Re: v7.4.1 [stable] is released!

herbrico · Mon Aug 08, 2022 11:12 am

Upgraded from 7.4 to 7.4.1 RB1100AHx4DE, RB2011UiAS2HnD, Groove A-5aHpn, RBD23UGS-5HPacD2HnD. For now everything is ok.

reevansxyz · Mon Aug 08, 2022 1:43 pm

Upgraded from 7.4 to 7.4.1 on RB5009UG+S+IN; everything looks to be working as of the moment.

sxtlhglte · Mon Aug 08, 2022 3:49 pm

Upgraded from 7.3.1 to 7.4.1 hap ac2, chateau lte/5g RB953. and Audience all good no issue.

Aerowinder · Mon Aug 08, 2022 4:28 pm

Have (14) CCR-2004-1G-12S+2XS deployed in a ring configuration; using OSPF.

(2) routers failed to re-establish both neighboring links upon installation of the firmware and reboot. Took out 75% of my network. Remote reboots of affected units were successful but did not resolve the issue. Had to visit affected sites for a power cycle of the hardware. Now running normally.

qatar2022 · Mon Aug 08, 2022 5:31 pm

Upgraded from 7.3.1 to 7.4.1 RB5009UG+S+, CRS328-24P-4S+Cloud Router Switch, CRS112-8P-4S-IN Cloud Router Switch, hEX PoE RB960PGS, hEXs RB760iGShEXs RB760iGS and chateau 5g all good no issue.

jhbarrantes · Mon Aug 08, 2022 5:32 pm

Think I bricked a mAP after upgrading it from 7.4 to 7.4.1. All LEDs are ON (solid) when powered, but device is unresponsive. I'm trying to netinstall, but struggling to put this in netboot mode.

Anyone having the same issue with small devices?

Mon Aug 08, 2022 6:00 pm

Think I bricked a mAP after upgrading it from 7.4 to 7.4.1. All LEDs are ON (solid) when powered, but device is unresponsive. I'm trying to netinstall, but struggling to put this in netboot mode.

Anyone having the same issue with small devices?

I'll try later tonight BUT ... on the Help page for ROS7 it is stated that version is not be used on device like mAP Lite (mAP and mAP lite are identical as far as resources are concerned).
Only saw that by accident this weekend.
https://help.mikrotik.com/docs/display/ ... ifications

Mind you, I use ROS7 on mAP and mAPLite already for quite a while. Never had any problems with it (there are other devices having less resources not being mentioned as 'unsuitable')

jhbarrantes · Mon Aug 08, 2022 6:23 pm

Think I bricked a mAP after upgrading it from 7.4 to 7.4.1. All LEDs are ON (solid) when powered, but device is unresponsive. I'm trying to netinstall, but struggling to put this in netboot mode.

Anyone having the same issue with small devices?
I'll try later tonight BUT ... on the Help page for ROS7 it is stated that version is not be used on device like mAP Lite (mAP and mAP lite are identical as far as resources are concerned).
Only saw that by accident this weekend.
https://help.mikrotik.com/docs/display/ ... ifications

Mind you, I use ROS7 on mAP and mAPLite already for quite a while. Never had any problems with it (there are other devices having less resources not being mentioned as 'unsuitable')

Very good point, I didn't know it. And, to be honest, I'm in the same mud, I have been running RouterOS v7 in both devices (mAP and mAP-Lite, I've got both) for a while now without problems. This suddenly get all lights solid after rebooting when installing new version. But has been upgrading to V7 since first beta release.

Thanks anyway, don't want to break yours, so do not apply this just for me!

Regards.

Mon Aug 08, 2022 7:41 pm

Thanks anyway, don't want to break yours, so do not apply this just for me!

Too late ;)
7.4.1 is running on the little bugger.
No problems whatsoever.

Time to dust off those netinstall skills, I think.
Which BTW might just be what is needed if you went from ROS6 to ROS7 with lots of intermittent versions.

Guscht · Mon Aug 08, 2022 11:48 pm

All updated from 7.4 without issues:

Zwischenablage01.jpg

Netstumble · Tue Aug 09, 2022 1:11 am

I just did my wAP AC LTE6.
Pretty basic config (travel ap), but so far it looks ok.

jvanhambelgium · Tue Aug 09, 2022 4:57 pm

Updated my RB5009+UG+S from 7.3.1 towards 7.4.1
No issues so far

cyna · Tue Aug 09, 2022 5:09 pm

hAP ac² - upgraded from 7.4 problem with shutdown back , router only reboot

sirbryan · Tue Aug 09, 2022 9:36 pm

Loaded 7.4 and 7.4.1 onto four CCR2116's.

1.7M BGP routes from two peers on one, 1.4M from one peer on the second (both 7.4.1), and 900K aggregated to the one in the middle (7.4). All boxes using upwards of 700MB of RAM, running at a load of ~10% (<2Gbps of traffic).

Fourth router (7.4.1) is the office router. It's twiddling its thumbs for the most part.

So far, so good.

LonDat · Wed Aug 10, 2022 1:20 am

ROS and firmware updated on Audience.
In log after (re)start:
error while running customized default configuration script: bad command name wireless (line 985 column 25).

CRS1016, AC2 and AC3 updated also, all fine there.

Rox169 · Wed Aug 10, 2022 1:45 pm

Hi,

DO NOT UPGRADE REMOTELY. On hAP AC3 the instalation stuck... wifi and internet was working but I could not access the router. Manual reset helped and after reset was router already on 7.4.1

rumahnetmks · Wed Aug 10, 2022 2:59 pm

RB4011iGS+5HacQ2HnD-IN + hAP-AC3 update and all seem normal...

crondrift · Wed Aug 10, 2022 4:56 pm

hAP ac² update from 7.4 to 7.4.1 went fine. no problems so far.

MrV98 · Thu Aug 11, 2022 11:25 pm

Does anyone know whether this version supports BGP monitoring via SNMP?
Stuff like uptime and prefix count etc.

Jotne · Thu Aug 11, 2022 11:39 pm

Not sure, but all you see in Winbox/SSH can be sent to a log server using Syslog.
See my post here: viewtopic.php?t=188352

lublupospat · Fri Aug 12, 2022 11:03 am

After upgrading from 7.1.5 to 7.4.1, routing through the second provider stopped working.

providers:
1. pppoe (distance 1)
2.dhcp (distance 2)

for the second route created with routing-table=MARK-ISP2

The detailed part of the configuration is attached.
All rules recreated the result is negative.
Replacing the distance in the interfaces of providers normally routes the second provider.

/interface ethernet
set [ find default-name=ether1 ] name=ETH1-ISP1
set [ find default-name=ether2 ] name=ETH2-ISP2

/interface pppoe-client
add add-default-route=yes allow=mschap1,mschap2 disabled=no interface=\
    ETH1-ISP1 name=PPPoE-ISP1 user={login-isp1} password={password-isp1}

/interface list
add name=WAN

/interface list member
add interface=PPPoE-ISP1 list=WAN
add interface=ETH2-ISP2 list=WAN

/routing table
add fib name=MARK-ISP1

/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway={ip-gateway-isp2} \
    routing-table=MARK-ISP2

/ip dhcp-client
add default-route-distance=4 interface=ETH2-ISP2 script="/ip route set gat\
    eway=\$\"gateway-address\" [/ip route find where routing-mark=\"MARK-ISP2\"\
    ]\r\
    \n" use-peer-dns=no use-peer-ntp=no

/ip firewall address-list
add address=10.90.25.8 list=LAN-ISP1

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!{static-ip-isp1} \
    new-routing-mark=MARK-ISP2 passthrough=no src-address-list=LAN-ISP1

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.90.25.0/24

xormac · Fri Aug 12, 2022 5:21 pm

Does anyone know how to remove dynamic Simple Queues? This used to be possible in RouterOS 6. I see someone else noted the issue in 7.4 already.

When trying to remove a dynamic simple queue you get the error: "Couldn't remove Simple Queue <<pppoe-....>> - not permitted (9)"

Would really like a solution or workaround for this please?

eworm · Fri Aug 12, 2022 5:23 pm

I think you can not. However you can create a non-dynamic queue with higher priority (placed above). Queues are handled from top to bottom.

mmc · Fri Aug 12, 2022 5:52 pm

various 10g sfp's still don't work with ccr2004 & ccr2116

mkx · Fri Aug 12, 2022 6:31 pm

various 10g sfp's still don't work with ccr2004 & ccr2116

I don't think MT will ever put much energy into making "various 10g sfp's" work with all of their SFP+ devices. It's simple: some work and some don't, it's by pure chance.

What you can do is to require full functionality when using MT's own SFP+ modules. And you can carefully select 3rd party modules that work and hope no ROS upgrade breaks it. And if it does, complain hoping MT will fix the problem.
Or you can report (to MT support that is, forum members can't help much) the modules you'd like to see working with much detail. Throw in knowledge and willingness to debug things if they ever try to get modules working.

anav · Sat Aug 13, 2022 2:35 am

Sometimes its possible to deduce/find the actual vendor of the module and that is usually a safer bet than anything else, other than an MT branded one.
( I only posted this because I dont like seeing MKXs name when I scan the Forum index ;-P )

mmc · Sat Aug 13, 2022 5:41 am

various 10g sfp's still don't work with ccr2004 & ccr2116
I don't think MT will ever put much energy into making "various 10g sfp's" work with all of their SFP+ devices. It's simple: some work and some don't, it's by pure chance.

What you can do is to require full functionality when using MT's own SFP+ modules. And you can carefully select 3rd party modules that work and hope no ROS upgrade breaks it. And if it does, complain hoping MT will fix the problem.
Or you can report (to MT support that is, forum members can't help much) the modules you'd like to see working with much detail. Throw in knowledge and willingness to debug things if they ever try to get modules working.

till 7.23 all common sfp+ worked well.

even mikrotik's own sfp+ DAC cable doesn't work in ccr2116 & ccr2004 since ros 7.3 anymore. so that's a serious issue.

osc86 · Sat Aug 13, 2022 11:24 am

I'm using 2x XS+DA0001 with my CCR2116 and both work flawless, no matter of the ROS version. No link-downs, 10G, no problems at all.

mmc · Sat Aug 13, 2022 1:59 pm

I'm using 2x XS+DA0001 with my CCR2116 and both work flawless, no matter of the ROS version. No link-downs, 10G, no problems at all.

the original mikrotik cable Q+BC0003-S+ (40gb dac cable = 4 x 10g) doesn't work in ccr2116 & ccr2004 - just continous link flap on the switch side. on the mikrotik side the port always stays down.
sometimes one port comes randomly up and stays up, but this is not stable reproducable and broken by next reboot.

https://mikrotik.com/product/q_bc0003_s

also same for 10g sfp+ from fs.com, which is one of the leading suppliers for datacenter sfp's...

rpingar · Sat Aug 13, 2022 7:31 pm

I'm using 2x XS+DA0001 with my CCR2116 and both work flawless, no matter of the ROS version. No link-downs, 10G, no problems at all.
the original mikrotik cable Q+BC0003-S+ (40gb dac cable = 4 x 10g) doesn't work in ccr2116 & ccr2004 - just continous link flap on the switch side. on the mikrotik side the port always stays down.
sometimes one port comes randomly up and stays up, but this is not stable reproducable and broken by next reboot.

https://mikrotik.com/product/q_bc0003_s

also same for 10g sfp+ from fs.com, which is one of the leading suppliers for datacenter sfp's...

ask Mikrotik a test release about the fix.
They found the cause and testing the fix.

regards
Ros

rplant · Sun Aug 14, 2022 6:07 am

After upgrading from 7.1.5 to 7.4.1, routing through the second provider stopped working.

Hi,
Some things.

/routing table
add fib name=MARK-ISP2

/ip dhcp-client
add default-route-distance=4 interface=ETH2-ISP2 script="/ip route set gat\
eway=\$\"gateway-address\" [/ip route find where routing-mark=\"MARK-ISP2\"\
]\r\
\n" use-peer-dns=no use-peer-ntp=no

routing-mark (in script=) -> routing-table

Also, in 7.2.2 there was a significant (good, but largely un-noted) routing change.
If you apply a routing-mark to a packet, and there is a matching rule (routing-table/dst-address) in the route table.

It will unconditionally follow the rule.

You may need to
-Add additional routes to the MARK-ISP2 routing table.
-Or mark your packets more strictly
-Or go via routing rules.

Possible changes for Routing Rule version (Not tested):

/routing table
add fib name=RULE-ISP2

/ip firewall mangle
;** Change existing mangle for this one **
add action=mark-routing chain=prerouting dst-address=!{static-ip-isp1} \
    new-routing-mark=RULE-ISP2 passthrough=no src-address-list=LAN-ISP1

/routing rule
add action=lookup disabled=no dst-address=10.90.25.0/24 table=main
add action=lookup disabled=no dst-address=0.0.0.0/0 routing-mark=RULE-ISP2 table=MARK-ISP2

npeca75 · Sun Aug 14, 2022 9:24 am

another SNMP

have a running 7.4.1 -> OK
tried to get LLDP data from switch attached to MT -> OK
renamed interface on MT facing to switch
tried to get LLDP data from switch attached to MT -> NOK
MT send old interface name on LLDP
after MT reboot, LLDP is OK with new lldpNeighborPortIdDescr

blurrybird · Sun Aug 14, 2022 10:35 am

hAP ac2 upgraded from 7.2 to 7.4.1 without issue.

npeca75 · Sun Aug 14, 2022 1:30 pm

another SNMP

have a running 7.4.1 -> OK
tried to get LLDP data from switch attached to MT -> OK
renamed interface on MT facing to switch
tried to get LLDP data from switch attached to MT -> NOK
MT send old interface name on LLDP
after MT reboot, LLDP is OK with new lldpNeighborPortIdDescr

same in v7.5b

dear god, imagine production system where you need to reboot network equipment to change LLDP info
:( :(

Znevna · Sun Aug 14, 2022 2:00 pm

Imagine how often (if ever) admins change interface names in production systems.

npeca75 · Sun Aug 14, 2022 3:05 pm

Imagine how often (if ever) admins change interface names in production systems.

ok, you are right

MT knows better
and you known better
rest of us who want to occasionally change ifName ... well, we are all amateurs

after this comment, mr Znevna, i will (again) resign and left to You and other old forum members to find bugs for free
hope you and MT will make better world, and in next release you & MT will polish everything out
good luck & bye

Znevna · Sun Aug 14, 2022 3:14 pm

It was just a reply to your "dear god" reply above that was a reply to your own previous post, take it with a little bit of salt.
I forgot to say about how often admins use ROS7 in production, I'm sorry.
If you found a serious bug, report it.
But please don't go "oh dear god imagine this bug in production!!!111 muh interface name didn't change in LLDP without a reboot!! oh lordy this is nasty" without expecting a salty comment.
PS: the bugs are reported here https://help.mikrotik.com/servicedesk/s ... on=portals

npeca75 · Sun Aug 14, 2022 3:41 pm

It was just a reply to your "dear god"

mr Znevna.
it is my right to be salty
constant messing with dhcp, then ssh keys, lldp, missing sfp info and similar basic functionality ...
it could be called v7 inhouse, or v7 lets-get-fun, or pre v7 or ... anything but not "stable"

but one could expect that five (5) jumps from initial v7 release, we still have lack of basic things
and v7 is only option for new devices

from this point of view, i think it is minimum to be "salty"

and another problem
as i saw here to many times, forum veterans often try to explain others that feature which is missing is perfectly acceptabel
why ?
because one need BGP and he will make 106276272 post about BGP
other need wifi roaming and will make 5636523 post about it
and if someone pop in, and start to bark on basic thing, like "please i want to see what v6 address i got from SLAAC" ...
well, this will delay beloved BGP requests or whatever else

we should to stay steady on ground and all of us to shout for same basics, first
but no, instead, everyone is individual, and think he is smarter

so, really, there is no much joy anymore in this forum

br. Peca

Znevna · Sun Aug 14, 2022 3:51 pm

Is this LLDP bug something new in 7.4.1 or it was there in older versions too? or even in ROS6?
Or is it a SNMP bug? because you mentioned "SNMP".

keithy · Sun Aug 14, 2022 10:17 pm

Hi,

I'm trying to upgrade a RB850Gx2 from 6.49.6 to 7.4.1 and I get:
routeros-powerpc-7.4.1.npk missing

using either winbox or CLI

What have I done wrong??

Thanks

volkirik · Sun Aug 14, 2022 10:33 pm

if you are using free software, it would probably be STABLE when it is EOL!

lol.

MT guys usually fix bugs after months

routeros is not cisco/juniper router software as we all already are aware.

MikrotikOdessa · Sun Aug 14, 2022 11:48 pm

hAP ac2 upgraded from 7.2 to 7.4.1 without issue.

zerotier-7.4.1-arm.npk can not be installed.
Memory issue?

Jotne · Sun Aug 14, 2022 11:49 pm

Cisco are not at all bug free at all and we have experienced nearly 1 year to fix a critical problem.

xkhalidx · Mon Aug 15, 2022 8:00 am

Upgraded from 7.4 to 7.4.1 on D53G-5HacD2HnD

benoitc · Mon Aug 15, 2022 8:35 am

It was just a reply to your "dear god" reply above that was a reply to your own previous post, take it with a little bit of salt.
I forgot to say about how often admins use ROS7 in production, I'm sorry.
If you found a serious bug, report it.
But please don't go "oh dear god imagine this bug in production!!!111 muh interface name didn't change in LLDP without a reboot!! oh lordy this is nasty" without expecting a salty comment.
PS: the bugs are reported here https://help.mikrotik.com/servicedesk/s ... on=portals

if only we have an answer in 24-48h…

benoitc · Mon Aug 15, 2022 8:37 am

updated the CRS504-4XQ-IN and ow freebsd noses are not able to discover their neighbors(IPV6) even after a reboot.

rushlife · Mon Aug 15, 2022 1:28 pm

routeros is not cisco/juniper router software as we all already are aware.

yeah, mikrotik is not cisco/juniper.....

thx God for that

Shoka · Mon Aug 15, 2022 3:31 pm

Upgraded a 750GL fro 6.49.6 to 7.4.1.
The upgrade went ok, and the device functions fine.

I have an issue with webfig to the upgraded device. The OSPF pages do not reflect the config of the device.
Examining the OSPF config from the command line, all is as I expect, a faithful translation of the devices original configuration, its joined the local OSPF network fine and getting the routes I expect.

The OSPF pages via webfig appear unconfigured.

Tellingly the home page of the router does not offer the webfig icon.

I did test upgrades on an out of service router. That path was from 6.49.6 to 7.1 to 7.4.0, that worked fine, and showed ip and ipv6 tabs, and correct OSPF pages.

I'm guessing that the upgrade has not updated the webfig code on the box.

Suggestions? I've not seen advice not to upgrade directly from latest v6 to latest v7, but I may gave missed it.

Harry

Shoka · Mon Aug 15, 2022 3:54 pm

Update. Using Firefox mint-001 - 1.0 103.0.2 64 bit on Linux Mint 20.3. HTTPS is enabled.

skoenman · Wed Aug 17, 2022 2:07 am

any clues maybe on how one can get cake not to reboot(kernel panic) a ccr1009? lowered mem usage(1mb) and seems to be stable with few queues enabled(20) but anything more and it keeps restarting.

rextended · Wed Aug 17, 2022 3:15 pm

you update from v6.x on various step to v7.x???
if yes, netinstall the last 7.4.1 without using the .backup but importing the .rsc section by section.

skoenman · Wed Aug 17, 2022 3:35 pm

you update from v6.x on various step to v7.x???
if yes, netinstall the last 7.4.1 without using the .backup but importing the .rsc section by section.

Hmm no die upgrade from 6.47/8… do i get the rsc file with export function?

mkx · Wed Aug 17, 2022 3:36 pm

you update from v6.x on various step to v7.x???
if yes, netinstall the last 7.4.1 without using the .backup but importing the .rsc section by section.
Hmm no die upgrade from 6.47/8… do i get the rsc file with export function?

Yes, rsc is result of command

/export show-sensitive file=anynameyouwish

.

rextended · Wed Aug 17, 2022 4:27 pm

Hmm no die upgrade from 6.47/8… do i get the rsc file with export function?

Sorry, what's mean "no die upgrade"? I'm not english, thanks.

skoenman · Wed Aug 17, 2022 4:53 pm

Ok did the netinstall loading things manually… will install in morning and check

ErikCarlseen · Thu Aug 18, 2022 12:52 am

Upgrade 7.1 to 7.4.1 on AC2, OSPF2 stopped redistributing connected routes. Worked around this by setting up passive interfaces but still.

infabo · Thu Aug 18, 2022 9:44 am

Still this history undo bug in this release. I need to file a support ticket.

manish · Thu Aug 18, 2022 2:58 pm

I wanted to test Xvlan between 2 routers, I set up the first one and it was fine, while setting up the second one, the router went offline, and would just keep on rebooting, i disabled the IP it was connecting to and the router stabilised, logged in and disabled the XVLAN, and it was back online, looks like a bug.

c1vhosting · Sat Aug 20, 2022 7:01 pm

Getting a flood of "Write to bgp failed (9) { #buf=11 max=64 sk=Socket{ -1[0] } }" info errors, then the BGP sessions crashes and I get:
EBGP peer is not on a shared network and multihop is not configuredBPST{ prm=BSP{ lcl={ rid=152.89.170.1 as=212271/0 afi=2 ht=90 caps=0 } rmt={ rid=0.0.0.0 as=6762/0 afi=2 ht=180 caps=0 } peerid=3 network=(empty) role=ebgp-customer ttl=255 katime=1000 } cvf=0 eorSent=0 eorSeen=0 redist=0 sendQuota=0 mpit=0 startJiffies=0 rmapmSend=0 rmapmRecv=0 maxOutbufs=2 inputRapo=4294967293 outputRapo=4294967289 outputFchainName=as6762_output_filters redist=0 name= }

What could the the issue?

rhaa01 · Mon Aug 22, 2022 3:01 pm

I upgraded a RB1200 from 6.46.something to 7.4.1 just to see if it runs. I was actually surprised to see PPC architecture, as all devices with powerpc are quite old.
But even after a reset-configuration to clear it out only ether9 and ether10 work. Ether1-ether8 light the indicators and show as Running but ping-replies never come. The ARP table is not populated.

pe1chl · Mon Aug 22, 2022 3:30 pm

What could the the issue?

EBGP peer is not on a shared network and multihop is not configured
Note that v7 sometimes requires multihop to be configured even when the connection is not really multihop (a bug...).
You can still set TTL to 1 to make sure your connection is single hop.

BillyVan · Mon Aug 22, 2022 8:45 pm

I upgraded a RB1200 from 6.46.something to 7.4.1 just to see if it runs. I was actually surprised to see PPC architecture, as all devices with powerpc are quite old.
But even after a reset-configuration to clear it out only ether9 and ether10 work. Ether1-ether8 light the indicators and show as Running but ping-replies never come. The ARP table is not populated.

Same problem...

Go back to ros 6

after 5-6 netinstall i have brick rb1200

Stay on ros 6

Mon Aug 22, 2022 9:53 pm

I have a CCR2004-16G-2S+ 7.4.1 and Routerboot 7.4.1

I am trying TCP API connection and Router respond with TCP RST, packet sniffer captures confirm the issue
No logs generated
/ip services settings enabled and without restrictions

Problem present since upgrade to 7.4, i have not tried Downgrade to 7.3.1 because the router is in a remote location

elbob2002 · Tue Aug 23, 2022 2:26 pm

Hi, ipsec problem are fixed ? somebody knows ?

What IPSec problem?

If it's not in the changelog then chances are it's not been fixed.

eddieb · Tue Aug 23, 2022 3:17 pm

If it is not reporterd correctly to MT ( support@mikrotik.com ) changes are it wil never get attention ...
BTW, running several IPSEC tunnels here on 7.4 without issues

pe1chl · Tue Aug 23, 2022 7:54 pm

The problem that upgrade from v6 to v7 resets the clock to 1-1-1970 still has not been fixed...
This causes problems when the only time reference is NTP because the NTP client does not want to make a jump from 1-1-1970 to 2022.
It requires manual setting of the clock or temporary use of IP->Cloud clock to get it in sync again.
Please fix the upgrade (crossfig) to get the last used clock value of v6 into v7.

eworm · Tue Aug 23, 2022 8:30 pm

Even better: Do not allow the date before actual release build date. That also fixes factory reset and the like.

c1vhosting · Wed Aug 24, 2022 1:28 pm

What could the the issue?
EBGP peer is not on a shared network and multihop is not configured
Note that v7 sometimes requires multihop to be configured even when the connection is not really multihop (a bug...).
You can still set TTL to 1 to make sure your connection is single hop.

Really? It seems that after this error, sessions literally disappear until I reboot the router.

muk · Wed Aug 24, 2022 3:52 pm

in v7.4.1 Traffic Accounting Tab is missing

Wed Aug 24, 2022 3:56 pm

in v7.4.1 Traffic Accounting Tab is missing

since ros 7.x that was not available

welcome late to the party

muk · Wed Aug 24, 2022 4:04 pm

any alternative solution..???

Wed Aug 24, 2022 4:16 pm

any alternative solution..???

https://help.mikrotik.com/docs/display/ROS/Traffic+flow

pe1chl · Wed Aug 24, 2022 5:10 pm

Also, for some situations "kid control" can be an alternative (I know it sounds silly).
When you enable kid control but do not add any device rules, like this:

/ip kid-control
add fri=0s-1d mon=0s-1d name=any sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d wed=\
    0s-1d

you will get an overview of all devices on your network and how much internet traffic they use.
You could even poll that using an external system using API, similar to how you poll traffic accounting.

krzysztof · Wed Aug 24, 2022 9:48 pm

SSH crash!

The SSH host key generation end regeneration problem is still very present in 7.4.1
SSH stops working when we have OS 7.x in the following situation:
1. When we set the key siz from 1024 to 8192 bits with these two commands:
/ip ssh set strong-crypto=yes host-key-size=8192
2. /ip ssh regenerate-host-key

The processor works at 100% all the time and it is not possible to connect via SSH.
I have tested on a lot of devices and 80% have this vulnerability. I don't understand why not all of them?
This never finishes even after several days.
Rebooting the device then brings the behavior seen above.

To fix the situation, I need to downgrade to RouterOS 6.X and generate the ssh 8192 bit key and then upgrade to RouterOS 7.x

rb9999 · Thu Aug 25, 2022 10:09 pm

Almost every system went smooth except RB951-2n (upgrading from 7.1.5 to 7.4.1) which stated the following

aug/25/2022 06:50:09 system,error,critical kernel failure in previous boot
aug/25/2022 06:50:09 system,error,critical out of memory condition was detected

Guess I'll stay at 7.1.5 :)

pe1chl · Thu Aug 25, 2022 11:31 pm

Guess I'll stay at 7.1.5 :)

For the hAP lite and mini I recommend the 6.47.9 long-term version. Do not upgrade beyond that... the WiFi will become much slower.

iwlet · Fri Aug 26, 2022 8:59 am

Two days ago I upgraded rb4011 from version 6.48.6 to 7.4.1. Since then I can't access using winbox from outside (internet). DDNS cloud has also stopped working.

I have restarted the computer 3 times without success, I have removed the firewall rules without success.
Has anyone had the same thing happen to them and know how to solve it?

Thanks and best regards.

erlinden · Fri Aug 26, 2022 9:10 am

Love the fact that you can't access using Winbox through WAN...improved your security a lot!

Nevertheless...for proper help please profide us with proper information (/export file=anynameyoulike and make sure any personal information is removed).
Does the logging mention anything?

Xtreme512 · Fri Aug 26, 2022 9:19 am

I upgraded hap AC2 (128/16) few days ago from latest v6 by using netinstall and then used .backup file, all went well. Its been up and running w/o an issue.

I'm using cake with dscp marks given, also wireguard vpn.. its been up and running. both are excellent.

pe1chl · Fri Aug 26, 2022 10:55 am

I upgraded hap AC2 (128/16) few days ago from latest v6 by using netinstall and then used .backup file

I would recommend doing a /export show-sensitive name=anyname now and do the netinstall again an rebuild the config from that export.
(pasting it, importing it, whatever you feel comfortable with)
It will likely save you trouble in the future, often seen on routers that had the v6->v7 upgrade.

BillyVan · Fri Aug 26, 2022 11:17 am

Guess I'll stay at 7.1.5 :)
For the hAP lite and mini I recommend the 6.47.9 long-term version. Do not upgrade beyond that... the WiFi will become much slower.

Do you have a propose for hAP ac lite or Hap ac2 ?

I have one hap lite and after downgrade to 6.47.9 i have better wifi.

pe1chl · Fri Aug 26, 2022 11:22 am

My message is about hAP lite and hAP mini. Not about hAP ac lite or hAP ac2. These are entirely different devices.

iwlet · Fri Aug 26, 2022 12:09 pm

Love the fact that you can't access using Winbox through WAN...improved your security a lot!

Nevertheless...for proper help please profide us with proper information (/export file=anynameyoulike and make sure any personal information is removed).
Does the logging mention anything?

erlinden. Too safe! :)

Logging does not mention anything

I forgot to mention that:
-it doesn't allow ssh access either -->I'm accessing the machine through romon, using another machine that I haven't upgraded yet, thank goodness.
-IP cloud doesn't work
- it doesn't syncronyze with NTP server
- although the internet access works, the router does not ping the outside (e.g. 8.8.8.8.8).
EVERYTHING worked with 6.48.6 and after the update it stopped working.

export:

 
# aug/26/2022 09:16:23 by RouterOS 7.4.1

/interface pppoe-server
add name=TEL service=ServerAIR user=TEL
add name=cu service=cu user=cu
/interface bridge
add fast-forward=no name=b_cu_pppoe
add name=lobridge
add name=publicbridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
/interface vlan
add interface=b_cu_pppoe name=vlan1 vlan-id=20
add interface=b_cu_pppoe name=vlanMNG vlan-id=10
add interface=ether7 name=vlanMNG_net01 vlan-id=10
add interface=ether9 name=vlan_MM vlan-id=20
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether10 name=pppoe-WAN \
    use-peer-dns=yes user=user
/interface list
add name=WAN
add name=MNG
add name=Discoverm
add name=LAN
/ip pool
add name=PPPoE_Localcu ranges=10.205.255.1
add name=dhcp_MNG ranges=10.205.1.1-10.205.1.200
add name=PPPoE_cu-FO ranges=10.200.16.1-10.200.16.63
add name=NAT444-2 ranges=100.105.1.177-100.105.1.253
add name=dhcp_pool20 ranges=10.222.222.2-10.222.222.254
add name=NAT444_06M_FI ranges=100.105.1.32/27
add name=NAT444_12M ranges=100.105.1.64/26
add name=NAT444_20M ranges=100.105.1.128/26
add name=NAT444_30M ranges=100.105.1.192/27
add name=NAT444_40M ranges=100.105.1.224/27
add name=NOPAGO ranges=10.53.255.32/27
/ip dhcp-server
add address-pool=dhcp_MNG interface=vlanMNG lease-time=15m name=dhcp_MNG
add address-pool=Gacela disabled=yes interface=vlanMNG_net01 name=\
    dhcp_MNG_Gacela relay=10.205.2.254
add address-pool=dhcp_pool20 disabled=yes interface=vlan1 name=dhcp1
/ip pool
add name=NAT444 next-pool=NAT444-2 ranges=100.105.1.128-100.105.1.174
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=no dns-server=8.8.8.8,8.8.4.4 local-address=10.205.255.150 \
    name=PPPoE_cu only-one=yes rate-limit=150M/150M remote-address=\
    154.58.216.130
add change-tcp-mss=no local-address=10.205.255.20 name=PPPoE_AIR_20/03 \
    only-one=no rate-limit="3072k/20480k 3684k/21504k 2304k/13440k 16 8 0"
add address-list=ClientesActivos dns-server=8.8.8.8,8.8.4.4 local-address=\
    10.205.255.1 name=ServerAIR-interna only-one=yes remote-address=\
    PPPoE_cu-FO
add change-tcp-mss=no local-address=10.205.255.10 name=backup10/01 only-one=\
    no rate-limit="1024k/10240k 1228k/12288k 768k/7680k 16 8 0"
add change-tcp-mss=no local-address=10.205.255.6 name=profile1 only-one=no \
    rate-limit="4024k/6144k 4228k/7169k 1068k/4480k 16 8 0"
add change-tcp-mss=no local-address=10.205.255.6 name=bkp_06/01 only-one=no \
    rate-limit="1024k/6144k 1228k/7169k 768k/4480k 16 8 0"
add change-tcp-mss=no local-address=10.205.255.30 name=PPPoE_AIR_30/06 \
    only-one=yes rate-limit="6144k/30720k 7368k/32768k 6912k/20480k 16 8 0"
/queue type
add kind=pcq name=06M-pcq-download pcq-burst-rate=7168k pcq-burst-threshold=\
    16 pcq-burst-time=16s pcq-classifier=dst-address pcq-rate=6144k
add kind=pcq name=10M-pcq-download pcq-burst-rate=12288k pcq-burst-threshold=\
    16 pcq-burst-time=16s pcq-classifier=dst-address pcq-rate=10240k \
    pcq-total-limit=4200KiB
add kind=pcq name=20M-pcq-download pcq-burst-rate=21504k pcq-burst-threshold=\
    16 pcq-burst-time=16s pcq-classifier=dst-address pcq-rate=20480k \
    pcq-total-limit=3200KiB
add kind=pcq name=30M-pcq-download pcq-burst-rate=36864k pcq-burst-threshold=\
    16 pcq-burst-time=16s pcq-classifier=dst-address pcq-rate=30720k
add kind=pcq name=pcq-upload-normal pcq-burst-rate=2048k pcq-classifier=\
    src-address pcq-rate=1536k
add kind=pcq name=pcq-upload-mejorado pcq-burst-rate=6144k pcq-classifier=\
    src-address pcq-rate=4096k
add kind=fq-codel name=clientes-pppoe
/ppp profile
add change-tcp-mss=no local-address=10.205.255.10 name=PPPoE_AIR_10/02 \
    only-one=no queue-type=clientes-pppoe rate-limit=\
    "2048k/10240k 3072k/12288k 1920k/7680k 16 8 0"
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no in-filter-chain=ospf-in name=default-v2 originate-default=\
    if-installed router-id=10.255.5.1
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
/routing table
add fib name=mm
add disabled=no fib name=WAN
/snmp community
set [ find default=yes ] addresses=10.100.5.0/29 authentication-protocol=SHA1 \
    encryption-protocol=AES 
/system logging action
set 0 memory-lines=3000

/interface bridge port
add bridge=b_cu_pppoe horizon=10 ingress-filtering=no interface=ether1
add bridge=b_cu_pppoe horizon=10 ingress-filtering=no interface=ether2
add bridge=b_cu_pppoe horizon=10 ingress-filtering=no interface=ether4
add bridge=b_cu_pppoe ingress-filtering=no interface=ether5
add bridge=b_cu_pppoe disabled=yes horizon=10 ingress-filtering=no \
    interface=ether7
add bridge=b_cu_pppoe horizon=10 ingress-filtering=no interface=ether3
/ip firewall connection tracking
set tcp-established-timeout=15m
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8200 rp-filter=loose tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=vlanMNG list=MNG
add interface=vlanMNG list=Discoverm
add interface=ether8 list=Discoverm
add interface=ether1 list=Discoverm
add interface=ether3 list=Discoverm
add interface=ether4 list=Discoverm
add interface=ether6 list=Discoverm
add interface=ether7 list=LAN
add interface=b_cu_pppoe list=LAN
add interface=pppoe-WAN list=WAN
add interface=vlan_MM list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface pppoe-server server
add default-profile=serverAIR-profile disabled=no interface=b_cu_pppoe \
    max-mru=1500 max-mtu=1500 one-session-per-host=yes service-name=ServerAIR
add disabled=no interface=ether7 keepalive-timeout=disabled \
    one-session-per-host=yes service-name=cu
/ip address
add address=10.255.5.1 interface=lobridge network=10.255.5.1
add address=10.100.5.1/29 interface=ether6 network=10.100.5.0
add address=10.205.1.254/24 interface=vlanMNG network=10.205.1.0

/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add add-default-route=no disabled=yes interface=ether10 use-peer-ntp=no
add add-default-route=no interface=vlan_MM use-peer-dns=no use-peer-ntp=no

/ip dhcp-server network
add address=10.205.1.0/24 dns-none=yes gateway=10.205.1.254 ntp-server=\
    10.205.1.254
add address=10.205.2.0/24 dns-none=yes gateway=10.205.2.254 ntp-server=\
    10.205.2.254
add address=10.222.222.0/24 gateway=10.222.222.1
/ip dns
set servers=1.1.1.1
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/11 comment="Private[RFC 1918] - CLASS A/8" list=bogons
add address=100.64.0.0/10 list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.0.0.0/24 comment="Private[RFC 3330] - CLASS C # Check if you n\
    eed this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 3330] - TEST-NET" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=240.0.0.0/4 comment=\
    "MC, Class E, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=10.100.5.0/24 list=network
add address=10.205.0.0/16 list=Management
add address=10.255.5.0/24 list=loopback
add address=pt.pool.ntp.org list=zzz
add address=100.105.0.0/22 list=Clientes
add address=10.33.0.0/16 comment="Private[RFC 1918] - CLASS A/8" list=bogons
add address=10.34.0.0/15 comment="Private[RFC 1918] - CLASS A/8" list=bogons
add address=10.36.0.0/14 comment="Private[RFC 1918] - CLASS A/8" list=bogons
add address=10.40.0.0/13 comment="Private[RFC 1918] - CLASS A/8" list=bogons
add address=10.48.0.0/12 comment="Private[RFC 1918] - CLASS A/8" list=bogons
add address=10.64.0.0/10 comment="Private[RFC 1918] - CLASS A/8" list=bogons
add address=10.128.0.0/9 comment="Private[RFC 1918] - CLASS A/8" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A TOTAL" list=\
    bogons
add address=10.5.101.0/24 list=network
add address=10.5.102.0/24 list=network
add address=10.205.1.0/24 list=network
add address=10.205.2.0/24 list=network
add address=10.205.3.0/24 list=network
add address=1.10.16.0/20 list=blacklist-1
add address=1.19.0.0/16 list=blacklist-1
add address=1.32.128.0/18 list=blacklist-1
add address=2.56.192.0/22 list=blacklist-1
add address=2.57.186.0/23 list=blacklist-1
add address=2.57.232.0/22 list=blacklist-1
add address=2.59.200.0/22 list=blacklist-1
add address=5.134.128.0/19 list=blacklist-1
add address=5.180.4.0/22 list=blacklist-1
add address=5.183.60.0/22 list=blacklist-1
add address=5.188.10.0/23 list=blacklist-1
add address=5.188.88.0/22 list=blacklist-1
add address=5.188.206.0/24 list=blacklist-1
add address=23.135.225.0/24 list=blacklist-1
add address=23.151.160.0/24 list=blacklist-1
add address=24.137.16.0/20 list=blacklist-1
add address=24.170.208.0/20 list=blacklist-1
add address=24.233.0.0/19 list=blacklist-1
add address=24.236.0.0/19 list=blacklist-1
add address=27.112.32.0/19 list=blacklist-1

add address=admin.ddns.x list=Administrador
/ip firewall filter
add action=jump chain=forward comment="Check Forward" jump-target=\
    Check-forward
add action=jump chain=input comment="Check Input" jump-target=Check-input
add action=accept chain=Check-forward comment=Established,related,untracked \
    connection-state=established,related,untracked
add action=drop chain=Check-forward comment="Drop invalid" connection-state=\
    invalid log-prefix=forward-invalid
add action=drop chain=Check-forward comment="Drop tries to reach not public ad\
    dresses from LAN - no hace falta con los FILTER en los CPE" \
    dst-address-list=no_internet in-interface-list=LAN log=yes log-prefix=\
    !public_from_LAN src-address-list=Clientes
add action=jump chain=Check-forward comment=\
    "Drop illegal destination port-services" connection-state=new disabled=\
    yes dst-address=154.58.216.128/25 dst-port=\
    0-78,81-123,143,161-162,583,587,993,995-1023,5060-5062,8291 \
    in-interface-list=WAN jump-target=drop log=yes log-prefix=illegalPorts \
    protocol=tcp src-address-list=!Administrador

add action=jump chain=Check-forward comment="Filter icmp" jump-target=ICMP \
    protocol=icmp
add action=jump chain=Check-forward comment="Drop not register SIP" \
    in-interface-list=WAN jump-target=drop src-address-list="SIP Hacker"
add action=add-src-to-address-list address-list="SIP Hacker" \
    address-list-timeout=1w chain=Check-forward connection-state=new \
    dst-port=5060 in-interface-list=WAN protocol=udp src-address-list=\
    "SIP Trial"
add action=add-src-to-address-list address-list="SIP Trial" \
    address-list-timeout=12s chain=Check-forward connection-state=new \
    dst-port=5060 in-interface-list=WAN protocol=udp
add action=drop chain=Check-forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN \
    log-prefix=!not_DSTNATed
add action=jump chain=Check-forward comment="SYN Flood protect" \
    connection-state=new disabled=yes jump-target=SYN-Protect protocol=tcp \
    tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new disabled=yes limit=\
    600,5:packet protocol=tcp tcp-flags=syn
add action=log chain=SYN-Protect connection-state=new disabled=yes log=yes \
    log-prefix=synPROTEC protocol=tcp tcp-flags=syn
add action=return chain=Check-forward comment=\
    "Return to the chain that jumped" disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=accept chain=ICMP comment="allow source quench" icmp-options=4:0 \
    protocol=icmp
add action=drop chain=ICMP comment="Deny all other types" disabled=yes \
    log-prefix="Deny ICMPin"
add action=drop chain=Check-input comment="drop scanners port" \
    src-address-list="port scanners"
add action=accept chain=Check-input comment=\
    "Accept established,related,untracked connections" connection-state=\
    established,related,untracked
add action=drop chain=Check-input comment="Dropping invalid connections" \
    connection-state=invalid log-prefix=input_invalid
add action=accept chain=Check-input comment=\
    "Accept ICMP filtered by raw WAN and internal" log-prefix=icmp protocol=\
    icmp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=Check-input comment=\
    "Port scanners to list " disabled=yes log-prefix=Pscan protocol=tcp psd=\
    21,3s,3,1
add action=jump chain=Check-input comment="Protect WAN" in-interface-list=WAN \
    jump-target=InputWan
add action=accept chain=InputWan comment=administradores src-address-list=\
    Administrador
add action=jump chain=InputWan comment="Detect attack" jump-target=\
    DetectAtack
add action=jump chain=InputWan comment="Drop access to router from atack" \
    disabled=yes jump-target=drop src-address-list=input_blacklist
add action=accept chain=InputWan comment="Drop all from WAN" \
    connection-state=new dst-port=portwinbox,portwww \
    in-interface-list=WAN protocol=tcp
add action=drop chain=InputWan comment="Drop all from WAN" connection-state=\
    new in-interface-list=WAN log-prefix=Drop-input-WAN disabled=yes


/ip firewall mangle
add action=mark-routing chain=prerouting comment=To_WAN-FO connection-mark=\
    WAN log-prefix=FO-route new-routing-mark=WAN passthrough=no
add action=mark-connection chain=input comment="To_WAN-MO input" \
    connection-mark=no-mark in-interface=pppoe-WAN log-prefix=FO-conn-in \
    new-connection-mark=WAN passthrough=no
add action=mark-routing chain=output comment="To_WAN-MO out" connection-mark=\
    WAN log-prefix=FO-route-out new-routing-mark=WAN passthrough=no
add action=mark-routing chain=prerouting comment=To_WAN-MM connection-mark=\
    WAN-MM new-routing-mark=mm passthrough=no
add action=mark-connection chain=input comment="To_WAN-MM input" \
    connection-mark=no-mark in-interface=vlan_MM new-connection-mark=WAN-MM \
    passthrough=no
add action=mark-routing chain=output comment="To_WAN-MM out" connection-mark=\
    WAN-MM new-routing-mark=mm passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-WAN
add action=masquerade chain=srcnat out-interface=vlan_MM
/ip firewall raw
add action=jump chain=prerouting comment="Check from WAN" in-interface-list=\
    WAN jump-target=Check-WAN
add action=jump chain=output comment="Filtro icmp-OUTPUT" jump-target=\
    ICMP-response log-prefix=RAW-icmp-output out-interface-list=WAN protocol=\
    icmp
add action=drop chain=Check-WAN comment=\
    "Drop connections FROM blacklisted hosts included bogons" log-prefix=\
    FromBlacklist src-address-list=blacklist-1
add action=jump chain=Check-WAN comment=\
    "Ports block, Router is not open DNS (53)" jump-target=Block-ports
add action=jump chain=Block-ports comment="Check illegal ports" dst-port=\
    0-78,81-442,444-1024 jump-target=drop log-prefix=RAW-illegalPorts \
    protocol=tcp
add action=jump chain=Block-ports comment="Accept NTP 123" dst-port=\
    0-122,124-442,444-449,501-1024 jump-target=drop log-prefix=RawIllegalUDP \
    protocol=udp
add action=return chain=Block-ports comment="Return to the chain that jumped"
add action=jump chain=Check-WAN comment="Check for bad TCP stuff" \
    jump-target=TCP-check protocol=tcp
add action=jump chain=Check-WAN comment="Check for bad UDP stuff" \
    jump-target=UDP-check protocol=udp
add action=jump chain=Check-WAN comment="Filtro icmp" jump-target=ICMP \
    protocol=icmp
add action=jump chain=TCP-check comment="Invalid TCP destination port (0)" \
    dst-port=0 jump-target=drop protocol=tcp
add action=jump chain=TCP-check comment="Invalid TCP source port (0)" \
    jump-target=drop protocol=tcp src-port=0
add action=jump chain=TCP-check comment="Invalid TCP flag combo" jump-target=\
    drop protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=jump chain=TCP-check comment="Invalid TCP flag combo" jump-target=\
    drop protocol=tcp tcp-flags=fin,urg
add action=jump chain=TCP-check comment="Invalid TCP flag combo" jump-target=\
    drop protocol=tcp tcp-flags=fin,rst
add action=jump chain=TCP-check comment="Invalid TCP flag combo" jump-target=\
    drop protocol=tcp tcp-flags=fin,!ack
add action=jump chain=TCP-check comment="Invalid TCP flag combo" jump-target=\
    drop protocol=tcp tcp-flags=syn,rst
add action=jump chain=TCP-check comment="Invalid TCP flag combo" jump-target=\
    drop protocol=tcp tcp-flags=fin,syn
add action=jump chain=TCP-check comment="Invalid TCP flag combo" jump-target=\
    drop protocol=tcp tcp-flags=rst,urg
add action=jump chain=UDP-check comment="Invalid UDP destination port (0)" \
    dst-port=0 jump-target=drop protocol=udp
add action=jump chain=UDP-check comment="Invalid UDP source port (0)" \
    jump-target=drop protocol=udp src-port=0
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=accept chain=ICMP comment="Allow source quench" icmp-options=4:0 \
    protocol=icmp
add action=drop chain=ICMP comment="Deny all other types" log-prefix=\
    "RAWDeny ICMP"
add action=drop chain=drop comment="Log everything that we drop" log-prefix=\
    RawDrop
add action=drop chain=prerouting src-address=10.53.255.0/24
/ip firewall service-port
set sip ports=5060,5061,4399
/ip ipsec identity
add peer=MTCO-MTK1
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.1.0/24 peer=MTCO-MTK1 src-address=192.168.11.0/24 \
    tunnel=yes
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=vlan_MM \
    routing-table=mm
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-WAN \
    pref-src="" routing-table=WAN scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=IPSEC-k1 disabled=no dst-address=192.168.1.0/24 gateway=\
    2.137.226.56 routing-table=WAN-FO target-scope=30
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.3.1 routing-table=Gibra
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.32.0.121
add comment="GA" disabled=no distance=30 dst-address=100.105.2.0/24 \
    gateway=10.100.5.4 scope=20
add comment="AT" disabled=no distance=30 dst-address=100.105.3.0/24 \
    gateway=10.100.5.4 scope=20
add disabled=no dst-address=0.0.0.0/0 gateway=19.0.0.1 routing-table=Equinix
add comment="Ips mng" disabled=no dst-address=10.205.2.0/24 gateway=\
    10.100.5.4
add disabled=no dst-address=0.0.0.0/0 gateway=10.100.5.4 routing-table=Gacela
add disabled=no dst-address=10.5.101.20/32 gateway=10.100.5.4
add disabled=no dst-address=0.0.0.0/0 gateway=212.231.228.1 routing-table=mm
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=212.231.228.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp address=100.105.1.0/24 port=211
set www port=portwww
set ssh disabled=yes port=8822
set api address=100.105.0.0/16
set winbox port=portwinbox
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp aaa
set use-radius=yes
/ppp secret
add name=cu profile=PPPoE_cu remote-address=100.105.1.178 service=pppoe
add local-address=10.0.3.2 name=Gibraleon profile=default-encryption \
    remote-address=10.0.3.1 service=l2tp
/routing filter rule
add chain=ospf-in disabled=yes rule=\
    "if (dst in 10.5.101.0/28 && dst-len in 28-32) { reject; }"
/routing ospf interface-template
add area=backbone-v2 auth-id=1 auth-key="" cost=10 disabled=no interfaces=\
    lobridge networks=10.255.5.1 passive priority=1
add area=backbone-v2 auth-id=1 auth-key="" cost=10 disabled=no interfaces=\
    ether6 networks=10.100.5.0/29 passive priority=1
add area=backbone-v2 auth-id=1 auth-key="" cost=10 disabled=no interfaces=\
    vlanMNG networks=10.205.1.0/24 passive priority=1
/routing rule
add action=lookup disabled=no src-address=100.105.1.128/26 table=mm
/snmp
set enabled=yes trap-version=3
/system identity
set name=M.co
/system logging
set 1 topics=error,!pppoe
set 2 topics=warning,!interface
add topics=radius,!debug
add prefix=PPPoE topics=pppoe,!debug
add prefix=INTERFACE topics=interface
add topics=account
add topics=e-mail
/system package update
set channel=testing
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system watchdog
set watchdog-timer=no
/tool graphing interface
add interface=ether10
add interface=ether7
add interface=ether9
/tool romon
set enabled=yes
/tool romon port
set [ find default=yes ] forbid=yes
add disabled=no interface=ether3
add disabled=no interface=ether6
add disabled=no interface=ether1
add disabled=no interface=ether2
add disabled=no interface=ether7
add disabled=no forbid=yes interface=vlanMNG
add disabled=no forbid=yes interface=ether10
add disabled=no forbid=yes interface=ether8

I hope I don't have to do a netinstall, the computer is in a remote place.

Best regards

localnetplus · Sat Aug 27, 2022 3:53 pm

Running CRS328-24P-RS+ and I noticed when I upgraded to 7.4.1 my troughput on my 500 MB Internet would not go over 300 MB and my CPU % on the appliance was maxed out durring the speed test. I downgraded to 7.2.3 and my througput is back to the 480 MB Range and the CPU % only reaches about 85% during the speed test. I saw similar results on 3 different systems when upgrading to 7.4.1. I tried the 7.5.1 RC and it acted the same way. I believe 7.3.1 did not have this issue, but can’t remember for sure what version they were all on before upgrading to 7.4.1 firmware.

localnetplus · Sat Aug 27, 2022 3:57 pm

Upgraded from 7.3.1 to 7.4.1 RB5009UG+S+, CRS328-24P-4S+Cloud Router Switch, CRS112-8P-4S-IN Cloud Router Switch, hEX PoE RB960PGS, hEXs RB760iGShEXs RB760iGS and chateau 5g all good no issue.

Make sure you check your throughput on all your devices. 7.41 seems to cap throughput on the CRS328 at 300 MB, maxing out CPU Usage at that speed. So far it is the only one I have found with the issue.

mkx · Sat Aug 27, 2022 4:12 pm

First rule of MT networking: don't use ROS speedtest to assess throughput and/or load it causes. Never ever. It was always really only usable as a traffic generator without capability to do it wirespeed. Always use external tools (e.g. a pair of computers running iperf3) to conduct tests if meaningful results are expected.

eworm · Sat Aug 27, 2022 7:28 pm

Running CRS328-24P-RS+ and I noticed when I upgraded to 7.4.1 my troughput on my 500 MB Internet would not go over 300 MB and my CPU % on the appliance was maxed out durring the speed test. [...]

Possibly this is because the device is limited to just one CPU core now?

localnetplus · Sat Aug 27, 2022 10:09 pm

First rule of MT networking: don't use ROS speedtest to assess throughput and/or load it causes. Never ever. It was always really only usable as a traffic generator without capability to do it wirespeed. Always use external tools (e.g. a pair of computers running iperf3) to conduct tests if meaningful results are expected.

Doesn't matter what the test is, if results change solely based on a firmware upgrade, then the firmware upgrade caused the change? Meaningful enough for me. Speedtest.net is what I always use to test bandwidth....may not be the best but seems to get consistent results.

localnetplus · Sat Aug 27, 2022 10:11 pm

Very well could be, but odd the new firmware increases the CPU Demand that much. They should fix it OR just have a warning that certain models shouldn't upgrade beyond 7.31.

Running CRS328-24P-RS+ and I noticed when I upgraded to 7.4.1 my troughput on my 500 MB Internet would not go over 300 MB and my CPU % on the appliance was maxed out durring the speed test. [...]
Possibly this is because the device is limited to just one CPU core now?

eworm · Sat Aug 27, 2022 10:15 pm

Well, after all this is a switch, you should not shout too loud if the routing performance changes.

mkx · Sun Aug 28, 2022 9:30 am

In addition, official test results indicate that CRS328-24P is capable of routing (realistically) at 300Mbps give or take.

netflow · Sun Aug 28, 2022 10:12 pm

I attempted upgrade to v7.4.1, just to discover the legendary instabilities of my hAP AC2 were back with it. Kernel failures, out of memory conditions. It basically reboot 3 to 4 times per hour at minimum, even with almost no traffic. I underclocked the unit without improvements.

The stability of this device (changed under warranty without any improvement) has been a nightmare for me for 2 years, but it eventually managed to be completely stable on recent 6.48.x and 6.49.x series, so I am pretty confident software would eventually work for it on v7.x as well.

Meanwhile will have to downgrade.

sirbryan · Mon Aug 29, 2022 6:06 pm

Running CRS328-24P-RS+ and I noticed when I upgraded to 7.4.1 my troughput on my 500 MB Internet would not go over 300 MB and my CPU % on the appliance was maxed out durring the speed test. I downgraded to 7.2.3 and my througput is back to the 480 MB Range and the CPU % only reaches about 85% during the speed test. I saw similar results on 3 different systems when upgrading to 7.4.1. I tried the 7.5.1 RC and it acted the same way. I believe 7.3.1 did not have this issue, but can’t remember for sure what version they were all on before upgrading to 7.4.1 firmware.

Do you have Layer 3 Switching enabled? It limits some of the firewall/NAT capabilities, but should punt most of the routing to the switch chip.

Mon Aug 29, 2022 6:31 pm

CRS 328 do not support Fasttrack or NAT connection offloading.

https://help.mikrotik.com/docs/display/ ... iceSupport

emils · Wed Aug 31, 2022 1:56 pm

New version v7.5 has been released!

viewtopic.php?t=188851

Who is online