EdPa
MikroTik Support
Topic Author
Posts: 356
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga

v7.17 [stable] is released!

Thu Jan 16, 2025 3:58 pm

RouterOS version 7.17 has been released in the "v7 stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during the upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.17 (2025-Jan-16 10:19):

!) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and traffic-gen, partition (command "repartition"), routerboard and install-any-version features will be disabled;
!) webfig - redesigned HTML, styling and functionality;
*) 6to4 - fixed issue where 6to4 relay would not forward traffic unless destination address is set;
*) adlist - improved logging;
*) adlist - improved system stability;
*) adlist - optimized import on system with low disk space;
*) api - fixed REST API serialization of binary data;
*) arm64 - fixed for bare-metal servers to be able to access more than 2GB RAM;
*) arm64 - show CPU frequency on bare-metal installations;
*) arm64/x86 - added missing PCI id for mlx4 driver;
*) bonding - hide mlag-id property on non-compatible devices;
*) bridge - add HW offload support for active-backup bonds on 98DXxxxx, 88E6393X, 88E6191X and 88E6190 switches;
*) bridge - added interface-list support for VLANs;
*) bridge - added message for inactive port reason;
*) bridge - added priority setting to manually elect primary MLAG peer;
*) bridge - correctly display PPP interfaces in VLAN menu;
*) bridge - disallow duplicate static VLAN entries;
*) bridge - disallow multicast MAC address as admin-mac;
*) bridge - enable faster HW offloading when detect-internet is disabled;
*) bridge - fixed first host table response for SNMP;
*) bridge - fixed incorrect HW offloaded port state in certain cases on MSTI add;
*) bridge - fixed missing slave flag on port in certain cases;
*) bridge - fixed MVRP registrar and applicant port options;
*) bridge - fixed port monitor with interface-lists;
*) bridge - fixed port move command;
*) bridge - fixed setting bridge MTU to L2MTU value;
*) bridge - fixed VLAN overlap check;
*) bridge - ignore disabled interfaces when calculating bridge L2MTU;
*) bridge - improved port handling;
*) bridge - improved stability;
*) bridge - prioritize MAC selection from Ethernet interfaces when using auto-mac feature;
*) bridge - re-synchronize MLAG system-id when bridge MAC changes;
*) bridge - removed support for master port config conversion (used before version 6.41);
*) bridge - update dynamic MSTI priority value when changing configuration;
*) bth - improved stability on system time change;
*) certificate - do not download CRL if there is not enough free RAM;
*) certificate - do not show not relevant values for certificate template (CLI only);
*) certificate - fixed handling of capsman-cap certificates (introduced in v7.16);
*) certificate - removed unstructured address field support;
*) chr - added Chelsio VF driver for PCIID 5803;
*) chr/arm64 - fixed kernel crypto use without crypto extensions for RPi CM4;
*) cloud - changed ddns-enabled setting from "no" to "auto" (service is enabled when BTH is enabled);
*) cloud - improved DDNS and VPN state stability;
*) console - added :range command;
*) console - added group-by property for print command;
*) console - added json.no-string-conversion to :serialize;
*) console - added lf/crlf options to :convert transform;
*) console - added more argument definitions for mac-protocol property;
*) console - added password property to "/system/ssh-exec" command;
*) console - added to/from=num option for :convert command;
*) console - allow clearing history for a specific user;
*) console - allow setting width to supout.rif output;
*) console - clear history when removing user;
*) console - disallow autocomplete hints for user without read policy;
*) console - execute :return command without error;
*) console - fixed endless loop when closing input prompt;
*) console - fixed missing arguments in wifi menu in certain cases;
*) console - force print paging when output does not fit terminal width;
*) console - improved printing output in some menus;
*) console - improved scripting system stability;
*) console - increased w60g scan-list size to 6;
*) console - print warning in CLI after enabling protected bootloader;
*) console - removed "chain" names from print parameter list and show all print parameters in "/ipv6/firewall/filter" directory;
*) console - show system-id in export for CHR;
*) console - updated copyright notice;
*) container - allow import from .tar.gz file;
*) container - do not log start, end events unless logging is enabled;
*) container - fixed user and group ID range;
*) container - improved "start-on-boot" stability;
*) container - improved container shell;
*) crypto - improve crypto speeds;
*) crypto - use hardware accelerator for GCM cipher in TLS connection on Alpine CPUs;
*) defconf - changed wireless installation from "indoor" to "any";
*) defconf - disable 5GHz secondary channel on RB4011;
*) defconf - do not add default password for CAP mode configuration on older Audience devices without a password;
*) defconf - fixed new port name recognition;
*) detnet - remove dynamic DHCP client creation;
*) device-mode - added "allowed-versions" list which are allowed to be installed without "install-any-version" mode enabled;
*) device-mode - added "basic" mode;
*) device-mode - added routerboard, install-any-version and partitions features;
*) device-mode - allow feature and mode update on x86 via power button and reboot/shutdown from AWS;
*) device-mode - fixed feature and mode update on ARM64 Hetzner;
*) device-mode - fixed feature and mode update via power-reset on MIPSBE devices;
*) device-mode - limit "/tool/ping-speed" and "/tool/flood-ping" under "traffic-gen" feature;
*) device-mode - limit device-mode update maximum allowed attempt count which can be reset only with reboot or button press;
*) device-mode - provide more precise device-mode update action printout;
*) device-mode - show all features and active restrictions with "print" command;
*) dhcp-relay - added "local-address-as-src-ip" property;
*) dhcp-server - use interface ID for NAS-Port and added interface name to NAS-Port-ID attribute in RADIUS requests;
*) dhcp-server - use single RADIUS accounting session for IPv4 and IPv6 when dual stack is used;
*) dhcpv4-client - correctly handle adding/setting empty dhcp-options;
*) dhcpv4-client - fixed crash when releasing disabled DHCP client;
*) dhcpv4-client - respect Renewal-Time (58) and Rebinding-Time (59) options;
*) dhcpv4-server - do not remove options set config when DHCP network is changed;
*) dhcpv4-server - properly detect DHCP server address when underlying interface has multiple IP addresses configured;
*) dhcpv4-server/relay - added additional error messages for DHCP servers and relays;
*) dhcpv4/v6-server - added address-list parameter to which address will be added if the lease is bound;
*) dhcpv6-client - added prefix-address-list parameter;
*) dhcpv6-client - improved system stability when DHCPv6 client is enabled on non-existing interface;
*) dhcpv6-client - log message when response with invalid transaction-id received;
*) dhcpv6-client/server - added support for DHCPv6 reconfigure messages;
*) dhcpv6-server - added IPv6 address delegation support;
*) dhcpv6-server - do not require "prefix-pool" to be specified;
*) dhcpv6-server - fixed DHCPv6 server "address-pool" property showing in command line as "unknown" when real value is "static-only";
*) dhcpv6-server - improved system stability when removing actively used DHCPv6 server;
*) dhcpv6-server - include all existing prefixes (with lifetime 0) in renew reply and new prefix if RADIUS returns different prefix;
*) dhcpv6-server - properly display "static-pool" value in server print output for "prefix-pool" argument;
*) discovery - added support for LLDP DCBX;
*) discovery - use LLDP description field to populate platform, version and board-name;
*) disk - added "type=file" for file-based block devices, useful for using file as a swap, or when having file-based filesystem images (CLI only);
*) disk - added btrfs filesystems list (CLI only);
*) disk - added mount-read-only and mount-filesystem options to allow read-only mounts and prevent mounting device at all (CLI only);
*) disk - added sshfs client to "/disk" menu (CLI only);
*) disk - added support for SWAP, currently allowed on any block device with "set x swap=yes" when container package is installed (CLI only);
*) disk - allow to configure global and per disk mountpoint template - [slot],[model],[serial],[fw-version],[fs-label],[fs-uuid],[fs] variables supported;
*) disk - auto mount iso and squashfs images;
*) disk - fixed managing and cleaning up mount points;
*) disk - fixed raid role auto selection for up to 64 drives;
*) disk - improve slot naming and improvements for visualizing complex hardware topology;
*) disk - improve test to report zero byte iops;
*) disk - improved system stability;
*) disk - read/show exfat filesystem label;
*) disk - recognize virtual sd* interfaces;
*) disk - remove 32 character slot name limit;
*) disk - save raid superblock and raid bitmap superblock on member devices in 1.2 format/location;
*) disk - show detailed mountpoint users when unable to unmount;
*) disk - show usage as percentage (CLI only);
*) disk - try all NFS versions (4.2,4.1,4.0,3,2) when mounting NFS in that order;
*) disk,nvme - show nvme namespaces if configured more than one on a nvme drive;
*) dns - added option to create named DNS servers that can be used as forward-to servers;
*) dns - do not look up local cache when executing ":resolve" command with specified "server" parameter (introduced in v7.16);
*) dns - DoH whitelist support for adlist using static FWD entries;
*) dns - refactored DNS service internal processes;
*) dns - whitelist support for adlist using static FWD entries;
*) ethernet - improved interface stability for RB4011 devices;
*) ethernet - improved linking after reboot for hAP ax lite devices ("/system routerboard upgrade" required);
*) ethernet - improved stability after reboot for Chateau PRO ax;
*) ethernet - improved system stability for CCR2004-1G-2XS-PCIe device;
*) ethernet - log warning only about excessive broadcast (do not include multicast) and reduced log count;
*) fetch - fixed certificate check when provided hostname is IP address;
*) fetch - fixed large file (over 4GB) fetch in HTTP/HTTPS mode;
*) file - correctly identify mounted disks;
*) file - do not needlessly scan large filesystems, could prevent unmounting;
*) file - improved handling of changes to the file system;
*) file - improved service stability when accessing files list from other system services;
*) file - support files over 4GB size;
*) file - update file size before trying to request content;
*) firewall - added none-dynamic and none-static arguments for IPv6 address-list-timeout settings;
*) firewall - added support for random external port allocation;
*) firewall - added warning log for TCP SYN flood;
*) firewall - fixed "dst-limit" and "limit" matchers when using zero value for burst argument;
*) firewall - improved matching from deeply nested interface-lists;
*) firewall - removed default mangle passthrough=yes configuration from export;
*) ftp - added VRF support;
*) gps - changed default GPS antenna setting for LtAP mini with internal LTE/GPS combo antenna;
*) graphing - fixed graphing rule removal;
*) graphing - fixed queue graph storing on disk;
*) health - added cpu-overtemp-check on ARM, ARM64 devices (CLI only);
*) health - changed PSU state from "no-ac" to "no-input";
*) health - hide settings in CLI if there is nothing to show;
*) health - removed board-temperature on RB5009UPr+S+IN device;
*) igmp-proxy - refactored IGMP querier;
*) ike2 - improved performance by balancing multicore CPU usage for key exchange calculation also for initiator;
*) iot - added additional debug for LoRa logging;
*) iot - added an option to print out LoRa traffic in CLI (not GUI-only option anymore);
*) iot - added new LoRa traffic FCnt packet counter parameter;
*) iot - added support for USB Bluetooth dongles (LE 4.0+) which enables Bluetooth functionality;
*) iot - bluetooth peripheral device menu now displays correct iBeacon major/minor values;
*) iot - fixed duplicate LoRa payloads in the traffic tab;
*) iot - fixed incorrect LoRa joineui filter export behavior;
*) iot - fixed LoRa behavior, where join eui or dev eui could be incorrectly converted during forwarding;
*) iot - improved system stability for LoRa;
*) iot - improvements to LoRa device's stats tab;
*) iot - LoRa LNS improvement;
*) iot - LoRa traffic tab RSSI now shows proper values for ARM architecture;
*) iot - modbus rework which improves Tx Rx switching behavior;
*) iot - mqtt improvement to support large payloads and gracefully discard payloads above size limit;
*) iot - removed crc-disabled and crc-error options from the LoRa forwarding;
*) iot - removed LoRa pause traffic option/setting;
*) iot - removed some LoRa radio related parameters (e.g. RSSI-OFF and Tx-enabled) that were not meant to be changed;
*) ippool - removed maximum "63 bit" prefix length limitation;
*) ipsec - ike2 improved process for policies;
*) ipv6 - added comment property to "/ipv6/nd/prefix" menu;
*) ipv6 - added IPv6 settings related to stale IPv6 neighbor cleanup;
*) ipv6 - added support for manual link-local address configuration;
*) isis - do not disable fast-path when isis is enabled on an interface;
*) isis - fixed console flags;
*) isis - fixed invalid L2 LSP type;
*) isis - make it work when MTU is larger than 1500;
*) isis - update interface MAC address on change (caused neighbor to get stuck in init state);
*) kid-control - use time format according to ISO standard;
*) l3hw - improved system stability;
*) l3hw - rate limit error logging;
*) leds - fixed issue where interface LEDs might not properly disable in some cases;
*) log - added basic validation for "disk-file-name" property;
*) log - added hostname support to remote logging action;
*) log - added regex parameter for log filtering in rules;
*) log - fixed e-mail logging (introduced in v7.16);
*) log - use time format according to ISO standard;
*) lte - added option to check/install modem firmware from early-access/testing channel (CLI only);
*) lte - added provider specific firmware update (FOTA) for Cosmote GR networks on Chateau 5G;
*) lte - disabled ims service for Chateau 5G on operator "3 AT" network (PLMN ID 23205);
*) lte - drop operator selection support for R11e-4G modem as it is unreliable;
*) lte - fixed "default-name" property in export when multiple LTE interfaces are used;
*) lte - fixed "lte monitor" signal reporting for RG520F-EU modem when connected to 5G SA network;
*) lte - fixed "operator" setting for EC200A-EU modem;
*) lte - fixed long "PLMN search in progress" for SXT 3-7;
*) lte - fixed LTE band setting for SXT LTE 3-7;
*) lte - fixed roaming barring (allow-roaming=no) for EC200A-EU modem;
*) lte - fixed signal info reporting for FG621-EA modem in UMTS network;
*) lte - fixed SMS sender parsing;
*) lte - improved modem FW upgrade for Chateau 5G;
*) lte - improved R11eL-EC200A-EU modem firmware upgrade procedure;
*) lte - improved recovery after unexpected modem reboot for Chateau's 5G and 5G R16 series devices;
*) lte - improvements to modem "firmware-upgrade" command;
*) lte - MBIM increased assignable APN profile count up to 8 when modem firmware allows it;
*) lte - modem firmware update (FOTA), added support to install provider specific version;
*) lte - removed trailing "F" symbol from uicc;
*) lte - set "sms-read=no" and "sms-protocol=auto" as default values;
*) lte - set IPv6 address reporting format in modem init for AT modems and MBIM modems with AT channel;
*) mac-server - allow MAC-Telnet access through any bridged port when bridge interface is allowed;
*) mac-telnet - use ASCII DEL as erase/backspace char instead of BS (fixes mac-telnet backspace for WinBox4);
*) macvlan - improved error when trying to create new interface on already busy parent interface;
*) macvlan - updated driver;
*) modem - KNOT BG77 modem, improved handling of modem unexpected restarts;
*) mpls - added fast-path support for VPLS;
*) mpls - added MPLS mangle support;
*) mpls - added support for "ICMP Fragmentation needed";
*) mpls - do not drop LDP peering session on PW deactivation;
*) mpls - do not reconnect VPLS on name or comment changes;
*) netinstall - removed unused "Get key" button;
*) netinstall - save and restore device-mode configuration on format;
*) netinstall-cli - added "-o" option to install devices only once per netinstall run;
*) netinstall-cli - fixed x86 detection;
*) netwatch - added "ignore-initial-up" and "ignore-initial-down" properties;
*) netwatch - fixed multiple variables;
*) netwatch - fixed probe toggle when adding a comment;
*) ospf - fixed memory corruption;
*) ospf - improved stability on configuration update;
*) ovpn - added VRF support to OVPN server (server menu now supports multiple entries and previous server configuration is automatically imported);
*) ovpn - improved system stability;
*) ovpn-client - added tls-crypt, tls-crypt-v2 support;
*) ovpn-server - added "user-auth-method" property and allow mschap2 for RADIUS authentication;
*) pimsm - improved system stability after interface disable;
*) poe-out - added low-voltage-too-low status;
*) poe-out - improved PoE-out configuration handling when doing reset-configuration command;
*) poe-out - upgraded firmware for CRS354-48P-4S+2Q+ device (the update will cause brief power interruption to PoE-out interfaces);
*) poe-out - upgraded firmware for PSE (BT) controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) port - display a warning when using invalid log-file with the "remote-access" feature;
*) port - more detailed print command output, include in "USED-BY" property channel number(s);
*) ppp - add routes in matching VRF;
*) ppp - added support for bridge-port-pvid configuration via ppp profile;
*) ppp - added support for bridge-port-trusted configuration via ppp profile;
*) ppp - do not print local/remote pool related errors in log when configuration does not require pool usage;
*) ppp - fixed typos in log message;
*) ppp - reuse link-local IPv6 address for static bindings when possible;
*) ppp - set APN/PDN type "IPv4/v6" according to assigned PPP profile protocol setting;
*) pppoe - added support for PPPoE server over 802.1Q VLANs;
*) profiler - classify ppp processing;
*) profiler - improved process classification;
*) profiler - renamed radv process to radvd;
*) ptp - added dynamic switch ACL rules in order to trap PTP packets to CPU instead of forwarding;
*) ptp - added option to configure L2 transport with forwardable and non-forwardable MAC destination;
*) ptp - added PTP support for CRS320-8P-8B-4S+ and CRS326-4C+20G+2Q+ devices;
*) ptp - display warning when none of the PTP ports has a link;
*) ptp - fixed DSCP values for IPv4 packets;
*) ptp - fixed packet receive with enabled igmp-snooping;
*) ptp - fixed packet tx/rx when enabling PTP on 1/2.5/100Gbps links for 98CX8410, 98DX8525, 98DX4310 switches (introduced in v7.16);
*) ptp - fixed synchronization on QSFP28 interfaces;
*) ptp - make PTP process more stable and deterministic when applying configuration;
*) ptp - restrict configuring g8275 profile with IPv4 transport;
*) qos-hw - allow to disable/enable profiles, disabled or removed profile gets replaced with the default;
*) qos-hw - enabling PFC on port also requires setting egress-rate-queueN;
*) qos-hw - fixed export when changing default Tx Manager;
*) qos-hw - fixed incorrect port byte-use counter;
*) qos-hw - improved PFC behavior;
*) qos-hw - improved system stability when enabling QoS;
*) qos-hw - improved WRED and ECN behavior;
*) qos-hw - rename pfcN-pause and pfcN-resume to pfcN-pause-threshold and pfcN-resume-threshold;
*) qos-hw - reworked PCP and DSCP mapping (now supports single, multiple and range values, previous configuration with minimal value mapping is converted to a single value);
*) qos-hw - switch-cpu port trust settings are forced to "keep";
*) queue - improved system stability when too many simple queues are added;
*) quickset - added "LTE AP" quickset profile with one wifi interface;
*) rip - improved stability when changing metric;
*) romon - added dynamic switch rules on devices supporting it when enabling the service;
*) romon - added interface-list support;
*) romon - send uptime in discovery;
*) rose-storage - allow to set iscsi-iqn only when type=iscsi and allow nvme-tcp-name only when type=nvme-tcp;
*) rose-storage - do not allow to format exported disks;
*) rose-storage - enable autocomplete for local-path property in "/file/sync" menu;
*) rose-storage - enable more threads for faster RAID sync;
*) rose-storage - ensure unique nvme-tcp-names for nvme-tcp clients;
*) rose-storage - improved error messages;
*) rose-storage - improved system stability;
*) rose-storage,raid - improved stability of degraded arrays on startup;
*) rose-storage,raid - store superblock in 1.2 format, show raid super block info when detected to help with reassembling arrays;
*) route - fixed discourse attribute print;
*) route - fixed minor typo in failure message;
*) route - fixed possible issue with inactive routes after reboot (introduced in v7.16);
*) route - improved stability;
*) route - improved stability with static route configuration;
*) route - increased interface name length limit in log messages;
*) route - removed possibility for IPv6 routes to specify interface in the dst-address;
*) routerboot - fixed boot MAC for devices with Alpine CPU ("/system routerboard upgrade" required);
*) routerboot - fixed boot MAC for MIPSBE CRS3xx and CRS5xx switches ("/system routerboard upgrade" required);
*) routerboot - improved stability for IPQ8072 and IPQ6010 when flash-boot is used ("/system routerboard upgrade" required);
*) routing-filter - fixed subtract and add for numerical values (+x, -x);
*) rsync - fixed when used over ssh and spaces in directory names;
*) sfp - fixed 1Gbps supported rate for RB960 and RB962 devices;
*) sfp - fixed linking with 1Gbps optical modules with "combo-mode=sfp" configuration for CRS312 device;
*) sfp - improved initialization and linking for some SFP modules;
*) sfp - improved initialization for certain SFP modules on CRS309 and CRS317 devices ("/system routerboard upgrade" required);
*) sfp - improved power control configuration for QSFP optical modules according to the EEPROM field;
*) sfp - improved SFP auto-negotiation for L22, L23 devices;
*) sfp - improved SFP28, QSFP28 interface stability using DAC cable for CRS520 switch;
*) smb - stability improvements for client/server;
*) snmp - added wifi fields to MIKROTIK-MIB;
*) socks - fixed comment property for access configuration;
*) ssh - added option to configure SSH ciphers (replaced allow-none-crypto parameter);
*) ssh - do not regenerate host key after update from RouterOS version older than 7.9;
*) ssh - improved logging;
*) ssh - improved speed;
*) ssh - prefer GCM ciphers for arm64 and x86 devices when ciphers=auto;
*) ssl/tls - improved performance;
*) sstp - added pfs=required option to allow only ECDHE during TLS handshake;
*) storage - preserve permissions,owners,attributes when syncing under "/file/sync";
*) storage,rsync - fixed to work with clients passing "-a" option;
*) supout - added BGP advertisements section;
*) supout - added device-mode section;
*) supout - do not create autosupout.rif for second time after system reboot;
*) supout - print non BGP and OSPF routes if route list is too large;
*) supout - reduce minimal RAM required for export to be included;
*) supout - use separate LTE section;
*) switch - added "all" argument for "new-dst-ports" switch rule property for CRS3xx, CRS5xx, CCR2116 and CCR2216 devices;
*) switch - added IPv6 flow label matching in switch rules for CRS3xx, CRS5xx, CCR2116 and CCR2216 devices;
*) switch - allow bond interfaces in switch rules for CRS3xx, CRS5xx, CCR2116 and CCR2216 devices;
*) switch - allow matching network bitmask for IPv4 and IPv6 dst/src-address properties in switch rule;
*) switch - disallow switch-cpu in "ports" and "new-dst-ports" rule properties for CRS3xx, CRS5xx, CCR2116, CCR2216 and RB5009 devices;
*) switch - fixed a potential issue with packet corruption caused by incorrect switch initialization on CRS3xx/5xx devices;
*) switch - fixed L2MTU for 25Gbps ports;
*) switch - fixed RSPAN error message when using mirror-target=cpu;
*) switch - fixed rule disable in certain cases for 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) switch - fixed storm-rate accuracy on 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) switch - force "mac-protocol" when matching IPv4 or IPv6 specific properties;
*) switch - improved CPU performance for CRS328-24P-4S+ switch;
*) switch - improved system stability for RB5009 and CCR2004-16G-2S+ devices;
*) switch - make switch rule "ports" property not required and unsettable (allows matching packets on all switch ports);
*) switch - updated dynamic switch rules when using HW bridge with IGMP snooping (224.0.0.0/24 and ff02::/16 destination addresses are forwarded and copied to CPU);
*) system - improved IPv6 maximum routing table size based on total memory;
*) system - make ICMP error source address selection configurable (icmp-errors-use-inbound-interface-address parameter in ip settings);
*) system - make TCP timestamp handling configurable (tcp-timestamps parameter in ip settings);
*) system - moved "/system/upgrade" to "/system/package/local-update";
*) tftp - improved stability;
*) upnp - rename service description file from gateway_description.xml back to gateway.xml;
*) user-manager - improved stability;
*) vpls - added support for bridge-pvid configuration;
*) vrf - fixed packet handling with enabled queues;
*) vxlan - fixed issue causing to lose IPv6 VTEP address setting;
*) webfig - added search option for settings;
*) webfig - allow download from file details;
*) webfig - allow style.css and script.js in branding packages;
*) webfig - fixed uploading files with Windows style newlines;
*) webfig - hide inherited wifi password;
*) webfig - improved keyboard navigation;
*) webfig - improved screen reader support;
*) webfig - improved system stability when used over many simultaneous sessions;
*) webfig - redirect "/help/license.html" to "/license.txt" for backwards compatibility;
*) webfig - reduce flickering when table is sorted by column with duplicate values;
*) webfig - Skin Designer moved to centralized page;
*) webfig - status page is deprecated, old status page config will work, but can't be updated or created;
*) webfig - support unicode strings;
*) wifi - add information to each interface, showing which CAPsMAN manages it or which CAP hosts it when applicable;
*) wifi - added a debug log entry when switching channel;
*) wifi - added ability to set security.owe-transition-interface to "auto";
*) wifi - added access-list stats (CLI only);
*) wifi - added configuration.installation property to limit use of indoor-only channels;
*) wifi - added debug log messages on station authentication mismatch;
*) wifi - added extra info to CAPsMAN about message;
*) wifi - added last-activity property in registration table;
*) wifi - added multi-passphrase (PPSK) support (CLI only);
*) wifi - added option to reset MAC address (CLI only);
*) wifi - added station-roaming support;
*) wifi - allow IPv6 LL address in caps-man-addresses;
*) wifi - disabled 802.11h on 2.4GHz station;
*) wifi - fixed "disabled" property in certain cases;
*) wifi - fixed failure to resume operation after DFS non-occupancy period has elapsed;
*) wifi - fixed failure with "auto" peer update on the OWE interface;
*) wifi - fixed occasional failure to bring up management frame protection and channel switch capabilities;
*) wifi - fixed the "no available channels" message still being displayed after a setting change has made some channels available;
*) wifi - improved FT roaming with WPA3 for some Apple devices;
*) wifi - indicate radios' ability to perform a channel switch in their "hw-caps" attribute;
*) wifi - indicate which channels are subject to DFS, or are indoor-only in output of "monitor" command;
*) wifi - re-word the "SA Query timeout" log message to "not responding";
*) wifi - show authentication type and wireless standard used by each client in registration table;
*) wifi - show regulatory limits on maximum bandwidth in output of radio/reg-info command;
*) wifi - when operating in station mode, log more information when AP switches to an unsupported channel;
*) wifi-qcom - added Superchannel country profile;
*) wifi-qcom - updated regulatory info for Ukraine, Australia and United States;
*) wifi-qcom-ac - allow use of channel 144 under "Japan" regulatory domain;
*) wifi-qcom-ac - fix possible conflict between radio and USB initialization on hAP ac2;
*) wifi-qcom-ac - improved CPU load balancing and system stability;
*) winbox - added "Copy to Access List" option under "WiFi/Registration" menu;
*) winbox - added "Max Entries" and "Total Entries" properties under "IP/Firewall/Connections/Tracking" menu;
*) winbox - added "Scan" and "Test Disks" features under "System/Disks" menu;
*) winbox - added Enable/Disable buttons under "Tools/Graphing" menus;
*) winbox - added MAC address support for "Group" property under "Bridge/MDB" menu;
*) winbox - added missing "bus" option for compatible devices under "System/RouterBOARD/USB Power Reset" menu;
*) winbox - added missing properties under "IP/Neighbors" menu;
*) winbox - allow to edit Ethernet MAC address;
*) winbox - clear "Value" field when unset under "IP/DNS/Static" menu;
*) winbox - fixed duplicate timezone names;
*) winbox - fixed typo in "System/Reset Configuration" menu;
*) winbox - hide LCD menu for devices without display;
*) winbox - hide LTE "External Antenna" menu for devices without switchable antenna option;
*) winbox - improved stability;
*) winbox - minimal required version is v3.41;
*) winbox - refresh values under "Bridge/VLANs/MVRP Attributes" menu;
*) winbox - renamed and moved "System/Auto Upgrade" to "System/Packages" menu;
*) winbox - renamed wrong invalid interface flag to inactive;
*) winbox - show "FEC" property on status tab for interfaces that use it;
*) winbox - show MLAG settings for CRS326-4C+20G+2Q+ device;
*) winbox - updated properties and behavior under "Switch/QoS" menu;
*) wireguard - do not initiate handshake when peer is configured as responder;
*) wireless - added option to reset MAC address (CLI only);
*) wireless - added vlan-id to registration-table;
*) wireless - allow to set Canada2 country profile when locked with US lock package for CubeG device;
*) wireless - enable all chains by default for RB911 and RB922 series devices;
*) wireless - fixed antenna gain for SXT5ac device;
*) wireless - preserve configured country while using setup-repeater, added "country" argument (CLI only);
*) x86 - Realtek r8169 updated driver;
*) zerotier - added debug logging;
*) zerotier - do not show default settings in export;
*) zerotier - upgraded to version 1.14.0;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 4:03 pm

Finally! With important and great changes to "wifi" and many other areas. Keep up the great work!
 
Sit75
just joined
Posts: 12
Joined: Thu Mar 11, 2021 9:43 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 4:23 pm

"Wireless" is fine with 7.17, but "wifi-qcom-ac" is crap, unfortunately. I have had long time open memory leak ticket SUP-147911 for hAP ac^2. This ticket has been closed without solution - but it is bullet proof the leak is related to "wifi-qcom-ac", because "wireless" is fine and stable. There is no any willingness on Mikrotik side to do any investigation, only short message - it is old HW. But this old HW IPQ-4019 with exact same amount of RAM memory (256MB) and ROM memory (16MB) is used in Chateau 5G R16. There was visible decrease of RAM free memory 10MB/day starting with 150MB to OOP after roughly 14-21 days - kernel panic memory.

Re: v7.17rc [testing] is released!
Post by CGGXANNX » Thu Jan 16, 2025 12:03 pm

Well it may goes out of memory with SMB, but if wifi-qcom-ac really takes a large chunk of RAM, then OOM might also happen if you run a container (that worked fine with wireless), or if you use adlist with huge lists, etc... If they disable and hide SMB, then should they do that with container and adlist too?

Currently you have to explicitly remove wireless and install wifi-qcom-ac. It is assumed that you read the doc before doing that, and from now on, the doc has the warning about the RAM usage. If your router suffers from OOM, your first thought now would be to revert back to wireless.
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 4:32 pm

I just discovered one bug. On Upgrade the timezone gets unset. It is now UTC instead of Europe/Vienna. "/export" is missing this line which was there in 7.16.2:
/system clock set time-zone-name=Europe/Vienna
edit: seems like this line from export is added or removed by the Cloud feature. After a reboot for firmware upgrade I saw the following log entry and suddenly "/system clock set time-zone-name=Europe/Vienna" was there again.
2025-01-16 14:44:43 system,critical,info cloud change time Jan/16/2025 14:43:47 => Jan/16/2025 14:44:43
Sry, not a bug.
Last edited by infabo on Thu Jan 16, 2025 4:50 pm, edited 3 times in total.
 
KindlyMan
just joined
Posts: 4
Joined: Mon Jan 13, 2025 4:12 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 4:44 pm

"v7 stable"
NOT STABLE.
viewtopic.php?t=198736
Last edited by KindlyMan on Thu Jan 16, 2025 8:10 pm, edited 1 time in total.
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 4:54 pm

> "Wireless" is fine with 7.17, but "wifi-qcom-ac" is crap, unfortunately. I have had long time open memory leak ticket SUP-147911 for hAP ac^2. This ticket has been closed without solution - but it is bullet proof the leak is related to "wifi-qcom-ac", because "wireless" is fine and stable. There is no any willingness on Mikrotik side to do any investigation, only short message - it is old HW. But this old HW IPQ-4019 with exact same amount of RAM memory (256MB) and ROM memory (16MB) is used in Chateau 5G R16. There was visible decrease of RAM free memory 10MB/day starting with 150MB to OOP after roughly 14-21 days - kernel panic memory.
This is most probably a configuration related issue. I have cap ac with only 128MB system memory running wifi-qcom-ac and it reached quite 4 weeks uptime on 7.16.2 before I upgraded it to 7.17 today. It reported ~28mb of free memory before I upgraded the system.
 
txfz
Frequent Visitor
Posts: 67
Joined: Tue Mar 10, 2020 9:02 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 4:57 pm

> *) bridge - added interface-list support for VLANs;

What does this mean?
 
grusu
Member Candidate
Posts: 142
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:02 pm

Is possible now to add interface-list as tagged or untagged interface.
 
Jotne
Forum Guru
Posts: 3348
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:04 pm

> NOT STABLE.
> In general, the problem of LOST SIGNAL has not been completely solved, and it is strange that MikroTik don't pay due attention to this.

Seems that you have not read previous post about the same.
Stable enough to release.
Any code out there have bugs. Some more, some less. There are no perfect software.

Also going from RC to Stable will make more user try the image and more error will be found and fixed.
I do not install a 0 version in production.
Last edited by Jotne on Thu Jan 16, 2025 5:08 pm, edited 1 time in total.
 
mustang1986
just joined
Posts: 1
Joined: Wed May 31, 2023 9:07 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:06 pm

> "Wireless" is fine with 7.17, but "wifi-qcom-ac" is crap, unfortunately. I have had long time open memory leak ticket SUP-147911 for hAP ac^2. This ticket has been closed without solution - but it is bullet proof the leak is related to "wifi-qcom-ac", because "wireless" is fine and stable. There is no any willingness on Mikrotik side to do any investigation, only short message - it is old HW. But this old HW IPQ-4019 with exact same amount of RAM memory (256MB) and ROM memory (16MB) is used in Chateau 5G R16. There was visible decrease of RAM free memory 10MB/day starting with 150MB to OOP after roughly 14-21 days - kernel panic memory.
>
> Re: v7.17rc [testing] is released!
> Post by CGGXANNX » Thu Jan 16, 2025 12:03 pm
>
> Well it may goes out of memory with SMB, but if wifi-qcom-ac really takes a large chunk of RAM, then OOM might also happen if you run a container (that worked fine with wireless), or if you use adlist with huge lists, etc... If they disable and hide SMB, then should they do that with container and adlist too?
>
> Currently you have to explicitly remove wireless and install wifi-qcom-ac. It is assumed that you read the doc before doing that, and from now on, the doc has the warning about the RAM usage. If your router suffers from OOM, your first thought now would be to revert back to wireless.
I have same problem with cap-ac (simple AP mode), SUP-160401 .
 
ech1965
newbie
Posts: 37
Joined: Wed Mar 20, 2019 3:53 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:13 pm

> NOT STABLE.
> ...
STABLE != free of bugs
As far as I understand, during beta (eh 7.18 betaX); Mikrotik "Adds" new code (fixes for long standing bugs, new features, porting from routeros 6....)
once in RC, they only fix bug in the code added during the betas.
-> if you don't see a fix for an issue appearing in the changelog of the beta, there is little chance to see in the changelog of the RC.
 
txfz
Frequent Visitor
Posts: 67
Joined: Tue Mar 10, 2020 9:02 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:13 pm

> Is possible now to add interface-list as tagged or untagged interface.
Oh, that's pretty good.
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:14 pm

Super-stable 7.17 is unable to install on RB450Gx4
upgrade failed, free 9 kB of kernel disk space
450Gx4 has 512 MB storage space and only 25% of it is used. What is going on??? Other devices with 16 MB storage updated without problems...

P. S. It seems to be an overlooked problem from rc stage -> viewtopic.php?p=1119444
Last edited by nmt1900 on Thu Jan 16, 2025 5:26 pm, edited 1 time in total.
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:15 pm

Here my update on the "free-memory" topic for those interested and also managing 16MB devices. Before/after of 2 devices I just upgraded. tl;dr: free space decreased.
[user@router] > /system/resource/print 
                  version: 7.16.2 (stable)
           free-hdd-space: 556.0KiB
          total-hdd-space: 16.0MiB
               board-name: D53G-5HacD2HnD
                 platform: MikroTik

[user@router] > /system/resource/print        
                  version: 7.17 (stable)         
           free-hdd-space: 272.0KiB           
          total-hdd-space: 16.0MiB       
               board-name: D53G-5HacD2HnD     
                 platform: MikroTik
and
[user@cap] > /system/resource/print 
                  version: 7.16.2 (stable)
           free-hdd-space: 760.0KiB
          total-hdd-space: 16.0MiB
               board-name: cAP ac
                 platform: MikroTik

[user@cap] > /system/resource/print       
                  version: 7.17 (stable)                   
           free-hdd-space: 480.0KiB           
          total-hdd-space: 16.0MiB                   
               board-name: cAP ac             
                 platform: MikroTik
 
Sit75
just joined
Posts: 12
Joined: Thu Mar 11, 2021 9:43 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:18 pm

We are speaking about RAM issue, not ROM. ROM has been solved roughly in 7.15, what I remember.
> Here my update on the "free-memory" topic for those interested and also managing 16MB devices. Before/after of 2 devices I just upgraded. tl;dr: free space decreased.
> [user@router] > /system/resource/print
>                   version: 7.16.2 (stable)
>            free-hdd-space: 556.0KiB
>           total-hdd-space: 16.0MiB
>                board-name: D53G-5HacD2HnD
>                  platform: MikroTik
>
> [user@router] > /system/resource/print
>                   version: 7.17 (stable)
>            free-hdd-space: 272.0KiB
>           total-hdd-space: 16.0MiB
>                board-name: D53G-5HacD2HnD
>                  platform: MikroTik
> and
> [user@cap] > /system/resource/print
>                   version: 7.16.2 (stable)
>            free-hdd-space: 760.0KiB
>           total-hdd-space: 16.0MiB
>                board-name: cAP ac
>                  platform: MikroTik
>
> [user@cap] > /system/resource/print
>                   version: 7.17 (stable)
>            free-hdd-space: 480.0KiB
>           total-hdd-space: 16.0MiB
>                board-name: cAP ac
>                  platform: MikroTik
 
anav
Forum Guru
Posts: 22232
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:21 pm

@Edpa
1. *) bridge - added interface-list support for VLANs;

Does this mean we can now list the bridge as an interface list member and this will include all vlans attached to the bridge?

2. *) bridge - enable faster HW offloading when detect-internet is disabled;

Will faster HW offloading also occur when detect-internet is set to NONE? ( or only disabled? )
 
Sit75
just joined
Posts: 12
Joined: Thu Mar 11, 2021 9:43 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:24 pm

Well, what kind of traffic you have? IPv4+IPv6? Or only IPv4? What amount of traffic? 100GB/day?

Regarding "configuration issue", what is wrong on this?
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-ABC-6754ca15 rrm=yes wnm=yes
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-n .width=20/40mhz configuration.country=Czech .mode=ap .multicast-enhance=enabled .qos-classifier=\
    priority .ssid=ABC disabled=no mtu=1500 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=no .wps=\
    disable steering=steering1
set [ find default-name=wifi2 ] channel.band=5ghz-ac .frequency=5500 .width=20/40/80mhz configuration.country=Czech .mode=ap .multicast-enhance=enabled \
    .qos-classifier=priority .ssid=ABC disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=no \
    .wps=disable steering=steering1
Rest is exactly the same for "wireless.apk", which is without any observable memory leak.

> > "Wireless" is fine with 7.17, but "wifi-qcom-ac" is crap, unfortunately. I have had long time open memory leak ticket SUP-147911 for hAP ac^2. This ticket has been closed without solution - but it is bullet proof the leak is related to "wifi-qcom-ac", because "wireless" is fine and stable. There is no any willingness on Mikrotik side to do any investigation, only short message - it is old HW. But this old HW IPQ-4019 with exact same amount of RAM memory (256MB) and ROM memory (16MB) is used in Chateau 5G R16. There was visible decrease of RAM free memory 10MB/day starting with 150MB to OOP after roughly 14-21 days - kernel panic memory.
> This is most probably a configuration related issue. I have cap ac with only 128MB system memory running wifi-qcom-ac and it reached quite 4 weeks uptime on 7.16.2 before I upgraded it to 7.17 today. It reported ~28mb of free memory before I upgraded the system.
 
EdPa
MikroTik Support
Topic Author
Posts: 356
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:27 pm

@anav

1. You can use interface-list for "tagged", "untagged" properties under the /interface/bridge/vlan menu.
https://help.mikrotik.com/docs/spaces/R ... rfacelists

2. /interface/detect-internet/set detect-interface-list=none
 
grusu
Member Candidate
Posts: 142
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:28 pm

> @Edpa
> 1. *) bridge - added interface-list support for VLANs;
>
> Does this mean we can now list the bridge as an interface list member and this will include all vlans attached to the bridge?

Screenshot 2025-01-16 172728.png
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:29 pm

Dude client is failing to update as well
connecting to upgrade.mikrotik.com
...
connection closed
 
eddieb
Member
Posts: 371
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:31 pm

indeed, dude client fails to upgrade
connecting to upgrade.mikrotik.com
...
connection closed
 
victorbayas
just joined
Posts: 20
Joined: Wed Aug 07, 2024 1:56 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:53 pm

> "Wireless" is fine with 7.17, but "wifi-qcom-ac" is crap, unfortunately. I have had long time open memory leak ticket SUP-147911 for hAP ac^2. This ticket has been closed without solution - but it is bullet proof the leak is related to "wifi-qcom-ac", because "wireless" is fine and stable. There is no any willingness on Mikrotik side to do any investigation, only short message - it is old HW. But this old HW IPQ-4019 with exact same amount of RAM memory (256MB) and ROM memory (16MB) is used in Chateau 5G R16. There was visible decrease of RAM free memory 10MB/day starting with 150MB to OOP after roughly 14-21 days - kernel panic memory.
>
> Re: v7.17rc [testing] is released!
> Post by CGGXANNX » Thu Jan 16, 2025 12:03 pm
>
> Well it may goes out of memory with SMB, but if wifi-qcom-ac really takes a large chunk of RAM, then OOM might also happen if you run a container (that worked fine with wireless), or if you use adlist with huge lists, etc... If they disable and hide SMB, then should they do that with container and adlist too?
>
> Currently you have to explicitly remove wireless and install wifi-qcom-ac. It is assumed that you read the doc before doing that, and from now on, the doc has the warning about the RAM usage. If your router suffers from OOM, your first thought now would be to revert back to wireless.
I'm surprised they managed to make the proprietary QCOM drivers run on a board with 128MB of RAM, back then when I had the ac2 it OOM'd even on OpenWrt running the "small buffers" ath10k driver.
 
chris6671980309
just joined
Posts: 23
Joined: Wed Feb 23, 2011 7:06 am
Location: Singapore

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:54 pm

Have a small bug. On my CCR1009, when I right click Interfaces --> Interface --> any interface --> Detail Mode in winbox3.41 just closed.
https://imgur.com/a/Ompf5pA
Last edited by chris6671980309 on Thu Jan 16, 2025 5:58 pm, edited 3 times in total.
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 5:54 pm

> We are speaking about RAM issue, not ROM. ROM has been solved roughly in 7.15, what I remember.
Thank you for clarifying, Sit75. My earlier post wasn’t intended as a direct response to the RAM issue you mentioned. I’ve been monitoring free memory on RouterOS since version 7.13, and my recent observation of approximately 280KB less free space after upgrading was meant as a general heads-up for the community.

Devices with limited free memory - say, around 200KB on 7.16 - could potentially encounter issues when moving to 7.17. Hopefully, this additional context will help others keep an eye on their device disk space during upgrades.
 
matiss
MikroTik Support
Posts: 39
Joined: Fri Dec 30, 2016 10:13 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 6:08 pm

The Dude upgrade issue acknowledged, we are working on it.
 
ishanjain
Frequent Visitor
Posts: 56
Joined: Tue Sep 29, 2020 8:40 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 6:09 pm

Does this also fix NPT? It is broken in 7.16. I don't see it in the changelog
 
HZsolt
newbie
Posts: 31
Joined: Tue Apr 24, 2018 7:31 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 6:14 pm

MikroTik RB450Gx4 --> 7.16.2 --> 7.17 upgrade failed, free 5 kB of kernel disk space mikrotik
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 6:15 pm

> The Dude upgrade issue acknowledged, we are working on it.
Workaround for now is to download 7.17 installer and run it manually. This way update succeeds and client is able to connect to 7.17 Dude server.
 
Sddaw
just joined
Posts: 3
Joined: Thu Apr 25, 2024 3:50 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 6:19 pm

For any1 who upgraded to 7.17 pls check if it is still possible to downgrade to 7.14.3 after? Or it is now marked as not "allowed-versions" or whatever device mode forbids
 
mszru
Frequent Visitor
Posts: 95
Joined: Wed Aug 10, 2016 10:42 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 6:27 pm

> For any1 who upgraded to 7.17 pls check if it is still possible to downgrade to 7.14.3 after? Or it is now marked as not "allowed-versions" or whatever device mode forbids
It should be possible to downgrade to 7.14.3 if I read it right:
/system/device-mode/print 
     mode: advanced     
     allowed-versions: 7.13+,6.49.8+
     ...
 
osc86
Member Candidate
Posts: 203
Joined: Wed Aug 09, 2017 1:15 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 6:34 pm

Upgrade from 7.16.2 to 7.17 fails on a CCR2004-1G-12S+2XS. ~35MB of flash storage and ~3.8GB RAM available currently. Tried the upgrade multiple times.
Edit: tried to do the update on a second CCR2004-1G-12S+2XS which has a different configuration, got the exact same error.
upgrade failed, free 25 kB of kernel disk space
Last edited by osc86 on Thu Jan 16, 2025 11:13 pm, edited 1 time in total.
 
Sddaw
just joined
Posts: 3
Joined: Thu Apr 25, 2024 3:50 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 6:41 pm

> > For any1 who upgraded to 7.17 pls check if it is still possible to downgrade to 7.14.3 after? Or it is now marked as not "allowed-versions" or whatever device mode forbids
> It should be possible to downgrade to 7.14.3 if I read it right:
> /system/device-mode/print
>      mode: advanced
>      allowed-versions: 7.13+,6.49.8+
>      ...
Thx good man
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 6:52 pm

Dude CHR installs might lose other disk if configured with multiple disks. Made a ticket to support about this as well.

It is probably wise to wait for 7.17.1
 
mcskiller
newbie
Posts: 40
Joined: Mon Feb 13, 2012 7:12 am
Location: Argentina

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 6:58 pm

hi, neighbors is broken for winbox v3.41 with the last update (7.17)
with winbox v4 is working fine
 
abbio90
Member
Posts: 447
Joined: Fri Aug 27, 2021 9:16 pm
Location: Oristano

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 7:04 pm

How do you go about rebranding Webfig?

If you use an old rebranding.dpk it doesn't work. Do I need to regenerate it or do you still have to work on it?

The login page appears customized after loading the branding package but if I enter the credentials while clicking log in it adds /? instead of /webfig after the router address in the address bar and the login fails
 
eddieb
Member
Posts: 371
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 7:40 pm

dude client upgrade seems fixed !
tnx Mikrotik
 
abbio90
Member
Posts: 447
Joined: Fri Aug 27, 2021 9:16 pm
Location: Oristano

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 7:52 pm

Skins still don't work on Winbox 4
 
pe1chl
Forum Guru
Posts: 10550
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 8:42 pm

> "v7 stable"
> NOT STABLE.
Remember that "stable" in software releases means: "here you have a version that will remain for a while, we will not release a new version every week or two, so you can install this and won't have to update it immediately". The stability refers to the number of updates.
It does NOT mean that it will work in a stable way, i.e. will not crash or will not have problems with certain functions.
 
eddieb
Member
Posts: 371
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 9:04 pm

> Skins still don't work on Winbox 4
This has nothing to do with ROS 7.17, it is a Winbox 4 issue.
 
fischerdouglas
Frequent Visitor
Posts: 75
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 9:07 pm


> > NOT STABLE.
> Remember that "stable" in software releases means: "here you have a version that will remain for a while, we will not release a new version every week or two, so you can install this and won't have to update it immediately". The stability refers to the number of updates.
> It does NOT mean that it will work in a stable way, i.e. will not crash or will not have problems with certain functions.
Wow... And how about me that, using semantic versioning as a reference, I was thinking that Stable could mean that the software manufacturer should only release as stable code that is free of any known bugs.

I think I'll review a little more about versioning standards.
 
Albirew
just joined
Posts: 8
Joined: Wed Oct 14, 2020 7:16 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 9:25 pm

new webfig is nice, too bad there's still no dark mode in itself :D

Branding all broken here: %host% and %version% are showing as is instead of showing actual ip and ROS version...
it's not showing as breaking change on changelog (branding is not webfig itself), is there documentation about these changes?
(and also, documentation about "allow style.css and script.js in branding packages" would be good since it has potential)
 
massinia
Member Candidate
Posts: 194
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 9:29 pm

> hi, neighbors is broken for winbox v3.41 with the last update (7.17)
> with winbox v4 is working fine
It works perfectly for me
 
mcskiller
newbie
Posts: 40
Joined: Mon Feb 13, 2012 7:12 am
Location: Argentina

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 9:31 pm

> > hi, neighbors is broken for winbox v3.41 with the last update (7.17)
> > with winbox v4 is working fine
> It works perfectly for me
It was a strange situation, I restarted the PC and it works again
 
ormandj
just joined
Posts: 18
Joined: Tue Jun 15, 2021 12:25 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 9:40 pm

I can't upgrade a CCR2004:
19:35:52 system,error upgrade failed, free 29 kB of kernel disk space
                   uptime: 2m19s
                  version: 7.16.2 (stable)
               build-time: 2024-11-26 12:09:40
         factory-software: 6.48.1
              free-memory: 3840.5MiB
             total-memory: 4096.0MiB
                      cpu: ARM64
                cpu-count: 4
            cpu-frequency: 1700MHz
                 cpu-load: 0%
           free-hdd-space: 35.7MiB
          total-hdd-space: 64.0MiB
  write-sect-since-reboot: 33
         write-sect-total: 310187
               bad-blocks: 0%
        architecture-name: arm64
               board-name: CCR2004-1G-12S+2XS
                 platform: MikroTik
There aren't any non-system files on the disk, and I tried the upgrade following a clean reboot. I've seen another user complaining about the same issue on different hardware:

viewtopic.php?p=1119074&sid=8afa3d3815d ... 4cc46d0daa
 
BluThunder
just joined
Posts: 11
Joined: Fri Aug 18, 2006 1:26 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 9:45 pm

For me so far, on CCR2004's, it added a new problem.

I have one at my office - one at my home. I use EOIP (yes, I know I should subnet it, but for now I need it all on the same layer 2) with encryption to link the two locations together.

Version 7.16.2 the best on a 1gb symmetrical connection I could get was 400MB/sec between the two locations.

Version 7.17 made some huge improvements, I'm seeing 700-800MB/sec....

BUT connections are dropping. Not packet loss - connections get closed. You'll be winboxed in and poof - you're disconnected to the remote site.

Roll back to 7.16.2 - my speeds are back to what they were - and it's stable again.

Thoughts anyone?
 
pe1chl
Forum Guru
Posts: 10550
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 9:46 pm

> Wow... And how about me that, using semantic versioning as a reference, I was thinking that Stable could mean that the software manufacturer should only release as stable code that is free of any known bugs.
>
> I think I'll review a little more about versioning standards.
It would be desirable when it was like that, but for software as complex and versatile as RouterOS that simply isn't realistic.
There will always be known bugs, the only criticism on MikroTik with regard to that is that there is no section "known bugs and limitations" in the release notes. Some other manufacturers do that, but a lot of them do not. So they are not alone.

Due to the versatility, there are always users that concern particular bugs as a showstopper, while 99% of other users do not use that feature and do not mind that it is released with that bug.
(good example: the "SMB crashes the router when there is not enough free memory". some have repeatedly claimed that this is a showstopper bug, but I do not care at all because my router is not my fileserver, SMB is always disabled).
 
armandfumal
Member Candidate
Posts: 163
Joined: Wed Apr 25, 2012 5:50 pm
Location: Weiswampach,LUX

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 9:47 pm

> Skins still don't work on Winbox 4
skin does not work at all.

Complete rewrite webfig without finish this important feature... I don't understand....
 
pe1chl
Forum Guru
Posts: 10550
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 9:49 pm

> Thoughts anyone?
EoIP is a connectionless protocol, there is no "connection that is closing".
However, as with any tunnel protocol, there is the risk of creating a loop where encapsulated traffic is again encapsulated.
Maybe the circumstances have changed due to the version upgrade, like some change in the bridge handling.

Best approach for now: get rid of the EoIP.
 
BluThunder
just joined
Posts: 11
Joined: Fri Aug 18, 2006 1:26 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 9:53 pm

Yeah, need to but re-ip'ing 40 items and making all those changes in home assistant isn't on my top of the to do list. Wonder if doing layer 2 tunneling a different method would be better.

Seems it's more than just that. After looking at wireshark captures it looks like the packets just quit getting responses - like you unplugged the link. Yet other sessions will stay up. So odd. Pings will go with no loss.

Have rolled forward and back twice and it's definitely with 7.17.

Thanks!
 
holvoetn
Forum Guru
Posts: 6886
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 9:54 pm



> > Remember that "stable" in software releases means: "here you have a version that will remain for a while, we will not release a new version every week or two, so you can install this and won't have to update it immediately". The stability refers to the number of updates.
> > It does NOT mean that it will work in a stable way, i.e. will not crash or will not have problems with certain functions.
> Wow... And how about me that, using semantic versioning as a reference, I was thinking that Stable could mean that the software manufacturer should only release as stable code that is free of any known bugs.
>
> I think I'll review a little more about versioning standards.
And why is Microsoft releasing versions for Windows then ?
You believe they are bug free ? Surely you are aware of Patch Tuesday mishaps ?
Stable being bug free ... I wish.
 
sxtlhglte
just joined
Posts: 12
Joined: Fri Mar 05, 2021 12:42 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 10:07 pm

> new webfig is nice, too bad there's still no dark mode in itself :D
>
> Branding all broken here: %host% and %version% are showing as is instead of showing actual ip and ROS version...
> it's not showing as breaking change on changelog (branding is not webfig itself), is there documentation about these changes?
> (and also, documentation about "allow style.css and script.js in branding packages" would be good since it has potential)
With Beta and RC I reported CSS issues and it got Fixed before Final Release

All good with my heavily modified Branding Package
 
Kevo
Frequent Visitor
Posts: 67
Joined: Wed Oct 12, 2011 1:38 am

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 10:12 pm

The new web interface is interesting. Maybe I will get used to it, but just in terms of being easy to read, I think the old interface is "clearly" better. The new one just seems softer and less distinct. I'm sure I will find some benefits to it after using it, but I would certainly like it more if it were as easy to see and read as the old one.
 
CGGXANNX
Member Candidate
Posts: 271
Joined: Thu Dec 21, 2023 6:45 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 10:26 pm

Yeah the custom font that MikroTik insist on using for WinBox 4 and the new WebFig is not very high quality and completely unoptimized for display on non-hiDPI display at non-huge sizes. Whoever produced that font did not spend proper effort with hinting. It's a blurry mess at smaller size, not properly snapping to pixel boundaries or supporting Clear Type. The system fonts are much better, at least on Windows.

Also, the two woff2 font files must be stored on the router and consume 38KB of valuable flash storage on devices like the hAP ac². Just look at how horrible "memory" and "interface" look with the MT font compared to WinBox 3 (zoomed out screenshot):

WebFig:
webfig-font.png

WinBox 3:
winbox3-font.png

WinBox 4:
winbox4-font.png
Last edited by CGGXANNX on Thu Jan 16, 2025 11:01 pm, edited 1 time in total.
 
dang21000
Frequent Visitor
Posts: 89
Joined: Sat Feb 25, 2023 2:30 pm
Location: France

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 10:44 pm

Lot of work on WebUI.
But still no way to easily disable quickset, have an empty user name on login, re-login on page refresh and graphs are still 1998 style instead the webui...
 
eider
newbie
Posts: 33
Joined: Thu Nov 30, 2017 10:14 pm

Re: v7.17 [stable] is released!

Thu Jan 16, 2025 11:55 pm

Both of my devices (RB5009UG+S+ and RBwAPGR-5HacD2HnD) lost the same part of configuration, likely related to changes 7.17 introduced around these parts, but this should absolutely never result in such a loss of configuration, especially near neighbor discovery (which after upgrade started leaking out of every interface instead of the previously configured set).
/ip firewall connection tracking
  set enabled=yes tcp-close-wait-timeout=30s tcp-fin-wait-timeout=30s tcp-time-wait-timeout=30s
/ip neighbor discovery-settings
  set discover-interface-list=discovery lldp-mac-phy-config=yes lldp-vlan-info=yes
/ip settings
  set max-neighbor-entries=1024 rp-filter=loose
/ipv6 settings
  set accept-redirects=no max-neighbor-entries=1024

Sadly, I do not have ability to generate support ticket for these as I have noticed this change after second reboot to upgrade RouterBOOT, but leaving it here for others to verify their own configs.

---

Additionally, RBwAPGR-5HacD2HnD is showing non-printable characters for current RouterBOOT version:
WinBox_2025-01-16_22-52-28.png
WinBox_2025-01-16_22-54-25.png
 
Hyperlight
just joined
Posts: 5
Joined: Sun Oct 22, 2017 1:37 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 3:04 am

Having an issue with my Active-Backup interface. Giving a RX looped packet error and crashing the interface. SUP-176645.
 
bajodel
Long time Member
Posts: 552
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 3:35 am

I spent 2h this night going about the shop to switch off all the devices after updating the 'device-mode', I still have 2 other sites to update (they will wait some time so that 7.17 is better tested here). I understand what it is for, but I cannot imagine those that have lots of devices in the fields as I used to .. good luck.

BTW.. so far so good, all my lab office's devices are on 7.17 and they work as expected.
 
actck
just joined
Posts: 3
Joined: Sun Apr 16, 2017 10:13 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 4:31 am



Remember that "stable" in software releases means: "here you have a version that will remain for a while, we will not release a new version every week or two, so you can install this and won't have to update it immediately". The stability refers to the number of updates.
It does NOT mean that it will work in a stable way, i.e. will not crash or will not have problems with certain functions.
Wow... And how about me that, using semantic versioning as a reference, I was thinking that Stable could mean that the software manufacturer should only release as stable code that is free of any known bugs.

I think I'll review a little more about versioning standards.
Stable in mikrotik standards.

I never think that the existence of errors is unacceptable. The problem is that when there are errors, you spend development resources on ROSE SMB NAS DNS. Is it because these people are not capable of fixing the routeros-core package so they can only develop those features? Why not fire them and hire capable people?

I am a network engineer & Java software engineer from China and also an ordinary user. I have a normal "Stable" cognition no matter what they say.
 
pekr
Member Candidate
Posts: 170
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic
Contact:

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 4:41 am

Lot of work on WebUI.
But still no way to easily disable quickset, have an empty user name on login, re-login on page refresh and graphs are still 1998 style instead the webui...
Well, the situation with the new UI is still not perfect, though some improvements have been made.
  • Webfig - only inline comments? This is a complete usability show stopper for me.
  • Winbox 4 - login screen - grouping is not about adding just a column, but provide real grouping like with Winbox 3. Difficult to navigate, so I need to resort to filters.
  • Winbox 4 - column separators - looks weird imo.
  • Winbox 4 - font colors - improved a bit. Darker comments than items themselves? Drags an attention a bit, but hopefully growing on me. All could be solved, if we would be allowed to choose the colors ourselves.
  • Winbox 4 - table row padding setting - perfect.
  • Winbox 4 - table row alternate color might be handy. Conditional coloring would be cool, but that's probably a little too much :-)
 
ClintonITWorks
just joined
Posts: 12
Joined: Thu Nov 09, 2023 8:41 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 6:29 am

How do I stop my cap from auto updating when I update my router?
Last edited by ClintonITWorks on Fri Jan 17, 2025 7:37 am, edited 3 times in total.
 
AresPo
just joined
Posts: 12
Joined: Thu Sep 02, 2021 7:06 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 6:50 am

*) ovpn-client - added tls-crypt, tls-crypt-v2 support;
Hello
Has anyone checked this? Especially on NordVPN or ProtonVPN services
The problem is that I don't know how to add the tls key, of course I used the import option but the problem still persists and it gives the tls error
 
nz_monkey
Forum Guru
Posts: 2193
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow
Contact:

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 7:49 am

*) wifi - added access-list stats (CLI only);
Can we get an example for this ? I could not figure it out myself and there is no documentation for it.
 
marsvo
just joined
Posts: 2
Joined: Tue Apr 04, 2023 11:16 am
Location: Czech Republic

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 8:16 am

CHR on KVM/QEMU: VirtIO disk after upgrade not detected.
Solution: remove disk from virtual and re-add it, now it is in disk list with new name...
 
erlinden
Forum Guru
Posts: 2742
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 8:41 am

How do I stop my cap from auto updating when I update my router?
/interface/wifi/capsman/upgrade-policy
  • none - do not perform upgrade
  • require-same-version - CAPsMAN suggests to upgrade the CAP RouterOS version and, if it fails it will not provision the CAP. (Manual provision is still possible)
  • suggest-same-version - CAPsMAN suggests to upgrade the CAP RouterOS version and if it fails it will still be provisioned
I would expect it to be set on require-same-version currently? Set it to none to prevent updating.

https://help.mikrotik.com/docs/spaces/R ... figuration
 
grusu
Member Candidate
Posts: 142
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 8:55 am

Nowhere in the documentation does it say that the upgrade is done automatically. It doesn't work for me unless I put the packages in the "Package path" folder.
 
oskarsk
MikroTik Support
Posts: 70
Joined: Mon May 13, 2019 9:41 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 9:02 am

For me so far, on CCR2004's, it added a new problem.

I have one at my office - one at my home. I use EOIP (yes, I know I should subnet it, but for now I need it all on the same layer 2) with encryption to link the two locations together.

Version 7.16.2 the best on a 1gb symmetrical connection I could get was 400MB/sec between the two locations.

Version 7.17 made some huge improvements, I'm seeing 700-800MB/sec....

BUT connections are dropping. Not packet loss - connections get closed. You'll be winboxed in and poof - you're disconnected to the remote site.

Roll back to 7.16.2 - my speeds are back to what they were - and it's stable again.

Thoughts anyone?
Install latest testing version and send us supout rif file from the devices.
 
oskarsk
MikroTik Support
Posts: 70
Joined: Mon May 13, 2019 9:41 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 9:04 am

*) ovpn-client - added tls-crypt, tls-crypt-v2 support;
Hello
Has anyone checked this? Especially on NordVPN or ProtonVPN services
The problem is that I don't know how to add the tls key, of course I used the import option but the problem still persists and it gives the tls error
Please refer to instructions.
https://help.mikrotik.com/docs/spaces/R ... ls-cryptv2
 
erlinden
Forum Guru
Posts: 2742
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 9:08 am

Nowhere in the documentation does it say that the upgrade is done automatically. It doesn't work for me unless I put the packages in the "Package path" folder.
Here the text can be improved, as "suggests" seems to be either "tried" or "performed".

In regards to the packages:
Folder location for the RouterOS packages. For example, use "/upgrade" to specify the upgrade folder from the files section. If an empty string is set, CAPsMAN can use built-in RouterOS packages, note that in this case only CAPs with the same architecture as CAPsMAN will be upgraded.
MikroTik is always open to improvement, feel free to contact them to make an improvement in the documentation. Thanks for noticing (though it is not 7.17 related).
 
ivicask
Member
Posts: 440
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 9:22 am

/interface/wifi/radio/reg-info country="Superchannel" number=0          
ranges: 2402-2482/60dBm/40MHz 
5170-5895/60dBm/160MHz
Trying Superchannel on HAP AX3, isn't it supposed to run all channels at max power? But when I set 5180 it runs at (tx-power: 17), I see briefly 60tx and drops to 17, I did try to set manually 28 it doesn't help.
On the other hand if i set United States it does run on max power (tx-power: 28)

Also not related to superchannel but AP keeps dropping power after some time, interface gets enabled, runs at tx-power: 24, all great, but after few hours it drops to tx-power: 17, there is no channel change or anything in logs it just silently drops power, anyone else notice this?
 
marianob85
just joined
Posts: 20
Joined: Wed Feb 08, 2017 9:47 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 9:24 am

RB912UAG-2HPnD

Can not change silent-boot option after upgrading to 7.17
[admin@MT] /system/routerboard/settings> set silent-boot=yes 
failure: not allowed by device-mode
 
oskarsk
MikroTik Support
Posts: 70
Joined: Mon May 13, 2019 9:41 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 9:27 am

RB912UAG-2HPnD

Can not change silent-boot option after upgrading to 7.17
[admin@MT] /system/routerboard/settings> set silent-boot=yes 
failure: not allowed by device-mode
system/device-mode/update routerboard=yes
 
marianob85
just joined
Posts: 20
Joined: Wed Feb 08, 2017 9:47 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 9:34 am

That was fast! Indeed. Didn't notice it was changed after upgrade :/
 
denissMT
MikroTik Support
Posts: 56
Joined: Wed May 26, 2021 12:00 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 9:44 am

"Wireless" is fine with 7.17, but "wifi-qcom-ac" is crap, unfortunately. I have had long time open memory leak ticket SUP-147911 for hAP ac^2. This ticket has been closed without solution - but it is bullet proof the leak is related to "wifi-qcom-ac", because "wireless" is fine and stable. There is no any willingness on Mikrotik side to do any investigation, only short message - it is old HW. But this old HW IPQ-4019 with exact same amount of RAM memory (256MB) and ROM memory (16MB) is used in Chateau 5G R16. There was visible decrease of RAM free memory 10MB/day starting with 150MB to OOP after roughly 14-21 days - kernel panic memory.

Re: v7.17rc [testing] is released!
Post by CGGXANNX » Thu Jan 16, 2025 12:03 pm

Well it may goes out of memory with SMB, but if wifi-qcom-ac really takes a large chunk of RAM, then OOM might also happen if you run a container (that worked fine with wireless), or if you use adlist with huge lists, etc... If they disable and hide SMB, then should they do that with container and adlist too?

Currently you have to explicitly remove wireless and install wifi-qcom-ac. It is assumed that you read the doc before doing that, and from now on, the doc has the warning about the RAM usage. If your router suffers from OOM, your first thought now would be to revert back to wireless.
We are working towards optimizing wireless-qcom-ac as we try to optimize other packages to be less resource heavy, but it is still a work in progress. As of this moment, wifi-qcom-ac is known and expected to take up more resources (including RAM) than legacy wireless drivers.
 
matiss
MikroTik Support
Posts: 39
Joined: Fri Dec 30, 2016 10:13 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 9:45 am

HZsolt, osc86, ormandj, nmt1900
Please send supout.rif file from your device to support@mikrotik.com
 
StupidProgrammer
just joined
Posts: 15
Joined: Thu Dec 21, 2023 6:57 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 10:24 am

/interface/wifi/radio/reg-info country="Superchannel" number=0          
ranges: 2402-2482/60dBm/40MHz 
5170-5895/60dBm/160MHz
Trying Superchannel on HAP AX3, isn't it supposed to run all channels at max power? But when I set 5180 it runs at (tx-power: 17), I see briefly 60tx and drops to 17, I did try to set manually 28 it doesn't help.
On the other hand if i set United States it does run on max power (tx-power: 28)
There is no superchannel in the new wifi-qcom(-ac) drivers, also there is no no_country_set. (BTW, superchannel was a mode, no_country_set was regulatory domain, so you're doing wrong things in the first place.)

The router is probably kicking you back to a default of Latvia, which is at 17.

And yes, I'm also running my wifi as "United States" because of high TX power, despite being in the EU. Isn't that great? :) But the only reason I have that is because I can't remember which South American country is better :D Was it Panama?
 
erlinden
Forum Guru
Posts: 2742
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 10:26 am

Bigger isn't always better...necessity of higher TX Power is an indication that you don't have enough accesspoints.
 
ivicask
Member
Posts: 440
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 10:48 am

/interface/wifi/radio/reg-info country="Superchannel" number=0          
ranges: 2402-2482/60dBm/40MHz 
5170-5895/60dBm/160MHz
Trying Superchannel on HAP AX3, isn't it supposed to run all channels at max power? But when I set 5180 it runs at (tx-power: 17), I see briefly 60tx and drops to 17, I did try to set manually 28 it doesn't help.
On the other hand if i set United States it does run on max power (tx-power: 28)
There is no superchannel in the new wifi-qcom(-ac) drivers, also there is no no_country_set. (BTW, superchannel was a mode, no_country_set was regulatory domain, so you're doing wrong things in the first place.)

The router is probably kicking you back to a default of Latvia, which is at 17.

And yes, I'm also running my wifi as "United States" because of high TX power, despite being in the EU. Isn't that great? :) But the only reason I have that is because I can't remember which South American country is better :D Was it Panama?
What are you even talking about, it's literally in changelog of 7.17 update:
*) wifi-qcom - added Superchannel country profile;
And it does work for higher channels I just tried like 5500 and 5600 it runs max power and skips DFS check, just not for lower ones for some reason so it seems as a bug..
 
bbs2web
Member Candidate
Posts: 234
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 10:57 am

Why disable firewall rules that are part of VRFs? We use VRFs extensively on every CPE, to separate management interfaces from client traffic interfaces. All client interfaces are subsequently part of a VRF where we then filter forwarded traffic to prevent traffic from a Guest network towards an address list called local (includes 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). Similarly for CCTV, we want to drop all traffic unless from DVRs or NVRs.

The change recently disables a firewall forward rule when an input interface is part of a VRF. It however works when we create a new interface list, add the interface to that list and then adjust the firewall rule to filter the traffic.

NB: The problem here is that we now have to refactor every router's configuration after upgrading. This introduces human error and will invariably result in routers not being upgraded for several weeks/months.


Filtering semantics really shouldn't be affected whether or not an interface is part of a VRF. It worked perfectly before upgrading to 7.17 and continues to work if we use the above work around. Sounds to me that the config control is disabling the rule and not actually putting it in to the config based on a filter when it determines that the referenced interface is part of a VRF.

Reference snip:
router7_firewall_rule_disabled_when_interface_part_of_VRF.png

Reference where others are doing something similar:
viewtopic.php?t=191016

Documentation reference advising that firewall rules associated with a VRF interfaces will now reference the VRF instead:
https://help.mikrotik.com/docs/spaces/R ... ding+-+VRF

Please don't disable the rules, they should work just fine. This should be optional and possibly recommended for many use cases but not when you have a larger single VRF with various VLANs being members and you want to selectively filter traffic ingressing via one of the VRF VLANs.
Last edited by bbs2web on Fri Jan 17, 2025 1:18 pm, edited 2 times in total.
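An added example (not from the thread and not MikroTik's tooling) covering both eider's lost-settings report and the VRF firewall report above: it compares pre- and post-upgrade `/export` text for the menus eider listed, and lists filter rules whose in-interface is a VRF member. The sample exports, interface names and function names are constructed, and only interfaces listed directly on a VRF are resolved.

```python
import re
import shlex

# Menus taken from the configuration eider posted. /export prints only
# non-default values, so a key missing afterwards has reverted to its default.
WATCHED_MENUS = (
    "/ip firewall connection tracking",
    "/ip neighbor discovery-settings",
    "/ip settings",
    "/ipv6 settings",
)

def parse_export(text):
    """Parse RouterOS /export text into (menu, verb, properties) tuples."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)    # join "\"-wrapped lines
    entries, menu = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                 # menu header on its own line
            menu = line
            continue
        tokens = shlex.split(line)               # keeps comment="two words" whole
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((menu, tokens[0], props))
    return entries

def _settings(entries):
    """Merge all 'set' lines per menu into one dict of key -> value."""
    merged = {}
    for menu, verb, props in entries:
        if verb == "set":
            merged.setdefault(menu, {}).update(props)
    return merged

def lost_settings(before_text, after_text, menus=WATCHED_MENUS):
    """Return (menu, key, old, new) for watched keys that changed or vanished."""
    before = _settings(parse_export(before_text))
    after = _settings(parse_export(after_text))
    findings = []
    for menu in menus:
        for key, old in before.get(menu, {}).items():
            new = after.get(menu, {}).get(key)
            if new != old:
                findings.append((menu, key, old, new))
    return findings

def rules_on_vrf_interfaces(text):
    """Return (interface, vrf, chain, action) for filter rules to re-check."""
    entries = parse_export(text)
    vrf_of = {}
    for menu, verb, props in entries:
        if menu == "/ip vrf" and verb == "add":
            for iface in props.get("interfaces", "").split(","):
                if iface:
                    vrf_of[iface] = props.get("name")
    hits = []
    for menu, verb, props in entries:
        if menu == "/ip firewall filter" and verb == "add":
            iface = props.get("in-interface", "").lstrip("!")
            if iface in vrf_of:
                hits.append((iface, vrf_of[iface],
                             props.get("chain"), props.get("action")))
    return hits

# Constructed sample exports (not taken from a real device).
BEFORE = r"""
# constructed pre-upgrade export
/ip firewall connection tracking
set enabled=yes tcp-close-wait-timeout=30s tcp-fin-wait-timeout=30s \
    tcp-time-wait-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=discovery lldp-mac-phy-config=yes lldp-vlan-info=yes
/ip settings
set max-neighbor-entries=1024 rp-filter=loose
/ipv6 settings
set accept-redirects=no max-neighbor-entries=1024
/ip vrf
add interfaces=vlan-guest,vlan-cctv name=clients
/ip firewall filter
add action=drop chain=forward comment="guest to local" dst-address-list=local \
    in-interface=vlan-guest
add action=accept chain=input in-interface=ether1-mgmt
"""

AFTER = r"""
# constructed post-upgrade export: the four watched menus are gone
/ip vrf
add interfaces=vlan-guest,vlan-cctv name=clients
/ip firewall filter
add action=drop chain=forward comment="guest to local" dst-address-list=local \
    in-interface=vlan-guest
add action=accept chain=input in-interface=ether1-mgmt
"""

if __name__ == "__main__":
    for menu, key, old, new in lost_settings(BEFORE, AFTER):
        print(f"{menu}: {key} was {old!r}, now {new!r}")
    for iface, vrf, chain, action in rules_on_vrf_interfaces(AFTER):
        print(f"re-check rule: in-interface={iface} (vrf {vrf}) {chain}/{action}")
```
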
 
StupidProgrammer
just joined
Posts: 15
Joined: Thu Dec 21, 2023 6:57 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 10:57 am

Ah, terribly sorry, the ax3 is wifi-qcom, I thought it was -ac and wasn't added there as per the changelog. I'm still in the -ac phase after upgrading my Audience so I think everything is -ac.

erlinden: If you can tell me how to place an access point in the basement for my washer and dryer that doesn't involve destroying walls and drilling through 0.4m of reinforced concrete, I'm all ears...
 
holvoetn
Forum Guru
Posts: 6886
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 11:06 am

erlinden: If you can tell me how to place an access point in the basement for my washer and dryer that doesn't involve destroying walls and drilling through 0.4m of reinforced concrete, I'm all ears...
Not being erlinden but first thing which comes to mind: powerline.
E.g.:
https://www.devolo.global/products

You don't have to use the wifi variant, you can use the ethernet-only version and use your own AP of choice.
"sender" and "receiver" need to be on the same phase of your electrical installation and presence of solar power installations will reduce throughput drastically if on that same circuit (but I assume for a washer and dryer there is not much bandwidth needed).
 
svmk
just joined
Posts: 13
Joined: Mon Mar 26, 2018 1:52 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 11:33 am

Unable to update RB450GX4. After rebooting the ROS version remains 16.2
 
honzam
Forum Guru
Posts: 2399
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 11:53 am

Unable to update RB450GX4. After rebooting the ROS version remains 16.2
What say LOG?
 
Guscht
Member Candidate
Posts: 268
Joined: Thu Jul 01, 2010 5:32 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 11:53 am

Smol homenet updated:
Zwischenablage_01-17-2025_02.jpg

Works good so far :)

QUESTIONS:
*) firewall - added support for random external port allocation;
What means this? A bugfix or something we can configure? What is "random" now and what works now what has not worked before?

*) snmp - added wifi fields to MIKROTIK-MIB;
Where can I view the .mib-file? Which OIDs?

*) health - removed board-temperature on RB5009UPr+S+IN device;
WHY?! I used this as OID and it gave good reading!!
You removed it for the RB5009UPr+S+ (not "IN") too :'(

chart.png
Last edited by Guscht on Fri Jan 17, 2025 12:11 pm, edited 2 times in total.
 
StupidProgrammer
just joined
Posts: 15
Joined: Thu Dec 21, 2023 6:57 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 12:06 pm

Not being erlinden but first thing which comes to mind: powerline.
E.g.:
https://www.devolo.global/products
You don't have to use the wifi variant, you can use the ethernet-only version and use your own AP of choice.
"sender" and "receiver" need to be on the same phase of your electrical installation and presence of solar power installations will reduce throughput drastically if on that same circuit (but I assume for a washer and dryer there is not much bandwidth needed).
Ah yes, that's nice, except for the fact that I have 3-phase electricity at home :) With wifi-qcom-ac my appliances are just barely holding on, whereas the old wireless package with superchannel and no_country_set was great, and I really have no desire to spend a crapload of extra money just so my wife can get notifications when the laundry is done...
 
xavierbt
Frequent Visitor
Posts: 61
Joined: Thu Jan 22, 2015 11:55 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 12:21 pm

Hi

After upgrading, l2tp client is not connecting. In Webfig all ipsec tabs are empty and an /ip/ipsec/export results in an error.

# 2025-01-17 11:14:14 by RouterOS 7.17
# software id = WZEK-CJNA
#
# model = CCR2004-16G-2S+
# serial number = XXXXXXXXX
#error exporting "/ip/ipsec/policy/group" (timeout)
#error exporting "/ip/ipsec/proposal" (timeout)
#error exporting "/ip/ipsec/mode-config" (timeout)
#error exporting "/ip/ipsec/policy" (timeout)
#error exporting "/ip/ipsec/profile" (timeout)
#error exporting "/ip/ipsec/settings" (timeout)

Any clues?
 
sch
MikroTik Support
Posts: 85
Joined: Tue Feb 26, 2013 1:05 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 12:26 pm

Smol homenet updated:
Zwischenablage_01-17-2025_02.jpg


Works good so far :)

QUESTIONS:
*) firewall - added support for random external port allocation;
What means this? A bugfix or something we can configure? What is "random" now and what works now what has not worked before?

*) snmp - added wifi fields to MIKROTIK-MIB;
Where can I view the .mib-file? Which OIDs?

*) health - removed board-temperature on RB5009UPr+S+IN device;
WHY?! I used this as OID and it gave good reading!!
You removed it for the RB5009UPr+S+ (not "IN") too :'(


chart.png
Due to a chip issue which reports board temperature MikroTik decided to remove this parameter from health.
 
oskarsk
MikroTik Support
Posts: 70
Joined: Mon May 13, 2019 9:41 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 12:29 pm

Hi

After upgrading, l2tp client is not connecting. In Webfig all ipsec tabs are empty and an /ip/ipsec/export results in an error.

# 2025-01-17 11:14:14 by RouterOS 7.17
# software id = WZEK-CJNA
#
# model = CCR2004-16G-2S+
# serial number = XXXXXXXXX
#error exporting "/ip/ipsec/policy/group" (timeout)
#error exporting "/ip/ipsec/proposal" (timeout)
#error exporting "/ip/ipsec/mode-config" (timeout)
#error exporting "/ip/ipsec/policy" (timeout)
#error exporting "/ip/ipsec/profile" (timeout)
#error exporting "/ip/ipsec/settings" (timeout)

Any clues?
Please send supout rif file.
 
Guscht
Member Candidate
Posts: 268
Joined: Thu Jul 01, 2010 5:32 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 12:32 pm

Due to a chip issue which reports board temperature MikroTik decided to remove this parameter from health.

Sad - it gave me good, plausible and reliable reading.
Opened a ticket (SUP-176683), because I can not relate.
 
oreggin
Member Candidate
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 12:39 pm

Ok, I have serious problem with DHCP client after upgrade to 7.17, as it drops default route on multiple type of devices (RB4011, SXTsq 5 ac). I experienced this on RCs and betas too. Routers creating autosupout.rif file after dropping def route. I try to figure out what triggers this issue.

Edit: read next post, this is complex routing issue
Last edited by oreggin on Sat Jan 18, 2025 7:00 pm, edited 2 times in total.
 
Ullinator
just joined
Posts: 17
Joined: Tue Jun 08, 2021 12:53 pm
Location: North-West Germany

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 1:08 pm

"Wireless" is fine with 7.17, but "wifi-qcom-ac" is crap, unfortunately. I have had long time open memory leak ticket SUP-147911 for hAP ac^2. This ticket has been closed without solution - but it is bullet proof the leak is related to "wifi-qcom-ac", because "wireless" is fine and stable. There is no any willingness on Mikrotik side to do any investigation, only short message - it is old HW. But this old HW IPQ-4019 with exact same amount of RAM memory (256MB) and ROM memory (16MB) is used in Chateau 5G R16. There was visible decrease of RAM free memory 10MB/day starting with 150MB to OOP after roughly 14-21 days - kernel panic memory.

Re: v7.17rc [testing] is released!
Post by CGGXANNX » Thu Jan 16, 2025 12:03 pm

Well it may goes out of memory with SMB, but if wifi-qcom-ac really takes a large chunk of RAM, then OOM might also happen if you run a container (that worked fine with wireless), or if you use adlist with huge lists, etc... If they disable and hide SMB, then should they do that with container and adlist too?

Currently you have to explicitly remove wireless and install wifi-qcom-ac. It is assumed that you read the doc before doing that, and from now on, the doc has the warning about the RAM usage. If your router suffers from OOM, your first thought now would be to revert back to wireless.
I can't confirm that there's a general problem with wifi-qcom-ac.
There are 4 devices running since 50 days without any memory leaks or other problems:
hc_438.jpg
 
svmk
just joined
Posts: 13
Joined: Mon Mar 26, 2018 1:52 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 1:53 pm

Unable to update RB450GX4. After rebooting the ROS version remains 16.2
What say LOG?
upgrade failed, free 9 kB of kernel disk space

Free Memory: 617.6 MiB Total Memory:1024.0 MiB
Free HDD Space: 409.2 MiB Total HDD Size: 512.0 MiB
 
ormandj
just joined
Posts: 18
Joined: Tue Jun 15, 2021 12:25 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 2:24 pm


What say LOG?
upgrade failed, free 9 kB of kernel disk space

Free Memory: 617.6 MiB Total Memory:1024.0 MiB
Free HDD Space: 409.2 MiB Total HDD Size: 512.0 MiB
MikroTik asked to send supout to them for this. I already netinstalled so can’t, but if you can generate a supout and send it to them as the above post requested, I’m sure they will help them.
HZsolt, osc86, ormandj, nmt1900
Please send supout.rif file from your device to support@mikrotik.com
 
mkx
Forum Guru
Posts: 13138
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 2:44 pm

But the only reason I have that is because I can't remember which South American country is better :D Was it Panama?

Brazil is better than ETSI most of times: 30dBm vs 20dBm on 2.4GHz, 30dBm vs. 14dBm on 5735-5875 MHz ... but not always: ETSI has 30dBm vs. 24dBm on 5490-5730 MHz.

According to reg-info from wAP ax running 7.17, US is the same as Brazil ... but starting with 2025-01-20 I'll like Brazil better than US (regardless nationality of the first lady to be) ;-)
 
oreggin
Member Candidate
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 2:59 pm

Ok, I have serious problem with DHCP client after upgrade to 7.17, as it drops default route on multiple type of devices (RB4011, SXTsq 5 ac). I experienced this on RCs and betas too. Routers creating autosupout.rif file after dropping def route. I try to figure out what triggers this issue.
It's strange! I'm using L2TPv2 tunnels, ip, ipv6, mpls over it. Using IGP protocol (RIP or OSPF doesn't matter) to distribute Loopback addresses. MPLS LDP is active on it and using BGP to exchange VPNvX routes. On IPv4 BGP peers I exchange VPNv4 routes, on IPv6 BGP peers I exchange VPNv6 routes.
Here comes the strange part. Until only IPv4 BGP peer is active nothing bad happens. When IPv6 BGP peer comes up or it gets update(?) then it is messing up the IPv4 routing table. For example it is deleting the DHCP default route so L2TP tunnel goes down.
 
ConradPino
Member
Posts: 390
Joined: Sat Jan 21, 2023 12:44 pm
Contact:

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 3:01 pm

Due to a chip issue which reports board temperature MikroTik decided to remove this parameter from health.
The question was "WHY?" What is the chip doing to cause this decision?
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 3:07 pm


What say LOG?
upgrade failed, free 9 kB of kernel disk space

Free Memory: 617.6 MiB Total Memory:1024.0 MiB
Free HDD Space: 409.2 MiB Total HDD Size: 512.0 MiB
First they have to figure out what does this message actually mean...
Last edited by nmt1900 on Fri Jan 17, 2025 3:44 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10550
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 3:20 pm

Due to a chip issue which reports board temperature MikroTik decided to remove this parameter from health.
The question was "WHY?" What is the chip doing to cause this decision?
Sometimes the reported board temperature is ridiculously high, I have seen that in one of our devices (while others are OK).
 
patrick7
Member
Posts: 353
Joined: Sat Jul 20, 2013 2:40 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 3:27 pm

*) ppp - add routes in matching VRF;
Still not all routes added to the correct VRF for PPP interfaces added to an interface list (through PPP profile) and interface list added to VRF.
I'll eat a broom if this bug ever gets fixed.
 
osc86
Member Candidate
Posts: 203
Joined: Wed Aug 09, 2017 1:15 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 3:33 pm

I've sent supout files from two devices to support regarding the 'upgrade failed, free XX kB of kernel disk space' error.
 
pe1chl
Forum Guru
Posts: 10550
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 4:03 pm

upgrade failed, free 9 kB of kernel disk space
First they have to figure out what does this message actually mean...
Maybe on some devices there is a separate partition for /boot ?
That used to be required/customary on some Linux filesystems or disk devices, to guarantee that the boot code was always within some area supported by the bootloader.
When for some reason the previous kernel version is not removed after upgrade, a next upgrade may be impossible.
(I know that issue from a server which was installed with a previous Debian version that by default created a "small" boot partition in certain circumstances)
 
Dartmaul
just joined
Posts: 13
Joined: Fri Jul 14, 2017 5:37 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 4:45 pm

IKEv2 tunnels fail to establish after upgrading to 7.17 (between 7.17<->7.17 and 7.17<->7.16.2). However, 7.17 does establish IKEv2 with Huawei AR (same settings).
Rolling back to 7.16.2 does fix the issue.
Auth method is PSK, 7.17 peer sends "Delete" right after successful IKE_AUTH. Tested on both live RBs and GNS3 lab.

Am I the only one with this issue?
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 4:55 pm

upgrade failed, free 9 kB of kernel disk space
First they have to figure out what does this message actually mean...
Maybe on some devices there is a separate partition for /boot ?
That used to be required/customary on some Linux filesystems or disk devices, to guarantee that the boot code was always within some area supported by the bootloader.
When for some reason the previous kernel version is not removed after upgrade, a next upgrade may be impossible.
(I know that issue from a server which was installed with a previous Debian version that by default created a "small" boot partition in certain circumstances)
On server-space it sounds quite logical, but here we have situation where some of same models succeed and some fail - while using same installation packages and sharing same architecture. It is hard to believe this has anything to do with userspace.

P. S. Even units with same hardware behave differently - hap ac2 with its 16 MB storage succeeds but RB450Gx4 with 512 MB storage fails while both have essentially same SoC
 
vovan700i
Frequent Visitor
Posts: 52
Joined: Wed Jun 06, 2012 8:34 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 5:18 pm

Ok, I have serious problem with DHCP client after upgrade to 7.17, as it drops default route on multiple type of devices (RB4011, SXTsq 5 ac). I experienced this on RCs and betas too. Routers creating autosupout.rif file after dropping def route. I try to figure out what triggers this issue.
Confirm, I have the same problem on RB5009. I’ve implemented a workaround script to trigger DHCP release once the obtained default route gets missing.
 
mirolm
just joined
Posts: 11
Joined: Mon Apr 27, 2015 8:35 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 5:36 pm

I can confirm this - happened on my hEX Refresh too. Triggered a dhcp release and it went back to normal.
 
oreggin
Member Candidate
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 5:52 pm

Ok, I have serious problem with DHCP client after upgrade to 7.17, as it drops default route on multiple type of devices (RB4011, SXTsq 5 ac). I experienced this on RCs and betas too. Routers creating autosupout.rif file after dropping def route. I try to figure out what triggers this issue.
Confirm, I have the same problem on RB5009. I’ve implemented a workaround script to trigger DHCP release once the obtained default route gets missing.
It seems, it reinitializes all the IGPs after 5sec:
 2025-01-17 13:23:21 route,bgp,info JPoP_MTik1-IPv6-1 {l_addr: fc00::10:43:0:126, r_addr: fc00::10:7:255:255} Established
 2025-01-17 13:23:26 route,rip,info instance { 0 IP } created
 2025-01-17 13:23:26 route,rip,info instance { 0 IP6 } created
 2025-01-17 13:23:27 route,rip,info instance { 0 IP } interface { L2TP1 } created
 2025-01-17 13:23:27 route,rip,info instance { 0 IP6 } interface { L2TP1 } created
 2025-01-17 13:23:29 route,rip,info instance { 0 IP6 } interface { L2TP1 } neighbor fe80::eb47:9598:f0:28%*8 created
 2025-01-17 13:23:32 route,ospf,info instance { version: 3 router-id: 10.43.0.126 } created
 2025-01-17 13:23:32 route,ospf,info OSPFv3 { version: 3 router-id: 10.43.0.126 } area { 0.0.0.0 } created
 2025-01-17 13:23:32 route,ospf,info instance { version: 2 router-id: 10.43.0.126 } created
 2025-01-17 13:23:32 route,ospf,info OSPFv2 { version: 2 router-id: 10.43.0.126 } area { 0.0.0.0 } created
This is totally platform independent, experiencing on CHR too. If I add a static default then where forwarding works, where it doesn't:
$ ping 10.43.0.126
PING 10.43.0.126 (10.43.0.126) 56(84) bytes of data.
64 bytes from 10.43.0.126: icmp_seq=11 ttl=60 time=10.5 ms
64 bytes from 10.43.0.126: icmp_seq=12 ttl=60 time=12.1 ms
64 bytes from 10.43.0.126: icmp_seq=13 ttl=60 time=10.6 ms
64 bytes from 10.43.0.126: icmp_seq=14 ttl=60 time=12.0 ms
64 bytes from 10.43.0.126: icmp_seq=15 ttl=60 time=10.3 ms
64 bytes from 10.43.0.126: icmp_seq=16 ttl=60 time=10.3 ms
64 bytes from 10.43.0.126: icmp_seq=17 ttl=60 time=12.1 ms
64 bytes from 10.43.0.126: icmp_seq=18 ttl=60 time=10.1 ms
64 bytes from 10.43.0.126: icmp_seq=19 ttl=60 time=9.82 ms
64 bytes from 10.43.0.126: icmp_seq=20 ttl=60 time=12.5 ms
64 bytes from 10.43.0.126: icmp_seq=21 ttl=60 time=15.8 ms
64 bytes from 10.43.0.126: icmp_seq=22 ttl=60 time=10.4 ms
64 bytes from 10.43.0.126: icmp_seq=23 ttl=60 time=10.2 ms
64 bytes from 10.43.0.126: icmp_seq=24 ttl=60 time=10.2 ms
64 bytes from 10.43.0.126: icmp_seq=25 ttl=60 time=11.6 ms
64 bytes from 10.43.0.126: icmp_seq=26 ttl=60 time=10.2 ms

64 bytes from 10.43.0.126: icmp_seq=75 ttl=60 time=8.75 ms
64 bytes from 10.43.0.126: icmp_seq=76 ttl=60 time=11.5 ms
64 bytes from 10.43.0.126: icmp_seq=77 ttl=60 time=10.0 ms
64 bytes from 10.43.0.126: icmp_seq=78 ttl=60 time=11.7 ms
64 bytes from 10.43.0.126: icmp_seq=79 ttl=60 time=10.8 ms
64 bytes from 10.43.0.126: icmp_seq=80 ttl=60 time=10.6 ms
64 bytes from 10.43.0.126: icmp_seq=81 ttl=60 time=10.8 ms
64 bytes from 10.43.0.126: icmp_seq=82 ttl=60 time=11.8 ms
64 bytes from 10.43.0.126: icmp_seq=83 ttl=60 time=12.2 ms
64 bytes from 10.43.0.126: icmp_seq=84 ttl=60 time=10.1 ms
64 bytes from 10.43.0.126: icmp_seq=85 ttl=60 time=10.5 ms
64 bytes from 10.43.0.126: icmp_seq=86 ttl=60 time=10.2 ms

^C
--- 10.43.0.126 ping statistics ---
201 packets transmitted, 28 received, 86.0696% packet loss, time 202355ms
rtt min/avg/max/mdev = 8.746/10.988/15.813/1.273 ms
 
Guscht
Member Candidate
Posts: 268
Joined: Thu Jul 01, 2010 5:32 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 6:31 pm

What is this field (Netwatch)?
Screenshot 2025-01-17 173006.jpg

Screenshot 2025-01-17 173021.jpg
 
Belyache
just joined
Posts: 11
Joined: Wed Feb 15, 2012 12:05 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 7:14 pm

After updating from 7.16.2 to 7.17 yesterday the 5ghz wifi has stopped working.

I have a hAP ax^3 (C53UiG+5HPaxD2HPaxD). The wifi1 interface has all of the configurations that it previously had, but is offline.

Both wifi interfaces are members of Bridge1, Bridge ports show wifi2 (2ghz) is up and running and is transmitting its SSID, whereas wifi1 shows it is not up and is not broadcasting its SSID.

I've looked at the config pre-update and post-update and it has not changed.

I manually uploaded the wifi-qcom package hoping it was just corrupt, that didn't help. I uninstalled the wifi-qcom package and then reinstalled it, no luck.

Any ideas?

Thanks,

Glenn
 
wispmikrotik
Member Candidate
Posts: 144
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 7:17 pm

Hi,

Arggg it seems like there are too many bugs in this version ...
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 7:26 pm

While usual stable release may sometimes be beta-level quality, this endless polishing of device-mode produced a release of alpha-level quality if not even worse...
 
Sit75
just joined
Posts: 12
Joined: Thu Mar 11, 2021 9:43 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 7:31 pm

It might be possible, it is related to some scenarios only. For example: majority of IPv6 traffic, heavy load, traffic handovers between 2,4 and 5 GHz bands, fast BSS transition according IEEE 802.11r etc. etc. If I would know, it would be excellent, but I don't know root cause. Reality is that in my quite simple case and simple config always ending with not only Linux OOPS, but even kernel panic crash and restart with autosupout.rif generated.

All autosupout.rif had been provided to Mikrotik. And result was - nothing, it is fine, old HW, use "wireless.apk". On the other hand "wireless.apk" works fine. But in this case is big question, why Qualcomm native drivers on Qualcomm HW work so badly in specific cases? And it seems I am not alone. Majority of my connected devices are Apple products and there were more complaints from other users about the usage, traffic fluctuation, sudden disconnections and reconnections etc.
I can't confirm that there's a general problem with wifi-qcom-ac.
There are 4 devices running since 50days without any memory leaks or other problems:
hc_438.jpg
 
Sit75
just joined
Posts: 12
Joined: Thu Mar 11, 2021 9:43 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 7:47 pm

Thank you Deniss for your effort. I wanted not to be rude, but closing the tickets with kernel crashes without any solution makes me little bit angry. And not only here, in my job (mobile telco industry) too. :-)) Resources are in my case fine, I have 256MB RAM, not only 128MB. I am willing to test it, if you want.
We are working towards optimizing wireless-qcom-ac as we try to optimize other packages to be less resource heavy, but it is still a work in progress. As of this moment, wifi-qcom-ac is known and expected to take up more resources (including RAM) than legacy wireless drivers.
 
msilcher
just joined
Posts: 7
Joined: Mon Mar 09, 2009 9:39 pm
Location: Argentina

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 8:02 pm

I upgraded to 7.17 on my hAP ax2 and realized that the bridge ports are not shown as "hardware offloaded" anymore. This was always the case on previous versions. Bug?

P.S: Setting "detect interface list" (Detect Internet) to "none" doesn't fix the issue.
 
msilcher
just joined
Posts: 7
Joined: Mon Mar 09, 2009 9:39 pm
Location: Argentina

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 8:20 pm

IKEv2 tunnels fail to establish after upgrading to 7.17 (between 7.17<->7.17 and 7.17<->7.16.2). However, 7.17 does establish IKEv2 with Huawei AR (same settings).
Rolling back to 7.16.2 does fix the issue.
Auth method is PSK, 7.17 peer sends "Delete" right after successful IKE_AUTH. Tested on both live RBs and GNS3 lab.

Am I the only one with this issue?
Using Mikrotik as spoke (IKEv2 + PSK) to a Cisco Router and it still works fine after upgrading to 7.17.
 
Guscht
Member Candidate
Posts: 268
Joined: Thu Jul 01, 2010 5:32 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 9:35 pm

Arggg it seems like there are too many bugs in this version ...
Yeah and some random guy here dreamed *THIS* will be a long-term, because it took so long... LOL
This is a typical MT point-zero release, 3 steps forward and 5 back... The long-term is as far away as with the v7.0 release.
 
OOJSPI
just joined
Posts: 22
Joined: Mon Dec 09, 2024 2:25 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 9:42 pm

The issue with WiFi password being shown upon entering HTTPS login screen (even though "Hidden/Hide" is ticked) is still there.
 
t0mm13b
just joined
Posts: 19
Joined: Sat Mar 04, 2023 5:11 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 10:46 pm

Am going to wait it out, would not be surprised if 7.17.1 or .2 release come out shortly to fix up minor issues.
 
Sit75
just joined
Posts: 12
Joined: Thu Mar 11, 2021 9:43 pm

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 11:23 pm

Try to add wifi1 (5 GHz) on bridge manually. It might help.
After updating from 7.16.2 to 7.17 yesterday the 5ghz wifi has stopped working.

Both wifi interfaces are members of Bridge1, Bridge ports show wifi2 (2ghz) is up and running and is transmitting its SSID, whereas wifi1 shows it is not up and is not broadcasting its SSID.
 
Belyache
just joined
Posts: 11
Joined: Wed Feb 15, 2012 12:05 am

Re: v7.17 [stable] is released!

Fri Jan 17, 2025 11:32 pm

It continues to be "Offline".

I reset the wifi1 interface and re-configured also, still nothing.

Try to add wifi1 (5 GHz) on bridge manually. It might help.
After updating from 7.16.2 to 7.17 yesterday the 5ghz wifi has stopped working.

Both wifi interfaces are members of Bridge1, Bridge ports show wifi2 (2ghz) is up and running and is transmitting its SSID, whereas wifi1 shows it is not up and is not broadcasting its SSID.
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 12:38 am

Arggg it seems like there are too many bugs in this version ...
Yeah and some random guy here dreamed *THIS* will be a long-term, because it took so long... LOL
This is a typical MT point-zero release, 3 steps forward and 5 back... The long-term is as far away as with the v7.0 release.
This is because many people wait for the final release to pull the trigger: "omg!!!!! it broke my xyz". instead of evaluating the testing releases so Mikrotik can fix release specific issues before final version.
 
victorbayas
just joined
Posts: 20
Joined: Wed Aug 07, 2024 1:56 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 1:16 am


There is no superchannel in the new wifi-qcom(-ac) drivers, also there is no no_country_set. (BTW, superchannel was a mode, no_country_set was regulatory domain, so you're doing wrong things in the first place.)

The router is probably kicking you back to a default of Latvia, which is at 17.

And yes, I'm also running my wifi as "United States" because of high TX power, despite being in the EU. Isn't that great? :) But the only reason I have that is because I can't remember which South American country is better :D Was it Panama?
What are you even talking about, it's literally in changelog of 7.17 update:
*) wifi-qcom - added Superchannel country profile;
And it does work for higher channels, I just tried like 5500 and 5600, it runs max power and skips DFS check, just not for lower ones for some reason so it seems as a bug..
Superchannel is working great on my hAP ax3, no DFS and max TX power allowed by the hardware just had to limit the frequency to 5180-5805 and 2412-2462. Otherwise it may pick a channel out of the usable spectrum for most WiFi clients.
 
CGGXANNX
Member Candidate
Posts: 271
Joined: Thu Dec 21, 2023 6:45 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 2:30 am

I upgraded to 7.17 on my hAP ax2 and realized that the bridge ports are not shown as "hardware offloaded" anymore. This was always the case on previous versions. Bug?

I don't think that the hAP ax²/ax³ have ever had hardware offload support for the bridge. It's stated in the doc since the beginning:

https://help.mikrotik.com/docs/spaces/R ... Offloading
Currently, HW offloaded bridge support for the IPQ-PPE switch chip is still a work in progress. We recommend using, the default, non-HW offloaded bridge (enabled RSTP).
 
ConradPino
Member
Posts: 390
Joined: Sat Jan 21, 2023 12:44 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 2:54 am

Yeah and some random guy here dreamed *THIS* will be a long-term, because it took so long... LOL
This is a typical MT point-zero release, 3 steps forward and 5 back... The long-term is as far away as with the v7.0 release.
This is because many people wait for the final release to pull the trigger: "omg!!!!! it broke my xyz". instead of evaluating the testing releases so Mikrotik can fix release specific issues before final version.
@infabo, I know this is well intended.
But as a practical matter, I can't afford to duplicate my network.
MT is slowly killing themselves by dumping testing on the user base.
This is a treadmill where I can't risk upgrading until a 7.xx.2+ version.
Over time fewer and fewer small users will ever touch a 7.xx.0 version.
IMO reliable networking is critical substantially over and above features.
Releasing new features while breaking old ones is beyond a cardinal sin.
Every feature should have an automated test in-place to catch regressions.
 
nichky
Forum Guru
Posts: 1397
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 3:46 am

do we have any update on [SUP-134566]: BGP-VRF V7?

when that feature will be implemented.
It works perfectly fine on v6
 
wispmikrotik
Member Candidate
Posts: 144
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 9:45 am



Yeah and some random guy here dreamed *THIS* will be a long-term, because it took so long... LOL
This is a typical MT point-zero release, 3 steps forward and 5 back... The long-term is as far away as with the v7.0 release.
This is because many people wait for the final release to pull the trigger: "omg!!!!! it broke my xyz". instead of evaluating the testing releases so Mikrotik can fix release specific issues before final version.
I respect that you want to be a MikroTik beta tester, but in a network with real network administrators and managers and hundreds of users to explain to if a software update goes wrong, this is something not everyone can afford.
 
spippan
Member
Posts: 478
Joined: Wed Nov 12, 2014 1:00 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 10:16 am

"Wireless" is fine with 7.17, but "wifi-qcom-ac" is crap, unfortunately. I have had long time open memory leak ticket SUP-147911 for hAP ac^2. This ticket has been closed without solution - but it is bullet proof the leak is related to "wifi-qcom-ac", because "wireless" is fine and stable. There is no any willingness on Mikrotik side to do any investigation, only short message - it is old HW. But this old HW IPQ-4019 with exact same amount of RAM memory (256MB) and ROM memory (16MB) is used in Chateau 5G R16. There was visible decrease of RAM free memory 10MB/day starting with 150MB to OOP after roughly 14-21 days - kernel panic memory.
This is most probably a configuration related issue. I have cap ac with only 128MB system memory running wifi-qcom-ac and it reached quite 4 weeks uptime on 7.16.2 before I upgraded it to 7.17 today. It reported ~28mb of free memory before I upgraded the system.

same for me.
running 2 hAP ac2 (one with the 256MB and one with the 128MB flash storage)
both running without any issues whatsoever on wifi-qcom-ac for weeks under 7.16
 
spippan
Member
Posts: 478
Joined: Wed Nov 12, 2014 1:00 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 10:19 am

do we have any update on [SUP-134566]: BGP-VRF V7?

when that feature will be implemented.
It works perfectly fine on v6

what is the problem here?

cannot find SUP-134566 when i search for it here
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 10:46 am



This is because many people wait for the final release to pull the trigger: "omg!!!!! it broke my xyz". instead of evaluating the testing releases so Mikrotik can fix release specific issues before final version.
I respect that you want to be a MikroTik beta tester, but in a network with real network administrators and managers and hundreds of users to explain to if a software update goes wrong, this is something not everyone can afford.
I believe there’s been a misunderstanding. I’m not looking to be a beta tester, as I use RouterOS in a private capacity and don’t have the inclination to take on that additional work.

However, in a professional environment with dedicated network administrators, as you mentioned, it’s standard practice to have a lab setup for testing and evaluating configurations before rolling out updates to a production network with hundreds of users. It’s worth considering.
 
spippan
Member
Posts: 478
Joined: Wed Nov 12, 2014 1:00 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 10:57 am

do we have any update on [SUP-134566]: BGP-VRF V7?

when that feature will be implemented.
It works perfectly fine on v6

what is the problem here?

cannot find SUP-134566 when i search for it here
 
BobA
just joined
Posts: 1
Joined: Mon Jan 05, 2015 4:59 am

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 11:07 am

After upgrading my RB3011UiAS (arm) from v7.16.2 to v7.17, I had problems with CAPsMAN allowing devices to connect. Some devices that were connected before the upgrade were still able to connect. However, others were not able to connect and received the message "mikrotik received deauth: sending station leaving (3)". I told the smartphone devices to forget the WiFi network and then tried to reconnect, but it wouldn't work. I also tried connecting new devices to CAPsMAN, but none of them were able to connect, either. After working on it for a day, I downgraded back to v7.16.2 and I was able to connect with new devices and devices that were given the message "mikrotik received deauth: sending station leaving (3)".
 
erlinden
Forum Guru
Posts: 2742
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 11:22 am

You might want to open a new topic, @BobA. There you can supply your config and get some more feedback. As well, you can request for support. Did you also upgrade firmware besides RouterOS?
 
PiVi
just joined
Posts: 3
Joined: Mon Jul 07, 2014 10:36 am
Location: POLAND

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 11:43 am

If you use Wireguard multipeer, please note changelog:
*) wireguard - do not initiate handshake when peer is configured as responder;
If you do not uncheck "Responder" in Wireguard clients in RouterOS 7.17 you will have a problem.
Wireguard will not work.
The gateway remains inactive and the tunnel with the server will not be established.


PiVi
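
A pre-upgrade check for the WireGuard change described in the post above, as an added example that is not part of the original post and not MikroTik tooling: it parses a RouterOS `/export` and lists enabled peers that have both an endpoint address and the responder flag, the combination that stops dialing out in 7.17. The export key `is-responder`, the line-wrapping handling and the sample export (names, addresses, keys) are assumptions or constructed.

```python
import re
import shlex

# Assumption: the "Responder" checkbox appears in exports as is-responder=yes.
RESPONDER_KEY = "is-responder"
PEER_SECTIONS = ("/interface wireguard peers", "/interface/wireguard/peers")

# Constructed sample export; names, addresses and keys are placeholders.
SAMPLE_EXPORT = r'''# constructed sample export, not from a real device
/interface wireguard
add listen-port=13231 mtu=1420 name=wg-hub
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=vpn.example.net endpoint-port=13231 \
    interface=wg-hub is-responder=yes name=to-server persistent-keepalive=25s \
    public-key="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
add allowed-address=10.9.0.2/32 interface=wg-hub is-responder=yes name=road-warrior \
    public-key="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
add allowed-address=10.8.0.0/24 comment="branch office" endpoint-address=192.0.2.10 \
    endpoint-port=51820 interface=wg-hub name=to-branch \
    public-key="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="
/ip address
add address=10.9.0.1/24 interface=wg-hub
'''


def parse_wireguard_peers(export_text):
    """Return one property dict per 'add' line in the WireGuard peers section."""
    # Exports wrap long lines with a trailing backslash and indent the
    # continuation; drop the backslash, the newline and that indentation.
    joined = re.sub(r"\\\r?\n[ \t]*", "", export_text)
    peers, section = [], None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line          # menu path applies to the lines below it
            continue
        if section not in PEER_SECTIONS or not line.startswith("add "):
            continue
        props = {}
        # shlex keeps quoted values (comments, keys ending in '=') intact.
        for token in shlex.split(line)[1:]:
            key, sep, value = token.partition("=")
            if sep:
                props[key] = value
        peers.append(props)
    return peers


def responder_only_dialers(peers):
    """Names of enabled peers that point at a remote endpoint but are marked
    responder, i.e. this router will wait for a handshake it used to start."""
    flagged = []
    for peer in peers:
        if peer.get("disabled") == "yes":
            continue
        if peer.get(RESPONDER_KEY) == "yes" and peer.get("endpoint-address"):
            flagged.append(peer.get("name") or peer.get("public-key", "?"))
    return flagged


if __name__ == "__main__":
    for name in responder_only_dialers(parse_wireguard_peers(SAMPLE_EXPORT)):
        print(f"peer {name}: endpoint set and {RESPONDER_KEY}=yes, review before upgrading")
```

A peer without an endpoint address (the usual "server" side entry) is not reported, since a responder-only setting is the intended configuration there.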
 
kozistan
just joined
Posts: 16
Joined: Sat Jun 11, 2022 4:51 pm
Location: Prague

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 1:00 pm

for now everything look pretty good, upgrade was smooth and i found issue of my VLAN configuration. With restart routerOS was disabling my bridge port device, I was able to fix it now. Only thing I'm dealing with is the Quick Set option, with old winbox and system update I was closing the tab with OK button, now when i press it and all is running smooth I lose the connection to the device and it disappear, can not see it even with RoMON tool.
 
wispmikrotik
Member Candidate
Posts: 144
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 1:02 pm



I respect that you want to be a MikroTik beta tester, but in a network with real network administrators and managers and hundreds of users to explain to if a software update goes wrong, this is something not everyone can afford.
I believe there’s been a misunderstanding. I’m not looking to be a beta tester, as I use RouterOS in a private capacity and don’t have the inclination to take on that additional work.

However, in a professional environment with dedicated network administrators, as you mentioned, it’s standard practice to have a lab setup for testing and evaluating configurations before rolling out updates to a production network with hundreds of users. It’s worth considering.
I totally agree with you. But we also know that it is not realistic to think that a 100% functioning test can be performed in a laboratory.
 
MrYan
Member Candidate
Posts: 174
Joined: Sat Feb 27, 2010 6:13 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 1:57 pm

This
*) ppp - add routes in matching VRF;
Doesn't appear to work still:
  DIvH 194.4.172.12/32    10.86.33.193                0  main                                                                            
  DAd  0.0.0.0/0          10.86.33.193@mobile         1  mobile         10.86.33.193%vlan32  
The first route is the /32 auto-generated by l2tp-client. The l2tp-client is configured with a VRF (called mobile) in the connect-to= parameter, so should be created in the mobile VRF not main.
 
nichky
Forum Guru
Posts: 1397
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 1:58 pm

@spippan

fyi:
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 2:01 pm

@wispmikrotik
And yet, it seems that MikroTik is expected to know every possible scenario and real-world setup and perform functional tests to ensure that absolutely no one experiences any problems in their specific environment.
 
herger
Frequent Visitor
Posts: 58
Joined: Tue Aug 18, 2020 2:48 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 2:07 pm


upgrade failed, free 9 kB of kernel disk space

Free Memory: 617.6 MiB Total Memory:1024.0 MiB
Free HDD Space: 409.2 MiB Total HDD Size: 512.0 MiB
I had the same problem on my CCR2004, make sure you don't have any features in use that will get disabled by the new device-mode settings. In my case, i had the device partitioned. After removing the second partition the update went flawlessly.

A better error message might certainly help here (;

best
 
msilcher
just joined
Posts: 7
Joined: Mon Mar 09, 2009 9:39 pm
Location: Argentina

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 2:12 pm

I upgraded to 7.17 on my hAP ax2 and realized that the bridge ports are not shown as "hardware offloaded" anymore. This was always the case on previous versions. Bug?

I don't think that the hAP ax²/ax³ have ever had hardware offload support for the bridge. It's stated in the doc since the beginning:

https://help.mikrotik.com/docs/spaces/R ... Offloading
Currently, HW offloaded bridge support for the IPQ-PPE switch chip is still a work in progress. We recommend using, the default, non-HW offloaded bridge (enabled RSTP).
Sorry, my bad. I have also other devices like hAP ac2, maybe I'm confusing those 2. I'll upgrade the ac2 to see if hw-offload works.

Thanks for noticing this!
 
jbl42
Member Candidate
Posts: 228
Joined: Sun Jun 21, 2020 12:58 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 3:15 pm

I had the same problem on my CCR2004, make sure you don't have any features in use that will get disabled by the new device-mode settings. In my case, i had the device partitioned. After removing the second partition the update went flawlessly.
What takes away the possibility to easy switch back to the previous version in case you run into issues with 7.17.
Make sure to take a backup before the update and in case of pole mounted devices have a ladder ready.
 
ConradPino
Member
Posts: 390
Joined: Sat Jan 21, 2023 12:44 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 3:31 pm

I believe there’s been a misunderstanding. I’m not looking to be a beta tester, as I use RouterOS in a private capacity and don’t have the inclination to take on that additional work.
Good to know we are commonly situated.
However, in a professional environment with dedicated network administrators, as you mentioned, it’s standard practice to have a lab setup for testing and evaluating configurations before rolling out updates to a production network with hundreds of users. It’s worth considering.
Small and medium sized business can't afford this either and the enterprise population is numerically small.
 
FezzFest
Member Candidate
Posts: 103
Joined: Wed Jun 03, 2015 12:03 am

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 3:38 pm

I don't think that the hAP ax²/ax³ have ever had hardware offload support for the bridge. It's stated in the doc since the beginning:
https://help.mikrotik.com/docs/spaces/R ... Offloading
My hAP ax2 on v7.16.2 shows bridge ports are hardware-offloaded:
Image

It is buggy though, plugging in a 100Mbps ethernet device on any of the ports reduces the max switch capacity to 100Mbps.
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 3:39 pm


upgrade failed, free 9 kB of kernel disk space

Free Memory: 617.6 MiB Total Memory:1024.0 MiB
Free HDD Space: 409.2 MiB Total HDD Size: 512.0 MiB
I had the same problem on my CCR2004, make sure you don't have any features in use that will get disabled by the new device-mode settings. In my case, i had the device partitioned. After removing the second partition the update went flawlessly.

A better error message might certainly help here (;

best
This does not solve my problem with RB450Gx4. After that madness with polishing device-mode I start to feel somewhat reluctant to be unpaid outsourced beta tester of "stable" releases.
 
ConradPino
Member
Posts: 390
Joined: Sat Jan 21, 2023 12:44 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 3:52 pm

@wispmikrotik
And yet, it seems that MikroTik is expected to know every possible scenario and real-world setup and perform functional tests to ensure that absolutely no one experiences any problems in their specific environment.
MT should be using enterprise software development practices which includes for each function module, in parallel they write a unit test that covers every code path in the function module. The unit tests run late in the build cycle to catch regressions without manual testing which is where the payback occurs to offset the unit test development time. Without unit tests and as features grow the manual regression testing coverage becomes sparse (what we see today) and eventually the user base collapse death spiral occurs.

Don't excuse MT; pressure them to fix their testing process to keep their user base and business alive.
They do pretty good but testing is their weak point and it's a fixable issue.

You know if MT (A) goes open source with a closed proprietary license, and (B) adds unit testing framework to the build, then the user community could contribute to unit testing. IMO reliability and manual testing time saving leverage would be tremendous compared to the hell hole we are stuck in today.
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 4:48 pm

I’m not making excuses for Mikrotik, and I know there are better ways to approach some of these problems in software development. But the issues being discussed here—like kernel image space and hardware offloading, and similar—aren’t something unit tests can handle. These are integration issues that involve hardware and need automated integration tests, not unit tests.

Unit tests are small, focused, and usually test pure functions. When external dependencies, like hardware, are involved, it’s no longer a unit test. For example, wifi-qcom client disconnection issues can’t be tested this way. It’d be nice if we could just add tests and make all interoperability issues disappear, but it’s not that simple. Something like BGP protocol handling or DNS server implementation might work well for unit testing, though.

Let’s get back on topic. Share your experience with version 7.17, and report any issues to Mikrotik support with a **supout.rif**.
 
Ullinator
just joined
Posts: 17
Joined: Tue Jun 08, 2021 12:53 pm
Location: North-West Germany

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 5:41 pm

I must agree, @infabo.
I use 17 MT devices in my home and I participate in nearly every beta or RC to find problems and give MT feedback.
As I use automatic backups any problem is fixed fast ;-)
But I'm also an IT professional and a new ROS should be handled as all software updates, it should be tested in your environment before you roll it out in the productive environment.
In that case MT is nothing special, it's the same story for ALL vendors (Microsoft, Red Hat, F5, aso.)
I guess you would never make an in-place upgrade of a MS Server 2019 to 2025 without testing, right?
 
MrYan
Member Candidate
Posts: 174
Joined: Sat Feb 27, 2010 6:13 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 6:24 pm

I don't think that the hAP ax²/ax³ have ever had hardware offload support for the bridge. It's stated in the doc since the beginning:
https://help.mikrotik.com/docs/spaces/R ... Offloading
My hAP ax2 on v7.16.2 shows bridge ports are hardware-offloaded:
Image

It is buggy though, plugging in a 100Mbps ethernet device on any of the ports reduces the max switch capacity to 100Mbps.
You probably have protocol-mode=none configured on your bridge. The Wiki page referenced states:
Currently, HW offloaded bridge support for the IPQ-PPE switch chip is still a work in progress. We recommend using, the default, non-HW offloaded bridge (enabled RSTP).
 
Sit75
just joined
Posts: 12
Joined: Thu Mar 11, 2021 9:43 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 6:33 pm

This is most probably a configuration related issue. I have cap ac with only 128MB system memory running wifi-qcom-ac and it reached quite 4 weeks uptime on 7.16.2 before I upgraded it to 7.17 today. It reported ~28mb of free memory before I upgraded the system.
same for me.
running 2 hAP ac2 (one with the 256MB and one with the 128MB flash storage)
both running without any issues whatsoever on wifi-qcom-ac for weeks under 7.16
For curiosity, what is your wifi1 and wifi2 configuration? In my case quite basic one SSID with fast roaming on between 2,4 GHz and 5GHz bands. Allowed WPA2 and WPA3. No any interAP roaming. Nothing special. Mixed IPv4 and IPv6 traffic with majority of IPv6.
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-ABC-6754ca15 rrm=yes wnm=yes
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-n .width=20/40mhz configuration.country=Czech .mode=ap .multicast-enhance=enabled .qos-classifier=\
    priority .ssid=ABC disabled=no mtu=1500 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=no .wps=\
    disable steering=steering1
set [ find default-name=wifi2 ] channel.band=5ghz-ac .frequency=5500 .width=20/40/80mhz configuration.country=Czech .mode=ap .multicast-enhance=enabled \
    .qos-classifier=priority .ssid=ABC disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=no \
    .wps=disable steering=steering1
 
wispmikrotik
Member Candidate
Posts: 144
Joined: Tue Apr 25, 2017 10:43 am

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 6:43 pm

Ok, I have serious problem with DHCP client after upgrade to 7.17, as it drops default route on multiple type of devices (RB4011, SXTsq 5 ac). I experienced this on RCs and betas too. Routers creating autosupout.rif file after dropping def route. I try to figure out what triggers this issue.
Where do you get dhcp from? I have tried several models/scenarios and I don't see this problem.
 
maigonis
Member Candidate
Posts: 217
Joined: Sat Jul 20, 2019 8:16 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 6:44 pm

Updated devices and noticed that haps (RB951Ui-2nD) do brick with my custom config. Tried to apply config line by line and:
/ip neighbor discovery-settings
set discover-interface-list=L2_neighbor_discovery
is at fault. That list contains vxlans. Reported to sup. Updated also my hap ax lite with similar config and it was fine, so this does not affect all architectures.
 
aszodi
just joined
Posts: 10
Joined: Fri Nov 16, 2018 2:45 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 7:10 pm

Hi,
Upgraded RBLtAP-2HnD from 7.16.2 to v7.17 this morning.
These comments I want to add / ask after the upgrade:
1. Not used LTE APNs can't be deleted - even if LTE1 interface is disabled. I have 3 created for test purposes. One will stay as a tested/working one. The other two APN profiles (test) can't be deleted. Any restriction for the deletion of them?
2. LTE1 interface is used as passthrough via VLANxx interface. 4G Internet works fine. The status on the top says: "Running", "Not Slave", "Not Passthrough", "Not Inactive". So the message "Not Passthrough" is confusing in this case.
3. As the device is used as a passthrough device from 4G WAN to the main router CCR1009 and configured according to the manual - strangely one DHCP Server entry appeared and can't be deleted. Seems like a dynamic entry... The name is equal to the working and used APN "name". Is that on purpose? I read that DHCP server needs to be deleted in such a case where the device is used as an LTE passthrough.
Prior thanks for the clarification.
Regards,
Pal
Last edited by aszodi on Sat Jan 18, 2025 9:12 pm, edited 1 time in total.
 
teleport
Frequent Visitor
Posts: 71
Joined: Mon Sep 07, 2020 11:51 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 7:32 pm

Super-stable 7.17 is unable to install on RB450Gx4
upgrade failed, free 9 kB of kernel disk space
450Gx4 has 512 MB storage space and only 25% of it is used. What is going on??? Other devices with 16 MB storage updated without problems...

P. S. It seems to be an overlooked problem from rc stage -> viewtopic.php?p=1119444
Have an rb450gx4 and was able to upgrade to 7.17 without issues from 7.16.2
 
optio
Forum Veteran
Posts: 967
Joined: Mon Dec 26, 2022 2:57 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 8:33 pm

Well, crap...
19:24:07 system,error upgrade failed, free 57 kB of disk space

> /system/package/print 
Columns: NAME, VERSION, BUILD-TIME, SIZE
# NAME          VERSION  BUILD-TIME           SIZE     
0 container     7.16.2   2024-11-26 12:09:40  96.1KiB  
1 wifi-qcom-ac  7.16.2   2024-11-26 12:09:40  2676.1KiB
2 routeros      7.16.2   2024-11-26 12:09:40  11.1MiB 

> /system/resource/print 
                   uptime: 7m2s
                  version: 7.16.2 (stable)
               build-time: 2024-11-26 12:09:40
         factory-software: 6.99
              free-memory: 74.7MiB
             total-memory: 256.0MiB
                      cpu: ARM
                cpu-count: 4
            cpu-frequency: 448MHz
                 cpu-load: 3%
           free-hdd-space: 256.0KiB
          total-hdd-space: 16.0MiB
  write-sect-since-reboot: 891
         write-sect-total: 1243788
        architecture-name: arm
               board-name: D53G-5HacD2HnD
                 platform: MikroTik
Edit:
After 2nd attempt upgrade was successful, but disk space is very low:
> /system/resource/print 
                   uptime: 1m58s              
                  version: 7.17 (stable)      
               build-time: 2025-01-16 08:19:28
         factory-software: 6.99               
              free-memory: 57.9MiB            
             total-memory: 256.0MiB           
                      cpu: ARM                
                cpu-count: 4                  
            cpu-frequency: 672MHz             
                 cpu-load: 3%                 
           free-hdd-space: 68.0KiB            
          total-hdd-space: 16.0MiB            
  write-sect-since-reboot: 510                
         write-sect-total: 1245818            
        architecture-name: arm                
               board-name: D53G-5HacD2HnD     
                 platform: MikroTik 
Going back to 7.16.2 until some future version will have less disk consumption...
Last edited by optio on Sun Jan 19, 2025 12:15 am, edited 2 times in total.
 
oreggin
Member Candidate
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 8:48 pm

Super-stable 7.17 is unable to install on RB450Gx4
upgrade failed, free 9 kB of kernel disk space
450Gx4 has 512 MB storage space and only 25% of it is used. What is going on??? Other devices with 16 MB storage updated without problems...

P. S. It seems to be an overlooked problem from rc stage -> viewtopic.php?p=1119444
Have an rb450gx4 and was able to upgrade to 7.17 without issues from 7.16.2
What is your RB450Gx4's factory version?
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 9:22 pm



Have an rb450gx4 and was able to upgrade to 7.17 without issues from 7.16.2
What is your RB450Gx4's factory version?
6.45.1
 
oreggin
Member Candidate
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 9:32 pm



What is your RB450Gx4's factory version?
6.45.1
My theory is that some older versions create too small a partition for the kernel. If you repartition your device into two partitions with 7.16.2, activate the part1 (second) partition and upgrade from part1, then you could upgrade. Or make a full backup, netinstall with 7.16.2, and then the upgrade should be successful.
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 9:47 pm

I have hap ac2 with factory version 6.44 and it updated with no issue. Same chip and older factory version...
 
msilcher
just joined
Posts: 7
Joined: Mon Mar 09, 2009 9:39 pm
Location: Argentina

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 10:00 pm



My hAP ax2 on v7.16.2 shows bridge ports are hardware-offloaded:
Image

It is buggy though, plugging in a 100Mbps ethernet device on any of the ports reduces the max switch capacity to 100Mbps.
You probably have protocol-mode=none configured on your bridge. The Wiki page referenced states:
Currently, HW offloaded bridge support for the IPQ-PPE switch chip is still a work in progress. We recommend using, the default, non-HW offloaded bridge (enabled RSTP).
I validated this, setting protocol-mode=none shows hw-offloaded ports on my hAP ax2. It's a pity that in 2024/25 we still have recent products without basic features like bridge hw-offload + R/MSTP...
 
i4ko
newbie
Posts: 39
Joined: Sat Sep 26, 2015 9:23 pm
Location: Arizona/Bulgaria/Sweden/France

Re: v7.17 [stable] is released!

Sat Jan 18, 2025 10:36 pm

Not stable!

had a bad upgrade experience. Upgrade to 7.17 - no name resolution for the router or lan clients, no helpful error message - receiving nxdomain, disable/enable, change dns servers for the internal service - nada. Downgrade to 7.16/7.15 - all works fine. Upgrade to 7.17 again - no workie. Again, no dns related messages in console except for tcp syn flood on port 53!.

Tried to disable all static entries - now clients get servfail instead of nxdomain. Disable and enable again - ok, now get resolution. Going on to enable static entries one-by-one - ah, a new error appears - a duplicate entry! What? That has never been the case, and second, why do you care - ignore it, if it is truly duplicate it does not cause any indeterminate state in the config (yes, they were truly duplicate). Why is that error not in console log when the system boots and service is brought up and chokes?

You can't drop the ball like that, Mikrotik. This is a simple situation your QAs should test. And not only that, but if you roll out a service with such harebrained changes it should be a parallel optional service that you ask the users to manually enable in place of the tried and true, which should be the default - then the few that actually like to tinker with config will try it and provide feedback and give you the missing test cases that you did not cover, and only then you change what is the default. And at least put some error messages in the console. This is simply not how you produce quality!

Platform: arm32
 
exitium
just joined
Posts: 6
Joined: Fri Nov 20, 2020 9:39 pm

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 1:04 am

Nice update! I just love how it bricked my RB450Gx4 <3 <3
Factory reset got it back to life, reverted to 7.16.2, guess I'm not updating for a while.
 
stevenyobrauly
just joined
Posts: 5
Joined: Fri Dec 13, 2019 10:52 pm

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 1:05 am

*) dhcpv6-server - added IPv6 address delegation support;

This does not work. When I select a pool in ADDRESS POOL in the dhcpv6 server, I obtain in the log: pool6 refused acquire: bad preferred prefix length! (1) and the pool is properly configured
 
konstantinas
just joined
Posts: 2
Joined: Thu Jul 27, 2023 9:51 am

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 4:03 am

I was not able to upgrade an MLAG setup on two CRS312-4C+8XG switches successfully. Right after the upgrade it immediately caused a broadcast storm on the MLAG bonding interfaces which were connected to other Mikrotik appliances like CCR2116-12G-4S+, where the bonding interfaces were slave ports in a switch-chip bridge. The CCR2116 was already upgraded to the 7.17 version.

Simpler two-interface loops connected via a few Mikrotik switches in the same MSTP region also started to cause a broadcast storm and printed multiple errors like these below:
combo2 excessive broadcasts/multicasts, probably a loop
combo2: bridge RX looped packet - MAC 48:a9:8a:be:de:b5 -> 33:33:00:00:00:01 VID 500 ETHERTYPE 0x86dd
combo2: bridge RX looped packet - MAC 48:a9:8a:be:de:b5 -> 33:33:00:00:00:01 VID 500 ETHERTYPE 0x86dd
combo2: bridge RX looped packet - MAC 48:a9:8a:be:de:b5 -> ff:ff:ff:ff:ff:ff VID 500 ETHERTYPE 0x0806
combo2: bridge RX looped packet - MAC 48:a9:8a:be:de:b5 -> ff:ff:ff:ff:ff:ff VID 500 ETHERTYPE 0x0806
combo2: bridge RX looped packet - MAC 48:a9:8a:be:de:b5 -> 33:33:00:00:00:01 VID 500 ETHERTYPE 0x86dd
Thankfully rolling back to the previous 7.16.2 version restored functionality of MLAG setup.
Last edited by konstantinas on Sun Jan 19, 2025 4:30 am, edited 1 time in total.
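
A triage sketch for the loop warnings quoted in the post above, added here as an example (not code from the poster or from MikroTik): it parses `bridge RX looped packet` lines in the format shown, groups them by ingress port, source MAC and VLAN, and labels each frame by EtherType and destination class. The function names and the `min_frames` threshold are assumptions made for this example.

```python
import re
from collections import Counter

# Log lines copied from the post above (bridge loop warnings after the upgrade).
SAMPLE_LOG = """\
combo2 excessive broadcasts/multicasts, probably a loop
combo2: bridge RX looped packet - MAC 48:a9:8a:be:de:b5 -> 33:33:00:00:00:01 VID 500 ETHERTYPE 0x86dd
combo2: bridge RX looped packet - MAC 48:a9:8a:be:de:b5 -> 33:33:00:00:00:01 VID 500 ETHERTYPE 0x86dd
combo2: bridge RX looped packet - MAC 48:a9:8a:be:de:b5 -> ff:ff:ff:ff:ff:ff VID 500 ETHERTYPE 0x0806
combo2: bridge RX looped packet - MAC 48:a9:8a:be:de:b5 -> ff:ff:ff:ff:ff:ff VID 500 ETHERTYPE 0x0806
combo2: bridge RX looped packet - MAC 48:a9:8a:be:de:b5 -> 33:33:00:00:00:01 VID 500 ETHERTYPE 0x86dd
"""

MAC = r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}"
# search() is used below, so any text in front of the port name is ignored.
LOOP_RE = re.compile(
    r"(?P<port>\S+): bridge RX looped packet - MAC (?P<src>" + MAC + r")"
    r" -> (?P<dst>" + MAC + r") VID (?P<vid>\d+) ETHERTYPE (?P<etype>0x[0-9a-fA-F]{1,4})"
)
STORM_RE = re.compile(r"(?P<port>\S+) excessive broadcasts/multicasts, probably a loop")

# Well-known EtherType values; anything else is reported as hex.
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def classify_destination(mac):
    """Label a destination MAC as broadcast, IPv6 multicast, multicast or unicast."""
    mac = mac.lower()
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if mac.startswith("33:33:"):
        return "ipv6-multicast"
    if int(mac[:2], 16) & 0x01:  # group bit of the first octet
        return "multicast"
    return "unicast"


def summarize(text):
    """Aggregate loop warnings into per-flow and per-traffic-kind counters."""
    by_flow, by_kind = Counter(), Counter()
    storm_ports, unparsed = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOOP_RE.search(line)
        if m:
            etype = int(m["etype"], 16)
            proto = ETHERTYPE_NAMES.get(etype, f"0x{etype:04x}")
            by_flow[(m["port"], m["src"].lower(), int(m["vid"]))] += 1
            by_kind[(proto, classify_destination(m["dst"]))] += 1
            continue
        m = STORM_RE.search(line)
        if m:
            storm_ports.add(m["port"])
            continue
        unparsed.append(line)
    return {
        "total": sum(by_flow.values()),
        "by_flow": by_flow,
        "by_kind": by_kind,
        "storm_ports": storm_ports,
        "unicast_looped": sum(n for (_, cls), n in by_kind.items() if cls == "unicast"),
        "unparsed": unparsed,
    }


def loop_suspects(summary, min_frames=3):
    """Ports that logged a storm warning and at least min_frames looped frames.

    min_frames is an arbitrary threshold chosen for this example.
    """
    per_port = Counter()
    for (port, _src, _vid), count in summary["by_flow"].items():
        per_port[port] += count
    return sorted(p for p in summary["storm_ports"] if per_port[p] >= min_frames)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (port, src, vid), count in report["by_flow"].most_common():
        print(f"{port} src={src} vlan={vid} looped_frames={count}")
    for (proto, cls), count in report["by_kind"].most_common():
        print(f"  {proto} to {cls}: {count}")
    print("suspect ports:", loop_suspects(report))
```

On the quoted lines, every looped frame is flooded traffic (ARP broadcast and IPv6 all-nodes multicast) from one source MAC on VLAN 500, received back on combo2.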
 
krafg
Forum Guru
Posts: 1042
Joined: Sun Jun 28, 2015 7:36 pm

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 4:24 am

R11e-LTE-US is not working! With 7.16.2 works well.

Downgraded and working well again.
Last edited by krafg on Sun Jan 19, 2025 4:44 am, edited 2 times in total.
 
llity
just joined
Posts: 6
Joined: Fri Mar 15, 2024 4:35 am

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 4:25 am

ccr2004 update failed, unable to restart
 
stathismes
newbie
Posts: 28
Joined: Sun May 14, 2017 3:34 pm

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 8:50 am

It seems that 7.17 has broken the VRRP Sync Connection tracking mechanism. On my VRRP interfaces, with Torch I don't see any protocol-112 (vrrp) or UDP/8275 traffic. What gives??
 
Volui
just joined
Posts: 1
Joined: Wed Jun 28, 2023 1:22 pm

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 9:47 am

*) dhcpv6-server - added IPv6 address delegation support;

This does not work. When I select a pool in ADDRESS POOL in the dhcpv6 server, I obtain in the log: pool6 refused acquire: bad preferred prefix length! (1) and the pool is properly configured
Same here. But if I set the pool prefix length to 128 the error disappears. But the right setting for my pool prefix length is 64. With 64 in settings it gives the error "pool6 refused acquire: bad preferred prefix length!".
 
Maggiore81
Trainer
Posts: 602
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 10:48 am

Well, we should make some test before upgrading en-masse our devices. I have upgraded only one my personal router that is not critical. The other one in my network are all on the 7.16.2
 
abbio90
Member
Posts: 447
Joined: Fri Aug 27, 2021 9:16 pm
Location: Oristano

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 11:44 am

running 2 hAP ac2 (one with the 256MB and one with the 128MB flash storage)
this model is supposed to have 16MB of flash, how did you get 128 or 256MB?
 
halacs
Frequent Visitor
Posts: 91
Joined: Thu Jul 06, 2017 5:45 pm
Location: Hungary

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 11:53 am

Since I upgraded to this v7.17 release my IPv6 routing working many years ago properly is died now.

I can ping, for example, google.com from the router itself, but from the hosts behind I cannot. I request IPv6 subnet from my ISP via DHCPv6.

Strange, because with packet sniffing, I see the ICMPv6 echo requests packets on the WAN interface but no response and they never reach the remote end too.

What's more, when I try to disable a local ipv6 IP it is not possible. See the picture attached. This thing is related to a bug I reported before in email to support (different bug but related).

Image

UPDATE: Finally I downgraded back to v7.16.2 (from v7.17) and now all fine again with my IPv6 connection. Unfortunately I do not know what could be the problem but both of my two routers were affected and first seems to be fixed by the downgrade. I hope other router will be fine after the downgrade especially because it is quite far away from me so I have no physical access to it.

UPDATE2: I give up. I cannot decide if it is an ISP related issue or a Mikrotik one. After a couple of minutes it went wrong again even with the downgraded Mikrotik version.
Last edited by halacs on Sun Jan 19, 2025 2:42 pm, edited 3 times in total.
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 11:54 am

I guess you would never make an inplace upgrade of a MS Server 2019 to 2025 without testing, right?
Certainly, there are admins who might attempt such an upgrade directly, but it's always a risk. Even on Windows, untested updates - such as Exchange KBs - can cause significant issues if applied without proper research or understanding of others' experiences. Microsoft has had its fair share of problematic updates, despite being a billion-dollar enterprise. Yet, when it comes to Mikrotik, expectations of zero bugs remain sky-high - something to reflect on!
 
mkx
Forum Guru
Posts: 13138
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 2:13 pm

running 2 hAP ac2 (one with the 256MB and one with the 128MB flash storage)
this model is supposed to have 16MB of flash, how did you get 128 or 256MB?

I guess poster is confusing flash and RAM (early units came with 256MB RAM, the rest came with 128MB RAM as it was always advertised). All units AFAIK have 16MB flash (with 7.16 they "recovered" a few kB of flash compared to earlier versions).
 
Valerio5000
Member Candidate
Posts: 113
Joined: Fri Dec 06, 2013 2:38 am

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 4:57 pm

I don't know if the author got confused but in 2020-21 when AC2 came out there were some units, the first ones produced, that came out with this configuration, I remember some posts on this forum.

I take this opportunity to say that my LAN (3 AC2s one Capsman and the others CAP) work perfectly on 7.17, the only flaw that I found and that I have already reported in the various RCs is that if I use a USB key via SMB everything freezes with a nice kernel panic. I was told by MK and other users that this depends on the hardware resources of AC2. I just wanted to point it out to anyone who finds themselves in my situation.
 
anav
Forum Guru
Posts: 22232
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 6:22 pm

Well, we should make some test before upgrading en-masse our devices. I have upgraded only one my personal router that is not critical. The other one in my network are all on the 7.16.2
As a homeowner, I had no issues updating my hapax3, non-critical AP to 7.17. My main router CCR1009 will not get upgraded until 7.17.1 or 7.17.2 are released, fixing the most egregious 7.17 issues.
As an IT provider (business), I would never impose new firmware on clients without first testing all required functionality in a sandbox environment, as well as waiting for at least 7.17.1.
MT is not immune from creating new issues when fixing old issues or implementing new features.
 
npero
Member
Posts: 319
Joined: Tue Mar 01, 2005 1:59 pm
Location: Serbia

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 8:51 pm

*) wifi - added access-list stats (CLI only);
Can we get an example for this ? I could not figure it out myself and there is no documentation for it.
Find something ? I also try but can't figure out.
 
tihovsky
Frequent Visitor
Posts: 50
Joined: Mon Aug 13, 2012 11:11 pm

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 9:33 pm

Still receive "association rejected, can't find PMKSA" on v7.17 stable on 2.4 and 5 GHz channels on Chateau Pro ax, just re-tested.
It happens and gets logged in the Capsman log when a single client roams across multiple APs and roams to each.

Interesting is that it happens for the first device walk through near each AP.
But a subsequent walk through done in a couple of minutes after the first one roams fine, without reporting this error.
Packet loss when pinging during roaming is 0.5 - 1 second, regardless of whether the error is logged or not, and I couldn't notice any differences.

Settings:
WPA3 PSK,
Management protection required
Management encryption default
PMKID not disabled
Group encryption default
Group key update 23:59:00
Connect group 0/1
FT enabled
FT mobility domain defined hex value
FT over DS enabled
FT preserve VLAN ID enabled
Steering name is defined
Default Neighbour group selected (4 APs, 8 SSIDs)
RRM enabled
WNM enabled

Other settings are more or less default, apart from access list pushing clients into different VLANs based on MACs (VLAN driving which works).
Channels are ax, default width, DFS skipped, reselect interval 3-13h (and different across the bands).
Time and time zones are sync across all devices.

Hope it helps.
Last edited by tihovsky on Sun Jan 19, 2025 11:31 pm, edited 2 times in total.
 
leonardogyn
just joined
Posts: 18
Joined: Wed Dec 04, 2019 4:47 pm

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 9:41 pm

Got an interesting situation I first noticed very recently, on v7.16.2, and just confirmed to be happening on v7.17, so "reporting" it here on the v7.17 thread, with the observation I have indeed seen the very same behavior on v7.16.2 last week (when I realized it).

I was trying to add some IP Firewall Mangle rules with the extra "Hotspot" Value, via the webfig. Created a plain "accept" rule, tab Mangle, chain Prerouting, Extra,Hotspot, value "Auth", OK. Rule got created, no problem. If I click (to edit) the rule, Hotspot "Auth" is there selected, as just configured.

However, from an 'export', the rule has no hotspot criteria:
[admin@ACIEG] /ip/firewall/mangle> export terse
[ .... ]
/ip firewall mangle add action=accept chain=prerouting
[admin@ACIEG] /ip/firewall/mangle>
.
Now using Winbox, I can edit the rule and hotspot=auth appears as configured, despite not showing on export (which clearly indicates some persistency is happening, something is being saved somewhere). If I edit the rule and change something else, hotspot=auth starts appearing on the export. If I create the rule from scratch via Winbox, hotspot=auth is there on export (as expected).
.
[admin@ACIEG] /ip/firewall/mangle> export terse
[ ... ]
/ip firewall mangle add action=accept chain=prerouting hotspot=auth
[admin@ACIEG] /ip/firewall/mangle>
.
At the end, I'm confused on the rule keeping the hotspot=auth while being edited via Webfig and Winbox, after being created via Webfig, but not showing on the export. I'm not sure if the parameter is being evaluated, despite somehow being made persistent via webfig. I even tried logging off and logging in again (from Webfig), and hotspot=auth can be seen selected there, despite not being shown on export.

At the end, I'm not sure if this is a webfig problem or just an export problem. I didn't test to really check if the hotspot=auth is being enforced when it's not showing on the export. Some persistency is clearly happening, but also something clearly is weird because the hotspot=auth parameter doesn't show on export if the rule is created via Webfig.
Last edited by leonardogyn on Sun Jan 19, 2025 10:15 pm, edited 3 times in total.
 
Rox169
Member
Posts: 467
Joined: Sat Sep 04, 2021 1:47 am

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 9:43 pm

Hi,

7.17 is working great few days on:
HAP AX3, HAP AC 3, HAP AX2, HAP AC2, SXT, WAP G60, CUBE 60
 
eddieb
Member
Posts: 371
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 10:06 pm

7.17 upgrade went smooth, running on

PL7411-2nD (2x)
HAP RB962UiGS-5HacT2HnT (5x)
RB750GL (1x)
RB1100 (1x)
RB2011 (1x)
HEX RB750Gr3 (1x)
HAP AX3 (4x)
CHATEAU 5G (1x)
no unexpected issues
 
stevenyobrauly
just joined
Posts: 5
Joined: Fri Dec 13, 2019 10:52 pm

Re: v7.17 [stable] is released!

Sun Jan 19, 2025 11:43 pm

Yes, after reading the documentation on the wiki, I noticed that dhcp6 can only assign /128 addresses, which if you think about it, makes sense. Since it would be an address only for cpe management, since for navigation there would be the prefix that could be /64, /56, /48, etc.

In that sense, you must create 2 IPv6 pools, one that will assign the prefixes, for example /64 for residential users and another pool that will assign IPv6 addresses /128 to the user's cpe wan
*) dhcpv6-server - added IPv6 address delegation support;

This does not work. When I select a pool in ADDRESS POOL in the dhcpv6 server, I obtain in the log: pool6 refused acquire: bad preferred prefix length! (1) and the pool is properly configured
Same here. But if I set the pool prefix length to 128 the error disappears. But the right setting for my pool prefix length is 64. With 64 in settings it gives the error "pool6 refused acquire: bad preferred prefix length!".
 
ckleea
Frequent Visitor
Posts: 69
Joined: Sun Apr 21, 2013 12:19 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 12:18 am

Hi,

7.17 is working great few days on:
HAP AX3, HAP AC 3, HAP AX2, HAP AC2, SXT, WAP G60, CUBE 60
Hi,
May I know how you could upgrade HAP AC2 to 7.17? I am still using 7.12

What steps to upgrade?

Thanks
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 12:29 am

Use the ROS built in update functionality. It updates to latest 7.12 first. Then it upgrades to 7.13. After that you can upgrade to 7.17 finally. More info can be found at help.mikrotik.com/docs
 
teleport
Frequent Visitor
Posts: 71
Joined: Mon Sep 07, 2020 11:51 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 12:31 am



Have an rb450gx4 and was able to upgrade to 7.17 without issues from 7.16.2
What is your RB450Gx4's factory version?
uptime: 16h9m8s            
                  version: 7.17 (stable)      
               build-time: 2025-01-16 08:19:28
         factory-software: 6.45.3             
              free-memory: 871.9MiB           
             total-memory: 1024.0MiB          
                      cpu: ARM                
                cpu-count: 4                  
            cpu-frequency: 448MHz             
                 cpu-load: 12%                
           free-hdd-space: 429.2MiB           
          total-hdd-space: 512.0MiB           
  write-sect-since-reboot: 39224              
         write-sect-total: 32069553           
               bad-blocks: 0.1%               
        architecture-name: arm                
               board-name: RB450Gx4           
                 platform: MikroTik          
 
itimo01
Frequent Visitor
Posts: 50
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 12:32 am



Can we get an example for this ? I could not figure it out myself and there is no documentation for it.
Find something ? I also try but can't figure out.
I think it's talking about this:
 /interface/wifi/access-list> print
#  MAC-ADDRESS        ACTION  LAST-LOGGED-OUT      MATCH-COUNT
;;; Switch
 0  E0:F6:B5:XX:XX:XX  accept  2025-01-18 02:15:16            3
;;; Xiaomi
 1  9E:AA:77:XX:XX:XX  accept  2025-01-19 22:56:08           70
 
Kentzo
Long time Member
Posts: 630
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 4:27 am

*) smb - stability improvements for client/server;

The SMB client run by Infuse player app on Apple TV stopped working. macOS native SMB client connects without problems.

Below are dissections from Wireshark.

Infuse:
--Request by Infuse--> SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Negotiate Protocol (0x72)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18, Canonicalized Pathnames, Case Sensitivity
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc843, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Used, Extended Attributes, Long Names Allowed
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
            .... .... .1.. .... = Long Names Used: Path names in request are long file names
            .... .... ...0 .... = Security Signatures Required: Security signatures are not required
            .... .... .... 0... = Compressed: Compression is not requested
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0
        Process ID: 1344
        User ID: 0
        Multiplex ID: 0
    Negotiate Protocol Request (0x72)
        Word Count (WCT): 0
        Byte Count (BCC): 34
        Requested Dialects
            Dialect: NT LM 0.12
                Buffer Format: Dialect (2)
                Name: NT LM 0.12
            Dialect: SMB 2.002
                Buffer Format: Dialect (2)
                Name: SMB 2.002
            Dialect: SMB 2.???
                Buffer Format: Dialect (2)
                Name: SMB 2.???

<--Reply by RouterOS-- SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 0
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
    Negotiate Protocol Response (0x00)
        StructureSize: 0x0041
            0000 0000 0100 000. = Fixed Part Length: 32
            .... .... .... ...1 = Dynamic Part: True
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Dialect: SMB2 wildcard (0x02ff)
        Reserved: 0
        Server Guid: 00000000-0000-0000-0000-000000000000
        Capabilities: 0x0000000c, LARGE MTU, MULTI CHANNEL
            .... .... .... .... .... .... .... ...0 = DFS: This host does NOT support DFS
            .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
            .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES
            .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING
            .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Max Transaction Size: 1048576
        Max Read Size: 4194304
        Max Write Size: 4194304
        Current Time: Jan 19, 2025 19:31:13.155350300 PST
        Boot Time: No time specified (0)
        Blob Offset: 0x00000080
        Blob Length: 74
        Security Blob: 604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa32a3028a0261b246e6f745f646566696e65645f696e5f5246433431373840706c656173655f69676e6f7265
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                    negTokenInit
                        mechTypes: 1 item
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        negHints
                            hintName: not_defined_in_RFC4178@please_ignore
        Reserved2: 0x00000000

--Request by Infuse--> SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        Channel Sequence: 0
        Reserved: 0000
        Command: Negotiate Protocol (0)
        Credits requested: 99
        Flags: 0x00000000
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response in: 28]
    Negotiate Protocol Request (0x00)
        [Preauth Hash: d5a10eba0dae463de64e00a9d6f28d86caf27f31cbee57633eee39494cbf27b6c601bf7ee95418c314a20508a331866661c4abd3b99240566b0f96e46bb3f036]
        StructureSize: 0x0024
            0000 0000 0010 010. = Fixed Part Length: 18
            .... .... .... ...0 = Dynamic Part: False
        Dialect count: 4
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Reserved: 0000
        Capabilities: 0x00000045, DFS, LARGE MTU, ENCRYPTION
            .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS
            .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 0... = MULTI CHANNEL: This host does NOT support MULTI CHANNEL
            .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES
            .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING
            .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Client Guid: 51497ea5-5cef-b244-b964-6e8ce408a16f
        NegotiateContextOffset: 0x00000000
        NegotiateContextCount: 0
        Reserved: 0000
        Dialect: SMB 2.0.2 (0x0202)
        Dialect: SMB 2.1 (0x0210)
        Dialect: SMB 3.0 (0x0300)
        Dialect: SMB 3.0.2 (0x0302)

<--Reply by RouterOS-- SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_INSUFFICIENT_RESOURCES (0xc000009a)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response to: 24]
        [Time from request: 0.000004000 seconds]
    Negotiate Protocol Response (0x00)
        [Preauth Hash: f4c7dbdcf3ecb837e5cb129c6cc7c78a3a6f3b2b56109787fd24bcdf2ce7ac44650bd5b25beafbb863ca3411f0f53ebfc1a15743abe42cd58eb4777cdc21ddc2]
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 4
            .... .... .... ...1 = Dynamic Part: True
        Error Context Count: 0
        Reserved: 0x00
        Byte Count: 0
        Error Data: 00

macOS's Finder:
--Request by macOS--> SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Negotiate Protocol (0x72)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x08, Case Sensitivity
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc801, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Allowed
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... ...0 .... = Security Signatures Required: Security signatures are not required
            .... .... .... 0... = Compressed: Compression is not requested
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are not supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 65535
        Process ID: 1
        User ID: 65535
        Multiplex ID: 0
    Negotiate Protocol Request (0x72)
        Word Count (WCT): 0
        Byte Count (BCC): 34
        Requested Dialects
            Dialect: NT LM 0.12
                Buffer Format: Dialect (2)
                Name: NT LM 0.12
            Dialect: SMB 2.002
                Buffer Format: Dialect (2)
                Name: SMB 2.002
            Dialect: SMB 2.???
                Buffer Format: Dialect (2)
                Name: SMB 2.???

<--Reply by RouterOS-- SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 0
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
    Negotiate Protocol Response (0x00)
        StructureSize: 0x0041
            0000 0000 0100 000. = Fixed Part Length: 32
            .... .... .... ...1 = Dynamic Part: True
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Dialect: SMB2 wildcard (0x02ff)
        Reserved: 0
        Server Guid: 00000000-0000-0000-0000-000000000000
        Capabilities: 0x0000000c, LARGE MTU, MULTI CHANNEL
            .... .... .... .... .... .... .... ...0 = DFS: This host does NOT support DFS
            .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
            .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES
            .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING
            .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Max Transaction Size: 1048576
        Max Read Size: 4194304
        Max Write Size: 4194304
        Current Time: Jan 19, 2025 19:12:36.815501500 PST
        Boot Time: No time specified (0)
        Blob Offset: 0x00000080
        Blob Length: 74
        Security Blob: 604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa32a3028a0261b246e6f745f646566696e65645f696e5f5246433431373840706c656173655f69676e6f7265
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                    negTokenInit
                        mechTypes: 1 item
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        negHints
                            hintName: not_defined_in_RFC4178@please_ignore
        Reserved2: 0x00000000

--Request by macOS--> SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        Channel Sequence: 0
        Reserved: 0000
        Command: Negotiate Protocol (0)
        Credits requested: 0
        Flags: 0x00000000
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x0000feff
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response in: 58]
    Negotiate Protocol Request (0x00)
        [Preauth Hash: d31c2830b42fa5c6603ae5e67d9fbbd519687ecc35f3a604d91d0b2cf677831d9ee858e922cf7f1e2fbd9e18b9c1fef59ddb991a3fe69433da1d3eac9afa60c8]
        StructureSize: 0x0024
            0000 0000 0010 010. = Fixed Part Length: 18
            .... .... .... ...0 = Dynamic Part: False
        Dialect count: 5
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Reserved: 0000
        Capabilities: 0x0000007f, DFS, LEASING, LARGE MTU, MULTI CHANNEL, PERSISTENT HANDLES, DIRECTORY LEASING, ENCRYPTION
            .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS
            .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
            .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES
            .... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING
            .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Client Guid: 5918f3a6-8558-bf44-bce9-89cb9c46119a
        NegotiateContextOffset: 0x00000070
        NegotiateContextCount: 5
        Reserved: 0000
        Dialect: SMB 2.0.2 (0x0202)
        Dialect: SMB 2.1 (0x0210)
        Dialect: SMB 3.0 (0x0300)
        Dialect: SMB 3.0.2 (0x0302)
        Dialect: SMB 3.1.1 (0x0311)
        Negotiate Context: SMB2_PREAUTH_INTEGRITY_CAPABILITIES 
            Type: SMB2_PREAUTH_INTEGRITY_CAPABILITIES (0x0001)
            DataLength: 38
            Reserved: 00000000
            HashAlgorithmCount: 1
            SaltLength: 32
            HashAlgorithm: SHA-512 (0x0001)
            Salt: b2967270afec39d772b756b248b7e7f8c6868f28a5bd3dae84be2c94061cdd38
        Negotiate Context: SMB2_ENCRYPTION_CAPABILITIES 
            Type: SMB2_ENCRYPTION_CAPABILITIES (0x0002)
            DataLength: 10
            Reserved: 00000000
            CipherCount: 4
            CipherId: AES-256-GCM (0x0004)
            CipherId: AES-256-CCM (0x0003)
            CipherId: AES-128-GCM (0x0002)
            CipherId: AES-128-CCM (0x0001)
        Negotiate Context: SMB2_COMPRESSION_CAPABILITIES 
            Type: SMB2_COMPRESSION_CAPABILITIES (0x0003)
            DataLength: 10
            Reserved: 00000000
            CompressionAlgorithmCount: 1
            Flags: 0x00000000
                .... .... .... .... .... .... .... ...0 = Chained: False
                0000 0000 0000 0000 0000 0000 0000 000. = Reserved: 0x00000000
            CompressionAlgorithmId: None (0x0000)
        Negotiate Context: SMB2_SIGNING_CAPABILITIES 
            Type: SMB2_SIGNING_CAPABILITIES (0x0008)
            DataLength: 6
            Reserved: 00000000
            SigningAlgorithmCount: 2
            SigningAlgorithmId: AES-GMAC (0x0002)
            SigningAlgorithmId: AES-CMAC (0x0001)
        Negotiate Context: SMB2_NETNAME_NEGOTIATE_CONTEXT_ID 
            Type: SMB2_NETNAME_NEGOTIATE_CONTEXT_ID (0x0005)
            DataLength: 58
            Reserved: 00000000
            Netname: Shared Movies._smb._tcp.local

<--Reply by RouterOS-- SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x0000feff
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response to: 54]
        [Time from request: 0.000007000 seconds]
    Negotiate Protocol Response (0x00)
        [Preauth Hash: 5c8cf3670d9ca5d3b91e2199ac05900e9dc87288dfab3e1ebf702d0fba52eaeafe46ae3070c36de4b1460af9540cd3ceeb601c97b62ba1d73ab22a9a011d192f]
        StructureSize: 0x0041
            0000 0000 0100 000. = Fixed Part Length: 32
            .... .... .... ...1 = Dynamic Part: True
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Dialect: SMB 3.1.1 (0x0311)
        NegotiateContextCount: 3
        Server Guid: 00000000-0000-0000-0000-000000000000
        Capabilities: 0x0000000c, LARGE MTU, MULTI CHANNEL
            .... .... .... .... .... .... .... ...0 = DFS: This host does NOT support DFS
            .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
            .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES
            .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING
            .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Max Transaction Size: 1048576
        Max Read Size: 4194304
        Max Write Size: 4194304
        Current Time: Jan 19, 2025 19:12:36.820239300 PST
        Boot Time: No time specified (0)
        Blob Offset: 0x00000080
        Blob Length: 74
        Security Blob: 604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa32a3028a0261b246e6f745f646566696e65645f696e5f5246433431373840706c656173655f69676e6f7265
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                    negTokenInit
                        mechTypes: 1 item
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        negHints
                            hintName: not_defined_in_RFC4178@please_ignore
        NegotiateContextOffset: 0x000000d0
        Negotiate Context: SMB2_PREAUTH_INTEGRITY_CAPABILITIES 
            Type: SMB2_PREAUTH_INTEGRITY_CAPABILITIES (0x0001)
            DataLength: 38
            Reserved: 00000000
            HashAlgorithmCount: 1
            SaltLength: 32
            HashAlgorithm: SHA-512 (0x0001)
            Salt: edb44f22adfc8867776d42525d298d1ee4b228e0690e951e33ad271ab36e6f6a
        Negotiate Context: SMB2_ENCRYPTION_CAPABILITIES 
            Type: SMB2_ENCRYPTION_CAPABILITIES (0x0002)
            DataLength: 4
            Reserved: 00000000
            CipherCount: 1
            CipherId: AES-128-GCM (0x0002)
        Negotiate Context: SMB2_SIGNING_CAPABILITIES 
            Type: SMB2_SIGNING_CAPABILITIES (0x0008)
            DataLength: 4
            Reserved: 00000000
            SigningAlgorithmCount: 1
            SigningAlgorithmId: AES-CMAC (0x0001)
SUP-176851
 
massinia
Member Candidate
Posts: 194
Joined: Thu Jun 09, 2022 7:20 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 11:22 am

R11e-LTE-US is not working! With 7.16.2 works well.

Downgraded and working well again.
It works perfectly for me, do you also have this firmware?
R11e-LTE6_V038
 
eworm
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 11:42 am

Hmm, on some devices I see a lot of...
system;warning possible SYN flooding on tcp port 53
... though this is just regular DNS traffic on a hotspot. Can I mitigate this warning from being triggered?
 
matiss
MikroTik Support
Posts: 39
Joined: Fri Dec 30, 2016 10:13 am

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 11:50 am

i4ko
Please send supout.rif file from your device to support@mikrotik.com
 
ArtisM
MikroTik Support
Posts: 12
Joined: Thu Jun 25, 2020 12:29 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 12:32 pm

Hi,
Upgraded RBLtAP-2HnD from 7.16.2 to v7.17 this morning.
These comments I want to add / ask after the upgrade:
1., not used LTE APNs can't be deleted - even if LTE1 interface is disabled. I have 3 created for test purpose. One will stay as a tested/working one. Other two APN profiles (test) can't be deleted. Any restriction for the deletion of them?
2., LTE1 interface is used as passthrough via VLANxx interface. 4GInternet works fine. The status on the top says: "Running", "Not Slave", "Not Passthrough", "Not Inactive". So the message "Not Passthrough" is confusing in this case.
3., As the device is used as a passthrough device from 4G WAN to the main router CCR1009 and configured according to the manual - strangely one DHCP Server entry appeared and can't be deleted. Seems like dynamic entry... The name is equal to the working and used APN "name". Is that with purpose? I read that DHCP server needs to be deleted in such case where device used as an LTE passthrough.
Regarding #3, dynamic DHCP servers are used to hand out IP info to LTE passthrough client in this and previous RouterOS versions, most likely was not noticing it.

Regarding #1 and #2, please create Supout file with extended LTE logging enabled and open servicedesk ticket.
[https://help.mikrotik.com/servicedesk/servicedesk]

This article explains how to make a Supout.rif file:
[https://help.mikrotik.com/docs/display/ROS/Supout.rif]

Use following commands to enable extended LTE logging:
/system logging action remove [find name=support]
/system logging action add name=support target=memory memory-lines=16383
/system logging add action=support topics=lte
 
Scorcerer
just joined
Posts: 3
Joined: Tue Nov 22, 2022 11:23 am
Location: Poland

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 12:44 pm

It seems that 7.17 has broken the VRRP Sync Connection tracking mechanism. On my VRRP interfaces with Torch and I don't see any protocol-112 (vrrp) or UDP/8275 traffic. What gives??
Yup, seeing the same thing, it shows like this:
Screenshot_20250120_114301.png
Also, when one router was 7.17 and the other 7.16.x the VRRP would move master from the older to newer one when it was not supposed to (higher priority on older).
 
yhfung
Member Candidate
Posts: 162
Joined: Tue Nov 20, 2012 6:58 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 1:00 pm

I had uploaded v7.17 for my device RB951G-2HnD and carried out tests as in CCR1009 v7.16.1 [1]. The results failed again. The attached excerpt of "RouterOS version 7.17 have been released in the "v7 stable" channel!" is shown below:

*) dns - do not look up local cache when executing ":resolve" command with specified "server" parameter (introduced in v7.16);


Ref.
[1] viewtopic.php?p=1103784#p1103784
 
stathismes
newbie
Posts: 28
Joined: Sun May 14, 2017 3:34 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 1:05 pm

Yup, seeing the same thing, it shows like this:
Screenshot_20250120_114301.png
Also, when one router was 7.17 and the other 7.16.x the VRRP would move master from the older to newer one when it was not supposed to (higher priority on older).
Exactly... I have this red message too.. I should open a SUP but can't do it yet as I'm on vacation.
 
ArtisM
MikroTik Support
Posts: 12
Joined: Thu Jun 25, 2020 12:29 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 1:14 pm

R11e-LTE-US is not working! With 7.16.2 works well.

Downgraded and working well again.
There are no known general connectivity issues with R11e-LTE-US under RouterOS v7.17 control.

Regarding the log in the screenshot, according to it the modem reports that it's registered in the home cellular network and instantly reports registration is lost.

Please create Supout file with extended LTE logging enabled from v7.17 and v7.16.2 for reference and open servicedesk ticket.
[https://help.mikrotik.com/servicedesk/servicedesk]

This article explains how to make a Supout.rif file:
[https://help.mikrotik.com/docs/display/ROS/Supout.rif]

Use following commands to enable extended LTE logging:
/system logging action remove [find name=support]
/system logging action add name=support target=memory memory-lines=16383
/system logging add action=support topics=lte
 
saaremaa
Member Candidate
Posts: 163
Joined: Tue Feb 02, 2010 7:48 pm
Location: Lithuania, Kaunas

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 1:19 pm

After upgrading to 7.17 the dhcp+radius bundle stopped working. We switched back to 7.16.2 and everything works as it should. DHCP clients receive ip after authorization via radius.
 
aszodi
just joined
Posts: 10
Joined: Fri Nov 16, 2018 2:45 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 2:14 pm

Hello ArtisM,
A support case is created under SUP-176902 for point 1 and 2
For Point 3 I think the IP / DHCP server dynamic entry should be noted in LTE > "Passthrough Example" section on WIKI (https://help.mikrotik.com/docs/spaces/R ... 146563/LTE)
Now the reading is this: "...On the host on the network where the Passthrough is providing the IP a DHCP-Client should be enabled on that interface too..."
Better to extend it with this text "LTE Passthrough mode activation will dynamically create a DHCP server entry with name of the APN used for such purpose, which can't be deleted". Or similar.
Many of us found info how to do this correctly on Mikrotik and other sites, like this as well (https://wisp.net.au/blog/news/how-do-i- ... tik-router), Step 3 clearly said to disable DHCP Server. I know that the site is not yours, but Mikrotik WIKI does not say about the DHCP Server.
Hi,
Upgraded RBLtAP-2HnD from 7.16.2 to v7.17 this morning.
These comments I want to add / ask after the upgrade:
1., not used LTE APNs can't be deleted - even if LTE1 interface is disabled. I have 3 created for test purpose. One will stay as a tested/working one. Other two APN profiles (test) can't be deleted. Any restriction for the deletion of them?
2., LTE1 interface is used as passthrough via VLANxx interface. 4GInternet works fine. The status on the top says: "Running", "Not Slave", "Not Passthrough", "Not Inactive". So the message "Not Passthrough" is confusing in this case.
3., As the device is used as a passthrough device from 4G WAN to the main router CCR1009 and configured according to the manual - strangely one DHCP Server entry appeared and can't be deleted. Seems like dynamic entry... The name is equal to the working and used APN "name". Is that with purpose? I read that DHCP server needs to be deleted in such case where device used as an LTE passthrough.
Regarding #3, dynamic DHCP servers are used to hand out IP info to LTE passthrough client in this and previous RouterOS versions, most likely was not noticing it.

Regarding #1 and #2, please create Supout file with extended LTE logging enabled and open servicedesk ticket.
[https://help.mikrotik.com/servicedesk/servicedesk]

This article explains how to make a Supout.rif file:
[https://help.mikrotik.com/docs/display/ROS/Supout.rif]

Use following commands to enable extended LTE logging:
/system logging action remove [find name=support]
/system logging action add name=support target=memory memory-lines=16383
/system logging add action=support topics=lte
 
viteralex
just joined
Posts: 11
Joined: Wed Dec 01, 2021 8:21 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 4:36 pm

In CLI Responder parameter for Wireguard peer renamed to "responder" and was "is-responder" in previous versions. So some exported configs will produce syntax error
 
iradrian
just joined
Posts: 1
Joined: Mon Sep 12, 2022 10:39 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 7:37 pm

Thank you Deniss for your effort. I wanted not to be rude, but closing the tickets with kernel crashes without any solution makes me little bit angry. And not only here, in my job (mobile telco industry) too. :-)) Resources are in my case fine, I have 256MB RAM, not only 128MB. I am willing to test it, if you want.
We are working towards optimizing wireless-qcom-ac as we try to optimize other packages to be less resource heavy, but it is still a work in progress. As of this moment, wifi-qcom-ac is known and expected to take up more resources (including RAM) than legacy wireless drivers.
Yes, thanks team! I also opened a ticket on it a little bit more than a year ago (7.13 at that time). But my experience is little bit different than yours and others reporting "its fine" in this topic. So for me it's been random kernel crash, but generally speaking likely tied to serious traffic going through the AP via wifi (speedtest etc.). Sometimes after updates I had a kernel panic within 24 hours, sometimes after days, weeks, sometimes it was fine for multiple months after this. But the issue was there. I received an update on my ticket then 7.17rc1 came out, and not installed 7.17 on all my devices - has been stable on all these, so fingers crossed.
 
Matthiastik
Frequent Visitor
Posts: 58
Joined: Wed Apr 25, 2018 1:31 am

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 7:38 pm

Hi,


Where did all data in ip->kid-control and activity field go? After upgrade today on rb4011 the activity field is empty but the rest seems to be the same.

Cheers
 
ollit
newbie
Posts: 27
Joined: Tue May 23, 2017 3:14 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 9:31 pm

I have a problem with CRS112-8P-4S / 7.16.2 (stable) after installing the 7.17 update.

Since then, the CPU has been much more heavily utilised and accordingly there is a lot of hiccups when transferring data. I have tested it with a connected AccessPoint, a bridge with VLAN is configured. The SSID is in an extra subnet/VLAN.

Under 7.16.2 and previous versions there are no restrictions. With 7.17, for example, a YouTube video loads very slowly and is unusable.

I have reinstalled 7.16.2 and the problems are gone.

How can I provide support so that the problem can be found?

Sorry for my english.
 
erlinden
Forum Guru
Posts: 2742
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 10:13 pm

For the CRS112 it is important to configure the switch chip instead of the bridge. Otherwise all traffic will be passed through the CPU.

Therefore, please share the config (in a new topic) to validate current config.
When running into problems, create a supout file and send it to support:
https://help.mikrotik.com/docs/spaces/R ... Supout.rif
https://help.mikrotik.com/servicedesk/s ... on=portals

Did you both update RouterOS and firmware?
 
fischerdouglas
Frequent Visitor
Posts: 75
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 10:53 pm

So many new issues...

Could someone help listing the "hypothetical" new issues that our friends brought here to this thread?
I honestly lost count.

Is this Stable, RC, Beta, or Alpha?
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 10:58 pm

It is RouterOS version 7.17 released in the "v7 stable" channel.
 
leonardogyn
just joined
Posts: 18
Joined: Wed Dec 04, 2019 4:47 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 11:32 pm

From 4 (four) RB4011s routers I have, in 3 of them the Webfig skin is not working at all with v7.17. File is present on the correct place (skins/skinname.json) but is not selectable via System/User/Groups menu. Just revised the v7.17rc thread, and one user reports the same behavior I'm facing with different RC versions.

In previous versions, this also happens here and there, and in almost all cases, rebooting would force the skin to appear as an option. With v7.17, rebooting changes nothing.

And fun fact is that in 1 RB4011 router, it's just working. It was running v7.16.2, updated to v7.17, and it just worked. On the other 3 RB4011s, skin value for the Group got set to something garbage (example /user group set full skin=*182E) and I cannot get it to work again anymore.

Tried creating a new skin from scratch, using the Skin Designer, saved it, file was created on the disk, but just can't select it either.
 
ollit
newbie
Posts: 27
Joined: Tue May 23, 2017 3:14 pm

Re: v7.17 [stable] is released!

Mon Jan 20, 2025 11:44 pm

I have created a new topic. @erlinden
 
pe1chl
Forum Guru
Posts: 10550
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 12:12 am

In CLI Responder parameter for Wireguard peer renamed to "responder" and was "is-responder" in previous versions. So some exported configs will produce syntax error
You should understand in general that while RouterOS does automatically convert configuration when you upgrade (and it usually also works OK when you downgrade), there is no compatibility between exported configuration between versions.
So, you cannot (in general) import a configuration that was exported under another version (earlier or later)! It may work, it often works, but it also regularly fails.

Sure it would be nice when a later version could always read an export from an earlier version, e.g. by having later versions recognize both names of the parameter and then store it under the new name, but that has not been the case in RouterOS for as long as I know.
It would also be nice when an import would not fatally terminate when it encounters such an error, but rather it just outputs a warning and skips the parameter or the entire line, then continues with the next. But, RouterOS does not do that either.
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 1:06 am

The new WebFig redesign has quite a few visual issues, especially in Safari. My skin file works fine as far as I see, but I’m scared to click around too much because I’m worried a wrong click might mess up my config.
 
elcano89
just joined
Posts: 1
Joined: Mon Apr 10, 2017 9:46 am

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 5:08 am

We noticed a bug that doesn't seem to be unique to 7.17

We have 2 CCR1072s on v7.17 and v7.16.2, and neither will link the ether1 copper lan port (the one used for netbooting). You can physically see the port's LEDs light up, but in routerOS, the link remains down. We were able to replicate the issue with a spare CCR1072 that was running v6. The port works and links normally in v6, but as soon as we upgrade it to 7.16.2, the port will light up the LEDs, but will not link on routerOS. We didn't test how far back this goes on the v7 tree.

We tested plugging a different device just in case, same outcome. We also tried to disable auto-neg on the port, and it won't link as well. Netbooting to netinstall is not affected and will work correctly running v7.
 
bbs2web
Member Candidate
Posts: 234
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 8:14 am

Upgraded a RB1100AHx2 from 7.16.2 to 7.17 on Friday afternoon, everything was fine up until last night when the DHCP server stopped issuing DHCP leases. Service Desk unfortunately restarted the router without first collecting a supout.rif file but that fixed the issue.

Will most probably need to wait for the issue to re-occur, so that we can give support something to work with.
 
oreggin
Member Candidate
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 11:21 am

Upgraded a RB1100AHx2 from 7.16.2 to 7.17 on Friday afternoon, everything was fine up until last night when the DHCP server stopped issuing DHCP leases. Service Desk unfortunately restarted the router without first collecting a supout.rif file but that fixed the issue.

Will most probably need to wait for the issue to re-occur, so that we can give support something to work with.
Fortunately my RB1100AHx2 continuously serving DHCP clients for more than 4 days without any problem. There is no RADIUS or any special case, only static and dynamic bindings.
 
pekr
Member Candidate
Posts: 170
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic
Contact:

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 1:11 pm

My log is full of "cache full, not storing [ignoring repeated messages]" messages. hAP AX2 here. Cache contains only cca 380 items. For some time, I have run an Adlist. Due to missing redirection for Googleadservices, I have disabled it, restarted the router, but the messages still do appear, though not so frequently. Was not observing it before. Turned on the logging for DNS topic, but not sure what should I look into. Anyone observing anything similar?
 
erlinden
Forum Guru
Posts: 2742
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 1:24 pm

Not sure what memory is used for adlist, but you might want to decrease its size:
/ip dns cache-size

What is it currently set to? Default is 2048.
 
whatever
Member
Posts: 368
Joined: Thu Jun 21, 2018 9:29 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 1:38 pm

After updating my RB4011+RM from 7.16.2 to 7.17, several IP related settings were lost/reset to default. Caught it because the router was suddenly sending out neighbor discovery packets.

These settings went missing:
/ip neighbor discovery-settings set discover-interface-list=none
/ip settings set max-neighbor-entries=8192 rp-filter=strict
/ipv6 settings set accept-redirects=no accept-router-advertisements=no max-neighbor-entries=8192
 
oreggin
Member Candidate
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 2:00 pm

Ok, I have serious problem with DHCP client after upgrade to 7.17, as it drops default route on multiple type of devices (RB4011, SXTsq 5 ac). I experienced this on RCs and betas too. Routers creating autosupout.rif file after dropping def route. I try to figure out what triggers this issue.
Confirm, I have the same problem on RB5009. I’ve implemented a workaround script to trigger DHCP release once the obtained default route gets missing.
Do you use VPNv6 in BGP?
 
oreggin
Member Candidate
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 2:01 pm

I can confirm this - happened on my hEX Refresh too. Triggered a dhcp release and it went back to normal.
Do you use VPNv6 in BGP?
 
npeca75
Frequent Visitor
Posts: 75
Joined: Thu Aug 03, 2017 3:12 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 2:30 pm

> [stable] is released!

far from stable ...

rb760igs
crs326-24g-2s+

both have same problem
a few hours after update, one of the CPU cores goes to 100%, dhcp leases are not served any more, login from winbox shows EMPTY windows in IPv4 dhcp server/network/leases
after reboot, everything is back to normal
 
erlinden
Forum Guru
Posts: 2742
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 3:19 pm

@npeca75, can you share their configs for sanity checking?
 
leonardogyn
just joined
Posts: 18
Joined: Wed Dec 04, 2019 4:47 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 3:29 pm

After updating my RB4011+RM from 7.16.2 to 7.17, several IP related settings were lost/reset to default. Caught it because the router was suddenly sending out neighbor discovery packets.

These settings went missing:
/ip neighbor discovery-settings set discover-interface-list=none
/ip settings set max-neighbor-entries=8192 rp-filter=strict
/ipv6 settings set accept-redirects=no accept-router-advertisements=no max-neighbor-entries=8192
.
I also noticed neighbor settings changing in some routers while upgrading from v7.16.2 to v7.17.
 
rushlife
Member Candidate
Posts: 254
Joined: Thu Nov 05, 2015 12:30 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 3:56 pm

yeah, I can confirm this. Couple of my units had different setting of discover-interface.
 
jbl42
Member Candidate
Posts: 228
Joined: Sun Jun 21, 2020 12:58 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 4:05 pm

TLDR: ROS DNS forwarder should not switch upstream DNS server just because a single request was answered with status SERVFAIL, because SERVFAIL does not necessarily indicate a problem with the specific DNS server.

Long story:
I'm not sure if this is new with the DNS refactoring listed in the 7.17 release notes: My RB5009 at home has been running 7.17 for 4 days (work stuff has to stay on 7.13 until BGM issues are solved).
It works quite well, but yesterday I noticed the DNS forwarder is seemingly random switching btw. configured upstream resolvers. Packet sniffing DNS traffic did not show any timeouts or otherwise missing DNS responses. Further inspection showed that ROS 7.17 DNS cache/forwarder is changing the upstream server every time it gets SERVFAIL as a response.
SERVFAIL means the server could not resolve the request, but this might be because of an issue with the DNS server responsible for a given domain, not a problem of the actual upstream server queried.

One example is zeropaper.com.br. This domain is still officially registered, but the DNS server listed as responsible server does return REFUSED if asked for anything related to zeropaper.com.br.
All "big" DNS servers (1.1.1.1, 8.8.8.8, 9.9.9.9) respond with SERVFAIL if queried. They ask the official server, which returns REFUSED which in turn is translated to SERVFAIL causing the ROS DNS forwarder to switch to the next configured upstream DNS server.

My wife had an old app on her phone, which asked every few minutes for a host in zeropaper.com.br. The response by the upstream server is SERVFAIL, and the ROS DNS forwarder switches to the next upstream DNS server in the list. It can be manually triggered anytime by running dig zeropaper.com.br on a client using the ROS DNS forwarder. This is not an issue at my home, as both DNS servers are equally good. But there are customer sites, where the secondary DNS server is much slower and really should only be used if the primary one does not work or cannot be reached. The problem can be mitigated by adding a static NXDOMAIN to the ROS DNS forwarder for the affected domain. But the same issue can happen anytime for any other domain returning SERVFAIL.

Steps to reproduce: Run dig zeropaper.com.br (or nslookup zeropaper.com.br on Windows) while capturing DNS traffic on the WAN interface and see the ROS DNS cache/forwarder changing to the next upstream DNS server in the list.
 
Ullinator
just joined
Posts: 17
Joined: Tue Jun 08, 2021 12:53 pm
Location: North-West Germany

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 4:24 pm

> [stable] is released!

far from stable ...

rb760igs
crs326-24g-2s+

both have same problem
a few hours after update, one of the CPU cores goes to 100%, dhcp leases are not served any more, login from winbox shows EMPTY windows in IPv4 dhcp server/network/leases
after reboot, everything is back to normal
Maybe you are willing to participate in the beta and rc cycles to identify more bugs, before it gets "stable" like I do? :-)
 
ConradPino
Member
Posts: 390
Joined: Sat Jan 21, 2023 12:44 pm
Contact:

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 4:38 pm

Maybe you are willing to participate in the beta and rc cycles to identify more bugs, before it gets "stable" like I do? :-)
Most users like myself can't afford to duplicate their network.

IMO MikroTik is making two (2) mistakes, (A) sub-standard software testing (too many regressions) compared to competition, and (B) releasing new features before fixing old bugs. This release is the worst possible combination, releasing new broken features at the same time breaking old features.
 
irrwitzer
just joined
Posts: 24
Joined: Mon Apr 11, 2022 11:54 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 4:43 pm

Hi Mikrotik,

In addition to the annoyingly lost settings for /ip neighbor discovery-settings I noticed two typos in new LoRA option fields:
> iot/lora/set forward=
crc-validtaion     dev-addr-validtaion     proprietary-traffic
should be validation in both cases I assume.

I also lost the important settings for URPF and syncookies:
	
- /ip settings
- set max-neighbor-entries=8192 rp-filter=loose tcp-syncookies=yes
There's also this minor cosmetic bug:
/system clock
- set time-zone-name=Europe/Amsterdam
+ set time-zone-name=Europe/London
All of those when upgrading 7.16.2 to 7.17.0.

Thanks for your great efforts and please keep doing that great work despite all the criticism ;-)

Irrwitzer
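
An added example (not part of any post above, and not MikroTik tooling): a pre/post-upgrade check for the hardening settings that several posters report losing. It assumes plain-text "/export" output saved before and after the upgrade, in which a value equal to the default is omitted; both sample exports are constructed from the settings quoted in this thread, and all function names are hypothetical.

```python
import shlex

# Hardening settings named in this thread as lost after 7.16.2 -> 7.17.
WATCHED = {
    "/ip settings": {"rp-filter", "tcp-syncookies"},
    "/ip neighbor discovery-settings": {"discover-interface-list"},
    "/ipv6 settings": {"accept-redirects", "accept-router-advertisements"},
}

def logical_lines(text):
    """Join export lines wrapped with a trailing backslash (may split mid-value)."""
    out, buf, cont = [], "", False
    for raw in text.splitlines():
        piece = raw.rstrip()
        if cont:
            piece = piece.lstrip()      # continuation lines are indented
        cont = piece.endswith("\\")
        if cont:
            buf += piece[:-1]           # keep any space that preceded the backslash
        else:
            out.append((buf + piece).strip())
            buf = ""
    if buf:
        out.append(buf.strip())
    return out

def parse_export(text):
    """Return {(section, key): value} for watched keys only."""
    settings, section = {}, None
    for line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            # Accept both "/ip settings" + "set ..." and the one-line form.
            head, sep, rest = line.partition(" set ")
            section = head.strip()
            if not sep:
                continue
            line = "set " + rest
        if section in WATCHED and line.startswith("set "):
            for token in shlex.split(line[4:]):
                key, eq, value = token.partition("=")
                if eq and key in WATCHED[section]:
                    settings[(section, key)] = value
    return settings

def hardening_drift(before_text, after_text):
    """List (section, key, old, new); new is None when the key reverted to default."""
    before, after = parse_export(before_text), parse_export(after_text)
    drift = []
    for (section, key), old in sorted(before.items()):
        new = after.get((section, key))
        if new != old:
            drift.append((section, key, old, new))
    return drift

def restore_commands(drift):
    """Build one 'set' command per section that re-applies the old values.
    Watched values contain no spaces, so no quoting is needed here."""
    by_section = {}
    for section, key, old, _new in drift:
        by_section.setdefault(section, []).append(f"{key}={old}")
    return [f"{section} set {' '.join(pairs)}" for section, pairs in by_section.items()]

# Constructed sample: export taken on 7.16.2 before upgrading.
BEFORE = r"""
# constructed pre-upgrade export
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192 rp-filter=loose \
    tcp-syncookies=yes
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no max-neighbor-entries=8192
"""

# Constructed sample: export after the upgrade, with several values back at default.
AFTER = r"""
# constructed post-upgrade export
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set accept-redirects=no max-neighbor-entries=8192
"""

if __name__ == "__main__":
    found = hardening_drift(BEFORE, AFTER)
    for section, key, old, new in found:
        print(f"{section}: {key} was {old!r}, now {new if new is not None else 'default'}")
    for command in restore_commands(found):
        print(command)
```

Review the generated commands before pasting them into a terminal; they only cover the keys listed in WATCHED.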
 
un9edsda
Frequent Visitor
Posts: 83
Joined: Sun Mar 15, 2020 11:11 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 4:50 pm

...
We have 2 CCR1072s on v7.17 and v7.16.2, and neither will link the ether1 copper lan port (the one used for netbooting). You can physically see the port's LEDs light up, but in routerOS, the link remains down. We were able to replicate the issue with a spare CCR1072 that was running v6. The port works and links normally in v6, but as soon as we upgrade it to 7.16.2, the port will light up the LEDs, but will not link on routerOS. We didn't test how far back this goes on the v7 tree.
...
So you were not able to reproduce the same issue on v6.
When you did the move to v7 have you upgraded or used Netinstall? If the former, then does the issue persist if you Netinstall the latest stable 7.17.0 without default configuration, then reach the desired configuration state by starting from scratch (or applying the result of the export verbose show-sensitive file=desired_name done on 7.17.0 one command at a time)?
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 5:05 pm



What is your RB450Gx4's factory version?
uptime: 16h9m8s            
                  version: 7.17 (stable)      
               build-time: 2025-01-16 08:19:28
         factory-software: 6.45.3             
              free-memory: 871.9MiB           
             total-memory: 1024.0MiB          
                      cpu: ARM                
                cpu-count: 4                  
            cpu-frequency: 448MHz             
                 cpu-load: 12%                
           free-hdd-space: 429.2MiB           
          total-hdd-space: 512.0MiB           
  write-sect-since-reboot: 39224              
         write-sect-total: 32069553           
               bad-blocks: 0.1%               
        architecture-name: arm                
               board-name: RB450Gx4           
                 platform: MikroTik          
system,arm - automatically increase boot part size on upgrade or netinstall (fixed upgrade failed due to a lack of space on kernel disk/partition)
It looks like they found a way to fix this problem in 7.18 beta - but why this was not made in correct way in the first place?
 
sirbryan
Member
Posts: 418
Joined: Fri May 29, 2020 6:40 pm
Location: Utah
Contact:

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 6:01 pm

Most users like myself can't afford to duplicate their network.

IMO MikroTik is making two (2) mistakes, (A) sub-standard software testing (too many regressions) compared to competition, and (B) releasing new features before fixing old bugs. This release is the worst possible combination, releasing new broken features at the same time breaking old features.

Here's some advice then, to everybody who complains every time there's a new release, from someone who's been doing this for 20+ years:

Don't put brand new releases on your devices unless there's a feature or fix you specifically need, and even then, be prepared for other things to break. With RouterOS 7, wait until at least a point release or two before upgrading production devices, especially if you don't have a way to test beforehand.

If having the latest and greatest is that critical to you, buy some cheaper hardware to test with, or lab things up in GNS3 (for free).
 
elcano89
just joined
Posts: 1
Joined: Mon Apr 10, 2017 9:46 am

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 6:35 pm

...
We have 2 CCR1072s on v7.17 and v7.16.2, and neither will link the ether1 copper lan port (the one used for netbooting). You can physically see the port's LEDs light up, but in routerOS, the link remains down. We were able to replicate the issue with a spare CCR1072 that was running v6. The port works and links normally in v6, but as soon as we upgrade it to 7.16.2, the port will light up the LEDs, but will not link on routerOS. We didn't test how far back this goes on the v7 tree.
...
So you were not able to reproduce the same issue on v6.
When you did the move to v7 have you upgraded or used Netinstall? If the former, then does the issue persist if you Netinstall the latest stable 7.17.0 without default configuration, then reach the desired configuration state by starting from scratch (or applying the result of the export verbose show-sensitive file=desired_name done on 7.17.0 one command at a time)?
I quote my original post:

"We were able to replicate the issue with a spare CCR1072 that was running v6. The port works and links normally in v6, but as soon as we upgrade it to 7.16.2, the port will light up the LEDs, but will not link on routerOS."

In simple words, running the last v6 long-term version does NOT present the issue, port works as intended. The issue is only present running v7, regardless of how it was upgraded to v7 (via normal upgrade, or reinstalling with netinstall). Going back to v6 solves the issue. The test CCR1072 was clean, no config, and the problem is present as well. I mentioned netinstall because the port does work if you netboot with v7 installed, but a normal boot to routerOS v7 makes the port unusable. We tried these methods, all with the same outcome (no link on v7):

- Normal upgrade with no config (clean slate) from v6 to v7.
- Netinstall v7.17 clean with no config.
- Netinstall v7.16.2 clean with no config.
- Normal upgrade from clean net-installed v7.16.2 to v7.17.

The problem is present and can be replicated under any state on v7.16.2 and v7.17 on our 2 production CCR1072s and the test CCR1072.
 
pekr
Member Candidate
Posts: 170
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic
Contact:

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 6:41 pm

Not sure what memory is used for adlist, but you might want to decrease its size:
/ip dns cache-size

What is it currently set to? Default is 2048.
Realising that after the Google search I could not reach many sites (related to not having whitelisted googleadservices.com), I have turned the ad-list feature off (disabling the item), so it should not be imo relevant.

The cache size is default, 2048, 346 items recently. Looking into the ip/dns output though, it seems, that the cache is full .....
                     servers: 8.8.8.8
                               4.4.4.4
              dynamic-servers:        
               use-doh-server:        
              verify-doh-cert: no     
   doh-max-server-connections: 5      
   doh-max-concurrent-queries: 50     
                  doh-timeout: 5s     
        allow-remote-requests: yes    
          max-udp-packet-size: 4096   
         query-server-timeout: 2s     
          query-total-timeout: 10s    
       max-concurrent-queries: 100    
  max-concurrent-tcp-sessions: 20     
                   cache-size: 2048KiB
                cache-max-ttl: 1w     
      address-list-extra-time: 0s     
                          vrf: main   
           mdns-repeat-ifaces:        
                   cache-used: 1997KiB
Will double the size and further watch it. It was never a problem before. We will see and thanks for the response ....

PS: just realised, that 4.4.4.4 is not a Google DNS server, hence changing it to 8.8.4.4.
 
ConradPino
Member
Posts: 390
Joined: Sat Jan 21, 2023 12:44 pm
Contact:

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 8:49 pm

Here's some advice then, to everybody who complains every time there's a new release, from someone who's been doing this for 20+ years:

Don't put brand new releases on your devices unless there's a feature or fix you specifically need, and even then, be prepared for other things to break. With RouterOS 7, wait until at least a point release or two before upgrading production devices, especially if you don't have a way to test beforehand.

If having the latest and greatest is that critical to you, buy some cheaper hardware to test with, or lab things up in GNS3 (for free).
Generally good advice, thank you!

The complaints have purpose, MikroTik improves development to ease user product burden and accelerate product uptake.
IMO, useful complaints keep MT current on user interests and needs. As user needs are met, complaints will self extinguish.
 
pe1chl
Forum Guru
Posts: 10550
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 9:10 pm

TLDR: ROS DNS forwarder should not switch upstream DNS server just because a single request was answered with status SERVFAIL, because SERVFAIL does not necessarily indicate a problem with the specific DNS server.
A "good" way to handle this (this is how bind9 does it) is to keep a rolling average of response times of different DNS resolvers, i.e. each time a query is sent and replied by that resolver (also SERVFAIL reply) the average is updated to like (avg*99 + this)/100, and send most of the queries to the fastest server. Sometimes queries are sent to the others, to keep their averages up to date.

However, it also is desirable to have "groups" of resolvers that are used with priority. I.e. normally the servers in the first group are used in a way like above, and only when no replies are received from those, the second group is consulted.
That way, it is possible to configure the ISP resolvers to be normally used (e.g. 2*IPv4 and 2*IPv6), but have a fallback to resolvers like Google or Cloudflare, or a DNS via an LTE fallback for example.
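
An added sketch (not part of the post above, and not RouterOS or BIND code) of the selection policy it describes: a rolling average per resolver that is updated on every reply including SERVFAIL, priority groups with fallback only when a group stops answering, and occasional probes. It is run next to the switch-on-SERVFAIL behaviour reported earlier in the thread; the resolver addresses, round-trip times, query trace and all class and function names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ResolverPool:
    groups: list              # priority-ordered list of lists of resolver addresses
    probe_every: int = 10     # every Nth query goes to a resolver other than the best
    max_timeouts: int = 3     # consecutive timeouts before a resolver counts as dead
    avg_ms: dict = field(default_factory=dict)
    timeouts: dict = field(default_factory=dict)
    queries: int = 0

    def _alive(self, server):
        return self.timeouts.get(server, 0) < self.max_timeouts

    def choose(self):
        self.queries += 1
        # Active group: the highest-priority group that still has an answering resolver.
        idx = next((i for i, g in enumerate(self.groups) if any(map(self._alive, g))), 0)
        alive = [s for s in self.groups[idx] if self._alive(s)] or self.groups[idx]
        # Unmeasured resolvers sort first so that they get measured.
        best = min(alive, key=lambda s: self.avg_ms.get(s, 0.0))
        if self.queries % self.probe_every == 0:
            # Probe peers in the active group and dead higher-priority resolvers,
            # never a lower-priority group while the active one is answering.
            others = [s for g in self.groups[:idx + 1] for s in g if s != best]
            if others:
                return others[(self.queries // self.probe_every) % len(others)]
        return best

    def record_reply(self, server, rtt_ms, rcode):
        # rcode is deliberately ignored: SERVFAIL is still a timely reply.
        old = self.avg_ms.get(server)
        self.avg_ms[server] = rtt_ms if old is None else (old * 99 + rtt_ms) / 100
        self.timeouts[server] = 0

    def record_timeout(self, server):
        self.timeouts[server] = self.timeouts.get(server, 0) + 1

class SwitchOnServfail:
    """Behaviour reported in the thread: move to the next upstream on each SERVFAIL."""
    def __init__(self, servers):
        self.servers, self.i = servers, 0

    def choose(self):
        return self.servers[self.i]

    def record_reply(self, server, rtt_ms, rcode):
        if rcode == "SERVFAIL":
            self.i = (self.i + 1) % len(self.servers)

    def record_timeout(self, server):
        self.i = (self.i + 1) % len(self.servers)

# Constructed upstreams (documentation address ranges) and round-trip times.
PRIMARY, SECONDARY = "192.0.2.53", "198.51.100.53"
RTT_MS = {PRIMARY: 10.0, SECONDARY: 80.0}

def constructed_trace(n=40):
    """Every 5th lookup is for a name whose authoritative server is broken."""
    return ["broken.example" if i % 5 == 4 else f"host{i}.example" for i in range(n)]

def simulate(policy, trace, down=()):
    """Feed the trace through a policy; return queries sent per upstream."""
    sent = {}
    for qname in trace:
        server = policy.choose()
        sent[server] = sent.get(server, 0) + 1
        if server in down:
            policy.record_timeout(server)
        else:
            rcode = "SERVFAIL" if qname == "broken.example" else "NOERROR"
            policy.record_reply(server, RTT_MS[server], rcode)
    return sent

if __name__ == "__main__":
    trace = constructed_trace()
    print("switch on SERVFAIL:", simulate(SwitchOnServfail([PRIMARY, SECONDARY]), trace))
    print("grouped averages:  ", simulate(ResolverPool([[PRIMARY], [SECONDARY]]), trace))
    print("primary down:      ", simulate(ResolverPool([[PRIMARY], [SECONDARY]]), trace,
                                          down=(PRIMARY,)))
```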
 
jbl42
Member Candidate
Posts: 228
Joined: Sun Jun 21, 2020 12:58 pm

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 10:46 pm

The cache size is default, 2048, 346 items recently. Looking into the ip/dns output though, it seems, that the cache is full .....
The strange thing is your device shows 2MB of used cache for 346 DNS entries. This is unreasonably large (>5kB/entry).
As an example, the DNS cache of my RB5009 currently consumes about 300kB for ca. 600 entries (ca 0.5kB/entry).
 
UkRainUa
newbie
Posts: 43
Joined: Sun Mar 10, 2024 3:10 am

Re: v7.17 [stable] is released!

Tue Jan 21, 2025 11:17 pm

Hi! I noticed that Adlist does not work after reboot (saved locally on usb). It does not load automatically. Name count = 0. No errors. It starts working after the RELOAD command. On 7.16 it worked automatically after rebooting the router with the same file and media.
 
pturmel
just joined
Posts: 1
Joined: Thu Apr 25, 2024 5:36 pm

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 12:25 am

Just upgraded from 7.16.2 hoping to kill a problem with watchdog timer reboots on my CRS328-24P-4S+.

Started using my SFP+ ports after getting fiber internet (capable of 5Gb/sec, set up for 2Gb/s).

I have three 10Gb copper SFP+ inserts and have discovered that almost any link down event on them will trigger watchdog timer reboot (pretty quickly). While watching the serial console, you see this, with no intervening messages:
[admin@Turmels of Fayetteville] /ip/dhcp-server/lease> 
BootROM 1.41
Booting from SPI flash
BootROM: Image checksum verification PASSED


RouterBOOT booter 7.17

CRS328-24P-4S+

CPU frequency: 800 MHz
  Memory size: 512 MiB
 Storage size:  16 MiB

Press Ctrl+E to enter etherboot mode
Press any key within 2 seconds to enter setup..

loading kernel... OK
setting up elf image... OK
jumping to kernel code
followed shortly by a new login prompt.

After login, the banner is followed by a new log entry of this format:
system,error,critical router was rebooted without proper shutdown by watchdog timer
When I first encountered this, I noticed that the SFP+ was ancient--2012--so I replaced it with a new one, and added another new one, both from CableMatters, dated Feb 2024. No change in behavior. Link down on either interface triggers the reboot.

My config:
# 2025-01-21 17:14:56 by RouterOS 7.17
# software id = MJ1C-VXZR
#
# model = CRS328-24P-4S+
# serial number = C7810B2D860A
/interface bridge
add admin-mac=C4:AD:34:9A:7E:10 auto-mac=no comment="Main Switch w/ VLANs" \
    ingress-filtering=no name=br0 port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=\
    "Living Rm South Wall at Stairs Lower Port" l2mtu=10218 mtu=9216
set [ find default-name=ether2 ] comment=Unallocated l2mtu=10218 mtu=9216 \
    poe-out=off
set [ find default-name=ether3 ] comment=Unallocated l2mtu=10218 mtu=9216 \
    poe-out=off
set [ find default-name=ether4 ] comment="Dining Rm West Wall Solo Port" \
    l2mtu=10218 mtu=9216 poe-out=off
set [ find default-name=ether5 ] comment=Unallocated l2mtu=10218 mtu=9216 \
    poe-out=off
set [ find default-name=ether6 ] comment=Unallocated l2mtu=10218 mtu=9216 \
    poe-out=off
set [ find default-name=ether7 ] comment="Dining Rm East Wall Upper Port" \
    l2mtu=10218 mtu=9216 poe-out=off
set [ find default-name=ether8 ] comment="Dining Rm East Wall Center Port" \
    l2mtu=10218 mtu=9216 poe-out=off
set [ find default-name=ether9 ] comment=Unallocated l2mtu=10218 mtu=9216 \
    poe-out=off
set [ find default-name=ether10 ] comment=\
    "Living Rm South Wall West Right Port" l2mtu=10218 mtu=9216 poe-out=off
set [ find default-name=ether11 ] comment=Unallocated l2mtu=10218 mtu=9216 \
    poe-out=off
set [ find default-name=ether12 ] comment="Man Cave East Wall Upper Port" \
    l2mtu=10218 mtu=9216 poe-out=off
set [ find default-name=ether13 ] comment="Foyer/Hall East Wall Red" l2mtu=\
    10218 mtu=9216
set [ find default-name=ether14 ] comment="Foyer/Hall East Wall White" l2mtu=\
    10218 mtu=9216 poe-out=off
set [ find default-name=ether15 ] comment=Unallocated l2mtu=10218 mtu=9216 \
    poe-out=off
set [ find default-name=ether16 ] comment="Brutus LAN1" l2mtu=10218 mtu=9216 \
    poe-out=off
set [ find default-name=ether17 ] comment="Unallocated PoE" l2mtu=10218 mtu=\
    9216
set [ find default-name=ether18 ] comment="Unallocated PoE" l2mtu=10218 mtu=\
    9216
set [ find default-name=ether19 ] comment="Unallocated PoE" l2mtu=10218 mtu=\
    9216
set [ find default-name=ether20 ] comment="Unallocated PoE" l2mtu=10218 mtu=\
    9216
set [ find default-name=ether21 ] comment="Unallocated PoE" l2mtu=10218 mtu=\
    9216
set [ find default-name=ether22 ] comment="Unallocated PoE" l2mtu=10218 mtu=\
    9216
set [ find default-name=ether23 ] comment="Living Rm West B (Mantel) BluRay" \
    l2mtu=10218 mtu=9216 poe-out=off
set [ find default-name=ether24 ] comment=\
    "Living Rm West A (Mantel) Television" l2mtu=10218 mtu=9216 poe-out=off
set [ find default-name=sfp-sfpplus1 ] comment="Brutus Trunk" l2mtu=10218 \
    mtu=9216 sfp-ignore-rx-los=yes
set [ find default-name=sfp-sfpplus2 ] comment=\
    "Man Cave East Wall Middle Port (Trunk)" l2mtu=10218 mtu=9216 \
    sfp-ignore-rx-los=yes
set [ find default-name=sfp-sfpplus3 ] comment="AT&T Fiber Uplink 5Gb" l2mtu=\
    10218 mtu=9216 sfp-ignore-rx-los=yes
set [ find default-name=sfp-sfpplus4 ] comment=Unallocated l2mtu=10218 mtu=\
    9216 sfp-ignore-rx-los=yes
/interface ovpn-client
add certificate="Home VPN" comment="AutoPros Road Warrior via OpenVPN" \
    connect-to=router.automation-pros.com mac-address=FE:0D:63:23:59:A1 name=\
    AutoProsVPN port=1195 use-peer-dns=no user=vpnuser \
    verify-server-certificate=yes
/interface vlan
add comment="Household LAN for DHCP Server" interface=br0 name=vlan1 vlan-id=\
    1
add comment="AT&T Fiber WAN for DHCP Client" interface=br0 name=vlan2 \
    vlan-id=2
/interface list
add comment="Switch to Switch ports" name=TRUNK
add comment="Upstream Network" name=WAN
add comment=Household name=LAN
add comment=Trusted name=TUNNEL
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add comment="Household Address Pool" name=dhcp_pool0 ranges=\
    192.168.20.200-192.168.20.249
/ip dhcp-server
add address-pool=dhcp_pool0 authoritative=after-2sec-delay comment=\
    "Household Pool" interface=vlan1 name=House
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=br0 comment="Living Rm South Wall at Stairs Lower Port" \
    frame-types=admit-only-untagged-and-priority-tagged interface=ether1 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment=Unallocated frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment=Unallocated frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment="Dining Rm West Wall Solo Port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment=Unallocated frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment=Unallocated frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment="Dining Rm East Wall Upper Port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment="Dining Rm East Wall Center Port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment=Unallocated frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment="Living Rm South Wall West Right Port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment=Unallocated frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether11 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment="Man Cave East Wall Upper Port (on hold)" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether12 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment="Foyer/Hall East Wall Red" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether13 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment="Foyer/Hall East Wall White" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether14 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment=Unallocated frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether15 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment="Brutus LAN1" frame-types=admit-only-vlan-tagged \
    interface=ether16 internal-path-cost=10 path-cost=10
add bridge=br0 comment="Unallocated PoE" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether17 \
    internal-path-cost=10 path-cost=10 pvid=3
add bridge=br0 comment="Unallocated PoE" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether18 \
    internal-path-cost=10 path-cost=10 pvid=3
add bridge=br0 comment="Unallocated PoE" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether19 \
    internal-path-cost=10 path-cost=10 pvid=3
add bridge=br0 comment="Unallocated PoE" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether20 \
    internal-path-cost=10 path-cost=10 pvid=3
add bridge=br0 comment="Unallocated PoE" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether21 \
    internal-path-cost=10 path-cost=10 pvid=3
add bridge=br0 comment="Unallocated PoE" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether22 \
    internal-path-cost=10 path-cost=10 pvid=3
add bridge=br0 comment="Living Rm West B (Mantel) BluRay" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether23 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment="Living Rm West A (Mantel) Television" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether24 \
    internal-path-cost=10 path-cost=10
add bridge=br0 comment="Brutus Trunk" frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=br0 comment="Man Cave East Wall Middle Port (Trunk)" frame-types=\
    admit-only-vlan-tagged interface=sfp-sfpplus2 internal-path-cost=10 \
    path-cost=10
add bridge=br0 comment="AT&T Fiber Uplink 5Gb" frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp-sfpplus3 \
    internal-path-cost=10 path-cost=10 pvid=2
add bridge=br0 comment="Man Cave East Wall Upper Port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp-sfpplus4 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=br0 comment="Household Default Network" tagged=\
    br0,ether16,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus4 vlan-ids=1-4094
/interface list member
add comment="AT&T Fiber Uplink" interface=vlan2 list=WAN
add comment=Household interface=vlan1 list=LAN
add comment=Trusted interface=AutoProsVPN list=TUNNEL
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:41:32:50:C0:27 name=ovpn-server1
/ip address
add address=192.168.20.254/24 comment="House LAN" interface=vlan1 network=\
    192.168.20.0
/ip dhcp-client
add comment="AT&T Fiber Delegate" interface=vlan2
/ip dhcp-server lease
add address=192.168.20.161 mac-address=FE:54:00:FA:00:01
add address=192.168.20.160 mac-address=D4:93:90:4E:3D:97
/ip dhcp-server network
add address=192.168.20.0/24 comment=Household gateway=192.168.20.254 netmask=\
    24
/ip dns
set allow-remote-requests=yes cache-size=32768KiB
/ip dns adlist
add ssl-verify=no url=\
    https://www.automation-pros.com/autopros-unified-hosts.txt
add ssl-verify=no url="https://raw.githubusercontent.com/StevenBlack/hosts/mas\
    ter/alternates/gambling-porn/hosts"
/ip dns static
add address=192.168.19.1 name=polaris.automation-pros.com type=A
add address=192.168.19.1 name=ks.automation-pros.com type=A
add address=192.168.19.2 name=orion.automation-pros.com type=A
add address=192.168.19.3 name=superm.automation-pros.com type=A
add address=192.168.19.4 name=wap54g.automation-pros.com type=A
add address=192.168.19.5 name=alliedtelesis.automation-pros.com type=A
add address=192.168.19.6 name=prosafe.automation-pros.com type=A
add address=192.168.19.7 name=intellinet.automation-pros.com type=A
add address=192.168.19.8 name=gs108pe.automation-pros.com type=A
add address=192.168.19.9 name=ignfastui.automation-pros.com type=A
add address=192.168.19.11 name=ceg-grn.automation-pros.com type=A
add address=192.168.19.20 name=plc1.automation-pros.com type=A
add address=192.168.19.21 name=ge364.automation-pros.com type=A
add address=192.168.19.22 name=mtscale.automation-pros.com type=A
add address=192.168.19.23 name=vivotek1.automation-pros.com type=A
add address=192.168.19.27 name=nport.automation-pros.com type=A
add address=192.168.19.28 name=cp5225.automation-pros.com type=A
add address=192.168.19.29 name=p1000.automation-pros.com type=A
add address=192.168.19.40 name=office790.automation-pros.com type=A
add address=192.168.19.41 name=tagimporter.automation-pros.com type=A
add address=192.168.19.46 name=office796.automation-pros.com type=A
add address=192.168.19.48 name=office798.automation-pros.com type=A
add address=192.168.19.50 name=office800.automation-pros.com type=A
add address=192.168.19.51 name=pi8.automation-pros.com type=A
add address=192.168.19.52 name=office7912.automation-pros.com type=A
add address=192.168.19.53 name=office80x.automation-pros.com type=A
add address=192.168.19.55 name=rmaster.automation-pros.com type=A
add address=192.168.19.56 name=rbackup.automation-pros.com type=A
add address=192.168.19.57 name=borgdb.automation-pros.com type=A
add address=192.168.19.58 name=hbgw.automation-pros.com type=A
add address=192.168.19.59 name=hbdb.automation-pros.com type=A
add address=192.168.19.60 name=hbio.automation-pros.com type=A
add address=192.168.19.64 name=ptgw.automation-pros.com type=A
add address=192.168.19.65 name=ptdb.automation-pros.com type=A
add address=192.168.19.66 name=moxa.automation-pros.com type=A
add address=192.168.19.67 name=densogw.automation-pros.com type=A
add address=192.168.19.68 name=densodb.automation-pros.com type=A
add address=192.168.19.70 name=zeus.automation-pros.com type=A
add address=192.168.19.73 name=athena.automation-pros.com type=A
add address=192.168.19.74 name=armdev.automation-pros.com type=A
add address=192.168.19.75 name=zm.automation-pros.com type=A
add address=192.168.19.85 name=albint-fakeio.automation-pros.com type=A
add address=192.168.19.86 name=albint8115.automation-pros.com type=A
add address=192.168.19.87 name=polaris81y.automation-pros.com type=A
add address=192.168.19.88 name=superm81x.automation-pros.com type=A
add address=192.168.19.89 name=edgeiiot.automation-pros.com type=A
add address=192.168.19.90 name=edgepanel.automation-pros.com type=A
add address=192.168.19.139 name=kv8k.automation-pros.com type=A
add address=192.168.19.146 name=okic830.automation-pros.com type=A
add address=192.168.19.148 name=bro3075.automation-pros.com type=A
add address=192.168.19.160 name=grim-enp24s0.dhcp.automation-pros.com type=A
add address=192.168.19.161 name=porthos-office1.dhcp.automation-pros.com \
    type=A
add address=192.168.19.162 name=grim-office1.dhcp.automation-pros.com type=A
add address=192.168.19.254 name=mt354.automation-pros.com type=A
add address=192.168.20.1 name=r7000.turmel.org type=A
add address=192.168.20.2 name=brutus.turmel.org type=A
add address=192.168.20.160 name=grim-enp24s0.dhcp.turmel.org type=A
add address=192.168.20.161 name=porthos-home1.dhcp.turmel.org type=A
add address=192.168.20.162 name=grim-home1.dhcp.turmel.org type=A
add address=192.168.20.253 name=u6pro.turmel.org type=A
add address=192.168.20.254 name=mt328.turmel.org type=A
add address=10.1.1.1 name=nano-l320erm.automation-pros.com type=A
add address=10.1.1.150 name=nano-ocean.automation-pros.com type=A
add address=10.1.1.250 name=nano-porthos.automation-pros.com type=A
add address=10.1.1.251 name=nano-aramis.automation-pros.com type=A
add address=192.168.70.2 name=vlan9.porthos.automation-pros.com type=A
add address=192.168.70.3 name=vlan9.polaris.automation-pros.com type=A
add address=192.168.70.19 name=ceg-grn-db.automation-pros.com type=A
add address=192.168.70.27 name=srv02.greenstone.ceg-engineers.com type=A
add address=192.168.70.28 name=ppc01.greenstone.ceg-engineers.com type=A
add address=192.168.70.35 name=env01.greenstone.ceg-engineers.com type=A
add address=192.168.70.36 name=env02.greenstone.ceg-engineers.com type=A
add address=192.168.70.37 name=env03.greenstone.ceg-engineers.com type=A
add address=192.168.70.35 name=env04.greenstone.ceg-engineers.com type=A
add address=192.168.70.141 name=r30bat01.greenstone.ceg-engineers.com type=A
add address=192.168.70.142 name=r30bat02.greenstone.ceg-engineers.com type=A
add address=192.168.70.143 name=r30bat03.greenstone.ceg-engineers.com type=A
add address=192.168.70.144 name=r30bat04.greenstone.ceg-engineers.com type=A
add address=192.168.70.145 name=r30bat05.greenstone.ceg-engineers.com type=A
add address=192.168.70.146 name=r30bat06.greenstone.ceg-engineers.com type=A
add address=192.168.70.147 name=r30bat07.greenstone.ceg-engineers.com type=A
add address=192.168.71.3 name=inv01.greenstone.ceg-engineers.com type=A
add address=192.168.71.4 name=inv02.greenstone.ceg-engineers.com type=A
add address=192.168.71.5 name=inv03.greenstone.ceg-engineers.com type=A
add address=192.168.71.6 name=inv04.greenstone.ceg-engineers.com type=A
add address=192.168.71.7 name=inv05.greenstone.ceg-engineers.com type=A
add address=192.168.71.8 name=inv06.greenstone.ceg-engineers.com type=A
add address=192.168.71.9 name=inv07.greenstone.ceg-engineers.com type=A
add address=192.168.71.132 name=trk01.greenstone.ceg-engineers.com type=A
add address=192.168.71.133 name=trk02.greenstone.ceg-engineers.com type=A
add address=192.168.71.134 name=trk03.greenstone.ceg-engineers.com type=A
add address=192.168.71.135 name=trk04.greenstone.ceg-engineers.com type=A
add address=192.168.71.136 name=trk05.greenstone.ceg-engineers.com type=A
add address=192.168.71.137 name=trk06.greenstone.ceg-engineers.com type=A
add address=192.168.71.138 name=trk07.greenstone.ceg-engineers.com type=A
add address=192.168.71.139 name=trk08.greenstone.ceg-engineers.com type=A
add address=192.168.71.140 name=trk09.greenstone.ceg-engineers.com type=A
add address=192.168.71.141 name=trk10.greenstone.ceg-engineers.com type=A
add address=192.168.71.142 name=trk11.greenstone.ceg-engineers.com type=A
add address=192.168.71.143 name=trk12.greenstone.ceg-engineers.com type=A
add address=192.168.71.144 name=trk13.greenstone.ceg-engineers.com type=A
add address=192.168.71.145 name=trk14.greenstone.ceg-engineers.com type=A
add address=10.16.7.2 name=lab-l72.automation-pros.com type=A
add address=10.16.7.3 name=lab-l24.automation-pros.com type=A
add address=10.16.7.4 name=lab-l320erm.automation-pros.com type=A
add address=10.16.7.5 name=lab-l81e.automation-pros.com type=A
add address=10.16.7.6 name=lab-drum.automation-pros.com type=A
add address=10.16.7.7 name=lab-gong.automation-pros.com type=A
add address=10.16.7.9 name=lab-fastui.automation-pros.com type=A
add address=10.16.7.10 name=lab-point-aent.automation-pros.com type=A
add address=10.16.7.11 name=lab-enet.automation-pros.com type=A
add address=10.16.7.12 name=lab-enbt.automation-pros.com type=A
add address=10.16.7.19 name=lab-bango.automation-pros.com type=A
add address=10.16.7.20 name=lab-flute.automation-pros.com type=A
add address=10.16.7.26 name=lab-zeus.automation-pros.com type=A
add address=10.16.7.27 name=lab-vision.automation-pros.com type=A
add address=10.16.7.28 name=lab-athena.automation-pros.com type=A
add address=10.16.7.34 name=lab-densogw.automation-pros.com type=A
add address=10.16.7.35 name=lab-superm81x.automation-pros.com type=A
add address=10.16.7.36 name=lab-polaris81y.automation-pros.com type=A
add address=10.16.7.40 name=lab-porthos79x.automation-pros.com type=A
add address=10.16.7.41 name=lab-porthos80x.automation-pros.com type=A
add address=10.16.7.42 name=lab-porthos81x.automation-pros.com type=A
add address=10.16.7.43 name=lab-porthos81y.automation-pros.com type=A
add address=10.16.7.44 name=lab-porthos81z.automation-pros.com type=A
add address=10.16.7.51 name=lab-m850.automation-pros.com type=A
add address=10.16.7.89 name=lab-edgeiiot.automation-pros.com type=A
add address=10.16.7.90 name=lab-edgepanel.automation-pros.com type=A
add address=10.16.7.235 name=lab-t2200.automation-pros.com type=A
add address=10.16.7.240 name=lab-corvus.automation-pros.com type=A
add address=10.16.7.243 name=lab-aramis.automation-pros.com type=A
add address=10.16.7.252 name=at-lab.automation-pros.com type=A
add address=10.16.7.253 name=tmachine.automation-pros.com type=A
add address=192.168.31.3 name=superm81x.zm.automation-pros.com type=A
add address=192.168.31.10 name=backN.zm.automation-pros.com type=A
add address=192.168.31.11 name=backSW.zm.automation-pros.com type=A
add address=192.168.31.12 name=backPTZ.zm.automation-pros.com type=A
add address=192.168.31.13 name=frontNE.zm.automation-pros.com type=A
add address=192.168.31.14 name=frontS.zm.automation-pros.com type=A
add address=172.16.70.129 name=lab-en2t.automation-pros.com type=A
add address=172.16.71.89 name=lab2-edgeiiot.automation-pros.com type=A
add address=172.16.71.90 name=lab2-edgepanel.automation-pros.com type=A
add address=172.16.71.252 name=lab-en3tr.automation-pros.com type=A
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=no_forward_ipv4
add address=169.254.0.0/16 comment=RFC6890 list=no_forward_ipv4
add address=224.0.0.0/4 comment=Multicast list=no_forward_ipv4
add address=255.255.255.255 comment=RFC6890 list=no_forward_ipv4
add address=192.168.20.0/24 comment="Home Local Network" list=\
    local_ranges_ipv4
add address=127.0.0.0/8 comment=RFC6890 list=bad_ipv4
add address=192.0.0.0/24 comment=RFC6890 list=bad_ipv4
add address=192.0.2.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment=RFC6890 list=not_global_ipv4
add address=10.0.0.0/8 comment=RFC6890 list=not_global_ipv4
add address=100.64.0.0/10 comment=RFC6890 list=not_global_ipv4
add address=169.254.0.0/16 comment=RFC6890 list=not_global_ipv4
add address=172.16.0.0/12 comment=RFC6890 list=not_global_ipv4
add address=192.0.0.0/29 comment=RFC6890 list=not_global_ipv4
add address=192.168.0.0/16 comment=RFC6890 list=not_global_ipv4
add address=198.18.0.0/15 comment="RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment=RFC6890 list=not_global_ipv4
add address=224.0.0.0/4 comment=multicast list=bad_src_ipv4
add address=255.255.255.255 comment=RFC6890 list=bad_src_ipv4
add address=0.0.0.0/8 comment=RFC6890 list=bad_dst_ipv4
add address=224.0.0.0/4 comment=RFC6890 list=bad_dst_ipv4
/ip firewall filter
add action=accept chain=input comment="Accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop all not coming from LAN" disabled=\
    yes in-interface-list=!LAN
add action=accept chain=forward comment=\
    "Accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment=" drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
/ip firewall nat
add action=accept chain=srcnat comment="Accept all that matches IPSec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment=Masquerade out-interface-list=WAN
/ip firewall raw
add action=drop chain=bad_tcp comment="TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment="Bad TCP Flags" protocol=tcp tcp-flags=\
    fin,syn
add action=drop chain=bad_tcp comment="Bad TCP Flags" protocol=tcp tcp-flags=\
    fin,rst
add action=drop chain=bad_tcp comment="Bad TCP Flags" protocol=tcp tcp-flags=\
    fin,!ack
add action=drop chain=bad_tcp comment="Bad TCP Flags" protocol=tcp tcp-flags=\
    fin,urg
add action=drop chain=bad_tcp comment="Bad TCP Flags" protocol=tcp tcp-flags=\
    syn,rst
add action=drop chain=bad_tcp comment="Bad TCP Flags" protocol=tcp tcp-flags=\
    rst,urg
add action=drop chain=bad_tcp comment="TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="Echo reply" icmp-options=0:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="Net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp4 comment="Host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp4 comment="Protocol unreachable" icmp-options=3:2 \
    protocol=icmp
add action=accept chain=icmp4 comment="Port unreachable" icmp-options=3:3 \
    protocol=icmp
add action=accept chain=icmp4 comment="Fragmentation needed" icmp-options=3:4 \
    protocol=icmp
add action=accept chain=icmp4 comment=Echo icmp-options=8:0 limit=5,10:packet \
    protocol=icmp
add action=accept chain=icmp4 comment="Time exceeded " icmp-options=11:0-255 \
    protocol=icmp
add action=drop chain=icmp4 comment="Drop other icmp" protocol=icmp
add action=accept chain=prerouting comment="enable for transparent firewall" \
    disabled=yes
add action=accept chain=prerouting comment=\
    "Accept everything from Trusted Links" in-interface-list=TUNNEL \
    log-prefix="Accept Trusted Tunnels"
add action=accept chain=prerouting comment="Accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="Drop bogon IP's" src-address-list=\
    bad_ipv4
add action=drop chain=prerouting comment="Drop bogon IP's" dst-address-list=\
    bad_ipv4
add action=drop chain=prerouting comment="Drop bogon IP's" src-address-list=\
    bad_src_ipv4
add action=drop chain=prerouting comment="Drop bogon IP's" dst-address-list=\
    bad_dst_ipv4
add action=drop chain=prerouting comment="Drop non global from WAN" disabled=\
    yes in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="Drop forward to local lan from WAN" \
    disabled=yes dst-address-list=local_ranges_ipv4 in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "Drop local if not from default IP range" in-interface-list=LAN \
    src-address-list=!local_ranges_ipv4
add action=drop chain=prerouting comment="Drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="jump to ICMP chain" jump-target=\
    icmp4 protocol=icmp
add action=jump chain=prerouting comment="jump to TCP chain" jump-target=\
    bad_tcp protocol=tcp
add action=accept chain=prerouting comment="Accept everything else from LAN" \
    in-interface-list=LAN
add action=accept chain=prerouting comment="Accept everything else from WAN" \
    in-interface-list=WAN
add action=accept chain=prerouting comment="Allow SIP UDP" port=5060 \
    protocol=udp
add action=drop chain=prerouting comment="Drop the rest"
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ipv6 firewall address-list
add address=fe80::/10 comment="RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment=Multicast list=no_forward_ipv6
add address=::1/128 comment="RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="RFC6890 IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment=RFC6890 list=bad_ipv6
add address=2001:db8::/32 comment="RFC6890 documentation" list=bad_ipv6
add address=2001:10::/28 comment="RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="ipv4 compat" list=bad_ipv6
add address=100::/64 comment="RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment=Unspecified list=bad_dst_ipv6
add address=::/128 comment=Unspecified list=bad_src_ipv6
add address=ff00::/8 comment=Multicast list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="Accept ICMPv6 after RAW" protocol=\
    icmpv6
add action=accept chain=input comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Accept UDP traceroute" dst-port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "Accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="Accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="Accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="Accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="Drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "Accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="Drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="RFC4890 drop hop-limit=1" hop-limit=\
    equal:1 protocol=icmpv6
add action=accept chain=forward comment="Accept ICMPv6 after RAW" protocol=\
    icmpv6
add action=accept chain=forward comment="Accept HIP" protocol=139
add action=accept chain=forward comment="Accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="Accept AH" protocol=ipsec-ah
add action=accept chain=forward comment="Accept ESP" protocol=ipsec-esp
add action=accept chain=forward comment=\
    "Accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "Drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall raw
add action=drop chain=icmp6 comment="RFC4890 drop ll if hop-limit!=255" \
    dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="Dst unreachable" icmp-options=1:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment="Packet too big" icmp-options=2:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment="Limit exceeded" icmp-options=3:0-1 \
    protocol=icmpv6
add action=accept chain=icmp6 comment="Bad header" icmp-options=4:0-2 \
    protocol=icmpv6
add action=accept chain=icmp6 comment="Mobile home agent address discovery" \
    icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="Mobile home agent address discovery" \
    icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="Mobile prefix solic" icmp-options=\
    146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="Mobile prefix advert" icmp-options=\
    147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="Echo request limit 5,10" icmp-options=\
    128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="Echo reply limit 5,10" icmp-options=\
    129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "RFC4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "RFC4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "RFC4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "RFC4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "RFC4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "RFC4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=drop chain=icmp6 comment="Drop other icmp" protocol=icmpv6
add action=accept chain=prerouting comment="Enable for transparent firewall" \
    disabled=yes
add action=accept chain=prerouting comment="RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="Drop bogon IP's" src-address-list=\
    bad_ipv6
add action=drop chain=prerouting comment="Drop bogon IP's" dst-address-list=\
    bad_ipv6
add action=drop chain=prerouting comment="Drop packets with bad SRC ipv6" \
    src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="Drop packets with bad dst ipv6" \
    dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="Drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="jump to ICMPv6 chain" jump-target=\
    icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="Accept local multicast scope" \
    dst-address=ff02::/16
add action=drop chain=prerouting comment="Drop other multicast destinations" \
    dst-address=ff00::/8
add action=accept chain=prerouting comment="Accept everything else from WAN" \
    in-interface-list=WAN
add action=accept chain=prerouting comment="Accept everything else from LAN" \
    in-interface-list=LAN
add action=drop chain=prerouting comment="Drop the rest"
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/New_York
/system identity
set name="Turmels of Fayetteville"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=north-america.pool.ntp.org
/system routerboard settings
set boot-device=nand-only
/system script
add comment="Copy Ether Port Comments to Bridge Ports" \
    dont-require-permissions=no name=fixbports owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface bridge port\
    \n:foreach i in=[find] do={\
    \n  :local iface [get \$i interface]\
    \n  :local comment [/interface get [/interface find name=\$iface] comment]\
    \n  :put \"\$iface : \$comment\"\
    \n  set \$i comment=\$comment\
    \n}\
    \n"
add comment="Clear Firewall Rules" dont-require-permissions=yes name=\
    NoFirewall owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Wipe all firewall rules and address lists\
    \n\
    \n/ip firewall filter remove [find dynamic=no]\
    \n/ip firewall nat remove [find dynamic=no]\
    \n/ip firewall raw remove [find dynamic=no]\
    \n/ipv6 firewall filter remove [find dynamic=no]\
    \n/ipv6 firewall nat remove [find dynamic=no]\
    \n/ipv6 firewall raw remove [find dynamic=no]\
    \n/ip firewall address-list remove [find dynamic=no]\
    \n/ipv6 firewall address-list remove [find dynamic=no]\
    \n"
/tool graphing interface
add interface=sfp-sfpplus3 store-on-disk=no

In the above, the two interfaces that I'm using to test link changes are sfp-sfpplus2 and sfp-sfpplus4.

I just attempted to generate supout.rif and it caused a reboot @ ~7%.

I just saw a spontaneous reboot. /:

I suspect it might be hardware, but I'm hoping others may have seen this....
 
Worko
just joined
Posts: 9
Joined: Thu Dec 14, 2023 6:01 pm

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 10:25 am

*) smb - stability improvements for client/server;

The SMB client run by Infuse player app on Apple TV stopped working. macOS native SMB client connects without problems.

Below are dissections from Wireshark.

Infuse:
--Request by Infuse--> SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Negotiate Protocol (0x72)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18, Canonicalized Pathnames, Case Sensitivity
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc843, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Used, Extended Attributes, Long Names Allowed
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
            .... .... .1.. .... = Long Names Used: Path names in request are long file names
            .... .... ...0 .... = Security Signatures Required: Security signatures are not required
            .... .... .... 0... = Compressed: Compression is not requested
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0
        Process ID: 1344
        User ID: 0
        Multiplex ID: 0
    Negotiate Protocol Request (0x72)
        Word Count (WCT): 0
        Byte Count (BCC): 34
        Requested Dialects
            Dialect: NT LM 0.12
                Buffer Format: Dialect (2)
                Name: NT LM 0.12
            Dialect: SMB 2.002
                Buffer Format: Dialect (2)
                Name: SMB 2.002
            Dialect: SMB 2.???
                Buffer Format: Dialect (2)
                Name: SMB 2.???

<--Reply by RouterOS-- SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 0
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
    Negotiate Protocol Response (0x00)
        StructureSize: 0x0041
            0000 0000 0100 000. = Fixed Part Length: 32
            .... .... .... ...1 = Dynamic Part: True
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Dialect: SMB2 wildcard (0x02ff)
        Reserved: 0
        Server Guid: 00000000-0000-0000-0000-000000000000
        Capabilities: 0x0000000c, LARGE MTU, MULTI CHANNEL
            .... .... .... .... .... .... .... ...0 = DFS: This host does NOT support DFS
            .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
            .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES
            .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING
            .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Max Transaction Size: 1048576
        Max Read Size: 4194304
        Max Write Size: 4194304
        Current Time: Jan 19, 2025 19:31:13.155350300 PST
        Boot Time: No time specified (0)
        Blob Offset: 0x00000080
        Blob Length: 74
        Security Blob: 604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa32a3028a0261b246e6f745f646566696e65645f696e5f5246433431373840706c656173655f69676e6f7265
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                    negTokenInit
                        mechTypes: 1 item
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        negHints
                            hintName: not_defined_in_RFC4178@please_ignore
        Reserved2: 0x00000000

--Request by Infuse--> SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        Channel Sequence: 0
        Reserved: 0000
        Command: Negotiate Protocol (0)
        Credits requested: 99
        Flags: 0x00000000
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response in: 28]
    Negotiate Protocol Request (0x00)
        [Preauth Hash: d5a10eba0dae463de64e00a9d6f28d86caf27f31cbee57633eee39494cbf27b6c601bf7ee95418c314a20508a331866661c4abd3b99240566b0f96e46bb3f036]
        StructureSize: 0x0024
            0000 0000 0010 010. = Fixed Part Length: 18
            .... .... .... ...0 = Dynamic Part: False
        Dialect count: 4
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Reserved: 0000
        Capabilities: 0x00000045, DFS, LARGE MTU, ENCRYPTION
            .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS
            .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 0... = MULTI CHANNEL: This host does NOT support MULTI CHANNEL
            .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES
            .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING
            .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Client Guid: 51497ea5-5cef-b244-b964-6e8ce408a16f
        NegotiateContextOffset: 0x00000000
        NegotiateContextCount: 0
        Reserved: 0000
        Dialect: SMB 2.0.2 (0x0202)
        Dialect: SMB 2.1 (0x0210)
        Dialect: SMB 3.0 (0x0300)
        Dialect: SMB 3.0.2 (0x0302)

<--Reply by RouterOS-- SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_INSUFFICIENT_RESOURCES (0xc000009a)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response to: 24]
        [Time from request: 0.000004000 seconds]
    Negotiate Protocol Response (0x00)
        [Preauth Hash: f4c7dbdcf3ecb837e5cb129c6cc7c78a3a6f3b2b56109787fd24bcdf2ce7ac44650bd5b25beafbb863ca3411f0f53ebfc1a15743abe42cd58eb4777cdc21ddc2]
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 4
            .... .... .... ...1 = Dynamic Part: True
        Error Context Count: 0
        Reserved: 0x00
        Byte Count: 0
        Error Data: 00

macOS's Finder:
--Request by macOS--> SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Negotiate Protocol (0x72)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x08, Case Sensitivity
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc801, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Allowed
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... ...0 .... = Security Signatures Required: Security signatures are not required
            .... .... .... 0... = Compressed: Compression is not requested
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are not supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 65535
        Process ID: 1
        User ID: 65535
        Multiplex ID: 0
    Negotiate Protocol Request (0x72)
        Word Count (WCT): 0
        Byte Count (BCC): 34
        Requested Dialects
            Dialect: NT LM 0.12
                Buffer Format: Dialect (2)
                Name: NT LM 0.12
            Dialect: SMB 2.002
                Buffer Format: Dialect (2)
                Name: SMB 2.002
            Dialect: SMB 2.???
                Buffer Format: Dialect (2)
                Name: SMB 2.???

<--Reply by RouterOS-- SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 0
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
    Negotiate Protocol Response (0x00)
        StructureSize: 0x0041
            0000 0000 0100 000. = Fixed Part Length: 32
            .... .... .... ...1 = Dynamic Part: True
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Dialect: SMB2 wildcard (0x02ff)
        Reserved: 0
        Server Guid: 00000000-0000-0000-0000-000000000000
        Capabilities: 0x0000000c, LARGE MTU, MULTI CHANNEL
            .... .... .... .... .... .... .... ...0 = DFS: This host does NOT support DFS
            .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
            .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES
            .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING
            .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Max Transaction Size: 1048576
        Max Read Size: 4194304
        Max Write Size: 4194304
        Current Time: Jan 19, 2025 19:12:36.815501500 PST
        Boot Time: No time specified (0)
        Blob Offset: 0x00000080
        Blob Length: 74
        Security Blob: 604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa32a3028a0261b246e6f745f646566696e65645f696e5f5246433431373840706c656173655f69676e6f7265
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                    negTokenInit
                        mechTypes: 1 item
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        negHints
                            hintName: not_defined_in_RFC4178@please_ignore
        Reserved2: 0x00000000

--Request by macOS--> SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        Channel Sequence: 0
        Reserved: 0000
        Command: Negotiate Protocol (0)
        Credits requested: 0
        Flags: 0x00000000
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x0000feff
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response in: 58]
    Negotiate Protocol Request (0x00)
        [Preauth Hash: d31c2830b42fa5c6603ae5e67d9fbbd519687ecc35f3a604d91d0b2cf677831d9ee858e922cf7f1e2fbd9e18b9c1fef59ddb991a3fe69433da1d3eac9afa60c8]
        StructureSize: 0x0024
            0000 0000 0010 010. = Fixed Part Length: 18
            .... .... .... ...0 = Dynamic Part: False
        Dialect count: 5
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Reserved: 0000
        Capabilities: 0x0000007f, DFS, LEASING, LARGE MTU, MULTI CHANNEL, PERSISTENT HANDLES, DIRECTORY LEASING, ENCRYPTION
            .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS
            .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
            .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES
            .... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING
            .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Client Guid: 5918f3a6-8558-bf44-bce9-89cb9c46119a
        NegotiateContextOffset: 0x00000070
        NegotiateContextCount: 5
        Reserved: 0000
        Dialect: SMB 2.0.2 (0x0202)
        Dialect: SMB 2.1 (0x0210)
        Dialect: SMB 3.0 (0x0300)
        Dialect: SMB 3.0.2 (0x0302)
        Dialect: SMB 3.1.1 (0x0311)
        Negotiate Context: SMB2_PREAUTH_INTEGRITY_CAPABILITIES 
            Type: SMB2_PREAUTH_INTEGRITY_CAPABILITIES (0x0001)
            DataLength: 38
            Reserved: 00000000
            HashAlgorithmCount: 1
            SaltLength: 32
            HashAlgorithm: SHA-512 (0x0001)
            Salt: b2967270afec39d772b756b248b7e7f8c6868f28a5bd3dae84be2c94061cdd38
        Negotiate Context: SMB2_ENCRYPTION_CAPABILITIES 
            Type: SMB2_ENCRYPTION_CAPABILITIES (0x0002)
            DataLength: 10
            Reserved: 00000000
            CipherCount: 4
            CipherId: AES-256-GCM (0x0004)
            CipherId: AES-256-CCM (0x0003)
            CipherId: AES-128-GCM (0x0002)
            CipherId: AES-128-CCM (0x0001)
        Negotiate Context: SMB2_COMPRESSION_CAPABILITIES 
            Type: SMB2_COMPRESSION_CAPABILITIES (0x0003)
            DataLength: 10
            Reserved: 00000000
            CompressionAlgorithmCount: 1
            Flags: 0x00000000
                .... .... .... .... .... .... .... ...0 = Chained: False
                0000 0000 0000 0000 0000 0000 0000 000. = Reserved: 0x00000000
            CompressionAlgorithmId: None (0x0000)
        Negotiate Context: SMB2_SIGNING_CAPABILITIES 
            Type: SMB2_SIGNING_CAPABILITIES (0x0008)
            DataLength: 6
            Reserved: 00000000
            SigningAlgorithmCount: 2
            SigningAlgorithmId: AES-GMAC (0x0002)
            SigningAlgorithmId: AES-CMAC (0x0001)
        Negotiate Context: SMB2_NETNAME_NEGOTIATE_CONTEXT_ID 
            Type: SMB2_NETNAME_NEGOTIATE_CONTEXT_ID (0x0005)
            DataLength: 58
            Reserved: 00000000
            Netname: Shared Movies._smb._tcp.local

<--Reply by RouterOS-- SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x0000feff
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response to: 54]
        [Time from request: 0.000007000 seconds]
    Negotiate Protocol Response (0x00)
        [Preauth Hash: 5c8cf3670d9ca5d3b91e2199ac05900e9dc87288dfab3e1ebf702d0fba52eaeafe46ae3070c36de4b1460af9540cd3ceeb601c97b62ba1d73ab22a9a011d192f]
        StructureSize: 0x0041
            0000 0000 0100 000. = Fixed Part Length: 32
            .... .... .... ...1 = Dynamic Part: True
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Dialect: SMB 3.1.1 (0x0311)
        NegotiateContextCount: 3
        Server Guid: 00000000-0000-0000-0000-000000000000
        Capabilities: 0x0000000c, LARGE MTU, MULTI CHANNEL
            .... .... .... .... .... .... .... ...0 = DFS: This host does NOT support DFS
            .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
            .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES
            .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING
            .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Max Transaction Size: 1048576
        Max Read Size: 4194304
        Max Write Size: 4194304
        Current Time: Jan 19, 2025 19:12:36.820239300 PST
        Boot Time: No time specified (0)
        Blob Offset: 0x00000080
        Blob Length: 74
        Security Blob: 604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa32a3028a0261b246e6f745f646566696e65645f696e5f5246433431373840706c656173655f69676e6f7265
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                    negTokenInit
                        mechTypes: 1 item
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        negHints
                            hintName: not_defined_in_RFC4178@please_ignore
        NegotiateContextOffset: 0x000000d0
        Negotiate Context: SMB2_PREAUTH_INTEGRITY_CAPABILITIES 
            Type: SMB2_PREAUTH_INTEGRITY_CAPABILITIES (0x0001)
            DataLength: 38
            Reserved: 00000000
            HashAlgorithmCount: 1
            SaltLength: 32
            HashAlgorithm: SHA-512 (0x0001)
            Salt: edb44f22adfc8867776d42525d298d1ee4b228e0690e951e33ad271ab36e6f6a
        Negotiate Context: SMB2_ENCRYPTION_CAPABILITIES 
            Type: SMB2_ENCRYPTION_CAPABILITIES (0x0002)
            DataLength: 4
            Reserved: 00000000
            CipherCount: 1
            CipherId: AES-128-GCM (0x0002)
        Negotiate Context: SMB2_SIGNING_CAPABILITIES 
            Type: SMB2_SIGNING_CAPABILITIES (0x0008)
            DataLength: 4
            Reserved: 00000000
            SigningAlgorithmCount: 1
            SigningAlgorithmId: AES-CMAC (0x0001)
SUP-176851

My SMB shares stopped authenticating successfully when accessed from any Android, iPhone, iPad, GoogleTV. It prompted me to enter the username and password, but never went through to the directory content and always asks me to input the credentials.

However it still works from Windows 11 or Kali Linux. Invested several hours into troubleshooting without any luck. Decided to downgrade back to 7.16.2 and it worked right away.

MikroTik team, please take a good look at the new SMB implementation, which you mark as "smb - stability improvements for client/server", because in reality it worsens the experience somehow.
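
Added example, not part of any post above and not MikroTik code: a small parser for SMB2 NEGOTIATE requests, run over the two client requests rebuilt from the field values in the Wireshark dissections, that lists the fields where the Infuse request and the macOS request differ. The function names are hypothetical, the client GUID and preauth salt are zeroed, and the 4-byte transport framing is omitted.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
HDR = struct.Struct("<4sHHIHHIIQIIQ16s")   # 64-byte SMB2 sync header
NEG = struct.Struct("<HHHHI16sIHH")        # 36-byte NEGOTIATE request, fixed part
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
CAPS = {0x01: "DFS", 0x02: "LEASING", 0x04: "LARGE_MTU", 0x08: "MULTI_CHANNEL",
        0x10: "PERSISTENT_HANDLES", 0x20: "DIRECTORY_LEASING",
        0x40: "ENCRYPTION", 0x80: "NOTIFICATIONS"}
CONTEXTS = {0x0001: "PREAUTH_INTEGRITY", 0x0002: "ENCRYPTION",
            0x0003: "COMPRESSION", 0x0005: "NETNAME", 0x0008: "SIGNING"}


def build_negotiate(dialects, caps, credits, contexts=()):
    """Constructed sample: SMB2 NEGOTIATE request, GUID zeroed, no TCP framing."""
    end_of_dialects = HDR.size + NEG.size + 2 * len(dialects)
    ctx_off = (end_of_dialects + 7) & ~7 if contexts else 0
    msg = HDR.pack(SMB2_MAGIC, 64, 0, 0, 0, credits, 0, 0, 1, 0, 0, 0, bytes(16))
    msg += NEG.pack(36, len(dialects), 0x01, 0, caps, bytes(16),
                    ctx_off, len(contexts), 0)
    msg += struct.pack("<%dH" % len(dialects), *dialects)
    for ctype, data in contexts:
        msg += bytes(-len(msg) % 8)          # each context starts 8-byte aligned
        msg += struct.pack("<HHI", ctype, len(data), 0) + data
    return msg


def parse_negotiate(msg):
    """Return the negotiation-relevant fields of an SMB2 NEGOTIATE request."""
    if len(msg) < HDR.size + NEG.size:
        raise ValueError("truncated SMB2 NEGOTIATE request")
    magic, hdr_len, _, _, command, credits, flags = HDR.unpack_from(msg)[:7]
    if magic != SMB2_MAGIC or hdr_len != 64 or command != 0 or flags & 1:
        raise ValueError("not an SMB2 NEGOTIATE request")
    (size, count, sec_mode, _, caps, _,
     ctx_off, ctx_count, _) = NEG.unpack_from(msg, HDR.size)
    dialects_at = HDR.size + NEG.size
    if size != 36 or dialects_at + 2 * count > len(msg):
        raise ValueError("bad StructureSize or DialectCount")
    dialects = list(struct.unpack_from("<%dH" % count, msg, dialects_at))
    contexts = []
    if 0x0311 in dialects:                   # context fields exist only for 3.1.1
        if ctx_count and ctx_off < dialects_at + 2 * count:
            raise ValueError("NegotiateContextOffset overlaps the dialect list")
        pos = ctx_off
        for _ in range(ctx_count):
            pos = (pos + 7) & ~7
            if pos + 8 > len(msg):
                raise ValueError("negotiate context header out of bounds")
            ctype, dlen = struct.unpack_from("<HH", msg, pos)
            if pos + 8 + dlen > len(msg):
                raise ValueError("negotiate context data out of bounds")
            contexts.append(ctype)
            pos += 8 + dlen
    else:
        ctx_off = 0                          # same 8 bytes are ClientStartTime
    top = max(dialects, default=None)
    return {
        "dialects": [DIALECTS.get(d, hex(d)) for d in dialects],
        "max_dialect": DIALECTS.get(top, hex(top)) if top is not None else None,
        "capabilities": [name for bit, name in CAPS.items() if caps & bit],
        "signing_required": bool(sec_mode & 0x02),
        "credits_requested": credits,
        "context_offset": ctx_off,
        "contexts": [CONTEXTS.get(c, hex(c)) for c in contexts],
    }


def diff_requests(a, b):
    """Fields whose values differ between two parsed requests."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


COMMON = [0x0202, 0x0210, 0x0300, 0x0302]
# Constructed from the field values shown in the two dissections (salt zeroed).
INFUSE = build_negotiate(COMMON, 0x45, 99)
MACOS = build_negotiate(COMMON + [0x0311], 0x7F, 0, [
    (0x0001, struct.pack("<HHH", 1, 32, 0x0001) + bytes(32)),
    (0x0002, struct.pack("<5H", 4, 4, 3, 2, 1)),
    (0x0003, struct.pack("<HHIH", 1, 0, 0, 0)),
    (0x0008, struct.pack("<3H", 2, 2, 1)),
    (0x0005, "Shared Movies._smb._tcp.local".encode("utf-16-le")),
])

if __name__ == "__main__":
    for field, (infuse, macos) in diff_requests(
            parse_negotiate(INFUSE), parse_negotiate(MACOS)).items():
        print(f"{field}: Infuse={infuse} macOS={macos}")
```

The output lists only the differing fields (offered dialects, capabilities, credits requested, negotiate contexts); it does not by itself say which of them the server rejects.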
 
wrkq
Frequent Visitor
Posts: 77
Joined: Mon Jul 29, 2019 10:59 pm

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 11:06 am

Regarding the watchdog stuff:
It surfaced a while ago that on many devices there is only one I2C-bus which is connected both to various "internal" components and to the SFP slots.
I2C is used to read the eeprom and diagnostic and stuff from SFP modules. However many SFP modules are "bad at I2C-ing", holding the bus seized/blocked for long amounts of time.
It was giving people false overheat alarms, for example, because the CPU was not receiving values from the external temperature sensor within the time limit.
Maybe your device has an external watchdog sitting on I2C as well, and so you're seeing kind of the reverse - the CPU is not sending the "still alive" signal to watchdog within time limit because the bus is blocked?
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 11:49 am

What is the purpose and the use of "authorized-public-key-hash" on device-mode???
 
jlgonzalez
just joined
Posts: 15
Joined: Wed Dec 11, 2019 9:38 am

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 11:51 am

I have upgraded one RBwAPG-5HacD2HnD from version 7.13.5 to 7.17 by uploading the required files (os + wifi-com-ac) and rebooting the device. After the update, the device stopped working because it couldn't start the OS (it boots with Etherboot mode). I have applied Netinstall with the same NPKs and now it is working as expected.

Fortunately, the equipment was physically accessible and it was used as a backup router. If the problem had occurred with a more critical device, it could have been a very big issue. This is something that has happened to us in previous versions, and we have been unable to locate the cause of the error. As far as I understand, if the router does not have enough memory, the update gets canceled, but it does not get bricked like in this case...
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 1:46 pm

Why does this not work since 7.17??? (on all 7.16.2 and earlier, including v6, it works)
/sys log action set [find] disk-file-name="/log"
(works without the /)

These, and other places where a path can be set, work correctly with "/":
/ip hotspot profile set [find default=yes] html-directory="/hotspot"
/interface wifi capsman set package-path="/package"
/interface lte settings set firmware-path="/firmware"
/tool sniffer set file-name="/pcap/sniffer.pcap"
/ip proxy set cache-path="/web-proxy"
/ip smb shares set [ find default=yes ] directory="/pub"
 
dag
just joined
Posts: 2
Joined: Mon Dec 16, 2019 8:48 pm

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 2:17 pm

Bug report: vlan ingress filtering set to no still broken with this release, at the very least on crs310 as confirmed by my tests, it literally has no effect.

Been broken since 7.16 (was working with 7.15).

Original report from the 7.16 release:
Quick report: on CRS310
ingress-filtering=no
on a bridge interface does not work anymore after an upgrade to 7.16, VLAN filtering seems to be enforced anyway (which is a problem for stuff like FTTx that often comes with funky VLANs dictated by ISPs who don't seem to care too much about RFCs).

I only tested this with the CRS310, this may or may not impact other devices, I have a couple RBs and CCRs as well, I'll test them when I have a minute.

Reverted back to 7.15.3, it works just fine.
 
foraster
newbie
Posts: 29
Joined: Tue Oct 01, 2019 5:31 pm

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 3:02 pm


*) snmp - added wifi fields to MIKROTIK-MIB;
Where can I view the .mib-file? Which OIDs?
Did you get the new OIDs for wifi clients?
 
EdPa
MikroTik Support
Topic Author
Posts: 356
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 3:04 pm

@dag, I cannot reproduce the same behavior. The ingress-filtering=no/yes works as expected.

My guess is that you are affected by some other switch/bridge change since v7.16, maybe this one?

*) bridge - added forward-reserved-addresses property which controls forwarding of MAC 01:80:C2:00:00:0x range (separated from "protocol-mode=none" functionality, disabled by default after upgrade);

Send supout.rif file to support, or create a separate topic.
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 3:59 pm

I see messages like these:
2025-01-22_14-57.png
Already reported that positive signal issue for registration table in ROS 7.16 via SUP-170583. Now I see these numbers in 7.17 in logs again.
 
Dartmaul
just joined
Posts: 13
Joined: Fri Jul 14, 2017 5:37 pm

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 6:03 pm

IKEv2 tunnels fail to establish after upgrading to 7.17 (between 7.17<->7.17 and 7.17<->7.16.2). However, 7.17 does establish IKEv2 with Huawei AR (same settings).
Rolling back to 7.16.2 does fix the issue.
Auth method is PSK, 7.17 peer sends "Delete" right after successful IKE_AUTH. Tested on both live RBs and GNS3 lab.

Am I the only one with this issue?
UPD /ip/ipsec/proposal enc-algorithms=chacha20poly1305 doesn't work.
 
nexusds
newbie
Posts: 30
Joined: Fri Aug 16, 2019 6:51 am

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 6:38 pm

Not sure if related to this release, started deploying Chateau Pro AX and noticing Canada 5G WIFI provisioning limits TX to 16 no matter what frequency you go with. Hap AX3 with same release doesn't do this. To get around this, have to set the frequency range and use a different country like US.
 
pturmel
just joined
Posts: 1
Joined: Thu Apr 25, 2024 5:36 pm

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 6:48 pm

Regarding the watchdog stuff:
... trim ...
However many SFP modules are "bad at I2C-ing", holding the bus seized/blocked for long amounts of time.
Sounds plausible. I will procure some MikroTik native copper SFP+ transceivers and see if that makes a difference.
 
Ullinator
just joined
Posts: 17
Joined: Tue Jun 08, 2021 12:53 pm
Location: North-West Germany

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 7:25 pm

Regarding the watchdog stuff:
... trim ...
However many SFP modules are "bad at I2C-ing", holding the bus seized/blocked for long amounts of time.
Sounds plausible. I will procure some MikroTik native copper SFP+ transceivers and see if that makes a difference.
It will!
I've 3 original MT S+RJ10 with ROS 7.17 in use without any problems 😉
 
toolongformt
Member Candidate
Member Candidate
Posts: 181
Joined: Wed Jan 24, 2024 10:05 am

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 8:51 pm

Bug report: vlan ingress filtering set to no still broken with this release, at the very least on crs310 as confirmed by my tests, it literally has no effect.

Been broken since 7.16 (was working with 7.15).

Original report from the 7.16 release:
Quick report: on CRS310 ingress-filtering=no on a bridge interface does not work anymore after an upgrade to 7.16, VLAN filtering seems to be enforced anyway (which is a problem for stuff like FTTx that often comes with funky VLANs dictated by ISPs who don't seem to care too much about RFCs).

I only tested this with the CRS310, this may or may not impact other devices, I have a couple RBs and CCRs as well, I'll test them when I have a minute.

Reverted back to 7.15.3, it works just fine.
Oh man, MikroTik, those are basics... I also had a lot of troubles because a lifetime MikroTik prof was trying to teach me VLAN concepts on MikroTik.
He failed all the way, and I know that he is 100% familiar with vlan on mikrotik, because he administered such routers (nearly) since they exist.
He said "it's impossible that this doesn't work" a few hundred times.
Why, mikrotik, why...?
I want to replace around 15 cisco switches with mikrotik in my company, but honestly, if the stable-version is still a sandbox for mikrotik, I can forget this plan!! This is more than frustrating, cause I planned this project in sum for over a year now (not fulltime o.c.)
Seems as if it's better to stay with cisco...?!
 
oreggin
Member Candidate
Member Candidate
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 9:27 pm

SMB shares stopped working

It hit me too after upgrade from 7.1x to 7.17.
I removed shares and users, disabled the service and reconfigured everything from scratch, and now it works fine again.
I hope this helps.
 
MCN
just joined
Posts: 16
Joined: Thu Feb 21, 2019 8:57 pm

Re: v7.17 [stable] is released!

Wed Jan 22, 2025 11:21 pm

If this is also a bug list - the Chateau-LTE is affected by this change update:
*) winbox - hide LTE "External Antenna" menu for devices without switchable antenna option;

You now no longer see the settings button....
These devices have the ability to add external LTE antennas.
Now you have to run the command manually: /interface/lte/settings/set external-antenna=both

Please someone fix / address this?

To be clear: this is the Chateau-LTE6-US D53G-5HacD2HnD-TC&EG06-A.
 
saaremaa
Member Candidate
Member Candidate
Posts: 163
Joined: Tue Feb 02, 2010 7:48 pm
Location: Lithuania, Kaunas

Re: v7.17 [stable] is released!

Thu Jan 23, 2025 6:34 am

No DHCP interim updates after upgrade to 7.17.
 
liojp
just joined
Posts: 24
Joined: Thu Mar 09, 2023 8:31 am

Re: v7.17 [stable] is released!

Thu Jan 23, 2025 9:27 am


I have the same issue after upgrading to the latest. SMB stopped working. I even upgraded to 7.18 Beta2, and that did not do the trick either.

This is what I see in the packet captures:

...E.SMBr.....C...............'......"..NT LM 0.12..SMB 2.002..SMB 2.???.
.....SMB@...........................................................A.................................@...@.|(...l............J.....`H..+......>0<..0..
+.....7..
.*0(.&.$not_defined_in_RFC4178@please_ignore
...l.SMB@.........c.................................................$.......E....]z-8.Ag.._q..s.................
...I.SMB@........................................................... ........




The SMB client run by Infuse player app on Apple TV stopped working. macOS native SMB client connects without problems.

Below are dissections from Wireshark.

Infuse:
--Request by Infuse--> SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Negotiate Protocol (0x72)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18, Canonicalized Pathnames, Case Sensitivity
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc843, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Used, Extended Attributes, Long Names Allowed
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
            .... .... .1.. .... = Long Names Used: Path names in request are long file names
            .... .... ...0 .... = Security Signatures Required: Security signatures are not required
            .... .... .... 0... = Compressed: Compression is not requested
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0
        Process ID: 1344
        User ID: 0
        Multiplex ID: 0
    Negotiate Protocol Request (0x72)
        Word Count (WCT): 0
        Byte Count (BCC): 34
        Requested Dialects
            Dialect: NT LM 0.12
                Buffer Format: Dialect (2)
                Name: NT LM 0.12
            Dialect: SMB 2.002
                Buffer Format: Dialect (2)
                Name: SMB 2.002
            Dialect: SMB 2.???
                Buffer Format: Dialect (2)
                Name: SMB 2.???

<--Reply by RouterOS-- SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 0
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
    Negotiate Protocol Response (0x00)
        StructureSize: 0x0041
            0000 0000 0100 000. = Fixed Part Length: 32
            .... .... .... ...1 = Dynamic Part: True
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Dialect: SMB2 wildcard (0x02ff)
        Reserved: 0
        Server Guid: 00000000-0000-0000-0000-000000000000
        Capabilities: 0x0000000c, LARGE MTU, MULTI CHANNEL
            .... .... .... .... .... .... .... ...0 = DFS: This host does NOT support DFS
            .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
            .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES
            .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING
            .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Max Transaction Size: 1048576
        Max Read Size: 4194304
        Max Write Size: 4194304
        Current Time: Jan 19, 2025 19:31:13.155350300 PST
        Boot Time: No time specified (0)
        Blob Offset: 0x00000080
        Blob Length: 74
        Security Blob: 604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa32a3028a0261b246e6f745f646566696e65645f696e5f5246433431373840706c656173655f69676e6f7265
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                    negTokenInit
                        mechTypes: 1 item
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        negHints
                            hintName: not_defined_in_RFC4178@please_ignore
        Reserved2: 0x00000000

--Request by Infuse--> SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        Channel Sequence: 0
        Reserved: 0000
        Command: Negotiate Protocol (0)
        Credits requested: 99
        Flags: 0x00000000
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response in: 28]
    Negotiate Protocol Request (0x00)
        [Preauth Hash: d5a10eba0dae463de64e00a9d6f28d86caf27f31cbee57633eee39494cbf27b6c601bf7ee95418c314a20508a331866661c4abd3b99240566b0f96e46bb3f036]
        StructureSize: 0x0024
            0000 0000 0010 010. = Fixed Part Length: 18
            .... .... .... ...0 = Dynamic Part: False
        Dialect count: 4
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Reserved: 0000
        Capabilities: 0x00000045, DFS, LARGE MTU, ENCRYPTION
            .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS
            .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 0... = MULTI CHANNEL: This host does NOT support MULTI CHANNEL
            .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES
            .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING
            .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Client Guid: 51497ea5-5cef-b244-b964-6e8ce408a16f
        NegotiateContextOffset: 0x00000000
        NegotiateContextCount: 0
        Reserved: 0000
        Dialect: SMB 2.0.2 (0x0202)
        Dialect: SMB 2.1 (0x0210)
        Dialect: SMB 3.0 (0x0300)
        Dialect: SMB 3.0.2 (0x0302)

<--Reply by RouterOS-- SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_INSUFFICIENT_RESOURCES (0xc000009a)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response to: 24]
        [Time from request: 0.000004000 seconds]
    Negotiate Protocol Response (0x00)
        [Preauth Hash: f4c7dbdcf3ecb837e5cb129c6cc7c78a3a6f3b2b56109787fd24bcdf2ce7ac44650bd5b25beafbb863ca3411f0f53ebfc1a15743abe42cd58eb4777cdc21ddc2]
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 4
            .... .... .... ...1 = Dynamic Part: True
        Error Context Count: 0
        Reserved: 0x00
        Byte Count: 0
        Error Data: 00

macOS's Finder:
--Request by macOS--> SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Negotiate Protocol (0x72)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x08, Case Sensitivity
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc801, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Allowed
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... ...0 .... = Security Signatures Required: Security signatures are not required
            .... .... .... 0... = Compressed: Compression is not requested
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are not supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 65535
        Process ID: 1
        User ID: 65535
        Multiplex ID: 0
    Negotiate Protocol Request (0x72)
        Word Count (WCT): 0
        Byte Count (BCC): 34
        Requested Dialects
            Dialect: NT LM 0.12
                Buffer Format: Dialect (2)
                Name: NT LM 0.12
            Dialect: SMB 2.002
                Buffer Format: Dialect (2)
                Name: SMB 2.002
            Dialect: SMB 2.???
                Buffer Format: Dialect (2)
                Name: SMB 2.???

<--Reply by RouterOS-- SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 0
        Reserved: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
    Negotiate Protocol Response (0x00)
        StructureSize: 0x0041
            0000 0000 0100 000. = Fixed Part Length: 32
            .... .... .... ...1 = Dynamic Part: True
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Dialect: SMB2 wildcard (0x02ff)
        Reserved: 0
        Server Guid: 00000000-0000-0000-0000-000000000000
        Capabilities: 0x0000000c, LARGE MTU, MULTI CHANNEL
            .... .... .... .... .... .... .... ...0 = DFS: This host does NOT support DFS
            .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
            .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES
            .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING
            .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Max Transaction Size: 1048576
        Max Read Size: 4194304
        Max Write Size: 4194304
        Current Time: Jan 19, 2025 19:12:36.815501500 PST
        Boot Time: No time specified (0)
        Blob Offset: 0x00000080
        Blob Length: 74
        Security Blob: 604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa32a3028a0261b246e6f745f646566696e65645f696e5f5246433431373840706c656173655f69676e6f7265
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                    negTokenInit
                        mechTypes: 1 item
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        negHints
                            hintName: not_defined_in_RFC4178@please_ignore
        Reserved2: 0x00000000

--Request by macOS--> SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        Channel Sequence: 0
        Reserved: 0000
        Command: Negotiate Protocol (0)
        Credits requested: 0
        Flags: 0x00000000
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x0000feff
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response in: 58]
    Negotiate Protocol Request (0x00)
        [Preauth Hash: d31c2830b42fa5c6603ae5e67d9fbbd519687ecc35f3a604d91d0b2cf677831d9ee858e922cf7f1e2fbd9e18b9c1fef59ddb991a3fe69433da1d3eac9afa60c8]
        StructureSize: 0x0024
            0000 0000 0010 010. = Fixed Part Length: 18
            .... .... .... ...0 = Dynamic Part: False
        Dialect count: 5
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Reserved: 0000
        Capabilities: 0x0000007f, DFS, LEASING, LARGE MTU, MULTI CHANNEL, PERSISTENT HANDLES, DIRECTORY LEASING, ENCRYPTION
            .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS
            .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
            .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES
            .... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING
            .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Client Guid: 5918f3a6-8558-bf44-bce9-89cb9c46119a
        NegotiateContextOffset: 0x00000070
        NegotiateContextCount: 5
        Reserved: 0000
        Dialect: SMB 2.0.2 (0x0202)
        Dialect: SMB 2.1 (0x0210)
        Dialect: SMB 3.0 (0x0300)
        Dialect: SMB 3.0.2 (0x0302)
        Dialect: SMB 3.1.1 (0x0311)
        Negotiate Context: SMB2_PREAUTH_INTEGRITY_CAPABILITIES 
            Type: SMB2_PREAUTH_INTEGRITY_CAPABILITIES (0x0001)
            DataLength: 38
            Reserved: 00000000
            HashAlgorithmCount: 1
            SaltLength: 32
            HashAlgorithm: SHA-512 (0x0001)
            Salt: b2967270afec39d772b756b248b7e7f8c6868f28a5bd3dae84be2c94061cdd38
        Negotiate Context: SMB2_ENCRYPTION_CAPABILITIES 
            Type: SMB2_ENCRYPTION_CAPABILITIES (0x0002)
            DataLength: 10
            Reserved: 00000000
            CipherCount: 4
            CipherId: AES-256-GCM (0x0004)
            CipherId: AES-256-CCM (0x0003)
            CipherId: AES-128-GCM (0x0002)
            CipherId: AES-128-CCM (0x0001)
        Negotiate Context: SMB2_COMPRESSION_CAPABILITIES 
            Type: SMB2_COMPRESSION_CAPABILITIES (0x0003)
            DataLength: 10
            Reserved: 00000000
            CompressionAlgorithmCount: 1
            Flags: 0x00000000
                .... .... .... .... .... .... .... ...0 = Chained: False
                0000 0000 0000 0000 0000 0000 0000 000. = Reserved: 0x00000000
            CompressionAlgorithmId: None (0x0000)
        Negotiate Context: SMB2_SIGNING_CAPABILITIES 
            Type: SMB2_SIGNING_CAPABILITIES (0x0008)
            DataLength: 6
            Reserved: 00000000
            SigningAlgorithmCount: 2
            SigningAlgorithmId: AES-GMAC (0x0002)
            SigningAlgorithmId: AES-CMAC (0x0001)
        Negotiate Context: SMB2_NETNAME_NEGOTIATE_CONTEXT_ID 
            Type: SMB2_NETNAME_NEGOTIATE_CONTEXT_ID (0x0005)
            DataLength: 58
            Reserved: 00000000
            Netname: Shared Movies._smb._tcp.local

<--Reply by RouterOS-- SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Negotiate Protocol (0)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 1
        Reserved: 0x0000feff
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response to: 54]
        [Time from request: 0.000007000 seconds]
    Negotiate Protocol Response (0x00)
        [Preauth Hash: 5c8cf3670d9ca5d3b91e2199ac05900e9dc87288dfab3e1ebf702d0fba52eaeafe46ae3070c36de4b1460af9540cd3ceeb601c97b62ba1d73ab22a9a011d192f]
        StructureSize: 0x0041
            0000 0000 0100 000. = Fixed Part Length: 32
            .... .... .... ...1 = Dynamic Part: True
        Security mode: 0x01, Signing enabled
            .... ...1 = Signing enabled: True
            .... ..0. = Signing required: False
        Dialect: SMB 3.1.1 (0x0311)
        NegotiateContextCount: 3
        Server Guid: 00000000-0000-0000-0000-000000000000
        Capabilities: 0x0000000c, LARGE MTU, MULTI CHANNEL
            .... .... .... .... .... .... .... ...0 = DFS: This host does NOT support DFS
            .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING
            .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
            .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
            .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES
            .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING
            .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION
            .... .... .... .... .... .... 0... .... = NOTIFICATIONS: This host does NOT support receiving NOTIFICATIONS
        Max Transaction Size: 1048576
        Max Read Size: 4194304
        Max Write Size: 4194304
        Current Time: Jan 19, 2025 19:12:36.820239300 PST
        Boot Time: No time specified (0)
        Blob Offset: 0x00000080
        Blob Length: 74
        Security Blob: 604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa32a3028a0261b246e6f745f646566696e65645f696e5f5246433431373840706c656173655f69676e6f7265
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                    negTokenInit
                        mechTypes: 1 item
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        negHints
                            hintName: not_defined_in_RFC4178@please_ignore
        NegotiateContextOffset: 0x000000d0
        Negotiate Context: SMB2_PREAUTH_INTEGRITY_CAPABILITIES 
            Type: SMB2_PREAUTH_INTEGRITY_CAPABILITIES (0x0001)
            DataLength: 38
            Reserved: 00000000
            HashAlgorithmCount: 1
            SaltLength: 32
            HashAlgorithm: SHA-512 (0x0001)
            Salt: edb44f22adfc8867776d42525d298d1ee4b228e0690e951e33ad271ab36e6f6a
        Negotiate Context: SMB2_ENCRYPTION_CAPABILITIES 
            Type: SMB2_ENCRYPTION_CAPABILITIES (0x0002)
            DataLength: 4
            Reserved: 00000000
            CipherCount: 1
            CipherId: AES-128-GCM (0x0002)
        Negotiate Context: SMB2_SIGNING_CAPABILITIES 
            Type: SMB2_SIGNING_CAPABILITIES (0x0008)
            DataLength: 4
            Reserved: 00000000
            SigningAlgorithmCount: 1
            SigningAlgorithmId: AES-CMAC (0x0001)
SUP-176851
My SMB shares stopped successful authentication when accessed from any Android, iPhone, iPad, GoogleTV. It prompted me to enter the username and password, but never went through to the directory content and always asks for inputting the credentials.

However it still works from Windows 11 or Kali Linux. Invested several hours into troubleshooting without any luck. Decided to downgrade back to 7.16.2 and it worked right away.

MikroTik team, please take a good look at the new SMB implementation which you mark as "smb - stability improvements for client/server", cause in reality it worsens the experience somehow.
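
Added example (not part of any post in this thread and not MikroTik's code): a small Python decoder for the SMB2 NEGOTIATE exchange shown in the dissections above, reducing a capture to the dialects the client offered and the server's answer. The sample PDUs are constructed from the field values in those dissections (security blob and negotiate-context bodies omitted), and all function names are hypothetical.

```python
import struct

HDR = struct.Struct("<4sHHIHHIIQIIQ16s")   # SMB2 sync header, 64 bytes
REQ = struct.Struct("<HHHHI16sIHH")        # NEGOTIATE request, fixed part (36 bytes)
RSP = struct.Struct("<HHHH16sIIIIQQHHI")   # NEGOTIATE response, fixed part (64 bytes)
ERR = struct.Struct("<HBBIB")              # error response body (9 bytes)

DIALECT = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
           0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1", 0x02FF: "SMB2 wildcard"}
STATUS = {0x00000000: "STATUS_SUCCESS",
          0xC000009A: "STATUS_INSUFFICIENT_RESOURCES"}
FLAG_RESPONSE = 0x00000001


def parse_negotiate(pdu: bytes) -> dict:
    """Decode one SMB2 NEGOTIATE request, response or error response."""
    if len(pdu) < HDR.size + 2:
        raise ValueError("truncated SMB2 PDU")
    magic, hlen, _, status, cmd, _, flags, _, msg_id, _, _, _, _ = HDR.unpack_from(pdu)
    if magic != b"\xfeSMB" or hlen != 64:
        raise ValueError("not an SMB2 PDU")
    if cmd != 0:
        raise ValueError("not a NEGOTIATE command")
    body = pdu[HDR.size:]
    size = struct.unpack_from("<H", body)[0]          # StructureSize of the body
    if not flags & FLAG_RESPONSE:
        if size != 36 or len(body) < REQ.size:
            raise ValueError("malformed NEGOTIATE request")
        _, count, _, _, _, _, _, ctx_count, _ = REQ.unpack_from(body)
        if len(body) < REQ.size + 2 * count:
            raise ValueError("dialect list truncated")
        offered = struct.unpack_from(f"<{count}H", body, REQ.size)
        return {"kind": "request", "msg_id": msg_id,
                "offered": list(offered), "contexts": ctx_count}
    if size == 9:                                     # error response, no dialect
        return {"kind": "error", "msg_id": msg_id, "status": status}
    if size != 65 or len(body) < RSP.size:
        raise ValueError("malformed NEGOTIATE response")
    dialect = RSP.unpack_from(body)[2]
    return {"kind": "response", "msg_id": msg_id,
            "status": status, "dialect": dialect}


def summarize(pdus) -> dict:
    """Reduce a NEGOTIATE exchange (capture order) to offer and outcome."""
    result = {"wildcard": False, "offered": [], "contexts": 0,
              "ok": False, "outcome": "no answer to SMB2 NEGOTIATE"}
    for raw in pdus:
        msg = parse_negotiate(raw)
        if msg["kind"] == "request":
            result["offered"] = [DIALECT.get(d, hex(d)) for d in msg["offered"]]
            result["contexts"] = msg["contexts"]
        elif msg["kind"] == "error":
            result["outcome"] = STATUS.get(msg["status"], f"0x{msg['status']:08x}")
        elif msg["dialect"] == 0x02FF:
            # Reply to the SMB1 multi-protocol negotiate: the client must now
            # send a real SMB2 NEGOTIATE listing its dialects.
            result["wildcard"] = True
        else:
            result["ok"] = msg["status"] == 0
            result["outcome"] = DIALECT.get(msg["dialect"], hex(msg["dialect"]))
    return result


# --- constructed sample PDUs, built from the dissected field values ---------
def _hdr(msg_id, status=0, response=False):
    flags = FLAG_RESPONSE if response else 0
    return HDR.pack(b"\xfeSMB", 64, 0, status, 0, 1, flags, 0,
                    msg_id, 0, 0, 0, bytes(16))


def _request(msg_id, dialects, ctx_count):
    fixed = REQ.pack(36, len(dialects), 1, 0, 0, bytes(16), 0, ctx_count, 0)
    return _hdr(msg_id) + fixed + struct.pack(f"<{len(dialects)}H", *dialects)


def _response(msg_id, dialect, ctx_count=0):
    return _hdr(msg_id, response=True) + RSP.pack(
        65, 1, dialect, ctx_count, bytes(16), 0x0C,
        1048576, 4194304, 4194304, 0, 0, 0x80, 0, 0)


def _error(msg_id, status):
    return _hdr(msg_id, status, True) + ERR.pack(9, 0, 0, 0, 0)


INFUSE = [_response(0, 0x02FF),
          _request(1, [0x0202, 0x0210, 0x0300, 0x0302], 0),
          _error(1, 0xC000009A)]
MACOS = [_response(0, 0x02FF),
         _request(1, [0x0202, 0x0210, 0x0300, 0x0302, 0x0311], 5),
         _response(1, 0x0311, 3)]

if __name__ == "__main__":
    for name, capture in (("Infuse", INFUSE), ("macOS Finder", MACOS)):
        print(name, summarize(capture))
```
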
 
mirolm
just joined
Posts: 11
Joined: Mon Apr 27, 2015 8:35 pm

Re: v7.17 [stable] is released!

Thu Jan 23, 2025 9:46 am

I noticed something strange on reboot with 7.17. There is this strange error and the adlist is stuck and does not reload automatically. A manual reload fixes it.

2025-01-23 01:02:30 system,info router rebooted by winbox-3.41/tcp-msg(winbox):admin@192.168.88.xx
2025-01-23 01:02:30 dns,error [adlist] http client error: resolving error
2025-01-23 01:02:31 interface,info lo link up
2025-01-23 01:02:32 bridge,info hardware offloading activated on bridge "bridge" ports: ether2-local,ether3-local,ether4-local,ether5-local
2025-01-23 01:02:35 interface,info ether4-local link up (speed 1G, full duplex)
2025-01-23 01:02:35 interface,info ether5-local link up (speed 1G, full duplex)
2025-01-23 01:02:36 interface,info ether1-wan link up (speed 1G, full duplex)
2025-01-23 01:02:39 dhcp,info dhcp-client on ether1-wan got IP address xx.xx.xx.xx
2025-01-23 01:02:41 system,info,account user admin logged in from 192.168.88.xx via winbox

Shouldn't adlist wait to reload AFTER all interfaces are up and dhcp client gets ip for the wan interface?
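
The ordering question in the post above can be checked mechanically on an exported log. The following is an added example, not part of the original post and not MikroTik code: it flags adlist errors logged after a reboot but before the DHCP client obtained a lease. The sample lines are copied from the post; the function names and the assumption that the log is in chronological file order are mine.

```python
import re
from datetime import datetime

# Log lines copied from the post above (addresses were already masked there).
SAMPLE_LOG = """\
2025-01-23 01:02:30 system,info router rebooted by winbox-3.41/tcp-msg(winbox):admin@192.168.88.xx
2025-01-23 01:02:30 dns,error [adlist] http client error: resolving error
2025-01-23 01:02:31 interface,info lo link up
2025-01-23 01:02:32 bridge,info hardware offloading activated on bridge "bridge" ports: ether2-local,ether3-local,ether4-local,ether5-local
2025-01-23 01:02:35 interface,info ether4-local link up (speed 1G, full duplex)
2025-01-23 01:02:35 interface,info ether5-local link up (speed 1G, full duplex)
2025-01-23 01:02:36 interface,info ether1-wan link up (speed 1G, full duplex)
2025-01-23 01:02:39 dhcp,info dhcp-client on ether1-wan got IP address xx.xx.xx.xx
2025-01-23 01:02:41 system,info,account user admin logged in from 192.168.88.xx via winbox
"""

# "<date> <time> <comma-separated topics> <message>", as in the lines above.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
LEASE_RE = re.compile(r"^dhcp-client on (\S+) got IP address")


def parse_log(text):
    """Yield (timestamp, topics, message) for each well-formed line, in file order."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, set(m.group(2).split(",")), m.group(3)


def adlist_errors_before_wan(text):
    """Return adlist errors logged between a reboot and the first DHCP lease.

    Errors in a boot cycle that never shows a lease are reported with
    lease_interface and seconds_before_lease set to None.
    """
    findings = []
    pending = []               # adlist errors seen in this boot, no lease yet
    waiting_for_lease = False  # True between a reboot marker and the first lease
    for ts, topics, msg in parse_log(text):
        if "system" in topics and msg.startswith("router rebooted"):
            findings.extend(pending)  # previous boot cycle ended without a lease
            pending = []
            waiting_for_lease = True
        elif waiting_for_lease and "error" in topics and msg.startswith("[adlist]"):
            pending.append({
                "error_time": ts,
                "message": msg,
                "lease_interface": None,
                "seconds_before_lease": None,
            })
        elif waiting_for_lease:
            lease = LEASE_RE.match(msg)
            if lease:
                for item in pending:
                    item["lease_interface"] = lease.group(1)
                    item["seconds_before_lease"] = (ts - item["error_time"]).total_seconds()
                findings.extend(pending)
                pending = []
                waiting_for_lease = False
    findings.extend(pending)
    return findings


if __name__ == "__main__":
    for f in adlist_errors_before_wan(SAMPLE_LOG):
        print(f["error_time"], f["message"], f["lease_interface"], f["seconds_before_lease"])
```

An adlist error that shows up here with a positive `seconds_before_lease` was raised while the router had no upstream address yet, which matches the sequence in the posted log.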
 
dev246
just joined
Posts: 19
Joined: Thu Jun 26, 2014 4:24 pm

Re: v7.17 [stable] is released!

Thu Jan 23, 2025 10:58 am

> bridge - disallow duplicate static VLAN entries;
Is this change the reason why I can no longer add e.g. on port 23 vlans in the range of 1-2000 and on port 24 vlans in the range of 10-20?

In previous versions it was possible, but now I get an error.

I have a lot of vlans and it was mega convenient for me when I assigned vlans to ports. And now unfortunately I have to assign ports to vlans :/
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Thu Jan 23, 2025 3:18 pm

I was finally able to update RB450Gx4 7.16.2 -> 7.17 by going "babysteps":

At the start, 7.17 stable gave the error message "free up 9 kB of kernel disk space"
I tried then with 7.17 beta6 -> "free up 5 kB of kernel disk space". Looks like we are moving in the right direction...
Then I took 7.17 beta2 and that succeeded - CAPs became unbound though
Then I tried 7.17 stable again and failed.
I tried again with 7.17 beta6 and that succeeded - CAPs were operational again - good news.
Then I went to /system package update download to get 7.17 stable - and now that succeeded as well and all seems to be working OK for now.

So your path can be 7.16.2 -> 7.17beta2 -> 7.17beta6 -> 7.17 stable

That all meant that I had to manually dig out these old betas from download.mikrotik.com - if they would not be available then all this would not have been possible.
Last edited by nmt1900 on Thu Jan 23, 2025 4:20 pm, edited 1 time in total.
 
akovacs
just joined
Posts: 3
Joined: Sun Oct 08, 2023 10:50 am

Re: v7.17 [stable] is released!

Thu Jan 23, 2025 4:18 pm

I had an issue upgrading due to low disk space on a D53G-5HacD2HnD (Chateau LTE6).
I did a netinstall to 7.17 and restored a backup, but the space was low again.
Then I looked into an unencrypted backup and saw many, around 150, CA certificates.
I don't know how and when those CA certificates got downloaded and filled into the certificate store.
Is there some built-in automation to do that?
I have 5 different routers, but only this and another have the same filled-up cert store; the rest do not have any root CA.
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Thu Jan 23, 2025 6:20 pm

No, what are the certs' names (not the issuer, but the name on RouterOS)?
 
tagno25
newbie
Posts: 38
Joined: Wed Feb 25, 2009 11:24 pm
Location: Kansas City, MO

Re: v7.17 [stable] is released!

Thu Jan 23, 2025 7:04 pm

We have upgraded multiple (20+) devices and sometimes the bridge interface is deleted on upgrade, but there is no log message saying that it was or why. On nearly all of the CubeG-5ac60ay-SA devices the bridge was deleted, but on other devices the average for the problem was much lower. Has anyone else had this problem, or does anyone have any idea why this occurred?
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Thu Jan 23, 2025 7:07 pm

As usual, "you" forget to write the history of all previous RouterOS versions installed.
 
liojp
just joined
Posts: 24
Joined: Thu Mar 09, 2023 8:31 am

Re: v7.17 [stable] is released!

Thu Jan 23, 2025 7:13 pm

> SMB shares stopped working
>
> It hits me too after upgrade from 7.1x to 7.17.
> I removed shares and users, disabled the service and reconfigured everything from scratch and now it works fine again.
> I hope this helps.
After the upgrade, SMB worked fine for me. I can connect from MacOS, and I believe other users in this thread can connect from Windows Machines, too. However, all my media servers are running Infuse, and Infuse can't connect to MikroTik shares anymore.
Last edited by liojp on Thu Jan 23, 2025 7:14 pm, edited 1 time in total.
 
tagno25
newbie
Posts: 38
Joined: Wed Feb 25, 2009 11:24 pm
Location: Kansas City, MO

Re: v7.17 [stable] is released!

Thu Jan 23, 2025 7:13 pm

The previous RouterOS versions on our devices have varied from 7.12.1 to 7.16.2, but the previous version doesn't seem to matter. Some of the devices shipped with v6 and others with a random v7. The RouterBOOT version varies from 6.42 to 7.16.2. I have not been able to find any commonality between all of the devices. I have even tried deleting and recreating the bridge in 7.16.2 before the upgrade on a few of the CubeG-5ac60ay-SA devices, but that didn't even help.
 
akovacs
just joined
Posts: 3
Joined: Sun Oct 08, 2023 10:50 am

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 9:46 am

> No, what are the certs' names (not the issuer, but the name on RouterOS)?
Hi, thanks for asking. On my other router (hAP ax³, version 7.16.2) the certificates are named cacert.pem_0 to cacert.pem_150.
It looked similar on the Chateau LTE6 before I deleted all the certs.
While it was a problem on the Chateau LTE6, it probably won't be a problem on the hAP ax³ due to the much larger flash size.
I'm just wondering if I did something in the past to import all those certs, and I just cannot remember it. 😊
Last edited by akovacs on Fri Jan 24, 2025 10:58 am, edited 1 time in total.
 
CGGXANNX
Member Candidate
Posts: 271
Joined: Thu Dec 21, 2023 6:45 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 9:59 am

You've probably, sometime in the past, downloaded the CA bundle from here https://curl.se/docs/caextract.html and uploaded it to the router, hence the cacert.pem filename as source.

Nowadays I usually download the list from here https://www.ccadb.org/resources (PEM of Root Certificates in Mozilla’s Root Store with the Websites (TLS/SSL) Trust Bit Enabled (TXT))

More info: https://blog.mozilla.org/security/2019/ ... ase-ccadb/
 
stathismes
newbie
Posts: 28
Joined: Sun May 14, 2017 3:34 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 11:05 am

It seems that 7.17 has broken the VRRP Sync Connection tracking mechanism. On my VRRP interfaces with Torch I don't see any protocol-112 (vrrp) or UDP/8275 traffic. What gives??
I opened SUP-177102 about the VRRP connection sync issue.
 
joshhboss
Member Candidate
Posts: 298
Joined: Thu Aug 01, 2019 2:13 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 2:20 pm

> *) bridge - added interface-list support for VLANs;

What does this mean?
Meaning you don't have to tag ports per VLAN 1 by 1.. this is HUGE!!! And a range command?!?! I'm thrilled.. I use the CRS switches so this is a big deal to me..
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 3:06 pm

Just two days ago, I suggested in the 7.18 topic that release features could be announced better. Now, two days later, there’s a great changelog video for 7.17. That must be a coincidence - you can’t make a video like that so quickly!

RouterOS 7.17 changelog as a YT video: https://www.youtube.com/watch?v=Dv-cv1h5Yfc

I really like that format!
 
pe1chl
Forum Guru
Posts: 10550
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 3:18 pm

I have suggested before that the changelog should be changed to a link to a site, where additional info can be provided.
E.g. a link to relevant documentation in the manual (help site), a mouseover tip that explains the items in slightly more detail, and information like the release where a fixed problem was introduced.
That site should also be able to dynamically generate a changelog between two versions (e.g. between 7.16 and 7.18) by merging the changelog lines and omitting those that were introduced AND fixed between the releases.
The "check for updates" feature in the router could link to that because it knows the currently installed version and the install candidate.
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 3:50 pm

> I'm just wondering if I did something in the past to import all those certs, and I just cannot remember it. 😊

Yes, you read this topic and applied the script.
viewtopic.php?p=1080348#p831111

@CGGXANNX never trust intermediate sites.
viewtopic.php?p=1121413#p1121413
On the previous link I added a script for https://ccadb.my.salesforce-sites.com/m ... e=Websites
 
evilsabc
just joined
Posts: 5
Joined: Wed Jan 26, 2022 4:16 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 4:44 pm

Hi, I migrated from 7.15.3 to 7.17 and now all my SFPs are not working and I lose access to the device. If I reset the device I get access to factory default, but my old configuration doesn't work.

I tried to downgrade but nothing works; it stays on 7.17 whatever.

I tried /system/device-mode/update partition=yes and it doesn't want to downgrade.

Is there any way to fix my configuration to work with 7.17, or how can I downgrade correctly? I followed what I found on the forum but nothing works.
 
Nevon
Frequent Visitor
Posts: 74
Joined: Thu Sep 05, 2013 6:06 pm
Location: Sweden

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 4:48 pm

CRS112..

Where have all the VLAN settings under switch gone?
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 4:50 pm

@evilsabc
To use netinstall to reinstall 7.15.3 and reload the backup, you must first enable it in device-mode.

Press the reset button after running this code:

/system device-mode update activation-timeout=60s mode=advanced install-any-version=yes partitions=yes routerboard=yes
 
nmt1900
Frequent Visitor
Posts: 88
Joined: Wed Feb 01, 2017 12:36 am

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 4:58 pm

> CRS112..
>
> Where are all the vlan settings under switch gone?
That is a Winbox 4 bug. They are there when using Winbox 3.
 
evilsabc
just joined
Posts: 5
Joined: Wed Jan 26, 2022 4:16 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 5:11 pm

> @evilsabc
> To use netinstall to reinstall 7.15.3 and reload the backup, you must first enable it in device-mode.
>
> Press the reset button after running this code:
>
> /system device-mode update activation-timeout=60s mode=advanced install-any-version=yes partitions=yes routerboard=yes

I ran the command and tried to get into netinstall mode, but it never goes into netinstall mode; it boots into RouterOS 7.17 instead.

I followed the instructions: I cut the power, pressed the reset, held the reset with power on until the LED went off, and it still boots.
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 5:18 pm

DO NOT POST serial-number!
/system ; package print detail ; device-mode print ; routerboard ; print ; settings print ; /partition print detail
results?
Last edited by rextended on Fri Jan 24, 2025 5:26 pm, edited 2 times in total.
 
evilsabc
just joined
Posts: 5
Joined: Wed Jan 26, 2022 4:16 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 5:24 pm

> DO NOT POST SERIAL NUMBER!
> /system ; package print ; device-mode print ; routerboard ; print ; settings print
> results?
[admin@MikroTik] /system> device-mode print
mode: advanced
flagged: no
flagging-enabled: yes
scheduler: yes
socks: yes
fetch: yes
pptp: yes
l2tp: yes
bandwidth-test: yes
traffic-gen: no
sniffer: yes
ipsec: yes
romon: yes
proxy: yes
hotspot: yes
smb: yes
email: yes
zerotier: yes
container: no
install-any-version: yes
partitions: yes
routerboard: yes
attempt-count: 0

[admin@MikroTik] /system> routerboard print
routerboard: yes
model: CCR2116-12G-4S+
serial-number: XXXXXXXXXXXXX
firmware-type: al64v3
factory-firmware: 7.0.9
current-firmware: 7.15.3
upgrade-firmware: 7.17

[admin@MikroTik] /system> settings print
bad command name settings (line 1 column 1)
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 5:26 pm

and
/system ; package print detail ; routerboard settings print ; /partition print detail
?
(if I write that line, you must copy and paste the whole line...)
 
evilsabc
just joined
Posts: 5
Joined: Wed Jan 26, 2022 4:16 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 5:29 pm

> and
> /system ; package print detail ; routerboard ; print ; settings print ; /partition print detail
> ?
> (if I write that line, you must copy and paste the whole line...)
[admin@MikroTik] /system> /partition print
Flags: A - ACTIVE; R - RUNNING
Columns: NAME, FALLBACK-TO, VERSION, SIZE
# NAME FALLBACK-TO VERSION SIZE
0 AR part0 next RouterOS v7.17 2025-01-16 08:19:28 128MiB
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 5:32 pm

device-mode is Ok, RouterBOOT (firmware) is Ok, Partition is OK, still missing the rest.......................................
if you still want to do it manually one by one....
/system package print detail
/system routerboard settings print
 
evilsabc
just joined
Posts: 5
Joined: Wed Jan 26, 2022 4:16 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 5:35 pm

> device-mode is Ok, RouterBOOT (firmware) is Ok, Partition is OK, still missing the rest.......................................
> if you still want to do it manually one by one....
> /system package print detail
> /system routerboard settings print
I will do all you want to get my old configuration back online lol

[admin@MikroTik] /system> package print detail
Flags: X - disabled
0 name="routeros" version="7.17" build-time=2025-01-16 08:19:28 scheduled="" size=11.9MiB

1 name="wireless" version="7.17" build-time=2025-01-16 08:19:28 scheduled="" size=856.1KiB

[admin@MikroTik] /system> routerboard settings print
auto-upgrade: no
baud-rate: 115200
boot-delay: 2s
enter-setup-on: any-key
boot-device: nand-if-fail-then-ethernet
preboot-etherboot: disabled
preboot-etherboot-server: any
boot-protocol: bootp
enable-jumper-reset: yes
force-backup-booter: no
silent-boot: no
protected-routerboot: disabled
reformat-hold-button: 20s
reformat-hold-button-max: 10m
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 5:39 pm

Ok, also RouterBOOT settings and packages are ok.
Do you have a backup of the configuration? The old config cannot reappear just by putting back 7.15.3....

Download those, drag and drop them inside winbox, and after that go to system / packages and press downgrade
https://download.mikrotik.com/routeros/ ... -arm64.npk
https://download.mikrotik.com/routeros/ ... -arm64.npk
If all works as expected, after the reboot the RouterBOARD has 7.15.3 as RouterOS and you can reload the backup you made before the upgrade.
 
evilsabc
just joined
Posts: 5
Joined: Wed Jan 26, 2022 4:16 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 5:44 pm

> Ok, also RouterBOOT settings and packages are ok.
> Do you have a backup of the configuration? The old config cannot reappear just by putting back 7.15.3....
>
> Download those, drag and drop them inside winbox, and after that go to system / packages and press downgrade
> https://download.mikrotik.com/routeros/ ... -arm64.npk
> https://download.mikrotik.com/routeros/ ... -arm64.npk
> If all works as expected, after the reboot the RouterBOARD has 7.15.3 as RouterOS and you can reload the backup you made before the upgrade.

It works !!

For others with the same problem: you have to send the 2 packages. I was using only the routeros package, not the wireless one.

Now my configuration is restored and working number 1, thanks a lot.
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 6:06 pm

DO NOT PUT FILE ON FORUM
Well, do one "/export show-sensitive file=myexport" and save the export out of the Router,
to program the router once v17 is installed, and reset to empty default first.
If you do not use old CAPsMAN at all, consider uninstalling wireless, since CCR2116-12G-4S+ does not have any wireless interface...
 
evilsabc
just joined
Posts: 5
Joined: Wed Jan 26, 2022 4:16 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 6:46 pm

I don't understand why v7.17 doesn't work with my 7.15.3 configuration. I always use auto upgrade to upgrade the router and I never had any problems.
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 7:01 pm

The problem is not the configuration, but probably the database files where the configuration is written are unreadable by 7.17 for some reason... Create supout.rif and send it to MikroTik support with a problem description.
 
ConradPino
Member
Posts: 390
Joined: Sat Jan 21, 2023 12:44 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 7:44 pm

@rextended Thank you, and well done!
 
dag
just joined
Posts: 2
Joined: Mon Dec 16, 2019 8:48 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 7:53 pm

Bug report: the serial console becomes unresponsive after several days, and needs to be cycled (disabled/enabled) via the web interface to work again. Observed on a CCR2216 (twice).
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 8:03 pm

> @rextended Thank you, and well done!
Thanks... But for what??? 🤷‍♂️
 
ConradPino
Member
Posts: 390
Joined: Sat Jan 21, 2023 12:44 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 8:06 pm

> Thanks... But for what??? 🤷‍♂️
Helping @evilsabc, a generous and substantial commitment IMO.
 
PackElend
Member Candidate
Posts: 273
Joined: Tue Sep 29, 2020 6:05 pm

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 8:08 pm

Updated to v7.17 almost flawlessly; all were at v7.15.3 before:
hAB-ac3
hEX-PoE
CRS328-24P-4S+
CRS 328-4C-20S-4S+
CCR1009-8G-1S-1S+
hEX-S

that is my topology

-router, CCR1009-8G-1S-1S+
-core switch, CRS328-4C-20S-4S+
-- PoE-powered smart devices, CRS328-24P-4S+
-PoE Switch (powers APs), no clue what the right technical term for such device, hEX PoE
--AP1, cAP ax
--AP2, cAP ax
--AP3, cAP ax

First I updated the APs and then the hEX PoE.
I lost connection to the hEX PoE until I updated the core switch CRS328-4C-20S-4S+
(strange, isn't it? But I'm happy that I don't have to do a netinstall)
 
rextended
Forum Guru
Posts: 12649
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 8:11 pm

> > Thanks... But for what??? 🤷‍♂️
>
> Helping @evilsabc, a generous and substantial commitment IMO.
Ah, I thought you had a similar problem, but I either didn't read it or inadvertently ignored it.
 
comredperu
just joined
Posts: 4
Joined: Fri Dec 28, 2018 8:18 pm
Location: Peru

Re: v7.17 [stable] is released!

Fri Jan 24, 2025 11:29 pm

> For me so far, on CCR2004's, it added a new problem.
>
> I have one at my office - one at my home. I use EOIP (yes, I know I should subnet it, but for now I need it all on the same layer 2) with encryption to link the two locations together.
>
> Version 7.16.2 the best on a 1gb symmetrical connection I could get was 400MB/sec between the two locations.
>
> Version 7.17 made some huge improvements, I'm seeing 700-800MB/sec....
>
> BUT connections are dropping. Not packet loss - connections get closed. You'll be winboxed in and poof - you're disconnected to the remote site.
>
> Roll back to 7.16.2 - my speeds are back to what they were - and it's stable again.
>
> Thoughts anyone?
Replace EOIP with VPLS. VPLS is more efficient for joining two sites in a single layer 2 domain using a layer 3 tunnel.
You can also use VXLAN which is an easier alternative to implement.
 
jsadler
just joined
Posts: 5
Joined: Tue Sep 18, 2018 1:10 pm
Location: New Zealand

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 1:29 am

It appears that DHCP Alert (Rogue DHCP Alerting) does not seem to work since 7.17 if DHCP Snooping is enabled on the bridge which the DHCP server is bound to - has anyone else experienced this? I'm yet to do extensive testing.
 
pe1chl
Forum Guru
Posts: 10550
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 1:40 pm

OF COURSE that does not work when DHCP Snooping is enabled!
DHCP Snooping is an active technique to avoid the problem of Rogue DHCP servers.
You would not use both at the same time...
 
dag
just joined
Posts: 2
Joined: Mon Dec 16, 2019 8:48 pm

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 3:16 pm

> @dag, I cannot reproduce same behavior. The ingress-filtering=no/yes works as expected.
>
> My guess is that you are affected by some other switch/bridge change since v7.16, maybe this one?
>
> *) bridge - added forward-reserved-addresses property which controls forwarding of MAC 01:80:C2:00:00:0x range (separated from "protocol-mode=none" functionality, disabled by default after upgrade);
>
> Send supout.rif file to support, or create a separate topic.
Winner winner chicken dinner. Enabling forward-reserved-addresses does indeed work. Thank you very much.
 
Zaesch
Frequent Visitor
Posts: 88
Joined: Thu Apr 16, 2009 12:43 pm

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 3:50 pm

I have a similar issue like i4ko:
One device tries to connect to our server with a bunch of packets, because it wants to establish a couple of tunnels. The 7.17 (and 7.16.2 too) version detects a TCP syn flood and shuts down any tcp syn ack traffic on that interface (Log message "possible SYN flooding on tcp port ..."). Even for other devices that want to connect.
The only workaround I found is to drop all packets from this "flooding" host and everything works fine - except for the blocked host. Tried a rate limit firewall rule, but it seems it is too slow or lets too many packets through.

Why is MT detecting syn floods? and where can this "feature" be disabled?!? I never activated this feature and in the past everything was fine.
Any idea which old version is not affected by this?

Fun fact: The "flooding" device is a Mikrotik router *facepalm
> Not stable!
>
> Had a bad upgrade experience. Upgrade to 7.17 - no name resolution for the router or lan clients, no helpful error message - receiving nxdomain, disable/enable, change dns servers for the internal service - nada. Downgrade to 7.16/7.15 - all works fine. Upgrade to 7.17 again - no workie. Again, no dns related messages in console except for tcp syn flood on port 53!.
>
> Tried to disable all static entries - now clients get servfail instead of nxdomain. Disable and enable again - ok, now get resolution. Going on to enable static entries one-by-one - ah, a new error appears - a duplicate entry! What? That has never been the case, and second, why do you care - ignore it, if it is truly duplicate it does not cause any indeterminate state in the config (yes, they were truly duplicate). Why is that error not in console log when the system boots and service is brought up and chokes?
>
> You can't drop the ball like that Mikrotik. This is a simple situation your QAs should test. And not only that but if you roll service with such harebrained changes it should be a parallel optional service that you ask the users to manually enable in place of the tried and true which should be the default - then the few that actually like to tinker with config will try it and provide feedback and give you the missing test cases that you did not cover, and only then you change what is the default. And at least put some error messages in the console. This is simply not how you produce quality!
>
> Platform: arm32
 
pe1chl
Forum Guru
Posts: 10550
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 4:25 pm

> I have a similar issue like i4ko:
> One device tries to connect to our server with a bunch of packets, because it wants to establish a couple of tunnels. The 7.17 (and 7.16.2 too) version detects a TCP syn flood and shuts down any tcp syn ack traffic on that interface (Log message "possible SYN flooding on tcp port ..."). Even for other devices that want to connect.
Is that what it does?? That is bad... I would have expected it to enable SYN COOKIES in that situation.
 
Zaesch
Frequent Visitor
Posts: 88
Joined: Thu Apr 16, 2009 12:43 pm

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 4:35 pm

Tried to enable SYN cookies, but the behavior is unchanged. Every time when I disable the drop rule for that "flooding" device the log message appears and every new TCP session on that interface is not answered until a reboot. It's good to see with the packet sniffer: SYN arrives, no response from the system, retransmit of the SYN, no response from the system, and so on.
> > I have a similar issue like i4ko:
> > One device tries to connect to our server with a bunch of packets, because it wants to establish a couple of tunnels. The 7.17 (and 7.16.2 too) version detects a TCP syn flood and shuts down any tcp syn ack traffic on that interface (Log message "possible SYN flooding on tcp port ..."). Even for other devices that want to connect.
>
> Is that what it does?? That is bad... I would have expected it to enable SYN COOKIES in that situation.
 
pe1chl
Forum Guru
Posts: 10550
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 4:39 pm

Well I am not running 7.17 but I am testing 7.18beta2 and it shows that "syn flood" error for port 53 (DNS) once after every reboot, however when I later try the port 53 answers as normal.
So there must be more than that going on.
 
Zaesch
Frequent Visitor
Posts: 88
Joined: Thu Apr 16, 2009 12:43 pm

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 4:50 pm

The problem in my case could be that the "flooding" device won't stop sending the packets. Maybe your clients that trigger the log message reduce the rate or increase the time between sending packets.
Either way, the device should not block all TCP SYN traffic.

> Well I am not running 7.17 but I am testing 7.18beta2 and it shows that "syn flood" error for port 53 (DNS) once after every reboot, however when I later try the port 53 answers as normal.
> So there must be more than that going on.
 
jsadler
just joined
Posts: 5
Joined: Tue Sep 18, 2018 1:10 pm
Location: New Zealand

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 5:32 pm

> OF COURSE that does not work when DHCP Snooping is enabled!
> DHCP Snooping is an active technique to avoid the problem of Rogue DHCP servers.
> You would not use both at the same time...
@pe1chl there are many valid reasons for doing both, and in older ROS versions this worked fine. Note that even if you're isolating rogue dhcp servers, one may still want to receive an alert when they feature on your network.
 
npero
Member
Posts: 319
Joined: Tue Mar 01, 2005 1:59 pm
Location: Serbia

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 7:30 pm

On all devices in the network I see this in the log:
system,info ovpn server added by (/interface ovpn-server server set)
I looked and see an OpenVPN server added to the list, but do not see anyone logged in at the time of creation on the device.
Anyone else?
 
mrshaba
just joined
Posts: 7
Joined: Thu Jul 04, 2019 11:49 am

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 7:58 pm

> On all devices in the network I see this in the log:
> system,info ovpn server added by (/interface ovpn-server server set)
> I looked and see an OpenVPN server added to the list, but do not see anyone logged in at the time of creation on the device.
> Anyone else?

I've got that log entry as well on a CRS309 switch with a lean configuration consisting of a bridge only, and like you had found no evidence that an ovpn server exists or has ever existed (never used or configured any ovpn). Since I've reverted back to an older version again for other reasons, I can't reproduce this anymore or provide any data for analysis.
 
infabo
Forum Guru
Posts: 1494
Joined: Thu Nov 12, 2020 12:07 pm

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 8:35 pm

viewtopic.php?p=1110235&hilit=ovpn#p1110235

It is added automatically. I removed that server (even though it is disabled) on my devices after upgrade to 7.17. It is just noise in config export otherwise.
 
mrshaba
just joined
Posts: 7
Joined: Thu Jul 04, 2019 11:49 am

Re: v7.17 [stable] is released!

Sat Jan 25, 2025 8:48 pm

In my case I had no server configured since the CRS309 is used purely as a switch only without any other services enabled on it. No clue why in this case such a log entry appears when no server has ever been configured on that device. When the log entry appeared I went and checked the config out of curiosity, and there was simply nothing under ovpn.