The issue with User-Manager and oversize UDP packet that I mentioned in post #236 viewtopic.php?t=212754#p1115736 is still present in 7.17.rc6.

*) user-manager - improved stability;

Did you by chance upgrade the Unifi application to version 9.x? I see others reporting RADIUS problems for that version, unclear what the problem is.

You mentioned that the second fragment never appears on the device directly connected to RB5009 Ethernet port. It could be something related to RB5009 Ethernet or switch. Can you quickly test if disabling bridge HW offloading makes any difference (I assume you are using bridge)? Can you share supout.rif file and pcap files from the RB5009 to support?

I just made some test with a hAP ac² running 7.16.2 using the normal bridge (no VLAN).

The hAP ac² only has the standard bridge from defconf.

With the MTU set to 1480 (or 1476), I used Traceroute to send UPD packets to a Windows machine running Wireshark. Windows doesn't support UDP traceroute but that's not important because I only wanted to capture the incoming packets. By setting the traceroute Packet Size to 1482, I got the same fragmentation where the 2nd fragment has the same 40-byte frame size:

And the exact same issue as the one with User Manager happened. After a while the Packet Sniffer showed a bunch of ICMP packets. On the Windows machine, Wireshark showed that the 40-byte frames never arrived, only the 1490-byte ones. And Windows sent the ICMP Fragment reassembly time exceeded responses.

But at this moment, with the MTU set to 1480, the same RADIUS authentication tests with eapol_test suceeded! Obviously, with smaller MTU the 2nd fragment got bigger. So I tried to increase the size of the traceroute packet to 1492:

Packet sniffer showed the ethernet frame size of the 2nd fragment to be 50 bytes. This time there is no ICMP packets. And on the windows machine, all packets have arrived! But the 2nd fragments have a frame size of 56 bytes. With trailer inserted at the end.

Next, I tried to increase the traceroute packet size from 1482. At 1483 bytes, a 41-byte 2nd fragment was produced, but also disappeared and never arrived. At 1484 bytes however, just two bytes larger than 1482, the fragmentation worked, and the Windows machine could reassemble all the UDP packets:

We can also see that the 2nd fragments are listed as having a 42-byte frame size on ROS, but were sent as 56-byte frames with 14-byte trailer:

When I changed the traceroute target to one UniFi AP, which runs Linux, the traceroute worked with packet size 1484 (because the AP understands UDP traceroute and can respond), but also failed with ICMP fragmentation timeout when the packet size was reduced to 1482 bytes.

It looks like RouterOS is unable to append a 15- or 16-byte trailer, so that the ethernet frame sent can reach the minimum allowed size? Am I unlucky that my certificate size somehow causes User Manager to produce UDP packets that cause fragmentation with the 40-byte second fragment (at MTU 1500)? Maybe I should try to add some junks into the different fields of the certificate to make it larger 🙃?

*) bridge - fixed bridge packet transmit if dhcp-snooping is enabled (introduced in v7.17beta5);

dhcp-snooping (yes | no; Default: no) Enables or disables DHCP Snooping on the bridge.

IPv4 FastTrack is active if the following conditions are met:

no mesh, metarouter interface configuration;
sniffer, torch, and traffic generator are not running;
"/tool mac-scan" is not actively used;
"/tool ip-scan" is not actively used;
FastPath and Route cache are enabled under IP/Settings (route cache condition does not apply to RouterOS v7 or newer);
bridge FastPath is enabled if a connection is going over the bridge interface;

Regarding fasttrack, it is expected behavior. Dhcp-snooping disables bridge fast-path which in turn affects the ability to fasttrack connections going over that bridge. See https://help.mikrotik.com/docs/spaces/R ... quirements

I learned the "monkey test lesson" by enabling IGMP-snooping and multicast querier some months ago. It introduced extreme latency on my whole network I could not explain - just to finally determining these 2 bridge settings as the issue.

It could be considered a lesson "do not enable each and every feature just because it looks cool"...
DHCP snooping can be useful in large networks with access for guests and other BYOD equipment, but on a home network it really isn't worth the (potential) trouble.

@CGGXANNX does your hap ac2 LAN/WAN interfaces are on same bridge, is the config same as RB5009? Depending on your setup (where WAN is not configured on bridge) fasttrack could be working in one direction, but not in the other. But it is getting out of scope, let's keep this discussion related to 7.17, please.

... so IGMP Snooping is now disabled again. And it's a feature that I actually need (IPTV usage).

But on the RB5009 since the beginning I have been unable to turn on the IGMP Snooping feature, and not only because of the VLANs. Turning it on and IPv6 RA/ND stop working.

Regarding fasttrack, it is expected behavior. Dhcp-snooping disables bridge fast-path which in turn affects the ability to fasttrack connections going over that bridge. See https://help.mikrotik.com/docs/spaces/R ... quirements

*) bridge - fixed fragmented packet transmit when dhcp-snooping is enabled (introduced in v7.17beta6);

It depends. My ISP offers IPTV over tagged VLAN ... so I pass that VLAN only to required ports (connecting TV boxes)...

Due to "keep this discussion related to 7.17" and the fact that this post will be locked soon, a moderator could please open new topic and move all the messages related to DHCP / IGMP Snooping?
Would be nice to have a clear statement from @MT Staff like sometimes @raimondsp does, what is affected, when should be used (router / switch / ap) etc.

I had such an issue for quite some time on one of my devices, a hAP ac2 used as a second AP in bridge mode, and at some point I discovered by accident that on that device "Use IP firewall" had been (sort of mistakingly) enabled, and the IPv6 firewall did not forward multicast frames.

With my ISP you normally have to pay a subscription for IPTV and get a TV-Box. But if you don't subscribe and pay nothing, the IPTV multicast streams with all the channels are still available on the ethernet connection that PPPoE uses, not in a separate VLAN, free of charge, you just don't get the physical TV-Box. People in my country just share the playlist file with the UDP multicast URLs of all the channels and I use that to watch the multicast streams on my Phone/Tablet/PC devices with VLC or MPC 😊 for free. Only the TV devices really require UDPXY. But with IGMP Snooping still not really working in 7.17rc, UDPXY is for now needed for the other devices too (but it introduces delay).

You may just need to add the firewall RTSP helper (via /ip/firewall/service-port/enable rtsp), if the multicast IPTV streams are on the WAN side & the IPTV is using RTSP. If the service is not using RTSP, well, than enabling helper is not going help. But the IPTV source may need the PPPoE IP address, not the local LAN address, in the SDP message used by RTSP - which is what the firewall service-port/helper will do.

@EdPa is there any chance that SUP-172111 will be fixed before the stable release?
hAP ac2 reboots itseft with SMB transfers also with 7.17rc7 (more info).
Thanks

@EdPa is there any chance that SUP-172111 will be fixed before the stable release?
hAP ac2 reboots itseft with SMB transfers also with 7.17rc7 (more info).
Thanks

After a month they closed my ticket saying that AC2 with the wifi-qcom-ac driver does not have the hardware to support even a transfer via SMB, the only solution is to use the legacy wifi driver.

I'm noticing a strange thing, AC2 with 7.17 Rc7 can't ping any external IP like the classic 8.8.8.8 or 1.1.1.1. The internal IPs work but the external ones are no way. I haven't touched anything at the firewall level in the last few months. I'm talking about "tools>ping"

Before 7.15, there were stability issues with some SFP ONU sticks and CRS305. (Suddenly, TX Power was showing -40.0dBm with FS.com GPON-ONU-34-20 BI).
Issue was fixed in 7.15 (* sfp - improved "sfp-tx-power" value monitoring in certain cases;)
I have updated my CRS305 to 7.17RC2 (firmware upgrade too) and the issue is back (4 crashes in few days, after months of stability).
I have reopened the original ticket on support side.

Can we get v7.17 out the door and move to v7.18 beta so we can see what's new..... this version dragging now.

I do appreciate stability and rigorous testing but I also want movement and new features as there are stuff I'm waiting for which may or may not be in next version.

@merkkg - If you’ve got an important business case, you can ask support for a special custom patch to test in the meantime. If you’re just “eager” for new features, it’s probably better to wait for a stable version.

well it seems we have 2 groups of people... 1 that needs specific features which is only possible in new versions and other group that has all they need and just want stability.... there is no right answer here...

Can we get v7.17 out the door and move to v7.18 beta so we can see what's new..... this version dragging now.

I do appreciate stability and rigorous testing but I also want movement and new features as there are stuff I'm waiting for which may or may not be in next version.

RoSv7.17RC3. SSTP doesn't work with ciphers=aes256-gcm-sha384. If I change back to ciphers=aes256-sha it works again.
Other relevant configs:

Code: Select all

verify-server-certificate=yes verify-server-address-from-certificate=no authentication=mschap2 pfs=required tls-version=only-1.2 add-sni=no

Edit: SSTP works with ciphers=aes256-gcm-sha384 on v7.16.x

Code: Select all

[oreggin@rtr1.xxxxxx] > interface/sstp-client/monitor 1
               status: connected
               uptime: 1m31s
             encoding: AES256-GCM
                  mtu: 1378
        local-address: 10.1.1.16
       remote-address: 10.1.1.10
   local-ipv6-address: fe80::29ab:d5a4:0:1a
  remote-ipv6-address: fe80::66d5:fa33:f0:6f6c

Just to say: this rc is taking its time - and I love it!

Take 6 months if needed - but wait until its as (reported) "bug free" as possible !

What's new in 7.17rc7 (2025-Jan-10 10:37):

!) webfig - redesigned HTML, styling and functionality (additional fixes);
*) bridge - fixed fragmented packet transmit when dhcp-snooping is enabled (introduced in v7.17beta6);
*) ptp - fixed packet tx/rx when enabling PTP on 1/2.5/100Gbps links for 98CX8410, 98DX8525, 98DX4310 switches (introduced in v7.16);
*) system - improved system stability for CRS520-4XS-16XQ (introduced in v7.17beta2);

RoSv7.17RC3. SSTP doesn't work with ciphers=aes256-gcm-sha384. If I change back to ciphers=aes256-sha it works again.
Other relevant configs:

Code: Select all

verify-server-certificate=yes verify-server-address-from-certificate=no authentication=mschap2 pfs=required tls-version=only-1.2 add-sni=no

Edit: SSTP works with ciphers=aes256-gcm-sha384 on v7.16.x

Code: Select all

[oreggin@rtr1.xxxxxx] > interface/sstp-client/monitor 1
               status: connected
               uptime: 1m31s
             encoding: AES256-GCM
                  mtu: 1378
        local-address: 10.1.1.16
       remote-address: 10.1.1.10
   local-ipv6-address: fe80::29ab:d5a4:0:1a
  remote-ipv6-address: fe80::66d5:fa33:f0:6f6c

Could you please send us your supout rif file. Seems something missing here, as this works for us.

When I tried upgrading my RB450Gx4 router to the latest 7.17rc version, it restarted but remained on 7.16. The first log entry stated: "Upgrade failed, free 9 kB of kernel disk space." My router has over 400MB of free disk space, and despite searching extensively online, I couldn’t find anyone else encountering this error on RouterOS.

Based solely on the weak statistics from my vague memory, every time an RC greater than 5 appears on the sly on a Friday with few changes, and without any mention of the bugs declared in the RC thread on the Forum, it is almost certain that a Stable will appear ignoring the mentioned bugs.

version	count	day_of_week
7.9rc5	3	Fri
7.8rc3	1	Mon
7.7rc5	4	Wed
7.6rc3	2	Fri
7.5rc2	1	Thu
7.4rc2	8	Thu
7.3rc2	3	Thu
7.2rc7	1	Wed
7.17rc7	4	Fri
7.16rc5	5	Fri
7.15rc5	4	Tue
7.14rc4	2	Wed
7.13rc4	6	Tue
7.12rc6	1	Mon
7.11rc4	4	Sun
7.10rc6	4	Tue
7.1rc6	18	Thu
6.49rc2	14	Tue

@ruijzhan how does your partitioning look like? Better to discuss this further in a dedicated topic or contact Mikrotik support.

Code: Select all

/interface bridge
add admin-mac=E1:E1:E1:E1:E1:E1

Code: Select all

/interface bridge
add admin-mac=E1:E1:E1:E1:E1:E1

Your admin-MAC is invalid!
The lower bit of the first byte must be zero.

@ruijzhan how does your partitioning look like? Better to discuss this further in a dedicated topic or contact Mikrotik support.

waiting for this
viewtopic.php?t=213301

Based on facts. Here is the latest RC version before release with number of changes and day of week when it was released.
Not that many RC has passed version 5 :)

rzirzi, oreggin - Thank you for your reports. We have discovered that Alpine CPU ARM64 devices does not work with GCM AES encryption. We are working on a fix.

@EdPa is there any chance that SUP-172111 will be fixed before the stable release?
hAP ac2 reboots itseft with SMB transfers also with 7.17rc7 (more info).
Thanks

rzirzi, oreggin - Thank you for your reports. We have discovered that Alpine CPU ARM64 devices does not work with GCM AES encryption. We are working on a fix.

I did just a few minutes ago the update from 7.17rc2 to rc3 and again (see SUP-172313) the names for the internal disks were changed.
Now with every reboot the names between disk1 and disk2 switches….
sata1 and sata2 flip their names with every reboot…..
You can see it in the screenshots.

Before reboot:
before reboot.jpg
...and after reboot:
after reboot.jpg

7.17.rc3

still not working.
Profile designer is make json file on disk but no more usable by winbox to assign to user group ou web interface, the profile is not listed after creation.

7.17rc2

Making skin with Skin Designer, save it, jason file present in the disk skin directory, but in user group cannot see it.
Even if I try to edit in skin designer, i cannot read it because not present in drop box...
seems system not load existing skin...

@EdPa is there any chance that SUP-172111 will be fixed before the stable release?
hAP ac2 reboots itseft with SMB transfers also with 7.17rc7 (more info).
Thanks

Unfortunately I confirm that it is due to a hardware limit (low RAM) of the hAP ac2 and not a problem of ROS 7.17.
SMB works perfectly by disabling adlist and containers that could use a lot of RAM.
Thanks to MikroTik support for the help and patience.

we need VRF in to netwatch

Properties
Sub-menu: /tool/netwatch

host (Default:"")
The IP address of the server to be probed. Formats:

• - ipv4
• - ipv4@vrf
• - ipv6
• - ipv6@vrf
• - ipv6-linklocal%interface
• - domain name (for type=dns)

What's new in 7.17rc8 (2025-Jan-15 08:19):

!) webfig - redesigned HTML, styling and functionality (additional fixes);
*) system - fixed crypto for Alpine CPUs (introduced in v7.17beta1);

What's new in 7.17rc8 (2025-Jan-15 08:19):

!) webfig - redesigned HTML, styling and functionality (additional fixes);
*) system - fixed crypto for Alpine CPUs (introduced in v7.17beta1);

Once again, I will repeat:
I'm smelling a "If we say it is stable, it is stable! The reported issues do not matter!"

I hope I'm wrong.

But I would like it when it gets released and the 7.18beta versions start appearing with again hope for BGP fixes.

This night our internet connection failed but the backup via LTE (auto switched using BGP), which worked perfectly at least until 7.12 or 7.15, don't remember exactly, again failed to take over. That is because prefixes at lower preference are not in the table.
The users suffer from that and I don't like that.

What's new in 7.17rc8 (2025-Jan-15 08:19):

!) webfig - redesigned HTML, styling and functionality (additional fixes);
*) system - fixed crypto for Alpine CPUs (introduced in v7.17beta1);

I backed my most problematic router off from 7.16.2 to 7.15.3 and the BGP problems seem to have stopped. I saw some appear on other routers due to a bouncing session due to faulty BFD, and so I anticipate moving them all to 7.15.3 (BGP cores and reflectors).

Unfortunately I confirm that it is due to a hardware limit (low RAM) of the hAP ac2 and not a problem of ROS 7.17.
SMB works perfectly by disabling adlist and containers that could use a lot of RAM.
Thanks to MikroTik support for the help and patience.

Well, frankly the hAP ac2 is a low-end device. You are just expecting too much from it.
There even was a time period where it could barely run RouterOS v7 (and be updated), because of the extreme shortage of flash space.
That has been cured (for now), but still I think you should see this as a low-end home router and access point, not as the central piece of your datacenter-like IP infrastructure.
When you have bought that and got excited about RouterOS possibilities, consider buying a more powerful device (maybe RB5009) for that, and continue to use it as a WiFi AP. Or maybe a hAP ax3 when you really want to combine router and AP.

I backed my most problematic router off from 7.16.2 to 7.15.3 and the BGP problems seem to have stopped. I saw some appear on other routers due to a bouncing session due to faulty BFD, and so I anticipate moving them all to 7.15.3 (BGP cores and reflectors).

Thanks for confirming that! I was quite sure that it worked OK very shortly before upgrading to 7.16 but I did not remember at
what version. I had to upgrade our RB5009UPr+S+IN routers due to PoE issues, but I think that was an update pushed to the
PoE controllers and a downgrade may leave that in place. Fortunately I have a spare so I can try that.

Still I think it is a shame that there is total silence from MikroTik about the BGP issues, both on this topic and from support.
(I have an open ticket)

I can agree that AC2 is not a datacenter device but up to ROS 7.15.x the SMB transfer worked now the device goes into kernel panic if used together with the new wifi-qcom-ac drivers (I think I understood that with legacy drivers the problem does not occur correct?) it seems to me a serious bug especially because it is not reproduced anywhere not to use SMB and new drivers and it is not a good image if a stable version behaves like this. If Mikrotik makes it official then they should make sure that in WinBox-WebFig in case of presence of the wifi-qcom-ac driver the IP>SMB entry disappears because I repeat if a system goes into Kernel Panic without any notification from the manufacturer regarding an incompatibility, then it is a bug!

I can agree that AC2 is not a datacenter device but up to ROS 7.15.x the SMB transfer worked now the device goes into kernel panic if used together with the new wifi-qcom-ac drivers (I think I understood that with legacy drivers the problem does not occur correct?) it seems to me a serious bug especially because it is not reproduced anywhere not to use SMB and new drivers and it is not a good image if a stable version behaves like this. If Mikrotik makes it official then they should make sure that in WinBox-WebFig in case of presence of the wifi-qcom-ac driver the IP>SMB entry disappears because I repeat if a system goes into Kernel Panic without any notification from the manufacturer regarding an incompatibility, then it is a bug!

They have recently updated the WiFi doc, it now warns that wifi-qcom-ac uses significant more RAM and is more resource-heavy:

https://help.mikrotik.com/docs/spaces/R ... edexamples

We agree that they take up more RAM but then eliminate the SMB entry on these devices so that a stable version cannot go into Kernel Panic for functions that the manufacturer itself makes available, do you agree?

Still I think it is a shame that there is total silence from MikroTik about the BGP issues, both on this topic and from support.
(I have an open ticket)

I wouldn’t go as far as calling it a shame, but it is certainly irritating. Let’s hope for the best and that it gets fixed soon. Perhaps if someone affected can reliably reproduce the issue and submits a detailed bug report to support, it might help move things along?

That is the beauty and the curse of RouterOS - sky is the limit. But the "sky" here is the administrator