v7.2rc2 and v7.2rc3 is released!

emils · Fri Jan 28, 2022 12:35 pm

RouterOS version 7.2rc3 has been released "v7 testing" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.2rc3 (2022-Jan-28 16:33):

*) bridge - fixed filter and NAT "set-priority" action;
*) queue - fixed traffic processing (introduced in v7.2rc2);

What's new in 7.2rc2 (2022-Jan-28 11:00):

*) arm - fixed "shutdown" command on hAP ac^2;
*) bgp - fixed routing table and BGP configuration order in export;
*) bluetooth - disable scanning by default;
*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;
*) bridge - fixed bridge filter and NAT rules on ARM64 and TILE devices;
*) capsman - improved stability when running background scan on CAP;
*) clock - properly notify all instances about time changes;
*) conntrack - properly detect helper status;
*) console - improved console responsiveness when processing received characters;
*) console - updated copyright notice;
*) crs3xx - fixed QSFP+ interface LEDs;
*) crs3xx - fixed optical SFP+ linking (introduced in v7.2rc1);
*) crs3xx - improved SFP+ interface linking after reboot for CRS312 device;
*) crs3xx - improved SFP+/QSFP+ link stability for CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices (introduced in v7.2rc1);
*) defconf - made "192.168.188.1/24" the default LAN IP address for LTE CPE devices;
*) dhcpv4-server - remove dynamic leases when server configuration is removed;
*) dot1x - added "server-fail-vlan-id", "guest-vlan-id" and "reauth-timeout" settings for dot1x server;
*) dot1x - added "src-address", "src-mac-address" and "src-port" settings for dynamic switch rules;
*) dot1x - added NAS-Port-ID attribute for RADIUS Access-Request;
*) firewall - improved system stability when using address lists (introduced in v7.2rc1);
*) hotspot - fixed memory leak on every web page loading;
*) hotspot - fixed web page loading using HTTPS;
*) ike2 - ignore "INITIAL-CONTACT" payload on responder when "send-initial-contact" is disabled;
*) interface - fixed minor memory leak when interface or connected route is changed;
*) l3hw - added HW offloaded FastTrack support for inter-VLAN routing;
*) l3hw - fixed HW offloaded NAT;
*) leds - fixed user LED on RB750Gr3;
*) log - include message also in e-mail body;
*) lora - fixed "antenna-gain" parameter unit;
*) lte - added 3 APN profile support and APN name re-using on R11e-LTE6;
*) lte - added MAC address and IPv6 LL address persistence after reboot on EG12 and EG18 modems;
*) lte - added class based support for configless RNDIS LTE modems;
*) lte - do not show external antenna selector on devices that does not support it;
*) lte - fixed IPv6 address addition after startup on R11e-LTE6;
*) lte - fixed possible timeouts when sending SMS in LTE only mode on R11e-LTE;
*) lte - fixed support for Sierra MC7710;
*) lte - fixed support for Telit 960;
*) lte - improved stability on "+EGMR" response in MBIM mode;
*) lte - improved support for sending/receiving SMS in LTE only mode on R11e-LTE6;
*) lte - properly recognize MBIM modem in USB port as LTE on Chateau 5G;
*) ospf - added "ptmp-broadcast" interface type (compatible with RouterOSv6 PTMP type);
*) ospf - convert ospf "static" redistribute to "static,dhcp,modem,vpn" after update from RouterOS v6;
*) ospf - fixed MD5 authentication;
*) ospf - fixed NBMA hello's not being sent if priority is set to 0;
*) ospf - fixed default type-3 LSA's not being injected to stub area;
*) ospf - fixed incorrect LSA types when changing area types;
*) ospf - fixed neighbor election failure;
*) ospf - improved logging;
*) ospf - improved stability on OSPFv3 instance disabling;
*) ovpn - improved UDP session handling;
*) ppp - fixed AT+CPIN chat when SIM PIN is specified;
*) pptp - show insecure connection warning on dynamic interfaces;
*) qsfp - correctly display auto-negotiation status;
*) queue - improved system stability when processing traffic;
*) route - fixed "suppress-hw-offload" update;
*) route - fixed router's LSA for PTP networks;
*) route - fixed routing configuration export on SMIPS devices;
*) route - improved routing table print speed;
*) route - show OSPF and RIP specific attributes in "/routing route" table;
*) route-filter - fixed "return" action;
*) route-filter - fixed complex matchers with "|| or and &&";
*) route-filter - fixed incorrect invert-match configuration upgrade from RouterOS v6;
*) route-filter - fixed range conversion after update from RouterOS v6;
*) rpki - made RPKI verify non-strict, introduces new state "unverified";
*) rpki - show expire timer;
*) smb - fixed SMB2.0 disk size reporting;
*) snmp - added SFP vendor name to optical table;
*) snmp - added support for "ipv6AddrPrefixTable" and "ipv6RouteNumber" OID's;
*) snmp - allow two level nesting for vlan, bonding speed query;
*) system - fixed license loss on some RB1100Dx4 and RB4011 devices;
*) traffic-flow - do not handle NAT events when "nat-events" is disabled;
*) traffic-generator - fixed transmit speed for multiple asymmetric streams;
*) usb - fixed display of incorrect port count for USB serial ports;
*) vlan - fixed improper VLAN priority addition for routed packets;
*) vxlan - allow unsetting "group" and "interface" properties;
*) webfig - do not show side menu if WebFig is disabled by skin;
*) winbox - added "Disconnect Notify" checkbox to "Interface/OVPN Client" menu;
*) winbox - added "Freq. Usage" and "Scan" buttons for WifiWave2 interfaces;
*) winbox - added "Ignore Missing" selector to "System/Packages" menu;
*) winbox - added "Routing Table" parameter for IPv6 routes;
*) winbox - added "VPN" tab to "Routing/BGP" menu;
*) winbox - added "VRF" parameter to "IP/Services" menu;
*) winbox - added "comment" parameter to "User Manager/Users" menu;
*) winbox - added MLAG support;
*) winbox - added SHA256 and SHA512 "Auth" values for OVPN menu's;
*) winbox - added ZeroTier support;
*) winbox - added explicit "Upload" and "Download" names for "Bucket Size" parameters under "Queues" menu;
*) winbox - allow setting "Interface" parameter for 100G LED types;
*) winbox - do not show "Antenna Scan" button on devices that do not support it;
*) winbox - fixed "action" field in "IP/Web Proxy/Access" menu;
*) winbox - fixed CHR License renewing process;
*) winbox - fixed content filtering in "Tools/Packet Sniffer/Packets" menu;
*) winbox - fixed entry order in "Tools/Packet Sniffer/Packets" menu;
*) winbox - made OSPF interface type names consistent between CLI and GUI;
*) winbox - properly save "IPv6/Settings" menu in session file;
*) winbox - renamed "MBPS" to "Mbps" value unit name in "Tools/Traffic Generator" menu;
*) winbox - show "H" flag for offloaded connections in "IP/Firewall/Connections" menu;
*) winbox - show "System/SwOS" menu only on boards that have dual boot;
*) winbox - sort "Address List" parameter values alphabetically in "IP/DHCP Server/Leases" menu;
*) wireless - improved wireless connection stability during background scans;
*) wireless - fixed interface initialization on Metal 2SHPn;
*) x86 - added support for Intel E810 NIC;
*) x86 - made "no" the default value for "disable-running-check" ethernet parameter;
*) x86 - properly distinguish multiple NICs that share the same PCI bus number;
*) zerotier - made MAC and MTU values read-only;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this particular RouterOS release.

nescafe2002 · Fri Jan 28, 2022 12:47 pm

*) vxlan - allow unsetting "group" and "interface" properties;

The "group" and "interface" properties are (unexpectedly) unset on upgrade from 7.2rc1 to 7.2rc2.

Before upgrade:

/interface vxlan add group=224.0.0.188 interface=bridge-lan name=vxlan-iot port=8472 vni=123

After upgrade:

/interface vxlan add mtu=1400 name=vxlan-iot port=8472 vni=123

ErnyTech · Fri Jan 28, 2022 12:47 pm

Please fix the IPv6 firewall connection tracking problems with the queues enabled, there have been reports on the forum for months about this problem.
All 7.1+ are affected by this problem and it prevents us from using the queues together with the IPv6 firewall, all IPv6 packets are dropped because they result in connection state invalid

gabacho4 · Fri Jan 28, 2022 1:15 pm

Upgraded from 7.1.1 and my wireguard connections no l longer worked. No connection was being made and disabling and reenabling the interface had no effect. Rolled back to 7.1.1 and all was well again. Literally nothing in the config changed between both versions.

EDIT: realized I didn't state what platform I am using. I am running an RB5009.

Jotne · Fri Jan 28, 2022 2:00 pm

Still no ZeroTier for mips...

mozerd · Fri Jan 28, 2022 2:00 pm

On my CCR1009 --- Just loaded 7.2rc2 and that went very smoothly
so far everything is working as I expect ---- CPU is stable .... WireGuard is functioning and to my surprise its a bit faster now

mikegleasonjr · Fri Jan 28, 2022 2:07 pm

Queues are totally broken in this release (for me)

RB4011

PPPoE over VLAN

Bridge vlan filtering enabled

Had 2 queues in the queue tree, one for inboud, one for outboud. I get no Internet when they're enabled. Ping from the router tells me: "rejected packet" or something like that. LAN traffic works.

Creating a simple queue seems to work but as soon as I set Max Limit, Internet connection drops. Removing Max Limits makes it work again.

I tried other queue types besides Cake and I have the same behavior.

Here's my original queue config which was working for several BETAs and RCs:

/queue type
add cake-atm=atm cake-bandwidth=50.0Mbps cake-flowmode=dual-srchost cake-overhead=46 kind=cake name=cake-out
add cake-atm=atm cake-bandwidth=100.0Mbps cake-flowmode=dual-dsthost cake-overhead=46 cake-wash=yes kind=cake name=cake-in

/queue tree
add bucket-size=0.002 name=wan-in packet-mark=wan-in-pk parent=global queue=cake-in
add bucket-size=0.002 name=wan-out packet-mark=wan-out-pk parent=global queue=cake-out

obscurus · Fri Jan 28, 2022 2:08 pm

Upgraded from 7.1.1 and my wireguard connections no l longer worked. No connection was being made and disabling and reenabling the interface had no effect. Rolled back to 7.1.1 and all was well again. Literally nothing in the config changed between both versions.

EDIT: realized I didn't state what platform I am using. I am running an RB5009.

The same issue with wireguard/
RB5009

pe1chl · Fri Jan 28, 2022 2:09 pm

Lots of fixes but still no BFD :-(
That means no chance to test it in our network.

Bergante · Fri Jan 28, 2022 2:13 pm

*) vlan - fixed improper VLAN priority addition for routed packets;

Confirmed. My VoIP registrations no longer fail.

noradtux · Fri Jan 28, 2022 2:16 pm

Still has the IPv6 over Wireguard issue as described in viewtopic.php?p=908865

quotengrote · Fri Jan 28, 2022 2:27 pm

*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;

That could explain viewtopic.php?p=908851#p907193

korzus · Fri Jan 28, 2022 2:40 pm

Having problems to connect winbox and no internet access.
Connected to webfig through wifi, where i made the rollback to 7.1.1 and upgrade to 7.2rc1.

quotengrote · Fri Jan 28, 2022 2:50 pm

Short question, how do you roll back? Netinstall or just dumping a old npk on the device?

gabacho4 · Fri Jan 28, 2022 2:53 pm

both would technically work. Easiest way is to change your update repo back to stable and then download and install 7.1.1.

Fri Jan 28, 2022 3:04 pm

Upgraded from 7.1.1 and my wireguard connections no l longer worked. No connection was being made and disabling and reenabling the interface had no effect. Rolled back to 7.1.1 and all was well again. Literally nothing in the config changed between both versions.

EDIT: realized I didn't state what platform I am using. I am running an RB5009.

FWIW:
Hex on 7.1.1
mAP on 7.2rc2
wireguard active between both and running

Xifen · Fri Jan 28, 2022 3:08 pm

*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;
*) l3hw - added HW offloaded FastTrack support for inter-VLAN routing;

I have some difficulties to have this working.
On which devices should this work ?
RB4011 ? RB5009 ?
Many thanks !

biomesh · Fri Jan 28, 2022 3:20 pm

On my crs3xx devices seems to have broken access to my management interfaces (dhcp client on the bridge). The switches work but I can't manage them except through a console cable. ccr1009, cap ac, crs112, and chr working fine.

I think this has to do with some of the changes to vlan filtering. **maybe not - disabling it made no difference **

pe1chl · Fri Jan 28, 2022 3:23 pm

Short question, how do you roll back? Netinstall or just dumping a old npk on the device?

When you have a device with more than the 16MB flash found on low-end devices, always partiton the flash in 2 partitions so you can copy your existing install to the other partition before doing any upgrade.
Then you can switch back (and forth) between those versions in case of problems, to compare things (did it work in the previous version?) etc.

notToNew · Fri Jan 28, 2022 3:41 pm

Winbox-Zerotier Instance is called "Wireguard" in the Window-Capture

codework · Fri Jan 28, 2022 3:43 pm

When will bfd be fixed?

gabacho4 · Fri Jan 28, 2022 3:46 pm

FWIW:
Hex on 7.1.1
mAP on 7.2rc2
wireguard active between both and running

Different architecture. Someone else with a 5009 is reporting the same.

Jotne · Fri Jan 28, 2022 3:51 pm

/export on older ruters like SXT 5HPnD (400Mhz) still does not work.
Start slow and just hangs, or take very long time. Cpu show 100% the whole time
Sometimes it may show the config after 15 min other times it shows this:

Console has crashed; please log in again.

Device works and have some basic configuration.
Has been like this since first 7.x beta.

How hard should it be to just show some config lines?

bruins0437 · Fri Jan 28, 2022 4:04 pm

RouterOS version 7.2rc2 has been released "v7 testing" channel!
*) firewall - improved system stability when using address lists (introduced in v7.2rc1);

Thank you thank you thank you!!

curtdept · Fri Jan 28, 2022 4:06 pm

RB5009, my queues seem completely broken, I had to disable to get any packets through.

gabacho4 · Fri Jan 28, 2022 4:12 pm

RB5009, my queues seem completely broken, I had to disable to get any packets through.

Awesome! I just fired up 7.2rc2 again and disabled my WireGuard queue and guess what? It works! So what about queues has broken things? I’m using a fq_codel queue.

Changing the queue interface from WireGuard to just WAN breaks my connection as well. Definitely a queue issue.

usern · Fri Jan 28, 2022 4:30 pm

Is there going to be webfig or WinBox support for ZeroTier instead of just cli?

Chupaka · Fri Jan 28, 2022 4:58 pm

Like in

*) winbox - added ZeroTier support;

?

huntermic · Fri Jan 28, 2022 5:05 pm

Is there going to be webfig or WinBox support for ZeroTier instead of just cli?

Reading is a real art.......

emils · Fri Jan 28, 2022 5:10 pm

Hotfix for queue processing should be available now.

What's new in 7.2rc3 (2022-Jan-28 16:33):

*) bridge - fixed filter and NAT "set-priority" action;
*) queue - fixed traffic processing (introduced in v7.2rc2);

anav · Fri Jan 28, 2022 5:12 pm

On my CCR1009 --- Just loaded 7.2rc2 and that went very smoothly
so far everything is working as I expect ---- CPU is stable .... WireGuard is functioning and to my surprise its a bit faster now

So brave, I am waiting for 7.2 stable before turning my CCR1009 into a rocking wireguard machine.

(1) This change I have questions about and to me it could be significant!
*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;

This if not in place before should really speed up performance ??

(2) Happy to see this.
) winbox - added ZeroTier support;

(3) still waiting for.......
route rule - added src-address-list and dst-address-list for traffic identifiers :-)

gabacho4 · Fri Jan 28, 2022 5:15 pm

Hotfix for queue processing should be available now.

What's new in 7.2rc3 (2022-Jan-28 16:33):

*) bridge - fixed filter and NAT "set-priority" action;
*) queue - fixed traffic processing (introduced in v7.2rc2);

Holy crap that was fast!

alibalalo · Fri Jan 28, 2022 5:49 pm

Has the server reboot problem
RB5009UG+S+IN and CCR2004-16G-2S+ been fixed?
Has the hotspot page not showing up problem been fixed?

fragtion · Fri Jan 28, 2022 5:52 pm

Is it worth upgrading RB5009 from 7.1.1 to 7.2rc3, or should we wait rather for a 7.1.x update?

I skipped 7.2rc1 because of the address-list cpu issue (and some other regressive bugs which were reported), but it seems 7.2rc2/3 has many improvements and so I would like to see if it maybe fixes some of the known issues (like port flapping on the RB5009 - although no explicit mentions of such in the changelogs, and also nothing about the broken gaps in traffic graphs, see this post for what I'm talking about)...

7.2rc seems a lot more experimental than 7.1.x, am I correct? Can we expect a 7.1.x update soon? The dichotomy of 7.x release channels is a bit confusing I'll be honest

jvanhambelgium · Fri Jan 28, 2022 6:03 pm

7.2rc3 completely destroyed my RB5009 !
Even for testing/release-candidate quality of software this is quite a joke...really....

OK...let's see how I can regain control over my RB5009. Can't even ping the device anymore....

UPDATE : MAC-connection still works, nice thing ; I cannot "downgrade" at first sight. The ZIP-file with all packages of 7.1.1 in the folder and I press "Downgrade" and confirm to reboot .... box reboots and I do MAC-login with Winbox and see nothing is dowgraded...ok, see to perform this manually of some sort....

UPDATE2 : Managed to get my RB5009 back to 7.1.1 and I think I'm going to stay there for a while ;-) Enough excitement for a Friday evening ;-)

emils · Fri Jan 28, 2022 6:37 pm

jvanhambelgium, please generate a supout.rif file while you are at it. Without any usable information, it is impossible for us to figure out what went wrong.

Xifen · Fri Jan 28, 2022 6:42 pm

On my CCR1009 --- Just loaded 7.2rc2 and that went very smoothly
so far everything is working as I expect ---- CPU is stable .... WireGuard is functioning and to my surprise its a bit faster now
So brave, I am waiting for 7.2 stable before turning my CCR1009 into a rocking wireguard machine.

(1) This change I have questions about and to me it could be significant!
*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;

This if not in place before should really speed up performance ??

Yes, at least it will decrease CPU utitilization a lot.
But as per my tests (7.2rc2 / 7.2rc3) on both RB4011 and RB5009, it does not work :

korzus · Fri Jan 28, 2022 6:52 pm

Short question, how do you roll back? Netinstall or just dumping a old npk on the device?

As i still had connection through wifi on rb4011, i was able to connect to webfig and did the system/package/stable/download and install. after 7.1.1 i downloaded the rc1 from https://download.mikrotik.com/routeros/ ... c1-arm.npk

Othewise, probably with console cable or hard reset or netinstall.

i will try the 7.2rc3 now.

osc86 · Fri Jan 28, 2022 7:26 pm

I updated a CCR2004-16G-2S+ to 7.2rc3; after the 3rd reboot, I lost all 4 wireguard interfaces. Rebooted again and they were still missing. Loaded a backup and everything is ok again.

eworm · Fri Jan 28, 2022 7:34 pm

This has funny breakage with scripting! With 7.2rc1 (and typing "y"):

[admin@MikroTik] > :put [ :terminal inkey timeout=60 ]
121

This is correct, 121 is the ASCII code for "y". Not with 7.2rc2 (and without typing anything!):

[admin@MikroTik] > :put [ :terminal inkey timeout=60 ]
60940

biomesh · Fri Jan 28, 2022 8:01 pm

Had an issue with the upgrade ccr1009 - the nand /filesystem was corrupt and had to netinstall.

I also was able to duplicate the issue with high utilization on the ccr1009 with regards to l2tp/ipsec. I had no issues with the netinstall/reimport with the exception of the certs, which is to be expected. I reimported the cert and immediately the router goes into 35% utilization and required a reboot. During the upgrade from 6.x to 7.x, it seems this same process happens. It looks like there is an issue with l2tp/ipsec when importing certs.

For my issues with the crs3xx switches, I changed my config from untagged, dhcp client based MGMT access to tagged, static address based MGMT access. This addressed the situation, but this version still has an issue with access to the crs3xx devices when using untagged, dhcp client access to the bridge.

lamaral · Fri Jan 28, 2022 8:02 pm

The issue of BGP routes getting installed in the wrong VRF is still there with 7.2rc3.
Can somebody from Mikrotik at least take a look at the support ticket (SUP-69254) and let me know if you need any more info?

Fri Jan 28, 2022 8:06 pm

BGP vrf problem is acknowledged and will be fixed in one of the next versions.

nescafe2002 · Fri Jan 28, 2022 8:06 pm

Ipsec identities lost after upgrade from 7.2rc1 to 7.2rc2 and again after upgrade from 7.2rc2 to 7.2rc3 (SUP-60031).

Grant · Fri Jan 28, 2022 8:13 pm

Finally they fixed address list, fixed openvpn route push, and fixed wifi speed without using fasttrack

anav · Fri Jan 28, 2022 8:15 pm

7.2rc3 completely destroyed my RB5009 !
UPDATE2 : Managed to get my RB5009 back to 7.1.1 and I think I'm going to stay there for a while ;-) Enough excitement for a Friday evening ;-)

Clearly you need the OFF bridge config schema and dont forget to use safe mode ;-) ( viewtopic.php?t=181718 )
perhaps supout will be possible then?

pe1chl · Fri Jan 28, 2022 8:35 pm

Ipsec identities lost after upgrade from 7.2rc1 to 7.2rc2 and again after upgrade from 7.2rc2 to 7.2rc3 (SUP-60031).

Was that new for you? For me that has happened on every reboot (and of course a reboot is part of an upgrade) since I have been using v7.
But others did not yet see that. OTOH I see a posting by @osc86 above who lost wireguard config.
It seems there still are "random" lost-part-of-config issues.

nescafe2002 · Fri Jan 28, 2022 8:38 pm

Was that new for you?

Not new, but the problem has been acknowledged/reproduced on Jan 11th and "hopefully fixed in the next update" -- this is the next update :)

ErnyTech · Fri Jan 28, 2022 9:01 pm

*) queue - fixed traffic processing (introduced in v7.2rc2);

IPv6 firewall continues to be broken with queues enabled in any 7.1+

VitohA · Fri Jan 28, 2022 9:06 pm

Graphing through https isn't working in all ROS7 releases. MT, do you have any plans to fix it? Seems that rest api broke it in www-ssl.

mikegleasonjr · Fri Jan 28, 2022 9:24 pm

Thanks for the quick fix for the queues, haven't tried it yet. Can you push a quick fix that fast to specify the direction of the Cake queue too :P

jvanhambelgium · Fri Jan 28, 2022 9:36 pm

jvanhambelgium, please generate a supout.rif file while you are at it. Without any usable information, it is impossible for us to figure out what went wrong.

I will go at it again and update my lab RB5009 to 7.2RC3 and see what happens this time ;-)
And generate supout.rif if needed.

jvanhambelgium · Fri Jan 28, 2022 9:55 pm

jvanhambelgium, please generate a supout.rif file while you are at it. Without any usable information, it is impossible for us to figure out what went wrong.
I will go at it again and update my lab RB5009 to 7.2RC3 and see what happens this time ;-)
And generate supout.rif if needed.

Ok this time things went much more smooth. As precaution, I disabled IPv6 (because that cause some issues last time preventing PPPoE connection to the ISP)
So currently running 7.2RC3, and typing this reply through the IPv4 PPPoE connection.
I'll do some testing on the wireguard,zerotier,IPv6 things and get back if issues occur.

jvanhambelgium · Sat Jan 29, 2022 12:03 am

Severe problem in openvpn
openvpn tcp and udp has problem.
im test android and windows client os

Wireguard & ZeroTier work equally as good as they worked in 7.1.1 for me at least. Not using any other types of "vpn"
Tested from Android
Good to see the Wireguard config made it into Winbox in this release.

elgrandiegote · Sat Jan 29, 2022 12:38 am

OpenVpn problem in UDP, apparently the server suddenly disconnects the client (windows), and does not try to reconnect

elgrandiegote · Sat Jan 29, 2022 12:40 am

Severe problem in openvpn
openvpn tcp and udp has problem.
im test android and windows client os

A little more detail would be nice, there are several problems with openvpn in udp.
with more details the people of mikrotik will be able to advance in some solution in next versions

Mp1104 · Sat Jan 29, 2022 4:53 am

Hello. I did want to inform those that updating rc1 to rc3 via packages update method bricked my CCR1009-7G-1C. After a gruesome hour of manual reset attempts, I managed to recover via netinstall 7.1.1. Any version above that would not function. The RB firmware was still on 7.2rc3 after restoring to 7.1.1. I did downgrade the RB firmware to 7.1.1 and let the unit normalize for an hour or so before proceeding to install rc3 manually which did take successfully and has been functioning for the last 6 hours or so.

wojo · Sat Jan 29, 2022 5:21 am

Some major issues on a RB5009:

1) 2.5G link does not work well at all, I'm on 2G U-Verse via a BGW320-505 linked at 2.5G. It causes about 1/2 bandwidth on 1G hosts, and on 10G hosts seeing as bad a 75% reduction in speed.

viewtopic.php?p=908812#p908812
viewtopic.php?p=909086#p909086

2) Major issues with IPv6 in certain scenarios. It seems Linux based hosts (Synology for example) with everything standard, MTU 1500, etc are seeing 25-50% packet loss. On a 10G or 1G link download is around 250Mbps and upload around 25Mbps. The same on macOS 1G link I get gigabit both ways.

I'm shocked at the quality of the RB5009 :(

dg1kwa · Sat Jan 29, 2022 10:26 am

Still no DDM/DOM with a sfp in RB760iGS. With ROS V6.x it works perfect.

Xifen · Sat Jan 29, 2022 10:54 am

Code: Select all
*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;
*) l3hw - added HW offloaded FastTrack support for inter-VLAN routing;
I have some difficulties to have this working.
On which devices should this work ?
RB4011 ? RB5009 ?
Many thanks !

--

(1) This change I have questions about and to me it could be significant!
*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;

This if not in place before should really speed up performance ??
Yes, at least it will decrease CPU utitilization a lot.
But as per my tests (7.2rc2 / 7.2rc3) on both RB4011 and RB5009, it does not work :

--
Mmmh, RouterOS adds hw-offload=yes by default to the action=fasttrack-connection rule, I'll give a try without ASAP and report back.

jbl42 · Sat Jan 29, 2022 12:22 pm

2) Major issues with IPv6 in certain scenarios. It seems Linux based hosts (Synology for example) with everything standard, MTU 1500, etc are seeing 25-50% packet loss. On a 10G or 1G link download is around 250Mbps and upload around 25Mbps. The same on macOS 1G link I get gigabit both ways.

IPv6 on RB5009 is broken beyond being usable.
The 2.5GB port has speed issues.
Both reported many times for month and still not fixed

I'm shocked at the quality of the RB5009 :(

That's usual MT standard for new devices. RB4011 had many severe issues when it was new, taking almost 2 years of ROS updates to get everything working.

What's new in 7.2rc3 (2022-Jan-28 16:33):
*) queue - fixed traffic processing (introduced in v7.2rc2);

"queue - fixed traffic processing" is MT speak for fixing queues completly broken in a way not moving any traffic at all.
It is really bothering how such a severe bug can make it into an rc2 release without being discovered.
How is it possible to miss a completly broken core feature in rc testing? With broken meaning not working at all?

hecatae · Sat Jan 29, 2022 12:26 pm

Audience updated, wireless seems to be improved.

quotengrote · Sat Jan 29, 2022 12:35 pm

Code: Select all
*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;
*) l3hw - added HW offloaded FastTrack support for inter-VLAN routing;
I have some difficulties to have this working.
On which devices should this work ?
RB4011 ? RB5009 ?
Many thanks !

Works good for me, see viewtopic.php?p=909126#p909126

And no problems with my Wireguard-Peers

quotengrote · Sat Jan 29, 2022 12:40 pm

Follow up...

my ONE simple Queue is also <s>working</s> not interfering with anything:

[admin@rb5009] /queue> export 
# jan/29/2022 11:39:40 by RouterOS 7.2rc3
# software id = 56R5-PRTF
#
# model = RB5009UG+S+
/queue simple
add max-limit=30M/200M name=limit-win3-upload target=192.168.2.65/32 time=7h-22h,sun,mon,tue,wed,thu,fri,sat

Xifen · Sat Jan 29, 2022 12:44 pm

Code: Select all
*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;
*) l3hw - added HW offloaded FastTrack support for inter-VLAN routing;
I have some difficulties to have this working.
On which devices should this work ?
RB4011 ? RB5009 ?
Many thanks !
Works good for me, see viewtopic.php?p=909126#p909126

And no problems with my Wireguard-Peers

Thank you for your report, good news then I would say.
Do you have hw-offload=yes or hw-offload=no on your action=fasttrack-connection rule ?

quotengrote · Sat Jan 29, 2022 12:48 pm

[admin@rb5009] /ip/firewall/filter> export 
# jan/29/2022 11:47:34 by RouterOS 7.2rc3
# software id = 56R5-PRTF
#
# model = RB5009UG+S+
/ip firewall filter
add action=fasttrack-connection chain=forward comment="TEST FASTTRACK" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="TEST FASTTRACK" in-interface=vlan10 out-interface=vlan20
add action=accept chain=forward comment="TEST FASTTRACK" in-interface=vlan20 out-interface=vlan10

Xifen · Sat Jan 29, 2022 1:18 pm

OK, same configuration here, I then must have an issue elsewhere...
Just to confirm, your vlan interfaces are on your bridge, and bridge set with vlan-filtering=yes and ingress-filtering=yes ?

quotengrote · Sat Jan 29, 2022 1:23 pm

[admin@rb5009] /interface/bridge> export 
# jan/29/2022 12:23:18 by RouterOS 7.2rc3
# software id = 56R5-PRTF
#
# model = RB5009UG+S+
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=2
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=20
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=30

2022-01-29 12_25_06-admin@192.168.2.1 (rb5009) - WinBox (64bit) v7.2rc3 on RB5009UG+S+ (arm64).png

2022-01-29 12_25_00-admin@192.168.2.1 (rb5009) - WinBox (64bit) v7.2rc3 on RB5009UG+S+ (arm64).png

Xifen · Sat Jan 29, 2022 1:39 pm

OK, the only difference I see is protocol-mode you enforce to none, whereas I let it to its rstp default value.
I'll give this a try.

quotengrote · Sat Jan 29, 2022 1:40 pm

Never touched that value myself, must be a default-value.

Xifen · Sat Jan 29, 2022 1:44 pm

Mmmh I also did my tests using untagged ports, whereas yours are all tagged, this could be the reason.
I'll re-test all this ASAP.

quotengrote · Sat Jan 29, 2022 1:57 pm

Found a minor Bug?

Ctrl+l

does not clear the cli in WinBox anymore.

-> SUP-73039

jbl42 · Sat Jan 29, 2022 3:35 pm

L3 offloading working on 5009 here too, as described by @quotengrote.

There is a switch property l3-hw-offloading, which I'm not sure only setting offloading for L3 VLAN routing only or also for L3 fasttrack.
I had to set to yes to get everything working. Mine was set to no, can't remember if this is the default or if it was me.

[admin@RB5009] > interface/ethernet/switch print detail 
Flags: I - invalid 
 0   name="switch1" type=Marvell-88E6393X mirror-source=none mirror-target=none mirror-egress-target=none l3-hw-offloading=yes

Now L3 fasttrack offloading, L3 intra VLAN routing offloading and L2 bridge VLAN offloading is all working on top of each other. Using the full potential of the 88E6393X switch SoC.
Once this all runs stable enough for production, this makes the RB5009 a perfect device combining router/coreswitch in one tiny box for branch sites.

quotengrote · Sat Jan 29, 2022 4:06 pm

There is a switch property l3-hw-offloading, which I'm not sure only setting offloading for L3 VLAN routing only or also for L3 fasttrack.
I had to set to yes to get everything working. Mine was set to no, can't remember if this is the default or if it was me.

Is set to no on my rb5009

[admin@rb5009] /interface/ethernet/switch> print 
Columns: NAME, TYPE, L3-HW-OFFLOADING
# NAME     TYPE              L3-HW-OFFLOADING
0 switch1  Marvell-88E6393X  no

jbl42 · Sat Jan 29, 2022 4:27 pm

Weird, checked it again and now l3-hw-offloading is no and I can't set it to yes neither
No idea how that worked before, I fiddled around a lot..

However, with v7.2rc3 I have fasttrack forward rules with hw offload working on RB5009.
Did not find time for propper testing yet, but a quick ipperf run between routed VLANS on SFP+ shows >6GB/s with less than 50% total CPU load.
Compared to <3GB/s with 80% total CPU load without L3 hw offload.

Xifen · Sat Jan 29, 2022 4:36 pm

Once this all runs stable enough for production, this makes the RB5009 a perfect device combining router/coreswitch in one tiny box for branch sites.

Totally agree. Just lack one PoE-out port, as we have on the RB4011, to power-up a LtAP gateway for example :)

Xifen · Sat Jan 29, 2022 4:39 pm

However, with v7.2rc3 I have fasttrack forward rules with hw offload working on RB5009.
Did not find time for propper testing yet, but a quick ipperf run between routed VLANS on SFP+ shows >6GB/s with less than 50% total CPU load.

So I understand you tested with tagged ports.
I'm scared untagged ports would prevent fasttrack to work for them...

denasu · Sat Jan 29, 2022 4:58 pm

*) arm - fixed "shutdown" command on hAP ac^2;

HAP ac^3 (RBD53iG-5HacD2HnD) turns off successfully. Thank you!

mafiosa · Sat Jan 29, 2022 9:06 pm

Still CPU load not properly optimized for RB3011.

simsrw73 · Sat Jan 29, 2022 11:25 pm

Trying RC3 on CRS328, I'm still not able to connect with SFP+, only one way communication seems to be occurring: viewtopic.php?t=182513#p908420
Is this a known issue? Do I need to have RC3 also on RB5009? I can connect the RB5009 to my CRS112, so transceivers and fiber are all working. I just cannot connect between RB5009 & CRS328.

jimmer · Sun Jan 30, 2022 12:15 am

Still CPU load not properly optimized for RB3011.

I too am awaiting a fix for this. my RB3011 idles at 9% CPU which is way higher than the RB2011IUAS I have at another site which only has a 600Mhz single core with similar traffic loads.. I would expect the dual 1.4Ghz core to be idling quite a lot lower than it is.

Hopefully its something in the pipeline.

ufm · Sun Jan 30, 2022 2:15 am

"queue - fixed traffic processing" is MT speak for fixing queues completly broken in a way not moving any traffic at all.
It is really bothering how such a severe bug can make it into an rc2 release without being discovered.
How is it possible to miss a completly broken core feature in rc testing? With broken meaning not working at all?

-

"Or else it doesn't, you know. The name of the song is called 'Haddocks' Eyes'."
"Oh, that's the name of the song, is it?" Alice said, trying to feel interested.
"No, you don't understand," the Knight said, looking a little vexed.
"That's what the name is called. The name really is 'The Aged Aged Man'."
"Then I ought to have said 'That's what the song is called'?" Alice corrected herself.
"No, you oughtn't: that's quite another thing! The song is called 'Ways And Means': but that's only what it's called, you know!"
"Well, what is the song, then?" said Alice, who was by this time completely bewildered.
"I was coming to that," the Knight said. "The song really is 'A-sitting On A Gate': and the tune's my own invention."

(c) Lewis Carroll, "Through the Looking-Glass"

Well.
The version name is called "release candidate (rc)"
The version name is "beta"
The version is called "alpha"
The version is "pre-alpha"
And yes, it's possible in pre-alpha versions.

zandhaas · Sun Jan 30, 2022 12:12 pm

Adding zerotier via the new Winbox option is not working for me.
When I add zerortier via the cli everything works smooth. Someone seen this issue also?
[Edit]
Some further investigation showed the Zerotier IP-Address is not added automaticaly to /ip/adressess.

After adding the address manualy it seems to work.

wispmikrotik · Sun Jan 30, 2022 12:23 pm

Hi,

Failed to disable IP > Firewall > Service Ports :(

[admin@r1] > /ip/firewall/service-port/disable [find]
failure: module udplite is built-in and cannot be individually disabled

DCCP, STCP and udplite not disabled.

Regards ...

Jotne · Sun Jan 30, 2022 12:47 pm

Can confirm that it does not work on 7.2rc3, but do work on 7.1. Send an email to support@mikrotik.com so they make a support case out of it.

pe1chl · Sun Jan 30, 2022 1:31 pm

I have updated my RB4011 from 7.1.1 to 7.2rc3 and I already had all service ports disabled on 7.1.1, they remain so on 7.2rc3.
At least that is what is being displayed, maybe it is not the reality...

At least the big showstopper problem that prevented me from running 7.2rc1 (problems with routing table) seem to have been resolved.

mafiosa · Sun Jan 30, 2022 1:52 pm

Torch for IPv6 still not working. Can anyone confirm?

Znevna · Sun Jan 30, 2022 3:28 pm

There's no fix that mentiones torch, why would you expect it to work?

dtaht · Sun Jan 30, 2022 5:39 pm

I am very happy to see the demand for cake and fq_codel here, and do hope the ipv6 problem is resolved soon. I've been trying to help
with cake specific configuration primarily over here: viewtopic.php?t=179307 and here: viewtopic.php?t=181289

I am a big fan of the flent.org testing tool (the tcp_nup, rrul, and rtt_fair tests primarily), and there a lot of usage of that and examples on those threads. I hope the mikrotik folk start using it also to drive loads and optimize cpu usage, among other additional things.

We still have not validated the diffserv and ecn support actually work, and I hope someone gets on that. You can also specify -6 or -4 to select ipv6 or ipv4 as the transport. I keep hoping for a 2 ports into one test in particular.

(well, my big hope is that more make fq_codel the default on all interfaces, per https://datatracker.ietf.org/doc/rfc7567/ as it's the default nowadays for most other linux, openwrt, ios, and osx. It's really lightweight when run at line rate and way better than a fifo)

It's also not clear to me if mikrotik picked up the wifi work on any of their wifi gear: https://lwn.net/Articles/705884/

I don't actually have any mikrotik hardware at this point, and plan to just haunt those two threads for now, although I'd like to find something that can drive multiple 10GigE ports eventually. My biggest feature request of mikrotik is that somehow they start making packets, drops, marks, and reschedules statistics available, and/or any of the more detailed stats cake provides.

anav · Sun Jan 30, 2022 5:41 pm

Torch for IPv6 still not working. Can anyone confirm?

@ Mafioso Please read through this and tell us where Torch is noted

THEN copy and paste it into excel or any document and do FIND/SEARCH for the word Torch, just in case you missed it doing in manually.

What's new in 7.2rc2 (2022-Jan-28 11:00):

*) arm - fixed "shutdown" command on hAP ac^2;
*) bgp - fixed routing table and BGP configuration order in export;
*) bluetooth - disable scanning by default;
*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;
*) bridge - fixed bridge filter and NAT rules on ARM64 and TILE devices;
*) capsman - improved stability when running background scan on CAP;
*) clock - properly notify all instances about time changes;
*) conntrack - properly detect helper status;
*) console - improved console responsiveness when processing received characters;
*) console - updated copyright notice;
*) crs3xx - fixed QSFP+ interface LEDs;
*) crs3xx - fixed optical SFP+ linking (introduced in v7.2rc1);
*) crs3xx - improved SFP+ interface linking after reboot for CRS312 device;
*) crs3xx - improved SFP+/QSFP+ link stability for CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices (introduced in v7.2rc1);
*) defconf - made "192.168.188.1/24" the default LAN IP address for LTE CPE devices;
*) dhcpv4-server - remove dynamic leases when server configuration is removed;
*) dot1x - added "server-fail-vlan-id", "guest-vlan-id" and "reauth-timeout" settings for dot1x server;
*) dot1x - added "src-address", "src-mac-address" and "src-port" settings for dynamic switch rules;
*) dot1x - added NAS-Port-ID attribute for RADIUS Access-Request;
*) firewall - improved system stability when using address lists (introduced in v7.2rc1);
*) hotspot - fixed memory leak on every web page loading;
*) hotspot - fixed web page loading using HTTPS;
*) ike2 - ignore "INITIAL-CONTACT" payload on responder when "send-initial-contact" is disabled;
*) interface - fixed minor memory leak when interface or connected route is changed;
*) l3hw - added HW offloaded FastTrack support for inter-VLAN routing;
*) l3hw - fixed HW offloaded NAT;
*) leds - fixed user LED on RB750Gr3;
*) log - include message also in e-mail body;
*) lora - fixed "antenna-gain" parameter unit;
*) lte - added 3 APN profile support and APN name re-using on R11e-LTE6;
*) lte - added MAC address and IPv6 LL address persistence after reboot on EG12 and EG18 modems;
*) lte - added class based support for configless RNDIS LTE modems;
*) lte - do not show external antenna selector on devices that does not support it;
*) lte - fixed IPv6 address addition after startup on R11e-LTE6;
*) lte - fixed possible timeouts when sending SMS in LTE only mode on R11e-LTE;
*) lte - fixed support for Sierra MC7710;
*) lte - fixed support for Telit 960;
*) lte - improved stability on "+EGMR" response in MBIM mode;
*) lte - improved support for sending/receiving SMS in LTE only mode on R11e-LTE6;
*) lte - properly recognize MBIM modem in USB port as LTE on Chateau 5G;
*) ospf - added "ptmp-broadcast" interface type (compatible with RouterOSv6 PTMP type);
*) ospf - convert ospf "static" redistribute to "static,dhcp,modem,vpn" after update from RouterOS v6;
*) ospf - fixed MD5 authentication;
*) ospf - fixed NBMA hello's not being sent if priority is set to 0;
*) ospf - fixed default type-3 LSA's not being injected to stub area;
*) ospf - fixed incorrect LSA types when changing area types;
*) ospf - fixed neighbor election failure;
*) ospf - improved logging;
*) ospf - improved stability on OSPFv3 instance disabling;
*) ovpn - improved UDP session handling;
*) ppp - fixed AT+CPIN chat when SIM PIN is specified;
*) pptp - show insecure connection warning on dynamic interfaces;
*) qsfp - correctly display auto-negotiation status;
*) queue - improved system stability when processing traffic;
*) route - fixed "suppress-hw-offload" update;
*) route - fixed router's LSA for PTP networks;
*) route - fixed routing configuration export on SMIPS devices;
*) route - improved routing table print speed;
*) route - show OSPF and RIP specific attributes in "/routing route" table;
*) route-filter - fixed "return" action;
*) route-filter - fixed complex matchers with "|| or and &&";
*) route-filter - fixed incorrect invert-match configuration upgrade from RouterOS v6;
*) route-filter - fixed range conversion after update from RouterOS v6;
*) rpki - made RPKI verify non-strict, introduces new state "unverified";
*) rpki - show expire timer;
*) smb - fixed SMB2.0 disk size reporting;
*) snmp - added SFP vendor name to optical table;
*) snmp - added support for "ipv6AddrPrefixTable" and "ipv6RouteNumber" OID's;
*) snmp - allow two level nesting for vlan, bonding speed query;
*) system - fixed license loss on some RB1100Dx4 and RB4011 devices;
*) traffic-flow - do not handle NAT events when "nat-events" is disabled;
*) traffic-generator - fixed transmit speed for multiple asymmetric streams;
*) usb - fixed display of incorrect port count for USB serial ports;
*) vlan - fixed improper VLAN priority addition for routed packets;
*) vxlan - allow unsetting "group" and "interface" properties;
*) webfig - do not show side menu if WebFig is disabled by skin;
*) winbox - added "Disconnect Notify" checkbox to "Interface/OVPN Client" menu;
*) winbox - added "Freq. Usage" and "Scan" buttons for WifiWave2 interfaces;
*) winbox - added "Ignore Missing" selector to "System/Packages" menu;
*) winbox - added "Routing Table" parameter for IPv6 routes;
*) winbox - added "VPN" tab to "Routing/BGP" menu;
*) winbox - added "VRF" parameter to "IP/Services" menu;
*) winbox - added "comment" parameter to "User Manager/Users" menu;
*) winbox - added MLAG support;
*) winbox - added SHA256 and SHA512 "Auth" values for OVPN menu's;
*) winbox - added ZeroTier support;
*) winbox - added explicit "Upload" and "Download" names for "Bucket Size" parameters under "Queues" menu;
*) winbox - allow setting "Interface" parameter for 100G LED types;
*) winbox - do not show "Antenna Scan" button on devices that do not support it;
*) winbox - fixed "action" field in "IP/Web Proxy/Access" menu;
*) winbox - fixed CHR License renewing process;
*) winbox - fixed content filtering in "Tools/Packet Sniffer/Packets" menu;
*) winbox - fixed entry order in "Tools/Packet Sniffer/Packets" menu;
*) winbox - made OSPF interface type names consistent between CLI and GUI;
*) winbox - properly save "IPv6/Settings" menu in session file;
*) winbox - renamed "MBPS" to "Mbps" value unit name in "Tools/Traffic Generator" menu;
*) winbox - show "H" flag for offloaded connections in "IP/Firewall/Connections" menu;
*) winbox - show "System/SwOS" menu only on boards that have dual boot;
*) winbox - sort "Address List" parameter values alphabetically in "IP/DHCP Server/Leases" menu;
*) wireless - improved wireless connection stability during background scans;
*) wireless - fixed interface initialization on Metal 2SHPn;
*) x86 - added support for Intel E810 NIC;
*) x86 - made "no" the default value for "disable-running-check" ethernet parameter;
*) x86 - properly distinguish multiple NICs that share the same PCI bus number;
*) zerotier - made MAC and MTU values read-only;

If you got this, far then clearly its not a case of : not having two clues and being lazy, - we can drop the lazy part. ;-P

mozerd · Sun Jan 30, 2022 5:56 pm

@anav
viewtopic.php?t=182748#p909311
Ipv6 definitely should work with Torch just like IPv4 does under RoS v7.x …

Amm0 · Sun Jan 30, 2022 6:00 pm

Torch for IPv6 still not working. Can anyone confirm?
@ Mafioso Please read through this and tell us where Torch is noted
If you got this, far then clearly its not a case of : not having two clues and being lazy, - we can drop the lazy part. ;-P

Look I think it's fair game to comment if the docs don't indicate something is broken. See https://help.mikrotik.com/docs/display/ROS/Torch could just say "IPv6 not support in V7" (and removed when it is). So the fact this isn't documented is a bug IMO.

dtaht · Sun Jan 30, 2022 6:57 pm

Here's another config question: Is it possible to make a mikrotik box into a "Bump on the wire"?

https://apenwarr.ca/log/20180808

pe1chl · Sun Jan 30, 2022 7:42 pm

There's no fix that mentiones torch, why would you expect it to work?

Well, the problems I had with routing in 7.2rc1 are also not mentioned and they are fixed. Unless you mean that "router hangs when showing routes" is fixed by:

*) route - improved routing table print speed;

.

pe1chl · Sun Jan 30, 2022 7:44 pm

Here's another config question: Is it possible to make a mikrotik box into a "Bump on the wire"?

https://apenwarr.ca/log/20180808

Probably, yes. When you need to ask, then not by you.

ivicask · Sun Jan 30, 2022 7:49 pm

Torch for IPv6 still not working. Can anyone confirm?
@ Mafioso Please read through this and tell us where Torch is noted

THEN copy and paste it into excel or any document and do FIND/SEARCH for the word Torch, just in case you missed it doing in manually.

What's new in 7.2rc2 (2022-Jan-28 11:00):

If you got this, far then clearly its not a case of : not having two clues and being lazy, - we can drop the lazy part. ;-P

Even devs wrote numerous times they make alot of silent changes even on big fixes and dont always write it in changelog..

So he asking if by any chance something was fixed isnt so lazy/stupid...

npeca75 · Sun Jan 30, 2022 7:54 pm

how to remove annoying warning about PPTP ????

it is not my choice to use PPTP
so i don't see any reason to throw annoying red errors in something i could not change

npeca75 · Sun Jan 30, 2022 8:33 pm

it is unusable this way
even if pptp is disabled, and only used when needed
the red color always suggest that there is error in interfaces ... but, no, no error
at least, change color to blue, like warnings in LOG

mafiosa · Sun Jan 30, 2022 8:42 pm

@ Mafioso Please read through this and tell us where Torch is noted
If you got this, far then clearly its not a case of : not having two clues and being lazy, - we can drop the lazy part. ;-P
Look I think it's fair game to comment if the docs don't indicate something is broken. See https://help.mikrotik.com/docs/display/ROS/Torch could just say "IPv6 not support in V7" (and removed when it is). So the fact this isn't documented is a bug IMO.

Whenever I find someone defending Mikrotik by calling the user lazy, unaware tec it is always a forum guru.

msatter · Sun Jan 30, 2022 9:04 pm

Torch for IPv6 still not working. Can anyone confirm?
@ Mafioso Please read through this and tell us where Torch is noted

What's new in 7.2rc2 (2022-Jan-28 11:00):

This could be shorter.

If you got this, far then clearly its not a case of : not having two clues and being lazy, - we can drop the lazy part. ;-P

Amm0 · Sun Jan 30, 2022 9:06 pm

it is unusable this way
even if pptp is disabled, and only used when needed
the red color always suggest that there is error in interfaces ... but, no, no error
at least, change color to blue, like warnings in LOG

Well PPTP is safer than IPIP or GRE, which don't have any red error if used without IPSec... There are lot of way to configure a Mikrotik in unsafe ways, so picking on PPTP seems arbitrary since it's entirely possible the traffic inside may be encrypted thus PPTP wouldn't be particular unsafe.

Not sure but this may fixable (or should be at least) by using /system/device-mode. I can see perhaps in mode=home providing this kind of error, but mode="enterprise" the message ideally should be suppressed. The specific behavior of using device-mode set pptp=yes is undefined in the docs however, but seemingly if device-mode allowed PPTP, it's should not be an error.

npeca75 · Sun Jan 30, 2022 11:45 pm

7.2rc3 broken IPv6 SNMP
SNMP['/usr/bin/snmpbulkwalk' '-M' '/opt/librenms/mibs:/opt/librenms/mibs/mikrotik' '-v2c' '-c' 'COMMUNITY' '-OQXUte' 'udp:HOSTNAME:161' 'IPV6-MIB::ipv6RouteTable']
IPV6-MIB::ipv6RouteTable = No Such Object available on this agent at this OID

7.1 working as expected
SNMP['/usr/bin/snmpbulkwalk' '-M' '/opt/librenms/mibs:/opt/librenms/mibs/mikrotik' '-v2c' '-c' 'COMMUNITY' '-OQXUte' 'udp:HOSTNAME:2001' 'IPV6-MIB::ipv6RouteTable']
IPV6-MIB::ipv6RouteDest[2000:0:0:0:0:0:0:0][3][2147483833] = 2000:0:0:0:0:0:0:0

npeca75 · Sun Jan 30, 2022 11:53 pm

Not sure but this may fixable (or should be at least) by using /system/device-mode. I can see perhaps in mode=home providing this kind of error, but mode="enterprise" the message ideally should be suppressed. The specific behavior of using device-mode set pptp=yes is undefined in the docs however, but seemingly if device-mode allowed PPTP, it's should not be an error.

Ok, i tried
already in enterprise mode
pptp=yes, reboot
still same

it is monkey business ... Installing RC on ESXI is advanced stuff
and, nooo, MT decided to burn out eyes after all with red/error marking IFs, like we are novice users

wojo · Mon Jan 31, 2022 12:23 am

Anyone having RADIUS/dot1x issues?

I have three User Manager instances (replicated) between my router and two switches. Most devices are now not responding and getting a timeout instead, I see responses to the EAP challenges but they don't authorize.

pe1chl · Mon Jan 31, 2022 10:22 am

Well PPTP is safer than IPIP or GRE, which don't have any red error if used without IPSec... There are lot of way to configure a Mikrotik in unsafe ways, so picking on PPTP seems arbitrary since it's entirely possible the traffic inside may be encrypted thus PPTP wouldn't be particular unsafe.

I have also seen such red error message when configuring a tunnel with IPsec PSK (instead of using certificates). But it has gone away later.
I agree that a warning may be ok during configuration but it must be possible to override it when you deem the security sufficient for your usage scenario.

npeca75 · Mon Jan 31, 2022 11:25 am

7.2rc3 broken IPv6 SNMP
SNMP['/usr/bin/snmpbulkwalk' '-M' '/opt/librenms/mibs:/opt/librenms/mibs/mikrotik' '-v2c' '-c' 'COMMUNITY' '-OQXUte' 'udp:HOSTNAME:161' 'IPV6-MIB::ipv6RouteTable']
IPV6-MIB::ipv6RouteTable = No Such Object available on this agent at this OID

7.1 working as expected
SNMP['/usr/bin/snmpbulkwalk' '-M' '/opt/librenms/mibs:/opt/librenms/mibs/mikrotik' '-v2c' '-c' 'COMMUNITY' '-OQXUte' 'udp:HOSTNAME:2001' 'IPV6-MIB::ipv6RouteTable']
IPV6-MIB::ipv6RouteDest[2000:0:0:0:0:0:0:0][3][2147483833] = 2000:0:0:0:0:0:0:0

to correct my self
no, it is NOT working on CHR, 7.1 & 7.2 RC both broken on CHR

Mon Jan 31, 2022 11:54 am

Weird, checked it again and now l3-hw-offloading is no and I can't set it to yes neither
No idea how that worked before, I fiddled around a lot..

However, with v7.2rc3 I have fasttrack forward rules with hw offload working on RB5009.
Did not find time for propper testing yet, but a quick ipperf run between routed VLANS on SFP+ shows >6GB/s with less than 50% total CPU load.
Compared to <3GB/s with 80% total CPU load without L3 hw offload.

RB5009 does NOT support l3-hw-offloading (List of supported devices).
Setting hw-offload=yes for FastTrack firewall has a recommendatory meaning (i.e., "please offload if you can"). The actual HW offloading state of FastTrack connections appears in the connection list (H flag):

/ip/firewall/connection print

If you check the above command on RB5009, you notice none of the connections have the H flag (HW-offloaded).

The reason why RB5009 received a huge inter-VLAN routing performance boost in 7.2rc3 is FastPath / FastTrack support by vlan-filtered bridges. Routing is still done by the software (CPU), but now it is going via Fast Path, and RB5009 has a fast CPU.

P.S. Marvell 88E6393 switch chip used in RB5009 is capable of offloading a very limited amount of FastTrack connections, but the feature is not implemented into RouterOS yet. Anyway, if you need hardware-accelerated near wire-speed routing, I suggest looking at CCR2116.

pe1chl · Mon Jan 31, 2022 12:01 pm

to correct my self
no, it is NOT working on CHR, 7.1 & 7.2 RC both broken on CHR

But it is working fine on 7.2rc3 on my RB4011

pe1chl · Mon Jan 31, 2022 12:07 pm

The reason why RB5009 received a huge inter-VLAN routing performance boost in 7.2rc3 is FastPath / FastTrack support by vlan-filtered bridges. Routing is still done by the software (CPU), but now it is going via Fast Path, and RB5009 has a fast CPU.

Don't you think it would be a good idea to work towards a 7.2 release that is feature complete relative to 6.49.2 and has most of the visible bugs fixed
that were introduced during the v6 to v7 transition?

Then the next step could be a 7.3 which adds all kinds of nice new features. But at least the users could "all" upgrade to v7 and/or have a fully functional
RouterOS again on their devices that only work with v7.

Right now it appears that more attention is going towards nice new features and speedups, but known unimplemented features are left behind.

turgon · Mon Jan 31, 2022 1:25 pm

Since there is no mention in changelog, any ETA on PIM?

npeca75 · Mon Jan 31, 2022 1:32 pm

to correct my self
no, it is NOT working on CHR, 7.1 & 7.2 RC both broken on CHR
But it is working fine on 7.2rc3 on my RB4011

yes, when i tested, i tried only CHR on RC
that was a reason for confusion
devices stayed on 7.1, CHR on RC

pe1chl · Mon Jan 31, 2022 2:25 pm

But it is working fine on 7.2rc3 on my RB4011
yes, when i tested, i tried only CHR on RC
that was a reason for confusion
devices stayed on 7.1, CHR on RC

I tried it with 7.2rc3 and it works OK for me. I see that it returns the routing table data when there is any, and it displays that error message whenever there is no IPv6 route.
So maybe you don't have IPv6 configured on that CHR.

Mon Jan 31, 2022 2:45 pm

Don't you think it would be a good idea to work towards a 7.2 release that is feature complete relative to 6.49.2 and has most of the visible bugs fixed
that were introduced during the v6 to v7 transition?

Then the next step could be a 7.3 which adds all kinds of nice new features. But at least the users could "all" upgrade to v7 and/or have a fully functional
RouterOS again on their devices that only work with v7.

Right now it appears that more attention is going towards nice new features and speedups, but known unimplemented features are left behind.

The main focus is on bugfixes and v6 feature completion. According to the rc2 changelog, there are 82 changes (except Winbox): only 3 of them are new features, and 79 bugfixes or improvements.

benlg · Mon Jan 31, 2022 3:03 pm

However, with v7.2rc3 I have fasttrack forward rules with hw offload working on RB5009.
Did not find time for propper testing yet, but a quick ipperf run between routed VLANS on SFP+ shows >6GB/s with less than 50% total CPU load.
So I understand you tested with tagged ports.
I'm scared untagged ports would prevent fasttrack to work for them...

So, faced same issue, FastTrack does not work for untagged ports in a VLAN-filtered bridge.
Works as soon as ports are tagged.
SUP-73092 opened accordingly.

pe1chl · Mon Jan 31, 2022 3:04 pm

The main focus is on bugfixes and v6 feature completion. According to the rc2 changelog, there are 82 changes (except Winbox): only 3 of them are new features, and 79 bugfixes or improvements.

Yeah, but several of those bugfixes are in features that were added in v7.
I would hope that priority would be somewhat like this:
1 - fixing of bugs that were not present in v6 but were introduced in v7
2 - completion of features that were present in v6 and are planned to be in v7 but are not yet implemented
3 - fixing bugs that are in the newly introduced features in v7
4 - introducing new features (and/or fixing bugs and limitations) that were not possible in v6

The sooner v7 can be declared a full and riskfree replacement of v6, the sooner all development and support capacity can be put on v7.

infabo · Mon Jan 31, 2022 3:37 pm

As soon as v7 is a no-brainer-update with a matching v6 stability, noone would like to stay on v6 for any reason. v6 could be shut-down and we would no longer talk a second about v6.

w0lt · Mon Jan 31, 2022 3:49 pm

Don't you think it would be a good idea to work towards a 7.2 release that is feature complete relative to 6.49.2 and has most of the visible bugs fixed
that were introduced during the v6 to v7 transition?

Then the next step could be a 7.3 which adds all kinds of nice new features. But at least the users could "all" upgrade to v7 and/or have a fully functional
RouterOS again on their devices that only work with v7.

Right now it appears that more attention is going towards nice new features and speedups, but known unimplemented features are left behind.
The main focus is on bugfixes and v6 feature completion. According to the rc2 changelog, there are 82 changes (except Winbox): only 3 of them are new features, and 79 bugfixes or improvements.

How about getting “ PIM-SM” working! 🧐

pe1chl · Mon Jan 31, 2022 4:50 pm

As soon as v7 is a no-brainer-update with a matching v6 stability, noone would like to stay on v6 for any reason. v6 could be shut-down and we would no longer talk a second about v6.

Yes, I hope the focus will be on that, at least for the moment. So we can have a single version again. And don't have to warn other users against blindly trying "upgrade".

Mon Jan 31, 2022 4:54 pm

So I understand you tested with tagged ports.
I'm scared untagged ports would prevent fasttrack to work for them...
So, faced same issue, FastTrack does not work for untagged ports in a VLAN-filtered bridge.
Works as soon as ports are tagged.
SUP-73092 opened accordingly.

We have reproduced the issue. It is not related to untagged ports but frame-types. Setting frame-types=admit-only-untagged-and-priority-tagged disables Fast Path. We are working on the fix. Meanwhile, if possible, set frame-types=admit-all for untagged ports.

benlg · Mon Jan 31, 2022 5:05 pm

Good news, many @raimondsp !

npeca75 · Mon Jan 31, 2022 5:59 pm

So maybe you don't have IPv6 configured on that CHR.

nope, devices working as it should rb760, 3011 ...
but CHR does not .

pe1chl · Mon Jan 31, 2022 6:03 pm

Ok so it is something different than "does not work on CHR" because for me it DOES work on CHR.
But I tried it with a static route, maybe that is different.

jbl42 · Mon Jan 31, 2022 7:22 pm

RB5009 does NOT support l3-hw-offloading (List of supported devices).
Setting hw-offload=yes for FastTrack firewall has a recommendatory meaning (i.e., "please offload if you can"). The actual HW offloading state of FastTrack connections appears in the connection list (H flag):

I see. Thanks for the details.
Beeing in my 50ties, I still have to accomodate to the sheer CPU power available in such devices those days. Regarding the throughput, I blindly assumed HW acceleartion in place.

P.S. Marvell 88E6393 switch chip used in RB5009 is capable of offloading a very limited amount of FastTrack connections, but the feature is not implemented into RouterOS yet. Anyway, if you need hardware-accelerated near wire-speed routing, I suggest looking at CCR2116.

Completly agree regarding the interfaces available on RB5009, anything above 2.5GB intra VLAN routing with decent CPU load for NAS etc. at ether 1 is good enough.
Higher rates only make sense for router on a stick setups routing btw. VLANs on SFP+ And for such applications there are better suited devices.

IMHO, RB5009 is best suited for 1GB to 2.5GB uplink srcNAT scenarios. It handles 2.5GBs with srcNAT towards WAN (flowing through CPU anyway) with firewalling and Qeues while still having CPU ressources left for some wireguard and similar.

Mon Jan 31, 2022 7:27 pm

Still no ZeroTier for mips...

This would be of great value indeed. ZeroTier should not be missing on all Mikrotik routers. Mikrotik you are already doing a wonderful job do your best and implement ZeroTier on all routers starting with mipsbe.

eworm · Mon Jan 31, 2022 7:43 pm

... or release new mAP with little ARM CPU. 😉😁

Mon Jan 31, 2022 7:43 pm

... or release new mAP with little ARM CPU. 😉😁

With ac, please.

ormandj · Mon Jan 31, 2022 8:03 pm

Does 7.2RC3 address SFP+ issues such as those called out in SUP-68278 which cause SFP+ links at 10G to flap every 5 minutes or so? This showed up in 7.1, and the only current solution is to force interfaces to 1G, which is obviously non-ideal. I can’t even get a response to the support ticket after over a month of waiting.

nzjc · Mon Jan 31, 2022 11:23 pm

I would describe 7.2rc3 on my CCR2004 as 'weird'. Certain clients such as iPhone could not load images across many websites, such as twitter. Rebooted, nothing. Rolled back to 7.1.1.

Unsure how to provide more diagnostics, nothing I tried seemed to make a difference.

pe1chl · Mon Jan 31, 2022 11:44 pm

When your internet connection uses PPPoE, check the MTU of the PPPoE interface on both versions and see if it is different.

mducharme · Tue Feb 01, 2022 3:44 am

This would be of great value indeed. ZeroTier should not be missing on all Mikrotik routers. Mikrotik you are already doing a wonderful job do your best and implement ZeroTier on all routers starting with mipsbe.

My understanding of the way Zerotier licensing works for hardware vendors is that they have to pay a license fee for every single device that may run ZeroTier. If this is indeed the case in MikroTik's situation, they would have to pay a fee to Zerotier for every single mipsbe architecture device that has ever been sold by MikroTik, which likely includes many old RB4xx and 7xx models that were discontinued years ago and probably do not even work anymore.

Amm0 · Tue Feb 01, 2022 5:33 am

This would be of great value indeed. ZeroTier should not be missing on all Mikrotik routers. Mikrotik you are already doing a wonderful job do your best and implement ZeroTier on all routers starting with mipsbe.
My understanding of the way Zerotier licensing works for hardware vendors is that they have to pay a license fee for every single device that may run ZeroTier.

Are you sure? ZT makes money off the controller – more than one admin, an end customer pays. More devices ZT is on, more potential customers. Mikrotik's volume would seem to feeds their Freemium pricing model (similar plan as Tailscale). AFAIK, nothing stop anyone from deploying ZT on Linux, so their bet is "people are lazy" and they'll take the bet enough organizations are willing to $49+/month.

My guess be that ZT had an ARM-based port of the VL1/VL2, while MIPSBE etc make take more adaptation for Mikrotik. And, if Mikrotik had "*) ZeroTier on all platforms" there be a lot upset folks with open bugs in V6 features.

Chupaka · Tue Feb 01, 2022 8:12 am

Hopefully there will be x86-based port from ZT soon...

pe1chl · Tue Feb 01, 2022 12:01 pm

Hopefully things like ZeroTier can be made to run as containers so there is no need for involvement by MikroTik and more than one such supplier can compete in this field.
It requires a little more refinement of the containers, maybe some way to edit configuration of a container from inside the RouterOS configuration system (winbox, webfig, terminal).
Then ZeroTier just has to setup a cross-compilation platform for all architectures they want to support.

zandhaas · Tue Feb 01, 2022 12:37 pm

Hopefully things like ZeroTier can be made to run as containers so there is no need for involvement by MikroTik and more than one such supplier can compete in this field.
It requires a little more refinement of the containers, maybe some way to edit configuration of a container from inside the RouterOS configuration system (winbox, webfig, terminal).
Then ZeroTier just has to setup a cross-compilation platform for all architectures they want to support.

Zerotier has a manual on how to cross compile their product for different platforms. See the github https://github.com/zerotier/ZeroTierOne

So this could be something Mikrotik could do for all their architectures.

Ullinator · Tue Feb 01, 2022 12:47 pm

Does 7.2RC3 address SFP+ issues such as those called out in SUP-68278 which cause SFP+ links at 10G to flap every 5 minutes or so? This showed up in 7.1, and the only current solution is to force interfaces to 1G, which is obviously non-ideal. I can’t even get a response to the support ticket after over a month of waiting.

Same experiences here including no response to my Ticket either :-(
I rolled back to 7.0.5 (stable) on my CRS3X switches with the described problems and the problem has gone.

mducharme · Tue Feb 01, 2022 6:12 pm

Are you sure? ZT makes money off the controller – more than one admin, an end customer pays.

I'm not sure, but I recall reading about this before. I just had another look at the BSL that ZeroTier uses, MikroTik would not seem to qualify to include it in RouterOS free of charge as RouterOS itself is a commercial product not released under an open source license. So MikroTik would probably had to reach some kind of arrangement with them for a commercial license for ZeroTier in order to include it as an optional package. I remember reading that including it in a commercial hardware device was handled by a per device fee (this was a long time ago, when I first looked into ZeroTier for something else), but I don't recall where I saw that now. If it is the case, it might explain why they only released for arm and arm64.

wojo · Tue Feb 01, 2022 6:15 pm

Anyone having RADIUS/dot1x issues?

I have three User Manager instances (replicated) between my router and two switches. Most devices are now not responding and getting a timeout instead, I see responses to the EAP challenges but they don't authorize.

MikroTik confirmed RADIUS/dot1x is broken in 7.2rc3, heads up. Don't update if you need it.

npeca75 · Tue Feb 01, 2022 10:22 pm

Ok so it is something different than "does not work on CHR" because for me it DOES work on CHR.
But I tried it with a static route, maybe that is different.

and, after all ...
even dynamic IPv4 routes like WireGuard does not appear in SNMP

there is no diplomatic words to describe my feelings about network equipment without SNMP readout

SW 7.xx -> PowerOFF

pe1chl · Tue Feb 01, 2022 10:34 pm

It certainly is interesting... BGP added routes do not appear either.
Still a lot of work to do, yet they are playing with fast-path and inter-VLAN routing FastTrack support...

Znevna · Tue Feb 01, 2022 11:01 pm

I wouldn't call that "playing", those are features that many folks will like.
Probably a step forward ipv6 fasttrack we hope.

mehdi1980 · Wed Feb 02, 2022 8:45 am

there is strange problem in wireguard , some website not opening with mikrotik wireguard but while test with other client wireguard they are ok and not have problem

tri · Wed Feb 02, 2022 10:21 am

Still does not boot in Hetzner hosted CHR. 7.1.1 starts OK, but none of the 7.2 rc{1,2,3} are able to mount the boot disk. Probably something to do with the disk driver (scsi-virtio, maybe, dunno) present in 7.1 line missing from 7.2.

Couldn't get OSPFv2 with MD5 security to work in the 7.1.1 against the 6.48 so I'd like to test 7.2rc, but no avail because of the boot disk problem.

Are you planning to restore this?

pe1chl · Wed Feb 02, 2022 11:25 am

I wouldn't call that "playing", those are features that many folks will like.
Probably a step forward ipv6 fasttrack we hope.

What I mean is that instead of working on stability and completeness, work is done on new features.
Sure there are lots of features that people want, but some of us mostly want a version that can replace v6 and can serve as a foundation for such new versions.
As it is now, users are stuck on v6 and cannot even consider to use v7 in many scenarios, and that means v6 bug reports will keep coming in and the standard reply cannot be "upgrade".
It would help so much when v7 could be the standard release for everyone.

jimmer · Wed Feb 02, 2022 12:48 pm

I put 7.3rc3 on my RB3011 and found that it broke SNMP - could not pull all OIDs from the unit, cacti was graphing nothing.

CAPsMAN failed for me with both my AP's failing to register/provision:

Jan 11 18:01:28 xxxx-upstairs-cap-hapac2 CAP selected CAPsMAN xxxx-RB3011-gw (B8:69:F4:8E:88:97/6/0)
Feb 2 19:16:01 xxxx-downstairs-cap-hapac2 CAP connect to xxxx-RB3011-gw (B8:69:F4:8E:88:97/60/0) failed: timeout
Feb 2 19:16:01 xxxx-downstairs-cap-hapac2 CAP failed to join xxxx-RB3011-gw (B8:69:F4:8E:88:97/60/0)
Jan 11 18:01:54 xxxx-upstairs-cap-hapac2 CAP connect to xxxx-RB3011-gw (B8:69:F4:8E:88:97/6/0) failed: timeout
Jan 11 18:01:54 xxxx-upstairs-cap-hapac2 CAP failed to join xxxx-RB3011-gw (B8:69:F4:8E:88:97/6/0)
Feb 2 19:16:09 xxxx-downstairs-cap-hapac2 CAP selected CAPsMAN xxxx-RB3011-gw (B8:69:F4:8E:88:97/60/0)
Jan 11 18:02:02 xxxx-upstairs-cap-hapac2 CAP selected CAPsMAN xxxx-RB3011-gw (B8:69:F4:8E:88:97/6/0)

Moving back to 7.1.1 fixed the issue and everything came back up ok.

ffries · Wed Feb 02, 2022 3:46 pm

After upgrading to latest Beta on my CCR2204 I can reach 10 Gbit/s in inter-vlan filtering.

*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;

Thank you very much for this long waited feature.

I no longer want to sell my CCR2004 ...

RohanAJoshi · Wed Feb 02, 2022 4:39 pm

I updated a CCR2004-16G-2S+ to 7.2rc3; after the 3rd reboot, I lost all 4 wireguard interfaces. Rebooted again and they were still missing. Loaded a backup and everything is ok again.

I would describe 7.2rc3 on my CCR2004 as 'weird'. Certain clients such as iPhone could not load images across many websites, such as twitter. Rebooted, nothing. Rolled back to 7.1.1.

Unsure how to provide more diagnostics, nothing I tried seemed to make a difference.

After upgrading to latest Beta on my CCR2204 I can reach 10 Gbit/s in inter-vlan filtering.
*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;
Thank you very much for this long waited feature.

I no longer want to sell my CCR2004 ...

What about random reboots by watchdog on ccr2004 ?
We are still getting at stable 7.1.1

rpingar · Thu Feb 03, 2022 5:48 pm

ticket SUP-67221, still present here, about issue on icmp after 2/3 days of operation. It stops the output of icmp, so the icmp check route fails on all route, the router is not able to ping outside host, the router itself responf to ping from outside.

Ticket updated with supout screenshot and export.

regards
Ros

pe1chl · Thu Feb 03, 2022 6:50 pm

ticket SUP-67221, still present here, about issue on icmp after 2/3 days of operation. It stops the output of icmp, so the icmp check route fails on all route, the router is not able to ping outside host, the router itself responf to ping from outside.

It works for me... (netwatch, route with ping check, monitoring router using ping). RB4011.

rpingar · Thu Feb 03, 2022 6:58 pm

ticket SUP-67221, still present here, about issue on icmp after 2/3 days of operation. It stops the output of icmp, so the icmp check route fails on all route, the router is not able to ping outside host, the router itself responf to ping from outside.
It works for me... (netwatch, route with ping check, monitoring router using ping). RB4011.

It seems a problem with mellanox connectx5 cards on x86 and CHR with passtrhough.

regards
Ros

ffries · Thu Feb 03, 2022 11:41 pm

What about random reboots by watchdog on ccr2004 ?
We are still getting at stable 7.1.1

The CCR2004 is no longer rebooting.
If you are using vlans, speed at least doubled (I could not measure as it saturates my network).
CPU utilization is down, so it cannot harm on the reboot side.

Have fun!

RohanAJoshi · Fri Feb 04, 2022 12:13 pm

What about random reboots by watchdog on ccr2004 ?
We are still getting at stable 7.1.1
The CCR2004 is no longer rebooting.
If you are using vlans, speed at least doubled (I could not measure as it saturates my network).
CPU utilization is down, so it cannot harm on the reboot side.

Have fun!

Are you using it as ppp server ?
Cause I am using it as ppp server with 250+ ppp clients and still getting reboots on v7.1.1

Amm0 · Sat Feb 05, 2022 3:55 pm

Is there going to be webfig or WinBox support for ZeroTier instead of just cli?

In this release, v7.2rc3 they added winbox for ZeroTier:

*) winbox - added ZeroTier support;

Despite not being the release notes*, good news is I see ZeroTier in web UI/"webfig" in v7.2rc3 too.

So bad news is why wasn't the ZeroTier webfig support noted in Mikrotik's changelog?

pe1chl · Sat Feb 05, 2022 4:57 pm

Is there going to be webfig or WinBox support for ZeroTier instead of just cli?

Please don't reply to spammers that just repeat a random post from the thread to add their own advertisement once it gets accepted.

Amm0 · Sat Feb 05, 2022 5:08 pm

Please don't reply to spammers that just repeat a random post from the thread to add their own advertisement once it gets accepted.

Likely right. I'm actually annoyed by any footers in forums, so I ignore them.

On this one, I was more surprised to see ZeroTier is in webfig actually. Not sure that was part was answered here.

manitonetworks · Sun Feb 06, 2022 10:49 am

Seeing OSPFv2 and RIP neighbors bouncing consistently across a Wireguard tunnel between two CHRs on 7.2rc3. OSPF neighbors going Init-Full-Init-Full and so on. I have steady connectivity between the two "sites" across Wireguard when I use static routes. But getting really inconsistent behavior from dynamic routing protocols across the Wireguard tunnel. Running vanilla CHR configuration other than dynamic routing and Wireguard - no firewall, queues, etc.

Grant · Sun Feb 06, 2022 8:50 pm

Internet speed through wi-fi dropped a lot
hap ac2

mducharme · Sun Feb 06, 2022 9:28 pm

Internet speed through wi-fi dropped a lot

Dropped a lot compared to what? 7.1.1?

Borizo · Sun Feb 06, 2022 11:57 pm

SOCKS5 auth=password does not work: (details here)
-
Please ignore: SOCKS5 works as expected.

Grant · Mon Feb 07, 2022 4:35 pm

Internet speed through wi-fi dropped a lot
Dropped a lot compared to what? 7.1.1?

Yes, on 7.1.1 the speed was about 500 megabits per second, and on 7.2rc3 about 300.
It is the internet speed. The local network speed has not changed.

pe1chl · Mon Feb 07, 2022 5:51 pm

Due to changes in RouterOS v7 it may be that your router which had enough CPU power to cope with your internet speed in RouterOS v6, has trouble in RouterOS v7.
When you suffer from that, it is best to stay at v6 and defer your update to v7 until you can afford a new router with more CPU power.
(e.g. because MikroTik releases new models at comparable price to current models, but with way more CPU power. See the RB5009. There could be models like that but with WiFi.)

Amm0 · Mon Feb 07, 2022 6:11 pm

Dropped a lot compared to what? 7.1.1?
Yes, on 7.1.1 the speed was about 500 megabits per second, and on 7.2rc3 about 300.
It is the internet speed. The local network speed has not changed.

I'd imagine it's the effect of the removal of the "route cache". In V6, a speedtest would hit the cache, while in V7 there is no cache to hit. See viewtopic.php?p=882867#p882867

Certainly newer hardware/faster CPUs care less about route cache, but older devices may relay on it more to deal with a lower CPU capacity. So some merit to staying with V6 unless there is something you really need from V7.

mducharme · Mon Feb 07, 2022 7:12 pm

Route caching would explain a speed drop from 6.x to 7.x, but not from 7.1.1 to 7.2rc3.

Grant · Mon Feb 07, 2022 8:43 pm

it's all about the traffic processing

Tue Feb 08, 2022 7:50 am

Don't you need to put quotes around that key ?

sirbryan · Tue Feb 08, 2022 10:59 pm

Connecting from my iPhone and MacBook Pro do not work over L2TP/IPSEC with 7.2rc3. Log file reports that remote device isn't responding to CHAP requests (using mschap2 only).

Reverting to 7.1.1 solved the problem.

own3r1138 · Wed Feb 09, 2022 4:57 am

@sirbryan

Tested With iOS.

2022-02-09_06-23-47.png

EdgarSoler · Wed Feb 09, 2022 9:41 pm

2X Routerboard 4011 ARM: Works perfectly, no problem with 7.1.1... and better performance. There are no system reboots.
1X 1009 Tilera: Problems... unexpected reboots. Also to install version 7 I had to format the router... this version is a headache in tilera systems. In tested 7.1.1 and 7.2 RC3... if this continues I will have to downgrade to version 6 or buy a routerboard arm.

noyp · Thu Feb 10, 2022 7:12 am

applying cake in queue tree interface breaks its dhcp client functionality. it just keeps on searching mode and you have to disable it in queue tree temporarily in order to obtain public ip then enable it again for cake qos.

sirbryan · Thu Feb 10, 2022 8:39 pm

@sirbryan
Tested With iOS.
2022-02-09_06-23-47.png

The point is an existing configuration should work from one version to the next. It doesn't. (And this is supposed to be a release candidate.)

Tried again with 7.2rc3 after tweaking the firewall and comparing the L2TP setup with stock ROS7 L2TP/IPSEC configurations, but no luck.

Installed 7.1.2 and devices connect right up.

Debugging the L2TP packets shows an initial CHAP challenge that is accepted and tunnel is created. Then a second tunnel starts with another challenge sent by the router, but the device doesn't reply. Eventually both tunnels are torn down and the router complains that the device didn't respond.

pe1chl · Thu Feb 10, 2022 10:00 pm

Debugging the L2TP packets shows an initial CHAP challenge that is accepted and tunnel is created. Then a second tunnel starts with another challenge sent by the router, but the device doesn't reply. Eventually both tunnels are torn down and the router complains that the device didn't respond.

Does that look like the same issue as is being discussed in this thread?

viewtopic.php?t=181449

ianmagsisi · Fri Feb 11, 2022 5:14 am

still UPS is not working...

buset1974 · Fri Feb 11, 2022 1:18 pm

BGP vrf problem is acknowledged and will be fixed in one of the next versions.

Hi,
could u make it fixed fast.
It's been 2 weeks i 've waiting.

thx

pe1chl · Fri Feb 11, 2022 1:30 pm

could u make it fixed fast.
It's been 2 weeks i 've waiting.

Be patient, we already are waiting for "the new and improved BGP" for almost 10 years!

sirbryan · Fri Feb 11, 2022 5:07 pm

Debugging the L2TP packets shows an initial CHAP challenge that is accepted and tunnel is created. Then a second tunnel starts with another challenge sent by the router, but the device doesn't reply. Eventually both tunnels are torn down and the router complains that the device didn't respond.
Does that look like the same issue as is being discussed in this thread?

viewtopic.php?t=181449

No. That's voice over WiFi. This is an L2TP IPSEC tunnel from a phone or laptop coming back into the router. It works on 7.1.1/7.1.2, but not on 7.2rc3. That other issue has been going on since before rc3 was released.

buset1974 · Sat Feb 12, 2022 8:16 am

could u make it fixed fast.
It's been 2 weeks i 've waiting.
Be patient, we already are waiting for "the new and improved BGP" for almost 10 years!

My CCR are getting rusty waiting.
I have a lot of tickets regarding routing issue that promise will be solved in v7
I believe a lot a people buy CCR for advance routing purposes and not for lte or wifi

Thx

mkx · Sat Feb 12, 2022 10:55 am

I believe a lot a people buy CCR for advance routing purposes and not for lte or wifi

You're quite right. And I'm sure Mikrotik is aware of it. But I'm sure as well that MT knows the number of installed devices of certain range and that they're prioritizing things that are beneficial to most of devices.
And not to forget, not every CCR sold is used for advanced routing, at least one CCR located in Nova Scotia is doing quite boring job of PBR ...

One might get impression that ISP core business is driving MT sales ... at least from voiced on this forum. That might be true, but it might as well not be. I'm pretty sure that majority of users of SOHO line never come to this forum, even less they voice their concerns. So their opinion on this matter my not be articulated. But I'm sure MT knows the sales numbers and can judge if certain SOHO feature is important for their sales or not.

pe1chl · Sat Feb 12, 2022 12:24 pm

Well that could be true indeed. One hint is that v7, with the BGP implementation incomplete, buggy and unfinished, was promoted to stable version and offered as an upgrade.
In the typical home scenario v7 works well, but in a network that uses BGP it is basically unusable. So probably there are not so many customers doing that, so they do not consider it very important.
I regularly help people with setting up a small router in our amateur radio network. It uses BGP. People using v7 encounter problems and destabilize the network.
I hope the quality of the BGP implementation is quickly brought up to par so I do not constantly have to watch for (and recommend against) people attempting the upgrade.

mkx · Sat Feb 12, 2022 3:51 pm

One hint is that v7, with the BGP implementation incomplete, buggy and unfinished, was promoted to stable version and offered as an upgrade.

My home router, a hAP ac2, is set to channel=stable, currently running 6.49.1. If I run check-for-updates, it offers me upgrade to 6.49.2.

It's not offering me v7. So sincerely: noone is pushed to install v7 (except on v7-only devices[*]) unless one reaches out to get it ... and if one is doing extra work to get v7, then IMO he should also take full responsibility for it (e.g. research if v7 is fit for his particular use case).

[*]as I wrote in another post that I'm not going to search for: MT indeed should not sell v7-only devices without marking them with big unfriendly letters saying that software is buggy. And MT should mark v7 software with similar notice ... even if some particular v7 release seems to be better than other v7 releases, it is still ... well, different than v6 ;-)

Sat Feb 12, 2022 4:54 pm

Disagree.
I have a hap ac2 running on 6.48.6 and it insist on upgrading to 7.1.1.

mkx · Sat Feb 12, 2022 6:00 pm

Disagree.
I have a hap ac2 running on 6.48.6 and it insist on upgrading to 7.1.1.

Which channel do you have it set to?

pe1chl · Sat Feb 12, 2022 6:18 pm

One hint is that v7, with the BGP implementation incomplete, buggy and unfinished, was promoted to stable version and offered as an upgrade.
My home router, a hAP ac2, is set to channel=stable, currently running 6.49.1. If I run check-for-updates, it offers me upgrade to 6.49.2.

It's not offering me v7. So sincerely: noone is pushed to install v7 (except on v7-only devices[*]) unless one reaches out to get it ...

When you go to the MikroTik software download page https://mikrotik.com/download you'll see RouterOS v7 prominently displayed with Long-term, Stable and Testing channels, and v6 is only available as an option way down the page.
That makes people believe v7 is the proper choice.
And indeed v7 is not offered to existing installations unless you select the "upgrade" channel, but unfortunately that is the kind of thing people do.
I have had to deal with issues due to people upgrading to v7 multiple times now, and each time it was on a router that was properly running a stable v6 install, but the user is just playing around and trying everything, and then gets offered an "upgrade" to a higher version. Some people just cannot resist that.

And unfortunately there are no warnings anywhere that this is not to be done just for the fun of it, but only after reading the forum and taking preventive measures.
Even the message "Remember to make backup/export files before an upgrade and save them on another storage device" which is the first in every release topic on the forum is NOT displayed in the "check for updates" message. BAD BAD BAD!!
I would even vote for a message that tells you about the possibility to partition your router, on devices that can do that (not the hAP ac2 of course).
So many postings have been seen of admins writing "well I have upgraded my CCR1036 core router of the network and now ..." while they could have easily partitioned the router and saved the existing install, to go back to with doing only a reboot, and instead they need to netinstall, find a backup, etc.
Of course it is not possible to work around all ignorance, but a pointer to the page that explains partitioning would be a good service to the overworked admin that has not read the entire manual from A to Z.

mkx · Sat Feb 12, 2022 6:35 pm

When you go to the MikroTik software download page ...

That's the kind of action I was referring to when I wrote "unless one reaches out to get it".
I expect most MT device owners will use WebFig (possibly QuickSet variant of it) and will navigate to the in-device means of upgrading. I don't remember, but I expect that devices ship with setting chain=long-term (or stable), but I doubt they come with setting chain=testing. If user actually goes to download section ... then they as well can go to download page of DD-WRT for that matter.

I fully agree with the arguments that MT should be a bit more conservative when describing v7 status. Which IMO did not get beyond a beta yet.

Sat Feb 12, 2022 7:26 pm

Disagree.
I have a hap ac2 running on 6.48.6 and it insist on upgrading to 7.1.1.
Which channel do you have it set to?

Very odd.
I am convinced it was on stable, even though I had to do the downgrade manually using npk.
It shows testing, which explains partially why it proposes that version.
But then it should have proposed 7.1.2 or 7.2rc3, no ?

mkx · Sat Feb 12, 2022 8:01 pm

It shows testing, which explains partially why it proposes that version.
But then it should have proposed 7.1.2 or 7.2rc3, no ?

Only Mikrotik knows what version sequence is where ... but I guess 7.1.2 is v7stable while 7.1.1 was testing (not v7testing). 7.2rc3 is definitely v7testing. But I do remember that 6.49.2 (or was it .1?) came with channel=upgrade which means MT introduced the v7{stable,testing} at that time.

Amm0 · Sat Feb 12, 2022 10:18 pm

*) lte - fixed support for Telit 960;

Yup, these seem to work very well in this release. The GPS package even works with the Telit LM960s in this build (wrote up the steps here: viewtopic.php?p=912653#p912653 if anyone needs)

jult · Mon Feb 14, 2022 5:34 pm

It's also not clear to me if mikrotik picked up the wifi work on any of their wifi gear: https://lwn.net/Articles/705884/

I've read it all, but it's unclear to me what you mean mikrotik should do on their wifi gear. Set the wireless interface to use fq_codel instead of sfq ? And if so, with what config exactly ? I haven't seen any results to back anything up yet in that article you've linked to.

Masyanich · Wed Feb 16, 2022 7:07 am

how to remove "pptp considered unsafe" notifications in winbox?

Znevna · Wed Feb 16, 2022 7:13 am

you stop using pptp

mducharme · Wed Feb 16, 2022 7:50 am

My ISP requires host-uniq as well as user/pass for PPPoE. Can someone confirm I can set this?

Yes, I can see there is a host-uniq parameter for PPPoE clients in this version. It is only available through the CLI, not through winbox/webfig. I am able to set it in my own device, but because my ISP does not require setting this, I cannot confirm that it works as expected.

mkx · Wed Feb 16, 2022 3:39 pm

First configure pppoe-client via GUI of choice. Then open terminal window and execute something like this:

/interface/pppoe-client/set [ find ] host-uniq="<required string>"

(n.b. the command above will change any pppoe client definition. If you happen to have more than one, you have to find the one needed to change. E.g. run command "print", visually determine the right one, make note of index number printed in the first column of the output. Then run command similar to the one written above, but replace the [ find ] construct (including square brackets) with the sequence number)

memelchenkov · Wed Feb 16, 2022 3:41 pm

bridge - fixed bridge filter and NAT rules on ARM64 and TILE devices; -- please tell what's exactly fixed? I experience bridge filter and bridge IP firewall issues in 7.1.2. Bridge Filter do not mark packets, and bridge IP firewall breaks NAT. But it's ARM platform (Chateau), not ARM64. Does this fix related to my problem or not?

slimmerwifi · Wed Feb 16, 2022 4:32 pm

you stop using pptp

this made my day 😂👌

r00t · Wed Feb 16, 2022 6:21 pm

How is PPTP any less secure than running IPIP, EoIP or any other VPN protocol with no cipher enabled that will show no such warning? And what's next? All open WIFI interfaces will show red warnings too? ROS is supposed to be for professionals that know how to use it and what limitations each of these protocols may have. There are use cases for all of them, be it various vendor hardware or software compatibility, specific MTU requirements etc. There is no need for Mikrotik to be babysitting it's users.

elbob2002 · Fri Feb 18, 2022 2:35 pm

How is PPTP any less secure than running IPIP, EoIP or any other VPN protocol with no cipher enabled that will show no such warning? And what's next? All open WIFI interfaces will show red warnings too? ROS is supposed to be for professionals that know how to use it and what limitations each of these protocols may have. There are use cases for all of them, be it various vendor hardware or software compatibility, specific MTU requirements etc. There is no need for Mikrotik to be babysitting it's users.

If you're still using PPTP in 2022 then you shouldn't consider yourself a professional!

Paternot · Sat Feb 19, 2022 1:38 pm

*) bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;
*) l3hw - added HW offloaded FastTrack support for inter-VLAN routing;
*) l3hw - fixed HW offloaded NAT;

Wait, if this is true and it's applies to all devices this is going to be a major improvement. Im going to have to look into this more.

This is true for several devices, but not all. In fact, just a small set of them support this. The link bellow is a good starting point:
https://help.mikrotik.com/docs/display/ ... Offloading

jayooo · Sun Feb 20, 2022 12:11 am

Using Windows Remote Desktop through a Wireguard connection that terminates on Mikrotik 7.2rc3, I am often getting this Remote Desktop error message:

"Because of an error in data encryption, this session will end. Please try connecting to the remote computer again."

This is Client PC -> Mikrotik Wireguard -> Remote PC (all at the same physical location).

Ferrograph · Sun Feb 20, 2022 3:25 am

v7.2rc3 Broke General operation on my CCR1009-7G-1C-1S+ Routers LAN IP is on the bridge along with DHCP server. IP address inaccessible yet DHCP works. Consequently not internet access for devices. No Winbox access via IP but MAC Winbox worked thankfully!

Upon checking lots of things I found that admin MAC had been removed from the bridge, so I reset it but it did not restore operation.

Rolled back to 7.1.2. Everything working again.

sindy · Sun Feb 20, 2022 11:04 am

How is PPTP any less secure than running IPIP, EoIP or any other VPN protocol with no cipher enabled that will show no such warning?
...
There is no need for Mikrotik to be babysitting it's users.

I'm afraid that's only related to the thing of perceived security. There is no username and password specified for IPIP or EoIP, so they are not considered a "VPN" in the sense an "average Joe" understands it (if you set the IPsec secret for these, they become much more secure than PPTP); PPTP does contain the magic username/password combination, so it must be secure, mustn't it?

And worse than that, at least the older versions of Quickset even offered it as the VPN to use, further reinforcing the perception that it was secure.

korzus · Mon Feb 21, 2022 6:02 pm

Still having problem with address-list on 7.2rc3.

A script who reads log searching for IPs trying to connect vpn and negotiation is failed, when adding the IP to address list, ros its saying its already added, when its not.

pe1chl · Mon Feb 21, 2022 7:10 pm

Please show your script, there may be an error there.