v7.1rc1 [development] is released!

emils · Mon Aug 23, 2021 12:31 pm

RouterOS version 7.1rc1 has been released in public "development" channel!

What's new in 7.1rc1 (2021-Aug-19 13:06):

!) added support for IPv6 NAT (CLI only);
!) added support for L2TPv3 (CLI only);
*) added "expired" user status with suggestion to change password (WinBox v3.29 required);
*) added bridge HW offload support for vlan-filtering on RTL8367 switch chip (RB4011, RB1100AHx4);
*) added password strength requirement settings;
*) added skin support for WinBox (WinBox v3.29 required);
*) fixed support for RIP (Routing Information Protocol);
*) improved general stability and performance;
*) other minor fixes and improvements;

All released RouterOS v7 changelogs are available here:
https://mikrotik.com/download/changelog ... lease-tree

Mon Aug 23, 2021 12:33 pm

So i guess the leaked date was right after all....

shavenne · Mon Aug 23, 2021 12:39 pm

omg .. IPv6 NAT? Now I'm kind of hyped.
Always had IPv6 turned off in my main vlan because I couldn't make failover possible. So now it should be possible or am I wrong?

anthonws · Mon Aug 23, 2021 12:47 pm

Is this working on LHGGR now? Hoping LTE is now fixed

rextended · Mon Aug 23, 2021 12:50 pm

I was right then to put it in my signature...

(Be ready, 23 August is coming...)

rextended · Mon Aug 23, 2021 12:51 pm

So i guess the leaked date was right after all....

Eheheheh...

fruel · Mon Aug 23, 2021 12:53 pm

Quick first impression: Upgrading an mAP Lite from beta5 worked fine (config: dual-stack, basic Firewall, AP, Wireguard, EoIP)
EoIP/GRE keepalive seems to be fixed.

Znevna · Mon Aug 23, 2021 12:59 pm

*) added bridge HW offload support for vlan-filtering on RTL8367 switch chip (RB4011, RB1100AHx4);

Just to clarify, does this mean that RB4011 & RB1100AHx4 will be added as exception here:
https://help.mikrotik.com/docs/display/ ... NFiltering
"Currently, only CRS3xx series devices are capable of using bridge VLAN filtering and hardware offloading at the same time, [...]
Which means we'll be able to use Bridge VLAN Filtering as in CRS3xx;
OR does it mean that the VLAN Table support is added for those switches and we could use the scenario provided here, to setup VLANS using the Switch Chip Menu:
https://wiki.mikrotik.com/wiki/Manual:B ... witch_chip
Thank you.

Mon Aug 23, 2021 1:09 pm

You will be able to use bridge vlan-filtering with HW offload just like the CRS3xx series. No need to configure "/interface ethernet switch" settings.

There are some limitations, for example, no HW support for other EtherTypes 0x88a8 or 0x9100 (only 0x8100 is supported) and no tag stacking. The manuals will be updated shortly.

aussetg · Mon Aug 23, 2021 1:33 pm

Be careful the update breaks OSPF, again...

And you still have to create interface-templates by hand because the GUI adds networks="" automatically and breaks things.

wispmikrotik · Mon Aug 23, 2021 1:38 pm

RouterOS version 7.1rc1 has been released in public "development" channel!

What's new in 7.1rc1 (2021-Aug-19 13:06):

!) added support for IPv6 NAT (CLI only);
!) added support for L2TPv3 (CLI only);
*) added "expired" user status with suggestion to change password (WinBox v3.29 required);
*) added bridge HW offload support for vlan-filtering on RTL8367 switch chip (RB4011, RB1100AHx4);
*) added password strength requirement settings;
*) added skin support for WinBox (WinBox v3.29 required);
*) fixed support for RIP (Routing Information Protocol);
*) improved general stability and performance;
*) other minor fixes and improvements;

All released RouterOS v7 changelogs are available here:
https://mikrotik.com/download/changelog ... lease-tree

Hi,

But this version is still not stable for production, right?

Fantastic work Mikrotik team.

Regards,

OlofL · Mon Aug 23, 2021 1:39 pm

Is v7.1rc1 also known as "beta 7"?

https://help.mikrotik.com/docs/display/ ... col+Status

colin · Mon Aug 23, 2021 1:44 pm

I was right then to put it in my signature...
(Be ready, 23 August is coming...)

So when can we see the stable version?

colin · Mon Aug 23, 2021 1:49 pm

!) added support for IPv6 NAT (CLI only);
Great news. Finally we can use ipv6 nat now(useful for multi wan+load balance).

FezzFest · Mon Aug 23, 2021 1:49 pm

Built-in GPS is broken on LtAP in v7.1rc1. Downgrade to v6.47.10 fixes the issue. Will submit bug report.

Spirch · Mon Aug 23, 2021 1:51 pm

all device are compatible or compatible device list available somewhere?

rextended · Mon Aug 23, 2021 1:54 pm

I was right then to put it in my signature...
(Be ready, 23 August is coming...)
So when can we see the stable version?

This is not a question, the 7 is perennial "beta", like 6 is perennial "rc"....

rextended · Mon Aug 23, 2021 1:56 pm

all device are compatible or compatible device list available somewhere?

Any device on production: not compatible
Any device for play on free times: compatible

emils · Mon Aug 23, 2021 2:13 pm

We believe this "release candidate" version is pretty much ready for "stable" release on all devices. If you experience any issue, please open a support ticket with as much details as possible and supout.rif file attached. Faster we can acknowledge all active issues, faster we can resolve them and release a "stable" version.

pe1chl · Mon Aug 23, 2021 2:19 pm

I upgraded my test router (CHR) and when I re-connect using Winbox 3.21 it says "router requires newer winbox, please upgrade".
But I cannot upgrade winbox because all versions newer than 3.21 contain a fatal flaw that makes them unusable for me.
MikroTik: please fix the issue SUP-26372 (also discussed in winbox release topic).
Others: be warned that you cannot use older winbox version, even though this is not mentioned in the release notes!

npeca75 · Mon Aug 23, 2021 2:20 pm

rb750 gr3

system/health

temperature is missing
voltage is 0.5v

both, winbox & SNMP

Znevna · Mon Aug 23, 2021 2:21 pm

I took a bite and installed it on my RB750Gr3 here. (PS: no changelog shows up on "Check for Updates".
One thing, IPv6 wasn't functional. Checking routes, I had somehow TWO default routes, both of them had ECMP flag.
I had to disable "add default route" from DHCPv6 client in order to get things working.
But what adds the other default route? What's wrong in this picture?
Is it set by the PPPoE Client? that one still has 'add default route' checked, but it didn't add an IPv6 route before.

IPv6 Default Route.JPG

mrz · Mon Aug 23, 2021 2:27 pm

Each route has a flag showing which protocol added the route, from your screenshots default route is added by the VPN (PPPoe)

whatever · Mon Aug 23, 2021 2:30 pm

!) added support for IPv6 NAT (CLI only);
[...]
*) added bridge HW offload support for vlan-filtering on RTL8367 switch chip (RB4011, RB1100AHx4);

Holy sh*t, these are pleasant surprises.

Znevna · Mon Aug 23, 2021 2:41 pm

Each route has a flag showing which protocol added the route, from your screenshots default route is added by the VPN (PPPoe)

Indeed, it is set by the PPPoE Client.
So for dual stack setups we have to disable the add-default-route from DHCPv6 client and let the PPPoE client add both routes.
Or disable add-default-route from PPPoE client and add the IPv4 route manually. Or set another distance for the DHCPv6 default route.
Or... some other workaround.
Because having them both with distance=1 does not work.
PS: I was wrong earlier, only one of them gets the ECMP flag.

IPv6 Default Routes.JPG

aussetg · Mon Aug 23, 2021 2:47 pm

And to the people wondering: yes, Cake is still broken and causes a kernel panic.

lomayani · Mon Aug 23, 2021 2:50 pm

NV2 is still broken. No any association after upgrade

mfrey · Mon Aug 23, 2021 2:54 pm

And to the people wondering: yes, Cake is still broken and causes a kernel panic.

That's unfortunate, thanks for checking. IPv6 connection tracking also seems to be still broken.

Edit: While pasting a multilined command (containing "\") into the terminal, WinBox produces a lot of output, because a preview of all lines is shown for every character.

Other findings:
- If admin has no password, there is now a change password prompt. This is good.
- WireGuard handshake issues do now produce log output, which is nice.
- hide-sensitive in exports is now default and has to be explicitly disabled with show-sensitive. A good idea in my opinion, but should be mentioned somwhere in bold letters! This broke my WireGuard, RoMON and CAPsMAN setup on export -> reset -> import without any error message.
- The RoMON export -> import flow is still broken if the secret contains a "{" character

Paternot · Mon Aug 23, 2021 3:00 pm

V7rc1! They grow up so fast...

Really looking forward to the stable version...

huntermic · Mon Aug 23, 2021 3:07 pm

We believe this "release candidate" version is pretty much ready for "stable" release on all devices. If you experience any issue, please open a support ticket with as much details as possible and supout.rif file attached. Faster we can acknowledge all active issues, faster we can resolve them and release a "stable" version.

Does this version support IGMP-Proxy?

Cablenut9 · Mon Aug 23, 2021 3:13 pm

For VLAN filtering, does this mean I can set PVIDs on ports and have it still HW offloaded? Also, will STP/RSTP be supported for offloading as well?

Mon Aug 23, 2021 3:20 pm

Yes, you can set PVID and still have HW offload.
STP, RSTP and MSTP are supported as well.

Cha0s · Mon Aug 23, 2021 3:25 pm

Will routing filters ever get a traditional winbox gui, or are we stuck with manually writing "if ( [matchers] ) { [actions] } else { [actions] }" rules?

ivicask · Mon Aug 23, 2021 3:34 pm

After upgrade on one HEX S which i use only for Wireguard i get spamm of this for all peers constantly in log.

wireguard1: =(peer): Handshake for peer did not complete after 5 seconds, retrying (try 16)

But everything works fine, i also tried closing the WG port because i was thinking it may be invalid attempts from net, but spam continues.

Any idea whats this about?

rpingar · Mon Aug 23, 2021 3:34 pm

Is v7.1rc1 also known as "beta 7"?

https://help.mikrotik.com/docs/display/ ... col+Status

No, seems rc1 to be a step forward because Winbox seems now supporting routing/filter!
in 7.1beta7 it was not supported.

regards

Ros

rpingar · Mon Aug 23, 2021 3:49 pm

We believe this "release candidate" version is pretty much ready for "stable" release on all devices. If you experience any issue, please open a support ticket with as much details as possible and supout.rif file attached. Faster we can acknowledge all active issues, faster we can resolve them and release a "stable" version.

#[SUP-44860]: v7.1beta5 x86 still crashes
ip route crash in winbox when it sort all the fullroute. Opened since last year.

sent to Maris the supout generated also on 7.brc1

regards
Ros

frank333 · Mon Aug 23, 2021 4:02 pm

great mikrotik!! now i try to install it on the little rbm11

Cablenut9 · Mon Aug 23, 2021 4:07 pm

Looks like enabling VLAN offloading on the RB4011 stops inter-VLAN routing, even though there's valid routes for each VLAN. Also, the CLI ? key doesn't work.

tpedko · Mon Aug 23, 2021 4:10 pm

does not work socks 5 + auth-method=password

buset1974 · Mon Aug 23, 2021 4:30 pm

someone please give me info regarding mpls on v7.1rc1, is it works nicely or something?

thx

CTassisF · Mon Aug 23, 2021 4:32 pm

So far so good on my hAP ac³ with PPPoE, IPv6, WifiWave2, Hotspot, Web Proxy etc.

Only issue I have (and I guess this issue has been going on since the first time I've tested 7.1 betas) is that RouterOS does not know the proper way to setup OWE (opportunistic wireless encryption) after a reboot. Because of that you get a "OWE transition mode misconfiguration" on the insecure interface (the one with security.authentication-types=""). You have to remove security.owe-transition-interface and set security.owe-transition-interface again to fix this after every reboot.

Mon Aug 23, 2021 4:38 pm

Cablenut9, inter-VLAN routing seems to work for me with enabled HW vlan-filtering. Check if you have included the bridge interface as a tagged member in "/interface bridge vlan" menu, see this example

mikegleasonjr · Mon Aug 23, 2021 4:40 pm

And to the people wondering: yes, Cake is still broken and causes a kernel panic.

Thanks, I can confirm the reboot on a RB4011 too.

Trying out codel right now.

Rfulton · Mon Aug 23, 2021 4:58 pm

Can someone confirm that GRE Keepalive timers are working?

mrz · Mon Aug 23, 2021 5:00 pm

Yes, keepalive is fixed.

benbgg · Mon Aug 23, 2021 5:14 pm

RouterOS version 7.1rc1 has been released in public "development" channel!

What's new in 7.1rc1 (2021-Aug-19 13:06):

!) added support for IPv6 NAT (CLI only);
!) added support for L2TPv3 (CLI only);
*) added "expired" user status with suggestion to change password (WinBox v3.29 required);
*) added bridge HW offload support for vlan-filtering on RTL8367 switch chip (RB4011, RB1100AHx4);
*) added password strength requirement settings;
*) added skin support for WinBox (WinBox v3.29 required);
*) fixed support for RIP (Routing Information Protocol);
*) improved general stability and performance;
*) other minor fixes and improvements;

All released RouterOS v7 changelogs are available here:
https://mikrotik.com/download/changelog ... lease-tree

No going to GA with no igmp proxy? that's a show stopper for me

mkamenjak · Mon Aug 23, 2021 5:16 pm

Will routing filters ever get a traditional winbox gui, or are we stuck with manually writing "if ( [matchers] ) { [actions] } else { [actions] }" rules?

Seconding this.
Mikrotik please give us a Winbox routing filters experience similar to what it was in v6.

mkamenjak · Mon Aug 23, 2021 5:19 pm

Is v7.1rc1 also known as "beta 7"?

https://help.mikrotik.com/docs/display/ ... col+Status
No, seems rc1 to be a step forward because Winbox seems now supporting routing/filter!
in 7.1beta7 it was not supported.

regards

Ros

I can't confirm this. I have tried routing filters on winbox in beta6 and I see no difference as to what they are in rc1.
Ideally they should be as below:

Will routing filters ever get a traditional winbox gui, or are we stuck with manually writing "if ( [matchers] ) { [actions] } else { [actions] }" rules?
Seconding this.
Mikrotik please give us a Winbox routing filters experience similar to what it was in v6.

Also it seems like it forgot my routing filter config from beta6 to rc1.

mikegleasonjr · Mon Aug 23, 2021 5:24 pm

And to the people wondering: yes, Cake is still broken and causes a kernel panic.
Thanks, I can confirm the reboot on a RB4011 too.

Trying out codel right now.

fq codel also rebooted the router after 2 hours, falling back to sfq..

huntermic · Mon Aug 23, 2021 5:35 pm

No going to GA with no igmp proxy? that's a show stopper for me

Same here, without igmp-proxy i cannot use this version

frank333 · Mon Aug 23, 2021 5:43 pm

on rbm11 it works fine it loaded without any problems .
I will update this post with any problems I encounter.

71.png

some % characters remained in some webfig windows.

in webfig firewall and others, these columns can no longer be adjusted.

LTE cell scanning has been reduced to two, with the old 7.1beta6 I recorded more than 20 cells

The command sequences written in Terminal, when executed, display all the characters on the screen in a second progression,

Traveller · Mon Aug 23, 2021 6:02 pm

What's new in 7.1rc1 (2021-Aug-19 13:06):
*) added skin support for WinBox (WinBox v3.29 required);

Where a can find skins in winbox?

santyx32 · Mon Aug 23, 2021 6:12 pm

And to the people wondering: yes, Cake is still broken and causes a kernel panic.

I hope MT can fix it on RC2 or at least before moving 7.1 from development to testing channel.

Chupaka · Mon Aug 23, 2021 6:27 pm

Be careful the update breaks OSPF, again...
And you still have to create interface-templates by hand because the GUI adds networks="" automatically and breaks things.

Yep, I had to recreate backbone area and interface-templates.
Yes, WinBox adds networks="" to them, needs to be unset via CLI.
And interface cost is now hidden from WinBox, available only via CLI.

jeetlal · Mon Aug 23, 2021 6:36 pm

Yes, you can set PVID and still have HW offload.
STP, RSTP and MSTP are supported as well.

can anyone confirm following fetures also hardware ofload on rb4011
IGMP Snooping
DHCP Snooping
bonding

thanks

Cablenut9 · Mon Aug 23, 2021 6:38 pm

can anyone confirm following fetures also hardware ofload on rb4011
IGMP Snooping
DHCP Snooping
bonding

I tried IGMP and DHCP and those aren't offloaded, only VLAN filtering, port PVIDs, and STP/RSTP/MSTP.

xvo · Mon Aug 23, 2021 6:38 pm

Yep, I had to recreate backbone area and interface-templates.

Same here.

Yes, WinBox adds networks="" to them, needs to be unset via CLI.

You can set networks=0.0.0.0/0 (in winbox as well) instead of unsetting it.

rextended · Mon Aug 23, 2021 6:39 pm

Bravo!!!

noradtux · Mon Aug 23, 2021 6:58 pm

So far all is working fine on my CRS317, RB4011 and LtAP-Mini (+R11e-LTE6). Noteworthy features in use are IPv6 to Internet, IPv6 over Wireguard (multiple tunnels), CAKE using queue tree. Lets see how stable it is ...

paintballer4lfe · Mon Aug 23, 2021 7:34 pm

So some 4011 info for anyone wondering.

Memory leak is still a thing - just slower but still unusable.
Upgrade breaks static route config - at least for mine it did. (removed default route)

Updated my 4011 memory leak ticket but of course it's been completely ignored for 3 months now so there's that.

elbob2002 · Mon Aug 23, 2021 7:41 pm

Upgraded my test RB750GR3

Netflow now reports an incorrect date of 1970-01-01

Netflow v9 with NFSEN target

Cablenut9 · Mon Aug 23, 2021 7:44 pm

Netflow now reports an incorrect date of 1970-01-01

How do you know your GR3 isn't time-traveling? After all, with all the new features v7 is bringing, time warping isn't out of the question.

mducharme · Mon Aug 23, 2021 7:56 pm

- hide-sensitive in exports is now default and has to be explicitly disabled with show-sensitive. A good idea in my opinion, but should be mentioned somwhere in bold letters! This broke my WireGuard, RoMON and CAPsMAN setup on export -> reset -> import without any error message.

IMO this is not good behavior and should be reconsidered. The issue is that when using automated config backup systems (ex. RANCID, Oxidized, etc.) it will not use this command since RouterOS v6 does not have this show-sensitive. When moving a network from RouterOS v6 to v7 we either would not get a complete backup (Oxidized would be backing up v7 with the default hide-sensitive), or we would have to remember to reconfigure the backup one device at a time for the RouterOS v7 export command with show-sensitive instead of the RouterOS v6 export command. There is a huge opportunity here to screw things up by forgetting a device and then backups are no longer happening.

Or at the very least, backport the show-sensitive option to v6 so that we can use it on v6 devices without them throwing errors.

buset1974 · Mon Aug 23, 2021 7:56 pm

Missing bgp-as-path information when /ip/route/print detail

MikroTik-BGP] > /ip/route/print detail where 8.8.4.4 in dst-address
Flags: D - dynamic; X - disabled, I - inactive, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem,
y - copy;
H - hw-offloaded; + - ecmp
DAb dst-address=8.0.0.0/9 routing-table=main gateway=116.58.193.33
immediate-gw=116.58.193.33%ether7-to-PE-MK-02 distance=20 scope=40
target-scope=10 suppress-hw-offload=no

DAb dst-address=8.0.0.0/12 routing-table=main gateway=116.58.193.33
immediate-gw=116.58.193.33%ether7-to-PE-MK-02 distance=20 scope=40
target-scope=10 suppress-hw-offload=no

DAb dst-address=8.8.4.0/24 routing-table=main gateway=116.58.193.33
immediate-gw=116.58.193.33%ether7-to-PE-MK-02 distance=20 scope=40
target-scope=10 suppress-hw-offload=no

sep · Mon Aug 23, 2021 8:07 pm

omg .. IPv6 NAT? Now I'm kind of hyped.
Always had IPv6 turned off in my main vlan because I couldn't make failover possible. So now it should be possible or am I wrong?

IPv6 NAT can give you the ipv4 style design you are used to from ipv4. but ipv6 have much better solutions as well.

Failover/multihoming on ipv6 in my own order of preference.
1 . Proper BGP multihoming : this is the way the internet is built. This do require BGP sessions with upstreams, and your own PI prefix. massive technical advantages, but probably costly isp subscriptions. (identical to ipv4)
1.5 BGP multihoming using one isp's prefix. and a deal with the isp that isp2 is also allowed to announce your prefix. require really really good isp's. large ones are difficult. this is a bit rare tho, since getting PI space is so easy.
2. use a prefix from a VPN/Tunnel broker (eg HE or similar) - tunnel via both isp's . this give you a single prefix, making looking up DNS services easier, on a single prefix. adds some latency tho, and broker must be Highly available.
3.Use multiple isp's with separate isp prefixes, on 2x redundant routers, configure the routers with different IPv6 Router Advertisement Preference if you want a active/passive failover. complex DNS setup with 2 targets for each service. you need low dns TTL's and some way to fail over DNS (disable the broken one) when one of the isp's fail or your services will have an outage. optionally use some CDN service.
4. Use multiple isp's like above but choose one of the isp's prefxes for LAN, use NPTv6 to do stateless prefix mapping from the LAN prefix to isp2's prefix. Same DNS problem as above. but simple LAN setup. There is also some isp's that do not follow the BCP's and change your prefix. especially germany where i understand that is mandatory?!? in those cases you can use ULA locally. and NPTv6 to both isp's . ULA will lead to using ipv4 where there is both. but you will have ipv6 access. OK for outbond internet access only.
5. Cold failover. (stop announcing the broken prefix. start announcing the working prefix when an outage happen) Same DNS problem as above, but only one prefix/DNS entry active at the time. require lower RA lifetimes. Noticeable for users.
6. ipv6 NAT on ULA local prefix using ipv4 style session tracking and ip overloading, But keep in mind that on ipv6 you still do not have the ALG's and helpers we are used to from ipv4. This reintroduces all the common ipv4 problems that ipv6 have solved. : split view DNS, no end to end connnectiviy, , 1 to many ip overloading.

there are many ways to determine preferred isp in the above situations RFC 8678 for inspiration.

good luck
SEP

anthonws · Mon Aug 23, 2021 8:42 pm

Upgraded my test RB750GR3

Netflow now reports an incorrect date of 1970-01-01

Netflow v9 with NFSEN target

I reported this also for beta 6 (SUP-51582). Support told me they could not repro... I provided all of the needed info (several traces and debug logs from netflow from a Linux box...).

I gave up TBH (please don't take me wrong, but it's just hard to keep pushing on these kind of things, after multiple people report the same behavior in the forum).

sander123 · Mon Aug 23, 2021 8:48 pm

Does anybody know if routing functions are updated to?

In the link they only talk about v7.1beta7 not about 7.1rc1
https://help.mikrotik.com/docs/display/ ... col+Status

Jotne · Mon Aug 23, 2021 9:23 pm

Memory leak is still a thing - just slower but still unusable.

Do you know what module leaks memory?
Do it leak memory with default config?
Do you have DoH enabled?

jbl42 · Mon Aug 23, 2021 9:34 pm

*) added bridge HW offload support for vlan-filtering on RTL8367 switch chip (RB4011, RB1100AHx4);

RB4011 and RB1100AHx4 have more than one RTL8367 chip (one for ports 1-5 and 6-10 on RB4011). HW acceleration for VLAN filtering is obviously only possible on ether ports on the same chip.
Question is: If a bridge spans among ports off different chips (for ex ports 3-8) will HW filtering only be available between ports of the same chip (3-5 and 6-8) or completly disabled? What about STP/RSTP in such a configuration?

mafiosa · Mon Aug 23, 2021 9:47 pm

GRE tunnel keepalive is now working between 7.1rc routers.

mrz · Mon Aug 23, 2021 10:00 pm

Missing bgp-as-path information when /ip/route/print detail

ip route menu will not show any dynamic routing protocol specific info, all routing protocol info is available in /routing/route menu

anuser · Mon Aug 23, 2021 10:08 pm

RouterOS version 7.1beta5 has been released in public "development" channel!
*) wifiwave2 - improved interface stability with multiple WPA3 authenticated clients;

I would like to request a separate wifiwave2 package for IPQ4018/IPQ4019 devices with 16MB of ROM and 128M of RAM. With such a package a lot of more users could test this it, send feedbacks and bug reports which will result in an earlier available bugfree stable release.

sep · Mon Aug 23, 2021 10:09 pm

Hello mikrotik

on this page https://help.mikrotik.com/docs/display/ ... col+Status
there is a very nice overview of the routing protocol features and the status of them that ROS7 have in progress.

Are there any similar view or roadmap for all features ? it would make it easier to know when Ros 7 was ready for use. without having to consolidate a lot of release notes.
things like:
HA accelerated L3 forwarding on IPv6 similar to ipv4 (crs3xx)
dhcp relay link layer option rfc6939
RA Guard
DHCP Snooping
igmp proxy
464xlat/nat64

npeca75 · Mon Aug 23, 2021 10:13 pm

rb750 gr3

rebooted after 4 hours

cpu 6%
free mem 70%
no fancy queues
only few wireguard and one bridge with 6 vlans

santyx32 · Mon Aug 23, 2021 10:46 pm

I would like to request a separate wifiwave2 package for IPQ4018/IPQ4019 devices with 16MB of ROM and 128M of RAM. With such a package a lot of more users could test this it, send feedbacks and bug reports which will result in an earlier available bugfree stable release.

I don't think that would happen since dual ath10k radios are RAM hungry even with OpenWrt's small buffers patches 128MB devices can go OOM under certain conditions, also Mikrotik may release ath11k based WiFi 6 products the next year.

PD: Just gave CAKE a try on this build and my ac2 went into a kernel panic after 5 minutes, fq_codel seems stable as usual.

Grant · Mon Aug 23, 2021 11:07 pm

openvpn didn’t work and it doesn’t work

Znevna · Mon Aug 23, 2021 11:39 pm

Just take OpenVPN out! and all the other useless features. (socks5, rly?).
PS: I've reverted to 6.47 to test something else and I've noticed that there were also two IPv6 default routes, just that only one of them was active, so it just might be that it worked by accident in pre-7 versions.
I've also tried to upgrade one hAP ac2, from 6.47.10, no go

21:31:11 system,error broken package routing-7.1rc1-arm.npk 
21:31:11 system,error broken package ipv6-7.1rc1-arm.npk 
21:31:11 system,error broken package wireless-7.1rc1-arm.npk 
21:31:11 system,error broken package security-7.1rc1-arm.npk 
21:31:11 system,error broken package ppp-7.1rc1-arm.npk 
21:31:11 system,error broken package dhcp-7.1rc1-arm.npk 
21:31:11 system,error broken package advanced-tools-7.1rc1-arm.npk 
21:31:11 system,info installed system-7.1rc1 
21:31:11 system,error not enough space for upgrade 
21:31:11 system,info router rebooted

           free-hdd-space: 2152.0KiB
          total-hdd-space: 15.3MiB

I'll netinstall it some other time.

mhugo · Mon Aug 23, 2021 11:45 pm

Please update - https://help.mikrotik.com/docs/display/ ... col+Status

And if some of these are postponed to after 7.1 please not that too so we know what to test and what to expect.

Sit75 · Mon Aug 23, 2021 11:58 pm

IPv6 doesn't work. Tested on iOS WiFi client - PPP VDSL2 upstream. IPv6 DNS is broken as well.

Znevna · Tue Aug 24, 2021 12:03 am

read the previous posts.

anthonws · Tue Aug 24, 2021 12:08 am

Updated LHGGR from 6.49 latest beta to 7.1RC1.

Update went smooth. I'm still testing, but it seems that the radio is now finding much less antennas than it did and also it looks like throughput has decreased a bit (TBD with more tests).

And Winbox is always saying a modem firmware update is available, when the update is the same as I have installed (v27).

fbl · Tue Aug 24, 2021 1:36 am

Updated our CCR1036 BGP router from 7.1beta2 to 7.1rc1 just now.

It is the first version since 7.1beta2, which we haven't had to rollback due to significant issues right away. So far, 7.1rc1 feels pretty solid.

Rfulton · Tue Aug 24, 2021 3:47 am

capsman crashes immediately on ccr2004

codelogic · Tue Aug 24, 2021 4:03 am

After upgrade on one HEX S which i use only for Wireguard i get spamm of this for all peers constantly in log.
Code: Select all
wireguard1: =(peer): Handshake for peer did not complete after 5 seconds, retrying (try 16)
But everything works fine, i also tried closing the WG port because i was thinking it may be invalid attempts from net, but spam continues.

Any idea whats this about?

I noticed this as well; it seems related to the wireguard peers "Persistent Keepalive" value being present. If I remove the persistent keepalive entry and then disable/enable my wireguard interface the "handshake for peer did not complete" log spam stops.

Although, I'm not sure where my wireguard interface was trying to handshake when there isn't an endpoint IP defined or listed for the peer.

Rfulton · Tue Aug 24, 2021 4:08 am

Wave 2 on audience can't do vlan tagging. srsly.....

santyx32 · Tue Aug 24, 2021 5:38 am

Wave 2 on audience can't do vlan tagging. srsly.....

server8 · Tue Aug 24, 2021 7:23 am

capsman crashes immediately on ccr2004

ccr2004 crashes evertime bad HW

nithinkumar2000 · Tue Aug 24, 2021 8:20 am

Happy to See Progress in v7.... Waiting for a Stable Release...

Well Done Mikrotik Team... Please also try to solve the Delegate-IPv6-Prefix Radius Accounting issue... we are waiting for years for the fix.

elbob2002 · Tue Aug 24, 2021 9:43 am

In addition to my netflow issue above I realised that the incorrect voltage is now being reported. RB750GR3

This occurs both in System --> Health and on my NMS

Mtik Voltage.png

Tue Aug 24, 2021 9:57 am

can anyone confirm following fetures also hardware ofload on rb4011
IGMP Snooping
DHCP Snooping
bonding

The RTL8367 currently does not support bonding, IGMP and DHCP snooping. Enabling these features will disable the HW offload on the bridge or bridge port (in case of bond). We are planning to add switch rules (ACL), DHCP snooping and possibly IGMP snooping in future RouterOS releases.

RB4011 and RB1100AHx4 have more than one RTL8367 chip (one for ports 1-5 and 6-10 on RB4011). HW acceleration for VLAN filtering is obviously only possible on ether ports on the same chip.
Question is: If a bridge spans among ports off different chips (for ex ports 3-8) will HW filtering only be available between ports of the same chip (3-5 and 6-8) or completly disabled? What about STP/RSTP in such a configuration?

HW offload is only possible on the same switch chip, but you can still use a single HW bridge on both chips and allow the CPU to forward packets between them. In case a VLAN spans accross multiple switches, add the bridge interface as a VLAN member in the "/interface bridge vlan" menu. This will add the "switch-cpu" port as a VLAN member under the hood. For example:

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=ether6 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=10

mrz · Tue Aug 24, 2021 11:12 am

Yes, WinBox adds networks="" to them, needs to be unset via CLI.
And interface cost is now hidden from WinBox, available only via CLI.

Thanks, will be fixed as well as currently missing OSPF redistribution settings and routing table parameter. Report if you spot any other inconsistency with winbox and cli.

Znevna · Tue Aug 24, 2021 11:27 am

Does this count?
Happens after a few PPPoE reconnects. Never saw more than one old entry, yet.

IPv6 Pool winbox old entry.JPG

aussetg · Tue Aug 24, 2021 11:39 am

Can you please add the *ingress* keyword for Cake settings ?

Thanks

mrz · Tue Aug 24, 2021 11:48 am

Does this count?

Hit F5 to refresh Winbox pools dialog

Znevna · Tue Aug 24, 2021 11:56 am

Sad to say I didn't know about F5 in WinBox. Thanks, that fixes the glitch.

rpingar · Tue Aug 24, 2021 12:28 pm

We believe this "release candidate" version is pretty much ready for "stable" release on all devices. If you experience any issue, please open a support ticket with as much details as possible and supout.rif file attached. Faster we can acknowledge all active issues, faster we can resolve them and release a "stable" version.

when will you fix the [SUP-35291]: bug about udp pps in dst-limit? (it works up to 9999 packets/s)
open since some years ago?????

thanks
Ros

big0bum · Tue Aug 24, 2021 12:33 pm

Hi,

I can't update an RB3011 to the latest rc1 from beta6.

RIght after reboot, the router starts on beta6 again. Opening up a terminal it gives me an error about a kernel panic. Any ideas about this?

I've also made a support ticket: SUP-58027.

doneware · Tue Aug 24, 2021 12:34 pm

just updated my audience (non-LTE) version that uses wifiwave2.

aug/24/2021 09:24:04 system,info,critical Firmware upgraded successfully, please reboot for changes to take effect!
aug/24/2021 09:24:10 system,error,critical error while running customized default configuration script: bad command name wireless (line 977 column
 25)
aug/24/2021 09:24:10 system,error,critical

apart from that, stuff works fine. also cli output in wifiwave2 has improved significantly. print outputs are finally making sense

also l2tpv3 - a long needed addition:

[bat@audience] /interface/l2tp-ether> add 
allow-fast-path  connect-to     digest-hash   l2tp-proto-version  local-tunnel-id  name               remote-tunnel-id  use-ipsec               
circuit-id       cookie-length  disabled      local-address       mac-address      peer-cookie        send-cookie       use-l2-specific-sublayer
comment          copy-from      ipsec-secret  local-session-id    max-mtu          remote-session-id  unmanaged-mode

but sadly still no v6 support

[bat@audience] /interface/l2tp-ether> add connect-to=2001:4c48::1
failure: bad address or dns name

colin · Tue Aug 24, 2021 12:46 pm

Seems that there are duplicate settings about vrf:

vrf-diff.png

But in interfaces->vrf, vrf can't be added(interface list must be specified).

colin · Tue Aug 24, 2021 12:49 pm

Is there a plan to support macvlan or set mac address for the pppoe interface?

zainarbani · Tue Aug 24, 2021 1:04 pm

Seriously though, random reboot or kernel panic with CAKE&FQ_Codel should be pointing out here.

CPU&RAM resources seems fine but still, kernel panic with deadlock memory.
Do we need to hardcoded memory-limit value or any way to calculate it?

pe1chl · Tue Aug 24, 2021 1:12 pm

Is there a plan to support macvlan or set mac address for the pppoe interface?

You can probably do that using a bridge...

doneware · Tue Aug 24, 2021 1:16 pm

Also, question mark (?) in CLI doesn't seem to work on my end. it supposes to show the available input options, but all i get is a red '?'

ros7.1rc1.png

this is true for new features and previously existing things things.

anthonws · Tue Aug 24, 2021 1:24 pm

So far all is working fine on my CRS317, RB4011 and LtAP-Mini (+R11e-LTE6). Noteworthy features in use are IPv6 to Internet, IPv6 over Wireguard (multiple tunnels), CAKE using queue tree. Lets see how stable it is ...

Where are you targeting the CAKE queue? At the LTE connection? Has it been stable? I wanted to try our CAKE + Autorate Ingress (given my LTE connection bandwidth is quite random).

Thanks!

krisjanisj · Tue Aug 24, 2021 1:24 pm

Also, question mark (?) in CLI doesn't seem to work on my end. it supposes to show the available input options, but all i get is a red '?'

ros7.1rc1.png

this is true for new features and previously existing things things.

As noted by the terminal when You open it up:


  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 7.1rc1 (c) 1999-2021       http://www.mikrotik.com/

Press F1 for help

colin · Tue Aug 24, 2021 1:33 pm

Is there a plan to support macvlan or set mac address for the pppoe interface?
You can probably do that using a bridge...

Do you mean bridge+nat?
I think it's too complicated, and may be it will affect performance.

pe1chl · Tue Aug 24, 2021 1:37 pm

You can probably do that using a bridge...
Do you mean bridge+nat?
I think it's too complicated, and may be it will affect performance.

No. You can add a VLAN to your ethernet port to get the VLAN tag, then create a bridge and add the VLAN interface to that as a port, set the admin MAC on the bridge, and add the PPPoE client to the bridge.
That should result in VLAN-tagged PPPoE packets with your specified MAC address, I think.

doneware · Tue Aug 24, 2021 1:55 pm

As noted by the terminal when You open it up:

bummer, missed that. thanks for pointing it out, albeit it doesn't make me any happier. there are certain platforms where the so called function keys don't mix really well with terminal. while it's not impossible to hold 'fn' while pressing F1, please at least make this configurable so old school folks like me can keep on working as before. switching between multiple network platforms is alone a PITA, but rendering '?' inoperable is a whole new level of inconvenience.

i'm not the one to stop progress, but can we have a settable option in /console ? like so:

/console set help-key=\?

mafiosa · Tue Aug 24, 2021 1:56 pm

RouterOS version 7.1rc1 has been released in public "development" channel!

Kindly update https://help.mikrotik.com/docs/display/ ... col+Status

colin · Tue Aug 24, 2021 2:04 pm

Do you mean bridge+nat?
I think it's too complicated, and may be it will affect performance.
No. You can add a VLAN to your ethernet port to get the VLAN tag, then create a bridge and add the VLAN interface to that as a port, set the admin MAC on the bridge, and add the PPPoE client to the bridge.
That should result in VLAN-tagged PPPoE packets with your specified MAC address, I think.

It's ok if you only have a little pppoe clients. But if you have 20+,50+ or even 100+ pppoe clients, and each one needs unique mac address, then i don't think it's acceptable.

pe1chl · Tue Aug 24, 2021 2:23 pm

It's ok if you only have a little pppoe clients. But if you have 20+,50+ or even 100+ pppoe clients, and each one needs unique mac address, then i don't think it's acceptable.

Maybe you should consider adding relevant informations to the questions you post... it is not even clear if you are a PPPoE client or PPPoE server.

Cha0s · Tue Aug 24, 2021 2:48 pm

As noted by the terminal when You open it up:
bummer, missed that. thanks for pointing it out, albeit it doesn't make me any happier. there are certain platforms where the so called function keys don't mix really well with terminal. while it's not impossible to hold 'fn' while pressing F1, please at least make this configurable so old school folks like me can keep on working as before. switching between multiple network platforms is alone a PITA, but rendering '?' inoperable is a whole new level of inconvenience.

i'm not the one to stop progress, but can we have a settable option in /console ? like so:
Code: Select all
/console set help-key=\?

++

bpwl · Tue Aug 24, 2021 2:59 pm

Maybe lonely with this limitation ... OVA image cannot start in 32 bit Virtual Box

ROS7.1rc1 OVA template does not start in a 32 bit Virtual BOX. 5.2.44 (highest version for Windows10/32 bit). Previous versions of ROS all do load and work.as expected.
Console says: "error loading operating system"
It did load and start on my Synology DS218+ Virtual Machine NAS environment.

Klembord-2.jpg

freemannnn · Tue Aug 24, 2021 3:12 pm

user manager question. sorry deleted and posted to correct category

loloski · Tue Aug 24, 2021 3:16 pm

openvpn didn’t work and it doesn’t work

It's working as ovpn client, I was able to establish connection to my CCR1036 in production, I haven't test though as a server

welder · Tue Aug 24, 2021 3:36 pm

rb750 gr3

system/health

temperature is missing
voltage is 0.5v

both, winbox & SNMP

same here

Model RB750Gr3
Revision r4
Serial Number CC210Exxyyzz
Firmware Type mt7621L
Factory Firmware 6.46.8
Current Firmware 7.1rc1
Upgrade Firmware 7.1rc1

infabo · Tue Aug 24, 2021 4:12 pm

 /system/backup/cloud/upload-file action=create-and-upload password=mikrotik

results in kernel panic

`system,error,critical router was rebooted without proper shutdown, probably kernel failure`

Cablenut9 · Tue Aug 24, 2021 4:12 pm

The change from ? to F1 is pure junk. Cisco is keeping it, so why not The Tik?

Tue Aug 24, 2021 4:17 pm

As noted by the terminal when You open it up:
i'm not the one to stop progress, but can we have a settable option in /console ? like so:
Code: Select all
/console set help-key=\?

PLEASE allow the help key to be bound to alternative mappings, or just return it to ?

StubArea51 · Tue Aug 24, 2021 4:32 pm

i'm not the one to stop progress, but can we have a settable option in /console ? like so:
Code: Select all
/console set help-key=\?
PLEASE allow the help key to be bound to alternative mappings, or just return it to ?

Agree with this 100% - either use the '?' or allow for it to be set.

Chupaka · Tue Aug 24, 2021 5:08 pm

Or at the very least, backport the show-sensitive option to v6 so that we can use it on v6 devices without them throwing errors.

Great idea, btw!

edielson_atm · Tue Aug 24, 2021 5:10 pm

Captura de Tela 2021-08-24 às 11.04.47.png

after a while using V7.rc1 on EVE-NG it just crashes,
when trying to run the command /ip route/print the screen freezes

guipoletto · Tue Aug 24, 2021 5:14 pm

Code: Select all
/console set help-key=\?

Also, since we're here: can "CTRL+V" be un-mapped from autocomplete? I've seen so many people think thei'r router is cursed/haunted, it's not funny anymore.

pe1chl · Tue Aug 24, 2021 5:14 pm

Edit: While pasting a multilined command (containing "\") into the terminal, WinBox produces a lot of output, because a preview of all lines is shown for every character.

No, that is the result of you using Ctrl-V to paste something, then see that it does not work and paste with right-mouse menu instead.
Sure it is a dumb thing to use Ctrl-V to toggle hotlock mode, and lots of users have been baffled by this, but it is not something related to this version.
See https://wiki.mikrotik.com/wiki/Manual:C ... tLock_Mode

krisjanisj · Tue Aug 24, 2021 5:19 pm

Also, since we're here: can "CTRL+V" be un-mapped from autocomplete? I've seen so many people think thei'r router is cursed/haunted, it's not funny anymore.

Along with "?" being remapped as "F1", "Ctrl+V" has been remapped as "F7" (as stated by the help menu) in this version.

Tue Aug 24, 2021 5:28 pm

Thank you very much for your posts here, as well we are grateful for your trust and that many of you tried 7.1rc1.
Your reports helped us a lot and we are always open for more (free to post here or write to us to support@mikrotik.com).
Currently most of the issues are reported (nv2, cake crashes, and others.) and we are working on fixes for them.

Rfulton · Tue Aug 24, 2021 5:43 pm

CCR2004 rebooted after 12 hours.

Reverting back to stable.

StubArea51 · Tue Aug 24, 2021 5:44 pm

Feedback on the route filtering in ROSv7rc1:

viewtopic.php?f=1&t=177846

dksoft · Tue Aug 24, 2021 7:14 pm

... (free to post here or write to us to support@mikrotik.com).

Can you please have a look at SUP-56377 or at post viewtopic.php?f=1&t=177803
Still happens on 7.1rc1 and is a show stopper for me.

Thanks
dksoft

rextended · Tue Aug 24, 2021 7:39 pm

Under the hood there is also...

SPOILER!!! Do not scroll!!!

.
.
.
.
.
.
.
.
.
.
.
.
"Extreme Performances" ARM64 Series:
CCR-eOW-12x100G-36x25Gw
CCR-eOW-1x25Gw-2x10G
CCR-eOW-1Gw-1G

ARM64:
CCR2116-12G-4S+
CRS520-4xS-16xQ

Cablenut9 · Tue Aug 24, 2021 8:03 pm

CCR-eOW-12x100G-36x25Gw
CCR-eOW-1x25Gw-2x10G
CCR-eOW-1Gw-1G

What is "Gw" anyway? If there's a CCR with two 1G ports, then that would be interesting.

Liopleus · Tue Aug 24, 2021 8:09 pm

Wifi LED on Hap ac^3 doesn't seem to work after installing the wifiwave2 package and there's no way to configure it in the system/LEDs panel.

By the way, does the wifiwave2 on ROS support airtime fairness?

mrleongalaxyum · Tue Aug 24, 2021 9:21 pm

Hello everyone! I'm trying to make my hap acˇ2 connect as a client to wireguard server. The server is on port 51821 on a _____.ddns.net domain. The server is properly configured since it works with mobile clients using wireguard android app. Mikrotik has a static public address 185.xxx.xxx.xxx and subnet 192.168.1.0/24 Remote wireguard server is on xxxxx.ddns.net and subnets 192.168.5.0/24 and behind that is another subnet 192.168.31.0/24 on which the wireguard server is running.
The wireguard server is configured as following:

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.7.0.1/24
MTU = 1420
ListenPort = 51821

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlp58s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlp58s0 -j MASQUERADE

### begin mikrotik ###
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 10.7.0.3/32
### end mikrotik ###

I've tried both https://help.mikrotik.com/docs/display/ROS/WireGuard and viewtopic.php?t=168231#p825479 but the wireguard peer is not connecting to the server, RX packets stays at 0B

aliclubb · Tue Aug 24, 2021 9:28 pm

Under the hood there is also...

SPOILER!!! Do not scroll!!!
Code: Select all
.
.
.
.
.
.
.
.
.
.
.
.
"Extreme Performances" ARM64 Series:
CCR-eOW-12x100G-36x25Gw
CCR-eOW-1x25Gw-2x10G
CCR-eOW-1Gw-1G

ARM64:
CCR2116-12G-4S+
CRS520-4xS-16xQ

The eOW models are a joke from MikroTik. Something about Ethernet over Water or something like that. You can find it with a Google fairly easily. The other two models will be legit but they have been in the code for a while.

noradtux · Tue Aug 24, 2021 9:33 pm

So far all is working fine on my CRS317, RB4011 and LtAP-Mini (+R11e-LTE6). Noteworthy features in use are IPv6 to Internet, IPv6 over Wireguard (multiple tunnels), CAKE using queue tree. Lets see how stable it is ...
Where are you targeting the CAKE queue? At the LTE connection? Has it been stable? I wanted to try our CAKE + Autorate Ingress (given my LTE connection bandwidth is quite random).

No, it's on my pppoe Internet connection. I didn't think there was a point in using CAKE on LTE since I don't know the available uplink speed. Or do I?

hel · Tue Aug 24, 2021 9:35 pm

Sadly, the issue I've reported several times that's preventing me from testing v7 on my hAP lite was not fixed or ignored. Reporting it again in hope that it will be fixed in the next rc.

The issue is in high CPU load that goes up to the 100% and staying there for tens of minutes, sometimes hours, locking up management and internet. And that's preventing me from testing different features.

Couldn't get supout, because it is locking up the router to the point I can't use internet. Also couldn't get export, even compact. It stucks after dhcp-server export.

/ip dhcp-server
add address-pool=dhcp interface=bridge-lan name=dhcp-lan
#error exporting /mpls/traffic-eng/path
#interrupted
[admin@MikroTik] >

Going to terminal inside winbox could trigger this 100% load. A reboot triggering this problem in almost all times, so I have to wait some time (5-10 minutes usually).
If I enable ipsec tunnel it could lock up so much that router will even disappear from winbox discovery.
Reset to defaults do not solve the issue. It just become less frequent.
This time I got the screenshots from tool>profile.

Device: hAP lite (941-2nD)
Affected v7 builds: from 7.0 limited beta to 7.1rc1.

mrz · Tue Aug 24, 2021 9:40 pm

The eOW models are a joke from MikroTik. Something about Ethernet over Water or something like that. You can find it with a Google fairly easily. The other two models will be legit but they have been in the code for a while.

This is not the same as RB mEOW. CCR-eOW is a new improved model.

pe1chl · Tue Aug 24, 2021 9:41 pm

Sadly, the issue I've reported several times that's preventing me from testing v7 on my hAP lite was not fixed or ignored. Reporting it again in hope that it will be fixed in the next rc.

Frankly I am surprised that v7 even boots on a hAP lite...

hel · Tue Aug 24, 2021 9:52 pm

Frankly I am surprised that v7 even boots on a hAP lite...

Most of the time it is working with no problems, but I couldn't touch anything and test different features. I wasn't reverted to v6, so I'll be waiting for any updates from devs.

Znevna · Tue Aug 24, 2021 10:02 pm

Maybe this gets implemented in the future? I know there's little hope for v6, but maybe until v7 reaches stable..
viewtopic.php?t=153437
Thank you.

edielson_atm · Tue Aug 24, 2021 10:42 pm

what is the syntax to use BGP AS-PATH in the ROSv7 filter ?

Captura de Tela 2021-08-24 às 16.40.37.png

Chupaka · Tue Aug 24, 2021 10:49 pm

Isn't that what you're looking for?..

bgp-as-path
    {regexp}

https://help.mikrotik.com/docs/pages/vi ... d=74678285

anthonws · Tue Aug 24, 2021 10:56 pm

Where are you targeting the CAKE queue? At the LTE connection? Has it been stable? I wanted to try our CAKE + Autorate Ingress (given my LTE connection bandwidth is quite random).
No, it's on my pppoe Internet connection. I didn't think there was a point in using CAKE on LTE since I don't know the available uplink speed. Or do I?

AFAIU, that's what autorate-ingress is for.

edielson_atm · Tue Aug 24, 2021 11:32 pm

Isn't that what you're looking for?..
Code: Select all
bgp-as-path
    {regexp}
https://help.mikrotik.com/docs/pages/vi ... d=74678285

how can you show me an example?

ominous · Tue Aug 24, 2021 11:38 pm

Hi,

I can't update an RB3011 to the latest rc1 from beta6.

RIght after reboot, the router starts on beta6 again. Opening up a terminal it gives me an error about a kernel panic. Any ideas about this?

I've also made a support ticket: SUP-58027.

I also have the same issue with RB4011. Did you get a reply on your support ticket about this one?

Znevna · Wed Aug 25, 2021 12:10 am

No IPv6 traffic in /tool/torch.

Seán · Wed Aug 25, 2021 12:26 am

The LTE cell-monitor now only shows 3 to 4 cells on my Chateau 5G with V7.1rc1. In the beta versions up to V7.1 beta 6, it showed around 10 cells including the cells it is connected on.

This means when the Chateau 5G is connected in 3CA, it now only intermittently shows one neighbour at most for each band. My Chateau 4G LTE12 which is still on the previous V7.1 beta 6 version continues to show the full list of neighbouring cells.

Cell monitor example from V7.1 beta 6:

Cell monitor V71 beta 6.png

Cell monitor example from V7.1rc1:

Cell monitor rc1.png

infabo · Wed Aug 25, 2021 12:38 am

 /certificate enable-ssl-certificate dns-name=your.domain.tld

kernel panic reboot here straigt after hitting enter. anyone else?

urielka · Wed Aug 25, 2021 1:19 am

Did anyone tried MBIM based cards like Sierra MC7455? last working version is 7.1beta2

eworm · Wed Aug 25, 2021 1:52 am

Trying to add an IPv6 network in /routing/ospf/interface-template results in just the netmask ("/64") being added...

[admin@thyone] /routing/ospf/interface-template> add networks=2001:db8::/64 area=backbone-v3
[admin@thyone] /routing/ospf/interface-template> print where area=backbone-v3
Flags: X - disabled, I - inactive 
 1   area=backbone-v3 instance-id=0 networks=/64 type=broadcast retransmit-interval=5s transmit-delay=1s hello-interval=10s dead-interval=40s priority=128 cost=1

Did I get that work or is it broken?

brg3466 · Wed Aug 25, 2021 2:01 am

Modem Re11-LTE-US works on v05.03.183961, but cannot be upgraded.
Upgraded to 7.1rc1 on my LtAP mini Kit (US version), and saw " A newer version of modem firmware is available ", but when I want to upgrade it from CLI, it lost connection. Tried several times, no luck .

[brg3466@LtAP] > interface/lte/firmware-upgrade lte1 once
  installed: R11eL_v05.03.183961
     latest: R11eL_v05.04.193841

Anyone successfully upgraded the modem of R11e-LTE-US ?

gtj0 · Wed Aug 25, 2021 2:20 am

Attempted an upgrade from 7.1beta6 ro 7.1rc1 on a CCR-1009. On reboot, I got "std failure timeout (13)", all CLI commands hanging, script timeout errors. Couldn't even create a supout. I had to reformat the nand and reinstall via netinstall.

santyx32 · Wed Aug 25, 2021 2:45 am

Looks like CAKE doesn't cause a kernel panic if the target of your simple queue is an IP address instead of an interface, I setup mine like this where vlan999 is my WAN and 192.168.88.0/24 my LAN.

(notice that leaving the destination empty will throttle your LAN speeds which is really bad)

/queue type
add cake-diffserv=besteffort kind=cake name=cake
/queue simple
add bucket-size=0.01/0.01 dst=vlan999 max-limit=90M/90M name=wan queue=cake/cake target=192.168.88.0/24

mjbnz · Wed Aug 25, 2021 2:52 am

what is the syntax to use BGP AS-PATH in the ROSv7 filter ?

Which winbox version is that? Routing -> Filters gives me a text representation of filters, and editing one is a freeform text box, not winbox-style editing

Wed Aug 25, 2021 6:34 am

Looks like CAKE doesn't cause a kernel panic if the target of your simple queue is an IP address instead of an interface, I setup mine like this where vlan999 is my WAN and 192.168.88.0/24 my LAN.

(notice that leaving the destination empty will throttle your LAN speeds which is really bad)
Code: Select all
/queue type
add cake-diffserv=besteffort kind=cake name=cake
/queue simple
add bucket-size=0.01/0.01 dst=vlan999 max-limit=90M/90M name=wan queue=cake/cake target=192.168.88.0/24

Yes, it seems that limit and target-address are required.

santyx32 · Wed Aug 25, 2021 6:56 am

Looks like CAKE doesn't cause a kernel panic if the target of your simple queue is an IP address instead of an interface, I setup mine like this where vlan999 is my WAN and 192.168.88.0/24 my LAN.

(notice that leaving the destination empty will throttle your LAN speeds which is really bad)
Code: Select all
/queue type
add cake-diffserv=besteffort kind=cake name=cake
/queue simple
add bucket-size=0.01/0.01 dst=vlan999 max-limit=90M/90M name=wan queue=cake/cake target=192.168.88.0/24
Yes, it seems that limit and target-address are required.

I don't think this should be the intended behavior, Mikrotik users (and guides on the internet) have been applying simple queues directly to interfaces for years without issues.

It works great with the V6 queue types but V7 ones such as CAKE, Codel or fq_codel are causing kernel panic and bootloop issues with this setup.

Wed Aug 25, 2021 7:01 am

Yes, it seems that limit and target-address are required.
I don't think this should be the intended behavior, Mikrotik users (and guides on the internet) have been applying simple queues directly to interfaces for years without issues.

It works great with the V6 queue types but V7 ones such as CAKE, Codel or fq_codel are causing kernel panic and bootloop issues with this setup.

We have not admitted that it is expected behavior. Currently we heavily researching the issue and looking for the fix!

Cablenut9 · Wed Aug 25, 2021 7:08 am

Will there be a way to have CAKE without a bandwidth limit? I'd like to see a version where it detects packet loss and automatically enables queueing.

ivicask · Wed Aug 25, 2021 8:25 am

Yes, it seems that limit and target-address are required.
I don't think this should be the intended behavior, Mikrotik users (and guides on the internet) have been applying simple queues directly to interfaces for years without issues.

It works great with the V6 queue types but V7 ones such as CAKE, Codel or fq_codel are causing kernel panic and bootloop issues with this setup.

I have codel directly on my wifi interface queue and no crashes so far, didnt try cake yet but I'm sure that one would crash.

Wed Aug 25, 2021 10:15 am

Wave 2 on audience can't do vlan tagging. srsly.....

You can tag wifiwave2 wireless traffic by following the generic bridge vlan configuration example shown here.
The vlan tagging settings in the regular wireless package were redundant and so have not been ported to wifiwave2.

rextended · Wed Aug 25, 2021 10:27 am

The eOW models are a joke from MikroTik. Something about Ethernet over Water or something like that.

Why you ruin the joke so fast...???

emils · Wed Aug 25, 2021 10:37 am

This might sound bizarre, but anyone experiencing kernel crashes with cake/fq_codel, can you confirm the router is stable if there is no active WinBox session to the device? We currently think the crashes are caused by WinBox management session shaping.

buset1974 · Wed Aug 25, 2021 10:45 am

Keep Crashing/ rebooted anytime i add new vrf using /ip/vrf/add or using GUI
I'am testing using RB1100
i try to activate vrf and the problem happen

please check the supout file (this is a lab router not a production one so there is no secret on supout file)

Is there any tutorial how to properly set up vrf on v7?

thx

mikegleasonjr · Wed Aug 25, 2021 10:48 am

This might sound bizarre, but anyone experiencing kernel crashes with cake/fq_codel, can you confirm the router is stable if there is no active WinBox session to the device? We currently think the crashes are caused by WinBox management session shaping.

Thanks for the heads up. Indeed in both cases when I tried FQ Codel and Cake Winbox was open to monitor the logs.

Trying with Winbox closed on a RB4011.

I will report back later

pe1chl · Wed Aug 25, 2021 11:11 am

Will there be a way to have CAKE without a bandwidth limit? I'd like to see a version where it detects packet loss and automatically enables queueing.

Of course with any shaping that is done to provide QoS it would be nice when it could be done directly at the point where the bottleneck occurs.
Within MikroTik routers that would usually only be on a WiFi or LTE interface. And else you need to work around it with those bandwidth limits...
For example I have used a queue tree on a VDSL line to limit the upload to "just below the VDSL rate" and thus provide room for QoS.
However, unfortunately, there is no way to dynamically adjust the upload rate and all its child rates automatically depending on the actual VDSL rate

But now, I have changed my VDSL modem, it was a Draytek 130 and now I have a ZyXEL VMG4005-B50A. I need to do PPPoE-over-VLAN6 with my provider and this modem can do QoS using 802.1p tagging on the PPPoE packets sent from MikroTik to the modem (which operates in bridge mode).
Hooray! now there is no more need to do queueing on the MikroTik for QoS, I just need to do a mangle "set priority from DSCP", the priority is copied into the VLAN header sent to the modem, and the modem has 8 queues to sort the priority at the moment the packets are transmitted!

Solutions like this are the best. Of course when you have malicious users you still may want to use some shaping to avoid the abuse of high-priority DSCP values for all traffic, and also unfortunately RouterOS does not provide "set priority from DSCP" in IPv6. Still not, in 7.1rc1 in 2021.

stsimb · Wed Aug 25, 2021 11:19 am

Hi everyone, thanks for this release!

remote logging with BSD Syslog flag enabled produces unreadable logs in remote syslog server (full of #000#000#000#000).

No BSD Syslog flag ->
Aug 25 11:11:12 tik-vpn-1-lan.hellasdirect.gr system,info log action changed by admin
Aug 25 11:11:13 warning denied winbox/dude connect from 118.174.111.6
Aug 25 11:11:47 warning denied message repeated 12 times: [ winbox/dude connect from 118.174.111.6]

Enable BSD Syslog flag ->
Aug 25 11:11:49 tik-vpn-1-lan.hellasdirect.gr #000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000
Aug 25 11:11:50 tik-vpn-1-lan.hellasdirect.gr #000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000

mikegleasonjr · Wed Aug 25, 2021 12:25 pm

This might sound bizarre, but anyone experiencing kernel crashes with cake/fq_codel, can you confirm the router is stable if there is no active WinBox session to the device? We currently think the crashes are caused by WinBox management session shaping.
Thanks for the heads up. Indeed in both cases when I tried FQ Codel and Cake Winbox was open to monitor the logs.

Trying with Winbox closed on a RB4011.

I will report back later

Cake is rebooting the router after an hour, no Winbox session opened, trying now with fq codel...

Just for your infos, here's my config:

/ip firewall mangle
	add action=mark-connection chain=postrouting comment=wan connection-state=new new-connection-mark=wan-conn out-interface-list=WAN passthrough=yes
	add action=mark-connection chain=prerouting comment=wan connection-state=new in-interface-list=WAN new-connection-mark=wan-conn passthrough=yes
	add action=mark-packet chain=postrouting comment=wan connection-mark=wan-conn new-packet-mark=wan-out-pk out-interface-list=WAN passthrough=no
	add action=mark-packet chain=prerouting comment=wan connection-mark=wan-conn in-interface-list=WAN new-packet-mark=wan-in-pk passthrough=no

/queue type
	add kind=sfq name=fair

/queue tree
	add bucket-size=0.002 max-limit=95M name=wan-in packet-mark=wan-in-pk parent=global queue=fair
	add bucket-size=0.002 max-limit=47500k name=wan-out packet-mark=wan-out-pk parent=global queue=fair

Then I just replace sfq with either cake or fq-codel.

safik · Wed Aug 25, 2021 12:37 pm

Hello,
marked in red is a cosmetic defect or is something wrong set? In version 6 it does not.
Thank you for answer.

Clipboard 2.jpg

FezzFest · Wed Aug 25, 2021 12:58 pm

Did anyone tried MBIM based cards like Sierra MC7455? last working version is 7.1beta2

wAP R with Sierra MC7430 works fine, but it also worked fine with 7.1beta6.

loloski · Wed Aug 25, 2021 2:22 pm

Code: Select all
 /system/backup/cloud/upload-file action=create-and-upload password=mikrotik
results in kernel panic

`system,error,critical router was rebooted without proper shutdown, probably kernel failure`

Using winbox GUI not in the terminal were able to backup and upload the config, but can't delete though

Wed Aug 25, 2021 2:25 pm

Wifi LED on Hap ac^3 doesn't seem to work after installing the wifiwave2 package and there's no way to configure it in the system/LEDs panel.

By the way, does the wifiwave2 on ROS support airtime fairness?

Airtime fairness is enabled by default for wifiwave2 interfaces.

Rfulton · Wed Aug 25, 2021 3:20 pm

Creating a new WIFI Wave 2 interface and assigning the same country code as the physical interfaces reports "Country not allowed"

I cannot create a sub interface whatsoever.

ivicask · Wed Aug 25, 2021 5:27 pm

One more thing i found broken is under PPP->Profile-> On up / Down Scripts dont work anymore, hope can be fixed in next update because i have some scripts for fast failover and email sending there..

Znevna · Wed Aug 25, 2021 5:37 pm

 time=17:35:10 topics=pppoe,ppp,info message=pppoe-wan: disconnected
 time=17:35:10 topics=script,warning message=ivicask ppp profile on-down test, if you see this, it works.
 time=17:35:15 topics=pppoe,ppp,info message=pppoe-wan: initializing...
 time=17:35:15 topics=pppoe,ppp,info message=pppoe-wan: connecting...
 time=17:35:18 topics=pppoe,ppp,info message=pppoe-wan: authenticated
 time=17:35:18 topics=pppoe,ppp,info message=pppoe-wan: connected
 time=17:35:18 topics=system,info message=address list entry removed
 time=17:35:18 topics=script,warning message=ivicask ppp profile on-up test, if you see this, it also works.
 time=17:35:28 topics=system,info message=address list entry added

Check your scripts for whatever is broken.

ivicask · Wed Aug 25, 2021 6:13 pm

 time=17:35:10 topics=pppoe,ppp,info message=pppoe-wan: disconnected
 time=17:35:10 topics=script,warning message=ivicask ppp profile on-down test, if you see this, it works.
 time=17:35:15 topics=pppoe,ppp,info message=pppoe-wan: initializing...
 time=17:35:15 topics=pppoe,ppp,info message=pppoe-wan: connecting...
 time=17:35:18 topics=pppoe,ppp,info message=pppoe-wan: authenticated
 time=17:35:18 topics=pppoe,ppp,info message=pppoe-wan: connected
 time=17:35:18 topics=system,info message=address list entry removed
 time=17:35:18 topics=script,warning message=ivicask ppp profile on-up test, if you see this, it also works.
 time=17:35:28 topics=system,info message=address list entry added

Check your scripts for whatever is broken.

Iv put only this for test in both up and down, and its default profile and assigned to only pppoe connection i have..

log info "This is a test"

And its not printing it in log, doesnt matter what script i put, its not script thats broken, its not executing it!

EDIT:Tried it on one SXT ap here and it works fine! Same thing DOESNT work on my HAP AC2.

I did already sent bug report with supout to MT so i hope they figure it out.

anthonws · Wed Aug 25, 2021 6:52 pm

Will there be a way to have CAKE without a bandwidth limit? I'd like to see a version where it detects packet loss and automatically enables queueing.

Isn't this what autorate-ingress is all about? I'm waiting to have CAKE stable to test this on my LHGGR LTE6, mainly for bufferbloat management and naturally making sure that no one here at home kills the entire connection

).

mducharme · Wed Aug 25, 2021 7:16 pm

Hello, I have these two static ipv6 routes that show up in a config export but do not appear in the routes list, or the output of the print command, so I cannot delete them (at first I just had one, and I tried creating a new one to replace it but it got changed in the same way somehow):

/ipv6 route
add disabled=no distance=1 dst-address=/0 gateway=fc00:bbbb:bbbb:bb01::1 routing-table=vpn scope=30 target-scope=10
add disabled=no distance=1 dst-address=/0 gateway=fc00:bbbb:bbbb:bb01::1 routing-table=vpn scope=30 target-scope=10

Cablenut9 · Wed Aug 25, 2021 7:17 pm

Isn't this what autorate-ingress is all about?

I thought so, but the Mik Wiki doesn't say how to enable autorate-ingress.

Chupaka · Wed Aug 25, 2021 7:51 pm

Hooray! now there is no more need to do queueing on the MikroTik for QoS, I just need to do a mangle "set priority from DSCP", the priority is copied into the VLAN header sent to the modem, and the modem has 8 queues to sort the priority at the moment the packets are transmitted!

So, "set priority from DSCP" copies priority value from IP packet to pppoe frame with that packet?..

big0bum · Wed Aug 25, 2021 7:51 pm

Hi,

I can't update an RB3011 to the latest rc1 from beta6.

RIght after reboot, the router starts on beta6 again. Opening up a terminal it gives me an error about a kernel panic. Any ideas about this?

I've also made a support ticket: SUP-58027.
I also have the same issue with RB4011. Did you get a reply on your support ticket about this one?

Hi,

No, didn't get an answer.

santyx32 · Wed Aug 25, 2021 7:58 pm

This might sound bizarre, but anyone experiencing kernel crashes with cake/fq_codel, can you confirm the router is stable if there is no active WinBox session to the device? We currently think the crashes are caused by WinBox management session shaping.

I had the Mikrotik Android app open on my phone to measure the CPU usage of the router when downloading large files from my laptop, then it crashed after some minutes.

Target interface was vlan999 (WAN) and queue type CAKE.

ivicask · Wed Aug 25, 2021 9:38 pm

This might sound bizarre, but anyone experiencing kernel crashes with cake/fq_codel, can you confirm the router is stable if there is no active WinBox session to the device? We currently think the crashes are caused by WinBox management session shaping.
I had the Mikrotik Android app open on my phone to measure the CPU usage of the router when downloading large files from my laptop, then it crashed after some minutes.

Target interface was vlan999 (WAN) and queue type CAKE.

What if you try FastTrack winbox packets, will they avoid queue and maybe fix the issue until proper fix is done?

santyx32 · Wed Aug 25, 2021 10:16 pm

What if you try FastTrack winbox packets, will they avoid queue and maybe fix the issue until proper fix is done?

Maybe it can do the trick but the simple queue setup I described some posts above it's working great for me.

Cablenut9 · Thu Aug 26, 2021 3:35 am

Does this mean that if I want CAKE in v7 without crashes, I just can't use Winbox?

mducharme · Thu Aug 26, 2021 4:19 am

Does wifiwave2 have four address mode support yet?

Thu Aug 26, 2021 8:08 am

Creating a new WIFI Wave 2 interface and assigning the same country code as the physical interfaces reports "Country not allowed"

I cannot create a sub interface whatsoever.

This is an issue on boards with country locks. It will be fixed in rc2.

Thu Aug 26, 2021 8:10 am

Does wifiwave2 have four address mode support yet?

Not yet, no.

npeca75 · Thu Aug 26, 2021 8:22 am

Rb3011 uias-rm

uptime 23h
idling
no traffic
no CPU usage
no memory leak
it only sitting on desk and idling

after 23h, it is frozen
LCD does not respond, frozen at last screen
Watchdog does not kick in
could not access over network
serial console does not respond

after power cycle, it is live again

man20820 · Thu Aug 26, 2021 9:27 am

What's new in 7.1rc1 (2021-Aug-19 13:06):
*) added skin support for WinBox (WinBox v3.29 required);
Where a can find skins in winbox?

set the skin on webfig

doneware · Thu Aug 26, 2021 11:46 am

The eOW models are a joke from MikroTik. Something about Ethernet over Water or something like that. You can find it with a Google fairly easily. The other two models will be legit but they have been in the code for a while.

these items were in the code for a while. but the 12x100GE + 36x25GE is nothing too far fetched. there are a dozen of SoCs out there that aren't too expensive, pack a significant punch and the 25/50/100G geared capabilities can essentially totally back the name: you can break down a single 100GE into 4x25GE, so this would be handled by 21 x 100GE which is not unheard of.
broadcom had its trident/tomahawk series of switch ASICs out for years, and they support either 32x100GE or 64x100GE single-handedly on a single chip.

the only thing that bothers me is the number 21, but it can be traced back to "front panel real-estate" challenges: you cannot fit more ports to a 1RU device. 12+36 = 48.

so jokes aside, this can be a real device - as there are countless implementations based on the open design, Mikrotik might only need to adapt RouterOS to the control plane to one of them.
Broadcom had a presentation 3 or 4 years ago, claiming the manufacturing costs for a 32x100GE device are well below $3000.

Thu Aug 26, 2021 11:52 am

Rb3011 uias-rm

after 23h, it is frozen

My RouterOS v7 test lab consists of 3x RB3011.

They are all happily running with OSPF + LDP with no lockups or reboots.

aussetg · Thu Aug 26, 2021 12:02 pm

Does wifiwave2 have four address mode support yet?
Not yet, no.

Will it be added in time for 7.1 Release ?

npeca75 · Thu Aug 26, 2021 12:26 pm

My RouterOS v7 test lab consists of 3x RB3011.

They are all happily running with OSPF + LDP with no lockups or reboots.

@nz_monkey

you are lucky one
my problem started with 6.48 and port flapping, now rc1 freeze
but it work perfectly on LTS
so, downgrade & coffee & happiness

rplant · Thu Aug 26, 2021 12:47 pm

Wireguard vs OpenVPN routing difference.
(OpenVPN is broken)

Hi,
In previous versions both Wireguard and OpenVPN Servers did not keep their connection tracking from input to output properly.
Visible when incoming wg/ovpn traffic comes in on a non default gateway, where the connection is marked and routing rules are used to
route the traffic back the way it came.
In 7.1rc1 Wireguard does appear to keep it's connection, however OpenVPN is still broken.

I have some pass through firewall rules doing logging.

OpenVPN
The traffic is entering the router is destined for OpenVPN at address 192.168.93.26, but leaving the router using a source of 192.168.1.55
The connection does not succeed. (There is a bunch of Nat and SPI firewalls in the way)

time=19:18:49 topics=firewall,info message=wgin-uses93 input: in:bridge-93 out:(unknown 0), src-mac a4:91:b1:7e:a5:97, proto UDP, 49.184.18.30:15085->192.168.93.26:20194, len 42
time=19:18:49 topics=firewall,info message=ovpn,wg input: in:bridge-93 out:(unknown 0), src-mac a4:91:b1:7e:a5:97, proto UDP, 49.184.18.30:15085->192.168.93.26:20194, len 42
time=19:18:49 topics=firewall,info message=wgout-all output: in:(unknown 0) out:ether2, proto UDP, 192.168.1.55:20194->49.184.18.30:15085, len 42
time=19:18:49 topics=firewall,info message=wgout-all output: in:(unknown 0) out:ether2, proto UDP, 192.168.1.55:20194->49.184.18.30:15085, len 50

Wireguard
During idle, the remnants of a previous connection (long closed) are leaving via 192.168.1.55
When a new connection comes in, The traffic enters the router destined for wireguard on 192.168.93.26, and then also leaves the
wireguard on the router with a source of 192.168.93.26
This connection works ok.

time=19:22:16 topics=firewall,info message=wgout-all output: in:(unknown 0) out:ether2, proto UDP, 192.168.1.55:13231->49.184.18.30:15064, len 176
time=19:22:22 topics=firewall,info message=wgout-all output: in:(unknown 0) out:ether2, proto UDP, 192.168.1.55:13231->49.184.18.30:15064, len 176
time=19:22:28 topics=firewall,info message=wgout-all output: in:(unknown 0) out:ether2, proto UDP, 192.168.1.55:13231->49.184.18.30:15064, len 176

time=19:22:32 topics=firewall,info message=wgin-uses93 input: in:bridge-93 out:(unknown 0), src-mac a4:91:b1:7e:a5:97, proto UDP, 49.184.18.30:15089->192.168.93.26:13231, len 176
time=19:22:32 topics=firewall,info message=ovpn,wg input: in:bridge-93 out:(unknown 0), src-mac a4:91:b1:7e:a5:97, proto UDP, 49.184.18.30:15089->192.168.93.26:13231, len 176

time=19:22:32 topics=firewall,info message=wgout-all output: in:(unknown 0) out:bridge-93, proto UDP, 192.168.93.26:13231->49.184.18.30:15089, len 120
time=19:22:32 topics=firewall,info message=wgin-uses93 input: in:bridge-93 out:(unknown 0), src-mac a4:91:b1:7e:a5:97, proto UDP, 49.184.18.30:15089->192.168.93.26:13231, len 60
time=19:22:32 topics=firewall,info message=wgout-all output: in:(unknown 0) out:bridge-93, proto UDP, 192.168.93.26:13231->49.184.18.30:15089, len 60

parham · Thu Aug 26, 2021 1:32 pm

Would be great if Mikrotik can add just two CA root certificate in the kernel for the next release, with just two certificate (DigiCert Global Root CA and GTS Root R1) you can cover the DOH for 1.1.1.1 family, 9.9.9.9 and 8.8.8.8

Also would be great to have additional line for DOH not just one.

osc86 · Thu Aug 26, 2021 1:39 pm

IMO ROS should have all major Root-CAs included by default. Saves a lot of headache with LE and DoH.

pe1chl · Thu Aug 26, 2021 2:07 pm

IMO ROS should have all major Root-CAs included by default. Saves a lot of headache with LE and DoH.

That takes quite some space, which is at a premium in some devices.
It could be made an optional package, but it looks like packages are becoming a thing of the past...

zainarbani · Thu Aug 26, 2021 2:14 pm

We have not admitted that it is expected behavior. Currently we heavily researching the issue and looking for the fix!

Hi, since we don't have access to internal shell.
Could you set simple or queue tree with cake/fq_codel scheduler and share output from this command?

tc qdisc list
tc filter list
tc class list

mikegleasonjr · Thu Aug 26, 2021 2:33 pm

This might sound bizarre, but anyone experiencing kernel crashes with cake/fq_codel, can you confirm the router is stable if there is no active WinBox session to the device? We currently think the crashes are caused by WinBox management session shaping.

So I tried to open as few and quick Winbox sessions as possible (just to check the uptime)...

cake rebooted after 2 hours yesterday
fq codel rebooted after 24 hours this morning

Back to sfq to see if it's not something else that made the router reboot this morning with fq codel.

But it's by far the biggest uptime that I had on fq codel of all the betas.

Thanks for the suggestion. Good luck to you guys, I hope a solution will come...

Cablenut9 · Thu Aug 26, 2021 3:10 pm

Interestingly, my RB4011 has fq_codel on all interfaces and never crashes because of fq_codel.