v7.18beta [testing] is released!

Tue Jan 21, 2025 4:47 pm

RouterOS version 7.18beta has been released on the "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.18beta4 (2025-Jan-31 15:46):

*) bridge - fixed endless MAC update loop (introduced in v7.17);
*) chr/x86 - fixed error message on bootup;
*) cloud - added file-share feature (additional fixes);
*) console - added dsv.remap to :serialize command to unpack array of maps from print as-value (additional fixes);
*) defconf - added IPv6 FastTrack configuration;
*) dhcpv4-server - fixed framed-route removal;
*) dhcpv4-server - fixed lease assigning when server address is not bind to server interface (introduced in v7.17);
*) fetch - fixed IPv6 handling in URL (introduced in v7.18beta2);
*) file - improved handling of filesystems with many files (additional fixes);
*) hotspot - fixed an issue where extra "flash/" is added to html-directory for devices with flash folders (introduced in v7.17);
*) igmp-proxy - fixed multicast routing after upstream interface flaps (introduced in v7.17);
*) ipsec - fixed chacha20 poly1305 proposal;
*) ipv6 - added routing FastPath support (enabled by default) (additional fixes);
*) ipv6 - fixed configuration loss due to conflicting settings after upgrade (introduced in v7.17);
*) l3hw - added initial HW offloading for VXLAN on compatible switches (additional fixes);
*) log - added CEF format support for remote logging (additional fixes);
*) lte - added basic support for Quectel RG255C-GL modem in "at+qcfg="usbnet",0" USB composition;
*) lte - added initial eSIM management support (CLI only) (additional fixes);
*) lte - reduced SIM slot switchover time for modems with AT control channel;
*) net - added initial support for automatic multicast tunneling (AMT) interface (additional fixes);
*) ovpn - added requirement for server name when exporting configuration;
*) poe-out - fixed invalid poe-in status detection for RB5009 (introduced in v7.18beta2);
*) port - improved handling of USB device plug/unplug events;
*) ppc - fixed HW encryption (introduced in v7.17);
*) queue - improved system stability when many simple queues are added (introduced in v7.17);
*) resolver - fixed static FQDN resolving (introduced in v7.17);
*) routerboot - improved stability for IPQ8072 ("/system routerboard upgrade" required);
*) smb - fixed connection issues with clients using older SMB versions (introduced in v7.17);
*) supout - added IPv6 settings section;
*) switch - improvements to certain switch operations (port disable, shaper and switch initialization) (additional fixes);
*) vxlan - added IPv6 FastPath support;
*) vxlan - fixed unset for "group" and "interface" properties;
*) vxlan - replaced the "inherit" with "auto" option for dont-fragment property (new default);
*) wifi-qcom - fixed potentially lowered throughput for station interfaces if channel.width property is set (introduced in v7.18beta2);
*) winbox - fixed locked input fields when creating new certificate template;
*) winbox - show warning messages for static DNS entries;
*) x86 - fixed "unsupported speed" warning (additional fixes);

What's new in 7.18beta2 (2025-Jan-21 11:27):

*) 60ghz - improved system stability;
*) bgp - fixed certain affinity options not working properly;
*) bgp - improved system stability when printing BGP advertisements;
*) bgp - make NO_ADVERTISE, NO_EXPORT, NO_PEER communities work;
*) bond - added transmit hash policies for encapsulated traffic;
*) bridge - added MLAG heartbeat property;
*) bridge - avoid duplicate VLAN entries with dynamic wifi VLANs;
*) bridge - do not reset MLAG peer port on heartbeat timeout (log warning instead);
*) bridge - fixed missing S flag on interface configuration changes;
*) bridge - improvements to MLAG host table updates;
*) bridge - process more DHCP message types (decline, NAK, inform);
*) bridge - removed controller-bridge (CB) and port-extender (PE) support;
*) bridge - show VXLAN remote-ip in host table;
*) btest - allow limiting access to server by IP address;
*) certificate - fixed localized text conversion to UTF-8 on certificate creation;
*) chr - fixed limited upgrades for expired instances;
*) chr/x86 - added network driver for Huawei SP570/580 NIC;
*) chr/x86 - fixed GRE issues with ice network driver;
*) chr/x86 - Realtek r8169 updated driver;
*) cloud - added file-share feature;
*) cloud,bth - use in-interface matcher for masquerade rule;
*) console - added dsv.remap to :serialize command to unpack array of maps from print as-value;
*) console - added file-name parameter to :serialize;
*) console - allow ISO timezone format in :totime command;
*) console - allow tab as dsv delimiter;
*) console - allow to toggle script error logging with "/console settings log-script-errors";
*) console - do not autocomplete arguments when match is both exact and ambiguous;
*) console - do not show numbering in print follow;
*) console - fixed "get" and "proplist" for certain settings;
*) console - fixed issue where ping command displays two lines at the same time;
*) console - fixed issue with disappearing global variable;
*) console - implement scriptable safe-mode commands and safe-mode handler;
*) console - improved hints;
*) console - log errors within scripts to the system log;
*) console - make non-pseudo terminals work with imports;
*) console - put !empty sentence when API query returns nothing;
*) container - add default registry-url=https: //lscr.io;
*) container - allow HTTP redirects when accessing container registry;
*) container - allow specifying registry using remote-image property;
*) container - improved image arch choice;
*) container - use parent directory of container root-dir for unpack by default, so that container layer files are downloaded directly on target disk;
*) dhcpv4-client - allow selecting to which routing tables add default route;
*) dhcpv4-client - fixed default option export output;
*) dhcpv4-server - fixed "active-mac-address" update when client has changed MAC address;
*) dhcpv6-client - added "validate-server-duid" option;
*) dhcpv6-client - allow specifying custom DUID;
*) dhcpv6-client - do not run script on prefix renewal;
*) dhcpv6-relay - add routes for bindings passing through relay;
*) dhcpv6-server - respond to client in case of RADIUS reject;
*) discovery - advertise IPv6 capabilities based on "Disable IPv6" global setting;
*) discovery - improved stability during configuration changes;
*) discovery - report actual PSE power-pair with LLDP;
*) discovery - use power-via-mdi-short LLDP TLV only on pse-type1 802.3af;
*) disk - add disk trim command (/disk format-drive diskx file-system=trim);
*) disk - fix detecting disks on virtual machines;
*) ethernet - fixed issue with default-names for RB4011 and RB1100Dx4 devices;
*) ethernet - improved link speed reporting on 2.5G-baseT and 10Gbase-T ports;
*) fetch - added "http-max-redirect-count" parameter, allows to follow redirects;
*) fetch - do not require "content-length" or "transfer-encoding" for HTTP;
*) file - added "recursive" and "relative" parameters to "/file/print" for use in conjunction with "path" parameter;
*) file - allow printing specific directories via path parameter;
*) file - improved handling of filesystems with many files;
*) firewall - allow in-interface/in-bridge-port/in-bridge matching in postrouting chains;
*) firewall - fixed incorrectly inverted hotspot value configuration;
*) firewall - increased maximum connection tracking entry count based on device total RAM size;
*) iot - added new "iot-bt-extra" package for ARM, ARM64 which enables use of USB Bluetooth adapters (LE 4.0+);
*) iot - improvements to LoRa logging and stability;
*) iot - limited MQTT payload size to 32 KB;
*) ip - added support for /31 address;
*) ippool - added pool usage statistics;
*) ipsec - added hardware acceleration support for EN7562CT (hEX refresh);
*) ipsec - fixed installed SAs update process when SAs are removed;
*) ipv6 - added ability to disable dynamic IPv6 LL address generation on non-VPN interfaces;
*) ipv6 - added FastTrack support;
*) ipv6 - added routing FastPath support;
*) ipv6 - added support for neighbor removal and static entries;
*) l2tp - added IPv6 FastPath support;
*) l3hw - added initial HW offloading for VXLAN on compatible switches;
*) l3hw - added neigh-dump-retries property;
*) l3hw - fixed /32 (IPv6 /128) route offloading when using interface as gateway;
*) l3hw - fixed partial route offloading for 98DX224S, 98DX226S, 98DX3236 switches;
*) l3hw - respect interface specifier (%) when matching a gateway;
*) log - added CEF format support for remote logging:
*) log - added option to select TCP or UDP for remote logging;
*) lte - added initial eSIM management support (CLI only);
*) lte - fixed Huawei ME909s-120 support;
*) lte - fixed missing 5G info for "/interface lte print" command;
*) lte - fixed missing IPv6 prefix advertisement on renamed LTE interfaces;
*) lte - fixed prolonged reboots on Chateau 5G ax;
*) lte - fixed SIM slot initialization with multi-APN setups;
*) lte - lte monitor, show CQI when modem reports it as 0 - undetectable, no RX/down-link resource block assigned to modem by provider;
*) lte - R11eL-EC200A-EU fixed online firmware upgrade and added support for firmware update from local file;
*) lte - R11eL-EC200A-EU improved failed connection handling and recovery;
*) lte - removed nonexistent CQI reading for EC200A-EU modem;
*) net - added initial support for automatic multicast tunneling (AMT) interface;
*) netinstall - try to re-create socket if link status changes;
*) netinstall-cli - fixed DHCP magic cookie;
*) ospf - fixed DN bit not being set;
*) ospfv3 - fixed ignored metric for intra-area routes;
*) ovpn-client - added 1000 character limit for password;
*) pimsm - fixed incorrect neighbor entry when using lo interface;
*) poe-out - added "power-pair" info to poe-out monitor (CLI only);
*) poe-out - added console hints;
*) poe-out - added new modes "forced-on-a" and "forced-on-bt", where old "forced-on" mean "forced-on-bt" (CLI only);
*) poe-out - upgraded firmware for 802.3at/bt PSE controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) ppp - add support for configuration of upload/download queue types in profile;
*) ppp - added support for random UDP source ports;
*) ppp - fixed setting loss when adding new ppp-client interface for BG77 modem from CLI;
*) ppp - properly cleanup failed inactive sessions on pppoe-server;
*) ptp - do not send packets on STP blocked ports;
*) qos-hw - fixed global buffer limits for 98CX8410 switch;
*) queue - improved system stability;
*) queue - prevent CAKE bandwidth config from potentially causing lost connectivity to a device;
*) rip - fixed visibility of added key-chains in interface-template;
*) rose-storage - add btrfs filesystem add-device/remove-device/replace-device/replace-cancel commands to add/remove/replace disks to/from a live filesystem;
*) rose-storage - add btrfs filesystem balance-start/cancel commands;
*) rose-storage - add btrfs filesystem scrub-start, scrub-cancel commands (CLI only);
*) rose-storage - add btrfs transfers, supports send/receive into/from file for transferring subvolumes across btrfs filesystems;
*) rose-storage - add support to add/remove btrfs subvolumes/snapshots;
*) rose-storage - added support for advanced btrfs features: multi-disk support, subvolumes, snapshots, subvolume send/receive, data/metadata profiles, compression, etc;
*) rose-storage - allow to separately mount any btrfs subvolumes;
*) rose-storage - update rsync to 3.4.1;
*) rose-storage,ssh - support btrfs send/receive over ssh;
*) route - added /ip/route/check tool;
*) route - added subnet length validation on route add;
*) route - do not use disabled addresses when selecting routing id;
*) route - fixed busy loops (route lockups);
*) route - fixed incorrect H flag usage;
*) route - improved stability when polling static routes via SNMP;
*) route - properly resolve imported BGP VPN routes;
*) routing-filter - improved stability when using large address lists (>5000);
*) routing-filter - improved usage of quotes in filter rules;
*) sfp - fixed missing "1G-baseX" supported rate for NetMetal ac2 and hEX S devices;
*) sfp - improved linking with certain QSFP modules on CRS354 devices;
*) sfp - improved system stability with some GPON modules for CCR2004 and CCR2116 devices;
*) sfp,qsfp - improved initialization and linking;
*) smb - improved system stability;
*) snmp - added disk serial number through description field;
*) snmp - sort disk list and assign correct disk types;
*) supout - added per CPU load information;
*) switch - improved system stability for CRS304 switch;
*) switch - improvements to certain switch operations (port disable, shaper and switch initialization);
*) system - added option to list and install available packages (after using "check-for-updates");
*) system - do not allow to install multiple wireless driver packages at the same time;
*) system - do not cause unnecessary sector writes on check-for-updates;
*) system - enable "ipv6" package on RouterOS v6 downgrade if IPv6 is enabled;
*) system - force time to be at least at package build time minus 1d;
*) system - improved HTTPS speed;
*) system - improved stability on busy systems;
*) system,arm - automatically increase boot part size on upgrade or netinstall (fixed upgrade failed due to a lack of space on kernel disk/partition);
*) tile - improved system stability;
*) traceroute - added "too many hops" error when max-hops are reached;
*) traceroute - limit max-hops maximum value to 255;
*) user - improved authentication procedure when RADIUS is not used;
*) vxlan - added disable option for VTEPs;
*) vxlan - added option to dynamically bridge interface and port settings (hw, pvid);
*) vxlan - added TTL property;
*) vxlan - changed default port to 4789;
*) webfig - added confirmation when quitting in Safe Mode;
*) webfig - do not reload form when failed to create new object;
*) webfig - fixed "TCP Flags" property when inverted flags are set in console;
*) webfig - fixed datetime setting under certain menus;
*) webfig - fixed displaying passwords;
*) webfig - fixed Switch/Ports menu not showing correctly;
*) webfig - hide certificate information in IP Services menu when not applicable;
*) webfig - remember expand/fold state;
*) wifi - added max-clients parameter;
*) wifi - avoid excessive re-transmission of SA Query action frames;
*) wifi - fix issue which made it possible for multiple concurrent WPA3 authentications to interfere with each other;
*) wifi - implement steering parameters to delay probe responses to clients in the 2.4GHz band;
*) wifi - log a warning when a client requests power save mode during association as this may prevent successful connection establishment;
*) wifi - re-word the "can't find PMKSA" log message to "no cached PMK";
*) wifi - try to authenticate client as non-FT client if it provides incomplete set of FT parameters;
*) wifi-qcom - fix reporting of radio minimum antenna gain for hAP ax^2;
*) winbox - added "Copy to Provisioning" button under "WiFi/Radios" menu;
*) winbox - added "Last Logged In/Out" and "Times Matched" properties under "WiFi/Access List" menu;
*) winbox - added L3HW Advanced and Monitor;
*) winbox - added TCP settings under "Tools/Traffic Generator/Packet Templates" menu;
*) winbox - do not show 0 Tx/Rx rate under "WiFi/Registration" menu when values are not known;
*) x86 - fixed "unsupported speed" warning;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. The file must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

wispmikrotik · Tue Jan 21, 2025 4:47 pm

Ouhhhhh thanks!

shavenne · Tue Jan 21, 2025 4:49 pm

*) ipv6 - added FastTrack support;

Finally! <3

blacksnow · Tue Jan 21, 2025 4:57 pm

Amazing job, this really is impressive and the reason why I only use Mikrotik wherever possible. Keep up the solid work!

jlgonzalez · Tue Jan 21, 2025 5:16 pm

*) console - allow to toggle script error logging with "/console settings log-script-errors";
*) console - implement scriptable safe-mode commands and safe-mode handler;
*) console - log errors within scripts to the system log;
*) console - make non-pseudo terminals work with imports;

What's this about? Could somebody provide some info?

Tue Jan 21, 2025 5:16 pm

*) l3hw - added initial HW offloading for VXLAN on compatible switches;

very interesting !!!

aglabs · Tue Jan 21, 2025 5:19 pm

*) l3hw - added initial HW offloading for VXLAN on compatible switches;

very interesting !!!

I cannot wait for free time in the day to play with this! I was hoping to see radsec get fixed but this is a nice, distracting, consolation prize.

baragoon · Tue Jan 21, 2025 5:19 pm

OH WOW!

bajodel · Tue Jan 21, 2025 5:24 pm

*) ip - added support for /31 address;
*) route - added /ip/route/check tool;

finally! ..thank you!

ToTheFull · Tue Jan 21, 2025 5:34 pm

Some nice fixes, I like the look of this one *) wifi - try to authenticate client as non-FT client if it provides incomplete set of FT parameters;

fischerdouglas · Tue Jan 21, 2025 5:51 pm

*) l2tp - added IPv6 FastPath support;
*) l3hw - added initial HW offloading for VXLAN on compatible switches;
*) l3hw - fixed partial route offloading for 98DX224S, 98DX226S, 98DX3236 switches;
*) qos-hw - fixed global buffer limits for 98CX8410 switch;
*) winbox - added L3HW Advanced and Monitor;

Hey, I'm inclined to get happy!
They decided to return to do some efforts in hardware offload things.

Still soon to say something, but it sounds good.

loloski · Tue Jan 21, 2025 5:58 pm

This will surely be an exciting release, lot's of changes across the board most notable changes mlag fixes, ipv6 fasttrack and /31 support

Paternot · Tue Jan 21, 2025 5:59 pm

*) ipv6 - added ability to disable dynamic IPv6 LL address generation on non-VPN interfaces;
*) ipv6 - added FastTrack support;
*) ipv6 - added routing FastPath support;
*) ipv6 - added support for neighbor removal and static entries;

IPv6 getting some love! :D

wispmikrotik · Tue Jan 21, 2025 6:03 pm

Hi,

hex constantly rebooting itself. Only has IPsec tunnel configured for lab.

  MikroTik RouterOS 7.18beta2 (c) 1999-2025       https://www.mikrotik.com/


Press F1 for help

(7 messages not shown)
2025-01-21 16:29:20 system,error,critical router was rebooted without proper shutdown by watchdog timer
2025-01-21 16:31:00 system,clock,critical,info ntp change time Jan/21/2025 16:30:02 => Jan/21/2025 16:31:00
2025-01-21 16:31:02 system,error,critical router was rebooted without proper shutdown by watchdog timer
2025-01-21 16:44:33 system,clock,critical,info ntp change time Jan/21/2025 16:31:38 => Jan/21/2025 16:44:33
2025-01-21 16:44:35 system,error,critical router was rebooted without proper shutdown by watchdog timer
2025-01-21 16:46:23 system,error,critical router was rebooted without proper shutdown by watchdog timer
2025-01-21 16:48:03 system,clock,critical,info ntp change time Jan/21/2025 16:47:00 => Jan/21/2025 16:48:03
2025-01-21 16:48:04 system,error,critical router was rebooted without proper shutdown by watchdog timer

Config:

/interface bridge
add frame-types=admit-only-vlan-tagged name=BDI100 protocol-mode=none pvid=99 vlan-filtering=yes
/interface vlan
add interface=BDI100 name=vlan2 vlan-id=2
add interface=ether1 name=vlan30 vlan-id=30
/interface list
add name=WAN
add name=LAN
add name=DMZ
/ip ipsec policy group
add name=group_pelvet
add name=group_core
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=ecp384 enc-algorithm=aes-128 lifetime=2h name=pf_pha1_pelvet
add dh-group=ecp256 enc-algorithm=aes-128 hash-algorithm=sha384 name=pf_pha1_core prf-algorithm=sha384
/ip ipsec peer
add address=<> exchange-mode=ike2 name="peer=>Radiusa_pelvet" profile=pf_pha1_pelvet
add address=<> exchange-mode=ike2 name="peer=>PBXa_pelvet" profile=pf_pha1_pelvet
add address=<> exchange-mode=ike2 name="peer=>PBXb-Radiusb_pelvet" profile=pf_pha1_pelvet
add address=<> exchange-mode=ike2 name="peer=>core01" port=4501 profile=pf_pha1_core
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc name=pp_pha2_pelvet pfs-group=ecp384
add enc-algorithms=aes-128-cbc lifetime=4h name=pp_pha2_core pfs-group=ecp384
/ip pool
add name=pool_vlan2 ranges=10.2.2.10-10.2.2.30
/routing ospf instance
add disabled=yes in-filter-chain=ospf100_in name=ospf100 out-filter-chain=ospf100_out redistribute=connected
/routing ospf area
add disabled=yes instance=ospf100 name=area0
/interface bridge port
add bridge=BDI100 interface=ether2 pvid=2
add bridge=BDI100 interface=ether3 pvid=2
add bridge=BDI100 interface=ether4 pvid=2
add bridge=BDI100 interface=ether5 pvid=2
/ip firewall connection tracking
set enabled=yes tcp-established-timeout=2h udp-stream-timeout=2m
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/interface bridge vlan
add bridge=BDI100 tagged=all untagged=ether2,ether3,ether4,ether5 vlan-ids=2
/interface list member
add interface=lte1 list=WAN
add interface=vlan30 list=WAN
/interface ovpn-server server
add mac-address=FE:35:CD:54:08:7F name=ovpn-server1
/ip address
add address=100.64.2.1 interface=lo network=100.64.2.1
add address=10.2.2.1/27 interface=vlan2 network=10.2.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m update-time=no
/ip dhcp-client
add add-default-route=no interface=vlan30 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server
add add-arp=yes address-pool=pool_vlan2 interface=vlan2 lease-time=2h name=dhcp_vlan2
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=10.2.2.0/27 dns-server=10.2.2.1 gateway=10.2.2.1
/ip dns
set allow-remote-requests=yes servers=195.76.102.1
/ip firewall address-list
add address=10.0.2.0/27 list=ACL150
add address=10.0.3.0/28 list=ACL150
add address=10.0.4.0/27 list=ACL150
add address=10.0.5.0/24 list=ACL150
add address=195.76.102.0/24 list=ACL150
add address=cloud2.mikrotik.com list=ACL180
add address=upgrade.mikrotik.com list=ACL180
add address=cloud.mikrotik.com list=ACL180
add address=pool.ntp.org list=ACL180
add address=3.pool.ntp.org list=ACL180
/ip firewall filter
add action=accept chain=input comment=INPUT src-address-list=ACL150
add action=accept chain=input in-interface-list=WAN packet-size=0-256 protocol=icmp
add action=drop chain=input dst-port=7000,7001,22900 in-interface-list=WAN protocol=tcp src-address-list=ACL180
add action=accept chain=input in-interface-list=WAN src-address-list=ACL180
add action=drop chain=input in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=MGMT-LTE_modem dst-address=192.168.8.1 out-interface-list=WAN \
    src-address=0.0.0.0/0 to-addresses=192.168.8.100
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec identity
add generate-policy=port-strict peer="peer=>PBXa_pelvet" policy-template-group=group_pelvet secret=\
    <laquesea>
add generate-policy=port-strict peer="peer=>PBXb-Radiusb_pelvet" policy-template-group=group_pelvet secret=\
    <laquesea>
add generate-policy=port-strict peer="peer=>Radiusa_pelvet" policy-template-group=group_pelvet secret=\
    <laquesea>
add auth-method=digital-signature certificate=IKEv2_MGMT_cl.crt generate-policy=port-strict peer="peer=>core01" \
    policy-template-group=group_core
/ip ipsec policy
set 0 disabled=yes
add comment=Policy_pelvet dst-address=10.142.0.7/32 level=unique peer="peer=>PBXa_pelvet" proposal=\
    pp_pha2_pelvet src-address=100.64.2.1/32 tunnel=yes
add dst-address=10.128.0.11/32 level=unique peer="peer=>Radiusa_pelvet" proposal=pp_pha2_pelvet src-address=\
    100.64.2.1/32 tunnel=yes
add dst-address=10.128.0.15/32 level=unique peer="peer=>PBXb-Radiusb_pelvet" proposal=pp_pha2_pelvet \
    src-address=100.64.2.1/32 tunnel=yes
add dst-address=10.142.0.7/32 level=unique peer="peer=>PBXa_pelvet" proposal=pp_pha2_pelvet src-address=\
    10.2.2.0/27 tunnel=yes
add dst-address=10.128.0.11/32 level=unique peer="peer=>Radiusa_pelvet" proposal=pp_pha2_pelvet src-address=\
    10.2.2.0/27 tunnel=yes
add dst-address=10.128.0.15/32 level=unique peer="peer=>PBXb-Radiusb_pelvet" proposal=pp_pha2_pelvet \
    src-address=10.2.2.0/27 tunnel=yes
add comment=Policy_Core01 dst-address=100.64.0.1/32 level=unique peer="peer=>core01" proposal=pp_pha2_core \
    src-address=100.64.2.1/32 tunnel=yes
add dst-address=10.0.3.0/28 level=unique peer="peer=>core01" proposal=pp_pha2_core src-address=10.2.2.0/27 \
    tunnel=yes
/ip route
add disabled=no distance=5 dst-address=10.0.2.0/27 gateway=195.76.102.1%vlan30 routing-table=main scope=20 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22910
set api disabled=yes
set winbox port=8000
set api-ssl disabled=yes
/routing filter rule
add chain=ospf100_out disabled=no rule="if (dst in 0.0.0.0/0 && dst-len>0) {reject}"
add chain=ospf100_in disabled=no rule="if (dst in 10.0.2.0/27) {accept}\
    \nif (dst in 10.0.3.0/28) {reject}\
    \nif (dst in 10.0.4.0/27) {accept}\
    \nif (dst in 10.0.5.0/24) {accept}\
    \nif (dst in 10.0.6.0/24) {accept}\
    \nif (dst in 100.64.0.2/32) {accept}\
    \nif (dst in 192.168.1.0/24) {accept}"
/routing ospf interface-template
add area=area0 disabled=yes interfaces=vlan30 networks=195.76.102.0/24
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Madrid
/system identity
set name=hex01.lb
/system logging
add disabled=yes topics=ipsec,debug,!packet
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
add address=3.pool.ntp.org
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

CTassisF · Tue Jan 21, 2025 6:16 pm

/file/print now shows the contents of container store 🤯

Not sure this is a good idea. It gets too cluttered too easily.

Jotne · Tue Jan 21, 2025 6:23 pm

*) log - added CEF format support for remote logging:
*) log - added option to select TCP or UDP for remote logging;

After 10+ years of waiting, we may have hopefully a working modern logging for Mikrotik.
Will test it out as soon as I get home :)

PS I did make several post before this, so history of request is much older :)
viewtopic.php?t=124291

It may be to much to also support syslog using TLS (so we get encrypted logs)

rextended · Tue Jan 21, 2025 6:25 pm

NICE WORK.

I'm undecided on what to report the most beautiful, besides the FastTrak, I should copy half the list...

Znevna · Tue Jan 21, 2025 6:38 pm

[...]
*) ipv6 - added FastTrack support;
[...]

Can't believe it's been only 9 years and 8 months since we are waiting for this, seems like yesterday.

Thank you, MikroTik!

Florian · Tue Jan 21, 2025 6:56 pm

Yeah for ipv6 fasttrack \o/

infabo · Tue Jan 21, 2025 7:01 pm

This release adds a lot of improvements. Mikrotik, very strong!

jbl42 · Tue Jan 21, 2025 7:03 pm

It's 2025 and Mikrotik finally shows some love for IPv6. And starts working on l3hw and mlag again. Both of if which hopelessly broken since many releases.
And still wondering who is after all this rose file sharing stuff on a router.

But better late than never, so i'll stop complaining and look forward to take our CCR2116 from the shelf were they gather dust, waiting for a ROS release with working l3hw and IPv6 support. And we're also eager to play with the new HW VXLAN support.

BrateloSlava · Tue Jan 21, 2025 7:17 pm

I would like to understand how to properly activate Fasstrack for IPv6.

/ipv6 settings set allow-fast-path=yes

/ipv6 firewall filter add action=fasttrack-connection chain=forward comment="Enable FastTracked v6 traffic" connection-state=established,related
/ipv6 firewall filter add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked

Is that option enough? I'm confused by the identical counter values for both rules.

Screenshot_v6.png

kalamaja · Tue Jan 21, 2025 7:27 pm

While you are working on IPv6 stack, please
a) add/fix discovery by IPv6 addresses. Currently iOS apps are not useful in IPv6-only envs, because logging in using MAC and IPv4 are not usable
b) NAT64 functionality (for creating IPv6-only envs) runs really well with tayga in a container, but seeing it as built-in functionality would be even nicer.

teslasystems · Tue Jan 21, 2025 7:29 pm

*) console - fixed issue where ping command displays two lines at the same time;

Wow, it was since first v7 release and finally fixed. I'm shocked. But thanks.

biomesh · Tue Jan 21, 2025 7:40 pm

I would like to understand how to properly activate Fasstrack for IPv6.

I have a similar config and see basically the same thing. The counter for fastpath are working, but the actual fast path/ offloading is not working as my CPU is still affected like previous versions. (this is even with the second rule disabled)

infabo · Tue Jan 21, 2025 7:42 pm

Maybe analogously to ipv4 fasttrack?

teslasystems · Tue Jan 21, 2025 7:43 pm

...
*) console - log errors within scripts to the system log;
...
What's this about? Could somebody provide some info?

The log will show exact line in a script which has failed. Very nice feature, helps a lot while debugging scripts.

Tue Jan 21, 2025 7:53 pm

Upgraded RB460GX4 from 7.17 basic package and the result is full set of disabled additional packages.
For RB433 only installed packages are still installed after upgrade and no additional list.

EDIT: for RB450Gx4 I see that it's only a list of available packages. Not installed according to "Installed" column.

slarner · Tue Jan 21, 2025 7:53 pm

*) l3hw - added initial HW offloading for VXLAN on compatible switches;

very interesting !!!

Have we got a list of which Switches are supported? or is this just the software part been done so far?

BrateloSlava · Tue Jan 21, 2025 7:58 pm

Upgraded RB460GX4 from 7.17 basic package and the result is full set of disabled additional packages.
For RB433 only installed packages are still installed after upgrade and no additional list.

EDIT: for RB450Gx4 I see that it's only a list of available packages. Not installed according to "Installed" column.

Everything will be back to normal after upgrading RB firmware to 7.18beta.

BrateloSlava · Tue Jan 21, 2025 7:59 pm

Maybe analogously to ipv4 fasttrack?

I made all the settings for IPv6 in the same way as IPv4. I have shown the result above.

Amm0 · Tue Jan 21, 2025 8:00 pm

NICE WORK.
I'm undecided on what to report the most beautiful, besides the FastTrak, I should copy half the list...

Indeed.

Upgraded a RB1100AHx4, KNOT, and CHR(s). The RB1100 has some auto-start containers with ROSE RAID/bfrs & all just came up – which includes MQTT and LoRa server, and 7.18beta2 KNOT's LoRa test devices all worked too. My scheme tools suggest +34 commands and +196 attributes from 7.17stable to 7.18beta2, which also means CHR 7.18beta2 works.

Still reading this list. But lot to like in this one!

clambert · Tue Jan 21, 2025 8:02 pm

*) l3hw - added initial HW offloading for VXLAN on compatible switches;

As I had assumed, VXLAN beat MPLS in the race to hardware offload :(

eworm · Tue Jan 21, 2025 8:09 pm

This has some severe issues with file handling... I have scripts failing that can not remove an existing file.

Still investigating, can not tell exactly what conditions have to be met. 🤨

rextended · Tue Jan 21, 2025 8:19 pm

Not installed for test, but this help comparing commands differencies on terminal:
viewtopic.php?p=1047229#p1047229

pe1chl · Tue Jan 21, 2025 8:25 pm

*) system - added option to list and install available packages (after using "check-for-updates");

Oh that is great! Have been asking for that / suggesting it for ages...
Now get on with it and split off some niche functions/applications into separate packages again!

m4rk3J · Tue Jan 21, 2025 8:35 pm

*) ipv6 - added FastTrack support;

love you guys <3

Amm0 · Tue Jan 21, 2025 8:40 pm

This one could use a bit more explanation...

*) cloud - added file-share feature;

Now it did work to create a /ip/cloud/file-share ... but the URL with "routingthecloud.net" does not seem to work in browser (it gets a 404). Is this for BTH use only? i.e. I noticed the /ip/cloud/back-to-home-users seem to have some [unmentioned here] file options. Anyway, I couldn't figure it out.

Also on this one...

*) fetch - added "http-max-redirect-count" parameter, allows to follow redirects;

While it works! The logging around it could be improved, since there is no log that a redirect happened (other than see another request & previous 301 error logged)

*) lte - added initial eSIM management support (CLI only);

On this above, what modems/devices support these eSIM commands?

Since I complained about this ones – so thanks – but I can explain these items:

*) console - added dsv.remap to :serialize command to unpack array of maps from print as-value;
*) console - added file-name parameter to :serialize;
*) console - allow tab as dsv delimiter;

FWIW, this allow RouterOS "print" to be output as CSV (or tab-separated) file (or console). Here is an example of esoteric sounding "dsv.remap", which is likely more useful than it sounds:

# output /ip/firewall/connection using :serialize...
# using tab to console
:put [:serialize to=dsv delimiter="\t" options=dsv.remap  [/ip/firewall/connection/print as-value]]          
# CSV to file
:serialize to=dsv delimiter="," options=dsv.remap [/ip/firewall/connection/print as-value] file-name=connections.csv

Florian · Tue Jan 21, 2025 8:59 pm

Maybe analogously to ipv4 fasttrack?

Yes, working good on my CCR1036.

pe1chl · Tue Jan 21, 2025 9:14 pm

On this above, what modems/devices support these eSIM commands?

Most likely some device that still is in development...
We can still hope there will be more 5G client devices :-)

blbeczech82 · Tue Jan 21, 2025 10:23 pm

Since 7.16 is added driver for RTL8156 but on x86 only. Would it be possible to add driver for arm64 too? Don't rush, 7.18beta3 is OK for me ;-)
Thanks...

Sit75 · Tue Jan 21, 2025 10:45 pm

There is necessary to restart the device. At least in my case - hAP ac^2. IPv6 traffic is really fasttracked - CPU load went down under load. You can check it in IPv6 Firewall Mangle section - if dummy rules are with real figures IPv6 fasttrack is working, if there are the zeroes - it doesn't work.

I would like to understand how to properly activate Fasstrack for IPv6.
Code: Select all
/ipv6 settings set allow-fast-path=yes
Code: Select all
/ipv6 firewall filter add action=fasttrack-connection chain=forward comment="Enable FastTracked v6 traffic" connection-state=established,related
/ipv6 firewall filter add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
Is that option enough? I'm confused by the identical counter values for both rules.
Screenshot_v6.png

RaresC95 · Tue Jan 21, 2025 10:46 pm

After manually adding IPv6 Fasttrack and enabiling IPv6 Fast Path in IPv6 settings, I can confirm that the new IPv6 FastTrack is working corectly:

Tue Jan 21, 2025 10:46 pm

Upgraded RB460GX4 from 7.17 basic package and the result is full set of disabled additional packages.
For RB433 only installed packages are still installed after upgrade and no additional list.

EDIT: for RB450Gx4 I see that it's only a list of available packages. Not installed according to "Installed" column.
Everything will be back to normal after upgrading RB firmware to 7.18beta.

Not possible on CHR.
Simple reboot does the trick as well (just verified on wAP AC).

biomesh · Tue Jan 21, 2025 11:10 pm

I saw better throughput/CPU usage with a different set of hosts on the IPv6 fasttrack. On a CCR2004-16G-IN I see 10gbit IPv6 speeds with ~50-60% cpu utlization.

What is odd is that an iperf in one direction has only ~40% cpu on the CCR but the other direction the "kernel" process spikes and adds an additional ~20% cpu to the load. Both iperf outputs give ~9 Gbits/s. This is just between 2 vlans with no additional firewall rules restricting access between vlans.

eworm · Tue Jan 21, 2025 11:14 pm

This has some severe issues with file handling... I have scripts failing that can not remove an existing file.

Still investigating, can not tell exactly what conditions have to be met. 🤨

Let's try...

[eworm@mt] > /file/add name=test
[eworm@mt] > /file/remove test
[eworm@mt] > /file/add name=path/test
[eworm@mt] > /file/remove path/test
no such item
[eworm@mt] > /file/print
 # NAME           TYPE         SIZE LAST-MODIFIED       
 0 path           directory         2025-01-21 22:10:39 
 1 tmpfs          disk              2025-01-21 22:09:37 
 2 pub            directory         2022-03-04 07:46:16 
 3 skins          directory         2022-03-04 07:46:16 
 4 path/test      file            0 2025-01-21 22:10:39 
[eworm@mt] > /file/remove path/test
[eworm@mt] >

What the heck... Please fix this...

infabo · Tue Jan 21, 2025 11:26 pm

How this works? Has someone tried already?

*)  cloud - added file-share feature;

CGGXANNX · Wed Jan 22, 2025 12:03 am

IPv6 Fasttrack works great. Tested with my old RB750Gr3, on speedtest.net with IPv6 server the hEX can now push 919 Mbps (equivalent to 932 Mbps with IPv4 due to 20-byte overhead), and that with a PPPoE WAN connection. Under 7.17 it could only achieve 266 Mbps with the same test server 😊.

Kaldek · Wed Jan 22, 2025 2:38 am

Tested with my old RB750Gr3, on speedtest.net with IPv6 server the hEX can now push 919 Mbps

Awesome news. I wonder how the good old RB5009 will improve; it already does gigabit IPv6 without breaking a sweat!

Amm0 · Wed Jan 22, 2025 3:15 am

How this works? Has someone tried already?
Code: Select all
*)  cloud - added file-share feature;

I enabled it, or at least I thought, but doesn't work. It says running, and looked based on BTH's relay service to share files over internet.

/ip/cloud/file-share/settings/print
                enabled: yes                                                                         
               dns-name: <sn>.routingthecloud.net                                            
                 status: running                                                                     
             relay-rtts: EUR1 (ip4: 166.163ms, ip6: timeout)                                         
                         USA1 (ip4: 70.25ms, ip6: timeout)                                           
      relay-ipv4-status: connected (region: USA1 ip: <public ipv4> rtt: 70.25ms reachable: directly )
      relay-ipv6-status: testing rtt                                                                 
          relay-regions: EUR1                                                                        
                         USA1                                                                        
       relay-addressess: <public ipv4>                                                                
                         <public ipv4>.                                                               
  relay-addressess-ipv6: 2a02::<...>                                                          
                         2602::<...>                                                            
            certificate: <sn>.routingthecloud.net

Additionally it does a dynamic firewall rule to allow 443 from anywhere, and generates some HTTPS URLs in /ip/cloud/file-server – which I presume are how you use it — but those didn't work and returned a 404 from the router with a file-share enable:

/ip/cloud/file-share/print detail 
Flags: X - disabled; I - invalid 
 0    path=/ allow-uploads=yes expires=never key="UaN<keys>hs1" 
      url="https://9b<sn>.routingthecloud.net/s/UaN<keys>hs1" 
      direct-url="https://9b<sn>.routingthecloud.net/s/Ua<keys>hs1?dl" downloads=0

With "9b<sn>.routingthecloud.net" address resolves to my router's WAN IP address.

And, did find another bug when trying /ip/cloud/export - it fails to export config for the new /ip/cloud/file-share. (Thus the "print" output above.)

patrick7 · Wed Jan 22, 2025 3:38 am

Upgraded one of 2 mlag members and experienced this:

 2025-01-22 00:32:45 bridge,info "bridge" peer link up
 2025-01-22 00:32:45 bridge,info "bridge" peer connected
 2025-01-22 00:32:45 bridge,info "bridge" peer becomes primary AA:BB:C0:CA:C0:1A
 2025-01-22 00:32:56 bridge,warning "bridge" peer disconnected
 2025-01-22 00:32:56 bridge,warning "bridge" peer link down
 2025-01-22 00:32:56 bridge,info "bridge" peer link up
 2025-01-22 00:32:56 bridge,info "bridge" peer connected
 2025-01-22 00:32:56 bridge,info "bridge" peer becomes primary AA:BB:C0:CA:C0:1A
 2025-01-22 00:33:06 bridge,warning "bridge" peer disconnected
 2025-01-22 00:33:06 bridge,warning "bridge" peer link down
 2025-01-22 00:33:06 bridge,info "bridge" peer link up
 2025-01-22 00:33:06 bridge,info "bridge" peer connected
 2025-01-22 00:33:06 bridge,info "bridge" peer becomes primary AA:BB:C0:CA:C0:1A
 2025-01-22 00:33:16 bridge,warning "bridge" peer disconnected
 2025-01-22 00:33:16 bridge,warning "bridge" peer link down
 2025-01-22 00:33:16 bridge,info "bridge" peer link up
 2025-01-22 00:33:16 bridge,info "bridge" peer connected
 2025-01-22 00:33:16 bridge,info "bridge" peer becomes primary AA:BB:C0:CA:C0:1A
 2025-01-22 00:33:26 bridge,warning "bridge" peer disconnected
 2025-01-22 00:33:26 bridge,warning "bridge" peer link down
 2025-01-22 00:33:26 bridge,info "bridge" peer link up
 2025-01-22 00:33:27 bridge,info "bridge" peer connected
 2025-01-22 00:33:27 bridge,info "bridge" peer becomes primary AA:BB:C0:CA:C0:1A
 2025-01-22 00:33:37 bridge,warning "bridge" peer disconnected
 2025-01-22 00:33:37 bridge,warning "bridge" peer link down
 2025-01-22 00:33:37 bridge,info "bridge" peer link up
 2025-01-22 00:33:37 bridge,info "bridge" peer connected
 2025-01-22 00:33:37 bridge,info "bridge" peer becomes primary AA:BB:C0:CA:C0:1A
 2025-01-22 00:33:47 bridge,warning "bridge" peer disconnected
 2025-01-22 00:33:47 bridge,warning "bridge" peer link down
 2025-01-22 00:33:47 bridge,info "bridge" peer link up
 2025-01-22 00:33:47 bridge,info "bridge" peer connected
 2025-01-22 00:33:47 bridge,info "bridge" peer becomes primary AA:BB:C0:CA:C0:1A
 2025-01-22 00:33:57 bridge,warning "bridge" peer disconnected
 2025-01-22 00:33:57 bridge,warning "bridge" peer link down
 (add this 10 times)

Remote systems warned about "mismatching peer aggregator ID". So the layer2 network was broken.

Probably upgrading the second switch would have fixed the issue, but how to upgrade, if it breaks the MLAG?

After downgrading, the issue was gone.

firmfe · Wed Jan 22, 2025 5:23 am

) x86 - fixed "unsupported speed" warning;

update 7.18 b2，also have unsupported speed
download/file.php?mode=view&id=71149
download/file.php?mode=view&id=71150
download/file.php?mode=view&id=71152
download/file.php?mode=view&id=71151

noradtux · Wed Jan 22, 2025 8:22 am

Oh, nice list of features :)
Upgraded my Chateau 5G AX, no issues so far (simple setup). Upgraded my CRS317, something was off, could not get data through. Disconnected that thing from power for some minutes and rebooted, it is running fine now (??). I tried CEF syslog via TCP to graylog, logs seem to parse correctly :)

wispmikrotik · Wed Jan 22, 2025 9:31 am

Hi,

hex constantly rebooting itself. Only has IPsec tunnel configured for lab.

Confirmed, in v7.18beta2 the IPsec tunnels are established but no "traffic" passes through them and the router restarts by watchdog without creating a supout automatically.

Reverting to v7.17 resolves the problem immediately.

BrateloSlava · Wed Jan 22, 2025 9:44 am

At least in my case - hAP ac^2. IPv6 traffic is really fasttracked - CPU load went down under load.

After manually adding IPv6 Fasttrack and enabiling IPv6 Fast Path in IPv6 settings, I can confirm that the new IPv6 FastTrack is working corectly:

I wrote above that the meters are not working correctly. That is why it is not clear through which chain the packets go.

Wed Jan 22, 2025 9:46 am

Well yes OF COURSE "file share" function will open up 443 HTTPS from anywhere, it creates a public website with https on your router, which anyone can visit. This function is to create public download links for files, like this: https://hcf087skgys.routingthecloud.net ... 3nJTFhJq3b

You can also enable uploads. Currently it works only for sharing Folders, there is a known bug that single file share does not work.

fischerdouglas · Wed Jan 22, 2025 9:48 am

7.18 "heavier" in weaker devices?

After trying (just for fun) 7.18beta2 in ARM and MIPSBE devices...

In an ARM (2 cpus) I saw no difference... What is good.
But on MIPSBE (my old RB951G-2HnD) I felt like it is making much more effort than with 7.16.2.

Yes, I know this is completely lay information.
It is not based on anything other than my perception of use.
Unfortunately, I do not have the graphs of these boxes to make any comparison, and even if I did, I would not be comparing identical conditions, which would invalidate any comparison.

But I decided to share this story... Maybe another colleague has the same feeling and can provide a more accurate comparison.

Before you ask me:

These boxes I tested are for my personal use, not from the ISPs I usually work with.
Their configuration is in vanilla mode for a home CPE.
The packages that are enabled on both are only RouterOS and Wireless. All other packages are installed but disabled.

My guess is that for these more modest devices, this large amount of extra functionality that is embedded in routeos.npk is weighing more than on the fatter devices.

And if that is the case, I reiterate my recurring suggestion to further fragment the resources of the base package into other packages.

Guscht · Wed Jan 22, 2025 10:08 am

What is:

*) route - added /ip/route/check tool;

fischerdouglas · Wed Jan 22, 2025 10:09 am

The syntax between routing and routes (and probably in other places also) is still incongruent, as mentioned int 7.17rc:

By the way, it is worth mentioning that the syntax between routing and routes is still incongruent:

[administrator@fischerdouglas] > /routing/bgp/connection/print where address-families=
ip     ipv6     l2vpn     l2vpn-cisco     vpnv4     vpnv6

[administrator@fischerdouglas] > /routing/route/print where afi=  
bad     ip4     ip6     l2vpn     l2vpn-cisco     l2vpn-link     link     mip4     mip6     vpn4     vpn6

"address-families=" vs "afi="
"vpnv4" vs "vpn4"
"vpnv6" vs "vpn6"

dksoft · Wed Jan 22, 2025 10:25 am

> *) net - added initial support for automatic multicast tunneling (AMT) interface;

Is this the solution to route mDNS over WireGuard without using an EOIP tunnel?
If so, is there any usage information?

Thanks
dksoft

infabo · Wed Jan 22, 2025 10:49 am

Well yes OF COURSE "file share" function will open up 443 HTTPS from anywhere, it creates a public website with https on your router, which anyone can visit. This function is to create public download links for files, like this: https://hcf087skgys.routingthecloud.net ... 3nJTFhJq3b

You can also enable uploads. Currently it works only for sharing Folders, there is a known bug that single file share does not work.

This file share feature is pretty neat. Hopefully it is hardened - from a security perspective - as much as possible. Would not be fun to have a remote code execution just because someone can use a custom crafted POST request or/and special crafted query params.

honzam · Wed Jan 22, 2025 11:31 am

CubePRO and CubeSA. Upgrade from 7.17 to 7.18beta2. Device will not boot, physical power disconnection required :-(

pe1chl · Wed Jan 22, 2025 11:53 am

Everything will be back to normal after upgrading RB firmware to 7.18beta.
Not possible on CHR.
Simple reboot does the trick as well (just verified on wAP AC).

There is no "issue", it is the new normal. It says it shows the available packages after a "check for updates", and apparently until a reboot.
Nothing wrong. Move along people! It is actually a GOOD addition as now you can install packages without jumping through the hoops of downloading a zip file, extracting it, uploading a package to the router. Just "enable" the package and reboot.

Wed Jan 22, 2025 11:59 am

yes, pe1chl is correct.
check for updates command will read the package list from the server. you can install packages directly from the server now. no need to download them and upload them by hand.

the list needs to be refreshed after reboot.

lilianmoraru · Wed Jan 22, 2025 12:03 pm

> *) lte - added initial eSIM management support (CLI only);

This sounds interesting. Sounds as if eSIM support is coming. This is the main reason I didn't end up buying more Mikrotik LTE devices - it's very expensive to pay for multiple subscriptions, for each device to have its own SIM.

CGGXANNX · Wed Jan 22, 2025 12:07 pm

I wrote above that the meters are not working correctly. That is why it is not clear through which chain the packets go.

Do the counters here show non-zero values?

ipv6-settings-ft.png

If not, you might need to turn off some feature on the bridge, according to MikroTik. Anything that might disable bridge fast-path viewtopic.php?t=212754&start=300#p1118497

But normally the counter values for the two rules in the filter table are identical. That's why there is a dummy rule at the top of the table that shows you the real fasttrack'ed packets/bytes counters.

infabo · Wed Jan 22, 2025 12:15 pm

yes, pe1chl is correct.
check for updates command will read the package list from the server. you can install packages directly from the server now. no need to download them and upload them by hand.

the list needs to be refreshed after reboot.

That's a great new feature! I would love to see such functionalities described/announced in detail in the changelog or linked to a dedicated Confluence (help.mikrotik.com/docs) release page. Otherwise, it feels a bit like an Easter egg hunt. Fun, perhaps, but we're not kids anymore. 😊

Wed Jan 22, 2025 12:17 pm

it's still beta2, and the feature is in the changelog actually

infabo · Wed Jan 22, 2025 12:23 pm

I understand it’s mentioned in the changelog, and yes, it’s still in beta. Similarly, the file share feature had its place in the changelog, but it wasn’t entirely clear what it was about until I saw a screenshot. Even stable channel releases often don’t provide much more detail than what’s written in the changelog.

I’m not suggesting creating something as elaborate as Apple’s release pages (e.g., https://www.apple.com/macos/macos-sequoia/). I’m simply offering suggestions on how features could be better communicated or marketed to users.

Wed Jan 22, 2025 12:30 pm

When the release is in Stable, we do often highlight interesting new features at the top of the changelog, but not while in beta

killersoft · Wed Jan 22, 2025 12:35 pm

Hi, what hardware( chips ) / CRSxxx / CCR2 will VXLAN hardware offload will be available on.
I note I get the HW tickbox on my CCR1036( probably should not see that )...

massinia · Wed Jan 22, 2025 1:12 pm

Well yes OF COURSE "file share" function will open up 443 HTTPS from anywhere, it creates a public website with https on your router, which anyone can visit.

For me this feature is really useful, thank you!
I can finally stop using the container File Browser.

PS. beautiful cats! 😍

lubomirs · Wed Jan 22, 2025 1:31 pm

... will open up 443 HTTPS from anywhere...

will it be safe? open port 443 on the router for everyone from where?

rextended · Wed Jan 22, 2025 1:40 pm

Why this do not work since 7.17??? (on all 7.16.2 and less, included v6, work)

/sys log action set [find] disk-file-name="/log"

(work without the /)

Those, and other points where can be set a path, with "/" work correctly:

/ip hotspot profile set [find default=yes] html-directory="/hotspot"
/interface wifi capsman set package-path="/package"
/interface lte settings set firmware-path="/firmware"
/tool sniffer set file-name="/pcap/sniffer.pcap"
/ip proxy set cache-path="/web-proxy"
/ip smb shares set [ find default=yes ] directory="/pub"

maigonis · Wed Jan 22, 2025 1:48 pm

*) lte - removed nonexistent CQI reading for EC200A-EU modem;

This also can be applied to 621, I dont see any CQI values.

Wed Jan 22, 2025 1:49 pm

... will open up 443 HTTPS from anywhere...
will it be safe? open port 443 on the router for everyone from where?

yes it is safe, as it only opens up the file share and has a valid HTTPS certificate. Webfig is not opened to the world, when you enable file share. It is a different service.
To be clear, if you already have yourself opened webfig to the world via https (not recommended though), fileshare will not be able to also run on TCP443, so it will only work through our relay service in this case.

pe1chl · Wed Jan 22, 2025 2:19 pm

It would be nice to have REST API as a separate service too, that you can enable without allowing webfig...

woland · Wed Jan 22, 2025 2:26 pm

I love the new filesharing function, I tried to get it work on my Hap ax lite LTE6 and invested an hour. I could not access it. Then I realized it will never work behind CGNAT, whatever I will try.... Except maybe over BTH VPN. Switching to a connection with no CGNAT and using the shown "File Direct URL" it works like a charm. Now I´d just need some small ARM box with an USB3 or SDCard, sthg like a HEX-S remake or even better a HAPax lite LTE with an SDCard slot or/and USB3.
Very nice release MT, thanks! IPv6 FastTrack and lots of WLAN stability improvements. A home user like me can´t miss much more.
Maybe Ipsec VTI in beta6. ? :)

rextended · Wed Jan 22, 2025 2:30 pm

Wed Jan 22, 2025 2:43 pm

I love the new filesharing function, I tried to get it work on my Hap ax lite LTE6 and invested an hour. I could not access it. Then I realized it will never work behind CGNAT, whatever I will try.... Except maybe over BTH VPN. Switching to a connection with no CGNAT and using the shown "File Direct URL" it works like a charm. Now I´d just need some small ARM box with an USB3 or SDCard, sthg like a HEX-S remake or even better a HAPax lite LTE with an SDCard slot or/and USB3.
Very nice release MT, thanks! IPv6 FastTrack and lots of WLAN stability improvements. A home user like me can´t miss much more.
Maybe Ipsec VTI in beta6. ?

it should work behind CGNAT. What error did you get when trying to access the URL? Can you switch back to CGNAT and post the URL?

NB! there is a known issue with sharing just one file. Share a folder instead.

woland · Wed Jan 22, 2025 3:01 pm

it should work behind CGNAT. What error did you get when trying to access the URL? Can you switch back to CGNAT and post the URL?

NB! there is a known issue with sharing just one file. Share a folder instead.

Can´t reproduce, sorry! It works now over the LTE & CGNAT. I probably messed up sthg myself.

I'm sharing a folder, but referencing the file directly works:
https://XXX.routingthecloud.net/s/YYY/testshare1.txt and also https://XXX.routingthecloud.net/s/YYY/testshare1.txt?dl

I´m missing a way to assign a new file share key.

There seems to be no way to export the config of the file share?

[admin@roamlte1] /ip/cloud/file-share> export
# 2025-01-22 13:56:28 by RouterOS 7.18beta2
# software id = AAA-BBBB
#
# model = L41G-2axD&FG621-EA
# serial number = CCCCCCCCCC
[admin@roamlte1] /ip/cloud/file-share>

For "settings":

[admin@roamlte1] /ip/cloud/file-share/settings> export
# 2025-01-22 13:59:35 by RouterOS 7.18beta2
# software id = AAA-BBBB
#
# model = L41G-2axD&FG621-EA
# serial number = CCCCCCCCC
[admin@roamlte1] /ip/cloud/file-share/settings>

That´s all no config shown.

WeWiNet · Wed Jan 22, 2025 3:07 pm

Hap ax3 with 18.rc2,

PPSK authentication has issues.
All clients have difficulties to connect. When some of them are able to connect there is no internet.
Some other clients just refuse to connect at all (ipad/macbooks).

Rolling back to 17, everything works again...

Valerio5000 · Wed Jan 22, 2025 3:38 pm

> *) net - added initial support for automatic multicast tunneling (AMT) interface;

Is this the solution to route mDNS over WireGuard without using an EOIP tunnel?
If so, is there any usage information?

Thanks
dksoft

wow! I'm curious about this feature too. Anyway, thanks to the Mikrotik team that gives me the impression that they listen to their users a little more!

mkx · Wed Jan 22, 2025 3:58 pm

> *) net - added initial support for automatic multicast tunneling (AMT) interface;

Is this the solution to route mDNS over WireGuard without using an EOIP tunnel?

AMT is a tunnel by itself ... not encrypted, only encapsulated into unicast UDP packets. My employer is using it to receive certain multicasts from source which is half a continent away without need for every transit network provider to reconfigure their routers. On linux machine AMT daemon creates tunnel which has to be attached to a TUN-type interface (the later can have IP address attached etc.). Multicast packets then drop out of that TUN interface. Probably setup on the other end (MC sender) is similar, with multicasts being routed through TUN interface.

Not sure how it's supposed to work on ROS ... And I doubt it would help with mDNS (but I might be very wrong here).

Since AMT itself doesn't offer any encryption, one could use wireguard (or any other encrypted tunneling solution) as outer "pipe". Then it boils down to proper routing settings to pass AMT unicast packets through encrypted tunnel.

rkrisi · Wed Jan 22, 2025 4:10 pm

yes, pe1chl is correct.
check for updates command will read the package list from the server. you can install packages directly from the server now. no need to download them and upload them by hand.

the list needs to be refreshed after reboot.

That is great, thank you! It would be great if we could select the version to upgrade to, instead of just updating to "latest".
On RouterOS v7 in prod environment, I'm usually one-two minor version behind than latest.

Wed Jan 22, 2025 4:41 pm

About HW VXLAN.

Supported devices are ones that support L3HW offloaded fasttrack/NAT: CRS309-1G-8S+, CRS317-1G-16S+, CRS312-4C+8XG, CRS326-24S+2Q+, CRS326-4C+20G+2Q+, CRS354-48G/P-4S+2Q+, CRS504-4XQ, CRS510-8XS-2XQ, CRS518-16XS-2XQ, CRS520-4XS-16XQ, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ.

The main goal for v7.18 is to introduce basic VXLAN data-plane support. This allows you to set up static one-to-one mappings between VLANs and VXLANs in vlan-filtering bridge.

A configuration example (using static routing, but could be done through ospf,bgp):
sfp-sfpplus1 - upstream (underlay) interface
sfp-sfpplus3 - bridged port for untagged VLAN 10
sfp-sfpplus4 - bridged port for untagged VLAN 20
vxlan-1010 - overlay port for untagged VLAN 10
vxlan-1020 - overlay port for untagged VLAN 20

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vxlan
add bridge=bridge1 bridge-pvid=10 local-address=192.168.1.1 name=vxlan-1010 vni=1010
add bridge=bridge1 bridge-pvid=20 local-address=192.168.1.1 name=vxlan-1020 vni=1020
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus3 pvid=10
add bridge=bridge1 interface=sfp-sfpplus4 pvid=20
/interface vxlan vteps
add interface=vxlan-1010 remote-ip=192.168.1.2
add interface=vxlan-1020 remote-ip=192.168.1.2
/ip address
add address=192.168.1.1 interface=lo network=192.168.1.1
add address=192.168.10.10/24 interface=sfp-sfpplus1 network=192.168.10.0
/ip route
add dst-address=192.168.1.2 gateway=192.168.10.20
/interface ethernet switch
set 0 l3-hw-offloading=yes

At this point, some known features are not yet implemented.

Underlay (routing encapsulated VXLAN packets):
1. VTEPs are not supported over ECMP
2. VTEPs are not supported over bond, VLAN interface
3. VTEPs cannot operate within VRFs
4. VTEPs are not supported with IPv6

Overlay (forwarding between Ethernet and VXLAN):
1. VLAN tagging over VXLAN is not supported
2. Routing between different VXLAN VNIs is not supported
3. VTEPs are isolated, and there is no mechanism to control "horizon" between them

These things will be mentioned in our help documentation page shortly.

Let us know what VXLAN-related features you need, this could help us prioritize development. Also, work on EVPN has started, but would like to hear from you about the most important capabilities and how you imagined they would look like in RouterOS.

BrateloSlava · Wed Jan 22, 2025 4:56 pm

But normally the counter values for the two rules in the filter table are identical. That's why there is a dummy rule at the top of the table that shows you the real fasttrack'ed packets/bytes counters.

Counter values for IPv4

Screenshot_IPv4_counter.png

Counter values for IPv6

Screenshot_IPv6_counter.png

Settings for IPv6

Screenshot_IPv6_settings.png

As you can see from the pictures - the values for IPv4 are different and the values for IPv6 are the same. So my question is - which of the rules in the picture handles IPv6 traffic?

merkkg · Wed Jan 22, 2025 5:02 pm

Let us know what features you need, this could help us prioritize development. Also, work on EVPN has started, but would like to hear from you about the most important capabilities and how you imagined they would look like in RouterOS.

Feature which will help me considerably are L3HW offloading full vrf support not only the main table

As well as Full MPLS Offloading or multicore processing

I'm using CCR2216 and i'm happy to do any testing thats needed and provide feedback.

CGGXANNX · Wed Jan 22, 2025 5:21 pm

Counter values for IPv4
Screenshot_IPv4_counter.png

Counter values for IPv6
Screenshot_IPv6_counter.png

Settings for IPv6
Screenshot_IPv6_settings.png

As you can see from the pictures - the values for IPv4 are different and the values for IPv6 are the same. So my question is - which of the rules in the picture handles IPv6 traffic?

If fasttrack is working well, then most of the traffic will NOT be handled by those two rules, but will be counted by the dummy rule at the top of the filter table. That rule should show significantly higher counter values.

dummy-fasttrack6.png

In your case, it looks like fasttrack is working well for IPv6, because the two rows down below only have 20MiB and 84K packets, while the dummy rule at the top should show 4.4GiB and 4 million packets.

Fasttrack BYPASSES the firewall, which means what hit the two rules at the middle of the tables are normally only the 2nd packet of a connection, plus some more packets periodically (to keep connection tracking alive). Most packets of a fasttrack'ed connection will not be seen by the firewall, and will not hit those two rules. If you see huge values there, then fasttrack is not working well, or not working at all. If you see more traffic with the 2nd rule than the fasttrack rule, then that means you have a non-zero number of no-track packets (packets that bypass connection tracking). The untracked packets will not be fasttrack'ed, because fasttrack needs connection tracking.

In this case it looks like your IPv4 firewall has seen a lot of untracked packets (over 6GiB), that traffic is not using fasttrack.

AlexandruL · Wed Jan 22, 2025 5:27 pm

Awesome early beta release!

I see some nice fixes on the wifi and wifi-qcom packages. Any chance to get remote cap reboot and the ability to customize Wi-Fi rates?

Thank you!

elipsion · Wed Jan 22, 2025 5:37 pm

Let us know what features you need, this could help us prioritize development. Also, work on EVPN has started, but would like to hear from you about the most important capabilities and how you imagined they would look like in RouterOS.

We're looking to implement this in our campus network, which makes use of 802.1x/RADIUS for VLAN assigment.

It'd be useful to have a VXLAN template, so that we could assign ranges for VNI/mcast group/RD/etc once, and have them only be realized when a VLAN is actually present on the bridge. When a VLAN is no longer present on the bridge; the control daemon can, after some grace period, prune the VXLAN config and leave the multicast groups.

I imagine it looking something like this:

# One range, computer does math
/interface/vxlan/template add bridge=bridge interface=uplink vlan-ids=10-19 base-vni=5000 base-group=239.0.1.10 ttl=10
# More explicit, prone to errors
/interface/vxlan/template add bridge=bridge interface=uplink vlan-ids=10-19 vnis=5000-5009 groups=239.0.1.10-239.0.1.19 ttl=10

The same pattern would apply when EVPN is implemented, otherwise the TCAM would fill up far too quickly.

Edit: And local loopback address as source interface, not having to specify a distinct uplink would be appreciated.

BrateloSlava · Wed Jan 22, 2025 5:38 pm

In this case it looks like your IPv4 firewall has seen a lot of untracked packets (over 6GiB), that traffic is not using fasttrack.

Yeah, that's right. For IPv4, I exclude from processing traffic that goes through VPN tunnels to other networks (in different offices).
Thank you, that makes sense.

Amm0 · Wed Jan 22, 2025 5:47 pm

Okay, I got the /ip/cloud/file-share feature almost working. However @normis's comments do not quite match my experience:

it only opens up the file share and has a valid HTTPS certificate. Webfig is not opened to the world, when you enable file share. It is a different service.

I had HTTPS enabled in /ip/services before the upgrade. It actually replaced an existing LE certificate on the HTTPS service with one generated by file-share with the routingthecloud.net domain. So it's not quite a "different service" if it's messing with /ip/services' HTTPS one... And it seems /ip/cloud/fire-share listens on everything EXCEPT what the standard HTTPS service listens on. I already had an "Allowed IPs" set on HTTPS, with the LAN, so once I removed the LAN subnet... I could see the /ip/cloud/file-share using the URLs.

To be clear, if you already have yourself opened webfig to the world via https (not recommended though), fileshare will not be able to also run on TCP443, so it will only work through our relay service in this case.

Since I kept getting 404 errors when using file-share URLs, I now get they were going the webfig/rest HTTPS. But it did NOT use the proxy as @normis describes when the HTTPS port conflicts. The <sn>.routingthecloud.net resolves to my WAN IP, and the /ip/cloud/file-share/setting/print shows it having a "direct" connection.

Anyway, the interaction between /ip/cloud/file-share and the default /ip/service HTTPS should be looked at...i.e.

there should be a separate entry from file-share shown under /ip/services — since that useful to audit the router's listen ports, and now this one can hide under /ip/cloud/....
ideally, you should be able to use BOTH file-share and webfig on LAN at same time — as noted above that did not work. Right now, it seem file-share listens on everything except what /ip/service HTTPS listens on, so it's file-share OR webfig in my observations.
if /ip/service HTTPS is enabled with a cert, it should not just replace any existing certificate, or at least prompt (and if really separate it shouldn't muck with /ip/service HTTPS at all....)
not sure if the "proxy" failback works if the router has a public IP, as I was getting 404 not a proxied connection @normis suggests
some hash of serial number <sn> be better in <sn>.routingtheworld.net, as the <sn> be same as /ip/cloud one uses — I already don't like <sn> in the /ip/cloud DDNS since in might allow scanning on known serial number/ranges, so might be able to prevent that here

It would be nice to have REST API as a separate service too, that you can enable without allowing webfig...

Agree. Or some fine-grain controls on the existing HTTPS one (i.e. allow-webfig=, allow-file-share=, allow-rest=, etc.)

It also be nice of the "automatic TLS certificate" that's used by /ip/cloud/file-share was made generic on the /certificate/enable-ssl-certificate one. That part of the new /ip/cloud/file-share was pretty nifty — it actually got a certificate without needing open port 80, etc. & I presume it will automatically renew — this has been a sourly lacking feature of the LE/ACME support & now it's hidden inside a boutique feature like file-share. IMO the certificate part of the /ip/cloud/file-share should be broken out into a GENERIC feature to get TLS cert, and then /ip/cloud/file-share using that feature to enable SSL cert it needs.

Wed Jan 22, 2025 5:50 pm

It's the first public beta, there might be (for sure there are) bugs. Thank for the report, will investigate all the issues described.

Valerio5000 · Wed Jan 22, 2025 5:54 pm

It's the first public beta, there might be (for sure there are) bugs. Thank for the report, will investigate all the issues described.

More info

> *) net - aggiunto supporto iniziale per l'interfaccia di tunneling multicast automatico (AMT);

:D

Kanzler · Wed Jan 22, 2025 6:08 pm

It would be nice to have the ability to set a password for file sharing.

syadnom · Wed Jan 22, 2025 6:31 pm

A configuration example (using static routing, but could be done through ospf,bgp):
sfp-sfpplus1 - upstream (underlay) interface
sfp-sfpplus3 - bridged port for untagged VLAN 10
sfp-sfpplus4 - bridged port for untagged VLAN 20
vxlan-1010 - overlay port for untagged VLAN 10
vxlan-1020 - overlay port for untagged VLAN 20

&

At this point, some known features are not yet implemented.

Underlay (routing encapsulated VXLAN packets):
1. VTEPs are not supported over ECMP
2. VTEPs are not supported over bond, VLAN interface
3. VTEPs cannot operate within VRFs
4. VTEPs are not supported with IPv6

Overlay (forwarding between Ethernet and VXLAN):
1. VLAN tagging over VXLAN is not supported
2. Routing between different VXLAN VNIs is not supported
3. VTEPs are isolated, and there is no mechanism to control "horizon" between them

These things will be mentioned in our help documentation page shortly.

For the config examples, all of these are for untagged VLANs, but can tagged VLANs be bridged to vxlans?

For the 'not yets', are you mentioning these things specifically because they are on the roadmap and just not implemented?
I ask, because without VTEP over IPv6, this is useless to me. Without being able to carry a VLAN on the VXLAN, it's useless to me. as in, there's no work around to let me even partially use it.

As far as what we would like to see.

VXLAN over IPv6 VTEPS with the ability to be bridged to VLANs on interfaces, and the ability to carry VLANs.

For EVPN, basically what model are you building? EVPN on MPLS or vxlan etc? I would prefer IPv6 and VXLAN. And hardware accelleration.

sirbryan · Wed Jan 22, 2025 7:30 pm

A configuration example (using static routing, but could be done through ospf,bgp):
sfp-sfpplus1 - upstream (underlay) interface
sfp-sfpplus3 - bridged port for untagged VLAN 10
sfp-sfpplus4 - bridged port for untagged VLAN 20
vxlan-1010 - overlay port for untagged VLAN 10
vxlan-1020 - overlay port for untagged VLAN 20
Code: Select all
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vxlan
add bridge=bridge1 bridge-pvid=10 local-address=192.168.1.1 name=vxlan-1010 vni=1010
add bridge=bridge1 bridge-pvid=20 local-address=192.168.1.1 name=vxlan-1020 vni=1020
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus3 pvid=10
add bridge=bridge1 interface=sfp-sfpplus4 pvid=20
/interface vxlan vteps
add interface=vxlan-1010 remote-ip=192.168.1.2
add interface=vxlan-1020 remote-ip=192.168.1.2
/ip address
add address=192.168.1.1 interface=lo network=192.168.1.1
add address=192.168.10.10/24 interface=sfp-sfpplus1 network=192.168.10.0
/ip route
add dst-address=192.168.1.2 gateway=192.168.10.20
/interface ethernet switch
set 0 l3-hw-offloading=yes

Yay. Testing it and it works well on two 309's with two RB5009's on either end. I'm able to saturate the link with 9+Gbps.

Your example is missing an MTU adjustment that is necessary for full 1500-byte-sized packets to traverse the VXLAN. While the routers could ping across the link, they couldn't do a bandwidth test until I bumped the L3 MTU on the SFP+ ports (set them to 9000) and the VXLAN MTU to a minimum of 1550.

Winbox 4 shows odd results in the bandwidth test. All ports on all devices show 8-9Gbps of traffic, but the test window shows 5, 6, 7 Gbps randomly.

Wed Jan 22, 2025 7:37 pm

>all of these are for untagged VLANs, but can tagged VLANs be bridged to vxlans?

Yes, VLAN can be tagged on the Ethernet side (in the example sfp-sfpplus3 or sfp-sfpplus4). But VXLAN cannot encapsulate VLANs, so it must be configured only for a one untagged VLAN.

>you mentioning these things specifically because they are on the roadmap and just not implemented?

Yes, these things are known limitations of the current implementation. They are on the roadmap, but wanted to understand what use cases are more common.

Thanks @sirbryan! MTU needs some work, will update the example later.

StupidProgrammer · Wed Jan 22, 2025 7:45 pm

Is wifi-qcom-ac dead as far as new features and bugfixes are concerned?

itimo01 · Wed Jan 22, 2025 7:48 pm

Is wifi-qcom-ac dead as far as new features and bugfixes are concerned?

changes for "wifi" (not "wifi-qcom") should also apply to wifi-qcom-ac

infabo · Wed Jan 22, 2025 7:52 pm

We occasionally notice bugfixes for wifi-qcom-ac in the changelog, which is highly appreciated. However, it would be quite interesting to know if dynamic VLAN assignment is planned for implementation - be it even in the distant future.

syadnom · Wed Jan 22, 2025 7:53 pm

>all of these are for untagged VLANs, but can tagged VLANs be bridged to vxlans?

Yes, VLAN can be tagged on the Ethernet side (in the example sfp-sfpplus3 or sfp-sfpplus4). But VXLAN cannot encapsulate VLANs, so it must be configured only for a one untagged VLAN.

not exactly what I was looking for. Can a VXLAN be bridged to sftpplus4.vlan25 for example.
vxlan1 bridge to sfpplus4.vlan25
vxlan2 bridge to sfpplus4.vlan26

>you mentioning these things specifically because they are on the roadmap and just not implemented?

Yes, these things are known limitations of the current implementation. They are on the roadmap, but wanted to understand what use cases are more common.

Thanks.
For me it's IPv6 VTEPs (IPv6+OSPFv3 underlay network)
and VLANs. For example, I might have radios on PVID1 on a port (sfp1) but be bridging the client port on the CPE to VLAN25, CPE untagged->VLAN25->sfp1.v25->bridged to vxlan25->core-router.

AlexandruL · Wed Jan 22, 2025 7:56 pm

We occasionally notice bugfixes for wifi-qcom-ac in the changelog, which is highly appreciated. However, it would be quite interesting to know if dynamic VLAN assignment is planned for implementation - be it even in the distant future.

Do you mean VLAN assignment via RADIUS or Access list?

syadnom · Wed Jan 22, 2025 8:22 pm

@EdPa viewtopic.php?t=214110
I didn't want to jam this thread up too much, but that's my current use case.

BigCol · Wed Jan 22, 2025 8:26 pm

My Chateau LTE has been having some stability issues and seeing the improvements in this Beta release, i thought I'd upgrade. this went fine, then i noticed there was a modem firmware upgrade available, i did this also. now i cant connect to 3/4G. I noticed just now that my routerboard fw is still at 7.17, with an Upgrade Firmware version of 7.18beta2. should i upgrade this also?

noradtux · Wed Jan 22, 2025 8:39 pm

I gave upgrading my ccr2116 a shot. What worked: IPv6 routing and firewall, isis routing, multiple wireguard tunnels and containers on legacy-ip. What did not work: Containers were not reachable through ipv6 anymore. Didn't have time to do deeper investigations, I reverted to my backup partition (v7.17).

ToTheFull · Wed Jan 22, 2025 8:43 pm

Some nice fixes, I like the look of this one *) wifi - try to authenticate client as non-FT client if it provides incomplete set of FT parameters;

I thought this might fix my device not being able to connect to a SSID with FT enabled. Sadly not for me. Oh well!

infabo · Wed Jan 22, 2025 8:45 pm

We occasionally notice bugfixes for wifi-qcom-ac in the changelog, which is highly appreciated. However, it would be quite interesting to know if dynamic VLAN assignment is planned for implementation - be it even in the distant future.
Do you mean VLAN assignment via RADIUS or Access list?

datapath in first place. but yes others as well.

infabo · Wed Jan 22, 2025 8:46 pm

My Chateau LTE has been having some stability issues and seeing the improvements in this Beta release, i thought I'd upgrade. this went fine, then i noticed there was a modem firmware upgrade available, i did this also. now i cant connect to 3/4G. I noticed just now that my routerboard fw is still at 7.17, with an Upgrade Firmware version of 7.18beta2. should i upgrade this also?

yes, upgrade routerboard firmware too. Regarding the modem: maybe you need to powercycle your chateau to give the modem a cold boot.

CTassisF · Wed Jan 22, 2025 8:50 pm

Since upgrading to v7.18beta2, I'm seeing write-sect-since-reboot increasing very fast (40k in 24h).

[cesar-ro@RB5009] > /system/resource/print 
                   uptime: 1d1h17m20s         
                  version: 7.18beta2 (testing)
               build-time: 2025-01-21 09:27:58
         factory-software: 7.0.5              
              free-memory: 451.9MiB           
             total-memory: 1024.0MiB          
                      cpu: ARM64              
                cpu-count: 4                  
            cpu-frequency: 350MHz             
                 cpu-load: 6%                 
           free-hdd-space: 980.7MiB           
          total-hdd-space: 1024.0MiB          
  write-sect-since-reboot: 42222              
         write-sect-total: 11915918           
               bad-blocks: 0%                 
        architecture-name: arm64              
               board-name: RB5009UG+S+        
                 platform: MikroTik

I'm not sure what is causing this. I can't run /file/print to check further because of the risk of crashing RouterOS due to the container stores I have.

fischerdouglas · Wed Jan 22, 2025 8:53 pm

Let us know what features you need, this could help us prioritize development. Also, work on EVPN has started, but would like to hear from you about the most important capabilities and how you imagined they would look like in RouterOS.
Feature which will help me considerably are L3HW offloading full vrf support not only the main table

As well as Full MPLS Offloading or multicore processing

I'm using CCR2216 and i'm happy to do any testing thats needed and provide feedback.

i++; on VRF Hardware Offload!

L3VPN (over MPLS or over EVPN Routes Type 5) also with Hardware Offload+Fastpath+Multicore would be great!

ToTheFull · Wed Jan 22, 2025 8:57 pm

Since upgrading to v7.18beta2, I'm seeing write-sect-since-reboot increasing very fast (40k in 24h).

[cesar-ro@RB5009] > /system/resource/print 
                   uptime: 1d1h17m20s         
                  version: 7.18beta2 (testing)
               build-time: 2025-01-21 09:27:58
         factory-software: 7.0.5              
              free-memory: 451.9MiB           
             total-memory: 1024.0MiB          
                      cpu: ARM64              
                cpu-count: 4                  
            cpu-frequency: 350MHz             
                 cpu-load: 6%                 
           free-hdd-space: 980.7MiB           
          total-hdd-space: 1024.0MiB          
  write-sect-since-reboot: 42222              
         write-sect-total: 11915918           
               bad-blocks: 0%                 
        architecture-name: arm64              
               board-name: RB5009UG+S+        
                 platform: MikroTik

I'm not sure what is causing this. I can't run /file/print to check further because of the risk of crashing RouterOS due to the container stores I have.

Why is your CPU frequency 350Mhz ?

rzirzi · Wed Jan 22, 2025 8:59 pm

RouterOS version 7.18beta has been released on the "v7 testing" channel!
*) console - allow to toggle script error logging with "/console settings log-script-errors";

GREAT! - thank you MikroTik team!

CTassisF · Wed Jan 22, 2025 9:01 pm

Why is your CPU frequency 350Mhz ?

cpu-frequency: auto in /system/routerboard/settings.

ToTheFull · Wed Jan 22, 2025 9:03 pm

Oh ok mine goes from 864 to 1800, just curious!

sirbryan · Wed Jan 22, 2025 9:11 pm

>all of these are for untagged VLANs, but can tagged VLANs be bridged to vxlans?

Yes, VLAN can be tagged on the Ethernet side (in the example sfp-sfpplus3 or sfp-sfpplus4). But VXLAN cannot encapsulate VLANs, so it must be configured only for a one untagged VLAN.

Ed, the following isn't working. Is it supposed to?

/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1-rb5009-3 pvid=100
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1-rb5009-3 untagged=vxlan-10 vlan-ids=10
/interface vxlan
add bridge=bridge bridge-pvid=10 local-address=10.10.10.1 mtu=1600 name=vxlan-10 vni=10
/interface vxlan vteps
add interface=vxlan-10 remote-ip=10.10.10.2

(Traffic on the rb5009's ports is tagged into VLAN 10 then sent to the CRS309's SFP+1 port.)

Also not working: Creating a VLAN10 interface, tagged to VLAN 10 on the bridge. The bridge can ping itself and the local router, but it can't ping across the VXLAN to the remote switch and router (I put an IP on VLAN10 all the way through just for testing).

clambert · Wed Jan 22, 2025 9:16 pm

Let us know what features you need, this could help us prioritize development. Also, work on EVPN has started, but would like to hear from you about the most important capabilities and how you imagined they would look like in RouterOS.
Feature which will help me considerably are L3HW offloading full vrf support not only the main table

As well as Full MPLS Offloading or multicore processing

I support this request.

spippan · Wed Jan 22, 2025 9:58 pm

About HW VXLAN.

Supported devices are ones that support L3HW offloaded fasttrack/NAT: CRS309-1G-8S+, CRS317-1G-16S+, CRS312-4C+8XG, CRS326-24S+2Q+, CRS326-4C+20G+2Q+, CRS354-48G/P-4S+2Q+, CRS504-4XQ, CRS510-8XS-2XQ, CRS518-16XS-2XQ, CRS520-4XS-16XQ, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ.

The main goal for v7.18 is to introduce basic VXLAN data-plane support. This allows you to set up static one-to-one mappings between VLANs and VXLANs in vlan-filtering bridge.

A configuration example (using static routing, but could be done through ospf,bgp):
sfp-sfpplus1 - upstream (underlay) interface
sfp-sfpplus3 - bridged port for untagged VLAN 10
sfp-sfpplus4 - bridged port for untagged VLAN 20
vxlan-1010 - overlay port for untagged VLAN 10
vxlan-1020 - overlay port for untagged VLAN 20
Code: Select all
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vxlan
add bridge=bridge1 bridge-pvid=10 local-address=192.168.1.1 name=vxlan-1010 vni=1010
add bridge=bridge1 bridge-pvid=20 local-address=192.168.1.1 name=vxlan-1020 vni=1020
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus3 pvid=10
add bridge=bridge1 interface=sfp-sfpplus4 pvid=20
/interface vxlan vteps
add interface=vxlan-1010 remote-ip=192.168.1.2
add interface=vxlan-1020 remote-ip=192.168.1.2
/ip address
add address=192.168.1.1 interface=lo network=192.168.1.1
add address=192.168.10.10/24 interface=sfp-sfpplus1 network=192.168.10.0
/ip route
add dst-address=192.168.1.2 gateway=192.168.10.20
/interface ethernet switch
set 0 l3-hw-offloading=yes
At this point, some known features are not yet implemented.

Underlay (routing encapsulated VXLAN packets):
1. VTEPs are not supported over ECMP
2. VTEPs are not supported over bond, VLAN interface
3. VTEPs cannot operate within VRFs
4. VTEPs are not supported with IPv6

Overlay (forwarding between Ethernet and VXLAN):
1. VLAN tagging over VXLAN is not supported
2. Routing between different VXLAN VNIs is not supported
3. VTEPs are isolated, and there is no mechanism to control "horizon" between them

These things will be mentioned in our help documentation page shortly.

Let us know what VXLAN-related features you need, this could help us prioritize development. Also, work on EVPN has started, but would like to hear from you about the most important capabilities and how you imagined they would look like in RouterOS.

MT you are starting to do serious business to leverage your marvell chips product line.

very appreciated

pa:
GREAT work for a beta2 release.
looking forward for more awesome stuff.

next: MACsec with HW-offload ❤️

spippan · Wed Jan 22, 2025 9:59 pm

Feature which will help me considerably are L3HW offloading full vrf support not only the main table

As well as Full MPLS Offloading or multicore processing

I'm using CCR2216 and i'm happy to do any testing thats needed and provide feedback.
i++; on VRF Hardware Offload!

L3VPN (over MPLS or over EVPN Routes Type 5) also with Hardware Offload+Fastpath+Multicore would be great!

+1 too.
could replace some serious cisco parts with this working!

spippan · Wed Jan 22, 2025 10:08 pm

side note

love how engaged MT support is on 7.17 and 7.18bXX forum threads the last days.
feels like things really start to get moving again

oreggin · Wed Jan 22, 2025 10:15 pm

Feature which will help me considerably are L3HW offloading full vrf support not only the main table

As well as Full MPLS Offloading or multicore processing
I support this request.

+1

Wed Jan 22, 2025 10:47 pm

Let us know what features you need, this could help us prioritize development. Also, work on EVPN has started, but would like to hear from you about the most important capabilities and how you imagined they would look like in RouterOS.
Feature which will help me considerably are L3HW offloading full vrf support not only the main table

As well as Full MPLS Offloading or multicore processing

+1 for both !

Wed Jan 22, 2025 10:58 pm

At this point, some known features are not yet implemented.

Underlay (routing encapsulated VXLAN packets):
1. VTEPs are not supported over ECMP
2. VTEPs are not supported over bond, VLAN interface
3. VTEPs cannot operate within VRFs
4. VTEPs are not supported with IPv6

Overlay (forwarding between Ethernet and VXLAN):
1. VLAN tagging over VXLAN is not supported
2. Routing between different VXLAN VNIs is not supported
3. VTEPs are isolated, and there is no mechanism to control "horizon" between them

These things will be mentioned in our help documentation page shortly.

Let us know what VXLAN-related features you need, this could help us prioritize development. Also, work on EVPN has started, but would like to hear from you about the most important capabilities and how you imagined they would look like in RouterOS.

First off. Thank you to the Mikrotik team. This has been a LONG time coming, it is great to have this functionality arrive.

Regarding VXLAN:

Of the Underlay features 1-4 are important to us, and in approximately that order of importance. Of the Overlay features 1 and 3 are also important to us immediately.

Regarding eVPN:

- eVPN+VXLAN
- eVPN+MPLS
- eVPN Type 2 routes (IP/MAC Distribution)
- eVPN Type 3 routes (ingress replication)
- eVPN Type 5 routes (IP prefix route)

Why these features ?
They allow:

- Datacentre Interconnect
- Multi-point replication of packets (MC-LAG equivalent)
- Multi-Homed IP Gateways

RafGan · Thu Jan 23, 2025 12:06 am

Why in my log is THAT:

LAN: radius authentication failed for F4:02:28:75:7A:10: current license allows only 20 active sessions

and:

License maximum active session limit reached.

???

sxtlhglte · Thu Jan 23, 2025 12:43 am

Why in my log is THAT:

LAN: radius authentication failed for F4:02:28:75:7A:10: current license allows only 20 active sessions

and:

License maximum active session limit reached.

???

Your Router with LVL 4 has only 20 User manager Sesions
https://help.mikrotik.com/docs/spaces/R ... ekeylevels

PS Mega +1 on all work for HW VXLAN.

fischerdouglas · Thu Jan 23, 2025 12:46 am

Please stop setting MTU underlay as "just enough"!

I know that is a bit off topic... Sorry!
But what is written here, stays forever...

Please do not exemplify or even use 1550 or 1600 MTU on underlay interfaces...

Warning this because I already suffered a lot with this sloppy deployments, needing to rebuild entire scenarios with hundreds of equipments.

And that could be avoided just following a simple rule:
"It is an undelay point-to-point link on the backbone? Set the bigger MTU is supported by both equipments!"

This applies to vxlan, MPLS, SRv6, and all sorts of encapsulating protocols.

I even suggest that this recommendation to be inserted in some way into the RouterOS confluence.

killersoft · Thu Jan 23, 2025 1:33 am

+1 on nz_monkey regarding VXLAN comments and eVPN.

Could I add in( no doubt a new switch chip for future products ), but hardware offloaded MACSEC as part of the underlay.
"And include jumbo frames ( aka 9000 byte + frame)"
My use case is commercial datacenter/carrier providers(via L2) to remote sites, as part of cyber security uplift.

RafGan · Thu Jan 23, 2025 2:01 am

Why in my log is THAT:

LAN: radius authentication failed for F4:02:28:75:7A:10: current license allows only 20 active sessions

and:

License maximum active session limit reached.

???
Your Router with LVL 4 has only 20 User manager Sesions
https://help.mikrotik.com/docs/spaces/R ... ekeylevels

PS Mega +1 on all work for HW VXLAN.

Thank you. I know that. But, device is in basements, works only in special case, and uptime only 15 minutes. First log like this from 10 years. Strange.

dormancygrace · Thu Jan 23, 2025 2:48 am

*) chr - fixed limited upgrades for expired instances;

No more updates for expired instances?

Thu Jan 23, 2025 2:58 am

+1 on nz_monkey regarding VXLAN comments and eVPN.

Could I add in( no doubt a new switch chip for future products ), but hardware offloaded MACSEC as part of the underlay.
"And include jumbo frames ( aka 9000 byte + frame)"
My use case is commercial datacenter/carrier providers(via L2) to remote sites, as part of cyber security uplift.

Agreed on this, but in-theory if the chipset supports it, the MACSEC will be transparent to the upper layer protocols e.g. IP, VXLAN, MPLS

teleweb · Thu Jan 23, 2025 4:07 am

Let us know what VXLAN-related features you need, this could help us prioritize development.

@EdPa:
If I had to pick one, defintely VLAN support! (VTEPs over VLAN interface but most importantly: ability for customers to carry tagged vlans in the VXLAN (overlay))

CBVista · Thu Jan 23, 2025 4:20 am

I have all my ip>services in a separate VRF
After upgrading to 7.18b2 the winbox service was 'invalid'
Opened and applied the current settings with no changes and it became valid

nichky · Thu Jan 23, 2025 5:30 am

how does that work?

*) log - added option to select TCP or UDP for remote logging;

mkx · Thu Jan 23, 2025 8:12 am

Please stop setting MTU underlay as "just enough"!

I guess that L2MTU setting affect number of frame buffers available. E.g.: if switch chip has 1MB of memory, if L2MTU is set to 1516 bytes, then this means space for 691 frames buffered. Setting L2MTU to 2000 bytes reduces number of buffered frames to maximum of 524. Setting it to 9000 bytes maximum buffered frames reduces to 116. And this buffer reduction will affect overall throughput through switch/bridge.

So IMO setting L2MTU to something just large enough does improve performance of L2 operations. Even if every so slightly. And contrast this to small portion of users wanting to do something special on their equipment (no, running VXLAN is not the norm yet) ... they just have to think everything over down to L1.

Jotne · Thu Jan 23, 2025 8:25 am

how does that work?

*) log - added option to select TCP or UDP for remote logging;

Before RouterOS only did send syslog over UDP, you can now select TCP as well.
For long log lines TCP is a must. But from my experience, do use UDP of TCP is not needed. Faster.

tcp log.png

Pro tip. (but other combination does work)
Use
514/UDP
1514/TCP
6514/TLS

Thu Jan 23, 2025 8:27 am

how does that work?

*) log - added option to select TCP or UDP for remote logging;

Like this:
/system/logging/action> add target=remote remote-protocol=udp

It depends on the software on the receiving end. This goes together with the new remote log format CEF, which works with SIEM such as Greylog and Elastic.

Thu Jan 23, 2025 8:30 am

It would be nice to have the ability to set a password for file sharing.

The random link itself is a security measure. Set "expires" and do not put the link anywhere public, then it's just as secure. You can even treat the last part of the URL as a password and give it separately.

CGGXANNX · Thu Jan 23, 2025 8:32 am

I guess that L2MTU setting affect number of frame buffers available. E.g.: if switch chip has 1MB of memory, if L2MTU is set to 1516 bytes, then this means space for 691 frames buffered. Setting L2MTU to 2000 bytes reduces number of buffered frames to maximum of 524.

Not only that, it will halve the number of buffers to 345, because the increase is in a whole-number-factor of the original buffer size. Even increasing the L2MTU by a few bytes will double the buffer usage, according to this MikroTik video at the 7:03 mark:

https://www.youtube.com/watch?v=7a_z1jAdIME&t=423s

mkx · Thu Jan 23, 2025 9:02 am

I guess that L2MTU setting affect number of frame buffers available. E.g.: if switch chip has 1MB of memory, if L2MTU is set to 1516 bytes, then this means space for 691 frames buffered. Setting L2MTU to 2000 bytes reduces number of buffered frames to maximum of 524.

Not only that, it will halve the number of buffers to 345, because the increase is in a whole-number-factor of the original buffer size.

Yep. I was calculating "best case scenario" where buffer memory is used to its max ... but with very likely performance hit due to how switch chip engine works with memory (some sort of boundary alignment is used very often and that introduces some buffer item size granularity into equation).

massinia · Thu Jan 23, 2025 9:04 am

Set "expires"

What is the format to use for expires?
I tried with 5d 00:00:00 but it is not accepted
Thanks

Thu Jan 23, 2025 9:05 am

set 0 expires=2025-01-25

(2025-01-25 00:00:00)

massinia · Thu Jan 23, 2025 9:11 am

set 0 expires=2025-01-25

So with WinBox it is like this

fshare.png

Thanks Normis!

Thu Jan 23, 2025 9:21 am

That's in old winbox, the new WinBox 4 also uses ISO8601 date format

Jotne · Thu Jan 23, 2025 10:35 am

Double post

Jotne · Thu Jan 23, 2025 10:41 am

Regarding new CEF logging format.
I do not see a filed that shows severity
As example I did send:
:log warning "warning"
:log error "error"
etc

2025-01-23T08:49:43.951+0100 RB951 CEF:0|MikroTik|RB951Ui-2HnD|7.18beta2 (testing)|9|script,debug|Low|msg=debug
2025-01-23T08:48:16.902+0100 RB951 CEF:0|MikroTik|RB951Ui-2HnD|7.18beta2 (testing)|9|script,error|High|msg=error
2025-01-23T08:48:05.161+0100 RB951 CEF:0|MikroTik|RB951Ui-2HnD|7.18beta2 (testing)|9|script,warning|Medium|msg=warning
2025-01-23T08:47:55.690+0100 RB951 CEF:0|MikroTik|RB951Ui-2HnD|7.18beta2 (testing)|9|script,info|Low|msg=info

I see that debug and info shows Low
warning show Medium
Error show High

I do expect a field show a value from 0-7
From RouterOS manual:

syslog-severity (alert, auto, critical, debug, emergency, error, info, notice, warning; Default: auto)

I can see info as part of an other field, like script,warning, but should be a separated field with correct syslog severity.

What does the number after the OS version mean (in example 9)

It stills show some messy info.
system,info for config changes.
system,info,account for users logging inn or out
etc
I did hope this part goes away and all be structured at same format.

But this is just the first beta, so lets hope :)

Edit:
Many system uses a message ID, maybe 9 is that?

Jotne · Thu Jan 23, 2025 11:13 am

That's in old winbox, the new WinBox 4 also uses ISO8601 date format

Did found that the new CEF log format also support ISO8601 and will give milliseconds. That is fantastic :)

pe1chl · Thu Jan 23, 2025 11:17 am

I'm not familiar with that CEF format, but isn't there supposed to be a unique message identifier as well? Or does CEF not specify that?

Thu Jan 23, 2025 11:20 am

More CEF features are in development for the next betas

rextended · Thu Jan 23, 2025 11:28 am

More CEF features are in development for the next betas

well..

Jotne · Thu Jan 23, 2025 11:47 am

Make me happy. :) :)

Seems that just the main header is added and not much done to messages it self.

nmt1900 · Thu Jan 23, 2025 12:08 pm

*) system,arm - automatically increase boot part size on upgrade or netinstall (fixed upgrade failed due to a lack of space on kernel disk/partition);

Well I tried to beta-test as update to 7.17 was failing and it looks like this change does not help (for in-place update).
RB450Gx4 7.16.2 -> 7.18beta2 - "upgrade failed, free 17 kB of kernel disk space"

Is there any alternative to netinstall in this situation? Update to 7.18beta2 fails in same way as update to 7.17...

Thu Jan 23, 2025 12:29 pm

Maybe the problem is worn out disk? It works but the usable area is smaller than needed.

nmt1900 · Thu Jan 23, 2025 12:48 pm

That would need to be over 70% of all space "worn out" then. It does not look even remotely plausible. We already know that problem is elsewhere...

osc86 · Thu Jan 23, 2025 1:10 pm

if you have multiple partitions, remove them, then reboot twice and update to 7.17. This worked with 2 CCR2004.

Thu Jan 23, 2025 1:38 pm

...It does not look even remotely plausible....

We are in the middle of a brainSTORM so even the stupidest idea could have positive effect.

rextended · Thu Jan 23, 2025 1:42 pm

on [successful] upgrade or netinstall

Simply the "fix" is not installed until is not successfully installed the 7.18beta2.
The fix is for future versions, not to fix current.

nmt1900 · Thu Jan 23, 2025 1:48 pm

if you have multiple partitions, remove them, then reboot twice and update to 7.17. This worked with 2 CCR2004.

Device does not have multiple partitions

nmt1900 · Thu Jan 23, 2025 1:49 pm

on [successful] upgrade or netinstall

Simply the "fix" is not installed until is not successfully installed the 7.18beta2.
The fix is for future versions, not to fix current.

Then original question stands - are there any alternatives to netinstall...

colin · Thu Jan 23, 2025 1:59 pm

*) ipv6 - added FastTrack support;

Finally!!!
Can we expect fast track with policy routing support?

slarner · Thu Jan 23, 2025 2:21 pm

Let us know what VXLAN-related features you need, this could help us prioritize development.

Works great here with the simple config supplied. Between a CRS518-16XS-2XQ and CRS326-24S+2Q+

We would like to see Tagged vlans being able to be passed over the VXLan Bridge as a feature.

rextended · Thu Jan 23, 2025 2:27 pm

Then original question stands - are there any alternatives to netinstall...

They should make 7.16.3 (which would be the same size as the kernel that goes with it) with the space fix,
mandatory before moving to 7.17.x or 7.18.x
That way you would have the problem already solved.

nmt1900 · Thu Jan 23, 2025 2:31 pm

If Mikrotik was unable to even notice this problem since September (when first 7.17 beta came out) then it does not look likely that this will happen...

rextended · Thu Jan 23, 2025 2:36 pm

If you think about it, it's the only logical solution for those stuck on 7.16.2, which obviously doesn't concern those who have already installed 7.17 or 7.18beta2.

What I wonder is why if I think about it in a few moments, that I AM NOT PAID TO DO IT,
why those who are paid by MikroTik to do things properly, don't do it???

eworm · Thu Jan 23, 2025 2:37 pm

Well, no one reported it for the testing (beta and rc) releases...

eworm · Thu Jan 23, 2025 2:38 pm

Mikrotik came up with a version-independent fixup package in the past... That could work here as well.

rextended · Thu Jan 23, 2025 2:43 pm

I AM NOT an expert on the file system used,
but in the past updates left space occupied on the disk not assigned to any file.
A "fsck" solved it by releasing the space.
This happened in x86 and CHR (mounted separately the disk on ubuntu for launch "fsck"), but probably
given the space freed up by netinstall compared to an update from one version (just netinstalled) to another (autoupdate or drag-n-drop), it was the same...

rextended · Thu Jan 23, 2025 2:46 pm

Well, no one reported it for the testing (beta and rc) releases...

Because this time with device-mode s–t no one want lock his devices, so less persons than before do tests...

pe1chl · Thu Jan 23, 2025 2:55 pm

Well I skipped 7.17 because of that, but now I am testing this beta because it fixes a BGP problem (still have to test if it fixes all problems)...
Now I find that by default "partitions" mode is OFF but I still can switch between partitions and copy active to backup, so it is not so bad as feared.

rextended · Thu Jan 23, 2025 2:59 pm

Yes, but the first implementations lock "everything", so this caused many testers to skip any testing...

teslasystems · Thu Jan 23, 2025 3:08 pm

Tried a new local update feature.
If both host and client have RouterOS 7.17 installed, client shows available package correctly. But after updating the host to 7.18beta2, client shows empty name and 0.0 version.
.

LocalUpdateBug.png

guipoletto · Thu Jan 23, 2025 3:11 pm

Well, no one reported it for the testing (beta and rc) releases...
Because this time with device-mode s–t no one want lock his devices, so less persons than before do tests...

Good to know i'm not the only one

(also, 7.17 apparently can brick certain hardware, such as rb450gx4, also reported on 7.18b2 )

all the more reason for moving 7.16.x to "longterm"

Amm0 · Thu Jan 23, 2025 3:18 pm

Anyway, this release is shaping up much better. 7.17 was a mess, I lost the RAID in the first 7.17 beta myself and containers didn't start etc. With 7.18beta2, I had no issues.

I'm guessing Mikrotik would rather see case to support@mikrotik – with a supout.rif – on the 7.16.2 upgrade with kernel disk space issue from @nmt1900. It could be something dumb or hardware-specific etc., and not a wholesale failure of Mikrotik release process... But without more detail than be appropriate in the release thread, we're not going to get the bottom of it.

*) dhcpv4-client - allow selecting to which routing tables add default route;

Now if the only added one more drop-down to /ip/dhcp-client to set check-gateway= so you don't need a DHCP script to do it for multiwan... I'd be willing to issue a pardon for 7.17 to Mikrotik.

pe1chl · Thu Jan 23, 2025 3:46 pm

I am happy to notice that the "regex" match in Logging Rules was added! (actually in 7.17 but I skipped that release)
In the category "it is never good enough": could we get a "not" option for that (the familiar box in which a ! can be clicked)?

pe1chl · Thu Jan 23, 2025 3:48 pm

Also in the "logging" category: could we get a log message when the state of a route with check-gateway option changes (up or down)?
I enabled all "route" messages but there does not appear to be a message for that, other than during initial establishment.

nmt1900 · Thu Jan 23, 2025 4:25 pm

Because this time with device-mode s–t no one want lock his devices, so less persons than before do tests...
Good to know i'm not the only one

(also, 7.17 apparently can brick certain hardware, such as rb450gx4, also reported on 7.18b2 )

all the more reason for moving 7.16.x to "longterm"

viewtopic.php?p=1121167#p1121155

irghost · Thu Jan 23, 2025 4:39 pm

viewtopic.php?t=213301
fixed

pateutz · Thu Jan 23, 2025 5:25 pm

I'm not familiar with that CEF format, but isn't there supposed to be a unique message identifier as well? Or does CEF not specify that?

Hello,

you may have a look at the following if you want to understand what CEF means :

https://www.microfocus.com/documentatio ... %20CEF.htm

https://www.microfocus.com/documentatio ... andard.pdf

Best Regards,

Daniel

pe1chl · Thu Jan 23, 2025 5:34 pm

Thanks! What I mean is the deviceEventClassId field that I have seen in some examples, but apparently does not yet exist in RouterOS.
It probably requires "changes all over the software" to add that, and it would be nice if it would appear in non-CEF messages as well.
(in the text or as a topic)

Luizfilipesl · Thu Jan 23, 2025 6:02 pm

About HW VXLAN.

Supported devices are ones that support L3HW offloaded fasttrack/NAT: CRS309-1G-8S+, CRS317-1G-16S+, CRS312-4C+8XG, CRS326-24S+2Q+, CRS326-4C+20G+2Q+, CRS354-48G/P-4S+2Q+, CRS504-4XQ, CRS510-8XS-2XQ, CRS518-16XS-2XQ, CRS520-4XS-16XQ, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ.

About the supported devices, besides the ones you cited, are there plans to grant VXLAN HW to CRS3XX that doesn't have fasttrack/NAT offloading?

glueck05 · Thu Jan 23, 2025 6:52 pm

Feature which will help me considerably are L3HW offloading full vrf support not only the main table

As well as Full MPLS Offloading AND multicore processing
+1 for both !

+1 for both !

rextended · Thu Jan 23, 2025 6:54 pm

pe1chl · Thu Jan 23, 2025 9:32 pm

When upgrading a RB951G-2HnD and logging in to the commandline I got this story:

2025-01-23 20:11:32 system,info,critical Optimal nand stability requires a backup-routerboot upgrade.\r
2025-01-23 20:11:32 system,info,critical Universal package can be found here:\r
2025-01-23 20:11:32 system,info,critical https://help.mikrotik.com/docs/display/ROS/RouterBOARD#RouterBOARD-Settings

I remember I have seen that before. So I went to that page and downloaded a file "bb-upgrade-7.6.dpk" which is supposed to be a "universal package to fix it" but on the boot log it says:

installed bb-upgrade-7.6
FAILED to upgrade backup booter: wrong running booter version

What's up with that? Did I wait too long to apply this fix?

rextended · Thu Jan 23, 2025 9:37 pm

What is your backup firmware??

You must install and use 7.6 RouterBOOT and RouterOS
do not work with other version of current RouerBOOT (you already know that RouterBOOT is not RouterOS, I write that for the others...)

when trying to enable the feature, do the following:
a) upgrade or downgrade the device specifically to the 7.6 release
b) upgrade your current RouterBOOT version with "/system routerboard upgrade" then reboot the device, so that the RouterBOOT version (current-firmware version when checking "/system routerboard print") is the same as the firmware version ("/system resource print") installed, which should be 7.6.

and the correct link is this:
https://help.mikrotik.com/docs/spaces/R ... bootloader

pe1chl · Thu Jan 23, 2025 9:42 pm

That is of course completely impractical. One cannot install an arbitrary RouterBOOT version, and the maintainers decided to change the RouterBOOT version for each and every RouterOS version, for whatever stupid reason...
This package has to be updated to current RouterBOOT version (= the current RouterOS version).

The factory firmware is 3.24 back from the days they only changed the version when something actually changed...

rextended · Thu Jan 23, 2025 9:50 pm

Only on 5 occasions MikroTik provide packages for change "any" backup version
on 6.29.1 for 3.24 backup,
on 6.40.7 for 3.41 backup,
on 6.43.7 for 6.43.7 backup,
on 6.49.7 for 6.43.7 backup,
and on 7.6 for 7.6 backup.

My 2017 post already explain how...
viewtopic.php?t=94303#p580430

pe1chl · Thu Jan 23, 2025 9:55 pm

Maybe the statement "Optimal nand stability requires a backup-routerboot upgrade" has to be explained.
Given the fact that a backup-routerboot upgrade is impossible, what is the risk?
Is there a risk when running, when booting, when using the backup booter, or all of these?
I am not going to use Protected RouterBOOT.

rextended · Thu Jan 23, 2025 9:58 pm

I think it's actually a data alignment problem in the NAND, since the backup "bios" itself is started only by holding down the reset button before turning on the device, or by selecting "force backup booter" item in system/routerboard/settings.

Also old 3.x and 6.x do not longer reboot if is installed v7 because is not recognized...

I have some CPE with 6.48.7 without bios aligned that sometime go on perpetual reboot after 1st beep.
I notice that devices have different RouterBOOT older than 6.43.7.
Never happen on 6.43.7+ devices (till now)

Cha0s · Thu Jan 23, 2025 10:03 pm

A simple backup to mail script has stopped working on v7.18beta2.

The script is:

:local date [/system clock get date];
:local time [/system clock get time];
:local timezone [/system clock get time-zone-name];
:local hostname [/system identity get name];

/system backup save name=email password=xxxxx;

/tool e-mail send to="xxxxxxxx" subject="$date $time $timezone -- $hostname" file=email.backup;
:log info "Backup e-mail sent.";

When run via scheduler, it fails with:

2025-01-22 00:00:00 script,error executing script from scheduler (e-mail-backup) failed, please check it manually
2025-01-22 00:00:00 script,error,debug (scheduler:e-mail-backup) syntax error (line 9 column 94)

The thing is, that line 9 is the last line, and it doesn't have 94 columns.

If run manually via winbox it fails the same.

2025-01-23 01:23:22 script,error executing script e-mail-backup from winbox failed, please check it manually
2025-01-23 01:23:22 script,error,debug syntax error (line 9 column 94)

If run manually command by command through terminal (within curly braces), there are no errors.

2025-01-23 22:01:03 script,info Backup e-mail sent.
2025-01-23 22:01:03 e-mail,info sent <2025-01-23 22:01:03 xxxxxx - xxxxxx> to: xxxxxxx

On v7.17 the same exact script runs without issues.

rextended · Thu Jan 23, 2025 10:06 pm

Export also the scheduler, how can check if you put all necessary policies?

/system clock
:local d [get date]
:local t [get time]
:local z [get time-zone-name]
/system identity
:local n [get name]

/system backup
save name=email dont-encrypt=no encryption=aes-sha256 password=pippo
:delay 2s
/tool e-mail send to="xxx@example.com" subject=("$d $t $z -- $n") file="email.backup"
:log info "Backup e-mail sent."

Cha0s · Thu Jan 23, 2025 10:11 pm

All policies are checked both on the script and on the scheduler.

Also my BGP monitoring script (which is way more complex than this) works without issues.

fischerdouglas · Fri Jan 24, 2025 1:19 am

viewtopic.php?t=213301
fixed

Hummm, Finaly some progress on Hardware Offload.
I got happy seeing that!

I just don't understand why it seems so painful that they recognized at that moment that the problem was actually related to Hardware Offload.
And if it wasn't that... What was it? Where are the details?

PackElend · Fri Jan 24, 2025 8:44 am

I love the new filesharing function,

filehsaring on network devices?
Could you tell me where to find the documentation?

buset1974 · Fri Jan 24, 2025 9:19 am

any plan to make some /ip/route or /routing/route option faster (specially when we run the command on full route router)
example:

/ip route print where blackhole
/routing/route print where blackhole

BigCol · Fri Jan 24, 2025 11:15 am

My Chateau LTE has been having some stability issues and seeing the improvements in this Beta release, i thought I'd upgrade. this went fine, then i noticed there was a modem firmware upgrade available, i did this also. now i cant connect to 3/4G. I noticed just now that my routerboard fw is still at 7.17, with an Upgrade Firmware version of 7.18beta2. should i upgrade this also?
yes, upgrade routerboard firmware too. Regarding the modem: maybe you need to powercycle your chateau to give the modem a cold boot.

router board upgraded, still no LTE connectivity.

would a factory reset be required?

infabo · Fri Jan 24, 2025 11:17 am

We dont even know what is wrong. Whats the output of

/interface/lte/monitor lte1 once

Consider downgrading to ROS 7.17 before doing factory reset. This is BETA.

oreggin · Fri Jan 24, 2025 11:26 am

It is nice to see useful new features!
Maybe I'm wrong but it would be nice if existing features would not be neglected. It is one thing to implement new eyecandy features, and another is to found and fix bug in them. I miss balance between introducing new features and fixing bugs in existing features. For example it is not practical to implement a feature which is breaks another, or if a feature is works only in a very corner/special case.
Kind Regards!

BigCol · Fri Jan 24, 2025 11:45 am

We dont even know what is wrong. Whats the output of
Code: Select all
/interface/lte/monitor lte1 once
Consider downgrading to ROS 7.17 before doing factory reset. This is BETA.

the problem started not when i upgraded to the beta version, but just after when i upgraded the modem to 16121.1034.00.01.01.08 and i was wondering if that's the problem.

[GLOVERC7@Boat] > /interface/lte/monitor lte1 once
status: connected
model: FG621-EA
revision: 16121.1034.00.01.01.08
current-operator: EE
current-cellid: 7001604
enb-id: 27350
sector-id: 4
phy-cellid: 274
data-class: LTE
session-uptime: 12m47s
imei: 863359043719802
imsi: 234304307454535
uicc: 8944303633230353117
primary-band: B3@20Mhz earfcn: 1815 phy-cellid: 274
rssi: -77dBm
rsrp: -105dBm
rsrq: -11dB
sinr: 3dB

pe1chl · Fri Jan 24, 2025 12:01 pm

The BGP situation appears to be improved, but I am still hunting a gremlin.
What happened: my home router has 2 templates for 2 different networks (different AS, different routing table, different bgp-networks), one in default and one added template. The routers at work just have the default template.
I updated the router at home and everything continued to work fine. Then I updated the router at work and the BGP sessions came up but routes were not stored in the table, although they are received according to the packet sniffer. More or less what I also observed in 7.16.
I decided to bring the "default" template back to default settings and add a new template with the settings, and use that. Then it worked. And the routes between the work routers are complete now, unlike in 7.16.
Still puzzled...

Fri Jan 24, 2025 12:08 pm

We dont even know what is wrong. Whats the output of
Code: Select all
/interface/lte/monitor lte1 once
Consider downgrading to ROS 7.17 before doing factory reset. This is BETA.
the problem started not when i upgraded to the beta version, but just after when i upgraded the modem to 16121.1034.00.01.01.08 and i was wondering if that's the problem.

Only way to know for sure: file support ticket.
They are (in my experience) pretty responsive for LTE issues.