v7.18.1 [stable] is released!

Mon Feb 24, 2025 4:31 pm

RouterOS version 7.18 have been released in the "v7 stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.18.1 (2025-Feb-28 13:31):

*) bridge - improved stability in case of configuration error (introduced in v7.15);
*) bridge - show warning instead of causing error when using multicast MAC as admin-mac (introduced in v7.17);
*) cloud - fixed issues when BTH is toggled fast between enable/disable;
*) cloud - improved "BTH Files" web page design;
*) console - fixed issue with files when using scripts (introduced in v7.18);
*) console - improved file add/remove process stability;
*) dhcpv6-relay - clear saved routes on DHCP release;
*) dhcpv6-relay - show client address;
*) disk - add "sector-size" property in print detail;
*) disk - improved stability when formatting crypted partitions;
*) l3hw - remove VLAN tag before VXLAN encapsulation (fixes pvid behavior for bridged VXLAN);
*) lte - fixed modem recovery after firmware upgrade for R11e-LTE modem;
*) lte - fixed Router Advertisement processing issue for AT modems when an APN with "ip-type=ipv6" was configured;
*) ovpn - disable hardware accelerator for GCM on MMIPS CPUs (introduced in v7.18);
*) poe-out - fixed health showing 0V voltage when using PoE-in for RB960;
*) poe-out - upgraded firmware for 802.3at/bt PSE controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) route - show BGP session name instead of cache-id;
*) switch - improved stability when enabling IGMP snooping with VXLAN (introduced in v7.18);
*) system - improved internal "flash/" prefix handling for different file path related settings;
*) winbox - fixed missing SMB client on non-ROSE devices;

What's new in 7.18 (2025-Feb-24 10:47):

*) 60ghz - improved system stability;
*) bgp - fixed certain affinity options not working properly;
*) bgp - improved system stability when printing BGP advertisements;
*) bgp - make NO_ADVERTISE, NO_EXPORT, NO_PEER communities work;
*) bond - added transmit hash policies for encapsulated traffic;
*) bridge - added MLAG heartbeat property;
*) bridge - avoid duplicate VLAN entries with dynamic wifi VLANs;
*) bridge - do not reset MLAG peer port on heartbeat timeout (log warning instead);
*) bridge - fixed endless MAC update loop (introduced in v7.17);
*) bridge - fixed missing S flag on interface configuration changes;
*) bridge - improved stability when using MLAG with MSTP (introduced in v7.17);
*) bridge - improvements to MLAG host table updates;
*) bridge - process more DHCP message types (decline, NAK, inform);
*) bridge - removed controller-bridge (CB) and port-extender (PE) support;
*) bridge - show VXLAN remote-ip in host table;
*) btest - allow limiting access to server by IP address;
*) certificate - fixed localized text conversion to UTF-8 on certificate creation;
*) chr - fixed limited upgrades for expired instances;
*) chr/x86 - added network driver for Huawei SP570/580 NIC;
*) chr/x86 - fixed error message on bootup;
*) chr/x86 - fixed GRE issues with ice network driver;
*) chr/x86 - Realtek r8169 updated driver;
*) cloud - added "Back To Home Files" feature;
*) cloud,bth - use in-interface matcher for masquerade rule;
*) console - added dsv.remap to :serialize command to unpack array of maps from print as-value;
*) console - added file-name parameter to :serialize;
*) console - allow ISO timezone format in :totime command;
*) console - allow tab as dsv delimiter;
*) console - allow to toggle script error logging with "/console settings log-script-errors";
*) console - do not autocomplete arguments when match is both exact and ambiguous;
*) console - do not show numbering in print follow;
*) console - fixed "get" and "proplist" for certain settings;
*) console - fixed issue where ping command displays two lines at the same time;
*) console - fixed issue with disappearing global variable;
*) console - implement scriptable safe-mode commands and safe-mode handler;
*) console - improved hints;
*) console - log errors within scripts to the system log;
*) console - make non-pseudo terminals work with imports;
*) console - put !empty sentence when API query returns nothing;
*) console - renamed "back-to-home-users" to "back-to-home-user";
*) container - add default registry-url=https: //lscr.io;
*) container - allow HTTP redirects when accessing container registry;
*) container - allow specifying registry using remote-image property;
*) container - improved image arch choice;
*) container - use parent directory of container root-dir for unpack by default, so that container layer files are downloaded directly on target disk;
*) defconf - added IPv6 FastTrack configuration;
*) device-mode - do not allow changing CPU frequency if "routerboard" is not allowed by device mode (introduced in v7.17);
*) device-mode - fixed feature and mode update via power-reset on PPC devices;
*) dhcpv4-client - allow selecting to which routing tables add default route;
*) dhcpv4-client - fixed default option export output;
*) dhcpv4-server - fixed "active-mac-address" update when client has changed MAC address;
*) dhcpv4-server - fixed framed-route removal;
*) dhcpv4-server - fixed lease assigning when server address is not bind to server interface (introduced in v7.17);
*) dhcpv6-client - added "validate-server-duid" option;
*) dhcpv6-client - allow specifying custom DUID;
*) dhcpv6-client - do not run script on prefix renewal;
*) dhcpv6-relay - added option to create routes for bindings passing through relay;
*) dhcpv6-server - respond to client in case of RADIUS reject;
*) discovery - advertise IPv6 capabilities based on "Disable IPv6" global setting;
*) discovery - improved stability during configuration changes;
*) discovery - report actual PSE power-pair with LLDP;
*) discovery - use power-via-mdi-short LLDP TLV only on pse-type1 802.3af;
*) disk - add disk trim command (/disk format-drive diskx file-system=trim);
*) disk - allow to add swap space without container package;
*) disk - allow to set only type=raid devices as raid-master;
*) disk - cleanup raid members mountpoint, improve default name of file base block-device;
*) disk - do not allow adding device in raid when major settings mismatch in superblock and config;
*) disk - do not allow configuring empty slot as raid member;
*) disk - fix detecting disks on virtual machines;
*) disk - fixed removing device from raid while resyncing;
*) disk - fixed setting up dependent devices when file-based block-device becomes available;
*) disk - fixed showing free space on tmpfs (introduced in v7.17);
*) disk - improved stability;
*) disk - improved system stability when SMB interface list is used (introduced in v7.17);
*) disk - mount multi-device btrfs filesystems more reliably at startup;
*) disk - set non-empty fs label when formatting by default;
*) dns - do not show warning messages for DNS static entries when they are not needed;
*) ethernet - fixed issue with default-names for RB4011, RB1100Dx4, RB800 devices;
*) ethernet - fixed link-down on startup for ARM64 devices (introduced in v7.16);
*) ethernet - improved link speed reporting on 2.5G-baseT and 10Gbase-T ports;
*) fetch - added "http-max-redirect-count" parameter, allows to follow redirects;
*) fetch - do not require "content-length" or "transfer-encoding" for HTTP;
*) file - added "recursive" and "relative" parameters to "/file/print" for use in conjunction with "path" parameter;
*) file - allow printing specific directories via path parameter;
*) file - improved handling of filesystems with many files;
*) firewall - allow in-interface/in-bridge-port/in-bridge matching in postrouting chains;
*) firewall - fixed incorrectly inverted hotspot value configuration;
*) firewall - increased maximum connection tracking entry count based on device total RAM size;
*) hotspot - fixed an issue where extra "flash/" is added to html-directory for devices with flash folders (introduced in v7.17);
*) igmp-proxy - fixed multicast routing after upstream interface flaps (introduced in v7.17);
*) iot - added new "iot-bt-extra" package for ARM, ARM64 which enables use of USB Bluetooth adapters (LE 4.0+);
*) iot - improvements to LoRa logging and stability;
*) iot - limited MQTT payload size to 32 KB;
*) ip - added support for /31 address;
*) ippool - added pool usage statistics;
*) ipsec - added hardware acceleration support for hEX refresh;
*) ipsec - fixed chacha20 poly1305 proposal;
*) ipsec - fixed installed SAs update process when SAs are removed;
*) ipv6 - added ability to disable dynamic IPv6 LL address generation on non-VPN interfaces;
*) ipv6 - added FastTrack support;
*) ipv6 - added routing FastPath support (enabled by default);
*) ipv6 - added support for neighbor removal and static entries;
*) ipv6 - fixed configuration loss due to conflicting settings after upgrade (introduced in v7.17);
*) l2tp - added IPv6 FastPath support;
*) l3hw - added initial HW offloading for VXLAN on compatible switches;
*) l3hw - added neigh-dump-retries property;
*) l3hw - fixed /32 (IPv6 /128) route offloading when using interface as gateway;
*) l3hw - fixed partial route offloading for 98DX224S, 98DX226S, 98DX3236 switches;
*) l3hw - respect interface specifier (%) when matching a gateway;
*) log - added CEF format support for remote logging;
*) log - added option to select TCP or UDP for remote logging;
*) lte - added at-chat support for EC21EU;
*) lte - added basic support for Quectel RG255C-GL modem in "at+qcfg="usbnet",0" USB composition;
*) lte - added confirmation-code parameter for eSIM provisioning;
*) lte - added initial eSIM management support;
*) lte - fixed cases where the MBIM dialer could get stuck;
*) lte - fixed Huawei ME909s-120 support;
*) lte - fixed interface recovery in mixed multiapn setup for MBIM modems;
*) lte - fixed missing 5G info for "/interface lte print" command;
*) lte - fixed missing IPv6 prefix advertisement on renamed LTE interfaces;
*) lte - fixed prolonged reboots on Chateau 5G ax;
*) lte - fixed SIM slot initialization with multi-APN setups;
*) lte - improved automatic link recovery and modem redial functions;
*) lte - improved initialization for external USB modems;
*) lte - lte monitor, show CQI when modem reports it as 0 - undetectable, no RX/down-link resource block assigned to modem by provider;
*) lte - R11eL-EC200A-EU fixed online firmware upgrade and added support for firmware update from local file;
*) lte - R11eL-EC200A-EU improved failed connection handling and recovery;
*) lte - reduce modem initialization time for R11e-LTE-US;
*) lte - reduced SIM slot switchover time for modems with AT control channel (except R11e-LTE);
*) lte - removed nonexistent CQI reading for EC200A-EU modem;
*) net - added initial support for automatic multicast tunneling (AMT) interface;
*) netinstall - try to re-create socket if link status changes;
*) netinstall-cli - fixed DHCP magic cookie;
*) ospf - fixed DN bit not being set;
*) ospfv3 - fixed ignored metric for intra-area routes;
*) ovpn - added requirement for server name when exporting configuration;
*) ovpn - disable hardware accelerator for GCM on Alpine CPUs (introduced in v7.17);
*) ovpn-client - added 1000 character limit for password;
*) pimsm - fixed incorrect neighbor entry when using lo interface;
*) poe-out - added "power-pair" info to poe-out monitor (CLI only);
*) poe-out - added console hints;
*) poe-out - added new modes "forced-on-a" and "forced-on-bt" (CLI only);
*) poe-out - upgraded firmware for 802.3at/bt PSE controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) port - improved handling of USB device plug/unplug events;
*) ppc - fixed HW encryption (introduced in v7.17);
*) ppp - add support for configuration of upload/download queue types in profile;
*) ppp - added support for random UDP source ports;
*) ppp - fixed setting loss when adding new ppp-client interface for BG77 modem from CLI;
*) ppp - properly cleanup failed inactive sessions on pppoe-server;
*) ptp - do not send packets on STP blocked ports;
*) ptp - improved system stability;
*) qos-hw - fixed global buffer limits for 98CX8410 switch;
*) queue - improved system stability when many simple queues are added (introduced in v7.17);
*) queue - improved system stability;
*) queue - prevent CAKE bandwidth config from potentially causing lost connectivity to a device;
*) resolver - fixed static FQDN resolving (introduced in v7.17);
*) rip - fixed visibility of added key-chains in interface-template;
*) rose-storage - add btrfs filesystem add-device/remove-device/replace-device/replace-cancel commands to add/remove/replace disks to/from a live filesystem;
*) rose-storage - add btrfs filesystem balance-start/cancel commands;
*) rose-storage - add btrfs filesystem scrub-start, scrub-cancel commands (CLI only);
*) rose-storage - add btrfs transfers, supports send/receive into/from file for transferring subvolumes across btrfs filesystems;
*) rose-storage - add support to add/remove btrfs subvolumes/snapshots;
*) rose-storage - added support for advanced btrfs features: multi-disk support, subvolumes, snapshots, subvolume send/receive, data/metadata profiles, compression, etc;
*) rose-storage - allow to separately mount any btrfs subvolumes;
*) rose-storage - fixes for btrfs server;
*) rose-storage - update rsync to 3.4.1;
*) rose-storage,ssh - support btrfs send/receive over ssh;
*) route - added /ip/route/check tool;
*) route - added subnet length validation on route add;
*) route - do not use disabled addresses when selecting routing id;
*) route - fixed busy loops (route lockups);
*) route - fixed incorrect H flag usage;
*) route - improved stability when polling static routes via SNMP;
*) route - properly resolve imported BGP VPN routes;
*) routerboot - disable packet switching during etherboot for hEX refresh ("/system routerboard upgrade" required);
*) routerboot - improved stability for IPQ8072 ("/system routerboard upgrade" required);
*) routing-filter - improved stability when using large address lists (>5000);
*) routing-filter - improved usage of quotes in filter rules;
*) sfp - fixed missing "1G-baseX" supported rate for NetMetal ac2 and hEX S devices;
*) sfp - improved linking with certain QSFP modules on CRS354 devices;
*) sfp - improved system stability with some GPON modules for CCR2004 and CCR2116 devices;
*) sfp,qsfp - improved initialization and linking;
*) smb - fixed connection issues with clients using older SMB versions (introduced in v7.17);
*) smb - fixes for SMB server;
*) smb - improved system stability;
*) snmp - added "mtxrAlarmSocketStatus" OID to MIKROTIK-MIB;
*) snmp - added disk serial number through description field;
*) snmp - sort disk list and assign correct disk types;
*) ssh - improved channel resumption after rekey and eof handling;
*) supout - added IPv6 settings section;
*) supout - added per CPU load information;
*) switch - allow entering IPv6 netmask for switch rules (CLI only);
*) switch - fixed dynamic switch rules created by dot1x server (introduced in v7.17);
*) switch - fixed issues with inactive hardware-offloaded bond ports;
*) switch - improved egress-rate on QSFP28 ports;
*) switch - improved system stability for CRS304 switch;
*) switch - improvements to certain switch operations (port disable, shaper and switch initialization);
*) system - added option to list and install available packages (after using "check-for-updates");
*) system - do not allow to install multiple wireless driver packages at the same time;
*) system - do not cause unnecessary sector writes on check-for-updates;
*) system - enable "ipv6" package on RouterOS v6 downgrade if IPv6 is enabled;
*) system - fixed a potential memory leak that occurred when resetting states after an error;
*) system - force time to be at least at package build time minus 1d;
*) system - improved HTTPS speed;
*) system - improved stability on busy systems;
*) system,arm - automatically increase boot part size on upgrade or netinstall (fixed upgrade failed due to a lack of space on kernel disk/partition);
*) tile - improved system stability;
*) traceroute - added "too many hops" error when max-hops are reached;
*) traceroute - limit max-hops maximum value to 255;
*) user - improved authentication procedure when RADIUS is not used;
*) vxlan - added disable option for VTEPs;
*) vxlan - added IPv6 FastPath support;
*) vxlan - added option to dynamically bridge interface and port settings (hw, pvid);
*) vxlan - added TTL property;
*) vxlan - changed default port to 4789;
*) vxlan - fixed unset for "group" and "interface" properties;
*) vxlan - replaced the "inherit" with "auto" option for dont-fragment property (new default);
*) webfig - added confirmation when quitting in Safe Mode;
*) webfig - do not reload form when failed to create new object;
*) webfig - fixed "TCP Flags" property when inverted flags are set in console;
*) webfig - fixed datetime setting under certain menus;
*) webfig - fixed displaying passwords;
*) webfig - fixed Switch/Ports menu not showing correctly;
*) webfig - hide certificate information in IP Services menu when not applicable;
*) webfig - remember expand/fold state;
*) wifi - added max-clients parameter;
*) wifi - avoid excessive re-transmission of SA Query action frames;
*) wifi - fix issue which made it possible for multiple concurrent WPA3 authentications to interfere with each other;
*) wifi - implement steering parameters to delay probe responses to clients in the 2.4GHz band;
*) wifi - log a warning when a client requests power save mode during association as this may prevent successful connection establishment;
*) wifi - re-word the "can't find PMKSA" log message to "no cached PMK";
*) wifi - try to authenticate client as non-FT client if it provides incomplete set of FT parameters;
*) wifi-qcom - fix reporting of radio minimum antenna gain for hAP ax^2;
*) wifi-qcom - prevent AP from transmitting broadcast data unencrypted during authentication of first client;
*) winbox - added "Copy to Provisioning" button under "WiFi/Radios" menu;
*) winbox - added "Last Logged In/Out" and "Times Matched" properties under "WiFi/Access List" menu;
*) winbox - added "Reset Alert" button under "IP/DHCP Server/Alerts" menu;
*) winbox - added L3HW Advanced and Monitor;
*) winbox - added missing options under "System/Disk" menu;
*) winbox - added TCP settings under "Tools/Traffic Generator/Packet Templates" menu;
*) winbox - do not show 0 Tx/Rx rate under "WiFi/Registration" menu when values are not known;
*) winbox - do not show LTE "Antenna Scan" button on devices that do not support it;
*) winbox - fixed locked input fields when creating new certificate template;
*) winbox - show LTE "CA Band" field only when CA info is available;
*) winbox - show warning messages for static DNS entries;
*) x86 - fixed "unsupported speed" warning;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

rextended · Mon Feb 24, 2025 4:43 pm

To add default IPv6 FastTrack when updating from ANY v7 previous version, just paste this into the terminal
(barring arbitrary changes to the default configuration already made).
New devices netinstalled with beta4 and later, or reset with default configuration on beta4 and later, are already ready.

enable default IPv6 FastTrack code

{
/ipv6 fire filter
remove [find where comment="defconf: fasttrack6"]
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack6"
:local idone [find where comment="defconf: fasttrack6"]
:local idtwo [find where comment="defconf: accept established,related,untracked" and chain=forward]
:put $idone
:put $idtwo
move $idone destination=$idtwo
}

For full default firewall rules:
viewtopic.php?p=1124805#p856824

maisondasilva · Mon Feb 24, 2025 4:53 pm

Great release Thank you Mikrotik Team

grusu · Mon Feb 24, 2025 5:02 pm

Regarding smb client: cli settings are in the main package but the settings do not appear in winbox unless you install rose-storage or try to copy an existing configuration.

oreggin · Mon Feb 24, 2025 5:38 pm

Do I see right some of RC2 chages are skipped?

$ diff -ruN 7.18rc2.sort 7.18.sort | grep -P '^[\-+]'
--- 7.18rc2.sort	2025-02-24 16:34:05.762863405 +0100
+++ 7.18.sort	2025-02-24 16:31:51.441714374 +0100
-*) fetch - fixed IPv6 handling in URL (introduced in v7.18beta2);
-*) file - fixed missing meta information from special files such as packages (introduced in v7.18beta2);
-*) file - hide store directories, such as container (introduced in v7.18beta2);
-*) lte - fixed R11eL-EC200A-EU modem RAT mode selection (introduced in v7.18beta2);
-*) lte - fix R11e-4G modem initialization (introduced in v7.18beta4);
-*) poe-out - added new modes "forced-on-a" and "forced-on-bt", where old "forced-on" mean "forced-on-bt" (CLI only);
+*) poe-out - added new modes "forced-on-a" and "forced-on-bt" (CLI only);
-*) poe-out - fixed invalid poe-in status detection for RB5009 (introduced in v7.18beta2);
-*) poe-out - fixed PoE-out not working on first boot after upgrade for CRS354 (introduced in v7.18beta2);
-*) qos-hw - fixed wred-threshold (introduced in v7.18beta2);
-*) wifi-qcom - fixed potentially lowered throughput for station interfaces if channel.width property is set (introduced in v7.18beta2);
-*) winbox - fixed usb power-reset bus selection for RB924iR-2nD-BT5&BG77 (introduced in v7.18beta2);

anav · Mon Feb 24, 2025 5:38 pm

Well, I'm glad you're working on it so hard.

+1 - I can just feel zerotrust cloudflare tunnel, in an options package, is right around the corner. ;-), and of course amnezia wireguard in an options package.

buset1974 · Mon Feb 24, 2025 5:45 pm

I can't wait whatsnew in 7.19

eworm · Mon Feb 24, 2025 5:45 pm

Do I see right some of RC2 chages are skipped?

I think they skipped everything introduced and fixed within the same development cycle.

Mon Feb 24, 2025 5:53 pm

Stable release changelog has always been a list of changes since previous stable - bugs introduced and resolved within beta/rc are not in this list.

ech1965 · Mon Feb 24, 2025 6:12 pm

Stable release changelog has always been a list of changes since previous stable - bugs introduced and resolved within beta/rc are not in this list.

Would be very useful to have this changelog present in the last post before locking the rc thread. I agree it should not pollute the main release topic.

rextended · Mon Feb 24, 2025 6:19 pm

bugs introduced and resolved within beta/rc are not in this list.

As it should be.

infabo · Mon Feb 24, 2025 6:20 pm

This release cycle was short. Thank you Mikrotik! Can't wait to see IPv6 FastTrack in action.

Chaosphere64 · Mon Feb 24, 2025 6:32 pm

1.) I keep getting the attached error message, even after numerous reboots. Why is that and how can I get rid of it?

2.) How is IPv6 fast tracking enabled?

pe1chl · Mon Feb 24, 2025 6:33 pm

Stable release changelog has always been a list of changes since previous stable - bugs introduced and resolved within beta/rc are not in this list.

It would be nice when new bugs introduced in a stable release would be added to the changelog (as a separate section) once they become known, so it is easier to watch for them in later releases to see if they have been fixed.
(and also to know beforehand that it is better to wait, e.g. when some functionality is critical for you)

nmt1900 · Mon Feb 24, 2025 6:43 pm

It would be nice when new bugs introduced in a stable release would be added to the changelog (as a separate section) once they become known, so it is easier to watch for them in later releases to see if they have been fixed.
(and also to know beforehand that it is better to wait, e.g. when some functionality is critical for you)

It would be possible if Mikrotik had transparency level of any other vendor which is able to keep a record of known issues and would publish them as a part of release notes. Without that we have no way to know the real state of things what comes to development...

jfim88 · Mon Feb 24, 2025 6:45 pm

Hope that 7.19 comes with a fix for SUP-152693 after several months of waiting (IPTV cuts/pixelations with Movistar Spain)

fischerdouglas · Mon Feb 24, 2025 6:58 pm

They've gone through all the bugs and broken features with a bulldozer.

That's it! Now they can release RDS with 7.18 as a factory default, meeting the pressure from the product and marketing teams.

Who knows, maybe after this they'll go back to focusing at least a little on Routing and Switching.

vivoras · Mon Feb 24, 2025 7:03 pm

After updating several devices, I see that this update automatically installs extra packages that were not installed on the router before the update?

Mon Feb 24, 2025 7:04 pm

Like ?
Coming from which version ?

If coming from pre-7.13, it's normal to see wireless appearing on crs devices ( normal as in: it shouldn't but it's consistent)

anav · Mon Feb 24, 2025 7:15 pm

holvoe, can you comment on the wifi changes, good bad ugly??

optio · Mon Feb 24, 2025 7:15 pm

With 16Mb flash device you can only watch new release notes and cry :)

$ stat --format="%n: %s" *
container-7.16.2-arm.npk: 98449
routeros-7.16.2-arm.npk: 11608772
wifi-qcom-ac-7.16.2-arm.npk: 2740369

= 14447590 bytes

$ stat --format="%n: %s" *
container-7.18-arm.npk: 118929B
routeros-7.18-arm.npk: 12076474B
wifi-qcom-ac-7.18-arm.npk: 2744465B

= 14939868 bytes
------------------------
14939868 - 14447590 = 492278 bytes (480.74 KiB)

Free space after 7.16.2 netinstall with imported config (not backup):

free-hdd-space: 396.0KiB

guipoletto · Mon Feb 24, 2025 7:16 pm

After updating several devices, I see that this update automatically installs extra packages that were not installed on the router before the update?

No, this is just spectacular bad communication from Mikrotik

In previous releases, "greyed" packages meant "the .npk is stored locally in flash, but not loaded at boot" (status = "disabled")
To remove them and free flash space, one would perform the action "uninstall"

from 7.18, all possible available packages are listed in greyed-out form, to be fetched "automagically" from "the clouds" if one selects "action=install"
It does not necessarily mean (as was once true), that there is a kludge of .npk 's in the local storage

vivoras · Mon Feb 24, 2025 7:26 pm

After updating several devices, I see that this update automatically installs extra packages that were not installed on the router before the update?
No, this is just spectacular bad communication from Mikrotik

In previous releases, "greyed" packages meant "the .npk is stored locally in flash, but not loaded at boot" (status = "disabled")
To remove them and free flash space, one would perform the action "uninstall"

from 7.18, all possible available packages are listed in greyed-out form, to be fetched "automagically" from "the clouds" if one selects "action=install"
It does not necessarily mean (as was once true), that there is a kludge of .npk 's in the local storage

Thanks for the clarification. How do we know which packages are locally hosted and disabled? I have selected the greyed out packages and after uninstalling and restarting the router they have disappeared from the list. In The Dude they also appeared as installed (That's why I noticed the "error").

wrkq · Mon Feb 24, 2025 7:31 pm

Depends which packages you've seen.

The new feature from 7.18 it works like this:
* After reboot, the list of packages contains only what is installed.
* After you run the "check online for updates" option, it not only tells you if ROS can be upgraded, but downloads full list of package names and shows them grayed out with "XA" flags (disabled, available for download).
* If you try to enable one of those, it gets downloaded.

If you saw packages with just "X" disabled flag, not "XA", those were on-disk and disabled, and that normally doesn't happen.
(Mind, good chance Dude being barely-on-life-support can't show up the new flag.)

If you saw /enabled/ packages, then it matters what old version you've upgraded from; due to split/merge of some features between the main ROS package and external ones, upgrading across some specific versions installs extra packages to make sure the feature that was there before is still available.
Main example is the legacy "wireless" package showing up even on devices without wifi.

Mon Feb 24, 2025 7:36 pm

holvoe, can you comment on the wifi changes, good bad ugly??

I am not seeing much difference but then again I am lucky enough not to have those problems with disconnects like some others do.

burnduck · Mon Feb 24, 2025 7:42 pm

IPv6 FastTrack has made a noticeable difference on my CCR2004!
When routing 6Gbps of traffic I'm seeing ~15% reduction in total CPU usage.
That's a significant free upgrade by my book!

DeGlucker · Mon Feb 24, 2025 7:50 pm

With 16Mb flash device you can only watch new release notes and cry :)
Code: Select all
$ stat --format="%n: %s" *
container-7.16.2-arm.npk: 98449
routeros-7.16.2-arm.npk: 11608772
wifi-qcom-ac-7.16.2-arm.npk: 2740369
= 14447590 bytes
Code: Select all
$ stat --format="%n: %s" *
container-7.18-arm.npk: 118929B
routeros-7.18-arm.npk: 12076474B
wifi-qcom-ac-7.18-arm.npk: 2744465B
= 14939868 bytes
------------------------
14939868 - 14447590 = 492278 bytes (480.74 KiB)

Free space after 7.16.2 netinstall with imported config (not backup):
Code: Select all
free-hdd-space: 396.0KiB

Looks like Mikrotik doesn't test their releases on 16MB devices at all. My hAP AC2 has 0MB free after update to ROS 7.18 and now Ican't even reboot it... Forced will go to do netinstall...

vivoras · Mon Feb 24, 2025 7:53 pm

Depends which packages you've seen.

The new feature from 7.18 it works like this:
* After reboot, the list of packages contains only what is installed.
* After you run the "check online for updates" option, it not only tells you if ROS can be upgraded, but downloads full list of package names and shows them grayed out with "XA" flags (disabled, available for download).
* If you try to enable one of those, it gets downloaded.

If you saw packages with just "X" disabled flag, not "XA", those were on-disk and disabled, and that normally doesn't happen.
(Mind, good chance Dude being barely-on-life-support can't show up the new flag.)

If you saw /enabled/ packages, then it matters what old version you've upgraded from; due to split/merge of some features between the main ROS package and external ones, upgrading across some specific versions installs extra packages to make sure the feature that was there before is still available.
Main example is the legacy "wireless" package showing up even on devices without wifi.

Ok, I see how it works. So the only problem then is that Dude shows all the packages, both installed and "available" to install.

wrkq · Mon Feb 24, 2025 8:12 pm

Probably, but you should double-check if something weird shows up again.
Compare the listing in Dude and in Winbox/CLI, at least.

infabo · Mon Feb 24, 2025 8:45 pm

Stable release changelog has always been a list of changes since previous stable - bugs introduced and resolved within beta/rc are not in this list.

At least this change was already in 7.17 stable:

*) device-mode - do not allow changing CPU frequency if "routerboard" is not allowed by device mode (introduced in v7.17);

What is the logic behind changelog?

CGGXANNX · Mon Feb 24, 2025 8:52 pm

There was a bug in 7.17 where even with device-mode locking down RouterBOARD, people were able to change the CPU frequency once.

CGGXANNX · Mon Feb 24, 2025 9:00 pm

With 16Mb flash device you can only watch new release notes and cry :)

Free space after 7.16.2 netinstall with imported config (not backup):
Code: Select all
free-hdd-space: 396.0KiB

...

Looks like Mikrotik doesn't test their releases on 16MB devices at all. My hAP AC2 has 0MB free after update to ROS 7.18 and now Ican't even reboot it... Forced will go to do netinstall...

I am linking to my old posts in the 7.18 beta thread:

viewtopic.php?t=214071&start=300#p1125166
viewtopic.php?t=214071&start=300#p1125183

MikroTik does have the possibility to free up at least 565KB (38KB from the useless .woff2 font files) for those AC devices with 16MiB flash if they care.

oe5nip · Mon Feb 24, 2025 9:17 pm

Nice Install on 1100DX4 and RBD52G-5HacD2HnD+RBD53iG-5HacD2Hnd

infabo · Mon Feb 24, 2025 9:17 pm

There was a bug in 7.17 where even with device-mode locking down RouterBOARD, people were able to change the CPU frequency once.

I disagree, this bug was fixed in 7.17.2.

rextended · Mon Feb 24, 2025 9:30 pm

For enable default IPv6 FastTrack, do not suffice just manual/auto update/upgrade, defconf is not applied on already installed devices:
viewtopic.php?p=1128583#p1128583

ksoze · Mon Feb 24, 2025 9:32 pm

I upgraded one device and am now no longer able to acquire a DHCPv6 lease. On my other device (which has different firewall rules) I can, but I can't route for some reason. Perhaps there is a breaking config change I am unaware of with IPv6.

CGGXANNX · Mon Feb 24, 2025 9:48 pm

There was a bug in 7.17 where even with device-mode locking down RouterBOARD, people were able to change the CPU frequency once.
I disagree, this bug was fixed in 7.17.2.

It has been like that since forever. The changelog of the stable c.d release contains changes since the previous a.b release. Version a.b might have additional patch versions a.b.x or a.b.y that already include the same fix, but the fix will still be listed in the changelog of c.d. Just look at https://mikrotik.com/download/changelogs. For example, let's me pick some random excepts:

* Both 7.17 and 7.16.2 have *) certificate - do not download CRL if there is not enough free RAM; among others.
* Both 7.14 and 7.13.4 have *) bridge - fixed MLAG connection after peer-link flap (introduced in v7.13);

pe1chl · Mon Feb 24, 2025 9:48 pm

I upgraded a CHR that is on a local network only (with free license), from version 7.18beta6.
After the reboot, 123MB more disk space is used than before. After another reboot, it falls back to 105MB more used.
After another reboot with internet access, it returns back to normal.
I have seen this before with the 7.18 betas but not every time. One time all my diskspace was used after running without internet access for a while.

szaboistvan007 · Mon Feb 24, 2025 9:59 pm

My RB750Gr3 became unstable under 7.18, it rebooted quite frequently so I couldn't do much, not even troubleshoot, so I reverted to 7.17.2
I have opened a support case and attached the autosupout file

LonDat · Mon Feb 24, 2025 10:32 pm

*) winbox - fixed locked input fields when creating new certificate template;

Yes! Small think, but very helpful...thanks Mikrotik!

infabo · Mon Feb 24, 2025 10:48 pm

I disagree, this bug was fixed in 7.17.2.

It has been like that since forever. The changelog of the stable c.d release contains changes since the previous a.b release. Version a.b might have additional patch versions a.b.x or a.b.y that already include the same fix, but the fix will still be listed in the changelog of c.d. Just look at https://mikrotik.com/download/changelogs. For example, let's me pick some random excepts:

* Both 7.17 and 7.16.2 have *) certificate - do not download CRL if there is not enough free RAM; among others.
* Both 7.14 and 7.13.4 have *) bridge - fixed MLAG connection after peer-link flap (introduced in v7.13);

Thank you for pointing this out. I have noticed these "duplicates" before, but the one regarding the device-mode CPU fix particularly caught my attention, as I had already reported this bug to Mikrotik and tested the fix in version 7.17.2. Could someone clarify why identical changelog items are listed multiple times, especially within the same stable branch? Does this serve a specific purpose? This way of presenting changelogs can be confusing for users who are upgrading. For instance, someone concerned about device mode might think the fix is only in 7.18 and choose to upgrade unnecessarily, even though it was already resolved in 7.17.2.

infabo · Mon Feb 24, 2025 11:30 pm

Duplicates (already contained in 7.17.1 or 7.17.2):

*) device-mode - do not allow changing CPU frequency if "routerboard" is not allowed by device mode (introduced in v7.17);
*) device-mode - fixed feature and mode update via power-reset on PPC devices;
*) disk - fixed showing free space on tmpfs (introduced in v7.17);
*) disk - improved system stability when SMB interface list is used (introduced in v7.17);
*) dns - do not show warning messages for DNS static entries when they are not needed;
*) hotspot - fixed an issue where extra "flash/" is added to html-directory for devices with flash folders (introduced in v7.17);
*) sfp - improved system stability with some GPON modules for CCR2004 and CCR2116 devices;
*) smb - fixed connection issues with clients using older SMB versions (introduced in v7.17);
*) switch - fixed dynamic switch rules created by dot1x server (introduced in v7.17);
*) system - fixed a potential memory leak that occurred when resetting states after an error;
*) bgp - improved system stability when printing BGP advertisements;
*) bridge - fixed endless MAC update loop (introduced in v7.17);
*) dhcpv4-server - fixed lease assigning when server address is not bind to server interface (introduced in v7.17);
*) igmp-proxy - fixed multicast routing after upstream interface flaps (introduced in v7.17);
*) ipsec - fixed chacha20 poly1305 proposal; 
*) ipsec - fixed installed SAs update process when SAs are removed;
*) ovpn - added requirement for server name when exporting configuration;
*) ppc - fixed HW encryption (introduced in v7.17);
*) queue - improved system stability when many simple queues are added (introduced in v7.17);
*) resolver - fixed static FQDN resolving (introduced in v7.17);
*) system,arm - automatically increase boot part size on upgrade or netinstall (fixed upgrade failed due to a lack of space on kernel disk/partition); 
*) winbox - show warning messages for static DNS entries;

wrkq · Mon Feb 24, 2025 11:59 pm

Thank you for pointing this out. I have noticed these "duplicates" before, but the one regarding the device-mode CPU fix particularly caught my attention, as I had already reported this bug to Mikrotik and tested the fix in version 7.17.2. Could someone clarify why identical changelog items are listed multiple times, especially within the same stable branch? Does this serve a specific purpose? This way of presenting changelogs can be confusing for users who are upgrading. For instance, someone concerned about device mode might think the fix is only in 7.18 and choose to upgrade unnecessarily, even though it was already resolved in 7.17.2.

Kinda related to the discussion we had over there: viewtopic.php?t=215049

Short version:
* 7.17 released, developers start working on 7.18 dev/alpha/beta
* bug is discovered, fixed in 7.18 dev, fix is put in changelog of 7.18 as "fixed after 7.17"
* bug is decided to be important enough and easy-to-backport enough, it is backported into a hotfix for 7.17
* hotfix 7.17.2 released, including fix, so fix is put in a changelog

Think of the hotfix "third number" versions as branching to the sides of the main development train, so needing their own changelogs.
7.18.nothirdnumber comes after 7.17.nothirdnumber, not after 7.17.2.

Miyuki · Tue Feb 25, 2025 12:01 am

I have a problem, after updating to 7.18 voltage reporting shows 0V
At 7.17 it worked just right

[admin@MikroTik_Switch] > system/routerboard/print
routerboard: yes
board-name: hEX PoE
model: RB960PGS
revision: r2
serial-number: HD1086861FK
firmware-type: qca9550L
factory-firmware: 6.48.6
current-firmware: 7.18
upgrade-firmware: 7.18
[admin@MikroTik_Switch] > system/health/print
Columns: NAME, VALUE, TYPE
# NAME VALUE TYPE
0 voltage 0 V
1 temperature 61 C

Albirew · Tue Feb 25, 2025 1:27 am

mhh... i have an issue since 7.17, percent variables in branding maker doesn't transform anymore, leading my branded skins like this:

Screenshot 2025-02-25 at 00-24-44 %host% - AlbiTik.png

toxicfusion · Tue Feb 25, 2025 1:35 am

Since MikroTIk mods are now locking prior RC threads.

now that 7.17 is "stable". Will MikroTik return their focus on routing and switching? When will you all realize your identity as a company and become laser focused on software quality. Need to better align your focus and priorities - figure out what MikroTik' identity is. Become laser focused on producing quality software releases. The hardware isnt the problem - MikroTik has quite good hardware engineers [routing, switching] Wireless still needs work [cost cutting on sheilding and antenna designs].

Fork ROSE to separate project for a MikroTik NAS. Work on separating management, control-plane, processing. it's wild to see bug fixes for "ROSE" in v7.18 stable. This should be a separate package release and its own focus.

Why are you still bringing storage technology into RouterOS? Yeah, brb - I'll go convert my NAS to a router, and my Router to a NAS.

icosasupport · Tue Feb 25, 2025 1:37 am

I just upgraded to 7.18 and now it's stuck in a boot loop :( why?
I can't even hit DEL or Control+E :(
I feel as if the testing portion of releases is a bit lacking

RouterBOOT booter 7.18

CCR2116-12G-4S+

CPU frequency: 2000 MHz
  Memory size:  16 GiB
    NAND size: 128 MiB

Press Ctrl+E to enter etherboot mode
Press <delete> key within 2 seconds to enter setup..

loading kernel... OK
setting up elf image... OK
jumping to kernel code
Starting...
Starting services...
stage2_loader v3.63.2
Memory repair completed within 226 uSecs
DDR ECC static poisoning address: (0x1e0000)
DDR ECC static poisoning address: (0x1e1100)
SPD I2C Address: 52, offset 0000(0)
DRAM ch 0: 8GB
SPD I2C Address: 53, offset 0000(0)
DRAM ch 1: 8GB
DRAM total size: 16GB
Executing next at 0x01000000!
agent_wakeup v3.53


RouterBOOT booter 7.18

infabo · Tue Feb 25, 2025 2:01 am

Thank you for pointing this out. I have noticed these "duplicates" before, but the one regarding the device-mode CPU fix particularly caught my attention, as I had already reported this bug to Mikrotik and tested the fix in version 7.17.2. Could someone clarify why identical changelog items are listed multiple times, especially within the same stable branch? Does this serve a specific purpose? This way of presenting changelogs can be confusing for users who are upgrading. For instance, someone concerned about device mode might think the fix is only in 7.18 and choose to upgrade unnecessarily, even though it was already resolved in 7.17.2.
Kinda related to the discussion we had over there: viewtopic.php?t=215049

Short version:
* 7.17 released, developers start working on 7.18 dev/alpha/beta
* bug is discovered, fixed in 7.18 dev, fix is put in changelog of 7.18 as "fixed after 7.17"
* bug is decided to be important enough and easy-to-backport enough, it is backported into a hotfix for 7.17
* hotfix 7.17.2 released, including fix, so fix is put in a changelog

Think of the hotfix "third number" versions as branching to the sides of the main development train, so needing their own changelogs.
7.18.nothirdnumber comes after 7.17.nothirdnumber, not after 7.17.2.

This is a simplified explanation of how a Version Control System (VCS) works: you make a bugfix commit on the main branch and then cherry-pick that commit to the next patch-release branch. However, this is not the right way to write changelogs. I don't know of any software that writes changelogs like this. It doesn't make sense, especially for someone who reads the changelog in the stable branch in chronological order.

wrkq · Tue Feb 25, 2025 2:27 am

Would you be happier if instead of "What's new in 7.18 (2025-Feb-24 10:47):" the caption would say "Version 7.18 (2025-Feb-24 10:47). Changes since 7.17:" ?

icosasupport · Tue Feb 25, 2025 2:56 am

I got past the boot loop after some effort and power cycling :O
Did a fresh net install to 7.18 and formatted the hard drive. It boots with no config :)

First thing I noticed is that the PPP profile now needs a queue statement with 2 values.
Why break our configs with silliness like that?

ver 7.17.2 and below
add bridge=router-bridge bridge-port-vid=30 change-tcp-mss=yes name=private-encryption use-encryption=yes use-upnp=no [b]queue=default[/b]
ver 7.18
add bridge=router-bridge bridge-port-vid=30 change-tcp-mss=yes name=private-encryption use-encryption=yes use-upnp=no [b]queue=default/default[/b]

Second thing, this is what was probably causing the initial boot loop was enabling IGMP snooping. I tested it on the clean install and kernel panic!

add name=router-bridge comment="Site Master Bridge" frame-types=admit-only-vlan-tagged ingress-filtering=no port-cost-mode=short protocol-mode=none pvid=4094 igmp-snooping=yes

From the RIF log:
Feb/24/2025 17:35:19 system,error,critical router was rebooted without proper shutdown, probably kernel failure
Feb/24/2025 17:35:19 system,error,critical router was rebooted without proper shutdown, probably kernel failure

So be careful out there if you're using IGMP snooping on v7.18

infabo · Tue Feb 25, 2025 3:14 am

Would you be happier if instead of "What's new in 7.18 (2025-Feb-24 10:47):" the caption would say "Version 7.18 (2025-Feb-24 10:47). Changes since 7.17:" ?

No, that would just be window dressing. If I upgrade from 7.17.2 to 7.18, I want to see the changes at a glance - specifically compared to the exact previous stable version. I don’t want to have to extract every changelog line from multiple patch versions (e.g., 7.13 had 5 patch versions). As I mentioned earlier, changelogs are meant to be read chronologically. If I upgrade from, say, 7.14.2 to 7.18, I want to be able to read the changelog from 7.14.3 up to 7.18 in order, without constantly encountering repetitive or duplicate changelog entries.

This changelog item is in 7.17.1 changelog, but is not in 7.18 changelog. So it is either a fluke in changelog of 7.18 or it is not contained in 7.18 at all.

ipv6 - fixed an issue where bridge, IP, IPv6 and discovery settings were lost after upgrade due to conflicting IPv6 properties (introduced in v7.17);

It’s unlikely that anything about the changelog will change at this point. But now, back to the topic. Since this time the testing cycle was extremely short (just 1 week of RC phase), I’ll at least wait for 7.18.1 this time - if not 7.18.2.

mantouboji · Tue Feb 25, 2025 5:08 am

How to use IPv6 dhcp-relay? need some detail document, Thx.

julianho · Tue Feb 25, 2025 6:01 am

What does this fix?

*) tile - improved system stability;

Is it about using PPPOE-CLIENT with the cable port, causing intermittent UP/DOWN of all ports?

Wyz4k · Tue Feb 25, 2025 6:19 am

WARNING: Do not install this on RB450G or HAP AC2

Both has been repeatedly bricked, and even brick directly after restoring backup config onto freshly netinstalled 7.18

I am rolling back to 7.17.2 and will wait for the next release

loloski · Tue Feb 25, 2025 7:00 am

hapac2.png

It's working on hapac2

xgalsax1 · Tue Feb 25, 2025 7:47 am

I just had an odd crash on my RB5009 after I removed a Cake Queue Type that was assigned to a disabled rule in the Queue Tree, after removing the Queue Type the system crashed immediately. After that I couldn't boot the system anymore and NetInstall was necessary.

Tue Feb 25, 2025 8:20 am

grusu, vivoras, pe1chl, Miyuki, Albirew, icosasupport - Thank you for your report, we will look into this!
Chaosphere64, ksoze, szaboistvan007, xgalsax1, Wyz4k - Please send supout file from your router to support@mikrotik.com

Everyone #1 - Please remember now and always - if you did find a bug, report it to the support@mikrotik.com. Send supout files and any other materials that might be useful. This is a user forum and even though we monitor version release topics, support@mikrotik.com would be the proper channel for reporting bugs. Especially when these topics so often go off-topic.
Everyone #2 - Please do not turn this version release topic again unrelated to the release itself and talking about how changelogs might be better, testing might be better, etc. Please open new forum topics for such discussions and let us keep these release topics related to RouterOS not management. If not for us, then at least for other colleagues users.
Everyone #3 - Each and every RouterOS release is well tested in countless setups, tests and different router models. However, routers are like levers with millions of possible setting combinations, and not just settings to make things even more interesting - router models, used algorithms, connected devices, etc. If you experience problems, then most likely the problem on your device appeared because "a combination of things" caused the issue. For example, a single specific network packet from some unusual/unpopular network client can call processes on the router which can not be simply simulated or predicted. This is how any software is developed - we do our best and after release find out about unpredicted edge cases. Please report these cases to support@mikrotik.com so we can improve as smoothly as possible. If you report them already within beta/rc stage, then we can address them before the stable release, but no lab in the world will be able to simulate everything.

Jotne · Tue Feb 25, 2025 8:22 am

I am glad MT has added CEF to the logging with UDP/TCP and ISO8601 time format, but it seem that this is the only changes and the logging mess do continue. viewtopic.php?t=124291
Repeatedly I asked for fixing the double name in beta and RC, still not fixed. It do add some unneeded bytes to all package.

How CEF message are created:

2025-02-25T06:38:34.986+0100 RB951-test 
Cef version			CEF:0|
Device Vendor			MikroTik|
Device Product			RB951Ui-2HnD|
Device Version			7.18 (stable)|
Device Event Class ID		65|
Name				dns|
Severity			Unknown|
[Extension]			dvchost=RB951-test msg=serial\=5581045XXXX MikroTik: done query: #194 settings-win.data.microsoft.com. 51.104.136.2

2025-02-25T06:38:34.986+0100 RB951-test CEF:0|MikroTik|RB951Ui-2HnD|7.18 (stable)|65|dns|Unknown|dvchost=RB951-test msg=serial\=5581045XXXX MikroTik: done query: #194 settings-win.data.microsoft.com. 51.104.136.2

Look at this message:

2025-02-25T05:33:10.918+0000 RB951-Jobb CEF:0|MikroTik|RB951Ui-2HnD|7.18 (stable)|10|system,clock,critical,info|Very-High|dvchost=RB951-Jobb msg=serial\=5581045C386A MikroTik: ntp change time Feb/25/2025 05:33:10 \=> Feb/25/2025 05:33:32

Here Name field should be Clock or NTP.
What in the hell does critical,info mean.
1. This is severity field and should be in Severity place of the CEF message.
2. Is it Critical or Info, It can not be both.

Severity= Unknown for DNS is wrong, it should be Informational, not Unknown.

Lets hope 7.19 will get this correct.

Tue Feb 25, 2025 8:55 am

The %version% and %host% variables are deprecated and are no longer supported.
Sorry for the inconvenience caused.

https://help.mikrotik.com/docs/spaces/R ... 4/Branding

mhh... i have an issue since 7.17, percent variables in branding maker doesn't transform anymore, leading my branded skins like this:
Screenshot 2025-02-25 at 00-24-44 %host% - AlbiTik.png

honzam · Tue Feb 25, 2025 9:00 am

Client (CubePRO) 7.12.1 -> upgrade to 7.18. Client does not boot

spippan · Tue Feb 25, 2025 9:08 am

thx. BFD in BGP now working again (as it did not work in 7.18beta4 - i don't know if it was addressed in b5, b6, rc1 or rc2)

Tue Feb 25, 2025 9:09 am

I am glad MT has added CEF to the logging with UDP/TCP and ISO8601 time format, but it seem that this is the only changes and the logging mess do continue. viewtopic.php?t=124291
Repeatedly I asked for fixing the double name in beta and RC, still not fixed. It do add some unneeded bytes to all package.

How CEF message are created:
Code: Select all
2025-02-25T06:38:34.986+0100 RB951-test 
Cef version			CEF:0|
Device Vendor			MikroTik|
Device Product			RB951Ui-2HnD|
Device Version			7.18 (stable)|
Device Event Class ID		65|
Name				dns|
Severity			Unknown|
[Extension]			dvchost=RB951-test msg=serial\=5581045XXXX MikroTik: done query: #194 settings-win.data.microsoft.com. 51.104.136.2
2025-02-25T06:38:34.986+0100 RB951-test CEF:0|MikroTik|RB951Ui-2HnD|7.18 (stable)|65|dns|Unknown|dvchost=RB951-test msg=serial\=5581045XXXX MikroTik: done query: #194 settings-win.data.microsoft.com. 51.104.136.2

Look at this message:
2025-02-25T05:33:10.918+0000 RB951-Jobb CEF:0|MikroTik|RB951Ui-2HnD|7.18 (stable)|10|system,clock,critical,info|Very-High|dvchost=RB951-Jobb msg=serial\=5581045C386A MikroTik: ntp change time Feb/25/2025 05:33:10 \=> Feb/25/2025 05:33:32
Here Name field should be Clock or NTP.
What in the hell does critical,info mean.
1. This is severity field and should be in Severity place of the CEF message.
2. Is it Critical or Info, It can not be both.

Severity= Unknown for DNS is wrong, it should be Informational, not Unknown.

Lets hope 7.19 will get this correct.

this message is taken from RouterOS logs and goes with tags, that are assigned to specific entry, that as well displayed at /log print.

Jotne · Tue Feb 25, 2025 9:21 am

It does not matter from where it comes from. For 10 years I have asked for cleaning up the log message from RouterOS. It will simplify use of SIEM tools like Splunk.

Default Severity:

Level	Severity	Keyword	Description
0	Emergency	emerg	System is unusable
1	Alert	alert	Action must be taken immediately
2	Critical	crit	Critical conditions
3	Error	err	Error conditions
4	Warning	warning	Warning conditions
5	Notice	notice	Normal but significant condition
6	Informational	info	Informational messages
7	Debug	debug	Debug-level messages

So when you are using Critical and Info in same message, how should you know if its a big problem, or just info?

Is there a list of all "Device Event Class ID"?

Here are some:

DeviceEventClassID	Name
73	bridge,stp
16	dhcp,info
65	dns
61	interface,info
9	script,info
10	system,info,account
81	wireguard,info
23	wireless,info

This should be if cleaned up:

DeviceEventClassID	Name
73	bridge
16	dhcp
65	dns
61	interface
9	script
10	system
81	wireguard
23	wireless

Wyz4k · Tue Feb 25, 2025 9:22 am

How should I send a supout? The unit works fine and then after upgrading to 7.18 it no longer responds and needs to be netinstalled.
After netinstall to 7.18 if I restore the backup, it immediately fails again.
After netinstall to 7.17.2 and backup restore, it works without problems.

Do you want my backup file or a supout of it working on 7.17.2?

Jotne · Tue Feb 25, 2025 9:26 am

As far as I remember backup is only for same version, so you need to upgrade or do a import of config.

Try to upgrade from 7.17.2 to 7.18 instead of netinstal.
Or export config from 7.17.2 and import it to 7.18

Tue Feb 25, 2025 9:38 am

Wyz4k - Yes, please generate backup file and send it to us. Add some static IP address to some specific and "unprotected" port on the router so after backup import we can access the router. Additionally add a new system user so you can share this - IP address, username, password and port on which we should be able to connect after backup import. Send this to support@mikrotik.com.

Tue Feb 25, 2025 9:39 am

It does not matter from where it comes from. For 10 years I have asked for cleaning up the log message from RouterOS. It will simplify use of SIEM tools like Splunk.

Default Severity:
Code: Select all
Level	Severity	Keyword	Description
0	Emergency	emerg	System is unusable
1	Alert	alert	Action must be taken immediately
2	Critical	crit	Critical conditions
3	Error	err	Error conditions
4	Warning	warning	Warning conditions
5	Notice	notice	Normal but significant condition
6	Informational	info	Informational messages
7	Debug	debug	Debug-level messages
So when you are using Critical and Info in same message, how should you know if its a big problem, or just info?

Is there a list of all "Device Event Class ID"?

Here are some:
Code: Select all
DeviceEventClassID	Name
73	bridge,stp
16	dhcp,info
65	dns
61	interface,info
9	script,info
10	system,info,account
81	wireguard,info
23	wireless,info
This should be if cleaned up:
Code: Select all
DeviceEventClassID	Name
73	bridge
16	dhcp
65	dns
61	interface
9	script
10	system
81	wireguard
23	wireless

Thank you for the information. Yes, SIEM was not implemented in 7.18, and still RouterOS logging format is being sent by CEF.

Tue Feb 25, 2025 9:40 am

Backups work between different version on the same device. However, for safety it is recommended to import backup on the same version as it was made for obvious reasons - what if some setting is deprecated, syntax has been changed, etc.

As far as I remember backup is only for same version, so you need to upgrade or do a import of config.

Try to upgrade from 7.17.2 to 7.18 instead of netinstal.
Or export config from 7.17.2 and import it to 7.18

whatever · Tue Feb 25, 2025 9:55 am

WARNING: Do not install this on RB450G or HAP AC2

Both has been repeatedly bricked,[...]

Not confirmed, hap ac2 upgrade was successful here.
Admittedly, there is not much free space left and only routeros and wifi-qcom-ac are installed, but the device did not brick:

> /system/resource/print 
                   uptime: 1m26s              
                  version: 7.18 (stable)      
               build-time: 2025-02-24 08:47:02
         factory-software: 6.41.3             
              free-memory: 157.4MiB           
             total-memory: 256.0MiB           
                      cpu: ARM                
                cpu-count: 4                  
            cpu-frequency: 597MHz             
                 cpu-load: 1%                 
           free-hdd-space: 268.0KiB           
          total-hdd-space: 16.0MiB            
  write-sect-since-reboot: 24                 
         write-sect-total: 1692350            
        architecture-name: arm                
               board-name: hAP ac^2           
                 platform: MikroTik    

> /system/package/print 
Columns: NAME, VERSION, BUILD-TIME, SIZE
# NAME          VERSION  BUILD-TIME           SIZE     
0 routeros      7.18     2025-02-24 08:47:02  11.5MiB  
1 wifi-qcom-ac  7.18     2025-02-24 08:47:02  2680.1KiB

CGGXANNX · Tue Feb 25, 2025 9:58 am

My hAP ac² also went through the 7.18 betas, RCs, and final without issues. But it has no wifi packages installed and still has plenty of spaces.

Wyz4k · Tue Feb 25, 2025 9:58 am

If the backups are incompatible it should warn that it is and simply reboot. Bricking is not an acceptable outcome.

I have emailed through the backup, a supout and the config files to support @ mikrotik . com

ips · Tue Feb 25, 2025 10:03 am

*) wifi - implement steering parameters to delay probe responses to clients in the 2.4GHz band;

Is there any doc about this?
Edit: I've just seen the message in the RC thread:

/interface/wifi/steering/ 2g-probe-delay=yes

Babujnik · Tue Feb 25, 2025 10:20 am

pulling images from registry-url seems to not working:

/container> config/print 
      ram-high: 128.0MiB       
  registry-url: https://lscr.io
  
  2025-02-25 09:19:42 container,info,debug [cont] not ok registry auth response: 400

Kanzler · Tue Feb 25, 2025 10:40 am

@ips,
Example:
/interface/wifi/steering
set 2g-probe-delay=yes steering1

Tue Feb 25, 2025 10:41 am

Wyz4k - This is some misunderstanding. Backup might not work on another router, or another version - my answer was to reply to Jotne about assumption that backup works only on the same version as created on. It should not ever crash router. Your crash has nothing to do with backup, most likely, but the configuration combination with your router environment/network/processed traffic/etc.

If the backups are incompatible it should warn that it is and simply reboot. Bricking is not an acceptable outcome.

I have emailed through the backup, a supout and the config files to support @ mikrotik . com

Wyz4k · Tue Feb 25, 2025 10:55 am

Thanks strods. Understood.

asimko · Tue Feb 25, 2025 11:26 am

The CVE-2024-54772 (https://github.com/deauther890/CVE-2024-54772) is still functioning in 7.18, will it be fixed?

guipoletto · Tue Feb 25, 2025 11:31 am

*) wifi - implement steering parameters to delay probe responses to clients in the 2.4GHz band;

/interface/wifi/steering/ 2g-probe-delay=yes

This works only for manually setup neighbor groups

/interface/wifi/configuration/set [find] steering.2g-probe-delay=yes

should work for locally-managed, and automatic/dynamic peer-groups

infabo · Tue Feb 25, 2025 11:32 am

@asimko Look, this is fixed in 7.18: https://mikrotik.com/supportsec/cve-2024-54772

pe1chl · Tue Feb 25, 2025 11:32 am

Everyone #2 - Please do not turn this version release topic again unrelated to the release itself and talking about how changelogs might be better, testing might be better, etc. Please open new forum topics for such discussions and let us keep these release topics related to RouterOS not management. If not for us, then at least for other colleagues users.

The issue is that the opening of another topic (even to add to the topic of feature suggestions) is a no-op.
When discussing things here, at least MikroTik employees are reading it and it may get in the back of their head to look at it some time.
When we open a new topic, only fellow users will reply to it and for sure nothing will happen.

You will probably say "then submit it as a ticket or mail to support" but some of these things really benefit from some discussion involving several users.
Please consider that. Maybe (I don't know if the used ticketing system supports that) allow some publicly visible tickets for feature requests or generic bug reports.

ID · Tue Feb 25, 2025 11:53 am

"then submit it as a ticket or mail to support"

I never do. If i see an problem i'm coming here to aware users about problem. How do we know that version specific problems if everyone send problems to closed system? I'm not gonna jump and update my devices either for unnecessary things with new bugs. That's why we need open bug tracker. Thanks god that most of users reporting problems in forum thus we know most of it...

dynek · Tue Feb 25, 2025 11:59 am

Is it expected that containers created with digest (sha256) have the repo value ending in "latest" ?
I was not able to specify both the tag and the digest.

btw for those scripting stuff around containers, "tag" became "repo", haven't seen anything to that regard in the changelog and it broke my automations (consistency and updates).

Tue Feb 25, 2025 12:02 pm

"is still functioning in 7.18, will it be fixed?" - is there a concrete reason for this claim? We have retested the issue and it is resolved. If it's purely from testing with GitHub PoC, it will return "Valid username!" even for non-existent ones, at least in 7.18.

noradtux · Tue Feb 25, 2025 12:02 pm

Why is this relevant? You don't have the WinBox port (or any management port) open on an untrusted network without at least address constraints, do you?

sch · Tue Feb 25, 2025 12:04 pm

pulling images from registry-url seems to not working:

/container> config/print 
      ram-high: 128.0MiB       
  registry-url: https://lscr.io
  
  2025-02-25 09:19:42 container,info,debug [cont] not ok registry auth response: 400

Please write to support and add a supout.rif file.

infabo · Tue Feb 25, 2025 12:07 pm

Why is this relevant? You don't have the WinBox port (or any management port) open on an untrusted network without at least address constraints, do you?

The same reason you set a password.

Tue Feb 25, 2025 12:24 pm

Maybe I missed something somewhere but it looks like configuration.installation parameter (to set indoor/outdoor) is missing from Winbox for Wifi part.
Verified both Winbox3 and winbox4.
It is there in CLI.
It still shows in documentation so it should be there ?

leonardogyn · Tue Feb 25, 2025 12:42 pm

Got a RB750Gr3 that did not came back after update from v7.17.2 to v7.18. Will have to reach the unit for further analysis and trying to get it back online.

It was running only the core "routeros" package, no extra packages installed at all. It had hotspot enabled, which creates some files on the flash filesystem, but that's about 40-50k, not much difference on the storage usage anyway.

LordNikkon · Tue Feb 25, 2025 1:44 pm

I have to report that three of my RB760 (HexS) constantly rebooting. After checking terminal i saw that last reload was caused by kernel problem. On two routers i was able to log in (routers crashing after 1 minute) download 7.17.2 and force to downgrade. They are working now. Problem is device which is very far. I don't have enough time to copy image before crash.

FFS Mikrotik, how could you release ROS without proper testing on MMIPS based routers which you have in constant sell! Routers which crashed has simple configuration no additional software installed. ARM and ARM64 works fine.

Great! Thank you for giving me extra work! Thanks god we imiddiatly stopped upgrade when we saw that routers not starting up.

leonardogyn · Tue Feb 25, 2025 1:52 pm

Got a RB750Gr3 that did not came back after update from v7.17.2 to v7.18. Will have to reach the unit for further analysis and trying to get it back online.

It was running only the core "routeros" package, no extra packages installed at all. It had hotspot enabled, which creates some files on the flash filesystem, but that's about 40-50k, not much difference on the storage usage anyway.

.
UPDATE: the actual upgrade to v7.18 seems to have completed fine, router is online, however rebooting a few seconds after booting, and kept on this constant reboot loop. On a VERY quick troubleshoot, seems that disabling my OpenVPN management instance (OpenVPN client instance) restored the RB750Gr3 to its working condition, it's not rebooting anymore. Enabling the OpenVPN client instance makes the router crash a few seconds after VPN is established, no messages displayed on '/log print follow' however. It seems to be something OpenVPN-client related on my RB750Gr3s. This is absolutely confirmed to me here, disabling OpenVPN-client brings the RB750Gr3 to a working state again, no rebooting loops, with update to v7.18 being just fine (i mean, no crashes on the update itself, config migration seems OK). OpenVPN-client configuration is pretty simple:
.

/interface ovpn-client add certificate=cliente-<CERT-NAME> cipher=aes256-cbc connect-to=<VPNHOSTNAME> mac-address=FE:D1:A4:68:B2:B1 name=ovpn-management password=password port=11945 user=user

.
Already tried removing the ovpn-client and recreating, with the exact config above, and nothing changed, router reboots few seconds after VPN is established.

Reconnecting to the RB750Gr3 after a reboot shows a kernel failure warning:

2025-02-25 08:52:33 system,clock,critical,info ntp change time Feb/25/2025 08:51:55 => Feb/25/2025 08:52:33
2025-02-25 08:52:36 system,error,critical router was rebooted without proper shutdown, probably kernel failure
2025-02-25 08:52:37 system,error,critical kernel failure in previous boot

No coredumps or anything automatically generated on the filesystem to help further investigation :(

I have other models on exactly same configuration, all connecting to this OpenVPN management VPN, and none presented similar behavior. RB2011s, RB3011s, RB4011s, RB1100s, some CCRs This is happening on RB750Gr3 only (at least among the models I have and use)

accarda · Tue Feb 25, 2025 1:54 pm

FFS Mikrotik, how could you release ROS without proper testing on MMIPS based routers which you have in constant sell! Routers which crashed has simple configuration no additional software installed. ARM and ARM64 works fine.

Actually on my hEX-S I didn't have any issue after installing Ros 7.18, so as indicated in some post above, it's not a specific model issue, but the combination of your setup and situation.

zipiju · Tue Feb 25, 2025 2:17 pm

RBM33G dead after upgrade from I believe 7.13.x with no extra packages. Was used only as an ethernet to serial converter with very basic config on it.

leonardogyn · Tue Feb 25, 2025 2:25 pm

UPDATE: the actual upgrade to v7.18 seems to have completed fine, routers are online, however rebooting a few seconds after booting, and kept on this constant reboot loop. On a VERY quick troubleshoot, seems that disabling my OpenVPN management instance (OpenVPN client instance) restored the RB750Gr3 to its working condition, it's not rebooting anymore. Enabling the OpenVPN client instance makes the router crash a few seconds after VPN is established, no messages displayed on '/log print follow' however.

.
UPDATE 2: Tried setting up a fresh RB750Gr3 with the most basic setup as possible (a plain IP address on an ether interface, DNS and default route). As soon as configured a ovpn-client instance, it connects, disconnects a few seconds later and the router crashes and reboots. It seems to disconnect twice before the router fully crashing and rebooting. Look at the timestamps:

2025-02-25 09:18:21 ovpn,info ovpn-management: using encoding - AES-256-CBC/SHA1
2025-02-25 09:18:21 ovpn,info ovpn-management: connected
(10 seconds)
2025-02-25 09:18:31 ovpn,info ovpn-management: disconnected <peer disconnected>
2025-02-25 09:18:31 ovpn,info ovpn-management: terminating... - peer disconnected
2025-02-25 09:18:31 ovpn,info ovpn-management: disconnected
2025-02-25 09:18:31 ovpn,info ovpn-management: initializing...
2025-02-25 09:18:31 ovpn,info ovpn-management: connecting...
2025-02-25 09:18:32 ovpn,info ovpn-management: using encoding - AES-256-CBC/SHA1
2025-02-25 09:18:32 ovpn,info ovpn-management: connected
(10 seconds)
2025-02-25 09:18:42 ovpn,info ovpn-management: disconnected <peer disconnected>
2025-02-25 09:18:42 ovpn,info ovpn-management: terminating... - peer disconnected
(and router crashes, reboots, and on next connection to it I can see:)
2025-02-25 11:33:33 system,error,critical kernel failure in previous boot

.
And despite the <peer disconnected> message, as previously stated, the very same configuration and VPN (server) instance is working fine for other models I also have: 2011s, 3011s, 4011s, some different CCR models, 1100s. Only the RB750Gr3 is having this behavior. OpenVPN server instance is running on a regular AlmaLinux Linux box, if that matters, and successfully serving different MK models on v7.18 with no problems but RB750Gr3s

leonardogyn · Tue Feb 25, 2025 2:32 pm

I have to report that three of my RB760 (HexS) constantly rebooting. After checking terminal i saw that last reload was caused by kernel problem. On two routers i was able to log in (routers crashing after 1 minute) download 7.17.2 and force to downgrade. They are working now. Problem is device which is very far. I don't have enough time to copy image before crash.

.
Are you, by any chance, running any OpenVPN instance on these routers? I'm facing problems clearly isolated, to me, to a openvpn client instance on the routers. Once disabled, everything works just fine!

LordNikkon · Tue Feb 25, 2025 2:54 pm

I have to report that three of my RB760 (HexS) constantly rebooting. After checking terminal i saw that last reload was caused by kernel problem. On two routers i was able to log in (routers crashing after 1 minute) download 7.17.2 and force to downgrade. They are working now. Problem is device which is very far. I don't have enough time to copy image before crash.
.
Are you, by any chance, running any OpenVPN instance on these routers? I'm facing problems clearly isolated, to me, to a openvpn client instance on the routers. Once disabled, everything works just fine!

Yes i have OpenVPN set up. Problem is that i cant switch it off, because router is far away (like few thousand kilometer from me)

leonardogyn · Tue Feb 25, 2025 3:08 pm

Yes i have OpenVPN set up. Problem is that i cant switch it off, because router is far away (like few thousand kilometer from me)

.
It's fine ... this is just a second confirmation that problem occurs with some OpenVPN configuration/traffic in place. It just confirms my quick analysis here. Thanks!

leonardogyn · Tue Feb 25, 2025 3:15 pm

UPDATE: the actual upgrade to v7.18 seems to have completed fine, routers are online, however rebooting a few seconds after booting, and kept on this constant reboot loop. On a VERY quick troubleshoot, seems that disabling my OpenVPN management instance (OpenVPN client instance) restored the RB750Gr3 to its working condition, it's not rebooting anymore. Enabling the OpenVPN client instance makes the router crash a few seconds after VPN is established, no messages displayed on '/log print follow' however.

.
UPDATE 3: Actually it seems that as soon as some traffic hits the OpenVPN client instance, on the RB750Gr3, it crashes and reboots. On my previous test I wasn't trying to use the OpenVPN client instance, just had it connected. The 10 second interval I was seeing are likely the OpenVPN server heartbeats only. But with a ping to the IP that ovpn client instance interface will receive, as soon as it connects, RB750Gr3 crashes and reboots, it's just immediately.

Also tried netinstalling to the device, to really "clean" old updates gargage that might have been left behind, but no changes. As soon as traffic hits the ovpn client instance, RB750Gr3 crashes and reboots.

LordNikkon · Tue Feb 25, 2025 3:25 pm

i tried to connect to this router but it's reloading to fast and lag (250ms) is not helping. I need to configure new router and send it with older software.

Damm lazy Mikrotik. Great Release candidate checking...

On two routers in EU i was able to log in, quickly upload ROS 7.17.2 and execute commend "/system/package/downgrade". This save me in two sites. Last one is too far to make it in less then minute (also IPSEC tunnel is not start as fast like in EU). Thanks god i didn't upgrade all RB760 (50+).

Summary affected are all MMIPS CPU routers whcih has OpenVPN configured.

leonardogyn · Tue Feb 25, 2025 3:32 pm

i tried to connect to this router but it's reloading to fast and lag (250ms) is not helping. I need to configure new router and send it with older software.

.
I have disabled VPN access for my RB750Gr3 box that is having problems using iptables rules (my OpenVPN server instance is running on a regular linux). While the RB is not connecting to my management interface anymore and I have no management to it, at least it's running fine. Maybe, as a quick workaroung just to get things working, trying to block the VPN connection on your side might help. And when Mikrotik releases a fix for this, someone can grant you access via AnyDesk/TeamViewer from inside the network, and you can update them to v7.18.1 for example.
.
This is the approach I took here, RB750Gr3 is offline to my management VPN network, but at least working and serving its networks fine. This will give me at least time to breath and think.

rextended · Tue Feb 25, 2025 3:34 pm

@LordNikkon you can only cry on your own.
No matter who the vendor is, putting a newly released software into production without even testing it for a month is irresponsible.

blacksnow · Tue Feb 25, 2025 3:36 pm

@LordNikkon you can only cry on your own.
No matter who the vendor is, putting a newly released software into production without even testing it for a month is irresponsible.

Was thinking the exact same thing, not to mention installing it on devices you don't have local access to......

Jotne · Tue Feb 25, 2025 3:37 pm

Yes i have OpenVPN set up. Problem is that i cant switch it off, because router is far away (like few thousand kilometer from me)

So you did a remote upgrade on a router first day after a new release?

Here is what you should do:
Do not upgrade .0 version. Wait to at least .1
Do wait some weeks after a new release to upgrade to make sure no surprise are lurking in the shadows.
Read forum and see what other says.
Then upgrade a local router with same config as the remote and test it (if possible)
If all looks fine, do the upgrade, but only if its needed. Why fix some that is not broken.

blbeczech82 · Tue Feb 25, 2025 3:39 pm

Thank you for adding rtl8125b-2.fw driver in extra-nic package!
I still hope for 8156, resp. r8152 for arm64 (x86 already added). Could you add?

teslasystems · Tue Feb 25, 2025 3:53 pm

Regarding remote logging. Currently, if a connection between a router and log server is lost for some period, all records appeared during this period are not transferred to the server. Please consider implementing some kind of "buffering" such records, so they can be automatically transferred, when connection restores.

labynko · Tue Feb 25, 2025 3:55 pm

I had problems booting via UEFI on two DELL PowerEdge R630 servers after upgrading RouterOS from 7.17.2 to 7.18.
I had to install 7.18 from ISO over it. Up until this version all upgrades were successful.

eworm · Tue Feb 25, 2025 4:07 pm

Regarding remote logging. Currently, if a connection between a router and log server is lost for some period, all records appeared during this period are not transferred to the server. Please consider implementing some kind of "buffering" such records, so they can be automatically transferred, when connection restores.

I think there is some kind of buffering already. But messages can not be kept infinitely to make sure a missing log server does not cause resource exhaustion on all network devices.

leonardogyn · Tue Feb 25, 2025 4:21 pm

I think there is some kind of buffering already. But messages can not be kept infinitely to make sure a missing log server does not cause resource exhaustion on all network devices.

.
When using UDP as transport, which I believe is the default, I don't believe it's typical for syslog exporting to buffer anything. With UDP, there's really no way of knowing server is online or not.

That will be clearly easier with TCP, which syslog supports. But to my experience, UDP is much more commonly used while exporting logs.

teslasystems · Tue Feb 25, 2025 4:21 pm

Regarding remote logging. Currently, if a connection between a router and log server is lost for some period, all records appeared during this period are not transferred to the server. Please consider implementing some kind of "buffering" such records, so they can be automatically transferred, when connection restores.
I think there is some kind of buffering already. But messages can not be kept infinitely to make sure a missing log server does not cause resource exhaustion on all network devices.

I don't see any buffering. If there is no connection, records are not transferred at all. I was testing it, just made a script, that adds a test log record periodically and disabled connection for a short period. All records, that appeared during no connection period, were not transferred.

Of course, there should be some limit for this buffer, same as 'Lines' parameter for memory type logging. Or, if such records are also logged with different types (memory, disk or whatever), they could be internally marked for transferring to save memory. But I think, it doesn't worth to complicate so much.

That will be clearly easier with TCP, which syslog supports. But to my experience, UDP is much more commonly used while exporting logs.

Yeah, but for UDP you could have an option to test its availability by pinging prior to sending. Stupid method probably, just an idea.

pe1chl · Tue Feb 25, 2025 4:29 pm

When you require that functionality, instead log to memory (as is default) and retrieve the logs using API from a remote system...

sinisa · Tue Feb 25, 2025 4:31 pm

UPDATE: the actual upgrade to v7.18 seems to have completed fine, routers are online, however rebooting a few seconds after booting, and kept on this constant reboot loop. On a VERY quick troubleshoot, seems that disabling my OpenVPN management instance (OpenVPN client instance) restored the RB750Gr3 to its working condition, it's not rebooting anymore. Enabling the OpenVPN client instance makes the router crash a few seconds after VPN is established, no messages displayed on '/log print follow' however.
.
UPDATE 3: Actually it seems that as soon as some traffic hits the OpenVPN client instance, on the RB750Gr3, it crashes and reboots. On my previous test I wasn't trying to use the OpenVPN client instance, just had it connected. The 10 second interval I was seeing are likely the OpenVPN server heartbeats only. But with a ping to the IP that ovpn client instance interface will receive, as soon as it connects, RB750Gr3 crashes and reboots, it's just immediately.

Also tried netinstalling to the device, to really "clean" old updates gargage that might have been left behind, but no changes. As soon as traffic hits the ovpn client instance, RB750Gr3 crashes and reboots.

It crashes only with AES-256-CBC. Works fine with AES-256-GCM.

Just fixed one 750gr3 HEX with same reboot problem (yes, it is set to auto-update when new version comes, it is not very important, but it is used every day so I get first impressions early. Also one of the few still on OpenVPN, I have moved most of the others to Wireguard).

leonardogyn · Tue Feb 25, 2025 4:35 pm

It crashes only with AES-256-CBC. Works fine with AES-256-GCM.

.
Good catch, I haven't tried ciphers and hash combinations. Actually this OpenVPN management server instance still runs on TCP, as RouterOS (at that time) didn't support UDP. Still using SHA1 for the same reason, it was the "best" supported option when I setup this instance and whole VPN management network. Might be a good time to analyze options and compatibility again.

mszru · Tue Feb 25, 2025 5:47 pm

"SA Query Timeout" problem renamed to "disconnected, not responding" is still there unfortunately. While in a Zoom meeting I got disconnected 3 times in a half hour. I use hAP ax3 and a laptop with Intel AX203 Wi-Fi card. I had WPA3 and Management Protection disabled since I first encountered the "SA Query..." error and decided to give it a try and enable it again in 7.18

 2025-02-25 15:46:10 wireless,info E4:B3:18:**:**:**@wifi10 reconnecting, signal strength -68
 2025-02-25 15:46:11 wireless,info 90:09:DF:**:**:**@wifi1 disconnected, not responding, signal strength -60
 2025-02-25 15:46:12 wireless,info 90:09:DF:**:**:**@wifi2 connected, signal strength -46
 2025-02-25 15:46:14 wireless,info E4:B3:18:**:**:**@wifi10 connected, signal strength -68
 2025-02-25 15:51:17 wireless,info 90:09:DF:**:**:**@wifi2 disconnected, not responding, signal strength -42
 2025-02-25 15:51:31 wireless,info 90:09:DF:**:**:**@wifi1 connected, signal strength -58
 2025-02-25 16:03:09 wireless,info E4:B3:18:**:**:**@wifi10 reconnecting, signal strength -69
 2025-02-25 16:03:10 wireless,info 90:09:DF:**:**:**@wifi1 disconnected, not responding, signal strength -56
 2025-02-25 16:03:12 wireless,info 90:09:DF:**:**:**@wifi2 connected, signal strength -49
 2025-02-25 16:03:17 wireless,info E4:B3:18:**:**:**@wifi10 connected, signal strength -73
 2025-02-25 16:08:17 wireless,info 90:09:DF:**:**:**@wifi2 disconnected, not responding, signal strength -42
 2025-02-25 16:08:17 wireless,info 90:09:DF:**:**:**@wifi2 connected, signal strength -46
 2025-02-25 16:13:27 wireless,info 90:09:DF:**:**:**@wifi2 disconnected, not responding, signal strength -44
 2025-02-25 16:13:42 wireless,info 90:09:DF:**:**:**@wifi1 connected, signal strength -59

Albirew · Tue Feb 25, 2025 8:03 pm

The %version% and %host% variables are deprecated and are no longer supported.
Sorry for the inconvenience caused.

Thanks for the answer.
Is there still a way to get version number and host address from branding webpage without using rest API? maybe in /assets/script.js ?
(rest api requires login, hence my question for authless alternative usable in branded webpage)

chiem · Tue Feb 25, 2025 10:06 pm

Anyone seeing slightly strange ipv6 behavior in 7.18?

My ipv6 network has been on $prefix:0::/64 for years. After upgrading, it went to $prefix:2::/64. Then later I got a warning about something changing in neighbor discovery and it advised me to reboot. After that, it swapped back over to $prefix:0::/64.

Also, why don't I have any fast-path packets?

[admin@ccr2116] > /ipv6/settings/print
                    disable-ipv6: no
                         forward: yes
           multipath-hash-policy: l3
                accept-redirects: yes-if-forwarding-disabled
    accept-router-advertisements: yes-if-forwarding-disabled
      disable-link-local-address: no
  stale-neighbor-detect-interval: 30
          stale-neighbor-timeout: 60
            min-neighbor-entries: 4096
       soft-max-neighbor-entries: 8192
            max-neighbor-entries: 16384
                 allow-fast-path: yes
           ipv6-fast-path-active: yes
          ipv6-fast-path-packets: 0
            ipv6-fast-path-bytes: 0
           ipv6-fasttrack-active: yes
          ipv6-fasttrack-packets: 1862750
            ipv6-fasttrack-bytes: 2576286552

Doesn't the documentation say that if a packet is fast-tracked, it's also fast-pathed?

https://help.mikrotik.com/docs/spaces/R ... S-FastPath

CGGXANNX · Tue Feb 25, 2025 10:27 pm

The behavior with the incremented prefix was always there. If the interface (bridge, vlan, etc...) gets the address with the prefix from a pool, and you make any modifications to the interface (for instance toggling IGMP Snooping on the bridge interface or changing ARP mode on a VLAN interface), the current allocated prefix is released and a new prefix is retrieved from the pool to be used on the interface.

And if fasttrack is working correctly then it's normal that the fast path counters are all zeroes. If you see non-zero FP counters and zero FT counters, then Fasttrack was not enabled correctly.

eltikpad · Tue Feb 25, 2025 10:32 pm

@ chiem My understanding is that fast-path is only used if many conditions are met, one of which is no firewall filter rules.

My counters show similar 0 ipv6-fast-path-packets and bytes values.

chiem · Tue Feb 25, 2025 10:37 pm

The behavior with the incremented prefix was always there. If the interface (bridge, vlan, etc...) gets the address with the prefix from a pool, and you make any modifications to the interface (for instance toggling IGMP Snooping on the bridge interface or changing ARP mode on a VLAN interface), the current allocated prefix is released and a new prefix is retrieved from the pool to be used on the interface.

But I didn't make any changes to the bridge. This is the first upgrade that came up with a different prefix. Well, I have to admit that I didn't check the address right after the upgrade, only after I noticed that ipv6 wasn't working. Perhaps the addition of the ipv6 firewall fasttrack rule changed it?

And if fasttrack is working correctly then it's normal that the fast path counters are all zeroes. If you see non-zero FP counters and zero FT counters, then Fasttrack was not enabled correctly.

Good to know, thanks!

@eltikpad Thanks for confirming!

mikesaxl · Tue Feb 25, 2025 10:37 pm

I got past the boot loop after some effort and power cycling :O
Did a fresh net install to 7.18 and formatted the hard drive. It boots with no config :)

First thing I noticed is that the PPP profile now needs a queue statement with 2 values.
Why break our configs with silliness like that?
Code: Select all
ver 7.17.2 and below
add bridge=router-bridge bridge-port-vid=30 change-tcp-mss=yes name=private-encryption use-encryption=yes use-upnp=no [b]queue=default[/b]
ver 7.18
add bridge=router-bridge bridge-port-vid=30 change-tcp-mss=yes name=private-encryption use-encryption=yes use-upnp=no [b]queue=default/default[/b]
Second thing, this is what was probably causing the initial boot loop was enabling IGMP snooping. I tested it on the clean install and kernel panic!
Code: Select all
add name=router-bridge comment="Site Master Bridge" frame-types=admit-only-vlan-tagged ingress-filtering=no port-cost-mode=short protocol-mode=none pvid=4094 igmp-snooping=yes
From the RIF log:
Feb/24/2025 17:35:19 system,error,critical router was rebooted without proper shutdown, probably kernel failure
Feb/24/2025 17:35:19 system,error,critical router was rebooted without proper shutdown, probably kernel failure

So be careful out there if you're using IGMP snooping on v7.18

I am currenlty trying out ipv6 multicast. Is that supposed to work with ipv6 and a crs3xx switch? https://help.mikrotik.com/docs/spaces/R ... D+snooping says it should work and ipv6 should not interfere with ipv4 and ff02::1 is aways forwarded.
When I use vlans (the ipv4 querier is not a switch but a router with pimsm, else it is documented it will not work. currently there is no ipv6 querier, I think this is not implemented. pimv6 exists but a mld packet was never sent) neither ff02::1 is forwared reliably when igmp-snooping is enabled even tough mld-querier is none. Strangely bridge/mld populates SOME ipv6 groups, but there is no ff02::1 nor a ff02::2.

What would be helpful is being able to turn on multicast handling only for specific address families (so the switch does not even think to touch mac addresses beginning with 33:33) since this breaks ipv6 completly in a lan since the router advertisements dont come through. The only solution is disabling igmp-querier altogheter and live with multicast flooding
A very nice thing tough would be if optionally ff02::/16 would be treated like 224.0.0.0/24 (that is always forwarded) since heavy multicast should be on ff05::/16 since ff02:: is site local and thus not routable and usually used for low bandwidth neighbour discovery

Maggiore81 · Tue Feb 25, 2025 10:56 pm

I just upgraded to 7.18 and now it's stuck in a boot loop :( why?
I can't even hit DEL or Control+E :(
I feel as if the testing portion of releases is a bit lacking

We had a 2116 that went into a boot loop. We were unable to recover it via netinstall older than 7.18
only 7.18 netinstall could recover it.

Rox169 · Tue Feb 25, 2025 11:01 pm

Hi,
is in 7.18 BUG?
I use DOH DNS with quad9. I also use adlist with StevenBlack from PiHole. Unfortunatelly this adlist block googleadservices. which is sometimes usefull. I tried to use DNS/static and also DNS/Forwarders but NOONE record unblock googleadservices..

Any help pleease?

pe1chl · Tue Feb 25, 2025 11:04 pm

There was a firmware change in 7.16 that of course may affect you only later when you do not update firmware every upgrade.
I had a CCR1009 go into a bootloop when I changed from 2 to 1 partitions (the first one being active) with 7.18beta4 to beta6 upgrade, and when trying to netinstall it things got only worse.
Serial terminal with Ctrl-E was required to recover it, but what if that was a device without serial port?
And of course the bootloop after changing partitions is a bug in itself.

WoZeR · Tue Feb 25, 2025 11:27 pm

Adding a queue with 7.18 on a CCR2004-1G-12S+2XS crashes the OS and boot loops the device. :(
I would avoid using this version, It is very unstable.

/queue type
add kind=pcq name=PCQ-Internet pcq-classifier=src-address
/queue simple
add dst=internet-sfp12 max-limit=950M/950M name=Internet-FairShare queue=\
PCQ-Internet/PCQ-Internet target="" total-queue=PCQ-Internet

dang21000 · Tue Feb 25, 2025 11:35 pm

WebFIG : Please remove the default username in the login field ! And add dark mode too, like WB4

Jotne · Wed Feb 26, 2025 7:39 am

Regarding remote logging. Currently, if a connection between a router and log server is lost for some period, all records appeared during this period are not transferred to the server. Please consider implementing some kind of "buffering" such records, so they can be automatically transferred, when connection restores.

There are no buffer on logging, All logs that are generated at boot are not sent since there are no network up and running. Logs will only be tried sent once, and if that does not work, they are not sent (UDP/TCP).

braidiano · Wed Feb 26, 2025 7:41 am

if you set the /interface/pppoe-server/server set max-sessions=1 and for eg the pppoe-over-vlan-range=1-1000, only one pppo-client can connect at time, because "limit of maximum connections exceeded".

This is wrong, becase it have to take in account how many the sessions "for each inner vlan", and not the whole number of sessions on the outer vlan.

It work properly in the past if you set max-sessions=1 and have the pppo-server in a bridge and have 100 users.

Wed Feb 26, 2025 8:09 am

The issue with OVPN service running on MMIPS devices with "hardware encryption" has been reproduced and fixed already. The fix will be available in the upcoming RouterOS releases.

nereith · Wed Feb 26, 2025 8:22 am

*) ovpn - disable hardware accelerator for GCM on Alpine CPUs (introduced in v7.17);

What's the reason for disabling GCM? What issue was it causing?

infabo · Wed Feb 26, 2025 9:06 am

Probably this: viewtopic.php?p=1124455#p1124455

pe1chl · Wed Feb 26, 2025 11:11 am

There are no buffer on logging, All logs that are generated at boot are not sent since there are no network up and running. Logs will only be tried sent once, and if that does not work, they are not sent (UDP/TCP).

Yes, and it is not something that can be solved easily.
E.g. in our network the branch routers log to a syslog server in the main office, connected via tunnels and routed with BGP.
Due to the BGP bugs introduced in 7.16 it takes a minute for the routing to establish, so everything happening in the first minute is lost. That could be a lot.
Probably when someone is interested in the logs after boot, they should send a trigger message at boot (have a scheduled job at startup that checks if the connection to logserver is already up, or does a simple delay) and on the logserver have some action that recognizes this message and fires a program that contacts the router using API and retrieves the log from memory.

eworm · Wed Feb 26, 2025 11:22 am

Just checked for myself... The very first message I have on the log server for every device is:

system,info MikroTik: router rebooted by ssh:eworm@10.171.215.2/shutdown

I am pretty sure this is before wireguard connection is up, and also before OSPF established any routes. So there must be what ever kind of buffering, no?

Paternot · Wed Feb 26, 2025 11:33 am

Probably when someone is interested in the logs after boot, they should send a trigger message at boot (have a scheduled job at startup that checks if the connection to logserver is already up, or does a simple delay) and on the logserver have some action that recognizes this message and fires a program that contacts the router using API and retrieves the log from memory.

Log servers are mostly passive. To me the best course of action would be to create a memory buffer (a small one, say 1MiB) and send log messages to it. In fact, we already have: it's the "log to memory option".

THEN the contents of this buffers that were marked to remote logging are sent - and only removed either wen successfully sent OR the buffer runs out of space.

Problem 1:
This won't work for logs servers using UDP for communication.

Problem 2:
Increases complexity on a system that should just work.

Possible workaround 1:
Set a job to be run ONLY after boot. It tries to send everything on memory that is marked with the "remote" option. This would take care of the UDP problem, would not need changes to the server and should "just work".

Problem 1 for this workaround:
Now we have several lines of log waiting for network. How do we check connectivity? A simple "fire and forget" UDP log server will not have this. We could ping it - but how do we make sure it's really working? How do we know the ping isn't going trough one secondary route, and the UDP would be blocked by the firewall on this one?

Possible workaround 2:
I had another idea, but just forgot. Early morning and all that. Ah, well.

nipfel · Wed Feb 26, 2025 11:35 am

After updating several devices, I see that this update automatically installs extra packages that were not installed on the router before the update?

I saw exactly the same on hap ac, 600 kb left after that. Even uninstalled packages came back after resetting the router and the reason Is I got locked by no rules. First rule in the FW filter list to filter incoming dhcp-offers disappeared somewhere. It was fine until I simplified some Address Lists (combined them) using WInBox.
They forgot to test again, I suppose.
UPD: Now router rejects offers from netinstall to flash long-term back. Nice piece of software.

pe1chl · Wed Feb 26, 2025 11:43 am

PLEASE PLEASE PLEASE study the matter before you claim that packages get installed.
Starting from 7.18, this list has both the packages that are installed, and those that are optional to install.

erlinden · Wed Feb 26, 2025 11:52 am

Besides marking for uninstall, was the device rebooted to complete uninstall @nipfel?
And did you create supout to inform support?

They forgot to test again, I suppose.

This is not really constructive.

Starting from 7.18, this list has both the packages that are installed, and those that are optional to install.

Can't imagine people overseeing such a thing, can you?

pe1chl · Wed Feb 26, 2025 12:05 pm

Starting from 7.18, this list has both the packages that are installed, and those that are optional to install.
Can't imagine people overseeing such a thing, can you?

Well, I have often commented that the changelog is inadequate and should be replaced with something that has more info, links to documentation, etc.
But when looking at the packages screen, I really do not see how someone could think that packages are installed that are not:

packages.png

Wed Feb 26, 2025 12:09 pm

OVPN related issues are fixed, if you still have problems with this version, send us supout.
https://box.mikrotik.com/d/c2fc960065ed49b78214/

rextended · Wed Feb 26, 2025 12:10 pm

@oskarsk
WARNING: Are links for RouterOS 7.20_ab22!!!

I do not know if is done on purpose, skipping 7.18.x / 7.19

fischerdouglas · Wed Feb 26, 2025 12:13 pm

OK! That's it!

v7.18 "stable" published and with this:

YouTube video officially listed 16 hours ago.
- https://www.youtube.com/watch?v=g1wpIIfYpZA
Rose Data Server Confluence page was published 1 hour ago.
- https://help.mikrotik.com/docs/spaces/U ... ata+Server
- Code: Select all
```
The device supports RouterOS software with version v7.18 or above.
```

The pressures from product teams and marketing teams have already been met.

Now who knows, maybe they can put "renice -19" on everything related to routing and switching, and a "renice 19" on everything that is superfluous.

Let's pray.

pe1chl · Wed Feb 26, 2025 12:29 pm

Yes, that would be great!
But I fear that once the Rose Data Server really hits the street, we will see lots of requests for (in itself) reasonable requests around data server functionality.
(some of them in software not written by MikroTik but becoming their responsibility when used as part of such a product. e.g. I am using BTRFS myself on my home system, and I can tell it is a REAL PAIN when you are running RAID-1 and one of the disks goes offline. It is NOT like in a typical RAID-1 controller where you can just pull the disk and plug the same or another one back in)

leonardogyn · Wed Feb 26, 2025 12:31 pm

OVPN related issues are fixed, if you still have problems with this version, send us supout.
https://box.mikrotik.com/d/c2fc960065ed49b78214/

.
Great news, thanks for the quick fix on this one. Can we expect a v7.18.1 fixing this, or it will be published on v7.19 only, for example?

CHL · Wed Feb 26, 2025 12:57 pm

OVPN still in trouble here on RB4011GS+ / ARM. aes256cbc working fine, aes256gcm results in permanent disconnects as soon as data is transmitted.

rextended · Wed Feb 26, 2025 12:59 pm

OVPN related issues are fixed, if you still have problems with this version, send us supout.
https://box.mikrotik.com/d/c2fc960065ed49b78214/
.
Great news, thanks for the quick fix on this one. Can we expect a v7.18.1 fixing this, or it will be published on v7.19 only, for example?

Probably only on RouterOS 7.20_ab22+ (didn't you notice the shared files versions have, and my comment)?

cyrq · Wed Feb 26, 2025 1:07 pm

It's called branching...

leonardogyn · Wed Feb 26, 2025 1:18 pm

OVPN related issues are fixed, if you still have problems with this version, send us supout.
https://box.mikrotik.com/d/c2fc960065ed49b78214/

.
Tested ab23 and, in a quick lab test, and it solved connections issues for AES-256-CBC. I also tested AES-256-GCM and it worked just fine. Tested on RB750Gr3 only.

leonardogyn · Wed Feb 26, 2025 1:25 pm

Probably only on RouterOS 7.20_ab22+ (didn't you notice the shared files versions have, and my comment)?

.
Fore sure I noticed the filenames (v7.20) and your comments. I'm just looking for a kind of official answer on where to expect that fix to be published on a "stable" release.

teslasystems · Wed Feb 26, 2025 1:52 pm

Regarding remote logging. Currently, if a connection between a router and log server is lost for some period, all records appeared during this period are not transferred to the server. Please consider implementing some kind of "buffering" such records, so they can be automatically transferred, when connection restores.
There are no buffer on logging, All logs that are generated at boot are not sent since there are no network up and running. Logs will only be tried sent once, and if that does not work, they are not sent (UDP/TCP).

Thanks for telling me obvious things... I was talking about changing this behavior.

fischerdouglas · Wed Feb 26, 2025 1:53 pm

Tested ab23 and, in a quick lab test, and it solved connections issues for AES-256-CBC. I also tested AES-256-GCM and it worked just fine. Tested on RB750Gr3 only.

Could you please do me a favor? Just to satisfy my curiosity.

/system/resource/usb/print

What kernel version appears there?

I remember reading something about AES-256-CBC in relation to the Linux Kernel starting to support this type of encryption. But I remember it being about FileSystem encryption, not network encryption.
I don't even know why I'm so curious about this, because even if it was network encryption, and they had changed something to support it, I'm almost certain that they wouldn't update the Kernel, but rather backport changes to the base Kernel they use.
But, hope is the last thing to die, right?

Many other requested features would be more easily achieved if there were a Kernel update.

leonardogyn · Wed Feb 26, 2025 2:00 pm

Could you please do me a favor? Just to satisfy my curiosity.
Code: Select all
/system/resource/usb/print 

.
Sure!

[admin@MikroTik] > /system/resource/print
                   uptime: 43m35s
                  version: 7.20_ab23 (development)
               build-time: 2025-02-26 10:03:54
[ .... ]
        architecture-name: mmips
               board-name: hEX
                 platform: MikroTik
[ .... ]
[admin@MikroTik] > /system/resource/usb/print
Columns: DEVICE, VENDOR, NAME, SPEED
# DEVICE  VENDOR                NAME                  SPEED
0 1-0     Linux 5.6.3 xhci-hcd  xHCI Host Controller    480
1 2-0     Linux 5.6.3 xhci-hcd  xHCI Host Controller   5000
[admin@MikroTik] >

rextended · Wed Feb 26, 2025 2:02 pm

Could you please do me a favor? Just to satisfy my curiosity.

Just open the file with 7-zip or similar for see routeros-7.20_ab23-arm64.npk\lib\modules\5.6.3

LK7R · Wed Feb 26, 2025 2:20 pm

OVPN related issues are fixed, if you still have problems with this version, send us supout.
https://box.mikrotik.com/d/c2fc960065ed49b78214/

I have problem with hEX S device and RouterOS 7.18 too. In my case there is only ipsec in play, but it uses "aes-256 cbd" for Encr. too. As the router reboots it self after a while, i had to quickly downgrade to 7.17.2, will support.rif be of any use from router that has the problem, but is downgraded to 7.17.2?

davetickem · Wed Feb 26, 2025 2:22 pm

Same issue here on HexPoE - health stats in webui and cli show zero Volts. Worked with previous version.

Upgrade path - stable versions only 7.17.2 (working) direct to 7.18 (stable)

I have a problem, after updating to 7.18 voltage reporting shows 0V
At 7.17 it worked just right

<snip>

mike7 · Wed Feb 26, 2025 2:28 pm

*) container - allow HTTP redirects when accessing container registry;
*) container - allow specifying registry using remote-image property;

Starting from v7.18 can't use private HTTP registry without SSL. I've got

unexpected response from container registry: SSL: ssl: record overflow (6)

Looks like I can't specify access protocol (http or https) on remote-image property and protocol is ignored in registry-url config.
The only workaround is using tarball format (

leonardogyn · Wed Feb 26, 2025 2:47 pm

I have problem with hEX S device and RouterOS 7.18 too. In my case there is only ipsec in play, but it uses "aes-256 cbd" for Encr. too. As the router reboots it self after a while, i had to quickly downgrade to 7.17.2, will support.rif be of any use from router that has the problem, but is downgraded to 7.17.2?

.
So maybe it's CBC encryption related, and not OpenVPN only. I have tested the test firmware ab23, provided on the link a few comments above, and at least to me, on OpenVPN, it solved the problem. It's not working as expected with AES-256-CBC and AES-256-GCM on my RB750Gr3s. It might worth trying the ab23 firmware to see it solved IPSec related problems as well.

Tenshinur · Wed Feb 26, 2025 3:00 pm

Mikrotik RB750Gr3
installed 7.17.2
Problems appeared after upgrading to 7.18.
The router starts normally. However, after some time (about 30 seconds) it disappears from the network and so on until the moment of manual restart.
During these 30 seconds, if you connect to it via Winbox, the router immediately reboots.
The ssh connection is normal and you can look at the logs, but again there is nothing about possible causes.
I reset all the settings and the router in the factory configuration loaded and works, but when deploying a backup, everything happens again.
I rolled back the version back to 7.17.2, deployed a backup, the router works without problems.
From this it follows that there are some changes that in the old configuration conflict with the new version. I do not think that this is "stable"

Wed Feb 26, 2025 3:04 pm

There should be an autosupout.rif after reboot.
Best to create ticket to support and include that file.

oreggin · Wed Feb 26, 2025 3:23 pm

Yes, that would be great!
But I fear that once the Rose Data Server really hits the street, we will see lots of requests for (in itself) reasonable requests around data server functionality.
(some of them in software not written by MikroTik but becoming their responsibility when used as part of such a product. e.g. I am using BTRFS myself on my home system, and I can tell it is a REAL PAIN when you are running RAID-1 and one of the disks goes offline. It is NOT like in a typical RAID-1 controller where you can just pull the disk and plug the same or another one back in)

Using BTRFS's RAID finctionality in enterprise environment is a kamikaze solution. I'm curious what solution they use if there is any RAID function in it. I hope it is battery backed HW RAID controller...

Wed Feb 26, 2025 3:36 pm

Host address you can find in address bar.
Unfortunately, version number is not available.

The %version% and %host% variables are deprecated and are no longer supported.
Sorry for the inconvenience caused.
Thanks for the answer.
Is there still a way to get version number and host address from branding webpage without using rest API? maybe in /assets/script.js ?
(rest api requires login, hence my question for authless alternative usable in branded webpage)

massinia · Wed Feb 26, 2025 4:51 pm

BTH File page loading is very slow, I think it's due to many files are not available for download...

BTH Files.png

const iconSrcDir = 'https://cdn.mt.lv/marketing/bth/folder.svg';
const iconSrcFile = 'https://cdn.mt.lv/marketing/bth/file.svg';
const iconMissing = 'https://cdn.mt.lv/marketing/bth/missing.svg';

S8T8 · Wed Feb 26, 2025 5:24 pm

*) wifi - implement steering parameters to delay probe responses to clients in the 2.4GHz band

How does 2g-probe-delay practically work and when should be used?

msilcher · Wed Feb 26, 2025 5:45 pm

In regards to IPv6 fasttrack: I've enabled it based on suggestions but counters always show "0". This doesn't look normal to me. IPv4 counters works properly (as expected).

I'm on a hAP ax2 by the way and the device has been rebooted after enabling the feature.

CGGXANNX · Wed Feb 26, 2025 6:14 pm

If you have DHCP Snooping / IGMP Snooping turned on on the bridge, try to disable those features first. At least DHCP Snooping is confirmed by the updated documentation to cause fast-path to be non-working, which causes fasttrack to be useless on that bridge.

https://help.mikrotik.com/docs/spaces/R ... rfaceSetup

dhcp-snooping (yes | no; Default: no)
Enables or disables DHCP Snooping on the bridge.

Enabling the DHCP snooping feature will turn off bridge fast-path, which in turn affects the ability to fasttrack connections going over that bridge.

marcotmv · Wed Feb 26, 2025 6:18 pm

In regards to IPv6 fasttrack: I've enabled it based on suggestions but counters always show "0". This doesn't look normal to me. IPv4 counters works properly (as expected).

I'm on a hAP ax2 by the way and the device has been rebooted after enabling the feature.

Doesn't Fasttrack have to come after the connection is established or related?

osc86 · Wed Feb 26, 2025 6:27 pm

ehm.. no? putting it after the Established & Related Connections Rule would make it useless.

jsadler · Wed Feb 26, 2025 6:28 pm

I see in the 7.18 changelog the following came in...
>>>console - do not autocomplete arguments when match is both exact and ambiguous

I'm not sure if this is by design or not, but this is taking exact matches to the extreme - where a script triggered "/tool e-mail send file=filename" prior to 7.18 if the filename was an exact match but without the file extension the command would still succeed. On 7.18 the file= parameter must include the file extension for the command to succeed. Eg file=myexport would have worked previously, now it must by file=myexport.rsc - This isn't too much of a major but does mean that scripts that have been working this way for many years now need to be updated to use the exact filename, including extension.

It would be nice to have a configuration setting to enable changes in behaviour like this so that it can be left in the current state if a user wishes.

If this is by design then it isn't a bug, but it did catch us by surprise.

If this is not what Mikrotik intended with this change then it would be nice to see the functionality reverted.

Cheers,
Jono.

whatever · Wed Feb 26, 2025 7:32 pm

*) wifi - implement steering parameters to delay probe responses to clients in the 2.4GHz band
How does 2g-probe-delay practically work and when should be used?

Speculation:
I assume it delays probe responses on 2g interfaces to ensure probe responses on 5g interfaces are faster. So when a client probes 2g and 5g simultaneously, it will receive a response from 5g first and will hopefully prefer the 5g network over the 2g network, even if the client does not implement 802.11v.

pe1chl · Wed Feb 26, 2025 9:12 pm

Using BTRFS's RAID finctionality in enterprise environment is a kamikaze solution. I'm curious what solution they use if there is any RAID function in it. I hope it is battery backed HW RAID controller...

It is unclear if the RAID function uses Linux block-level RAID or the BTRFS balance profile "raid1".
Both have advantages and disadvantages. But the Linux block-level RAID is much easier to use for admins that just want to replace a failed disk without doing a full study of how BTRFS balance works... and why you cannot simply re-seat a disk when it goes offline.
Indeed that would be kamikaze when deployed in an environment where the personnel are used to HW RAID controllers...

rextended · Wed Feb 26, 2025 9:22 pm

WARNING: Installing 7.20_ab28 (on 7.18rc1) reset to "no" the device-mode flagging-enabled, traffic-gen, container, partitions, routerboard,
on my hAPax² that I have already set to "yes" on 7.18rc1

(OK, this topic is about 7.18, but 7.20_alpha_build28 is provided in this topic)

keywork · Wed Feb 26, 2025 10:18 pm

Upgraded my HEX S this morning without a hitch and got ipv6 fasttrack going. Hitting the line-rate of my 800Mbps plan now which is fantastic. Kudos to the MT staff for finally getting this across the line!

tom3f · Wed Feb 26, 2025 10:31 pm

On hap ac2 with routeros + wifi-qcom-ac it works just fine. Update from 7.17.2 was successful. But i can report only 172KiB od free hdd space. It is less and less with every update. Soon it will became big problem.

leah · Wed Feb 26, 2025 10:40 pm

I can see a massive increase in latency spikes and loss after upgrading to v7.18 on multiple CCR2004-1G-12S+2XS

nipfel · Wed Feb 26, 2025 10:47 pm

Besides marking for uninstall, was the device rebooted to complete uninstall @nipfel?
And did you create supout to inform support?

They forgot to test again, I suppose.
This is not really constructive.
Starting from 7.18, this list has both the packages that are installed, and those that are optional to install.
Can't imagine people overseeing such a thing, can you?

Yes rebooted. I will try again. I believe it will repro soon.
I also had 100% CPU usage because I decided to clear DF and IP options somewhere in prerouting. Additionally I managed to drop Martian Addresses and RFC1918 from/to WAN using AddressLists (And also one Turkish subnet who wanna be fonts cdn for me).
Maybe in that case saving or modifying fw filter rules may have such result. Who knows, who knows...

challado · Wed Feb 26, 2025 11:03 pm

Same issue here on HexPoE - health stats in webui and cli show zero Volts. Worked with previous version.

Upgrade path - stable versions only 7.17.2 (working) direct to 7.18 (stable)

I have a problem, after updating to 7.18 voltage reporting shows 0V
At 7.17 it worked just right

<snip>

Same here. Voltage 0v and working OK on 7.17.

mozerd · Thu Feb 27, 2025 12:03 am

CCR1009 RoS v7.18 stable
under ipv6 neighbours list I'm getting a lot of 00:00:00:00:00:00 for Mac Addy .. these are all windows hosts that go into hybridization mode.
This does not happen under ipv4 for the very same hosts.

When I issue a directive like

ipv6/neighbor/remove [find mac-address=00:00:00:00:00:00 status=failed]
or
ipv6/neighbor/remove [find where mac-address=00:00:00:00:00:00 status=failed]
or
ipv6/neighbor/remove [find where interface=vlan100 mac-address=00:00:00:00:00:00 status=failed]

via Terminal nothing happens

BUT the following does work

[:foreach a in=[/ipv6/neighbor find where status=failed] do={:if ([/ipv6/neigh
bor get number=$a mac-address] = []) do={/ipv6/neighbor/remove numbers=$a}}]

leah · Thu Feb 27, 2025 12:51 am

I can see a massive increase in latency spikes and loss after upgrading to v7.18 on multiple CCR2004-1G-12S+2XS

Here is the proof: after downgrading to RouterOS 7.17.2 again, the problem is gone

toxicfusion · Thu Feb 27, 2025 1:02 am

This is what happens when MikroTik rushes a release to "Stable", they did this to themselves. Pushed it out the door so they could make the RDS hardware announcement. Lets hope RDS hardware doesnt ship with 7.18 lol.

MikroTik needs to answer and address. Focus needs to be on software QC, extended change logs and a known-issues section.

chiem · Thu Feb 27, 2025 3:59 am

This is what happens when MikroTik rushes a release to "Stable", they did this to themselves. Pushed it out the door so they could make the RDS hardware announcement.

Why would MikroTik need to release 7.18 to stable in order to announce the rds2216?

joshhboss · Thu Feb 27, 2025 5:01 am

Is VRRP having any issues with this release. That’s the only thing stopping me from moving up my main core network.

Read something about connection syncing

infabo · Thu Feb 27, 2025 8:46 am

Put email.backup in quotes.

file="email.backup"

eworm · Thu Feb 27, 2025 8:47 am

Does it help to put the file name in double quotes? Or add a little delay between the commands?

Other than that you should perhaps open a new topic. I can tell that scripting works just fine with this version.

chiem · Thu Feb 27, 2025 8:55 am

Should the ipv6 fasttrack support make it as fast as ipv4 now? On my ccr2116, 10gbps on ipv4 barely shows a 1% blip, if anything, on the cpu. But the same on ipv6 seems to show up to 250% total cpu usage spread across multiple cores.

All of the hw offload seems to be enabled:

[admin@ccr2116] > /interface/ethernet/switch/l3hw-settings/print
            autorestart: no
           fasttrack-hw: yes
                ipv6-hw: yes
    icmp-reply-on-error: yes
  hw-supports-fasttrack: yes

Thu Feb 27, 2025 9:09 am

This is fixed, please try
https://box.mikrotik.com/d/c2fc960065ed49b78214/
And please send us supout files to us so we can deal with issues faster.

OVPN still in trouble here on RB4011GS+ / ARM. aes256cbc working fine, aes256gcm results in permanent disconnects as soon as data is transmitted.

elmomac · Thu Feb 27, 2025 9:53 am

Should the ipv6 fasttrack support make it as fast as ipv4 now? On my ccr2116, 10gbps on ipv4 barely shows a 1% blip, if anything, on the cpu. But the same on ipv6 seems to show up to 250% total cpu usage spread across multiple cores.

All of the hw offload seems to be enabled:
Code: Select all
[admin@ccr2116] > /interface/ethernet/switch/l3hw-settings/print
            autorestart: no
           fasttrack-hw: yes
                ipv6-hw: yes
    icmp-reply-on-error: yes
  hw-supports-fasttrack: yes

Seeing this too. I think it's due to the limitation still around how many IPv6 routes can be offloaded?

Screenshot 2025-02-27 at 6.51.04 pm.png

chiem · Thu Feb 27, 2025 10:16 am

Mine's not offloading any routes to hardware..

ScreenClip.png

I notice that the /ip/firewall/filter rule for fasttrack has a hw-offload option, but not the corresponding ipv6 version.

fischerdouglas · Thu Feb 27, 2025 10:24 am

Rose Data Server Confluence page was published 1 hour ago.
https://help.mikrotik.com/docs/spaces/U ... ata+Server
Code: Select all
The device supports RouterOS software with version v7.18 or above.

Unpublished!

Yes, that would be great!
But I fear that once the Rose Data Server really hits the street, we will see lots of requests for (in itself) reasonable requests around data server functionality.
(some of them in software not written by MikroTik but becoming their responsibility when used as part of such a product. e.g. I am using BTRFS myself on my home system, and I can tell it is a REAL PAIN when you are running RAID-1 and one of the disks goes offline. It is NOT like in a typical RAID-1 controller where you can just pull the disk and plug the same or another one back in)

Prophecy?

pe1chl · Thu Feb 27, 2025 10:55 am

Prophecy?

Well in the Newsletter #123 topic it already begins... "we want ZFS, not BTRFS".

sinisa · Thu Feb 27, 2025 11:10 am

Prophecy?
Well in the Newsletter #123 topic it already begins... "we want ZFS, not BTRFS".

We DON'T WANT any FS on a ROUTER!

Please make this whole file-sharing cr*p optional on a ROUTER.

Thank you!

rextended · Thu Feb 27, 2025 11:13 am

No one is forcing you to use or buy that model, just ignore it.

merkkg · Thu Feb 27, 2025 11:19 am

Well in the Newsletter #123 topic it already begins... "we want ZFS, not BTRFS".
We DON'T WANT any FS on a ROUTER!

Please make this whole file-sharing cr*p optional on a ROUTER.

Thank you!

You need install rose package so its already optional.... I don't see where issue is.

infabo · Thu Feb 27, 2025 11:40 am

sinisa said "file sharing". "*) cloud - added "Back To Home Files" feature;" is a feature in routeros main package. True, the storage features are part of rose extra package. Regarding the shoutout "We DON'T WANT any FS on a ROUTER!". Every device needs to support at least one file system for the root partition. So the thing of "we don't want any FS on a router" is impossible.

pe1chl · Thu Feb 27, 2025 11:42 am

Indeed it already is optional on the router, that is not the issue.
What most people worry about is that it takes away development resources from router functionality, e.g. BGP.
That is clearly demonstrated by the BGP problems introduced in 7.16 (and not present in 7.15) still not having been fixed in 7.18.

Thu Feb 27, 2025 12:41 pm

No it does not IMHO.

Different type of developers so there should be no conflict.

oreggin · Thu Feb 27, 2025 12:46 pm

No it does not IMHO.

Different type of developers so there should be no conflict.

I wish it were so, but experience shows that it isn't. If I open a ticket about dynamic routing or MPLS issue, it takes months to react. If I am the only one about this issue then there is not so big the problem is.

fischerdouglas · Thu Feb 27, 2025 1:49 pm

It's very unlikely that we'll see the following in v7.18.1, 7.19... And based on spoilers, not even for 7.20.

But can we dream about the following items?

A Kernel update?
- Already targeting nftables
- And as a bonus, better BTRFS support
Support for Hooks triggers and actions, for all types of events? Including:
- Routing events
- BNG events
- Radius events
- Firewall events
- Interface events
Is it too much to ask for the possibility of inserting eBPF apps that can be used in Firewall rules?
And dreaming about a Commit / Commit-Confirmed / Dry-Run / Rollback... Can we dream about that?

pe1chl · Thu Feb 27, 2025 2:14 pm

No it does not IMHO.

Different type of developers so there should be no conflict.
I wish it were so, but experience shows that it isn't. If I open a ticket about dynamic routing or MPLS issue, it takes months to react. If I am the only one about this issue then there is not so big the problem is.

There have been several people here complaining about the BGP issues, and I also opened a ticket half a year ago, but nothing happens.
Maybe there are no developers left for that part of the system?
There have been other times (also recently) when I reported a new issue in a new version, e.g. about PoE, and it was fixed within a couple of days.

SeppBlattered · Thu Feb 27, 2025 2:33 pm

and of course amnezia wireguard in an options package.

I guess nobody's replied because this is a terrible, terrible idea. Nobody wants Wireguard plus some proprietary Russian "improvements" on top running anywhere near their networks. Shipping this would be the end of Mikrotik.

An what potential benefits would it bring? If you think your Wireguard traffic is at risk of DPI monitoring or attacks, run a box on your local network to run Amnezia - at least in that example you can get rooted by the FSB and the rest of us will stay safe.

If you need support you can go to Telegram! I'm going to be chuckling about that one for some time!

philipwillemse · Thu Feb 27, 2025 3:01 pm

Howzit,

I wanted to check if anyone else has experienced this issue on their CCR2216 running v7.16.2. Every now and then, routing seems to stop working properly, and when I go to Routing → BGP, the display is completely blank and unresponsive.

If you’ve encountered this, did upgrading to the latest version resolve the issue?

Would appreciate any feedback!

Thanks,

Cha0s · Thu Feb 27, 2025 3:02 pm

No it does not IMHO.

Different type of developers so there should be no conflict.

The amount of money companies spend on developers is finite.
Wasting money on non-networking features, means that they don't put enough developers to fix networking bugs.

In other words, those developers that work on storage, could have been put to work on networking.
So IMHO as long as there are bugs and missing features in networking, working on non-networking features is a conflict.
It RouterOS after all. Not StorageOS.

Thu Feb 27, 2025 3:10 pm

I understand completely. Just wanted to point out there doesn't have to be a conflict from a personnel point of view.
Obviously other resources (like funding) can of course have an impact as well.

Since at its core Mikrotik is into networking, I can only assume (and that's an assumption from my side) that strategically required resources are available to tackle advanced networking stuff.

kreb · Thu Feb 27, 2025 3:40 pm

Anything changed regarding dhcpv6 server? anyone noticed a problem?

pe1chl · Thu Feb 27, 2025 4:47 pm

I wanted to check if anyone else has experienced this issue on their CCR2216 running v7.16.2. Every now and then, routing seems to stop working properly, and when I go to Routing → BGP, the display is completely blank and unresponsive.

Please make a support ticket!
When the support tickets about BGP keep coming in, maybe someone at MikroTik realizes that they broke something in 7.16 and it needs to be fixed.
When you require it to be fixed quickly, downgrade to 7.15.3 (download from the archive).