v7.15rc [testing] is released!

Fri Apr 19, 2024 12:27 pm

RouterOS version 7.15rc has been released on the "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during the upgrade process;
3) Device has enough free storage space to download all RouterOS packages.

What's new in 7.15rc5 (2024-May-28 09:53):

*) lte - improved FG621-EA modem APN authentication;
*) route - improved system stability;
*) webfig - fixed issue where skin is not applied on first login after reboot (introduced in v7.15beta8);
*) wifi - improved interface initialization reliability on DFS channels;

What's new in 7.15rc4 (2024-May-20 14:43):

*) lte - fixed situation where link is not restored after Quectel MBIM modem firmware update;

What's new in 7.15rc3 (2024-May-13 18:26):

*) bridge - added error message if MLAG peer-port is configured with "mlag-id";
*) dns - added support for "adlist";
*) leds - fixed LEDs for RBLHGG-5HPacD2HPnD device (introduced in v7.15rc1);
*) lte - continue to dial on LTE attach config error for MBIM modems (introduced in v7.15rc1);
*) lte - do not show persistent interfaces for multi-apn slave interfaces;
*) lte - fixed USB alternate composition switching when "mode=mbim" (introduced in v7.15rc1);
*) lte - removed 2 APN restriction for RG520F-EU modem;
*) lte - use the correct network interface for multi-interface LTE modems;
*) media - added support for DLNA;
*) netinstall-cli - fixed incorrect server address assignment (introduced in v7.14);
*) ppp - fixed IPv4 accounting (introduced in v7.15beta9);
*) route - improved system stability;
*) route - rework of route attributes;
*) ssh - fixed bogus output;
*) system - skip configuration upgrade from RouterOS v6 on configuration reset;
*) wifi-qcom - fixed connectivity and authentication issues (introduced in v7.15beta9);
*) wifi-qcom - fixed fast BSS transition over distributed system (introduced in v7.15beta9);
*) wifi-qcom - fixed incorrect min-signal and max-signal values in the output of frequency-scan tool (introduced in v7.15rc1);

What's new in 7.15rc2 (2024-Apr-24 12:38):

!) system - added support for AMPERE (R) and ARM64 CHR installations (new ARM64 CHR image available);
*) bridge - added MVRP support;
*) chr - fixed management access (introduced in v7.15rc1);
*) discovery - added LLDP Maximum Frame Size TLV support;
*) file - fixed file list updates in certain situations (introduced v7.15rc1);
*) lte - added "at-chat" support for DELL T99W175 (PID: 0x05c6 VID: 0x90d5);
*) partitions - fixed missing partition information on certain devices (introduced in v7.15beta8);
*) ppp - enabled monitoring of registration state, RSRP, RSRQ, SINR, PCI, CellID for BG77 modem;
*) ppp - fixed info command and PPP client crash when SIM is not present (introduced in v7.15beta6);
*) qos-hw - added "offline" tx-manager (CLI only);
*) qos-hw - added Priority Flow Control for compatible switches (CLI only);
*) storage - improved configuration storing process on first system boot after configuration reset;
*) winbox - fixed missing information for CHR/x86 (introduced in v7.15rc1);

What's new in 7.15rc1 (2024-Apr-18 12:17):

!) system - added support for AMPERE (R) and ARM64 CHR installations (new ARM64 CHR image available);
*) bgp - added initial vpnv6 support;
*) bgp - correctly synchronize input.accept-nlri address list;
*) bgp - fixed selecting local.default-address from wrong VRF;
*) bgp - use IPv6 as default address-family for IPv6 sessions;
*) bridge - added error message if MLAG peer-port is configured with "mlag-id";
*) bridge - added MLAG peer-port events to logs;
*) bridge - added MVRP support;
*) bridge - do not allow multiple bonds with same "mlag-id";
*) bridge - use default "edge=auto" for dynamically bridged interfaces (PPP, VPLS, WDS);
*) certificate - allow replacing certificate with internal import;
*) certificate - delete certificate related files automatically from storage after import;
*) certificate - improved RSA key signature processing speed;
*) console - added "byte-array" option to ":convert" command;
*) console - added "rows" property for sniffer quick mode;
*) console - added link from "/iot/lora" to "/lora";
*) console - covert spaces, CR, LF in ":convert to=url" command;
*) console - fixed bogus console ports on ARM64 devices (introduced in v7.15beta6);
*) console - improved stability;
*) defconf - fixed unknown topics in log messages;
*) defconf - minor configuration script updates;
*) dhcpv4-relay - added VRF support;
*) discovery - added LLDP MAC/PHY Configuration/Status TLV support;
*) discovery - always send LLDP MED Power TLV if MED was received;
*) disk - improved support for file systems with non-ascii characters in file names;
*) disk - improved system stability;
*) disk - the "scan" command will now detect and include USB drives that were previously ejected;
*) dns - added VRF support;
*) fetch - added "idle-timeout" parameter;
*) file - avoid refreshing whole file system during file modification;
*) file - improved external storage detection;
*) install - cdrom and hdd install images contain additional packages that can be interactively selected;
*) lora - removed LoRa WinBox and console functionality duplication (moved to IoT package since v7.11);
*) lte - added "at-chat" support for DELL T99W175 (PID: 0x05c6 VID: 0x90d5);
*) lte - added support for concatenated AT commands in "modem-init" string;
*) lte - added support to set "modem-init" string for "dialer-less" modems;
*) lte - dropped support for R11e-LTE-US FOTA firmware update;
*) media - added support for DLNA;
*) ovpn - fixed minor typo in error message;
*) poe-out - added LLDP power management support for devices with single PoE-out port;
*) poe-out - moved "PoE LLDP" property from "/interface/ethernet/poe" to "/ip/neighbor/discovery-settings" and enable it by default;
*) ppp - added "enable-ipv6-accounting" option under PPP AAA menu (CLI only);
*) ppp - added addition support to monitor modem registration state, RSRP, RSRQ, SINR, PCI, CellID for BG77 modem;
*) ppp - allow underscores in domain names;
*) ptp - added PTP support for CCR2116 device;
*) qos-hw - added "profile" and "map" support for CPU port;
*) qos-hw - added per-queue traffic shapers (CLI only);
*) qos-hw - added Priority Flow Control for compatible switches (CLI only);
*) qos-hw - replaced buffer with bytes in QoS monitor;
*) queue - improved system stability (introduced in v7.6);
*) route - do not redistribute loopback address as connected route;
*) route - rework of route attributes;
*) sfp - added "100M-baseFX" link mode support for compatible devices;
*) smb - added logs for share connection requests;
*) smb - do not allow setting empty "comment" or "domain" properties;
*) snmp - added missing PoE-out status codes to MIKROTIK-MIB;
*) snmp - added new "mtxrOpticalVendorSerial" OID to MIKROTIK-MIB;
*) ssh - fixed bogus output;
*) sstp - added SNI support;
*) switch - added support for RSPAN mirroring on 98DXxxxx switches;
*) system - general work on optimizing the size of RouterOS packages;
*) vlan - limit "vlan-id" range from 1-4095 to 1-4094;
*) webfig - show inherited properties for wifi interfaces;
*) wifi-qcom - added configuration.distance setting to enable operation over multi-kilometer distances;
*) wifi-qcom - updated driver;
*) wifi-qcom-ac - fix interfaces getting stuck in "stopping" state after radar detection (introduced in v7.15beta9);
*) winbox - added "FT Preserve VLAN ID" setting under "WiFi/Configuration/FT" menu;
*) winbox - added drop down menu for "User" property when importing SSH key under "System/User/SSH Keys" and "System/User/SSH Private Keys" menus;
*) winbox - use correct values for "Jump Target" property under "IPv6/Firewall/Filter Rules" menu;
*) x86 - fixed VLAN tagged packet transmit for ice driver;

Other changes since v7.14:

!) system - added support for AMPERE (R) hardware (new ARM64 ISO file, new ARM64 extra-nics.npk package);
*) bgp - fixed prefix count when BGP sessions run with multiple AFIs;
*) bgp-vpn - use VRF interface as gateway for leaked connected routes;
*) branding - added option to hide default configuration prompt;
*) branding - added option to hide or replace default caps-mode-script;
*) bridge - improved protocol-mode STP, RSTP and MSTP stability;
*) bridge - rename monitor property "path-cost" to "actual-path-cost";
*) bridge - reworked dynamic VLAN creation;
*) certificate - added support for different ACME servers for ssl-certificate (CLI only);
*) certificate - added support for importing pbes2 encrypted private keys with aes128;
*) certificate - added trusted parameter for certificate import;
*) chr - allow to "generate-new-id" only while CHR is running on level "free" license;
*) chr - fixed bogus messages printed out while booting up the system (introduced in v7.14);
*) chr - fixed Xen and Vultr missing ethernet (introduced in v7.14);
*) console - added "proplist" parameter to interactive commands;
*) console - added "sanitize-names" property under "/console/settings" menu (option for replacing reserved characters with underscores for files, disabled by default);
*) console - added "type" parameter to ":resolve" command;
*) console - added "use-script-permissions" option when running scripts from CLI;
*) console - added hotkey "F8" to print entire multiline input;
*) console - added log for script execution failures;
*) console - added multi-line print in "/file" menu;
*) console - added option to get "about" value (dynamically created text field by RouterOS services like CAPsMAN);
*) console - added option to read and change file line endings in full-screen editor;
*) console - added warning log for modified filenames due to reserved characters;
*) console - do not convert string to array in ":deserialize" command;
*) console - fixed ":onerror" behavior when "do" block is missing;
*) console - fixed "export where" functionality in certain menus;
*) console - fixed console prompt when entering hot lock mode with "F7";
*) console - fixed DHCP server "authoritative=no" configuration export;
*) console - fixed do/while implementation not working with variables (introduced in v7.14);
*) console - fixed filtering by "dhcp" flag in "/ip/arp" menu;
*) console - fixed multiple typos in help;
*) console - optimized configuration export to prevent startup of processes without any configuration;
*) console - remove unnecessary serial ports for Alpine CPUs;
*) console - show system note before serial login if enabled;
*) console - use user permissions when running scripts from WinBox and WebFig;
*) container - do not allow negative number for "ram-high" setting;
*) defconf - do not override default DHCP server lease time;
*) defconf - fixed 5ghz-ax channel width for L11, L22 devices;
*) discovery - added LLDP Maximum Frame Size TLV support;
*) discovery - added LLDP Port Description TLV support;
*) discovery - advertise only physical interface name for LLDP PortID TLV;
*) discovery - fixed high CPU utilization when "tx-only" mode is set;
*) discovery - optimized LLDP information update;
*) disk - added option to auto configure media sharing;
*) disk - added support for formatting exfat file-system;
*) disk - improved support for formatting ext4 file-system;
*) disk - improved system stability when adding partition with no parent;
*) dns - added support for "adlist";
*) dns - improved system stability when caching entries;
*) eap - improved eap-peap, eap-mschap2 client authentication (dot1x/wireless/ipsec);
*) ethernet - fixed default names for CRS310-8G+2S+ device (introduced in v7.14);
*) ethernet - fixed interface disable for CRS326-4C+20G+2Q;
*) ethernet - fixed management port disable/enable on CCR2004-1G-12S+2XS, CCR2004-1G-2XS-PCIe, CCR2216, CCR2116 devices;
*) ethernet - improved port speed downshift functionality for CRS326-4C+20G+2Q;
*) fetch - changed topic "info" to "error" for permission denied logs;
*) fetch - fixed slow throughput due to "raw" logging which occurred even when not listening to the topic (introduced in v7.13);
*) file - allow adding and renaming files and directories;
*) file - fixed moving files to/from external storage (introduced in v7.15beta4);
*) health - added "cpu-temperature" for IPQ50xx devices;
*) health - added log for fan state changes on CRS3xx, CRS5xx, CCR2xxx, CCR1016r2, CCR1036r2 devices;
*) health - fixed fan behavior for CRS310-1G-5S-4S+ (introduced in v7.14);
*) health - fixed missing "cpu-temperature" on IPQ-60xx devices (introduced in v7.15beta8);
*) health - fixed rogue voltage on CRS510-8XS-2XQ-IN;
*) ipv6 - properly initialize default ND "interface=all" entry;
*) leds - fixed LEDs for L22 device;
*) lte - apply the same configuration for Microsoft branded EM12-G modem (Surface Mobile Broadband) as for Quectel EM12-G;
*) lte - fixed firmware upgrade not found issue for Chateau LTE12 (introduced in v7.15beta4);
*) lte - fixed R11e-LTE-US modem dial-up;
*) lte - make interface persistent (unused interface configs can be removed, allow to export and examine current configuration without the device present);
*) metarouter - removed support;
*) modem - send APN authentication for BG77 modem also if ppp-client interface created manually;
*) netinstall - improved stability;
*) ovpn - fixed import ovpn config when remote port is missing;
*) poe-out - fixed powering devices if input voltage is lower than 12V for hEX PoE (introduced in v7.9);
*) poe-out - improved firmware upgrade stability for AF/AT controlled boards;
*) ppp - added log when disconnecting a client due to "WISPr-Session-Terminate-Time" RADIUS attribute;
*) ppp - fixed "Framed-IPv6-Pool" usage when received from RADIUS;
*) ppp - fixed "on-down" script running even when tunnel was not up;
*) ppp - fixed reporting of frame error rate (introduced in v7.15beta8);
*) profiler - added "neighbor-discovery" task;
*) qos-hw - added congestion avoidance support for 98DX8xxx, 98DX4xxx, 98DX325x switch chips (CLI only);
*) qos-hw - added ECN marking support for compatible switches;
*) qos-hw - added support for QoS profile assignment via ACL rules;
*) qos-hw - added WRED support for compatible switches;
*) qos-hw - fixed port "print stats/usage" when using "from" property;
*) quickset - only show LTE mode for devices without other wireless interfaces;
*) radius - added "require-message-auth" option that requires "Message-Authenticator" in received Access-Accept/Challenge/Reject messages;
*) radius - include "Message-Authenticator" in any RADIUS communication messages besides accounting for all services;
*) route - do not allow routes with empty "dst-address";
*) route - fixed bgp-vpn prefix import with the same route distinguisher (RD);
*) route - improved system stability;
*) route - show route-distinguisher (RD) in route print;
*) route-filter - allow setting different AFI gateways;
*) route-filter - fixed ext community list matcher;
*) sfp - added "sfp-ignore-rx-los" setting;
*) sfp - fixed "sfp-tx-fault" state indication for CRS510;
*) sfp - fixed link establishment with 100Mbps optical modules (requires "/interface ethernet reset" or adding "100M-baseFX" modes for advertise or speed properties);
*) sfp - fixed missing Tx traffic at 10Gbps rate on CCR2004-16G-2S+ in rare cases;
*) sfp - ignore SFP RX LOS signal for modules with bad EEPROM;
*) sfp - improved "sfp-tx-power" value monitoring in certain cases;
*) sfp - improved auto-negotiation linking for some MikroTik cables and modules;
*) sfp - improved system stability for CR2004-1G-2XS-PCIe (introduced in v7.14);
*) sfp - improved system stability with some GPON modules for CCR2004 and CCR2116 devices;
*) sms - added option to select SMS storage;
*) sms - added SMS PDU to SMS inbox "print detail";
*) sms - added workaround for modems which do not notify regarding new SMS arrival (missing URC);
*) sms - improved SMS handling;
*) sms - removed SMS for SMIPS;
*) sms - use "gsm" logging topic for serial modem SMS logs;
*) socks - attempt to parse domain name as IP before resolving;
*) ssh - added support for user Ed25519 private keys;
*) ssh - export host Ed25519 public key;
*) ssh - fixed permissions to run ".auto.rsc" scripts;
*) ssh - require "policy" user policy when adding public key;
*) sstp - disconnect clients when server is disabled;
*) switch - added support for multiple ingress and egress port mirroring on 98DXxxxx switches;
*) switch - fixed L3HW and QoS monitor during switch reset;
*) system - added resource values (Product name, File name and File version) for Windows executable files;
*) system - fixed upgrade for CCR2004-1G-12S+2XS (introduced in v7.15beta6);
*) system - show "cpu-frequency" for Alpine CPUs;
*) system - updated office address in RouterOS license;
*) system - updated online manual links from "wiki" to the help documentation;
*) timezone - updated timezone information from "tzdata2024a" release;
*) traffic-flow - detect IPv4 source address if not set;
*) traffic-flow - improved system stability;
*) userman - added "require-message-auth" option that requires "Message-Authenticator" in received Access-Request messages;
*) userman - include "Message-Authenticator" in any RADIUS communication messages besides accounting for all services;
*) vlan - added MVRP (applicant) configuration option;
*) vlan - ensure that VLAN MTU remains unchanged when adjustments are made to the parent interface MTU, only modifications to the L2MTU might impact VLAN MTU;
*) vlan - fixed MTU reset on bridge after reboot;
*) vrf - fixed VRF interfaces being moved to main table after reboot (introduced in v7.14);
*) webfig - allow pasting with ctrl+v into terminal;
*) webfig - fixed column preferences for ordered tables;
*) wifi - added "reselect-interval" support;
*) wifi - changed interface default to "disabled=yes";
*) wifi - do not report disabled state for CAPsMAN managed interface;
*) wifi - fixed configuration export for "disabled" property;
*) wifi - improve channel selection after radar detection events;
*) wifi - improve regulatory compliance for L11, L22 devices;
*) wifi - improved stability of DFS check in the 5GHz-A band;
*) wifi - improved system stability when provisioning CAPs in certain cases;
*) wifi - rename "available-channels" parameter to "channel-priorities" and include desirability rating for each channel;
*) wifi - report current CAPsMAN address and identity on CAP;
*) wifi - show inherited properties with "print" command (replaces "actual-configuration") and added "print config" for showing only configured values;
*) winbox - added "Download" and "Flush" buttons under "System/Certificates/CRL" menu;
*) winbox - added "Flat Snoop" button under "WiFi" menu;
*) winbox - added "Request logout" button under "System/Users/Active Users" menu;
*) winbox - added "Trusted" checkbox under "System/Certificates/Import" menu;
*) winbox - added invalid flag under "IP/DHCP Relay" menu;
*) winbox - added key type and key length column for user SSH keys;
*) winbox - added missing SFP monitoring properties under "Interface/SFP" menu;
*) winbox - added passphrase option for SSH host key export;
*) winbox - added passphrase option for SSH host key import;
*) winbox - allow specifying size and rtmpfs size with M, G units under "System/Disks" menu;
*) winbox - allow to specify "M" or "G" postfix for download, upload or total limits under "User Manager/Limitations" menu;
*) winbox - do not show "Host Key Size" when using ed25519 key under "IP/SSH" menu;
*) winbox - fixed the issue where the skin file fails to appear in the user group menu after creation;
*) winbox - renamed "Channel" column to "Current Channel" under "Wifi" menu;
*) winbox - show "Valid Servers" and "Unknown Servers" column by default under "IP/DHCP Server/Alerts" menu;
*) winbox - show inherited properties for wifi interfaces;
*) winbox - show SIM settings for SXTR device under "Interfaces/LTE/Modem" menu;
*) winbox - updated icons for certain menus;
*) wireguard - added option to mark peer as responder only;
*) wireguard - added peer "name" field and display it in logs;
*) wireguard - do not attempt to connect to peer without specified endpoint-address;
*) wireguard - fixed "auto" argument usage for "private-key" and "preshared-key" settings;
*) wireguard - fixed performance issues showing QR code;
*) wireless - perform shorter channel availability check for 5600-5650MHz if regulatory domain permits it;
*) x86 - fixed ixgbe Tx hang by disabling TSO;
*) x86 - ice driver update to v1.13.7;
*) x86 - improved stability for RTL8125 driver;
*) x86 - ixgbe driver update to 5.19.9;
*) x86/chr - improved panic saving (increased minimal RAM requirements to 256MB);

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, please send a supout file from your router to support@mikrotik.com. File must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

Fri Apr 19, 2024 12:39 pm

Holy changelog Batman !

loloski · Fri Apr 19, 2024 1:02 pm

using this RC in GNS3 you can't login via winbox it just simply saying logging even ssh connection it's not working :(, never seen this before

2.png

edit: webfig works

1.png

kalaposl · Fri Apr 19, 2024 2:27 pm

using this RC in GNS3 you can't login via winbox it just simply saying logging even ssh connection it's not working :(, never seen this before2.png

edit: webfig works

1.png

Same here. v7.14.2 OK, v.7.15rc not. SSH, Winbox, RoMON not working, webfig, telnet works.

qwertykolea · Fri Apr 19, 2024 3:12 pm

*) dns - added support for "adlist";

This doesn't work on hap ac2

winbox64_dGttAi5w27.png

ToTheFull · Fri Apr 19, 2024 3:34 pm

Works great here, do you have enough cache for all that Bling!

 /ip/dns/print
                      servers: 1.1.1.1,1.0.0.1
              dynamic-servers: 
               use-doh-server: 
              verify-doh-cert: no
   doh-max-server-connections: 5
   doh-max-concurrent-queries: 50
                  doh-timeout: 5s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 131064KiB
                cache-max-ttl: 1w
      address-list-extra-time: 0s
                          vrf: main
                   cache-used: 50688KiB

/ip/dns/adlist/print                                    
Flags: X - disabled 
 0   file=apple.txt ssl-verify=no match-count=10 name-count=2 

 1   url="https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/pro.txt" ssl-verify=no 
     match-count=2168 name-count=438197

@normis
I thought you was adding adlist update timer ?? Did I miss-understand

massinia · Fri Apr 19, 2024 3:41 pm

*) dns - added support for "adlist";
This doesn't work on hap ac2
winbox64_dGttAi5w27.png

You're right, I already reported it with SUP-146323
I don't know if for privacy I can write what the assistance told me... if I did something wrong, please delete.
The support said that:

It looks like your device doesn't have enough storage on the device to use adlist. At the moment the adlist is downloaded to the NAND as well as stored in RAM, we are looking in to maybe changing the behavior, but sadly can't provide more details at the moment.

Z0ltan · Fri Apr 19, 2024 3:49 pm

Works great here, do you have enough cache for all that Bling!

@normis
I thought you was adding adlist update timer ?? Did I miss-understand

Do you have the wifi-qcom-ac package installed? If yes, I doubt you would have enough space to download the adlist.

ToTheFull · Fri Apr 19, 2024 3:54 pm

Works great here, do you have enough cache for all that Bling!

@normis
I thought you was adding adlist update timer ?? Did I miss-understand
Do you have the wifi-qcom-ac package installed? If yes, I doubt you would have enough space to download the adlist.

Was that for me?

Z0ltan · Fri Apr 19, 2024 3:56 pm

Yes, just didn't want to include the code part

Fri Apr 19, 2024 3:57 pm

That's for all potential adlist users. The feature requires storage and RAM, it is recommended for ARM64 devices that have those resources more than others

ToTheFull · Fri Apr 19, 2024 4:00 pm

I'll leave you to ponder you owm riddle....

ToTheFull · Fri Apr 19, 2024 4:01 pm

That's for all potential adlist users. The feature requires storage and RAM, it is recommended for ARM64 devices that have those resources more than others

And the update list timer?

ToTheFull · Fri Apr 19, 2024 4:02 pm

@ZOltan I'll leave you to ponder you owm riddle....

Z0ltan · Fri Apr 19, 2024 4:06 pm

What riddle? I was asking if you have the wifi-qcom-ac package installed on the hAP ac2 as I don't think adlist would work with such small free space.

andrewhi · Fri Apr 19, 2024 4:07 pm

What is the reason for vlan-id limit to 1 - 4094

qwertykolea · Fri Apr 19, 2024 4:13 pm

That's for all potential adlist users. The feature requires storage and RAM, it is recommended for ARM64 devices that have those resources more than others

Hello Normis, is it possible to change the location from local storage to a USB flash drive?
The second thing is that AdList works when I add it as a file, not as a link.

winbox64_EoASgwZwyq.png

Fri Apr 19, 2024 4:18 pm

What is the reason for vlan-id limit to 1 - 4094

IEEE 802.1Q specification, most likely

4,096 values provided by the 12-bit VID field minus reserved values at each end of the range, 0 and 4,095

Znevna · Fri Apr 19, 2024 5:46 pm

What's new in 7.15rc1 (2024-Apr-18 12:17):

!) system - added support for AMPERE (R) and ARM64 CHR installations (new ARM64 CHR image available);

wow :)

flapviv · Fri Apr 19, 2024 6:05 pm

Proxmox/Ryzen7/CHR upgraded from beta 9.
All is fine...

jookraw · Fri Apr 19, 2024 7:27 pm

What's new in 7.15rc1 (2024-Apr-18 12:17):

!) system - added support for AMPERE (R) and ARM64 CHR installations (new ARM64 CHR image available);

For anyone wondering, I was able to boot CHR on the Hetzner ARM instance with this version

Cha0s · Fri Apr 19, 2024 8:57 pm

using this RC in GNS3 you can't login via winbox it just simply saying logging even ssh connection it's not working :(, never seen this before2.png

edit: webfig works

1.png

Same here on a specific CHR installation.

All other upgrades I tried so far (CCR2004, RB4011, CHR) worked fine.

sinisa · Fri Apr 19, 2024 9:18 pm

Upgraded 2 CHRs acting as CAPsMANs, 10+ hAP ac2s, one cAP ac, one hAP AX2
Zero problems so far. SSH and Winbox working.

Kevo · Sat Apr 20, 2024 3:24 am

I had to manually clear the cache in my browser to get all the icons to show.

SkyBeam · Sat Apr 20, 2024 4:05 am

I tried this version too on CRS310-1G-5S-4S+ and facing the same issue as on all versions after 7.12.1: None of my 1Gbps RF45 copper SFPs enter running state. They all report link ok and sslave state but do not enter running state.

The issue was reported by others as well and the only solution seems to be to disable auto negotiation - which is not an option in some cases.

All my 10Gps LC SFP+ modules and 10Gbps DAC modules just enter running state fine.

Back to ROS 7.12.1.

pyfgcrl · Sat Apr 20, 2024 4:40 am

RouterOS version 7.15rc has been released on the "v7 testing" channel!

Other changes since v7.14:

*) ssh - added support for user Ed25519 private keys;

This hasn't been said elsewhere, so just a note for everyone else who's been curious about it: In order to import Ed25519 private keys, they appear to need to be in PKCS8 format.

ssh-keygen doesn't have the ability to convert Ed25519 keys yet, so until it does, you can convert it with it with the npm (JavaScript) package sshpk:

npm install -g sshpk
sshpk-conv -T openssh -t pkcs8 -p -f ~/.ssh/id_ed25519

and take the output of that, and you'll be able to import it into RouterOS 7.15rc1

Hope that helps.

Sat Apr 20, 2024 6:51 am

Model CRS309-1G-8S+
RouterOS 7.15 branch
Support Ticket SUP-150626

Webfig
Missing icons Wifi Wireguard Dot1X
Missing Partition

Winbox
Missing Partition

Screenshot_20240419_180916.png
Screenshot_20240419_181428.png

from changelog

*) metarouter - removed support;

nichky · Sat Apr 20, 2024 8:07 am

*) bgp - added initial vpnv6 support;

waithign to see some e.g. of how that works

faxxe · Sat Apr 20, 2024 8:25 am

CCR1009-7G-1C-1S:

DNS Adlist with +400k entrys - works well for about 1h for just 1 User
Then I tried to open all links in a bookmark folder using the middle mouse button function in Firefox.
There were about 50 links trying to open at the same time. This probably caused the DNS server to crash.
Until the CCR1009 was rebooted, it was no longer accessible.

Update: After reboot the DNS server was reachable for about 1h. Suddenly no response anymore.
Now disabled

brg3466 · Sat Apr 20, 2024 8:41 am

“*) lte - dropped support for R11e-LTE-US FOTA firmware update; ”

- which version EVER support R11e-LTE-US FOTA firmware update ???

Tanuki · Sat Apr 20, 2024 8:52 am

How can DNS via VRF be tested?

So far I've tried:
- Traceroute with 'use-dns' enabled
- SNTP client on the same VRF as DNS is configured as

Both appear to not work, and with 'torch' running on the egress interface I'm not seeing any DNS requests attempted.

rpingar · Sat Apr 20, 2024 10:07 am

an old bgp issue araised again in 7.15rc1, after one hour of operation:
- one core locked to 100% about routing
- slow prefixes advertisment (in this condition)
- some ipv6 bgp sessions closed by HoldTimer Expired

this kind of issue was fixed several months ago, and again present in this release candidate......
SUP-150642 opened

faxxe · Sat Apr 20, 2024 1:51 pm

CCR1009

wireguard: [peer1] xxxxxxxxxxxxxxxxxxxxxxxxxxxxx: Handshake for peer did not complete after 5 seconds, retrying (try 2)

How can i disable this message? countless ......

-faxxe

mantouboji · Sat Apr 20, 2024 5:25 pm

x86 ( a J1900 box)
ssh error

AX3 runs well .

Xymox · Sat Apr 20, 2024 8:32 pm

QoS question + Dante

I dont have any QoS options showing in Winbox yet on the CRS309-1G-8S+ ? I seem to be able to do settings on command line. Are these options and config going to be in Winbox ? Or just CLI ? Or maybe I am doing something wrong ?

I intend to do this switch bundled with Merging Technologies Pyramix Studio mixing setups running RAVENNA / AES 67 protocols without doing PTP. This is pretty much Dante.

From the doc page https://help.mikrotik.com/docs/pages/vi ... =189497483
"Starting from RouterOS v7.15, all MikroTik QoS-Capable devices comply with Dante. "

So has anyone tested this ? Is this good to go ?

I will need to start shipping these switches in 2-3 weeks and hopefully 7.15 will be a stable by then.

UpRunTech · Sun Apr 21, 2024 1:50 am

I noticed when upgrading from 7.14 to 7.15 that the bridge and ports on my devices were set to:

Bridge:
add name=BridgeMain port-cost-mode=short

Bridge Ports:
add bridge=BridgeMain interface=ether2 internal-path-cost=10 path-cost=10

The manual now says the default is "long". The issue I noticed with 7.15x on my 5009 and hapax2's is that the AP's and/or some Wifi devices would stop communicating with the network and I had to roll back to 7.14.x. I upgraded to rc1 last night and the issue came back again.

I have an iPad sitting here that was connecting to Wifi but not responding to DHCP requests. When I changed the values to "short" and costs back to default (which now show as 20000 instead of 10) suddenly DHCP started to work and the iPad is back online. A laptop in the next room with an AX200 card also stopped communicating and is also now back online. Coincidence? We'll see how is plays out today.

Why force older configs to "short"/10 anyway if the default is "long"/20000?

mblfone · Sun Apr 21, 2024 1:58 am

Same here. v7.14.2 OK, v.7.15rc not. SSH, Winbox, RoMON not working, webfig, telnet works.

Confirmed here as well: RoMON not working after 7.15rc1. More specifically, RoMON is no longer working through microwave links. I had to create EOIP tunnels to get Romon to access all of our routers.

UpRunTech · Sun Apr 21, 2024 2:03 am

Just curious, for those with Winbox and Romon issues are your bridge's cost mode forced to short and path-cost settings to 10?

fs0c13ty · Sun Apr 21, 2024 7:43 am

why kvm and extra-nic were removed from x86 iso file?

eworm · Sun Apr 21, 2024 10:23 am

Why force older configs to "short"/10 anyway if the default is "long"/20000?

Nothing is forced, and nothing is changed. These a just the old settings being preserved.

Sun Apr 21, 2024 4:13 pm

Why force older configs to "short"/10 anyway if the default is "long"/20000?

Answers at the top here; solution in the "Bridge Interface Path Costs" section near the end.

As it says, this behavior change is two releases old now. Please keep this thread on-topic.

EDIT: In that spirit, and in case anyone's wondering, I've found no new flotsam in the 7.15 line so far.

UpRunTech · Mon Apr 22, 2024 12:27 am

Answers at the top here; solution in the "Bridge Interface Path Costs" section near the end.

OK so that was the only flotsam change to the AP's and my router that since 7.13. I thought it happened in 7.14.x and I never bothered messing with the changes, just noted "hmmm new arguments for the bridge" with no obvious consequences.

Now, my point is since 7.15beta8 or 9 I have been having Wifi Clients and AP's stop communicating. Going back to 7.14.x settled things down. Back on 7.15rc1 the issue started again within a day. Changing these values to the new defaults of long/20000 and it's been about 24 hours and the problem hasn't come back whereas normally it would. The family lets me know quick-smart when Wifi stops performing. This is with a 5009 and hapax^2s.

My observation that the iPad sitting next to me just wouldn't respond to or accept a DHCP offer until the moment I made the change is significant too.

loloski · Mon Apr 22, 2024 8:25 am

@strods

like i said this is on GNS3 but on real device i haven't seen this issue, will send the file momentarily

edit: done SUP-150754

Kindis · Mon Apr 22, 2024 9:03 am

*) wifi-qcom - updated driver;

Is there a why to find out what this does? New version from the vendor and if so what does it fix/add/break?

ivicask · Mon Apr 22, 2024 9:34 am

Updated our switch CRS354 to 7.15rc and in morning half of clients couldnt get internet access,or couldnt get DHCP, nothing in logs, discovery didint work, had to revert to stable

Mon Apr 22, 2024 11:27 am

The issue with SSH, WinBox connection to CHR has been reproduced and will be fixed in upcoming RC version.

ogggi · Mon Apr 22, 2024 12:38 pm

And what about the upgrade for devices with 15.3MB memory(hapac2) ? Can I upgrade to 7.15rc1 where I only have 216kB of free memory ?

infabo · Mon Apr 22, 2024 1:42 pm

I would say, but have not tried: yes of course

edupre · Mon Apr 22, 2024 3:31 pm

*) sfp - improved system stability with some GPON modules for CCR2004 and CCR2116 devices;
Since the update v7.15rc1 on my CCR2116, my Alcatel GPON seems stable. The only downside is that I've lost the GPON status. I no longer have any readings for transmission, reception, temperature...

Mon Apr 22, 2024 3:48 pm

And what about the upgrade for devices with 15.3MB memory(hapac2) ?

"*) system - general work on optimizing the size of RouterOS packages;"

mszru · Mon Apr 22, 2024 6:51 pm

SSH key import fails:

/user/ssh-keys/import user=***** public-key-file=id_rsa.pub 
action timed out - try again, if error continues contact MikroTik support and send a supout file (13)

SUP-150854

EDIT:
It seems that SSH process hung on my freshly netinstalled router, as one of the CPU cores was 100% utilized by SSH. I was able to import the key after rebooting the router.

osc86 · Mon Apr 22, 2024 7:41 pm

after fixing ssh, please also add support for -sk public key types. (FIDO/U2F)

infabo · Mon Apr 22, 2024 8:30 pm

Feature freeze in RC....

bp0 · Mon Apr 22, 2024 9:12 pm

There is a change not included in change list. /system resource board-name for CHR now has extra information about the host/platform it is running on.
For example, it might now be "CHR x86 Xen HVM domU"
So, testing if board-name is "CHR" no longer works; you'd need to use something like /^CHR/.

rb9999 · Mon Apr 22, 2024 9:45 pm

I think system > license is kinda broken in chr 7.15rc1... console prints it out okay

chr-715rc1-system-license-print.png

Sit75 · Mon Apr 22, 2024 9:46 pm

And what about the upgrade for devices with 15.3MB memory(hapac2) ?

"*) system - general work on optimizing the size of RouterOS packages;"

It works well. ROM - there is enough space on the HDD now. What I'm still dealing with though is probably a memory leak. It was roughly 145MB of RAM when I rebooted. Now after 3 days only 118 MB. And the memory continues to decline. :-( I raised ticket SUP-147911, but nothing happened.

kiloon · Mon Apr 22, 2024 10:16 pm

RouterOS version 7.15rc has been released on the "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during the upgrade process;
3) Device has enough free storage space to download all RouterOS packages.

What's new in 7.15rc1 (2024-Apr-18 12:17):

*) lte - added "at-chat" support for DELL T99W175 (PID: 0x05c6 VID: 0x90d5);

Seems like it doesnt or something is missing... Same thing with simcard.
unsupported.JPG

Tue Apr 23, 2024 7:32 am

CCR1009-7G-1C-1S:

DNS Adlist with +400k entrys - works well for about 1h for just 1 User
Then I tried to open all links in a bookmark folder using the middle mouse button function in Firefox.
There were about 50 links trying to open at the same time. This probably caused the DNS server to crash.
Until the CCR1009 was rebooted, it was no longer accessible.

Update: After reboot the DNS server was reachable for about 1h. Suddenly no response anymore.
Now disabled

I have around 250,000 entries on a hAP ax2 and experience the same behavior, but it takes around a day before it exhibits this.

Tue Apr 23, 2024 8:27 am

Noted!

I think system > license is kinda broken in chr 7.15rc1... console prints it out okay
chr-715rc1-system-license-print.png

bbs2web · Tue Apr 23, 2024 9:10 am

DHCP snooping is unfortunately still not working on CRS devices. Please could this be fixed, embarrassing that client's network was broken due to rogue DHCP on their network and we can't enable DHCP snooping due to it then eating all packets although correct uplink port is set as trusted.

CRS devices (RB5009, hAP ax3, CRS112-8P-4S, CRS328-24P-4S+, CRS326-24G-2S+ and CRS354-4S+-2Q+) drop DHCP requests when we enabling DHCP snooping and there are VLANs configured. Yes, 'trusted=yes' is set correctly on the uplink port.

Herewith a visual switch VLAN mapping summary:
https://imgur.com/a/4aYzTtY

Herewith the export:

/interface bridge
  add admin-mac=78:9A:18:3D:26:5F auto-mac=no dhcp-snooping=yes name=bridge priority=0x7000 vlan-filtering=yes
/interface bridge port
  add bpdu-guard=yes bridge=bridge interface=ether1 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether2 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether3 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether4 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether5 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether6 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether7 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether8 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether9 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether10 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether11 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether12 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether13 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether14 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether15 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether16 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether17 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether18 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether19 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether20 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether21 pvid=17 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=ether22 pvid=17 restricted-role=yes
  add bridge=bridge interface=ether23 pvid=25 restricted-role=yes
  add bridge=bridge interface=ether24 pvid=25 restricted-role=yes
  add bridge=bridge interface=sfp-sfpplus1 trusted=yes
  add bpdu-guard=yes bridge=bridge interface=sfp-sfpplus2 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=sfp-sfpplus3 restricted-role=yes
  add bpdu-guard=yes bridge=bridge interface=sfp-sfpplus4 restricted-role=yes
/interface bridge vlan
  add bridge=bridge tagged="bridge,ether1,ether2,ether3,ether4,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,eth\
    er18,ether19,ether20,ether21,ether22,sfp-sfpplus1" vlan-ids=14
  add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=17
  add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=25
  add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=31
  add bridge=bridge tagged=bridge,ether5,ether6,sfp-sfpplus1 vlan-ids=100
  add bridge=bridge tagged=bridge,ether5,ether6,sfp-sfpplus1 vlan-ids=101
  add bridge=bridge tagged=bridge,ether5,ether6,sfp-sfpplus1 vlan-ids=102
  add bridge=bridge tagged=bridge,ether5,ether6,sfp-sfpplus1 vlan-ids=666
  add bridge=bridge tagged=bridge,ether5,ether6,sfp-sfpplus1 vlan-ids=667
/ip neighbor discovery-settings
  set lldp-med-net-policy-vlan=14

loloski · Tue Apr 23, 2024 9:19 am

You can always go back to v7.14.X DHCP snooping is working as expected on this version

infabo · Tue Apr 23, 2024 9:31 am

embarrassing that client's network was broken due to rogue DHCP on their network

Embarrassing using testing release on your clients network devices...🙄

flapviv · Tue Apr 23, 2024 9:41 am

Noted!

I think system > license is kinda broken in chr 7.15rc1... console prints it out okay
chr-715rc1-system-license-print.png

and confirmed on my CHR installation...

Tue Apr 23, 2024 10:10 am

RouterOS version 7.15rc has been released on the "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during the upgrade process;
3) Device has enough free storage space to download all RouterOS packages.

What's new in 7.15rc1 (2024-Apr-18 12:17):

*) lte - added "at-chat" support for DELL T99W175 (PID: 0x05c6 VID: 0x90d5);

Seems like it doesnt or something is missing... Same thing with simcard.
unsupported.JPG
This is already fixed and the fix will be included in the rc2 version.

ToTheFull · Tue Apr 23, 2024 10:52 am

CCR1009-7G-1C-1S:

DNS Adlist with +400k entrys - works well for about 1h for just 1 User
Then I tried to open all links in a bookmark folder using the middle mouse button function in Firefox.
There were about 50 links trying to open at the same time. This probably caused the DNS server to crash.
Until the CCR1009 was rebooted, it was no longer accessible.

Update: After reboot the DNS server was reachable for about 1h. Suddenly no response anymore.
Now disabled
I have around 250,000 entries on a hAP ax2 and experience the same behavior, but it takes around a day before it exhibits this.

I have 560,000 I can't say I've had any problems with crashing, if I open all my bookmarks at the same time my dns stops responding with the default settings. But if I do the following all my bookmarks open just fine as expected??

max-concurrent-queries: 1000
max-concurrent-tcp-sessions: 40

Added:

/ip/dns/print
                      servers: 1.1.1.1,1.0.0.1
              dynamic-servers: 
               use-doh-server: 
              verify-doh-cert: no
   doh-max-server-connections: 5
   doh-max-concurrent-queries: 50
                  doh-timeout: 5s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 1000
  max-concurrent-tcp-sessions: 40
                   cache-size: 131064KiB
                cache-max-ttl: 1w
      address-list-extra-time: 0s
                          vrf: main
                   cache-used: 65585KiB

Sit75 · Tue Apr 23, 2024 5:57 pm

"*) system - general work on optimizing the size of RouterOS packages;"
It works well. ROM - there is enough space on the HDD now. What I'm still dealing with though is probably a memory leak. It was roughly 145MB of RAM when I rebooted. Now after 3 days only 118 MB. And the memory continues to decline. :-( I raised ticket SUP-147911, but nothing happened.

Another 10 MB of RAM left within 1 day.

Ullinator · Tue Apr 23, 2024 6:11 pm

It works well. ROM - there is enough space on the HDD now. What I'm still dealing with though is probably a memory leak. It was roughly 145MB of RAM when I rebooted. Now after 3 days only 118 MB. And the memory continues to decline. :-( I raised ticket SUP-147911, but nothing happened.
Another 10 MB of RAM left within 1 day.

Actual I can´t see any memory leaks on any of my systems, all are running with 7.15RC1. (Examples 3 of 16)
CCR2004-1G-12S+2XS:

hc_282.jpg

The devices have 7.15RC1 since 1day, 7h, 15min., so short after the release og the version.

CRS326-24S+-2Q+:

hc_283.jpg

CRS328-24P-4S+:

hc_284.jpg

So it seems not to be a general problem.... :-/

infabo · Tue Apr 23, 2024 7:28 pm

Another 10 MB of RAM left within 1 day.

Maybe post your device config and installed packages in a separate topic. This needs further inspection.

ID · Tue Apr 23, 2024 9:58 pm

Getting and "binding prefix mismatch" error at IPv6 PD over dhcp. Seems trying to bind someone's prefix after a while.

 21:46:37 dhcp,debug,packet recv server: <pppoe-user1> fe80::2 -> ff02::1:2
 21:46:37 dhcp,debug,packet type: renew
 21:46:37 dhcp,debug,packet transaction-id: 635501
 21:46:37 dhcp,debug,packet  -> clientid:   00030001 005056bf 3ea9
 21:46:37 dhcp,debug,packet  -> serverid:   00030001 005056bf 358d
 21:46:37 dhcp,debug,packet  -> oro: 23 
 21:46:37 dhcp,debug,packet  -> elapsed_time: 163
 21:46:37 dhcp,debug,packet  -> ia_pd: 
 21:46:37 dhcp,debug,packet    t1: 1800
 21:46:37 dhcp,debug,packet    t2: 2880
 21:46:37 dhcp,debug,packet    id: 0x2
 21:46:37 dhcp,debug,packet   -> ia_prefix: 
 21:46:37 dhcp,debug,packet     prefix: xxxx:xxxx:3:3001::/64
 21:46:37 dhcp,debug,packet     valid time: 3600
 21:46:37 dhcp,debug,packet     pref. time: 2880
 21:46:37 dhcp,debug processing client:005056bf3ea9 iapd:0x2
 21:46:37 dhcp,debug binding prefix mismatch: xxxx:xxxx:3:3003::/64 != xxxx:xxxx:3:3001::/64
 21:46:37 dhcp,debug binding not updated
 21:46:37 dhcp,debug,packet send <pppoe-user1> -> fe80::2%44
 21:46:37 dhcp,debug,packet type: reply
 21:46:37 dhcp,debug,packet transaction-id: 635501
 21:46:37 dhcp,debug,packet  -> clientid:   00030001 005056bf 3ea9
 21:46:37 dhcp,debug,packet  -> serverid:   00030001 005056bf 358d
 21:46:37 dhcp,debug,packet  -> dns_servers: 
 21:46:37 dhcp,debug,packet     xxxx:xxxx:0:10::10
 21:46:37 dhcp,debug,packet     xxxx:xxxx:0:10::11
 21:46:37 dhcp,debug,packet  -> ia_pd: 
 21:46:37 dhcp,debug,packet    t1: 43200
 21:46:37 dhcp,debug,packet    t2: 69120
 21:46:37 dhcp,debug,packet    id: 0x2
 21:46:37 dhcp,debug,packet   -> ia_prefix: 
 21:46:37 dhcp,debug,packet     prefix: xxxx:xxxx:3:3001::/64
 21:46:37 dhcp,debug,packet     valid time: 0
 21:46:37 dhcp,debug,packet     pref. time: 0

Also queue naming bit strange. Previous versions queue name and target was same.

queue.jpg

bbs2web · Tue Apr 23, 2024 10:11 pm

embarrassing that client's network was broken due to rogue DHCP on their network
Embarrassing using testing release on your clients network devices...🙄

This is broken in all RouterOS 7.x release, not just 7.15rc...

bbs2web · Tue Apr 23, 2024 10:15 pm

You can always go back to v7.14.X DHCP snooping is working as expected on this version

Nope, this issue may only appear with vlan filtering enabled but is confirmed to be an issue in 7.8, 7.9, 7.10, 7.11, 7.12, 7.13, 7.14 and now 7.15rc.

Worked fine on RouterOS 6...

loloski · Tue Apr 23, 2024 10:40 pm

[user@DCCJ-POP1-R1-EDGESW] > /interface/bridge/port export 
# 2024-04-24 03:36:24 by RouterOS 7.14.1
# software id = 12DQ-9QUD
#
# model = CRS326-24G-2S+
# serial number = HCQXXXXX
/interface bridge port
add bridge=DISTRIBUTION frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=80
add bridge=DISTRIBUTION frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=80
add bridge=DISTRIBUTION frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=81 trusted=yes
add bridge=DISTRIBUTION frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=81
add bridge=DISTRIBUTION comment="BRAS -> OLT (ether1)" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=DISTRIBUTION frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=20
add bridge=DISTRIBUTION frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=30
add bridge=DISTRIBUTION frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=40
add bridge=DISTRIBUTION comment=HOTSPOT frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=100 trusted=\
    yes
add bridge=DISTRIBUTION comment="HOTSPOT UPSTREAM" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10 pvid=70
add bridge=DISTRIBUTION frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether11 pvid=65
add bridge=DISTRIBUTION interface=ether12
add bridge=DISTRIBUTION interface=ether13
add bridge=DISTRIBUTION interface=ether14
add bridge=DISTRIBUTION frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether15 pvid=65
add bridge=DISTRIBUTION frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether16 pvid=65
add bridge=DISTRIBUTION frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether17 pvid=65
add bridge=DISTRIBUTION frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether18 pvid=65
add bridge=DISTRIBUTION interface=ether19
add bridge=DISTRIBUTION interface=ether20
add bridge=DISTRIBUTION interface=ether21
add bridge=DISTRIBUTION interface=ether22
add bridge=DISTRIBUTION interface=ether23
add bridge=DISTRIBUTION comment="802.1Q -> CORESW @ SFP-SFPPLUS1" frame-types=\
    admit-only-vlan-tagged interface=sfp-sfpplus1 pvid=4094 trusted=yes
add bridge=DISTRIBUTION comment=RESERVED interface=sfp-sfpplus2
[user@DCCJ-POP1-R1-EDGESW] >

Taken directly from production setup

infabo · Wed Apr 24, 2024 1:48 am

Embarrassing using testing release on your clients network devices...🙄
This is broken in all RouterOS 7.x release, not just 7.15rc...

There is one warning regarding VLAN + DHCP snooping: https://help.mikrotik.com/docs/display/ ... CPOption82
Maybe it helps.

Wed Apr 24, 2024 7:52 am

Please do remember that "increase in RAM usage" in 99% cases is a normal behaviour - that is why such a thing as RAM exists. Questions here are:

1) Does the increase stop at some point and remains the same? If yes, then some service has "max RAM/cache" setting or built-in limit specified and RAM usage will increase freely until this limit is reached (for example, not well-adjusted queue type settings, large MTU values specified, etc.);
2) Do you have some "lists" that might increase dynamically and even maybe without max table size limit possible. Excellent example is firewall address-list, DNS cache, connection tracking table, etc.
3) etc.

The fact that RAM usage is increasing does not necessarily mean that there is a bug. If you do think that there is a real memory leak, then please - reboot your router, wait for ~5 minutes, generate supout file A, wait, wait until RAM usage becomes very high and not much RAM is left for the system, generate supout file B, send both files to support@mikrotik.com.

Sit75 · Wed Apr 24, 2024 10:30 am

Please do remember that "increase in RAM usage" in 99% cases is a normal behaviour - that is why such a thing as RAM exists. Questions here are:

1) Does the increase stop at some point and remains the same? If yes, then some service has "max RAM/cache" setting or built-in limit specified and RAM usage will increase freely until this limit is reached (for example, not well-adjusted queue type settings, large MTU values specified, etc.);
2) Do you have some "lists" that might increase dynamically and even maybe without max table size limit possible. Excellent example is firewall address-list, DNS cache, connection tracking table, etc.
3) etc.

The fact that RAM usage is increasing does not necessarily mean that there is a bug. If you do think that there is a real memory leak, then please - reboot your router, wait for ~5 minutes, generate supout file A, wait, wait until RAM usage becomes very high and not much RAM is left for the system, generate supout file B, send both files to support@mikrotik.com.

Answer:

SUP-147911 was submitted on 03/24/2024 (exactly 1 month ago) with my configuration, supout.rif, images and explanation.

1) No - free memory decreases by about 10MB/day. I tried going to zero (18 days running), but around 38MB of free RAM a reboot was necessary - the router simply stopped routing packets.
2) No - only using QoS queues with fq-codel (without CAKE) - standard home use pppoe xDSL line. Quite simple configuration, nothing special.

This is what it looks like now:

massinia · Wed Apr 24, 2024 10:33 am

Hi, my hAP ac2 restarts itself when there are very large file transfers with SMB.
For more info: SUP-151054
Thanks

naxus · Wed Apr 24, 2024 11:08 am

Since the new driver was added some client devices are getting SA Query timeouts and have issues with connecting to wifi then. SUP-151059 created. I suppose it will be similar issue that was fixed for previous driver version already.

Nullcaller · Wed Apr 24, 2024 11:42 am

*) dns - added support for "adlist";

"We put pihole in your router, so you can pihole while you pihole"

Jokes aside, this is a great feature. Make containers a little bit more useful, and suddenly those relatively expensive ax devices look like an absolute bargain for the amount of RPis they are potentially replacing.

infabo · Wed Apr 24, 2024 1:00 pm

SUP-147911 was submitted on 03/24/2024 (exactly 1 month ago) with my configuration, supout.rif, images and explanation.

You need to keep the support ticket updated. You say RAM consumption increases by 10MB/day. OK, then send them your supout.rif daily. That's all you can do honestly. On a regular linux bug you could try all kind of debug settings, dig logs and kernel messages. But ROS hides this from us. So have no pity with MT support. Send them your findings. As much and detailled it can get. They decide to hide away everything - so they need to investigate/debug/troubleshoot on MT side.

DanMos79 · Wed Apr 24, 2024 6:06 pm

SUP-147911 was submitted on 03/24/2024 (exactly 1 month ago) with my configuration, supout.rif, images and explanation.

1) No - free memory decreases by about 10MB/day. I tried going to zero (18 days running), but around 38MB of free RAM a reboot was necessary - the router simply stopped routing packets.
2) No - only using QoS queues with fq-codel (without CAKE) - standard home use pppoe xDSL line. Quite simple configuration, nothing special.

This is what it looks like now:

@Sit75
Referring to your post (viewtopic.php?p=1067162#p1067162), did you assign a fq_codel_queue_type with 32MB buffer for each member of the queue tree?

If so, then the queue buffer clearly exceeds the RAM of your hAP ac² and and could lead to this behavior.

faxxe · Wed Apr 24, 2024 6:07 pm

I have around 250,000 entries on a hAP ax2 and experience the same behavior, but it takes around a day before it exhibits this.
I have 560,000 I can't say I've had any problems with crashing, if I open all my bookmarks at the same time my dns stops responding with the default settings. But if I do the following all my bookmarks open just fine as expected??

max-concurrent-queries: 1000
max-concurrent-tcp-sessions: 40

Thanks, the time frame until he stopped responding again was now 20 hours.
Then only a reboot helped again. Logging on to the router was possible as normal.

-faxxe

ivicask · Wed Apr 24, 2024 8:59 pm

Since the new driver was added some client devices are getting SA Query timeouts and have issues with connecting to wifi then. SUP-151059 created. I suppose it will be similar issue that was fixed for previous driver version already.

Also getting alot of query timeouts, vs zero problems on 7.14.

Sit75 · Wed Apr 24, 2024 9:45 pm

@Sit75
Referring to your post (viewtopic.php?p=1067162#p1067162), did you assign a fq_codel_queue_type with 32MB buffer for each member of the queue tree?

If so, then the queue buffer clearly exceeds the RAM of your hAP ac² and and could lead to this behavior.

My configuration is below. I simply mark the uplink traffic according to DSCP high 3 bits (with preference of ACK packets). Outbound traffic is divided into standard 8 queues under one outbound queue tree. Downstream traffic is handled by a single untagged queue. I didn't change any default buffer sizes or anything else. IP and IPv6 Mangles are identical copies. This configuration is the best from a bufferbloat perspective with absolutely minimal latency (9ms) and minimal latency variation (+3-4ms) under full load. That's the reason.

/queue type
add fq-codel-limit=1024 fq-codel-quantum=300 kind=fq-codel name=fq-codel-ethernet-upload
add fq-codel-limit=1024 fq-codel-quantum=600 kind=fq-codel name=fq-codel-ethernet-download

/queue tree
add bucket-size=0.01 comment="Upload Link" max-limit=25M name="DSCP->Priority - upload" parent=pppoe-out1 priority=1 queue=fq-codel-ethernet-upload
add comment="DSCP 01-07 (Priority 8 - Lowest)" name="8. Routine - upload" packet-mark=priority_8 parent="DSCP->Priority - upload" queue=fq-codel-ethernet-upload
add comment="DSCP 08-15 (Priority 7)" name="7. Priority - upload" packet-mark=priority_7 parent="DSCP->Priority - upload" priority=7 queue=fq-codel-ethernet-upload
add comment="DSCP 16-23 (Priority 6)" name="6. Immedate - upload" packet-mark=priority_6 parent="DSCP->Priority - upload" priority=6 queue=fq-codel-ethernet-upload
add comment="DSCP 24-31 (Priority 5)" name="5. Flash - upload" packet-mark=priority_5 parent="DSCP->Priority - upload" priority=5 queue=fq-codel-ethernet-upload
add comment="DSCP 32-39 (Priority 4)" name="4. Flash Override - upload" packet-mark=priority_4 parent="DSCP->Priority - upload" priority=4 queue=fq-codel-ethernet-upload
add comment="DSCP 40-47 (Priority 3)" name="3. Critical - upload" packet-mark=priority_3 parent="DSCP->Priority - upload" priority=3 queue=fq-codel-ethernet-upload
add comment="DSCP 48-55 (Priority 2)" name="2. Internetwork Control - upload" packet-mark=priority_2 parent="DSCP->Priority - upload" priority=2 queue=fq-codel-ethernet-upload
add comment="DSCP 56-63 (Priority 1 - Highest)" name="1. Network Control - upload" packet-mark=priority_1 parent="DSCP->Priority - upload" priority=1 queue=fq-codel-ethernet-upload
add comment="Download Link" max-limit=120M name="Download Link" packet-mark=no-mark parent=bridge queue=fq-codel-ethernet-download

/ip firewall mangle
add action=change-dscp chain=postrouting comment="ACK -> DSCP 34" new-dscp=34 packet-size=0-123 passthrough=yes protocol=tcp tcp-flags=ack
add action=set-priority chain=postrouting comment="Setting priority from DSCP high 3 bits" new-priority=from-dscp-high-3-bits passthrough=yes
add action=mark-packet chain=postrouting comment="DSCP 56-63 Priority 1" new-packet-mark=priority_1 out-interface-list=WAN passthrough=no priority=7
add action=mark-packet chain=postrouting comment="DSCP 48-55 Priority 2" new-packet-mark=priority_2 out-interface-list=WAN passthrough=no priority=6
add action=mark-packet chain=postrouting comment="DSCP 40-47 Priority 3" new-packet-mark=priority_3 out-interface-list=WAN passthrough=no priority=5
add action=mark-packet chain=postrouting comment="DSCP 32-39 Priority 4" new-packet-mark=priority_4 out-interface-list=WAN passthrough=no priority=4
add action=mark-packet chain=postrouting comment="DSCP 24-31 Priority 5" new-packet-mark=priority_5 out-interface-list=WAN passthrough=no priority=3
add action=mark-packet chain=postrouting comment="DSCP 16-23 Priority 6" new-packet-mark=priority_6 out-interface-list=WAN passthrough=no priority=2
add action=mark-packet chain=postrouting comment="DSCP 08-15 Priority 7" new-packet-mark=priority_7 out-interface-list=WAN passthrough=no priority=1
add action=mark-packet chain=postrouting comment="DSCP 00 -> Priority 7" dscp=0 new-packet-mark=priority_7 out-interface-list=WAN passthrough=no
add action=mark-packet chain=postrouting comment="DSCP 01-07 Priority 8" new-packet-mark=priority_8 out-interface-list=WAN passthrough=no priority=0

/ipv6 firewall mangle
add action=change-dscp chain=postrouting comment="ACK -> DSCP 34" new-dscp=34 packet-size=0-123 passthrough=yes protocol=tcp tcp-flags=ack
add action=set-priority chain=postrouting comment="Setting priority from DSCP high 3 bits" new-priority=from-dscp-high-3-bits passthrough=yes
add action=mark-packet chain=postrouting comment="DSCP 56-63 Priority 1" new-packet-mark=priority_1 out-interface-list=WAN passthrough=no priority=7
add action=mark-packet chain=postrouting comment="DSCP 48-55 Priority 2" new-packet-mark=priority_2 out-interface-list=WAN passthrough=no priority=6
add action=mark-packet chain=postrouting comment="DSCP 40-47 Priority 3" new-packet-mark=priority_3 out-interface-list=WAN passthrough=no priority=5
add action=mark-packet chain=postrouting comment="DSCP 32-39 Priority 4" new-packet-mark=priority_4 out-interface-list=WAN passthrough=no priority=4
add action=mark-packet chain=postrouting comment="DSCP 24-31 Priority 5" new-packet-mark=priority_5 out-interface-list=WAN passthrough=no priority=3
add action=mark-packet chain=postrouting comment="DSCP 16-23 Priority 6" new-packet-mark=priority_6 out-interface-list=WAN passthrough=no priority=2
add action=mark-packet chain=postrouting comment="DSCP 08-15 Priority 7" new-packet-mark=priority_7 out-interface-list=WAN passthrough=no priority=1
add action=mark-packet chain=postrouting comment="DSCP 00 -> Priority 7" dscp=0 new-packet-mark=priority_7 out-interface-list=WAN passthrough=no
add action=mark-packet chain=postrouting comment="DSCP 01-07 Priority 8" new-packet-mark=priority_8 out-interface-list=WAN passthrough=no priority=0

jordanp123 · Thu Apr 25, 2024 4:21 am

I'm not 100% but I think their might be an error lurking in the VRF segment again. Using the export functionality on the terminal I see that a IP route has been added which is good but it shows it has been added to the Main routing table, when checking using Winbox it shows it as being added to my VRF routing table (which is correct). Am I overlooking something or is this a bug ?

Thu Apr 25, 2024 7:15 am

Sit75 - This seems to probably be a story as old as the planet Earth - RouterOS and its great possibilities which come with a great responsibility. We more or less do let the system administrator to do any kinds of nonsense on the router, but you do that on your own risk. It seems that the reply from DanMos79 is completely accurate. You define a lot of queues with max buffer limits but do not take into consideration that buffer is allocated per queue and if total theoretically allocated memory exceeds router hardware resources, then even your router can reboot due to out of memory condition, and then it is not a memory leak, bur router doing exactly what it was told to do by system administrator. To be sure - I recommend that you adjust queue type limits, do the math on paper first. Queues start up without allocated memory - when you use them, then buffer increases, but it does not exceed the maximum limit. So in short - routers with queues and large buffer will bootup with low RAM usage and during its work, RAM usage will be consumed by simply traffic going through queues that are at the moment "installed". RAM is freed only when queue is removed.

P.S. You should see the exact same behaviour in older releases. In short - this issue does not seem to be an issue and has nothing to do with this release. Of course, please correct me, if you test this and I am wrong.

olgale · Thu Apr 25, 2024 8:33 am

I'm not 100% but I think their might be an error lurking in the VRF segment again. Using the export functionality on the terminal I see that a IP route has been added which is good but it shows it has been added to the Main routing table, when checking using Winbox it shows it as being added to my VRF routing table (which is correct). Am I overlooking something or is this a bug ?

Hello!

Thank you for provided example. It is a bug.

infabo · Thu Apr 25, 2024 9:22 am

@Sit75
Set your fqcodel memlimit to something low like 8MB. I did not count your queues but I guess you have less than 10. So this should exceed 80Mb. Or go even lower, 4MB to.

@strods

It should be a limit. A value it can't exceed at some point of time. Can be freed if not used anymore or not consumed when not needed.
So to say: queue empty -> fq-codel memory empty. Queue full -> fqcodel memory full. User should be able to stress this memory limit by running a Speedtest or something.

But it is reported to consume RAM over days slowly and not release this RAM anymore. This is a clear indication of bad garbage collection or not freeing allocated memory anymore. Commonly said as "memory leak".

"fq-codel-memlimit (default: 32.0MiB)
A total number of bytes that can be queued in this FQ-CoDel instance. Will be enforced from the fq-codel-limit parameter."
https://help.mikrotik.com/docs/display/ ... 0parameter.

And:
"memory_limit
sets a limit on the total number of bytes that can be queued in
this FQ-CoDel instance. The lower of the packet limit of the
limit parameter and the memory limit will be enforced. Default is
32 MB."
https://man7.org/linux/man-pages/man8/t ... %2032%20MB.

And instead of wild guesses, long writings about the history of earth: wouldnt it good to have facts? One should make a supout.rif, send it to MT support. MT support looks at the collected supout.rif data and responds: "dear reporter, we see a high memory consumption caused by X. It is normal behaviour." (or wrong behaviour depends).

But I have the fear, supout.rif isn't that powerful as we think. "dear reporter, nothing suspicious to find in your submitted supout.rif. no clue. Must be your fault!!1!!".

DanMos79 · Thu Apr 25, 2024 9:43 am

But it is reported to consume RAM over days slowly and not release this RAM anymore. This is a clear indication of bad garbage collection or not freeing allocated memory anymore. Commonly said as "memory leak".

It's not great if the currently unused memory is not become free again, but I wouldn't see it as a “memory leak” if the maximum allocated memory for the cache is not exceeded.
If ROS does not limit the upper limit of each cache (queue or other) when running out of memory, an “out of memory” condition can always occur if the user chooses the wrong settings.

radio303 · Thu Apr 25, 2024 10:03 am

hello everyone, is there a chance to be able to install it on 16 mb devices? I don't see size reduction anywhere in the changelog

Thu Apr 25, 2024 10:22 am

*) system - general work on optimizing the size of RouterOS packages;

hello everyone, is there a chance to be able to install it on 16 mb devices? I don't see size reduction anywhere in the changelog

Thu Apr 25, 2024 10:43 am

It's not great if the currently unused memory is not become free again

Doing so is not always possible.

Thu Apr 25, 2024 10:50 am

What's new in 7.15rc2 (2024-Apr-24 12:38):

!) system - added support for AMPERE (R) and ARM64 CHR installations (new ARM64 CHR image available);
*) bridge - added MVRP support;
*) chr - fixed management access (introduced in v7.15rc1);
*) discovery - added LLDP Maximum Frame Size TLV support;
*) file - fixed file list updates in certain situations (introduced v7.15rc1);
*) lte - added "at-chat" support for DELL T99W175 (PID: 0x05c6 VID: 0x90d5);
*) partitions - fixed missing partition information on certain devices (introduced in v7.15beta8);
*) ppp - enabled monitoring of registration state, RSRP, RSRQ, SINR, PCI, CellID for BG77 modem;
*) ppp - fixed info command and PPP client crash when SIM is not present (introduced in v7.15beta6);
*) qos-hw - added "offline" tx-manager (CLI only);
*) qos-hw - added Priority Flow Control for compatible switches (CLI only);
*) storage - improved configuration storing process on first system boot after configuration reset;
*) winbox - fixed missing information for CHR/x86 (introduced in v7.15rc1);

Cha0s · Thu Apr 25, 2024 12:30 pm

*) chr - fixed management access (introduced in v7.15rc1);
*) winbox - fixed missing information for CHR/x86 (introduced in v7.15rc1);

I confirm, both issues have been resolved in rc2.
Thanks.

flapviv · Thu Apr 25, 2024 2:10 pm

Hi,
No more printing licence issue in 7.15rc2 and CHR...
Thanx Mikrotik!

mantouboji · Thu Apr 25, 2024 2:58 pm

SSH works in 7.15rc2 x86

patg · Thu Apr 25, 2024 3:38 pm

I can confirm that routeros/wifi-qcom-ac + zerotier fits again in HAP ac2 flash ! (15mb)
112 KiB free space left after upgrade.
Thanks Mikrotik for caring to keep old hardware alive !

infabo · Thu Apr 25, 2024 4:16 pm

How much free space did you have with ROS 7.12.x+zerotier?

riv · Thu Apr 25, 2024 4:27 pm

Please make improvement for IS-IS

IS-IS still not working with MTU larger than 1500, and other routing protocol still can't redistribute IS-IS routes

patg · Thu Apr 25, 2024 4:31 pm

How much free space did you have with ROS 7.12.x+zerotier?

468 KiB

/system/resource
                   uptime: 3w5d43m19s
                  version: 7.12.1 (stable)
               build-time: Nov/17/2023 11:38:45
              free-memory: 154.4MiB
             total-memory: 256.0MiB
             free-hdd-space: 468.0KiB
          architecture-name: arm
               board-name: hAP ac^2
                 platform: MikroTik

/system/package
Columns: NAME, VERSION
# NAME      VERSION
0 routeros  7.12.1 
1 zerotier  7.12.1

Sit75 · Thu Apr 25, 2024 5:54 pm

Sit75 - This seems to probably be a story as old as the planet Earth - RouterOS and its great possibilities which come with a great responsibility. We more or less do let the system administrator to do any kinds of nonsense on the router, but you do that on your own risk. It seems that the reply from DanMos79 is completely accurate. You define a lot of queues with max buffer limits but do not take into consideration that buffer is allocated per queue and if total theoretically allocated memory exceeds router hardware resources, then even your router can reboot due to out of memory condition, and then it is not a memory leak, bur router doing exactly what it was told to do by system administrator. To be sure - I recommend that you adjust queue type limits, do the math on paper first. Queues start up without allocated memory - when you use them, then buffer increases, but it does not exceed the maximum limit. So in short - routers with queues and large buffer will bootup with low RAM usage and during its work, RAM usage will be consumed by simply traffic going through queues that are at the moment "installed". RAM is freed only when queue is removed.

P.S. You should see the exact same behaviour in older releases. In short - this issue does not seem to be an issue and has nothing to do with this release. Of course, please correct me, if you test this and I am wrong.

Thanks for the effort. On the other hand, there are 2 limits - memory and number of packets. The number of packets in fq_codel is set to 1024 and it is hard to believe that the average TCP packet size in my case will be 32kB (64kB is the theoretical maximum). Standard TCP packets typically follow 1500 bytes Eth frames to avoid fragmentation. Anyway, I upgraded the router to RouterOS 7.15 beta 2, decimated the 8 queues to 4 (use DSCP the highest 2 bits only not 3) and reduced the fq_codel memory size to 16 MiB and we'll see.

DarkNate · Fri Apr 26, 2024 12:03 am

Has MikroTik added BQL support for FQ_Codel (and everything else) on this RC version, yet?

Larsa · Fri Apr 26, 2024 12:13 am

If you can't find it in the release notes, it's probably not there, right? You'll have to manage with the already built-in flow control. If you really want BQL, I believe it's better to open a support ticket with a well-founded argument about why, instead of mentioning it in a user forum.

EDIT: @holvoetn, that sounds better and thanks for the cleanup!

loloski · Fri Apr 26, 2024 2:41 am

Where did wifi-qcom-ac package go? can't seems to find in extra package and why?

mkx · Fri Apr 26, 2024 8:02 am

Where did wifi-qcom-ac package go? can't seems to find in extra package and why?

It's in the extras package archive, where it had always been. However, AFAIK it's only available for ARM architecture(s).

Fri Apr 26, 2024 8:28 am

RouterOS changelog covers all the changes introduced in any particular release, despite ones that are there for products which are not released yet or features that are "on the way". The fact that we list in the changelog what was actually done, of course, differs of listing all the possible ways how the issue might have affected the network. We do write what was fixed/changed, not how it might have affected your router in a million different and impossible to predict ways. We do describe how the code was changed, not what might have happened if you are running A configuration, B configuration, C configuration etc. Otherwise, most of the changelog entries might require a book to cover all the possible ways how the router or network might be affected. We do consider this a better approach than simply ending changelog with - other changes and fixes.

Please keep RouterOS release topics strictly related to the particular release. These topics are made to make aware users of how a particular update might have changed something. Make as many new topics as you want for anything else or of course the best way - contact support.

Jotne · Fri Apr 26, 2024 8:39 am

There is a change not included in change list. /system resource board-name for CHR now has extra information about the host/platform it is running on.
For example, it might now be "CHR x86 Xen HVM domU"
So, testing if board-name is "CHR" no longer works; you'd need to use something like /^CHR/.

Good catch.

RouterOS changelog covers all the changes introduced in any particular release

I do see the "all the changes" mention. Why is not this mention in the change log? It will (and has) break script that uses this information.
What else are not listet in the change logs?

Fri Apr 26, 2024 8:45 am

This change came together with a ton of changes in a package of:

!) system - added support for AMPERE (R) and ARM64 CHR installations (new ARM64 CHR image available);

Yes, of course, there are more git commits in the code than entries in the changelog. Many of them are bundled into one generic log entry. But it is not like there would be only few entries about wireless listed in the changelog and fans for CCR would stop spinning. As mentioned before - please keep this topic related to 7.15 functionality, not anything else. For generic discussions - open new topics, please.

loloski · Fri Apr 26, 2024 8:54 am

@mkx

Thanks i don't know what i'm thinking i download the wrong extra package :)

Fri Apr 26, 2024 8:59 am

Please keep RouterOS release topics strictly related to the particular release. These topics are made to make aware users of how a particular update might have changed something. Make as many new topics as you want for anything else or of course the best way - contact support.

Cleanup done.

UpRunTech · Fri Apr 26, 2024 9:19 am

7.15.x has introduced the new feature of the two iPads in my house no longer roam reliably like they did with 7.14.x and earlier. The often stubbornly stick to the weaker AP they roamed away from. A quick Wifi on/off cycle gets them connected to the closer AP. 5009 and 2x hapax^2.

The family is complaining. Not good!

erlinden · Fri Apr 26, 2024 9:41 am

Are the two hAP ax's using different channels?

ToTheFull · Fri Apr 26, 2024 10:08 am

7.15.x has introduced the new feature of the two iPads in my house no longer roam reliably like they did with 7.14.x and earlier. The often stubbornly stick to the weaker AP they roamed away from. A quick Wifi on/off cycle gets them connected to the closer AP. 5009 and 2x hapax^2.

The family is complaining. Not good!

I had a laptop (intel wifi card AX200 series) refusing to move, it's a works laptop so I have no access to it, I had to force it to shift IE

interface/wifi/access-list/print
Columns: INTERFACE, MAC-ADDRESS, ACTION
# INTERFACE  MAC-ADDRESS        ACTION
1 wifi2      6C:A1:  reject
2 cap-wifi2  6C:A1:  reject

Fri Apr 26, 2024 10:17 am

7.15.x has introduced the new feature of the two iPads in my house no longer roam reliably like they did with 7.14.x and earlier. The often stubbornly stick to the weaker AP they roamed away from. A quick Wifi on/off cycle gets them connected to the closer AP. 5009 and 2x hapax^2.

The family is complaining. Not good!
I had a laptop (intel wifi card AX200 series) refusing to move, it's a works laptop so I have no access to it, I had to force it to shift IE

I also have AX200-series wifi card in my laptop (AX211) and no problem roaming in capsman environment with RB5009 / AX3 / AX2 (home).

ToTheFull · Fri Apr 26, 2024 10:20 am

I had a laptop (intel wifi card AX200 series) refusing to move, it's a works laptop so I have no access to it, I had to force it to shift IE
I also have AX200-series wifi card in my laptop (AX211) and no problem roaming in capsman environment with AX3 / AX2 (home) and other capsman setup using AX3 / cAP AX / AX Lite (client network).

yeah my own laptop has an ax card with no problems, I think this might be a driver problem but like I say, nothing I can do about it, it belongs to the Government!

ToTheFull · Fri Apr 26, 2024 10:23 am

I think what I'm trying to say is some of my stuff is getting sticky just now!

UpRunTech · Fri Apr 26, 2024 10:24 am

Are the two hAP ax's using different channels?

Yes.

I just walked around with my Galaxy A52 and laptop with AX200 and they roamed nice and snappily.

The iPads, not so much. One test there is a log entry saying the iPad roamed but the iPad's behaviour showed low signal and no data flowing and I was next to the new closer AP. Someone in Discord just reported the same thing in their log. The roam that wasn't.

osc86 · Fri Apr 26, 2024 12:13 pm

Many don't know this, but there's a diagnostic profile for iOS devices available. Once installed, you can see the current connected BSSID together with the signal strength, updated every 500-1000ms. Makes troubleshooting on these devices a lot easier. Also note that iPhones/iPads won't roam unless the signal is -72 or worse (at least in my experience).
The only downside is, that the profile expires every 7 days.
https://www.jiribrejcha.net/2024/02/app ... -easy-way/

ivicask · Fri Apr 26, 2024 2:42 pm

Still getting random query timeout disconnects on HAP AX3 on 7.15 RC2, no problems on 7.14, all started happening since new Qualcomm drivers got implemented.
Also roaming is super bad, clients hang on 2ghz practically near router full signal and never or rarely roam to 5ghz.
I hope this doesnt go into final release..

pe1chl · Fri Apr 26, 2024 3:43 pm

I still see a problem with announcing IPv6 addresses. When I enter an IPv6 address with advertise=yes that gets properly advertised.
When I change that to advertise=no, it is still advertised but with "Preferred lifetime: 0". That is OK, it means "deprecated" and a system with a properly functioning IPv6 stack will show that in the address list and no longer use it.
However, not all systems are properly functioning, so some of them ignore this and just use the address (e.g. Microsoft WINPE).
I thought the router would do this advertisement only for the Valid Lifetime and then stop it, but it doesn't happen it just continues. Even "disabling" the address does not help.
I know there have been changes to this in the 7.12.x timeframe and I thought problems like this were now fixed, but in 7.15rc2 I still see it.
Anyone knows if and when this will be fixed?

Sit75 · Fri Apr 26, 2024 7:09 pm

Still getting random query timeout disconnects on HAP AX3 on 7.15 RC2, no problems on 7.14, all started happening since new Qualcomm drivers got implemented.
Also roaming is super bad, clients hang on 2ghz practically near router full signal and never or rarely roam to 5ghz.
I hope this doesnt go into final release..

I have exactly the same finding with "SA Query timeout" and my kids with iPads complain about "WiFi quality". Additionally, in the iOS mobile app, the SSID is not displayed in RouterOS 7.15. RC1 or RC2. RouterOS 7.14.3 seems much better from this point of view.

pe1chl · Fri Apr 26, 2024 9:39 pm

That app issue is probably the app only supporting the old WiFi driver and you using the new one (or vice-versa).

Kanzler · Fri Apr 26, 2024 10:18 pm

@pe1chl
The app supports the new WiFi driver, but I haven't tested 7.15beta/rc

infabo · Fri Apr 26, 2024 10:47 pm

I hope the new Winbox introduces a new and more robust API....

maisondasilva · Sat Apr 27, 2024 6:14 am

same for me in rb4011

That's for all potential adlist users. The feature requires storage and RAM, it is recommended for ARM64 devices that have those resources more than others
Hello Normis, is it possible to change the location from local storage to a USB flash drive?
The second thing is that AdList works when I add it as a file, not as a link.
winbox64_EoASgwZwyq.png

elmomac · Sat Apr 27, 2024 12:02 pm

an old bgp issue araised again in 7.15rc1, after one hour of operation:
- one core locked to 100% about routing
- slow prefixes advertisment (in this condition)
- some ipv6 bgp sessions closed by HoldTimer Expired

this kind of issue was fixed several months ago, and again present in this release candidate......
SUP-150642 opened

Can confirm i am seeing the same issue on my CCR2216. After "testing" 7.15rc1 we only had 1 hour of uptime on an IX before being pinged for our session locking up.

rpingar · Sat Apr 27, 2024 12:41 pm

an old bgp issue araised again in 7.15rc1, after one hour of operation:
- one core locked to 100% about routing
- slow prefixes advertisment (in this condition)
- some ipv6 bgp sessions closed by HoldTimer Expired

this kind of issue was fixed several months ago, and again present in this release candidate......
SUP-150642 opened
Can confirm i am seeing the same issue on my CCR2216. After "testing" 7.15rc1 we only had 1 hour of uptime on an IX before being pinged for our session locking up.

it's a regression of an old bug.

UpRunTech · Sun Apr 28, 2024 2:43 am

Just now the iPad started asking for the Wifi password which it does know. Did not reconnect until I restarted the 5009.

Also my Galaxy A52 had a run of SA Query Timeouts earlier today. This is a big regression since 7.14.3 in the Wifi driver as that version worked nicely.

These 2 behaviours were something that would happen when I initially started using the Wifi driver last year and they seemed to have come back. I have the same connectivity and roaming issues as ivicask above.

infabo · Sun Apr 28, 2024 1:45 pm

rc2 already. Release of 7.15 may be 1 or maximum of 2 weeks ahead. The urge to release is enormous and overweights the support desk overload after going public with 7.15.😐

If being asked I would say they will release despite all these wifi issue reports here. But MT can prove me wrong. 😉

ToTheFull · Sun Apr 28, 2024 2:46 pm

How does this sort of cycle compare to the competition for wifi stability etc?
People wax lyrical that Ubi is fantastic, but I can't comment becase I don't use it. I would say the people that shout about it are either selling it or getting it for Free....

infabo · Sun Apr 28, 2024 5:51 pm

Following Ubiquiti forum threads on their releases....it isnt much of a difference 😛

CTassisF · Sun Apr 28, 2024 6:24 pm

I'm seeing lots of dhcp,warning dhcp offering lease 192.168.0.X for XX:XX:XX:XX:XX:XX without success since upgrading to v7.15rc2. This was not happening in v7.15rc1 or in betas.

ToTheFull · Sun Apr 28, 2024 7:45 pm

Following Ubiquiti forum threads on their releases....it isnt much of a difference 😛

I'll take your word for it, trying to follow their forum is like pulling teeth!

UpRunTech · Mon Apr 29, 2024 11:33 am

Things got bad yesterday with the iPads and a laptop so I rolled just the AX2's to 7.14.3 and left 7.15rc2 on the 5009. Wifi sanity has returned.

Mon Apr 29, 2024 11:36 am

Just now the iPad started asking for the Wifi password which it does know. Did not reconnect until I restarted the 5009.

Also my Galaxy A52 had a run of SA Query Timeouts earlier today. This is a big regression since 7.14.3 in the Wifi driver as that version worked nicely.

These 2 behaviours were something that would happen when I initially started using the Wifi driver last year and they seemed to have come back. I have the same connectivity and roaming issues as ivicask above.

when that happens, usually it means iPad is trying to use a technology it does not support. Maybe you enabled WPA3?

UpRunTech · Mon Apr 29, 2024 12:09 pm

when that happens, usually it means iPad is trying to use a technology it does not support. Maybe you enabled WPA3?

All my devices have worked fine for many months, in fact really nicely with below until the beta 9 came out. Putting just the AX2's back to 7.14.3 and they are fine again.

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disabled=no ft=\
yes ft-over-ds=yes group-key-update=1h name=SecJGA

I agree, the behaviour resembles that of the drivers sometime back last year until some issues were fixed.

infabo · Mon Apr 29, 2024 12:28 pm

Just now the iPad started asking for the Wifi password which it does know. Did not reconnect until I restarted the 5009.

Also my Galaxy A52 had a run of SA Query Timeouts earlier today. This is a big regression since 7.14.3 in the Wifi driver as that version worked nicely.

These 2 behaviours were something that would happen when I initially started using the Wifi driver last year and they seemed to have come back. I have the same connectivity and roaming issues as ivicask above.
when that happens, usually it means iPad is trying to use a technology it does not support. Maybe you enabled WPA3?

I want to understand why you commented this way? User said: all working perfectly well until including 7.14.3.

Paternot · Mon Apr 29, 2024 2:01 pm

I want to understand why you commented this way? User said: all working perfectly well until including 7.14.3.

Probably because Mikrotik is still tuning these drivers, and there is a big chance that some new feature has been enabled? We see this time and again: a "wrong" way to configure something works for months. Then Mikrotik releases an update that fix a non conforming behavior - and suddenly we see lots of setups that "just worked" breaking.

It's irrelevant if You consider this a good or bad development policy: it is what it is. And being this, it's a valuable information/advice: check the logs, double check the configs. There is a chance You will see a little checkbox there, that is marked and shouldn't - or isn't and should.

If You find it and solve the problem, great. If You don't find it, great too: it's one more information to help debugging the problem.

Mon Apr 29, 2024 2:11 pm

User said: all working perfectly well until including 7.14.3.

More often than not, user forgot he changed something in the device or in the router.
It is possible previously iPad was connecting to 2GHz interface and now to 5GHz interface, and they both have different settings.

lubomirs · Mon Apr 29, 2024 2:41 pm

Has the wifi driver fundamentally changed so that it would connect to 2GHz with version 7.14.3 and 5GHz with version 7.15rc2?

infabo · Mon Apr 29, 2024 2:47 pm

It's irrelevant if You consider this a good or bad development policy: it is what it is.

The fact that wrong behaviour is changed completely (like how to address a vrf interface in firewall as for example) is a good thing. Not communicating these changes in changelog and let people debug the blackbox themselves. Not nice.

infabo · Mon Apr 29, 2024 2:50 pm

All my devices have worked fine for many months, in fact really nicely with below until the beta 9 came out. Putting just the AX2's back to 7.14.3 and they are fine again.

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disabled=no ft=\
yes ft-over-ds=yes group-key-update=1h name=SecJGA

Maybe you don't need the "connect-priority=0/1" with the new driver and its this what breaks it. Why did you use "group-key-update=1h" instead of the 24h default?

Z0ltan · Mon Apr 29, 2024 3:32 pm

Also FT does not work without CAPSMAN; however, could somebody having the DHCP problems try changing the port-cost-mode to long and remove the default port cost values from the bridge ports?

infabo · Mon Apr 29, 2024 3:39 pm

Also FT does not work without CAPSMAN;

Did you mean this as a bug report? Because you can even benefit from FT without using CAPsMAN at all.

Kindis · Mon Apr 29, 2024 3:47 pm

Why did you use "group-key-update=1h" instead of the 24h default?

Default for group-key-update if you leave it empty is 5 min. This for me breaks a few IoT devices as they do not have the process power to calculate the key before it needs to be recalculated.
I set mine to 60 min as well.
https://help.mikrotik.com/docs/display/ ... +Interface

infabo · Mon Apr 29, 2024 4:00 pm

it is 24h according to docs.

"group-key-update (time interval)
Interval at which the group temporal key (key for encrypting broadcast traffic) is renewed. Defaults to 24 hours."
https://help.mikrotik.com/docs/display/ ... 24%20hours.

Z0ltan · Mon Apr 29, 2024 4:14 pm

Also FT does not work without CAPSMAN;
Did you mean this as a bug report? Because you can even benefit from FT without using CAPsMAN at all.

See here: https://help.mikrotik.com/docs/display/ ... Properties

For a client device to successfully roam between 2 APs, the APs need to be managed by the same instance of RouterOS. For information on how to centrally manage multiple APs, see CAPsMAN

Kindis · Mon Apr 29, 2024 4:25 pm

Aha so the group-key-update changed when moving from Wireless to Wifi. So 5 min apply for "old" wireless" and 24 hours is default for "new wifi".

infabo · Mon Apr 29, 2024 6:21 pm

See here: https://help.mikrotik.com/docs/display/ ... Properties

For a client device to successfully roam between 2 APs, the APs need to be managed by the same instance of RouterOS. For information on how to centrally manage multiple APs, see CAPsMAN

Nothing wrong with "For a client device to successfully roam between 2 APs, the APs need to be managed by the same instance of RouterOS". AP dont need to refer to hardware AP. Each wifi interface on ROS is an (logical) AP itself. Having an 2.4ghz and 5ghz with the same security configuration on the same ROS can benefit from FT without CAPsMAN as well.

Toms teaches us that it works even without running capsman: https://youtu.be/vkWPlsuyuKE?si=-n_aGIUT_WLnykqg&t=326

pe1chl · Mon Apr 29, 2024 6:40 pm

it works even without running capsman

That is only for roaming between 2.4 and 5 GHz on the same AP.
When you have 2 APs you need capsman.

infabo · Mon Apr 29, 2024 6:57 pm

Also FT does not work without CAPSMAN;

The goal was to correct this statement.

nescafe2002 · Mon Apr 29, 2024 7:00 pm

!) system - added support for AMPERE (R) and ARM64 CHR installations (new ARM64 CHR image available);

As I didn't manage to enable container support on arm64 CHR, I found another way to set device mode (on Hetzner Cloud):

Create a temporary x64 instance:

Install CHR x86
Enable container support
Enter rescue mode
Mount /dev/sda2 and copy /rw/rosmode.msg locally
Remove the x64 instance

On the arm64 instance:

Enter rescue mode
Mount /dev/sda2 and copy rosmode.msg to /rw
Reboot

Container support is now enabled:

[admin@MikroTik] > /system/resource/print
                   uptime: 6m37s
                  version: 7.15rc2 (testing)
               build-time: 2024-04-24 09:38:34
              free-memory: 3652.5MiB
             total-memory: 4000.0MiB
                      cpu: ARM64
                cpu-count: 2
                 cpu-load: 1%
           free-hdd-space: 8.9GiB
          total-hdd-space: 8.9GiB
  write-sect-since-reboot: 282
         write-sect-total: 282
        architecture-name: arm64
               board-name: CHR Hetzner vServer
                 platform: MikroTik

[admin@MikroTik] > /system/device-mode/print
       mode: enterprise
  container: yes

Z0ltan · Tue Apr 30, 2024 9:51 am

Also FT does not work without CAPSMAN;
The goal was to correct this statement.

Hard to consider switching between 2 SSID-s on the same device “roaming” but there you have it. Perhaps it would be nice to also file a bug report to have the wiki page updated to list this feature?

infabo · Tue Apr 30, 2024 11:52 am

It roams between 2.4ghz and 5ghz when they have the same SSID (and in fact the identical security configuration).

pe1chl · Tue Apr 30, 2024 12:17 pm

It does that without any roaming support at all! The roaming really isn't much faster with "Fast Roaming" (FT) and WPA2-PSK. The advantage of this addition is mainly there when you use WPA2-EAP (and also WPA3 I think).

Tue Apr 30, 2024 2:01 pm

UpRunTech - Can you please reproduce the wifi problem with authentication/roaming/etc. and generate supout files on your APs and CAPsMAN? Send all these files to support@mikrotik.com and let us know MAC address of the problematic wifi client. Same rules apply for anyone else having difficulties to access wireless network after an upgrade to this release.

infabo · Tue Apr 30, 2024 7:00 pm

It does that without any roaming support at all! The roaming really isn't much faster with "Fast Roaming" (FT) and WPA2-PSK. The advantage of this addition is mainly there when you use WPA2-EAP (and also WPA3 I think).

It fast roams (FT). Whether it is 2ms faster than BSS Transition (802.11v) or not. It works, it does what it does. And without any of 802.11r/802.11v the clients just disconnect and connect to another AP and it takes some seconds without connection at all. So no roaming, just disconnect and connect.

whatever · Tue Apr 30, 2024 7:33 pm

And without any of 802.11r/802.11v the clients just disconnect and connect to another AP

That's pretty much the definition of WiFi roaming.

and it takes some seconds without connection at all.

With PSK non-FT roaming takes only few milliseconds. If it takes multiple seconds for you, your AP- or L2-configuration is incorrect/bad.

infabo · Tue Apr 30, 2024 7:36 pm

Really? With old wireless driver I could see the wifi symbol on my Android device disappear and reappear after 1 ~second. It was clearly not just some milliseconds.
On wifi-qcom-ac it does practically not matter if FT enabled or not. It roams fast enough.

My personal experience with FT enabled is, it seems like some of my clients are more likely roaming between bands. As I walk around with one device, it constantly roams happily without interruptions. Without FT they tend to be more "sticky" and "think twice" and stay on one AP until signal reaches some client defined threshold (🍎 clients are famous for). But maybe just a subjective observation.

But this discussion is so completely off topic, we should stop it. Back to topic. I wish to see many fixes until we reach stable. Good luck!

Tue Apr 30, 2024 9:16 pm

With old wireless driver I could see the wifi symbol on my Android device disappear and reappear after 1 ~second.

The only case when I personally observed anything similar with the old drivers was if I forcibly kicked (via the access list) clients off an AP based on the signal strength. When I let the clients roam by themselves the transition is almost seamless.

With the new drivers and with FT enabled the roaming experience is slightly better for me mainly in that most clients roam more aggressively (earlier). But the transition speed difference is practically unnoticeable.

infabo · Tue Apr 30, 2024 9:35 pm

The only case when I personally observed anything similar with the old drivers was if I forcibly kicked (via the access list) clients off an AP based on the signal strength.

Right! I've already suppressed that. At least I don't need that dreadful access list stuff (band steering for the poor's) with the new driver anymore.

UpRunTech · Wed May 01, 2024 5:20 am

UpRunTech - Can you please reproduce the wifi problem with authentication/roaming/etc. and generate supout files on your APs and CAPsMAN?

Done.

stmx38 · Wed May 01, 2024 8:16 am

Is that somehow related to the 7.15rc2 or it is a known issue?

Screenshot 2024-05-01 at 08.09.46.png

And terminal does not show these 0.0.0.0 entries

/ip/dns/cache/print

pe1chl · Wed May 01, 2024 10:24 am

Really? With old wireless driver I could see the wifi symbol on my Android device disappear and reappear after 1 ~second. It was clearly not just some milliseconds.

That is just UI, I would not consider that a measurement.
It is better to e.g. make a VoIP phone call over WiFi and have it play music-on-hold, then walk around to see if the music is interrupted and for how long.
Or use this website and make a measurement while walking around (set the time to a minute or so): https://packetlosstest.com/

jriera · Wed May 01, 2024 9:01 pm

We have a problem with v7.15rc1, the PPPoE accounting don't send the bytes to radius. Example:

Always 0 bytes.

Acct-Input-Octets = 0
Acct-Input-Gigawords = 0
Acct-Input-Packets = 0
Acct-Output-Octets = 0
Acct-Output-Gigawords = 0
Acct-Output-Packets = 0
Acct-Status-Type = Interim-Update

Does the same happen to anyone else? Are Mikrotik aware of this bug?

ID · Wed May 01, 2024 9:41 pm

Using v7.15rc2 at test environment and accounting values come with 0, same like you.
Probably broken with ipv6 accounting change which is come with rc1.

kcarhc · Thu May 02, 2024 7:59 am

please check SUP-151768

The routing-table for IPv6 routes requires enabling any line of code in /routing/rule each time for it to take effect; this issue does not exist with IPv4. Specifically, when /routing/rule is empty, the routing-table for IPv6 routes does not work.

When /routing/rule is empty, the routing-table for IPv6 routes is ineffective. At this point, you just need to enable any disabled arbitrary code, even if it is unrelated to the specific routing-table.

/routing/rule
add action=lookup disabled=no routing-mark=main table=main

After doing this, the routing-table for IPv6 routes becomes effective. Then, even if you disable the above code, it still remains effective. Currently, this operation needs to be repeated every time the system is rebooted, an issue that does not occur with IPv4 routes.

pe1chl · Thu May 02, 2024 9:52 am

That is a "known bug" or "works as designed", depending on who you ask.
Personally I am not against requiring a specific rule for "action=lookup routing-mark=abcd table=abcd" but it should be documented and be consistent between IPv4 and IPv6.

Thu May 02, 2024 2:43 pm

The PPP RADIUS accounting issue is reported to our development team and will be resolved as soon as possible.

loloski · Thu May 02, 2024 3:29 pm

Is that PPP accounting radius issue is not covered with unit testing so that you can catch that early and minimize releasing software that has birth defects? hahaha just kidding, I'm just curious

kcarhc · Thu May 02, 2024 7:48 pm

please check SUP-151768

The routing-table for IPv6 routes requires enabling any line of code in /routing/rule each time for it to take effect; this issue does not exist with IPv4. Specifically, when /routing/rule is empty, the routing-table for IPv6 routes does not work.

When /routing/rule is empty, the routing-table for IPv6 routes is ineffective. At this point, you just need to enable any disabled arbitrary code, even if it is unrelated to the specific routing-table.
Code: Select all
/routing/rule
add action=lookup disabled=no routing-mark=main table=main
After doing this, the routing-table for IPv6 routes becomes effective. Then, even if you disable the above code, it still remains effective. Currently, this operation needs to be repeated every time the system is rebooted, an issue that does not occur with IPv4 routes.

The issue has been confirmed. After enabling and then disabling the code below, it initially works, but randomly fails after a certain period ranging from 15 minutes to 2 hours. Sometimes it may remain effective all day, but it will still randomly fail again. You will need to enable and then disable it once more to reactivate its effectiveness. It's quite peculiar.

/routing/rule/set [find table=main routing-mark=main] disabled=no
:delay 3s
/routing/rule/set [find table=main routing-mark=main] disabled=yes

However, if you constantly keep the following line of code active, you will find that the issue no longer bothers you. The trade-off is that simply having this line enabled in /routing/rule will result in a performance loss of at least 5-10%.

For example, I could achieve speeds of up to 5Gbps on speed test websites. After enabling the rule below, performance drops to between 3.5Gbps and 4Gbps. Disabling this rule after a while returns the speed to 5Gbps. What you need to do is avoid enabling any rules in /routing/rule so that your RouterOS can perform optimally, even though this rule seems to serve no apparent purpose.
Even writing a rule to drop any source address will similarly affect these performance metrics.

/routing/rule
add action=lookup disabled=no routing-mark=main table=main

The issue regarding performance impact caused by /routing/rule has been submitted as SUP-111098. please check.

olgale · Fri May 03, 2024 10:09 am

please check SUP-151768

The routing-table for IPv6 routes requires enabling any line of code in /routing/rule each time for it to take effect; this issue does not exist with IPv4. Specifically, when /routing/rule is empty, the routing-table for IPv6 routes does not work.

When /routing/rule is empty, the routing-table for IPv6 routes is ineffective. At this point, you just need to enable any disabled arbitrary code, even if it is unrelated to the specific routing-table.
Code: Select all
/routing/rule
add action=lookup disabled=no routing-mark=main table=main
After doing this, the routing-table for IPv6 routes becomes effective. Then, even if you disable the above code, it still remains effective. Currently, this operation needs to be repeated every time the system is rebooted, an issue that does not occur with IPv4 routes.

Hello!

Thank you for the report. The issue is reproduced in our labs and reported. However the issue is not really related to this topic as the issue is present in earlier ROS versions as well.

Sit75 · Sat May 04, 2024 11:27 am

Sit75 - This seems to probably be a story as old as the planet Earth - RouterOS and its great possibilities which come with a great responsibility. We more or less do let the system administrator to do any kinds of nonsense on the router, but you do that on your own risk. It seems that the reply from DanMos79 is completely accurate. You define a lot of queues with max buffer limits but do not take into consideration that buffer is allocated per queue and if total theoretically allocated memory exceeds router hardware resources, then even your router can reboot due to out of memory condition, and then it is not a memory leak, bur router doing exactly what it was told to do by system administrator. To be sure - I recommend that you adjust queue type limits, do the math on paper first. Queues start up without allocated memory - when you use them, then buffer increases, but it does not exceed the maximum limit. So in short - routers with queues and large buffer will bootup with low RAM usage and during its work, RAM usage will be consumed by simply traffic going through queues that are at the moment "installed". RAM is freed only when queue is removed.

P.S. You should see the exact same behaviour in older releases. In short - this issue does not seem to be an issue and has nothing to do with this release. Of course, please correct me, if you test this and I am wrong.
Thanks for the effort. On the other hand, there are 2 limits - memory and number of packets. The number of packets in fq_codel is set to 1024 and it is hard to believe that the average TCP packet size in my case will be 32kB (64kB is the theoretical maximum). Standard TCP packets typically follow 1500 bytes Eth frames to avoid fragmentation. Anyway, I upgraded the router to RouterOS 7.15 beta 2, decimated the 8 queues to 4 (use DSCP the highest 2 bits only not 3) and reduced the fq_codel memory size to 16 MiB and we'll see.

Memory leak, memory leak, memory leak...... No emotion, absolutely no change after applying the recommended solution. Still roughly 10 MiB/day of memory leak with standard router usage. It has around 150 MiB of free memory immediately after restart. After 5 and half days I'm at about 90 MiB. Neither C nor C++ has a native "garbage collector", therefore precise memory deallocation is necessary. If not, then we have a problem.

infabo · Sat May 04, 2024 11:55 am

90MB is not an issue so far. Observe and generate supout files daily.

ormandj · Sun May 05, 2024 1:12 am

Thanks for the effort. On the other hand, there are 2 limits - memory and number of packets. The number of packets in fq_codel is set to 1024 and it is hard to believe that the average TCP packet size in my case will be 32kB (64kB is the theoretical maximum). Standard TCP packets typically follow 1500 bytes Eth frames to avoid fragmentation. Anyway, I upgraded the router to RouterOS 7.15 beta 2, decimated the 8 queues to 4 (use DSCP the highest 2 bits only not 3) and reduced the fq_codel memory size to 16 MiB and we'll see.
Memory leak, memory leak, memory leak...... No emotion, absolutely no change after applying the recommended solution. Still roughly 10 MiB/day of memory leak with standard router usage. It has around 150 MiB of free memory immediately after restart. After 5 and half days I'm at about 90 MiB. Neither C nor C++ has a native "garbage collector", therefore precise memory deallocation is necessary. If not, then we have a problem.

Consuming available RAM over time does not mean there is a memory leak. If the consumption continues beyond the available RAM, this is different. Thankfully, there is no GC in the languages mentioned or we’d be dealing with the GC latency sporadically.

For example, in a stock Linux setup, you’d see “cache” increase as the VFS layer continues to use available memory to cache frequently accessed data, maximizing performance with spare memory. If there is an allocation request the cache will be evicted and memory returned to available status for allocation. The perceived memory usage climbs over time until leveling off, so RAM doesn’t sit unused and is instead used to increase performance. This is just one example of many.

Do you have some indication that your consumption isn’t this kind of behavior, but instead memory allocated but not being deallocated properly?

buset1974 · Sun May 05, 2024 6:55 am

Be careful Rc2 have CPU (cpu1, routing) lock 100% bugs, i believe caused by BGP and has been reported SUP-132127
It's also cause some configuration cannot be read.

/routing/bgp> export
# 2024-05-05 10:09:54 by RouterOS 7.15rc2
# software id = F7QD-XXXX
#
# model = CCR1009-7G-1C-1S+
# serial number = 7AEC06D5XXXX
#error exporting "/routing/bgp/template" (timeout)
#error exporting "/routing/bgp/connection" (timeout)

/tool/profile cpu=all freeze-frame-interval=5
Columns: NAME, CPU, USAGE
NAME CPU USAGE
firewall 0 0%
networking 0 0%
routing 0 1.5%
cpu0 1.5%
firewall 1 0%
networking 1 0%
routing 1 95.5%
cpu1 95.5%
cpu2 0%
networking 3 0%

thx

Sit75 · Sun May 05, 2024 4:06 pm

Thanks for the effort. On the other hand, there are 2 limits - memory and number of packets. The number of packets in fq_codel is set to 1024 and it is hard to believe that the average TCP packet size in my case will be 32kB (64kB is the theoretical maximum). Standard TCP packets typically follow 1500 bytes Eth frames to avoid fragmentation. Anyway, I upgraded the router to RouterOS 7.15 beta 2, decimated the 8 queues to 4 (use DSCP the highest 2 bits only not 3) and reduced the fq_codel memory size to 16 MiB and we'll see.
Memory leak, memory leak, memory leak...... No emotion, absolutely no change after applying the recommended solution. Still roughly 10 MiB/day of memory leak with standard router usage. It has around 150 MiB of free memory immediately after restart. After 5 and half days I'm at about 90 MiB. Neither C nor C++ has a native "garbage collector", therefore precise memory deallocation is necessary. If not, then we have a problem.

Memory leak status: 6 days and 18 hours - free memory is 78,4 MiB. Next status tomorrow - I expect roughly about 65 - 70 MiB.

kcarhc · Sun May 05, 2024 4:16 pm

Thanks for the effort. On the other hand, there are 2 limits - memory and number of packets. The number of packets in fq_codel is set to 1024 and it is hard to believe that the average TCP packet size in my case will be 32kB (64kB is the theoretical maximum). Standard TCP packets typically follow 1500 bytes Eth frames to avoid fragmentation. Anyway, I upgraded the router to RouterOS 7.15 beta 2, decimated the 8 queues to 4 (use DSCP the highest 2 bits only not 3) and reduced the fq_codel memory size to 16 MiB and we'll see.
Memory leak, memory leak, memory leak...... No emotion, absolutely no change after applying the recommended solution. Still roughly 10 MiB/day of memory leak with standard router usage. It has around 150 MiB of free memory immediately after restart. After 5 and half days I'm at about 90 MiB. Neither C nor C++ has a native "garbage collector", therefore precise memory deallocation is necessary. If not, then we have a problem.

The issue of memory or disk leak in the hAP ac2 has been confirmed as unresolvable. I have sold all my hAP ac2 units and replaced them with hAP ax3. Previous contacts with customer support were unable to provide a specific reason; they only noted that some configurations were stored, but these gradually decreased in size over time, eventually reaching 0 size. After a restart, the hAP ac2 turns into a brick, unable to boot, and can only be repaired through netinstall.

So, if you're just experiencing memory leaks, I suggest routinely restarting the device. What I encountered was the disk space leaking to zero. I'm not sure what was being recorded inside; the files directory was empty and of no help.

Moreover, this problem only occurs with RouterOS 7.x. Since the hAP ac2 is quite an old model, it seems the memory leak issue in RouterOS will not be resolved anytime soon.

Trust me, sell it and switch to the hAP ax2 if you want to use RouterOS v7. If you're just using the hAP ac2 for everyday activities, I recommend sticking with RouterOS v6.

Because its 16MB is really too small, and it's truly a torment.

Please check ticket SUP-85301 to see if this issue might be resolved in the future.

Sit75 · Sun May 05, 2024 6:22 pm

Memory leak, memory leak, memory leak...... No emotion, absolutely no change after applying the recommended solution. Still roughly 10 MiB/day of memory leak with standard router usage. It has around 150 MiB of free memory immediately after restart. After 5 and half days I'm at about 90 MiB. Neither C nor C++ has a native "garbage collector", therefore precise memory deallocation is necessary. If not, then we have a problem.
The issue of memory or disk leak in the hAP ac2 has been confirmed as unresolvable. I have sold all my hAP ac2 units and replaced them with hAP ax3. Previous contacts with customer support were unable to provide a specific reason; they only noted that some configurations were stored, but these gradually decreased in size over time, eventually reaching 0 size. After a restart, the hAP ac2 turns into a brick, unable to boot, and can only be repaired through netinstall.

So, if you're just experiencing memory leaks, I suggest routinely restarting the device. What I encountered was the disk space leaking to zero. I'm not sure what was being recorded inside; the files directory was empty and of no help.

Moreover, this problem only occurs with RouterOS 7.x. Since the hAP ac2 is quite an old model, it seems the memory leak issue in RouterOS will not be resolved anytime soon.

Trust me, sell it and switch to the hAP ax2 if you want to use RouterOS v7. If you're just using the hAP ac2 for everyday activities, I recommend sticking with RouterOS v6.

Because its 16MB is really too small, and it's truly a torment.

Please check ticket SUP-85301 to see if this issue might be resolved in the future.

If this is true, I would expect some serious announcement from Mikrotik. So far all I see from their side is pressure - "It's your fault - wrong configuration." What's even more serious is the fact that they still introduce new rather expensive HW based on the exact same hAP ac^2 IPQ-4019 256 Mib RAM and 16 MiB ROM with RouterOS 7 configuration as the new Chateau 5G R16.

pe1chl · Sun May 05, 2024 6:24 pm

So, if you're just experiencing memory leaks, I suggest routinely restarting the device. What I encountered was the disk space leaking to zero. I'm not sure what was being recorded inside; the files directory was empty and of no help.

Moreover, this problem only occurs with RouterOS 7.x. Since the hAP ac2 is quite an old model, it seems the memory leak issue in RouterOS will not be resolved anytime soon.

"memory leak" has NOTHING to do with "too little disk space"!!
For sure the 15.3M disk space of the hAP ac2 is a nuisance, and it is a good plan to discard these devices, but that is totally unrelated to complaints about memory leaks.

mkx · Sun May 05, 2024 6:27 pm

@kcarhc ... free storage space on 15.3MiB ARM devices is a different issue than RAM memory leak. It's common knowledge (without any speciffic insights) that hAP ac2 running ROS v7 should either be used as pretty simple AP or as router without any wireless package intalled. In both cases it runs pretty well without flash storage issues.
I understand that many users want to use it as router/AP combo, and in this case indeed running ROS v6 on it seems to be the best option.

Regarding "memory leak": it's most probably due to particular use case. My hAP ac2 is running 7.13.2 with uptime 7w3d. It doesn't have any wireless package installed and is used as router. Free memory is stable at 171MB (yup, my hAP ac2 is one of those "faulty" units with 256MB RAM installed). There have been a few "memory hogs" identified so far: address lists (dynamic entries with too long timeout), DNS cache, some queue types, etc. So without considering configuration (specially with regard to worst-case memory consumption) it's really hard to be talking about some bug in ROS causing memory leaks.

infabo · Sun May 05, 2024 10:33 pm

It's common knowledge (without any speciffic insights) that hAP ac2 running ROS v7 should either be used as pretty simple AP or as router without any wireless package intalled

wtf, for sure just your YMMV 2cent statement and no common knowledge..

kcarhc · Mon May 06, 2024 5:55 am

@mkx, you're correct, but as a user of a RouterOS router, I sync my configurations with friends nearby. If not synced, there is a lack in functionality and effectiveness.

However, memory leaks are indeed occurring. If it's used as an AP after a quick setup, and there are no DNS entries, forwarding, mangle, or /routing/rule configurations, then indeed, it won’t leak.

But if you use it with configurations similar to those from the old RouterOS v6, you will find that over time, memory will leak, and disk space will gradually drop to zero, so I really suggest:

Do not use RouterOS v7 on the hAP ac2. It would be best if the official recommendations are provided on the upgrade or on the website. Of course, it would be ideal if we could pinpoint exactly where the memory leaks and disk space issues are occurring.
The small memory on the hAP ac2 has been a headache more than once, sometimes even affecting upgrades due to insufficient space.
If you really want to use RouterOS v7, my advice is to switch to the hAP ax2. Otherwise, it is truly a torment.

m4rk3J · Mon May 06, 2024 6:12 am

I am using hAP ac2 with ww2 drivers as main router for one house and no space problems.. yes, i had to disable graphing, but now it is OK.
But I netinstalled it.

ac2.png

infabo · Mon May 06, 2024 9:48 am

It is best to use the version Mikrotik advertises on product page. So for example a HAP lite https://mikrotik.com/product/RB941-2nD#fndtn-downloads should use: 7.14.3

Screenshot_20240506-084206.png

😂😂😂😂😂😂😂😂😂😂😂😂

Mikrotik should really start to keep their thing clean and streamlined. Everytime when someone runs short of memory or something, there are plenty to find on the forum. Mt reaction: "boooooo user! how can you dare??? Your config is wrong! And didn't you read?? SMIPS with low 32MB ram aren't supposed to use V7!!!!"

"We do not recommend running v7 on hardware that does not have at least 64 MB of RAM."
https://help.mikrotik.com/docs/display/ ... 20of%20RAM.

Then, someone from MT lists V7 as the official and recommended version for download on the HAP lite product page.

pe1chl · Mon May 06, 2024 10:54 am

But if you use it with configurations similar to those from the old RouterOS v6, you will find that over time, memory will leak, and disk space will gradually drop to zero

Once again, and for the final time, "the memory" has NOTHING to do with "the disk space"!
These are two different things. They are in no way related. The memory is the RAM, the disk space is the FLASH.

Sit75 · Mon May 06, 2024 10:56 am

Another 10 MiB of RAM went down the next day. Now I have 71.3 MiB (256 MiB version hAP ac^2) in 7 days and 13 hours of operation.

pe1chl · Mon May 06, 2024 10:58 am

Then, someone from MT lists V7 as the official and recommended version for download on the HAP lite product page.

I agree that this is bad. They should not recommend v7 on devices that cannot run it. Devices like hAP lite even struggle when running later v6 versions, let alone v7.

But I guess it is similar to the performance issue. Performance figures are published for every router, but it never states which RouterOS version was used to obtain them. Performance can be considerably lower with v7, especially on older devices, but there are no warnings or even mentions on that on the product pages.

This certainly can be improved.

DanMos79 · Mon May 06, 2024 12:02 pm

Another 10 MiB of RAM went down the next day. Now I have 71.3 MiB (256 MiB version hAP ac^2) in 7 days and 13 hours of operation.

I have a total of six devices currently installed with ROS 7.14.3 (including three hAP ac² with only 128 MiB RAM running as APs with wifi-qcom-ac driver) and cannot see a memory leak on any of them. Only a small fluctuation in the RAM usage can be seen, but at most +/- 5 MiB (even less on the hAP ac²).

Maybe you can post your complete config?

massinia · Mon May 06, 2024 12:08 pm

@pe1chl @infabo

hAP Lite as AP with Wireguard tunnel active for months, the last reboot was done to update to 7.14.3 🤣

hap lite.jpg

Sorry... end of OT

Ullinator · Mon May 06, 2024 1:56 pm

Then, someone from MT lists V7 as the official and recommended version for download on the HAP lite product page.
I agree that this is bad. They should not recommend v7 on devices that cannot run it. Devices like hAP lite even struggle when running later v6 versions, let alone v7.

But I guess it is similar to the performance issue. Performance figures are published for every router, but it never states which RouterOS version was used to obtain them. Performance can be considerably lower with v7, especially on older devices, but there are no warnings or even mentions on that on the product pages.

This certainly can be improved.

Hmmm,...the alternative would be to declair those devices "End of Live" or "End of Support"...
but would this be the better solution instead of supporting old devices with the newest ROS with concerns?

Mon May 06, 2024 2:05 pm

Hmmm,...the alternative would be to declair those devices "End of Live" or "End of Support"...
but would this be the better solution instead of supporting old devices with the newest ROS with concerns?

One of the things that pushed me into the RouterOS world is the promise of 5 years of support minimum, and much longer in practice. My prior home office core switch was a TPLink PoS that wouldn't even speak to modern SSH clients without forcing use of obsolete ciphersuites, requiring that I either stop using its management functions — treating it like a dumb switch — or put up with known insecure SSH access.

Whatever you may think of MT's release engineering processes, their commitment to putting the latest software on anything that can possibly run it — regardless of how old it is — is thoroughly impressive, especially considering that none of this effort is supported by service contracts.

Name me another commercial competitor that does that, for free. The closest that comes to mind is the likes of pfSense and OpenWRT, where you get that type of backwards compatibility only by exploiting the labor of hobbyist maintainers. Even then, it's spotty as to how far back the support actually goes and how much that underappreciated hobbyist will pay attention when you have a problem.

woland · Mon May 06, 2024 2:16 pm

Hmmm,...the alternative would be to declair those devices "End of Live" or "End of Support"...
but would this be the better solution instead of supporting old devices with the newest ROS with concerns?

One of the best aspects of having MT hardware is it´s longevity! This is what sets them apart from any (?) other vendor. Since 7.14 I am running ROS 7 on my most devices (including HAPmini, HAPac2...), and it works. Yes I have not much space left, and I can´t run containers on them, etc. Who cares? My CAPac installations are for accessing WLAN and have multi SSID/VLAN. I don´t expect same performance and all the new features for the older devices.
I hope however no one will be able to convince MT for providing some ROS Basic without "enterprise" features like for example VLAN, routing, etc. More modularity yes, if possible, but please no RoS light! Sorry for the OT!

pe1chl · Mon May 06, 2024 2:28 pm

I think nobody would group "VLAN" under enterprise features or even features to be excluded from a light version!
To the contrary, I think the omission of VLAN features in the new WiFi driver is a serious omission that should really be fixed.
But a light version to be used on access points or home routers like hAP ac2 or the mini/lite devices could exclude things like MPLS, Autorouting, Proxy server, SMB, Hotspot, CAPSman server, etc.
These are features you do not need in an access point working in bridge mode in cooperation with a more powerful router that would provide those services where required.

Sit75 · Mon May 06, 2024 9:43 pm

Another 10 MiB of RAM went down the next day. Now I have 71.3 MiB (256 MiB version hAP ac^2) in 7 days and 13 hours of operation.

I have a total of six devices currently installed with ROS 7.14.3 (including three hAP ac² with only 128 MiB RAM running as APs with wifi-qcom-ac driver) and cannot see a memory leak on any of them. Only a small fluctuation in the RAM usage can be seen, but at most +/- 5 MiB (even less on the hAP ac²).

Maybe you can post your complete config?

Sure, you can try. It is standard home use AP with pppoe, dual frequency AP (2,4 + 5 GHz), Wireguard, IP4+IP6, DHCP, DNS, IP4 source NAT, standard FW IP4 and IP6 rules and marking traffic for Queue Tree for uplink (fq-codel). That is all.

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mtu=1550 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] rx-flow-control=auto tx-flow-control=auto
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-n .width=20/40mhz-Ce configuration.country=xxxx .mode=ap .multicast-enhance=enabled .qos-classifier=priority .ssid=Net_DSL disabled=no mtu=1500 \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=yes steering.neighbor-group=dynamic-_DSL-xxxx .rrm=yes .wnm=yes
set [ find default-name=wifi2 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=xxxx .mode=ap .multicast-enhance=enabled .qos-classifier=priority .ssid=Net_DSL \
    disabled=no mtu=1500 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=yes steering.neighbor-group=dynamic-_DSL-xxxx .rrm=yes .wnm=yes
/interface wireguard
add comment="WireGuard interface" listen-port=xxxx mtu=1420 name=WireGuard
add comment=back-to-home-vpn listen-port=xxxx mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=ether1 mtu=1520 name=vlan-xxx vlan-id=xxx
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan-xxx name=pppoe-out1 user=xxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=xx.xx.xx.xx-xx.xx.xx.xx
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/queue type
add fq-codel-limit=1024 fq-codel-memlimit=4.0MiB fq-codel-quantum=300 kind=fq-codel name=fq-codel-ethernet-upload
add fq-codel-limit=1024 fq-codel-memlimit=8.0MiB fq-codel-quantum=600 kind=fq-codel name=fq-codel-ethernet-download
/queue tree
add bucket-size=0.01 comment="Upload Link" max-limit=25M name="DSCP->Priority - upload" parent=pppoe-out1 priority=1 queue=fq-codel-ethernet-upload
add comment="DSCP 01-15 (Priority 4)" max-limit=25M name="4. Routine - upload" packet-mark=priority_4 parent="DSCP->Priority - upload" priority=4 queue=fq-codel-ethernet-upload
add comment="DSCP 16-31 (Priority 3)" max-limit=25M name="3. Immedate - upload" packet-mark=priority_3 parent="DSCP->Priority - upload" priority=3 queue=fq-codel-ethernet-upload
add comment="DSCP 32-47 (Priority 2)" max-limit=25M name="2. Critical - upload" packet-mark=priority_2 parent="DSCP->Priority - upload" priority=2 queue=fq-codel-ethernet-upload
add comment="DSCP 48-63 (Priority 1 - Highest)" max-limit=25M name="1. Network Control - upload" packet-mark=priority_1 parent="DSCP->Priority - upload" priority=1 queue=fq-codel-ethernet-upload
add comment="Download Link" max-limit=120M name="Download Link" packet-mark=no-mark parent=bridge priority=3 queue=fq-codel-ethernet-download
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=*7
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge comment=defconf interface=wifi1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
add interface=WireGuard list=LAN
/interface sstp-server server
set ciphers=aes256-sha
/interface wireguard peers
add allowed-address=xx.xx.xx.xx/32,xxxx:xxxx:xxxx:xxxx::xxxx:xxxx/128 comment=Tab1 interface=WireGuard name=peer1 public-key="xxxx"
add allowed-address=xx.xx.xx.xx/32,xxxx:xxxx:xxxx:xxxx::xxxx:xxxx/128 comment=Pho1 interface=WireGuard name=peer2 public-key="xxxx"
add allowed-address=xx.xx.xx.xx/32,xxxx:xxxx:xxxx:xxxx::xxxx:xxxx/128 comment=Tab2 interface=WireGuard name=peer3 public-key="xxxx"
/ip address
add address=xx.xx.xx.xx/24 comment=defconf interface=bridge network=xx.xx.xx.xx
add address=xx.xx.xx.xx/24 interface=WireGuard network=xx.xx.xx.xx
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes vpn-prefer-relay-code=EUR1
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=xx.xx.xx.xx client-id=xx:xx:xx:xx:xx:xx:xx comment="A serv" mac-address=xx:xx:xx:xx:xx:xx server=defconf
add address=xx.xx.xx.xx client-id=xx:xx:xx:xx:xx:xx comment="B serv" mac-address=xx:xx:xx:xx:xx:xx server=defconf
add address=xx.xx.xx.xx client-id=xx:xx:xx:xx:xx:xx comment="C serv" mac-address=xx:xx:xx:xx:xx:xx server=defconf
add address=xx.xx.xx.xx client-id=xx:xx:xx:xx:xx:xx comment="D serv" mac-address=xx:xx:xx:xx:xx:xx server=defconf
/ip dhcp-server network
add address=xx.xx.xx.xx/24 comment=defconf dns-server=xx.xx.xx.xx,xx.xx.xx.xx,xx.xx.xx.xx,xx.xx.xx.xx gateway=xx.xx.xx.xx netmask=24
/ip dns
set allow-remote-requests=yes servers=xx.xx.xx.xx,xx.xx.xx.xx,xx.xx.xx.xx
/ip dns static
add address=xx.xx.xx.xx comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="WireGuard listening" dst-port=xxxx protocol=udp
add action=accept chain=input comment="WireGuard remote LAN" src-address=xx.xx.xx.xx/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-dscp chain=postrouting comment="ACK -> DSCP 34" new-dscp=34 packet-size=0-123 passthrough=yes protocol=tcp tcp-flags=ack
add action=set-priority chain=postrouting comment="Setting priority from DSCP high 3 bits" new-priority=from-dscp-high-3-bits passthrough=yes
add action=mark-packet chain=postrouting comment="DSCP 56-63 Priority 1" new-packet-mark=priority_1 out-interface-list=WAN passthrough=no priority=7
add action=mark-packet chain=postrouting comment="DSCP 48-55 Priority 1" new-packet-mark=priority_1 out-interface-list=WAN passthrough=no priority=6
add action=mark-packet chain=postrouting comment="DSCP 40-47 Priority 2" new-packet-mark=priority_2 out-interface-list=WAN passthrough=no priority=5
add action=mark-packet chain=postrouting comment="DSCP 32-39 Priority 2" new-packet-mark=priority_2 out-interface-list=WAN passthrough=no priority=4
add action=mark-packet chain=postrouting comment="DSCP 24-31 Priority 3" new-packet-mark=priority_3 out-interface-list=WAN passthrough=no priority=3
add action=mark-packet chain=postrouting comment="DSCP 16-23 Priority 3" new-packet-mark=priority_3 out-interface-list=WAN passthrough=no priority=2
add action=mark-packet chain=postrouting comment="DSCP 00 -> Priority 3" dscp=0 new-packet-mark=priority_3 out-interface-list=WAN passthrough=no
add action=mark-packet chain=postrouting comment="DSCP 08-15 Priority 4" new-packet-mark=priority_4 out-interface-list=WAN passthrough=no priority=1
add action=mark-packet chain=postrouting comment="DSCP 01-07 Priority 4" new-packet-mark=priority_4 out-interface-list=WAN passthrough=no priority=0
/ip firewall nat
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface-list=WAN to-addresses=xx.xx.xx.xx
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=xx.xx.xx.xx/24,xx.xx.xx.xx/32
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 address
add from-pool=pool58 interface=bridge
add from-pool=pool58 interface=WireGuard
/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=pool58 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=forward comment="Wireguard IPv6" in-interface=WireGuard out-interface-list=WAN src-address=xxxx:xxxx:xxxx:xxxx::/64
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall mangle
add action=change-dscp chain=postrouting comment="ACK -> DSCP 34" new-dscp=34 packet-size=0-123 passthrough=yes protocol=tcp tcp-flags=ack
add action=set-priority chain=postrouting comment="Setting priority from DSCP high 3 bits" new-priority=from-dscp-high-3-bits passthrough=yes
add action=mark-packet chain=postrouting comment="DSCP 56-63 Priority 1" new-packet-mark=priority_1 out-interface-list=WAN passthrough=no priority=7
add action=mark-packet chain=postrouting comment="DSCP 48-55 Priority 1" new-packet-mark=priority_1 out-interface-list=WAN passthrough=no priority=6
add action=mark-packet chain=postrouting comment="DSCP 40-47 Priority 2" new-packet-mark=priority_2 out-interface-list=WAN passthrough=no priority=5
add action=mark-packet chain=postrouting comment="DSCP 32-39 Priority 2" new-packet-mark=priority_2 out-interface-list=WAN passthrough=no priority=4
add action=mark-packet chain=postrouting comment="DSCP 24-31 Priority 3" new-packet-mark=priority_3 out-interface-list=WAN passthrough=no priority=3
add action=mark-packet chain=postrouting comment="DSCP 16-23 Priority 3" new-packet-mark=priority_3 out-interface-list=WAN passthrough=no priority=2
add action=mark-packet chain=postrouting comment="DSCP 00 -> Priority 3" dscp=0 new-packet-mark=priority_3 out-interface-list=WAN passthrough=no
add action=mark-packet chain=postrouting comment="DSCP 08-15 Priority 4" new-packet-mark=priority_4 out-interface-list=WAN passthrough=no priority=1
add action=mark-packet chain=postrouting comment="DSCP 01-07 Priority 4" new-packet-mark=priority_4 out-interface-list=WAN passthrough=no priority=0
/ipv6 nd
set [ find default=yes ] dns=xxxx:xxxx:xxxx::xxxx,xxxx:xxxx:xxxx:xxxx::xxxx other-configuration=yes
/system clock
set time-zone-name=Europe/Paris
/system leds settings
set all-leds-off=after-1h
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=xx.xx.xx.ntp.org
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Paternot · Mon May 06, 2024 10:39 pm

Hmmm,...the alternative would be to declair those devices "End of Live" or "End of Support"...
but would this be the better solution instead of supporting old devices with the newest ROS with concerns?

They can't do it. They said the devices would be supported by 5 years AFTER stopped being sold. At least it was this way, as far as I can remember.

Or am I getting senile?

codelogic · Mon May 06, 2024 11:09 pm

Hmmm,...the alternative would be to declair those devices "End of Live" or "End of Support"...
but would this be the better solution instead of supporting old devices with the newest ROS with concerns?
They can't do it. They said the devices would be supported by 5 years AFTER stopped being sold. At least it was this way, as far as I can remember.

Or am I getting senile?

You are not getting senile. This is still listed at the bottom of every hardware product page on their site:

"The device has an operating system preinstalled and licensed. No separate purchase is necessary and the product is ready to use. The device includes free software updates for the life of the product or a minimum of 5 years starting from date of purchase.."

biomesh · Tue May 07, 2024 12:27 am

What is "supported" - i.e. software updates for security fixes or software updates for new features and security fixes?

pyfgcrl · Tue May 07, 2024 1:25 am

As mentioned before - please keep this topic related to 7.15 functionality, not anything else. For generic discussions - open new topics, please.

　
Seems like a lot of incredibly off-topic diluting the value of the 7.15 thread. I keep getting notifications, thinking someone has something of value to add about their 7.15rc2 testing and I check in and it's more of this philosophical banter and complaining about memory usage that doesn't seem to be directly related to 7.15.

Don't know why we can't all respect MT support's repeated requests to keep conversation to specifically functionality new/changed in 7.15 so they can work on finalizing a clean release.
　

Please keep RouterOS release topics strictly related to the particular release. These topics are made to make aware users of how a particular update might have changed something. Make as many new topics as you want for anything else or of course the best way - contact support.

Sit75 · Tue May 07, 2024 9:37 am

As mentioned before - please keep this topic related to 7.15 functionality, not anything else. For generic discussions - open new topics, please.
　
Seems like a lot of incredibly off-topic diluting the value of the 7.15 thread. I keep getting notifications, thinking someone has something of value to add about their 7.15rc2 testing and I check in and it's more of this philosophical banter and complaining about memory usage that doesn't seem to be directly related to 7.15.

Don't know why we can't all respect MT support's repeated requests to keep conversation to specifically functionality new/changed in 7.15 so they can work on finalizing a clean release.
　
Please keep RouterOS release topics strictly related to the particular release. These topics are made to make aware users of how a particular update might have changed something. Make as many new topics as you want for anything else or of course the best way - contact support.

A memory leak is definitely not a "philosophical banter". It is related to the 7.15 release (and possibly the entire 7.x branch). If there is an "elephant in the room" and we don't want to talk about it, we have a much bigger problem. Sorry.

Anyway, the real facts about the 7.15rc2 release in my case. Operating time 8 days 11 hours, remaining free RAM memory 65.1 MiB. Free memory reduction during this time is >85 MiB RAM. Still continues around the 10-8 MiB/day decline.

infabo · Tue May 07, 2024 12:16 pm

@Sit75 Memory leak also on 7.14.3? If yes -> not strictly related to 7.15 and open separate topic and/or support ticket. If no -> keep us updated as it is related to 7.15.

PS: remove this line from your config

add bridge=bridge comment=defconf interface=*7