v7.16.1 [stable] is released!

Tue Sep 24, 2024 9:38 am

RouterOS version 7.16 have been released in the "v7 stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.16.1 (2024-Oct-10 17:03):

*) defconf - changed wireless installation from "indoor" to "any";
*) defconf - disable 5GHz secondary channel on RB4011;
*) dns - do not look up local cache when executing ":resolve" command with specified "server" parameter (introduced in v7.16);
*) sfp - improved initialization for certain SFP modules on CRS309 and CRS317 devices ("/system routerboard upgrade" required);

What's new in 7.16 (2024-Sep-20 16:00):

*) 6to4 - fixed 6to4 tunnel LL address generation after system reboot;
*) 6to4 - improved system stability when using 6to4 tunnel without specified remote-address;
*) 6to4 - limit keepalive timeout maximum value;
*) address - added "S" flag for addresses that belong to a slave interface;
*) arm64 - fixed "disable-running-check" for ARM64 UEFI;
*) arm64 - increased reserved storage space for bootloader;
*) arm64/x86 - added rtl8111/8168/8411 firmware;
*) arp - fixed possible issue with invalid entries;
*) bgp - fixed BGP sessions missing vpnv6 afi;
*) bgp - fixed cluster-list and originator-id;
*) bgp - fixed corrupted as-path when received update with empty AS_PATH attribute (introduced in v7.15);
*) bgp - fixed minor logging typo;
*) bgp - fixed vpnv6 safi;
*) bgp - small logging improvements;
*) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge;
*) bridge - added forward-reserved-addresses property which controls forwarding of MAC 01:80:C2:00:00:0x range (separated from "protocol-mode=none" functionality, disabled by default after upgrade);
*) bridge - added L2 MDB support for IGMP snooping;
*) bridge - added max-learned-entries property for bridge;
*) bridge - added message about who created a dynamic VLAN entry;
*) bridge - added MVRP support for VLANs assigned to bridge;
*) bridge - do not allow duplicate ports;
*) bridge - fixed BPDU address when using "ether-type=0x88a8" configuration;
*) bridge - fixed MVRP leave;
*) bridge - fixed port "point-to-point" status after first link change;
*) bridge - fixed typo in filter and NAT error message;
*) bridge - improved system stability when removing MLAG configuration;
*) bridge - show invalid flag for ports that fails to be added to bridge (e.g. maximum port limit of 1024 is reached);
*) bth - improved stability on system time change;
*) certificate - added no-key-export parameter for import;
*) certificate - added support for cloud-dns challenge validation for sn.mynetname.net (CLI only);
*) certificate - automatically parse uppercase symbols to lowercase when registering domain on Let's Encrypt;
*) certificate - improved DNS challenge error reporting for Let's Encrypt;
*) certificate - improved RSA key signature processing speed;
*) certificate - show validity beyond year 2038;
*) chr - added support for licensing over IPv6 network;
*) chr - fixed incorrect disk size for ARM64;
*) console - added "about" filters for "find" and "print where" commands;
*) console - added "verbose=progress" mode for import status updates, and verbose output only on failures;
*) console - added additional byte-array option to :convert command;
*) console - added dry-run parameter to simulate import of files and find syntax errors without making configuration changes (verbose only);
*) console - added limits for dst-start and dst-end clock properties;
*) console - added lock screen via :lock command;
*) console - added uppercase and lowercase transform modes to :convert command;
*) console - disallow ping command with empty address;
*) console - display hint when requesting specific argument syntax;
*) console - do not show default boot-os setting in export;
*) console - fixed an issue where certain MAC address can be interpreted as time value;
*) console - fixed negative values for gmt-offset clock property;
*) console - fixed output of ping command in certain cases;
*) console - fixed typo in firewall error message;
*) console - improved :serialize and :deserialize commands and added support for DSV (delimiter separated values) format;
*) console - improved large import file handling, error detection and stability;
*) console - improved stability when pasting a large input;
*) console - improved stability when removing script;
*) console - increased default width for bitrate type of columns;
*) console - removed follow-strict parameter;
*) console - show rest-api name for active user connections;
*) container - clear VETH address on container exit and mark interface as running only when VETH is in use;
*) defconf - configure the default-route property for PPP clients only on devices with a built-in modem;
*) detnet - properly detect "Internet" status when multiple detnet instances preset in network;
*) dhcp - added comment property for matchers, options and option sets;
*) dhcp - improved DHCP IPv4 and IPv6 client/relay/server underlying interface state change handling;
*) dhcp - improved insert-queue-before, parent-queue and allow-dual-stack-queue behavior;
*) dhcpv4-client - execute script on DNS server or gateway address change;
*) dhcpv4-server - added "class-id" parameter for DHCP server leases;
*) dhcpv4-server - added matcher ability to match substring;
*) dhcpv4-server - added name for "User-Class" option (77), "Authentication" option (90), "SIP-Servers-DHCP-Option" option (120) and "Unassigned" option (163-174) in debug logs;
*) dhcpv4-server - fixed setting and getting "next-server" property;
*) dhcpv4-server - increased lease offer timeout to 120 seconds;
*) dhcpv4-server - remove corresponding dynamic leases if their address-pool gets removed;
*) dhcpv4-server - show active-server and host-name in print active command;
*) dhcpv6-client - do not add default gateway twice when both prefix and address is acquired;
*) dhcpv6-client - fixed T1, T2, valid-lifetime and preferred-lifetime compliance with RFC8415 by using value 0;
*) dhcpv6-client - pause client and remove dynamically installed objects while it becomes invalid;
*) dhcpv6-client - release client on failed renew attempt;
*) dhcpv6-client - update gateway address for default route on renew;
*) dhcpv6-server - improved system stability;
*) discovery - added discover-interval setting;
*) discovery - added LLDP Port VLAN ID, Port And Protocol VLAN ID, VLAN Name TLVs support;
*) discovery - added LLDP-MED timeout;
*) discovery - changed default discover-interval setting from 60s to 30s;
*) discovery - set unknown bit for any unspecified link type in MAC/PHY TLV;
*) disk - added "wipe-quick" file-system option to format-drive command (CLI only);
*) disk - added log message when disks get added or removed;
*) disk - added simple test command to test device and filesystem speeds (CLI only);
*) disk - improved system stability;
*) disk - remove dummy "slot1" entries on CHR;
*) dns - added support for DoH with adlist;
*) dns - added support for DoH with static FWD entries;
*) dns - added support for mDNS proxy;
*) dns - improved imported adlist parsing;
*) dns - refactored adlist service internal processes and improved logging;
*) dns - refactored DNS service internal processes;
*) dns - show static entry type "A" field in console;
*) dude - fixed map element RouterOS package upgrade functionality;
*) ethernet - fixed port speed downshift functionality for CRS354 devices;
*) ethernet - improved system stability for Alpine CPUs when dealing with unexpected non-UDP/TCP packet transmit;
*) fetch - handle HTTP 401 status correctly;
*) fetch - improved logging;
*) file - renamed "creation-time" to "last-modified";
*) filesystem - improved boot speed after device is rebooted without proper shutdown;
*) filesystem - refactored internal processes to minimize sector writes;
*) firewall - added message when interface belonging to VRF is added in filter rules;
*) firewall - fixed an issue with unsetting src-address-type;
*) firewall - fixed IPv6 "nth" matcher showing up twice in help;
*) firewall - fixed issue that prevents restoring src-address-list and dst-addres-list properties using undo command;
*) firewall - removed unnecessary TLS host matcher from NAT tables;
*) health - fixed board-temperature for KNOT device (introduced in v7.15);
*) health - fixed bogus CPU temperature spikes for CCR2216 device;
*) health - fixed missing health for CRS112-8G-4S device (introduced in v7.15);
*) health - improved voltage measurements for RB912UAG-6HPnD and RB912UAG-5HPnD devices;
*) health - removed unnecessary health settings for RB921 and RB922 devices;
*) health - upgraded fan controller firmware to latest version;
*) hotspot - properly escape all reserved URI characters;
*) ike1 - removed unsupported NAT-D drafts with invalid payload numbers;
*) ike2 - improved performance by balancing multicore CPU usage for key exchange calculation;
*) install - allow to save old configuration during cdrom install;
*) install - fixed ARM64 cdrom install (introduced in v7.15);
*) iot - added an option to delete default LoRa servers and a button to recover them if needed;
*) iot - added an option to log LoRa filtered packets;
*) iot - added LoRa NetID and JoinEUI filtering for LNS and CUPS connections;
*) iot - added LoRa option to filter out proprietary packets;
*) iot - fixed incorrect LoRa filter export behavior;
*) iot - fixed LoRa inability to set SSL for LoRa servers via command line;
*) iot - fixed LoRa inability to use variables for GPS-spoofing setting;
*) ip - added max-sessions property for services;
*) ip/ipv6 - added multipath hash policy settings;
*) ipip6 - make IPv6 LL address random;
*) ipsec - changed default dpd-interval from 2 minutes to 8 seconds and dpd-maximum-failures from 5 to 4;
*) ipsec - improved installed SA statistics update;
*) ipv6 - added "d" deprecated flag for expired IPv6 SLAAC addresses;
*) ipv6 - allow to properly disable address when it is generated from pool;
*) ipv6 - allow to properly move IPv6 address from slave interface to a bridge interface;
*) ipv6 - do not allow adding address with invalid prefix when using pool;
*) ipv6 - do not allow to manually delete LL address;
*) ipv6 - fixed "no-dad" functionality;
*) ipv6 - fixed dynamic duplicate address showing when static address is already configured;
*) ipv6 - fixed pool allocated addresses missing after reboot;
*) ipv6 - fixed SLAAC address dynamic appearance;
*) ipv6 - improved handling of IPv6 address information;
*) ipv6 - improved LL address generation process;
*) ipv6 - properly initialize default ND "interface=all" entry;
*) ipv6 - respect APN settings for "add-default-route" and "use-peer-dns" also when "accept-router-advertisements=yes";
*) ipv6 - warn user that reboot is required in order to properly apply accept-router-advertisements changes;
*) isis - fixed filter-chain and filter-select settings;
*) isis - install IPv6 link-local gateways correctly;
*) l2tp - improved system stability;
*) l3hw - added per-VLAN packet and byte counters to compatible switches;
*) l3hw - disable L3HW on bonding modes that do not support it;
*) log - added basic validation for "disk-file-name" property;
*) lte - added "sms-protocol" setting in "/interface lte" menu (CLI only);
*) lte - fixed "at-chat" for DELL T99W175 (PID: 0x05c6 VID: 0x90d5);
*) lte - fixed cases where LTE interface would take long time to become ready after bootup for Chateau 5G and Chateau 5G R16 (introduced in v7.15);
*) lte - fixed cases where modem could be handled by multiple dialer instances;
*) lte - fixed modem firmware upgrade for Chateau 5G and Chateau 5G R16 (introduced in v7.15);
*) lte - fixed possible crash when enabling/disabling config-less modem interface;
*) lte - fixed R11e-LTE no traffic flow when modem with older firmware version is used;
*) lte - fixed support for Fibocom modem fm150-na;
*) lte - improved modem AT/modem port open;
*) lte - improvements to "/interface/lte/show-capabilities" command;
*) media - improved file indexing for DLNA;
*) modem - added authentication functionality to EC200A;
*) modem - fixed PPP link recovery when port unexpectedly removed and returned due to modem firmware crash;
*) modem - fixed unresponsive PPP link recovery when TX bandwidth was exceeding link capacity;
*) modem - improved support for KNOT BG77 modem firmware update;
*) mqtt - broker password is no longer exported unless "show-sensitive" flag is used;
*) netinstall-cli - added check for device and package architectures match;
*) netinstall-cli - added support for multiple device install;
*) netinstall-cli - allow mixed package architectures;
*) netwatch - added DNS probe;
*) netwatch - added ttl and accept-icmp-time-exceeded properties for ICMP probe;
*) netwatch - use time format according to ISO standard;
*) ospf - improved system stability during LSA monitoring;
*) ovpn - improved system stability;
*) pimsm - improved system stability;
*) poe-out - fixed low-voltage detection while PD is connected for KNOT device;
*) poe-out - fixed silent firmware upgrade fail on CRS112-8P-4S device (introduced in v7.15);
*) poe-out - upgraded firmware for SAMD20 PSE (AF/AT) controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) port - added IPv6 support for the "remote-access" feature;
*) ppp - added SIM hot-plug enable command to default init-string for KNOT and CME gateway;
*) ppp - added support for IPv6-only domain names to l2tp-client, ovpn-client and sstp-client;
*) ppp - automatically generate IPv6 firewall rules when filter-id is specified;
*) ppp - fixed dynamic queue default name (introduced in v7.15);
*) ppp - fixed PPP info parser showing error for BG77 modem running on KNOT AUX AT/modem port;
*) profiler - classify wifi processing as "wireless";
*) ptp - added PTP support for CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ, CRS518-16XS-2XQ, CRS504-4XQ, CRS510-8XS-2XQ devices;
*) qos-hw - added H and I flags to queues;
*) qos-hw - added new monitoring properties for ports and global QoS stats;
*) qos-hw - added queue-buffers property to tx-manager;
*) qos-hw - allow port print stats, usage and pfc while QoS is disabled;
*) qos-hw - allow to set queue-buffers in bytes, percent or auto;
*) qos-hw - enabling ECN forces WRED (unless share is disabled);
*) qos-hw - fixed egress-rate limit validation;
*) qos-hw - fixed global buffer limits for 98DX8212 and 98DX8332 switches;
*) qos-hw - fixed WRED thresholds;
*) qos-hw - improved behavior when changing ports tx-manger;
*) qos-hw - limit WRED to queues with enabled shared buffers;
*) queue - improved system stability;
*) quickset - removed Basic AP mode;
*) rose-storage - fixed "/file sysnc status" parameter to be read-only;
*) rose-storage - moved "/rsync-daemon" to "/file rsync-daemon;
*) rose-storage - renamed sync "remote-addr" property to "remote-address";
*) route - added ability to redistribute isis routes;
*) route - fixed incorrectly handled route distinguisher and route targets (introduced in v7.15);
*) route - fixed memory leak (introduced in v7.15);
*) route - fixed some missing route parameters when printing (introduced in v7.15);
*) route - improved route attribute handling (may increase memory usage);
*) route - improved routing table update performance;
*) route - improved stability when getting entries from large routing tables;
*) route - place static route in the correct VRF when vrf-interface parameter is used;
*) route - rename route type from is-is to isis;
*) routerboard - improved Etherboot stability for CRS320-8P-8B-4S+ device ("/system routerboard upgrade" required);
*) routerboard - improved Etherboot stability for IPQ-40xx devices ("/system routerboard upgrade" required);
*) routerboot - improved boot process ("/system routerboard upgrade" required);
*) rpki - fixed preference sorting;
*) sfp - fixed calculated link length based on EEPROM in certain cases;
*) sfp - fixed missing traffic after reboot with S-RJ01 module running at 10/100 Mbps rate on CCR2004-16G-2S+ device;
*) sfp - fixed SFP28 interface with fec74 mode on CCR2004-1G-2XS-PCIe device;
*) sfp - fixed SFP28 jumbo frame processing on CCR2004-1G-2XS-PCIe device;
*) sms - added polling setting so that RouterOS itself checks SMS instead of relying on URC messages;
*) snmp - added support for KNOT BG77 modem cellular signal info;
*) snmp - fixed LAST-UPDATED format in MIKROTIK-MIB;
*) ssh - fixed SSH cryptographic accelerator selection for GCM cipher (introduced in v7.14);
*) ssh - fixed unsupported user SSH public key import (introduced in v7.15);
*) ssh - improved system stability when SSH tries to bind to non-existing interface;
*) supout - added detnet section;
*) supout - added monitor command for all wifi interfaces;
*) supout - added netwatch section;
*) supout - added user SSH keys section;
*) supout - increased console output width;
*) supout - limit address-list and connection tracking entries to 999 in supout.rif;
*) supout - rename "store" section to "disk";
*) switch - fixed an issue where half-duplex links could occupy Tx resources for 98DX8xxx, 98DX4xxx, 98DX325x switch chips;
*) switch - fixed an issue with Ethernet port group hang for CRS354 devices;
*) switch - fixed Ethernet interface counter 32bit overflow for CRS354 devices;
*) switch - fixed limited Tx traffic on Ethernet ports for CRS354 devices (introduced in v7.15);
*) switch - improved switch reset;
*) switch - improved system stability on CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) system - added "clock" logging topic for time change related messages;
*) system - added critical log message when not enough space to store new configuration;
*) system - added log message if device failed to reboot gracefully;
*) system - added more details to user initiated reboot (reset, upgrade, downgrade);
*) system - added support for upgrade over IPv6 network;
*) system - do not cancel package upgrade if another architecture packages found on the router;
*) system - do not download packages scheduled for uninstall;
*) system - do not start IPsec and certificate processes when not necessary;
*) system - fixed "free disk space" error message on system upgrade/downgrade;
*) system - fixed an issue where routing configuration was missing after performing a reset, adding a new configuration and then upgrading (introduced in v7.15);
*) system - fixed empty logs after reboot in certain cases;
*) system - improved internal system services messaging;
*) system - improved performance for TCP input;
*) system - improved reporting of total memory size;
*) system - improved system stability for CCR2004-1G-2XS-PCIe device;
*) system - improved system stability for RBSXTsq5nD and RBLDF-5nD;
*) system - improved system stability;
*) system - improved watchdog and kernel panic reporting;
*) system - reduced RAM usage for ARM64 devices;
*) system - set flash-boot mode as "boot-device" after system reset initiated by reset button ("/system routerboard upgrade" required);
*) system - set flash-boot mode as "boot-device" after system reset initiated from software;
*) traceroute - do not stop traceroute after 5 consecutive unreachable hops;
*) tunnel - allow specifying IPv6 LL address as "remote-address" for EoIPv6, GRE6 and IPIP6 tunnels;
*) user - added inactivity timeout for non-GUI sessions;
*) user-manager - updated logo;
*) vxlan - added comment support to VTEPs;
*) vxlan - prevent creating multiple VTEPs with same IP/port combination;
*) webfig - allow to enter time that exceeds 23:59:59;
*) webfig - correctly display default value for number type;
*) webfig - enabled hotlock mode for terminal;
*) webfig - fixed an issue where wrong menu title was shown;
*) webfig - fixed issue with incorrectly applying optional fields;
*) webfig - fixed sorting by datetime;
*) webfig - use "any" argument by default for Torch "Port" property;
*) wifi - added "slave-name-format";
*) wifi - added interface provisioning logs;
*) wifi - adjusted virtual interface naming when provisioning local radios;
*) wifi - do not allow frequency-scan on virtual interfaces;
*) wifi - do not unset radio-mac and master-interface properties on reset;
*) wifi - enable creating virtual wifi interfaces using "copy-from" setting;
*) wifi - fixed packet receive when having multiple station interfaces;
*) wifi - fixed signal strength reporting during association (introduced in v7.15);
*) wifi - fixed typo in log message;
*) wifi - improve regulatory compliance for Chateau ax devices;
*) wifi - improved interface stability when receiving invalid FT authentication frames;
*) wifi - improved system stability after interface hang;
*) wifi - improved WPA3 PMKSA handling when access-lists with custom passphrases are used;
*) wifi - make sniffer tool return an error when attempting to sniff with a radio which does not support it;
*) wifi - send channel switch announcements to clients when switching channels at requested re-select intervals;
*) wifi - use name-format also for local interfaces when provisioning;
*) wifi-qcom - add spectral-scan and spectral-history tools (CLI only);
*) wifi-qcom-ac - count dropped packets to "tx-drop" instead of "tx-error";
*) wifi-qcom-ac - improved memory allocating process;
*) winbox - added "Import Router ID" parameter under "Routing/BGP/VPN" menu;
*) winbox - added "Switch/QoS" menu for CRS3xx, CRS5xx, CCR2116 and CCR2216 devices;
*) winbox - added "Trace" column under "System/History" menu;
*) winbox - added configuration settings for ROSE;
*) winbox - added extra "File System" under "Format Drive" button;
*) winbox - added missing "Default Name" property for interfaces;
*) winbox - do not show "Last Logged In" and "Expire Password" when creating new system user;
*) winbox - fixed "Authority" property under "System/Certificates/Requests" menu;
*) winbox - fixed duplicated "MVRP Attributes" table;
*) winbox - fixed false invalid flag under "System/Ports/Remote Access" menu;
*) winbox - fixed issue with skin file appearing as unknown in user group menu (introduced in v7.15);
*) winbox - fixed signal bar "excellent" tooltip;
*) winbox - fixed Switch menu for RB1100AHx4 device;
*) winbox - improved QR code display;
*) winbox - moved DHCPv6 Server "Allow Dual Stack Queue" property from General to Queues tab;
*) winbox - moved Switch menu tabs to individual menus;
*) winbox - properly display available address-pools for DHCPv6 server configuration;
*) winbox - removed deprecated x86/CHR specific settings under "System/Resources" menu;
*) winbox - removed spare argument for "PFS Group" property under "IP/IPsec/Proposals" menu;
*) winbox - renamed configurable wifi property "Tx Power" to "Max Tx Power";
*) winbox - separated different Watchdog settings into logical tabs;
*) winbox - use CAP serial number with "Set Identity" button under "WiFi/Remote CAP" menu;
*) winbox - use correct default value for "Partition Offset" property;
*) winbox/webfig - fixed skins (introduced in v7.15);
*) wireless - allow unsetting signal-range and ssid-regext properties for capsman access-list;
*) wireless - fixed dynamic VLAN assignments for vlan-filtering bridge in certain cases;
*) wireless - limit antenna-gain property to 100;
*) www - log out inactive REST API users;
*) x86 - added missing PCI ids for bnx2x driver;
*) x86 - added RTL8156 driver support;
*) x86 - fixed missing serial ports with MCS9900;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

wispmikrotik · Tue Sep 24, 2024 9:59 am

:) Wow, thanks a lot for the effort Mikrotik team!!

inteq · Tue Sep 24, 2024 10:07 am

All my static leases for other Mikrotik devices got messed up after update to 7.16. Switches and APs .Looks like the MAC on the bridges got reset somehow.
Read again the whole patch note and could not find anything about this. Then again, I just woke up so I could be a bit slow.
If you update remotely and you have lots of other MIkrotik devices behind the router, double check after the update that the leases are as you expect.

usx · Tue Sep 24, 2024 10:12 am

That is a terrifyingly large amount of changes. I'm not feeling good about this update.

Tue Sep 24, 2024 10:17 am

There has been a rather large period of beta and rc testing.

For some there are too much changes.
For some there are never enough changes.

It's never good for everyone everytime.

mantouboji · Tue Sep 24, 2024 10:42 am

Wonderful

RB4011. OK
AX3. OK
J1900 box. OK

Jotne · Tue Sep 24, 2024 10:46 am

That is a terrifyingly large amount of changes.

There has been releases with more changes :)

train	count
6.43	459
6.42	433
6.47	416
6.46	414
6.39	399
7.2	392
6.40	376
6.38	365
6.44	361
6.48	357
6.45	351
7.16	322
6.41	287
7.15	276
7.14	267

erlinden · Tue Sep 24, 2024 10:47 am

All my static leases for other Mikrotik devices got messed up after update to 7.16.

Have you set fixed Admin MAC Address on the bridge for these devices?

For me, upgrade went well on all devices (coming from either 7.16 RC5 or 7.15.3):
RB4011
hEX S
hAP AX 2
cAP AX
cAP XL ac
wAP ac

rextended · Tue Sep 24, 2024 10:57 am

With all those change, is like a long-term release........

Bravi, ottimo lavoro.

infabo · Tue Sep 24, 2024 11:17 am

👏🥂🥳

rextended · Tue Sep 24, 2024 11:28 am

*) console - fixed negative values for gmt-offset clock property;

My scripts are already ready ;)

:global intGoff [:tonum [get gmt-offset]]
:if ($intGoff > 0x7FFFFFFF) do={:set intGoff ($intGoff - 0x100000000)}

pe1chl · Tue Sep 24, 2024 11:30 am

*) dhcpv4-server - added matcher ability to match substring;

It would be even nicer when the matcher could match other DHCP request fields than options...
E.g. the requester's MAC address. I would like to put IEEE-assigned MAC addresses in a different pool than Locally assigned ("random") MAC addresses, for example.

Jotne · Tue Sep 24, 2024 11:30 am

With all those change, is like a long-term release........

MT has not released a Long Term version in the 7 series yet.
And if you look back in history, you will see the how many version was released before a long term was released.
Here is all the first version of Long-Term releases:

version
6.30.1
6.32.3
6.34.5
6.37.4
6.38.7
6.39.3
6.40.6
6.42.9
6.43.13
6.44.5
6.45.8
6.46.7
6.47.9
6.48.5
6.49.7

Example. 6.32 6,32.1 and 6.32.2 was stable version then 6.33.3 a long-term version

rextended · Tue Sep 24, 2024 11:31 am

*) ip - added max-sessions property for services;

Missing (CLI only) on changelog...

rextended · Tue Sep 24, 2024 11:35 am

Update sucessfully one CCR2116-12G-4S+ [from 7.15.3] with 2 BGP full table IPv4 and 1 BGP IPv6 full table.
Apparently work.

inteq · Tue Sep 24, 2024 11:35 am

All my static leases for other Mikrotik devices got messed up after update to 7.16.
Have you set fixed Admin MAC Address on the bridge for these devices?

For me, upgrade went well on all devices (coming from either 7.16 RC5 or 7.15.3):
RB4011
hEX S
hAP AX 2
cAP AX
cAP XL ac
wAP ac

Have admin MAC only on router.
On switches and APs I don't have admin MAC set.

rextended · Tue Sep 24, 2024 11:39 am

So, is all "random"...

pe1chl · Tue Sep 24, 2024 11:46 am

All my static leases for other Mikrotik devices got messed up after update to 7.16. Switches and APs .Looks like the MAC on the bridges got reset somehow.

I don't see that issue here. MAC on bridges is still the Admin MAC that was set all the time (I think defconf now sets it as well).

rextended · Tue Sep 24, 2024 12:05 pm

Until someone change the config, or if is set at the start..............

rextended · Tue Sep 24, 2024 12:06 pm

@inteq: Is better to use another topic for probably unrelated problems.

rextended · Tue Sep 24, 2024 12:07 pm

CHR x86_64 (ESXi 6.5) updated without problem [from 7.15.3], DHCP work as expected.

Rox169 · Tue Sep 24, 2024 12:12 pm

one HAP AX2 updated well but another is in loop...it is restarting...it is as capsman AP and in capsmanager is this message: disconnected RAP AX2 UP@18:FD:74:BB:A9:0C%*8, connection interrupted
then I get ip adress again and again disconnected RAP AX2 UP@18:FD:74:BB:A9:0C%*8, connection interrupted
power off and on did not help...I will have to go there...

fragtion · Tue Sep 24, 2024 12:14 pm

Wireless dissociation issue affecting AX devices fixed? I see no mention of it... but surely by now?

rextended · Tue Sep 24, 2024 12:15 pm

If it's not written, it's not written, so it wasn't done.
By what logic should it have been done, if it's not written?

infabo · Tue Sep 24, 2024 12:21 pm

Sometimes we see e.g. a 3 lines changelog in some minor release. But that release introduces a bug in an area, completely different/unrelated to any changelog item.

So when bugs can sneak into, people assume, fixes can sneak without mentioning into releases as well.

And I sometimes see new CLI options/arguments or even commands in new releases that were not mentioned with a single word in changelog.

pe1chl · Tue Sep 24, 2024 12:26 pm

When I wanted to juggle the wlan names in my 4011 (apparently the defaults have swapped) I noticed an issue with WDS.
I don't use WDS, but there are two fields "WDS default cost" and "WDS cost range" that may be new. In the physical interfaces they were set to 100 and 50-150 respectively.
But I also have two "virtual" interfaces below them, which were disabled during the upgrade, and these values were not set.
When I tried to rename them to align with the wlan1/wlan2 swap, there is an error message about invalid WDS cost range. I think it should have been set to 50-150 as well.
Also, when I now add a new virtual wireless interface, it has an invalid WDS cost range as well and cannot be saved until that is corrected.

rextended · Tue Sep 24, 2024 12:31 pm

I noticed an issue with WDS. there are two fields "WDS default cost" and "WDS cost range" that may be new

they have always been there since 6.x

Yes, in previous versions they were 0 when created (and I put them in the default ones).
Evidently they added the cost control in the real interface, but recycling the interface also for the "fake" now gives an error uselessly.

kowal · Tue Sep 24, 2024 12:39 pm

For me upgrade went well on my setup:
RB5009 (non-poe);
CRS310-8G+2S+( that switch always update a bit longer, but this time it taken about 10 minutes);
cAP-AC (with qcom-ac)
cAP-AX

fragtion · Tue Sep 24, 2024 12:45 pm

If it's not written, it's not written, so it wasn't done.
By what logic should it have been done, if it's not written?

The changelog is massive, so it's possible that one of those many changes fixes the issue even if it doesn't explicitly mention ax wifi anywhere. Maybe it's a problem with bridges or drivers, or who knows what

infabo · Tue Sep 24, 2024 1:07 pm

IMHO it is okay to ask. I would even encourage you to ask on every single release. It is like in real life: the one that barks the loudest gets served. lol

S8T8 · Tue Sep 24, 2024 1:15 pm

*) console - added "about" filters for "find" and "print where" commands;

Hello, could someone explain where we can find or print about?

diamuxin · Tue Sep 24, 2024 1:18 pm

Hi, I have an ax3 and behind it powered by POE (from ether1) an ax2 is connected.

Since I have upgraded both devices to 7.16 there is a continuous error on ax3 “ether1 link down” -> “ether1 link up” -> “ether1 link down” and so it repeats continuously.

Any idea where the problem comes from? Thanks.

wiktorbgu · Tue Sep 24, 2024 1:36 pm

I have a device ax3 with power supply via PoE in Ether1.
Today on version rc5 and after updating to 7.16 also problems appeared “ether1 link down” -> “ether1 link up” -> “ether1 link down” and so it repeats continuously.

diamuxin · Tue Sep 24, 2024 1:46 pm

So, it seems to be a bug affecting “ether1” as I have tested that port as POE=Off and the same thing happens again.

Edit: I have downgraded to version 7.15.3 and still the same problem: “ether1 link down” -> “ether1 link up” -> “ether1 link down” ...etc. Any solution from Support ?

wispmikrotik · Tue Sep 24, 2024 1:46 pm

Hi,

Do you have more information on which devices it is available? or how to check?

*) qos-hw - added H and I flags to queues;
*) qos-hw - added new monitoring properties for ports and global QoS stats;

Regards,

infabo · Tue Sep 24, 2024 1:51 pm

I have a device ax3 with power supply via PoE in Ether1.
Today on version rc5 and after updating to 7.16 also problems appeared “ether1 link down” -> “ether1 link up” -> “ether1 link down” and so it repeats continuously.

It worked on 7.16 rc5?

diamuxin · Tue Sep 24, 2024 1:58 pm

I have downgraded to version 7.15.3 and still the same problem

bratislav · Tue Sep 24, 2024 1:59 pm

*) wifi-qcom-ac - improved memory allocating process;

Upgraded a single hAP ac2 so far to check if (hopefully) OOM reboots are really fixed with this one...

Z0ltan · Tue Sep 24, 2024 2:00 pm

Is it normal for CAPSMAN not to show traffic from the CAPs? I've upgraded, things work but I only see traffic on the individual CAPs but not on CAPSMAN.

Guscht · Tue Sep 24, 2024 2:08 pm

RB912R-2nD is not showing Identity and Board anymore (3rd from top)...

Edit: After another reboot, it shows up correctly...

Zwischenablage_09-24-2024_01.jpg

gigabyte091 · Tue Sep 24, 2024 2:08 pm

Updated 4011, 5009, CRS310, 328, 112, ATLGM, AX3, AX2, cAPax, LHGG, hAP ax lite LTE, wAP LTE, Chateau and cAP ac with no problem so far.

pe1chl · Tue Sep 24, 2024 2:14 pm

I have downgraded to version 7.15.3 and still the same problem

That is not an answer to the question above.
Did you upgrade from 7.15.3 to 7.16 or did you try 7.16x versions in between? (beta,rc)
There have been changes to PoE and they affect the programming of a PoE controller, downgrading does not downgrade that programming.
For me on an RB5009 it fixed a bug, but apparently on the ax3 it introduces a new bug...

Tue Sep 24, 2024 2:33 pm

Is it normal for CAPSMAN not to show traffic from the CAPs? I've upgraded, things work but I only see traffic on the individual CAPs but not on CAPSMAN.

If wifiwave2 capsman, that's already the case since start of wave2 capsman, many, MANY moons ago ...
Or are you referring to legacy wireless capsman ?

But since I see interface names with wifi, I am going to assume it's the wave2 version you're referring to. Old news then.

diamuxin · Tue Sep 24, 2024 2:41 pm

I have downgraded to version 7.15.3 and still the same problem
That is not an answer to the question above.
Did you upgrade from 7.15.3 to 7.16 or did you try 7.16x versions in between? (beta,rc)
There have been changes to PoE and they affect the programming of a PoE controller, downgrading does not downgrade that programming.
For me on an RB5009 it fixed a bug, but apparently on the ax3 it introduces a new bug...

Sorry, in my case I upgraded from 7.15.3 to 7.16

ich777 · Tue Sep 24, 2024 2:41 pm

I've upgraded and everything seems to work except Wifi 2GHz, I get this message:

--- device does not support management protection

I'm running a hAP ax³, this wasn't an issue with the previous version, did I do something wrong?

Strangely the hAP ax² is working fine (2x Caps) as you can see in the screenshot.

1.png

EDIT: I downgraded to 7.15.3 and everything is working again. I'm really not sure if I did something wrong or this is a bug.

EDIT2: Filed a bug report, thanks @pe1chl

pe1chl · Tue Sep 24, 2024 2:48 pm

Sorry, in my case I upgraded from 7.15.3 to 7.16

You need to file a bug in the support system: https://help.mikrotik.com/servicedesk
(when posting only here in the release topic it will probably not be noticed... unless a flood of such reports comes in)

sch · Tue Sep 24, 2024 2:54 pm

wiktorbgu and diamuxin please contact MikroTik support and provide supout.rif files.

wiktorbgu · Tue Sep 24, 2024 2:57 pm

I have a device ax3 with power supply via PoE in Ether1.
Today on version rc5 and after updating to 7.16 also problems appeared “ether1 link down” -> “ether1 link up” -> “ether1 link down” and so it repeats continuously.

It seems that after updating the firmware the situation has stabilized. (System-RouterBOARD-Upgrade)

fischerdouglas · Tue Sep 24, 2024 3:02 pm

There has been releases with more changes :)

train	count
6.43	459
6.42	433
6.47	416
6.46	414
6.39	399
7.2	392
6.40	376
6.38	365
6.44	361
6.48	357
6.45	351
7.16	322
6.41	287
7.15	276
7.14	267

A good statistic would be a graphic timeline of releases.
With zooming and all those fancy things...

Medium time between Betas.
Medium time between RCs.
Medium time between release of Stable and Beta of next release.

It could be just for RouterOSv7.

majestic · Tue Sep 24, 2024 3:07 pm

Has anyone had success with the v7.16 with Wireless Wire (wAP60G) p2p APs?

I am always very hessitant in upgrading these as they provide a core link between rooms and if they don't come up, they would be a nightmare to fix as they are stuck on the wall.

If anyone has a pair or simular hardware, please do let me know, thank you.

Best Regards.

rextended · Tue Sep 24, 2024 3:09 pm

There's no guarantee that if someone can do it, you can do it too.
I don't think there's any real reason why you should update them, do you?

majestic · Tue Sep 24, 2024 3:10 pm

There's no guarantee that if someone can do it, you can do it too.
I don't think there's any real reason why you should update them, do you?

Yeah I get that, but it minimizes the risks.

*Update*
Thinking about it some more, your right, leave them as they are and just upgrade the RB5009 as thats internet facing, the p2p are not, so the exposure is minimal. The RB5009 is easy to access, so if something goes bad, its not a major issue. Thanks for your insight.

infabo · Tue Sep 24, 2024 3:19 pm

That is a terrifyingly large amount of changes.
There has been releases with more changes :)
Code: Select all
train	count
6.43	459
6.42	433
6.47	416
6.46	414
6.39	399
7.2	392
6.40	376
6.38	365
6.44	361
6.48	357
6.45	351
7.16	322
6.41	287
7.15	276
7.14	267

This statistic is wrong. There aren't 322 change in 7.16. There are many changes already published by 7.15.x.

majestic · Tue Sep 24, 2024 3:39 pm

RB5009 upgrade to v7.16 sucessful.
- DNS working inc DoH and static entries
- DHCP working (multi vlans)
- BGP, BFD working, one large table and couple of k8s clusters
- PPPOE working
- VLANS working
- Wireguard roadwarriors config, working

I see a tiny bit of additional RAM being used but its only about ~20mb difference, apart from that, looks fine on RB5009. Will monitor it to make sure but seems sucessful.

Kanzler · Tue Sep 24, 2024 3:46 pm

hAP ac3 (wifi-qcom-ac) updated without problems. Everything works fine.

herbrico · Tue Sep 24, 2024 4:46 pm

So, it seems to be a bug affecting “ether1” as I have tested that port as POE=Off and the same thing happens again.

Edit: I have downgraded to version 7.15.3 and still the same problem: “ether1 link down” -> “ether1 link up” -> “ether1 link down” ...etc. Any solution from Support ?

I've got an HAP AX3 on (7.15.3) ROS 7.16 now connected via POE on eth1 and everything works fine, there is no connection or disconnection. But I had a similar problem with the net metal ac2 connected via poe where there was a connection and disconnection (link up, link down ), changing the poe adapter solved the problem.

Njumaen · Tue Sep 24, 2024 5:27 pm

/ip/dns/set mdns-repeat-ifaces=bridge,vlan-iot

and I'm happy! Dead simple... Thanks!

diamuxin · Tue Sep 24, 2024 5:31 pm

So, it seems to be a bug affecting “ether1” as I have tested that port as POE=Off and the same thing happens again.

Edit: I have downgraded to version 7.15.3 and still the same problem: “ether1 link down” -> “ether1 link up” -> “ether1 link down” ...etc. Any solution from Support ?

I've got an HAP AX3 on (7.15.3) ROS 7.16 now connected via POE on eth1 and everything works fine, there is no connection or disconnection. But I had a similar problem with the net metal ac2 connected via poe where there was a connection and disconnection (link up, link down ), changing the poe adapter solved the problem.

Thanks for the feedback!

Tue Sep 24, 2024 6:28 pm

I just updated the Mikrotik public btest server I maintain to ROS version 7.16
** Everything appears to be working correctly.
** This is a Mikrotik CHR ( P unlimited ) running on a Proxmox hypervisor.

IPv4: 23.162.144.123
IPv6: 2605:6340:0:1b::123
btest username: North-Idaho-Btest-Server
btest password: I-Am-Not-A-Cron-Script

North Idaho Tom Jones

pe1chl · Tue Sep 24, 2024 6:59 pm

Please add to the "Before an upgrade:" section:
4) when upgrading a CHR, check that it has at least 1GB RAM allocated, and increase RAM before attempting upgrade.
(see SUP-161771)

jvanhambelgium · Tue Sep 24, 2024 7:10 pm

Updated my RB5009 & RB3011
No issues, all my basic services work fine.

johnudu · Tue Sep 24, 2024 7:28 pm

hAP ac3 + wifi-qcom-ac - NO PROBLEM

donkeyKong · Tue Sep 24, 2024 7:56 pm

DNS :resolve command is not working as intended.

In ROS 7.15.3, DNS resolution works correctly and queries DNS server:

:resolve "www.google.com" server=<DNS server>

In ROS 7.16, DNS resolution uses the cache and does not seem to query server (10.9.91.200 does not exist in test LAN):

:put [:resolve domain-name="www.google.com" server=10.1.91.200 ]
172.217.20.164

:put [:resolve domain-name="www.google.com.br" server=10.90.90.200 ]
failure: dns server failure

Opened SUP-166143

jordanp123 · Tue Sep 24, 2024 8:07 pm

Has anyone elses setup with VRF's just stopped working ? Mine appears completly broken after the update. I use a VRF to connect to a VPN service for a VLAN.

jordanp123 · Tue Sep 24, 2024 8:29 pm

Looks like the firewall rules parameters changed with regards to VRF's in this release. Still trying to figure it out

pe1chl · Tue Sep 24, 2024 8:52 pm

What type of router do you have? Is it a CHR?

jordanp123 · Tue Sep 24, 2024 9:49 pm

Its a RB5009. I got it figured out, apparently in the last few releases you were allowed in the firewall rules to have VRF interface members in the In/Out portions of the firewall rules, but not now, so you can only have the VRF interface in the firewall rules, it puts a downer on firewall rules since I have to make them more complicated with packet marking now to have the same functionality.

infabo · Tue Sep 24, 2024 9:59 pm

already since 7.14. see viewtopic.php?p=1069285#p1069285

jordanp123 · Tue Sep 24, 2024 10:04 pm

yeah, what was weird is that It was working fine in 7.15. I got hit by the change from 7.13 to 7.14 when that first changed as well.

litvcom · Tue Sep 24, 2024 10:49 pm

I just updated my AX3. It hasn't gotten any worse, but time will tell.

gbtest85 · Tue Sep 24, 2024 11:31 pm

/ip/dns/set mdns-repeat-ifaces=bridge,vlan-iot

and I'm happy! Dead simple... Thanks!

Hi, can you explain the purpose of this new setting?

I think it could be useful to many!

Thank you

Njumaen · Tue Sep 24, 2024 11:35 pm

mdns-repeater-ifaces (list of interfaces; Default: )
Once an interface in this list receives an mDNS packet, it will forward it to all other interfaces in this list. Only supports IPv4.

see https://help.mikrotik.com/docs/display/ROS/DNS

Paternot · Wed Sep 25, 2024 12:06 am

Is this change applied when just upgrading? Or do I have to do something more drastic, as netinstall?

*) arm64 - increased reserved storage space for bootloader;

flynno · Wed Sep 25, 2024 1:01 am

Is roaming fixed in this firmware, running v7.15.3 at the moment and wireless roaming working correctly, devices are disconnecting and reconnecting with no internet for 10 seconds, alot of disassociated, connection lost, signal strength -49

gze100 · Wed Sep 25, 2024 3:18 am

After the upgrade to 7.16, the standard route is no longer redistributed via rip and bfd. A downgrade to 7.15.3 has solved the problem for the time being.

/routing rip instance
add disabled=no name=rip-instance-4 originate-default=if-installed redistribute=connected,static route-gc-timeout=60 route-timeout=30 routing-table=main \
    update-interval=5
/routing rip interface-template
add disabled=no instance=rip-instance-4 interfaces=bridge-local poison-reverse=yes split-horizon=yes use-bfd=yes

kcarhc · Wed Sep 25, 2024 4:40 am

After upgrading from 7.15.3 to 7.16, DNS-related configurations are randomly lost after some time of use.

This includes the settings in **DNS Static**, which also disappear, leaving the fields blank.

The DNS loss in version 7.16 includes, but is not limited to, the disappearance of **dynamic servers**.
The cached usage drops to 0, and the **servers' static settings** are lost.
When opening **DNS Static**, the fields appear blank.

These issues do not occur immediately but arise suddenly after some time following the upgrade to 7.16.

hknet · Wed Sep 25, 2024 5:19 am

it seems vrf-routing is trouble, coming from 7.15.3 static vrf routes were marked inactive and we found no way to get those active, neither deleting, adding new ones, basically all vrf-routes are inactive and show things like:

 4  IsH  dst-address=0.0.0.0/0 routing-table=main gateway=10.100.6.5
         immediate-gw="" distance=1 scope=30 target-scope=10
         vrf-interface=MGMT

in addition to static routes within vrfs not working also dynamic routes (added by pppoe client) were inactive within vrfs. this is seriously messed up.

finally had to downgrade to 7.15.3 to get this working again.

hknet · Wed Sep 25, 2024 5:44 am

Has anyone elses setup with VRF's just stopped working ? Mine appears completly broken after the update. I use a VRF to connect to a VPN service for a VLAN.

probably your vrf routes are inactive, right?

Coughy · Wed Sep 25, 2024 8:34 am

I have downgraded to version 7.15.3 and still the same problem

do a complete new config
i found jumping around firmwares and allpy config has a bug that it does things like this
im running hapax3 , hapax2 and 3 x capax all on 7.16.rc4 all fine to a degree with roaming and very little disconects
try factory reset on stable 7.16 and new config

AresPo · Wed Sep 25, 2024 9:01 am

hAP AX3 + wifi-qcom
on 7.15.3: WiFi (2&5) is ok (RSMB)
on 7.16: WiFi (2&5) drop (M)

After the update, I encountered an issue with WiFi and reconfigured the settings, but the problem persisted, so I had to revert to version 7.15.3

log : "DefConf gen: Unable to find wifi radio data"

infabo · Wed Sep 25, 2024 9:47 am

*) wifi - added "slave-name-format";
*) wifi - adjusted virtual interface naming when provisioning local radios;

Why is this only done for local radios? The local radios are now named similar to slave-name-format.

So e.g.:

Master interface: wifi1
1 slave interface: wifi1-virtual1

That is all nice and good.

But on the CAP, the interfaces are still suffixed by a number.

Master interface: wifi1
1 slave interface: wifi4

This is inconsistent. Why are wifi interfaces on the CAPs still named the old way?

KexyBiscuit · Wed Sep 25, 2024 10:17 am

After updating, Detect Internet suddenly installs default route and DNS servers for me, seems that it's a feature instead of a bug.

Wed Sep 25, 2024 10:38 am

it seems vrf-routing is trouble, coming from 7.15.3 static vrf routes were marked inactive and we found no way to get those active, neither deleting, adding new ones, basically all vrf-routes are inactive and show things like:
Code: Select all
 4  IsH  dst-address=0.0.0.0/0 routing-table=main gateway=10.100.6.5
         immediate-gw="" distance=1 scope=30 target-scope=10
         vrf-interface=MGMT
in addition to static routes within vrfs not working also dynamic routes (added by pppoe client) were inactive within vrfs. this is seriously messed up.

finally had to downgrade to 7.15.3 to get this working again.

Config looks to be incorrect, either you use routing-table to determine to which vrf this route should belong or you use vrf-interfce. But not the both especially if routing table config does not match the vrf to which vrf-inteface belongs to.

infabo · Wed Sep 25, 2024 10:40 am

"free-hdd-space" shrinked by ~50kb on "cAP ac":

7.15.3: 780KiB
7.16: 736KiB

JustAnAccount · Wed Sep 25, 2024 11:02 am

".home.arpa" DNS queries are still being leaked to the WAN network and is not conform to rfc8375. Can it be fixed ASAP please?

infabo · Wed Sep 25, 2024 11:03 am

".home.arpa" DNS queries are still being leaked to the WAN network and is not conform to rfc8375. Can it be fixed ASAP please?

Oh yeah, I really hate that behavior. And I see no possibility to turn that off.

pe1chl · Wed Sep 25, 2024 11:08 am

".home.arpa" DNS queries are still being leaked to the WAN network and is not conform to rfc8375. Can it be fixed ASAP please?

That is only a "proposed standard", one of several that were made with the same objective.
When you want to use that domain and don't want to leak it you can easily configure that yourself using a static record in the DNS resolver.

infabo · Wed Sep 25, 2024 11:23 am

bratislav · Wed Sep 25, 2024 11:41 am

".home.arpa" DNS queries are still being leaked to the WAN network and is not conform to rfc8375. Can it be fixed ASAP please?
That is only a "proposed standard", one of several that were made with the same objective.
When you want to use that domain and don't want to leak it you can easily configure that yourself using a static record in the DNS resolver.

What Mikrotik probably should implement is DNS forwarders so one could host those local domain zones locally...
Also to avoid bogus DNS queries to internet name servers as is strongly advised (https://www.rfc-editor.org/rfc/rfc6303) maybe filter all these local zones by default as Unbound and BIND are doing:

        # local-zone: "localhost." nodefault
        # local-zone: "127.in-addr.arpa." nodefault
        # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
        # local-zone: "home.arpa." nodefault
        # local-zone: "onion." nodefault
        # local-zone: "test." nodefault
        # local-zone: "invalid." nodefault
        # local-zone: "10.in-addr.arpa." nodefault
        # local-zone: "16.172.in-addr.arpa." nodefault
        # local-zone: "17.172.in-addr.arpa." nodefault
        # local-zone: "18.172.in-addr.arpa." nodefault
        # local-zone: "19.172.in-addr.arpa." nodefault
        # local-zone: "20.172.in-addr.arpa." nodefault
        # local-zone: "21.172.in-addr.arpa." nodefault
        # local-zone: "22.172.in-addr.arpa." nodefault
        # local-zone: "23.172.in-addr.arpa." nodefault
        # local-zone: "24.172.in-addr.arpa." nodefault
        # local-zone: "25.172.in-addr.arpa." nodefault
        # local-zone: "26.172.in-addr.arpa." nodefault
        # local-zone: "27.172.in-addr.arpa." nodefault
        # local-zone: "28.172.in-addr.arpa." nodefault
        # local-zone: "29.172.in-addr.arpa." nodefault
        # local-zone: "30.172.in-addr.arpa." nodefault
        # local-zone: "31.172.in-addr.arpa." nodefault
        # local-zone: "168.192.in-addr.arpa." nodefault
        # local-zone: "0.in-addr.arpa." nodefault
        # local-zone: "254.169.in-addr.arpa." nodefault
        # local-zone: "2.0.192.in-addr.arpa." nodefault
        # local-zone: "100.51.198.in-addr.arpa." nodefault
        # local-zone: "113.0.203.in-addr.arpa." nodefault
        # local-zone: "255.255.255.255.in-addr.arpa." nodefault
        # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
        # local-zone: "d.f.ip6.arpa." nodefault
        # local-zone: "8.e.f.ip6.arpa." nodefault
        # local-zone: "9.e.f.ip6.arpa." nodefault
        # local-zone: "a.e.f.ip6.arpa." nodefault
        # local-zone: "b.e.f.ip6.arpa." nodefault
        # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
        # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.

mustang1986 · Wed Sep 25, 2024 12:01 pm

hAP ac3 + wifi-qcom-ac - NO PROBLEM

7.16 solve it wifi-qcom-ac memory leak?

nichky · Wed Sep 25, 2024 12:28 pm

ip - added max-sessions property for services;

@rextended

how to get into that?

luckybuilding · Wed Sep 25, 2024 1:03 pm

Thanks, it is great! But it has some bugs! After upgrade, my mangles based on incoming interfaces stopped working! I finally had to downgrade it!

hknet · Wed Sep 25, 2024 1:26 pm

do a complete new config
[...]
try factory reset on stable 7.16 and new config

no factory resetting production systems is not an option, sorry - neither do I think this is a good idea to suggest to anyone.

johnudu · Wed Sep 25, 2024 1:31 pm

hAP ac3 + wifi-qcom-ac - NO PROBLEM
7.16 solve it wifi-qcom-ac memory leak?

i dont now

jdub88 · Wed Sep 25, 2024 1:34 pm

Quite significant problems upgrading my hAP AX3 from 7.15.3

Lots of DoH failure errors

Lots of devices getting "offering lease without success"

Wireguard failing to establish

Extremely bad performance for websites

I have a feeling the latter two are due to all the DoH issue but removing DoH endpoint didn't seem to help

Anyone else having this? I didn't see any similar reports

How do I go back to 7.15.3? I assume it's not as simply as simply clicking downgrade?

Definitely shaken my confidence of late

infabo · Wed Sep 25, 2024 1:37 pm

You need to manually download ROS main package and used extra packages. Then upload these npk files to your router (e.g. using Winbox) and finally hit

/system/package/downgrade

PS:
I don't know why updates are just one click but downgrade is not possible without additional knowledge and several manual steps. Why not just offer a dead simple downgrade feature where you can choose to which version you want to downgrade to?

crosswind · Wed Sep 25, 2024 1:56 pm

upgraded CRS309, CRS305, CRS312, hEX S, cAP ax, some hAP ac2, and RB4011, no (new) problems reported so far.

MVRP seems to work much better (7.15.3 had some problems with certains ports not joining vlans properly) and the new comments added to dynamic /interface/bridge/vlan entries are nice.

i noticed a good change in BGP behaviour: routes with a next-hop of :: are now accepted and marked unreachable, instead of being rejected, which means the gateway can be modified in a filter.

marsbeetle · Wed Sep 25, 2024 1:57 pm

Confirming DHCP issues specifically with AX3 and static addresses being ignored after upgrade to 7.16

Also noticed some of my home automation lights no longer connecting via 2ghz band to my AX2 after upgrade(weak signal). Downgraded and everything is back to "normal"

Why always 1 step forward and two steps back with each upgrade. Some consistency would be nice for a change.

sinisa · Wed Sep 25, 2024 2:05 pm

How do I go back to 7.15.3? I assume it's not as simply as simply clicking downgrade?

More and more people coming here who don't know how to use Google.
Did you try "mikrotik downgrade"? First hit, read page carefully...

infabo · Wed Sep 25, 2024 2:09 pm

The phenomenon of "not using google before asking" is probably as old as internet search engines. lmgtfy.com exist for a reason. But more and more people use AI. https://letmegpt.com/?q=how%20to%20down ... version%3F

Ab5 · Wed Sep 25, 2024 2:12 pm

Issue with OpenVPN and Certificat/date times.
When connecting with freshly created cert
disconnected <TLS error: ssl: cert not valid (before: Wed Sep 25 12:57:45 2024 > now: Wed Sep 25 11:09:03 2024)

Wed Sep 25 12:57:45 2024 is the correct current time on devices connecting and the mikrotik itself.

jdub88 · Wed Sep 25, 2024 2:15 pm

Confirming DHCP issues specifically with AX3 and static addresses being ignored after upgrade to 7.16

Also noticed some of my home automation lights no longer connecting via 2ghz band to my AX2 after upgrade(weak signal). Downgraded and everything is back to "normal"

Why always 1 step forward and two steps back with each upgrade. Some consistency would be nice for a change.

I actually had that weak signal issue last week out of the blue on 7.15.3. Most IoT stuff on 2.4ghz just failed. My ring cameras couldn't see the APs at all, or briefly with very low signal. I didn't actually do anything or changed anything. I loaded the most recent backup and rebooted and it was ok since

I looked into it and there have been some WiFi disassociation issues reported. But may be unrelated

This will be the first time I've needed to downgrade but thanks for the patronising comment about Google. This is after all a forum to discuss the products. The first result says click downgrade but it's not super clear on how to load the older packages. It's not intuitive, many would assume you can just click downgrade and it'll roll back to the previous version but I know never to assume with Mikrotik!

jdub88 · Wed Sep 25, 2024 2:16 pm

Issue with OpenVPN and Certificat/date times.
When connecting with freshly created cert
disconnected <TLS error: ssl: cert not valid (before: Wed Sep 25 12:57:45 2024 > now: Wed Sep 25 11:09:03 2024)

Wed Sep 25 12:57:45 2024 is the correct current time on devices connecting and the mikrotik itself.

I wonder if that's the same issue causing my wireguard and DoH issues, but I don't see cert errors in the logs.

Nullcaller · Wed Sep 25, 2024 2:21 pm

The phenomenon of "not using google before asking" is probably as old as internet search engines. lmgtfy.com exist for a reason. But more and more people use AI. https://letmegpt.com/?q=how%20to%20down ... version%3F

Since AI is mostly trained on Reddit, it's only a matter of time before it answers the question "How to downgrade RouterOS?" with "Yes, let me help you with that. But first, let's install the MikroTik downgrade tool. To do that, open terminal, paste 'rm -rf /' and press Enter. *tips fedora*"

Ab5 · Wed Sep 25, 2024 2:25 pm

Issue with OpenVPN and Certificat/date times.
When connecting with freshly created cert
disconnected <TLS error: ssl: cert not valid (before: Wed Sep 25 12:57:45 2024 > now: Wed Sep 25 11:09:03 2024)

Wed Sep 25 12:57:45 2024 is the correct current time on devices connecting and the mikrotik itself.
I wonder if that's the same issue causing my wireguard and DoH issues, but I don't see cert errors in the logs.

Possible i suspect its cause of the GMT Offset fix they pushed through cause it seems the time diff is exactly off by 2 hours for me (I'm GMT+2)

jdub88 · Wed Sep 25, 2024 2:35 pm

I wonder if that's the same issue causing my wireguard and DoH issues, but I don't see cert errors in the logs.
Possible i suspect its cause of the GMT Offset fix they pushed through cause it seems the time diff is exactly off by 2 hours for me (I'm GMT+2)

Good spot. I'm off by 1. Will give that a try later.

Kanzler · Wed Sep 25, 2024 3:32 pm

7.16 solve it wifi-qcom-ac memory leak?

I don't see any memory leak.

Paternot · Wed Sep 25, 2024 3:39 pm

"free-hdd-space" shrinked by ~50kb on "cAP ac":

7.15.3: 780KiB
7.16: 736KiB

I think this answers my question about

"*) arm64 - increased reserved storage space for bootloader;"

viewtopic.php?t=211157#p1099090

mkx · Wed Sep 25, 2024 3:40 pm

cAP ac is "arm" not "arm64" ...

Wed Sep 25, 2024 3:43 pm

There was a memory leak as well on cap ac when using wifi-qcom-ac drivers.
Testing since yesterday, no results yet ( before it would go OOM after almost 2 days).

fischerdouglas · Wed Sep 25, 2024 3:59 pm

That is only a "proposed standard"

Proposed? Wow...
And why other recursive engines implement that?
Are bind, unbound, knot, and others wrong following those recomendations?

I would say that this especial zones are so "proposed" than the use of DNSSEC, another standard that RouterOS ignores for a long-long time.

How?

Maybe with regex in DNS it is possible...
But it is the thing that should come in default-config template...
And being possible to be disabled.

nmt1900 · Wed Sep 25, 2024 4:04 pm

".home.arpa" DNS queries are still being leaked to the WAN network and is not conform to rfc8375. Can it be fixed ASAP please?

I did packet captures on WAN interface and did not manage to find anything related to that (only *.arpa requests appearing were related to public IP addresses).

fischerdouglas · Wed Sep 25, 2024 4:19 pm

What Mikrotik probably should implement is DNS forwarders so one could host those local domain zones locally...
Also to avoid bogus DNS queries to internet name servers as is strongly advised (https://www.rfc-editor.org/rfc/rfc6303) maybe filter all these local zones by default as Unbound and BIND are doing:

That would make DNS way more havier in resources than it is expected. CPU, Memory.

Most users expect from DNS Resolver of Mikrotik a semi-dummy thing like dnsmasq.
Leveling it so up wolud make big part of MikroTik users unhappy.

Stan Marsh says:
"Oh my god! They used extra 1,49MB of RAM..."

Kyle Broflovski says:
"You Bastards! Grrr!"

And even doing that, it would not being good enough in the point of view of thos who wants something really secure and compliance with all the "proposed" standars.

My sugestion here is that Mikrotik creates two DNS Operation Modes:
- UIltra Dummy basic, no DNSSEC, no conditional fowarding, no vrf-source, no nothing... Just a Dummy basic resolver.
- A Good enought DNS Resolver, running on a virtual interface inside RouterOS, with DNSSEC, with v4+v6 adresses for answering queries, with v4+v6 adresses for going out for the recursion, with possible policies being applied.
Maybe an extra package (similar to a a Container) that only allows this alternative more advanced DNS when this package is instaled.
It would reduce space in storage of the basic package, reduce CPU, reduce RAM.

So, if you activate that, you are aware that will consume some extra resourses.
And if you do not activate that, you are aware that funcionality is very limited.

BrateloSlava · Wed Sep 25, 2024 6:37 pm

Router - RB4011iGS+

I have two entries for DHCPv6 client in my settings: active and disabled.

/ipv6 dhcp-client add add-default-route=yes interface=IP-Maxnet-VLAN-130 pool-name=ipv6-maxnet pool-prefix-length=66 rapid-commit=no request=address,prefix use-interface-duid=yes use-peer-dns=no
/ipv6 dhcp-client add add-default-route=yes disabled=yes interface=IP-Triolan-VLAN-131 pool-name=ipv6-triolan pool-prefix-length=66 rapid-commit=no request=prefix use-interface-duid=yes use-peer-dns=no

Before ROS 7.16 these two entries did not interfere with each other and everything worked.

With the upgrade to ROS 7.16, trying to enter the IPv6-DHCP Client menu results in an error:
- this menu item appears empty
- an error appears in the logs that there cannot be two pools with the same name.

Attempting to export IPv6 settings to a text file saves an error in the result file:

#error exporting "/ipv6/dhcp-client" (timeout)

Rollback to 7.15.3 restores functionality.
Deleting the “disabled” DHCPv6 client entry and upgrading to 7.16 - the system works fine.

baragoon · Wed Sep 25, 2024 7:23 pm

ipv6 link local addrss are not deleteable after update from 7.15.3
using this method (for dn42 peering)

/ipv6/pool/add name=link-local prefix=fe80::/56 prefix-length=64
/ipv6/address/add from-pool=link-local advertise=no address=::1 interface=bridge

and (not related to 7.16) - unable to add more than 1 link local address, every next address is like fe80:0:0:2::1/64,fe80:0:0:3::1/64,fe80:0:0:4::1/64
every next addr is fe80:0:0:X+1::y/64

Paternot · Wed Sep 25, 2024 7:27 pm

cAP ac is "arm" not "arm64" ...

Yes, it is. But I find this coincidence quite weird. Exactly when something like this is announced, You see a small shrinkage on disk space? Looks like to me either a wrong changelog (would affect ARM32 too), or a bug on the code (someone forgot to check the ARM architecture before changing the partition size).

jdub88 · Wed Sep 25, 2024 7:43 pm

I wonder if that's the same issue causing my wireguard and DoH issues, but I don't see cert errors in the logs.
Possible i suspect its cause of the GMT Offset fix they pushed through cause it seems the time diff is exactly off by 2 hours for me (I'm GMT+2)

So, things are much better with clocks properly set. DoH and Wireguard working again. Will hold off a rollback for now.

Check your clocks folks :)

Fif · Wed Sep 25, 2024 8:16 pm

There still are issues with the cert dates being reported incorrectly.

/certificate/print detail proplist=issuer,country,organization,common-name,serial-number,fingerprint,akid,skid,invalid-before,invalid-after  where common-name=R10  
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; 
I - issued, R - revoked; E - expired; T - trusted 
 1  L    T issuer=C=US,O=Internet Security Research Group,CN=ISRG Root X1 
           country="US" organization="Let's Encrypt" common-name="R10" 
           serial-number="4ba85293f79a2fa273064ba8048d75d0" 
           fingerprint="9d7c3f1aa6ad2b2ec0d5cf1e246f8d9ae6cbc9fd0755ad37bb974b1
            f2fb603f3" 
           akid=79b459e67bb6e5e40173800888c81a58f6e99b6e 
           skid=bbbcc347a5e4bca9c6c3a4720c108da235e1c8e8 
           invalid-before=2160-04-18 23:28:16 
           invalid-after=2163-04-18 23:28:15

Note the wrong invalid-before and invalid-after dates in 2060 and 2063!
Same cert seen from WebFig shows the correct dates (see attached screenshot).

This seems to be a general issue, all my certs show wrong dates, not just the Let's Crypt R10 chain cert.

infabo · Wed Sep 25, 2024 8:28 pm

*) certificate - show validity beyond year 2038;

Maybe related to this line?

pe1chl · Wed Sep 25, 2024 8:53 pm

That is only a "proposed standard", one of several that were made with the same objective.
When you want to use that domain and don't want to leak it you can easily configure that yourself using a static record in the DNS resolver.
What Mikrotik probably should implement is DNS forwarders so one could host those local domain zones locally...

That is all already available.
You can add static DNS records to forward a domain to another DNS server, and you can enter any FQDN as static record in the router's DNS server as well.
You can have a couple of .home.arpa records in the DNS and at the end a *.home.arpa$ record with NXDOMAIN.

So you can easily configure this. For example, as a good netizen I have added records like
*\.168\.192\.in-addr\.arpa$ NXDOMAIN
as it is useless to forward PTR queries for RFC1918 addresses to the global DNS.

eworm · Wed Sep 25, 2024 8:53 pm

I do not see this issue with certificates. Possibly an issue with specific architecture? What device is that?

pe1chl · Wed Sep 25, 2024 8:59 pm

That is only a "proposed standard"
Proposed? Wow...

You don't know what it means? Read RFC 2026.

And why other recursive engines implement that?
Are bind, unbound, knot, and others wrong following those recomendations?

Anyone can implement it, but it is not mandatory.

Maybe with regex in DNS it is possible...
But it is the thing that should come in default-config template...
And being possible to be disabled.

Of course it is. Someone can publish a cut-and-paste config, and it could even be added to default config.

But it is a debated topic with many different implementations.
And there are other domains that could be added, like 168.192.in-addr.arpa.

Fif · Wed Sep 25, 2024 9:02 pm

I do not see this issue with certificates. Possibly an issue with specific architecture? What device is that?

I'm seeing that with 7.16 on 3 different CRS devices:

CRS305-1G-4S+
CRS309-1G-8S+
CRS317-1G-16S+

pe1chl · Wed Sep 25, 2024 9:10 pm

I have upgraded a couple of RB5009UPr+S+ routers (the PoE model) and I observe that on outputs that are configured for "auto on" but have a normal (non-PoE) device connected, a red "poe status: short circuit" is now being displayed in the interface->ethernet window.
There always was a "short circuit" status in the "PoE status" column of the table, but now it is also shown on a separate line.

Please clarify the situation. This is an 802.3af/at capable PoE device, and that should mean that any non-PoE device can be connected without problem.
Is this warning indicating a problem that should be fixed (i.e. is "auto on" actually a misnomer and should we manually configure any output that has no PoE powered device connected to "off"), or is it only informational? And if so, why is it in red, and why is that changed in 7.16?

I have used 802.3af/at capable switches for ages, and never have I seen a "warning" that non-PoE devices are connected.
It is inconvenient to manually configure this, we have PoE-powered VoIP phones that are connected in front of desktop PCs, and at any time someone can ask for a telephone and it is expected that this can just be plugged in. And this is how it works on our switches (Procurve/Aruba).
In a small office we have a RB5009UPr+S+ where 4 ports are configured "for PC and optional telephone" (others for internet, WiFi AP etc) and now the ports where a PC is directly connected show that warning.

burnduck · Wed Sep 25, 2024 9:27 pm

Not sure if this is a 7.16 or Winbox 4 Beta 8 issue, since I just got this device today and immediately updated it to 7.16.

With an almost empty configuration, a minute or so after I have created an empty bridge on the device, Winbox 4.0beta8 would fail to connect to the device with a "MacConnection syn timeout" error, though the old winbox continues to work with no issue.

[myuser@MikroTik] > /export      
# 1970-01-02 00:20:33 by RouterOS 7.16
# software id = VJPT-SQGP
#
# model = C52iG-5HaxD2HaxD
# serial number = HG209NTVAFV
/interface bridge
add name=bridge
/interface list
add comment="allow macwinbox on all" include=all name=macwinbox
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=mywifi
/interface wifi
set [ find default-name=wifi2 ] configuration.mode=station .ssid=mywifi\
    disabled=no name=wifi-2ghz security=osmium
set [ find default-name=wifi1 ] configuration.mode=station .ssid=mywifi\
    disabled=no name=wifi-5ghz security=osmium
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=bridge list=macwinbox
/system note
set show-at-login=no
/tool mac-server mac-winbox
set allowed-interface-list=macwinbox

Hyperlight · Wed Sep 25, 2024 9:47 pm

Firewall rules for interfaces in a VRF seem to have broken for me.

Wed Sep 25, 2024 9:52 pm

@pe1chl
Did you also upgrade FW on that device ?
I've seen a similar report, I think, which was solved when fw was upgraded.

mendark · Wed Sep 25, 2024 10:08 pm

After upgrade to v7.16 on RB4011iGS+ i noticed that DHCP Server that is created on vlan interface doesn't work. Work only DHCP Server that is configured on physical interface.
Can have someone any solution for this?
Thank you

erlinden · Wed Sep 25, 2024 10:16 pm

Can have someone any solution for this?

Do you have VLAN ID 1 configured?
Anything in the logging?
Or better, share your config?

/export file=anynameyoulike

Remove serial and any other private info.

I have the same MikroTik and this didn't happen for me.

mendark · Wed Sep 25, 2024 10:31 pm

Can have someone any solution for this?
Do you have VLAN ID 1 configured?
Anything in the logging?
Or better, share your config?
Code: Select all
/export file=anynameyoulike
Remove serial and any other private info.

I have the same MikroTik and this didn't happen for me.

This is my configuration:

/interface bridge
add dhcp-snooping=yes frame-types=admit-only-vlan-tagged name=bridge1-MAIN \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="XXXXXXXX"
set [ find default-name=ether2 ] comment="XXXXXXXX"
set [ find default-name=ether3 ] comment="XXXXXXXX"
set [ find default-name=ether4 ] comment="XXXXXXXX"
set [ find default-name=ether5 ] comment="XXXXXXXX"
set [ find default-name=ether6 ] comment="XXXXXXXX"
set [ find default-name=ether7 ] comment="XXXXXXXX"
set [ find default-name=ether8 ] comment="XXXXXXXX"
set [ find default-name=ether10 ] comment="XXXXXXXX"
set [ find default-name=sfp-sfpplus1 ] comment="XXXXXXXX"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge1-MAIN name=vLAN10-Public_IP vlan-id=10
add interface=bridge1-MAIN name=vLAN20-SRV-MGMT vlan-id=20
add interface=bridge1-MAIN name=vLAN80-iSCSI-vMotion vlan-id=80
add interface=bridge1-MAIN name=vLAN93-Private_IP vlan-id=93
add interface=bridge1-MAIN name=vLAN100-Guest_LAN vlan-id=100
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip firewall layer7-protocol
add name=facebook.com regexp="^.+(facebook.com).*\$"
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5 \
    enc-algorithm=aes-256,aes-192,aes-128
add dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,aes-128 \
    hash-algorithm=sha256 name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2 \
    send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256,sha1 name=ike2 pfs-group=none
/ip pool
add name=Main-DHCP ranges=XXXXXXXX
add name=Local-DHCP ranges=XXXXXXXX
add name=VPN-Pool ranges=XXXXXXXX
add name=Guest-Pool ranges=XXXXXXXX
/ip dhcp-server
add address-pool=Local-DHCP interface=ether10 lease-script=dhcp2dns \
    lease-time=1d name=Local-DHCP
add address-pool=Main-DHCP interface=vLAN93-Private_IP lease-time=1d name=\
    Main-DHCP
add address-pool=Guest-Pool interface=vLAN100-Guest_LAN name=Guest-DHCP
/interface bridge port
add bridge=bridge1-MAIN ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10 pvid=93 trusted=yes
add bridge=bridge1-MAIN ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10 pvid=93 trusted=yes
add bridge=bridge1-MAIN ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10 pvid=93 trusted=yes
add bridge=bridge1-MAIN ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10 pvid=93 trusted=yes
add bridge=bridge1-MAIN ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10 pvid=93 trusted=yes
add bridge=bridge1-MAIN ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10 pvid=93 trusted=yes
add bridge=bridge1-MAIN ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10 pvid=93 trusted=yes
add bridge=bridge1-MAIN interface=ether9 pvid=93 trusted=yes
add bridge=bridge1-MAIN frame-types=admit-only-vlan-tagged interface=\
    sfp-sfpplus1 trusted=yes
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1-MAIN tagged=bridge1-MAIN,ether3,ether4,ether7,sfp-sfpplus1 \
    vlan-ids=10
add bridge=bridge1-MAIN tagged=bridge1-MAIN,ether3,ether4,ether7,sfp-sfpplus1 \
    vlan-ids=20
add bridge=bridge1-MAIN tagged=bridge1-MAIN,sfp-sfpplus1 vlan-ids=93
add bridge=bridge1-MAIN tagged=bridge1-MAIN,sfp-sfpplus1 vlan-ids=80
add bridge=bridge1-MAIN tagged=bridge1-MAIN,sfp-sfpplus1 vlan-ids=100
/interface l2tp-server server
set allow-fast-path=yes default-profile=VPN enabled=yes use-ipsec=required
/interface list member
add interface=bridge1-MAIN list=LAN
add interface=ether1 list=WAN
add interface=ether10 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
/ip address
add address=XXXXXXXX interface=vLAN93-Private_IP network=XXXXXXXX
add address=XXXXXXXX interface=ether10 network=XXXXXXXX
add address=XXXXXXXX interface=ether1 network=XXXXXXXX
add address=XXXXXXXX interface=vLAN10-Public_IP network=\
    XXXXXXXX
add address=XXXXXXXX interface=wireguard1 network=XXXXXXXX
add address=XXXXXXXX interface=vLAN20-SRV-MGMT network=XXXXXXXX
add address=XXXXXXXX interface=vLAN80-iSCSI-vMotion network=\
    XXXXXXXX
add address=XXXXXXXX interface=vLAN100-Guest_LAN network=XXXXXXXX
/ip dhcp-server network
add address=XXXXXXXX comment=Guest-DHCP dns-server=XXXXXXXX gateway=\
    XXXXXXXX
add address=XXXXXXXX comment=Local-DHCP dns-server=\
    XXXXXXXX gateway=XXXXXXXX
add address=XXXXXXXX comment=Main-DHCP dns-server=XXXXXXXX \
    gateway=XXXXXXXX
/ip dns
set allow-remote-requests=yes cache-max-ttl=3d servers=1XXXXXXXX
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add auth-method=eap-radius certificate=sslcert-autogen_2024-09-06T07:44:00Z \
    generate-policy=port-strict mode-config=ike2-conf peer=ike2 \
    policy-template-group=ike2-policies
/ip ipsec policy
add dst-address=XXXXXXXX group=ike2-policies proposal=ike2 \
    src-address=XXXXXXXX template=yes
/ip route
add disabled=no distance=1 dst-address=XXXXXXXX gateway=XXXXXXXX \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl certificate=*5
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 address
add address=2a02:2f0f:312::2/48 advertise=no interface=*11
/ipv6 firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=input comment="allow wireguard VPN (12321/udp)" \
    dst-port=13231 in-interface-list=WAN protocol=udp
add action=drop chain=input comment=\
    "drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="rfc4890 drop hop-limit=1" hop-limit=\
    equal:1 protocol=icmpv6
add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="accept HIP" protocol=139
add action=accept chain=forward comment="accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment=\
    "accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Bucharest
/system logging
set 0 action=disk
add topics=ipsec,!debug
add disabled=yes topics=wireguard,!debug
/system note
set show-at-login=no
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/user-manager
set certificate=sslcert-autogen_2024-09-06T07:44:00Z enabled=yes \
    require-message-auth=no
/user-manager router
add address=127.0.0.1 comment=localhost name=local

pe1chl · Wed Sep 25, 2024 11:22 pm

@pe1chl
Did you also upgrade FW on that device ?
I've seen a similar report, I think, which was solved when fw was upgraded.

I had not, and now that I have upgraded it (from 7.15.3 to 7.16) the red warning indeed disappears. Thanks for the hint.
What remains confusing is that in the log it says "ether5 detected poe-out status: wait_for_load" which is fine, but in the ethernet interface table it still says "short circuit". For an open port is shows "wait for load" and for 803.af/at PoE that should also be the status when a non-PoE device is connected.
(I can understand that it can detect short circuit and display that when the PoE is "forced on" for passive PoE but a short circuit is detected)

Maybe in addition to "off", "auto on" and "forced on" there should be a "802.3af/at" mode where it strictly uses that protocol and is not worried about shorts.

fischerdouglas · Wed Sep 25, 2024 11:29 pm

I'm seeing several complains related to certificate.

Issues with NTP and correct time is crossing my mind as possible cause to that.

null31 · Thu Sep 26, 2024 12:51 am

Router - RB4011iGS+

I have two entries for DHCPv6 client in my settings: active and disabled.
Code: Select all
/ipv6 dhcp-client add add-default-route=yes interface=IP-Maxnet-VLAN-130 pool-name=ipv6-maxnet pool-prefix-length=66 rapid-commit=no request=address,prefix use-interface-duid=yes use-peer-dns=no
/ipv6 dhcp-client add add-default-route=yes disabled=yes interface=IP-Triolan-VLAN-131 pool-name=ipv6-triolan pool-prefix-length=66 rapid-commit=no request=prefix use-interface-duid=yes use-peer-dns=no
Before ROS 7.16 these two entries did not interfere with each other and everything worked.
With the upgrade to ROS 7.16, trying to enter the IPv6-DHCP Client menu results in an error:
- this menu item appears empty
- an error appears in the logs that there cannot be two pools with the same name.

Attempting to export IPv6 settings to a text file saves an error in the result file:
Code: Select all
#error exporting "/ipv6/dhcp-client" (timeout)
Rollback to 7.15.3 restores functionality.
Deleting the “disabled” DHCPv6 client entry and upgrading to 7.16 - the system works fine.

I had the same issue with hAP ac^3 except that both DHCPv6-client are in use.
Upgrade from 7.13 -> 7.16, in the end doing downgrade to 7.15.3 solved the issue.

Running print or export give timeout like yours, also the error of duplicated name for the pool.
One of DHCPv6-client keep searching and when obtain a prefix give that error of "two pool with same name" while the other one has already obtained a prefix.

#error exporting "/ipv6/dhcp-client" (timeout)

failed to add ipv6 pool ipv6-pool: two pools cannot have the same name! (6)

I opened a ticket with support and attached a supout, let's see what happens :)

deejaysanoj · Thu Sep 26, 2024 1:57 am

interesting seems working fine, il feedback later on if i notice some errors with this new update :)

crosswind · Thu Sep 26, 2024 6:56 am

MVRP seems to work much better (7.15.3 had some problems with certains ports not joining vlans properly)

i spoke too soon, MVRP still does not correctly distribute vlan ids from a port's pvid. opened SUP-166289 for this.

Reinis · Thu Sep 26, 2024 7:11 am

I had not, and now that I have upgraded it (from 7.15.3 to 7.16) the red warning indeed disappears. Thanks for the hint.
What remains confusing is that in the log it says "ether5 detected poe-out status: wait_for_load" which is fine, but in the ethernet interface table it still says "short circuit". For an open port is shows "wait for load" and for 803.af/at PoE that should also be the status when a non-PoE device is connected.
(I can understand that it can detect short circuit and display that when the PoE is "forced on" for passive PoE but a short circuit is detected)

Maybe in addition to "off", "auto on" and "forced on" there should be a "802.3af/at" mode where it strictly uses that protocol and is not worried about shorts.

In this case WinBox visually outputs "short-circuit" warning only after PoE FW upgrade, where upgrade is automatic on boot if versions differ. On next boot, the warning will disappear. We will try to fix it in upcoming releases, but this is an visual issue only.

Regarding "wrong detection of short-circuit on non-poe PD's", it is not wrong as it's simply a measurement issue. Resistance-detection measurement results show really low resistance that cannot be differenced from a real short-circuit. If you don't want port to perform resistance-detection, turn off PoE on it.

BrateloSlava · Thu Sep 26, 2024 8:13 am

@mendark

This is my configuration:

I didn't see anything strange in your configuration, except for this line:

/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

Why do you need it?

mendark · Thu Sep 26, 2024 8:16 am

@mendark
This is my configuration:
I didn't see anything strange in your configuration, except for this line:
Code: Select all
/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
Why do you need it?

I didn't need that option, maybe was activated when i upgrade to v7.16
I will test and i will return with an answer.

L.E. I tested and now working. After i set: /interface bridge settings set use-ip-firewall=no everything woriking.
Thanks for your help

pe1chl · Thu Sep 26, 2024 10:04 am

I had not, and now that I have upgraded it (from 7.15.3 to 7.16) the red warning indeed disappears. Thanks for the hint.
What remains confusing is that in the log it says "ether5 detected poe-out status: wait_for_load" which is fine, but in the ethernet interface table it still says "short circuit". For an open port is shows "wait for load" and for 803.af/at PoE that should also be the status when a non-PoE device is connected.
(I can understand that it can detect short circuit and display that when the PoE is "forced on" for passive PoE but a short circuit is detected)

Maybe in addition to "off", "auto on" and "forced on" there should be a "802.3af/at" mode where it strictly uses that protocol and is not worried about shorts.
In this case WinBox visually outputs "short-circuit" warning only after PoE FW upgrade, where upgrade is automatic on boot if versions differ. On next boot, the warning will disappear. We will try to fix it in upcoming releases, but this is an visual issue only.

Ok thanks. But please also explain if "short circuit" is an undesirable condition for the router, or if it can just be in that state forever without any risk of damage, overheating, etc.

Regarding "wrong detection of short-circuit on non-poe PD's", it is not wrong as it's simply a measurement issue. Resistance-detection measurement results show really low resistance that cannot be differenced from a real short-circuit. If you don't want port to perform resistance-detection, turn off PoE on it.

Please also read my post above: we use PoE out on "user ports" where either a PC or a VoIP phone (with through connection to PC) is connected. It is not convenient to have to configure the port differently for the different usages.
And on any industrial standard PoE switch that is not required at all! You just have 802.3af/at PoE enabled on all ports (by default) and you can plugin any device. The status of the PoE will either be "delivering" or "searching". When there is a low resistance it does not satisfy the 802.3af/at conditions and the status remains "searching" (or "wait for load" or whatever you want to call it).
As I understand that it is different for "passive PoE" (where you just need to try to deliver power and shut off when there is a short circuit to protect your equipment), I suggest (as above) to have a separate 802.3af/at mode where it does not even try to detect short circuit when it does not detect the correct resistance of an 802.3af/at device, just like everyone else does.

mendark · Thu Sep 26, 2024 10:35 am

Another problem that i noticed is, i cannot ping any ip in C class, like: 10.x.x.x, even if i ping from router. i take timed out.
Can anyone observer this? Or have this situation?

Thank you

L.E. I found problem, i have in address list (blocked) all 10.0.0.0/8 ip class, and that was mistake

david99 · Thu Sep 26, 2024 10:40 am

Hi All,

For me 7.16 is not working correctly. I have:

1x CCR1009
2x cap ax

After upgrade my router - CCR1009 will start to be unreachable intermittently, few pings are ok then few ping are time out and this repeats. I discovered when I power off both cap ax devices then router is running stable. So downgraded router back to 7.15.3 powered on cap ax devices and router is still unreachable intermittently. After downgrade of one cap ax to 7.15.3 and running it together with router everything is stable, then plugging in also second cap ax with 7.16 and router is again unreachable. After downgrade also second cap ax to 7.15.3 everything is back to normal. So for me this firmware in combination with ccr1009 and cap ax devices is not working well. I'm using capsman for wifi configuration. I was upgrading initially from 7.15.3. Would appreciate if anybody could help me find clue what is happening.

Thanks,

David

BrateloSlava · Thu Sep 26, 2024 10:43 am

@mendark

Another problem that i noticed is, i cannot ping any ip in C class, like: 10.x.x.x, even if i ping from router. i take timed out.

I don't think your question is specifically about ROS 7.16. Create a separate thread for your question. And attach the full text version of your configuration to your post there. I mean - do not hide IP addresses of internal subnets, pools and gateways. Otherwise, it's not clear what you have and where it should be directed.

mendark · Thu Sep 26, 2024 10:45 am

@mendark
Another problem that i noticed is, i cannot ping any ip in C class, like: 10.x.x.x, even if i ping from router. i take timed out.
I don't think your question is specifically about ROS 7.16. Create a separate thread for your question. And attach the full text version of your configuration to your post there. I mean - do not hide IP addresses of internal subnets, pools and gateways. Otherwise, it's not clear what you have and where it should be directed.

Ok, i understand.
Thank you

BrateloSlava · Thu Sep 26, 2024 10:50 am

@david99

Would appreciate if anybody could help me find clue what is happening.

Without knowing what you have and how it's set up, it's impossible to advise anything. Please attach a text version of your configurations. At the same time - remove “critical” information from these files before publishing them on the forum: serial numbers, external IP addresses and gateways, etc.

/export file=file_name

jhbarrantes · Thu Sep 26, 2024 10:57 am

I found 7.16 duplicating RIP routes. Shall I open a ticket to support?. When disabling RIP, the route is still there as dynamic but unreacheable.

/routing rip instance
add afi=ipv4 disabled=no name=rip
/routing rip interface-template
add disabled=no instance=rip interfaces=vlan-voip mode=passive
/ip dhcp-client
add add-default-route=no interface=vlan-voip use-peer-dns=no use-peer-ntp=no

rip-duplicated-route.png

Thanks.

infabo · Thu Sep 26, 2024 11:05 am

"free-hdd-space" shrinked by ~50kb on "cAP ac":

7.15.3: 780KiB
7.16: 736KiB

Unsure why, my Chateau (D53G-5HacD2HnD) got hit differently:

7.15.3: 712.0KiB
7.16: 632.0KiB

foraster · Thu Sep 26, 2024 11:30 am

Experiencing lots of reboots (up to every 2-30 minutes) on a HAP AC2 working as a wireless trunk between two segments of the network, upgraded to v7.16, on logs I only get the "possible power outage" message.

Power supply has not failed before...

Similar devices with wired ethernet trunk connections are fine.

Downgraded the HAP AC2 and after a couple of hours no reboot has happened...

Kanzler · Thu Sep 26, 2024 11:33 am

You need to send supout.rif to support

CGGXANNX · Thu Sep 26, 2024 11:44 am

Experiencing lots of reboots (up to every 2-30 minutes) on a HAP AC2 working as a wireless trunk between two segments of the network, upgraded to v7.16, on logs I only get the "possible power outage" message.

Power supply has not failed before...

Similar devices with wired ethernet trunk connections are fine.

Downgraded the HAP AC2 and after a couple of hours no reboot has happened...

Did you also upgrade the firmware (under System -> RouterBOARD, and then reboot). The hAP ac² has a IPQ-4018 CPU and according to the changelog, a firmware upgrade is required for IPQ-40xx

*) routerboard - improved Etherboot stability for IPQ-40xx devices ("/system routerboard upgrade" required);

david99 · Thu Sep 26, 2024 12:26 pm

@david99
Would appreciate if anybody could help me find clue what is happening.
Without knowing what you have and how it's set up, it's impossible to advise anything. Please attach a text version of your configurations. At the same time - remove “critical” information from these files before publishing them on the forum: serial numbers, external IP addresses and gateways, etc.
Code: Select all
/export file=file_name

Thank you I'm attaching configs from router and from one of the capax. Thank for help.

BrateloSlava · Thu Sep 26, 2024 12:42 pm

@david99
First: on wireless access points, configure the DHCP client correctly. The device to get the IP address is not ether1, but your bridge.
Second, figure out the VLANs on the router. Which ports on the router you have wireless access points connected to and which VLANs should be forwarded there through the router's bridge.

woodych · Thu Sep 26, 2024 12:48 pm

I wonder, as there are some hints about this in the release notes.

Is Bridge IGMP/MLD snooping when using VLAN working now?

It was broken until 7.15.1, especially when using IPv6, multicast packets got dropped by the bridge breaking RA and IPv6 autoconfiguration.

infabo · Thu Sep 26, 2024 1:33 pm

Did you also upgrade the firmware (under System -> RouterBOARD, and then reboot). The hAP ac² has a IPQ-4018 CPU and according to the changelog, a firmware upgrade is required for IPQ-40xx

*) routerboard - improved Etherboot stability for IPQ-40xx devices ("/system routerboard upgrade" required);

Sure, but Etherboot is used for Netinstall. I don't see how it could affect normal operation. But of course, it is a Mikrotik changelog, I agree: there may sneaked some other change into firmware which is necessary for 7.16 to operate normal. So every time one spots a "*) routerboard" changelog-line: UPGRADE regardless of what is written afterwards.

vitaly2016 · Thu Sep 26, 2024 1:54 pm

/ip/dns/set mdns-repeat-ifaces=bridge,vlan-iot

and I'm happy! Dead simple... Thanks!

I can't make my RB3011's mdns Repeater to work.
I have 2 network:
bridge-local (192.168.10.0/24) for my PC and other things and
vlan20 (192.168.20.0/24) for my iot devices
Before this v7.16 release I can't access my iot devices (ESPHome in HomeAssistant)
by their ".local" names from my PC. But direct access by IOT device's IP address worked good.
And now I set two my interfaces in mDNS Repeater following your example.
But I can't access for example bluetooth-tracker-kitchen.local from main network.
May I ask how did your made your vlan-iot network? Is vlan-iot just VLAN interface or is this a separate bridge?

ToTheFull · Thu Sep 26, 2024 2:14 pm

STABLE IS IT!
09:19:57 wireless,info 6C:A1:00:23:77:DE@cap-wifi1 disconnected, SA Query timeout, signal strength -65
09:19:57 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:20:39 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
09:20:47 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:25:19 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -83
09:25:20 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:26:27 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -83
09:26:27 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:29:29 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -80
09:29:29 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
09:32:15 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -84
09:32:19 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -86
09:35:16 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
09:35:16 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
09:39:39 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
09:39:39 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:43:16 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
09:43:16 wireless,info 6C:A1:00:23:77:DE@cap-wifi1 connected, signal strength -54
09:45:29 wireless,info 6C:A1:00:23:77:DE@cap-wifi1 disconnected, SA Query timeout, signal strength -63
09:45:29 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:46:11 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -80
09:46:34 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
09:46:34 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, connection lost, signal strength -83
09:46:35 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:46:38 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, connection lost, signal strength -81
09:47:15 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
09:47:16 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, connection lost, signal strength -82
09:47:29 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -56
09:53:38 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -53
09:53:40 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -58
10:03:46 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -48
10:03:49 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -57
10:10:55 wireless,info 0A:BA:D7:A3:E6:19@wifi1 disconnected, connection lost, signal strength -56
10:11:11 wireless,info 0A:BA:D7:A3:E6:19@wifi1 connected, signal strength -58
10:13:56 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -52
10:13:57 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -57
10:24:00 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -54
10:24:04 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -59
10:34:09 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -49
10:34:12 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -57
10:44:19 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -51
10:44:21 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -57
10:54:29 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -51
10:54:38 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -56
10:57:50 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -49
10:57:51 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
10:59:01 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -83
10:59:01 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -56
11:09:07 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -51
11:09:07 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:12:14 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:12:32 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:14:39 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:14:39 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:17:28 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:17:28 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:20:30 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:20:39 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:20:40 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, connection lost, signal strength -83
11:20:40 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
11:26:51 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -80
11:26:53 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
11:30:23 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:30:23 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:34:22 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:34:22 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:36:30 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -80
11:36:31 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
11:39:19 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:39:26 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:41:28 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:41:28 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
11:44:39 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:44:41 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:47:57 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:47:57 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -82
11:50:07 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:50:07 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -82
11:52:30 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -83
11:52:30 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -52
12:02:40 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -51
12:02:41 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -56
REALLY!

pe1chl · Thu Sep 26, 2024 2:27 pm

I wonder, as there are some hints about this in the release notes.

Is Bridge IGMP/MLD snooping when using VLAN working now?

It was broken until 7.15.1, especially when using IPv6, multicast packets got dropped by the bridge breaking RA and IPv6 autoconfiguration.

Indeed I had issues with that, but currently with 7.16 all works fine.

mrbyte · Thu Sep 26, 2024 2:30 pm

Thanks @ToTheFull, on my hAP EX2 I had the same problem from v.15.x onwards.
I will stay with v.14.3.

Regards.

osc86 · Thu Sep 26, 2024 2:38 pm

It was broken until 7.15.1, especially when using IPv6, multicast packets got dropped by the bridge breaking RA and IPv6 autoconfiguration.

this is broken since forever.
The workaround is to create static mdb entries for well-known ipv6 multicast groups: https://help.mikrotik.com/docs/pages/vi ... d=59277403 (scroll to the bottom).

david99 · Thu Sep 26, 2024 2:47 pm

@david99
First: on wireless access points, configure the DHCP client correctly. The device to get the IP address is not ether1, but your bridge.
Second, figure out the VLANs on the router. Which ports on the router you have wireless access points connected to and which VLANs should be forwarded there through the router's bridge.

Ok I will reconfigure dhcp client on APs thank you. for the VLANs they are not in use currently but before they were working. I could potentialy remove them at all but do you think those could cause this issue? Basically Vlans were configured to the same port by which router is connected to switch so the same port is also for APs connection. Before it was working without issue.

David

nmt1900 · Thu Sep 26, 2024 3:36 pm

Strange problem seem to be appeared after upgrade - CAPs are unable to connect to CAPsMAN over CAPsMAN's IPv6 link-local address, while other services (like DNS and NTP) are available to CAPs over the same address. Logging in firewall shows that other traffic from CAPs link-local addresses is visible to firewall, while CAPWAP traffic is not. It looks like CAP is unable send requests out to that address.

Neighbour discovery over same address works OK as well.

foraster · Thu Sep 26, 2024 3:59 pm

Did you also upgrade the firmware (under System -> RouterBOARD, and then reboot). The hAP ac² has a IPQ-4018 CPU and according to the changelog, a firmware upgrade is required for IPQ-40xx

*) routerboard - improved Etherboot stability for IPQ-40xx devices ("/system routerboard upgrade" required);

Yes I did upgrade the firmware, but had to downgrade till I have some more time to diagnose if it is a a bad power supply or if the v7.16 is demanding more power han before...

iwikus · Thu Sep 26, 2024 4:01 pm

certificate - added support for cloud-dns challenge validation for sn.mynetname.net (CLI only);

More info on this? Any doc?

dag · Thu Sep 26, 2024 4:06 pm

Quick report: on CRS310

ingress-filtering=no

on a bridge interface does not work anymore after an upgrade to 7.16, VLAN filtering seems to be enforced anyway (which is a problem for stuff like FTTx that often comes with funky VLANs dictated by ISPs who don't seem to care too much about RFCs).

I only tested this with the CRS310, this may or may not impact other devices, I have a couple RBs and CCRs as well, I'll test them when I have a minute.

Reverted back to 7.15.3, it works just fine.

victorbayas · Thu Sep 26, 2024 4:13 pm

Tested reselect-interval again on my AX3, it works great without disconnecting clients only when it chooses non DFS channels. Otherwise the interface goes down for CAC (if you have 802.11k/v/r with the same SSID for both bands it shouldn’t be noticeable).

I left it enabled for 2.4GHz with auto channel and manual DFS channel for 5GHz.

Who knows if MikroTik WiFi 7 APs will have a dedicated radio for zero wait DFS, then it makes sense for them to add the feature.

flynno · Thu Sep 26, 2024 4:42 pm

STABLE IS IT!
09:19:57 wireless,info 6C:A1:00:23:77:DE@cap-wifi1 disconnected, SA Query timeout, signal strength -65
09:19:57 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:20:39 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
09:20:47 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:25:19 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -83
09:25:20 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:26:27 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -83
09:26:27 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:29:29 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -80
09:29:29 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
09:32:15 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -84
09:32:19 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -86
09:35:16 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
09:35:16 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
09:39:39 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
09:39:39 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:43:16 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
09:43:16 wireless,info 6C:A1:00:23:77:DE@cap-wifi1 connected, signal strength -54
09:45:29 wireless,info 6C:A1:00:23:77:DE@cap-wifi1 disconnected, SA Query timeout, signal strength -63
09:45:29 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:46:11 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -80
09:46:34 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
09:46:34 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, connection lost, signal strength -83
09:46:35 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:46:38 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, connection lost, signal strength -81
09:47:15 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
09:47:16 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, connection lost, signal strength -82
09:47:29 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -56
09:53:38 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -53
09:53:40 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -58
10:03:46 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -48
10:03:49 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -57
10:10:55 wireless,info 0A:BA:D7:A3:E6:19@wifi1 disconnected, connection lost, signal strength -56
10:11:11 wireless,info 0A:BA:D7:A3:E6:19@wifi1 connected, signal strength -58
10:13:56 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -52
10:13:57 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -57
10:24:00 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -54
10:24:04 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -59
10:34:09 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -49
10:34:12 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -57
10:44:19 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -51
10:44:21 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -57
10:54:29 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -51
10:54:38 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -56
10:57:50 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -49
10:57:51 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
10:59:01 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -83
10:59:01 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -56
11:09:07 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -51
11:09:07 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:12:14 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:12:32 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:14:39 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:14:39 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:17:28 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:17:28 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:20:30 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:20:39 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:20:40 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, connection lost, signal strength -83
11:20:40 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
11:26:51 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -80
11:26:53 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
11:30:23 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:30:23 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:34:22 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:34:22 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:36:30 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -80
11:36:31 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
11:39:19 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:39:26 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:41:28 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:41:28 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
11:44:39 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:44:41 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:47:57 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:47:57 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -82
11:50:07 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:50:07 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -82
11:52:30 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -83
11:52:30 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -52
12:02:40 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -51
12:02:41 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -56
REALLY!

How many AP's do u have?

gigabyte091 · Thu Sep 26, 2024 5:04 pm

Well... No wonder you got disconnected... That signal strength is sh*t...

toxicfusion · Thu Sep 26, 2024 5:19 pm

STABLE IS IT!
09:19:57 wireless,info 6C:A1:00:23:77:DE@cap-wifi1 disconnected, SA Query timeout, signal strength -65
09:19:57 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:20:39 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
09:20:47 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:25:19 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -83
09:25:20 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:26:27 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -83
09:26:27 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:29:29 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -80
09:29:29 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
09:32:15 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -84
09:32:19 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -86
09:35:16 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
09:35:16 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
09:39:39 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
09:39:39 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:43:16 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
09:43:16 wireless,info 6C:A1:00:23:77:DE@cap-wifi1 connected, signal strength -54
09:45:29 wireless,info 6C:A1:00:23:77:DE@cap-wifi1 disconnected, SA Query timeout, signal strength -63
09:45:29 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:46:11 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -80
09:46:34 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
09:46:34 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, connection lost, signal strength -83
09:46:35 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
09:46:38 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, connection lost, signal strength -81
09:47:15 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
09:47:16 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, connection lost, signal strength -82
09:47:29 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -56
09:53:38 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -53
09:53:40 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -58
10:03:46 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -48
10:03:49 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -57
10:10:55 wireless,info 0A:BA:D7:A3:E6:19@wifi1 disconnected, connection lost, signal strength -56
10:11:11 wireless,info 0A:BA:D7:A3:E6:19@wifi1 connected, signal strength -58
10:13:56 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -52
10:13:57 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -57
10:24:00 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -54
10:24:04 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -59
10:34:09 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -49
10:34:12 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -57
10:44:19 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -51
10:44:21 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -57
10:54:29 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -51
10:54:38 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -56
10:57:50 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -49
10:57:51 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
10:59:01 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -83
10:59:01 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -56
11:09:07 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -51
11:09:07 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:12:14 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:12:32 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:14:39 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:14:39 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:17:28 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:17:28 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:20:30 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:20:39 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:20:40 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, connection lost, signal strength -83
11:20:40 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
11:26:51 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -80
11:26:53 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
11:30:23 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:30:23 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:34:22 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:34:22 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:36:30 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -80
11:36:31 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
11:39:19 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:39:26 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:41:28 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:41:28 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -84
11:44:39 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:44:41 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -83
11:47:57 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -81
11:47:57 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -82
11:50:07 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -82
11:50:07 wireless,info 6C:A1:00:23:77:DE@wifi2 connected, signal strength -82
11:52:30 wireless,info 6C:A1:00:23:77:DE@wifi2 disconnected, SA Query timeout, signal strength -83
11:52:30 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -52
12:02:40 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 disconnected, SA Query timeout, signal strength -51
12:02:41 wireless,info 6C:A1:00:23:77:DE@cap-wifi2 connected, signal strength -56
REALLY!

Same issues here for a customer. Not acceptable, been same since 7.15.3, etc. We're starting to move to another WiFi vendor.

infabo · Thu Sep 26, 2024 5:45 pm

certificate - added support for cloud-dns challenge validation for sn.mynetname.net (CLI only);
More info on this? Any doc?

It's about LetsEncrypt certificate using DNS-01 challenge (https://letsencrypt.org/docs/challenge- ... -challenge) - implemented only for sn.mynetname.net. That's probably why the named it "type=cloud-dns". Maybe one day ROS supports DNS-01 for other domains as well ("type=dns-01" most probably then).

You do not need a public facing HTTP server on port 80 for the .well-known challenge.

To create a certificate for the "your-device-serial.sn.mynetname.net" you just need this:

/certificate/enable-ssl-certificate type=cloud-dns

This is pretty cool. Good job, Mikrotik!

seriquiti · Thu Sep 26, 2024 6:13 pm

Well... No wonder you got disconnected... That signal strength is sh*t...

He is refering to SA query timeouts, and signal strength is not sh*t. He is getting that with signal stronger than -65.

Getting the same issues on my AX2 - went back to 7.14.3 when this wasn't happening.

gigabyte091 · Thu Sep 26, 2024 6:16 pm

After switching to WPA2 only I don't have any problems with that. Connection is much more stable now.

flynno · Thu Sep 26, 2024 6:27 pm

Yeah, I am also getting alot of disconnects with good signal at a clients location using 7.15.3 with 3 ax AP's, I cant seeem to replcate the issue in lab using same config and connected devices roam as they should, could be some interference somewhere at clients location. I will turn down the AP TX power tonight to see if issue goes away

ToTheFull · Thu Sep 26, 2024 9:12 pm

Well... No wonder you got disconnected... That signal strength is sh*t...

You might want to look a little harder!

ToTheFull · Thu Sep 26, 2024 9:15 pm

How many AP's do u have?

Just the 2 AP's you can see the Laptop trying all of the Radios it's allowed on with the same SSID so 3 Choices

mustang1986 · Thu Sep 26, 2024 9:40 pm

7.16 solve it wifi-qcom-ac memory leak?
I don't see any memory leak.

It`s ok? No memory leak?

infabo · Thu Sep 26, 2024 11:10 pm

Give it a try.

infabo · Thu Sep 26, 2024 11:54 pm

*) console - added "about" filters for "find" and "print where" commands;

How does this about parameter work? Can't figure it out. Docs unavailable.

SMARTNETTT · Fri Sep 27, 2024 12:11 am

32 routers x86 and 270 client actualized now all fine
only static dns lose but we put agen and all fine

infabo · Fri Sep 27, 2024 12:50 am

Not directly related to 7.16, but of my interest:

What's new in 7.14beta7 (2024-Jan-15 11:37):

*) sms - moved LTE SMS read settings from "/tool/sms" to "/interface/lte" menu and migrate old configuration (CLI only);

There was a changelog item in 7.14beta7 that did not appear in changelog of 7.14 stable. I dont know what happened to that change. A remaining hint is an option called "sms-read" in /interface/lte. And I dont know what it does or what it is used for. Mikrotik, can you elaborate on this?

crosswind · Fri Sep 27, 2024 1:57 am

Experiencing lots of reboots (up to every 2-30 minutes) on a HAP AC2 working as a wireless trunk between two segments of the network, upgraded to v7.16, on logs I only get the "possible power outage" message.

i'm also seeing this on a hAP ac2 acting as CAP (wifi-qcom-ac, 5GHz only, Ceee).

2024-09-26 12:57:13 system,error,critical router rebooted without proper shutdown, probably power outage
2024-09-26 12:58:23 system,clock,critical,info ntp change time Sep/26/2024 12:57:50 => Sep/26/2024 12:58:23
2024-09-26 12:58:24 system,error,critical router rebooted without proper shutdown, probably power outage
2024-09-26 13:03:03 system,clock,critical,info ntp change time Sep/26/2024 12:59:01 => Sep/26/2024 13:03:03
2024-09-26 13:03:05 system,error,critical router rebooted without proper shutdown, probably power outage
2024-09-26 13:07:11 system,clock,critical,info ntp change time Sep/26/2024 13:03:41 => Sep/26/2024 13:07:11
2024-09-26 13:07:13 system,error,critical router rebooted without proper shutdown, probably power outage
2024-09-26 13:11:39 system,clock,critical,info ntp change time Sep/26/2024 13:07:51 => Sep/26/2024 13:11:39

user reported the problem occurred while downloading from Steam, during idle periods it seems stable. i'll do some more testing and see if downgrading fixes it but i guess this will be a new support request.

infabo · Fri Sep 27, 2024 2:05 am

powered by power supply or Poe?

crosswind · Fri Sep 27, 2024 2:06 am

powered by power supply or Poe?

PoE from a 4011.

infabo · Fri Sep 27, 2024 2:17 am

Maybe device needs more power on load which 4011 can't provide?

crosswind · Fri Sep 27, 2024 2:28 am

Maybe device needs more power on load which 4011 can't provide?

well, it was perfectly stable under 7.15.3, the only change i made recently was upgrading it to 7.16. but as i say i'll do some more testing later today (when users went to sleep) and we'll see.

Kernal87 · Fri Sep 27, 2024 2:42 am

Hi

We have updated all routers to 7.16 since Wednesday.
Now we have the problem that the routers hang up after a while and no longer allow connections. The only thing that helps is a restart.
Both CHR version and hardware such as RB5009UPr+S+.

Does anyone have the same problem?

crosswind · Fri Sep 27, 2024 3:49 am

well, it was perfectly stable under 7.15.3, the only change i made recently was upgrading it to 7.16. but as i say i'll do some more testing later today (when users went to sleep) and we'll see.

i was able to reproduce the problem with iperf3: under wireless load (~500Mbps) the device would reboot every few minutes. downgrading to 7.15.3 fixed the problem.

reported as SUP-166456.

SystemErrorMessage · Fri Sep 27, 2024 4:51 am

i submitted the supout for 7.15 and 7.16 to mikrotik support, its been a few days already and not heard anything back.
Right now its really unusuable when it keeps rebooting frequently not due to load or anything strenuous.

hasmidzul · Fri Sep 27, 2024 5:07 am

Are dns adlists still loaded to flash or already loaded to ram on this 7.16?

Reinis · Fri Sep 27, 2024 6:44 am

Ok thanks. But please also explain if "short circuit" is an undesirable condition for the router, or if it can just be in that state forever without any risk of damage, overheating, etc.

I understand that the name gives an idea, that something is wrong, but that is literally what it is. Any resistance detection device would show exactly the same. It can just be in that state forever without any risk of damage, overheating, etc.

Please also read my post above: we use PoE out on "user ports" where either a PC or a VoIP phone (with through connection to PC) is connected. It is not convenient to have to configure the port differently for the different usages.

There is no need for poe-out to be turned off, suggestion simply implied "hides status that I don't like".

And on any industrial standard PoE switch that is not required at all! You just have 802.3af/at PoE enabled on all ports (by default) and you can plugin any device. The status of the PoE will either be "delivering" or "searching". When there is a low resistance it does not satisfy the 802.3af/at conditions and the status remains "searching" (or "wait for load" or whatever you want to call it).
As I understand that it is different for "passive PoE" (where you just need to try to deliver power and shut off when there is a short circuit to protect your equipment), I suggest (as above) to have a separate 802.3af/at mode where it does not even try to detect short circuit when it does not detect the correct resistance of an 802.3af/at device, just like everyone else does.

Just because other vendors hide the state, does not mean they don't measure the same. Hook up oscilloscope to any vendor PSE and you will see that detection is ran always, otherwise it is impossible for PSE to know -> now turn on the power. For non-pd safety, resistance-detection is done with up to 10.1V and has a very small current-limit. Any PSE evaluation board would show you "short-circuit" against non-poe-devices in their resistance detection register, because as I mentioned, that is literally what physically is measured. What other vendors do is simply hide it, most likely checks that PoE-Out was not enabled, L2 link is on -> no-pd capable device connected, or something like that

I agree that there is a room for improvement and we will be working on it. But all of it is just a "visual trick" and nothing else.

ormandj · Fri Sep 27, 2024 7:09 am

More info on this? Any doc?
It's about LetsEncrypt certificate using DNS-01 challenge (https://letsencrypt.org/docs/challenge- ... -challenge) - implemented only for sn.mynetname.net. That's probably why the named it "type=cloud-dns". Maybe one day ROS supports DNS-01 for other domains as well ("type=dns-01" most probably then).

You do not need a public facing HTTP server on port 80 for the .well-known challenge.

To create a certificate for the "your-device-serial.sn.mynetname.net" you just need this:
Code: Select all
/certificate/enable-ssl-certificate type=cloud-dns
This is pretty cool. Good job, Mikrotik!

DNS-01 support for LE would be amazing. I’m not punching holes for port 80 from the world to internal gear but I already use DNS-01 to handle internal certificates for k8s. This is definitely the right path forward.

akelsey · Fri Sep 27, 2024 8:22 am

Removed. Not related to firmware.

marsbeetle · Fri Sep 27, 2024 9:21 am

Well... No wonder you got disconnected... That signal strength is sh*t...

Wifi signal strength is certainly affected (again) with 7.16. A lot of my home automation lights on 2.4ghz lost connectivity after the upgrade to 7.16 - after downgrade to 7.15.3 they are all connecting fine again. I recall when AX3 was launched all the complaints with weak wifi signal but Mikrotik in their usual denial said it was a configuration issue. Then around 7.13 they updated the driver and suddenly signal strength was much better. Up to 7.15.x signal strength has been fine but with 7.16 it seems this has changed once again. Crazy inconsistency with updates.

Fri Sep 27, 2024 9:36 am

powered by power supply or Poe?
PoE from a 4011.

Updated device FW as well to 7.16 ?
Already 2 users with POE issues which were solved after performing FW upgrade as well.

crosswind · Fri Sep 27, 2024 10:10 am

Updated device FW as well to 7.16 ?
Already 2 users with POE issues which were solved after performing FW upgrade as well.

yes. i don't usually upgrade firmware but i noticed some firmware-related PoE issues with 7.16, so i upgraded firmware on both hAP ac2 and RB4011 to current 7.16. the problem still occurred.

pe1chl · Fri Sep 27, 2024 10:35 am

Ok thanks. But please also explain if "short circuit" is an undesirable condition for the router, or if it can just be in that state forever without any risk of damage, overheating, etc.
I understand that the name gives an idea, that something is wrong, but that is literally what it is. Any resistance detection device would show exactly the same. It can just be in that state forever without any risk of damage, overheating, etc.

Ok thanks for that info (and the other things in the reply)! I will keep the ports on "auto on", I was only worried that it would be trying to put "passive PoE" on the port and detect the short circuit, possibly damaging something.

pe1chl · Fri Sep 27, 2024 10:53 am

Hi

We have updated all routers to 7.16 since Wednesday.
Now we have the problem that the routers hang up after a while and no longer allow connections. The only thing that helps is a restart.
Both CHR version and hardware such as RB5009UPr+S+.

Does anyone have the same problem?

No, don't have that problem. Routers (and memory usage) are stable.
These reports are not very useful when there is no information at all about how the routers are used.
Suspect areas include the DNS resolver. Remove your "adlist", "doh" configuration, set a reasonable cache size (for the device memory) and see if it still occurs.

wispmikrotik · Fri Sep 27, 2024 10:59 am

Hi,

Some of these 3 changes (I would discard the DPD) is making after a while, several polycy stop working between a remote hexs and L009.

The polycy is "established" but traffic stops passing to the tunnel, with a Disable/enable of the Policy everything works again ....

I have not suffered this in any 7.x.x. It is clearly a problem introduced in this version.

*) ike2 - improved performance by balancing multicore CPU usage for key exchange calculation;
*) ipsec - changed default dpd-interval from 2 minutes to 8 seconds and dpd-maximum-failures from 5 to 4;
*) ipsec - improved installed SA statistics update;

I just opened a support ticket, with 2 supout files, before and after enable/disable the policy manually.

Regards,

woland · Fri Sep 27, 2024 11:05 am

With my new Laptop and after upgrading my CAPax to 7.16, WIFI became unusable. It´s probably my new chipset being Intel 6E AX211. Signal is perfect, but lots of SA Query Timeouts.
I read the forum quite often, so I know I would probably need to go back to WPA2. But it´s 2024 and I don´t understand why I would need to do that. With other vendors, including my other setups built with TP Link Omadas, everything is working perfectly and I can just forget the installed APs apart from running updates sometimes. Currently using MT WIFI is an adventure to unfold, instead of a quiet ride, as it should be.

woodych · Fri Sep 27, 2024 11:17 am

CRS210 Switch Menue broken via WebFIG?

It looks like one the ACL and FDBs menues work after the upgrade. The ones regarding VLAN don't.

Also IGMP snooping only seems to be active on vlan 0, not on all vlan in use.

https://wiki.mikrotik.com/wiki/Manual:I ... Offloading Ok, that is a chip hardware limitation I guess.

utiker · Fri Sep 27, 2024 11:35 am

Yesterday I updated my hAP ac3, then my ATL. Since then, I can't connect to the ATL at all:

viewtopic.php?p=1099724

I really hope someone can help.
This is a critical situation and quite strange for a stable release.

mantouboji · Fri Sep 27, 2024 3:10 pm

More info on this? Any doc?
This is pretty cool. Good job, Mikrotik!

Wait for RFC-2136 support