Just asked this to support, updated ww2 snmp OID is coming. No ETA.any chance to implement ANY information with new WIFI CapsMan and SNMP ?
in old wireless capsman, there was at least some basic info, but now ... null
*) firewall - added message when interface belonging to VRF is added in filter rules;
7.16beta1 145
7.13beta1 125
7.12beta7 121
7.9beta4 113
7.15beta4 111
7.8beta2 90
7.10beta5 85
7.7beta3 82
7.11beta2 81
7.3beta33 80
7.14beta3 77
7.10beta8 56
7.5beta4 56
7.15beta8 55
7.14beta6 54
7.14beta9 53
7.3beta40 51
7.12beta3 50
No problems here on a CCR2116. Six containers (pihole, open-speedtest, samba, uptime-kuma, home-assistant, esphome).My adguard container won't start after update , nothing in log, anyone else has problem with containers ?
I see now whats wrong, update decided to change my usb from USB2 to USB1 so paths are broken, which also some of previous updates changed from USB1 to USB2..No problems here on a CCR2116. Six containers (pihole, open-speedtest, samba, uptime-kuma, home-assistant, esphome).My adguard container won't start after update , nothing in log, anyone else has problem with containers ?
Now I manage to establish the BGP session against the route reflector. However, there are some issues:*) bgp - fixed vpnv6 safi;
1 E name="ROUTE_REFLECTOR-1"
remote.address=10.1.1.36 .as=65000 .id=10.1.1.36 .capabilities=mp,rr,as4,err .afi=vpnv4 .messages=875 .bytes=73924 .eor=""
local.role=ibgp .address=10.1.1.11 .as=65000 .id=10.1.1.11 .capabilities=mp,rr,gr,as4 .afi=vpnv4 .messages=291 .bytes=5624 .eor=""
output.procid=21
input.procid=21 ibgp
multihop=yes hold-time=3m keepalive-time=1m uptime=4h48m17s690ms last-started=2024-06-06 10:01:47 last-stopped=2024-06-06 10:01:47 prefix-count=1053
routing/route/print where afi=vpn6
Flags: U - UNREACHABLE; b - BGP; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE
DST-ADDRESS GATEWAY AFI DISTANCE SCOPE TARGET-SCOPE
UbH 65000:111 ::ffff:10.1.1.48 vpn6 200 40 30
UbH 2001:db8::/32&65000:111 ::ffff:10.1.1.84 vpn6 200 40 30
That's going to be useful. Thought I'd provide an example, since I tested it (and works with a couple files at least).*) console - improved :serialize and :deserialize commands and added support for DSV (delimiter separated values) format;
# fetch Mikrotik's "Product Matrix CSV" from website
:global productDsvRaw ([/tool/fetch url="https://mikrotik.com/products/matrix" http-data="ax=matrix" output=user as-value]->"data")
# use NEW "DSV" support to convert it to an RouterOS array
:global productsArray [:deserialize from=dsv $productDsvRaw delimiter=";" options=dsv.plain]
# as an array, you can use it a loops etc...
# so to print first 20 devices from the downloaded (to memory) CSV
:foreach k,v in=$productsArray do={ :if ($k<20) do={:put "\$productsArray->$k = $($v->1)"}}
# or perhaps the count of them
:put "\r\nNumber of devices: $([:len $productsArray] / 2 - 1)"
# OR... the new add-on the to=json, which does a pretty print of JSON text
:global prettyProductJson [:serialize to=json options=json.pretty $productsArray]
:put [:pick $prettyProductJson 0 512]
# this also useful since :put <array> is hard to read...
# for example the array looks like
:put [:pick [:tostr $productsArray] 0 512]
It is not strange, it is how it is supposed to be when you send ipv6 routes over ipv4 session. It is ipv4 mapped address.
- The way the default route is represented is strange:
If you deactivate 2.4, are the devices able to connect to 5?Was hoping 7.16 to fix roaming issues, but no luck, all worked perfect until 7.15 and new drivers.
My devices keep roaming from 5ghz to 2ghz and thats very next to router under full signal, and often multiple devices roam same time(Samsung s23, LG OLED TV, ASUS tablet).
I already reduced 2ghz to 10 TX which is over 10db difference from 5ghz, dont know what else to do.
I expected it to be something like "::/0&52308:1000"It is not strange, it is how it is supposed to be when you send ipv6 routes over ipv4 session. It is ipv4 mapped address.
Roaming works fine for me when I'm at distance of router, but devices close to router are doing stupid things which they didn't before in 7.14 and all versions before.If you deactivate 2.4, are the devices able to connect to 5?Was hoping 7.16 to fix roaming issues, but no luck, all worked perfect until 7.15 and new drivers.
My devices keep roaming from 5ghz to 2ghz and thats very next to router under full signal, and often multiple devices roam same time(Samsung s23, LG OLED TV, ASUS tablet).
I already reduced 2ghz to 10 TX which is over 10db difference from 5ghz, dont know what else to do.
I had the same problem and in the end it was my devices fault because they didn't "see" channels above 100.
2.4/5 GHz roaming works great in my case.
*) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge;
Ah OK, then maybe it depends on the DFS.sometimes they are connected for hours then suddenly all roam to 2ghz
Was hoping 7.16 to fix roaming issues, but no luck, all worked perfect until 7.15 and new drivers.
My devices keep roaming from 5ghz to 2ghz and thats very next to router under full signal, and often multiple devices roam same time(Samsung s23, LG OLED TV, ASUS tablet).
I already reduced 2ghz to 10 TX which is over 10db difference from 5ghz, dont know what else to do.
Not using dfs, no radar detects,5220.Ah OK, then maybe it depends on the DFS.sometimes they are connected for hours then suddenly all roam to 2ghz
What 5GHz channel are you using?
Enabled day one.Was hoping 7.16 to fix roaming issues, but no luck, all worked perfect until 7.15 and new drivers.
My devices keep roaming from 5ghz to 2ghz and thats very next to router under full signal, and often multiple devices roam same time(Samsung s23, LG OLED TV, ASUS tablet).
I already reduced 2ghz to 10 TX which is over 10db difference from 5ghz, dont know what else to do.
USE
WiFi Security -> FT(TAB) --> FT Enabled = YES
Should fix that for you
Also with Huawei not working on p2p Level 2.IS-IS towards Cisco no longer works on ptp , only broadcast
Are there any plans to bring features of wifi-qcom-ac on par with wifi-qcom ... the list of differences is growing with every new ROS version ...
So sadStill no ipv6 fastpath :/
Until Mikrotik decides to provide the correct level of logging for Wifi, and especially roaming/band steering etc. you won't be able to understand what is going on.Enabled day one.
USE
WiFi Security -> FT(TAB) --> FT Enabled = YES
Should fix that for you
Actually you shouldn't enable FT unless using CAPsMAN and multiple APs...Enabled day one.
USE
WiFi Security -> FT(TAB) --> FT Enabled = YES
Should fix that for you
Not quite. It can also be used for roaming between radios of the same AP provided same SSID is used.Actually you shouldn't enable FT unless using CAPsMAN and multiple APs...
Enabled day one.
That is very interesting!*) l3hw - added per-VLAN packet and byte counters to compatible switches;
Where such list can be found please? Looked into the docs, not being able to find any. I am just curious, if wifi-qcom-ac still does not allow 4 address (repeater mode), or if it will allow one in future?Are there any plans to bring features of wifi-qcom-ac on par with wifi-qcom ... the list of differences is growing with every new ROS version ...
Are there any plans to bring features of wifi-qcom-ac on par with wifi-qcom ... the list of differences is growing with every new ROS version ...
Probably not possible without bloating the size of the package, thus causing more problems for devices like hAP ac². wifi-qcom is over 3.5x the size of wifi-qcom-ac.
Where such list can be found please? Looked into the docs, not being able to find any. I am just curious, if wifi-qcom-ac still does not allow 4 address (repeater mode), or if it will allow one in future?Are there any plans to bring features of wifi-qcom-ac on par with wifi-qcom ... the list of differences is growing with every new ROS version ...
Exactly, i do have CAP and roaming between them works wonderful (HAP AX3(capsman) and HAP AC3(cap)), the problem i described is roaming of devices under same AP interfaces, sometimes they even flap around 2ghz and 5ghz few times in 5mins for no apparent reason, (tv mounted on wall not moving inch and 1m from router...)Not quite. It can also be used for roaming between radios of the same AP provided same SSID is used.
Actually you shouldn't enable FT unless using CAPsMAN and multiple APs...
You can now see Tx/Rx byte and packet counters for each VLAN interface when using L3HW for inter-VLAN routing (on compatible switches). These counters are accessible in the Interface List section of WinBox/WebFig or by running specific CLI commands.Where are these values showed? In which cli command branch?*) l3hw - added per-VLAN packet and byte counters to compatible switches;
/interface/print stats
/interface/monitor-traffic
Mikrotik doesn't want to touch wifi-qcom-ac for a good reason. The moment they do that complaints will start flowing because of the package size increase and lack of storage. It has been the same size for the past couple releases, but the regular wireless package gets a slimdown again. Spectral scan would be nice as well for anything that has support for wifi-qcom-ac package because that has been on the "to-do list" for almost 10 years for ac chipsets: viewtopic.php?t=89696#p455926Are there any plans to bring features of wifi-qcom-ac on par with wifi-qcom ... the list of differences is growing with every new ROS version ...
Ammo, is that a feature that goes with MVLAN.... or whatever the acronym is for automatically adding vlans on trunk ports.This was good too:
It even put comments on in /interface/bridge/vlan on what triggered the "D" dynamic vlan entry there, i.e. "added by pvid", "added by vlan on bridge", ...Code: Select all*) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge;
As always, is this something that is inferred or do we have a statement or wiki where this is stated?Not quite. It can also be used for roaming between radios of the same AP provided same SSID is used.
Actually you shouldn't enable FT unless using CAPsMAN and multiple APs...
Nope. No "vlan sharing" required (MVRP).Ammo, is that a feature that goes with MVLAN.... or whatever the acronym is for automatically adding vlans on trunk ports.
It even put comments on in /interface/bridge/vlan on what triggered the "D" dynamic vlan entry there, i.e. "added by pvid", "added by vlan on bridge", ...
/interface/bridge/vlan> /interface/bridge/vlan/print where vlan-ids=42
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
;;; added by vlan on bridge
8 D bridge 42 bridge
;;; added by pvid
11 D bridge 42 ether10
From this line we found out that there is a limit of maximum 1024 ports per bridge!*) bridge - show invalid flag for ports that fails to be added to bridge (e.g. maximum port limit of 1024 is reached);
Well, there is a YouTube video by Toms from Mikrotik. He tells us this as a fact.As always, is this something that is inferred or do we have a statement or wiki where this is stated?
Jun/08/2024 08:53:12 dhcp,debug processing client:005056bf3ea9 iapd:0x2
Jun/08/2024 08:53:12 dhcp,debug binding belongs to other server: 005056bf3ea9 xxxx:xxxx:3:3001::/64
Jun/08/2024 08:53:12 dhcp,debug binding not updated
Jun/08/2024 08:53:12 dhcp,debug,packet send <pppoe-user3> -> fe80::16af:edd3:0:2%2d
While this is partially good news it obviously means no vlan-interface-counters for layer2 traffic only?You can now see Tx/Rx byte and packet counters for each VLAN interface when using L3HW for inter-VLAN routing (on compatible switches). These counters are accessible in the Interface List section of WinBox/WebFig or by running specific CLI commands.
Where are these values showed? In which cli command branch?
Code: Select all/interface/print stats /interface/monitor-traffic
what a mess*) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge;
*) system - improved watchdog and kernel panic reporting (additional fixes);
*) bgp - fixed cluster-list and originator-id;
... now also allows type=FWD records (that forward to specific servers) to function with DoH? That's on my wishlist for a long time (and requested in SUP-132300), and would be nice to finally have it.*) dns - added support for DoH with adlist;
I am waiting for this as well. I did never understood the argument "DoH takes it all no matter what".Have not tested, but is it possible that...
... now also allows type=FWD records (that forward to specific servers) to function with DoH? That's on my wishlist for a long time (and requested in SUP-132300), and would be nice to finally have it.*) dns - added support for DoH with adlist;
PoE statistics are off by 1 port on beta2. I have only 1 device plugged into ether14, but PoE statistics show on ether15. This is on my CRS354-48p-4S-+2Q+. You can see the log show ether15 powered on PoE and then ether14 showing the link.*) poe-out - upgraded firmware for SAMD20 PSE (AF/AT) controlled boards (the update will cause brief power interruption to PoE-out interfaces);
Not too sure about that issue being generic.LMK, I can file bug report if needed, but given @mozerd's comments, I'm guess something more generically is wrong in /disk in 7.16beta1/2.
IPv6 PD over PPPoE still not working. Mixing user prefixes for a while.
Jun/08/2024 08:53:12 dhcp,debug processing client:005056bf3ea9 iapd:0x2
Jun/08/2024 08:53:12 dhcp,debug binding belongs to other server: 005056bf3ea9 xxxx:xxxx:3:3001::/64
Jun/08/2024 08:53:12 dhcp,debug binding not updated
Jun/08/2024 08:53:12 dhcp,debug,packet send <pppoe-user3> -> fe80::16af:edd3:0:2%2d
May I suggest splitting change logs into additions/changes and fixes?
Fixes:
- a
- b
New in this release:
- foo
- bar
Breaking changes:
- baz
Yes! Plese do like that!I have never seen this. txfz means "group by". Like:
Code: Select allFixes: - a - b New in this release: - foo - bar Breaking changes: - baz
Perhaps. It may be specific to ROSE + RAID in my case.Not too sure about that issue being generic.LMK, I can file bug report if needed, but given @mozerd's comments, I'm guess something more generically is wrong in /disk in 7.16beta1/2.
No disk nor container problems on my RB5009 :?
/disk set sata1 raid-master=raid1
/disk set sata2 raid-master=raid1
+1Yes! Plese do like that!Code: Select allFixes: - a - b New in this release: - foo - bar Breaking changes: - baz
Or, at least, mark at the beginning of the line the classification.
https://mikrotik.com/product/product_ge ... 3_16_41_07RouterOS version 7.16beta has been released on the "v7 testing" channel!
[admin@RBLHGGR] > /system/routerboard/print
routerboard: yes
model: RBLHGGR
serial-number: ****
firmware-type: a3700
factory-firmware: 6.48.3
current-firmware: 7.16beta2
upgrade-firmware: 7.16beta2
[admin@RBLHGGR] > /system/resource/print
uptime: 1d19h48m39s
version: 7.16beta2 (testing)
build-time: 2024-06-12 09:03:28
factory-software: 6.48.2
free-memory: 135.6MiB
total-memory: 256.0MiB
cpu: ARM64
cpu-count: 2
cpu-load: 0%
free-hdd-space: 1584.0KiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: ****
write-sect-total: ****
architecture-name: arm64
board-name: RBLHGGR
platform: MikroTik
[admin@RBLHGGR] > /interface/lte/print detail
Flags: X - disabled; R - running; I - inactive
0 I default-name="lte1" name="lte1" mtu=1500
apn-profiles=default sms-read=no sms-protocol=auto
network-mode=gsm,3g,lte
1 R default-name="lte1" name="lte2" mtu=1500
apn-profiles=default allow-roaming=no sms-read=no
sms-protocol=auto network-mode=gsm,3g,lte band=""
[admin@RBLHGGR] > /interface/lte/export
/interface lte
set [ find default-name=lte1 ] network-mode=gsm,3g,lte sms-protocol=auto sms-read=no
set [ find default-name=lte1 ] allow-roaming=no band="" name=lte2 sms-protocol=auto sms-read=no
Would also like this functionality.I am waiting for this as well. I did never understood the argument "DoH takes it all no matter what".Have not tested, but is it possible that...
... now also allows type=FWD records (that forward to specific servers) to function with DoH? That's on my wishlist for a long time (and requested in SUP-132300), and would be nice to finally have it.
Maybe this is something you should discuss with Hetzner, after all it is their virtual platform...We have 2 VM's and both with 40GB disks.
On x86 CHR show 37.9GiB, on arm64 CHR show 9.0GiB - shouldn't they show same value in both cases?
root@rescue ~ # e2fsck -f /dev/sda2
e2fsck 1.47.0 (5-Feb-2023)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/sda2: 45/2391200 files (2.2% non-contiguous), 620354/9991168 blocks
root@rescue ~ # resize2fs /dev/sda2
resize2fs 1.47.0 (5-Feb-2023)
Resizing the filesystem on /dev/sda2 to 39964672 (1k) blocks.
The filesystem on /dev/sda2 is now 39964672 (1k) blocks long.
root@rescue ~ # reboot
This was a RouterOS bug, and will be fixed in next version. Resize was 1/4 from actual sizeI would say it is a bug in Hetzner VM installation procedure, on x86 it automatically extends file system for given image to full HDD size, on ARM is does not so you have to do it manually...
Have you tried to reduce tx power on 5 GHz instead of 2,4 GHz to see how that would affect the situation? There is a possibility that high signal level (near the router as in this case) can saturate the the radio on client device causing unpredictable behaviour....Was hoping 7.16 to fix roaming issues, but no luck, all worked perfect until 7.15 and new drivers.
My devices keep roaming from 5ghz to 2ghz and thats very next to router under full signal, and often multiple devices roam same time(Samsung s23, LG OLED TV, ASUS tablet).
I already reduced 2ghz to 10 TX which is over 10db difference from 5ghz, dont know what else to do.
/* If we haven't discovered any modes that this module supports, try
* the bitrate to determine supported modes. Some BiDi modules (eg,
* 1310nm/1550nm) are not 1000BASE-BX compliant due to the differing
* wavelengths, so do not set any transceiver bits.
*
* Do the same for modules supporting 2500BASE-X. Note that some
* modules use 2500Mbaud rather than 3100 or 3200Mbaud for
* 2500BASE-X, so we allow some slack here.
*/
if (linkmode_empty(modes) && br_nom) {
if (br_min <= 1300 && br_max >= 1200) {
phylink_set(modes, 1000baseX_Full);
__set_bit(PHY_INTERFACE_MODE_1000BASEX, interfaces);
}
if (br_min <= 3200 && br_max >= 2500) {
phylink_set(modes, 2500baseX_Full);
__set_bit(PHY_INTERFACE_MODE_2500BASEX, interfaces);
}
}
The interface MTU is device local. "Client MTU" must be set on the client side.Please add a "Client MTU" option to wireguard peer configuration page, in order to set the MTU value in some occasion。
There's room for improvement in that menu. AllowedIPs was requested before, official answer 'till now was "edit it manually on the client", well that's not the point of having a qr / config generator in the first place if you still have to dig into the config to tweak missing pieces, is it?The interface MTU is device local. "Client MTU" must be set on the client side.Please add a "Client MTU" option to wireguard peer configuration page, in order to set the MTU value in some occasion。
For it to be part of the "Client Config" (that can be copy-paste) provided under Wireguard > Peers > Wireguard Peer to another device. This would indeed be a need solution. Rather. Just copy the MTU value of the WG interface configured under Wireguard > Wireguard directly to the example client config shown for the individual Wireguard Peer. The Client MTU should not be ale to be set differently than the parent Wireguard interface.
+1 - it is nice feature but really confusing if you don't know. If on another tab... it both be easy to have some add'l WG attributes like allowedip, mtu, or whatever & be way clear what these "Client Xxxxx:" things are used for. i.e. official WG clients only let you edit (or paste) a config file, so being able to just cut-and-paste all the right WG keys+config from RouterOS is pretty handy to setup a new peer.If it was me, I'd also move the entire "client config" section (that's only used for generating the client qr/config) to another tab on the selected peers menu).
I ran into the same issue at home this week when installing wAP AC using wifi-qcom-ac drivers in capsman environment.I'm running into the "client was disconnected because could not assign vlan".
Is this due to the fact I'm running hybrid (both wifi-qcom and wifi-qcom-ac? Didn't have this with an wifi-qcom-ac only environment.
The issue with the scheduler is now solved. The first script in the “startup” chain had a delay of 10 seconds … apparently this was not enough time cause when RoS reboots the interfaces do not initialize within that time delay so the dynu scrip generates an error condition that it cannot find the pppoe interface - and that kills scheduler from proceeding … I increased the delay to 15 seconds and this time all the scripts completed their tasks … picking 15 seconds was just a random number … when I have time I play with the time element by increments of 1 second and see if I can shorten the delay.CCR1009 RoS v 7.16beta2
Starting with Ros 7.15 Scheduler is still broken as it tries to launch my on STARTUP script ... all the scripts have been tested and have zero errors ... very annoying ...
Yes I agree with your assessment — that it’s a bug …There the workaround is "insert a delay" too, but that kind of kludges should not be necessary.
*) dns - added support for mDNS proxy (CLI only);
*) ipv6 - fixed "no-dad" functionality;
OMG it is what I think is? mDNS repeater trough VLANs?*) dns - added support for mDNS proxy (CLI only);
Am I right that this is Hardware Multicast support ?What's new in 7.16beta3 (2024-Jun-27 08:33):
*) bridge - added L2 MDB support for switch chips with HW offloaded IGMP snooping;
/interface bridge mdb
add bridge=bridge1 group=01:00:5E:01:01:02 ports=ether2
add bridge=bridge1 group=33:33:00:00:00:02 ports=ether2,ether3
I found /ip dns mdns-repeat-ifaces but overlooked "enable". Can you please give a hint? Thanks.yes, real mDNS repeater. Very simple config, just add interfaces and enable.
You just need to specify the interface where mDNS should be "shared".I found /ip dns mdns-repeat-ifaces but overlooked "enable". Can you please give a hint? Thanks.yes, real mDNS repeater. Very simple config, just add interfaces and enable.
/ip/dns set mdns-repeat-ifaces=vlan20,vlan10
/ip/dns set mdns-repeat-ifaces=""
Humm... A new feature, and it already comes without support to Interface-Lists....just add interfaces and enable.
"overhauled" DNS already makes me shiver...Maybe this drop has the "overhauled" DNS?
*) dns - added VRF support;
In other words, you're dropping support for RFC 3056. Because that needs unspecified remote address. Is it intentional?*) 6to4 - make "remote-address" parameter mandatory;
I have had my issues where the /ip/dns VRF-awareness is failing for both the stable 7.15.1 and 7.15.2 aswell as the 7.16beta2 and 7.16beta3.Static DNS querying will be fixed in the upcoming RouterOS beta release. Please remember - this is beta. Released for testing new features and fixes. Some services might not work properly, and these version should not be used on important routers. As for the DoH - we are looking into this and will update later on.
Yup, thats me! (failed to find how to send you a DM so the reply is public instead).@Apachez are you the same Apachez on VYOS forum, if you are I'm glad you are here too
7.16beta1 (2024-06-05 11:52)
Changes
- supout - added netwatch section
Fixes
- route - fixed memory leak (introduced in v7.15);
This is a beta version, not a production version.Rolling back the dns is shit
Yes that's correct. If your firewall drops the udp multicasts on the input chain, the mDNS proxy will not see the traffic and thus does not repeat anything.I am assuming that the mDNS feature requires that the Firewall allows inbound on all the relevant interfaces for udp port 5353 for IP packets addressed even if addressed to 224.0.0.251 ?
So does the firewall rule need to allow 5353udp on the forward chain or the input chain?Yes that's correct. If your firewall drops the udp multicasts on the input chain, the mDNS proxy will not see the traffic and thus does not repeat anything.I am assuming that the mDNS feature requires that the Firewall allows inbound on all the relevant interfaces for udp port 5353 for IP packets addressed even if addressed to 224.0.0.251 ?
AFAIK, repeated mDNS via input (or output) chain (NOT forward) since it's a local process in Packet Flow diagrams.*) dns - added support for DoH with static FWD entries;
*) dns - added support for mDNS proxy (CLI only);
So does the firewall rule need to allow 5353udp on the forward chain or the input chain?
Thanks a lot, Mikrotik!*) dns - added support for DoH with static FWD entries;
andThis is really scary whenever someone from the dev enhancing the DNS code base one way or another they always broke the dns resolver ... this is a recurring issues and the code is very fragile so to speak
This version of RouterOS is marked as beta software. Such breaking issues are to be expected, usually one should expect far worse issues considering it's a beta (regardless of the manufacturer), and one shouldn't run such software in production eg. you should run bleeding edge software only on devices for which critical issues that cause downtime are acceptable.... now you/we are lucky because it does not work at all, a clear state. but once those bugs are fixed we again risk to be in the situation were it seems to work but it fails in all kinds of border cases, as happened several times before. a sad situation...
It is totally possible for stable releases to have issues as well: no software release is perfect. However the difference is that beta software is expected to have critical issues, while stable software is not. What I'm after is that it is totally acceptable for beta software to have major issues and while these should of course be relayed to the manufacturer and fixed, also avoided by the manufacturer in the first place to the best of their abilities, it seems odd to complain about such issues existing when the expectation is that there are going to be such issues indeed. I'd understand complaints of bad quality if a stable version failed to boot due to some trivial issue, or the DNS refactoring in question was sent to stable as-is, however in beta such a thing is the norm.But at the same time these "betas" fixes critical errors found in the "stable" releases - which gives?
Should I use a "stable" release who is more broken than the "beta" release who is just slightly broken? Which one would you recommend to be used in production?
Well, after MikroTik being in the field of router software development for nearly 30 years we could kind of expect that the developers have gotten around to setting up some automated test environment that runs a series of regression tests before even a beta release hits the download servers.This version of RouterOS is marked as beta software. Such breaking issues are to be expected, usually one should expect far worse issues considering it's a beta
They most likely have such tests for previously identified regressions. New features are new, for a regression test to be written a regression first has to happen: either in the MikroTik internal alpha testing phase or the public beta testing phase like here.Well, after MikroTik being in the field of router software development for nearly 30 years we could kind of expect that the developers have gotten around to setting up some automated test environment that runs a series of regression tests before even a beta release hits the download servers.
Exactly, this DNS functionality is novel on RouterOS and thus these problems have not been found and fixed in the past. If they had been why would MikroTik intentionally ship bugs (without marking them as known issues)? The issues concerning this beta version may have been uncovered in this thread for the first time ever.That test set would contain tests for basic functionality, and also for any problems that have been found and fixed in the past.
Such tests are usually ready in the release candidate phase. As the release candidate is a candidate for stable unless new issues are discovered in brief period of running a release candidate. So stable release by definition is the point in time where the tests have been done for the release to be made without these bugs present anymore. Of course this doesn't guarantee that all bugs were found.When beta versions can go out with such issues, at what point in time will the tests be done that make the "stable" version go out without them?
Yes! That is the very definition of beta software and the reason beta versions exist in the first place. If MikroTik wouldn't like the community to help test unstable versions, they would not do beta releases: preparing such releases for no benefit would be a waste of time and effort.Or are "we" (the users) supposed to do the testing?
Long-term releases already exist for RouterOS, however the branch lags behind in features by a lot (as is to be expected). Right now the long term tree has yet to be updated to RouterOS 7+ for example. I'd guess the users of long-term releases have some very mission critical installations or they just want the peace of mind of not having to worry about updates as much.Couldn't this be solved by creating "long term" or "mature" branch which would only contain final versions of previous stable branches - which would currently be 7.14.3 (or 7.14.4 for clarity) and final version of 7.15 branch when 7.16 comes out as stable release?
*) ip/ipv6 - added multipath hash policy settings;
/ip/settings/set ipv4-multipath-hash-policy=<tab>
l3 l3-inner l4
l3 -- layer-3 hashing of src IP, dst IP
l3-inner -- layer-3 hashing or inner layer-3 hashing if available
l4 -- layer-4 hashing of src IP, dst IP, IP protocol, src port, dst port
Especially how new things **should** work. So one can spot a bug eventually. E.g. mDNS proxy put up some questions.If you gave a little more detail on new things, people might try them. i.e.
It is in the manual:If you gave a little more detail on new things, people might try them. i.e.
So what is your explanation that the broken VRF-support of /ip/dns which was released in 7.15 stable (and is still broken in 7.15.2 stable AND 7.16beta3) got through the basic testing internally at Mikrotik HQ (if such tests even exists)?They most likely have such tests for previously identified regressions. New features are new, for a regression test to be written a regression first has to happen: either in the MikroTik internal alpha testing phase or the public beta testing phase like here.Well, after MikroTik being in the field of router software development for nearly 30 years we could kind of expect that the developers have gotten around to setting up some automated test environment that runs a series of regression tests before even a beta release hits the download servers.
Exactly, this DNS functionality is novel on RouterOS and thus these problems have not been found and fixed in the past. If they had been why would MikroTik intentionally ship bugs (without marking them as known issues)? The issues concerning this beta version may have been uncovered in this thread for the first time ever.That test set would contain tests for basic functionality, and also for any problems that have been found and fixed in the past.
Such tests are usually ready in the release candidate phase. As the release candidate is a candidate for stable unless new issues are discovered in brief period of running a release candidate. So stable release by definition is the point in time where the tests have been done for the release to be made without these bugs present anymore. Of course this doesn't guarantee that all bugs were found.When beta versions can go out with such issues, at what point in time will the tests be done that make the "stable" version go out without them?
If I had to criticize MikroTik's processes I'd point out that new features probably shouldn't be added in the release candidate phase like they commonly do. However release candidate might just be the public facing name of these releases and internally such features might have been in testing for a long time, so it's hard to tell.
Yes! That is the very definition of beta software and the reason beta versions exist in the first place. If MikroTik wouldn't like the community to help test unstable versions, they would not do beta releases: preparing such releases for no benefit would be a waste of time and effort.Or are "we" (the users) supposed to do the testing?
When something is changed in a core component like the DNS resolver, I fully expect that the basic functionality is tested.Exactly, this DNS functionality is novel on RouterOS and thus these problems have not been found and fixed in the past
Well, I consider it a waste of people's time and effort to release beta versions that have not been tested to a minimal level in-house.Yes! That is the very definition of beta software and the reason beta versions exist in the first place. If MikroTik wouldn't like the community to help test unstable versions, they would not do beta releases: preparing such releases for no benefit would be a waste of time and effort.Or are "we" (the users) supposed to do the testing?
It looks like this has been fixed in beta4, thank you!Hi there,
I'm using DNS FWD entries and usually could ping to a FQDN for those FWD entries from the terminal. This is not working anymore in 7.16. Please fix it, it is really useful.
ping portal.test.internal
invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
while resolving ip-address: name does not exist
Thank you!
Works in 7.16beta4 now. Thanks a lot!Anyway... This does not (yet) work for me.
Though... Even disabling DoH does not help here, the forwarding does not work as expected. I think I have the regular expression right, so wondering what's the deal here. Anybody else?
I do hope to see the above message regarding logging mess SUP-105353 SUP-144261:What's new in 7.16beta5 (2024-Jul-25 15:47):
*) log - logging now following rfc 5424 standard;
😋What's new in 7.91beta3 (2030-Jul-25 15:47):
*) log - logging now partially following rfc 5424 standard;
Jul/04/2024 13:20:47 dhcp,debug,packet -> ia_pd:
Jul/04/2024 13:20:47 dhcp,debug,packet t1: 43200
Jul/04/2024 13:20:47 dhcp,debug,packet t2: 69120
Jul/04/2024 13:20:47 dhcp,debug,packet id: 0x2
Jul/04/2024 13:20:47 dhcp,debug,packet -> ia_prefix:
Jul/04/2024 13:20:47 dhcp,debug,packet prefix: xxxx:xxxx:3:3002::/64
Jul/04/2024 13:20:47 dhcp,debug,packet valid time: 0
Jul/04/2024 13:20:47 dhcp,debug,packet pref. time: 0
Jul/04/2024 13:21:15 dhcp,debug,packet recv server: <pppoe-user3> fe80::93bf:dd60:0:2 -> ff02::1:2
Jul/04/2024 13:21:15 dhcp,debug,packet type: solicit
Jul/04/2024 13:21:15 dhcp,debug,packet transaction-id: 3b7d34
Jul/04/2024 13:21:15 dhcp,debug,packet -> clientid: 00030001 005056bf 3ea9
Jul/04/2024 13:21:15 dhcp,debug,packet -> oro: 23
Jul/04/2024 13:21:15 dhcp,debug,packet -> elapsed_time: 56
Jul/04/2024 13:21:15 dhcp,debug,packet -> rapid_commit: [empty]
Jul/04/2024 13:21:15 dhcp,debug,packet -> ia_pd:
Jul/04/2024 13:21:15 dhcp,debug,packet t1: 0
Jul/04/2024 13:21:15 dhcp,debug,packet t2: 0
Jul/04/2024 13:21:15 dhcp,debug,packet id: 0x2
Jul/04/2024 13:21:15 dhcp,debug processing client:005056bf3ea9 iapd:0x2
Jul/04/2024 13:21:15 dhcp,debug binding belongs to other server: 005056bf3ea9 xxxx:xxxx:3:3002::/64
Jul/04/2024 13:21:15 dhcp,debug binding not updated
Jul/04/2024 13:21:15 dhcp,debug,packet send <pppoe-user3> -> fe80::93bf:dd60:0:2%8
Jul/04/2024 13:21:15 dhcp,debug,packet type: reply
Jul/04/2024 13:21:15 dhcp,debug,packet transaction-id: 3b7d34
Jul/04/2024 13:21:15 dhcp,debug,packet -> clientid: 00030001 005056bf 3ea9
Jul/04/2024 13:21:15 dhcp,debug,packet -> serverid: 00030001 005056bf 358d
Jul/04/2024 13:21:15 dhcp,debug,packet -> rapid_commit: [empty]
Jul/04/2024 13:21:15 dhcp,debug,packet -> dns_servers:
Jul/04/2024 13:21:15 dhcp,debug,packet xxxx:xxxx:0:10::10
Jul/04/2024 13:21:15 dhcp,debug,packet xxxx:xxxx:0:10::11
Jul/04/2024 13:21:15 dhcp,debug,packet -> ia_pd:
Jul/04/2024 13:21:15 dhcp,debug,packet t1: 43200
Jul/04/2024 13:21:15 dhcp,debug,packet t2: 69120
Jul/04/2024 13:21:15 dhcp,debug,packet id: 0x2
Jul/04/2024 13:21:15 dhcp,debug,packet -> ia_prefix:
Jul/04/2024 13:21:15 dhcp,debug,packet prefix: xxxx:xxxx:3:3002::/64
Jul/04/2024 13:21:15 dhcp,debug,packet valid time: 0
Jul/04/2024 13:21:15 dhcp,debug,packet pref. time: 0
Jul/04/2024 13:27:03 dhcp,debug,packet send pppoe-out1 -> ff02::1:2%8
Jul/04/2024 13:27:03 dhcp,debug,packet type: solicit
Jul/04/2024 13:27:03 dhcp,debug,packet transaction-id: e50e97
Jul/04/2024 13:27:03 dhcp,debug,packet -> clientid: 00030001 005056bf 3ea9
Jul/04/2024 13:27:03 dhcp,debug,packet -> oro: 23
Jul/04/2024 13:27:03 dhcp,debug,packet -> elapsed_time: 15
Jul/04/2024 13:27:03 dhcp,debug,packet -> rapid_commit: [empty]
Jul/04/2024 13:27:03 dhcp,debug,packet -> ia_pd:
Jul/04/2024 13:27:03 dhcp,debug,packet t1: 0
Jul/04/2024 13:27:03 dhcp,debug,packet t2: 0
Jul/04/2024 13:27:03 dhcp,debug,packet id: 0x2
Jul/04/2024 13:27:03 dhcp,debug,packet recv client: pppoe-out1 fe80::e129:567d:f0:1 -> fe80::93bf:dd60:0:2
Jul/04/2024 13:27:03 dhcp,debug,packet type: reply
Jul/04/2024 13:27:03 dhcp,debug,packet transaction-id: e50e97
Jul/04/2024 13:27:03 dhcp,debug,packet -> clientid: 00030001 005056bf 3ea9
Jul/04/2024 13:27:03 dhcp,debug,packet -> serverid: 00030001 005056bf 358d
Jul/04/2024 13:27:03 dhcp,debug,packet -> rapid_commit: [empty]
Jul/04/2024 13:27:03 dhcp,debug,packet -> dns_servers:
Jul/04/2024 13:27:03 dhcp,debug,packet xxxx:xxxx:0:10::10
Jul/04/2024 13:27:03 dhcp,debug,packet xxxx:xxxx:0:10::11
Jul/04/2024 13:27:03 dhcp,debug,packet -> ia_pd:
Jul/04/2024 13:27:03 dhcp,debug,packet t1: 43200
Jul/04/2024 13:27:03 dhcp,debug,packet t2: 69120
Jul/04/2024 13:27:03 dhcp,debug,packet id: 0x2
Jul/04/2024 13:27:03 dhcp,debug,packet -> ia_prefix:
Jul/04/2024 13:27:03 dhcp,debug,packet prefix: xxxx:xxxx:3:3002::/64
Jul/04/2024 13:27:03 dhcp,debug,packet valid time: 0
Jul/04/2024 13:27:03 dhcp,debug,packet pref. time: 0
Jul/04/2024 13:27:03 dhcp,debug handle reply
Jul/04/2024 13:27:03 dhcp,debug ia_pd xxxx:xxxx:3:3002:: expired- ignore
Jul/04/2024 13:27:03 dhcp,error no valid addreses received from the server
/ipv6 settings set accept-redirects=no accept-router-advertisements=no max-neighbor-entries=2048
/ipv6 dhcp-client add add-default-route=yes interface=ether2-NBN pool-name=launtel rapid-commit=no request=prefix use-peer-dns=no
/ipv6 address add advertise=no from-pool=launtel interface=ether2-NBN
/ipv6/address> add from-pool=launtel interface=IoT advertise=yes
failure: already have such address
/ipv6/address> print
Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 DL fe80::54cb:5f35:591a:9f0e/64 wireguard-vpn no
1 D ::1/128 lo no
2 DL fe80::1afd:74ff:fe78:48c6/64 Security no
3 DL fe80::1afd:74ff:fe78:48c6/64 bridge no
4 DL fe80::1afd:74ff:fe78:48c6/64 IoT no
5 DL fe80::1afd:74ff:fe78:48c7/64 ether2-NBN no
6 G 2404:e80:XXXX::/64 launtel ether2-NBN no
/ipv6 dhcp-client
add add-default-route=yes interface=ether2-NBN pool-name=launtel request=prefix use-peer-dns=no
/ipv6/dhcp-client> print
Columns: INTERFACE, STATUS, REQUEST, PREFIX
# INTERFACE STATUS REQUEST PREFIX
0 ether2-NBN bound prefix 2404:e80:XXXX::/48, 23h59m39s
/ipv6/pool> print
Flags: D - DYNAMIC
Columns: NAME, PREFIX, PREFIX-LENGTH, EXPIRES-AFTER
# NAME PREFIX PREFIX-LENGTH EXPIRES-AFTER
0 D launtel 2404:e80:XXXX::/48 64 23h59m20s
With close to 7 years since my first post, I guess we are closer to version 18 before some gets done.Let me check my crystal ball:
😋What's new in 7.91beta3 (2030-Jul-25 15:47):
*) log - logging now partially following rfc 5424 standard;
I'm not sure what you mean, can you explain this in more detail? I don't mind hacking things a bit to get IPv6 functionality back while Mikrotik works the problem.Now I have to manually create the ipv6 addresses using the Bridge dynamic assignment as a guide, copying the address and changing the prefix slightly for each VLAN. Then the pool kicks in and routes and the rest get created dynamically.
It would also be nice to be able to log stuff per IPsec tunnel, or per BGP Peer, etc.Aside of that rfc, I am also still hoping that at some point the assignment of topics will be cleaned up, there will be a unique "topic" for every message (a numeric code), and the "level" of the message (critical/debug/info/warning/error) would occur in each message only once and as the first topic.
Furthermore, it would be nice when logging rules could include a matching regexp on the message content.
Yeah this is not stable for me at all. There are IPv6 addresses assigned to interfaces on the router which are invisible to ROS. If you tinkered with your settings and tried to re-add them I suspect it would give you the errors I'm getting.After the upgrade I only had a global address showing for my Bridge - not my VLANs also. I copied the Bridge global address and changed the interface to my first VLAN interface and changed the global address in the 8 bits I have to work with in the /56 I am provided from 00 to 10 (for example for VLAN10). Saved the new global address.
I then saw that I had a route created, the VLAN now shows up in /IPV6/ND/Prefix…
It has been stable. I repeated the process for my other VLANs where I want IPV6.
Unless the logs change to include some unique string, number, whatever, per BGP peer or per IPsec tunnel or per anything, regex won't really work.Yes, that would often (but not always) be solved by having regexp matching on the message content, which I proposed as well.
I have to pull back from this statement until I do further testing. My ISP also changed the way they issue default routes for IPv6 and so I now I don't know if the core issue was 7.16beta4 or the ISP change.Ergo, IPv6 is way borked in 7.16beta4.
/ipv6 settings set accept-redirects=no accept-router-advertisements=yes
/ipv6 dhcp-client add interface=ether2-NBN pool-name=launtel request=prefix
Have you seen v7 BGP logs? What else is required to differentiate between BGP sessions apart from already logged session name, local/remote address ?
Unless the logs change to include some unique string, number, whatever, per BGP peer or per IPsec tunnel or per anything, regex won't really work.
You mean the ISP router waits for RA from your Mikrotik?I have to pull back from this statement until I do further testing. My ISP also changed the way they issue default routes for IPv6 and so I now I don't know if the core issue was 7.16beta4 or the ISP change.Ergo, IPv6 is way borked in 7.16beta4.
This particular ISP now requires that IPv6 DHCP and routes are handled like so:The change is that the DHCP-client no longer adds a default route, and the router waits for an RA before adding it. I will test this with 7.16beta4 and reply here with results.Code: Select all/ipv6 settings set accept-redirects=no accept-router-advertisements=yes /ipv6 dhcp-client add interface=ether2-NBN pool-name=launtel request=prefix
BGP was just an example, albeit out of date apparently since it just so happens that I didn't have to enable bgp debugging during the last few versions that it got improved, so I didn't notice... Great improvement obviously! :DHave you seen v7 BGP logs? What else is required to differentiate between BGP sessions apart from already logged session name, local/remote address ?
Unless the logs change to include some unique string, number, whatever, per BGP peer or per IPsec tunnel or per anything, regex won't really work.
No, what happens with the config I posted is that, irrespective of DHCP, the ISP regularly sends RA packets that announce the next hop router and default route. The DHCP client in ROS just requests a prefix, which can then be used to assign addresses from the prefix pool that is created.You mean the ISP router waits for RA from your Mikrotik?
Another thing to lookup/verify is if your ISP actually sends you a public nexthop to be used as gateway for your Mikrotik or if they rely on linklocal address instead (which lately seems to have become a thing among ISP's)?
Nope. It may sound weird, but DHCPv6 does not have ability to add default route. The option in RouterOS to do so is MikroTik's non-standard hack, it simply uses link-local address of DHCPv6 server as gateway. Which works only when DHCPv6 server is the same machine (uses same link-local address) as gateway, but there's no guarantee that it's always going to be that way. And if not, this hack fails.The next hop gateway is indeed a link local address. It was always a link local address previously, but it was being issued as part of the DHCP response.
In that case use tcpdump and/or wireshark to find out how the ISP RA's are actually configured.No, what happens with the config I posted is that, irrespective of DHCP, the ISP regularly sends RA packets that announce the next hop router and default route. The DHCP client in ROS just requests a prefix, which can then be used to assign addresses from the prefix pool that is created.You mean the ISP router waits for RA from your Mikrotik?
Another thing to lookup/verify is if your ISP actually sends you a public nexthop to be used as gateway for your Mikrotik or if they rely on linklocal address instead (which lately seems to have become a thing among ISP's)?
The next hop gateway is indeed a link local address. It was always a link local address previously, but it was being issued as part of the DHCP response.
Confirmed via packet capture it's using the O flag, so the behaviour is valid.
The O-flags means that you can use DHCPv6-client to get other information such as which DNS-resolvers to use.
But if the M-flag is set then the Mikrotik is misbehaving because set M-flag means that the client is expected to use its DHCPv6-client to request which IPv6 it should use and gateway to route through.
Yikes. Thanks for that information; it explains why my ISP's change broke Mikrotik, but it probably fixed issues with a bunch of other vendors used by customers.It may sound weird, but DHCPv6 does not have ability to add default route. The option in RouterOS to do so is MikroTik's non-standard hack, it simply uses link-local address of DHCPv6 server as gateway. Which works only when DHCPv6 server is the same machine (uses same link-local address) as gateway, but there's no guarantee that it's always going to be that way. And if not, this hack fails.
I have multiple devices which support Chromecast, but Netflix refuses to cast to most of them regardless of whether they're in the same subnet, or across VLANs and announced via mDNS. Netflix is very picky, and I can't tell you why.Just did a test with mDNS on two different vLANs, and it does not work with Netflix. It works with Chrome, Youtube, Viaplay, Etc.
Any idea why this does not work with Netflix?
Are you sure it's not flushing, my cache became overwhelmed @9 days, that might explain this.....The DNS cache does not flush, it stays in the ram memory on x86
/ipv6 address
add address=::2 from-pool=v6prefix interface=bridge.vlan62
add address=::2 from-pool=v6prefix interface=bridge.vlan64
/ipv6 address
add address=::2 from-pool=v6prefix interface=bridge.vlan62
add address=::3 from-pool=v6prefix interface=bridge.vlan64
Maybe not. At the moment I can not test that.Will the same happen if you do something like this instead?
You are doing that wrong! You should have the /32 routes with "ping" check and the recursive 0.0.0.0/0 routes without "ping".Do recursive route no longer show up red when they are unavailable and inactive?
I've tried both ways, but this way actually let's me have two DNS checks for each WAN route. I've tested it thoroughly. If 1.1.1.1 is unreachable, but 208.67.220.220 is, it keeps the route for WAN1 active. Only if both are unreachable, does it disable the 0.0.0.0/0 route for WAN1.You are doing that wrong! You should have the /32 routes with "ping" check and the recursive 0.0.0.0/0 routes without "ping".Do recursive route no longer show up red when they are unavailable and inactive?
Yes, I've tried closing the route window, opening it back up, closing Winbox, opening it back up. It doesn't refresh nor show red anymore. I've also tried on Webfig, but it shows the same as Winbox.have you hit F5 or closed / reopened the ip/route window? The routing table doesn't get updated in realtime anymore since the release of ROS7. It's incredibly annoying, for all non-bgp users with less than <1000 routes in the routing table.
It looks like every address defined this way would be picked up as different prefix if it was defined as ::2/64 instead of ::2 which is identified as single address i.e. ::2/128. It might be that automatic picking from pool does not work as expected if address is not defined as /64. Maybe this is the problem?Indeed there is a problem obtaining IPv6 addresses from pool.
I have this in the config:The second address silently disappeared. When I try to re-add it, it says "already have such address".Code: Select all/ipv6 address add address=::2 from-pool=v6prefix interface=bridge.vlan62 add address=::2 from-pool=v6prefix interface=bridge.vlan64
Yes sure the suggested address is the same, but it is supposed to fetch another prefix from the pool and add an address using that prefix.
"Sure I would like to specify which prefix," --> check the prefix-length of your pool definitionThe second address silently disappeared. When I try to re-add it, it says "already have such address".Code: Select all/ipv6 address add address=::2 from-pool=v6prefix interface=bridge.vlan62 add address=::2 from-pool=v6prefix interface=bridge.vlan64
Yes sure the suggested address is the same, but it is supposed to fetch another prefix from the pool and add an address using that prefix.
Sure I would like to specify which prefix, but it has never been possible in RouterOS.
What I mean is not to set the prefix length, it is 64 which is fine."Sure I would like to specify which prefix," --> check the prefix-length of your pool definition
https://help.mikrotik.com/docs/display/ROS/IP+Pools
/ip dns
set allow-remote-requests=yes cache-size=51200KiB use-doh-server=https://one.one.one.one/dns-query \
verify-doh-cert=yes
/ip dns adlist
add url=https://cdn.jsdelivr.net/gh/tarampampam/mikrotik-hosts-parser@master/.hosts/basic.txt
add url=https://raw.githubusercontent.com/What-Zit-Tooya/Ad-Block/main/Main-Blocklist/Ad-Block-HOSTS.txt
add url=https://justdomains.github.io/blocklists/lists/easyprivacy-justdomains.txt
add url=https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt
add url=https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt
add url=https://justdomains.github.io/blocklists/lists/nocoin-justdomains.txt
add url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
add url=https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
add url=https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/native.winoffice.txt
add url="https://pgl.yoyo.org/adservers/serverlist.php\?hostformat=hosts&showintro=0&mimetype=plaintext"
add url=https://adaway.org/hosts.txt
That is true. Releasing PD lease should be possible to do with a script. If even valid lifetime is not honoured then this is a problem as well. They should be gone after valid lifetime (maximum possible lifetime) is expired.I have the "Valid lifetime" set to 1d 00:00:00 on my routers and I know for sure that it is advertising deprecated prefixes until reboot.
The deprecated prefixes were still announced weeks later when I tested that.
W.r.t. exhausting the pool, as I wrote above, you can work around that by refreshing the pool (in my case: release the DHCPv6 client lease). Still that can have impact on other interfaces.
I would prefer to be able to set a prefix hint in the interface address assignment, i.e., not only specify the local part of the address but also the preferred subnet in the global prefix.
*) file - renamed "creation-time" to "last-modified";
*) wifi - send channel switch announcements to clients when switching channels at requested re-select intervals;
OK,kill a container mdns-repeater .*) dns - added support for mDNS proxy;
/ip/dns/set mdns-repeat-ifaces=bridge1,vlan1_iot
OK,kill a container mdns-repeater .*) dns - added support for mDNS proxy;
Works wellCode: Select all/ip/dns/set mdns-repeat-ifaces=bridge1,vlan1_iot
same here .... using 7.15.3 or 7.16beta4 have no problem ....7.16beta7 is causing all BGP sessions to establish and then disconnect in a loop with no error in the log. Had to rollback to stable to fix it.
Can you eleborate this? I'm onto the beta in my home environment (I know, just a small network). Haven't had any strange CAPsMAN things, at least for me it is working not any less stable than the stable version.if u want to get to the trouble, then use the new CapsMan
ouch another mishap and potential savings is already lost, we got the speed we need at the expense of loosing another non optional important feature sigh...wifi-qcom-ac? No, no dynamic VLAN assignment
Of course local forwarding exists in new wifi capsman. It is the only supported forwarding mode.Local forwarding - does not exist in the new one
This is the setup I use at home:as per the above post this is not encouraging my hopes already sunk, 802.1x + 802.1q is pretty much standard in the campus/enterprise, I'm not a native english speaker so please bare with me with the question
802.1x + 802.1q + radius (usermanager/freeradius) with wifi-qcom-ac/wifi-qcom latest and greatest driver does it work Yes/No?
802.1x + 802.1q + radius (usermanager/freeradius) with wifi-qcom-ac/wifi-qcom latest and greatest driver can this setup works with or without capsman Yes/No?
Local forwarding Yes/No?
Thanks in advance
What "mishap"? I have two suggestions for you:ouch another mishap and potential savings is already lost, we got the speed we need at the expense of loosing another non optional important feature sigh...wifi-qcom-ac? No, no dynamic VLAN assignment
Thanks for your reply anyway greatly appreciate it!!!
Any idea what could be changed from 7.15 to 7.16 in Bridge or VLAN or container handling which may cause this in a VLAN context? Any new (default?) feature which may cause this and needs just to ba adjusted?My adguard container won't start after update , nothing in log, anyone else has problem with containers ?
Mikrotik is making this even worse by discontinuing ac-devices and replacing them with ax-devices where there's no way back.ouch another mishap and potential savings is already lost, we got the speed we need at the expense of loosing another non optional important feature sigh...wifi-qcom-ac? No, no dynamic VLAN assignment
wifi-qcom (ax devices) does have per-client VLAN support. It's the wifi-qcom-ac package (which only works with some ac cards, not ax cards) that doesn't do per-client VLAN; this package however is optional for most ac devices and one should use wireless if per-client VLANs are a requirement. Though ax VLAN assignment is in a different menu (Wifi->Datapath or Wifi->Access List) compared to how it was before in Wireless. Maybe you have missed it or maybe I just misunderstood your post?Mikrotik is making this even worse by discontinuing ac-devices and replacing them with ax-devices where there's no way back.
Thanks this is all I need to know, so wifi-qcom-ac is now out as I can't repurpose them, I'm going to lab this asapThis is the setup I use at home:
hex S / RB760iGS as CAPsMAN + UserManager
3 cAP ax as access points controlled by CAPsMAN
This setup only uses wifi-qcom and dynamic vlans using usermanager are absolutely working as intended.
One SSID is wpa3-eap only using peap with dynamic vlans and I have two additional SSIDs using wpa2-psk/wpa3-psk both with an vlan id for each of them
Or the ramdisk. No need to permanently save that file, it is only a tmpfile.Can you please make the storage for adlist configurable, so that I can use the sd-card in my hex S?
This would be the best way.Or the ramdisk. No need to permanently save that file, it is only a tmpfile.Can you please make the storage for adlist configurable, so that I can use the sd-card in my hex S?
Still no fix for logging mess SUP-105353 SUP-144261Still no fix for igmp-proxy issue SUP-152693, so waiting for it at next versions.
*) dns - show static entry type "A" field in console;
[admin@MikroTik] /ip/dns/static> add address=2.2.2.2 name=test.home.lan
[admin@MikroTik] /ip/dns/static> export
add address=2.2.2.2 name=test.home.lan type=A
What's new in 6.48beta12 (2020-Jul-06 13:33):
*) dns - do not use type "A" for static entries with unspecified type;
What's new in 6.48 (2020-Dec-22 11:20):
*) dns - do not use type "A" for static entries with unspecified type;
And (somewhere) in the 7.1beta branch, not sure which beta:
What's new in 7.1beta5 (2021-Mar-16 14:41):
!) ported features and fixes introduced in v6.48.1;
*) other minor fixes and improvements;
There is a route crash, will be fixed in next beta.In 7.16beta7 ALL (all instances in all protocols) dynamic routing and, for some reason, 6to4 tunnel breaks, when using routing filter rule with "set gw" property.
Thanks for the confirmation!There is a route crash, will be fixed in next beta.In 7.16beta7 ALL (all instances in all protocols) dynamic routing and, for some reason, 6to4 tunnel breaks, when using routing filter rule with "set gw" property.
DHCP routes installed with no issues. Contact support.Hm, my device receives an address via dhcp client, but it does not set any routes... Neither default one, nor stateless ones (option 121).
I guess it is the route crash you mentioned earlier, as OSPF is involved. Waiting for next beta, will report then if the issue persists.DHCP routes installed with no issues. Contact support.
Thanks 🙏👍When not setting MAC, it takes the MAC of "the first running interface on the bridge" and that is way to variable to depend on.
Always set the admin MAC!
:global myFOUND "0";
#
# Function to display and log messages
#
:global debugMSG do={
:put "DEBUG: $1";
:log info "DEBUG: $1";
}
#
# Setting static mac-address on bridge1 if ether interface is found
#
:set myFOUND 0;
:foreach i in=[/interface find where !(slave=yes || passthrough=yes || type=loopback || name~"bridge")] do={
:local tmpPORTNAME [/interface get $i name];
:if ($myFOUND = 0) do={
:if ([/interface get $i type] = "ether") do={
:local tmpMAC [/interface get $tmpPORTNAME mac-address];
$debugMSG ("Set bridge1 admin-mac: ".$tmpMAC);
/interface bridge set bridge1 auto-mac=no admin-mac=$tmpMAC;
:set myFOUND 1;
}
}
}
What exactly is that you're after? Your script explicitly sets bridge MAC address to address of first listed ethernet port (even if it's not member of any bridge). Which is kind of default behaviour, only that default only considers interfaces which are actually member ports of that particular bridge. OTOH default heuristics runs every time bridge starts and if interface "enslavement" results in different port order, then bridge MAC address may change after boots. Additionally, your script changes bridge MAC address after bridge is already up&running and that can disturb (hopefully only temporarily) the traffic between bridge interface and subnet(s) attached to bridge port(s).With that being said looking at the restore script from Mikrotik even if they manually set the admin mac they still pick the first available mac from the device itself.
/system reset-configuration keep-users=yes no-defaults=yes skip-backup=yes run-after-reset=flash/custom.rsc
If you set admin-mac without setting auto-mac=no that configuration doesn't make any sense and therefore admin-mac would not be saved at all and auto-mac would be in effect:Auto-mac=on will pick any available mac-address of your device.
interface/bridge/add name=bridge-test admin-mac=9A:3C:61:97:08:8A
interface/bridge/export
/interface bridge
add name=bridge-test
interface/bridge/add name=bridge-test admin-mac=9A:3C:61:97:08:8A auto-mac=no
interface/bridge/export
/interface bridge
add admin-mac=9A:3C:61:97:08:8A auto-mac=no name=bridge-test
/interface bridge set bridge1 auto-mac=no admin-mac=$tmpMAC;
Good point and my fault to uncomplete description: Both networks are routed over a WireGuard/EOIP connection, not bridged. The reason is to archive a 1500 MTU over the VPN connection.Of course you should EITHER use mdns repeater OR use an EOIP tunnel between the networks! Not both.
The repeater is to connect networks that are routed, not for networks that are bridged.
Can confirm. Now I need to add a static route (DHCP client didn't do that) so that the default WAN works as usual.In 7.16beta7 ALL (all instances in all protocols) dynamic routing and, for some reason, 6to4 tunnel breaks, when using routing filter rule with "set gw" property.
Tested on RB4011
[admin@MikroTik] > /ip/ipsec/mode-config/export verbose terse
# 2024-08-04 10:01:34 by RouterOS 7.16beta7
# software id =
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
[admin@MikroTik] > /ip/pool/add name=test ranges=192.168.200.100
[admin@MikroTik] > /ip/ipsec/mode-config/add address-pool=test address-prefix-length=32 name=test split-include=0.0.0.0/0 static-dns=192.168.200.1 system-dns=no
[admin@MikroTik] > /ip/ipsec/mode-config/export verbose terse
# 2024-08-04 10:01:34 by RouterOS 7.16beta7
# software id =
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec mode-config add address-pool=test address-prefix-length=32 name=test split-dns="" split-include=0.0.0.0/0 system-dns=no
[admin@MikroTik] > /log/print
10:01:01 system,info router rebooted
10:01:01 interface,info lo link up
10:01:07 dhcp,info dhcp-client on ether1 got IP address 10.0.2.15
10:01:15 system,info,account user admin logged in from 10.0.2.2 via winbox
10:01:26 system,info,account user admin logged in from 10.0.2.2 via winbox
10:01:34 system,info pool test added by winbox-3.41/tcp-msg(winbox):admin@10.0.2.2/terminal (*1 = /ip pool add name=test ranges=192.168.200.100)
10:01:34 system,info ipsec modecfg test added by winbox-3.41/tcp-msg(winbox):admin@10.0.2.2/terminal (*2 = /ip ipsec mode-config add name=test)
[admin@MikroTik] > /ip/ipsec/mode-config/export verbose terse
# 2024-08-04 10:05:50 by RouterOS 7.16beta4
# software id =
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
[admin@MikroTik] > /ip/pool/add name=test ranges=192.168.200.100
[admin@MikroTik] > /ip/ipsec/mode-config/add address-pool=test address-prefix-length=32 name=test split-include=0.0.0.0/0 static-dns=192.168.200.1 system-dns=no
[admin@MikroTik] > /ip/ipsec/mode-config/export verbose terse
# 2024-08-04 10:05:50 by RouterOS 7.16beta4
# software id =
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec mode-config add address-pool=test address-prefix-length=32 name=test split-dns="" split-include=0.0.0.0/0 system-dns=no
[admin@MikroTik] > /log/print
10:05:22 system,info router rebooted
10:05:22 interface,info lo link up
10:05:22 disk,info add
10:05:28 dhcp,info dhcp-client on ether1 got IP address 10.0.2.15
10:05:37 system,info,account user admin logged in from 10.0.2.2 via winbox
10:05:41 system,info,account user admin logged in from 10.0.2.2 via winbox
10:05:50 system,info pool test added by winbox-3.41/tcp-msg(winbox):admin@10.0.2.2/terminal (*1 = /ip pool add name=test ranges=192.168.200.100)
10:05:50 system,info ipsec modecfg test added by winbox-3.41/tcp-msg(winbox):admin@10.0.2.2/terminal (*2 = /ip ipsec mode-config add name=test)
[admin@MikroTik] > /ip/ipsec/mode-config/export verbose terse
# 2024-08-04 10:07:50 by RouterOS 7.16beta3
# software id =
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
[admin@MikroTik] > /ip/pool/add name=test ranges=192.168.200.100
[admin@MikroTik] > /ip/ipsec/mode-config/add address-pool=test address-prefix-length=32 name=test split-include=0.0.0.0/0 static-dns=192.168.200.1 system-dns=no
[admin@MikroTik] > /ip/ipsec/mode-config/export verbose terse
# 2024-08-04 10:07:50 by RouterOS 7.16beta3
# software id =
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec mode-config add address-pool=test address-prefix-length=32 name=test split-dns="" split-include=0.0.0.0/0 system-dns=no
[admin@MikroTik] > /log/print
10:07:19 system,info router rebooted
10:07:19 interface,info lo link up
10:07:25 dhcp,info dhcp-client on ether1 got IP address 10.0.2.15
10:07:39 system,info,account user admin logged in from 10.0.2.2 via winbox
10:07:42 system,info,account user admin logged in from 10.0.2.2 via winbox
10:07:50 system,info pool test added by winbox-3.41/tcp-msg(winbox):admin@10.0.2.2/terminal (*1 = /ip pool add name=test ranges=192.168.200.100)
10:07:50 system,info ipsec modecfg test added by winbox-3.41/tcp-msg(winbox):admin@10.0.2.2/terminal (*2 = /ip ipsec mode-config add name=test)
[admin@MikroTik] > /ip/ipsec/mode-config/export verbose terse
# 2024-08-04 10:13:55 by RouterOS 7.16beta2
# software id =
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
[admin@MikroTik] > /ip/pool/add name=test ranges=192.168.200.100
[admin@MikroTik] > /ip/ipsec/mode-config/add address-pool=test address-prefix-length=32 name=test split-include=0.0.0.0/0 static-dns=192.168.200.1 system-dns=no
[admin@MikroTik] > /ip/ipsec/mode-config/export verbose terse
# 2024-08-04 10:13:55 by RouterOS 7.16beta2
# software id =
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec mode-config add address-pool=test address-prefix-length=32 name=test split-dns="" split-include=0.0.0.0/0 system-dns=no
[admin@MikroTik] > /log/print
10:13:32 system,info crossfig will upgrade version 6 configuration
10:13:32 system,info router rebooted
10:13:33 interface,info lo link up
10:13:37 dhcp,info dhcp-client on ether1 got IP address 10.0.2.15
10:13:47 system,info,account user admin logged in from 10.0.2.2 via winbox
10:13:50 system,info,account user admin logged in from 10.0.2.2 via winbox
10:13:55 system,info pool test added by winbox-3.41/tcp-msg(winbox):admin@10.0.2.2/terminal (*1 = /ip pool add name=test ranges=192.168.200.100)
10:13:55 system,info ipsec modecfg test added by winbox-3.41/tcp-msg(winbox):admin@10.0.2.2/terminal (*2 = /ip ipsec mode-config add name=test)
[admin@MikroTik] > /ip/ipsec/mode-config/export verbose terse
# 2024-08-04 10:15:48 by RouterOS 7.16beta1
# software id =
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
[admin@MikroTik] > /ip/pool/add name=test ranges=192.168.200.100
[admin@MikroTik] > /ip/ipsec/mode-config/add address-pool=test address-prefix-length=32 name=test split-include=0.0.0.0/0 static-dns=192.168.200.1 system-dns=no
[admin@MikroTik] > /ip/ipsec/mode-config/export verbose terse
# 2024-08-04 10:15:48 by RouterOS 7.16beta1
# software id =
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec mode-config add address-pool=test address-prefix-length=32 name=test split-dns="" split-include=0.0.0.0/0 system-dns=no
[admin@MikroTik] > /log/print
10:15:02 system,info crossfig will upgrade version 6 configuration
10:15:02 system,info router rebooted
10:15:03 interface,info lo link up
10:15:08 dhcp,info dhcp-client on ether1 got IP address 10.0.2.15
10:15:41 system,info,account user admin logged in from 10.0.2.2 via winbox
10:15:44 system,info,account user admin logged in from 10.0.2.2 via winbox
10:15:48 system,info pool test added by winbox-3.41/tcp-msg(winbox):admin@10.0.2.2/terminal (*1 = /ip pool add name=test ranges=192.168.200.100)
10:15:48 system,info ipsec modecfg test added by winbox-3.41/tcp-msg(winbox):admin@10.0.2.2/terminal (*2 = /ip ipsec mode-config add name=test)
[admin@MikroTik] > /ip/ipsec/mode-config/export verbose terse
# 2024-08-04 10:38:10 by RouterOS 7.15.3
# software id =
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
[admin@MikroTik] > /ip/pool/add name=test ranges=192.168.200.100
[admin@MikroTik] > /ip/ipsec/mode-config/add address-pool=test address-prefix-length=32 name=test split-include=0.0.0.0/0 static-dns=192.168.200.1 system-dns=no
[admin@MikroTik] > /ip/ipsec/mode-config/export verbose terse
# 2024-08-04 10:38:10 by RouterOS 7.15.3
# software id =
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec mode-config add address-pool=test address-prefix-length=32 name=test split-dns="" split-include=0.0.0.0/0 static-dns=192.168.200.1 system-dns=no
[admin@MikroTik] > /log/print
10:16:51 system,info router rebooted
10:16:51 interface,info lo link up
10:16:56 dhcp,info dhcp-client on ether1 got IP address 10.0.2.15
10:38:02 system,info,account user admin logged in from 10.0.2.2 via winbox
10:38:06 system,info,account user admin logged in from 10.0.2.2 via winbox
10:38:10 system,info pool test added by winbox-3.41/tcp-msg(winbox):admin@10.0.2.2/terminal (*1 = /ip pool add name=test ranges=192.168.200.100)
10:38:10 system,info ipsec modecfg test added by winbox-3.41/tcp-msg(winbox):admin@10.0.2.2/terminal (*2 = /ip ipsec mode-config add name=test)
Hello.
SUP-161182
....