does this mean that if the free memory is less than 256 megabytes, the router will crash with "out of memory"?
*) x86/chr - improved panic saving (increased minimal RAM requirements to 256MB);
Your URL has two // in it.
Since today I get this error:
:local changelog ([/tool fetch "https://upgrade.mikrotik.com//routeros/NEWESTa7.stable" as-value output=user] -> "data");
Download from upgrade.mikrotik.com FAILED: Fetch failed with status 403
Updating an entire fleet of routers within 2 hours after release of a .0 release?
Exciting release packed with updates and bug fixes. My whole fleet of routers (30+, various architectures) updated successfully, and good to see over 700kb of free space on my hAP ac2 (from around 300kb on 7.14.3)
Good job dev team :D
It appears that the default /ip/firewall/connection/tracking udp-timeout has changed from 10s to 30s but I do not see that in the changelog.
What's new in 7.14 (2024-Feb-29 09:10):
*) firewall - increased default "udp-timeout" value from 10s to 30s;
That's Sir James Fragtion to you Sir. He likes living dangerously! :-)
Updating an entire fleet of routers within 2 hours after release of a .0 release?
Exciting release packed with updates and bug fixes. My whole fleet of routers (30+, various architectures) updated successfully, and good to see over 700kb of free space on my hAP ac2 (from around 300kb on 7.14.3)
Good job dev team :D
I hope it is a test network...
Me too, me too....
Disappointed not to see a router fix for wireguard coming in on WAN2 when WAN2 is secondary WAN and mangling this traffic does not work.
It's not about syntax errors, but runtime errors. Probably your script is accessing a configuration item that does not exist. You need to debug that, one way or another. I have to admit that it is not that easy with RouterOS sometimes.
@eworm - You are probably right, but how to find where is the specific syntax error, to be able to fix it. Scripts do all what is required and only say check manually :-)
Important is that scripts are working. Will fight with syntax to tune them later :-)
It's not about syntax errors, but runtime errors. Probably your script is accessing a configuration item that does not exist. You need to debug that, one way or another. I have to admit that it is not that easy with RouterOS sometimes.
@eworm - You are probably right, but how to find where is the specific syntax error, to be able to fix it. Scripts do all what is required and only say check manually :-)
Always read the release notes before you install!
woooa
CHR, 7.14.3 -> 7.15
free memory decreased significantly
Probably cause of:
woooa
CHR, 7.14.3 -> 7.15
free memory decreased significantly
*) x86/chr - improved panic saving (increased minimal RAM requirements to 256MB);
I doubt this is the reason. you pasted two disabled Access List rules.....
hAP ax2 7.15 don't work Access List - this rule don’t work:
After update to 7.15 no one can connect via WiFi
/interface wifi access-list
add action=accept allow-signal-out-of-range=always disabled=yes signal-range=-75..0
add action=reject disabled=yes
@Evgeniy29
viewtopic.php?t=206877#p1075214
viewtopic.php?t=206877&start=300#p1077122
This problem was still in beta version
Use CLI ... navigate to scripts and then "print" them and the error would be highlighted/reported in terminal ... strange syntax checking but better that than nothing
@eworm - You are probably right, but how to find where is the specific syntax error, to be able to fix it. Scripts do all what is required and only say check manually :)
*) ptp - added PTP support for CCR2116 device;
[admin@ccr2116] > /system/ptp
bad command name ptp (line 1 column 9)
[admin@ccr2116] > /system/routerboard/print
routerboard: yes
model: CCR2116-12G-4S+
serial-number: ***********
firmware-type: al64v3
factory-firmware: 7.8
current-firmware: 7.15
upgrade-firmware: 7.15
[admin@ccr2116] > /system/package/print proplist=name,version where name=routeros
Columns: NAME, VERSION
# NAME VERSION
5 routeros 7.15
another one:
@Evgeniy29
viewtopic.php?t=206877#p1075214
viewtopic.php?t=206877&start=300#p1077122
This problem was still in beta version
Hap ax3
AX HW or older ARM AC with wave2 drivers?
When you are not distributing 127.0.0.1, you should have written that.
??? How not distributing 127.0.0.1 address is "stripping functionality"? It does not even make sense to distribute 127.0.0.1, it is called "localhost" for a reason.
*) route - do not redistribute 127.0.0.1 as connected route;
247 listed. Exactly the same as in 7.14 ;)
After Long Wait ROS v7.15 with huge change log is here
{:return ""}
:do {:return ""} on-error={:put error}
as others have said, if the changelog entry really means "we won't redistribute 127.0.0.1 as a connected route" then the changelog needs to say specifically that, because now that you have the loopback interface type, "loopback address" is extremely ambiguous!
??? How not distributing 127.0.0.1 address is "stripping functionality"? It does not even make sense to distribute 127.0.0.1, it is called "localhost" for a reason.
Seriously, guys, cut them a little slack. Google "Loopback address" and >90% of the results refer to 127.0.0.1 (and a couple to ::1). You'll note that the terse changelog entry said "loopback address" singular, as in the loopback address. It didn't say "loopback interface" or "loopback addresses" or "addresses assigned to loopback."
as others have said, if the changelog entry really means "we won't redistribute 127.0.0.1 as a connected route" then the changelog needs to say specifically that, because now that you have the loopback interface type, "loopback address" is extremely ambiguous!
??? How not distributing 127.0.0.1 address is "stripping functionality"? It does not even make sense to distribute 127.0.0.1, it is called "localhost" for a reason.
Here is one example why I do wait some weeks before upgrade more than some test devices
Updating an entire fleet of routers within 2 hours after release of a .0 release?
Exciting release packed with updates and bug fixes. My whole fleet of routers (30+, various architectures) updated successfully, and good to see over 700kb of free space on my hAP ac2 (from around 300kb on 7.14.3)
Good job dev team :D
I hope it is a test network...
This is far from the first time some are broken on the first releases of new version.
The issue with wifi access-list or in other words, wrong signal levels recognized at the beginning of wifi client connection, has been reproduced, and we will solve it as soon as possible. We are very sorry for any inconvenience caused.
What about ::1 ?
@loloski
just 127.0.0.1
Well, generally that is what is referred to as "the loopback address".
Seriously, guys, cut them a little slack. Google "Loopback address" and >90% of the results refer to 127.0.0.1 (and a couple to ::1).
# 2024-05-31 10:16:46 by RouterOS 7.15
# software id = UGTZ-ZKF4
#
08:50:35 wireless,info 88:57:1D:4C:9A:B1@A6-CAPax--KG-FL--2-GHz-6 connected, signal strength -47
08:50:35 dhcp,info dhcp-VLAN32 assigned 10.18.32.51 for 88:57:1D:4C:9A:B1 Samsung-Washer
08:50:35 script,info DHCP2DNS: registering static domain name Waschmaschine-Samsung-KG-Kueche.32.hnet for address 10.18.32.51 with ttl 00:05:00
08:50:35 system,info static dns entry added by script:dhcp-lease-script (*30BE3 = /ip dns static add address=10.18.32.51 comment=#DHCP disabled=no name=Waschmaschine-Samsung-KG-Kueche.32.hnet ttl=5m)
08:50:37 wireless,info 88:57:1D:4C:9A:B1@A6-CAPax--KG-FL--2-GHz-6 disconnected, connection lost, signal strength -47
08:50:40 wireless,info 88:57:1D:4C:9A:B1@A6-CAPax--KG-FL--2-GHz-6 connected, signal strength -48
08:50:40 dhcp,info dhcp-VLAN32 deassigned 10.18.32.51 for 88:57:1D:4C:9A:B1 Samsung-Washer
08:50:40 script,info DHCP2DNS: removing static domain name(s) for address 10.18.32.51
08:50:40 system,info static dns entry removed by script:dhcp-lease-script/action:5804 (/ip dns static remove *30BE3)
08:50:40 dhcp,info dhcp-VLAN32 assigned 10.18.32.51 for 88:57:1D:4C:9A:B1 Samsung-Washer
08:50:40 script,info DHCP2DNS: registering static domain name Waschmaschine-Samsung-KG-Kueche.32.hnet for address 10.18.32.51 with ttl 00:05:00
08:50:40 system,info static dns entry added by script:dhcp-lease-script (*30BE4 = /ip dns static add address=10.18.32.51 comment=#DHCP disabled=no name=Waschmaschine-Samsung-KG-Kueche.32.hnet ttl=5m)
08:50:42 wireless,info 88:57:1D:4C:9A:B1@A6-CAPax--KG-FL--2-GHz-6 disconnected, connection lost, signal strength -48
08:50:46 wireless,info 88:57:1D:4C:9A:B1@A6-CAPax--KG-FL--2-GHz-6 connected, signal strength -48
08:50:46 dhcp,info dhcp-VLAN32 deassigned 10.18.32.51 for 88:57:1D:4C:9A:B1 Samsung-Washer
08:50:46 script,info DHCP2DNS: removing static domain name(s) for address 10.18.32.51
08:50:46 system,info static dns entry removed by script:dhcp-lease-script/action:5805 (/ip dns static remove *30BE4)
08:50:46 dhcp,info dhcp-VLAN32 assigned 10.18.32.51 for 88:57:1D:4C:9A:B1 Samsung-Washer
08:50:46 script,info DHCP2DNS: registering static domain name Waschmaschine-Samsung-KG-Kueche.32.hnet for address 10.18.32.51 with ttl 00:05:00
08:50:46 system,info static dns entry added by script:dhcp-lease-script (*30BE5 = /ip dns static add address=10.18.32.51 comment=#DHCP disabled=no name=Waschmaschine-Samsung-KG-Kueche.32.hnet ttl=5m)
08:50:48 wireless,info 88:57:1D:4C:9A:B1@A6-CAPax--KG-FL--2-GHz-6 disconnected, connection lost, signal strength -47
08:50:52 wireless,info 88:57:1D:4C:9A:B1@A6-CAPax--KG-FL--2-GHz-6 connected, signal strength -47
08:50:53 dhcp,info dhcp-VLAN32 deassigned 10.18.32.51 for 88:57:1D:4C:9A:B1 Samsung-Washer
08:50:53 script,info DHCP2DNS: removing static domain name(s) for address 10.18.32.51
08:50:53 system,info static dns entry removed by script:dhcp-lease-script/action:5806 (/ip dns static remove *30BE5)
08:50:53 dhcp,info dhcp-VLAN32 assigned 10.18.32.51 for 88:57:1D:4C:9A:B1 Samsung-Washer
08:50:53 script,info DHCP2DNS: registering static domain name Waschmaschine-Samsung-KG-Kueche.32.hnet for address 10.18.32.51 with ttl 00:05:00
08:50:53 system,info static dns entry added by script:dhcp-lease-script (*30BE6 = /ip dns static add address=10.18.32.51 comment=#DHCP disabled=no name=Waschmaschine-Samsung-KG-Kueche.32.hnet ttl=5m)
08:50:55 wireless,info 88:57:1D:4C:9A:B1@A6-CAPax--KG-FL--2-GHz-6 disconnected, connection lost, signal strength -49
08:50:59 wireless,info 88:57:1D:4C:9A:B1@A6-CAPax--KG-FL--2-GHz-6 connected, signal strength -46
08:50:59 dhcp,info dhcp-VLAN32 deassigned 10.18.32.51 for 88:57:1D:4C:9A:B1 Samsung-Washer
08:50:59 script,info DHCP2DNS: removing static domain name(s) for address 10.18.32.51
08:50:59 system,info static dns entry removed by script:dhcp-lease-script/action:5807 (/ip dns static remove *30BE6)
08:50:59 dhcp,info dhcp-VLAN32 assigned 10.18.32.51 for 88:57:1D:4C:9A:B1 Samsung-Washer
08:50:59 script,info DHCP2DNS: registering static domain name Waschmaschine-Samsung-KG-Kueche.32.hnet for address 10.18.32.51 with ttl 00:05:00
08:50:59 system,info static dns entry added by script:dhcp-lease-script (*30BE7 = /ip dns static add address=10.18.32.51 comment=#DHCP disabled=no name=Waschmaschine-Samsung-KG-Kueche.32.hnet ttl=5m)
The signal range does nothing, as you allow it "ALWAYS" to be out of range. So whatever the signal range is, this rule will work...
I turned them off so that wifi would work
08:87:C7:54:87:F8@wifi1 associated, signal strength 37
08:87:C7:54:87:F8@wifi1 connected, signal strength 37
1C:57:DC:6C:C6:BA@wifi1 associated, signal strength 59
1C:57:DC:6C:C6:BA@wifi1 connected, signal strength 59
in the log the signal strength is greater than zero, but should be less.
I doubt this is the reason. you pasted two disabled Access List rules.....
A similar change is needed for the "Tx Power" column, currently there are two columns with the same name which results in empty data if you reopen the WiFi window.
*) winbox - renamed "Channel" column to "Current Channel" under "Wifi" menu;
There are many such cases in RouterOS/Winbox! There really should be someone who walks along all property lists and weeds them out.
A similar change is needed for the "Tx Power" column, currently there are two columns with the same name which results in empty data if you reopen the WiFi window.
*) winbox - renamed "Channel" column to "Current Channel" under "Wifi" menu;
Turn off fast roaming support... that usually fixes connection problems for old or simple devices.
But one device (a Samsung washer) cannot log into the WIFI network. It couldn't do that in any of the older versions either.
Is there anything you can do about it?
The Big OISD recommended list consumes ~ 31 MB of ram.
I did play around with Adlist a bit but, if what I've read is correct, it doesn't work when DoH is enabled and it also consumes a lot of RAM.
[johann@hap1] > :put [:resolve ipv4.ipv64.net]
144.76.85.238
[johann@hap1] > :put [:resolve ipv6.ipv64.net]
2a01:4f8:192:1326::bad:c0de
[johann@hap1] > ping ipv4.ipv64.net
SEQ HOST SIZE TTL TIME STATUS
0 144.76.85.238 56 56 72ms269us
1 144.76.85.238 56 56 72ms587us
2 144.76.85.238 56 56 72ms662us
sent=3 received=3 packet-loss=0% min-rtt=72ms269us avg-rtt=72ms506us max-rtt=72ms662us
[johann@hap1] > ping 2a01:4f8:192:1326::bad:c0de
SEQ HOST SIZE TTL TIME STATUS
0 2a01:4f8:192:1326::bad:c0de 56 58 17ms516us echo reply
1 2a01:4f8:192:1326::bad:c0de 56 58 17ms93us echo reply
2 2a01:4f8:192:1326::bad:c0de 56 58 17ms252us echo reply
sent=3 received=3 packet-loss=0% min-rtt=17ms93us avg-rtt=17ms287us max-rtt=17ms516us
[johann@hap1] > ping ipv6.ipv64.net
invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
failure: dns name exists, but no appropriate record
[johann@hap1] >
Does this include fix to SUP-146116 (RB5009 crashes when accessing SMB share)?
*) smb - do not allow setting empty "comment" or "domain" properties;
Setting signal-range=-75..120 should solve the problem
hAP ax2 7.15 don't work Access List - this rule don’t work:
/interface wifi access-list
add action=accept allow-signal-out-of-range=always signal-range=-75..0
add action=reject
After update to 7.15 no one can connect via WiFi
I am surprised that people do not have that already. In the manual it says that the default range is -120..120 so I would expect that one starts from there.
Setting signal-range=-75..120 should solve the problem
--> So ROS will run on Raspberry Pi? That would be nice :)
!) system - added support for AMPERE (R) and ARM64 CHR installations (new ARM64 CHR image available);
/interface ethernet switch rule
add dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=sfp-8 switch=switch1
interface/ethernet/switch/set qos-hw-offloading=no switch1
As long as your R Pi runs a hypervisor (CHRs run as virtual machines, not on bare metal).
--> So ROS will run on Raspberry Pi? That would be nice :)
!) system - added support for AMPERE (R) and ARM64 CHR installations (new ARM64 CHR image available);
Hello pe1chl,
Turn off fast roaming support... that usually fixes connection problems for old or simple devices.
You can create another SSID for only those devices and leave fast roaming on the primary network.
I have the same device and that's why I checked specifically; I haven't seen any port failure for about 18 hours.
RB4011iGS+ seems to shut ethernet ports randomly.
Does it also mean ZeroTier finally comes to CHR? Has anybody tried to install zerotier.npk on ARM64 CHR?
--> So ROS will run on Raspberry Pi? That would be nice :)
!) system - added support for AMPERE (R) and ARM64 CHR installations (new ARM64 CHR image available);
If you want to reject connections when signal level is under -75 dBm, then only one rule should be needed which rejects signals in range -120..-75. Anything not matching the rule would be accepted.
Setting signal-range=-75..120 should solve the problem
hAP ax2 7.15 don't work Access List - this rule don’t work:
/interface wifi access-list
add action=accept allow-signal-out-of-range=always signal-range=-75..0
add action=reject
After update to 7.15 no one can connect via WiFi
signal-range=-120..-75 allow-signal-out-of-range=10s ssid-regexp="" action=reject
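The access-list behaviour discussed in the posts above, as an added example that is not part of the thread and not MikroTik code: a small Python model of first-match rule evaluation at association time, run against the positive signal readings (37, 59) that 7.15 logged. It assumes inclusive range bounds and ignores `allow-signal-out-of-range`, treating it as relevant only to clients that are already connected; the -120..120 default range and accept-when-nothing-matches come from the posts.

```python
"""Model of /interface wifi access-list matching at association time.

Added illustration, not MikroTik code. Assumptions: rules are checked top to
bottom, the first rule whose signal-range contains the reported signal decides,
bounds are inclusive, and allow-signal-out-of-range is ignored because it is
taken to concern only clients that are already connected.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_RANGE = (-120, 120)  # default signal-range as quoted from the manual in the thread
DEFAULT_ACTION = "accept"    # "anything not matching the rule would be accepted"


@dataclass(frozen=True)
class Rule:
    action: str                                   # "accept" or "reject"
    signal_range: Tuple[int, int] = DEFAULT_RANGE  # (low, high) in dBm

    def matches(self, signal_dbm: int) -> bool:
        low, high = self.signal_range
        return low <= signal_dbm <= high


def decide(rules: List[Rule], signal_dbm: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule), index None for the default."""
    for index, rule in enumerate(rules):
        if rule.matches(signal_dbm):
            return rule.action, index
    return DEFAULT_ACTION, None


# The three rule sets that appear in the thread.
RULESETS: Dict[str, List[Rule]] = {
    # accept -75..0, then reject everything else
    "original": [Rule("accept", (-75, 0)), Rule("reject")],
    # suggested workaround: widen the accept range to -75..120
    "workaround": [Rule("accept", (-75, 120)), Rule("reject")],
    # alternative: a single reject rule for -120..-75
    "single_reject": [Rule("reject", (-120, -75))],
}

# Constructed sample: 37 and 59 are the positive values from the 7.15 log in
# the thread; -47 and -80 stand for a nearby client and a weak client.
SIGNALS = [37, 59, -47, -80]


def rejected(name: str) -> List[int]:
    """Signals from SIGNALS that the named rule set refuses."""
    return [s for s in SIGNALS if decide(RULESETS[name], s)[0] == "reject"]


if __name__ == "__main__":
    for name, rules in RULESETS.items():
        for signal in SIGNALS:
            action, index = decide(rules, signal)
            via = "default" if index is None else f"rule {index}"
            print(f"{name:14} signal={signal:5} -> {action} ({via})")
```

With the misreported positive values the original rule set refuses every client, which matches the "no one can connect" report, while both alternatives still refuse only the weak client.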
Same here, but not consistently each time it runs, just occasionally.
CCR1009 RoS v 7.15 stable
All my scripts shown below run without error when launched from scripts or CLI or from scheduler under RoS 7.14.2
Under RoS 7.15 if they are launched from scheduler I get an error in log to check manually … when run from scripts or CLI no issue
We had to disable MPLS on all our 2216 because of substantial packet drops on 7.14.3. The VPLS tunnels were running but unusable due to packet loss, which was also present in packets routed on the core network. We are still investigating, cause the issue is present only on 2216. There has been no reply from support yet.
I try today v7.15 on 3 different 4011.
VPLS vs 7.14 2216 doesn't go running.
After downgrade it to 7.14 interface goes up with no configuration change.
Anyone noticed this issue?
Disappointed too, tried mangling and route rules, all goes back to main route table, hope to see this in the next release!
Disappointed not to see a router fix for wireguard coming in on WAN2 when WAN2 is secondary WAN and mangling this traffic does not work.
Upgraded a pair of RB4011 here, selected as one is original and other is a rev2. Ethernet ports stable for 24 hours - early days. Will keep monitoring ...
RB4011iGS+ seems to shut ethernet ports randomly.
...
I did, only issue I have so far is this. I'm still using legacy wireless package since I was unable to install combination of wifi-qcom-ac with containers and larger custom config on 16MB device. Now I noticed that some space is freed (approx. 450KiB free before, now 1040 KiB) and maybe wifi-qcom-ac will fit now, will try it when I find time.
Any chateau LTE 12 users with 16Mb flash upgraded to this release?
I also noticed that there's a firmware upgrade for RG502Q-EA. From RG502QEAAAR13A03M4G_02.001.02.001 to RG502QEAAAR13A03M4G_02.002.02.002
There seems to be stability issues with Chateau 5G after modem firmware and ROS upgrade.
https://upgrade.mikrotik.com/firmware/R ... .001/image
Anyone has a link for the previous firmware version RG502QEAAAR13A03M4G_02.001.02.001 so I can downgrade?
Thanks!
https://upgrade.mikrotik.com/firmware/R ... .001/image
Anyone has a link for the previous firmware version RG502QEAAAR13A03M4G_02.001.02.001 so I can downgrade?
Double check if RG502Q-EA is correct modem model on your device.
Small memory leak update. The kernel crashed apparently out of memory with the autosupout.rif file generated. I uploaded it to an existing open ticket SUP-147911. I hope Mikrotik engineers find the cause and fix it.
Did you fix the memory leak issue in 7.15 final? I'm still running 7.15RC3 to prove to this forum that RouterOS 7.x has a SERIOUS memory problem for the non-believers. Now after about 18 days I only have 15.8 MiB memory free (from 256 MiB). And the memory constantly and regularly decreases.
Do show us how you did it, I'll try it out on 7.15 too to see if it works the same
#anav, #narapon, #Guscht, I'm also waiting for this fix.
In the meantime I'm using workaround to force wireguard traffic getting response from WAN2 if it was initially sent to WAN2. So you can say that there is a way to get properly working wireguard with two WANs which allows some users be connected to wan1 and some to wan2 in same time. It's done by mangle rules with little trick/hack. Tested on ROS 7.12 and below, gonna test it next week on 7.15, I'm almost sure it's still gonna work.
Unfortunately I cannot get it to downgrade.
https://upgrade.mikrotik.com/firmware/R ... .001/image
Anyone has a link for the previous firmware version RG502QEAAAR13A03M4G_02.001.02.001 so I can downgrade?
Double check if RG502Q-EA is correct modem model on your device.
> /interface/lte/firmware-upgrade lte1 upgrade=yes firmware-file="https://upgrade.mikrotik.com/firmware/RG502Q-EA/RG502QEAAAR13A03M4G_02.001.02.001/image"
status: firmware timeout
Did you try download image with fetch and set image filename for firmware-file instead url?
Unfortunately I cannot get it to downgrade.
It downloads the firmware, it starts installing it and then the interface goes in invalid state and it never recovers. After a reboot the newest firmware is still installed.
thanks eworm for this pointer, was facing those errors popping up since 7.15 upgrade.
It's not about syntax errors, but runtime errors. Probably your script is accessing a configuration item that does not exist. You need to debug that, one way or another. I have to admit that it is not that easy with RouterOS sometimes.
@eworm - You are probably right, but how to find where is the specific syntax error, to be able to fix it. Scripts do all what is required and only say check manually :-)
I upgraded to this modem version with my chateau 5g and use three UK, aggregates b1 + b3 +n78@100mhz +n78@40mhz. Still on 7.13.5, I've not upgraded to 7.15 yet, waiting for other with 16mb flash devices to go first.
I also noticed that there's a firmware upgrade for RG502Q-EA. From RG502QEAAAR13A03M4G_02.001.02.001 to RG502QEAAAR13A03M4G_02.002.02.002
There seems to be stability issues with Chateau 5G after modem firmware and ROS upgrade.
No mention in the changelog as always, I haven't upgraded yet.
[admin@JacoCoelhoAdv] > /system/resource/print
[ .... ]
version: 7.15 (stable)
[ .... ]
[admin@JacoCoelhoAdv] > /file print where name~"skins"
# NAME TYPE SIZE CREATION-TIME
20 flash/skins directory 2024-06-02 10:52:13
23 flash/skins/wifiquefunciona7.json .json file 3770 2024-06-02 10:57:15
....
[admin@JacoCoelhoAdv] > /user group set full skin=wifiquefunciona7
input does not match any value of skin
[admin@JacoCoelhoAdv] >
Very true, RouterOS is lacking a lot of control structures in scripting. A proper exit command (without error!) comes to mind, elif (as a step between if and else), and possibly most important continue (or next) and break (or last or whatever) in loops.
on my end it's because some of my scripts were testing conditions (with 'if') and if condition met, then would quit the script by calling ':error'
This was to avoid many nested if: instead of nesting if conditions to execute the desired code (and many tabs), I prefixed the desired code with exit conditions.
With 7.15, using ':error' or ':quit' in a script run with scheduler triggers this log warning.
I wish routerOS would have a simple break command in a script that we can call without triggering an error
What is the meaning of this rule?
Setting signal-range=-75..120 should solve the problem
I am growing doubtful of raising of SUP-xxx resulting in material change, as there's countless raised SUP-xxx which failed to bring routerOS on par with linux-based counterparts:
Very true, RouterOS is lacking a lot of control structures in scripting. A proper exit command (without error!) comes to mind, elif (as a step between if and else), and possibly most important continue (or next) and break (or last or whatever) in loops.
on my end it's because some of my scripts were testing conditions (with 'if') and if condition met, then would quit the script by calling ':error'
This was to avoid many nested if: instead of nesting if conditions to execute the desired code (and many tabs), I prefixed the desired code with exit conditions.
With 7.15, using ':error' or ':quit' in a script run with scheduler triggers this log warning.
I wish routerOS would have a simple break command in a script that we can call without triggering an error
I have a long standing issue on this topic (SUP-112102). Please open your own, the more the better.
And this is why I'm still on 7.13 :(
P.S. After updating to 7.15 (hAP ax3), my Wi-Fi started to drop out randomly.
I may have some to do with this:
MQTT no longer works after upgrade to 7.15
same for AX2
P.S. After updating to 7.15 (hAP ax3), my Wi-Fi started to drop out randomly.
Ax3, ax2, ax lite ... no issues here. Nada.
same for AX2
P.S. After updating to 7.15 (hAP ax3), my Wi-Fi started to drop out randomly.
Because no one step forward and take a bullet first even stable releases. Just think about why.
I wish more people would test during the beta/rc periods with their nuanced setups. I mean if you are willing to upgrade to stable and encounter issues there what's the difference between that and upgrading to beta or rc (beta/rc has never bricked a router from my experience)?
Ax3, have problem wi-fi, always disconnected
Ax3, ax2, ax lite ... no issues here. Nada.
Please open a support ticket and include a supout file from the device.
When I cast a movie from my smartphone to my TV via Chromecast, in a few seconds (no more than 10–20 seconds) all the WiFi devices in the house get disconnected. I mean all of them, 2 phones, 1 laptop and Chromecast itself.
Please open a support ticket and include a supout file from the device.
Ax3, have problem wi-fi, always disconnected
Tested mosquitto and AWS and both brokers work on 7.15. Please send us a rif file via a ticket:
MQTT no longer works after upgrade to 7.15
Same as above, please send us a rif file via the ticket system:
Disappointed IOT does not get connection to the internet and when I downgrade to 7.14.3 connected again to the internet
They do not receive messages sent to the topic that they are subscribed to. Tried on 2116 and knot with same result. Back to 7.14.3 they work normally. Sending some rifs to support.
Tested mosquitto and AWS and both brokers work on 7.15. Please send us a rif file via a ticket:
MQTT no longer works after upgrade to 7.15
https://mikrotik.com/support
The devices are located on the same floor at a distance of 5-8 meters and almost on a straight side.
ax^3 works fine, single disconnections I see in the logs is related to the device which is the 5 floors away and signal is -86/-90 - so, it is expected.
Can you share your config (if you haven't done already), @VadiKO?
# 2024-06-03 09:12:51 by RouterOS 7.15
# software id = 1N2D-52R9
# model = C53UiG+5HPaxD2HPaxD
# serial number = HExxxxxADQ
/interface bridge add name=bridge1 port-cost-mode=short
/interface bridge add arp=reply-only comment="for shop" name=bridge_for_shop port-cost-mode=short
/interface wifi set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=disabled .width=20mhz configuration.country="United States" .mode=ap .ssid=AirPortExtreme mtu=1500 security.authentication-types=wpa2-psk,wpa3-psk .wps=disable
/interface wireguard add disabled=yes listen-port=51820 mtu=1420 name=wireguard2
/interface wireguard add listen-port=51830 mtu=1420 name=wireguard_contabo
/interface list add name=LAN
/interface list add name=WAN
/interface wifi security add authentication-types=wpa2-psk comment="for shop" disabled=no name=for_shop
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk comment="for 5G" disabled=no name=for5G wps=disable
/interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180,5260,5500 .skip-dfs-channels=disabled .width=20/40/80mhz configuration.country="United States" .mode=ap .ssid=MikroTik disabled=no mtu=1500 security=for5G
/interface wifi add configuration.mode=ap .ssid=for_shop mac-address=4A:A9:8A:49:5C:D8 master-interface=wifi2 mtu=1500 name=wifi3_virtual security=for_shop security.encryption=ccmp
/ip pool add comment=my name=pool1 ranges=192.168.1.2-192.168.1.254
/ip pool add comment="for shop" name=pool_for_shop ranges=10.10.10.2-10.10.10.254
/ip dhcp-server add address-pool=pool1 comment=my interface=bridge1 lease-time=1d name=dhcp_my
/ip dhcp-server add add-arp=yes address-pool=pool_for_shop comment="for shop" interface=bridge_for_shop lease-time=12h name=dhcp_fro_shop
/ip smb users set [ find default=yes ] disabled=yes
/routing table add comment=wg disabled=no fib name=wg_mark
/interface bridge port add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 interface=wifi1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 interface=wifi2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge_for_shop comment="for shop" interface=wifi3_virtual internal-path-cost=10 path-cost=10
/ip firewall connection tracking set udp-timeout=10s
/ip neighbor discovery-settings set discover-interface-list=LAN
/ipv6 settings set max-neighbor-entries=15360
/interface detect-internet set detect-interface-list=WAN
/interface list member add interface=bridge1 list=LAN
/interface list member add interface=ether5 list=WAN
/interface list member add comment=wg2 interface=wireguard2 list=WAN
/interface list member add comment=wgcontabo interface=wireguard_contabo list=WAN
/interface wifi access-list add action=accept allow-signal-out-of-range=always disabled=yes signal-range=-95..120
/interface wifi access-list add action=reject disabled=yes
/interface wireguard peers add allowed-address=0.0.0.0/0 disabled=yes endpoint-address=185.xx.xx.142 endpoint-port=51820 interface=wireguard2 name=peer1 persistent-keepalive=10s preshared-key="DC/FSg/dFHC8stXdtixxxxteniF6rtYow=" public-key="hT6d1boflhSvG07x+xxxxx//x+lk/IgxAIjc="
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=85.xx.xx.14 endpoint-port=51830 interface=wireguard_contabo name=peer2 persistent-keepalive=20s public-key="SHtmJXzPTxocONGuxxxxxrBQGTmi1fULsIkw="
/ip address add address=192.168.1.1/24 comment=local interface=bridge1 network=192.168.1.0
/ip address add address=193.xx.xx.160/24 comment=net-city interface=ether5 network=193.xx.xx.0
/ip address add address=10.167.51.3/24 comment=wg2 disabled=yes interface=wireguard2 network=10.167.51.0
/ip address add address=10.10.10.1/24 comment="for shop" interface=bridge_for_shop network=10.10.10.0
/ip address add address=10.100.10.2/24 comment=wgcontabo interface=wireguard_contabo network=10.100.10.0
/ip arp add address=192.168.1.3 comment=ergo interface=bridge1 mac-address=C6:7B:F2:30:F3:BB
/ip dhcp-server lease add address=192.168.1.252 client-id=1:3c:15:c2:c5:95:98 comment=mac mac-address=3C:15:C2:C5:95:98 server=dhcp_my
/ip dhcp-server lease add address=192.168.1.66 comment="terneo 1" mac-address=CC:50:E3:27:3A:96 server=dhcp_my
/ip dhcp-server lease add address=192.168.1.62 client-id=1:30:1b:97:32:4e:d comment=hikvision mac-address=30:1B:97:32:4E:0D server=dhcp_my
/ip dhcp-server lease add address=192.168.1.61 comment="terneo 2" mac-address=CC:50:E3:C5:93:D8 server=dhcp_my
/ip dhcp-server lease add address=192.168.1.58 client-id=1:30:1b:97:2c:aa:90 comment="hikvision pvr" mac-address=30:1B:97:2C:AA:90 server=dhcp_my
/ip dhcp-server lease add address=192.168.1.56 client-id=1:30:95:87:e0:39:4a comment=.onn mac-address=30:95:87:E0:39:4A server=dhcp_my
/ip dhcp-server lease add address=192.168.1.55 client-id=1:0:3:43:80:2:35 comment=KM1 mac-address=00:03:43:80:02:35 server=dhcp_my
/ip dhcp-server lease add address=192.168.1.54 client-id=1:10:2c:6b:c2:50:25 comment=KM6 mac-address=10:2C:6B:C2:50:25 server=dhcp_my
/ip dhcp-server lease add address=192.168.1.67 client-id=1:f4:a4:75:87:50:5f comment=T1000 mac-address=F4:A4:75:87:50:5F server=dhcp_my
/ip dhcp-server lease add address=192.168.1.9 client-id=1:4a:eb:c0:bf:a8:a0 comment=ergo mac-address=4A:EB:C0:BF:A8:A0 server=dhcp_my
/ip dhcp-server lease add address=192.168.1.8 client-id=1:b8:9a:2a:d:27:c1 comment=yepo mac-address=B8:9A:2A:0D:27:C1 server=dhcp_my
/ip dhcp-server lease add address=10.10.10.3 client-id=1:e0:3f:49:28:7b:88 comment=68u mac-address=E0:3F:49:28:7B:88 server=dhcp_fro_shop
/ip dhcp-server lease add address=192.168.1.29 client-id=1:30:b1:b5:4d:90:4 comment=LG mac-address=30:B1:B5:4D:90:04 server=dhcp_my
/ip dhcp-server lease add address=192.168.1.7 client-id=1:4e:88:97:2e:72:ed comment=ergo mac-address=4E:88:97:2E:72:ED server=dhcp_my
/ip dhcp-server lease add address=192.168.1.10 client-id=1:78:8a:86:4a:c6:e1 comment=philips_NEW mac-address=78:8A:86:4A:C6:E1 server=dhcp_my
/ip dhcp-server network add address=10.10.10.0/24 dns-server=94.140.15.15,94.140.14.14 gateway=10.10.10.1
/ip dhcp-server network add address=192.168.1.0/24 dns-server=94.140.15.15,94.140.14.14 gateway=192.168.1.1 netmask=24
/ip dns set allow-remote-requests=yes cache-size=4096KiB servers=94.140.15.15,94.140.14.14
/ip firewall address-list add address=192.168.1.252 comment=mac list=full_wg
/ip firewall address-list add address=192.168.1.67 comment=pc list=full_wg
/ip firewall address-list add address=192.168.1.54 comment=KM6 list=full_wg
/ip firewall address-list add address=192.168.1.55 comment=KM1 list=full_wg
/ip firewall address-list add address=192.168.1.56 comment=.onn list=full_wg
/ip firewall address-list add address=192.168.1.46 comment="my pc" disabled=yes list=full_wg
/ip firewall address-list add address=192.168.1.7 comment=ergo list=full_wg
/ip firewall address-list add address=192.168.1.8 comment=yepo list=full_wg
/ip firewall address-list add address=192.168.1.29 comment=LG list=full_wg
/ip firewall address-list add address=192.168.1.10 comment=Philips_NEW list=full_wg
/ip firewall filter add action=accept chain=input connection-state=established,related,untracked in-interface-list=WAN
/ip firewall filter add action=accept chain=input comment=winbox connection-state=new dst-port=1111 protocol=tcp
/ip firewall filter add action=drop chain=input comment="drop invalid connection" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: acept ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all notcoming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="hikvision 9" dst-port=9000 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=accept chain=forward comment=video dst-port=37777,2222,3333 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=accept chain=forward comment="hikvision 10" dst-port=8000 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=accept chain=forward comment=vu+ dst-port=1100 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=accept chain=forward connection-state=established,related,untracked in-interface-list=WAN
/ip firewall filter add action=drop chain=forward comment="forvard invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATTed" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=jump chain=input comment="jump to ICMP filters" jump-target=icmp protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
/ip firewall filter add action=drop chain=icmp comment="deny all other types"
/ip firewall mangle add action=change-ttl chain=prerouting comment="ttl for do not detect provider" new-ttl=increment:1 passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting comment=wg new-routing-mark=wg_mark passthrough=no src-address-list=full_wg
/ip firewall mangle add action=change-mss chain=forward comment="wg2 new mss" disabled=yes new-mss=clamp-to-pmtu out-interface=wireguard2 passthrough=no protocol=tcp tcp-flags=syn
/ip firewall mangle add action=change-mss chain=forward comment="wgcontabo new mss" new-mss=clamp-to-pmtu out-interface=wireguard_contabo passthrough=no protocol=tcp tcp-flags=syn
/ip firewall nat add action=masquerade chain=srcnat comment="masquerade LAN to WAN" out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat comment=video disabled=yes dst-port=37777 in-interface=ether1 protocol=tcp to-addresses=192.168.1.117
/ip firewall nat add action=masquerade chain=srcnat comment="video local" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
/ip firewall nat add action=dst-nat chain=dstnat comment=video dst-address=193.xx.xx.160 dst-port=37777 protocol=tcp to-addresses=192.168.1.2
/ip firewall nat add action=dst-nat chain=dstnat comment="hikvision 10" dst-address=193.xx.xx.160 dst-port=8000 protocol=tcp to-addresses=192.168.1.62
/ip firewall nat add action=dst-nat chain=dstnat comment=vu+ dst-address=193.xx.xx.160 dst-port=1100 protocol=tcp to-addresses=192.168.1.11
/ip firewall nat add action=src-nat chain=srcnat comment="to mik 2" disabled=yes dst-address=10.167.51.4 dst-port=2222 protocol=tcp to-addresses=10.167.51.3
/ip firewall nat add action=netmap chain=dstnat comment="to mik 2" disabled=yes dst-address=192.168.1.1 dst-port=2222 in-interface-list=WAN protocol=tcp to-addresses=10.167.51.4 to-ports=2222
/ip firewall nat add action=dst-nat chain=dstnat comment="con to mik 2 ah" disabled=yes dst-address=193.xx.xx.160 port=2222 protocol=tcp to-addresses=10.167.51.4 to-ports=2222
/ip firewall nat add action=dst-nat chain=dstnat comment="hikvision 9" dst-address=193.xx.xx.160 dst-port=9000 protocol=tcp to-addresses=192.168.1.58
/ip firewall nat add action=dst-nat chain=dstnat comment="con to mik 2 contabo" dst-address=193.xx.xx.160 port=2222 protocol=tcp to-addresses=10.100.10.4 to-ports=2222
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip route add check-gateway=ping comment=net-city disabled=no distance=1 dst-address=0.0.0.0/0 gateway=193.107.74.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment=wg2 disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wireguard2 pref-src="" routing-table=wg_mark scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment=wgcontabo disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard_contabo routing-table=wg_mark scope=30 suppress-hw-offload=no target-scope=10
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set winbox port=1111
/ip service set api-ssl disabled=yes
/ip smb shares set [ find default=yes ] directory=/pub
/system clock set time-zone-name=Europe/Kiev
/system identity set name=ax3
/system leds set 4 disabled=yes
/system leds set 5 disabled=yes
/system logging add topics=wireless,debug
/system logging add disabled=yes topics=dhcp,debug
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=0.pool.ntp.org
/system ntp client servers add address=1.pool.ntp.org
/tool graphing interface add interface=ether5
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no
I do have similar problems, which improve if I switch off 2G. I suspect the fast transition or steering going bad.
has so far solved the problem by disabling wifi2 (2GHz).
Now another device disconnects and reconnects all the time, it's an Iphone 13 Pro Max, and there is an Iphone 12 next to it and it has a stable connection. I don't understand anything anymore...
Oh darnit. I already upgraded my CRS354. And I'm not seeing what you're seeing.
ACHTUNG !!! ALERT !
Do not use this version with CRS354 !!!
Huge packetloss, huge performance drop, unusable on some ports.
Same, switch stops forwarding traffic properly after few hours, had to revert ..
ACHTUNG !!! ALERT !
Do not use this version with CRS354 !!!
Huge packetloss, huge performance drop, unusable on some ports.
There clearly is a bug in that. It logs failure even for scripts like '/log info message="host X is up"' called from netwatch as UP-script!
*) console - added log for script execution failures;
Please revert this change. 99% of my info logs is now `... connect request user:GUEST ...` :/
*) smb - added logs for share connection requests
We are anxiously awaiting improvements in the logging functionality that allow the admin to suppress such messages...
Please revert this change. 99% of my info logs is now `... connect request user:GUEST ...` :/
*) smb - added logs for share connection requests
That would be great... I remember I had some similar case with some of the logs which should be filtered for me, but there were no avail. option, just to remove that whole topic from logging...
We are anxiously awaiting improvements in the logging functionality that allow the admin to suppress such messages...
Please revert this change. 99% of my info logs is now `... connect request user:GUEST ...` :/
(like adding a unique ID to every message that can be suppressed in logging rules, and/or filtering by regexp)
Not sure I follow, but downgrading to 7.14.3 with no config changes fixed our issue, I saw similar reports on facebook wisp talk group
Check your routing table, I bet there is a route received from some other peer and is not actually locally originated. Trace where this route is coming from.
It's routes we originate but the source AS is wrong, it appears as if it's a downstream AS customer of ours but it's a local originated route, the source AS changes frequently
There are no reports indicating that actually v7.15 is the one originating this route, from what is known is what I mentioned previously, route is received from other peer, not originated.
Contact support with supout file and /routing/bgp/advertisements output showing the route you are talking about.
here is the report from facebook:
There are no reports indicating that actually v7.15 is the one originating this route, from what is known is what I mentioned previously, route is received from other peer, not originated.
Contact support with supout file and /routing/bgp/advertisements output showing the route you are talking about.
We don't have any downstream customer I guess I don't know how to communicate it in a way that you will understand me but a random 32-bit AS was showing as the source with our AS after that, meaning we are originating the announcement but a randomly changing source AS was added
If it comes from the downstream customer then it is customer originated route not locally originated route. And it should be investigated why the customer is sending you that route only when you upgrade to v7.15, or maybe it is just a coincidence and has nothing to do with v7.15
/tool netwatch
add host=8.8.8.8 type=simple up-script="/log info message=\"host X is up\""
10:12:53 netwatch,info event up [ type: simple, host: 8.8.8.8 ]
10:12:53 script,info host X is up
There clearly is a bug in that. It logs failure even for scripts like '/log info message="host X is up"' called from netwatch as UP-script!*) console - added log for script execution failures;
I also noticed that several scripts that have been trouble free for 15 years (like /export and /backup simple scripts) are reporting failed in log, but running a few times it will be successful. Both 7.14 & 7.15
Are you able to run this command successfully in terminal?
/tool netwatch add host=8.8.8.8 type=simple up-script="/log info message=\"host X is up\""
10:12:53 netwatch,info event up [ type: simple, host: 8.8.8.8 ]
10:12:53 script,info host X is up
There clearly is a bug in that. It logs failure even for scripts like '/log info message="host X is up"' called from netwatch as UP-script!
I have same problem. sent all details to support with ticket SUP-154594
There are no reports indicating that actually v7.15 is the one originating this route, from what is known is what I mentioned previously, route is received from other peer, not originated.
Contact support with supout file and /routing/bgp/advertisements output showing the route you are talking about.
After carefully checking again, I found in some of the netwatch up-scripts a quote was missing. Indeed good that this is now checked.
Errors were all the time, a user just did not see that.
This improvement lighted up different issues, for example, missing graceful exit from script.
Not confirmed. Running CRS354-48P-4S+2Q+ about five days with 7.15 without any problem.
ACHTUNG !!! ALERT !
Do not use this version with CRS354 !!!
Huge packetloss, huge performance drop, unusable on some ports.
It appears that 7.15 sometimes claims it originates a route while actually it doesn't.
Check your routing table, I bet there is a route received from some other peer and is not actually locally originated. Trace where this route is coming from.
MikroTik support logged in to the device and installed RG502QEAAAR13A03M4G_02.003.02.003 which includes fixes related to my 5G provider.
There seems to be stability issues with Chateau 5G after modem firmware and ROS upgrade.
After upgrading the modem firmware to the latest version along with upgrading to ROS v7.15 the modem has become very unstable with either randomly resetting itself with error “lte1 mbim: modem's control interface have reset (4)” in the logs or with completely getting into an invalid state with repeated “lte1: no response for: AT E0 V1” errors in the log and needing to restart the whole device to recover itself.
[SUP-154766]
On every other device that I've installed v7.15 (CCR2116, CCR2004, CCR1036, CRS326, CRS318, RB5009, RB4011, RB3011, hAP Lite, CHR), I've got no issues whatsoever.
Hopefully they will make this version available to everyone quickly as I allowed my modem to upgrade its firmware about a week ago, mine has stayed connected and I've not noticed any issues, but I haven't upgraded to 7.15 yet. I've deliberately held off after seeing posts of issues with chateau 5g and latest modem firmware with 7.15. My supplier is Three UK, what I have noticed though is it's a bit more fussy about aggregating 2 x n78 bands, I've had to tweak its position a couple of times to keep 2 x n78 carrier aggregation.
MikroTik support logged in to the device and installed RG502QEAAAR13A03M4G_02.003.02.003 which includes fixes related to my 5G provider.
There seems to be stability issues with Chateau 5G after modem firmware and ROS upgrade.
After upgrading the modem firmware to the latest version along with upgrading to ROS v7.15 the modem has become very unstable with either randomly resetting itself with error “lte1 mbim: modem's control interface have reset (4)” in the logs or with completely getting into an invalid state with repeated “lte1: no response for: AT E0 V1” errors in the log and needing to restart the whole device to recover itself.
[SUP-154766]
On every other device that I've installed v7.15 (CCR2116, CCR2004, CCR1036, CRS326, CRS318, RB5009, RB4011, RB3011, hAP Lite, CHR), I've got no issues whatsoever.
It's been 3+ hours so far without any stability issues.
*) bridge - reworked dynamic VLAN creation;
Indeed... I see that as well. That seems to be a step backward.
Before I could join a Port untagged to a VLAN by giving it the PVID that I wanted and it would show up in my static created VLAN in /interface/bridge/vlan. Since 7.15 I need to manually add the untagged port to the VLAN settings, otherwise I have the static VLAN with my tagged ports and another dynamic one with the untagged ports.
[admin@MikroTik] /interface/bridge/vlan> print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED
# BRIDGE VLAN-IDS CURRENT-TAGGED
;;; added by vlan on bridge
0 D bridge1 99 bridge1
In V7.15, setting pvid= on .../bridge/port still works to dynamic add it as untagged to a .../bridge/vlan. The how changed, I think. It always add these to a dynamic .../bridge/vlan - even if there is a static entry in .../bridge/vlan already for the same VLAN.
Before I could join a Port untagged to a VLAN by giving it the PVID that I wanted and it would show up in my static created VLAN in /interface/bridge/vlan. Since 7.15 I need to manually add the untagged port to the VLAN settings, otherwise I have the static VLAN with my tagged ports and another dynamic one with the untagged ports.
*) bridge - reworked dynamic VLAN creation;
Is this expected behaviour and if yes: why?
I actually like the automatic untagging of pvid= from the ports to bridge's vlan table.
Hopefully at some point the PVID per port will disappear and the "untagged ports" in the VLAN configuration will provide this config...
I don't like that there are 2 ways to configure untagged ports and that they can be contradicting.
I actually like the automatic untagging of pvid= from the ports to bridge's vlan table.
Hopefully at some point the PVID per port will disappear and the "untagged ports" in the VLAN configuration will provide this config...
As it's now, /interface/bridge/port defines ingress behaviour ... and PVID can correctly only be set to a single value. OTOH /interface/bridge/vlan defines egress behaviour ... and a single port can be untagged member of multiple VLANs. Further more, some vendors allow state where port with PVID set is not member of that VLAN for egress.
Hopefully at some point the PVID per port will disappear and the "untagged ports" in the VLAN configuration will provide this config...
In fact, I think /interface/vlan should have some option/attribute that automatically adds tagged=bridge (as a dynamic .../bridge/vlan) – so Layer3/IP work without messing with bridge vlan table at all. So whole /interface/bridge/vlans complexity be only needed for hybrid ports or Layer2-only switching cases.
From what is said in post #190 that will happen in v7.16. If untagged= still exists for special use cases, but in general the dynamic membership based on pvid= is used for untagged then it will be a case of only having to add tagged= membership for the non-CPU trunk/hybrid ports.
In fact, I think /interface/vlan should have some option/attribute that automatically adds tagged=bridge (as a dynamic .../bridge/vlan) – so Layer3/IP work without messing with bridge vlan table at all. So whole /interface/bridge/vlans complexity be only needed for hybrid ports or Layer2-only switching cases.
Whilst having a different name would be nice I expect that an automated configuration conversion may break things, from experiences with some of the older master-port to bridge conversions not going well.
I'd rather see bridge "the CPU facing port" become a distinct item ... just like switchX-cpu port in switch chip configs. IMO this would prevent quite some confusion which arises from the fact that there are 3 different items (switch-like entity, CPU-facing port and interface) all named the same, while config, related to each of them, is interleaved.
Having the CPU-facing port automatically added as a tagged member when an /interface vlan is attached to a bridge does seem like a reasonable compromise, as long as all of the other port members require explicit tagged membership to become trunk or hybrid ports.
Behaviour where bridge port would become tagged member of every VLAN, mentioned on any member port config, would also mean reduction of security of ROS devices when used as L2 switch ... because this would make a step closer to make device a router (by making two further steps: creation of corresponding VLAN interfaces and assigning L3 addresses to those). And all of that without clear benefit.
I agree with this idea.
Having the CPU-facing port automatically added as a tagged member when an /interface vlan is attached to a bridge does seem like a reasonable compromise
It already was like that! When you only set a PVID on a port, it automatically becomes an untagged port on that VLAN.
From what is said in post #190 that will happen in v7.16. If untagged= still exists for special use cases, but in general the dynamic membership based on pvid= is used for untagged then it will be a case of only having to add tagged= membership for the non-CPU trunk/hybrid ports.
In fact, I think /interface/vlan should have some option/attribute that automatically adds tagged=bridge (as a dynamic .../bridge/vlan) – so Layer3/IP work without messing with bridge vlan table at all. So whole /interface/bridge/vlans complexity be only needed for hybrid ports or Layer2-only switching cases.
I am having the same problem. Seems there is not any other way to do this currently according to the wiki?
on my end it's because some of my scripts were testing conditions (with 'if') and if condition met, then would quit the script by calling ':error'
# Raise priority of all VRRP Interfaces
# This failover script only works when two routers are each individually connected to a
# single internet connection. A different approach is needed when a single router
# is managing failover across two interfaces
/interface vrrp set priority=250 [/interface vrrp find vrid=20]
/interface vrrp set priority=250 [/interface vrrp find vrid=48]
/interface vrrp set priority=250 [/interface vrrp find vrid=50]
/interface vrrp set priority=250 [/interface vrrp find vrid=54]
/interface vrrp set priority=250 [/interface vrrp find vrid=67]
/interface vrrp set priority=250 [/interface vrrp find vrid=75]
/interface vrrp set priority=250 [/interface vrrp find vrid=83]
/interface vrrp set priority=250 [/interface vrrp find vrid=104]
/interface vrrp set priority=250 [/interface vrrp find vrid=122]
/ip dhcp-server enable [/ip dhcp-server find address-pool=mgmt-iprange]
/system/script/run vrrp-up use-script-permissions
/interface ethernet switch port
set sfp28-1 ingress-rate=1G
This has never worked for me. Have seen this happen many versions ago, not new behaviour. Pretty sure there has been forum posts about this.
There is an issue with the switch based port policer (ingress traffic) not sure how far this goes back but in v7.15 you can observe the following. The egress shaper works within expectations, however the ingress policer results in limiting speed to about 1/10th of whatever number you place in the rate and at a certain point it seems just limited to roughly 150Mbit/s. For example at 1G rate, the output you get with iperf3 is 160Mbits/s. Bump the rate to 10G and you get still 160Mb/s. Bump it to 50G and it breaks the switch, you get 0Mb/s. This is on version 7.15 CCR2216. This is just using webfig and essentially applying this rule to a particular port.
Perhaps it matters that this switch is l3hw offload enabled at the switch level (not at the port level). And I have a couple of VLANs running through this port.
/interface ethernet switch port set sfp28-1 ingress-rate=1G
I've got a few hundred switches where untagged ports are configured via PVID and upgrading to 7.15 will break every one of the configurations on the existing devices.
It already was like that! When you only set a PVID on a port, it automatically becomes an untagged port on that VLAN.
From what is said in post #190 that will happen in v7.16. If untagged= still exists for special use cases, but in general the dynamic membership based on pvid= is used for untagged then it will be a case of only having to add tagged= membership for the non-CPU trunk/hybrid ports.
However, before the untagged port would be listed on the same VLAN line in the bridge VLAN list, and now it creates a duplicate line with the same VLAN number but a D (dynamic) flag, and adds the port to that. Confusing.
Well, maybe it was not clear from the previous discussion, but 7.15 does not actually break this, it only shows strange results on the VLAN screen but it still works fine.
I've got a few hundred switches where untagged ports are configured via PVID and upgrading to 7.15 will break every one of the configurations on the existing devices.
Why break the default behaviour established many moons before instead of just adding a checkbox for bridge ports to activate enhanced VLAN configuration?
add action=drop chain=forward comment="Drop multicast traffic" \
dst-address-type=multicast
add action=drop chain=input comment="Drop multicast traffic" \
dst-address-type=multicast
Seems like there now is a property called inactive with inverted logic: false for active route, true for inactive:
Previously, in RouterOS 7.14.x and earlier, I used the following command to check if a route was active:
/ip/route/get value-name=active [find distance=1]
This command typically returned true or nothing, allowing my scripts to function correctly.
[admin@RB5009] > put [/ip/route/get [find distance=1]]
.id=*80000001;dhcp=true;distance=1;dst-address=0.0.0.0/0;dynamic=true;gateway=192.168.1.1;immediate-gw=192.168.1.1%bridge1_WAN;inactive=false;vrf-interface=bridge1_WAN
[admin@RB5009] > put [/ip/route/get [find distance=1] inactive]
false
[admin@RB5009] > put [/ip/route/get [find distance=1] active]
<empty line>
This does not seem to work as described......
Seems like there now is a property called inactive with inverted logic: false for active route, true for inactive:
.....
[x@y] > put [/ip/route/get [find distance=1]]
...active=true...inactive=false....
[x@y] > put [/ip/route/get [find distance=2]]
.....inactive=false.....
[x@y] > put [/ip/route/get [find distance=2] active]
[x@y] > put [/ip/route/get [find distance=1] active]
true
[x@y] > put [/ip/route/get [find distance=1]]
.....inactive=false....
[x@y] > put [/ip/route/get [find distance=2]]
.....inactive=false.....
[x@y] > put [/ip/route/get [find distance=2] active]
[x@y] > put [/ip/route/get [find distance=1] active]
^empty
/ip/route/print where active=yes
put [/ip/route/get [find active=yes]]
A get works on exactly one item only. Less (none) or more will give an error. Code like this should work for the condition:
:if ([ :len [ /ip/route/find where active=yes ] ] > 0) do={ ...
Can you please create a support ticket and send us the autosupout file? It seems to be something configuration-specific as we can't reproduce this locally.
RBSXTR crashes immediately when LTE modem establishes connection to the cell tower [lte1 registered home].
Afterwards it reboots and leaves log entry "router rebooted because some critical program crashed".
Downgrade to 7.14.3 resolves the problem.
Never had this problem before.
Hi, I will try this. I believe I can reproduce this.
Hi @rushlife, is packet loss a common problem with 7.15/7.15?
I'm experiencing a similar issue, mine seems to be related to Queue ( viewtopic.php?t=208197 ), did you try some changes to wifi config?
It's nothing special, really. Using CAPsMAN and several cAP ax and hAP ax³ some (not all of them) lock up when using RLAN Band 1 or RLAN Band 1 + 2:
I'm using this version since the rc came out...never had any problems with the DFS channels. Can you share your config, @Smoerrebroed?
11 name="RLAN Band 2 (5470 - 5725 MHz)" frequency=5470-5725 width=20/40/80mhz
12 name="RLAN Band 1 (5150 - 5350 MHz)" frequency=5150-5350 width=20/40/80mhz
13 name="RLAN Band 1 + 2 (5150 - 5725 MHz)" frequency=5150-5725 width=20/40/80mhz
I think what happened is find returning a different number of routes matching the filter. So by accident it worked on 7.14.3 but not on 7.15.
A get works on exactly one item only. Less (none) or more will give an error. Code like this should work for the condition:
:if ([ :len [ /ip/route/find where active=yes ] ] > 0) do={ ...
:if ([ :len [ /ip/route/find where distance=1 and active=yes ] ] > 0) do={ ...
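The point made in the posts above (get needs exactly one item, while find can return none or several) as an added RouterOS script example that is not from the thread. The default-route filter with distance=1 and the "route-check" log prefix are assumptions.

```routeros
# Added example, not from the thread. The filter (default route, distance=1)
# and the "route-check" log prefix are assumptions; adjust them to your setup.

# find returns a list of internal ids: it may be empty, hold one id, or several.
:local matching [/ip/route/find where dst-address=0.0.0.0/0 and distance=1]
:local activeIds [/ip/route/find where dst-address=0.0.0.0/0 and distance=1 and active=yes]

:if ([:len $matching] = 0) do={
    :log warning "route-check: no route matches the filter"
} else={
    :if ([:len $activeIds] = 0) do={
        :log warning ("route-check: " . [:len $matching] . " matching route(s), none active")
    } else={
        # get is safe here because it is called with exactly one id per iteration.
        :foreach id in=$activeIds do={
            # A dynamic route can be withdrawn between find and get,
            # so catch the error instead of letting the whole script fail.
            :do {
                :local gw [/ip/route/get $id gateway]
                :log info ("route-check: active route via " . $gw)
            } on-error={
                :log warning "route-check: route disappeared before it could be read"
            }
        }
    }
}
```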
greetings, from Chisinau too :-)
ax^3 works fine, single disconnections I see in the logs is related to the device which is the 5 floors away and signal is -86/-90 - so, it is expected.
Ax3, have problem wi-fi, always disconnected
I've recreated problem on 3rd school's network too. While only RouterOS is upgraded on Router (CRS) and cAP's, RoMON problem is not present. When Router's (CRS) firmware is upgraded to 7.15 - RoMON connections still work as intended. BUT when cAP's firmware gets upgraded to 7.15 then connections problems begin. It looks like 7.15 firmware on target device is the one to blame.
Hi! After upgrading two small schools to ROS 7.15 (including Firmware), there is a problem connecting to CAPs via RoMON. If you try to connect to specific device, winbox shows "Connecting to DC:..." and after a while there is "ERRORL disconnected from RoMON". But if You then try to connect to other devices and then return to first device, there is chance You'll get a connection. Other two schools where is still ROS7.14.3 there are no problems.
And one more problem, in scheduler script (or scripts in general, I presume) if You compare FW versions like "if current version < upgrade then update" then comparing 7.14.3<7.15 won't take effect as formats won't match.
1st school: RB3011, 23xcAP ac's switches running SwOS, config includes 5 VLAN's
2nd school: RB2011, 13x cAP XL ac's, switches running SwOS, no VLAN's.
Hi, there are too much changes in this version but, I work with PPPoE Server and Dynamic Queues and I wanna know why you changed the way to the PPPoE Profile assigns the names for each individual queue instead to assign the same than the secret for each one. Actually just assign a number for each queue like queue1, queue2, etc...
Experiencing latency increase caused probably by the use of CAPsMAN: viewtopic.php?p=1079263#p1079263
Hi, I will try this. I believe I can reproduce this.
edit : not my case, I don't use CODEL, with ros 7.13.5 no packet loss, with 7.15 can be easily up to 20% with small packet size
Well, that is actually GOOD! Now you see an error that was present in your config all the time since upgrading to v7.
I was also getting the script error in my logs after upgrading to 7.15.
"executing script from scheduler failed, please check it manually"
The solution was to replace the word "system" with "routeros"
I disagree:
Well, that is actually GOOD! Now you see an error that was present in your config all the time since upgrading to v7.
(that is when the package "system" was renamed "routeros". that was not with 7.15 but already with 7.1)
/system/script add dont-require-permissions=yes name=dummy-script owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":return \"\""
/system/script run dummy-script
:do {/system/script/run dummy-script} on-error={:put error}
I don't disagree that there are issues, but you should agree that the example he posted ACTUALLY caught an ERROR that he had not noticed before (caused by the arbitrary and probably unnecessary change of the system package name to routeros in v7).
I disagree:
I agree that would be helpful if this actually works ok, when you have log error every 1min, not much...
but you should agree that the example he posted ACTUALLY caught an ERROR that he had not noticed before (caused by the arbitrary and probably unnecessary change of the system package name to routeros in v7).
There is no need to run in circles.
I agree that would be helpful if this actually works ok, when you have log error every 1min, not much...
Also see this error!
Script execution seems not fixed.
After update to 7.15, red warnings started in sys log with: "Executing script from scheduler failed, please check it manually"
Scripts seem to be working, but this warning is present.
All scripts with :global or other definitions generate error.
Works for me...
Many global functions work for me, only scripts that somehow use toip do not work.
:put [ :toip "1.2.3.4" ]
1.2.3.4
It works.
Works for me...
Many global functions work for me, only scripts that somehow use toip do not work.
What's your input for this?
:put [ :toip "1.2.3.4" ]
1.2.3.4
:toip value=$host
:if ([:tobool [:toip value=$host]]) do={...} else={:local resolvedIP [:resolve $host] ...}
Can't find any pointers on the forum or from my posts here. The only option that I have right now is downgrading to 7.14 which is very disappointing.
Hitting the issue previously reported in this thread where a script that has been running without any problems up to 7.14, has started failing in 7.15.
[snip]
What causes it? Some specific service or configuration we should know about to avoid until a fix is released?
This memory leak is fixed and will be included in the next release.
We have the same issue here - these names were used to check traffic for users based on username. I don't see any announcement in the ChangeLog for this change - so probably a bug?
Maybe, I'm trying to find some possible solution for fixing this issue, but unsuccessfully. Please someone tell us if there is something to try...
Hi, there are too many changes in this version, but I work with PPPoE Server and Dynamic Queues and I want to know why you changed the way the PPPoE Profile assigns the names for each individual queue instead of assigning the same name as the secret for each one. Actually it just assigns a number to each queue, like queue1, queue2, etc...
i haven't upgraded yet but running vpls as well, did you experience this issue running bgp-signalled vpls? if so did you manage to find a solution on 7.15
I try today v7.15 on 3 different 4011.
VPLS vs 7.14 2216 doesn't go running.
After downgrade it to 7.14 interface goes up with no configuration change.
Anyone noticed this issue?
This function (especially with that many lists) is not intended for a small router like the RB750Gr3...
Hi everyone!
The /ip/dns/adlist function is not working correctly on my RB750Gr3.
The files are saved in the NAND before being loaded into RAM, if you don't have free space in the flash you can't download the host file.
Hi everyone!
The /ip/dns/adlist function is not working correctly on my RB750Gr3.
I have tried the following sources:
add ssl-verify=no url="https://raw.githubusercontent.com/Steve ... ling/hosts"
add ssl-verify=no url="https://raw.githubusercontent.com/Steve ... ster/hosts"
add ssl-verify=no url="https://raw.githubusercontent.com/hagez ... ts/pro.txt"
add ssl-verify=no url="https://raw.githubusercontent.com/Dande ... eHosts.txt"
add ssl-verify=no url="https://raw.githubusercontent.com/FadeM ... Spam/hosts"
add ssl-verify=no url="https://raw.githubusercontent.com/Filte ... Dhosts.txt"
add ssl-verify=no url="https://big.oisd.nl"
add ssl-verify=no url="https://osint.digitalside.it/Threat-Int ... omains.txt"
After adding all of them show match-count=0 name-count=0
But I still found 2 sources that added my Mikrotik normally:
Flags: X - disabled
0 url="https://v.firebog.net/hosts/Prigent-Crypto.txt" ssl-verify=no match-count=2 name-count=16274
1 url="https://pgl.yoyo.org/adservers/serverli ... ip=0.0.0.0" ssl-verify=no
match-count=0 name-count=3555
I then downloaded the files in all the links via browser and uploaded them to my two servers. Then I added the links to my own addresses in Mikrotik.
On my first server all sources were match-count=0 name-count=0
On the second one, only one file was added to Mikrotik - Prigent-Crypto.txt.
At the same time through the browser all files from my servers are downloaded normally.
dynamic-servers:
use-doh-server:
verify-doh-cert: no
doh-max-server-connections: 5
doh-max-concurrent-queries: 50
doh-timeout: 5s
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 102400KiB
cache-max-ttl: 1w
address-list-extra-time: 0s
vrf: main
cache-used: 3259KiB
uptime: 50m40s
version: 7.15.1 (stable)
build-time: 2024-06-07 12:49:11
factory-software: 6.40
free-memory: 187.3MiB
total-memory: 256.0MiB
cpu: MIPS 1004Kc V2.15
cpu-count: 4
cpu-frequency: 880MHz
cpu-load: 3%
free-hdd-space: 3584.0KiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 62093
write-sect-total: 11162589
architecture-name: mmips
board-name: hEX
platform: MikroTik
I have updated few devices for testing and the WireGuard VPN came up without a problem on all of them.
I upgraded a vultr CHR 7.15 to 7.15.1 using the internal upgrade function and after the necessary restart my wireguard vpns stopped working. Downgrading to 7.15 fixed the problem. So please deploy with caution.
Just tried it and my WG Road Warrior setup works without issues.
I upgraded a vultr CHR 7.15 to 7.15.1 using the internal upgrade function and after the necessary restart my wireguard vpns stopped working. Downgrading to 7.15 fixed the problem. So please deploy with caution.
09:38:01 bridge,warning "bridge" peer disconnected
09:38:01 bridge,warning "bridge" peer link down
09:38:01 bridge,info "bridge" peer link up
09:38:01 bridge,info "bridge" peer connected
09:38:01 bridge,info "bridge" peer becomes primary DC:2C:6E:D2:AF:4B
Did it disappear only in winbox?
Upgraded from 7.15 to 7.15.1 (Hap aC2) - disappeared routing filters + bgp peers !!!!
Related side question, why do you have BGP filters on a Home WiFI access point?
*) winbox - fixed issue with skin file appearing as unknown in user group menu (introduced in v7.15);
Why does ROS offer BGP filters on a Home WiFi access point when manufacturer drops the opinion that one should not have it?
Related side question, why do you have BGP filters on a Home WiFI access point?
Especially because it was often suggested during the times the hAP ac2 was quickly running low on storage to make RouterOS modular again, as it was in v6, so those features would only be present when some optional "advanced routing" package is installed.
Why does ROS offer BGP filters on a Home WiFi access point when manufacturer drops the opinion that one should not have it?
Related side question, why do you have BGP filters on a Home WiFI access point?
I've recreated problem on 3rd school's network too. While only RouterOS is upgraded on Router (CRS) and cAP's, RoMON problem is not present. When Router's (CRS) firmware is upgraded to 7.15 - RoMON connections still work as intended. BUT when cAP's firmware gets upgraded to 7.15 then connection problems begin. It looks like 7.15 firmware on target device is the one to blame.
Hi! After upgrading two small schools to ROS 7.15 (including Firmware), there is a problem connecting to CAPs via RoMON. If you try to connect to specific device, winbox shows "Connecting to DC:..." and after a while there is "ERRORL disconnected from RoMON". But if You then try to connect to other devices and then return to first device, there is chance You'll get a connection. Other two schools where is still ROS7.14.3 there are no problems.
And one more problem, in scheduler script (or scripts in general, I presume) if You compare FW versions like "if current version < upgrade then update" then comparing 7.14.3<7.15 won't take effect as formats won't match.
1st school: RB3011, 23x cAP ac's, switches running SwOS, config includes 5 VLAN's
2nd school: RB2011, 13x cAP XL ac's, switches running SwOS, no VLAN's.
P.S. Clearing Winbox cache increases successful connection percentage, but overall problem persists especially on first time connections.
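The version comparison problem raised in the post above, worked as an added example (not code from the thread or from MikroTik): Python for a management host that decides whether a device needs an update by comparing numeric fields instead of text. The function names, the beta/rc suffix handling and the accepted string format are assumptions based on the version strings quoted on this page.

```python
import re

# Assumed format: major.minor[.patch], optional beta/rc suffix, optional
# channel label in parentheses, e.g. "7.15.1 (stable)" as quoted on this page.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?(?:\s*\(([\w-]+)\))?$"
)
_STAGE_RANK = {"beta": 0, "rc": 1, None: 2}  # a final release sorts last


def parse_routeros_version(text):
    """Turn a version string into a tuple that compares in release order."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        # Fail closed: an unparseable version must not trigger an update.
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, stage, stage_no, _channel = m.groups()
    # A missing patch field counts as 0, so 7.15 == 7.15.0 and 7.14.3 < 7.15.
    return (int(major), int(minor), int(patch or 0),
            _STAGE_RANK[stage], int(stage_no or 0))


def needs_upgrade(installed, available):
    """True only when 'available' is strictly newer than 'installed'."""
    return parse_routeros_version(installed) < parse_routeros_version(available)


if __name__ == "__main__":
    # Constructed pairs; the first one is the case from the post.
    for installed, available in [("7.14.3", "7.15"), ("7.9", "7.15"),
                                 ("7.15.1 (stable)", "7.15"), ("7.15rc2", "7.15")]:
        print(installed, "->", available, needs_upgrade(installed, available))
```

Compared as plain text, "7.9" sorts after "7.15", which is the kind of mismatch a tuple comparison avoids.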
Sorry. No.
There is nothing stopped being supported. It most likely is (on a hAP ac2) the exhaustion of flash space that corrupted the configuration.
The change relates to how RouterOS updates LLDP information internally, not sending/receiving LLDP packets
*) discovery - optimized LLDP information update;
Cannot comment on 3rd party software error logging, but you should provide more details about how you fixed the error, only then further conclusion can be made.
Librenms version 24.5.0-39
Event Log:
discovery 192.168.0.2 LLDP discovery of GS2210 failed - Check name lookup
I made changes to LLDP on my Zyxel managed switch and enabled notification
I think I fixed the LLDP discovery of GS2210... I don't see the above failed error. Can we please get more info other than failed?!!!
I also added on the mikrotik logs for ldp but I get nothing!
Please advise and thanks in advance.
Unfortunately that sometimes happens after upgrades.
i tried a clean winbox from a virtual machine and connects to the same devices from the same location using romon perfectly
i am using winbox 3-40
if i connect with the option session = <none> problem disappears
Skins on webfig, for the RB750GR3, are still not working.
Dear Mikrotik: I would like to see log entries in "wireless, info" topic when channel frequency changes on interface due to reselect. Thank you!
*) wifi - added "reselect-interval" support;
I have Wireguard running ever since ROS 7 was still in 7.1 beta. Can't remember ever having troubles after an upgrade with Wireguard. Just works. Even in 7.15.1.
I upgraded a vultr CHR 7.15 to 7.15.1 using the internal upgrade function and after the necessary restart my wireguard vpns stopped working. Downgrading to 7.15 fixed the problem. So please deploy with caution.
I tested producing a QRcode locally using Python's qrencode including:
[Req] Please add a Wireguard/Peer field for Client AllowedIPs.
I have quite some VPN clients that only to send certain traffic over the VPN and right now it's an annoyance that the QR code always includes a AllowedIPs: 0.0.0.0/0, ::/0 since their WG server isn't even set up to route WG traffic to the internet.
Currently the Docs (https://help.mikrotik.com/docs/display/ROS/WireGuard) read:
*AllowedIPs configuration that is provided to the client through WireGuard peer export (configuration file or QR code) can not be changed and will be "0.0.0.0/0, ::/0" at the moment. If it is necessary to change these values on remote end, then that is up to the remote peer software used for WireGuard connection.
It seems to me that the whole point of generating QR codes is to simplify config distribution and AllowedIPs is a critical field. I can't think of one but is there a reason to rely on editing the setting in the peer's interface rather than including it in the QR code?
AllowedIPs = 10.0.0.0/24,172.16.100.0/24
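The locally generated client configuration discussed in the post above, as an added example (not code from the thread or from MikroTik): it builds the configuration text with a restricted AllowedIPs line, rejecting the 0.0.0.0/0 and ::/0 defaults and malformed prefixes before the text is handed to a QR encoder. Function names, keys, addresses and the endpoint are constructed placeholders.

```python
import ipaddress

# The export default quoted in the post: routes everything through the tunnel.
DEFAULT_ROUTES = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def normalise_allowed_ips(prefixes, allow_default_route=False):
    """Validate prefixes and return them as canonical, de-duplicated strings."""
    nets = []
    for text in prefixes:
        # strict=True rejects typos such as 10.0.0.1/24 (host bits set).
        net = ipaddress.ip_network(text.strip(), strict=True)
        if net in DEFAULT_ROUTES and not allow_default_route:
            raise ValueError(f"{net} is a default route; split-tunnel peers must not get it")
        nets.append(net)
    if not nets:
        raise ValueError("AllowedIPs must not be empty")
    merged = []
    for version in (4, 6):
        # collapse_addresses() needs one address family per call.
        family = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(family))
    return [str(n) for n in merged]


def build_client_config(private_key, address, server_public_key, endpoint, allowed_ips):
    """Return wg-quick style text; this is what a QR encoder would be given."""
    allowed = ", ".join(normalise_allowed_ips(allowed_ips))
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {private_key}",
        f"Address = {address}",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {allowed}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values; the keys are placeholders, not real keys.
    print(build_client_config(
        "<client-private-key>", "10.0.0.2/32", "<server-public-key>",
        "vpn.example.net:13231", ["10.0.0.0/24", "172.16.100.0/24"]))
```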
Seeing downloads go to 10mbps, while upload works fine.. then fine for a bit after a reboot.. definitely something odd going on (link state is full 1Gbps) and transfer is to internet or between hosts, so it's specific to ports as other ports work fine.
ACHTUNG !!! ALERT !
Do not use this version with CRS354 !!!
Huge packetloss, huge performance drop, unusable on some ports.
This function (especially with that many lists) is not intended for a small router like the RB750Gr3...
Hi everyone!
The /ip/dns/adlist function is not working correctly on my RB750Gr3.
Get something like a RB5009 or better.
The files are saved in the NAND before being loaded into RAM, if you don't have free space in the flash you can't download the host file.
SUP-146323
Thank you for contacting MikroTik Support.
It looks like your device doesn't have enough storage on the device to use adlist. At the moment the adlist is downloaded to the NAND as well as stored in RAM, we are looking in to maybe changing the behavior, but sadly can't provide more details at the moment.
Did you already increase the DNS cache size? It can be changed from 2048 to 20480 without issue on that router.
I think the problem is not only in free space.
I have 3500 KB of free space on my router.
When a VPN server has a "port-knocking" implemented, the client must "knock" in order to connect. Until 7.14.1 "on-down" script was performing the "knocking" perfectly.
I do not understand what this has to do with a port-knocking mechanism.