Only ONE item for BGP fixes? At this rate we need to go to 7.2rc19 before it is ready...*) bgp - fixed VPNv4 route sending to remote peer;
Why, according to Mozerds links, its important to have different peer cryptography or did I read that wrong.Do I take the JUMP????
....wireguard - allow same peer's public key for different interfaces;
Thank you!!!
/routing table
add disabled=no fib name=ampr
/routing bgp template
add as=4220406101 disabled=no hold-time=15s name=ampr nexthop-choice=\
force-self router-id=44.137.41.109 routing-table=ampr
@404Why, according to Mozerds links, its important to have different peer cryptography or did I read that wrong.
The best practices for WireGuard keys are similar to those for SSH keys or client certificates (or any other host-based credentials) — no two hosts should share the same key (even for hosts that are considered simple “clients”). While this takes a little more work to set up, it’s much more maintainable in the long run.
KEY POINT: Additionally, if you operate more than one WireGuard interface on an individual host, it’s an okay practice to use the same key for all the interfaces on the host (it won’t result in a bad user experience) — but the best practice is to use a different key for each individual interface. The same security-practice issues described above also apply when sharing keys among interfaces on the same host (albeit to a lesser degree) — so not sharing keys makes for better/easier auditability, access control, and key rotation.
[cesar@MikroTik] > /interface/pppoe-client/print detail
Flags: X - disabled, I - invalid; R - running
0 R name="pppoe-client" max-mtu=1492 max-mru=1492 mrru=disabled interface=ether3 user="xxx@xxx" password="xxx" profile=pppoe-client keepalive-timeout=60 service-name="" ac-name="" add-default-route=yes
default-route-distance=1 dial-on-demand=no use-peer-dns=no allow=pap,chap
[cesar@MikroTik] > /interface/list/member/print detail where interface=pppoe-client
Flags: X - disabled, D - dynamic
5 list=WAN interface=pppoe-client dynamic=no
[cesar@MikroTik] > /interface/detect-internet/state/print detail where name=pppoe-client
[cesar@MikroTik] >
I hope you are not really using that feature... just set all "detect internet" interface lists to "none" and add the pppoe-client to list WAN manually.pppoe-client is not being detected as WAN or INTERNET after upgrading to rc4.
I use different chains to mark the connection and the packets for my queue trees.IPv6 with queues is a blocker for me as well... It is not fixed with 7.1.3 😢 - as there's no log entry I guess the same applies for 7.2rc4. 😢
/ipv6 firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark connection-state=new dst-port=80,443 in-interface=LAN new-connection-mark=http-con out-interface=WAN passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=http-con in-interface=LAN new-packet-mark=http-ul-pkt passthrough=no
add action=mark-packet chain=postrouting connection-mark=http-con new-packet-mark=http-dl-pkt out-interface=LAN passthrough=no
We reproduced a similar behavior locally. We are looking forward to improving such behavior with different link speeds in further RouterOS releases.
Has not worked since 6.43, what did you upgrade from?pppoe-client is not being detected as WAN or INTERNET after upgrading to rc4.
IIRC it was working on rc3 (the version I was using before rc4).Has not worked since 6.43, what did you upgrade from?
Had some other versions in my archive.Winbox 3.32 cannot connect to 7.2rc4 !
The log shows logged in/logged out in the same second.
But winbox 3.35 is buggy...
Please do not make such version dependencies!
I also lost the single custom routing table I had after upgrading from rc3 to rc4 🤡 At least in my case it was easy to fix, but it took me a while to understand what was wrong after the upgrade.WTF Mikrotik!! Erase the routing tables (/routing/table), leaving me with setting about 50 different routing-marks all who are all over the place!!!!!
Could you elaborate into this? Specifically, where can this information be seen now?*) wireless - correctly preserve WMM priority when receiving packets;
Better some more...How many RC versions are planned before stable release?
Priority should be to fix features that already were working in v6 but are broken in v7.no changes in ovpn udp? let's get to the rc58 at this rate...
This info should be in the "priority" field present in each packet. That would be transferred to the priority in a VLAN tag, or it can be used (albeit with a detour via packet marks) in a queue tree.Could you elaborate into this? Specifically, where can this information be seen now?*) wireless - correctly preserve WMM priority when receiving packets;
> routing/filter/rule/export
# feb/24/2022 14:45:29 by RouterOS 7.2rc4
# software id =
#
/routing filter rule
add chain=ospf-out disabled=no rule=reject
add chain=ospf-out disabled=no rule="if ( gw-interface ether1 || gw-interface wg-RedShield ) { reject; } accept;"
add chain=ospf-out disabled=no rule=reject
> routing/filter/rule/export
# feb/24/2022 14:48:16 by RouterOS 7.2rc4
# software id =
#
/routing filter rule
add chain=ospf-out disabled=no rule=reject
add chain=ospf-out disabled=no rule=reject
Did you already do a clean netinstall and import of the old exported config before?I noticed this in rc3, now it's reproducible in rc4. I have a Routing Filter rule that disappears after reboot:
Thanks but it seems that v 7.2rc3 cannot be downloaded... (or where exactly?) the archive contains only stable releases, not beta and rc?All older versions can be found on the MikroTik download page.
When you downgrade from v7 to v6 your configuration will revert to what it was when you last had v6, so all changes made since then will be lost.
Of course you can export your config before you downgrade and import it after the downgrade, but it may be that edits in the export are required.
And of course you have to reset to a blank config before you can import an entire config. But maybe you only have a specific section where you made changes, and you can clear and import only that.
Any chance to get it now somewhere? I need mmips version.Ok indeed it seems the development release tree has been removed from that.
As always, I recommend to partition the router (if possible, not on 16MB FLASH devices) so you can always go back after an upgrade.
It seems most users do not know about that.
It's still there, no ?Ok indeed it seems the development release tree has been removed from that.
As always, I recommend to partition the router (if possible, not on 16MB FLASH devices) so you can always go back after an upgrade.
It seems most users do not know about that.
https://download.mikrotik.com/routeros/ ... -mmips.npkAny chance to get it now somewhere? I need mmips version.Ok indeed it seems the development release tree has been removed from that.
As always, I recommend to partition the router (if possible, not on 16MB FLASH devices) so you can always go back after an upgrade.
It seems most users do not know about that.
You may download it by direct link: https://download.mikrotik.com/routeros/ ... c3-arm.npk (I just replaced "4" from current download link published on the website to "3").Thanks but it seems that v 7.2rc3 cannot be downloaded... (or where exactly?) the archive contains only stable releases, not beta and rc?
Thanks!!!! :-)https://download.mikrotik.com/routeros/ ... -mmips.npk
Any chance to get it now somewhere? I need mmips version.
Is it available in a bridge filter rule only or throughout RouterOS (incl. IP filter)? I hope automatic WMM -> VLAN priority is preserved when vlan is configured on a wlan too.This info should be in the "priority" field present in each packet. That would be transferred to the priority in a VLAN tag, or it can be used (albeit with a detour via packet marks) in a queue tree.
Yes that should work (unless there are bugs, of course...). The priority field remains with the packet as long as it is forwarded through the device (and is not overridden by some mangle rule), and it does not matter if a VLAN is used. Only when the packet is forwarded outside of the device this comes into play.Is it available in a bridge filter rule only or throughout RouterOS (incl. IP filter)? I hope automatic WMM -> VLAN priority is preserved when vlan is configured on a wlan too.This info should be in the "priority" field present in each packet. That would be transferred to the priority in a VLAN tag, or it can be used (albeit with a detour via packet marks) in a queue tree.
How exactly?*) ups - fixed UPS support;
I think this is a great point. Figure out a way to handle exports with sensitive information in a secure way, but not as a binary backup. This frustrates me to no end when dealing with devices having issues, as I am unsure if I’m dealing with them related to some strange corruption in a backup file, since dealing with exports is so painful when operating under time constraints. Backups have many downsides when dealing with hardware swaps, differing versions, etc. I’m really surprised exports that support sensitive information haven’t been implemented with how easy it would be to generate and restore, and with the lessened support load regarding backups/restores.exports are mostly useless because they don't include certificates, um db, ssh keys, etc. which could easily be done by converting them into base64 and also storing them in the rsc/text file.
binary backups are (currently) also useless, because they store the entire database, and at the time of taking that backup nobody knows if it's already corrupted, and every time you have to restore that file, you'll end up having the same problem.
Thanks! I assumed it will be in the base package, 7.x being "monolithic" :)@sinisa UPS is an extra package.
[admin@MikroTik] > /ip/firewall/service-port/disable dccp
failure: module dccp is built-in and cannot be individually disabled
[admin@MikroTik] > /ip/firewall/service-port/disable sctp
failure: module sctp is built-in and cannot be individually disabled
[admin@MikroTik] > /ip/firewall/service-port/disable udplite
failure: module udplite is built-in and cannot be individually disabled
/interface ethernet switch rule add dst-address=192.168.192.200/32 new-vlan-id=100 ports=ether2 switch=switch1
Finally, RB5009 switch chip is simply not able to handle dst-address related ARP traffic, while CRS317 has more advanced switch features, and so properly handles it.Strange issue on RB5009 where the following rule does not handle the related ARP traffic :No issue on (for example) CRS317.Code: Select all/interface ethernet switch rule add dst-address=192.168.192.200/32 new-vlan-id=100 ports=ether2 switch=switch1
SUP-74646 created accordingly.
Any word on what this initialization issue / change is? I've got some evidence that the CCR2004-16g-2s+ (running 7.1.1) is providing an open "dumb" switch for a short while during reboots. I haven't dug into this too far because I've got other things to deal with, but it'd be useful to know if it's a known issue with a fix in the pipeline.*) switch - improved switch chip initialization process on bootup for CCR2004-16g-2s+ devices;
Please keep this forum topic strictly related to this particular RouterOS release.
I am still having problems with PPP sessions - CCR that is running as PPP Server (OVPN) suddenly starts to duplicate sessions without eliminating old ones ... I found out that also configuration changes that are made when router is already making this problems are lost after reboot - like it does not permanently stores them...*) ppp - improved stability when handling large amount of connections simultaneously;
I see no claim that this has been fixed... in general, one can say that when there is no mention in the changes, it is still broken.Simple Queues with IPv6 are still broken.
it's in the changelog :This version appears to fix the serious mipsbe 5ghz issues detailed here: viewtopic.php?t=182058
Why is there seemingly nothing in the changelog about this? It is like it was fixed silently. It was not working in 7.2rc3 and 7.1.3.
What do queue fixes have to do with a 5ghz mipsbe wireless issue? And, no, I was running 7.2rc3 before this, so I can guarantee that these 5ghz mipsbe wireless issues were present in that version too.*) queue - improved system stability when processing traffic;
*) queue - fixed traffic processing (introduced in v7.2rc2);
it works in 7.2rc3
The kernel does not allow them to be turned off, according to MikroTik support.SUP-75572 created accordingly.Code: Select all[admin@MikroTik] > /ip/firewall/service-port/disable dccp failure: module dccp is built-in and cannot be individually disabled [admin@MikroTik] > /ip/firewall/service-port/disable sctp failure: module sctp is built-in and cannot be individually disabled [admin@MikroTik] > /ip/firewall/service-port/disable udplite failure: module udplite is built-in and cannot be individually disabled
7.1 isn't really long term. It is just there as a dummy placeholder until there is an actual long term v7.Strange that 7.1.3 is stable and 7.1 is long term :)
I have also lost all routing tables, i was upgrading from first V7 ever released thru all versions until this one and its first time it did something like that..I took the JUMP and hit the concrete on the bottom with my head!!
WTF Mikrotik!! Erase the routing tables (/routing/table), leaving me with setting about 50 different routing-marks all who are all over the place!!!!!
I started the recovery but ran out off breath doing them all and will think hard over it before trying to go from 7.1.1 to 7.2RC again. I went back to 7.1.1 and then restored the config and all worked again like a well oiled machine. oooooooooooooooooooooooof!
Is there not a better way change routing tables without let us running in to walls??
Wait a minute... you're hoping to see new bugs ?It is a easy fix but takes a lot of time to do. I rather wait till Mikrotik fix this bug and hope new are created doing so.
If this was a production router in a company (with 50 routing-marks its not a home router), I would say that it 90% your fault.I took the JUMP and hit the concrete on the bottom with my head!!
WTF Mikrotik!! Erase the routing tables (/routing/table), leaving me with setting about 50 different routing-marks all who are all over the place!!!!!
I started the recovery but ran out off breath doing them all and will think hard over it before trying to go from 7.1.1 to 7.2RC again. I went back to 7.1.1 and then restored the config and all worked again like a well oiled machine. oooooooooooooooooooooooof!
Is there not a better way change routing tables without let us running in to walls??
Or better yet: PARTITION the router! Copy running version to 2nd partition, upgrade, when it is a disaster: make 2nd partition active, reboot, back in business.3. With backup, you would only use some minute to downgrade to 7.1.1 and restore your backup.
Makes it a difference then!? ;-)Wait a minute... you're hoping to see new bugs ?It is a easy fix but takes a lot of time to do. I rather wait till Mikrotik fix this bug and hope new are created doing so.
If the router goes up in smoke then I rather have backup and an export (off-site). If I can't get the same router again then I have still the export, to manually copy-and-paste.Or better yet: PARTITION the router! Copy running version to 2nd partition, upgrade, when it is a disaster: make 2nd partition active, reboot, back in business.3. With backup, you would only use some minute to downgrade to 7.1.1 and restore your backup.
Of course you always make a backup, but for the depicted scenario of upgrading a router that is running in production to the next version of RouterOS, using partitioning is the best method.If the router goes up in smoke then I rather have backup and an export (off-site).
Or better yet: PARTITION the router! Copy running version to 2nd partition, upgrade, when it is a disaster: make 2nd partition active, reboot, back in business.
Yes you need some space. That page is incorrect saying "Partitioning is supported on MIPS, TILE and PowerPC RouterBOARD type devices.", I have a RB4011 as home router (ARM) and it works there. This device has 512MB of space (a bit of a useless in-between value, too much for a single or dual partition of RouterOS, not enough to do a lot with Docker containers later...).Most home ruter does only have 16MB, so to use multiple partition you need a larger router with at least 32MB
https://wiki.mikrotik.com/wiki/Manual:Partitions
Here they work fine. Do you use the "Set" features? (now renamed to "List")Routing filters seem to not be working in v7.2rc4.
/interface/wireguard/peers/print detail
Do you really need a mail to support, incurring extra work for you, to know about problems? Would it not be easier to read the comments on the release topic, as you clearly are doing for the v7 rc releases? Especially when there is a new problem introduced in a winbox release, and everyone is writing about it in the release topic, I would expect that to be looked at at high priority as it is still a fresh change and likely easier to fix.pe1chl, holvoetn - WinBox dependencies are made when it is absolutely necessary. We are not doing this without any reason. Please report problems with WinBox 3.35 to support@mikrotik.com so we can fix them. Without knowing them, we can not fix them.
It is difficult to know what you mean by "such problems" when only the username is quoted and the user posted several messages in the topic. I regularly send issues to the Jira system, I suppose that is equivalent to mailing them to support.osc86, pe1chl - If you notice such problems, then please report them to us through the official support channel - support@mikrotik.com. Provide examples so we can fix them.
elgrandiegote - To what changes are you referring to? If you refer to reboots, then they should be fixed in the next release.
Agree, v7 is not a beta anymore, it's a stable version, specially for their flagship product such as CCR, but there is a lot of homework must be fixed fast, specially for advance dynamic routing such as BGP.About the whole "v7" thing...: well, you should be aware of the fact that some devices can only run v7. Also, v7 is presented prominently on the software download page as a stable release, which makes some people do the upgrade at a time they probably should not do that yet.
I surely understand that there is a lot of work to do, but I think many of us would prefer if all efforts are first concentrated on making v7 a worthy replacement of v6, where the same features work at the same quality level, and only then work is done on extending v7 with new features.
We are running a network operated by hobbyists and volunteers, which is heavily relying on BGP functionality, and I am holding my breath as more and more operators "discover" v7 and upgrade to it, causing frequent issues in the network. Sure it would have been better when we had a well functioning contact platform where I could send messages to all users requesting them not to upgrade, but we don't have that. So I am hoping that BGP will "soon" be again on par with v6 quality.
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
You’re not the only one. Exact same issue here. My ticket is: SUP-68278 which was last updated by Mikrotik Dec. 23. I’ve posted in these threads about it before and been told to create a new support ticket… The same resolution (auto-negotiation off/1G fixed) “works” for me, but this is obviously not a fix.The problem with the irregulary broken fiber connections with 10GB is still present in 7.2RC4.
I´ve updated yesterday all my MikroTik Devices from 6.48.6 over 6.49.4, 7.1.3 (via upgrade) to 7.2RC4. (RB5009, CRS326-24S+2Q+, CRS328-24P-4S+, RB4011, CRS32624G2S+, 5x CAP AC).
After the update the fiber connection between the CRS326-24S+2Q+ and the CRS328-24P-4S+ began to toggle. Every 5 min. the connection was broken. After deactivation of Graphing the disconnection happend ~ every 20-30 min.
This behaviour didn´t happen with ROS 6.48.6 or 6.49.4 and I only upgraded the ROS, nothing else.
Only the deactivation of "Auto Negotiation" and the fixing to 1GB stopped the diconnections to ~1x per day.
The cable between both devices is ~35m (2x)
The problem exists also with 7.0.5, the days where I´ve tried this ROS version I´ve also changed the cables without success. So the problem exists inside ROS 7.X
(https://help.mikrotik.com/servicedesk/s ... /SUP-71233)
I've reopened SUP-38224 since it was about the same thing and provided a supout, thank you.Znevna - Please provide supout file to support@mikrotik.com when MTU is set to 1480, instead of 1492.
*) ipsec - added hardware acceleration support for CCR2116;
Do we have a date for the new rc with bug fixes, and possible feature additions?@strods
Sat Mar 05, 2022 8:30 am
/ip firewall connection remove [find]
Adding:If you can experiment: if you disable CAPsMAN on RB4011, do crashes cease to happen?
It´s it main role (CAPsMAN). I would loose all my WLAN on my 5 CAP AC´s, so it´s not really a choice to do so.... :-(If you can experiment: if you disable CAPsMAN on RB4011, do crashes cease to happen?
It seems there were some WLAN-related fixes with 7.2rc4 (but nothing was really mentioned in the change log, users just noticed ...)I´ve tried 7.1.3 with clean config also, but it doesn´t work very well (WLAN Veeery sloooow and regulary discoonections of my WLAN dfevices)
I updated our Metal 52 because of what you mention here. Is it required to also upgrade Routerboard firmware, or will just the packages do, do you know?It seems there were some WLAN-related fixes with 7.2rc4 (but nothing was really mentioned in the change log, users just noticed ...)I´ve tried 7.1.3 with clean config also, but it doesn´t work very well (WLAN Veeery sloooow and regulary discoonections of my WLAN dfevices)
Is it required to also upgrade Routerboard firmware, or will just the packages do
NoIs there any support for ZeroTier on Hex-S (mmips) in this v7.2rc4?
[demo@MikroTik] > /system routerboard print
routerboard: yes
board-name: hEX S
model: RB760iGS
serial-number:
firmware-type: mt7621L
factory-firmware: 6.46.4
current-firmware: 6.47.10
upgrade-firmware: 7.2rc4
[demo@MikroTik] > [tab]
caps-man interface partitions routing user password
certificate ip port snmp beep ping
console ipv6 ppp special-login blink quit
disk log queue system export redo
file mpls radius tool import undo
[demo@MikroTik] >
I know its only arm yet. Can you post a link to where MT stats that there will be no ZeroTier for other platform?no plans for other architecture atm as per MT
viewtopic.php?t=178353#p890747I know its only arm yet. Can you post a link to where MT stats that there will be no ZeroTier for other platform?
That is not the same as that there will never be.We only can do it for ARM systems, no plans for MIPS now.
You are correct, I didn't have any extra packages loaded. But I don't think MikroTik currently has anything for non ARM processors.Wouldn't you need to load a package before it would show the ZT directory? Are they working on a package to enable ZT on this version I guess was my question...
Something new on this topic.The problem with the irregulary broken fiber connections with 10GB is still present in 7.2RC4.
I´ve updated yesterday all my MikroTik Devices from 6.48.6 over 6.49.4, 7.1.3 (via upgrade) to 7.2RC4. (RB5009, CRS326-24S+2Q+, CRS328-24P-4S+, RB4011, CRS32624G2S+, 5x CAP AC).
After the update the fiber connection between the CRS326-24S+2Q+ and the CRS328-24P-4S+ began to toggle. Every 5 min. the connection was broken. After deactivation of Graphing the disconnection happend ~ every 20-30 min.
This behaviour didn´t happen with ROS 6.48.6 or 6.49.4 and I only upgraded the ROS, nothing else.
Only the deactivation of "Auto Negotiation" and the fixing to 1GB stopped the diconnections to ~1x per day.
The cable between both devices is ~35m (2x)
The problem exists also with 7.0.5, the days where I´ve tried this ROS version I´ve also changed the cables without success. So the problem exists inside ROS 7.X
(https://help.mikrotik.com/servicedesk/s ... /SUP-71233)
Have you ever tried setting it to "layer 3 and 4" ? This is by far recommended over all others for LACP.I´ve changed my settings within the Bonding set, specially the "Transmit Hash Policy" from "Layer 2" to "Layer 2 and 3" and the disconnections are gone (until now for more than 24h) and my latency in the LAN went dramatically down from >30ms to 1-2ms :-)
Is this feature available for all wireless interfaces? Or is wifiwave2 some special device?*) wifiwave2 - added "client-isolation" feature;
See https://help.mikrotik.com/docs/display/ROS/WifiWave2Is this feature available for all wireless interfaces? Or is wifiwave2 some special device?*) wifiwave2 - added "client-isolation" feature;
Thanks for the tipp, I´ve implemented it right some minutes ago and will keep an eye on it ;-)Have you ever tried setting it to "layer 3 and 4" ? This is by far recommended over all others for LACP.I´ve changed my settings within the Bonding set, specially the "Transmit Hash Policy" from "Layer 2" to "Layer 2 and 3" and the disconnections are gone (until now for more than 24h) and my latency in the LAN went dramatically down from >30ms to 1-2ms :-)