v7.19beta [testing] is released!

Fri Feb 28, 2025 2:33 pm

RouterOS version 7.19beta has been released on the "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.19beta8 (2025-Apr-04 13:24):

*) certificate - fixed cloud-dns challenge validation for sn.mynetname.net (CLI only);
*) device-mode - added new "rose" mode where "container" feature is enabled by default;
*) fetch - fixed false successful messages in FTP mode;
*) ipsec - lower standalone cipher, hash priority when using ctr aead;
*) log - fixed remote logging after reboot when hostname is forwarded to a DNS server;
*) lte - fixed LTE status update or possible crash when modem is unexpectedly removed from system;
*) netinstall-cli - check for other running Netinstall servers on startup;
*) ptp - allow multiple instances;
*) sfp - improved QSFP link stability for CRS354 devices;
*) system - fixed "/system reboot" when the system disk is completely full;

What's new in 7.19beta7 (2025-Mar-31 10:55):

*) bgp - fixed excessive CPU usage;
*) bridge - properly flush bridge hosts when bonding is used as bridge port and loses hw-offloading status;
*) ike2 - improved initial key exchange process on slow or unreliable connections;
*) ippool6 - properly free IPv6 pool used prefix when it is not used any more;
*) isis - properly validate 3-way hello handshake;
*) ipv6 - fixed EUI-64 false error message on address update when "from-pool" option is used;
*) lte - fixed initialization for R11e-LTE6 modem;
*) lte - fixed initialization for Neoway N75 modem;
*) lte - reset internal link-recovery-timer on sim slot change;
*) netinstall - improved network socket re-opening when NIC status changes while running the server (additional fixes);
*) rose-storage - added Btrfs disk balance command (CLI only);
*) rose-storage - fixed mounting Btrfs subvolumes using macOS SMB client;
*) route-filter - fixed the "blackhole" option setting process;
*) system - improved system stability when sending TCP data from the router;
*) webfig - fixed graphs appearance under "Tools/Graphing" menu (introduced in 7.19beta2);
*) wifi - improved wifi connection stability when used as a station for "b" mode access point;
*) wifi - use at least TLS 1.2 for securing connection between CAPsMAN manager and CAPs (additional fixes);

What's new in 7.19beta6 (2025-Mar-19 09:56):

*) bridge - fixed issue when local MACs were removed unnecessarily;
*) bridge - offload VXLAN only if another HW offloaded port exists in the bridge;
*) dhcp-server - improved stability when dual stack is used and one of the servers is removed (introduced in v7.19beta2);
*) dhcpv4/v6-client - fixed default route when DHCP client interface is in VRF;
*) dhcpv6-server - allow unsetting prefix-pool for static bindings and show warning if prefix is not in selected prefix-pool;
*) file - fixed missing files from The Dude (introduced in v7.18);
*) lte - Chateau 5G R16 fix DHCP relay packet forwarding using LTE interface;
*) net - remove support for automatic multicast tunneling (AMT) interface (introduced in v7.18);
*) netinstall-cli - clear old configuration before user script using "-s";
*) ovpn - properly match GCM hardware acceleration capabilities (introduced in v7.17);
*) route - improve stability on BGP reconnect;
*) x86 - remove unnecessary console output on shutdown;

What's new in 7.19beta5 (2025-Mar-12 12:42):

*) certificate - added built-in root certificate authorities store (additional fixes);
*) console - fixed issue with file-name completion (introduced in v7.18);
*) container - fixed repository name handling to prevent redirect issues when basic authentication is used;
*) dhcpv4-client/server - added support for DHCPv4 reconfigure messages;
*) dhcpv6-server - change static binding bound status to waiting on server disable;
*) dhcpv6-server - improved stability when disabled server have static bindings;
*) firewall - fixed IP/Settings "ipv4-fasttrack-active" status showing as inactive when it is active;
*) queue - fixed system failure when CAKE kind queue was configured but queue type definition does not exist anymore (introduced in v7.18);
*) wifi - fixed incorrect attribution of 802.11be capability to 802.11ax APs in output of scan command (introduced in v7.19beta2);
*) wifi - fixed sending of reassociation response frames (introduced in v7.19beta2);
*) wifi - improved stability for wifi interfaces;

What's new in 7.19beta4 (2025-Mar-06 14:10):

*) bridge - fixed dhcp-snooping in QinQ setups (additional fixes);
*) console - added on-error to "for" and "foreach" loops;
*) console - added proplist to monitor command;
*) console - do not treat return values as errors in scripts run from scheduler;
*) console - enabled verbose error logging for non-scripted/non-verbose imports;
*) console - improve time value handling;
*) console - validate script arguments (do, on-error, etc.) and reject invalid values;
*) dhcpv4-server - "Relay-Agent-Information" (82) option moved at the end of option list in response packets;
*) file - added show-hidden parameter to /file/print, allowing referencing and deleting hidden files;
*) hotspot - improvements to memory usage;
*) lte - additional fixes for eSIM management support;
*) lte - AT modems, improved redialing when modem lost connectivity without notifying host about APN status change;
*) lte - initial support for user settable modem redial timer;
*) netinstall - fixed issue with launching the app (introduced in v7.19beta2);
*) netinstall - provide warning if memory on installed router is full after installation;
*) ospf - fixed "mismatch" typo in logs;
*) port - added support for Huawei E3372-325 variant (vendor-id="0x3566" device-id="0x2001");
*) port - added USB mode switch support for "huawei-alt-mode";
*) port - improvements to KNOT BG77 modem port channel handling;
*) rose-storage - show btrfs balance and scrub errors if any;
*) torch - improved data reporting;
*) wifi - display error when trying to run snooper on interface which does not support wireless packet capture (sniffer);
*) wifi - fix possible snooper crash when parsing frames with malformed headers;
*) wifi - implement WPA2 PSK authentication with key derivation using SHA256 (CLI only);
*) wifi - improve parsing of captured frames which have nested flags in radiotap header;
*) wifi-qcom - fix OWE authentication for 802.11ac interfaces in station mode;
*) winbox - added comment under "User Manager/Routers" menu;
*) winbox - added netmask support for switch rule Src/Dst IPv6 Address settings;
*) winbox - fixed "Multi Passphrase Group" setting for wifi;
*) x86 - i40e updated driver to 2.27.8 version;

What's new in 7.19beta2 (2025-Feb-28 08:58):

*) arp - added warning, when "Published" ARP entry used on an interface with "reply-only" ARP mode enabled;
*) bgp - added input.filter-community;
*) bgp - fixed input.accept-community;
*) bgp - fixed memory leak on receiving notify and closing session;
*) bgp - improved performance on BGP input;
*) bonding - added setting for LACP active/passive modes;
*) bridge - added new STP monitoring fields for bridge and ports (Tx/Rx BPDU, Tx/Rx TC, forward/discard transitions, last topology change, message-age, max-age, remaining-hops, bridge-id);
*) bridge - fixed bridge port hang when using invalid port IDs;
*) bridge - fixed dhcp-snooping in QinQ setups;
*) bridge - fixed minor memory leak on link down;
*) bridge - fixed multicast packet flow on hardware offloaded bridge which acts as "multicast-router";
*) bridge - improved default bridge and port layout on console and GUI;
*) bridge - improved stability in case of configuration error (introduced in v7.15);
*) bridge - moved "TCHANGE" logs from bridge,stp to bridge,stp,debug;
*) bridge - rename "ports" to "interface" under MDB table for configuration consistency with other menus;
*) bridge - renamed STP monitor fields (port-number to port-id, designated-port-number to designated-port-id, designated-bridge to designated-bridge-id);
*) bridge - show designated-* monitor field for all port roles;
*) bridge - show warning instead of causing error when using multicast MAC as admin-mac (introduced in v7.17);
*) capsman - fixed "undo" command for cap interfaces;
*) certificate - added built-in root certificate authorities store;
*) certificate - do not include CA identity in SCEP POST requests;
*) certificate - improve error message when trying to use certificate;
*) certificate - optimize trust store;
*) cloud - fixed issues when BTH is toggled fast between enable/disable;
*) cloud - improved "BTH Files" web page design;
*) console - disallow incomplete double-quoted arguments (allows multiline string pasting);
*) console - fixed issue with files when using scripts (introduced in v7.18);
*) console - fixed misaligned multiline in brief print mode;
*) console - improved file add/remove process stability;
*) console - set "/system/note show-at-login=yes" the default value after configuration reset;
*) container - allow changing container name;
*) container - try to derive a user readable container name from remote image or file;
*) dhcpv4 - improved outgoing packet logging;
*) dhcpv4-server - accept packets with htype 6;
*) dhcpv4/v6-client - added check-gateway parameter;
*) dhcpv6-client - allow selecting to which routing tables add default route;
*) dhcpv6-relay - clear saved routes on DHCP release;
*) dhcpv6-relay - show client address;
*) dhcpv6-server - change bound status to waiting on binding disable;
*) dhcpv6-server - fix when expired static binding is declined with false "binding belogs to another server" reason;
*) dhcpv6-server - improved stability when disabling server with active bindings;
*) disk - add "sector-size" property in print detail;
*) disk - add reset-counters to /disk btrfs filesystem;
*) dlna - improved folder indexing behavior;
*) dns - improved DNS server service stability;
*) dot1x - fixed dynamic switch ACL rules on boards with a lot of ports (e.g. CRS520);
*) ethernet - improved Ethernet and PoE port mapping to ensure a consistent and reliable interface order;
*) file - improved responsiveness on slow filesystems;
*) firewall - always show "passthrough" when exporting mangle table;
*) firewall - detect VRF addresses as local;
*) health - hide settings in CLI if there is nothing to show;
*) health - improved performance on devices with simple voltage sensors;
*) igmp-proxy - do not try to send leave message for multicast groups that the device itself has joined on the upstream interface (cosmetic fix for proxy error logs);
*) iot - improvement to lora dev-addr-validation behavior;
*) iot - improvement to lora join eui/net id filtering behavior;
*) ip-service - show all TCP/UDP connections on the system;
*) ip-service - show all TCP/UDP ports on system, including ports in containers;
*) ip-service - show error message when service enable fails;
*) ipv6 - avoid watchdog reboot due to link-local IPv6 address reconfiguration on thousand of interfaces at once;
*) l2tp-ether - improved stability when trying to connect to disabled L2TP server with IPsec;
*) l3hw - remove VLAN tag before VXLAN encapsulation (fixes pvid behavior for bridged VXLAN);
*) log - added additional CEF fields from firewall and login logs;
*) log - populate in/out fields in firewall CEF logs with correct data;
*) lte - added UICC parameter in LTE monitor for R11e-4G modem;
*) lte - fixed modem recovery after firmware upgrade for R11e-LTE modem;
*) lte - fixed Router Advertisement processing issue for AT modems when an APN with "ip-type=ipv6" was configured;
*) lte - improved dialer for EC200A-EU modem;
*) lte - set apn profile name the same as apn if no name specified when creating the profile;
*) netinstall - improved network socket re-opening when NIC status changes while running the server;
*) netinstall - show warning when network configuration on PC might not be appropriate for installation;
*) netinstall-cli - fixed issue with applying the branding package;
*) ovpn - disable hardware accelerator for GCM on MMIPS CPUs (introduced in v7.18);
*) ovpn-server - do not reset active connections when changing comment or name;
*) pimsm - fixed issue where own query caused querier detection;
*) poe-out - upgraded firmware for 802.3at/bt PSE controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) ppc - fixed VLAN TCP packet transmit on PPC devices;
*) profiler - improved process classification;
*) ptp - added "ptp" logging topic;
*) quickset - improved system stability;
*) rose-storage - fixes for btrfs;
*) route - added options to set dynamic-in and connected-in chains in /routing/settings;
*) route - fixed stuck output when calling prints from multiple routing menus;
*) route - make AFI naming consistent;
*) route - show BGP session name instead of cache-id;
*) route-filter - improved performance;
*) sfp - added sfp-encoding data output from EEPROM;
*) sniffer - add max-packet-size (2k-64k) setting to be able to sniffer more than 2k data per packet;
*) ssh - fixed authorization with SSH key when multiple user SSH public keys are imported;
*) ssl/tls - respond with more precise alert error messages;
*) ssl/tls - send certificate authority in Certificate message even if it is not trusted;
*) switch - do not count rx-too-long multiple times on 100Gbps QSFP28;
*) switch - fixed egress mirroring for packets coming from external CPU port (e.g. CRS520, CCR2216, CCR2116);
*) switch - flush CPU port FDB entries on switch disable;
*) switch - improve rate limit accuracy for MT7531, MT7621, EN7562CT;
*) switch - improved boot stability on devices with Alpine CPU and switch chip;
*) switch - improved stability when enabling IGMP snooping with VXLAN (introduced in v7.18);
*) system - improved internal "flash/" prefix handling for different file path related settings;
*) webfig - allow table column resize over side toolbar;
*) webfig - don't reorder rows when selecting header cells with Alt+click;
*) webfig - show IPv6 firewall connections;
*) webfig - show missing data in "IP/DNS/Cache" records;
*) wifi - add channel.reselect-time parameter which allows to perform channel re-sellection at given time of day (CLI only);
*) wifi - add information on CAP uptime and connection uptime in "Remote CAP" list;
*) wifi - added "eap-identity" to registration table;
*) wifi - added SSID to logs;
*) wifi - fix authentication of clients which omit some RSN information at association;
*) wifi - fix incorrect info about current channel for station interfaces after AP has switched channel (introduced in v7.17);
*) wifi - re-word log entries about disconnections which are likely caused by peer using a wrong passphrase;
*) wifi - use at least TLS 1.2 for securing connection between CAPsMAN manager and CAPs;
*) wifi-qcom - fix inability of interfaces in station mode to connect if they do not support full bandwidth of AP;
*) winbox - added "MAC Telnet" under "Wifi/Registration" menu;
*) winbox - added "Multi Passphrase Group" for wifi;
*) winbox - added "Reset MAC address" for legacy wireless and wifi;
*) winbox - added country to wireless setup-repeater;
*) winbox - changed default wireless wds-cost-range values;
*) winbox - do not show not relevant values for certificate template;
*) winbox - fixed missing SMB client on non-ROSE devices;
*) winbox - fixed switch menu for Chateau 5G;
*) winbox - improve graphing efficiency when communicating with WinBox;
*) wireguard - add wg-import config-string parameter to import config directly from terminal;
*) wireguard - update peer info on "get" command;
*) wireless - added "eap-identity" to registration table;
*) wireless - implement handling of RADIUS disconnect messages by CAPsMAN;
*) wireless - suggest all legitimate frequencies for interfaces with 20/40mhz-XX channel width in GUI;
*) x86 - added support for Emulex NIC;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. The file must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

ToTheFull · Fri Feb 28, 2025 2:50 pm

*) dns - improved DNS server service stability;
Can you elaborate please

Larsa · Fri Feb 28, 2025 3:06 pm

In general, "improved stability" usually means that they've fixed a bug that used to cause a crash.

firsak · Fri Feb 28, 2025 3:32 pm

will measures be taken to increase free space on 16mb devices? hardly enough space to save a backup!
only one extra package is installed (wifi-qcom-ac).
Free space decreased by 80kb with this update.

m4rk3J · Fri Feb 28, 2025 3:37 pm

*) wireless - added "eap-identity" to registration table;

Wasn't this already in the legacy drivers?

Or was it only seen under CAPsMAN tab? I'm not sure now :/

anav · Fri Feb 28, 2025 4:21 pm

Similarly two questions
What do the following mean.
*) route - added options to set dynamic-in and connected-in chains in /routing/settings;
and
*) cloud - changed asset CDN URL for "BTH Files";

leonardogyn · Fri Feb 28, 2025 4:37 pm

Some weirdness while using OpenVPN GCM (lots of decrypt errors and massive packet losses) that completely goes away just by changing GCM to CBC are still present on v7.19b2, just tested it on a RB4011 (ARM platform) router.

Report for v7.18 (unchanged on v7.19b2)
viewtopic.php?t=215048#p1129696

UPDATE1: Also tested with a RB750Gr3 (MMIPS) router, and could *NOT* reproduce the problems. Everything works just fine no matter using CBC or GCM
UPDATE2: Also tested with a RB2011 (MIPSBE) router, and could *NOT* reproduce the problems. Everything works just fine no matter using CBC or GCM

Among the CPU platforms I can test on, this behavior seems to be ARM isolated.

Ullinator · Fri Feb 28, 2025 4:53 pm

*) dhcpv6-client - allow selecting to which routing tables add default route;

Great, step 2 after this new feature was already changed in 7.18(beta, rc) for the dhcp-v4-client !!
The last step will be to implement this in the PPPoE-Client as well :-)
Maybe in a 7.19beta3?? :-D

EmanK · Fri Feb 28, 2025 5:04 pm

For my part, neither netinstall or netinstall64 works with this version, the application doesn't start.

I don't have any problems with netinstall 7.18, 7.6, and other versions, it seems 7.19beta2-related, maybe :

"*) netinstall - improved network socket re-opening when NIC status changes while running the server;
*) netinstall - show warning when network configuration on PC might not be appropriate for installation;"

I have Win10 64 bits with last software updates.

rextended · Fri Feb 28, 2025 5:06 pm

Can, please, be explained this:
*) bridge - improved stability in case of configuration error (introduced in v7.15);

rextended · Fri Feb 28, 2025 5:11 pm

To add default IPv6 FastTrack when updating from ANY v7 previous version, just paste this into the terminal
(barring arbitrary changes to the default configuration already made).
New devices netinstalled with default 7.18beta4 config and later, or reset with default configuration on 7.18beta4 and later, have already the rule.

enable default IPv6 FastTrack code

{
/ipv6 fire filter
remove [find where comment="defconf: fasttrack6"]
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack6"
:local idone [find where comment="defconf: fasttrack6"]
:local idtwo [find where comment="defconf: accept established,related,untracked" and chain=forward]
:put $idone
:put $idtwo
move $idone destination=$idtwo
}

For full default firewall rules:
viewtopic.php?p=1124805#p856824

loloski · Fri Feb 28, 2025 5:11 pm

This is very handy

ip-service - show all TCP/UDP connections on the system;
ip-service - show all TCP/UDP ports on system, including ports in containers;
route - added options to set dynamic-in and connected-in chains in /routing/settings;

This is very buggy and slow

[rchan@Home] > /routing/settings/set dynamic-in-chain="dynamic-in"
[rchan@Home] > /routing filter rule
add chain=dynamic-in disabled=no rule="set comment \"test\"; accept;"

at least the intention is clear to resurrect the old dynamic-in & connected-in that we have in v6

pe1chl · Fri Feb 28, 2025 5:50 pm

will measures be taken to increase free space on 16mb devices? hardly enough space to save a backup!

You are not supposed to save your backup in flash memory! That normally is useless anyway.
Make your backup in the RAMdisk (i.e. in the root directory on those 16MB devices), and then download it to your computer.

yuripg1 · Fri Feb 28, 2025 6:26 pm

*) bridge - improved stability in case of configuration error (introduced in v7.15);

Is this related to spikes in CPU due to "mvpp2" and "management" processes in any way? Or is it something else unrelated?

Cha0s · Fri Feb 28, 2025 6:31 pm

Routing is getting from bad to worse with each version.

70% total CPU usage (across 4 CPU cores) by "routing" process, right after upgrading to 7.19b2.
Router (RB4011) has 8 BGP peers, and ~3000 routes and practically zero traffic (1-2mbps).

> /system/resource/cpu/print 
Columns: CPU, LOAD, IRQ, DISK
#  CPU   LOAD  IRQ  DISK
0  cpu0  71%   1%   0%  
1  cpu1  76%   0%   0%  
2  cpu2  76%   1%   0%  
3  cpu3  85%   1%   0%

> /tool/profile duration=10 cpu=total 
Columns: NAME, USAGE
NAME                 USAGE
networking           3.6% 
management           4.2% 
winbox               0%   
ethernet             0.3% 
logging              0%   
console              0.6% 
crypto               0%   
routing              69.6%
queuing              0.2% 
firewall             0.1% 
profiling            0%   
kernel               0.8% 
chacha_neon          0%   
poly1305_arm         0%   
libchacha20poly1305  0%   
8021q                0%   
total                79.4%

eider · Fri Feb 28, 2025 6:44 pm

*) dhcpv4/v6-client - added check-gateway parameter;

Can we also get ability to specify address-list to which IP address will be added once client is bound? It would greatly simplify NAT rules with dual-WAN setups when hairpin mangling is required.

fischerdouglas · Fri Feb 28, 2025 6:56 pm

*) arp - added warning, when "Published" ARP entry used on an interface with "reply-only" ARP mode enabled;
*) bonding - added setting for LACP active/passive modes;
*) bridge - added new STP monitoring fields for bridge and ports (Tx/Rx BPDU, Tx/Rx TC, forward/discard transitions, last topology change, message-age, max-age, remaining-hops, bridge-id);
*) bridge - fixed bridge port hang when using invalid port IDs;
*) bridge - fixed dhcp-snooping in QinQ setups;
*) bridge - fixed minor memory leak on link down;
*) bridge - fixed multicast packet flow on hardware offloaded bridge which acts as "multicast-router";
*) bridge - improved default bridge and port layout on console and GUI;
*) bridge - improved stability in case of configuration error (introduced in v7.15);
*) bridge - moved "TCHANGE" logs from bridge,stp to bridge,stp,debug;
*) bridge - rename "ports" to "interface" under MDB table for configuration consistency with other menus;
*) bridge - renamed STP monitor fields (port-number to port-id, designated-port-number to designated-port-id, designated-bridge to designated-bridge-id);
*) bridge - show designated-* monitor field for all port roles;
*) bridge - show warning instead of causing error when using multicast MAC as admin-mac (introduced in v7.17);
*) dot1x - fixed dynamic switch ACL rules on boards with a lot of ports (e.g. CRS520);
*) l3hw - remove VLAN tag before VXLAN encapsulation (fixes pvid behavior for bridged VXLAN);
*) switch - do not count rx-too-long multiple times on 100Gbps QSFP28;
*) switch - fixed egress mirroring for packets coming from external CPU port (e.g. CRS520, CCR2216, CCR2116);
*) switch - flush CPU port FDB entries on switch disable;
*) switch - improve rate limit accuracy for MT7531, MT7621, EN7562CT;
*) switch - improved boot stability on devices with Alpine CPU and switch chip;
*) switch - improved stability when enabling IGMP snooping with VXLAN (introduced in v7.18);

So many moves on Bridging, Switching, ARP, and other very fundamental layers.
I think(I hope) this can be happening for a good reason!

Compared to other vendors and even to the standards, the bridge implementations, the nomenclature, and etc, were so weird!

My guess is that they had to recognize the weirdness of their implementation of Bridge when they started to work on EVPN and go deeper on SDK of hardware offload. The terminology didn't fit!

I have the impression that someone there did a flip-table and said:
"Enough! I'm not going to break another thing to fit with this mess! Either fix this mess in Bridges or I'm done with this!"

Assuming my guess is correct, I think good things are coming.
But I'm willing to bet that a lot of things will break. Let's wait and see.

infabo · Fri Feb 28, 2025 7:06 pm

Wow, awesome what you can read between the lines.

felixka · Fri Feb 28, 2025 7:57 pm

Compared to other vendors and even to the standards, the bridge implementations, the nomenclature, and etc, were so weird!

The naming of things and how bridges in RouterOS are implemented aligns with how the Linux kernel bridge implementation does things.
That's the most likely explanation from my perspective. In the past, you could always see Linux kernel peculiarities shine through in RouterOS interfaces.
With stronger integration of vendor SDKs, as you mentioned, it looks like they're making everything a bit more independent from the lower layer implementation details.

fischerdouglas · Fri Feb 28, 2025 8:39 pm

*) route - make AFI naming consistent;

[admin@test] > /routing/bgp/connection/print where afi=
ip     ipv6     l2vpn     l2vpn-cisco     vpnv4     vpnv6   
[admin@test] > /routing/route/find where afi=          
bad     ip     ipv6     l2vpn     l2vpn-cisco     l2vpn-link     link     mip4     mip6     vpnv4     vpnv6

Viva! Hurrah!
They listened...
Thank you!

S8T8 · Fri Feb 28, 2025 9:32 pm

channel.reselect-time=01:00 can be used in conjunction with reselect-interval=7d to scan channels at 1am every 7days?

Shortest changelog of beta, means quality and stable update? :)

5nik · Sat Mar 01, 2025 12:00 am

*) dhcpv4-server - accept packets with htype 6;

Please correct hlen to 0 for htype 8 (and other networks without MAC). It should solve the problem SUP-115093 (closed without solution).

Cha0s · Sat Mar 01, 2025 12:06 am

Routing is getting from bad to worse with each version.

70% total CPU usage (across 4 CPU cores) by "routing" process, right after upgrading to 7.19b2.
Router (RB4011) has 8 BGP peers, and ~3000 routes and practically zero traffic (1-2mbps).

> /system/resource/cpu/print 
Columns: CPU, LOAD, IRQ, DISK
#  CPU   LOAD  IRQ  DISK
0  cpu0  71%   1%   0%  
1  cpu1  76%   0%   0%  
2  cpu2  76%   1%   0%  
3  cpu3  85%   1%   0%

> /tool/profile duration=10 cpu=total 
Columns: NAME, USAGE
NAME                 USAGE
networking           3.6% 
management           4.2% 
winbox               0%   
ethernet             0.3% 
logging              0%   
console              0.6% 
crypto               0%   
routing              69.6%
queuing              0.2% 
firewall             0.1% 
profiling            0%   
kernel               0.8% 
chacha_neon          0%   
poly1305_arm         0%   
libchacha20poly1305  0%   
8021q                0%   
total                79.4%

Did a netinstall on a brand new RB5009, manually reconfigured everything the same as the RB4011 (did not restore a backup) and after putting it to work, same behavior. 70% CPU usage over all 4 cores, eaten by "routing" process.

The setup is 8 BGP peers with BFD enabled, over 8 Wireguard tunnels.

Amm0 · Sat Mar 01, 2025 2:34 am

*) ip-service - show all TCP/UDP connections on the system;
*) ip-service - show all TCP/UDP ports on system, including ports in containers;
*) ip-service - show error message when service enable fails;

This is great! It's the small things like this that do help. Really like it includes containers too.

Only tiny gripe be the "protocol" column should be after the port in the default column layout.

*) certificate - added built-in root certificate authorities store;

Y'all should probably include the CA's used by common DoH DNS providers... Or maybe they are not used by DoH yet, because I tried to enable "Verify SSL Certificate", but that didn't work with Cloudflare, Google, nor Quad9. But assuming it work for DoH, users can avoid the search for right Cloudflare/etc certs while still enabling SSL checks.

IMO having default certs seems like a good idea. And I'm sure some will disagree, and be suggesting !) for this one... since it does change the decade+ long scheme that user always add their root certs.

Also, the root certificate list should be in winbox. I found them via CLI which show them at "/certificate/builtin/print". Over time, I'd imagine the check-certificate=yes in various places could default =yes.

Amm0 · Sat Mar 01, 2025 2:59 am

Wow, awesome what you can read between the lines.

I have a tool that diff the "command schema" between version... so you see the starting point for Wi-Fi Easy Connect (had to lookup "dpp", https://www.wi-fi.org/discover-wi-fi/wi-fi-easy-connect) FWIW:

 wifi: {
       add: {
         security.authentication-types: {
-          desc: "wpa-psk|wpa2-psk|wpa-eap|wpa2-eap|wpa3-psk|owe|wpa3-eap|wpa3-eap-192[,SecurityAuthenticationTypes*]"
+          desc: "wpa-psk|wpa2-psk|wpa-eap|wpa2-eap|wpa3-psk|owe|wpa3-eap|wpa3-eap-192|dpp[,SecurityAuthenticationTypes*]"
         }
       }

My "reports" also the lowest number of change to commands and attributes, which I take to mean more bug fixes given the long list. So also good news.

fischerdouglas · Sat Mar 01, 2025 3:52 am

*) ip-service - show all TCP/UDP connections on the system;
*) ip-service - show all TCP/UDP ports on system, including ports in containers;
*) ip-service - show error message when service enable fails;
This is great! It's the small things like this that do help. Really like it includes containers too.

Yes! I agree! This is great!

Only tiny grip be the "protocol" column should be after the port in the default column

I would like to add to this "grip" that I got confused by the existence of what I initially thought were duplicate entries.
Only later did I understand that some of these entries were for IPv4 and IPv6. I only realized this when I looked at service dhcp-client with ports 546 and 547.

I'm not sure whether adding a column for IPv4/IPv6 would be a good idea or not as a solution for this. There is a high possibility that users will get confused by this IPv4/IPv6 attribute for non-dynamic entries that refer to both protocols simultaneously.
But somehow this will need to be addressed.

I was also curious to know why mac-telnet / mac-winbox and etc. were not represented as active services (open sockets).

And already anticipating the inevitable question...
What about sockets for protocols such as BGP, OSPF, and other protocols that interact with the control plane? Will they not be included in this excellent new feature?

fischerdouglas · Sat Mar 01, 2025 3:53 am

*) certificate - added built-in root certificate authorities store;
Y'all should probably include the CA's used by common DoH DNS providers... Or maybe they are not used by DoH yet, because I tried to enable "Verify SSL Certificate", but that didn't work with Cloudflare, Google, nor Quad9. But assuming it work for DoH, users can avoid the search for right Cloudflare/etc certs while still enabling SSL checks.

IMO having default certs seems like a good idea. And I'm sure some will disagree, and be suggesting !) for this one... since it does change the decade+ long scheme that user always add their root certs.

Also, the root certificate list should be in winbox. I found them via CLI which show them at "/certificate/builtin/print". Over time, I'd imagine the check-certificate=yes in various places could default =yes.

This ideia of adding default CAs could be just a "smart button" that triggers some internal script that downloads and installs the actual sets of CA certificate.

Or even better... A button "auto-deploy CA certificates" that would open a window, and in these windows a grid with an array of suggested CAs loaded from MikroTik cloud service and some method of selecting those lines defining which CA certificates should be "auto-deployed" now.

TrevinLC1997 · Sat Mar 01, 2025 4:56 am

While you are focusing on fixing inconsistency’s you should change the OSPF “LSA” tab to “LSDB” or “Database” since that’s what it is. A link state database.

I know it’s been named like that for awhile but I believe changing it for accuracy is better than leaving it for historical reasons.

Sat Mar 01, 2025 12:26 pm

RB433 with 7.19beta configured for homelab as iBGP reflector + OSPF shows constant 100% ... I know, I know 300MHz MIPS.
No complains as it works as expected, just information.
Time to give RB433AH a chance

nichky · Sat Mar 01, 2025 12:43 pm

[rchan@Home] > /routing/settings/set dynamic-in-chain="dynamic-in"
[rchan@Home] > /routing filter rule
add chain=dynamic-in disabled=no rule="set comment \"test\"; accept;"

how to undo this?
i was playing around , and i want to bring it to how it was, without /routing filter rule

Sat Mar 01, 2025 12:54 pm

In Winbox press "Undo" button twice

nichky · Sat Mar 01, 2025 1:00 pm

didnt help

nichky · Sat Mar 01, 2025 1:15 pm

it seems that i have to use for now.

Probably that will be fix in the next versions.

That is really fresh one

fischerdouglas · Sat Mar 01, 2025 1:17 pm

While you are focusing on fixing inconsistency’s you should change the OSPF “LSA” tab to “LSDB” or “Database” since that’s what it is. A link state database.

I know it’s been named like that for awhile but I believe changing it for accuracy is better than leaving it for historical reasons.

If the idea of reviewing the consistency of OSPF terminology follows the same logic as what happened with the Bridge part(triggered by a new protocol that interacts with it, EVPN in Bridge case).
I believe that MikroTik will only review this OSPF terminology when it implements BGP-LinkState.

volkirik · Sat Mar 01, 2025 1:55 pm

ECMP with L4 multipath hashing AND PCC routing marks are currently incompatible with FASTTRACKing...? hope it can be fixed soon...!

We either set hashing to l3 , OR disable fasttrack... Could it be inspected please? I created "bug" ticket on support portal...

infabo · Sat Mar 01, 2025 2:07 pm

didnt help

classic. My experience with "/undo" basically.

blacksnow · Sat Mar 01, 2025 2:15 pm

ECMP with L4 multipath hashing AND PCC routing marks are currently incompatible with FASTTRACKing...? hope it can be fixed soon...!

We either set hashing to l3 , OR disable fasttrack... Could it be inspected please? I created "bug" ticket on support portal...

I can confirm it doesn't work and the scope of the issue can simply be narrowed to ECMP with L4 or L3-Inner isn't working with fasttracking enabled. In my tests, it doesn't matter if you use routing marks via mangle or routing rules.

erlinden · Sat Mar 01, 2025 2:16 pm

channel.reselect-time=01:00 can be used in conjunction with reselect-interval=7d to scan channels at 1am every 7days?

I'm giving it a try by only setting reselect-time, will keep you (and others) posted.

volkirik · Sat Mar 01, 2025 2:30 pm

Found the answer...

In MikroTik, mark-routing and FastTrack do not work together.
This is because FastTrack bypasses many packet processing steps, including routing marks and connection tracking.

Mark-Routing and Persistence
- mark-connection is connection-based (persistent). Once a connection is marked, all packets within that connection inherit the same mark.
- mark-packet is packet-based (temporary) and needs to be applied to every packet separately.
- mark-routing is not connection-based; it is applied per packet, meaning it must be reapplied for each new packet.

If you need connection-based routing, you should first mark connections using mark-connection and then mark packets using mark-routing based on the connection mark.

FastTrack Conflict with Mark-Routing
- FastTrack bypasses the firewall, mangle, and connection tracking processes.
- If FastTrack is enabled, mark-routing will not work because packets will be routed without being marked.
- To use mark-routing, you must disable FastTrack.

Solutions for Using Mark-Routing with FastTrack
1. Disable FastTrack completely
- If you are using mark-routing, you may need to disable FastTrack.
- Add this rule to bypass FastTrack for marked connections:

/ip firewall filter add action=accept chain=forward connection-mark=!no-mark

- Alternatively, you can completely remove the FastTrack rule.

2. Exclude specific traffic from FastTrack and apply mark-routing
- For example, you can exclude marked connections from FastTrack:

/ip firewall mangle add chain=prerouting connection-mark=my_conn_mark action=mark-routing new-routing-mark=my_route

- Then, adjust the fasttrack-connection rule to include only unmarked traffic:

/ip firewall filter add chain=forward action=fasttrack-connection connection-mark=no-mark

Summary
✅ mark-routing is packet-based, not connection-based.
❌ FastTrack prevents mark-routing from working.
✅ To use mark-routing, disable FastTrack or exclude specific traffic from FastTrack.

trmns · Sat Mar 01, 2025 3:03 pm

Upgrading to this version completely breaks routing on my RB5009 from my LAN's side. Every packet towards the router seems to get dropped, thus I can't access the config with winbox anymore. Interestingly enough the device still connects to the internet, and replies to ping from WAN. Also using wireguard from an external network allows me to connect to the device and route traffic through it. I can also access the config from the external device. the wg0 interface isn't part of the bridge. So I am assuming this problem is somehow bridge related? But honestly, I don't know where to start debugging this.

infabo · Sat Mar 01, 2025 3:11 pm

A good start would be, creating a new topic and providing (cleaned of sensitive) config export.

whatever · Sat Mar 01, 2025 3:28 pm

*) dhcpv4/v6-client - added check-gateway parameter;

Nice, no more workarounds with script!

merkkg · Sat Mar 01, 2025 3:30 pm

I can confirm it doesn't work and the scope of the issue can simply be narrowed to ECMP with L4 or L3-Inner isn't working with fasttracking enabled. In my tests, it doesn't matter if you use routing marks via mangle or routing rules.

Was working before?

Naecken · Sat Mar 01, 2025 5:30 pm

*) bridge - added new STP monitoring fields for bridge and ports (Tx/Rx BPDU, Tx/Rx TC, forward/discard transitions, last topology change, message-age, max-age, remaining-hops, bridge-id);
Yes, masterclass.

What about constation diagram and spectral analysis in WiFi drivers? Anything soon?

Sat Mar 01, 2025 6:25 pm

Upgrade of CAPs via Capsman / upgrade, I get this error message in log on wAP AX.
Another wAP AX upgraded just fine, so did AX Lite and AX2.

0x17e0d0 manual upgrade request failed, no file (zerotier-7.19beta2-arm.npk)

There was no zerotier present on that wAP to begin with, so why should it be there ?
I've seen that same issue as well on 7.18-b4 version. So still not fixed ... I updated the ticket I already made before.

jszakmeister · Sat Mar 01, 2025 6:41 pm

Updated my home setup to 7.19beta2 to test things and the Wi-Fi has become very unstable. Downgraded back to 7.18 and the issue has persisted. Filed a ticket with the relevant supout.rif attached. Didn't really expect Wi-Fi issues that given the changelog though. :-(

Guscht · Sat Mar 01, 2025 11:48 pm

So many moves on Bridging, Switching, ARP, and other very fundamental layers.
I think(I hope) this can be happening for a good reason!

Compared to other vendors and even to the standards, the bridge implementations, the nomenclature, and etc, were so weird!

I dont think so. The names are almost identical on all other linux-based systems. If you use for example Proxmox, you see the same nomenclature, which is great, because you know exactly 1:1 what it is and does. But Linux does not always obey what standards dictate in terms of nomenclature :D

If you use KTI-devices and have not read the IEEE 802.1Q, you are totally lost with their C-tag and S-tag nomenclature.

oreggin · Sun Mar 02, 2025 12:37 am

*) route - make AFI naming consistent;

[admin@test] > /routing/bgp/connection/print where afi=
ip     ipv6     l2vpn     l2vpn-cisco     vpnv4     vpnv6   
[admin@test] > /routing/route/find where afi=          
bad     ip     ipv6     l2vpn     l2vpn-cisco     l2vpn-link     link     mip4     mip6     vpnv4     vpnv6

Viva! Hurrah!
They listened...
Thank you!

"Ask and it will be given to you" :) /Matthew 7:7/

BrateloSlava · Sun Mar 02, 2025 9:06 am

wifi - add channel.reselect-time parameter which allows to perform channel re-sellection at given time of day (CLI only);

There is no information in the logs. It is unclear whether there is an attempt to select another channel or not.

pekr · Sun Mar 02, 2025 10:11 am

I would once again like to point out DNS Adlist weird behaviour, as I am considering it being a bug.

After the router reboot, I can find the following log entries:

- [adlist] adlist read: max cache size reached
- cache full, not storing [ignoring repeated messages]

I have my cache size set to 4096 and even with an under 500 entries, it is almost full. The thing is, that I have an entry in the Adlist section, but - it is greayed out / disabled. My suspicion is, that ROS still might update the list in the background? What is the Pause button for?

Disabled, means disabled imo. It should definitely be removed from the memory, but it does not seems so. Only once I delete the Adlist URL entry, it gets removed. In my book, this is clearly a bug - if I disable the feature, it should not occupy the memory anymore. At least not after the reboot / DNS cache flush?

loloski · Sun Mar 02, 2025 10:19 am

how to undo this?
i was playing around , and i want to bring it to how it was, without /routing filter rule

sorry for late reply

/routing/settings/set dynamic-in-chain=""

ID · Sun Mar 02, 2025 4:10 pm

*) dhcpv6-server - fix when expired static binding is declined with false "binding belogs to another server" reason;

Problem is still there. New one "no existing binding found, won't create" come up as well.

Mar/01/2025 23:40:16 dhcp,debug,packet recv server: <pppoe-user1> fe80::2 -> ff02::1:2
Mar/01/2025 23:40:16 dhcp,debug,packet type: renew
Mar/01/2025 23:40:16 dhcp,debug,packet transaction-id: a1d20b
Mar/01/2025 23:40:16 dhcp,debug,packet  -> clientid:   00030001 005056bf 3ea9
Mar/01/2025 23:40:16 dhcp,debug,packet  -> serverid:   00030001 005056bf 358d
Mar/01/2025 23:40:16 dhcp,debug,packet  -> oro: 23 
Mar/01/2025 23:40:16 dhcp,debug,packet  -> elapsed_time: 314
Mar/01/2025 23:40:16 dhcp,debug,packet  -> ia_pd: 
Mar/01/2025 23:40:16 dhcp,debug,packet    t1: 1800
Mar/01/2025 23:40:16 dhcp,debug,packet    t2: 2880
Mar/01/2025 23:40:16 dhcp,debug,packet    id: 0x2
Mar/01/2025 23:40:16 dhcp,debug,packet   -> ia_prefix: 
Mar/01/2025 23:40:16 dhcp,debug,packet     prefix: XXXX:XXXX:3:3001::/64
Mar/01/2025 23:40:16 dhcp,debug,packet     valid time: 3600
Mar/01/2025 23:40:16 dhcp,debug,packet     pref. time: 2880
Mar/01/2025 23:40:16 dhcp,debug processing client:005056bf3ea9 iapd:0x2, binding exists, binding belongs to another server
Mar/01/2025 23:40:16 dhcp,debug,packet send <pppoe-user1> -> fe80::2%35
Mar/01/2025 23:40:16 dhcp,debug,packet type: reply
Mar/01/2025 23:40:16 dhcp,debug,packet transaction-id: a1d20b
Mar/01/2025 23:40:16 dhcp,debug,packet  -> clientid:   00030001 005056bf 3ea9
Mar/01/2025 23:40:16 dhcp,debug,packet  -> serverid:   00030001 005056bf 358d
Mar/01/2025 23:40:16 dhcp,debug,packet  -> dns_servers: 
Mar/01/2025 23:40:16 dhcp,debug,packet     XXXX:XXXX:0:10::10
Mar/01/2025 23:40:16 dhcp,debug,packet     XXXX:XXXX:0:10::11
Mar/01/2025 23:40:16 dhcp,debug,packet  -> ia_pd: 
Mar/01/2025 23:40:16 dhcp,debug,packet    t1: 43200
Mar/01/2025 23:40:16 dhcp,debug,packet    t2: 69120
Mar/01/2025 23:40:16 dhcp,debug,packet    id: 0x2
Mar/01/2025 23:40:16 dhcp,debug,packet   -> ia_prefix: 
Mar/01/2025 23:40:16 dhcp,debug,packet     prefix: XXXX:XXXX:3:3001::/64
Mar/01/2025 23:40:16 dhcp,debug,packet     valid time: 0
Mar/01/2025 23:40:16 dhcp,debug,packet     pref. time: 0
====================================================================================================================
Mar/02/2025 09:41:50 dhcp,debug processing client:005056bf3ea9 iapd:0x2, no existing binding found, won't create
Mar/02/2025 09:41:50 dhcp,debug,packet send <pppoe-user3> -> fe80::10e6:78c6:0:2%22
Mar/02/2025 09:41:50 dhcp,debug,packet type: reply
Mar/02/2025 09:41:50 dhcp,debug,packet transaction-id: 61a941
Mar/02/2025 09:41:50 dhcp,debug,packet  -> clientid:   00030001 005056bf 3ea9
Mar/02/2025 09:41:50 dhcp,debug,packet  -> serverid:   00030001 005056bf 358d
Mar/02/2025 09:41:50 dhcp,debug,packet  -> rapid_commit: [empty]
Mar/02/2025 09:41:50 dhcp,debug,packet  -> dns_servers: 
Mar/02/2025 09:41:50 dhcp,debug,packet     XXXX:XXXX:0:10::10
Mar/02/2025 09:41:50 dhcp,debug,packet     XXXX:XXXX:0:10::11
Mar/02/2025 09:41:50 dhcp,debug,packet  -> ia_pd: 
Mar/02/2025 09:41:50 dhcp,debug,packet    t1: 43200
Mar/02/2025 09:41:50 dhcp,debug,packet    t2: 69120
Mar/02/2025 09:41:50 dhcp,debug,packet    id: 0x2
Mar/02/2025 09:41:50 dhcp,debug,packet   -> status: 6 - no prefix

nichky · Sun Mar 02, 2025 11:46 pm

@loloski

sorry for late reply

/routing/settings/set dynamic-in-chain=""

[/quote]

i asked for undo, but it seems like that i have to use for now, till MikroTik fix it.
Not sure where this can be used for.

Amm0 · Mon Mar 03, 2025 1:22 am

Similarly two questions
What do the following mean.
*) route - added options to set dynamic-in and connected-in chains in /routing/settings;

I'm glad you asked. I missed that one in my first reading. That's another great one for me, so thank Mikrotik. I've complained intermittently about since 7.0beta about this one. Late is better than never.

I used dynamic-in without BGP in V6. So my use case was to always to set check-gateway=ping from a /ip/dhcp-client – without a script there. Basically anything with a "D" in /ip/route is a "dynamic-in", so you can now the same BGP-style "rules" in-between things like LTE or DHCP WANs and the /ip/route they'd create (i.e. with a D). While I use if for check-gateway= in past, any of the setting are "programable" with that change.

So for example this seem to work in 7.19beta2 using them:

/routing filter rule add chain=setcheckgw disabled=no rule="if ( afi ipv4 ) { set gw-check icmp; accept }"
/routing settings set dynamic-in-chain=setcheckgw

And with that change, EVERY dynamic route will always get add with a check-gateway=ping. There is whole sub-scripting language in the rule="" matchers, but you can control what dynamic things are covered etc., that part is same as BGP docs. Much like the firewall, but for new routing information that gets added by RouterOS (thus "dynamic") to /ip/route.

buset1974 · Mon Mar 03, 2025 4:26 am

*) route - fixed stuck output when calling prints from multiple routing menus;

Still having stuck when doing "/routing/route/print where blackhole" or "/ip/route/print where blackhole"

Tested on CCR1009 with 2 full route peering for ipv4 (950k) & ipv6 (210k) and 1 RTBH peer route (80k prefixes) without traffic pass the router and cpu state 32%

BGP Session state

Screenshot 2025-03-03 092407.jpg

This is /tool/profiles state

Screenshot 2025-03-03 093206.jpg

thx

Mon Mar 03, 2025 9:13 am

I would once again like to point out DNS Adlist weird behaviour, as I am considering it being a bug.

After the router reboot, I can find the following log entries:

- [adlist] adlist read: max cache size reached
- cache full, not storing [ignoring repeated messages]

I have my cache size set to 4096 and even with an under 500 entries, it is almost full. The thing is, that I have an entry in the Adlist section, but - it is greayed out / disabled. My suspicion is, that ROS still might update the list in the background? What is the Pause button for?

Disabled, means disabled imo. It should definitely be removed from the memory, but it does not seems so. Only once I delete the Adlist URL entry, it gets removed. In my book, this is clearly a bug - if I disable the feature, it should not occupy the memory anymore. At least not after the reboot / DNS cache flush?

That's much too low for adlist. Try something like this:

/ip dns set allow-remote-requests=yes cache-max-ttl=1d cache-size=400000KiB

eider · Mon Mar 03, 2025 9:20 am

That's much too low for adlist. Try something like this

His point was to demonstrate that disabled Adlist entry still seem to consume cache, when it should not.

Mon Mar 03, 2025 9:24 am

sorry, misread the report. will check

erlinden · Mon Mar 03, 2025 9:37 am

channel.reselect-time=01:00 can be used in conjunction with reselect-interval=7d to scan channels at 1am every 7days?
I'm giving it a try by only setting reselect-time, will keep you (and others) posted.

Yep, channel changed over night. So reselect-time has an implicit reselect-interval of 24h.

infabo · Mon Mar 03, 2025 10:40 am

*) wifi - add channel.reselect-time parameter which allows to perform channel re-sellection at given time of day (CLI only);

important part: "at given time of day". It is meant as written obviously. In combination with reselect-interval this is getting hard to predict the resulting behaviour (as proven). Which of these settings has priority? It makes kind of sense to not combine these settings. As "reselect-interval=2h" while having "reselect-time=01:00" would be complete nonsense. So it has to be documented in a way people can understand it. Or even better: not allowing users to set both at a time.

BrateloSlava · Mon Mar 03, 2025 12:35 pm

As "reselect-interval=2h" while having "reselect-time=01:00" would be complete nonsense.

Configuring these parameters via the command line allows you to do even that:

reselect-interval=8h..12h reselect-time=08:00:00..09:00:00

It's absolutely unclear how this is all going to work.

erlinden · Mon Mar 03, 2025 12:48 pm

If this is part of the V7.19 RC, it will probably be added to the documentation.

Mon Mar 03, 2025 2:07 pm

*) ip-service - show all TCP/UDP connections on the system;
*) ip-service - show all TCP/UDP ports on system, including ports in containers;
*) ip-service - show error message when service enable fails;
This is great! It's the small things like this that do help. Really like it includes containers too.

Only tiny gripe be the "protocol" column should be after the port in the default column layout.

*) certificate - added built-in root certificate authorities store;
Y'all should probably include the CA's used by common DoH DNS providers... Or maybe they are not used by DoH yet, because I tried to enable "Verify SSL Certificate", but that didn't work with Cloudflare, Google, nor Quad9. But assuming it work for DoH, users can avoid the search for right Cloudflare/etc certs while still enabling SSL checks.

IMO having default certs seems like a good idea. And I'm sure some will disagree, and be suggesting !) for this one... since it does change the decade+ long scheme that user always add their root certs.

Also, the root certificate list should be in winbox. I found them via CLI which show them at "/certificate/builtin/print". Over time, I'd imagine the check-certificate=yes in various places could default =yes.

When updating from an older version of RouterOS, built-in root certificates are not trusted and cannot be used for certificate verification.
Execute the following command to change trust settings for these certificates.

/certificate/settings/set builtin-trust-anchors=trusted

itimo01 · Mon Mar 03, 2025 2:53 pm

Well well well it seems that now even i do have wifi issues :D
This didn't happen before 7.19beta2 and i think i will switch to my other partition (7.18beta2) later to check:

Screenshot 2025-03-03 135122.png

Anyone with similar issues on 7.19beta2?

EDIT: I just update the other partition to 7.18.1 and copied the config will check now.
EDIT: EDIT: I just noticed that the echo dot i have here now doesnt disconnect every 30 seconds.
I thought that had been an issue the whole time. I guess not :/

EDIT:EDIT:EDIT:
I just tested 7.18.1 against 7.19beta2 and on the beta roaming is completely broken for me.
It didnt work A SINGLE time without disconnecting my client (aka my phone).
I opened a ticket for this SUP-180964

83jsg90 · Mon Mar 03, 2025 6:39 pm

Netinstall64.exe and Netinstall.exe 7.19 do not launch at all. I used Netinstall 7.18 to flash 7.19b2 onto my device.

BrateloSlava · Mon Mar 03, 2025 8:42 pm

On the CAPsMAN controller, I have displayed a column showing the “Current Channel” parameter.
However, the values that are displayed in this column do not match the values that can be seen on the APs themselves.
Or am I misunderstanding something?

Displayed channel values:

wAP ac - 2452/5745 (AP) - 2452/5745 (CAPsMAN)
cAP ac - 2442/5805 (AP) - 2442/5180 (CAPsMAN)
hAP ax3 - 2442/5220 (AP) - 2442/5180 (CAPsMAN)

CAPsMAN:

Screenshot_capsman.png

AP:

Screenshot_cap_kitchen.png

Screenshot_wap_room.png

Screenshot_rt-slava.png

rkrisi · Mon Mar 03, 2025 8:45 pm

How to add a CA certificate in this version to be trusted and to be used for certificate verification?
Previously this worked without any extra config, just by importing CA to certificates.
After upgrade to this version, ovpn does not connect, it says:

ovpn_mgmt: terminating... - TLS error: ssl: no trusted CA certificate found (6)

Amm0 · Mon Mar 03, 2025 9:15 pm

Opps...

*) certificate - added built-in root certificate authorities store;
Y'all should probably include the CA's used by common DoH DNS providers... Or maybe they are not used by DoH yet, because I tried to enable "Verify SSL Certificate", but that didn't work with Cloudflare, Google, nor Quad9. [...]

FWIW, Mikrotik added docs to help on this one: https://help.mikrotik.com/docs/spaces/R ... uthorities

So on updated devices there is a command to enable (or disable), the "trust anchors" (i.e. the built-in CAs) via:

/certificate/settings/set builtin-trust-anchors=trusted

And with that you can check the "Verify TLS Certificate" for DoH DNS, etc. WITHOUT download certs. Or at least it worked with Cloudflare, Google, OpenDNS, and Quad9 in a quick test.

TrevinLC1997 · Tue Mar 04, 2025 2:46 am

Is DHCP snooping goofed up in this version? I accidentally enabled it on my CCR2116, this prevented me from pinging different VLAN interfaces although I was able to before.

I disabled DHCP snooping, now none of my devices are able to communicate to the DHCP server (Hosted on the CCR2116) and I am forced to set a static. Directly connected my Unifi AP to my CCR2116 to confirm it wasn't a misconfigured switch setting.

When I re-enable DHCP snooping although I have no trusted ports. All my devices are now once again able to talk to the DHCP server and everything works properly except for the fact I can no longer ping the default gateway nor can I connect to it via WinBox. I can't communicate with the CCR2116 at all from my local LAN. I had to connect via wireguard over my phone to disable DHCP snooping which restores access (pinging, winbox etc, but breaks DHCP as stated above)

lurker888 · Tue Mar 04, 2025 3:44 am

Yep. DHCP snooping has some sort of major problem. I updated a previously working rb5009 router (from 7.18 stable) to 7.19b2, and can't ping/connect to the router through a bridge that has VLAN filtering and DHCP snooping enabled. A bit weirdly the DHCP server works correctly (provided by the same router) on its VLANs and IP forwarding behavior is also correct. Also, if discovery (MDP) is enabled, the device shows up, but MAC Winbox fails to connect.

Turning DHCP snooping off corrects the issue.

I tried disabling bridge HW offloading on all ports, but it has no effect (either positive or negative) on this phenomenon.

chiem · Tue Mar 04, 2025 5:50 am

Can we have ipv6 fasttrack hw offload?

un9edsda · Tue Mar 04, 2025 11:15 am

Upgrading to this version completely breaks routing on my RB5009 from my LAN's side. Every packet towards the router seems to get dropped, thus I can't access the config with winbox anymore. [...] the device still connects to the internet, and replies to ping from WAN. [...] I can also access the config from the external device. [...] this problem is somehow bridge related? [...]

The issue may be due to DHCP snooping as described by @TrevinLC1997 and @lurker888.

And to jump on the bandwagon I do have similar issues after upgrading from 7.18.0RC2 to 7.19.0BETA2 while using DHCP snooping and option 82 (interfaces connected to other MikroTik devices are trusted, rest are not).

jbl42 · Tue Mar 04, 2025 5:52 pm

Updated a Lab RB5009 to 7.19b2 and enabled DHCP snooping. With the same results: The router is not accessible from LAN. L3 forwarding works, DHCP clients get an address.
It looks like L2 broadcasts are forwarded to the CPU port, but packets from LAN going to the CPU port MAC address are dropped either by the bridge or by the CPU network interface towards the bridge.

trmns · Tue Mar 04, 2025 6:27 pm

Thank you guys for figuring this out, I hope Mikrotik support now knows what to do. (I downgraded to 7.18.1 and the downgrade works fine :))

Cha0s · Tue Mar 04, 2025 8:51 pm

Routing is getting from bad to worse with each version.

70% total CPU usage (across 4 CPU cores) by "routing" process, right after upgrading to 7.19b2.
Router (RB4011) has 8 BGP peers, and ~3000 routes and practically zero traffic (1-2mbps).
Code: Select all
> /system/resource/cpu/print 
Columns: CPU, LOAD, IRQ, DISK
#  CPU   LOAD  IRQ  DISK
0  cpu0  71%   1%   0%  
1  cpu1  76%   0%   0%  
2  cpu2  76%   1%   0%  
3  cpu3  85%   1%   0%  
Code: Select all
> /tool/profile duration=10 cpu=total 
Columns: NAME, USAGE
NAME                 USAGE
networking           3.6% 
management           4.2% 
winbox               0%   
ethernet             0.3% 
logging              0%   
console              0.6% 
crypto               0%   
routing              69.6%
queuing              0.2% 
firewall             0.1% 
profiling            0%   
kernel               0.8% 
chacha_neon          0%   
poly1305_arm         0%   
libchacha20poly1305  0%   
8021q                0%   
total                79.4%
Did a netinstall on a brand new RB5009, manually reconfigured everything the same as the RB4011 (did not restore a backup) and after putting it to work, same behavior. 70% CPU usage over all 4 cores, eaten by "routing" process.

The setup is 8 BGP peers with BFD enabled, over 8 Wireguard tunnels.

I isolated the issue to BFD. When enabled it causes high CPU usage.
I experience the issue on multiple routers and I set up a new router with empty configuration with just BGP + BFD and the issue still occurs.

I reported the bug on ticket #SUP-181114

m4rk3J · Tue Mar 04, 2025 9:17 pm

When I see new feature about EAP identity in registration table... how hard will be for devs to add channel utilization stats? I would like to see it in CAPsMAN, it will be very usefull.

pe1chl · Wed Mar 05, 2025 11:22 am

I isolated the issue to BFD. When enabled it causes high CPU usage.
I experience the issue on multiple routers and I set up a new router with empty configuration with just BGP + BFD and the issue still occurs.

I reported the bug on ticket #SUP-181114

What parameters do you use for BFD?
I have several routers using BFD, e.g. a CCR2004 with 14 peers 8 of them using BFD and at the moment 3 RB5009 with 5 peers of which 4 use BFD, and I do not experience that issue on 7.18.1 (I think you already had it in 7.18)
But I use a 1-second BFD interval, maybe you have 1 millisecond?

erlinden · Wed Mar 05, 2025 11:35 am

When I see new feature about EAP identity in registration table... how hard will be for devs to add channel utilization stats? I would like to see it in CAPsMAN, it will be very usefull.

What are you looking for?

Frequency scan: https://help.mikrotik.com/docs/spaces/R ... quencyscan
Scan command: https://help.mikrotik.com/docs/spaces/R ... cancommand
Sniffer: https://help.mikrotik.com/docs/spaces/R ... Fi-Sniffer

m4rk3J · Wed Mar 05, 2025 11:51 am

For something like this:

ui.png

fischerdouglas · Wed Mar 05, 2025 1:09 pm

[admin@test] > /routing/bgp/connection/print where afi=
ip     ipv6     l2vpn     l2vpn-cisco     vpnv4     vpnv6   
[admin@test] > /routing/route/find where afi=          
bad     ip     ipv6     l2vpn     l2vpn-cisco     l2vpn-link     link     mip4     mip6     vpnv4     vpnv6

Viva! Hurrah!
They listened...
Thank you!

"Ask and it will be given to you" :) /Matthew 7:7/

Hey! I have to thank the MikroTik team for "isis" vs IS-IS" too!

With 7.19 being prepared, I decided to revisit a project that involves isis in Mikrotik.

The first criticism/request I was going to make about this was precisely about the lack of consistency in syntax.
But it seems that they have already fixed ISIS as well.

*) route - make AFI naming consistent;

[admin@test] > /routing/isis/instance/print   
Flags: X - disabled, I - inactive 
[admin@test] > /routing/route/print where isis

Thanks and congratulations!

I think this syntax adjustment needs to be touched up in the topic about isis in Router-OS confluence as well.
They are probably waiting for 7.19 to become stable to do this.

And as a suggestion, is worth mentioning in the release notes which protocols received this improvement in syntax consistency.

Jotne · Wed Mar 05, 2025 1:39 pm

Critically of this action seems for me to be way to high. Exactly Very High :)

2025-03-05T11:31:21.363+0000 RB2011-test CEF:0|MikroTik|RB2011iLS|7.19beta2 (testing)|10|system,critical,info|Very-High|dvchost=RB2011-test msg=serial\=xxxx MikroTik: cloud change time Mar/05/2025 11:30:58 \=> Mar/05/2025 11:31:21

That a router adjusts its time after reboot when it gets the correct time trough a NTP server is from me an informational message.

Now that we have CEF (a huge improvement) MT should work on all the other logging mess.

nkourtzis · Wed Mar 05, 2025 1:41 pm

Upgrading two routers (hAP ax, Chateau Pro AX) to 7.19b2 makes all devices connected via WiFi report "internet not available". They are getting valid IPs and traceroutes with IPs work. What seems to be broken is DNS resolution via the router. Reverting to 7.18.1 fixed the issue in both cases.

pe1chl · Wed Mar 05, 2025 1:56 pm

Critically of this action seems for me to be way to high. Exactly Very High :)

Well, actually a change of time-of-day is a very critical event, but one could argue that in a device without built-in clock it could be labeled a little less severe when the time adjustment is forward, and less than 5 minutes.
However, I doubt that MikroTik want to add logic to many log messages to cover such cases...

mkx · Wed Mar 05, 2025 2:10 pm

Well, actually a change of time-of-day is a very critical event, but one could argue that in a device without built-in clock it could be labeled a little less severe when the time adjustment is forward, and less than 5 minutes.

When upgrading my fleet from 7.17.2 to 7.18.1 ... I saw time jump of a few hours after reboot due to upgrade on one of devices. So the "after boot" time jump can be rather large. However I'd say that severity of first time jump (if caused by NTP client) after reboot can be down-tuned to informational ... regardless the size of time jump.

rextended · Wed Mar 05, 2025 2:15 pm

This exist on 7.18.1 so, probably, also exist on 7.19beta
BUG:
Removing not default queue type used on queue simple or queue tree before removing/changing the existant queue cause permalock.

How to replicate:

/queue type
add kind=cake name=queue1
/queue simple
add name=queue1 target="" total-queue=queue1
/queue tree
add name=queue1 parent=global queue=queue1
/queue type
remove [find where default=no]

pe1chl · Wed Mar 05, 2025 6:45 pm

When upgrading my fleet from 7.17.2 to 7.18.1 ... I saw time jump of a few hours after reboot due to upgrade on one of devices. So the "after boot" time jump can be rather large. However I'd say that severity of first time jump (if caused by NTP client) after reboot can be down-tuned to informational ... regardless the size of time jump.

Well, in your case it would have been valuable when you were warned because what happened is likely not what you intended!
E.g. a device was powercycled without clean shutdown (maybe because of a PoE upgrade, and you should have shut down or upgraded the powered device first), or the device failed over to a backup partition.
Also a big jump can happen after any crash or powerloss, good that there is a critical warning.

smotrov · Wed Mar 05, 2025 6:48 pm

Regarding file - improved responsiveness on slow filesystems;
Which filesystems exactly are considered as slow?

fischerdouglas · Wed Mar 05, 2025 6:59 pm

Regarding file - improved responsiveness on slow filesystems;
Which filesystems exactly are considered as slow?

fs over remote protocol like sshfs and similar.

EmanK · Wed Mar 05, 2025 7:50 pm

Same problem happened for me with the routing process, only since 7.19beta2 (7.18 and lower perfectly OK), but only after some uptime (few hours), on my RB2011.

I only have 6 OSPF instances over WireGuard, and with nearly 0 traffic.

mkx · Wed Mar 05, 2025 10:38 pm

Well, in your case it would have been valuable when you were warned because what happened is likely not what you intended!
E.g. a device was powercycled without clean shutdown ...

Nope, device was cleanly rebooted due to ROS upgrade. I can't explain the few hours jump myself, usually it is, as everybody says, a few minutes.

Just wanted to mention that initial jump on devices without RTC can be just anything (netinstalled device will jump from 1.1.1970). And since this initial jump is expected, it should not be even a warning let alone critical ... it's simply informational (so that when reading logs one can extrapolate timestamps of log entries earlier than time jump into right time).

eworm · Wed Mar 05, 2025 10:55 pm

... netinstalled device will jump from 1.1.1970...

That's no longer true. With recent versions you can not go before release build date.

mkx · Wed Mar 05, 2025 11:02 pm

... netinstalled device will jump from 1.1.1970...
That's no longer true. With recent versions you can not go before release build date.

Whatever. It's been a while since I last netinstalled a device (more than a couple of weeks for sure ;-) ).
The point is: there's no need for initial time step to be considered as critical event ... there are other log entries telling admin that device might have suffered from fatal problem prior to reboot.

Cha0s · Wed Mar 05, 2025 11:37 pm

I isolated the issue to BFD. When enabled it causes high CPU usage.
I experience the issue on multiple routers and I set up a new router with empty configuration with just BGP + BFD and the issue still occurs.

I reported the bug on ticket #SUP-181114
What parameters do you use for BFD?
I have several routers using BFD, e.g. a CCR2004 with 14 peers 8 of them using BFD and at the moment 3 RB5009 with 5 peers of which 4 use BFD, and I do not experience that issue on 7.18.1 (I think you already had it in 7.18)
But I use a 1-second BFD interval, maybe you have 1 millisecond?

/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5

This is a 7.19beta2 issue. That's why I posted it on this thread. It doesn't appear on v7.18.1 and prior, with the exact same config.
v7.18 (actually v7.16 to .18) have other issues with BGP, among them the ones you have already mentioned multiple times, and mine - which the routing process gets stuck at 100% CPU on one core.
I've downgraded all my routers back to v7.15.3. I'm tired of having to reboot routers every once and a while because of this.

pe1chl · Thu Mar 06, 2025 10:39 am

Ok I seemed to remember that you posted it has been a problem for a while...
But indeed there are several BGP problems and the silence from MikroTik is deafening...
However, on my routers (with 7.18 and 7.18.1) there is no CPU usage problem, only the issues I mentioned before.

merkkg · Thu Mar 06, 2025 10:54 am

Ok I seemed to remember that you posted it has been a problem for a while...
But indeed there are several BGP problems and the silence from MikroTik is deafening...
However, on my routers (with 7.18 and 7.18.1) there is no CPU usage problem, only the issues I mentioned before.

You still have the same BGP problems on 7.19b2? Do you have a forum post listing them all? I also have BGP with stuck routes on 7.16.1 that drive me crazy.

Cha0s · Thu Mar 06, 2025 11:01 am

Ok I seemed to remember that you posted it has been a problem for a while...
But indeed there are several BGP problems and the silence from MikroTik is deafening...
However, on my routers (with 7.18 and 7.18.1) there is no CPU usage problem, only the issues I mentioned before.

The CPU issue is on v7.19beta2.

pe1chl · Thu Mar 06, 2025 11:35 am

You still have the same BGP problems on 7.19b2? Do you have a forum post listing them all? I also have BGP with stuck routes on 7.16.1 that drive me crazy.

I have not installed 7.19b2 yet. It does not list a fix for any of my problems in the changes list.
I have posted several times in release topics about my BGP problems.
They started in 7.16, in 7.15.x all was OK.

pe1chl · Thu Mar 06, 2025 11:39 am

Well, in your case it would have been valuable when you were warned because what happened is likely not what you intended!
E.g. a device was powercycled without clean shutdown ...

Nope, device was cleanly rebooted due to ROS upgrade. I can't explain the few hours jump myself, usually it is, as everybody says, a few minutes.

It means that something was seriously wrong. In a normal upgrade procedure, the new packages are installed and the device is cleanly rebooted. That includes closing the configuration database and setting its time to the current time.
Then after boot the system clock is set to that database time, and further adjusted to the network time (NTP or Cloud).
So the time difference in that log message should only be the boot time delay.

When that causes a jump of several hours, it means that the reboot was not clean, there was a crash during installation.
Certainly something to carefully look at and consider a netinstall!

azerty · Thu Mar 06, 2025 12:24 pm

*) dhcpv6-client - allow selecting to which routing tables add default route;

Great, step 2 after this new feature was already changed in 7.18(beta, rc) for the dhcp-v4-client !!
The last step will be to implement this in the PPPoE-Client as well :-)
Maybe in a 7.19beta3?? :-D

pppoe-client and l2tp-client please. It's very helpful when a router have multiple ppp.

mkx · Thu Mar 06, 2025 12:42 pm

Certainly something to carefully look at and consider a netinstall!

Thanks for you considerations. Since devices work as intended, without any noticeable problems, I'll skip further actions (for now).

Santi · Thu Mar 06, 2025 1:44 pm

I just tested 7.18.1 against 7.19beta2 and on the beta roaming is completely broken for me.
It didnt work A SINGLE time without disconnecting my client (aka my phone).
I opened a ticket for this SUP-180964

Happened to me too, rolling back to 7.18.1

rbilka · Thu Mar 06, 2025 4:37 pm

I upgraded from 7.18beta2 to 7.19beta:
... ROAMING is not working again!

Upgrade from 7.17 to 7.18beta2 has broken ROAMING too, but that time adding this fixed it:
/interface wifi security
connect-priority=0/1

... and after adding additional:
/interface wifi steering
2g-probe-delay=yes
... ROAMING was working GREAT at 7.18beta2.

Any idea what I should test beffore downgrade?

Added some info:
I tested it on 2 devices (both "AX"), monitoring via Android APP "WifiMAN":
Device A (Realme 9Pro+):
I see that it shows "AP roaming", but it still seems to roam to the one and only device where it is already connected (even though it has almost no signal -80dB, and I am standing right next to the new one with about -20dB).

Device B (Samsung S25):
It does not show "AP roaming" but the signal strength jumps up as if it was already on the new AP, then it disconnects and reconnects to the new AP.

Either something is being transmitted incorrectly within the "steering", or the new AP drops communication until the given client fully logs in to the given AP?

It was working nice at 7.17 and 7.18beta2 .

BrateloSlava · Thu Mar 06, 2025 6:02 pm

I upgraded from 7.18beta2 to 7.19beta: ... ROAMING is not working again!

I got roaming working only after returning the CAPsMAN controller to 7.17.2. The access points work fine under 7.18.1 and 7.19beta.

CAPsMAN controller settings:

/interface wifi channel add band=5ghz-ac disabled=no name=Home-5GHz-auto reselect-interval=1h..2h skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi channel add band=2ghz-n disabled=no name=Home-2.4GHz-auto reselect-interval=1h..1h30m width=20/40mhz
/interface wifi channel add band=2ghz-ax disabled=no name=Home-2.4GHz-auto-AX reselect-interval=1h..1h30m width=20/40mhz
/interface wifi channel add band=5ghz-ax disabled=no name=Home-5GHz-auto-AX reselect-interval=1h..2h skip-dfs-channels=10min-cac width=20/40/80mhz

/interface wifi security add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disable-pmkid=yes disabled=no encryption=ccmp ft=yes ft-over-ds=yes group-key-update=1h management-protection=allowed name=secur-Home passphrase=wifi_password wps=disable

/interface wifi steering add disabled=no name=steering-Home neighbor-group=NG-Home rrm=yes wnm=yes

/interface wifi configuration add chains=0,1 channel=Home-5GHz-auto country=Panama disabled=no dtim-period=3 mode=ap multicast-enhance=enabled name=Home-5ghz qos-classifier=priority security=secur-Home ssid=MikroAP steering=steering-Home tx-chains=0,1 tx-power=20
/interface wifi configuration add chains=0,1 channel=Home-2.4GHz-auto country=Panama disabled=no mode=ap multicast-enhance=enabled name=Home-2ghz qos-classifier=priority security=secur-Home ssid=MikroAP steering=steering-Home tx-chains=0,1 tx-power=10
/interface wifi configuration add chains=0,1 channel=Home-2.4GHz-auto-AX country=Panama disabled=no mode=ap multicast-enhance=enabled name=Home-2ghz-AX qos-classifier=dscp-high-3-bits security=secur-Home ssid=MikroAP steering=steering-Home tx-chains=0,1 tx-power=10
/interface wifi configuration add chains=0,1 channel=Home-5GHz-auto-AX country=Panama disabled=no dtim-period=3 mode=ap multicast-enhance=enabled name=Home-5ghz-AX qos-classifier=dscp-high-3-bits security=secur-Home ssid=MikroAP steering=steering-Home tx-chains=0,1 tx-power=20

How to “correctly” use the “2g-probe-delay=yes” parameter is unclear. If I just add this parameter to the CAPsMAN settings I described above - everything breaks down. And roaming disappears.

AP - cAP ac, wAP ac, hAP ax3

itimo01 · Thu Mar 06, 2025 6:22 pm

-10dB

-10dBm? Did you put your phone inside the AP or what? :D

But anyway i didnt set the probe delay as i dont need the clients to prefer 5ghz.
But i do have connect-priority set as this helped my Xiaomi Phone with FT.

For me the issues with 7.19beta2 are like this:

1. The client roams successfully
2. Then the MT disconnects my client.
3. After a few seconds the client reconnects to the AP it roamed to and everything works.

But the 2.4ghz interface seems a little unstable too as an alexa disconnects every few seconds and my laptop (if getting far from 5ghz range) does the same, but the interval is way longer (more like 5 mins)

erlinden · Thu Mar 06, 2025 6:35 pm

How to “correctly” use the “2g-probe-delay=yes” parameter is unclear. If I just add this parameter to the CAPsMAN settings I described above - everything breaks down. And roaming disappears.

For me this is working without problems:

/interface wifi steering
add 2g-probe-delay=yes disabled=no name=[My name redacted] neighbor-group=[My group redacted] rrm=yes wnm=yes

BrateloSlava · Thu Mar 06, 2025 6:44 pm

-10dBm? Did you put your phone inside the AP or what? :D

The -10dBm is enough for me to have fully functional smart WiFi outlets.

When updating the CAPsMAN controller to 7.18 and 7.19, roaming for my Poco M5 and Xiaomi 14T phones no longer works properly. When I move away from the access point, I get disconnected from the wifi network, but not roaming to the next access point. Then within about 5 seconds it connects to the new access point.
I completely rolled back my test network at home to 7.17.2 via netinstall last night. After that I updated the access points to 7.18.1 and 7.19. And checked the roaming via WifiMAN.

BrateloSlava · Thu Mar 06, 2025 6:50 pm

For me this is working without problems:

/interface wifi steering
add 2g-probe-delay=yes disabled=no name=[My name redacted] neighbor-group=[My group redacted] rrm=yes wnm=yes

On version 7.19?

How are the other parameters set?

I am interested in whether the following parameters are used:

connect-priority=0/1 ft=yes ft-over-ds=yes

rbilka · Thu Mar 06, 2025 6:51 pm

My config:

# 2025-03-06 17:34:36 by RouterOS 7.19beta2
# software id = ZQCL-RJAH

/interface wifi steering
add 2g-probe-delay=yes disabled=no name=steering_home neighbor-group=dynamic-rbhn-5cba8134 rrm=yes wnm=yes
add 2g-probe-delay=yes disabled=no name=steering_guests neighbor-group=dynamic-rbhn-guests-5cba8134 rrm=yes wnm=yes
add 2g-probe-delay=yes disabled=no name=steering_iot neighbor-group=dynamic-rbhn-iot-f1990f75 rrm=yes wnm=yes
/interface wifi datapath
add bridge=bridgeSwitch client-isolation=yes disabled=no name=datapath_guests vlan-id=111
add bridge=bridgeSwitch client-isolation=yes disabled=no name=datapath_iot vlan-id=112
add bridge=bridgeSwitch client-isolation=no disabled=no name=datapath_home vlan-id=110
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disable-pmkid=no disabled=no ft=yes ft-over-ds=yes management-protection=required name=security_home wps=disable
add authentication-types=wpa2-psk connect-priority=0/1 disable-pmkid=no disabled=no ft=yes ft-over-ds=yes management-protection=allowed name=security_guests wps=disable
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disable-pmkid=no disabled=no ft=yes ft-over-ds=yes management-protection=allowed name=security_iot wps=disable
/interface wifi configuration
add channel="channel_2G_40Ce_ch1(-1<>6)_f2412(2402-2442)" country=Czech datapath=datapath_home disabled=no mode=ap name="configWifi_2G_home_ch(-1<>6)" security=security_home ssid=rbhn
add channel="channel_2G_40eC_ch13(8<>14)_f2472(2442-2482)" country=Czech datapath=datapath_home disabled=no mode=ap name="configWifi_2G_home_ch(7<>14)" security=security_home ssid=rbhn
add channel="channel_5G_80_ch106(100<>112)_f5500(5490-5570)" country=Czech datapath=datapath_home disabled=no mode=ap name="configWifi_5G_home_ch(100<>112)" security=security_home ssid=rbhn
add channel="channel_5G_80_ch122(116<>128)_f5580(5570-5650)" country=Czech datapath=datapath_home disabled=no mode=ap name="configWifi_5G_home_ch(116<>128)" security=security_home ssid=rbhn
add channel="channel_5G_80_ch138(132<>144)_f5660(5650-5730)" country=Czech datapath=datapath_home disabled=no mode=ap name="configWifi_5G_home_ch(132<>144)" security=security_home ssid=rbhn
add datapath=datapath_guests disabled=no name="configWifi_2G_guests_ch(any)" security=security_guests ssid=rbhn-guests
add datapath=datapath_iot disabled=no name="configWifi_2G_iot_ch(any)" security=security_iot ssid=rbhn-iot
add datapath=datapath_guests disabled=no name="configWifi_5G_guests_ch(any)" security=security_guests ssid=rbhn-guests
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no identity-regexp=chr master-configuration="configWifi_2G_home_ch(-1<>6)" name-format=%I_wifi-2G slave-configurations="configWifi_2G_guests_ch(any),configWifi_2G_iot_ch(any)" supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=lvr|bdr master-configuration="configWifi_2G_home_ch(7<>14)" name-format=%I_wifi-2G slave-configurations="configWifi_2G_guests_ch(any),configWifi_2G_iot_ch(any)" supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=lvr master-configuration="configWifi_5G_home_ch(100<>112)" name-format=%I_wifi-5G slave-configurations="configWifi_5G_guests_ch(any)" supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=chr master-configuration="configWifi_5G_home_ch(116<>128)" name-format=%I_wifi-5G slave-configurations="configWifi_5G_guests_ch(any)" supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=bdr master-configuration="configWifi_5G_home_ch(132<>144)" name-format=%I_wifi-5G slave-configurations="configWifi_5G_guests_ch(any)" supported-bands=5ghz-ax
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412 name="channel_2G_40Ce_ch1(-1<>6)_f2412(2402-2442)" skip-dfs-channels=disabled width=20/40mhz-Ce
add band=2ghz-ax disabled=no frequency=2472 name="channel_2G_40eC_ch13(8<>14)_f2472(2442-2482)" skip-dfs-channels=disabled width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500 name="channel_5G_80_ch106(100<>112)_f5500(5490-5570)" skip-dfs-channels=disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5580 name="channel_5G_80_ch122(116<>128)_f5580(5570-5650)" skip-dfs-channels=disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5660 name="channel_5G_80_ch138(132<>144)_f5660(5650-5730)" skip-dfs-channels=disabled width=20/40/80mhz

Names of "neighbor-group" in "/interface wifi steering" I used according this otput:

interface/wifi/steering/neighbor-group> print
 0 name="dynamic-rbhn-5cba8134" bssids=...,...,... 
 1 name="dynamic-rbhn-guests-5cba8134"  bssids=...,...,... 
 2 name="dynamic-rbhn-iot-f1990f75"  bssids=...,...,...

Small history:
Before version 7.17, ROAMING was working for me ONLY when "wpa3-psk" was disabled (only "wpa2-psk" allowed).
I thing that in 7.17, ROAMING stated working fine, even with "wpa3-psk" enabled.

After upgrade from 7.17 to 7.18beta2, ROAMING stops working again. Disabling "wpa3-psk" as before did not help.
But after adding "connect-priority=0/1" to "/interface wifi security", it was fully working againg.
I added even new option "2g-probe-delay=yes" into "/interface wifi steering", and ROAMING was GREAT at 7.18beta2.

After upgrade from 7.18beta2 to 7.19beta, ROAMING is not working again:
Either devices try to roam, but are disconected and reconected, or even don't try at all, or few shows that roam to the same AP (probably did not roam at all).

It seems that there are no more clients with "AUTH-TYPE" "ft-wpa2-psk", only "wpa2-psk" and "wpa3-psk".
(check "/interface/wifi/registration-table> print" )

Downgraded only (separate dedicated) caps manager device (withouth AP) back to the "7.18.1 stable", AP's are still on 7.19beta2, and ROAMING works again. No config change.

rbilka · Thu Mar 06, 2025 7:05 pm

-10dB
-10dBm? Did you put your phone inside the AP or what? :D

Sorry, typo, should be -20 ... maybe -22 to be precise ... fixed in my post above.

1. The client roams successfully
2. Then the MT disconnects my client.
3. After a few seconds the client reconnects to the AP it roamed to and everything works.

Are you sure that you receive any packet/frame after step 1 on client devices from new AP?
It seems to me that clients just try to send frames to the new AP, but that AP just drops them, no answer is replyed, and therefore client iniciate full reconnect (disconnect/connect). But I didn't have time to capture packets/frame to confirm that.
But previously, that "connect-priority=0/1" parameter was responsible for not dropping frames on "new AP" from client, when client's MAC address is still registered on "old AP".

rbilka · Thu Mar 06, 2025 9:01 pm

My config:

# 2025-03-06 17:34:36 by RouterOS 7.19beta2
# software id = ZQCL-RJAH

/interface wifi steering
add 2g-probe-delay=yes disabled=no name=steering_home neighbor-group=dynamic-rbhn-5cba8134 rrm=yes wnm=yes
add 2g-probe-delay=yes disabled=no name=steering_guests neighbor-group=dynamic-rbhn-guests-5cba8134 rrm=yes wnm=yes
add 2g-probe-delay=yes disabled=no name=steering_iot neighbor-group=dynamic-rbhn-iot-f1990f75 rrm=yes wnm=yes
/interface wifi datapath
add bridge=bridgeSwitch client-isolation=yes disabled=no name=datapath_guests vlan-id=111
add bridge=bridgeSwitch client-isolation=yes disabled=no name=datapath_iot vlan-id=112
add bridge=bridgeSwitch client-isolation=no disabled=no name=datapath_home vlan-id=110
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disable-pmkid=no disabled=no ft=yes ft-over-ds=yes management-protection=required name=security_home wps=disable
add authentication-types=wpa2-psk connect-priority=0/1 disable-pmkid=no disabled=no ft=yes ft-over-ds=yes management-protection=allowed name=security_guests wps=disable
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disable-pmkid=no disabled=no ft=yes ft-over-ds=yes management-protection=allowed name=security_iot wps=disable
/interface wifi configuration
add channel="channel_2G_40Ce_ch1(-1<>6)_f2412(2402-2442)" country=Czech datapath=datapath_home disabled=no mode=ap name="configWifi_2G_home_ch(-1<>6)" security=security_home ssid=rbhn
add channel="channel_2G_40eC_ch13(8<>14)_f2472(2442-2482)" country=Czech datapath=datapath_home disabled=no mode=ap name="configWifi_2G_home_ch(7<>14)" security=security_home ssid=rbhn
add channel="channel_5G_80_ch106(100<>112)_f5500(5490-5570)" country=Czech datapath=datapath_home disabled=no mode=ap name="configWifi_5G_home_ch(100<>112)" security=security_home ssid=rbhn
add channel="channel_5G_80_ch122(116<>128)_f5580(5570-5650)" country=Czech datapath=datapath_home disabled=no mode=ap name="configWifi_5G_home_ch(116<>128)" security=security_home ssid=rbhn
add channel="channel_5G_80_ch138(132<>144)_f5660(5650-5730)" country=Czech datapath=datapath_home disabled=no mode=ap name="configWifi_5G_home_ch(132<>144)" security=security_home ssid=rbhn
add datapath=datapath_guests disabled=no name="configWifi_2G_guests_ch(any)" security=security_guests ssid=rbhn-guests
add datapath=datapath_iot disabled=no name="configWifi_2G_iot_ch(any)" security=security_iot ssid=rbhn-iot
add datapath=datapath_guests disabled=no name="configWifi_5G_guests_ch(any)" security=security_guests ssid=rbhn-guests
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no identity-regexp=chr master-configuration="configWifi_2G_home_ch(-1<>6)" name-format=%I_wifi-2G slave-configurations="configWifi_2G_guests_ch(any),configWifi_2G_iot_ch(any)" supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=lvr|bdr master-configuration="configWifi_2G_home_ch(7<>14)" name-format=%I_wifi-2G slave-configurations="configWifi_2G_guests_ch(any),configWifi_2G_iot_ch(any)" supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=lvr master-configuration="configWifi_5G_home_ch(100<>112)" name-format=%I_wifi-5G slave-configurations="configWifi_5G_guests_ch(any)" supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=chr master-configuration="configWifi_5G_home_ch(116<>128)" name-format=%I_wifi-5G slave-configurations="configWifi_5G_guests_ch(any)" supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=bdr master-configuration="configWifi_5G_home_ch(132<>144)" name-format=%I_wifi-5G slave-configurations="configWifi_5G_guests_ch(any)" supported-bands=5ghz-ax
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412 name="channel_2G_40Ce_ch1(-1<>6)_f2412(2402-2442)" skip-dfs-channels=disabled width=20/40mhz-Ce
add band=2ghz-ax disabled=no frequency=2472 name="channel_2G_40eC_ch13(8<>14)_f2472(2442-2482)" skip-dfs-channels=disabled width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500 name="channel_5G_80_ch106(100<>112)_f5500(5490-5570)" skip-dfs-channels=disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5580 name="channel_5G_80_ch122(116<>128)_f5580(5570-5650)" skip-dfs-channels=disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5660 name="channel_5G_80_ch138(132<>144)_f5660(5650-5730)" skip-dfs-channels=disabled width=20/40/80mhz

Names of "neighbor-group" in "/interface wifi steering" I used according this otput:

interface/wifi/steering/neighbor-group> print
 0 name="dynamic-rbhn-5cba8134" bssids=...,...,... 
 1 name="dynamic-rbhn-guests-5cba8134"  bssids=...,...,... 
 2 name="dynamic-rbhn-iot-f1990f75"  bssids=...,...,...

Small history:
Before version 7.17, ROAMING was working for me ONLY when "wpa3-psk" was disabled (only "wpa2-psk" allowed).
I think that in 7.17, ROAMING started working fine, even with "wpa3-psk" enabled.

After upgrade from 7.17 to 7.18beta2, ROAMING stops working again. Disabling "wpa3-psk" as before did not help.
But after adding "connect-priority=0/1" to "/interface wifi security", it was fully working againg.
I added even new option "2g-probe-delay=yes" into "/interface wifi steering", and ROAMING was GREAT at 7.18beta2.

After upgrade from 7.18beta2 to 7.19beta, ROAMING is not working again:
Either devices try to roam, but are disconected and reconected, or even don't try at all, or few shows that roam to the same AP (probably did not roam at all).

It seems that there are no more clients with "AUTH-TYPE" "ft-wpa2-psk", only "wpa2-psk" and "wpa3-psk".
(check "/interface/wifi/registration-table> print" )

Downgraded only (separate dedicated) caps manager device (withouth AP) back to the "7.18.1 stable", AP's are still on 7.19beta2, and ROAMING works again. No config change.

LionB12 · Thu Mar 06, 2025 11:49 pm

This update did not go well, while everything works 100%, disk space is a major issue.
With wifi, I now have 0 KiB free, and hitting out of space errors in my logs.

ivicask · Fri Mar 07, 2025 9:27 am

Wifi is in total mess on 7.19 beta2 and devices loose connection.
My log is full of this when i roam around.
@Dnevna_5GHz reauthenticating
@Dnevna_5GHz associated, but was associated already
@Dnevna_5GHz reconnecting, signal strength -55
@Dnevna_5GHz disassociated, key handshake timeout, signal strength -55

And bunch of disconnects while using devices with this in log.
disconnected, not responding, signal strength -56

noradtux · Fri Mar 07, 2025 9:29 am

Quick test with CRS317 and Chateau 5g ax failed. Chateau seems to go into boot loop, crs317 was unreachable via ip and mac. Ipv6 worked, at least from some systems (sounds like that report with vlan interfaces and dhcp snooping). Rolled back both, probably wont have time to debug this weekend.

psztoch · Fri Mar 07, 2025 9:52 am

Problem with IPsec IKEv2 with multi identities (Remote ID type address and match by remote id) is still broken.

erlinden · Fri Mar 07, 2025 10:26 am

Wifi degraded for me as well, lots of:

disconnected, not responding, signal strength -57
disconnected, connection lost, signal strength -69

/interface wifi channel add disabled=no frequency=2412,2437,2462 name=CHAN-2G reselect-interval=4h..6h width=20mhz
/interface wifi channel add disabled=no frequency=5500,5260,5660 name=CHAN-5G-Beneden reselect-time=03:00:00 width=20/40/80mhz
/interface wifi channel add disabled=no frequency=5660,5260,5500 name=CHAN-5G-Boven reselect-time=03:15:00 width=20/40/80mhz
/interface wifi channel add disabled=no frequency=5580 name=CHAN-5G-Buiten reselect-time=03:30:00 width=20/40mhz
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disable-pmkid=yes disabled=no ft=yes ft
-over-ds=yes group-encryption=ccmp group-key-update=1h management-protection=allowed name=MYSSID-PSK passphrase=REDACTED
/interface wifi steering add 2g-probe-delay=yes disabled=no name=MYSSID-steering neighbor-group=MYSSID rrm=yes wnm=yes
/interface wifi configuration add channel=CHAN-2G country=Netherlands disabled=no mode=ap name=
MYSSID-CONF-2G security=MYSSID-PSK ssid=MYSSID steering=MYSSID-steering tx-power=9
/interface wifi configuration add channel=CHAN-5G-Boven country=Netherlands disabled=no mode=ap name=MYSSID-CONF-Boven-5G security=MYSSID-PSK ssid=MYSSID steering=MYSSID-steering
/interface wifi configuration add channel=CHAN-5G-Beneden country=Netherlands disabled=no mode=ap name=MYSSID-CONF-Beneden-5G security=MYSSID-PSK ssid=MYSSID steering=MYSSID-steering
/interface wifi configuration add channel=CHAN-5G-Buiten country=Netherlands disabled=no mode=ap name=MYSSID-CONF-Buiten-5G security=MYSSID-PSK ssid=MYSSID steering=MYSSID-steering tx-power=17
/interface wifi access-list add action=accept comment="REDACTED" disabled=no mac-address= REDACTED vlan-id=50
/interface wifi access-list add action=accept comment="REDACTED" disabled=no mac-address= REDACTED vlan-id=51
/interface wifi access-list add action=accept comment="Default to VLAN ID 53" disabled=no vlan-id=53
/interface wifi capsman set ca-certificate=auto enabled=yes interfaces=VLAN99 package-path=/packages require-peer-certificate=no
 upgrade-policy=none
/interface wifi provisioning add action=create-dynamic-enabled comment=AP-Beneden-5G disabled=no master-configuration=MYSSID-CONF-Beneden-5G name-format="%I - 5G" radio-mac= REDACTED
/interface wifi provisioning add action=create-dynamic-enabled comment=AP-Boven-5G disabled=no master-configuration=MYSSID-CONF-Boven-5G name-format="%I - 5G" radio-mac= REDACTED
/interface wifi provisioning add action=create-dynamic-enabled comment=AP-Buiten-5G disabled=no master-configuration=MYSSID-CONF-Buiten-5G name-format="%I - 5G" radio-mac= REDACTED
/interface wifi provisioning add action=create-dynamic-enabled disabled=no master-configuration=MYSSID-CONF-2G name-format="%I - 2G" supported-bands=2ghz-ax

Fri Mar 07, 2025 10:49 am

What's new in 7.19beta4 (2025-Mar-06 14:10):

*) bridge - fixed dhcp-snooping in QinQ setups (additional fixes);
*) console - added on-error to "for" and "foreach" loops;
*) console - added proplist to monitor command;
*) console - do not treat return values as errors in scripts run from scheduler;
*) console - enabled verbose error logging for non-scripted/non-verbose imports;
*) console - improve time value handling;
*) console - validate script arguments (do, on-error, etc.) and reject invalid values;
*) dhcpv4-server - "Relay-Agent-Information" (82) option moved at the end of option list in response packets;
*) file - added show-hidden parameter to /file/print, allowing referencing and deleting hidden files;
*) hotspot - improvements to memory usage;
*) lte - additional fixes for eSIM management support;
*) lte - AT modems, improved redialing when modem lost connectivity without notifying host about APN status change;
*) lte - initial support for user settable modem redial timer;
*) netinstall - fixed issue with launching the app (introduced in v7.19beta2);
*) netinstall - provide warning if memory on installed router is full after installation;
*) ospf - fixed "mismatch" typo in logs;
*) port - added support for Huawei E3372-325 variant (vendor-id="0x3566" device-id="0x2001");
*) port - added USB mode switch support for "huawei-alt-mode";
*) port - improvements to KNOT BG77 modem port channel handling;
*) rose-storage - show btrfs balance and scrub errors if any;
*) torch - improved data reporting;
*) wifi - display error when trying to run snooper on interface which does not support wireless packet capture (sniffer);
*) wifi - fix possible snooper crash when parsing frames with malformed headers;
*) wifi - implement WPA2 PSK authentication with key derivation using SHA256 (CLI only);
*) wifi - improve parsing of captured frames which have nested flags in radiotap header;
*) wifi-qcom - fix OWE authentication for 802.11ac interfaces in station mode;
*) winbox - added comment under "User Manager/Routers" menu;
*) winbox - added netmask support for switch rule Src/Dst IPv6 Address settings;
*) winbox - fixed "Multi Passphrase Group" setting for wifi;
*) x86 - i40e updated driver to 2.27.8 version;

pe1chl · Fri Mar 07, 2025 10:58 am

*) rose-storage - show btrfs balance and scrub errors if any;

Well, in the 7.18 topic we discussed a little about whether they would use the "btrfs balance" or the "block-level mdraid" function for the RAID setups, and now we know: it is "balance".
May the force be with them (and the users of the storage server)... having operated btrfs with unreliable drives, I know how it is. And that is with a generic Linux machine that I can boot from USB to run shell commands on the unmounted devices.
With everything going through the RouterOS user interface layers, and no way to boot an alternate OS, it will probably be impossible to fix any problems.

itimo01 · Fri Mar 07, 2025 11:47 am

*) wifi-qcom - fix OWE authentication for 802.11ac interfaces in station mode;

Without testing: shouldn't this be "wifi-qcom-ac"?

pekr · Fri Mar 07, 2025 11:48 am

Wifi is in total mess on 7.19 beta2 and devices loose connection.
My log is full of this when i roam around.
@Dnevna_5GHz reauthenticating
@Dnevna_5GHz associated, but was associated already
@Dnevna_5GHz reconnecting, signal strength -55
@Dnevna_5GHz disassociated, key handshake timeout, signal strength -55

And bunch of disconnects while using devices with this in log.
disconnected, not responding, signal strength -56

I can confirm. We have 2x hAP ax2 connected in a repeater mode. Disconnects happen only with my daughters iPhone 14, on 5GHz radio. It flaps so fast, that I can barely make a screenshot of which device is constantly reconnecting. I am not sure it is even reflected in a log.

The iPhone is connected to the child rooms 2.4 GHz radio, which uses only WPA2, due to the presence of an old printer, whereas 5GHz radio is flapping. Updated to the beta4 here and will look into it again.

ToTheFull · Fri Mar 07, 2025 11:51 am

Wifi degraded for me as well, lots of:

disconnected, not responding, signal strength -57
disconnected, connection lost, signal strength -69

/interface wifi channel add disabled=no frequency=2412,2437,2462 name=CHAN-2G reselect-interval=4h..6h width=20mhz
/interface wifi channel add disabled=no frequency=5500,5260,5660 name=CHAN-5G-Beneden reselect-time=03:00:00 width=20/40/80mhz
/interface wifi channel add disabled=no frequency=5660,5260,5500 name=CHAN-5G-Boven reselect-time=03:15:00 width=20/40/80mhz
/interface wifi channel add disabled=no frequency=5580 name=CHAN-5G-Buiten reselect-time=03:30:00 width=20/40mhz
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disable-pmkid=yes disabled=no ft=yes ft
-over-ds=yes group-encryption=ccmp group-key-update=1h management-protection=allowed name=MYSSID-PSK passphrase=REDACTED
/interface wifi steering add 2g-probe-delay=yes disabled=no name=MYSSID-steering neighbor-group=MYSSID rrm=yes wnm=yes
/interface wifi configuration add channel=CHAN-2G country=Netherlands disabled=no mode=ap name=
MYSSID-CONF-2G security=MYSSID-PSK ssid=MYSSID steering=MYSSID-steering tx-power=9
/interface wifi configuration add channel=CHAN-5G-Boven country=Netherlands disabled=no mode=ap name=MYSSID-CONF-Boven-5G security=MYSSID-PSK ssid=MYSSID steering=MYSSID-steering
/interface wifi configuration add channel=CHAN-5G-Beneden country=Netherlands disabled=no mode=ap name=MYSSID-CONF-Beneden-5G security=MYSSID-PSK ssid=MYSSID steering=MYSSID-steering
/interface wifi configuration add channel=CHAN-5G-Buiten country=Netherlands disabled=no mode=ap name=MYSSID-CONF-Buiten-5G security=MYSSID-PSK ssid=MYSSID steering=MYSSID-steering tx-power=17
/interface wifi access-list add action=accept comment="REDACTED" disabled=no mac-address= REDACTED vlan-id=50
/interface wifi access-list add action=accept comment="REDACTED" disabled=no mac-address= REDACTED vlan-id=51
/interface wifi access-list add action=accept comment="Default to VLAN ID 53" disabled=no vlan-id=53
/interface wifi capsman set ca-certificate=auto enabled=yes interfaces=VLAN99 package-path=/packages require-peer-certificate=no
 upgrade-policy=none
/interface wifi provisioning add action=create-dynamic-enabled comment=AP-Beneden-5G disabled=no master-configuration=MYSSID-CONF-Beneden-5G name-format="%I - 5G" radio-mac= REDACTED
/interface wifi provisioning add action=create-dynamic-enabled comment=AP-Boven-5G disabled=no master-configuration=MYSSID-CONF-Boven-5G name-format="%I - 5G" radio-mac= REDACTED
/interface wifi provisioning add action=create-dynamic-enabled comment=AP-Buiten-5G disabled=no master-configuration=MYSSID-CONF-Buiten-5G name-format="%I - 5G" radio-mac= REDACTED
/interface wifi provisioning add action=create-dynamic-enabled disabled=no master-configuration=MYSSID-CONF-2G name-format="%I - 2G" supported-bands=2ghz-ax

Wifi is in total mess on 7.19 beta2 and devices loose connection.
My log is full of this when i roam around.
@Dnevna_5GHz reauthenticating
@Dnevna_5GHz associated, but was associated already
@Dnevna_5GHz reconnecting, signal strength -55
@Dnevna_5GHz disassociated, key handshake timeout, signal strength -55

And bunch of disconnects while using devices with this in log.
disconnected, not responding, signal strength -56

i've just rolled back this morning due to devices dropping switching more than needed etc...

BrateloSlava · Fri Mar 07, 2025 12:18 pm

Upgrading to version 7.19 beta4 did not fix the problem. Roaming still does not work. Switching back to the stable version fixes the problem.

rextended · Fri Mar 07, 2025 1:16 pm

*) console - added on-error to "for" and "foreach" loops;
*) console - do not treat return values as errors in scripts run from scheduler;

trmns · Fri Mar 07, 2025 1:40 pm

Upgrading to this version completely breaks routing on my RB5009 from my LAN's side. Every packet towards the router seems to get dropped, thus I can't access the config with winbox anymore. Interestingly enough the device still connects to the internet, and replies to ping from WAN. Also using wireguard from an external network allows me to connect to the device and route traffic through it. I can also access the config from the external device. the wg0 interface isn't part of the bridge. So I am assuming this problem is somehow bridge related? But honestly, I don't know where to start debugging this.

7.19beta4 fixes this. Sadly there is still no fix for the scheduling issues with the CPU on pppoe connections, I have to keep my RB5009 locked on 1400 MHz, instead of 'auto', because it will otherwise drop packets and not reach its full speed when sending at 1 gbit :(

rzirzi · Fri Mar 07, 2025 2:03 pm

Thank You MikroTik team form new experience with RouterOS with 7.19beta4 version! :)
I have bricked (ROS 7.19beta4 bricked) my home RB493G RouterBoard!!!
I had to netinstall and back to stable ROS 7.17.2, because RB was booting.....booting.....booting... loop...

Fri Mar 07, 2025 2:27 pm

Why apply a beta version on your main router ?
If you can not afford the downtime, don't use beta/rc versions.

rextended · Fri Mar 07, 2025 2:30 pm

I don't understand the blame,
the software is beta,
if you didn't want risk to brick the device, why did you put it in?

fragtion · Fri Mar 07, 2025 2:37 pm

@holvoetn, @rextended This forum is PRECISELY for feedback about this latest build. If it's causing boards to brick, I WANT TO KNOW ABOUT IT. Regardless of whether it's beta or not.
Devs should want to know about it too, so that they can figure out what bricked his board so that it won't happen on STABLE builds as well, don't you think? Yeah, I thought so.

Yes, it's a Beta build, so go ahead and "state the obvious" disclaimer if you feel the need, but stop bullying people who face dire consequences of buggy builds. It's not their fault Mikrotik released a buggy build, is it? After all, it's released to public, so someone's gotta test it and report when things don't go as planned. There's really no need to shoot them down or make them feel stupid for it

I'll even go a step further to say that if there is ANY "bug" that should be pointed out in a thread like this and be treated with absolute HIGHEST PRIORITY, it's ones which render your routerboard unbootable after applying the update. Such bugs are the most disruptive and difficult to deal with, especially for anyone managing equipment remotely, and should therefore be backed by the most noise possible

infabo · Fri Mar 07, 2025 2:55 pm

Thank You MikroTik team form new experience with RouterOS with 7.19beta4 version! :)
I have bricked (ROS 7.19beta4 bricked) my home RB493G RouterBoard!!!
I had to netinstall and back to stable ROS 7.17.2, because RB was booting.....booting.....booting... loop...

Which ROS version did you upgrade from?

Fri Mar 07, 2025 3:01 pm

@fragtion:
Please try yo understand: beta testing is beta testing.
Do it on a spare device/test lab etc or agree problems with your main device or Internet connection.

rzirzi · Fri Mar 07, 2025 3:03 pm

Which ROS version did you upgrade from?

I was ipgrading from ROS 7.17.2.
@holvoetn and @rextended who told that it is my main router?, it's just home router as I wrote!

infabo · Fri Mar 07, 2025 3:04 pm

To a certain extent, even the "stable channel" can be considered a form of testing. So, BartoszP, your advice should not be limited to the beta version.

fragtion · Fri Mar 07, 2025 3:04 pm

@fragtion:
Please try yo understand: beta testing is beta testing.
Do it on a spare device/test lab etc or agree problems with your main device or Internet connection.

@BartoszP: I run beta version on my main home router religiously. I do this by choice, well aware of the risks. I know that if it fails, I can just netinstall. But if it causes my device to brick, should I rather not report it here? Is that what you are suggesting?

I concede that it's a bit stupid to roll out a beta in any kind of remote or commercial setup, but I also maintain that the forum should be more tolerant of people who report bricked devices as a result of a latest built, otherwise that bug (assuming it is not caused by an issue with their own hardware) may find its way into a stable build, which won't be nice for the rest of us and will shatter some taken-for-granted assumptions that "stable" really is stable after all

Fri Mar 07, 2025 3:09 pm

Have I written to "not report"? No, just commented beta testing.
You wrote

I have bricked (ROS 7.19beta4 bricked) my home RB493G RouterBoard!!!

what sounds like "what happend to my beloved and main router ...."

BTW. I've changed my test RB433 to RB433AH and have strange effects with BGP so I'm still testing 7.19b4 on it. Not bricked yet

rextended · Fri Mar 07, 2025 3:51 pm

it's released to public, so someone's gotta test it and report when things don't go as planned

I would really like to know what quality control they do, since it takes very little to block an updated routerboard.

Do they expect the user to just do netintall to update them???

LionB12 · Fri Mar 07, 2025 4:02 pm

I have the CCR2116-12G-4S+ , 7.19beta4 Testing drops my 2Gbps ISP connection to 0.30Mbps. This beta is a bit broken, normally the previous betas have all been fine on my devices, like the RB5009 I often run the betas, this time. I am sticking to stable for a bit.

Cha0s · Fri Mar 07, 2025 6:35 pm

Did a netinstall on a brand new RB5009, manually reconfigured everything the same as the RB4011 (did not restore a backup) and after putting it to work, same behavior. 70% CPU usage over all 4 cores, eaten by "routing" process.

The setup is 8 BGP peers with BFD enabled, over 8 Wireguard tunnels.
I isolated the issue to BFD. When enabled it causes high CPU usage.
I experience the issue on multiple routers and I set up a new router with empty configuration with just BGP + BFD and the issue still occurs.

I reported the bug on ticket #SUP-181114

MikroTik support confirmed this as a bug and that it will be fixed in the next beta release.

pe1chl · Fri Mar 07, 2025 7:06 pm

Ok that is great! Is there further indication that they are working on fixing the BGP problems?

rzirzi · Fri Mar 07, 2025 9:12 pm

Thank You MikroTik team form new experience with RouterOS with 7.19beta4 version! :)
I have bricked (ROS 7.19beta4 bricked) my home RB493G RouterBoard!!!
I had to netinstall and back to stable ROS 7.17.2, because RB was booting.....booting.....booting... loop...

I tried a second time and the same thing happened. I am upgrading from ROS 7.17.2 to 7.19beta4. After that RB493 does not load ROS.

leonardogyn · Fri Mar 07, 2025 10:31 pm

This exist on 7.18.1 so, probably, also exist on 7.19beta
BUG:
Removing not default queue type used on queue simple or queue tree before removing/changing the existant queue cause permalock.

How to replicate:
Code: Select all
/queue type
add kind=cake name=queue1
/queue simple
add name=queue1 target="" total-queue=queue1
/queue tree
add name=queue1 parent=global queue=queue1
/queue type
remove [find where default=no]

.
Tried on v7.19beta4 on a RB750Gr3 and it was instant lock and stuck to some kind of bootloop that never recovers itself. So absolutely confirmed on the scenario I tested (7.19b4 and RB750Gr3). The commands above, on the exact sequence above, completely killed the router here.

osc86 · Fri Mar 07, 2025 11:07 pm

confirmed, also happens in virtual environment (GNS3).

sirbryan · Fri Mar 07, 2025 11:17 pm

*) rose-storage - show btrfs balance and scrub errors if any;
Well, in the 7.18 topic we discussed a little about whether they would use the "btrfs balance" or the "block-level mdraid" function for the RAID setups, and now we know: it is "balance".

You can do either one. mdraid is also available, and is the way I tested things for the first year or so of ROSE being a thing.

teslasystems · Fri Mar 07, 2025 11:18 pm

What's new in 7.19beta4 (2025-Mar-06 14:10):

*) console - added on-error to "for" and "foreach" loops;

Will "break" functionality ever be added for loops? (Don't tell me about workarounds)

Sat Mar 08, 2025 10:04 am

We have discovered that CAKE type queue can crash router in v7.18 and v7.19 – we are working on a fix for that. However, it is not as simple as - add queue and router crashes. Seems that a set of events or precise timing is required for the problem to appear. And yes - when your router fits the "match" then this happens right away. For others - CAKE queues works just fine. We will fix this ASAP and release new versions.

Routers are devices which does thousands of things in milliseconds, maybe even millions - sometimes issues appear to be "so obvious". However, this usually happens just because on your router there is a "perfect match" for the issue to appear, which can not be simply "guessed" before the release. Yes, this happens in RouterOS and also in other software - in such complex systems it is not possible to predict combinations of so many configurations/events/network packets/timing/etc. We are very sorry for any inconvenience caused, however, almost never the issue is as simple as - copy these commands on a blank router and it will crash. Yes, rarely that is true, but in most cases - under the hood, requirements for an issue to appear are not as simple as they might seem from the outside. This time it is true - commands mentioned above will cause the router to crash - from now on that will be tested on every release.

rextended · Sat Mar 08, 2025 10:14 am

Thanks for the explanation, in this case you have my total understanding.

A suggestion for the future:
If it were possible to introduce automatic measures to prevent permalocks,
such as preventing deleting or disabling a bridge if there are still (active) ports connected.
It always makes me think of user X who when he buys the router as the first thing, perhaps accidentally,
deactivates the default bridge and is left without the possibility of doing anything else with the device, except using netinstall...

And also avoid to delete a queue type if it is already used somewhere by some active queue,
avoid to activate something that inside have someting deleted,
and so on...

Sat Mar 08, 2025 10:25 am

For such purposes, you should use "Safe Mode". Very much suggested, especially for new users.
https://help.mikrotik.com/docs/spaces/R ... t-SafeMode

rextended · Sat Mar 08, 2025 10:34 am

I don't want to bother you in this thread,
but wouldn't it be better to find the safe-mode active by default (maybe it can be disabled with an option when launching winbox)
and ask for confirmation of the changes when exiting winbox?
(at most from the browser if you forget to confirm or the operating system crashes, you lose the things done, but you don't risk blocking the device)

Honestly, mistakes happen to everyone.
Even if I don't need it, since I've been working there since 2007 and I've learned "a little bit"...,
I only think about new users and the difficulties they might have...

pe1chl · Sat Mar 08, 2025 11:29 am

What's new in 7.19beta4 (2025-Mar-06 14:10):

*) console - added on-error to "for" and "foreach" loops;
Will "break" functionality ever be added for loops? (Don't tell me about workarounds)

Or a way to exit from a script midway? ("exit" command with ok/error parameter)

pe1chl · Sat Mar 08, 2025 11:33 am

For such purposes, you should use "Safe Mode". Very much suggested, especially for new users.
https://help.mikrotik.com/docs/spaces/R ... t-SafeMode

That would only work for mistakes that make the router unreachable (like deleting the bridge that you use to connect to the router), but not for RouterOS errors that make the router crash and bootloop (like deleting a queue type that is in use), right?
Or is "Safe Mode" implemented in such a way that the changes are rolled back even when the router crashes?
(I thought it simply did an "undo" of recent changes when the admin's connection gets closed, and would work only when the router is still alive by that time but merely unreachable)

pe1chl · Sat Mar 08, 2025 11:43 am

We have discovered that CAKE type queue can crash router in v7.18 and v7.19 – we are working on a fix for that. However, it is not as simple as - add queue and router crashes. Seems that a set of events or precise timing is required for the problem to appear. And yes - when your router fits the "match" then this happens right away. For others - CAKE queues works just fine. We will fix this ASAP and release new versions.

When working on CAKE, please also add a way to show the status of the queue, the output of "tc -s qdisc show dev xxxx".
As of now, we cannot see at all what the queue is doing.
(this would help for some other queue types as well... only with "queue tree" you get insight in the traffic handling)

ela002 · Sat Mar 08, 2025 2:14 pm

will measures be taken to increase free space on 16mb devices? hardly enough space to save a backup!
You are not supposed to save your backup in flash memory! That normally is useless anyway.
Make your backup in the RAMdisk (i.e. in the root directory on those 16MB devices), and then download it to your computer.

The actual problem isn't about the backup but what we are going to do with 16mb devices in the future. Is is the end for these devices? Is mikrotik going to find a way to update without problems in the future? Should we replace all these devices with more space?

Amm0 · Sat Mar 08, 2025 4:30 pm

Mikrotik seems to want to keep making them with 16MB. I just saw in specs for their upcoming 5G products, a new LMP 5G that show "16MB Flash". So while perhaps RouterOS without wifi fit okay, if you add something like zerotier, which is handy with LTE, you'd also be close to 16MB today.

IMO 16MB flash is a risk since it's so close, that even stuff #bad blocks comes into play.
Now so far Mikrotik has made RouterOS work on 16MB, but it's just way too close for comfort.

pe1chl · Sat Mar 08, 2025 4:58 pm

Indeed... while that LMP 5G is exactly what I am looking for at one of our locations, and it would be used with an RB5009 as a router so no need for additional packages, I really don't like the idea of having a device with so little flash space.
Not only is there a risk of routeros not fitting anymore in the future, the existance of such devices also hinders the development.
Time is wasted on keeping things as small as possible, good solutions to provide features (like a better DNS resolver) are probably held back by the space requirements too. Which means on our RB5009 and CCR routers we cannot have a good DNS resolver like unbound, just because these 16MB devices exist.

teslasystems · Sat Mar 08, 2025 7:41 pm

Will "break" functionality ever be added for loops? (Don't tell me about workarounds)
Or a way to exit from a script midway? ("exit" command with ok/error parameter)

It's not related to loops and there is an :error command already for that.

infabo · Sat Mar 08, 2025 9:01 pm

MikroTik could keep the existing DNS as it is but offer an extra DNS package that, when installed, replaces the built-in DNS service.

For example, OpenWrt provides lightweight versions of services with limited functionality and size, but if you have enough space, you can install the full version. MikroTik could take a similar approach. Managing with just 16MB of flash storage requires some creativity; otherwise, these platforms may not last much longer.

ips · Sun Mar 09, 2025 11:15 am

Developing two versions requires efforts that cost, too. And that only for keeping the flash small...

infabo · Sun Mar 09, 2025 4:05 pm

Everything here requires either time or money, not just keeping the flash size small. Please take a look at the changelog and see where the effort goes in recent versions.

pe1chl · Sun Mar 09, 2025 6:05 pm

It's not related to loops and there is an :error command already for that.

:error can only exit with error. what would be useful is an exit that exits without error.
(especially now that every script that exits with an error triggers a log message)

rzirzi · Sun Mar 09, 2025 6:09 pm

Thank You MikroTik team form new experience with RouterOS with 7.19beta4 version! :)
I have bricked (ROS 7.19beta4 bricked) my home RB493G RouterBoard!!!
I had to netinstall and back to stable ROS 7.17.2, because RB was booting.....booting.....booting... loop...
I tried a second time and the same thing happened. I am upgrading from ROS 7.17.2 to 7.19beta4. After that RB493 does not load ROS.

I tried a third time... First i upgraded ROS to 7.18.1 - this bricked RB493G too! I had to use Netinstall and revert to 7.17.2

pe1chl · Sun Mar 09, 2025 6:10 pm

Everything here requires either time or money, not just keeping the flash size small. Please take a look at the changelog and see where the effort goes in recent versions.

The problem is that working on new features and fixing bugs in existing features inevitably leads to code expansion and people complaining that their device got inoperative as a result of an update... and that all takes time to handle.
When all devices still had the 128MB flash that the typical MikroTik device had in 2011, we would have been spared a lot of grief.
And now that we know that, new devices with 16MB should simply not be released, or at least they should be boycotted.

Paternot · Sun Mar 09, 2025 6:44 pm

And now that we know that, new devices with 16MB should simply not be released, or at least they should be boycotted.

That one I'm already doing. Anything less than 64MB is a no sale for me.

infabo · Sun Mar 09, 2025 7:33 pm

I would not expect fixing bugs in an existing feature to result in a massive code expansion. If that is the case, I would submit the code for a review.

I agree with the statement regarding features. However, why do certain features have to be packed into the base package instead of an extra package? There are already several very small extra packages, despite the frequent emphasis on package overhead.

For example, ups (45kb), lora (8kb), gps (24kb), calea (20kb), and others that are only a few hundred KB in size. It is often said that creating a separate package is not worthwhile, yet these packages already exist.

Additionally, I do not understand why smb has to be an integrated service. It could be migrated to an extra package, similar to how wireless was handled in 7.13, allowing users to uninstall it if they do not need it.

merkkg · Sun Mar 09, 2025 7:41 pm

I would not expect fixing bugs in an existing feature to result in a massive code expansion. If that is the case, I would submit the code for a review.

I agree with the statement regarding features. However, why do certain features have to be packed into the base package instead of an extra package? There are already several very small extra packages, despite the frequent emphasis on package overhead.

Maybe this is their plan, which is what they made the packaging system list whats available, once thats mainstream they can break up alot of code into smaller packages and easier for people to find compared to previous method

infabo · Sun Mar 09, 2025 8:05 pm

That is both my hope and my assumption.

ips · Mon Mar 10, 2025 2:23 am

Still the savings ensured by using small chips are likely less than the increased sw development and user assistance costs.

oquiroz · Mon Mar 10, 2025 7:16 am

Can someone explain what does this mean?

*) dhcpv4-server - "Relay-Agent-Information" (82) option moved at the end of option list in response packets;

mkx · Mon Mar 10, 2025 8:29 am

Can someone explain what does this mean?

*) dhcpv4-server - "Relay-Agent-Information" (82) option moved at the end of option list in response packets;

It's about structure of DHCP server's response packet ... some DHCP clients are sensitive regarding order in which different DHCP options are included in the packet (in theory order should not matter).

heywood · Mon Mar 10, 2025 9:07 am

Installed v7.19beta4 (on RB951G-2HnD) and now DHCP Client is broken—it fails to get an IP address from the cable modem (/ip dhcp-client print just shows "Searching..."). Plugging laptop directly into cable modem gets an address just fine, so that isn't the issue.

Worse, I cannot downgrade. Followed instructions at https://help.mikrotik.com/docs/spaces/R ... g+RouterOS to try several old versions (7.14.3, 7.16, 7.18, all MIPSBE) but the version remains at 7.19beta4.

I would be grateful for any suggestions.

mkx · Mon Mar 10, 2025 9:13 am

Worse, I cannot downgrade.

If you upgraded to 7.19beta from 7.17.x or older, then you may have to properly set-up device mode prior to downgrading https://help.mikrotik.com/docs/spaces/R ... evice-mode

pe1chl · Mon Mar 10, 2025 10:19 am

Also, when you are so lucky to have a device like the RB951G-2HnD (low-end router from the good old days when you still got 128MB flash) you should have partitioned it before installing a beta!

heywood · Mon Mar 10, 2025 10:30 am

Also, when you are so lucky to have a device like the RB951G-2HnD (low-end router from the good old days when you still got 128MB flash) you should have partitioned it before installing a beta!

I had no idea I'd have to do this (and don't know how, though I could probably figure it out from reading the MTK help pages). For what it's worth, I have a dozen routeros .npk packages on my laptop, going back to the 6.x series, and the file size of the latest beta is no larger than any of the previous ones. Also, I have been happily upgrading in place for years without any issues at all until this issue cropped up.

heywood · Mon Mar 10, 2025 10:34 am

Worse, I cannot downgrade.
If you upgraded to 7.19beta from 7.17.x or older, then you may have to properly set-up device mode prior to downgrading https://help.mikrotik.com/docs/spaces/R ... evice-mode

Thanks for the pointer. I read the manual section on device mode and have now tried advanced, home, and even basic—no luck with any of them, and 7.19beta4 stubbornly remains installed.

For what it's worth, I checked that "flagged: no" is shown each time, and I even tried manually setting install-any-version="yes". But after uploading the older routeros .npk into Files and running /system/packages/downgrade, and rebooting, the version does not change.

Sorry to be obtuse, but is there something obviously wrong with what I'm doing? Any chance you could point me toward a step-by-step downgrade process?

Thanks very much in advance,
/H

mkx · Mon Mar 10, 2025 10:42 am

But after uploading the older routeros .npk into Files and running /system/packages/downgrade, and rebooting, the version does not change.

Does anything with regard to this appear in /log ? One thing to worry: if you're downgrading, you have to upload .npk files for all packages installed ... for RB951 I'd expect routeros and wireless packages to be installed.

heywood · Mon Mar 10, 2025 11:35 am

But after uploading the older routeros .npk into Files and running /system/packages/downgrade, and rebooting, the version does not change.

Does anything with regard to this appear in /log ? One thing to worry: if you're downgrading, you have to upload .npk files for all packages installed ... for RB951 I'd expect routeros and wireless packages to be installed.

Success! ... mostly. I managed to downgrade to 7.14.3(stable) by putting the exactly corresponding RouterOS and Wireless packages, and nothing else, in Files, then setting device-mode to advanced, and finally doing system/package/downgrade and rebooting. The router now grabs a WAN-side address from the cable modem via DHCP, as before, so I have wireless connectivity again.

The only thing that's not working is Quick Set > System > Check For Updates... that check results in "ERROR: could not resolve dns name." I recall seeing this before, but I can't remember how I fixed it. Not a big deal, since I can check for updates manually for now.

However, I now have a mismatch in System/RouterBOARD: current firmware = 7.19beta4, upgrade firmware = 7.14.3 (... it's like 7.19beta4 is a zombie that just won't go away). Any idea how to revert the firmware?

grusu · Mon Mar 10, 2025 11:37 am

system/routerboard/upgrade
system/reboot

MrYan · Mon Mar 10, 2025 12:03 pm

*) dhcpv6-client - allow selecting to which routing tables add default route;

Great, step 2 after this new feature was already changed in 7.18(beta, rc) for the dhcp-v4-client !!
The last step will be to implement this in the PPPoE-Client as well :-)
Maybe in a 7.19beta3?? :-D
pppoe-client and l2tp-client please. It's very helpful when a router have multiple ppp.

Does connect-to=<l2tp-server>@vrf do what you want for L2TP?

heywood · Mon Mar 10, 2025 12:54 pm

system/routerboard/upgrade
system/reboot

I thought I'd tried exactly this before, with no success... but it worked perfectly this time. Thanks!

azerty · Tue Mar 11, 2025 12:13 am

pppoe-client and l2tp-client please. It's very helpful when a router have multiple ppp.
Does connect-to=<l2tp-server>@vrf do what you want for L2TP?

No, it's not the same like pushing a route in multiple table.

noradtux · Tue Mar 11, 2025 4:34 pm

Updated Chateau 5G AX and CRS317 to beta4. Encountered some interface flapping on CRS317 which I could "solve" by pulling and replugging the corresponding SFP+. Didn't have time to further investigate yet.

lurker888 · Wed Mar 12, 2025 4:00 pm

I'm happy to confirm that the DHCP snooping issue is fixed in beta4. (At least for me.)

Setting the DHCP client "routing table" parameter to "default" from Winbox (v3) and Webfig still doesn't work correctly. (In fact, the default is "main", and trying to set it to "default" sets it to "main." From CLI it works correctly.)

Ozzone · Wed Mar 12, 2025 7:40 pm

Problem with IPsec IKEv2 with multi identities (Remote ID type address and match by remote id) is still broken.

Confirm.
Only first identity works.

pe1chl · Wed Mar 12, 2025 9:01 pm

When was that introduced?

buset1974 · Thu Mar 13, 2025 9:00 am

Any reason why MT still hide vpn6 from winbox.
They should tell us reason and the limitation because there is 7.18.x announce as stable version

Thx

Thu Mar 13, 2025 10:00 am

What's new in 7.19beta5 (2025-Mar-12 12:42):

*) certificate - added built-in root certificate authorities store (additional fixes);
*) console - fixed issue with file-name completion (introduced in v7.18);
*) container - fixed repository name handling to prevent redirect issues when basic authentication is used;
*) dhcpv4-client/server - added support for DHCPv4 reconfigure messages;
*) dhcpv6-server - change static binding bound status to waiting on server disable;
*) dhcpv6-server - improved stability when disabled server have static bindings;
*) firewall - fixed IP/Settings "ipv4-fasttrack-active" status showing as inactive when it is active;
*) queue - fixed system failure when CAKE kind queue was configured but queue type definition does not exist anymore (introduced in v7.18);
*) wifi - fixed incorrect attribution of 802.11be capability to 802.11ax APs in output of scan command (introduced in v7.19beta2);
*) wifi - fixed sending of reassociation response frames (introduced in v7.19beta2);
*) wifi - improved stability for wifi interfaces;

pe1chl · Thu Mar 13, 2025 10:29 am

*) queue - fixed system failure when CAKE kind queue was configured but queue type definition does not exist anymore (introduced in v7.18);

Was the instability of CAKE that you previously mentioned really limited to having an interface with a CAKE queue and then deleting the queue type?
In the mention it seemed to be more complicated than that. Was it reduced to only this?
(i.e. can I go back to using CAKE in 7.18.1 without worry when I do not delete the type)

fischerdouglas · Thu Mar 13, 2025 10:47 am

What's new in 7.19beta5 (2025-Mar-12 12:42):

I upgraded to it on 3 devices (2 mipsbe, 1 arm) and everything looks good until now

*) queue - fixed system failure when CAKE kind queue was configured but queue type definition does not exist anymore (introduced in v7.18);

I tested in one of those devices, apparently it did not happened.

rzirzi · Thu Mar 13, 2025 11:04 am

I have upgraded my RB493G from ROS 7.17.2 to 7.19beta5 and now it works! But nothing about changes about RB booting.... Previous beta4 was problematic, but now it is working!!! :)

itimo01 · Thu Mar 13, 2025 1:24 pm

Well well well it seems that now even i do have wifi issues :D
This didn't happen before 7.19beta2 and i think i will switch to my other partition (7.18beta2) later to check:
Screenshot 2025-03-03 135122.png

Anyone with similar issues on 7.19beta2?

EDIT: I just update the other partition to 7.18.1 and copied the config will check now.
EDIT: EDIT: I just noticed that the echo dot i have here now doesnt disconnect every 30 seconds.
I thought that had been an issue the whole time. I guess not :/

EDIT:EDIT:EDIT:
I just tested 7.18.1 against 7.19beta2 and on the beta roaming is completely broken for me.
It didnt work A SINGLE time without disconnecting my client (aka my phone).
I opened a ticket for this SUP-180964

P.s.: 7.19beta5 fixes this issue.

But i did have my interfaces disappear after update+reboot+10 min dfs wait and had to reboot again and reprovision the radios. (Im using capsman)

rbilka · Thu Mar 13, 2025 3:40 pm

What's new in 7.19beta5 (2025-Mar-12 12:42):

...
*) wifi - fixed sending of reassociation response frames (introduced in v7.19beta2);
...

Roaming WORKS fine in 7.19beta5 , thanks.

Sit75 · Thu Mar 13, 2025 4:07 pm

I can confirm it too. It is MUCH, MUCH BETTER now. The repeating reconnection is gone.

And those helped too:

steering.2g-probe-delay=yes
.connect-priority=0/1

What's new in 7.19beta5 (2025-Mar-12 12:42):

...
*) wifi - fixed sending of reassociation response frames (introduced in v7.19beta2);
...
Roaming WORKS fine in 7.19beta5 , thanks.

Sit75 · Thu Mar 13, 2025 6:08 pm

But what I am worry about 7.19Beta 5 is the HDD space. It's starting to get critical again. 96 KiB is not that much, especially for overwriting operational data. Flash storage will be weared off quite quickly.

pe1chl · Thu Mar 13, 2025 7:14 pm

Yes, when you have a hAP ac2 it is better to do a netinstall and also to give up on wifi-qcom-ac.
That simply will not last. Go back to "wireless" and when you want new drivers buy a hAP ax2 or ax3.

fischerdouglas · Thu Mar 13, 2025 7:44 pm

What's new in 7.19beta5 (2025-Mar-12 12:42):
*) wifi - fixed sending of reassociation response frames (introduced in v7.19beta2);

Roaming WORKS fine in 7.19beta5 , thanks.

I can confirm it too. It is MUCH, MUCH BETTER now. The repeating reconnection is gone.

And those helped too:

steering.2g-probe-delay=yes
.connect-priority=0/1

Sorry for the silly question... I hardly use Wi-Fi on Mikrotik.
When you're talking about "reassociation", "Roaming", and "reconnection"...
Are you talking about:

802.11r-2008
802.11k-2008
802.11v-2011
802.11-2012

?

itimo01 · Thu Mar 13, 2025 8:11 pm

What's new in 7.19beta5 (2025-Mar-12 12:42):
*) wifi - fixed sending of reassociation response frames (introduced in v7.19beta2);

Roaming WORKS fine in 7.19beta5 , thanks.

I can confirm it too. It is MUCH, MUCH BETTER now. The repeating reconnection is gone.

And those helped too:

steering.2g-probe-delay=yes
.connect-priority=0/1
Sorry for the silly question... I hardly use Wi-Fi on Mikrotik.
When you're talking about "reassociation", "Roaming", and "reconnection"...
Are you talking about:

802.11r-2008

802.11k-2008

802.11v-2011

802.11-2012

?

Dont know what the 2012 standard covers but otherwise yes.

fischerdouglas · Thu Mar 13, 2025 8:26 pm

Dont know what the 2012 standard covers but otherwise yes.

Woooow!
Seeking for compliance with standards that are almost 15 years old?
That's a little scary, but also a little exciting.

I've noticed some major changes in Bridge stuff lately, probably to better adapt to VXLAN and EVPN.
Now these moves are related to Wi-Fi.

Looks like they're cleaning up the backlog over there, huh?
That's good, right?

Hey MikroTik guys, how about you talk publicly a little about what's on the Roadmap?

mikrotikedoff · Thu Mar 13, 2025 10:14 pm

Mikrotik Road Map:

1. Make road map
2.
3. Profit

(:

Sit75 · Thu Mar 13, 2025 10:44 pm

This is Mikrotik fault, and they know it. They can easily split wifi-qcom-ac package for IPQ4019 only, but they are not willing to do. It's in vain, it's in vain, it's in vain.

Yes, when you have a hAP ac2 it is better to do a netinstall and also to give up on wifi-qcom-ac.
That simply will not last. Go back to "wireless" and when you want new drivers buy a hAP ax2 or ax3.

infabo · Thu Mar 13, 2025 10:45 pm

Dont know what the 2012 standard covers but otherwise yes.
Woooow!
Seeking for compliance with standards that are almost 15 years old?
That's a little scary, but also a little exciting.

fischerdouglas, I am sure you've seen this little detail:

(introduced in v7.19beta2);

So no, not covering 2012 standard from scratch. Just fixing a bug introduced in this exact beta version.

infabo · Thu Mar 13, 2025 10:51 pm

This is Mikrotik fault, and they know it. They can easily split wifi-qcom-ac package for IPQ4019 only, but they are not willing to do. It's in vain, it's in vain, it's in vain.

see viewtopic.php?t=202423&start=600#p1054046

Sit75 · Thu Mar 13, 2025 10:57 pm

Support for 802.11r was added in RouterOS 7.4 July 2022
Support for 802.11k was added in RouterOS 7.5 August 2022

And solely for wifiwave2 driver - now qualcomm and qualcomm-ac.

Woooow!
Seeking for compliance with standards that are almost 15 years old?
That's a little scary, but also a little exciting.
fischerdouglas, I am sure you've seen this little detail:
Code: Select all
(introduced in v7.19beta2); 
So no, not covering 2012 standard from scratch. Just fixing a bug introduced in this exact beta version.

Sit75 · Thu Mar 13, 2025 11:01 pm

Even 96kB of free space would be fine, if there is no any operational data write on HDD and store everything in RAM memory. But it is obviously not the Mikrotik case.

This is Mikrotik fault, and they know it. They can easily split wifi-qcom-ac package for IPQ4019 only, but they are not willing to do. It's in vain, it's in vain, it's in vain.
see viewtopic.php?t=202423&start=600#p1054046