area=1 disabled=no prefix=192.168.1.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=1 disabled=no interface=ether2

[admin@ROS7.11.2B] >export
/ip address
add address=10.0.0.2/24 interface=ether1 network=10.0.0.0
add address=192.168.2.1/25 interface=ether2 network=192.168.2.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.2.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.2 disabled=no instance=ospf-instance-1 name=2
/routing ospf area range
add area=2 disabled=no prefix=192.168.2.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=2 disabled=no interface=ether2

[admin@ROS7.12A] >export
/ip address
add address=10.0.0.3/24 interface=ether1 network=10.0.0.0
add address=192.168.3.1/25 interface=ether2 network=192.168.3.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.3.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.3 disabled=no instance=ospf-instance-1 name=3
/routing ospf area range
add area=3 disabled=no prefix=192.168.3.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=3 disabled=no interface=ether2

[admin@ROS7.12B] >export
/ip address
add address=10.0.0.4/24 interface=ether1 network=10.0.0.0
add address=192.168.4.1/25 interface=ether2 network=192.168.4.0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=192.168.4.1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=BB
add area-id=0.0.0.4 disabled=no instance=ospf-instance-1 name=4
/routing ospf area range
add area=4 disabled=no prefix=192.168.4.0/24
/routing ospf interface-template
add area=BB disabled=no interface=ether1
add area=4 disabled=no interface=ether2

I've opened a ticket in support portal, SUP-134571

have you try v 7.13.x?
is it fixed yet?

thx

as said, 7.13beta1 and beta2 never had that issue. The real question is is that because they forked the 7.13 branch before 7.12rc2 (since they never noted something about ospf in the changelog of 7.13) or did they simply not mention that in the changelog hoping that nobody noticed the issue

msaxl · Mon Nov 20, 2023 11:05 am

Same thing here. Nothing from local areas is exported, it doesn't work having the area configured as nssa nor default.

OSPF stopped exporting local areas, again :-/ Has been working fine with 7.11.2, now everything needs to go into the backbone area to be functional. Looks very much like a regression to me, as I've seen this in the past but it then got better (and now worse again *sigh*)

my tests showed that it is not that local areas are not exported but routes that are "local" to the router do not cross area boundaries. putting everything in one area is a possibility to workaround this.

krli · Mon Nov 20, 2023 11:34 am

Same thing here. Nothing from local areas is exported, it doesn't work having the area configured as nssa nor default.

my tests showed that it is not that local areas are not exported but routes that are "local" to the router do not cross area boundaries. putting everything in one area is a possibility to workaround this.

Correct. It doesn't redistribute any connected route (I tested with interface templates by interface and by network). I wonder if enabling "redistribute connected" would make it work, but our routers are in production and I cannot test it (there are many connected routes that I don't want to redistribute). I downgraded to 7.11.2 and everything went back to normal.

msaxl · Mon Nov 20, 2023 11:57 am

it redistributes connected routes, but only on the area the route belongs to (this is why putting everything in for example area 0/backbone "fixes" it). "external" routes (= "redistribute connected") might work though since that is not bound to an area, so if it shows up it should show up on any area.
In short the issue is as someone already mentioned: inter-area routes are not generated.

ggr4y · Mon Nov 20, 2023 7:16 pm

After upgrade to RouterOS v7.12, my router on x86
experiencing RX errors on 10Gb interface on Intel X520
card. Can anybody help me to solve this problem?

ID · Mon Nov 20, 2023 8:27 pm

According to changelog intel drivers updated.

*) x86 - ixgbe updated driver to 5.19.6 version;

Be sure card firmware up-to-date also.

jplitza · Tue Nov 21, 2023 12:51 pm

To answer my own questions:

*) qsfp - use sub-interface configuration for establishing link (for 40Gbps and 100Gbps links, all sub-interfaces must be enabled);
Does that mean if I want to have a 40G link on the qsfp28-1 port of a CCR2216-1G-12XS-2XQ, I have to enable all qsfp28-1-{1,2,3,4} interfaces before updating? What will be the state of those sub-interfaces when the 40G link is established?

No, it works with sub-interfaces disabled.

*) route - reverse community "delete" and "filter" command behavior;
So is the documented behavior the old or the new one? Could you please – whichever it is – clarify the documentation?

The documented behavior (delete=remove matching, filter=remove non-matching) is the new one. Before 7.12, it worked the other way round.

Tue Nov 21, 2023 2:06 pm

What's new in 7.12.1 (2023-Nov-17 13:38):

*) defconf - fixed bogus wifi password on certain Audience devices;
*) ipv6 - do not send out IPv6 RA deprecate message for re-used prefix;
*) ospf - fixed LSA Type3 advertisement for OSPFv2;
*) ppc - fixed RouterOS bootup (introduced in v7.12);
*) qsfp - fixed supported rates for breakout cables;
*) winbox - added missing arguments for "MAC Format" under "Wireless/Security Profiles/RADIUS" menu;