v7.7 [stable] is released!

Thu Jan 12, 2023 2:37 pm

RouterOS version 7.7 is released in the "v7 stable" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during the upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.7 (2023-Jan-12 09:35):

*) bgp - added comment functionality for BGP VPN (CLI only);
*) bgp - do not reflect route back to sender;
*) bgp - fixed BGP advertisement PCAP saver;
*) bgp - fixed connection establishment using link-local addresses;
*) bgp - improved BGP advertisement printing;
*) bgp - improved BGP session load distribution across multiple CPU cores;
*) bgp - properly set "bgp-ext-communities" from "communities" list;
*) bluetooth - added unique advertise message filtering;
*) bonding - properly detect VPLS interface state changes;
*) branding - fixed identity setting from branding package;
*) bridge - added support for static MDB entries;
*) bridge - disallow port-controller while the bridge has MSTP enabled;
*) bridge - fixed "edge=yes" setting for MSTP;
*) bridge - fixed MSTP compatibility with STP;
*) bridge - fixed R/M/STP bridge identifier on protocol-mode change;
*) bridge - fixed RSTP BCP with bridged PPP interfaces;
*) bridge - fixed STP blocking state on port-controller;
*) bridge - fixed host moving with fast-path;
*) bridge - fixed incorrect root port blocking for MSTP;
*) bridge - fixed master port conversion;
*) bridge - fixed mst-override port priority for MSTP;
*) bridge - fixed port priority for STP and RSTP;
*) bridge - improved port-controller system stability;
*) bridge - improved system stability when using MSTP and many VLAN mappings;
*) bridge - removed "age" monitoring property from the host table;
*) certificate - improved Let's Encrypt logging and error recovery;
*) certificate - improved certificate management, signing and storing processes;
*) conntrack - improved system stability when PPTP helper is used;
*) conntrack - improved system stability when processing SCTP connections on TILE;
*) console - updated copyright notice;
*) container - fixed access to "/dev/stderr" from containers;
*) container - fixed handling of groups and usernames from Dockerfile;
*) container - fixed tar extracting;
*) container - made "ram" and "tmp" directories use tmpfs;
*) crs1xx/2xx - fixed "new-customer-pcp" setting for ACL rules;
*) dhcpv6-client - handle receiving of invalid T1 and T2 times;
*) discovery - added "discovered-by" parameter to indicate which protocol discovered the neighbor;
*) discovery - added "mode" parameter for discovery configuration;
*) discovery - fixed neighbor discovery on Mesh interfaces;
*) discovery - report IPv6 LL address if global address does not exist;
*) disk - added support for manual RAM file system (TMPFS) creation (CLI only);
*) disk - improved external storage file system mounting, formatting and naming;
*) dns - do not query upstream DNS servers for matched regex records;
*) dns - fixed changing of "forward-to" parameter for FWD entries;
*) dns - fixed handling of CNAME entry pointing to another FWD entry;
*) dns - fixed handling of FWD entries where "forward-to" is a hostname;
*) dns - fixed incorrect TTL=0 reporting for cached entries;
*) dns - improved resolved static entry addition to address list;
*) dns - improved service stability when CNAME points to a FWD entry;
*) dns - query upstream DNS servers for other record types even if static entry exists;
*) dns - require "write" policy for DNS cache flushing;
*) dns - respond with lowest TTL for inner queries containing A, AAAA, CNAME chains;
*) filesystem - fixed repartition on devices with containers;
*) firewall - added "set-priority" option for IPv6 mangle firewall;
*) firewall - made "dynamic" parameter settable for IPv4 address lists;
*) hotspot - added "install-hotspot-queue" parameter to control dynamic queue creation;
*) hotspot - fixed maximum allowed connections limitation;
*) hotspot - fixed minor memory leak after each successful login from WEB;
*) hotspot - improved limitation of maximum allowed connections;
*) hotspot - improved system stability when clients migrate between bridge ports or VLANs;
*) ike1 - disallow "remote-id" setting for identity;
*) ike1 - fixed XAuth responder trying to recreate phase 1;
*) ike1 - improved expired IPsec-SA processing;
*) ike2 - added support for ChaChaPoly1305 encryption;
*) ike2 - added support for DH Group 31 (EC25519) (CLI only);
*) ike2 - fixed rekey notify creation;
*) ike2 - improved certificate payload parsing;
*) interface - do not allow adding invalid "veth" interfaces;
*) interface - improved system stability when handling large packets on CCR2216;
*) interface - show RTL8153 CDC Modem Device as ethernet;
*) ipsec - added "current-address" parameter for peers with DNS address;
*) ipsec - added hardware acceleration support for IPQ-6010;
*) ipsec - added support for AVX optimized SHA acceleration;
*) ipsec - improved "H" (hw-aead) flag presence for accelerated SA's;
*) ipsec - improved IKE payload processing;
*) ipsec - improved configuration of IPsec proposal auth-algorithms;
*) ipsec - removed Blowfish and Camellia encryption algorithms for IKE;
*) ipv6 - do not generate LL addresses for VPN interfaces when IPv6 is disabled;
*) ipv6 - do not use invalid/disabled global addresses for IPv6 ND;
*) l2tp - added VRF support for L2TP Ether interfaces;
*) l3hw - fixed host offloading in a case of MAC address change;
*) l3hw - fixed offloaded NAT for CRS309 switch;
*) l3hw - improved system stability when disabling or enabling L3HW offloading;
*) leds - fixed default LED configuration on netFiber 9;
*) leds - fixed turning off LEDs after system shutdown;
*) lte - added AT channel support for Telit FN990;
*) lte - added CA information in 5G mode;
*) lte - fixed error handling on opening AT control channel;
*) lte - fixed new MTU value validation;
*) lte - improved stability when LTE passthrough is enabled on Chateau 5G;
*) lte - properly show leading zeros in MCC and MNC strings;
*) lte - show band number in "ca-band" in NSA mode on Chateau 5G;
*) lte - use RSRP value reported by MBIM signal for MBIM type modems;
*) macsec - fixed packet duplication on Ethernet interface;
*) macsec - fixed packet transmission using traffic-generator;
*) macsec - fixed packet validation;
*) modem - added USB tethering support for Google Pixel 7 devices;
*) mpls - added VPLS LDP information in remote/local-mappings;
*) mpls - fixed assigning of explicit null label for IPv6;
*) netinstall - added "-i " parameter for Netinstall (CLI Linux);
*) netinstall - fixed Netinstall procedure on RouterBOOT versions from 3.27 to 6.41;
*) netinstall - improved automatic netbooting interface selection;
*) netwatch - added support for "https-get" type (CLI only);
*) netwatch - fixed reporting of VRF name in logging messages;
*) netwatch - improved "interval" and "packet-interval" coexistence for ICMP type;
*) ntp - log error message when server is unreachable;
*) ospf - fixed MD5 checksum calculation;
*) ospf - fixed simple authentication and checksums for NBMA and PTMP links;
*) ospf - fixed simple authentication checksum calculation;
*) ospf - fixed virtual-link address selection for PTP links;
*) ovpn - added "CBC" postfix to AES cipher names;
*) ovpn - added "route-nopull" option for client side;
*) ovpn - added hardware acceleration support for IPQ-6010;
*) ovpn - added support for IPv6 tunneling;
*) ovpn - fixed "Called-Station-Id" usage in RADIUS requests;
*) package - fixed missing menus when both "lora" and "wifiwave2" packages are installed;
*) ping - fixed ARP ping;
*) port - added serial port support for Telit FN990 modem;
*) port - do not show unusable USB port on hAP ax^2;
*) port - fixed R11e-LTE6 port mapping;
*) ppp - changed default lease time of dynamic DHCPv6 server to 1 day;
*) ppp - do not inherit routing mark for encapsulated packets;
*) ppp - fixed displaying of "info" command for PPP client;
*) ppp - improved authentication method negotiation;
*) pppoe - improved service stability when establishing PPPoE sessions;
*) quickset - fixed addition of bridge filter rules in bridged mode;
*) quickset - fixed interface list member table on configuration changes;
*) quickset - update DNS server IP address when changing router's IP address;
*) rb4011 - fixed reporting of current CPU frequency and changed default frequency to "auto";
*) sfp - added 2.5G SFP module support for RB5009;
*) sfp - allow usage of "10G Base-LR" mode for XS+31LC10D module;
*) snmp - added support for "lldpRemLocalPortNum" OID's;
*) snmp - improved stability when receiving bogus packets;
*) ssh - added support for Ed25519 key exchange;
*) ssh - do not allow SHA1 usage with strong crypto enabled;
*) ssh - fixed handling of non standard size RSA keys;
*) supout - added MSTI and mst-override monitor for bridge MSTP;
*) supout - added missing IPv6 firewall sections;
*) switch - avoid packet corruption in some setups for 98DX3257, 98DX3255, 98DX4310, 98DX8525 and 98PX1012 switches;
*) switch - fixed Ethernet monitor when disabling auto-negotiation for 10G interfaces for 98DX8212 switch (introduce in v7.7beta3);
*) switch - fixed SFP Tx disable when changing auto-negotiation settings for 98DXxxxx and 98PX1012 switches;
*) switch - fixed egress mirror for 98DX4310 and 98DX8525 switches;
*) switch - hide invalid settings for 98DX3255 and 98DX8525 switch chips;
*) switch - improved 10G, 25G and 40G interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98DX8525, 98PX1012 switches;
*) switch - improved 10G, 25G and 40G interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 switches;
*) switch - improved 10G, 25G, 40G and 100G interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 switches;
*) switch - improved 10Gbps Ethernet interface stability for 98DX8212 switch;
*) switch - improved 25G interface stability for 98PX1012, 98DX4310 and 98DX8525 switches (introduced in v7.6);
*) switch - increased the maximum value of "rate" for ACL rules;
*) swos - fixed "allow-from-ports" setting;
*) swos - fixed SwOS configuration changes from RouterOS;
*) swos - improved default SwOS backup file name;
*) system - allow up to 4GB of RAM allocation per process on x86, ARM64 and TILE;
*) system - improved handling of user policies;
*) timezone - updated timezone information from "tzdata2022g" release;
*) tr069-client - updated data model to version 2.15;
*) traffic-flow - fixed sending of sampling interval;
*) tunnels - added VRF support for EoIP, IPIP and GRE tunnels;
*) vpls - expose VPLS related debug logs to "vpls" logging topic;
*) vrrp - always use slave interface MTU;
*) vrrp - improved interface stability on configuration changes;
*) vxlan - added "local-address" parameter support;
*) vxlan - added VRF support;
*) w60g - improved system stability for Cube Pro devices;
*) webfig - ensure login page is displayed after each log out;
*) webfig - fixed accessing of WebFig when "Interface" menu is disabled by skin;
*) webfig - fixed displaying of VRF routes;
*) webfig - fixed input validation for "VPLS ID" parameter;
*) webfig - fixed setting of "DHCP Option Set" parameter;
*) webfig - improved WEB caching capabilities;
*) webfig - properly detect current location for navigation buttons;
*) webfig - properly show limited number of available options;
*) wifiwave2 - added "datapath" settings to configure data forwarding for an interface (CLI only);
*) wifiwave2 - added "ft-preserve-vlanid" parameter to control whether to change VLAN ID after FT;
*) wifiwave2 - added "provisioning" menu to automatically assign interface configurations to radios (CLI only);
*) wifiwave2 - added disable/enable commands to configuration profile sub-menus (CLI only);
*) wifiwave2 - added information of per-station throughput in the registration table;
*) wifiwave2 - added initial CAPsMAN support (only compatible with wifiwave2 interfaces) (CLI only);
*) wifiwave2 - added interworking/Hotspot 2.0 support (CLI only);
*) wifiwave2 - added more informative log messages on configuration profile changes;
*) wifiwave2 - added option to set per-client vlan-id in access list (only supported on 802.11ax interfaces) (CLI only);
*) wifiwave2 - do not permit a client device to be connected to more than one interface at a time;
*) wifiwave2 - fixed "radio-mac" provisioning matcher;
*) wifiwave2 - fixed 4-way handshake with TKIP;
*) wifiwave2 - improved compliance with regulatory domain information;
*) wifiwave2 - improved general system stability;
*) wifiwave2 - improved system stability when multiple virtual AP are configured;
*) wifiwave2 - properly report interface on which traffic is received when multiple station interfaces are used concurrently;
*) wifiwave2 - released packages for MMIPS, PPC, TILE and x86;
*) wifiwave2 - removed maximum limit for group key update interval and changed the default to 1 day;
*) winbox - added "Active" prefix for current "Circuit ID" and "Cookie Length" fields for L2TP-Ether interfaces;
*) winbox - added "Make Static" button to "IP/DHCP Server/Leases" menu;
*) winbox - added "bus" parameter for "USB Power Reset" command on Chateau ax;
*) winbox - added missing "force" parameter for new "IP/DHCP Server/Options" entries;
*) winbox - added missing "vlan-id" column under "IP/Hotspot/Hosts" table;
*) winbox - do not show LACP related status parameters for other bonding types;
*) winbox - fixed default MTU value for CAP interfaces;
*) winbox - fixed minor typo in "Zerotier" menu;
*) winbox - improved handling of large WinBox protocol messages;
*) winbox - increased maximum number of Winbox read-only sessions 5->25;
*) winbox - properly save "Interfaces/Detect Internet/Detect Internet State" menu in session file;
*) winbox - removed bogus VRF tab from "Interface" menu;
*) winbox - show "Switch" menu on Chateau 5G ax;
*) winbox - show "Switch" menu on NetFiber 9;
*) winbox - show "System/Health/Settings" only on boards that have configurable values;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;
*) winbox - show "USB Power Reset" menu on Chateau 5G ax;
*) winbox - show dynamic comment in WifiWave2 registration table;
*) wireless - fixed "nstreme" related parameter control in skins;
*) wireless - fixed setting of realms interworking parameter if realms-raw is unset;
*) x86 - added support for SUN 10G NICs;
*) x86 - improved igc driver support;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while the router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

Rox169 · Thu Jan 12, 2023 3:00 pm

wow...very nice looong change long...thank you

Did anyone already tested to instsall it on Hap AC3, HAP AX3, HapAX2, Cube60,Wap60,Hap AC2?

colinardo · Thu Jan 12, 2023 3:25 pm

*) dns - respond with lowest TTL for inner queries containing A, AAAA, CNAME chains;

Mikrotik please also include TXT records in future fixes, see this thread
viewtopic.php?t=187840

Best regards
@colinardo

ahmedelbarbary · Thu Jan 12, 2023 3:43 pm

Thanks, My pppoe problem is fixed since 7.7 rc4, I updated all my devices to 7.7 stable, I saw the same result, Thanks again

jovaf32128 · Thu Jan 12, 2023 3:51 pm

*) ike2 - added support for ChaChaPoly1305 encryption;
*) ike2 - added support for ChaChaPoly1305 encryption;

equal ChaChaPoly2610)

wow...very nice looong change long...thank you

Did anyone already tested to instsall it on Hap AC3, HAP AX3, HapAX2, Cube60,Wap60,Hap AC2?

ac3 on air

rextended · Thu Jan 12, 2023 4:09 pm

This bug still exist on v7.7

Huge bug in script compiler: after two calls "[ ]" executes all functions defined in the script.

to find out how I got there:

viewtopic.php?p=976194#p976194

to quickly test the bug:

Example code

{
:local test1 do={:put "test1"}
:local test2 do={:put "test2"}
:local test3 do={:put "test3"}
:local test4 do={:put "test4"}
:local test5 do={:put "test5"}
[]
[]
}

rextended · Thu Jan 12, 2023 4:17 pm

Just installed on CCR2116-12G-4S+, one border eBGP machine on production, still work all as expected.
(I know the risk, it's in a HA situation with another CCR1036-12G-4S with RouterOS 6.48.6)

Hispanicbabushka · Thu Jan 12, 2023 4:38 pm

No issues updating using Check for Updates on Winbox on CR326-24G-2S+, and 3 hAP ac2.

Rox169 · Thu Jan 12, 2023 4:41 pm

Already running 7.7 on Hap AC3, HAP AX3, HapAX2, Cube60,Wap60,Hap AC2 and no issue yet.

DanielTheFox · Thu Jan 12, 2023 4:42 pm

(useless comment) If someone with a big PPPoE server has upgraded, I really want to see if it has issues,

rextended · Thu Jan 12, 2023 4:45 pm

I hope not... upgrade a critical PPPoE server with just published software.............
Is not like a switch or a router, you take down all network for xxx customers without be sure than come up again............

gabacho4 · Thu Jan 12, 2023 4:47 pm

(useless comment) If someone with a big PPPoE server has upgraded, I really want to see if it has issues,

Popping some popcorn for the big show. Extra butter!

DanielTheFox · Thu Jan 12, 2023 4:50 pm

haha, i might just try it (i have a second partition with v6.48.6 specifically for jumping back if something funny happens) but first I'm going to camp this post to see if there's a serious issue with TILE or anything shared with my router (a CCR1009-7G-1C-PC)

(extra edit to avoid making a new post)
Also since electricity here is horrible and has a lot of spikes, we always blame electricity if a customer router hangs or becomes unresponsive (most of the time it's actually the cause, but that gives us more wiggle room for upgrade issues and stuff like that.

fischerdouglas · Thu Jan 12, 2023 4:59 pm

*) l2tp - added VRF support for L2TP Ether interfaces;
*) tunnels - added VRF support for EoIP, IPIP and GRE tunnels;

I did not found on Winbox ou CLI the VRF attribute to l2tp-ether, eoip, ipip, gre.
VXLan the VRF Option is really there.

achu · Thu Jan 12, 2023 5:01 pm

No hardware acceleration for openvpn in hAP ax3 router (IPQ-6010 CPU) at least in AES-256-CBC + SHA1 configuration

JoshDi · Thu Jan 12, 2023 5:03 pm

v7.7 working fine on my RBSXTsqG-5acD (upgraded from 7.7rc4)

only issue Ive found is the system->packages "check for update" only works via WinBox. The GUI doesnt show the latest firmware or any changes when clicking "check for updates"

Screenshot 2023-01-12 at 10.01.54 AM.png

Rox169 · Thu Jan 12, 2023 5:39 pm

sorry for offtopic but is openvpn working without public IP?

Babujnik · Thu Jan 12, 2023 5:48 pm

ok.. so how do You import ED25519 SSH keys ?

public keys generated with "ssh-keygen -t ed25519" seems not to import on RoS:

[user@tik] /user/ssh-keys> import public-key-file=id_ed25519.pub user=user
unable to load key file (wrong format or bad passphrase)!

eworm · Thu Jan 12, 2023 5:55 pm

ok.. so how do You import ED25519 SSH keys ?

You can not. This is about ed25519 key exchange. Let's hope host keys and public key authentication will follow...

osc86 · Thu Jan 12, 2023 5:59 pm

updated my hap ax3, PoE was not correctly initialized after the reboot, and required the cable in port1 to be unplugged and plugged in again to power the connected CSS610

Babujnik · Thu Jan 12, 2023 6:09 pm

ok.. so how do You import ED25519 SSH keys ?
You can not. This is about ed25519 key exchange. Let's hope host keys and public key authentication will follow...

my bad ! thanks for clarification

megabitus · Thu Jan 12, 2023 6:17 pm

Updated: hAP ac, hAP ac 2, LtAP mini, hEX PoE, CRS112, CHR, RB4011, RB5009, hAP ac 3 with no problems so far.

DanielTheFox · Thu Jan 12, 2023 6:29 pm

Ok, I upgraded a CCR1009-7G-1C-PC, it didn't explode, updates may follow if something funny happens. Cheers.

faxxe · Thu Jan 12, 2023 7:06 pm

After flawless 72 days online on 7.6 i upgraded our CCR1009-7G-1C-1S+...... no fire or smoke. Resumed the old track to full satisfaction

-faxxe

CTassisF · Thu Jan 12, 2023 7:25 pm

I did not found on Winbox ou CLI the VRF attribute to l2tp-ether, eoip, ipip, gre.

https://help.mikrotik.com/docs/pages/vi ... edfeatures

memelchenkov · Thu Jan 12, 2023 7:50 pm

I have downloaded. ARM Chateau. But after reboot still 7.6, no upgrade performed. Tried twice. In logs: "router was rebooted without proper shutdown, probably kernel failure".

kowal · Thu Jan 12, 2023 8:03 pm

updated : hAP ac3, hAPax3, rb450gx4, cap ac without issues

fischerdouglas · Thu Jan 12, 2023 8:04 pm

https://help.mikrotik.com/docs/pages/vi ... edfeatures

Sorry! My bad not look at the help docs...

The idea of using the @vrf is great!
After seeing that, I trying to guess why not using the same syntax/method with VXLAN, but putting it on VTEP remote-ip attribute.

Could that be considered as a suggestion?

Thu Jan 12, 2023 8:07 pm

memelchenkov - Please send supout file from your router to support@mikrotik.com. Please note that your router did fail while running v7.6. The issue is not caused by v7.7.

memelchenkov · Thu Jan 12, 2023 8:33 pm

memelchenkov - Please send supout file from your router to support@mikrotik.com. Please note that your router did fail while running v7.6. The issue is not caused by v7.7.

It seems you are right, that the problem is not related to 7.7 upgrade, thanks! I rebooted without trying to update and the same kernel error—some bug of 7.6, unfortunately: it restores all my Firewall Address List after reboot, which I deleted before, all thousands entries. Oh well, gotta deal with it now...

UPD: it's a nasty bug when too long firewall address list eats all HDD space (free space become 0%) and then you cannot backup/restore. So I did Netinstall, restored from backup and after upgraded to 7.7, and everything went smooth then.

chiem · Thu Jan 12, 2023 8:44 pm

*) dns - do not query upstream DNS servers for matched regex records;
*) dns - query upstream DNS servers for other record types even if static entry exists;

I didn't have time to test rc4, but it looks like the ability to blacklist ipv6 entries has been restored--thank you! It would appear that the 2nd of the above changes counters the 1st; perhaps they should have been omitted from the change log?

Guscht · Thu Jan 12, 2023 8:55 pm

Works:

Screenshot 2023-01-12 174409.jpg

TOD · Thu Jan 12, 2023 9:14 pm

*) rb4011 - fixed reporting of current CPU frequency and changed default frequency to "auto";

rb4011.png

What did I do wrong? : /

Or is it (for some unknown reason) only for rb4011 version without Wi-Fi ? o_O

kowal · Thu Jan 12, 2023 9:49 pm

Maybe its visible via CLI?

TOD · Thu Jan 12, 2023 10:18 pm

Maybe its visible via CLI?

rb4011_console.png

It doesn't look like.

And somehow it would be very strange, considering that other devices have corresponding items in the same GUI sections.

sirbryan · Thu Jan 12, 2023 10:22 pm

Updated home/office CCR2116 from 7.6 to 7.7. BGP back to main network, Containers, L3HW NAT/FW offloading are all working so far.

Also just got a shiny new hAP AX3 for the lab and upgraded it to 7.7. 2.5Gbps to CRS312 for uplink. Getting just over 100Mbps on 20MHz channel on 2.4GHz, and 800Mbps on 80MHz channel on 5GHz to my iPhone 11.

ginojo · Thu Jan 12, 2023 10:32 pm

Setting fixed line rates (auto negotiation disabled) on SFP-RJ45 module to 100mbps not working anymore after 7.7 update on CCR2004-1G-12S+2XS. Always falls back to 1gbps which makes the line unusable when using older devices (like HP ILO).

jvanhambelgium · Fri Jan 13, 2023 12:14 am

Updated RB5009 with SFP module "S+RJ10" but see in Winbox some "flipping" behaviour, switching between 1G & 10G but the connection (on top of this interface my PPPoE runs) is just fine, 0 errors, maximum performance.
So at this point I'm not sure if this a "Winbox" cosmetic thing because otherwise I would have really glitches on the connection.

Screenshot from 2023-01-12 23-11-30.png

Screenshot from 2023-01-12 23-11-25.png

So these screens are switching between, as is the auto-negotiation is not "stable" but the link is fine.
Same with the screen below, the field like Temp & Supply-Voltage & "Copper Lenght" are flipping visible/not visible

Screenshot from 2023-01-12 23-11-05.png

Screenshot from 2023-01-12 23-10-46.png

nexusds · Fri Jan 13, 2023 2:25 am

Seems update server is unreachable at the moment

Shadowman94 · Fri Jan 13, 2023 2:34 am

CPU Frequency still missing on RB4011 :(

nichky · Fri Jan 13, 2023 2:46 am

bgp-vpn4 still doesn't work, even though im learning the end user ip-address

mducharme · Fri Jan 13, 2023 4:33 am

Now that this is stable, I'm experimenting for the first time with the new wifiwave2 capsman support. I can't find the local-forwarding setting for wifiwave2, and the "bridge" setting in the CAP configuration seems to be missing. I've added the interfaces manually as bridge ports on the CAP and so this seems to be working, but is there a different way of doing this?

mantouboji · Fri Jan 13, 2023 7:48 am

wireguard ipv6 bug still exists.

fluppir · Fri Jan 13, 2023 8:50 am

Is it possible to connect from ax3 device back to ros6 for capsman config ? I don't see where you specify the capsman address or the discovery interface in the CLI - thank you.

Fri Jan 13, 2023 8:55 am

Now that this is stable, I'm experimenting for the first time with the new wifiwave2 capsman support. I can't find the local-forwarding setting for wifiwave2, and the "bridge" setting in the CAP configuration seems to be missing. I've added the interfaces manually as bridge ports on the CAP and so this seems to be working, but is there a different way of doing this?

Local forwarding is the only type of forwarding available for wifiwave2 capsman currently, so there is no setting to switch between local and capsman forwarding.
Adding an interface to a bridge on the cap can be done by

#all commands executed on cap
/interface/wifiwave2/datapath 
add name=datapath-br bridge=bridge0
/interface/wifiwave2
set [find where !dynamic] datapath=datapath-br
#for dynamic interfaces
/interface/wifiwave2/cap
set slaves-datapath=datapath-br

Fri Jan 13, 2023 9:02 am

Is it possible to connect from ax3 device back to ros6 for capsman config ? I don't see where you specify the capsman address or the discovery interface in the CLI - thank you.

Devices running the wifiwave2 package (like the hAP ax^3), can only be managed by capsman from other devices running with wifiwave2 package. So a ROSv6 CAPsMAN from the bundled wireless package cannot manage a hAP ax^3.
CAPsMAN address in wifiwave2 settings can be set with `/interface/wifiwave2/cap set caps-man-address=`

mducharme · Fri Jan 13, 2023 9:03 am

Thank you for the explanation! That makes sense now.

accarda · Fri Jan 13, 2023 9:21 am

I'd like to report some behaviour that I have noticed while updating couple of devices, a CHR and RB4011.
On both I'm running VXLAN where I have attached PPPoE interface.
Initially after upgrading CHR first, VXLAN didn't work properly with RB4011, so PPPoE server was not reached.
After updating also RB4011 to v7.7, then VXLAN started to work again and now PPPoE connection is working again.
So not really sure whether there was any incompatibility for VXLAN between Ros 7.6 and 7.7, so I'm just reporting this here.

mducharme · Fri Jan 13, 2023 9:29 am

I have an audience as a wave2 cap. When I reboot it, the two CAP interfaces do not start getting managed by capsman properly until I disable them and re-enable them, and after that they work fine. It seems to be a bug.

Fri Jan 13, 2023 9:52 am

I'm unable to reproduce the issue going just by the description.
Please open a support ticket and include supouts from both capsman and the affected cap.

rextended · Fri Jan 13, 2023 9:57 am

I'm unable to reproduce the issue going just by the description.

please pass this on to the programmers, I think it hasn't been done yet:
viewtopic.php?t=192427#p976967
Thank you.

rumahnetmks · Fri Jan 13, 2023 10:44 am

hAPAC3 + RB4011iGS+5HacQ2HnD-IN update to v7.7 seems fine.

*) hotspot - added "install-hotspot-queue" parameter to control dynamic queue creation;
This one fix 'error hotspot profile queue' usually occur after router restart. Thx Mikrotik Team.

EDITED :
Same problem with RB4011iGS+5HacQ2HnD-IN, CPU Frequency at System>Resource not show, while at hAPAC3 shown.

rpingar · Fri Jan 13, 2023 11:06 am

x86 7.7 doesn't support Mellanox ConnetX6 cards, it see the pci but the interface are not shown

jimmer · Fri Jan 13, 2023 11:56 am

Is it possible to connect from ax3 device back to ros6 for capsman config ? I don't see where you specify the capsman address or the discovery interface in the CLI - thank you.
Devices running the wifiwave2 package (like the hAP ax^3), can only be managed by capsman from other devices running with wifiwave2 package. So a ROSv6 CAPsMAN from the bundled wireless package cannot manage a hAP ax^3.
CAPsMAN address in wifiwave2 settings can be set with `/interface/wifiwave2/cap set caps-man-address=`

So does that mean if you had a RB3011-RM Running RouterOS 7 without any WiFi interfaces then you cant manage a hAP ax^3 or does it mean you need to install the wifiwave2 package on the RB3011-RM to manage such a device?

Kind Regards,
Jim

Fri Jan 13, 2023 11:58 am

If the wifi2 package is available for that device, that's the way to go.

Fri Jan 13, 2023 12:09 pm

You need to install the wifiwave2 package on the RB3011, yes.

jimmer · Fri Jan 13, 2023 12:13 pm

If the wifi2 package is available for that device, that's the way to go.

Yeah, it uses the ARM packages so same as the hapAC2 and I am guessing the hAPax2 and hAPax3

Flash is OK and it has a gig of RAM so that wont be a prob.

Will just mean I wouldnt be able to use a smaller device for CAPsMAN for the hAPax series such as the RB750Gr3 even though it has the RAM it doesnt have the flash for the wave2 package.

Fri Jan 13, 2023 12:46 pm

Hex should be sufficient to be used.
Ofcourse you need to see if enough flash space is available.

Fri Jan 13, 2023 12:46 pm

The storage requirement for architectures that do not require local wifi interface drivers and firmware files is significantly lower.
The mmips package for the RB750Gr3 is 200kB.

juniorespow · Fri Jan 13, 2023 1:12 pm

working fine on CCR2216 v7.7

mducharme · Fri Jan 13, 2023 1:22 pm

I just tried setting up VLANs with the wifiwave2 CAPsMAN like how I would with the older CAPsMAN (putting the VLAN ID into the datapath settings on the CAPsMAN unit) and I get this error for the interfaces for remote CAPs:

"interface does not support assigning vlans"

Does wave2 capsman not currently support VLAN tagging for slave interfaces on remote CAP devices?

Fri Jan 13, 2023 1:34 pm

Only 802.11ax wifiwave2 interfaces support vlan tagging by the wireless interface.
I suppose the changelog entry regarding this could have been clearer.
All VLAN tagging in wifiwave2 is 'per-user' VLAN tagging. Setting datapath.vlan-id, you set the default VLAN id for users connecting on that interface. The default can be overriden by the access list.

mducharme · Fri Jan 13, 2023 1:39 pm

Is there any way around this for non-ax interfaces with wave2, where you want different SSIDs on different VLANs?

Qper · Fri Jan 13, 2023 1:42 pm

LHGG LTE died after the update...

Fri Jan 13, 2023 1:53 pm

A workaround for non-ax interfaces would be to have static interface configurations and manually add wifi interfaces as bridge ports with the desired pvid like in this example https://help.mikrotik.com/docs/display/ ... ccessPorts

yo3gjc · Fri Jan 13, 2023 2:13 pm

Another old bug is back. In routing/table marks are doubled in 4011 model
screenshot here
https://1drv.ms/u/s!AjSrHqFnTgKVg8YC7it ... w?e=tZF4J2

Fri Jan 13, 2023 2:26 pm

what and where exactly is doubled? As far as I can see routing marks are exactly the same number as being added, nothing is doubled.

kehrlein · Fri Jan 13, 2023 2:30 pm

wireguard ipv6 bug still exists.

Could you please provide any details about the bug?

ksteink · Fri Jan 13, 2023 4:04 pm

I have updated a bunch of devices:

- hAP AC2
- RB951Ui-2HnD, RB450Gx4, RB2011, RB3011, RB4011 and RB5009
- CRS326-24G, CRS328-24P
- hEX S
- cAP

All upgraded without issues.

jplitza · Fri Jan 13, 2023 4:17 pm

We are having issues with wireless mode=station-pseudobridge-clone and ARP replies. With 7.6, the Mikrotik RB951G-2HnD would reply to ARP requests for its own IP address with the cloned MAC address. Now it doesn't always do that, leading to very intermittent connectivity.

Luckily only an unimportant device. We worked around it by adding a static ARP entry to the router.

arash88 · Fri Jan 13, 2023 4:27 pm

Hey guys,
Updating to 7.7 from 7.6 (x86) has corrupted my container or to be more specific, I think it has corrupted a file inside the workdir.(/usr/local/bin)
Downgrading to 7.6 didn't help but Reinstalling the container fixed the problem.
This was the docker image: https://hub.docker.com/r/enwaiax/x-ui
And I got this error after upgrading: open bin/config.json: permission denied

parham · Fri Jan 13, 2023 5:21 pm

Hi

My both WAP R with ZT can't be upgrade due to missing zerotier package

/system/package/update> download
channel: stable
installed-version: 7.6
latest-version: 7.7
status: zerotier-7.7-arm.npk missing, use ignore-missing or disable package(s)

Spidermila · Fri Jan 13, 2023 5:25 pm

I have experienced several messages like "private-dhcp offering lease 192.168.111.50 for 94:EA:32:35:52:98 without success" after upgrading to 7.7. The result was that the clients were unable to access the network nor Internet. Clients are mostly connected via CAP managed APs.
This happened for different clients with different OSes (e.g. Lenovo laptop with Windows 10 and iPhone SE 2020).
I have two bridges, each with a different dhcp server on my RB3011UiAS. Only one of the dhcp servers behaved like that. There were no other messages indicating what the problem could be. The configuration looked fine, just like before the upgrade.
I have downgraded to 7.6 but the problem persisted. Only after restore of configuration from before the upgrade to 7.7, the problem is gone.
This is only a heads up. If someone else gets into trouble with DHCP server, I hope you will have possibility to investigate deeper. I wasn't that lucky. I needed to get rid of the issue ASAP.

AllexRo · Fri Jan 13, 2023 5:26 pm

Hi

My both WAP R with ZT can't be upgrade due to missing zerotier package

/system/package/update> download
channel: stable
installed-version: 7.6
latest-version: 7.7
status: zerotier-7.7-arm.npk missing, use ignore-missing or disable package(s)

You can find zerotier package in all_packages-7.7 zip file. Extract it from there and, with routeros-7.7 npk file, drag both files into Files window. Upon restart, it should update.

DarkNate · Fri Jan 13, 2023 5:34 pm

ROS v7.7 stable is still generating link-local addressing for *disabled* VPN interfaces such as GRE or WireGuard. When will MikroTik fix this?

parham · Fri Jan 13, 2023 5:41 pm

Hi

My both WAP R with ZT can't be upgrade due to missing zerotier package

/system/package/update> download
channel: stable
installed-version: 7.6
latest-version: 7.7
status: zerotier-7.7-arm.npk missing, use ignore-missing or disable package(s)
You can find zerotier package in all_packages-7.7 zip file. Extract it from there and, with routeros-7.7 npk file, drag both files into Files window. Upon restart, it should update.

Thanks buddy, I have already updated that was just to MT team to fix for the rest.

sbr · Fri Jan 13, 2023 6:41 pm

Upgradet two

One bricked it's a hAP ac2

hecatae · Fri Jan 13, 2023 8:16 pm

LHG LTE died after the update...

Netinstall
https://help.mikrotik.com/docs/display/ROS/Netinstall

diamuxin · Fri Jan 13, 2023 9:33 pm

In RB4011 with 7.7 the CPU Frequency has disappeared and it is not possible to see it in Winbox and neither by CLI (in 7.7beta3 it worked fine).

*) rb4011 - fixed reporting of current CPU frequency and changed default frequency to "auto"; ==> NOT working

In the other routers (ac2, ac3, mAP) it works fine, it only fails in RB4011.

Any solution or patch?

BR.

Paternot · Fri Jan 13, 2023 9:37 pm

ROS v7.7 stable is still generating link-local addressing for *disabled* VPN interfaces such as GRE or WireGuard. When will MikroTik fix this?

I understand that's a bug. But is it important? What's the problem of having one link-local address on a disabled interface?

Genuine question.

Rox169 · Fri Jan 13, 2023 11:01 pm

Hi,
my hikvision cameras are not able to connect HDD thorough samba v1 on hAP AX3. When I use the same HDD in ASUS router cameras are able to connect he samba.. [SUP-104510] sent.

lvader · Fri Jan 13, 2023 11:23 pm

ipv6 netmap seems to be still broken in this release

DarkNate · Fri Jan 13, 2023 11:41 pm

ipv6 netmap seems to be still broken in this release

It's probably your configuration. Works fine for me, including NPTv6 via mangle which is better than netmap as it is stateless.

add action=netmap chain=srcnat out-interface-list=WAN src-address=2400:cb00:75::/64 to-address=2400:cb00:75:1::/64
add action=netmap chain=dstnat in-interface-list=WAN dst-address=2400:cb00:75:1::/64 to-address=2400:cb00:75::/64

add action=snpt chain=postrouting comment=Test dst-prefix=2400:cb00:75:1::/64 src-address=2400:cb00:75::/64 src-prefix=2400:cb00:75::/64
add action=dnpt chain=prerouting comment=Test dst-address=2400:cb00:75:1::/64 dst-prefix=2400:cb00:75::/64 src-prefix=2400:cb00:75:1::/64

jvanhambelgium · Sat Jan 14, 2023 12:08 am

Are there any people with a broken ZeroTier setup in this release ?? ZT on my RB5009 is broken.
Stuck in the state "Requesting_Configuration" it seems. Worked just fine on 7.6
My LAB-3011 was also upgraded (first) and ZT is working fine here, that's the strange thing.
The "LEAF" node remain empty.

Screenshot from 2023-01-13 23-02-42.png

** EDIT ** : After a reboot it seems the config came through, but then the containers started to mis-behave.
** EDIT ** : There is definitely something with this release and containers ... less stable ... after stopping Pi-hole I could not start it anymore !! Needed to delete + recreate the container again before I could start the instance.

dvoijen · Sat Jan 14, 2023 12:19 am

I have an issue with version 7.7 on my router i have a OpenVPN Client interface, it is setup to not create a default route.
After updating from 7.6 to 7.7 it creates a default route altough it is setup not to do that.
Even when i disable the interface and re-enable it creates this route.

lvader · Sat Jan 14, 2023 1:19 am

ipv6 netmap seems to be still broken in this release
It's probably your configuration. Works fine for me, including NPTv6 via mangle which is better than netmap as it is stateless.

Please double check what you really getting on network side. right now netmap behaves like masquerade.

/ipv6 firewall nat add action=netmap chain=srcnat out-interface=he src-address=fd66:xxxx::/48 to-address=2600:xxxx:xxxx::/48
/ipv6 firewall nat add action=netmap chain=dstnat dst-address=2600:xxxx:xxxx::/48 in-interface=he to-address=fd66:xxxx::/48

and this is what I observe on network:

ping 2001:xxx:xx:xxx:5c1c:19a5:93f:a082 -I fd66:xxxx:0:2008::1

tcpdump:

01:11:50.482601 IP6 (flowlabel 0x7f8c4, hlim 61, next-header ICMPv6 (58) payload length: 64) 2600:xxxx:xxxx:: > 2001:xxx:xx:xxx:5c1c:19a5:93f:a082: [icmp6 sum ok] ICMP6, echo request, id 9, seq 3

outgoing source is 2600:xxxx:xxxx:: instead of expected 2600:xxxx:xxxx:0:2008::1.

and vice versa in opposite direction:
PING6(56=40+8+8 bytes) 2001:xxx:xx:xxx:5c1c:19a5:93f:a082 --> 2600:xxxx:xxxx:333::1

tcpdump:

23:13:14.678833 IP6 (flowlabel 0x20000, hlim 61, next-header ICMPv6 (58) payload length: 16) 2001:xxx:xx:xxx:5c1c:19a5:93f:a082 > fd66:xxxx::: [icmp6 sum ok] ICMP6, echo request, id 50383, seq 13

destination fd66:xxxx:: instead of expected fd66:xxxx:333::1

chiem · Sat Jan 14, 2023 2:29 am

There's a bug in the DNS static vs caching implementation here. A/AAAA/SOA records can not coexist with CNAME records. If one of them is static, the other set needs to be filtered from the upstream.

Edit: it appears that CNAMEs in general can't coexist with all other record types, so if something other than a CNAME is static, any upstream CNAME needs to be filtered out, and vice versa.

nichky · Sat Jan 14, 2023 4:57 am

can anyone confirm whether bgp -vpn4 works on v7.7?

mmc · Sat Jan 14, 2023 5:35 am

ros 7.7 on ccr2116, rb2004... still don't establish stable 10g ethernet links when connected via DAC breakout cables to devices like cisco nexus, arista, juniper.

on the switch the links are flapping infinite after reboot of the mikrotik device or re-connect of the link. this happesn randomly and affects more than 50 percent of all links connected with 10g breakouts (we tested qsfp/sfp+ breakouts from cisco, gtek, fs and mikrotik - all the same result).

it worked without problems till ros 7.2.3. since 7.3 it's broken with above described non-production ready / non-stable result.

reported to support and updated under #[SUP-95119].

just be aware, in case you want to connect the high-end devices via breakouts.

mantouboji · Sat Jan 14, 2023 8:36 am

wireguard ipv6 bug still exists.
Could you please provide any details about the bug?

viewtopic.php?t=185055

jimint · Sat Jan 14, 2023 10:30 am

*) rb4011 - fixed reporting of current CPU frequency and changed default frequency to "auto";
rb4011.png
What did I do wrong? : /

Or is it (for some unknown reason) only for rb4011 version without Wi-Fi ? o_O

Same issue with my RB4011

armandfumal · Sat Jan 14, 2023 10:44 am

upgrade border eBGP routers CCR2216 + CCR1072 without issues...

Widmo · Sat Jan 14, 2023 12:31 pm

Hi,

upgrade from 7.6 to 7.7
OSPF links have stopped working.

downgrade to 7.6 make everything working.

If Support need more details - please let me know.

DarkNate · Sat Jan 14, 2023 3:14 pm

Please double check what you really getting on network side. right now netmap behaves like masquerade.
Code: Select all
/ipv6 firewall nat add action=netmap chain=srcnat out-interface=he src-address=fd66:xxxx::/48 to-address=2600:xxxx:xxxx::/48
/ipv6 firewall nat add action=netmap chain=dstnat dst-address=2600:xxxx:xxxx::/48 in-interface=he to-address=fd66:xxxx::/48
and this is what I observe on network:

ping 2001:xxx:xx:xxx:5c1c:19a5:93f:a082 -I fd66:xxxx:0:2008::1

tcpdump:
Code: Select all
01:11:50.482601 IP6 (flowlabel 0x7f8c4, hlim 61, next-header ICMPv6 (58) payload length: 64) 2600:xxxx:xxxx:: > 2001:xxx:xx:xxx:5c1c:19a5:93f:a082: [icmp6 sum ok] ICMP6, echo request, id 9, seq 3
outgoing source is 2600:xxxx:xxxx:: instead of expected 2600:xxxx:xxxx:0:2008::1.

and vice versa in opposite direction:
PING6(56=40+8+8 bytes) 2001:xxx:xx:xxx:5c1c:19a5:93f:a082 --> 2600:xxxx:xxxx:333::1

tcpdump:
Code: Select all
23:13:14.678833 IP6 (flowlabel 0x20000, hlim 61, next-header ICMPv6 (58) payload length: 16) 2001:xxx:xx:xxx:5c1c:19a5:93f:a082 > fd66:xxxx::: [icmp6 sum ok] ICMP6, echo request, id 50383, seq 13
destination fd66:xxxx:: instead of expected fd66:xxxx:333::1

You are right, it is behaving like a masquerade. It's a bug for sure. But also I recommend you avoid NAT66 crap and use NPTv6 instead via mangle, it will preserve the end-to-end princple which NAT of any kind cannot.

EgidijusL · Sat Jan 14, 2023 4:19 pm

Hap ax3 - Wifi 5Ghz speed down from ~800Mbs to max ~400Mbs and speed no stable. :(
Update from 7.6 to 7.7

voytec · Sat Jan 14, 2023 4:37 pm

CCR1009-7G-1C-1S+ router OS v7.7
USB port still not working. I can't connect to UPS.

steginger · Sat Jan 14, 2023 6:13 pm

I think this change

*) dns - query upstream DNS servers for other record types even if static entry exists;

creates some big problem for me.

For my local network I have some static A entries in my MT router for local services.
They don't have any static AAAA records as I don't want to use IPv6 for those services.
With 7.6 everything is fine.
After updating to 7.7 resolving the static A entries from within docker containers completely seems to be broken (e.g., ping gives just a bad address error).
Reverting back to 7.6 without changing anything else fixes lookup in the containers.

For 7.6 I got a valid (NOERROR) but empty response trying to resolve an AAAA record for a static A entry:

root@james:~# host -t AAAA -v mqtt.xxx.home 192.168.0.254
Trying "mqtt.xxx.home"
Using domain server:
Name: 192.168.0.254
Address: 192.168.0.254#53
Aliases: 

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48407
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;mqtt.xxx.home.		IN	AAAA

This correctly indicates that there is no IPv6 address to best of my knowledge.

With 7.7 I get a NXDOMAIN error (which is of course valid from an upstream server point of view as upstream server doesn't know anything about my local entries):

root@james:~# host -t AAAA -v test.xxx.home 192.168.0.253
Trying "test.xxx.home"
Using domain server:
Name: 192.168.0.253
Address: 192.168.0.253#53
Aliases: 

Host test.xxx.home not found: 3(NXDOMAIN)

I guess this NXDOMAIN at least confuses name resolution within my docker containers (docker DNS proxy?).
It seems to be no generic problem in host linux (I can ping a static entry from host but not from within container, ping by IP is fine in container).

Any ideas or any possibility to create an "empty" static AAAA entry?

I dont't really want to create real AAAA entries as I had some problems with docker and IPv6 in the past.

Thanks!

Jotne · Sat Jan 14, 2023 6:50 pm

CCR1009-7G-1C-1S+ router OS v7.7
USB port still not working. I can't connect to UPS.

Do other version works? Are there written anything in change log that it should work?
If other version works, make a support case.

East2 · Sat Jan 14, 2023 10:27 pm

hAP ac^2 7.6 (router was rebooted without proper shutdown, probably kernel failure)...

h17 · Sat Jan 14, 2023 10:32 pm

Hap ax3 - Wifi 5Ghz speed down from ~800Mbs to max ~400Mbs and speed no stable. :(
Update from 7.6 to 7.7

I'm seeing the same thing, even worse (down from 630Mbps to 180Mbps).
There's no one else on frequencies used by me (5700/ax/eeCe, Poland).

Didn't change anything. On v7.6 all my devices were connected at 1200Mbps,
now on v7.7 they all are around 260-280Mbps in registration table.

lvader · Sat Jan 14, 2023 11:05 pm

You are right, it is behaving like a masquerade. It's a bug for sure. But also I recommend you avoid NAT66 crap and use NPTv6 instead via mangle, it will preserve the end-to-end princple which NAT of any kind cannot.

NPTv6 unfortunately is also buggy. In my experiments it is matching the firewall rule

/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes

Here what is in logs:
23:03:10 firewall,info forward: in:bridge out:he, connection-state:invalid src-mac b8:27:eb:xx:xx:xx, proto ICMP (type 129, code 0), fd66:xxxx:x:2008::1->2001:xxx:xx:x:xxx:baff:fe35:149a, len 64

and in connection state tracking it has only one direction entry:

      protocol=icmpv6 src-address=2001:xxx:xx:x:xxxx:baff:fe35:149a dst-address=2600:xxxx:xxxx:1000::1
        reply-src-address=2600:xxxx:xxxx:1000::1 reply-dst-address=2001:xxx:xx:x:xxxx:baff:fe35:149a icmp-type=128 icmp-code=0
        icmp-id=104 timeout=29s

Upd: adding in raw table bunch of "no track" rules helps, but looses some part of firewall functionality... that's why netmap might be a better solution anyway...

dave3 · Sun Jan 15, 2023 3:50 am

I did the upgrade from v7.6 to v7.7 on my RB750gr3 yesterday. It's a pretty basic setup, but so far, so good.

DarkNate · Sun Jan 15, 2023 9:45 am

NPTv6 unfortunately is also buggy. In my experiments it is matching the firewall rule
Code: Select all
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes
Here what is in logs:
23:03:10 firewall,info forward: in:bridge out:he, connection-state:invalid src-mac b8:27:eb:xx:xx:xx, proto ICMP (type 129, code 0), fd66:xxxx:x:2008::1->2001:xxx:xx:x:xxx:baff:fe35:149a, len 64

and in connection state tracking it has only one direction entry:
Code: Select all
      protocol=icmpv6 src-address=2001:xxx:xx:x:xxxx:baff:fe35:149a dst-address=2600:xxxx:xxxx:1000::1
        reply-src-address=2600:xxxx:xxxx:1000::1 reply-dst-address=2001:xxx:xx:x:xxxx:baff:fe35:149a icmp-type=128 icmp-code=0
        icmp-id=104 timeout=29s
Upd: adding in raw table bunch of "no track" rules helps, but looses some part of firewall functionality... that's why netmap might be a better solution anyway...

That is not a bug, that is expected. You are using stateful rules to filter NPTv6 traffic which is stateless. To begin with IPv6 restores the end-to-end principle therefore removing NAT and stateful-ness along with it. You are not supposed to create state-full ness for IPv6 if you want maximum possible end-to-end performance and eliminate STUN/TURN completely from the network.

This is off-topic, I will not go further than this, but I suggest you learn network engineering further to understand better.

For IPv6 firewalling, use the raw table, remove all filter/NAT rules. The raw table aka prerouting chain is powerful and you can use various ACLs and parameters like src or dst address type.

Statefulness makes sense only for an IoT VLAN. Everything else, filter on host or not like an iPhone where nothing is running on any port, it doesn't matter.

DeGlucker · Sun Jan 15, 2023 12:24 pm

x86 Router with Atheros AR9300 WiFi adapter installed
Update from 7.6 to 7.7
WiFi clients stopped see WiFi network. I was forced to rollback to 7.6. After that WiFi works again.

mkx · Sun Jan 15, 2023 12:51 pm

To begin with IPv6 restores the end-to-end principle therefore removing NAT and stateful-ness along with it.

I don't agree. Stateful-ness has nothing to do with NAT, it's the other way around (it's not possible to perform sensible NAT without being aware of connection state). When it comes to NPTv6, it can indeed work as stateless ... but that doesn't prevent firewallv6 from work in stateful manner. And stateful firewall has quite a few advantages over stateless firewall (speed is obviously not one of them).

The packet flow explanation doesn't differentiate between IPv4 and IPv6 (in some places it explicitly mixes them ... "IPv4 or IPv6"), doesn't explicitly mention netmap - it uses generic "DST NAT" and "SRC NAT" boxes and I assume netmap is covered (as a special case) with that functionality. And I assume NPTv6 is covered there as well.
If my assumptions are correct, then using NPTv6 (or netmap) doesn't change functioning of firewallv6, one only has to be carefull about which addresses are being used when packets are passing firewall (according to packet flow diagrams the "internal" addresses are seen by firewall).

But then my assumptions can be wrong. And I don't need NPTv6 (or netmap) so I'm not going to test it myself.

Nadol · Sun Jan 15, 2023 1:25 pm

I have downloaded. ARM Chateau. But after reboot still 7.6, no upgrade performed. Tried twice. In logs: "router was rebooted without proper shutdown, probably kernel failure".

I can confirm this. I was trying to upgrade several times without luck. Each time at log I'm getting: "router was rebooted without proper shutdown, probably kernel failure"

pe1chl · Sun Jan 15, 2023 2:01 pm

There's a bug in the DNS static vs caching implementation here. A/AAAA/SOA records can not coexist with CNAME records. If one of them is static, the other set needs to be filtered from the upstream.

Edit: it appears that CNAMEs in general can't coexist with all other record types, so if something other than a CNAME is static, any upstream CNAME needs to be filtered out, and vice versa.

That is according to DNS spec. CNAME and other data on the same name is not allowed in DNS. Sure it is sometimes inconvenient.
Maybe you need to cut back on clever use of static DNS records to override what outside DNS is telling you. That is never going to work well.
Static DNS records should only be used for names that you manage yourself.

vecino · Sun Jan 15, 2023 4:16 pm

This problem with spamming the logs continues in this version unfortunately. OSPF otherwise works without problems, but because of this I have to disable logging.

ROUTE,OSPF,WARNING { version: 2 router-id: 10.107.*.* } backbone-v2 { 0.0.0.0 } interface { broadcast 10.107.*.*%vlan1030 } neighbor { router-id: 10.107.*.* state: Full } crypto sequence invalid	notice
ROUTE,OSPF,WARNING { version: 2 router-id: 10.107.*.* } backbone-v2 { 0.0.0.0 } interface { broadcast 10.107.*.*%vlan1030 } neighbor { router-id: 10.107.*.* state: Full } crypto sequence invalid	notice
ROUTE,OSPF,WARNING { version: 2 router-id: 10.107.*.* } backbone-v2 { 0.0.0.0 } interface { broadcast 10.107.*.*%vlan1030 } neighbor { router-id: 10.107.*.* state: Full } crypto sequence invalid	notice
ROUTE,OSPF,WARNING { version: 2 router-id: 10.107.*.* } backbone-v2 { 0.0.0.0 } interface { broadcast 10.107.*.*%vlan1030 } neighbor { router-id: 10.107.*.* state: Full } crypto sequence invalid	notice
ROUTE,OSPF,WARNING { version: 2 router-id: 10.107.*.* } backbone-v2 { 0.0.0.0 } interface { broadcast 10.107.*.*%vlan1030 } neighbor { router-id: 10.107.*.* state: Full } crypto sequence invalid	notice

+

received wrong LS Ack for network
received wrong LS Ack for router

spippan · Sun Jan 15, 2023 5:49 pm

updated from 7.6 to 7.7:
CRS326-24G-2S+
hAP AC
hAP ac²

and a friend of mine:
CRS326-24G-2S+
RB3011
hAP ac²

so far no funky stuff appeared.

wireguard, bgp peering (hAPac² to my friends RB3011 via wireguard tunnel), queues and vlan-filtering bridges working so far

FIBRANETPLUS · Sun Jan 15, 2023 5:50 pm

I have CCR2004-1G-12S+2XS v6.49.7
Upgrade to 7.7
After upgrade no work
https://www.porvenir.com.co/
http://s16.movilsp.co/

And others webpage

No work apps DirecTVGO and HBOGO

Return to 6.49.7 and work fine again

I have CCR2116-12G-4S+ v7.1.5
After upgrading to any higher version, have same problem.

Andy idea?

Rox169 · Sun Jan 15, 2023 6:03 pm

WiFi speed on hap AX2 is OK on 7.7, the same as on 7.6

DarkNate · Sun Jan 15, 2023 9:23 pm

I don't agree. Stateful-ness has nothing to do with NAT, it's the other way around (it's not possible to perform sensible NAT without being aware of connection state). When it comes to NPTv6, it can indeed work as stateless ... but that doesn't prevent firewallv6 from work in stateful manner. And stateful firewall has quite a few advantages over stateless firewall (speed is obviously not one of them).

Stateful-ness doesn't need NAT. But NAT requires stateful-ness to work. NPTv6 isn't NAT, it is stateless, it doesn't need the conn_track module.

You should stop pretending to be a know-it-all expert and do some reading.

This document describes a stateless, transport-agnostic IPv6-to-IPv6 Network Prefix Translation (NPTv6) function that provides the address-independence benefit associated with IPv4-to-IPv4 NAT (NAPT44) and provides a 1:1 relationship between addresses in the "inside" and "outside" prefixes, preserving end-to-end reachability at the network layer.

https://www.rfc-editor.org/rfc/rfc6296
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The packet flow explanation doesn't differentiate between IPv4 and IPv6 (in some places it explicitly mixes them ... "IPv4 or IPv6"), doesn't explicitly mention netmap - it uses generic "DST NAT" and "SRC NAT" boxes and I assume netmap is covered (as a special case) with that functionality. And I assume NPTv6 is covered there as well.
If my assumptions are correct, then using NPTv6 (or netmap) doesn't change functioning of firewallv6, one only has to be carefull about which addresses are being used when packets are passing firewall (according to packet flow diagrams the "internal" addresses are seen by firewall).

But then my assumptions can be wrong. And I don't need NPTv6 (or netmap) so I'm not going to test it myself.

You are not entirely wrong about the stateful firewall, it has its place, and is useful for non-advanced users or engineers who lack the expertise to configure a stateless firewall that covers A to Z. I can filter out unsolicited traffic or in other words traffic that could for example try to SSH into the router or my hosts or whatever, using purely the stateless firewall by exploiting the various parameters supported in legacy iptables. But as I stated this is advanced and not everyone can do this, or should, because chances are, they may leave loopholes or break stuff on layer 3/4 (been there, done that).

But if an organisation or business or even a home user, wants true native IPv6 end-to-end principle restored, then they should make the efforts to learn advanced iptables and exploit everything there is in the prerouting chain to filter all the crap they want without harming the end-to-end principle and advantage of IPv6 therefore nearly zero performance loss compared to stateful firewall with severe performance loss when trying to route line-rate.

The packet flow diagram hasn't been updated in decades since the NetFilter project became “public” (mass adoption), which is unfortunately a problem for experts such as yourself that assume it is flawless. It does not differentiate between NAT66 and NPTv6 because both didn't even exist back then, when the original diagram went public. Unfortunately for non-experts like myself and other folks, this has been problematic in the field when we deal with experts that believe blindly the packet flow diagram is flawless, it is not. I recommend, you actually look at the Linux kernel source code, focus on the NPTv6 code and compare it to NAT66, they aren't remotely similar short of “translation”, but the mechanism varies between Earth and Mars. I could be wrong, the diagram could be wrong, but the source code does not lie. It is C programming, so easier to parse for non-programming folks like myself, C being procedural and all.

Now, hopefully someone in the Linux NetFilter project will eventually update both the docs and the diagram to reflect the new changes. Especially since everyone (except MikroTik and other vendors) is moving away from NetFilter for filtering (leaving packet assembly and dis-assembly/sk_buff etc still to NetFilter) to either XDP or entire kernel bypass using DPDK. A proper packet-flow diagram including these technologies to properly represent their flow in the process along with NPTv6 is more important now than ever to prevent misinformation from plaguing the networking industry.

The Wikipedia version of the diagram, is slightly more accurate as it does represent XDP, but does not cover the NPTv6 which is in “mangle” (after conn_track), but is supposed to stateless (can be proven by no_tracking in the raw table that it works). You need to realise it's all just hooks, the different “chains” can be hooked stateless_ly without conn_track under the hood. Performance wise, no_tracking doesn't guarantee performance-loss=zero if you use anything short of prerouting/raw table:

iptables has multiple pre-defined tables and base chains, all of which are registered even if you only need one of them. There have been reports of even unused base chains harming performance.

Source: https://wiki.nftables.org/wiki-nftables ... h_iptables

And hopefully, MikroTik migrates to nftables at the least and perhaps give us XDP support (ASIC offloaded or native mode) or DPDK, and we can all dump the stateful-ness bullshit (mostly but not entirely) and filter at the NIC level. ROSv7 took decades, we can expect this in Tik in about 60 years lol.

mkx · Sun Jan 15, 2023 9:41 pm

You should stop pretending to be a know-it-all expert and do some reading.

Since you're such an expert, why are you writing same thing as I did but using different words ... and then show as if you're writing sonething completely different and that what I wrote is wrong? As far as your latest posts in this thread go, you're trolling. And I'm done discussing with you since you can't seem to handle opinions not supporting your own beliefs.

Znevna · Sun Jan 15, 2023 11:39 pm

Which part of all this is v7.7 release-related?

ormandj · Mon Jan 16, 2023 1:28 am

I have CCR2004-1G-12S+2XS v6.49.7 + stuff was here from FIBRANETPLUS (quoting moderator always gets mad when I quote more than a line of information)

I have the same device with no issues with any of the sites you mentioned on 7.7. It is very likely to be some of your configuration and a change from v6 to v7.

FIBRANETPLUS · Mon Jan 16, 2023 1:35 am

My CCR2116 no have any firewall for test this url
Only: IP, Route, NAT, PPPoE secrets, PCC balance.

ormandj · Mon Jan 16, 2023 2:28 am

Try disabling PCC balancing, and then a netinstall/basic config, and work your way back. Eventually you'll find out what's causing your problem.

nichky · Mon Jan 16, 2023 2:31 am

im not to sure that vrf works well on v7.7

lluu131 · Mon Jan 16, 2023 3:23 am

ospf v3 does not work in 7.7, reverts back to 7.6 and everything is fine,CRS317-1G-16S HW enable

/routing ospf instance
add disabled=no name=ospf-instance-v2-ipv4 router-id=id-1
add disabled=no name=ospf-instance-v3-ipv6 router-id=id-1 version=3
/routing ospf area
add disabled=no instance=ospf-instance-v2-ipv4 name=ospf-area-0-ipv4
add disabled=no instance=ospf-instance-v3-ipv6 name=ospf-area-0-ipv6
/routing ospf interface-template
add area=ospf-area-0-ipv4 disabled=no networks=10.1.1.3/32 type=ptp
add area=ospf-area-0-ipv4 disabled=no networks=10.1.1.4/30 type=ptp
add area=ospf-area-0-ipv4 disabled=no networks=10.1.1.16/28 type=ptp
add area=ospf-area-0-ipv4 disabled=no networks=10.1.1.32/28 passive type=ptp
add area=ospf-area-0-ipv4 disabled=no networks=10.1.1.48/28 passive type=ptp
add area=ospf-area-0-ipv4 disabled=no networks=10.1.1.64/28 passive type=ptp
add area=ospf-area-0-ipv4 disabled=no networks=192.168.1.0/24 passive type=ptp
add area=ospf-area-0-ipv6 disabled=no networks=fd00::2/128 passive type=ptp
add area=ospf-area-0-ipv6 disabled=no networks=fd00:0:0:1::/64 type=ptp
add area=ospf-area-0-ipv6 disabled=no networks=fd00:0:0:11::/64 passive type=ptp
add area=ospf-area-0-ipv6 disabled=no networks=fd00:0:0:12::/64 passive type=ptp
add area=ospf-area-0-ipv6 disabled=no networks=fd00:0:0:20::/64 passive type=ptp
add area=ospf-area-0-ipv6 disabled=no networks=fd00:0:0:30::/64 passive type=ptp
add area=ospf-area-0-ipv6 disabled=no networks=fd00:0:0:100::/64 type=ptp

Nothing has changed in the configuration, in 7.7 the ipv6 neighbours are gone, but the ipv4 neighbours are fine, so ospf v3 has stopped working

buset1974 · Mon Jan 16, 2023 7:57 am

V 7.7 BGP vpn4 routing withdraw still problem.

ilmars · Mon Jan 16, 2023 9:38 am

After upgrading to RouterOS v7.7 from v7.6 for CRS354 connected to vPC (CRS354 has a link to each of two Cisco Nexus 9xxxx that form vPC domain) - links start to flap. Issue goes away after downgrading to v7.6.

As was the case with RouterOS v7.7rc5 also with RouterOS v7.7, using serial cable (have tried only with CRS354 for now) error is shown at startup of switch:

insmod: /lib/modules/5.6.3/drivers/char/music_dog.ko failed: 22 Invalid argument

Stopped experiments with MLAG at v7.6 - does not go well with Cisco Nexus vPC - if there is instruction that would lead to stable MikroTik MLAG <> Cisco vPC connection that would be useful.

R3quiem3 · Mon Jan 16, 2023 9:48 am

I have a problem with SRC-NAT, it is not matching all the connections so there are connections that are passing through the router without being NATed.

uCZBpmK6pwoZg7LR · Mon Jan 16, 2023 10:50 am

I have a problem with SRC-NAT, it is not matching all the connections so there are connections that are passing through the router without being NATed.

This problem persist since 6.xx.xx.

dakobg · Mon Jan 16, 2023 10:51 am

Any idea when we can expect BFD ?

pe1chl · Mon Jan 16, 2023 12:02 pm

I have a problem with SRC-NAT, it is not matching all the connections so there are connections that are passing through the router without being NATed.

You mean "connections"? Or actually you mean only some packets belonging to a previous connection?
There is a wellknown bug (actually a bug in the Linux kernel) where the connection state is removed too early, and late packets like repeated ACK-FIN or RST belonging to an earlier connection are passed through without NAT.
The default firewall rule to block packets with connection state "invalid" is an attempt to block those packets, but it causes other problems as well.
Apparently the Linux developers have chosen to live with this problem (as it is present for decades) so I think it is best to do the same.

shavenne · Mon Jan 16, 2023 12:38 pm

I think this change
*) dns - query upstream DNS servers for other record types even if static entry exists;
creates some big problem for me.
[...]

I'm having the same problem. Since 7.7 my home assistant instance (not on MT, but also in Docker) can't resolve my internal hostnames anymore. I also see AAAA-requests and then a "bad address" in home assistant.

easyswiss · Mon Jan 16, 2023 1:34 pm

We have CCR2216 routers. 3x BGP Full, 1+k DHCP, 1+k NAT Rules. CPU Load range 15-25%.

After the upgrade to RouterOS 7.7 (7.6 before) we have reports for package loss from our clients.
There is also a message in the logs that did not appear before 7.7:

L3HW: Route HW table FULL

Is there a bugfix available?

rpingar · Mon Jan 16, 2023 1:42 pm

We have CCR2216 routers. 3x BGP Full, 1+k DHCP, 1+k NAT Rules. CPU Load range 15-25%.

After the upgrade to RouterOS 7.7 (7.6 before) we have reports for package loss from our clients.
There is also a message in the logs that did not appear before 7.7:

L3HW: Route HW table FULL

Is there a bugfix available?

given the HW table size of ~140k prefixes you have to play with filter rule to "set suppress-hw-offload yes" on the prefixes that don't do traffic.

regards
Ros

mmc · Mon Jan 16, 2023 3:49 pm

After upgrading to RouterOS v7.7 from v7.6 for CRS354 connected to vPC (CRS354 has a link to each of two Cisco Nexus 9xxxx that form vPC domain) - links start to flap. Issue goes away after downgrading to v7.6.

As was the case with RouterOS v7.7rc5 also with RouterOS v7.7, using serial cable (have tried only with CRS354 for now) error is shown at startup of switch:
Code: Select all
insmod: /lib/modules/5.6.3/drivers/char/music_dog.ko failed: 22 Invalid argument
Stopped experiments with MLAG at v7.6 - does not go well with Cisco Nexus vPC - if there is instruction that would lead to stable MikroTik MLAG <> Cisco vPC connection that would be useful.

mclag to cisco n3k and n9k work well for us, as long as you don't use breakout cables. with breakout cables you don't get a stable link.

easyswiss · Mon Jan 16, 2023 5:03 pm

We have CCR2216 routers. 3x BGP Full, 1+k DHCP, 1+k NAT Rules. CPU Load range 15-25%.

After the upgrade to RouterOS 7.7 (7.6 before) we have reports for package loss from our clients.
There is also a message in the logs that did not appear before 7.7:

L3HW: Route HW table FULL

Is there a bugfix available?
given the HW table size of ~140k prefixes you have to play with filter rule to "set suppress-hw-offload yes" on the prefixes that don't do traffic.

regards
Ros

We have disabled L3HW offloading. No more packet loss measurable.

Interesting fact:
CCR2216 CPU with L3HW offloading: 20%.
CCR2216 CPU WITHOUT L3HW offloading: 10%.

Disabling L3HW Offloading also led to a reduction in CPU usage, which is surprising, especially since L3HW Offloading promises exactly the opposite.

spippan · Mon Jan 16, 2023 5:11 pm

We have disabled L3HW offloading. No more packet loss measurable.

Interesting fact:
CCR2216 CPU with L3HW offloading: 20%.
CCR2216 CPU WITHOUT L3HW offloading: 10%.

Disabling L3HW Offloading also led to a reduction in CPU usage, which is surprising, especially since L3HW Offloading promises exactly the opposite.

CCR2216 should have enough cpu power to process this without L3HW offload (which affects the switchport cpu AFAIK)
so the reduced cpu load seems legit

pe1chl · Mon Jan 16, 2023 5:16 pm

Disabling L3HW Offloading also led to a reduction in CPU usage, which is surprising, especially since L3HW Offloading promises exactly the opposite.

With offloading of CPU tasks to external hardware there is always the tradeoff between performing the actual task on the CPU, and detecting that the task may be performed by external hardware + loading the appropriate information into the external hardware. When there is little traffic, it may well be that loading the route into the switch costs more than doing the routing in the CPU.

Paternot · Mon Jan 16, 2023 5:18 pm

Upgrade fom 7.6 to 7.7
hEX (RB750Gr3)

6 BGP peers (5 with Wireguard, one with IPSec) and about 3500 IPv6 routes.

darkmanlv · Mon Jan 16, 2023 9:27 pm

after upgrade to 7.7 hap ac3 and hex s started to freeze randomly, only power reset helps

erlinden · Mon Jan 16, 2023 9:47 pm

I read some comments about higher temperature, nothing about freezing devices.
Couldn't help it, what are freezes in your case? Can you share your config to get some proper feedback?

/export file=anynameyoulike

Make sure to get rid of all personal information.

Ryo · Mon Jan 16, 2023 10:23 pm

after upgrade to 7.7 hap ac3 and hex s started to freeze randomly, only power reset helps

Experienced the same issue as well with hex RB750Gr3, the device will just randomly crashed and rebooted. on next bootup there is warning show "router rebooted without proper shutdown".

Fyi, it don't have this issue with v7.5 and previous version.

pe1chl · Mon Jan 16, 2023 10:35 pm

Maybe you should try to export your config and netinstall the device fresh.

Rox169 · Mon Jan 16, 2023 11:44 pm

Hi,

why is this command not working anymore???

/interface/wifiwave2/info country-info Latvia

sirbryan · Tue Jan 17, 2023 6:28 am

We have CCR2216 routers. 3x BGP Full, 1+k DHCP, 1+k NAT Rules. CPU Load range 15-25%.

After the upgrade to RouterOS 7.7 (7.6 before) we have reports for package loss from our clients.
There is also a message in the logs that did not appear before 7.7:

L3HW: Route HW table FULL

Is there a bugfix available?

This just means there's no more room for offloading routes. Your CPU's are handling all the routing. Mine does that on 7.4.1 unless I filter out routes to a couple hundred thousand down from 1.4 million. It's not a bug.

sirbryan · Tue Jan 17, 2023 6:32 am

We have disabled L3HW offloading. No more packet loss measurable.

Interesting fact:
CCR2216 CPU with L3HW offloading: 20%.
CCR2216 CPU WITHOUT L3HW offloading: 10%.

Disabling L3HW Offloading also led to a reduction in CPU usage, which is surprising, especially since L3HW Offloading promises exactly the opposite.

I found issues with L3HW offload on >7.4.1 (7.5, 7.6), so I've left my border/core 2116's and 310/317's on 7.4.1. (CRS310's did fine with 7.6, but they have much smaller tables.)

When I filter all but about 200K routes from external peers, everything fits in L3HW tables and CPU goes down to 0% on the core and 5% on the borders.

I wonder if there's a bug introduced somewhere in 7.5/6/7.

nichky · Tue Jan 17, 2023 7:20 am

*) ovpn - added hardware acceleration support for IPQ-6010; <<-- from the manu, where can we that?

bluntmike · Tue Jan 17, 2023 8:44 am

I think this change
*) dns - query upstream DNS servers for other record types even if static entry exists;
creates some big problem for me.

For my local network I have some static A entries in my MT router for local services.
They don't have any static AAAA records as I don't want to use IPv6 for those services.
With 7.6 everything is fine.
After updating to 7.7 resolving the static A entries from within docker containers completely seems to be broken (e.g., ping gives just a bad address error).
Reverting back to 7.6 without changing anything else fixes lookup in the containers.

For 7.6 I got a valid (NOERROR) but empty response trying to resolve an AAAA record for a static A entry:
Code: Select all
root@james:~# host -t AAAA -v mqtt.xxx.home 192.168.0.254
Trying "mqtt.xxx.home"
Using domain server:
Name: 192.168.0.254
Address: 192.168.0.254#53
Aliases: 

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48407
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;mqtt.xxx.home.		IN	AAAA
This correctly indicates that there is no IPv6 address to best of my knowledge.

With 7.7 I get a NXDOMAIN error (which is of course valid from an upstream server point of view as upstream server doesn't know anything about my local entries):
Code: Select all
root@james:~# host -t AAAA -v test.xxx.home 192.168.0.253
Trying "test.xxx.home"
Using domain server:
Name: 192.168.0.253
Address: 192.168.0.253#53
Aliases: 

Host test.xxx.home not found: 3(NXDOMAIN)
I guess this NXDOMAIN at least confuses name resolution within my docker containers (docker DNS proxy?).
It seems to be no generic problem in host linux (I can ping a static entry from host but not from within container, ping by IP is fine in container).

Any ideas or any possibility to create an "empty" static AAAA entry?

I dont't really want to create real AAAA entries as I had some problems with docker and IPv6 in the past.

Thanks!

7.7 also broke my home static entries when using home assistant, nslookup returns the ipv4 followed by a NXDOMAIN error.

For example - I have an A for paradox.lan to 192.168.88.49 - I just created an AAAA with the IP as 192.168.88.49 in Winbox which just saved as ::ffff:192.168.88.49 and everything works again.

[edit] bit of a ipv6 noob but i see now @ https://www.ripe.net/manage-ips-and-asn ... stypes.pdf that ::ffff/96 is used to map v4's

rpingar · Tue Jan 17, 2023 9:10 am

for me 7.7 still has two main pppoe issues:
- some time in case of massive client's diisconnections the dynamic simple queue about pppoe got invalid and the only way to delete them is to reboot the router;
- rarely the dynamic pppoe-client interface don't get running, here you can delete it and let the client reauthenticate.
[SUP-97493] updated with a series of supout and autosupout.

it is critical to fix theme asap

sniper113 · Tue Jan 17, 2023 10:46 am

hello
I recently updated my ebs 3011 with 7.7, everything was fine except that in my 3011 that I had as a balancer (pcc with recursive routes) the balancer stopped working, it didn't give me internet I had to return it to 6.48
In rbs with models prior to 3011, all 7.7 is installed without problems, but when doing a reboot they hang, it just happened to me with a RB760IGS and a 2011 all wrong and I couldn't recover them with anything

pe1chl · Tue Jan 17, 2023 11:03 am

hello
I recently updated my ebs 3011 with 7.7, everything was fine except that in my 3011 that I had as a balancer (pcc with recursive routes) the balancer stopped working, it didn't give me internet I had to return it to 6.48

It is a problem with your configuration. The behavior of recursive routes has changed, as have some other related things (e.g. route marks).
You will need to study the changes and adapt your configuration to it, it will not be automatically done by the conversion done when upgrading.

lukik007 · Tue Jan 17, 2023 12:20 pm

We just upgraded from v6.9 to the new v7 were everything was working fine.

For BGP to partially work, we had to disable BFD and now we are currently having issues to advertise networks that are not static assigned within the /ip address or static routes from both ends using eBGP.

Anyone has a solution for this?

FIBRANETPLUS · Tue Jan 17, 2023 12:23 pm

Try disabling PCC balancing, and then a netinstall/basic config, and work your way back. Eventually you'll find out what's causing your problem.

I check and found problem with OLT (ZTEC320) whit 2 OLT same problem.

If I connect any PC o Router to any MikroTik port, this pages and apps work fine

But not work in ONT, very strange.

CCR2004 v6.49.7 no problem
CCR2004 v7.x not work
CCR2116 v7.x not work

Tue Jan 17, 2023 12:26 pm

we are currently having issues to advertise networks that are not static assigned within the /ip address or static routes from both ends using eBGP.

https://help.mikrotik.com/docs/display/ ... s-Networks

TiboGLN · Tue Jan 17, 2023 12:44 pm

Hi Folks,

Route List in /IP/Route
still doesn't work properly on webfig...

lukik007 · Tue Jan 17, 2023 2:15 pm

we are currently having issues to advertise networks that are not static assigned within the /ip address or static routes from both ends using eBGP.
https://help.mikrotik.com/docs/display/ ... s-Networks

in v6 we used synchronize as no and did not use any blackhole. Is there a way to keep as is?

Tue Jan 17, 2023 2:20 pm

As it is mentioned in the article you cannot disable synchronisation.

lukik007 · Tue Jan 17, 2023 2:21 pm

https://help.mikrotik.com/docs/display/ ... s-Networks

in v6 we used synchronize as no and did not use any blackhole. Is there a way to keep as is?

The configuration already has the below but still same issue

/ip/firewall/address-list/
add list=bgp-networks address=192.168.0.0/24
 
/routing/bgp/connection
set peer_name output.network=bgp-networks

lukik007 · Tue Jan 17, 2023 2:22 pm

As it is mentioned in the article you cannot disable synchronisation.

So this is a bug or the way forward from now onwards to configure BGP?

Tue Jan 17, 2023 2:27 pm

It is not a bug.

Simonej · Tue Jan 17, 2023 4:26 pm

*) wifiwave2 - fixed 4-way handshake with TKIP;

This means thath WiFiWave2 devices are capable to be used as repeater in Station mode?

rkrisi · Tue Jan 17, 2023 5:23 pm

I have experienced several messages like "private-dhcp offering lease 192.168.111.50 for 94:EA:32:35:52:98 without success" after upgrading to 7.7. The result was that the clients were unable to access the network nor Internet. Clients are mostly connected via CAP managed APs.
This happened for different clients with different OSes (e.g. Lenovo laptop with Windows 10 and iPhone SE 2020).
I have two bridges, each with a different dhcp server on my RB3011UiAS. Only one of the dhcp servers behaved like that. There were no other messages indicating what the problem could be. The configuration looked fine, just like before the upgrade.
I have downgraded to 7.6 but the problem persisted. Only after restore of configuration from before the upgrade to 7.7, the problem is gone.
This is only a heads up. If someone else gets into trouble with DHCP server, I hope you will have possibility to investigate deeper. I wasn't that lucky. I needed to get rid of the issue ASAP.

Well it seems I'm having the same issue. All APs on 7.7, controller (which is also the router) is on 7.6. Only my MacBook having this problem, others can connect successfully.

pe1chl · Tue Jan 17, 2023 6:50 pm

It is not a bug.

Well, it is a bit unfortunate that both this and "/routing bgp aggregate" have been removed in v7.
An unsynchronized route would have been a simple way to work around the lack of route aggregation.
(but probably it most cases it was used incorrectly and I can understand why it was removed)

mducharme · Tue Jan 17, 2023 7:05 pm

This means thath WiFiWave2 devices are capable to be used as repeater in Station mode?

This has always worked assuming you didn't need bridging and were fine with the repeater using a different SSID than the main network. I think you're probably getting four-way TKIP handshake mixed up with four address mode support, the latter is needed for bridging and extending a network while keeping the same SSID, and is not available yet.

supra107 · Tue Jan 17, 2023 7:11 pm

Tried upgrading my hAP ac2 via System>Packages, router ended up boot looping. Had to restore it via Netinstall, and the backup I've made prior the foul update hasn't been restored fully and I have to reconfigure a whole bunch of settings to get back to where it was before, for example I had to connect to the router via the MAC address to even realize the backup has restored in any form, and from there I can see that a lot of configuration is missing. VPN secrets, interface names, addresses, which was the reason I couldn't connect to my router via IP, services, and so on and so on. I have no idea how it ended up being so bad, this is the first time I had to deal with a failed update and it ruined almost everything.

DeGlucker · Tue Jan 17, 2023 7:34 pm

Yes, the quality of the latest releases of the 7.x branch leaves much to be desired...

Dude2048 · Tue Jan 17, 2023 8:01 pm

Upgraded RB4011, hAPac2, Rb961, Wap ac. No problems here

pe1chl · Tue Jan 17, 2023 8:10 pm

Tried upgrading my hAP ac2 via System>Packages, router ended up boot looping. Had to restore it via Netinstall, and the backup I've made prior the foul update hasn't been restored fully

Did it run v6 before and did you upgrade to v7 without ever doing a netinstall of a v7 version?

supra107 · Tue Jan 17, 2023 8:27 pm

What are you quotting whole preceding post for? Do this help undertending the conversation? No. Use "Post Reply" button.

The factory version was v6, but I upgraded to v7 via WinBox around when it first came out and all the updates since then were going fine, until today. Then I used Netinstall to bring it back to the version it was running before the upgrade, which was v7.6.

pe1chl · Tue Jan 17, 2023 8:31 pm

Ok, it would be best to now do a /export show-sensitive file=xxxx to save what you have, download the .rsc file, do the netinstall to 7.7 with blank configuration, then connect via MAC and upload that export file and import it.
That should save you from having this issue again in the future.
(alternatively, when you do not have too much specific local configuration, it can be better to apply "default configuration" and start to manually configure from there)

supra107 · Tue Jan 17, 2023 8:35 pm

What are you quotting whole preceding post for? Do this help undertending the conversation? No. Use "Post Reply" button.

What I should've done is export the .rsc file before even initiating the update in the first place, that would've saved me a lot of nerves and time. I was misguided to believe that the backup is a universal solution to a botched upgrade, and now I had to rely on an export from last year to try and bring the router back to where it was before.

Tue Jan 17, 2023 8:44 pm

It's mentioned as one of the first things to do...

Jotne · Tue Jan 17, 2023 11:12 pm

I was misguided to believe that the backup is a universal solution to a botched upgrade,

Backup does not work across version and only on same hardware.
You may open the binary backup file and get some information out of it.

tova · Tue Jan 17, 2023 11:58 pm

CCR1036-8G-2S+
After update from 7.6 to 7.7
IPSEC not working
SSTP not working
After downgrade back to 7.6
IPSEC is working
SSTP still not working

Tue Jan 17, 2023 11:59 pm

2x hap ac3 and 1 cap lite upgraded from .6 to .7, no problems seen.

supra107 · Wed Jan 18, 2023 2:01 am

I was misguided to believe that the backup is a universal solution to a botched upgrade,
Backup does not work across version and only on same hardware.
You may open the binary backup file and get some information out of it.

Which is odd, because I rolled back the exact same device to the exact same RouterOS version it was on when I made the backup, yet it ended up being incomplete. Perhaps due to using Netinstall it resulted in it being improper for the device?

kcarhc · Wed Jan 18, 2023 3:53 am

please check
SUP-104900 regex match issue

rextended · Wed Jan 18, 2023 4:39 am

Details?

pe1chl · Wed Jan 18, 2023 10:16 am

Which is odd, because I rolled back the exact same device to the exact same RouterOS version it was on when I made the backup, yet it ended up being incomplete. Perhaps due to using Netinstall it resulted in it being improper for the device?

No, it should normally be possible to use backup across versions, you could even restore a v6 backup into v7 and it would re-do the conversion to v7.
However, your config was probably corrupt. That is why the upgrade went wrong too. The advise is therefore to use the /export instead of the backup, after starting a fresh config database using the blank netinstall.
Lots of users went through this. You have a router running v6, you upgrade it to v7 and it appears to work OK, then you upgrade and some time after that it sometimes forgets part of the configuration at reboot. This is finally solved when the configuration is re-done using a recent v7 install. I don't know when this issue was fixed, it is a long time ago. But it looks like existing installs that have been upgraded in the past do still suffer from it, as it comes up on the forum quite regularly.

tova · Wed Jan 18, 2023 10:22 am

CCR1036-8G-2S+
After update from 7.6 to 7.7
IPSEC not working
SSTP not working
After downgrade back to 7.6
IPSEC is working
SSTP still not working

Same problem in 7.6 and 7.7 - lets encrypt update certificate - name changed (to curent date and time), but certificate is still old and expired.
It is neccessary to delete certificate and create new.

In 7.7 it is not neccessary open port 80 on firewall and enable http.

I downgraded to 7.6, because i had no time to investigate IPSEC problem.
SSTP did not work, disable and enable SSTP did not help.
But change parameters in SSTP (certificate none, tls ver any,...) aply and set it back work.
SSTP is working again.
This problem happened on 1 of 2 routers, the seconds upgrades and SSTP works with 7.7.

benlg · Wed Jan 18, 2023 11:32 am

In 7.7 it is not neccessary open port 80 on firewall and enable http.

Interesting, no more needed to open port 80 to generate a Let'sEncrypt certificate ?
How does RouterOS do then ?
And http service no more needed either ? Certainly they now use the "standalone" certbot method.
But "standalone" method still needs port 80, so rather strange...

Maggiore81 · Wed Jan 18, 2023 5:40 pm

Has been removed the selection "MAKE STATIC" in DHCP Leases, with right-click menu. Now it is in the upper bar.
Please put back because it was placed in a better position.

mkx · Wed Jan 18, 2023 7:49 pm

But "standalone" method still needs port 80, so rather strange...

In some implementations (e.g. certbot for linux), script, when running in standalone mode, starts a limited http server on configured port (can be 80 FWIW) only for certificate renewal. After that, service is shut down again.

benlg · Wed Jan 18, 2023 7:52 pm

Yes, but then it still needs port 80 to be opened in FW :)
tova, a few posts above, seems to say that port 80 does not need to be opened anymore in FW, which then sounds strange :|

mkx · Wed Jan 18, 2023 8:01 pm

Yes, but then it still needs port 80 to be opened in FW :)

Well, if I wrote such a script, then I'd surely also add necessary FW rule (and push it to very top so any rule that might block it, would be evaluated afterwards) ... and remove it after it's not needed anymore. Similarly one can (temprorarily) override DST NAT (which would otherwise redirect packets from chain=input to chain=forward), but can similarly be overshadowed by a action=accept DST NAT rule (again pushed right to the top).
And something similar for IPv6 (if it's enabled on router).

benlg · Wed Jan 18, 2023 8:06 pm

Sure, there's certainly a MikroTik hack somewhere...
Which is exactly what I do for now in my own renew schedules (I do not rely on MikroTik ones, to avoid leaving port 80 opened) :)

benlg · Wed Jan 18, 2023 8:07 pm

Doc still mentions about port 80 though :
https://help.mikrotik.com/docs/display/ ... rtificates

mkx · Wed Jan 18, 2023 9:21 pm

Doc still mentions about port 80 though :

Yeah, it does, but in different context. Here what's written:

Note that the DNS name must point to the router and port TCP/80 must be available from the WAN.

None of it is about router config. It says that FQDN set on command line has to point to router (directly or indirectly) and TCP 80 connection has to arrive at router (if router is behind a firewall, that upstream firewall has to allow/forward connection to this router). That's all the quoted part of manual page says.

dakobg · Wed Jan 18, 2023 11:16 pm

cool a lot new options for VRF :)

snowzach · Thu Jan 19, 2023 6:35 am

Any ideas or any possibility to create an "empty" static AAAA entry?

I dont't really want to create real AAAA entries as I had some problems with docker and IPv6 in the past.

Thanks!

Since 7.7 IPV6 lookups now return NXDOMAIN and it makes my docker containers ignore the valid IPv4.

I finally figured this one out.. I created a regex that matches my internal record and created an AAAA record that points to -2001::- fe80::
I'm not sure if it's right or not but it seems to make docker happy enough to ignore the ipv6 record.
It would be nice if there was an option to return nothing...
EDIT: I switched from 2001:: as that's a valid address to fe80:: which is a link local address. It seems to work better and thus far I haven't found it making and random connections.

Tomek85 · Thu Jan 19, 2023 8:47 am

*) bridge - fixed master port conversion;

Can anyone explain this?

eworm · Thu Jan 19, 2023 9:07 am

Can anyone explain this?

Probably handling upgrades from RouterOS 6.40 and before? That is where a master port did exist.

eworm · Thu Jan 19, 2023 9:12 am

I finally figured this one out.. I created a regex that matches my internal record and created an AAAA record that points to 2001::

That is a valid global unicast address. I guess a request is routed through the internet now just to find out that the host does not exist.

Uqbar · Thu Jan 19, 2023 9:21 am

Bumped from 7.6 to 7.7 on my CRS125-24G-1S-RM. Working as expected.
Only the web UI isn't working any more.
After login I get a neverwnding "Loading ..." animation.
I cleared the cache and the related cookies. No way.
Any way to fix this?

Tomek85 · Thu Jan 19, 2023 10:28 am

Can anyone explain this?
Probably handling upgrades from RouterOS 6.40 and before? That is where a master port did exist.

Yes that makes sense for me also, that's the reason I asked, but is it possible to upgrade directly from 6.40 to 7.7 ?

Thu Jan 19, 2023 10:43 am

Theoretically, yes.
Practically: I wouldn't do that.

Always make proper backups first (digital and export, CHECK completeness of export)
How I would do it: 2 options:
1- first upgrade to latest 6.49, then move to ROS7 (my preference).
2- go all the way and take the big jump

If you experience strange behavior, it might be needed to netinstall device, clean config, and re-import via terminal config from earlier backup (block by block, could be some parts have been re-ordered and may cause errors but that should be pretty obvious)

What device are you aiming for ? Some of the low-resource devices do not feel too happy about ROS7, so be aware of that before you move.

Thu Jan 19, 2023 10:53 am

...
If you experience strange behavior, it might be needed to netinstall device, clean config, and re-import via terminal config from earlier backup (block by block, could be some parts have been re-ordered and may cause errors but that should be pretty obvious)
....

To prevent mistakes: In that context "import from backup" means copying and pasting configuration EXPORTED in a text form with a command:

/export file=filename

or even better

/export terse file=filename

as each line is a complete command then

Thu Jan 19, 2023 10:56 am

Correct. But that should be obvious when you try to open the binary backup ;-)
For completeness however, it doesn't hurt mentioning it again so thank you for the addition.

Thu Jan 19, 2023 11:01 am

It was not a allusion to you but explanation to a whole audience as some tend to interpret words too directly if it comes to technical receipes/explanations.

pe1chl · Thu Jan 19, 2023 11:55 am

I think in any case the wisest thing to do is to first upgrade to 6.49.7 and then do an export, try the upgrade to 7.7 and again do an export, and finally netinstall the device to 7.7 and use those exports to re-build the config.
When you are still on 6.40 and it is not some specialized enterprise device but it is your home router, the very best thing to do is to start completely from scratch with default config and to keep that export only as a manual guideline to remember what things you had configured.
DO NOT copy stuff like bridge configuration, firewall rules or IPsec config from that old config, it has all changed and improved so much over time that it is much better to start fresh. Really. You only use the export to pick up things like passwords and general config outline.

rpingar · Thu Jan 19, 2023 12:07 pm

7.7 stable still freeze CCR2216 with hw-offload enabled after 15gg of operation.
- no console messages or response
- led ports up
- autosupout generated
[SUP-100981] updated with all info I have.
seems that MT knows about the issue.
regards

shavenne · Thu Jan 19, 2023 3:42 pm

Beside the DNS problem I've already mentioned here:
Even though I've disabled the NTP server I can't run a wireguard server on Port 123 anymore. It was working with 7.6.

wg_mobil: Could not create IPv4 socket

Port 124 is working so I guess RouterOS is blocking this port even with NTP server disabled somehow.

Edit: It seems to start (and work) if I disable the NTP client. Is this intended? I'm pretty sure I had it enabled on 7.6 too.

snowzach · Thu Jan 19, 2023 4:36 pm

I finally figured this one out.. I created a regex that matches my internal record and created an AAAA record that points to 2001::
That is a valid global unicast address. I guess a request is routed through the internet now just to find out that the host does not exist.

You are correct.. I just started to wonder about that this morning... I did a tcpdump and it is indeed firing off a request to the internet... So I tried again using `fe80::` and it seems to work. I didn't see my linux docker container making any requests to that address. I assume it knows it's a local link address maybe? Not sure.

ishanjain · Thu Jan 19, 2023 5:09 pm

Hey, I believe this update breaks wireguard for me. I am using RB450GX4 and I am on mikrotik 7.7. I upgraded from ros 7.6.

I can't reach any thing in my internal network from any peer except for one wireguard peer. The wireguard peer that is still working has an endpoint configured and it's a machine on Linode. Every thing else is stuff like Mobile phones//tablets/laptops on public WiFi. These clients do not have an endpoint configured.

In the logs, I see handshake initiation traffic from clients but mikrotik router is not responding to this traffiic.

Screenshot 2023-01-19 203403.png

In the traffic stats in wireguard menu, I see the rx/tx counters are moving, so I captured some packets with packet sniffer(interface=wireguard-interface, no other settings configured, direction=any) and I don't see any traffic at all. I am not sure why is the rx/tx counter moving?

Screenshot 2023-01-19 203528.png

For "Ishan's Phone", Last handshake is stuck at 01:01:34 even as I am typing this but rx/tx stat keeps moving? on the WAN interface, I only see handhsake initiation traffic. I'll try rebooting the router in a few hours and I am guessing that'll fix this but this is really weird.

All wireguard clients except for the machine on linode have this problem.

Thu Jan 19, 2023 5:42 pm

Maybe best to start a new topic with full config of your setup.
Wireguard works just fine on my devices (also 7.7).

As for tx counters moving, wireguard ALWAYS sends. It's only when you see something coming back that you know it works.

eworm · Thu Jan 19, 2023 5:46 pm

Same here, wireguard works just fine.

My guess is that you have one or more wrong ranges in peer's allowed-ips setting.