v7.17beta [testing] is released!

gigabyte091 · Sat Oct 05, 2024 6:28 am

That's because PPSK probably doesn't support management frame protection which is I think needed for WPA3.

toxicfusion · Sat Oct 05, 2024 7:07 am

I appreciate MikroTik here [normis] taking the time to provide detailed replies, taking time to try to answer question and make points. Obviously there is passion here and defending.

I mentioned this before in another general topic/thread. I FEEL MikroTik SHOULD shift to soho/pro/enterprise product models. This new security "feature" of device-mode fits that model.

Further, if this new device-mode and concern of locking features and or requiring remote power-cycle. This should be more for "enterprise" level devices - where most deployments should have OOB management means, or a power control PDU to remotely power cycle power ports in real environments.

Otherwise, for soho devices - it is easy for end-user to power-cycle a device.

What about us that operate as WISP, ISP or consultants deploying devices and are soon ready to upgrade past 7.17+. Would we then need to schedule maintenance AND truck rolls to touch EACH device in order to properly change device-mode? Or we have to instruct the customers / end-users we need them to perform XYZ steps due to a security rollout? Otherwise, we decide to stay away from 7.17. Hard to stay away, especially when have future wireless enhancements -- AX is broken. [mANTBox 15 ax]

However, this might be a MOOT issue, given MikroTik will change the default to "advanced". It would be for those "soho/consumer". COUGH hAP type devices -- need to be set to device-mode=HOME. for HOME users that do not need said features....

Distinctive product lines that properly align with RouterOS functionality makes more sense. Default hAP to 'device-mode=home', and then if we CHOOSE as professionals / enthusiasts to use the hAP type device in other means and function, we can configure for advanced/enterprise and physically power cycle...

liveup · Sat Oct 05, 2024 8:42 am

*) zerotier - upgraded to version 1.14.0;

Thanks for ZT update, have a good weekend all.

+1

There are also newer options in ZeroTier too that are not exposed... yet? i.e. be nice to control multipath and enable low-bandwidth mode
Has anyone checked if private moons support is really working?

need moons ,too

igorr29 · Sat Oct 05, 2024 12:55 pm

is SUPERCHANNEL actually working for anyone with ax boards?
why is it even there if it's not working?

winbox64_2Sq70RX0Ki.png

winbox64_3BWwv2XEbo.png

it *should* work:

winbox64_F4GxNNqQT7.png

Coughy · Sat Oct 05, 2024 2:04 pm

check your logs if you have dude installed i just got a warning that IP 172.169.6.6 tried to log into my dude via winbox
now thats in amsterdam so the hackers are out and about
lucky the firewall did its job and denied that but WHY what is happening mikrotik i have never had syn flooding from ros before why now
and this new attempt to enter my mikrotik mmm
might have to uninstall dude if this keeps up

Screenshot 2024-10-05 210357.png

etRange: 172.160.0.0 - 172.191.255.255
CIDR: 172.160.0.0/11
NetName: RIPE
NetHandle: NET-172-160-0-0-1
Parent: NET172 (NET-172-0-0-0-0)
OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam

riv · Sat Oct 05, 2024 7:18 pm

need moons ,too

+1

gabacho4 · Sat Oct 05, 2024 7:40 pm

Is there a specific reason why
multi-passphrase is not supported for the WPA3-PSK authentication type.

Will it be supported in future releases?

WPA3 will never support PPSK as currently implemented. A simple Google query for WPA3 and PPSK will get you all sorts of information from a variety of networking resources.

PackElend · Sat Oct 05, 2024 7:50 pm

Is there a specific reason why
multi-passphrase is not supported for the WPA3-PSK authentication type.

Will it be supported in future releases?
WPA3 will never support PPSK as currently implemented. A simple Google query for WPA3 and PPSK will get you all sorts of information from a variety of networking resources.

😭
So there any option to do the vlan separation based on PSK or similar?
Wondering how to deal with the headless devices which can be assigned to an VLAN easily now (with PPSK).

gigabyte091 · Sat Oct 05, 2024 9:14 pm

You are doing VLAN separation. Every smart device must have some kind of app or a way to select SSID and input password. So just input password you specified for that VLAN and thats it

PackElend · Sat Oct 05, 2024 9:22 pm

You are doing VLAN separation. Every smart device must have some kind of app or a way to select SSID and input password. So just input password you specified for that VLAN and thats it

I want only broadcast two SSIDs guest and locals (locals has several VLANs and assignment is according to MAC, now PPSK).

Are we talking about the same setup?

gigabyte091 · Sat Oct 05, 2024 9:28 pm

Why two ssids ? Just put guest on separate VLAN, assign them password and that's it.

PackElend · Sat Oct 05, 2024 9:36 pm

Why two ssids ? Just put guest on separate VLAN, assign them password and that's it.

Easier for the user, what they are used to.
GUEST and PRIVATE

There are several flats in the building, each flat has his own VLAN-I'd. Assignment is based on Hotspot login (using eworm's scripts), PPSK in the future.

gigabyte091 · Sat Oct 05, 2024 9:40 pm

One thing that came to my mind is to create virtual AP just for guests, without PPSK, and give them one password.

PackElend · Sat Oct 05, 2024 9:41 pm

But how to deal with the PRIVATE ssid, which requires VLAN assignment based on device, password used

gigabyte091 · Sat Oct 05, 2024 9:44 pm

For private SSID use PPSK. Works like a charm for now.

PackElend · Sat Oct 05, 2024 9:46 pm

WPA3 will never support PPSK as currently implemented. A simple Google query for WPA3 and PPSK will get you all sorts of information from a variety of networking resources.
😭
So there any option to do the vlan separation based on PSK or similar?
Wondering how to deal with the headless devices which can be assigned to an VLAN easily now (with PPSK).

PPSK gets me back to here, WPA3 and alternative way doing PPSK

Amm0 · Sat Oct 05, 2024 11:33 pm

multi-passphrase is not supported for the WPA3-PSK authentication type.
WPA3 will never support PPSK as currently implemented. A simple Google query for WPA3 and PPSK will get you all sorts of information from a variety of networking resources.

[...]

PPSK gets me back to here, WPA3 and alternative way doing PPSK

I believe you can do WPA3 and EAP using the user-manager package. You'd have to enable EAP in Wi-Fi, but you'd can keep WPA3. Since user manager let you set a VLAN (excluding wifi-qcom-ac), it be based on the "user" & "password" in EAP & those could map to in similar PPSK scheme (one user per vlan). As bonus, you'd have more control down to a specific user-level if desired, and without more SSIDs broadcasting.

PackElend · Sun Oct 06, 2024 12:22 am

WPA3 will never support PPSK as currently implemented. A simple Google query for WPA3 and PPSK will get you all sorts of information from a variety of networking resources.
[...]
PPSK gets me back to here, WPA3 and alternative way doing PPSK
I believe you can do WPA3 and EAP using the user-manager package.

would that a mix if WPA2 and WPA3?
Shouldn't be it WPA3-SAE?

Has anyone tried this approach?
I'm far from home for some time and cannot test that.

hapoo · Sun Oct 06, 2024 5:05 pm

Bug introduced in ROS 7.16 with :resolve still persists.

If you have a static dns entry for example.com you run:
:resolve example.com server=1.1.1.1
The server is never queried and the static dns entry is returned instead.

VadiKO · Mon Oct 07, 2024 10:47 am

I have to report that the Wi-Fi disable issue is still not resolved... currently the stable version is still 7.14.3
We continue to discuss this in detail here - link

packetnerd · Mon Oct 07, 2024 5:51 pm

fischerdouglas compilation

Lets talk about Hardware Offload?

When will it be possible to use VRF without losing Fast-Path and Hardware Offload features?

+1 this request. Is this newly broken, or has it never worked?

Pretty please, Mikrotik, this is such an important feature.

merkkg · Mon Oct 07, 2024 5:57 pm

fischerdouglas compilation
Code: Select all
Lets talk about Hardware Offload?

When will it be possible to use VRF without losing Fast-Path and Hardware Offload features?
+1 this request. Is this newly broken, or has it never worked?

Pretty please, Mikrotik, this is such an important feature.

From mikrotik help

Only the main routing table gets offloaded. If VRF is used together with L3HW and packets arrive on a switch port with l3-hw-offloading=yes, packets can be incorrectly routed through the main routing table. To avoid this, disable L3HW on needed switch ports or use ACL rules to redirect specific traffic to the CPU.

clambert · Mon Oct 07, 2024 6:12 pm

From my perspective, VRF Hardware Offload in conjunction with MPLS (i.e. MPLS VPNv4) is the most important functionality that should be added.

spippan · Mon Oct 07, 2024 6:31 pm

From my perspective, VRF Hardware Offload in conjunction with MPLS (i.e. MPLS VPNv4) is the most important functionality that should be added.

wonder if there are any 98DX or other marvell chips in use by MT are able to do this (did not read all whitepapers - maybe someone knows someone who might have some insight 🤷‍♂️ )

woland · Mon Oct 07, 2024 6:35 pm

wonder if there are any 98DX or other marvell chips in use by MT are able to do this (did not read all whitepapers - maybe someone knows someone who might have some insight 🤷‍♂️ )

viewtopic.php?t=211511

Unfortunately, L3HW doesn't support VRF yet. The hardware (switch chip) supports it, but the feature has not yet been implemented in RouterOS. There are plans to add VRF L3HW, but I cannot share the ETA at the moment of writing.

Tue Oct 08, 2024 8:54 am

From my perspective, VRF Hardware Offload in conjunction with MPLS (i.e. MPLS VPNv4) is the most important functionality that should be added.
wonder if there are any 98DX or other marvell chips in use by MT are able to do this (did not read all whitepapers - maybe someone knows someone who might have some insight )

They definitely are able to.

Tue Oct 08, 2024 8:57 am

From my perspective, VRF Hardware Offload in conjunction with MPLS (i.e. MPLS VPNv4) is the most important functionality that should be added.

I agree, but Mikrotik cannot just add HW offloading. They need to add FastPath offloading for MPLS Push/Pop including VRF's (L3VPN/VPNv4/VPNv6)

The Marvell based platforms are a very small part of their entire portfolio, and FastPath will benefit a lot more devices than just L3HW. Both are needed to deliver the best outcome for Mikrotik's customers.

Not to mention the long overdue IPv6 FastPath module.

ivicask · Tue Oct 08, 2024 11:06 am

Logs full of connection lost for various devices
For example Samsung soundbar not moving inch, standing next to HAP AX3.
disconnected, connection lost, signal strength -24
disconnected, connection lost, signal strength -32
etc..

Also devices sometimes roam from 5 ghz to 2ghz again under for signal for no reason, or even flap around, 5ghz>2ghz>5ghz in like minute while not moving and under full signal (3m from router)

Disabled WPA3, disabled FT, etc, think i tried about everything.
Its same on 7.16 and 7.15...
Reverting to 7.14.3 fixes the problem.

spippan · Tue Oct 08, 2024 12:37 pm

wonder if there are any 98DX or other marvell chips in use by MT are able to do this (did not read all whitepapers - maybe someone knows someone who might have some insight 🤷‍♂️ )
viewtopic.php?t=211511
Unfortunately, L3HW doesn't support VRF yet. The hardware (switch chip) supports it, but the feature has not yet been implemented in RouterOS. There are plans to add VRF L3HW, but I cannot share the ETA at the moment of writing.

thanks for the link

clambert · Tue Oct 08, 2024 2:20 pm

I agree, but Mikrotik cannot just add HW offloading. They need to add FastPath offloading for MPLS Push/Pop including VRF's (L3VPN/VPNv4/VPNv6)
The Marvell based platforms are a very small part of their entire portfolio, and FastPath will benefit a lot more devices than just L3HW. Both are needed to deliver the best outcome for Mikrotik's customers.
Not to mention the long overdue IPv6 FastPath module.

Totally agree. I'm confident they can implement that, considering the recent implementation of FastPath for VPLS.

spippan · Tue Oct 08, 2024 3:00 pm

a roadmap would be nice (*wishful thinking*)

fischerdouglas · Tue Oct 08, 2024 3:10 pm

I agree, but Mikrotik cannot just add HW offloading. They need to add FastPath offloading for MPLS Push/Pop including VRF's (L3VPN/VPNv4/VPNv6)
The Marvell based platforms are a very small part of their entire portfolio, and FastPath will benefit a lot more devices than just L3HW. Both are needed to deliver the best outcome for Mikrotik's customers.
Not to mention the long overdue IPv6 FastPath module.
Totally agree. I'm confident they can implement that, considering the recent implementation of FastPath for VPLS.

I would guess that in order for RouterOS to interact with the chip to give hardware offload orders for features like L3VPN/VPNv4/VPNv6, they would need to do things like update the kernel they use and the Marvell SDK version.

I sincerely doubt they will have the will and courage to do that any time soon.

merkkg · Tue Oct 08, 2024 3:27 pm

Totally agree. I'm confident they can implement that, considering the recent implementation of FastPath for VPLS.
I would guess that in order for RouterOS to interact with the chip to give hardware offload orders for features like L3VPN/VPNv4/VPNv6, they would need to do things like update the kernel they use and the Marvell SDK version.

I sincerely doubt they will have the will and courage to do that any time soon.

They should aim to keep up to date with kernel and sdk versions else we have situation like we did from ros6 to ros7 taking years as well as wifi6 taking

Paternot · Tue Oct 08, 2024 3:59 pm

I would guess that in order for RouterOS to interact with the chip to give hardware offload orders for features like L3VPN/VPNv4/VPNv6, they would need to do things like update the kernel they use and the Marvell SDK version.

I sincerely doubt they will have the will and courage to do that any time soon.

Well, they are using a fairly recent kernel - and the V7 series already had one kernel change. So, I think they learned their lesson with V6, and things are more decoupled this time.

merkkg · Tue Oct 08, 2024 4:33 pm

I would guess that in order for RouterOS to interact with the chip to give hardware offload orders for features like L3VPN/VPNv4/VPNv6, they would need to do things like update the kernel they use and the Marvell SDK version.

I sincerely doubt they will have the will and courage to do that any time soon.
Well, they are using a fairly recent kernel - and the V7 series already had one kernel change. So, I think they learned their lesson with V6, and things are more decoupled this time.

How u checking kernel version?

elbob2002 · Tue Oct 08, 2024 5:27 pm

How u checking kernel version?

/system/resource/usb

You should see something like:

0 1-0     Linux 5.6.3-64 uhci_hcd  UHCI Host Controller     12

anav · Tue Oct 08, 2024 6:28 pm

a roadmap would be nice (*wishful thinking*)

Easy Peasy just become a valued investor. ;-)

eworm · Tue Oct 08, 2024 6:29 pm

Well, 5.6.3 is from 2020-04-08. IMHO that is far from recent.

https://git.kernel.org/pub/scm/linux/ke ... /?h=v5.6.3

Paternot · Tue Oct 08, 2024 7:13 pm

Well, 5.6.3 is from 2020-04-08. IMHO that is far from recent.

True - but is far from ancient. I said "fairly", I didn´t say "brand new". As long as Mikrotik keeps up with security patches - and backport them to this version - things will work.
At some point (I hope in a reasonably near future), it would be good to have a newer kernel. It must be balanced against what the hardware maker supports though. If Marvell, Qualcomm or <whatever> doesn't have SDK and drivers to a newer kernel... well, Mikrotik will have to keep the latest possible version, until hardware is deprecated.

Tue Oct 08, 2024 7:17 pm

Kernel version have been discussed many times before and like it was mentioned before it is being patched, so you cannot say that it is 5.6.3 in the form as it came out in 2020. Kernel version is updated when it is absolutely necessary or the actual gains are worth the effort.

Network5 · Tue Oct 08, 2024 8:17 pm

Speaking about MPLS / VPLS, did someone try to see if the last versions are still losing packets on CCR2216? As far as I know, it is still an unresolved issue.

infabo · Tue Oct 08, 2024 9:49 pm

Kernel version have been discussed many times before and like it was mentioned before it is being patched, so you cannot say that it is 5.6.3 in the form as it came out in 2020. Kernel version is updated when it is absolutely necessary or the actual gains are worth the effort.

I am sure a XKCD comics exists for this.

Paternot · Tue Oct 08, 2024 9:52 pm

I am sure a XKCD comics exists for this.

At this point, I`m convinced there is one XKCD for everything in life.

Amm0 · Tue Oct 08, 2024 11:52 pm

What's new in 7.16 (2024-Sep-20 16:00):
*) console - added additional byte-array option to :convert command;
*) console - improved :serialize and :deserialize commands and added support for DSV (delimiter separated values) format;

What's new in 7.17beta2 (2024-Sep-27 10:07):
*) console - added to/from=num option for :convert command;

Thank you @Mikrotik for these!

For other folks, I wrote up [dense] examples of new ":convert" and ":serialize" methods – since the usage of the above new scripting function may not be clear from the RN:
CSV parsing ([de]serialize's =dsv)
binary/IOT/"hexstring" data parsing (convert's =byte-array =bit-array =hex =num)

With 7.17 specifically, ":convert from=num to=raw" adds converting from an ASCII code, into a letter (among other uses). Combined with "inkey" to collect a single character but returns a numeric ("num") ASCII code, so if you want to match on a letter, it's much shorter now.

:put "Press 'y' to continue, or any other key to abort"
:if ( [:convert from=num to=raw [/terminal/inkey]] != "y" ) do={ :error "script stopped by user" }
# more code after 'y' key ...

msilcher · Wed Oct 09, 2024 3:26 pm

fischerdouglas compilation

Have you MikroTik guys considered splitting the DNS service as was done with the Wifi packages?
Separating different things of different interest into Packages?
Embedded in RouterOS DNS being just a regular AND SIMPLE DNS relay/recursive.
Focused on attending to the requirements of scenarios of home and basic device-modes.
An extra dns.npk designed to be a more complex DNS service, with all the more advanced features that already exist on actual DNS, and other ones that were not included because it complicates much of the basic.
It would reduce the probability of simple issues affecting a huge number of devices.
Would make it easier to do some demands that are a pain to deploy in the current scenario(like VRF on outgoing queries).
It would also prevent less experienced users from getting into trouble by messing with settings that don't need to exist in more basic scenarios.

In regards to have a "more advanced" DNS service in a separate package is not a bad idea at all, I like it!!
Actually there are a lot of features missing in the DNS service that could be addressed. Users who don't need additional features could stick to the integrated basic DNS service.

spippan · Wed Oct 09, 2024 3:53 pm

fischerdouglas compilation
Code: Select all
Have you MikroTik guys considered splitting the DNS service as was done with the Wifi packages?
Separating different things of different interest into Packages?
....
In regards to have a "more advanced" DNS service in a separate package is not a bad idea at all, I like it!!
Actually there are a lot of features missing in the DNS service that could be addressed. Users who don't need additional features could stick to the integrated basic DNS service.

would like to see that to. +1

additionally, splitting up services / make services more modular would be a great feature anyways. put smb, dlna, mpls, proxy and so on into separate packages like wireless, wifi-qcom(-ac) or rose.
this even helps saving storage footprint and modules which need to get loaded at bootup!

turan · Wed Oct 09, 2024 4:25 pm

there is an issue in hotspot html directory,
if i set "flash/hotspot" it becomes "flash/flash/hotspot" and so on.
keep adding flash/

Board: 750gr3

jpeppard · Wed Oct 09, 2024 5:59 pm

Can anyone else confirm that the packet loss has increased in 7.17beta2 by comparision to 7.16. I noticed websites failing to load on 7.17beta2 and tested using https://speed.cloudflare.com/. I saw in "Packet Loss Measurements" between 1% to 10% lost packets and never 0% of lost packets. I downgraded to 7.16 and most are 0% of lost packets and the highest lost packets was 0.5% of lost packets.

To me its obvious that 7.17beta2 is loosing packets. I turned off all queues and same results.

Tested on my side, running CCR2004-16g-2S+ on 7.17beta2. No packet loss detected on multiple runs of cloudflare speed test.

noradtux · Wed Oct 09, 2024 7:04 pm

Logs full of connection lost for various devices
For example Samsung soundbar not moving inch, standing next to HAP AX3.
disconnected, connection lost, signal strength -24
disconnected, connection lost, signal strength -32
etc..

Also devices sometimes roam from 5 ghz to 2ghz again under for signal for no reason, or even flap around, 5ghz>2ghz>5ghz in like minute while not moving and under full signal (3m from router)

Disabled WPA3, disabled FT, etc, think i tried about everything.
Its same on 7.16 and 7.15...
Reverting to 7.14.3 fixes the problem.

Look if DHCP is working. I had devices disconnecting and reconnecting but had in fact an issue with DHCP snooping.

nmt1900 · Wed Oct 09, 2024 7:36 pm

That might have some truth in it - some devices are so stupid that they "resolve" loss of their IP address configuration by disconnecting from wifi network.

Sit75 · Wed Oct 09, 2024 8:36 pm

Can anyone else confirm that the packet loss has increased in 7.17beta2 by comparision to 7.16. I noticed websites failing to load on 7.17beta2 and tested using https://speed.cloudflare.com/. I saw in "Packet Loss Measurements" between 1% to 10% lost packets and never 0% of lost packets. I downgraded to 7.16 and most are 0% of lost packets and the highest lost packets was 0.5% of lost packets.

To me its obvious that 7.17beta2 is loosing packets. I turned off all queues and same results.
Tested on my side, running CCR2004-16g-2S+ on 7.17beta2. No packet loss detected on multiple runs of cloudflare speed test.

I can not confirm, no any visible packet loss (7.17beta2 cloudflare) on hAP ac^2 IPv6/IPv4 VDSL2 110/25 from Czechia.

ofca · Wed Oct 09, 2024 11:56 pm

What is your proposal, to verify ownership of a device in a way, that a remote attacker can't do?

An option in /system routerboard that will be available for 24 hours since upgrade/since first boot/since running a command confirmed with button press/since running a command confirmed with power cycle, that will return a random 16 character string, that will also be permanently written to the device. This random 16 character string may then be used to authorize restricted operations remotely. What's wrong with this? Why can't we have good things?

guipoletto · Thu Oct 10, 2024 2:00 am

What is your proposal, to verify ownership of a device in a way, that a remote attacker can't do?
An option in /system routerboard that will be available for 24 hours since upgrade/since first boot/since running a command confirmed with button press/since running a command confirmed with power cycle, that will return a random 16 character string, that will also be permanently written to the device. This random 16 character string may then be used to authorize restricted operations remotely. What's wrong with this? Why can't we have good things?

Try keeping track of this across tousands of remotelly managed devices, it would be chaos. Random factory passwords are already bad enough!

Thu Oct 10, 2024 4:57 am

What about us that operate as WISP, ISP or consultants deploying devices and are soon ready to upgrade past 7.17+. Would we then need to schedule maintenance AND truck rolls to touch EACH device in order to properly change device-mode? Or we have to instruct the customers / end-users we need them to perform XYZ steps due to a security rollout? Otherwise, we decide to stay away from 7.17. Hard to stay away, especially when have future wireless enhancements -- AX is broken. [mANTBox 15 ax]

i operate hundreds of devices in multiple locations and several countries as an external consultant, some features that will be blocked in 7.17 i use it frecuently so i will have to stay on 7.16 because of this extreme measures

Thu Oct 10, 2024 5:02 am

What will you be using traffic gen for, in this remote router? There is no need for theoretic, like I said

i use traffic gen on a daily basis for performance testing and bandwidth validation i will have to stay on 7.16 because of this being disabled on 7.17, is very expensive to move personel to every site at off peak hours, paying hotel, etc, to do this upgrades and do the procedure to activate this features on production equipment

nichky · Thu Oct 10, 2024 5:07 am

does TE work on v7?

coddy · Thu Oct 10, 2024 10:33 am

@ofca, @mikrotik,

Another option would be to have a token that can be user settable for say 30 minutes after initial upgrade to v7.17 or first power on if already 7.17+. After that period of time you would need to set a flag and power cycle or reset the device to allow the token to be set again. Once the token is set to nvram the only way to change it would be set a flag and power cycle or reset. This covers someone downgrading and upgrading again to get the 30 minute window (if the user had allowed that already).

Having a user settable token is much easier for enterprises/businesses to handle as they can standardise it.

If you are concerned this could lead to poor token complexity you could have a command to generate a token, have a checksum in the token to ensure its a generated random token. Then only allow 'generated' tokens to be set. The admin would generate a token on one device and use that securely generated token across all devices. Simple as hashSha256('someRandomStringThatOnlyMTknows' | <32 byte random array>) and taking the last 8 bytes of the hash as the 'checksum', then take the combined (in any way you wish) 40 byte result mime encode and present to the user. A secure string that is highly probable to be MT generated and is random and secure with 256 bit strength.

This would allow enterprises to manage their upgrade to 7.17, set a highly secure key that when used would allow the admin to change options without power cycle or reset.

It allows for flexibility as to how the enterprise wants to manage the key(s). They could generate a key, set it and record it (encrypted) against the devices base MAC in a database somewhere on a per device basis.

They could generate a key to be used on a group of devices and record that in a password manager.

I appreciate the need for MT to secure these devices and it is great they are working on options to do it. I also fully agree that this needs to be manageable by IT teams, and especially the transition.

I hope MT takes onboard this approach, and turn this in to a win for everyone.

infabo · Thu Oct 10, 2024 10:55 am

Mikrotik won't adopt this approach. The introduced the "downgrade" flag so an attacker can not downgrade to an insecure ROS version.

In the proposed case of token within 30minutes of initial upgrade to 7.17, the pitfalls are clear:

attacker gains access to device running < 7.17 somehow. Hits upgrade button; the token is presented to the attacker. Now the attacker can enable "downgrade" flag, enable e.g. "scheduler" or whatever device mode property that was previously disabled. Finally downgrade to previous ROS version. An admin without remote logging or remote uptime checks would notice that. It would only take some minutes for upgrade and downgrade again.

Or an attacker that does not want to "sneak into" but wants to make your life hard: Hits upgrade button, knows the token now and sets device-mode to "home". Now you have a "dumb" device instead of your previously full fledged router.

Would be a pretty effort to reset such a device to "advanced" mode again. It would not just involve netinstall, additionally some power cycle or button presses.

But I must admit: it is the best alternative approach suggestion so far. But it has this major pitfall.

sinisa · Thu Oct 10, 2024 11:19 am

I must add that this device-mode change was not thought enough in advance, but pushed on us users in some sort of "let's see if anybody would complain" way. Luckily, it's only in beta, so it should be easy to go back and think things over.
You (Mikrotik) are asking us (users) about "Device Controller" that is not even on horizon (and that most don't care about because they have already got things under control), but did not bother to ask about "security" feature that WILL affect (in most negative way - by hitting their wallets) everyone already using MT devices unless they decide to never update past 7.16 (so bye-bye to "lifetime updates").
PLEASE make this completely optional, let us know that it exists and that we CAN lock-down the devices we WANT to, even remind us every time like with default passwords if you must, but don't force this on us!

nmt1900 · Thu Oct 10, 2024 11:30 am

Mikrotik will now either try (again) to make case that "nothing will change for devices that are already set up" - which is highly questionable (except when you do not use features to be locked out) or will be just ignoring this specific issue here.

Or will it go some other way (?)...

infabo · Thu Oct 10, 2024 11:50 am

I see no other solution than to activate the new device mode defaults only for factory-new devices. Unless someone has a really secure alternative to that power-off/button-press thing that can confirm changes without physical access.

And one reminder: only a few are reading/following beta topics. This discussion will go through the roof - if really introduced in stable version.

coddy · Thu Oct 10, 2024 11:54 am

@infabo, I like how you think, but we need to find a suitable path forward. The pitfall, I guess falls into the "you can't trust a compromised device/pc/mac/toaster" category. You should netinstall such a device or 'recycle it' (rubbish bin).

(A possible workaround would be to only allow the 'devicekey' to be set in that 30 minute window via api/ssh/console/web but not a scheduled script. This would make it much harder for the attacker to maintain their foothold via a scheduled script - yes I can see ways around this too, but again its a compromised device to begin with trust = zero, but we can make them work harder for it, and since the 'door' is already open you probably have much bigger issues inside your network now than power cycling a device! Ransomware/wiper/multiple footholds bell ringing....).

If after upgrading you find you can't set the device key because it has already been set, that should set alarm bells ringing too. Again easy for an enterprise/ISP, they upgrade a device via api/ssh, wait for it to come back online, using api/ssh set the device key, failure to set results in a flagged device. Quarantine/bin.

The point of what I am proposing is to enable enterprises/ISPs to maintain their devices securely and remotely. Again, I am aiming for the win-win if possible. There are probably variations of what I am suggesting, but this fits into what most enterprises/ISPs could easily manage and keeps a very high degree of security by enforcing a strong random 'deviceKey'.

Please Mikrotik strongly consider this

ofca · Thu Oct 10, 2024 12:37 pm

An option in /system routerboard that will be available for 24 hours since upgrade/since first boot/since running a command confirmed with button press/since running a command confirmed with power cycle, that will return a random 16 character string, that will also be permanently written to the device. This random 16 character string may then be used to authorize restricted operations remotely. What's wrong with this? Why can't we have good things?
Try keeping track of this across tousands of remotelly managed devices, it would be chaos. Random factory passwords are already bad enough!

We already do. We manage over 7 thousand routers, have daily backups of configuration of each. Adding one more string to the database should take one man-hour with testing by my estimates +/- 30 min.

ofca · Thu Oct 10, 2024 12:44 pm

Mikrotik won't adopt this approach. The introduced the "downgrade" flag so an attacker can not downgrade to an insecure ROS version.

wait, what? So... if attacker gets access to sub 7.17 device they will upgrade to 7.17 to get the token, that will allow them to downgrade? :D

infabo · Thu Oct 10, 2024 12:48 pm

That's one part I said. Read my full comment and/or don't quote an excerpt which makes no sense standalone quoted.

ofca · Thu Oct 10, 2024 1:10 pm

That's one part I said. Read my full comment and/or don't quote an excerpt which makes no sense standalone quoted.

You seem to be forgetting that reverting "dumb" device to "uber-smart" device is one button-push/power cycle away. This is merely a convenience for people controlling thousands of devices. "Normal" users could simply ignore it, and their routers would lockdown after n hours post-upgrade. Resetting this password could be implemented the same way.

ofca · Thu Oct 10, 2024 4:11 pm

Actually, now that I think about this a little more, instead of forcing an arbitrary device setting requiring reboots and button voodoo, perhaps what we all are looking for is some "superuser" (superadmin?) mode that requires the knowledge of an out-of-band password, like the one you can find on a sticker on the device? This way all routers could start in "home" mode, and enabling superadmin mode would allow setting which features are available to normal admins, and which require superadmin.

Ways to get the superadmin password:
- remotely in /system routerboard menu - using this option would require a button-push / power cycle confirmation, and then it would be possible to see the password only once, before reverting to previous locked state. Admin would make a note of it, or, in our case, our management system would make a note of it)
- one exemption to the above would be the upgrade to 7.17 from a version that didn't have the feature - it would be possible to see the password only once during first 24 hours after an upgrade.

Since this is only relevant to post 7.17 devices, the fact that some theoretical attacker could get hold of the password by upgrading to 7.17+ doesn't matter, since they could already downgrade to whatever vulnerable version they wish without doing pointless steps.

infabo · Thu Oct 10, 2024 4:15 pm

You seem to be forgetting that reverting "dumb" device to "uber-smart" device is one button-push/power cycle away.

Well, what is then this whole discussion about when it is all just a "button-push/power cycle" away?

You can really piss someone's leg really hard by changing device mode to "dumb device" mode when physical access is not easy.

genesispro · Thu Oct 10, 2024 7:05 pm

lte - added provider specific firmware update (FOTA) for Cosmote GR networks on Chateau 5G;

so can anyone explain in depth what is that? It could be interesting

foegra · Thu Oct 10, 2024 8:26 pm

I've been always using container running on USB on my Mikrotik device.
When tried switching from 7.17beta2 to 7.16 -> none of the containers would start.
I've noticed, while extracting - they were filling up internal memory, despite usb device path is set for pulling containers.

Does anyone know - how to go back to stable and still have containers running?

raffav · Thu Oct 10, 2024 8:31 pm

You seem to be forgetting that reverting "dumb" device to "uber-smart" device is one button-push/power cycle away.
Well, what is then this whole discussion about when it is all just a "button-push/power cycle" away?

You can really piss someone's leg really hard by changing device mode to "dumb device" mode when physical access is not easy.

And what about if Mk create a tool in Mk account portal like the branding tool that generate a special package that you install on the device and reboot that will allow to enable the device to advance mode
They can create some sort of authentication that validate that is really you that trying to perform that change..
Or something like that...

FezzFest · Fri Oct 11, 2024 12:20 am

Or, hear me out, what if they just allow people upgrading to v7.17 to keep existing functionality and simply introduce these new lockdown measures on new devices? That would still improve security while simultaneously not screwing over existing users in some way or another.

coddy · Fri Oct 11, 2024 4:18 am

ok, the main points of what I was proposing to ease this transition:

On first upgrade to 7.17, or initial power-on or netinstall with 7.17+

Display or have available (/system/routerboard/get device-token) a secure device token string for a limited period of time (30 minutes)

The admin can copy this token and record it against the device

During this 30 minutes the admin can CHANGE the device token (/system/routerboard/set device-token="newSecureToken")

During this 30 minutes the admin can SET secure device options as needed (downgrade, boot partitions, container use, etc) without being prompted to power-cycle/reset.

After 30 minutes/Second+ boot

The device token becomes inaccessible (/system/routerboard/get device-token returns null)

Changing secure device options, including the device-token would require adding the a device-token="..." to the command to enable it without requiring a power-cycle/reboot - this critically enables enterprises/ISPs/SMBs to continue to manage these and any future options without visiting/remotely power-cycling devices

The admin can also set the secure device options and device-token without using the device-token, but they will then be prompted to power-cycle or reset in the next 5 minutes

Rational

This would give a 'grace' window for setting options without having to go through the power-cycle/reset procedure

This would enable enterprises/ISPs/SMBs to record, and/or set their own device token in a way that works with their existing procedures

For instance, unique device token per device can be recorded in a database using a script to obtain them in the 30 minutes post upgrade

Or the admin can set a known device-token across a group of devices and have that recorded in a password manager

It also allows for the existing set and require a power-cycle/reset procedure

This will not satisfy everyone, if your device is already compromised, then netinstall it, or 'recycle' it.

I would hope that it covers the vast majority of needs out there, and allows for easy integration with existing workflows, would work with scripting.

It is constructive, flexible, and I hope, achieves the presumed goal of ESTABLISHING a secure base in-case of FUTURE compromise.

Pomo · Fri Oct 11, 2024 7:47 am

On restart hap ac3:
No routes injected from pppoe.
No routes injected from LTE.
Uploaded 7.16 files, downgrade button did nothing -> had a look, device mode probably.
Eventually, after rebooting for 5 times, got a default route from pppoe, downgraded via quickset.

Coughy · Fri Oct 11, 2024 10:56 am

Please Team Mikrotik can we have a new tester firmware for the AX devices to some what work with AX CAPS in CAPsMAN
the reauthenticating errors and disconnects are getting annoying and shouldn't be there as we cant use the full functions on the devices.

PS yes i do have wpa3 disabled but why should i have to? and i have tried just about every trick test under the sun to get working from this forums but still no go
so has to be hardware / firmware / ROS

PPSS Yes i did a reset of the devices to default up dated all firmware all running current beta and a complete new config still issues GGGRRR

infabo · Fri Oct 11, 2024 11:29 am

Maybe this is the time to "re-activate" the development channel.

noradtux · Fri Oct 11, 2024 8:04 pm

It's a beta. Issues are to be expected. If it doesn't work properly for you, just downgrade and maybe try the next beta.

infabo · Fri Oct 11, 2024 8:31 pm

It's a beta. Issues are to be expected. If it doesn't work properly for you, just downgrade and maybe try the next beta.

In case it was targeted at me: I have not the guts to try this beta at all. I am done with betas. First and last time I tried was 7.15beta6 and I had to involuntary netinstall because device did not boot up.

Coughy volunteered as tester for new firmware containing possible wifi fixes. That's why I proposed to use the development channel for that case. Testing channel progress is probably too slow. So let's use development channel to go edge.

fischerdouglas · Fri Oct 11, 2024 10:57 pm

Kernel version have been discussed many times before and like it was mentioned before it is being patched, so you cannot say that it is 5.6.3 in the form as it came out in 2020. Kernel version is updated when it is absolutely necessary or the actual gains are worth the effort.

Can Mikrotik team say that Kernel version that is used has nothing to do with the inability to do hardware offload of VXLAN, MPLS L3VPN and L2VPN, and several other features?

If you say that it has nothing to do with it, I will not suggest anymore that should be updated.

But, SKDs of switchchips are offenly demanding that kind of updates.

Coughy · Fri Oct 11, 2024 11:48 pm

It's a beta. Issues are to be expected. If it doesn't work properly for you, just downgrade and maybe try the next beta.

So you Don't read the forums??
there is literally everyone complaining about the AX series in everything Mikrotik
so we are all trying to get a fix and get the working hardware we all shelled out good money for to work as Mikrotik have marketed it to do
but so far nothing fix's the ax series Wi-Fi is behind the competitors And very unstable since its release
it has been Meany months now and still no fix this is why we try betas and try to get them more often
lets be honest here we don't need all the 1000000000 implementations they doing on the next beta
LETS JUST GET A SOILD PLATFORM and FIRMWARE to start with and all its features working as intended like the AX series then they can build up from there
then i wont have to come on here and ask every few weeks for a new beta as my devices will just WORK
cheers rant over
Please TEAM Mikrotik solid base to start then use betas to add and test

I would like to see the development channel back for this area to test

Coughy · Sat Oct 12, 2024 10:00 am

On this development testing
Why cant we have the update broken down in to smaller manageable updates like the list is so long
to be honest I'm not interested or wont to no about 1/2 of it but some do
so why Mikrotik team cant we break the updates down in to like 3 or 4 sections and use the development update as like this
7.17 beta2 A with 1/3 of fix's with base ros
7.17 beta2 B with next 1/3 of fix's with base ros
7.17 beta C with last fix's with baser ros
7.17 beta2 as all combined
this way we can test and see if anything is fixed on a smaller beta
so this way i can test the areas i need to test and should get faster betas as im not waiting for all the tests to get finished which im not worried about really at the moment
and i can test the ones i wont to test and upgraded firmware's
please consider this option
so we as end user don't loose customers and or hardware becaues it is getting silly now
my hapax3 was released with 7.8 and it still isn't working as intended after NUMEROUS updates
So pls think about us the end user

noradtux · Sat Oct 12, 2024 11:38 am

It's a beta. Issues are to be expected. If it doesn't work properly for you, just downgrade and maybe try the next beta.
So you Don't read the forums??

No, I don't read "the forums", the signal to noise ration is too low in many cases. I read selected threads in this forum in search of information and maybe to contribute some information if I just found a way to solve or work around an issue. If you have issues with your stuff, open a support ticket. Once they start working on your bug they might even give you test-firmwares which address just your specific thing. It really works :) In my experience so far Mikrotik are a lot more responsive than what I am used from the likes of Cisco and Fortinet …

I guess everyone has it's own perspective. I for one do not have issues with AX on my Chateau, it is running quite fine. But again: If a beta fixes a bug for you, that's great. That means it will quite probably also be fixed in the next stable. If there are new issues (so far I see none for _my_ setup), please open a bug report so it can be fixed for next stable.

infabo · Sat Oct 12, 2024 12:14 pm

Creating support ticket is the most effective tool we have.

buset1974 · Sat Oct 12, 2024 5:24 pm

Speaking about MPLS / VPLS, did someone try to see if the last versions are still losing packets on CCR2216? As far as I know, it is still an unresolved issue.

that kind of problem in MPLS/VPLS happen since v6 anyway

Amm0 · Sat Oct 12, 2024 6:52 pm

Creating support ticket is the most effective tool we have.

* with a supout.rif - even if you think the problem is obvious and easily tested...

In same PSA category... if someone does try 7.17... then find a problem and downgrades... I'd recommend always generating the supout.rif before downgrade, just in case it's needed. The RIF file no doubt help Mikrotik process a ticket better since it has config/logs. And useful without a ticket, since www.mikrotik.com has a "RIF file viewer" (if you setup a free account) — this let you downgrade and then "look" at the RIF yourself later... after the system is downgrade+service restored.

actck · Sun Oct 13, 2024 7:12 am

Counter wrong. There is no RX activity on vlan4039 why it show about 1G？ And why TX counter on vlan4039 is double ?

dang21000 · Mon Oct 14, 2024 10:50 am

bridge - added interface-list support for VLAN : the best features!!!!

This will simplify VLAN tables!thank you mikrotik.

robertpenz · Mon Oct 14, 2024 10:59 am

What is your proposal, to verify ownership of a device in a way, that a remote attacker can't do?

Put a QR Code on the router which we can scan and save in our management software before deploying the routers. If we need later in a remote location a feature activated which we did not previously, we can enable it and provide the code via CLI. It also helps if someone remote can provide the code without traffic interruption - it also allows collecting the codes over a longer period of time and activating the feature in maintaince window.

Otherwise, you need to set the device mode to full for all systems, as maybe you need it sometime in the future - it would be more secure to active only the mode you need at the time, but this requires a way to change it at runtime.

dang21000 · Mon Oct 14, 2024 7:17 pm

Does the vlan interface list assignment in bridge can help the new behavior with qcomac driver that doesn't support vlan in data path..?

dang21000 · Mon Oct 14, 2024 8:32 pm

Bug with device-mode and switch between partitions.
Like expected in doc (https://help.mikrotik.com/docs/display/ROS/Device-mode) advanced mode should have partition to yes.

[admmikrotik@ap70a] > /partitions/activate part0 
failure: not allowed by device-mode
[admmikrotik@ap70a] > /partitions/print          
Flags: A - ACTIVE; R - RUNNING
Columns: NAME, FALLBACK-TO, VERSION, SIZE
#    NAME   FALLBACK-TO  VERSION                                  SIZE 
0    part0  next         RouterOS v7.16.1 2024-10-10 14:03:32     64MiB
1 AR part1  next         RouterOS v7.17beta2 2024-09-27 07:07:42  64MiB
[admmikrotik@ap70a] > /partitions/activate part0 
failure: not allowed by device-mode
[admmikrotik@ap70a] > 
[admmikrotik@ap70a] > /system/device-mode/print  
       mode: advanced
  container: yes     
[admmikrotik@ap70a] > /system/routerboard/print 
       routerboard: yes                
        board-name: hAP ax^3           
             model: C53UiG+5HPaxD2HPaxD
     serial-number: x        
     firmware-type: ipq6000            
  factory-firmware: 7.6                
  current-firmware: 7.17beta2          
  upgrade-firmware: 7.17beta2

So only way is that : "/system/device-mode/update partitions=yes" and after that all work fine.

[admmikrotik@ap70a] > /system/device-mode/print
        mode: advanced
   container: yes     
  partitions: yes     
[admmikrotik@ap70a] > /partitions/print
Flags: A - ACTIVE; R - RUNNING
Columns: NAME, FALLBACK-TO, VERSION, SIZE
#    NAME   FALLBACK-TO  VERSION                                  SIZE 
0    part0  next         RouterOS v7.16.1 2024-10-10 14:03:32     64MiB
1 AR part1  next         RouterOS v7.17beta2 2024-09-27 07:07:42  64MiB
[admmikrotik@ap70a] > /partitions/activate part0
[admmikrotik@ap70a] > /partitions/print         
Flags: A - ACTIVE; R - RUNNING
Columns: NAME, FALLBACK-TO, VERSION, SIZE
#    NAME   FALLBACK-TO  VERSION                                  SIZE 
0 A  part0  next         RouterOS v7.16.1 2024-10-10 14:03:32     64MiB
1  R part1  next         RouterOS v7.17beta2 2024-09-27 07:07:42  64MiB
[admmikrotik@ap70a] > /system/reboot

infabo · Mon Oct 14, 2024 8:42 pm

You read changelog and followed discussion?

!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;

And even in the docs you posted the link to, it clearly says partitions is one of the "disabled features" for advanced mode. Where is the bug?

"advanced (default) traffic-gen, container, partitions, bootloader"
https://help.mikrotik.com/docs/display/ ... bootloader

dang21000 · Mon Oct 14, 2024 9:13 pm

You're right, i've not see this part in doc ; but read in the next section :
List of available properties (table) "container, fetch, scheduler, traffic-gen,
ipsec, pptp, smb, l2tp, proxy, sniffer, zerotier, bandwidth-test, email, hotspot, romon, socks, partitions, downgrade, bootloader. (yes | no; Default: yes, for advanced mode)"
Why disable it after upgrade IF they must be yes for advanced mode ...? don't understand ... mistake ?!

I'm scared about this future 7.17 upgrade... with more than 80 AP dev located on wall or ceiling (sometimes hidden).... this will be a great moment on pleasure with this newly disabled features now. And depending of each building, lot are not powered by real POE but standard PSU with injector.

toxicfusion · Mon Oct 14, 2024 9:38 pm

ok, the main points of what I was proposing to ease this transition:

On first upgrade to 7.17, or initial power-on or netinstall with 7.17+
Display or have available (/system/routerboard/get device-token) a secure device token string for a limited period of time (30 minutes)

The admin can copy this token and record it against the device

During this 30 minutes the admin can CHANGE the device token (/system/routerboard/set device-token="newSecureToken")

During this 30 minutes the admin can SET secure device options as needed (downgrade, boot partitions, container use, etc) without being prompted to power-cycle/reset.
After 30 minutes/Second+ boot
The device token becomes inaccessible (/system/routerboard/get device-token returns null)

Changing secure device options, including the device-token would require adding the a device-token="..." to the command to enable it without requiring a power-cycle/reboot - this critically enables enterprises/ISPs/SMBs to continue to manage these and any future options without visiting/remotely power-cycling devices

The admin can also set the secure device options and device-token without using the device-token, but they will then be prompted to power-cycle or reset in the next 5 minutes
Rational
This would give a 'grace' window for setting options without having to go through the power-cycle/reset procedure

This would enable enterprises/ISPs/SMBs to record, and/or set their own device token in a way that works with their existing procedures

For instance, unique device token per device can be recorded in a database using a script to obtain them in the 30 minutes post upgrade

Or the admin can set a known device-token across a group of devices and have that recorded in a password manager

It also allows for the existing set and require a power-cycle/reset procedure
This will not satisfy everyone, if your device is already compromised, then netinstall it, or 'recycle' it.

I would hope that it covers the vast majority of needs out there, and allows for easy integration with existing workflows, would work with scripting.

It is constructive, flexible, and I hope, achieves the presumed goal of ESTABLISHING a secure base in-case of FUTURE compromise.

I hope MikroTik takes this into consideration. This is much better solution for those with NUMEROUS devices that are not within "reach" for a button press. Especially for devices on customer locations as CPE. Or as core routers..... We cant simply truck roll and justify the upgrade past 7.17.

pbr3000 · Tue Oct 15, 2024 12:00 am

You're right, i've not see this part in doc ; but read in the next section :
List of available properties (table) "container, fetch, scheduler, traffic-gen,
ipsec, pptp, smb, l2tp, proxy, sniffer, zerotier, bandwidth-test, email, hotspot, romon, socks, partitions, downgrade, bootloader. (yes | no; Default: yes, for advanced mode)"
Why disable it after upgrade IF they must be yes for advanced mode ...? don't understand ... mistake ?!

I'm scared about this future 7.17 upgrade... with more than 80 AP dev located on wall or ceiling (sometimes hidden).... this will be a great moment on pleasure with this newly disabled features now. And depending of each building, lot are not powered by real POE but standard PSU with injector.

Welcome to the club. This is just the first beta, so I hope MT team changes its mind and choose a better solution for enterprise market.
We have thousands of equipment that will be affected mainly by partition disabled.

pbr3000 · Tue Oct 15, 2024 12:03 am

What is your proposal, to verify ownership of a device in a way, that a remote attacker can't do?
Put a QR Code on the router which we can scan and save in our management software before deploying the routers. If we need later in a remote location a feature activated which we did not previously, we can enable it and provide the code via CLI. It also helps if someone remote can provide the code without traffic interruption - it also allows collecting the codes over a longer period of time and activating the feature in maintaince window.

Otherwise, you need to set the device mode to full for all systems, as maybe you need it sometime in the future - it would be more secure to active only the mode you need at the time, but this requires a way to change it at runtime.

I think this solution is simple and effective for new equipment.

guipoletto · Tue Oct 15, 2024 12:13 am

Put a QR Code on the router which we can scan and save in our management software before deploying the routers. If we need later in a remote location a feature activated which we did not previously, we can enable it and provide the code via CLI. It also helps if someone remote can provide the code without traffic interruption - it also allows collecting the codes over a longer period of time and activating the feature in maintaince window.

Otherwise, you need to set the device mode to full for all systems, as maybe you need it sometime in the future - it would be more secure to active only the mode you need at the time, but this requires a way to change it at runtime.
I think this solution is simple and effective for new equipment.

I think the QR idea is terrible

That would be an immutable string, that would remain valid for the life of the equipment
That's a big no-no.
In case an emplyee absconds with the company database, or you fire your consultatnt, passwords must be *changeable*

I guess Mikrotik should be more open as to what threat-model they are working from
There could probably be a place for a "RouterOS-FIPS-For-Ukraine" version, so long as it's not forced on existing, unwilling customers...

sirbryan · Tue Oct 15, 2024 1:51 am

What is your proposal, to verify ownership of a device in a way, that a remote attacker can't do?
Put a QR Code on the router which we can scan and save in our management software before deploying the routers.

New deployments aren't as big of a problem as existing deployments, as I can readily enable the device-mode on the bench before putting the device in the field. But yes, if some features provide a measure of security, there are some things we might want to leave disabled until the feature is needed. If they are deployed at a site that is inconvenient (or impossible) to reach at the time, it does make it difficult to enable later without having physical access.... hmmm.

For me the most angst is locking down some features that I actively use on deployed devices, and forcing me to go onsite for all of those deployed devices.

Paternot · Tue Oct 15, 2024 3:53 am

I maintain that one simple way is to make one jump version.

Say, 7.16.3 (just made it up) will be a forced stop before going 7.17.1
At 7.16.3 the user would have the option to enable the desired settings - those, that on 7.17.x would need a press of button to enable. It would have no practical effect on this version - but it the option would be set - and without all the button problems.
Then the user upgrades to 7.17.1, and the device honor the settings. If the use4r chose to enable changing partitions, so be it. If the user did nothing, then the new setting is to forbid it.

There. Home devices are protected and hard to access ISP devices can be have the config changed in advance, without the whole mess of getting there.

Yes, I know. There would be a window of opportunity to someone infiltrate the router, before the magical 7.17.1 version. True - but this windows already exists. So...

coddy · Tue Oct 15, 2024 6:21 am

A jump version is simply a temporary solution, what happens when Mikrotik decide there is a 'new' device-mode setting that can be set? Another 'jump' version?

No, I believe the easiest way forward is as I've described:viewtopic.php?p=1103228#p1103228

It enables ISPs/SMBs/Enterprises to upgrade and set desired device mode. It keeps any window of opportunity small, and enables the device to be secured against any future compromises. It also enables ISPs/SMBs/Enterprises to maintain a secure separate device-token that can be used to set any future options.

It would work with existing devices, and new devices. A configuration script can set secure device-token, or record the randomly generated token during this window.

QR codes are more work than is necessary. They involve recording per device, or after the fact having some one visit the device, and does not cover existing devices.

pbr3000 · Tue Oct 15, 2024 7:17 am

I think this solution is simple and effective for new equipment.
I think the QR idea is terrible

That would be an immutable string, that would remain valid for the life of the equipment
That's a big no-no.
In case an emplyee absconds with the company database, or you fire your consultatnt, passwords must be *changeable*

I guess Mikrotik should be more open as to what threat-model they are working from
There could probably be a place for a "RouterOS-FIPS-For-Ukraine" version, so long as it's not forced on existing, unwilling customers...

Yes, you're right. There are many variables to consider. Thanks for clarifying this possible threat ;)

pbr3000 · Tue Oct 15, 2024 8:04 am

No, I believe the easiest way forward is as I've described:viewtopic.php?p=1103228#p1103228

After reading your post better I agree and hope MT changes its mind about this terrible press button / power cycle idea.
It's convenient for home and soho deployments and a nightmare for enterprise. This topic already reflects our legit fear from future chaotic mass upgrades.

m4rk3J · Tue Oct 15, 2024 1:33 pm

Is there a plan to add channel utilization status to the Wi-Fi interface tab? Thank you.

Paternot · Tue Oct 15, 2024 2:00 pm

A jump version is simply a temporary solution, what happens when Mikrotik decide there is a 'new' device-mode setting that can be set? Another 'jump' version?

Yes, a new jump version. There shouldn't be many things added to this device-mode, anyway.
You idea of QR code has several problems, one of them (already pointed out), is that it become a hardcoded password. All You need is one disgruntled employee, and what now? You can't revoke the QR code. You can't change it.

coddy · Tue Oct 15, 2024 3:12 pm

The problem with a jump version is it leaves the admin with a one time only choice, what options do I set? Now if you want to secure the device in case of possible future exploit you should choose the minimum options required. But what do you do if a year down the track you suddenly discover that a device needs to run a container to solve a new problem? Go to the device and set option and power cycle? Trying to avoid this as it is a bad option, as indicated by the large number of comments in this forum.

Alternatively, you could enable all options, because maybe one-day you will need them, even if not right now. Again this is counter productive to the purpose of the device mode options - to lock down the device in case of future exploit.

So, although not opposed to the idea of a simple jump version, it does leave the admin with sub-optimal choices that can only easily be made once, which will invariably lead them to decide to fully unlock the device.

This I why I think the proposal of a device token that is readable/set-able for a short window is better in the long term.

Agreed, in the absence of that, then a jump version is better than an automatically locked down device on upgrade (and certainly better than a QR code). But it will lead me, and many others to just fully unlock the device because I never can be sure when I might need one of those features in the future, especially for my remotely controlled devices.

If Mikrotik can program in a device-token as I've fully outlined in my other posts then admins can safely lock down the devices now, with the features they need now, knowing they can easily, remotely and securely unlock those features or any new features going forward.

I do believe that respects what Mikrotik are trying to achieve, a more secure device in case of future exploit, whilst leaving the admin with the ability to securely enable or disable features if and when necessary in the future.

dang21000 · Tue Oct 15, 2024 4:24 pm

The main problem is not the new advanced/enterprise device mode.
But the change confirmation by button press/power lost.

Security reason ? remotely we can change/break everything else... but not that ?

pbr3000 · Tue Oct 15, 2024 4:54 pm

Yes @dang21000. I suggest you read the whole topic to understand the ideas presented to avoid this press button/power cycle thing.

sirbryan · Tue Oct 15, 2024 5:22 pm

The problem with a jump version is it leaves the admin with a one time only choice, what options do I set? Now if you want to secure the device in case of possible future exploit you should choose the minimum options required. But what do you do if a year down the track you suddenly discover that a device needs to run a container to solve a new problem? Go to the device and set option and power cycle? Trying to avoid this as it is a bad option, as indicated by the large number of comments in this forum.

This is already the case for things like containers. You either unlock it before deploying it remotely, or have to touch it later. So for the existing device-mode options that you have to "physically unlock," this is a moot point.

The bigger issue at hand is locking down existing capabilities that many of us use on already-deployed devices. The ones we're really concerned about are not easily accessible (physically remote locations), or would take an inordinate amount of time (mass deployments in customers' homes or offices).

toxicfusion · Tue Oct 15, 2024 5:44 pm

This is all fault of MikroTik's leadership and decision making / vision. This "one product for everyone" agenda for ALL markets.

The device hardware is quite decent, RouterOS is swiss-army knife with full features. This allows multiple use-cases, from homelab - SOHO/SMB/Enterprise/WISP/ISP.....

This is what I've been saying. If MikroTik carved up a few product sets [CHR,CCR,CRS,etc] for the professional/Enterprise - we may not be in this situation with need of this device-lock. This is a kick in the head to those of us that picked MikroTik due to their flexibility and price to use in a business model. Deploying to customers as CPE's. Or us as professionals deploying to customers as a technology solution, or as our backbone. It is not cost effective to truck roll just to touch a device post-upgrade...

I mean... another vendor is getting heat right now for "forcing" SNMP defaults on devices instead of just keeping disabled. However, this other vendor actually listens to professionals. MikroTik -- are you listening and digesting the gravity of decisions? I think its time for a pivot.

I hope MikroTik will let us contrrol this device lock using the outlined suggestion of device token. RouterOS 7 is a hot mess express, also given this drive for RouterOS enterprise which is not at all synonymous - as they're "add-on" packages that do NOT belong on a router.

RouterOS 7 Focus point should be:
-Fixing current issues [Layer3 items, MLAG, AX, Capsman, IPv4, hardware offloading, VLANS]
- AX wireless
- AC qcom driver fixes
- Security enhancements

Winbox4 -- unsure if this was good timing or how many internal resources on this.
Where is MikroTik device controller?
Move ROSE to be actual RouterOS enterprise on enterprise level hardware, strip the storage network protocols. Leave or rename this to a different MikroTik operating system. MikroTik can probably sell different hardware.

MikroTik RouterOS Core [Routing, wireless packages, options like we had in ROS 6]
MikroTik RouterOS Enterprise [Everything]
MikroTik BoxOS [Enterprise ROSE packages for NAS type appliances - the Gavin Belson]

Then to keep with MikroTik's vision for no feature "lock downs" on THEIR hardware. The above OS's can still be installed onto XXX hardware via NetInstall or via package upload.

Paternot · Tue Oct 15, 2024 7:40 pm

Agreed, in the absence of that, then a jump version is better than an automatically locked down device on upgrade (and certainly better than a QR code). But it will lead me, and many others to just fully unlock the device because I never can be sure when I might need one of those features in the future, especially for my remotely controlled devices.

And that's fine. This whole thing is intended to lock down home devices, once installed and never upgraded. If You take a look at what is affected, all of them have one thing in common: they can be used to insert code to run, use a second partition as a "malware restore backup" and/or run a container with malware inside.

I really think the basic idea is quite good. What I'm not happy with is the planned migration. Even the implementation is good: needing physical access is the ultimate barrier, and a way to guarantee that a user just "turning it off and on again" will not enable something nasty to bypass the lock.

merkkg · Tue Oct 15, 2024 8:20 pm

*) switch - fixed L2MTU for 25Gbps ports;

Any way to get more details on this?

its any device with 25G port or as long as using 25G SFP? visible to see when affected?

spippan · Tue Oct 15, 2024 11:36 pm

bridge - added interface-list support for VLAN : the best features!!!!

This will simplify VLAN tables!thank you mikrotik.

is there any docs how we are ablte to use this feature? or best-practice?

EDIT: found it where it is used... (screenshot)

Screenshot from 2024-10-15 23-02-56.png

Coughy · Wed Oct 16, 2024 2:17 am

This is all fault of MikroTik's leadership and decision making / vision. This "one product for everyone" agenda for ALL markets.

The device hardware is quite decent, RouterOS is swiss-army knife with full features. This allows multiple use-cases, from homelab - SOHO/SMB/Enterprise/WISP/ISP.....

This is what I've been saying. If MikroTik carved up a few product sets [CHR,CCR,CRS,etc] for the professional/Enterprise - we may not be in this situation with need of this device-lock. This is a kick in the head to those of us that picked MikroTik due to their flexibility and price to use in a business model. Deploying to customers as CPE's. Or us as professionals deploying to customers as a technology solution, or as our backbone. It is not cost effective to truck roll just to touch a device post-upgrade...

I mean... another vendor is getting heat right now for "forcing" SNMP defaults on devices instead of just keeping disabled. However, this other vendor actually listens to professionals. MikroTik -- are you listening and digesting the gravity of decisions? I think its time for a pivot.

I hope MikroTik will let us contrrol this device lock using the outlined suggestion of device token. RouterOS 7 is a hot mess express, also given this drive for RouterOS enterprise which is not at all synonymous - as they're "add-on" packages that do NOT belong on a router.

RouterOS 7 Focus point should be:
-Fixing current issues [Layer3 items, MLAG, AX, Capsman, IPv4, hardware offloading, VLANS]
- AX wireless
- AC qcom driver fixes
- Security enhancements

Winbox4 -- unsure if this was good timing or how many internal resources on this.
Where is MikroTik device controller?
Move ROSE to be actual RouterOS enterprise on enterprise level hardware, strip the storage network protocols. Leave or rename this to a different MikroTik operating system. MikroTik can probably sell different hardware.

MikroTik RouterOS Core [Routing, wireless packages, options like we had in ROS 6]
MikroTik RouterOS Enterprise [Everything]
MikroTik BoxOS [Enterprise ROSE packages for NAS type appliances - the Gavin Belson]

Then to keep with MikroTik's vision for no feature "lock downs" on THEIR hardware. The above OS's can still be installed onto XXX hardware via NetInstall or via package upload.

100% Agree with you here mate also it should be able to fix and tweak the parts of the operation to get the devices working correctly as they should not take months and months 27SEPT 3 weeks now to be precise since we as a community have seen anything (come on now mikrotik we need fixs more often not weeks apart we would like to use the devices )
lets get the device working properly first then fix/worry about all the add on's and such later get a good stable base then add on
that way we could get fix's faster as there not playing with the hole ros trying to move faster than the rest
because at the moment they are falling behind the rest as there moving to fast and not fixing the problems that everyday to today needs so people looking else where
they need dedicated engineers to the most important parts

I'm not ungrateful for the work that all is doing just i think that possibly that the work getting done could be done in a more constructive manner and more important items addressed first

-Fixing current issues [Layer3 items, MLAG, AX, Capsman, IPv4, hardware offloading, VLANS]
- AX wireless
- AC qcom driver fixes
- Security enhancements

ckleea · Wed Oct 16, 2024 7:31 am

I lost the mount position of the USB for containers and was unable to run. This happened many times before after the update which I thought it was fixed.

Is there way to recover the mount position and allow the containers to run again?

Wed Oct 16, 2024 7:31 pm

This upgrade appears to be breaking IPv6 ND (a.k.a. NDP) to wired clients connected to RouterOS switches, when those switches sit between the client and the NDP source. Full saga here, but the tl;dr is that rolling back to 7.16.1 via netinstall fixed the symptom, and re-upgrading to 7.17beta2 broke it again.

EDIT: …and resetting the channel to stable to roll back to 7.16.1 via the regular software update (not netinstall) restored SLAAC to the client.

As a result of netinstalling this switch and the consequent need to rebuild its config from text backups, it is close to defconf now. The primary changes that I can see possibly affecting it are the bridge config:

/interface bridge add add-dhcp-option82=yes admin-mac=**ELIDED** auto-mac=no dhcp-snooping=yes igmp-snooping=yes igmp-version=3 mld-version=2 multicast-querier=yes name=bridge priority=0x1000

The path toward the NDP source is marked "Trusted" and has unknown multicast flooding enabled, which should allow the NDP messages to flow despite IGMP and DHCP snooping being enabled.

osc86 · Wed Oct 16, 2024 11:36 pm

try this (or add required ports manually):

/interface/bridge/mdb/add bridge=bridge group=FF02::2 ports=[/interface/bridge/port/find where bridge=bridge]

wiktorbgu · Thu Oct 17, 2024 9:58 am

My flash drive is mounted in different slots after each reboot.
As you can see, it turns on either in USB 3.0 mode or in USB 2.0 mode.
Model ax3.

Thu Oct 17, 2024 10:45 am

My flash drive is mounted in different slots after each reboot.
As you can see, it turns on either in USB 3.0 mode or in USB 2.0 mode.
Model ax3.

Long standing issue with certain USB stick brands.
So it's not yet completely resolved ... I hoped it was since I am not seeing this issue anymore on RB5009 (for now).

Next reboot may correct it.
Or try USB reset with small waiting time.

OlofL · Thu Oct 17, 2024 2:22 pm

is rfc 2136 forwarding possible?

When I run this nsupdate request:
nsupdate:

server 10.6.100.18
zone sub.network.test
update add hello.sub.network.test 300 A 1.3.3.7
send

Response: update failed: NOTIMP

I want to use mikrotik as forwarder only, and I want mikrotik to forward this request to my centralized internal DNS.

infabo · Thu Oct 17, 2024 2:50 pm

Do you have a reference where or which DNS server already implements a forwarding of nsupdate requests? If there are none, why do you want Mikrotik to implement this? Why dont you send the nsupdate request directly to your "centralized" dns server?

Amm0 · Fri Oct 18, 2024 12:23 am

You can only send RFC-2136 updates via /tool/dns-update - not forward them. You also still cannot add a PTR type as a static (so while can forward mDNS, but cannot do more basic DNS-SD) - so we're far from a "real" DNS server. And, I'm sure others have their own DNS grips.

pe1chl · Fri Oct 18, 2024 10:39 am

so we're far from a "real" DNS server. And, I'm sure others have their own DNS grips.

MikroTik should offer "unbound" as an optional DNS resolver package (that replaces the internal one when installed), much like in v6 you could install an optional NTP client/server that would replace/upgrade the internal one.

bratislav · Fri Oct 18, 2024 11:21 am

so we're far from a "real" DNS server. And, I'm sure others have their own DNS grips.
MikroTik should offer "unbound" as an optional DNS resolver package (that replaces the internal one when installed), much like in v6 you could install an optional NTP client/server that would replace/upgrade the internal one.

"unbound" is not "real" DNS server like BIND is for example... it is DNS caching validating recursor and if you need full DNS functionality you should use NSD in addition to be able to provide authoritative DNS services...
So IMHO Mikrotik should probably offer unbound by default for resolving, forwarding etc. and offer NSD as an upgrade for people who need to host their own DNS zones.
It seems to me that Mikrotik would be better of stop trying to develop everything in house and use some opensource software like unbound/nsd for common tasks especially if they are licensed under some non prohibitive license like BSD in case of unbound...

Fri Oct 18, 2024 1:11 pm

container and run whatever you like.

mrshaba · Fri Oct 18, 2024 1:55 pm

unrealistic solution for all non-ARM/X86 based device and also all devices (also ARM based) which have only 16MB of built in storage size and no USB where one could attach an external storage device (tried to get a second instance of a unbound container running on CRS309, no chance)

infabo · Fri Oct 18, 2024 2:18 pm

unbound does not fit into 16mb flash by far. look at the unbound distroless docker images. The binary has at least 4mb+. given microtik has a lot of stuff developed in house (I am pretty sure they dont use any popular ssl library for example). It is all a matter of their limited storage they have opted. They limited themselves.

pe1chl · Fri Oct 18, 2024 2:18 pm

container and run whatever you like.

Except then you have no configuration user interface.
Still, it would be nice when someone with container experience would make a container with unbound for RouterOS.

infabo · Fri Oct 18, 2024 2:20 pm

unbound is a recursive resolver. not an authorative dns. It has some limited features in that regard. The consensus: use powerdns for that purpose.

pe1chl · Fri Oct 18, 2024 2:21 pm

unbound does not fit into 16mb flash by far. look at the unbound distroless docker images. The binary has at least 4mb+. given microtik has a lot of stuff developed in house (I am pretty sure they dont use any popular ssl library for example). It is all a matter of their limited storage they have opted. They limited themselves.

It may be possible to squeeze in a minimal unbound when the existing IP->DNS is removed, but frankly I am not that concerned about 16MB devices, I do not buy them to use as routers.
Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!

pe1chl · Fri Oct 18, 2024 2:22 pm

unbound is a recursive resolver. not an authorative dns. It has some limited features in that regard.

The features are similar to what the current built-in MikroTik DNS resolver has, plus it can resolve from root servers.
(and it supports DNSSEC, and it has a test suite, and it has developers who know DNS, ...)

pe1chl · Fri Oct 18, 2024 2:23 pm

It seems to me that Mikrotik would be better of stop trying to develop everything in house and use some opensource software like unbound/nsd for common tasks especially if they are licensed under some non prohibitive license like BSD in case of unbound...

+1

bratislav · Fri Oct 18, 2024 2:28 pm

container and run whatever you like.

I usually do run DNS servers on a dedicated VMs and not on RouterOS, but wouldn't it be simpler for all, both Mikrotik and us users, that instead of wasting decades on trying to make proprietary software for something as common as DNS, and fail, you use something open source that is well maintained and reliable, after all you do use Linux. And maybe you could even give something back to open source community in form of patches if you happen to modify and improve something...

infabo · Fri Oct 18, 2024 3:10 pm

Whole essence of ROS is proprietary development. But they contribute: https://github.com/torvalds/linux/commi ... 1bcb1a6574

pe1chl · Fri Oct 18, 2024 3:12 pm

I fully agree! Every time a new feature is added, something else is broken, and we need another cycle to get that fixed.
And all that while ready solutions with the same functionality already exist. The only work that would have to be done is the configuration interface -> mapping to configuration file. That should be a common task in RouterOS.
And maybe to include all functions (like DNSSEC), more storage would be required than the current solution.

Paternot · Fri Oct 18, 2024 3:58 pm

Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!

That I didn't know! Where is it? Great news, finally we are leaving the 16MB behind!

pe1chl · Fri Oct 18, 2024 5:02 pm

Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!
That I didn't know! Where is it? Great news, finally we are leaving the 16MB behind!

There is a video on the MikroTik YouTube channel: https://www.youtube.com/watch?v=Zrzq_zPWoQ4
But it is not yet on the products list... strange.

Amm0 · Fri Oct 18, 2024 5:04 pm

container and run whatever you like.

... as long as someone is there to do the device-mode dance.

With the new "changing device-mode on upgrade" scheme here... I hope y'all are mulling how to deal with the device-lock provisioning side. I'd actually like to deploy containers as part of a default config, say a DNS server... but since the device-mode is not controllable via netinstall/flashflig/etc. it ain't possible.

I get security threats have changed, so get device-mode (just removing packages be better IMO). But there needs to be some automated way to set device-mode before deployment at least.

Fri Oct 18, 2024 5:24 pm

What's new in 7.17beta4 (2024-Oct-18 11:32):

!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and bandwidth-test, traffic-gen, partition (command "repartition"), bootloader and downgrade features will be disabled;
!) webfig - redesigned HTML, styling and functionality (additional fixes);
*) arm64 - fixed for bare-metal servers to be able to access more than 2GB RAM;
*) arm64 - show CPU frequency on bare-metal installations;
*) bridge - correctly display PPP interfaces in VLAN menu;
*) bridge - fixed first host table response for SNMP;
*) bridge - fixed VLAN overlap check;
*) bridge - improved port handling;
*) certificate - fixed handling of capsman-cap certificates (introduced in v7.16);
*) console - added more argument definitions for mac-protocol property;
*) console - execute :return command without error;
*) crypto - improve crypto speeds (additional fixes);
*) crypto - use hardware accelerator for GCM cipher in TLS connection on Alpine CPUs;
*) defconf - changed wireless installation from "indoor" to "any";
*) defconf - disable 5GHz secondary channel on RB4011;
*) defconf - fixed new port name recognition;
*) device-mode - changed "partition" to allow activate and do not allow repartition (introduced in v7.17beta2);
*) device-mode - clarify message that pressing a button will reboot device;
*) device-mode - limit "/tool/ping-speed" and "/tool/flood-ping" under "traffic-gen" feature;
*) device-mode - show all features and active restrictions with "print" command;
*) dhcp-relay - added "local-address-as-src-ip" property;
*) dhcp-server - use interface ID for NAS-Port and added interface name to NAS-Port-ID attribute in RADIUS requests;
*) dhcp-server - use single RADIUS accounting session for IPv4 and IPv6 when dual stack is used;
*) dhcpv4-client - fixed crash when releasing disabled DHCP client;
*) dhcpv4-server - properly detect DHCP server address when underlying interface has multiple IP addresses configured;
*) dhcpv4-server/relay - added additional error messages for DHCP servers and relays;
*) discovery - added support for LLDP DCBX (additional fixes);
*) disk - added sshfs client to "/disk" menu (CLI only);
*) disk - improve slot naming and improvements for visualizing complex hardware topology;
*) disk - improve test to report zero byte iops;
*) disk - save raid superblock and raid bitmap superblock on member devices in 1.2 format/location;
*) disk - try all NFS versions (4.2,4.1,4.0,3,2) when mounting NFS in that order;
*) dns - added option to create named DNS servers that can be used as forward-to servers (CLI only) (additional fixes);
*) dns - do not look up local cache when executing ":resolve" command with specified "server" parameter (introduced in v7.16);
*) dns - refactored DNS service internal processes;
*) ethernet - log warning only about excessive broadcast (do not include multicast) and reduced log count;
*) file - do not needlessly scan large filesystems, could prevent unmounting;
*) graphing - fixed graphing rule removal (additional fixes);
*) health - changed PSU state from "no-ac" to "no-input";
*) igmp-proxy - refactored IGMP querier (additional fixes);
*) iot - fixed duplicate LoRa payloads in the traffic tab;
*) iot - limit mqtt publish message size to 32 KB;
*) iot - LoRa traffic tab RSSI now shows proper values for ARM architecture;
*) iot - mqtt improvement to support large payloads and gracefully discard payloads above size limit;
*) iot - removed some LoRa radio related parameters (e.g. RSSI-OFF and Tx-enabled) that were not meant to be changed (additional fixes);
*) ipv6 - added comment property to "/ipv6/nd/prefix" menu;
*) l3hw - improved system stability;
*) l3hw - rate limit error logging;
*) log - added hostname support to remote logging action;
*) log - added regex parameter for log filtering in rules;
*) lte - fixed "default-name" property in export when multiple LTE interfaces are used;
*) lte - fixed "lte monitor" signal reporting for RG520F-EU modem when connected to 5G SA network;
*) lte - fixed "operator" setting for EC200A-EU modem;
*) lte - fixed LTE band setting for SXT LTE 3-7;
*) lte - fixed roaming barring (allow-roaming=no) for EC200A-EU modem;
*) lte - set IPv6 address reporting format in modem init for AT modems and MBIM modems with AT channel;
*) mac-server - allow MAC-Telnet access through any bridged port when bridge interface is allowed;
*) mpls - added fast-path support for VPLS (additional fixes);
*) netwatch - added "ignore-initial-up" and "ignore-initial-down" properties (CLI only);
*) netwatch - fixed probe toggle when adding a comment;
*) ovpn-server - added "user-auth-method" property and allow mschap2 for RADIUS authentication;
*) ppp - added support for bridge-port-pvid configuration via ppp profile (additional fixes);
*) ppp - reuse link-local IPv6 address for static bindings when possible;
*) pppoe - added support for PPPoE server over 802.1Q VLANs (additional fixes);
*) ptp - added PTP support for CRS320-8P-8B-4S+ device;
*) ptp - make PTP process more stable and deterministic when applying configuration;
*) qos-hw - improved PFC behavior (additional fixes);
*) qos-hw - improved WRED and ECN behavior (additional fixes);
*) qos-hw - reworked PCP and DSCP mapping (now supports single, multiple and range values, previous configuration with minimal value mapping is converted to a single value);
*) rip - improved stability when changing metric;
*) route - fixed minor typo in failure message;
*) route - increased interface name length limit in log messages;
*) route - removed possibility for IPv6 routes to specify interface in the dst-address;
*) routerboot - fixed boot MAC for devices with Alpine CPU ("/system routerboard upgrade" required);
*) sfp - improved initialization for certain SFP modules on CRS309 and CRS317 devices ("/system routerboard upgrade" required);
*) smb - stability improvements for client/server (additional fixes);
*) snmp - added wifi fields to MIKROTIK-MIB;
*) ssh - added option to configure SSH ciphers (replaced allow-none-crypto parameter);
*) ssh - improved speed;
*) ssh - prefer GCM ciphers for arm64 and x86 devices when ciphers=auto;
*) storage - preserve permissions,owners,attributes when syncing under "/file/sync";
*) storage,rsync - fixed to work with clients passing "-a" option;
*) supout - added device-mode section;
*) switch - updated dynamic switch rules when using HW bridge with IGMP snooping (224.0.0.0/24 and ff02::/16 destination addresses are forwarded and copied to CPU) (additional fixes);
*) system - moved "/system/upgrade" to "/system/package/local-update";
*) vxlan - fixed issue causing to loose IPv6 VTEP address setting;
*) webfig - improved keyboard navigation (additional fixes);
*) webfig - reduce flickering when table is sorted by column with duplicate values (additional fixes);
*) wifi - added extra info to CAPsMAN about message;
*) wifi - fixed "disabled" property in certain cases;
*) wifi - fixed occasional failure to bring up management frame protection and channel switch capabilities;
*) wifi - improved FT roaming with WPA3 for some Apple devices;
*) wifi-qcom - updated regulatory info for Ukraine, Australia and United States;
*) winbox - renamed and moved "System/Auto Upgrade" to "System/Packages" menu;
*) winbox - show MLAG settings for CRS326-4C+20G+2Q+ device;
*) wireless - enable all chains by default for RB911 and RB922 series devices;

pe1chl · Fri Oct 18, 2024 5:29 pm

!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and bandwidth-test, traffic-gen, partition (command "repartition"), bootloader and downgrade features will be disabled;

So that means /partitions/activate (changing active partition) will after all remain available, and only /partitions/repartition will become locked?
That is good news!

infabo · Fri Oct 18, 2024 6:02 pm

Yes, it means that.

*) device-mode - changed "partition" to allow activate and do not allow repartition (introduced in v7.17beta2);

crosswind · Fri Oct 18, 2024 6:05 pm

*) wifi - added extra info to CAPsMAN about message;

could you please elaborate? i cannot discern any meaning at all from this entry.

nice that the vxlan/vteps bug was fixed, ty.

crosswind · Fri Oct 18, 2024 6:20 pm

PIM-SM is still broken:

[admin@lab2.i.lfns.org.uk] > routing/pimsm/static-rp/add instance=lan-v6 address=2001:8b0:aab5:3::b
action timed out - try again, if error continues contact MikroTik support and send a supout file (13)
[admin@lab2.i.lfns.org.uk] > put [/system/resource/get version]
7.17beta4 (testing)

Fri Oct 18, 2024 6:40 pm

Upgraded RB5009, USB disk is gone after reboot.
No way to get it back, no USB reset, nada.
Unplugged USB stick, put it back in, doesn't come up again.

Only some small containers on it which are pretty easy to setup again but just wanted to let it know.

massinia · Fri Oct 18, 2024 6:44 pm

*) wifi - improved FT roaming with WPA3 for some Apple devices;

Thanks MikroTik 🎉

Fri Oct 18, 2024 6:45 pm

/interface/bridge/mdb/add bridge=bridge group=FF02::2 ports=[/interface/bridge/port/find where bridge=bridge]

I get "input does not match any value of port" from that command.

However, on inspecting the MDB, I do see an entry for that IPv6 multicast group on the CRS328's bridge and on the ports down which my other RouterOS devices are. I take that to mean the command would not have changed anything even if it had run without error.

I held off trying your (@osc86) suggestion in hopes that this second beta would fix this, but alas, no, despite this entry in the Changelog:

*) switch - updated dynamic switch rules when using HW bridge with IGMP snooping (224.0.0.0/24 and ff02::/16 destination addresses are forwarded and copied to CPU) (additional fixes);

There's still something for MT to fix here.

$ ifconfig en0
en0: flags=…
	inet6 fd88::…%en0 prefixlen 64 secured scopeid 0x4

That's it, just one inet6 entry, not the three I'm used to seeing. (The others being fd80::… and the one for the local PD lease from my ISP.)

Fri Oct 18, 2024 6:47 pm

Upgraded RB5009, USB disk is gone after reboot.
No way to get it back, no USB reset, nada.
Unplugged USB stick, put it back in, doesn't come up again.

Only some small containers on it which are pretty easy to setup again but just wanted to let it know.

"Downgraded" to 7.16.1 -> disk back
Moving again to 7.17b4 -> disk remains

Really odd ...

Paternot · Fri Oct 18, 2024 7:04 pm

So that means /partitions/activate (changing active partition) will after all remain available, and only /partitions/repartition will become locked?
That is good news!

Yes, they are listening! Excellent news indeed. :D
"*) device-mode - changed "partition" to allow activate and do not allow repartition (introduced in v7.17beta2);"

blacksnow · Fri Oct 18, 2024 7:16 pm

In 7.17b4, the sorting on any column in webfig doesn't work on firefox. Not sure if it's just me.

crosswind · Fri Oct 18, 2024 7:20 pm

SUP-168334 also not fixed:

[admin@lab2.i.lfns.org.uk] > /ipv6/route print where dst-address=64:ff9b::/96
Flags: D - DYNAMIC; A - ACTIVE
Columns: DST-ADDRESS, GATEWAY, DISTANCE
   DST-ADDRESS   GATEWAY                       DISTANCE
DA 64:ff9b::/96  fe80::400:ff:fe00:509%ether1       115

[admin@lab2.i.lfns.org.uk] > /routing/route/print where dst-address=64:ff9b::/96
Flags: A - ACTIVE; i - ISIS
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
   DST-ADDRESS   GATEWAY                       AFI  DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW                
Ai 64:ff9b::/96  fe80::400:ff:fe00:509%ether1  ip6       115     20            10  fe80::400:ff:fe00:509%ether1

not a serious issue but i was hoping we'd get a fix for 7.17.

clambert · Fri Oct 18, 2024 8:10 pm

*) dhcp-relay - added "local-address-as-src-ip" property;

Great news! Thanks Mikrotik!

FezzFest · Fri Oct 18, 2024 8:54 pm

What's new in 7.17beta4 (2024-Oct-18 11:32):

!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and bandwidth-test, traffic-gen, partition (command "repartition"), bootloader and downgrade features will be disabled;

WHAT THE FUCK?
Instead of listening to the critique bandwidth-test is now also disabled? Are you gonna leave any features intact? Maybe just brick the damn device w/ the software update to v7.17 so we have to physically go to all of our devices and NetInstall them! What a bunch of lunatics you've become.

infabo · Fri Oct 18, 2024 9:10 pm

Makes sense. Bandwidth test tools create a bunch of traffic as well.

BrateloSlava · Fri Oct 18, 2024 9:19 pm

All this ( with device-mode ) is, of course great, and useful to improve security, etc. But still. What is the normal way to update remote devices now?

It is possible that all these new restrictions should be automatically set after netinstall. But switching from 7.16 to 7.17 for currently working remote devices is still seriously confusing for me.

FezzFest · Fri Oct 18, 2024 9:30 pm

Makes sense. Bandwidth test tools create a bunch of traffic as well.

So does routing traffic through my fucking router. We have 2000+ devices and use bandwidth test constantly to debug throughput issues. You don't see Cisco or Arista implement virtual fucking child locks on their routers, they just assume people know what they're doing. MikroTik is trying to be holier than the pope and polish it's turd-like security posture for the rest of the world while screwing over their long-time customers. It's been 3 weeks since the release of v7.17beta2, they've been inundated with replies telling them this needs to be done differently and they ignore all that and introduce this? It's a disgrace.

Sit75 · Fri Oct 18, 2024 9:35 pm

It would be good to either polish the Superchannel a bit or remove it. But it doesn't make sense now. :-)

sirbryan · Fri Oct 18, 2024 9:36 pm

What's new in 7.17beta4 (2024-Oct-18 11:32):

!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and bandwidth-test, traffic-gen, partition (command "repartition"), bootloader and downgrade features will be disabled;
Instead of listening to the critique bandwidth-test is now also disabled?

Yay on the "change active partition" being left alone. This bandwidth-test one I missed.

One of my selling points to customers about them purchasing a MikroTik router from me is that I can log in and run tests from it (ping, trace route, bandwidth) as if I was on-site. One of the tools I frequently use on ALL my MikroTik 60GHz radios and routers, especially those installed at customers' homes (500+), is the bandwidth-test (from the GUI) from site-to-site.

I get the need to dial some things down, but for already-deployed devices, there's got to be a compromise. This affects far more devices than the partition issues do (hundreds vs. dozens for me, anyway).

Paternot · Fri Oct 18, 2024 10:36 pm

I get the need to dial some things down, but for already-deployed devices, there's got to be a compromise. This affects far more devices than the partition issues do (hundreds vs. dozens for me, anyway).

To be fair, I think Mikrotik is listening. The recent change on partitioning shows this. They will probably go on tweaking this, using the beta as a RFC for the settings.

pe1chl · Fri Oct 18, 2024 11:29 pm

I hope at some point some scheme will be found where users upgrading to new versions can keep the features they already had, while newly installed devices need the device-mode setting to get access to those features.
(e.g. one of the many schemes proposed where one could set device-mode shortly after upgrade, or using the sticker password, or whatever method that may not be 100% secure but at least is better than nothing)

faxxe · Sat Oct 19, 2024 1:01 am

The approach sounds like success, surprising that a company has not yet recognized this.
Presumably the cheap hardware prevails

gigabyte091 · Sat Oct 19, 2024 6:46 am

On PPSK there is still an incorrect password error when changing from one passphrase to another for the first time after forgetting old network.

frank333 · Sat Oct 19, 2024 1:17 pm

are you planning, an update to register eSIMs with a graphical interface? I tried AT commands but it's hell...

Schermata del 2024-10-19 12.16.33.jpeg

Jotne · Sat Oct 19, 2024 2:10 pm

Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!
That I didn't know! Where is it? Great news, finally we are leaving the 16MB behind!

And its arm as well, so zerotier etc should work.

Jotne · Sat Oct 19, 2024 2:11 pm

What's new in 7.17beta4 (2024-Oct-18 11:32):

*) log - added hostname support to remote logging action;

Do you have any more information on this?

hapoo · Sat Oct 19, 2024 6:09 pm

Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!

Was there an announcement I missed? Where do you see this?

bmann · Sat Oct 19, 2024 6:23 pm

I like Mikrotik gear for it's flexibility and features. You can use it home, in SMB or as ISP and it is affordable.
Just not sure if the security is taken seriously as Mikrotik is not much transparent on it.

Anyway one problem that have with many home devices which were installed and forgotten. Then hacked and put to botnet:
https://therecord.media/more-than-90000 ... to-new-bug

I think that many ISPs are responsible to have proper configurations and patched systems, but many of them do not care too.

So I understand why Mikrotik wants to restrict device mode.
For new devices it is OK, but do not like the approach for actual big deployments. The proposals are here so I hope they will adjust the approach.

Sat Oct 19, 2024 6:33 pm

Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!

Was there an announcement I missed? Where do you see this?

viewtopic.php?t=211863

TomSF · Sat Oct 19, 2024 7:06 pm

Beta 4 issues. I have a wireguard tunnel between two locations. Both locations automatically upgraded to B4 and then I could not access devices at location A from location B, and vice versa. I can Winbox into both routers though. In fact, I could not even ping devices at location B when Winboxed into location B. I downgraded location B to 7.16.1 but the problem remained. I then downgraded location A to 7.16.1 and the problems went away.

Addendum:
I upgraded location B to Beta4 again and no problems. I then upgraded location A to Beta4 again and no problems. I have no idea why things did not work initially.

clorichel · Sat Oct 19, 2024 7:41 pm

the -s option wasn't working anymore on netinstall-cli version 7.16.1, while the latest 7.17beta4 somehow fixed it: thanks 🤗

please update your docs though: https://help.mikrotik.com/docs/spaces/R ... Netinstall mentions "text file in .RSC format" where it actually only works with .scr files

Sit75 · Sat Oct 19, 2024 10:48 pm

Another bug or "feature". The WiFi .wnm parameter does not seem to be supported.

erlinden · Sat Oct 19, 2024 11:42 pm

Can you please share:

/interface/wifi/export

Remove any private info.

Update: it works on my machine. Could it be a typo?

joedoelv · Sun Oct 20, 2024 10:25 am

After updating my RB5009 to 7.17beta4 I've found that there is an issue with v4 DHCP server dealing with static leases.
Windows 11 24H2 failed to obtain IPv4 address (IPv6 is OK) after timeout.
With Wireshark, I've found that Windows is not receiving ACK from Mikrotik.
Checked debug logs on Mikrotik - and here was a message about "not authoritative, ignoring".
Found under address-pool parameter authoritative=after-2sec-delay (wasn't here before) - changed it to 'yes'
After that Mikrotik started to send NACK as soon as second/repeated DHCP REQUEST received.
Have to downgrade to 7.16.1 - no issue whatsoever.
P.S. If static lease is removed - dynamic one is working.

Jotne · Sun Oct 20, 2024 11:50 am

Even for the useful RB750Gr3 there is now an announced replacement with 128MB flash!

Was there an announcement I missed? Where do you see this?

Seems that you did not read this thread, it was posted just above latest beta4 info where we did get this info :)
viewtopic.php?p=1104012#p1104012

pe1chl · Sun Oct 20, 2024 12:40 pm

I get the need to dial some things down, but for already-deployed devices, there's got to be a compromise. This affects far more devices than the partition issues do (hundreds vs. dozens for me, anyway).
To be fair, I think Mikrotik is listening. The recent change on partitioning shows this. They will probably go on tweaking this, using the beta as a RFC for the settings.

Apparently they have gotten a lot of flak for being part of DDoS botnets. And now in panic they try to disable all features that could generate a lot of traffic from the botnet members.
However, as I wrote before I think it is more effective to improve things that affect the home user who is not upgrading anyway...
Like "automatic upgrade" enabled by default on new devices, and upgrading/resetting firewall settings made easier.
It will be years before the millions of routers in the field ever see 7.17 installed, and while the above also does not fix it, at least it improves the situation on the way forward (I already suggested automatic upgrades long ago. Competitors usually have it).

Paternot · Sun Oct 20, 2024 4:22 pm

Apparently they have gotten a lot of flak for being part of DDoS botnets. And now in panic they try to disable all features that could generate a lot of traffic from the botnet members.
However, as I wrote before I think it is more effective to improve things that affect the home user who is not upgrading anyway...

Well, it's a hard nut to crack. If the user doesn't update, there isn't much we can do about it NOW, is there? Future versions could come with better defaults, more sensible options.

I agree with You: years will pass before the last "un-upgraded" unit is put out of its misery. At the same time, they are trying to do something now - even if only for the future. You know: "a thousand steps", "walk", "start" and all that.

And, again, we agree that the transition from "it was this way" and "now device-mode does it this way" is in serious need of attention. They did something for the partitioning - a good signal - but they still need to address the rest. There is simple no way to put this in production the way it is: everything will break.

New units are a whole different thing: I think we would need just minor tweaks on this device thing, nothing more.

infabo · Sun Oct 20, 2024 5:04 pm

pe1chl, automatic updates mean for the vendor: more, more and much more testing. You cant push out another "stable release" when there are millions of devices out there potentially to turn into bricks.
In case of manual update action, as it is until today, the vendor can always play the deny game, commonly something like:

- why do you even upgrade a running system?
- why do you upgrade in production?
- why do you not first test upgrade in lab?
- why do you even hit upgrade button when no disaster recovery plan in place?
- etc

Once this is a automatic process, the vendor cant play the "your fault" card.

Easy as that.

nmt1900 · Sun Oct 20, 2024 5:53 pm

Mikrotik is not even able to provide proper release notes to new releases - big established vendors are able to provide release notes which include "known issues" section which provides workarounds to these issues as well.
(By not doing this) Mikrotik is able to just bury head in sand and pretend not knowing about these at all and there's no transparency about this. All software upgrades being free of charge has the consequence of us paying for this with our own work when managing these devices.

Introducing automatic upgrades and forcing them to be on as default would be suicidal for them.

One snippet related to this - Fortinet does provide this functionality but it is not forced to be on and as they are able to provide information about known issues I found that they had turned this feature off for new release as they found out a huge problem with other devices managed by Fortigates -> FortiOS 7.2.10 release notes

It is not realistic to expect RouterOS automatic upgrades to be "seamless" if at least similar level of release information and handling of known issues is not acheved.

pe1chl · Sun Oct 20, 2024 6:47 pm

pe1chl, automatic updates mean for the vendor: more, more and much more testing. You cant push out another "stable release" when there are millions of devices out there potentially to turn into bricks.

As I explained in the previous iterations of this topic: there should be a separate channel for urgent updates that really need to be installed to cover some serious issue. It would best be based on a long-term version that has been in use for some time, with the least required changes to cover the new vulnerability.
Devices that have not been configured to do otherwise (i.e. those that have been put in use by naive users that just open the box, connect it up, and perform the minimum required work to get the device operational) would auto-upgrade to that version when its version number is higher than the installed version.
Preferably, parts of the default configuration that have been changed in the release but were not changed in the unit will also be upgraded (e.g. the firewall for a default configuration).
Of course it can make existing devices fail. But so can leaving them on ancient versions forever!
When I see the routers that are distributed by ISPs here, they always have such a feature. And those brands do survive.

BrateloSlava · Sun Oct 20, 2024 7:50 pm

Honestly - do you know many home users who would ever update their router firmware at all? Any manufacturer. I haven't met any.

And about the “forced” automatic update. IMHO, this is possible only for devices that are configured somehow “step-by-step”, by a wizard, practically without manual involvement of the user. Next... Next... Next... And we got a ready configuration. There is no room for any variants, any ambiguous situations in such a configuration.

Also. There are just an inordinately large number of home users who continue to use devices for which support has long since expired. And you get the answer from them: “Well, it works somehow and it's fine”.

As a result - you get articles like this: Malware hunters at Lumen Technologies on Tuesday sounded an alarm after discovering a 40,000-strong botnet packed with end-of-life routers and IoT devices being used in cybercriminal activities.

Or this.The Rise of Packet Rate Attacks: When Core Routers Turn Evil

Sit75 · Sun Oct 20, 2024 8:05 pm

Can you please share:
Code: Select all
/interface/wifi/export
Remove any private info.

Update: it works on my machine. Could it be a typo?

Definitely not typo, because I have used GUI, not CLI. But CLI export seems .wnm is not supported somehow. HW hAP ac^2.

/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-n .width=20/40mhz configuration.country=Czech .mode=ap \
    .multicast-enhance=enabled .qos-classifier=priority .ssid=xxx disabled=no mtu=1500 \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=no .wps=disable \
    steering.neighbor-group=yyy .rrm=yes .wnm=yes
set [ find default-name=wifi2 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40/80mhz \
    configuration.country=Czech .mode=ap .multicast-enhance=enabled .qos-classifier=priority .ssid=xxx \
    disabled=no mtu=1500 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes \
    .ft-preserve-vlanid=no .wps=disable steering.neighbor-group=yyy .rrm=yes .wnm=yes

mkx · Sun Oct 20, 2024 8:20 pm

And about the “forced” automatic update. IMHO, this is possible only for devices that are configured somehow “step-by-step”, by a wizard, practically without manual involvement of the user.

I pretty much agree on this ... specially as quite a few breaches were due to inadequate firewall setup. And configuration is (almost) never changed by upgrading ROS. So to make changes in default setup effective on upgraded devices, the configuration either has to be completely stock (i.e. product of QuickSet) or the custom config should entirely be recorded as "delta" against default ... so that "underlying" default can be upgraded without affecting users' changes. And even this has a potential to break end configuration if users' configs still rely on particular variant of default config. Plus this would require a big change in how config changes are handled in ROS, a thing which is a heart of ROS.

I'm affraid that all MT can do is to make default config as bullet-proof as possible while allowing users to keep their config under control when upgrading. Those users, who actually do upgrade, are in better position to take care of security of their devices than those users who don't upgrade ever, upgrading ROS (manually) shows some determination after all. So IMO MT should make upgrade process more friendly to those who bother upgrading devices and less focused on those who don't upgrade ever. Yes, they should make life of owners of new devices "miserable" by requiring some sane initial setup (like setting up admin password before ever allowing any traffic in chain=forward) and I don't have much understanding to those who are whining about their "bulk initial config" tasks becoming harder ... they'll figure something out ... they might even want to pay some "trianed monkeys" to do it "half manually" if needed.

spippan · Sun Oct 20, 2024 9:11 pm

What's new in 7.17beta4 (2024-Oct-18 11:32):

*) crypto - use hardware accelerator for GCM cipher in TLS connection on Alpine CPUs;

*) ssh - added option to configure SSH ciphers (replaced allow-none-crypto parameter);

so, could

*) crypto - use hardware accelerator for GCM cipher in TLS connection on Alpine CPUs;

...mean a pathway to use MACsec with hardware offload in the near future? (yeah i know, MACsec and TLS connection does not go along in the same sentence - but the option to use hw-offload for GCM ciphers ... just curious...)

*) ssh - added option to configure SSH ciphers (replaced allow-none-crypto parameter);

*(CLI only)

pe1chl · Sun Oct 20, 2024 9:15 pm

Honestly - do you know many home users who would ever update their router firmware at all? Any manufacturer. I haven't met any.

And about the “forced” automatic update.

Nobody ever suggested “forced” automatic update.
What I suggest is "default" automatic update configured in devices as they come from the factory.
Experienced admins can disable it. But home users who would never update firmware now are guaranteed a "safe" version.

It could even streamline the initial installation of new devices: normally every new device first has to be upgraded to current stable firmware, THEN it has to be reset to defaults. Because out-of-the-box it will reset to the defaults of the factory installed firmware, and when the user does click the upgrade button they still are left with sub-optimal configuration (configuration is never upgraded).

BrateloSlava · Sun Oct 20, 2024 11:22 pm

What I suggest is "default" automatic update configured in devices as they come from the factory.

In principle, everything is great: the “new” device should, for example, first be connected by the WAN port to the switch or current router and the firmware should be updated. After that - configure it with the help of some wizard.
But - this does not solve the problem, how to “force” users to update in the future?
-------
And again - the unwillingness of the end user to properly “watch and maintain” the purchased device we blame as a problem on the manufacturer of the device.

Let's imagine a situation: you were brought home by a driver. Everyone got out, and the driver did not close the windows. And everyone went to bed. At night it rained heavily, water got into the car and something in the cabin got spoiled. You come to the car in the morning and notice the breakdown. Instead of scolding the driver, who operated the car incorrectly, you call the manufacturer of the car and start expressing your claims of improper quality.

Paternot · Sun Oct 20, 2024 11:52 pm

Let's imagine a situation: you were brought home by a driver. Everyone got out, and the driver did not close the windows. And everyone went to bed. At night it rained heavily, water got into the car and something in the cabin got spoiled. You come to the car in the morning and notice the breakdown. Instead of scolding the driver, who operated the car incorrectly, you call the manufacturer of the car and start expressing your claims of improper quality.

I think that about sums it up. We have a never ending number of aphorisms for this kind of thing:
"We can't fix stupid"
"It´s a PEBCAK"
"You can take a horse to the water, but You can't make it drink from it"
"Another Darwin Awards, I see"
And the list goes on. At some point we must concede that there's no solution for it.

fischerdouglas · Sun Oct 20, 2024 11:54 pm

I feel like that this talk will reach on things like ZTP, Branding, and TR069.

fischerdouglas · Sun Oct 20, 2024 11:57 pm

You guys fight to much!
I think that mayve a new flood of ideas colud help to remember that there is sooooo many things that Mikrotik guys needs to improve!

pe1chl · Mon Oct 21, 2024 10:49 am

What I suggest is "default" automatic update configured in devices as they come from the factory.

In principle, everything is great: the “new” device should, for example, first be connected by the WAN port to the switch or current router and the firmware should be updated. After that - configure it with the help of some wizard.
But - this does not solve the problem, how to “force” users to update in the future?

Once again, I am NOT talking about "force". I am talking about "help".
There can be default configuration like a scheduled script that checks for new versions like once a day or once a week, at some nightly hour, and when a critical new version is available it downloads and installs it.

Mon Oct 21, 2024 11:21 am

igorr29 - regarding Superchannel, it is a country profile that allows wider frequency selection, and must be used with caution to ensure regulatory compliance. What frequency can be selected is a combination of country profile you select and what frequencies the hardware supports, like with any other country profile. In this case, you selected a non-supported range - interfaces point of view. You can find what frequencies interface supports with "/interface/wifi/radio/print detail"

sit75 - what device are you using? Perhaps it is country locked? If it is not country locked device, please create a support ticket.

sharkys · Mon Oct 21, 2024 3:26 pm

What your logs say ? If you are experiencing a problem please create supout.rif file and open a ticket with support so they can fix the bug.

I have few devices on 7.17beta and i experience no problems with dhcp server.
Found the issue, I had to change the interfaces for other relays (up/down) - when I had all set to bridge, it stopped working on 7.17 beta.

2024-10-01 08_15_39-Clipboard.png

I changed it as per relevant interfaces and works again fine.
Re logs, there were no erros just : "dhcp_main offering lease 10.0.0.XX for XX:XX:XX:XX:XX:XX without success"

Installed 7.17beta4 and again issue with DHCP Relay popup - now even changing it to Bridge or to relevant interface, did not help.
Rolled back to 7.16.1 and it's alright.

Anyone experienced any issues with DCHP Relays ? Didn't make yet any traffic dump to see what is really happening as I did upgrade midnight yesterday and had to revert. Any reasonable comments or suggestions appreciated. Thank you.

guipoletto · Mon Oct 21, 2024 5:45 pm

Something that could work for more "secure" environments, instead of forcing a "no downgrade whatsoever" down our throats:

A bootloader package could be provided for interested admins, something like what's already done with the "branding" and "country lock" packages

This package would bump the "minimal supported version" for the platform, but would still allow for necessary downgrades when Mikrotik invariably pushes to "stable" some untested code that messes with production

As it stands, i can not ever risk pushing new versions to production (even those deemed "stable"), due to the massive unjustified overhead to "rollback" when some regression shows up.

Just limit rollback/downgrade to some reasonable baseline (such as whatever version was previously tested and working in that specific scenario)

Sit75 · Mon Oct 21, 2024 10:15 pm

igorr29 - regarding Superchannel, it is a country profile that allows wider frequency selection, and must be used with caution to ensure regulatory compliance. What frequency can be selected is a combination of country profile you select and what frequencies the hardware supports, like with any other country profile. In this case, you selected a non-supported range - interfaces point of view. You can find what frequencies interface supports with "/interface/wifi/radio/print detail"

sit75 - what device are you using? Perhaps it is country locked? If it is not country locked device, please create a support ticket.

Dear Guntis, thanks for reply. There is definitely not any restriction, due to the simple fact Superchannel was possible to set on RouterOS 6 on hAP ac^2. I have raised the ticket SUP-169040 for Superchannel issue and SUP-169041 for wnm=yes issue mentioned above too. To complete overall "trinity" of issues, I have raised SUP-169042 for very probably memory leak related to fq-codel and queue implementation in RouterOS 7 branch.

hjoelr · Mon Oct 21, 2024 11:11 pm

Could we get address lists similar to interface lists where you first define a list and then add items to it? The ultimate goal is the ability to nest address lists. This could simplify my configurations immensely.

hjoelr · Mon Oct 21, 2024 11:14 pm

Another feature I really could use in Winbox is the ability to collapse related rules together in firewall>filter and firewall>mangle in particular.

pe1chl · Tue Oct 22, 2024 12:18 am

Could we get address lists similar to interface lists where you first define a list and then add items to it? The ultimate goal is the ability to nest address lists. This could simplify my configurations immensely.

That sure would have been better...and not only for address lists.
But it seems that in early RouterOS the design objective was to hide things like that from the user, and automagically create lists when you add items, for example.
In recent versions that was sometimes overturned, e.g. routing tables now have to be explicitly created.
Hopefully it will some time happen for address lists as well (and you can specify the type and e.g. if it has counters. just the capabilities of "ipset" in Linux).

Tue Oct 22, 2024 7:41 am

I just had to revert another device from 7.17beta4 to 7.16.1 owing to these DHCP changes. This latest beta utterly wrecked an existing configuration:

Three independent devices stopped getting their lease renewals: an iPhone 14 running iOS 17.6.1, a cheap WiiM DAC, and an AlmaLinux VM bridged to the LAN, served from a QNAP NAS. It should go without saying that these things have nothing in common.
On attempting to debug it, "/ip/dhcp-server/export" hung for many seconds at a time and then errored out. (Sorry, didn't capture the exact text; I was in a bit of a panic.)

I do have DHCP snooping enabled on this LAN, but disabling it on all the devices the DHCP packets pass through did not help.

I ended up switching back to stable, resetting to defconf, and then restoring a binary backup. I'm relieved that worked, because netinstall would've been rather difficult to pull off without a working Internet gateway router. Apparently I need to make it a policy to download the current version's NPKs prior to the upgrade, just in case.

As far as I can tell, this breakage came in with beta4, not beta2. The DHCP leases aren't long enough that I would have failed to notice if all this broke prior to beta4.

pe1chl · Tue Oct 22, 2024 11:13 am

Depending on what type of router you use (16MB flash toy or one with sufficient flash) you can also configure partitioning so you can always switch back to the previous install without hassle...

ToTheFull · Tue Oct 22, 2024 11:25 am

i Just tried to add WPA3 via sec1 and apply to 3 of my wifi interfaces but it didn't work.
WPA3 wasn't applying, to note i don't use the main configuration tab, sec1 normally applies to everything I add it to soo long as evrything else is blanked and back spaced first. However I did notice that per device config tabs were pulled down maybe thats why. IE this vs that. Hope that makes sense.

Tue Oct 22, 2024 12:01 pm

Depending on what type of router you use

hAP ax³ for the moment, 128 MB.

configure partitioning

Solid plan. Thanks for reminding me of the option.

I set the fallback sequence up for part0 → part1→ Etherboot. Sane?

erlinden · Tue Oct 22, 2024 12:34 pm

i Just tried to add WPA3 via sec1 and apply to 3 of my wifi interfaces but it didn't work.

What didn't work?
I tend to perform an export when in doubt if settings are correct:

/interface/wifi/export

Alternatively you can use a wifi scanner for getting insights wether i.e. WPA3 is available.
Fwiw, WPA3 is working next to WAP2 perfectly.

Coughy · Tue Oct 22, 2024 12:46 pm

i Just tried to add WPA3 via sec1 and apply to 3 of my wifi interfaces but it didn't work.
What didn't work?
I tend to perform an export when in doubt if settings are correct:
Code: Select all
/interface/wifi/export
Alternatively you can use a wifi scanner for getting insights wether i.e. WPA3 is available.
Fwiw, WPA3 is working next to WAP2 perfectly.

i wouldnt say perfectly
i have hapax3 , hapax2 , Capax devices running capsman and yes wpa3 and wpa2 are working but still getting reauthenticating and constant disconnections more with wpa3 enabled
still alot of work needs to be done on the ax devices

rextended · Tue Oct 22, 2024 12:58 pm

Netwatch bug: viewtopic.php?t=211157&start=300#p1104591